package org.apache.pinot.plugin.stream.kafka;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import org.apache.commons.lang3.StringUtils;
import org.apache.pinot.shaded.com.google.common.annotations.VisibleForTesting;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pinot/plugin/stream/kafka/KafkaSSLUtils.class */
public class KafkaSSLUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) KafkaSSLUtils.class);
    private static final String DEFAULT_CERTIFICATE_TYPE = "X.509";
    private static final String DEFAULT_KEY_ALGORITHM = "RSA";
    private static final String DEFAULT_KEYSTORE_TYPE = "PKCS12";
    private static final String DEFAULT_SECURITY_PROTOCOL = "SSL";
    private static final String DEFAULT_TRUSTSTORE_TYPE = "jks";
    private static final String DEFAULT_SERVER_ALIAS = "ServerAlias";
    private static final String DEFAULT_CLIENT_ALIAS = "ClientAlias";
    private static final String SSL_TRUSTSTORE_LOCATION = "ssl.truststore.location";
    private static final String SSL_TRUSTSTORE_PASSWORD = "ssl.truststore.password";
    private static final String SECURITY_PROTOCOL = "security.protocol";
    private static final String SSL_KEYSTORE_LOCATION = "ssl.keystore.location";
    private static final String SSL_KEYSTORE_PASSWORD = "ssl.keystore.password";
    private static final String SSL_KEY_PASSWORD = "ssl.key.password";
    private static final String STREAM_KAFKA_SSL_SERVER_CERTIFICATE = "stream.kafka.ssl.server.certificate";
    private static final String STREAM_KAFKA_SSL_CERTIFICATE_TYPE = "stream.kafka.ssl.certificate.type";
    private static final String SSL_TRUSTSTORE_TYPE = "ssl.truststore.type";
    private static final String STREAM_KAFKA_SSL_CLIENT_CERTIFICATE = "stream.kafka.ssl.client.certificate";
    private static final String STREAM_KAFKA_SSL_CLIENT_KEY = "stream.kafka.ssl.client.key";
    private static final String STREAM_KAFKA_SSL_CLIENT_KEY_ALGORITHM = "stream.kafka.ssl.client.key.algorithm";
    private static final String SSL_KEYSTORE_TYPE = "ssl.keystore.type";

    private KafkaSSLUtils() {
    }

    public static void initSSL(Properties properties) {
        if (StringUtils.isAnyEmpty(new CharSequence[]{properties.getProperty(SSL_TRUSTSTORE_LOCATION), properties.getProperty(SSL_TRUSTSTORE_PASSWORD), properties.getProperty(STREAM_KAFKA_SSL_SERVER_CERTIFICATE)})) {
            LOGGER.info("Skipping auto SSL server validation since it's not configured.");
            return;
        }
        if (shouldRenewTrustStore(properties)) {
            initTrustStore(properties);
        }
        properties.setProperty(SECURITY_PROTOCOL, properties.getProperty(SECURITY_PROTOCOL, DEFAULT_SECURITY_PROTOCOL));
        if (StringUtils.isAnyEmpty(new CharSequence[]{properties.getProperty(SSL_KEYSTORE_LOCATION), properties.getProperty(SSL_KEYSTORE_PASSWORD), properties.getProperty(SSL_KEY_PASSWORD), properties.getProperty(STREAM_KAFKA_SSL_CLIENT_CERTIFICATE)})) {
            LOGGER.info("Skipping auto SSL client validation since it's not configured.");
        } else if (shouldRenewKeyStore(properties)) {
            initKeyStore(properties);
        }
    }

    @VisibleForTesting
    static void initTrustStore(Properties properties) {
        Path trustStorePath = getTrustStorePath(properties);
        if (Files.exists(trustStorePath, new LinkOption[0])) {
            deleteFile(trustStorePath);
        }
        LOGGER.info("Initializing the SSL trust store");
        try {
            createFile(trustStorePath);
            try {
                String property = properties.getProperty(SSL_TRUSTSTORE_PASSWORD);
                String property2 = properties.getProperty(STREAM_KAFKA_SSL_SERVER_CERTIFICATE);
                String property3 = properties.getProperty(STREAM_KAFKA_SSL_CERTIFICATE_TYPE, DEFAULT_CERTIFICATE_TYPE);
                String property4 = properties.getProperty(SSL_TRUSTSTORE_TYPE, DEFAULT_TRUSTSTORE_TYPE);
                properties.setProperty(SSL_TRUSTSTORE_TYPE, property4);
                Certificate generateCertificate = CertificateFactory.getInstance(property3).generateCertificate(new ByteArrayInputStream(Base64.getDecoder().decode(property2)));
                KeyStore keyStore = KeyStore.getInstance(property4);
                keyStore.load(null, null);
                keyStore.setCertificateEntry(DEFAULT_SERVER_ALIAS, generateCertificate);
                FileOutputStream fileOutputStream = new FileOutputStream(trustStorePath.toString());
                try {
                    keyStore.store(fileOutputStream, property.toCharArray());
                    fileOutputStream.close();
                    LOGGER.info("Initialized the SSL trust store.");
                } finally {
                }
            } catch (Exception e) {
                throw new RuntimeException("Error initializing the SSL trust store", e);
            }
        } catch (FileAlreadyExistsException e2) {
            LOGGER.warn("SSL trust store initialization failed as trust store already exists.");
        } catch (IOException e3) {
            throw new RuntimeException(String.format("Failed to create the trust store path: %s", trustStorePath), e3);
        }
    }

    @VisibleForTesting
    static void initKeyStore(Properties properties) {
        Path keyStorePath = getKeyStorePath(properties);
        if (Files.exists(keyStorePath, new LinkOption[0])) {
            deleteFile(keyStorePath);
        }
        LOGGER.info("Initializing the SSL key store");
        try {
            createFile(keyStorePath);
            String property = properties.getProperty(SSL_KEYSTORE_PASSWORD);
            String property2 = properties.getProperty(SSL_KEY_PASSWORD);
            String property3 = properties.getProperty(STREAM_KAFKA_SSL_CLIENT_CERTIFICATE);
            String property4 = properties.getProperty(STREAM_KAFKA_SSL_CERTIFICATE_TYPE, DEFAULT_CERTIFICATE_TYPE);
            String property5 = properties.getProperty(STREAM_KAFKA_SSL_CLIENT_KEY);
            String property6 = properties.getProperty(STREAM_KAFKA_SSL_CLIENT_KEY_ALGORITHM, DEFAULT_KEY_ALGORITHM);
            String property7 = properties.getProperty(SSL_KEYSTORE_TYPE, DEFAULT_KEYSTORE_TYPE);
            properties.setProperty(SSL_KEYSTORE_TYPE, property7);
            try {
                byte[] decode = Base64.getDecoder().decode(property5);
                byte[] decode2 = Base64.getDecoder().decode(property3);
                PrivateKey generatePrivate = KeyFactory.getInstance(property6).generatePrivate(new PKCS8EncodedKeySpec(decode));
                Certificate generateCertificate = CertificateFactory.getInstance(property4).generateCertificate(new ByteArrayInputStream(decode2));
                KeyStore keyStore = KeyStore.getInstance(property7);
                keyStore.load(null, null);
                keyStore.setEntry(DEFAULT_CLIENT_ALIAS, new KeyStore.PrivateKeyEntry(generatePrivate, new Certificate[]{generateCertificate}), new KeyStore.PasswordProtection(property2.toCharArray()));
                FileOutputStream fileOutputStream = new FileOutputStream(keyStorePath.toString());
                try {
                    keyStore.store(fileOutputStream, property.toCharArray());
                    fileOutputStream.close();
                    LOGGER.info("Initialized the SSL key store.");
                } finally {
                }
            } catch (Exception e) {
                throw new RuntimeException("Error initializing the SSL key store", e);
            }
        } catch (FileAlreadyExistsException e2) {
            LOGGER.warn("SSL key store initialization failed as key store already exists.");
        } catch (IOException e3) {
            throw new RuntimeException(String.format("Failed to create the key store path: %s", keyStorePath), e3);
        }
    }

    private static Path getTrustStorePath(Properties properties) {
        return Paths.get(properties.getProperty(SSL_TRUSTSTORE_LOCATION), new String[0]);
    }

    private static Path getKeyStorePath(Properties properties) {
        return Paths.get(properties.getProperty(SSL_KEYSTORE_LOCATION), new String[0]);
    }

    private static boolean shouldRenewTrustStore(Properties properties) {
        boolean z;
        Path trustStorePath = getTrustStorePath(properties);
        String property = properties.getProperty(SSL_TRUSTSTORE_PASSWORD);
        String property2 = properties.getProperty(STREAM_KAFKA_SSL_SERVER_CERTIFICATE);
        String property3 = properties.getProperty(STREAM_KAFKA_SSL_CERTIFICATE_TYPE, DEFAULT_CERTIFICATE_TYPE);
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream fileInputStream = new FileInputStream(trustStorePath.toString());
            try {
                keyStore.load(fileInputStream, property.toCharArray());
                fileInputStream.close();
                z = !CertificateFactory.getInstance(property3).generateCertificate(new ByteArrayInputStream(Base64.getDecoder().decode(property2))).equals(keyStore.getCertificate(DEFAULT_SERVER_ALIAS));
            } catch (Throwable th) {
                try {
                    fileInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        } catch (FileNotFoundException e) {
            z = true;
        } catch (Exception e2) {
            z = true;
            LOGGER.warn("Trust store certificate comparison check failed.", (Throwable) e2);
        }
        return z;
    }

    private static boolean shouldRenewKeyStore(Properties properties) {
        boolean z;
        Path keyStorePath = getKeyStorePath(properties);
        String property = properties.getProperty(SSL_KEYSTORE_PASSWORD);
        String property2 = properties.getProperty(SSL_KEY_PASSWORD);
        String property3 = properties.getProperty(STREAM_KAFKA_SSL_CERTIFICATE_TYPE, DEFAULT_CERTIFICATE_TYPE);
        String property4 = properties.getProperty(STREAM_KAFKA_SSL_CLIENT_CERTIFICATE);
        String property5 = properties.getProperty(STREAM_KAFKA_SSL_CLIENT_KEY_ALGORITHM, DEFAULT_KEY_ALGORITHM);
        String property6 = properties.getProperty(STREAM_KAFKA_SSL_CLIENT_KEY);
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream fileInputStream = new FileInputStream(keyStorePath.toString());
            try {
                keyStore.load(fileInputStream, property.toCharArray());
                fileInputStream.close();
                z = (Arrays.equals(keyStore.getCertificate(DEFAULT_CLIENT_ALIAS).getEncoded(), CertificateFactory.getInstance(property3).generateCertificate(new ByteArrayInputStream(Base64.getDecoder().decode(property4))).getEncoded()) && Arrays.equals(((PrivateKey) keyStore.getKey(DEFAULT_CLIENT_ALIAS, property2.toCharArray())).getEncoded(), KeyFactory.getInstance(property5).generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(property6))).getEncoded())) ? false : true;
            } catch (Throwable th) {
                try {
                    fileInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        } catch (FileNotFoundException e) {
            z = true;
        } catch (Exception e2) {
            z = true;
            LOGGER.warn("Key store certificate and private key comparison checks failed.", (Throwable) e2);
        }
        return z;
    }

    private static void deleteFile(Path path) {
        try {
            Files.deleteIfExists(path);
            LOGGER.info(String.format("Successfully deleted file: %s", path));
        } catch (IOException e) {
            LOGGER.warn(String.format("Failed to delete the file: %s", path));
        }
    }

    private static void createFile(Path path) throws IOException {
        Path parent = path.getParent();
        if (parent != null) {
            Files.createDirectories(parent, new FileAttribute[0]);
        }
        Path absolutePath = path.toAbsolutePath();
        if (Files.exists(absolutePath, new LinkOption[0])) {
            return;
        }
        Files.createFile(absolutePath, new FileAttribute[0]);
        LOGGER.info(String.format("Successfully created file: %s", path));
    }
}
