package io.airlift.http.server;

import io.airlift.http.server.HttpServer;
import io.airlift.log.Logger;
import io.airlift.security.pem.PemReader;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/airlift/http/server/ReloadableSslContextFactoryProvider.class */
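/**
 * Builds Jetty's {@link SslContextFactory.Server} from {@link HttpServerConfig} and periodically
 * rebuilds it from the on-disk key/trust material so that rotated certificates are picked up
 * without a server restart.
 *
 * <p>Key and trust stores may be supplied either as PEM files (loaded into in-memory
 * {@link KeyStore}s via {@link PemReader}) or as regular keystore files handed to Jetty by path.
 *
 * <p>A failed reload keeps the previously active SSL context in place and is reported only as a
 * warning; operators should monitor for that log line, since otherwise an expired certificate
 * would keep being served silently.
 */
public final class ReloadableSslContextFactoryProvider {
    private static final Logger log = Logger.get(ReloadableSslContextFactoryProvider.class);

    // The factory handed to the connector; its SslContext is swapped in place by reload().
    private final SslContextFactory.Server sslContextFactory;

    // Everything needed to rebuild the factory is captured once from the config.
    private final List<String> includedCipherSuites;
    private final List<String> excludedCipherSuites;
    private final String keystorePath;
    // Store and key passwords are retained as Strings for the lifetime of this object
    // because every reload rebuilds the factory from scratch.
    private final String keystorePassword;
    private final String keyManagerPassword;
    private final String trustStorePath;
    private final String trustStorePassword;
    private final String secureRandomAlgorithm;
    private final int sslSessionTimeoutSeconds;
    private final int sslSessionCacheSize;
    private final HttpServer.ClientCertificate clientCertificate;

    /**
     * Captures the TLS settings, builds the initial factory and schedules periodic reloads.
     *
     * @param httpServerConfig source of key/trust store locations, cipher suites, session settings
     *        and the refresh interval
     * @param scheduledExecutorService executor on which {@link #reload()} runs every
     *        {@code httpServerConfig.getSslContextRefreshTime()}
     * @param clientCertificate whether client certificates are ignored, requested or required
     * @throws NullPointerException if any argument is null
     * @throws IllegalArgumentException if the configured key or trust store cannot be read
     * @throws ArithmeticException if the session timeout does not fit in an {@code int} of seconds
     */
    public ReloadableSslContextFactoryProvider(HttpServerConfig httpServerConfig, ScheduledExecutorService scheduledExecutorService, HttpServer.ClientCertificate clientCertificate) {
        Objects.requireNonNull(httpServerConfig, "config is null");
        Objects.requireNonNull(scheduledExecutorService, "scheduledExecutor is null");
        this.includedCipherSuites = httpServerConfig.getHttpsIncludedCipherSuites();
        this.excludedCipherSuites = httpServerConfig.getHttpsExcludedCipherSuites();
        this.keystorePath = httpServerConfig.getKeystorePath();
        this.keystorePassword = httpServerConfig.getKeystorePassword();
        this.keyManagerPassword = httpServerConfig.getKeyManagerPassword();
        this.trustStorePath = httpServerConfig.getTrustStorePath();
        this.trustStorePassword = httpServerConfig.getTrustStorePassword();
        this.secureRandomAlgorithm = httpServerConfig.getSecureRandomAlgorithm();
        // Jetty takes the session timeout as int seconds; toIntExact fails loudly instead of truncating
        this.sslSessionTimeoutSeconds = Math.toIntExact(httpServerConfig.getSslSessionTimeout().roundTo(TimeUnit.SECONDS));
        this.sslSessionCacheSize = httpServerConfig.getSslSessionCacheSize();
        this.clientCertificate = Objects.requireNonNull(clientCertificate, "clientCertificate is null");

        // Build eagerly so configuration errors surface at construction, not on the first tick
        this.sslContextFactory = buildContextFactory();

        // The refresh interval doubles as the initial delay; the first reload happens one interval in
        long refreshMillis = httpServerConfig.getSslContextRefreshTime().toMillis();
        scheduledExecutorService.scheduleWithFixedDelay(this::reload, refreshMillis, refreshMillis, TimeUnit.MILLISECONDS);
    }

    /**
     * Creates a fresh, not yet started factory from the captured settings, reading the key and
     * trust material from disk.
     *
     * @return a configured {@link SslContextFactory.Server}
     * @throws IllegalArgumentException if a PEM store cannot be read or parsed, or if
     *         {@code clientCertificate} is not one of the known values
     */
    private SslContextFactory.Server buildContextFactory() {
        SslContextFactory.Server factory = new SslContextFactory.Server();

        Optional<KeyStore> pemKeyStore = tryLoadPemKeyStore(keystorePath, keystorePassword);
        if (pemKeyStore.isPresent()) {
            // PEM material is already decoded into an in-memory store; it carries no store password
            factory.setKeyStore(pemKeyStore.get());
            factory.setKeyStorePassword("");
        } else {
            // Non-PEM stores are opened by Jetty itself from the configured path
            factory.setKeyStorePath(keystorePath);
            factory.setKeyStorePassword(keystorePassword);
            if (keyManagerPassword != null) {
                factory.setKeyManagerPassword(keyManagerPassword);
            }
        }

        // A trust store is optional; without one Jetty falls back to its own defaults
        if (trustStorePath != null) {
            Optional<KeyStore> pemTrustStore = tryLoadPemTrustStore(trustStorePath);
            if (pemTrustStore.isPresent()) {
                factory.setTrustStore(pemTrustStore.get());
                factory.setTrustStorePassword("");
            } else {
                factory.setTrustStorePath(trustStorePath);
                factory.setTrustStorePassword(trustStorePassword);
            }
        }

        factory.setIncludeCipherSuites(includedCipherSuites.toArray(new String[0]));
        factory.setExcludeCipherSuites(excludedCipherSuites.toArray(new String[0]));
        factory.setSecureRandomAlgorithm(secureRandomAlgorithm);

        // REQUESTED asks for a client certificate but tolerates its absence (want);
        // REQUIRED rejects the handshake without one (need).
        switch (clientCertificate) {
            case NONE:
                break;
            case REQUESTED:
                factory.setWantClientAuth(true);
                break;
            case REQUIRED:
                factory.setNeedClientAuth(true);
                break;
            default:
                throw new IllegalArgumentException("Unsupported client certificate value: " + clientCertificate);
        }

        factory.setSslSessionTimeout(sslSessionTimeoutSeconds);
        factory.setSslSessionCacheSize(sslSessionCacheSize);
        return factory;
    }

    /**
     * Loads the key store at {@code path} if it is a PEM file.
     *
     * @param path key store location; the same file is used for both the private key and the
     *        certificate chain
     * @param password optional password handed to {@link PemReader#loadKeyStore}; may be null
     * @return the decoded store, or empty if the file is not PEM (so the caller should let Jetty
     *         open it as a regular key store)
     * @throws IllegalArgumentException if the file cannot be read, or is PEM but cannot be loaded
     */
    private static Optional<KeyStore> tryLoadPemKeyStore(String path, String password) {
        File file = new File(path);

        boolean isPem;
        try {
            isPem = PemReader.isPem(file);
        } catch (IOException e) {
            throw new IllegalArgumentException("Error reading key store file: " + file, e);
        }
        if (!isPem) {
            return Optional.empty();
        }

        try {
            return Optional.of(PemReader.loadKeyStore(file, file, Optional.ofNullable(password)));
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalArgumentException("Error loading PEM key store: " + file, e);
        }
    }

    /**
     * Loads the trust store at {@code path} if it is a PEM file.
     *
     * @param path trust store location
     * @return the decoded store, or empty if the file is not PEM
     * @throws IllegalArgumentException if the file cannot be read, is PEM but holds no
     *         certificates (an empty trust store would make every peer untrusted, which is almost
     *         certainly a configuration mistake), or cannot be loaded
     */
    private static Optional<KeyStore> tryLoadPemTrustStore(String path) {
        File file = new File(path);

        boolean isPem;
        try {
            isPem = PemReader.isPem(file);
        } catch (IOException e) {
            throw new IllegalArgumentException("Error reading trust store file: " + file, e);
        }
        if (!isPem) {
            return Optional.empty();
        }

        try {
            if (PemReader.readCertificateChain(file).isEmpty()) {
                throw new IllegalArgumentException("PEM trust store file does not contain any certificates: " + file);
            }
            return Optional.of(PemReader.loadTrustStore(file));
        } catch (IOException | GeneralSecurityException e) {
            throw new IllegalArgumentException("Error loading PEM trust store: " + file, e);
        }
    }

    /**
     * Returns the long-lived factory whose SSL context is refreshed in place by each reload.
     *
     * @return the factory to install on the HTTPS connector
     */
    public SslContextFactory.Server getSslContextFactory() {
        return sslContextFactory;
    }

    /**
     * Rebuilds the factory from disk and swaps the new SSL context into the live factory.
     *
     * <p>Any failure (unreadable file, bad key, Jetty start error) is logged and the previous
     * context stays active. Swallowing the exception is deliberate: a throwing task would be
     * cancelled by the scheduler and no further reloads would ever run.
     */
    private synchronized void reload() {
        try {
            SslContextFactory.Server updatedFactory = buildContextFactory();
            // start() is what actually reads the stores and creates the SSLContext
            updatedFactory.start();
            sslContextFactory.reload(liveFactory -> liveFactory.setSslContext(updatedFactory.getSslContext()));
        } catch (Exception e) {
            log.warn(e, "Unable to reload SslContext.");
        }
    }
}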
