package org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.internal.certprovider;

import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.Bootstrapper;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.EnvoyServerProtoData;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.internal.certprovider.CertificateProvider;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.internal.certprovider.CertificateProviderStore;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.internal.sds.DynamicSslContextProvider;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.shaded.io.envoyproxy.envoy.config.core.v3.Node;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import org.apache.pulsar.functions.runtime.shaded.javax.annotation.Nullable;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/pulsar/functions/runtime/shaded/io/grpc/xds/internal/certprovider/CertProviderSslContextProvider.class */
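/**
 * Base class for SSL context providers whose key material and trust roots are delivered
 * asynchronously through {@link CertificateProvider.Watcher} callbacks.
 *
 * <p>The TLS mode is derived from which provider instances were passed to the constructor:
 * both present means mTLS, only a root instance means client-side TLS, and only a certificate
 * instance means server-side TLS. The SSL context is rebuilt once every value the mode needs
 * has arrived, after which the saved values are dropped again.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code savedKey} holds a private key between callbacks. It is a protected field, so
 *       subclasses can read it; it must never be logged or exposed.</li>
 *   <li>{@code clearKeysAndCerts()} only drops this object's references. It does not erase the
 *       key material inside the {@link PrivateKey} object.</li>
 *   <li>The saved fields are plain (non-volatile) and the callbacks are not synchronized.
 *       NOTE(review): this looks safe only if the providers invoke the watcher from a single
 *       thread or under their own lock; confirm against the provider implementations.</li>
 * </ul>
 */
public abstract class CertProviderSslContextProvider extends DynamicSslContextProvider implements CertificateProvider.Watcher {

    // Handle for the identity (key + certificate chain) provider; null when no initialized
    // certificate instance was supplied.
    @Nullable
    private final CertificateProviderStore.Handle certHandle;

    // Handle for the trust-root provider; null when no initialized root instance was supplied
    // or when the root instance has the same instance name as the certificate instance.
    @Nullable
    private final CertificateProviderStore.Handle rootCertHandle;

    @Nullable
    private final CommonTlsContext.CertificateProviderInstance certInstance;

    @Nullable
    private final CommonTlsContext.CertificateProviderInstance rootCertInstance;

    // Private key from the most recent updateCertificate() call; nulled after each context update.
    @Nullable
    protected PrivateKey savedKey;

    // Certificate chain delivered together with savedKey; nulled after each context update.
    @Nullable
    protected List<X509Certificate> savedCertChain;

    // Trust anchors from the most recent updateTrustedRoots() call; nulled after each context update.
    @Nullable
    protected List<X509Certificate> savedTrustedRoots;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the provider configuration for each initialized instance and obtains a handle
     * for it from the store, passing this object as the watcher.
     *
     * <p>Both configurations are resolved before any handle is requested. A missing
     * configuration therefore fails before this object has been handed to the store, instead
     * of after a first handle was already created and can no longer be closed by anyone.
     *
     * @param node not used by this constructor
     * @param map provider configurations keyed by instance name
     * @param certificateProviderInstance identity provider instance, or null
     * @param certificateProviderInstance2 trust-root provider instance, or null
     * @param certificateValidationContext static validation context passed to the superclass
     * @param baseTlsContext TLS context passed to the superclass
     * @param certificateProviderStore store that hands out provider handles
     * @throws NullPointerException if an initialized instance has no entry in {@code map}
     */
    public CertProviderSslContextProvider(Node node, Map<String, Bootstrapper.CertificateProviderInfo> map, CommonTlsContext.CertificateProviderInstance certificateProviderInstance, CommonTlsContext.CertificateProviderInstance certificateProviderInstance2, CertificateValidationContext certificateValidationContext, EnvoyServerProtoData.BaseTlsContext baseTlsContext, CertificateProviderStore certificateProviderStore) {
        super(baseTlsContext, certificateValidationContext);
        this.certInstance = certificateProviderInstance;
        this.rootCertInstance = certificateProviderInstance2;

        // NOTE(review): the mode predicates test the instances for null only, while handles are
        // created for initialized instances only. A non-null but uninitialized instance would
        // select a mode whose values apparently never arrive; confirm callers never pass one.
        String certInstanceName = null;
        Bootstrapper.CertificateProviderInfo certConfig = null;
        if (certificateProviderInstance != null && certificateProviderInstance.isInitialized()) {
            certInstanceName = certificateProviderInstance.getInstanceName();
            certConfig = getCertProviderConfig(map, certInstanceName);
        }

        // A root instance with the same instance name as the certificate instance gets no
        // second handle.
        Bootstrapper.CertificateProviderInfo rootConfig = null;
        if (certificateProviderInstance2 != null
                && certificateProviderInstance2.isInitialized()
                && !certificateProviderInstance2.getInstanceName().equals(certInstanceName)) {
            rootConfig = getCertProviderConfig(map, certificateProviderInstance2.getInstanceName());
        }

        // The trailing boolean is passed as true for both handles; its meaning is defined by
        // CertificateProviderStore, which is not visible here.
        CertificateProviderStore.Handle newCertHandle = null;
        if (certConfig != null) {
            newCertHandle = certificateProviderStore.createOrGetProvider(certificateProviderInstance.getCertificateName(), certConfig.getPluginName(), certConfig.getConfig(), this, true);
        }
        CertificateProviderStore.Handle newRootHandle = null;
        if (rootConfig != null) {
            try {
                newRootHandle = certificateProviderStore.createOrGetProvider(certificateProviderInstance2.getCertificateName(), rootConfig.getPluginName(), rootConfig.getConfig(), this, true);
            } catch (RuntimeException | Error e) {
                // Construction is failing, so no caller will ever be able to close the first handle.
                if (newCertHandle != null) {
                    newCertHandle.close();
                }
                throw e;
            }
        }
        this.certHandle = newCertHandle;
        this.rootCertHandle = newRootHandle;
    }

    /**
     * Looks up the configuration for a provider instance name.
     *
     * @throws NullPointerException if the map is null or has no entry for the name. The type is
     *     the one the unchecked lookup produced before; only the message is new.
     */
    private static Bootstrapper.CertificateProviderInfo getCertProviderConfig(Map<String, Bootstrapper.CertificateProviderInfo> map, String str) {
        if (map == null) {
            throw new NullPointerException("no certificate provider configurations supplied; cannot resolve instance '" + str + "'");
        }
        Bootstrapper.CertificateProviderInfo info = map.get(str);
        if (info == null) {
            throw new NullPointerException("no certificate provider configuration found for instance '" + str + "'");
        }
        return info;
    }

    /**
     * Stores a newly delivered private key and certificate chain, then rebuilds the SSL context
     * if the current mode has everything it needs.
     */
    @Override
    public final void updateCertificate(PrivateKey privateKey, List<X509Certificate> list) {
        this.savedKey = privateKey;
        this.savedCertChain = list;
        updateSslContextWhenReady();
    }

    /**
     * Stores newly delivered trust roots, then rebuilds the SSL context if the current mode has
     * everything it needs.
     */
    @Override
    public final void updateTrustedRoots(List<X509Certificate> list) {
        this.savedTrustedRoots = list;
        updateSslContextWhenReady();
    }

    /**
     * Rebuilds the SSL context once the values required by the current mode are present, then
     * drops the saved values.
     *
     * <p>NOTE(review): every saved value is cleared after each rebuild. In mTLS mode a later
     * rotation that delivers only a key, or only roots, therefore appears to wait until the
     * other value is delivered again; confirm the providers re-deliver both.
     */
    private void updateSslContextWhenReady() {
        final boolean ready;
        if (isMtls()) {
            ready = this.savedKey != null && this.savedTrustedRoots != null;
        } else if (isClientSideTls()) {
            ready = this.savedTrustedRoots != null;
        } else if (isServerSideTls()) {
            // Only the key is awaited here; no provider-supplied trust roots are involved.
            ready = this.savedKey != null;
        } else {
            // Neither instance was supplied, so there is nothing to build from.
            ready = false;
        }
        if (ready) {
            updateSslContext();
            clearKeysAndCerts();
        }
    }

    /**
     * Drops this object's references to the saved key, chain and roots so that the private key
     * is not held here longer than one context rebuild. This does not erase the key material.
     */
    private void clearKeysAndCerts() {
        this.savedKey = null;
        this.savedTrustedRoots = null;
        this.savedCertChain = null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns true when both a certificate instance and a root instance were supplied. */
    public final boolean isMtls() {
        return this.certInstance != null && this.rootCertInstance != null;
    }

    /** Returns true when only a root instance was supplied. */
    protected final boolean isClientSideTls() {
        return this.rootCertInstance != null && this.certInstance == null;
    }

    /** Returns true when only a certificate instance was supplied. */
    protected final boolean isServerSideTls() {
        return this.certInstance != null && this.rootCertInstance == null;
    }

    /** Returns the static validation context held by the superclass, unchanged. */
    @Override
    protected final CertificateValidationContext generateCertificateValidationContext() {
        return this.staticCertificateValidationContext;
    }

    /**
     * Closes both provider handles. The root handle is closed even if closing the certificate
     * handle throws, so one failure does not leave the other handle open.
     */
    @Override
    public final void close() {
        try {
            if (this.certHandle != null) {
                this.certHandle.close();
            }
        } finally {
            if (this.rootCertHandle != null) {
                this.rootCertHandle.close();
            }
        }
    }
}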
