package org.apache.pulsar.client.impl;

import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import java.net.InetSocketAddress;
import java.util.Objects;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.impl.conf.ClientConfigurationData;
import org.apache.pulsar.client.util.ObjectCache;
import org.apache.pulsar.common.protocol.ByteBufPair;
import org.apache.pulsar.common.util.SecurityUtility;
import org.apache.pulsar.common.util.keystoretls.NettySSLContextAutoRefreshBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/pulsar-client-original-2.8.4.jar:org/apache/pulsar/client/impl/PulsarChannelInitializer.class */
public class PulsarChannelInitializer extends ChannelInitializer<SocketChannel> {
    public static final String TLS_HANDLER = "tls";
    private final Supplier<ClientCnx> clientCnxSupplier;
    private final boolean tlsEnabled;
    private final boolean tlsHostnameVerificationEnabled;
    private final boolean tlsEnabledWithKeyStore;
    private final Supplier<SslContext> sslContextSupplier;
    private NettySSLContextAutoRefreshBuilder nettySSLContextAutoRefreshBuilder;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) PulsarChannelInitializer.class);
    private static final long TLS_CERTIFICATE_CACHE_MILLIS = TimeUnit.MINUTES.toMillis(1);

    public PulsarChannelInitializer(ClientConfigurationData clientConfigurationData, Supplier<ClientCnx> supplier) throws Exception {
        this.clientCnxSupplier = supplier;
        this.tlsEnabled = clientConfigurationData.isUseTls();
        this.tlsHostnameVerificationEnabled = clientConfigurationData.isTlsHostnameVerificationEnable();
        this.tlsEnabledWithKeyStore = clientConfigurationData.isUseKeyStoreTls();
        if (!this.tlsEnabled) {
            this.sslContextSupplier = null;
            return;
        }
        if (this.tlsEnabledWithKeyStore) {
            AuthenticationDataProvider authData = clientConfigurationData.getAuthentication().getAuthData();
            if (StringUtils.isBlank(clientConfigurationData.getTlsTrustStorePath())) {
                throw new PulsarClientException("Failed to create TLS context, the tlsTrustStorePath need to be configured if useKeyStoreTls enabled");
            }
            this.nettySSLContextAutoRefreshBuilder = new NettySSLContextAutoRefreshBuilder(clientConfigurationData.getSslProvider(), clientConfigurationData.isTlsAllowInsecureConnection(), clientConfigurationData.getTlsTrustStoreType(), clientConfigurationData.getTlsTrustStorePath(), clientConfigurationData.getTlsTrustStorePassword(), clientConfigurationData.getTlsCiphers(), clientConfigurationData.getTlsProtocols(), TLS_CERTIFICATE_CACHE_MILLIS, authData);
        }
        this.sslContextSupplier = new ObjectCache(() -> {
            try {
                SslProvider sslProvider = null;
                if (clientConfigurationData.getSslProvider() != null) {
                    sslProvider = SslProvider.valueOf(clientConfigurationData.getSslProvider());
                }
                AuthenticationDataProvider authData2 = clientConfigurationData.getAuthentication().getAuthData();
                return authData2.hasDataForTls() ? authData2.getTlsTrustStoreStream() == null ? SecurityUtility.createNettySslContextForClient(sslProvider, clientConfigurationData.isTlsAllowInsecureConnection(), clientConfigurationData.getTlsTrustCertsFilePath(), authData2.getTlsCertificates(), authData2.getTlsPrivateKey(), clientConfigurationData.getTlsCiphers(), clientConfigurationData.getTlsProtocols()) : SecurityUtility.createNettySslContextForClient(sslProvider, clientConfigurationData.isTlsAllowInsecureConnection(), authData2.getTlsTrustStoreStream(), authData2.getTlsCertificates(), authData2.getTlsPrivateKey(), clientConfigurationData.getTlsCiphers(), clientConfigurationData.getTlsProtocols()) : SecurityUtility.createNettySslContextForClient(sslProvider, clientConfigurationData.isTlsAllowInsecureConnection(), clientConfigurationData.getTlsTrustCertsFilePath(), clientConfigurationData.getTlsCiphers(), clientConfigurationData.getTlsProtocols());
            } catch (Exception e) {
                throw new RuntimeException("Failed to create TLS context", e);
            }
        }, TLS_CERTIFICATE_CACHE_MILLIS, TimeUnit.MILLISECONDS);
    }

    @Override // io.netty.channel.ChannelInitializer
    public void initChannel(SocketChannel socketChannel) throws Exception {
        socketChannel.pipeline().addLast("ByteBufPairEncoder", this.tlsEnabled ? ByteBufPair.COPYING_ENCODER : ByteBufPair.ENCODER);
        socketChannel.pipeline().addLast("frameDecoder", new LengthFieldBasedFrameDecoder(5253120, 0, 4, 0, 4));
        socketChannel.pipeline().addLast("handler", this.clientCnxSupplier.get());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CompletableFuture<Channel> initTls(Channel channel, InetSocketAddress inetSocketAddress) {
        Objects.requireNonNull(channel, "A channel is required");
        Objects.requireNonNull(inetSocketAddress, "A sniHost is required");
        if (!this.tlsEnabled) {
            throw new IllegalStateException("TLS is not enabled in client configuration");
        }
        CompletableFuture<Channel> completableFuture = new CompletableFuture<>();
        channel.eventLoop().execute(() -> {
            try {
                SslHandler sslHandler = this.tlsEnabledWithKeyStore ? new SslHandler(this.nettySSLContextAutoRefreshBuilder.get().createSSLEngine(inetSocketAddress.getHostString(), inetSocketAddress.getPort())) : this.sslContextSupplier.get().newHandler(channel.alloc(), inetSocketAddress.getHostString(), inetSocketAddress.getPort());
                if (this.tlsHostnameVerificationEnabled) {
                    SecurityUtility.configureSSLHandler(sslHandler);
                }
                channel.pipeline().addFirst(TLS_HANDLER, sslHandler);
                completableFuture.complete(channel);
            } catch (Throwable th) {
                completableFuture.completeExceptionally(th);
            }
        });
        return completableFuture;
    }

    public boolean isTlsEnabled() {
        return this.tlsEnabled;
    }
}
