package org.apache.pinot.common.utils;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.exception.GenericSSLContextException;
import nl.altindag.ssl.keymanager.HotSwappableX509ExtendedKeyManager;
import nl.altindag.ssl.trustmanager.HotSwappableX509ExtendedTrustManager;
import nl.altindag.ssl.util.SSLFactoryUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.http.ssl.SSLContexts;
import org.apache.pinot.common.config.TlsConfig;
import org.apache.pinot.common.exception.QueryException;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.apache.pinot.spi.utils.retry.RetryPolicies;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pinot/common/utils/TlsUtils.class */
public final class TlsUtils {
    private static final String CLIENT_AUTH_ENABLED = "client.auth.enabled";
    private static final String KEYSTORE_TYPE = "keystore.type";
    private static final String KEYSTORE_PATH = "keystore.path";
    private static final String KEYSTORE_PASSWORD = "keystore.password";
    private static final String TRUSTSTORE_TYPE = "truststore.type";
    private static final String TRUSTSTORE_PATH = "truststore.path";
    private static final String TRUSTSTORE_PASSWORD = "truststore.password";
    private static final String SSL_PROVIDER = "ssl.provider";
    private static final String FILE_SCHEME = "file";
    private static final String FILE_SCHEME_PREFIX = "file://";
    private static final String FILE_SCHEME_PREFIX_WITHOUT_SLASH = "file:";
    private static final Logger LOGGER = LoggerFactory.getLogger(TlsUtils.class);
    private static final AtomicReference<SSLContext> SSL_CONTEXT_REF = new AtomicReference<>();

    /* loaded from: input_file:org/apache/pinot/common/utils/TlsUtils$SSLContextHolder.class */
    private static final class SSLContextHolder {
        static final SSLContext SSL_CONTEXT;

        private SSLContextHolder() {
        }

        static {
            SSL_CONTEXT = TlsUtils.SSL_CONTEXT_REF.get() == null ? SSLContexts.createDefault() : TlsUtils.SSL_CONTEXT_REF.get();
        }
    }

    private TlsUtils() {
    }

    public static TlsConfig extractTlsConfig(PinotConfiguration pinotConfiguration, String str) {
        return extractTlsConfig(pinotConfiguration, str, new TlsConfig());
    }

    public static TlsConfig extractTlsConfig(PinotConfiguration pinotConfiguration, String str, TlsConfig tlsConfig) {
        TlsConfig tlsConfig2 = new TlsConfig(tlsConfig);
        tlsConfig2.setClientAuthEnabled(pinotConfiguration.getProperty(key(str, CLIENT_AUTH_ENABLED), tlsConfig.isClientAuthEnabled()));
        tlsConfig2.setKeyStoreType(pinotConfiguration.getProperty(key(str, KEYSTORE_TYPE), tlsConfig.getKeyStoreType()));
        tlsConfig2.setKeyStorePath(pinotConfiguration.getProperty(key(str, KEYSTORE_PATH), tlsConfig.getKeyStorePath()));
        tlsConfig2.setKeyStorePassword(pinotConfiguration.getProperty(key(str, KEYSTORE_PASSWORD), tlsConfig.getKeyStorePassword()));
        tlsConfig2.setTrustStoreType(pinotConfiguration.getProperty(key(str, TRUSTSTORE_TYPE), tlsConfig.getTrustStoreType()));
        tlsConfig2.setTrustStorePath(pinotConfiguration.getProperty(key(str, TRUSTSTORE_PATH), tlsConfig.getTrustStorePath()));
        tlsConfig2.setTrustStorePassword(pinotConfiguration.getProperty(key(str, TRUSTSTORE_PASSWORD), tlsConfig.getTrustStorePassword()));
        tlsConfig2.setSslProvider(pinotConfiguration.getProperty(key(str, SSL_PROVIDER), tlsConfig.getSslProvider()));
        return tlsConfig2;
    }

    public static KeyManagerFactory createKeyManagerFactory(TlsConfig tlsConfig) {
        return createKeyManagerFactory(tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword(), tlsConfig.getKeyStoreType());
    }

    public static KeyManagerFactory createKeyManagerFactory(String str, String str2, String str3) {
        Preconditions.checkNotNull(str, "key store path must not be null");
        Preconditions.checkNotNull(str2, "key store password must not be null");
        try {
            KeyStore keyStore = KeyStore.getInstance(str3);
            InputStream openStream = makeKeyOrTrustStoreUrl(str).openStream();
            try {
                keyStore.load(openStream, str2.toCharArray());
                if (openStream != null) {
                    openStream.close();
                }
                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                keyManagerFactory.init(keyStore, str2.toCharArray());
                return keyManagerFactory;
            } finally {
            }
        } catch (Exception e) {
            throw new RuntimeException(String.format("Could not create key manager factory '%s'", str), e);
        }
    }

    public static TrustManagerFactory createTrustManagerFactory(TlsConfig tlsConfig) {
        return createTrustManagerFactory(tlsConfig.getTrustStorePath(), tlsConfig.getTrustStorePassword(), tlsConfig.getTrustStoreType());
    }

    public static TrustManagerFactory createTrustManagerFactory(String str, String str2, String str3) {
        Preconditions.checkNotNull(str, "trust store path must not be null");
        Preconditions.checkNotNull(str2, "trust store password must not be null");
        try {
            KeyStore keyStore = KeyStore.getInstance(str3);
            InputStream openStream = makeKeyOrTrustStoreUrl(str).openStream();
            try {
                keyStore.load(openStream, str2.toCharArray());
                if (openStream != null) {
                    openStream.close();
                }
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trustManagerFactory.init(keyStore);
                return trustManagerFactory;
            } finally {
            }
        } catch (Exception e) {
            throw new RuntimeException(String.format("Could not create trust manager factory '%s'", str), e);
        }
    }

    public static void installDefaultSSLSocketFactory(TlsConfig tlsConfig) {
        installDefaultSSLSocketFactory(tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword(), tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(), tlsConfig.getTrustStorePassword());
    }

    public static void installDefaultSSLSocketFactory(String str, String str2, String str3, String str4, String str5, String str6) {
        try {
            SecureRandom secureRandom = new SecureRandom();
            SSLFactory createSSLFactory = createSSLFactory(str, str2, str3, str4, str5, str6, "SSL", secureRandom, true);
            if (isKeyOrTrustStorePathNullOrHasFileScheme(str2) && isKeyOrTrustStorePathNullOrHasFileScheme(str5)) {
                enableAutoRenewalFromFileStoreForSSLFactory(createSSLFactory, str, str2, str3, str4, str5, str6, "SSL", secureRandom);
            }
            HttpsURLConnection.setDefaultSSLSocketFactory(createSSLFactory.getSslSocketFactory());
            setSslContext(createSSLFactory.getSslContext());
        } catch (GenericSSLContextException e) {
            throw new IllegalStateException("Could not initialize SSL support", e);
        }
    }

    private static String key(String str, String str2) {
        return str + "." + str2;
    }

    public static URL makeKeyOrTrustStoreUrl(String str) throws URISyntaxException, MalformedURLException {
        URI uri = new URI(str);
        return StringUtils.isBlank(uri.getScheme()) ? str.startsWith("/") ? new URL("file://" + str) : new URL("file://./" + str) : uri.toURL();
    }

    public static SSLContext getSslContext() {
        return SSLContextHolder.SSL_CONTEXT;
    }

    public static void setSslContext(SSLContext sSLContext) {
        if (SSL_CONTEXT_REF.compareAndSet(null, sSLContext)) {
            return;
        }
        LOGGER.warn("SSL Context has already been set.");
    }

    public static SslContext buildClientContext(TlsConfig tlsConfig) {
        SSLFactory createSSLFactory = createSSLFactory(tlsConfig);
        if (isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getKeyStorePath()) && isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getTrustStorePath())) {
            enableAutoRenewalFromFileStoreForSSLFactory(createSSLFactory, tlsConfig);
        }
        SslContextBuilder sslProvider = SslContextBuilder.forClient().sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
        Optional keyManagerFactory = createSSLFactory.getKeyManagerFactory();
        Objects.requireNonNull(sslProvider);
        keyManagerFactory.ifPresent(sslProvider::keyManager);
        Optional trustManagerFactory = createSSLFactory.getTrustManagerFactory();
        Objects.requireNonNull(sslProvider);
        trustManagerFactory.ifPresent(sslProvider::trustManager);
        try {
            return sslProvider.build();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static SslContext buildServerContext(TlsConfig tlsConfig) {
        if (tlsConfig.getKeyStorePath() == null) {
            throw new IllegalArgumentException("Must provide key store path for secured server");
        }
        SSLFactory createSSLFactory = createSSLFactory(tlsConfig);
        if (isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getKeyStorePath()) && isKeyOrTrustStorePathNullOrHasFileScheme(tlsConfig.getTrustStorePath())) {
            enableAutoRenewalFromFileStoreForSSLFactory(createSSLFactory, tlsConfig);
        }
        SslContextBuilder sslProvider = SslContextBuilder.forServer((KeyManagerFactory) createSSLFactory.getKeyManagerFactory().get()).sslProvider(SslProvider.valueOf(tlsConfig.getSslProvider()));
        Optional trustManagerFactory = createSSLFactory.getTrustManagerFactory();
        Objects.requireNonNull(sslProvider);
        trustManagerFactory.ifPresent(sslProvider::trustManager);
        if (tlsConfig.isClientAuthEnabled()) {
            sslProvider.clientAuth(ClientAuth.REQUIRE);
        }
        try {
            return sslProvider.build();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static boolean isKeyOrTrustStorePathNullOrHasFileScheme(String str) {
        if (str != null) {
            try {
                if (!makeKeyOrTrustStoreUrl(str).toURI().getScheme().startsWith(FILE_SCHEME)) {
                    return false;
                }
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        return true;
    }

    public static void enableAutoRenewalFromFileStoreForSSLFactory(SSLFactory sSLFactory, TlsConfig tlsConfig) {
        enableAutoRenewalFromFileStoreForSSLFactory(sSLFactory, tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword(), tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(), tlsConfig.getTrustStorePassword(), null, null);
    }

    private static void enableAutoRenewalFromFileStoreForSSLFactory(SSLFactory sSLFactory, String str, String str2, String str3, String str4, String str5, String str6, String str7, SecureRandom secureRandom) {
        URL makeKeyOrTrustStoreUrl;
        if (str2 == null) {
            makeKeyOrTrustStoreUrl = null;
        } else {
            try {
                makeKeyOrTrustStoreUrl = makeKeyOrTrustStoreUrl(str2);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        URL url = makeKeyOrTrustStoreUrl;
        URL makeKeyOrTrustStoreUrl2 = str5 == null ? null : makeKeyOrTrustStoreUrl(str5);
        if (url != null) {
            Preconditions.checkArgument(url.toURI().getScheme().startsWith(FILE_SCHEME), "key store path must be a local file path or null when SSL auto renew is enabled");
            Preconditions.checkArgument(sSLFactory.getKeyManager().isPresent() && (sSLFactory.getKeyManager().get() instanceof HotSwappableX509ExtendedKeyManager), "key manager of the existing SSLFactory must be swappable");
        }
        if (makeKeyOrTrustStoreUrl2 != null) {
            Preconditions.checkArgument(makeKeyOrTrustStoreUrl2.toURI().getScheme().startsWith(FILE_SCHEME), "trust store path must be a local file path or null when SSL auto renew is enabled");
            Preconditions.checkArgument(sSLFactory.getTrustManager().isPresent() && (sSLFactory.getTrustManager().get() instanceof HotSwappableX509ExtendedTrustManager), "trust manager of the existing SSLFactory must be swappable");
        }
        Executors.newSingleThreadExecutor().execute(() -> {
            try {
                reloadSslFactoryWhenFileStoreChanges(sSLFactory, str, str2, str3, str4, str5, str6, str7, secureRandom);
            } catch (Exception e2) {
                throw new RuntimeException(e2);
            }
        });
    }

    @VisibleForTesting
    static void reloadSslFactoryWhenFileStoreChanges(SSLFactory sSLFactory, String str, String str2, String str3, String str4, String str5, String str6, String str7, SecureRandom secureRandom) throws IOException, URISyntaxException, InterruptedException {
        LOGGER.info("Enable auto renewal of SSLFactory {} when key store {} or trust store {} changes", new Object[]{sSLFactory, str2, str5});
        WatchService newWatchService = FileSystems.getDefault().newWatchService();
        HashMap hashMap = new HashMap();
        registerFile(newWatchService, hashMap, str2);
        registerFile(newWatchService, hashMap, str5);
        while (true) {
            WatchKey take = newWatchService.take();
            if (take == null) {
                return;
            }
            Iterator<WatchEvent<?>> it = take.pollEvents().iterator();
            while (it.hasNext()) {
                Path path = (Path) it.next().context();
                if (((Set) hashMap.get(take)).contains(path)) {
                    LOGGER.info("Detected change in file: {}, try to renew SSLFactory {} (built from key store {} and truststore {})", new Object[]{path, sSLFactory, str2, str5});
                    try {
                        RetryPolicies.fixedDelayRetryPolicy(3, QueryException.UNKNOWN_ERROR_CODE).attempt(() -> {
                            try {
                                SSLFactoryUtils.reload(sSLFactory, createSSLFactory(str, str2, str3, str4, str5, str6, str7, secureRandom, false));
                                LOGGER.info("Successfully renewed SSLFactory {} (built from key store {} and truststore {}) on file {} changes", new Object[]{sSLFactory, str2, str5, path});
                                return true;
                            } catch (Exception e) {
                                LOGGER.info("Encountered issues when renewing SSLFactory {} (built from key store {} and truststore {}) on file {} changes", new Object[]{sSLFactory, str2, str5, path, e});
                                return false;
                            }
                        });
                    } catch (Exception e) {
                        LOGGER.error("Failed to renew SSLFactory {} (built from key store {} and truststore {}) on file {} changes after {} retries", new Object[]{sSLFactory, str2, str5, path, 3, e});
                    }
                }
            }
            take.reset();
        }
    }

    @VisibleForTesting
    static void registerFile(WatchService watchService, Map<WatchKey, Set<Path>> map, String str) throws IOException, URISyntaxException {
        if (str == null) {
            return;
        }
        Path of = Path.of(makeKeyOrTrustStoreUrl(str).getPath(), new String[0]);
        WatchKey register = of.getParent().register(watchService, StandardWatchEventKinds.ENTRY_MODIFY);
        map.computeIfAbsent(register, watchKey -> {
            return new HashSet();
        });
        map.get(register).add(of.getFileName());
    }

    public static SSLFactory createSSLFactory(TlsConfig tlsConfig) {
        return createSSLFactory(tlsConfig.getKeyStoreType(), tlsConfig.getKeyStorePath(), tlsConfig.getKeyStorePassword(), tlsConfig.getTrustStoreType(), tlsConfig.getTrustStorePath(), tlsConfig.getTrustStorePassword(), null, null, true);
    }

    @VisibleForTesting
    static SSLFactory createSSLFactory(String str, String str2, String str3, String str4, String str5, String str6, String str7, SecureRandom secureRandom, boolean z) {
        try {
            SSLFactory.Builder builder = SSLFactory.builder();
            InputStream inputStream = null;
            InputStream inputStream2 = null;
            if (str2 != null) {
                Preconditions.checkNotNull(str3, "key store password must not be null");
                inputStream = makeKeyOrTrustStoreUrl(str2).openStream();
                if (z) {
                    builder.withSwappableIdentityMaterial();
                }
                builder.withIdentityMaterial(inputStream, str3.toCharArray(), str);
            }
            if (str5 != null) {
                Preconditions.checkNotNull(str6, "trust store password must not be null");
                inputStream2 = makeKeyOrTrustStoreUrl(str5).openStream();
                if (z) {
                    builder.withSwappableTrustMaterial();
                }
                builder.withTrustMaterial(inputStream2, str6.toCharArray(), str4);
            }
            if (str7 != null) {
                builder.withSslContextAlgorithm(str7);
            }
            if (secureRandom != null) {
                builder.withSecureRandom(secureRandom);
            }
            SSLFactory build = builder.build();
            if (inputStream != null) {
                inputStream.close();
            }
            if (inputStream2 != null) {
                inputStream2.close();
            }
            LOGGER.info("Successfully created SSLFactory {} with key store {} and trust store {}. Key and trust material swappable: {}", new Object[]{build, str2, str5, Boolean.valueOf(z)});
            return build;
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }
}
