package org.apache.pinot.common.utils.tls;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Supplier;
import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.keymanager.HotSwappableX509ExtendedKeyManager;
import nl.altindag.ssl.trustmanager.HotSwappableX509ExtendedTrustManager;
import nl.altindag.ssl.util.SSLFactoryUtils;
import org.apache.pinot.common.config.TlsConfig;
import org.apache.pinot.common.exception.QueryException;
import org.apache.pinot.spi.utils.retry.RetryPolicies;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pinot/common/utils/tls/RenewableTlsUtils.class */
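/**
 * Builds {@link SSLFactory} instances from a {@link TlsConfig} and, when the key and trust stores are plain local
 * files, keeps them renewed in place: a watcher thread reloads the factory when either store file is modified, and a
 * scheduled thread reloads it once a day as a fallback.
 *
 * <p>Renewal works by building a fresh factory from the current files and copying its material into the live
 * factory's swappable key/trust managers, so callers holding the original {@link SSLFactory} keep using it.
 * Both background executors are created with the JDK default (non-daemon) thread factory and are never shut down,
 * so they live for the rest of the process.
 */
public class RenewableTlsUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger(RenewableTlsUtils.class);
    private static final String FILE_SCHEME = "file";
    // Cadence of the fallback reload job: first run 20 minutes after start-up, then once a day.
    private static final int CERT_RELOAD_JOB_INTERVAL_IN_MINUTES = 1440;
    private static final int CERT_RELOAD_JOB_INITAL_DELAY_IN_MINUTES = 20;
    // Attempts made by reloadSslFactory before giving up; also reported in the failure log.
    private static final int RELOAD_MAX_ATTEMPTS = 3;

    private RenewableTlsUtils() {
    }

    /**
     * Creates an SSLFactory for {@code tlsConfig} and enables file-based auto renewal when both stores are local
     * files (or absent). Insecure mode is taken from the config alone.
     *
     * @param tlsConfig key/trust store locations, types, passwords and the insecure flag
     * @return the (possibly auto-renewing) factory
     */
    public static SSLFactory createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(TlsConfig tlsConfig) {
        return createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig, () -> false);
    }

    /**
     * Creates an SSLFactory for {@code tlsConfig} and enables file-based auto renewal when both stores are local
     * files (or absent).
     *
     * @param tlsConfig key/trust store locations, types, passwords and the insecure flag
     * @param isInsecureSupplier additional, re-evaluated source of the insecure flag; a {@code true} from either the
     *     config or this supplier disables peer certificate verification (see
     *     {@link #createSSLFactory(String, String, String, String, String, String, String, SecureRandom, boolean,
     *     boolean)})
     * @return the (possibly auto-renewing) factory
     */
    public static SSLFactory createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(TlsConfig tlsConfig,
            Supplier<Boolean> isInsecureSupplier) {
        SSLFactory sslFactory = createSSLFactory(tlsConfig, isInsecureSupplier.get());
        // Auto renewal is driven by a file system WatchService, so it is only enabled when every configured store is
        // a local file or absent; stores loaded from other URL schemes keep the material they were built with.
        if (TlsUtils.isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getKeyStorePath())
                && TlsUtils.isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getTrustStorePath())) {
            enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, tlsConfig, isInsecureSupplier);
        }
        return sslFactory;
    }

    /**
     * Builds a swappable SSLFactory from {@code tlsConfig}; the factory is insecure if either the config says so or
     * {@code isInsecure} is set.
     */
    private static SSLFactory createSSLFactory(TlsConfig tlsConfig, boolean isInsecure) {
        return createSSLFactory(tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(),
                tlsConfig.getKeyStorePassword(), tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(),
                tlsConfig.getTrustStorePassword(), null, null, true, tlsConfig.isInsecure() || isInsecure);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds an SSLFactory from the given stores.
     *
     * <p>When {@code isInsecure} is true the trust store is ignored and the factory is built with unsafe trust
     * material, which disables peer certificate verification; this is the only code path that does so.
     *
     * @param keyStoreType key store type passed to the builder (may be null)
     * @param keyStorePath key store location accepted by {@link TlsUtils#makeKeyOrTrustStoreUrl}; null for no
     *     identity material
     * @param keyStorePassword key store password; must be non-null when {@code keyStorePath} is set
     * @param trustStoreType trust store type passed to the builder (may be null)
     * @param trustStorePath trust store location; null for no trust material (unless insecure)
     * @param trustStorePassword trust store password; must be non-null when a trust store is loaded
     * @param sslContextProtocol SSL context algorithm, or null for the builder default
     * @param secureRandom random source for the SSL context, or null for the builder default
     * @param keyAndTrustMaterialSwappable whether to build hot-swappable key/trust managers; required for the
     *     factory to be renewable later
     * @param isInsecure whether to trust any peer certificate instead of the trust store
     * @return the built factory
     * @throws IllegalStateException wrapping any failure (missing password, unreadable store, builder error)
     */
    public static SSLFactory createSSLFactory(String keyStoreType, String keyStorePath, String keyStorePassword,
            String trustStoreType, String trustStorePath, String trustStorePassword, String sslContextProtocol,
            SecureRandom secureRandom, boolean keyAndTrustMaterialSwappable, boolean isInsecure) {
        try {
            if (keyStorePath != null) {
                Preconditions.checkNotNull(keyStorePassword, "key store password must not be null");
            }
            boolean loadTrustStore = !isInsecure && trustStorePath != null;
            if (loadTrustStore) {
                Preconditions.checkNotNull(trustStorePassword, "trust store password must not be null");
            }
            // try-with-resources so the store streams are closed on every path, including a failing build();
            // a null resource is skipped by the construct.
            try (InputStream keyStoreStream =
                    keyStorePath == null ? null : TlsUtils.makeKeyOrTrustStoreUrl(keyStorePath).openStream();
                    InputStream trustStoreStream =
                            loadTrustStore ? TlsUtils.makeKeyOrTrustStoreUrl(trustStorePath).openStream() : null) {
                SSLFactory.Builder builder = SSLFactory.builder();
                if (keyStoreStream != null) {
                    if (keyAndTrustMaterialSwappable) {
                        builder.withSwappableIdentityMaterial();
                    }
                    builder.withIdentityMaterial(keyStoreStream, keyStorePassword.toCharArray(), keyStoreType);
                }
                if (isInsecure) {
                    if (keyAndTrustMaterialSwappable) {
                        builder.withSwappableTrustMaterial();
                    }
                    // Trusts any presented certificate chain; configured trust store is not consulted.
                    builder.withUnsafeTrustMaterial();
                } else if (trustStoreStream != null) {
                    if (keyAndTrustMaterialSwappable) {
                        builder.withSwappableTrustMaterial();
                    }
                    builder.withTrustMaterial(trustStoreStream, trustStorePassword.toCharArray(), trustStoreType);
                }
                if (sslContextProtocol != null) {
                    builder.withSslContextAlgorithm(sslContextProtocol);
                }
                if (secureRandom != null) {
                    builder.withSecureRandom(secureRandom);
                }
                SSLFactory sslFactory = builder.build();
                LOGGER.info("Successfully created SSLFactory {} with key store {} and trust store {}. Key and trust material swappable: {}",
                        sslFactory, keyStorePath, trustStorePath, keyAndTrustMaterialSwappable);
                return sslFactory;
            }
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Enables file-change based and daily renewal of {@code sslFactory} using the stores named in {@code tlsConfig}.
     * The insecure flag used for each rebuild is {@code tlsConfig.isInsecure() || isInsecureSupplier.get()},
     * re-evaluated at reload time.
     */
    @VisibleForTesting
    static void enableAutoRenewalFromFileStoreForSSLFactory(SSLFactory sslFactory, TlsConfig tlsConfig,
            Supplier<Boolean> isInsecureSupplier) {
        enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, tlsConfig.getKeyStoreType(),
                tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword(), tlsConfig.getTrustStoreType(),
                tlsConfig.getTrustStorePath(), tlsConfig.getTrustStorePassword(), null, null,
                () -> tlsConfig.isInsecure() || isInsecureSupplier.get());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Validates that the stores are local files and the factory's managers are swappable, then starts two background
     * threads: one blocking on a WatchService for store-file modifications, one reloading on a fixed daily schedule.
     *
     * @param sslFactory factory to renew; must have been built with swappable key/trust material for each store set
     * @param isInsecureSupplier re-evaluated on every reload to decide whether the rebuilt factory is insecure
     * @throws IllegalArgumentException if a store path is not a {@code file} URL or the matching manager is not
     *     hot-swappable
     * @throws RuntimeException wrapping URL/URI construction failures for the store paths
     */
    public static void enableAutoRenewalFromFileStoreForSSLFactory(SSLFactory sslFactory, String keyStoreType,
            String keyStorePath, String keyStorePassword, String trustStoreType, String trustStorePath,
            String trustStorePassword, String sslContextProtocol, SecureRandom secureRandom,
            Supplier<Boolean> isInsecureSupplier) {
        URL keyStoreUrl = toStoreUrl(keyStorePath);
        URL trustStoreUrl = toStoreUrl(trustStorePath);
        if (keyStoreUrl != null) {
            Preconditions.checkArgument(hasFileScheme(keyStoreUrl),
                    "key store path must be a local file path or null when SSL auto renew is enabled");
            // Reload swaps material inside the existing managers, which only works for the hot-swappable variants
            // (keyAndTrustMaterialSwappable = true in createSSLFactory).
            Preconditions.checkArgument(sslFactory.getKeyManager().isPresent()
                    && sslFactory.getKeyManager().get() instanceof HotSwappableX509ExtendedKeyManager,
                    "key manager of the existing SSLFactory must be swappable");
        }
        if (trustStoreUrl != null) {
            Preconditions.checkArgument(hasFileScheme(trustStoreUrl),
                    "trust store path must be a local file path or null when SSL auto renew is enabled");
            Preconditions.checkArgument(sslFactory.getTrustManager().isPresent()
                    && sslFactory.getTrustManager().get() instanceof HotSwappableX509ExtendedTrustManager,
                    "trust manager of the existing SSLFactory must be swappable");
        }
        Executors.newSingleThreadExecutor().execute(() -> {
            try {
                reloadSslFactoryWhenFileStoreChanges(sslFactory, keyStoreType, keyStorePath, keyStorePassword,
                        trustStoreType, trustStorePath, trustStorePassword, sslContextProtocol, secureRandom,
                        isInsecureSupplier);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                throw new RuntimeException(e);
            } catch (Exception e) {
                // Propagating ends the watcher thread; the scheduled reload below is the remaining renewal path.
                throw new RuntimeException(e);
            }
        });
        Executors.newSingleThreadScheduledExecutor().scheduleAtFixedRate(() -> {
            LOGGER.info("Creating a scheduled thread to reloadSsl once a day");
            try {
                reloadSslFactory(sslFactory, keyStoreType, keyStorePath, keyStorePassword, trustStoreType,
                        trustStorePath, trustStorePassword, sslContextProtocol, secureRandom, isInsecureSupplier);
            } catch (Exception e) {
                // A task that throws out of scheduleAtFixedRate suppresses every later run, which would silently
                // end the daily renewal; log and keep the schedule alive instead.
                LOGGER.error("Scheduled reload of SSLFactory {} (built from key store {} and truststore {}) failed",
                        sslFactory, keyStorePath, trustStorePath, e);
            }
        }, CERT_RELOAD_JOB_INITAL_DELAY_IN_MINUTES, CERT_RELOAD_JOB_INTERVAL_IN_MINUTES, TimeUnit.MINUTES);
    }

    /** Resolves a store path to a URL, wrapping checked failures in a RuntimeException; null for a null path. */
    private static URL toStoreUrl(String storePath) {
        if (storePath == null) {
            return null;
        }
        try {
            return TlsUtils.makeKeyOrTrustStoreUrl(storePath);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** True if the URL's URI scheme starts with {@value #FILE_SCHEME}. */
    private static boolean hasFileScheme(URL url) {
        try {
            return url.toURI().getScheme().startsWith(FILE_SCHEME);
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Blocks forever on a WatchService and reloads {@code sslFactory} whenever the key store or trust store file is
     * modified. Meant to run on its own thread.
     *
     * @throws IOException if the WatchService cannot be created or a directory cannot be registered
     * @throws URISyntaxException if a store path cannot be converted to a URL
     * @throws InterruptedException if the thread is interrupted while waiting for events
     */
    @VisibleForTesting
    static void reloadSslFactoryWhenFileStoreChanges(SSLFactory sslFactory, String keyStoreType, String keyStorePath,
            String keyStorePassword, String trustStoreType, String trustStorePath, String trustStorePassword,
            String sslContextProtocol, SecureRandom secureRandom, Supplier<Boolean> isInsecureSupplier)
            throws IOException, URISyntaxException, InterruptedException {
        LOGGER.info("Enable auto renewal of SSLFactory {} when key store {} or trust store {} changes", sslFactory,
                keyStorePath, trustStorePath);
        // The WatchService is closed if the loop ever exits (it only does so by exception).
        try (WatchService watchService = FileSystems.getDefault().newWatchService()) {
            // A WatchService watches directories, so each store's parent directory is registered and the file names
            // of interest are kept per key; stores sharing a directory share one key.
            Map<WatchKey, Set<Path>> watchedFilesByKey = new HashMap<>();
            registerFile(watchService, watchedFilesByKey, keyStorePath);
            registerFile(watchService, watchedFilesByKey, trustStorePath);
            while (true) {
                WatchKey key = watchService.take();
                Set<Path> watchedFiles = watchedFilesByKey.getOrDefault(key, Set.of());
                for (WatchEvent<?> event : key.pollEvents()) {
                    // Events for other files in the same directory are ignored.
                    Path changedFile = (Path) event.context();
                    if (watchedFiles.contains(changedFile)) {
                        LOGGER.info("Detected change in file: {}, try to renew SSLFactory {} (built from key store {} and truststore {})",
                                changedFile, sslFactory, keyStorePath, trustStorePath);
                        reloadSslFactory(sslFactory, keyStoreType, keyStorePath, keyStorePassword, trustStoreType,
                                trustStorePath, trustStorePassword, sslContextProtocol, secureRandom,
                                isInsecureSupplier);
                    }
                }
                // reset() returns false once the key is invalid (for example the watched directory is gone); no
                // further events will arrive for it, so say so rather than blocking on take() in silence.
                if (!key.reset()) {
                    LOGGER.warn("Watch key for SSLFactory {} (key store {}, trust store {}) is no longer valid; file-change based renewal stopped for it",
                            sslFactory, keyStorePath, trustStorePath);
                }
            }
        }
    }

    /**
     * Rebuilds the key/trust material from the current store files and swaps it into {@code sslFactory}, retrying a
     * few times. Synchronized on the class so the watcher thread and the scheduled thread never reload concurrently.
     * Failures are logged, never thrown.
     */
    private static synchronized void reloadSslFactory(SSLFactory sslFactory, String keyStoreType, String keyStorePath,
            String keyStorePassword, String trustStoreType, String trustStorePath, String trustStorePassword,
            String sslContextProtocol, SecureRandom secureRandom, Supplier<Boolean> isInsecureSupplier) {
        LOGGER.info("reloadSslFactory :: Enable auto renewal of SSLFactory {}, key store {}, trust store {}",
                sslFactory, keyStorePath, trustStorePath);
        try {
            // NOTE(review): the second argument of fixedDelayRetryPolicy appears to be the inter-attempt delay, yet an
            // error-code constant is passed; kept as-is for parity, a named delay constant would be clearer.
            RetryPolicies.fixedDelayRetryPolicy(RELOAD_MAX_ATTEMPTS, QueryException.UNKNOWN_ERROR_CODE).attempt(() -> {
                try {
                    // Build a non-swappable factory from the files as they are now; its material is copied into the
                    // live factory's swappable managers, and the live factory object is kept.
                    SSLFactory renewed = createSSLFactory(keyStoreType, keyStorePath, keyStorePassword,
                            trustStoreType, trustStorePath, trustStorePassword, sslContextProtocol, secureRandom,
                            false, isInsecureSupplier.get());
                    SSLFactoryUtils.reload(sslFactory, renewed);
                    LOGGER.info("reloadSslFactory :: Successfully renewed SSLFactory {} (built from key store {} and truststore {}) on file",
                            sslFactory, keyStorePath, trustStorePath);
                    return true;
                } catch (Exception e) {
                    // Returning false asks the retry policy for another attempt.
                    LOGGER.info("reloadSslFactory :: Encountered issues when renewing SSLFactory {} (built from key store {} and truststore {}) on ",
                            sslFactory, keyStorePath, trustStorePath, e);
                    return false;
                }
            });
        } catch (Exception e) {
            LOGGER.error("reloadSslFactory :: Failed to renew SSLFactory {} (built from key store {} and truststore {}) after {} retries",
                    sslFactory, keyStorePath, trustStorePath, RELOAD_MAX_ATTEMPTS, e);
        }
    }

    /**
     * Registers the parent directory of {@code storePath} for ENTRY_MODIFY events and records the store's file name
     * under the resulting key. A null path is a no-op.
     *
     * @param watchService service to register with
     * @param watchedFilesByKey map from watch key to the file names to react to; updated in place
     * @param storePath store location accepted by {@link TlsUtils#makeKeyOrTrustStoreUrl}, or null
     * @throws IOException if the directory cannot be registered
     * @throws URISyntaxException if the path cannot be converted to a URL
     */
    @VisibleForTesting
    static void registerFile(WatchService watchService, Map<WatchKey, Set<Path>> watchedFilesByKey, String storePath)
            throws IOException, URISyntaxException {
        if (storePath == null) {
            return;
        }
        // NOTE(review): URL.getPath() is percent-encoded; a store path containing characters that get escaped would
        // not round-trip here — confirm against what makeKeyOrTrustStoreUrl produces.
        Path storeFile = Path.of(TlsUtils.makeKeyOrTrustStoreUrl(storePath).getPath());
        // Only in-place modifications are registered. Whether a replacement done by rename or symlink swap surfaces
        // as ENTRY_MODIFY on this name is platform dependent, so such rotation schemes may only be picked up by the
        // daily scheduled reload.
        WatchKey key = storeFile.getParent().register(watchService, StandardWatchEventKinds.ENTRY_MODIFY);
        watchedFilesByKey.computeIfAbsent(key, ignored -> new HashSet<>()).add(storeFile.getFileName());
    }
}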
