package co.cask.cdap.security.tools;

import co.cask.http.NettyHttpService;
import co.cask.http.SSLHandlerFactory;
import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.util.function.Supplier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:co/cask/cdap/security/tools/HttpsEnabler.class */
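/**
 * Turns on HTTPS for both ends of a connection: a server built with {@link NettyHttpService.Builder}
 * and a client-side {@link HttpsURLConnection}.
 *
 * <p>Key and trust material is supplied through the chainable {@code set*} methods. The client
 * {@link SSLSocketFactory} is built lazily and cached; every setter drops the cache so the next
 * {@link #enable(HttpsURLConnection)} picks up the new configuration.
 *
 * <p>Thread-safety: setters are {@code synchronized}; the configuration fields are {@code volatile}
 * so that the lock-free reads in {@link #enable(NettyHttpService.Builder)} and on the fast path of
 * {@link #getSSLSocketFactory()} observe the latest value written by a setter.
 */
public final class HttpsEnabler {
    // Written only under the instance lock; volatile because enable(T) reads them without the lock.
    private volatile KeyManagerFactory keyManagerFactory;
    private volatile TrustManagerFactory trustManagerFactory;
    // Lazily built client factory; null means "rebuild on next use".
    private volatile SSLSocketFactory sslSocketFactory;

    /**
     * {@link SSLHandlerFactory} that additionally decides whether the server engine requires the
     * peer to present a certificate (mutual TLS).
     */
    private static final class CustomSSLHandlerFactory extends SSLHandlerFactory {
        private final boolean clientAuthEnabled;

        CustomSSLHandlerFactory(SslContext sslContext, boolean clientAuthEnabled) {
            super(sslContext);
            this.clientAuthEnabled = clientAuthEnabled;
        }

        @Override
        public SslHandler create(ByteBufAllocator byteBufAllocator) {
            SslHandler handler = super.create(byteBufAllocator);
            // setNeedClientAuth(true) fails the handshake when the client presents no certificate.
            handler.engine().setNeedClientAuth(clientAuthEnabled);
            return handler;
        }
    }

    /**
     * Sets the key store that provides this side's identity (private key and certificate chain).
     *
     * @param keyStore key store holding the key entry to use
     * @param supplier supplies the password protecting the key entry; invoked once, here
     * @return this enabler, for chaining
     * @throws RuntimeException if a {@link KeyManagerFactory} cannot be initialised from the store
     */
    public synchronized HttpsEnabler setKeyStore(KeyStore keyStore, Supplier<char[]> supplier) {
        try {
            keyManagerFactory = createKeyManagerFactory(keyStore, supplier);
            sslSocketFactory = null; // configuration changed; rebuild lazily
            return this;
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new RuntimeException("Failed to set key store", e);
        }
    }

    /**
     * Sets the trust store used to validate the peer's certificate. On the server side this also
     * turns on client-certificate authentication (see {@link #enable(NettyHttpService.Builder)}).
     *
     * @param keyStore key store holding the trusted certificates
     * @return this enabler, for chaining
     * @throws RuntimeException if a {@link TrustManagerFactory} cannot be initialised from the store
     */
    public synchronized HttpsEnabler setTrustStore(KeyStore keyStore) {
        try {
            trustManagerFactory = createTrustManagerFactory(keyStore);
            sslSocketFactory = null; // configuration changed; rebuild lazily
            return this;
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new RuntimeException("Failed to set trust store", e);
        }
    }

    /**
     * Switches client-side trust-all mode on or off.
     *
     * <p>When {@code true}, the peer certificate is accepted without validation
     * ({@link InsecureTrustManagerFactory}); together with the disabled hostname verification in
     * {@link #enable(HttpsURLConnection)} this leaves the server unauthenticated, so it is only
     * suitable where the peer is authenticated by other means. When {@code false} and trust-all was
     * previously enabled, the insecure factory is removed so the JDK default trust manager applies
     * again; a trust store set via {@link #setTrustStore(KeyStore)} is left untouched.
     *
     * @param trustAll whether to accept any server certificate
     * @return this enabler, for chaining
     */
    public synchronized HttpsEnabler setTrustAll(boolean trustAll) {
        if (trustAll) {
            trustManagerFactory = InsecureTrustManagerFactory.INSTANCE;
            sslSocketFactory = null;
        } else if (trustManagerFactory == InsecureTrustManagerFactory.INSTANCE) {
            // Previously setTrustAll(false) was a no-op; make the flag actually toggle the mode.
            trustManagerFactory = null;
            sslSocketFactory = null;
        }
        return this;
    }

    /**
     * Installs this enabler's {@link SSLSocketFactory} on the given connection.
     *
     * <p>Hostname verification is disabled on the connection (the verifier accepts every host), so
     * the server is authenticated solely by the configured trust store, and not at all in trust-all
     * mode. Callers that need hostname checking must install their own
     * {@link javax.net.ssl.HostnameVerifier} after this call.
     *
     * @param httpsURLConnection the connection to configure
     * @return the same connection, for chaining
     * @throws RuntimeException if the socket factory cannot be created
     */
    public HttpsURLConnection enable(HttpsURLConnection httpsURLConnection) {
        try {
            httpsURLConnection.setSSLSocketFactory(getSSLSocketFactory());
            // Kept as-is for compatibility with existing callers; see method doc for the trade-off.
            httpsURLConnection.setHostnameVerifier((hostname, session) -> true);
            return httpsURLConnection;
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            throw new RuntimeException("Failed to enable HTTPS for HttpsURLConnection", e);
        }
    }

    /**
     * Enables HTTPS on a {@link NettyHttpService.Builder}.
     *
     * <p>The key store from {@link #setKeyStore} supplies the server certificate and is mandatory.
     * If a trust store was set via {@link #setTrustStore}, it is installed on the server context and
     * clients are required to present a certificate (mutual TLS). A trust-all factory is neither
     * passed to the server nor does it enable client authentication.
     *
     * @param t the builder to configure
     * @return the same builder, for chaining
     * @throws IllegalArgumentException if no key store has been set
     * @throws RuntimeException if the Netty {@link SslContext} cannot be built
     */
    public <T extends NettyHttpService.Builder> T enable(T t) {
        KeyManagerFactory kmf = keyManagerFactory;
        if (kmf == null) {
            throw new IllegalArgumentException("Missing keystore to enable HTTPS for NettyHttpService");
        }
        TrustManagerFactory tmf = trustManagerFactory;
        // Only an explicitly configured trust store can meaningfully authenticate clients.
        boolean clientAuthEnabled = tmf != null && tmf != InsecureTrustManagerFactory.INSTANCE;
        try {
            SslContextBuilder builder = SslContextBuilder.forServer(kmf);
            if (clientAuthEnabled) {
                builder = builder.trustManager(tmf);
            }
            t.enableSSL(new CustomSSLHandlerFactory(builder.build(), clientAuthEnabled));
            return t;
        } catch (SSLException e) {
            throw new RuntimeException("Failed to enable HTTPS for NettyHttpService", e);
        }
    }

    /** Builds a {@link KeyManagerFactory} of the default algorithm, initialised from the store. */
    private static KeyManagerFactory createKeyManagerFactory(KeyStore keyStore, Supplier<char[]> supplier)
            throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, supplier.get());
        return kmf;
    }

    /** Builds a {@link TrustManagerFactory} of the default algorithm, initialised from the store. */
    private static TrustManagerFactory createTrustManagerFactory(KeyStore keyStore)
            throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        return tmf;
    }

    /**
     * Returns the cached client {@link SSLSocketFactory}, building it on first use.
     *
     * <p>Double-checked locking on the volatile {@link #sslSocketFactory}: the common path takes no
     * lock, and the build runs under the same lock as the setters so it sees a consistent key/trust
     * pair. A null factory for either role leaves the JDK default for that role.
     */
    private SSLSocketFactory getSSLSocketFactory() throws NoSuchAlgorithmException, KeyManagementException {
        SSLSocketFactory cached = sslSocketFactory;
        if (cached != null) {
            return cached;
        }
        synchronized (this) {
            cached = sslSocketFactory;
            if (cached != null) {
                return cached;
            }
            // "TLS" is the standard-name spelling; SunJSSE maps "SSL" to the same context type, and
            // the protocol versions actually offered are governed by the JDK's enabled-protocol settings.
            SSLContext context = SSLContext.getInstance("TLS");
            KeyManagerFactory kmf = keyManagerFactory;
            TrustManagerFactory tmf = trustManagerFactory;
            context.init(kmf == null ? null : kmf.getKeyManagers(),
                         tmf == null ? null : tmf.getTrustManagers(),
                         new SecureRandom());
            cached = context.getSocketFactory();
            sslSocketFactory = cached;
            return cached;
        }
    }
}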
