package io.opentelemetry.testing.internal.armeria.internal.common;

import io.opentelemetry.testing.internal.armeria.client.ClientTlsConfig;
import io.opentelemetry.testing.internal.armeria.common.AbstractTlsConfig;
import io.opentelemetry.testing.internal.armeria.common.TlsKeyPair;
import io.opentelemetry.testing.internal.armeria.common.TlsProvider;
import io.opentelemetry.testing.internal.armeria.common.annotation.Nullable;
import io.opentelemetry.testing.internal.armeria.common.metric.CloseableMeterBinder;
import io.opentelemetry.testing.internal.armeria.common.metric.MeterIdPrefix;
import io.opentelemetry.testing.internal.armeria.common.metric.MoreMeterBinders;
import io.opentelemetry.testing.internal.armeria.common.util.TlsEngineType;
import io.opentelemetry.testing.internal.armeria.internal.common.util.ReentrantShortLock;
import io.opentelemetry.testing.internal.armeria.internal.common.util.SslContextUtil;
import io.opentelemetry.testing.internal.armeria.internal.shaded.guava.base.MoreObjects;
import io.opentelemetry.testing.internal.armeria.internal.shaded.guava.collect.ImmutableList;
import io.opentelemetry.testing.internal.armeria.server.ServerTlsConfig;
import io.opentelemetry.testing.internal.io.micrometer.core.instrument.MeterRegistry;
import io.opentelemetry.testing.internal.io.netty.handler.codec.rtsp.RtspHeaders;
import io.opentelemetry.testing.internal.io.netty.handler.ssl.SslContext;
import io.opentelemetry.testing.internal.io.netty.handler.ssl.SslContextBuilder;
import io.opentelemetry.testing.internal.io.netty.handler.ssl.SslProvider;
import io.opentelemetry.testing.internal.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

/* loaded from: input_file:io/opentelemetry/testing/internal/armeria/internal/common/SslContextFactory.class */
public final class SslContextFactory {
    private static final MeterIdPrefix SERVER_METER_ID_PREFIX;
    private static final MeterIdPrefix CLIENT_METER_ID_PREFIX;
    private final TlsProvider tlsProvider;
    private final TlsEngineType engineType;
    private final MeterRegistry meterRegistry;

    @Nullable
    private final AbstractTlsConfig tlsConfig;

    @Nullable
    private final MeterIdPrefix meterIdPrefix;
    private final boolean allowsUnsafeCiphers;
    static final /* synthetic */ boolean $assertionsDisabled;
    private final Map<CacheKey, SslContextHolder> cache = new HashMap();
    private final Map<SslContext, CacheKey> reverseCache = new HashMap();
    private final ReentrantShortLock lock = new ReentrantShortLock();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/opentelemetry/testing/internal/armeria/internal/common/SslContextFactory$CacheKey.class */
    public static final class CacheKey {
        private final SslContextMode mode;

        @Nullable
        private final TlsKeyPair tlsKeyPair;
        private final List<X509Certificate> trustedCertificates;

        private CacheKey(SslContextMode sslContextMode, @Nullable TlsKeyPair tlsKeyPair, List<X509Certificate> list) {
            this.mode = sslContextMode;
            this.tlsKeyPair = tlsKeyPair;
            this.trustedCertificates = list;
        }

        SslContextMode mode() {
            return this.mode;
        }

        @Nullable
        TlsKeyPair tlsKeyPair() {
            return this.tlsKeyPair;
        }

        public List<X509Certificate> trustedCertificates() {
            return this.trustedCertificates;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof CacheKey)) {
                return false;
            }
            CacheKey cacheKey = (CacheKey) obj;
            return this.mode == cacheKey.mode && Objects.equals(this.tlsKeyPair, cacheKey.tlsKeyPair) && this.trustedCertificates.equals(cacheKey.trustedCertificates);
        }

        public int hashCode() {
            return Objects.hash(this.mode, this.tlsKeyPair, this.trustedCertificates);
        }

        public String toString() {
            return MoreObjects.toStringHelper(this).omitNullValues().add(RtspHeaders.Values.MODE, this.mode).add("tlsKeyPair", this.tlsKeyPair).add("trustedCertificates", this.trustedCertificates).toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/opentelemetry/testing/internal/armeria/internal/common/SslContextFactory$SslContextHolder.class */
    public static final class SslContextHolder {
        private final SslContext sslContext;

        @Nullable
        private final CloseableMeterBinder meterBinder;
        private long refCnt;
        static final /* synthetic */ boolean $assertionsDisabled;

        SslContextHolder(SslContext sslContext, @Nullable CloseableMeterBinder closeableMeterBinder) {
            this.sslContext = sslContext;
            this.meterBinder = closeableMeterBinder;
        }

        SslContext sslContext() {
            return this.sslContext;
        }

        void retain() {
            this.refCnt++;
        }

        boolean release() {
            this.refCnt--;
            if ($assertionsDisabled || this.refCnt >= 0) {
                return this.refCnt == 0;
            }
            throw new AssertionError("refCount: " + this.refCnt);
        }

        void destroy() {
            if (this.meterBinder != null) {
                this.meterBinder.close();
            }
        }

        static {
            $assertionsDisabled = !SslContextFactory.class.desiredAssertionStatus();
        }
    }

    /* loaded from: input_file:io/opentelemetry/testing/internal/armeria/internal/common/SslContextFactory$SslContextMode.class */
    public enum SslContextMode {
        SERVER,
        CLIENT_HTTP1_ONLY,
        CLIENT
    }

    public SslContextFactory(TlsProvider tlsProvider, TlsEngineType tlsEngineType, @Nullable AbstractTlsConfig abstractTlsConfig, MeterRegistry meterRegistry) {
        if (!$assertionsDisabled && tlsEngineType.sslProvider() == SslProvider.OPENSSL_REFCNT) {
            throw new AssertionError();
        }
        this.tlsProvider = tlsProvider;
        this.engineType = tlsEngineType;
        this.meterRegistry = meterRegistry;
        if (abstractTlsConfig != null) {
            this.tlsConfig = abstractTlsConfig;
            this.meterIdPrefix = abstractTlsConfig.meterIdPrefix();
            this.allowsUnsafeCiphers = abstractTlsConfig.allowsUnsafeCiphers();
        } else {
            this.tlsConfig = null;
            this.meterIdPrefix = null;
            this.allowsUnsafeCiphers = false;
        }
    }

    public SslContext getOrCreate(SslContextMode sslContextMode, String str) {
        this.lock.lock();
        try {
            CacheKey cacheKey = new CacheKey(sslContextMode, findTlsKeyPair(sslContextMode, str), findTrustedCertificates(str));
            SslContextHolder computeIfAbsent = this.cache.computeIfAbsent(cacheKey, this::create);
            computeIfAbsent.retain();
            this.reverseCache.putIfAbsent(computeIfAbsent.sslContext(), cacheKey);
            SslContext sslContext = computeIfAbsent.sslContext();
            this.lock.unlock();
            return sslContext;
        } catch (Throwable th) {
            this.lock.unlock();
            throw th;
        }
    }

    public void release(SslContext sslContext) {
        this.lock.lock();
        try {
            CacheKey cacheKey = this.reverseCache.get(sslContext);
            SslContextHolder sslContextHolder = this.cache.get(cacheKey);
            if (!$assertionsDisabled && sslContextHolder == null) {
                throw new AssertionError("sslContext not found in the cache: " + sslContext);
            }
            if (sslContextHolder.release()) {
                SslContextHolder remove = this.cache.remove(cacheKey);
                if (!$assertionsDisabled && remove != sslContextHolder) {
                    throw new AssertionError();
                }
                this.reverseCache.remove(sslContext);
                sslContextHolder.destroy();
            }
        } finally {
            this.lock.unlock();
        }
    }

    @Nullable
    private TlsKeyPair findTlsKeyPair(SslContextMode sslContextMode, String str) {
        TlsKeyPair keyPair = this.tlsProvider.keyPair(str);
        if (keyPair == null) {
            keyPair = this.tlsProvider.keyPair("*");
        }
        if (sslContextMode == SslContextMode.SERVER && keyPair == null) {
            throw new IllegalStateException("No TLS key pair found for " + str);
        }
        return keyPair;
    }

    private List<X509Certificate> findTrustedCertificates(String str) {
        List<X509Certificate> trustedCertificates = this.tlsProvider.trustedCertificates(str);
        if (trustedCertificates == null) {
            trustedCertificates = this.tlsProvider.trustedCertificates("*");
        }
        return (List) MoreObjects.firstNonNull(trustedCertificates, ImmutableList.of());
    }

    private SslContextHolder create(CacheKey cacheKey) {
        MeterIdPrefix meterIdPrefix = meterIdPrefix(cacheKey.mode);
        SslContext newSslContext = newSslContext(cacheKey);
        ImmutableList.Builder builder = ImmutableList.builder();
        if (cacheKey.tlsKeyPair != null) {
            builder.addAll((Iterable) cacheKey.tlsKeyPair.certificateChain());
        }
        if (!cacheKey.trustedCertificates.isEmpty()) {
            builder.addAll((Iterable) cacheKey.trustedCertificates);
        }
        ImmutableList build = builder.build();
        CloseableMeterBinder closeableMeterBinder = null;
        if (!build.isEmpty()) {
            closeableMeterBinder = MoreMeterBinders.certificateMetrics(build, meterIdPrefix);
            closeableMeterBinder.bindTo(this.meterRegistry);
        }
        return new SslContextHolder(newSslContext, closeableMeterBinder);
    }

    private SslContext newSslContext(CacheKey cacheKey) {
        SslContextMode mode = cacheKey.mode();
        TlsKeyPair tlsKeyPair = cacheKey.tlsKeyPair();
        List<X509Certificate> trustedCertificates = cacheKey.trustedCertificates();
        if (mode != SslContextMode.SERVER) {
            return SslContextUtil.createSslContext(() -> {
                SslContextBuilder forClient = SslContextBuilder.forClient();
                if (tlsKeyPair != null) {
                    forClient.keyManager(tlsKeyPair.privateKey(), tlsKeyPair.certificateChain());
                }
                if (!trustedCertificates.isEmpty()) {
                    forClient.trustManager(trustedCertificates);
                }
                applyTlsConfig(forClient);
                return forClient;
            }, mode == SslContextMode.CLIENT_HTTP1_ONLY, this.engineType, this.allowsUnsafeCiphers, null, null);
        }
        if ($assertionsDisabled || tlsKeyPair != null) {
            return SslContextUtil.createSslContext(() -> {
                SslContextBuilder forServer = SslContextBuilder.forServer(tlsKeyPair.privateKey(), tlsKeyPair.certificateChain());
                if (!trustedCertificates.isEmpty()) {
                    forServer.trustManager(trustedCertificates);
                }
                applyTlsConfig(forServer);
                return forServer;
            }, false, this.engineType, this.allowsUnsafeCiphers, null, null);
        }
        throw new AssertionError();
    }

    private void applyTlsConfig(SslContextBuilder sslContextBuilder) {
        if (this.tlsConfig == null) {
            return;
        }
        if (this.tlsConfig instanceof ServerTlsConfig) {
            sslContextBuilder.clientAuth(((ServerTlsConfig) this.tlsConfig).clientAuth());
        } else {
            ClientTlsConfig clientTlsConfig = (ClientTlsConfig) this.tlsConfig;
            if (clientTlsConfig.tlsNoVerifySet()) {
                sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
            } else if (!clientTlsConfig.insecureHosts().isEmpty()) {
                sslContextBuilder.trustManager(IgnoreHostsTrustManager.of(clientTlsConfig.insecureHosts()));
            }
        }
        this.tlsConfig.tlsCustomizer().accept(sslContextBuilder);
    }

    private MeterIdPrefix meterIdPrefix(SslContextMode sslContextMode) {
        MeterIdPrefix meterIdPrefix = this.meterIdPrefix;
        if (meterIdPrefix == null) {
            meterIdPrefix = sslContextMode == SslContextMode.SERVER ? SERVER_METER_ID_PREFIX : CLIENT_METER_ID_PREFIX;
        }
        return meterIdPrefix;
    }

    public int numCachedContexts() {
        return this.cache.size();
    }

    static {
        $assertionsDisabled = !SslContextFactory.class.desiredAssertionStatus();
        SERVER_METER_ID_PREFIX = new MeterIdPrefix("armeria.server", "hostname.pattern", "UNKNOWN");
        CLIENT_METER_ID_PREFIX = new MeterIdPrefix("armeria.client");
    }
}
