package org.apache.pulsar.common.util;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslProvider;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.concurrent.atomic.AtomicReference;
import javax.annotation.concurrent.NotThreadSafe;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
import org.apache.pulsar.client.api.KeyStoreParams;
import org.apache.pulsar.common.util.keystoretls.KeyStoreSSLContext;

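/**
 * Default {@link PulsarSslFactory}: builds and caches the TLS context for Pulsar connections and
 * hands out {@link SSLEngine}s configured from a {@link PulsarSslConfiguration}.
 *
 * <p>Three sources of key material are supported; {@link #createInternalSslContext()} picks one:
 * <ul>
 *   <li>keystore files ({@code config.isTlsEnabledWithKeystore()}), built through
 *       {@link KeyStoreSSLContext} into a JSSE {@link SSLContext};</li>
 *   <li>PEM files, or material supplied by an {@link AuthenticationDataProvider}, exposed as a
 *       JSSE {@link SSLContext} when {@code config.isHttps()};</li>
 *   <li>the same PEM / auth-provider material exposed as a Netty {@link SslContext} otherwise.</li>
 * </ul>
 *
 * <p>The built contexts live in {@link AtomicReference}s, so a rebuild is published as a single
 * volatile write, but every configuration field is a plain field and the class is
 * {@code @NotThreadSafe}: {@link #initialize}, {@link #needsUpdate()} and
 * {@link #createInternalSslContext()} are meant to be driven by one owner.
 *
 * <p>Decompiled listing; loaded from
 * input_file:META-INF/bundled-dependencies/pulsar-common-4.0.0.0.jar
 * (org/apache/pulsar/common/util/DefaultPulsarSslFactory.class).
 */
@NotThreadSafe
public class DefaultPulsarSslFactory implements PulsarSslFactory {

    /** Single copy of the message raised wherever a context is requested before it was built. */
    private static final String SSL_CONTEXT_NOT_INITIALIZED_MSG =
            "Internal SSL context is not initialized. Please call createInternalSslContext() first.";

    private PulsarSslConfiguration config;

    // Keystore-mode inputs; only assigned when config.isTlsEnabledWithKeystore().
    protected FileModifiedTimeUpdater tlsKeyStore;
    protected FileModifiedTimeUpdater tlsTrustStore;

    // PEM-mode inputs. Which of these are assigned depends on whether the auth provider
    // supplies TLS material (see initialize()); code paths that read them are guarded accordingly.
    protected FileModifiedTimeUpdater tlsTrustCertsFilePath;
    protected FileModifiedTimeUpdater tlsCertificateFilePath;
    protected FileModifiedTimeUpdater tlsKeyFilePath;

    // Retained only in PEM mode and only when the provider reports hasDataForTls().
    protected AuthenticationDataProvider authData;

    // True when the auth provider hands the trust store over as a stream rather than a file path.
    protected boolean isTlsTrustStoreStreamProvided;

    // Effective keystore settings: auth-provider values win, configuration is the fallback.
    protected String tlsKeystoreType;
    protected String tlsKeystorePath;
    protected String tlsKeystorePassword;

    // JSSE context: keystore mode and the HTTPS PEM case.
    private final AtomicReference<SSLContext> internalSslContext = new AtomicReference<>();
    // Netty context: the non-HTTPS PEM case.
    private final AtomicReference<SslContext> internalNettySslContext = new AtomicReference<>();

    // Protocols enabled on an engine when the configuration lists none.
    protected final String[] defaultSslEnabledProtocols = {"TLSv1.3", "TLSv1.2"};

    /**
     * Side of the connection an engine is created for.
     *
     * <p>Decompiler note: the access modifier was widened from {@code private} by JADX; it is kept
     * as printed so the listing stays compatible with the page.
     */
    public enum NetworkMode {
        CLIENT,
        SERVER
    }

    /**
     * Records the configuration and decides where key material comes from.
     *
     * <p>In keystore mode the keystore type/path/password are taken from the auth provider's
     * {@link KeyStoreParams} when present and otherwise from the configuration; file watchers are
     * created for the keystore and trust store. In PEM mode either the auth provider is retained
     * (when it reports {@code hasDataForTls()}) or watchers are created for the three PEM files.
     *
     * <p>Note that the keystore fields are only filled when still {@code null}; calling this
     * method twice does not clear values left by an earlier call.
     *
     * @param pulsarSslConfiguration TLS settings for this factory
     */
    @Override
    public void initialize(PulsarSslConfiguration pulsarSslConfiguration) {
        this.config = pulsarSslConfiguration;
        AuthenticationDataProvider provider = this.config.getAuthData();
        boolean providerHasTlsData = provider != null && provider.hasDataForTls();

        if (this.config.isTlsEnabledWithKeystore()) {
            initializeKeyStoreMode(providerHasTlsData ? provider : null);
        } else if (providerHasTlsData) {
            initializePemModeFromAuthData(provider);
        } else {
            initializePemModeFromFiles();
        }
    }

    /**
     * Keystore mode: resolve the keystore settings and start watching keystore and trust store.
     *
     * @param tlsProvider auth provider that reports TLS data, or {@code null} when there is none
     */
    private void initializeKeyStoreMode(AuthenticationDataProvider tlsProvider) {
        if (tlsProvider != null) {
            KeyStoreParams params = tlsProvider.getTlsKeyStoreParams();
            if (params != null) {
                this.tlsKeystoreType = params.getKeyStoreType();
                this.tlsKeystorePath = params.getKeyStorePath();
                this.tlsKeystorePassword = params.getKeyStorePassword();
            }
        }
        // Configuration only fills in what the provider (or a subclass) did not supply.
        if (this.tlsKeystoreType == null) {
            this.tlsKeystoreType = this.config.getTlsKeyStoreType();
        }
        if (this.tlsKeystorePath == null) {
            this.tlsKeystorePath = this.config.getTlsKeyStorePath();
        }
        if (this.tlsKeystorePassword == null) {
            this.tlsKeystorePassword = this.config.getTlsKeyStorePassword();
        }
        this.tlsKeyStore = new FileModifiedTimeUpdater(this.tlsKeystorePath);
        this.tlsTrustStore = new FileModifiedTimeUpdater(this.config.getTlsTrustStorePath());
    }

    /**
     * PEM mode with an auth provider: remember the provider and, unless it supplies the trust
     * store as a stream, watch the configured trust-certs file.
     *
     * @param tlsProvider auth provider that reported {@code hasDataForTls()}
     */
    private void initializePemModeFromAuthData(AuthenticationDataProvider tlsProvider) {
        if (tlsProvider.getTlsTrustStoreStream() != null) {
            this.isTlsTrustStoreStreamProvided = true;
        } else {
            this.tlsTrustCertsFilePath = new FileModifiedTimeUpdater(this.config.getTlsTrustCertsFilePath());
        }
        this.authData = tlsProvider;
    }

    /** PEM mode without an auth provider: watch the three configured PEM files. */
    private void initializePemModeFromFiles() {
        this.tlsCertificateFilePath = new FileModifiedTimeUpdater(this.config.getTlsCertificateFilePath());
        this.tlsTrustCertsFilePath = new FileModifiedTimeUpdater(this.config.getTlsTrustCertsFilePath());
        this.tlsKeyFilePath = new FileModifiedTimeUpdater(this.config.getTlsKeyFilePath());
    }

    /**
     * Creates a client-side engine for the given peer.
     *
     * @param byteBufAllocator allocator handed to Netty when the Netty context is in use
     * @param peerHost host the engine connects to (passed to the context for SNI/session purposes)
     * @param peerPort port the engine connects to
     * @return an engine in client mode with protocols and ciphers applied
     */
    @Override
    public SSLEngine createClientSslEngine(ByteBufAllocator byteBufAllocator, String peerHost, int peerPort) {
        return createSSLEngine(byteBufAllocator, peerHost, peerPort, NetworkMode.CLIENT);
    }

    /**
     * Creates a server-side engine; client authentication is required or merely requested
     * depending on {@code config.isRequireTrustedClientCertOnConnect()}.
     *
     * @param byteBufAllocator allocator handed to Netty when the Netty context is in use
     * @return an engine in server mode with protocols and ciphers applied
     */
    @Override
    public SSLEngine createServerSslEngine(ByteBufAllocator byteBufAllocator) {
        return createSSLEngine(byteBufAllocator, "", 0, NetworkMode.SERVER);
    }

    /**
     * Tells whether the cached context should be rebuilt.
     *
     * <p>Keystore mode: true when the keystore or trust store file changed. PEM mode with an auth
     * provider: always true (provider material is treated as potentially fresh on every check).
     * PEM mode from files: true when any of the three PEM files changed.
     *
     * <p>The checks are combined with short-circuit {@code ||}, so when an earlier file has
     * changed the later {@code checkAndRefresh()} calls are skipped for this round; presumably
     * they will report their own change on the next call (depends on FileModifiedTimeUpdater).
     *
     * @return true when {@link #createInternalSslContext()} should be called again
     */
    @Override
    public boolean needsUpdate() {
        if (this.config.isTlsEnabledWithKeystore()) {
            return (this.tlsKeyStore != null && this.tlsKeyStore.checkAndRefresh())
                    || (this.tlsTrustStore != null && this.tlsTrustStore.checkAndRefresh());
        }
        if (this.authData != null && this.authData.hasDataForTls()) {
            return true;
        }
        // All three watchers are assigned by initialize() in this mode.
        return this.tlsTrustCertsFilePath.checkAndRefresh()
                || this.tlsCertificateFilePath.checkAndRefresh()
                || this.tlsKeyFilePath.checkAndRefresh();
    }

    /**
     * Builds the context for the configured mode and publishes it.
     *
     * <p>Only one of the two holders is written: the JSSE holder for keystore and HTTPS modes,
     * the Netty holder otherwise. The other holder keeps whatever it held before.
     *
     * @throws Exception propagated from the underlying context builders
     */
    @Override
    public void createInternalSslContext() throws Exception {
        if (this.config.isTlsEnabledWithKeystore()) {
            this.internalSslContext.set(buildKeystoreSslContext(this.config.isServerMode()));
        } else if (this.config.isHttps()) {
            this.internalSslContext.set(buildSslContext());
        } else {
            this.internalNettySslContext.set(buildNettySslContext());
        }
    }

    /**
     * @return the JSSE context built by {@link #createInternalSslContext()}
     * @throws RuntimeException if no JSSE context has been built yet
     */
    @Override
    public SSLContext getInternalSslContext() {
        // Read the holder once so the value checked is the value returned.
        SSLContext context = this.internalSslContext.get();
        if (context == null) {
            throw new RuntimeException(SSL_CONTEXT_NOT_INITIALIZED_MSG);
        }
        return context;
    }

    /**
     * @return the Netty context built by {@link #createInternalSslContext()}
     * @throws RuntimeException if no Netty context has been built yet
     */
    @Override
    public SslContext getInternalNettySslContext() {
        // Read the holder once so the value checked is the value returned.
        SslContext context = this.internalNettySslContext.get();
        if (context == null) {
            throw new RuntimeException(SSL_CONTEXT_NOT_INITIALIZED_MSG);
        }
        return context;
    }

    /**
     * Keystore mode: builds a JSSE context from the resolved keystore and the configured trust store.
     *
     * @param serverMode true for the server-side variant (adds the client-cert requirement)
     */
    private SSLContext buildKeystoreSslContext(boolean serverMode) throws GeneralSecurityException, IOException {
        return serverMode ? buildServerKeyStoreSslContext() : buildClientKeyStoreSslContext();
    }

    private SSLContext buildServerKeyStoreSslContext() throws GeneralSecurityException, IOException {
        return KeyStoreSSLContext.createServerKeyStoreSslContext(
                this.config.getTlsProvider(),
                this.tlsKeystoreType,
                this.tlsKeyStore.getFileName(),
                this.tlsKeystorePassword,
                this.config.isAllowInsecureConnection(),
                this.config.getTlsTrustStoreType(),
                this.tlsTrustStore.getFileName(),
                this.config.getTlsTrustStorePassword(),
                this.config.isRequireTrustedClientCertOnConnect(),
                this.config.getTlsCiphers(),
                this.config.getTlsProtocols()).createSSLContext();
    }

    private SSLContext buildClientKeyStoreSslContext() throws GeneralSecurityException, IOException {
        return KeyStoreSSLContext.createClientKeyStoreSslContext(
                this.config.getTlsProvider(),
                this.tlsKeystoreType,
                this.tlsKeyStore.getFileName(),
                this.tlsKeystorePassword,
                this.config.isAllowInsecureConnection(),
                this.config.getTlsTrustStoreType(),
                this.tlsTrustStore.getFileName(),
                this.config.getTlsTrustStorePassword(),
                this.config.getTlsCiphers(),
                this.config.getTlsProtocols()).createSSLContext();
    }

    /**
     * PEM / auth-provider material as a JSSE context (HTTPS case).
     *
     * <p>Branch order: configured PEM files when there is no provider; provider-supplied trust
     * stream; provider-supplied in-memory certificates with the trust-certs file; otherwise the
     * provider's certificate and key file paths. {@code allowInsecureConnection} is passed through
     * unchanged — what it relaxes is decided inside {@link SecurityUtility}.
     */
    private SSLContext buildSslContext() throws GeneralSecurityException {
        if (this.authData == null || !this.authData.hasDataForTls()) {
            return SecurityUtility.createSslContext(
                    this.config.isAllowInsecureConnection(),
                    this.tlsTrustCertsFilePath.getFileName(),
                    this.tlsCertificateFilePath.getFileName(),
                    this.tlsKeyFilePath.getFileName(),
                    this.config.getTlsProvider());
        }
        if (this.isTlsTrustStoreStreamProvided) {
            return SecurityUtility.createSslContext(
                    this.config.isAllowInsecureConnection(),
                    SecurityUtility.loadCertificatesFromPemStream(this.authData.getTlsTrustStoreStream()),
                    this.authData.getTlsCertificates(),
                    this.authData.getTlsPrivateKey(),
                    this.config.getTlsProvider());
        }
        if (this.authData.getTlsCertificates() != null) {
            return SecurityUtility.createSslContext(
                    this.config.isAllowInsecureConnection(),
                    SecurityUtility.loadCertificatesFromPemFile(this.tlsTrustCertsFilePath.getFileName()),
                    this.authData.getTlsCertificates(),
                    this.authData.getTlsPrivateKey(),
                    this.config.getTlsProvider());
        }
        return SecurityUtility.createSslContext(
                this.config.isAllowInsecureConnection(),
                this.tlsTrustCertsFilePath.getFileName(),
                this.authData.getTlsCertificateFilePath(),
                this.authData.getTlsPrivateKeyFilePath(),
                this.config.getTlsProvider());
    }

    /**
     * PEM / auth-provider material as a Netty context (non-HTTPS case).
     *
     * <p>Same branch order as {@link #buildSslContext()}. Only the no-provider branch honours
     * {@code config.isServerMode()}; every auth-provider branch builds a client context, so
     * presumably provider-supplied material is only expected on the client side — confirm against
     * callers. The optional {@code tlsProvider} string is resolved with {@link SslProvider#valueOf},
     * which rejects unknown names with an {@link IllegalArgumentException}.
     */
    private SslContext buildNettySslContext() throws GeneralSecurityException, IOException {
        SslProvider sslProvider = null;
        if (StringUtils.isNotBlank(this.config.getTlsProvider())) {
            sslProvider = SslProvider.valueOf(this.config.getTlsProvider());
        }

        if (this.authData == null || !this.authData.hasDataForTls()) {
            if (this.config.isServerMode()) {
                return SecurityUtility.createNettySslContextForServer(
                        sslProvider,
                        this.config.isAllowInsecureConnection(),
                        this.tlsTrustCertsFilePath.getFileName(),
                        this.tlsCertificateFilePath.getFileName(),
                        this.tlsKeyFilePath.getFileName(),
                        this.config.getTlsCiphers(),
                        this.config.getTlsProtocols(),
                        this.config.isRequireTrustedClientCertOnConnect());
            }
            return SecurityUtility.createNettySslContextForClient(
                    sslProvider,
                    this.config.isAllowInsecureConnection(),
                    this.tlsTrustCertsFilePath.getFileName(),
                    this.tlsCertificateFilePath.getFileName(),
                    this.tlsKeyFilePath.getFileName(),
                    this.config.getTlsCiphers(),
                    this.config.getTlsProtocols());
        }
        if (this.isTlsTrustStoreStreamProvided) {
            return SecurityUtility.createNettySslContextForClient(
                    sslProvider,
                    this.config.isAllowInsecureConnection(),
                    this.authData.getTlsTrustStoreStream(),
                    this.authData.getTlsCertificates(),
                    this.authData.getTlsPrivateKey(),
                    this.config.getTlsCiphers(),
                    this.config.getTlsProtocols());
        }
        if (this.authData.getTlsCertificates() != null) {
            return SecurityUtility.createNettySslContextForClient(
                    sslProvider,
                    this.config.isAllowInsecureConnection(),
                    this.tlsTrustCertsFilePath.getFileName(),
                    this.authData.getTlsCertificates(),
                    this.authData.getTlsPrivateKey(),
                    this.config.getTlsCiphers(),
                    this.config.getTlsProtocols());
        }
        return SecurityUtility.createNettySslContextForClient(
                sslProvider,
                this.config.isAllowInsecureConnection(),
                this.tlsTrustCertsFilePath.getFileName(),
                this.authData.getTlsCertificateFilePath(),
                this.authData.getTlsPrivateKeyFilePath(),
                this.config.getTlsCiphers(),
                this.config.getTlsProtocols());
    }

    /**
     * Creates an engine from whichever context has been built and applies protocol, cipher and
     * client-auth settings.
     *
     * <p>The JSSE context takes precedence when both holders are populated. In server mode a
     * trusted client certificate is either required ({@code setNeedClientAuth}) or only
     * requested ({@code setWantClientAuth}, handshake still succeeds without one). Protocols fall
     * back to {@link #defaultSslEnabledProtocols} when the configuration lists none; ciphers are
     * left at the engine default when none are configured. No endpoint identification algorithm
     * is set here, so hostname verification for client engines is up to the caller.
     *
     * @param byteBufAllocator allocator for Netty-created engines
     * @param peerHost peer host for client engines (ignored for servers)
     * @param peerPort peer port for client engines (ignored for servers)
     * @param networkMode which side of the connection the engine is for
     * @throws RuntimeException if neither context has been built yet
     */
    private SSLEngine createSSLEngine(ByteBufAllocator byteBufAllocator, String peerHost, int peerPort,
                                      NetworkMode networkMode) {
        SSLContext jsseContext = this.internalSslContext.get();
        SslContext nettyContext = this.internalNettySslContext.get();
        validateSslContext(jsseContext, nettyContext);

        SSLEngine engine;
        SSLParameters params;
        if (networkMode == NetworkMode.CLIENT) {
            engine = jsseContext != null
                    ? jsseContext.createSSLEngine(peerHost, peerPort)
                    : nettyContext.newEngine(byteBufAllocator, peerHost, peerPort);
            engine.setUseClientMode(true);
            params = engine.getSSLParameters();
        } else {
            engine = jsseContext != null
                    ? jsseContext.createSSLEngine()
                    : nettyContext.newEngine(byteBufAllocator);
            engine.setUseClientMode(false);
            params = engine.getSSLParameters();
            if (this.config.isRequireTrustedClientCertOnConnect()) {
                params.setNeedClientAuth(true);
            } else {
                // Client certificates are requested but a handshake without one is accepted.
                params.setWantClientAuth(true);
            }
        }

        if (this.config.getTlsProtocols() == null || this.config.getTlsProtocols().isEmpty()) {
            params.setProtocols(this.defaultSslEnabledProtocols);
        } else {
            params.setProtocols(this.config.getTlsProtocols().toArray(new String[0]));
        }
        if (this.config.getTlsCiphers() != null && !this.config.getTlsCiphers().isEmpty()) {
            params.setCipherSuites(this.config.getTlsCiphers().toArray(new String[0]));
        }
        engine.setSSLParameters(params);
        return engine;
    }

    /**
     * Fails fast when no context of either flavour has been built.
     *
     * @throws RuntimeException if both arguments are {@code null}
     */
    private void validateSslContext(SSLContext jsseContext, SslContext nettyContext) {
        if (jsseContext == null && nettyContext == null) {
            throw new RuntimeException(SSL_CONTEXT_NOT_INITIALIZED_MSG);
        }
    }

    /**
     * Nothing to release: this class only holds references to the built contexts and to
     * file-timestamp watchers (FileModifiedTimeUpdater is assumed to own no resource — confirm).
     */
    @Override
    public void close() throws Exception {
    }
}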
