package org.apache.pinot.common.utils.tls;

import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.exception.GenericSSLContextException;
import org.apache.commons.lang3.StringUtils;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.core5.ssl.SSLContexts;
import org.apache.pinot.$internal.com.google.common.base.Preconditions;
import org.apache.pinot.common.config.TlsConfig;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pinot/common/utils/tls/TlsUtils.class */
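/**
 * Builds the key and trust material Pinot components use for TLS: {@link KeyManagerFactory} /
 * {@link TrustManagerFactory} from configured key stores, Netty client and server {@link SslContext}s, and the
 * process-wide {@link SSLContext} consumed by {@link HttpsURLConnection} and {@link #buildConnectionSocketFactory()}.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>{@code <prefix>.insecure=true} makes {@link #createTrustManagerFactory(TlsConfig)} return a trust manager
 *       that accepts every peer certificate. That disables server authentication entirely and is only acceptable for
 *       local development; the choice is logged at WARN level.</li>
 *   <li>{@link #installDefaultSSLSocketFactory} mutates JVM-wide state (the default socket factory of
 *       {@link HttpsURLConnection} and the context behind {@link #getSslContext()}). It is intended to run once at
 *       startup, before the first call to {@link #getSslContext()}; see {@link #setSslContext(SSLContext)}.</li>
 *   <li>Store passwords arrive from configuration as plain strings. They are never placed in exception messages —
 *       only store paths are.</li>
 *   <li>A store path is turned into a {@link URL} by {@link #makeKeyOrTrustStoreUrl(String)}; any scheme the JDK
 *       can open is accepted, so key material can in principle be fetched from a remote location. Prefer local
 *       {@code file:} paths for private keys.</li>
 * </ul>
 */
public final class TlsUtils {
    private static final String CLIENT_AUTH_ENABLED = "client.auth.enabled";
    private static final String KEYSTORE_TYPE = "keystore.type";
    private static final String KEYSTORE_PATH = "keystore.path";
    private static final String KEYSTORE_PASSWORD = "keystore.password";
    private static final String TRUSTSTORE_TYPE = "truststore.type";
    private static final String TRUSTSTORE_PATH = "truststore.path";
    private static final String TRUSTSTORE_PASSWORD = "truststore.password";
    private static final String SSL_PROVIDER = "ssl.provider";
    // Protocol name handed to SSLContext.getInstance and to RenewableTlsUtils. With the JDK's SunJSSE provider the
    // "SSL" and "TLS" names resolve to the same context implementation; the negotiated protocol versions are governed
    // by the JDK's enabled-protocol defaults, not by this string.
    private static final String SSL_CONTEXT_PROTOCOL = "SSL";
    private static final String FILE_SCHEME = "file";
    private static final String FILE_SCHEME_PREFIX = "file://";
    private static final String FILE_SCHEME_PREFIX_WITHOUT_SLASH = "file:";
    private static final String INSECURE = "insecure";
    private static final Logger LOGGER = LoggerFactory.getLogger(TlsUtils.class);
    // Set at most once by setSslContext(); read lazily by SSLContextHolder.
    private static final AtomicReference<SSLContext> SSL_CONTEXT_REF = new AtomicReference<>();

    /**
     * Lazy holder for the context returned by {@link #getSslContext()}. Class initialisation runs on the first call
     * to {@link #getSslContext()} and captures whatever {@link #SSL_CONTEXT_REF} holds at that moment; a context
     * installed later is not picked up.
     */
    private static final class SSLContextHolder {
        static final SSLContext SSL_CONTEXT;

        static {
            SSLContext installed = SSL_CONTEXT_REF.get();
            // Fall back to the Apache HttpCore default (JDK key/trust material) when nothing was installed.
            SSL_CONTEXT = installed == null ? SSLContexts.createDefault() : installed;
        }

        private SSLContextHolder() {
        }
    }

    private TlsUtils() {
    }

    /**
     * Reads the TLS settings below {@code namespace} from {@code config}, starting from a fresh {@link TlsConfig}.
     *
     * @param config    configuration to read from
     * @param namespace key prefix, e.g. {@code pinot.server.tls}
     * @return a new {@link TlsConfig}
     */
    public static TlsConfig extractTlsConfig(PinotConfiguration config, String namespace) {
        return extractTlsConfig(config, namespace, new TlsConfig());
    }

    /**
     * Reads the TLS settings below {@code namespace} from {@code config}, using {@code defaultConfig} for every key
     * that is absent. {@code defaultConfig} itself is not modified.
     *
     * @param config        configuration to read from
     * @param namespace     key prefix; each setting is looked up as {@code namespace + "." + setting}
     * @param defaultConfig values used for missing keys
     * @return a new {@link TlsConfig} (a copy of {@code defaultConfig} with overrides applied)
     */
    public static TlsConfig extractTlsConfig(PinotConfiguration config, String namespace, TlsConfig defaultConfig) {
        TlsConfig result = new TlsConfig(defaultConfig);
        result.setClientAuthEnabled(
                config.getProperty(key(namespace, CLIENT_AUTH_ENABLED), defaultConfig.isClientAuthEnabled()));
        result.setKeyStoreType(config.getProperty(key(namespace, KEYSTORE_TYPE), defaultConfig.getKeyStoreType()));
        result.setKeyStorePath(config.getProperty(key(namespace, KEYSTORE_PATH), defaultConfig.getKeyStorePath()));
        // Secret: keep it out of logs and error messages.
        result.setKeyStorePassword(
                config.getProperty(key(namespace, KEYSTORE_PASSWORD), defaultConfig.getKeyStorePassword()));
        result.setTrustStoreType(
                config.getProperty(key(namespace, TRUSTSTORE_TYPE), defaultConfig.getTrustStoreType()));
        result.setTrustStorePath(
                config.getProperty(key(namespace, TRUSTSTORE_PATH), defaultConfig.getTrustStorePath()));
        result.setTrustStorePassword(
                config.getProperty(key(namespace, TRUSTSTORE_PASSWORD), defaultConfig.getTrustStorePassword()));
        result.setSslProvider(config.getProperty(key(namespace, SSL_PROVIDER), defaultConfig.getSslProvider()));
        // "insecure" switches createTrustManagerFactory(TlsConfig) to an accept-everything trust manager.
        result.setInsecure(config.getProperty(key(namespace, INSECURE), defaultConfig.isInsecure()));
        return result;
    }

    /**
     * Creates a {@link KeyManagerFactory} from the key store described by {@code tlsConfig}.
     *
     * @see #createKeyManagerFactory(String, String, String)
     */
    public static KeyManagerFactory createKeyManagerFactory(TlsConfig tlsConfig) {
        return createKeyManagerFactory(tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword(),
                tlsConfig.getKeyStoreType());
    }

    /**
     * Loads a key store and wraps it in a {@link KeyManagerFactory} using the JDK default algorithm.
     *
     * @param keyStorePath     store location, resolved by {@link #makeKeyOrTrustStoreUrl(String)}; must not be null
     * @param keyStorePassword store password, also used as the key password; must not be null
     * @param keyStoreType     {@link KeyStore#getInstance(String)} type, e.g. {@code PKCS12}
     * @return an initialised factory
     * @throws NullPointerException if the path or password is null
     * @throws RuntimeException     wrapping any failure to open, load or initialise the store; the message carries the
     *                              store path only, never the password
     */
    public static KeyManagerFactory createKeyManagerFactory(String keyStorePath, String keyStorePassword,
            String keyStoreType) {
        Preconditions.checkNotNull(keyStorePath, "key store path must not be null");
        Preconditions.checkNotNull(keyStorePassword, "key store password must not be null");
        try {
            KeyStore keyStore = KeyStore.getInstance(keyStoreType);
            char[] password = keyStorePassword.toCharArray();
            // try-with-resources: the stream is closed even when load() throws.
            try (InputStream in = makeKeyOrTrustStoreUrl(keyStorePath).openStream()) {
                keyStore.load(in, password);
            }
            KeyManagerFactory keyManagerFactory =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, password);
            return keyManagerFactory;
        } catch (Exception e) {
            throw new RuntimeException(String.format("Could not create key manager factory '%s'", keyStorePath), e);
        }
    }

    /**
     * Creates a {@link TrustManagerFactory} from {@code tlsConfig}.
     *
     * <p>If {@link TlsConfig#isInsecure()} is set, Netty's {@link InsecureTrustManagerFactory} is returned: it
     * accepts every certificate, so peers are not authenticated at all. A warning is logged in that case.
     *
     * @see #createTrustManagerFactory(String, String, String)
     */
    public static TrustManagerFactory createTrustManagerFactory(TlsConfig tlsConfig) {
        if (tlsConfig.isInsecure()) {
            LOGGER.warn("TLS insecure mode enabled: peer certificates will NOT be verified");
            return InsecureTrustManagerFactory.INSTANCE;
        }
        return createTrustManagerFactory(tlsConfig.getTrustStorePath(), tlsConfig.getTrustStorePassword(),
                tlsConfig.getTrustStoreType());
    }

    /**
     * Loads a trust store and wraps it in a {@link TrustManagerFactory} using the JDK default algorithm.
     *
     * @param trustStorePath     store location, resolved by {@link #makeKeyOrTrustStoreUrl(String)}; must not be null
     * @param trustStorePassword store password; must not be null
     * @param trustStoreType     {@link KeyStore#getInstance(String)} type, e.g. {@code PKCS12}
     * @return an initialised factory
     * @throws NullPointerException if the path or password is null
     * @throws RuntimeException     wrapping any failure to open, load or initialise the store; the message carries the
     *                              store path only, never the password
     */
    public static TrustManagerFactory createTrustManagerFactory(String trustStorePath, String trustStorePassword,
            String trustStoreType) {
        Preconditions.checkNotNull(trustStorePath, "trust store path must not be null");
        Preconditions.checkNotNull(trustStorePassword, "trust store password must not be null");
        try {
            KeyStore trustStore = KeyStore.getInstance(trustStoreType);
            // try-with-resources: the stream is closed even when load() throws.
            try (InputStream in = makeKeyOrTrustStoreUrl(trustStorePath).openStream()) {
                trustStore.load(in, trustStorePassword.toCharArray());
            }
            TrustManagerFactory trustManagerFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            return trustManagerFactory;
        } catch (Exception e) {
            throw new RuntimeException(
                    String.format("Could not create trust manager factory '%s'", trustStorePath), e);
        }
    }

    /**
     * Installs the JVM-wide default {@link SSLContext} from the store settings in {@code tlsConfig}.
     *
     * <p>Note that only the store type/path/password fields are forwarded; {@link TlsConfig#isInsecure()} and
     * {@link TlsConfig#getSslProvider()} are not consulted by this overload.
     *
     * @see #installDefaultSSLSocketFactory(String, String, String, String, String, String)
     */
    public static void installDefaultSSLSocketFactory(TlsConfig tlsConfig) {
        installDefaultSSLSocketFactory(tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(),
                tlsConfig.getKeyStorePassword(), tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(),
                tlsConfig.getTrustStorePassword());
    }

    /**
     * Builds an {@link SSLContext} from the given stores, installs its socket factory as the
     * {@link HttpsURLConnection} default for the whole JVM and records it via {@link #setSslContext(SSLContext)}.
     *
     * <p>With neither a key store nor a trust store path the context is initialised with {@code null} managers,
     * i.e. the JDK defaults. Otherwise the context comes from {@link RenewableTlsUtils}; when every configured store
     * is a {@code file:} location, automatic reload of the stores from disk is enabled as well.
     *
     * @param keyStoreType       key store type, may be null when {@code keyStorePath} is null
     * @param keyStorePath       key store location, or null for no client/server identity
     * @param keyStorePassword   key store password
     * @param trustStoreType     trust store type
     * @param trustStorePath     trust store location, or null for the JDK default trust
     * @param trustStorePassword trust store password
     * @throws IllegalStateException if the context cannot be built
     */
    public static void installDefaultSSLSocketFactory(String keyStoreType, String keyStorePath,
            String keyStorePassword, String trustStoreType, String trustStorePath, String trustStorePassword) {
        try {
            SecureRandom secureRandom = new SecureRandom();
            SSLContext sslContext;
            if (keyStorePath == null && trustStorePath == null) {
                // No custom material: JDK default key managers and trust store.
                sslContext = SSLContext.getInstance(SSL_CONTEXT_PROTOCOL);
                sslContext.init(null, null, secureRandom);
            } else {
                // The two trailing booleans are RenewableTlsUtils flags; their meaning is defined there.
                SSLFactory sslFactory = RenewableTlsUtils.createSSLFactory(keyStoreType, keyStorePath,
                        keyStorePassword, trustStoreType, trustStorePath, trustStorePassword, SSL_CONTEXT_PROTOCOL,
                        secureRandom, true, false);
                if (isKeyOrTrustStorePathNullOrHasFileScheme(keyStorePath)
                        && isKeyOrTrustStorePathNullOrHasFileScheme(trustStorePath)) {
                    // Auto-renewal only makes sense for stores that live on the local file system.
                    RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(sslFactory, keyStoreType,
                            keyStorePath, keyStorePassword, trustStoreType, trustStorePath, trustStorePassword,
                            SSL_CONTEXT_PROTOCOL, secureRandom, PinotInsecureMode::isPinotInInsecureMode);
                }
                sslContext = sslFactory.getSslContext();
            }
            // Process-wide side effect: every HttpsURLConnection in this JVM now uses this context.
            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
            setSslContext(sslContext);
        } catch (GeneralSecurityException | GenericSSLContextException e) {
            throw new IllegalStateException("Could not initialize SSL support", e);
        }
    }

    /** Joins a configuration namespace and a setting name with a dot. */
    private static String key(String namespace, String setting) {
        return namespace + "." + setting;
    }

    /**
     * Turns a configured store path into a {@link URL}.
     *
     * <p>A value with a URI scheme is used as-is, so anything the JDK's URL handlers can open is accepted (remote
     * schemes included — avoid them for private keys). A scheme-less absolute path becomes
     * {@code file://<path>}; a scheme-less relative path becomes {@code file://./<path>}.
     *
     * @param storePath configured path or URI
     * @return the store URL
     * @throws URISyntaxException    if {@code storePath} is not a valid URI (e.g. contains an unescaped space)
     * @throws MalformedURLException if the resulting URL is invalid
     */
    public static URL makeKeyOrTrustStoreUrl(String storePath) throws URISyntaxException, MalformedURLException {
        URI uri = new URI(storePath);
        if (!StringUtils.isBlank(uri.getScheme())) {
            return uri.toURL();
        }
        if (storePath.startsWith("/")) {
            return new URL(FILE_SCHEME_PREFIX + storePath);
        }
        // NOTE(review): the "." here ends up in the URL's authority component rather than in the path — confirm the
        // JDK file handler resolves such URLs relative to the working directory in every supported JDK.
        return new URL(FILE_SCHEME_PREFIX + "./" + storePath);
    }

    /**
     * Returns the process-wide {@link SSLContext}.
     *
     * <p>The value is fixed on the first call: the context previously installed through
     * {@link #setSslContext(SSLContext)} if there is one, otherwise {@link SSLContexts#createDefault()}. A context
     * installed after the first call is ignored.
     */
    public static SSLContext getSslContext() {
        return SSLContextHolder.SSL_CONTEXT;
    }

    /**
     * Records the process-wide {@link SSLContext}. The first call wins; later calls are ignored with a warning.
     * Must run before the first {@link #getSslContext()} to take effect.
     *
     * @param sslContext the context to install
     */
    public static void setSslContext(SSLContext sslContext) {
        if (!SSL_CONTEXT_REF.compareAndSet(null, sslContext)) {
            LOGGER.warn("SSL Context has already been set.");
        }
    }

    /**
     * Builds a Netty client {@link SslContext} from {@code tlsConfig}.
     *
     * <p>Key and trust managers come from {@link RenewableTlsUtils}; whichever of them is absent is left to Netty's
     * defaults. {@link TlsConfig#getSslProvider()} must be a name of {@link SslProvider}.
     *
     * @throws RuntimeException wrapping any failure to build the context
     */
    public static SslContext buildClientContext(TlsConfig tlsConfig) {
        SSLFactory sslFactory = RenewableTlsUtils.createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig,
                PinotInsecureMode::isPinotInInsecureMode);
        SslContextBuilder builder =
                SslContextBuilder.forClient().sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
        sslFactory.getKeyManagerFactory().ifPresent(builder::keyManager);
        sslFactory.getTrustManagerFactory().ifPresent(builder::trustManager);
        // NOTE(review): no endpoint identification algorithm is configured here, so hostname verification for
        // connections made with this context must be handled by the caller — confirm where that happens.
        try {
            return builder.build();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds a Netty server {@link SslContext} from {@code tlsConfig}.
     *
     * <p>A key store path is mandatory. When {@link TlsConfig#isClientAuthEnabled()} is set the server requires a
     * client certificate ({@link ClientAuth#REQUIRE}); otherwise clients are not authenticated by TLS.
     *
     * @throws IllegalArgumentException if no key store path is configured
     * @throws IllegalStateException    if {@link RenewableTlsUtils} yields no key manager factory
     * @throws RuntimeException         wrapping any failure to build the context
     */
    public static SslContext buildServerContext(TlsConfig tlsConfig) {
        if (tlsConfig.getKeyStorePath() == null) {
            throw new IllegalArgumentException("Must provide key store path for secured server");
        }
        SSLFactory sslFactory = RenewableTlsUtils.createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(tlsConfig,
                PinotInsecureMode::isPinotInInsecureMode);
        KeyManagerFactory keyManagerFactory = sslFactory.getKeyManagerFactory().orElseThrow(
                () -> new IllegalStateException("No key manager factory available for secured server"));
        SslContextBuilder builder = SslContextBuilder.forServer(keyManagerFactory)
                .sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
        sslFactory.getTrustManagerFactory().ifPresent(builder::trustManager);
        if (tlsConfig.isClientAuthEnabled()) {
            builder.clientAuth(ClientAuth.REQUIRE);
        }
        try {
            return builder.build();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates an Apache HttpClient 5 {@link SSLConnectionSocketFactory} over {@link #getSslContext()}.
     * Hostname verification is whatever that constructor applies by default.
     */
    public static SSLConnectionSocketFactory buildConnectionSocketFactory() {
        return new SSLConnectionSocketFactory(getSslContext());
    }

    /**
     * Returns true when {@code storePath} is null or resolves (via {@link #makeKeyOrTrustStoreUrl(String)}) to a URL
     * whose scheme starts with {@code file}. Used to decide whether on-disk auto-renewal can be enabled.
     *
     * @throws RuntimeException wrapping any URI/URL parse failure
     */
    static boolean isKeyOrTrustStorePathNullOrHasFileScheme(String storePath) {
        if (storePath == null) {
            return true;
        }
        try {
            return makeKeyOrTrustStoreUrl(storePath).toURI().getScheme().startsWith(FILE_SCHEME);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}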
