package io.airlift.http.server;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.hash.HashCode;
import com.google.common.hash.Hashing;
import com.google.common.io.Files;
import io.airlift.http.server.HttpServer;
import io.airlift.log.Logger;
import io.airlift.node.AddressToHostname;
import io.airlift.security.cert.CertificateBuilder;
import io.airlift.security.pem.PemReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.security.auth.x500.X500Principal;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/airlift/http/server/ReloadableSslContextFactoryProvider.class */
public final class ReloadableSslContextFactoryProvider {
    private static final Logger log = Logger.get(ReloadableSslContextFactoryProvider.class);
    private final SslContextFactory.Server sslContextFactory;
    private final Optional<FileWatch> keystoreFile;
    private final String keystorePassword;
    private final String keyManagerPassword;
    private final String automaticHttpsSharedSecret;
    private final String environment;
    private final Optional<FileWatch> trustStoreFile;
    private final String trustStorePassword;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/airlift/http/server/ReloadableSslContextFactoryProvider$FileWatch.class */
    public static class FileWatch {
        private final File file;
        private long lastModified = -1;
        private long length = -1;
        private HashCode hashCode = Hashing.sha256().hashBytes(new byte[0]);

        public FileWatch(File file) {
            this.file = (File) Objects.requireNonNull(file, "file is null");
            updateState();
        }

        public File getFile() {
            return this.file;
        }

        public boolean updateState() {
            try {
                long lastModified = this.file.lastModified();
                long length = this.file.length();
                if (this.lastModified == lastModified && this.length == length) {
                    return false;
                }
                this.lastModified = lastModified;
                this.length = length;
                HashCode hash = Files.asByteSource(this.file).hash(Hashing.sha256());
                if (Objects.equals(this.hashCode, hash)) {
                    return false;
                }
                this.hashCode = hash;
                return true;
            } catch (IOException e) {
                return true;
            }
        }

        public String toString() {
            return this.file.toString();
        }
    }

    public ReloadableSslContextFactoryProvider(HttpsConfig httpsConfig, ScheduledExecutorService scheduledExecutorService, HttpServer.ClientCertificate clientCertificate, String str) {
        Objects.requireNonNull(httpsConfig, "config is null");
        Objects.requireNonNull(scheduledExecutorService, "scheduledExecutor is null");
        this.keystoreFile = Optional.ofNullable(httpsConfig.getKeystorePath()).map(File::new).map(FileWatch::new);
        this.keystorePassword = httpsConfig.getKeystorePassword();
        this.keyManagerPassword = httpsConfig.getKeyManagerPassword();
        this.automaticHttpsSharedSecret = httpsConfig.getAutomaticHttpsSharedSecret();
        this.environment = (String) Objects.requireNonNull(str, "environment is null");
        this.trustStoreFile = Optional.ofNullable(httpsConfig.getTrustStorePath()).map(File::new).map(FileWatch::new);
        this.trustStorePassword = httpsConfig.getTrustStorePassword();
        this.sslContextFactory = new SslContextFactory.Server();
        this.sslContextFactory.setIncludeCipherSuites((String[]) httpsConfig.getHttpsIncludedCipherSuites().toArray(new String[0]));
        this.sslContextFactory.setExcludeCipherSuites((String[]) httpsConfig.getHttpsExcludedCipherSuites().toArray(new String[0]));
        this.sslContextFactory.setSecureRandomAlgorithm(httpsConfig.getSecureRandomAlgorithm());
        this.sslContextFactory.setRenegotiationAllowed(false);
        switch (clientCertificate) {
            case NONE:
                break;
            case REQUESTED:
                this.sslContextFactory.setWantClientAuth(true);
                break;
            case REQUIRED:
                this.sslContextFactory.setNeedClientAuth(true);
                break;
            default:
                throw new IllegalArgumentException("Unsupported client certificate value: " + String.valueOf(clientCertificate));
        }
        this.sslContextFactory.setSslSessionTimeout(Math.toIntExact(httpsConfig.getSslSessionTimeout().roundTo(TimeUnit.SECONDS)));
        this.sslContextFactory.setSslSessionCacheSize(httpsConfig.getSslSessionCacheSize());
        loadContextFactory(this.sslContextFactory);
        long millis = httpsConfig.getSslContextRefreshTime().toMillis();
        scheduledExecutorService.scheduleWithFixedDelay(this::reload, millis, millis, TimeUnit.MILLISECONDS);
    }

    private void loadContextFactory(SslContextFactory.Server server) {
        KeyStore loadKeyStore = loadKeyStore(this.keystoreFile.map((v0) -> {
            return v0.getFile();
        }), this.keystorePassword, this.keyManagerPassword);
        String str = "";
        if (this.keyManagerPassword != null) {
            str = this.keyManagerPassword;
        } else if (this.keystorePassword != null) {
            str = this.keystorePassword;
        }
        if (this.automaticHttpsSharedSecret != null) {
            addAutomaticKeyForCurrentNode(this.automaticHttpsSharedSecret, loadKeyStore, this.environment, str);
        }
        server.setKeyStore(loadKeyStore);
        server.setKeyStorePassword(str);
        if (this.trustStoreFile.isPresent()) {
            server.setTrustStore(loadTrustStore(this.trustStoreFile.get().getFile(), this.trustStorePassword));
            server.setTrustStorePassword("");
        } else {
            server.setTrustStore(loadKeyStore);
            server.setKeyStorePassword(str);
        }
    }

    public static void addAutomaticKeyForCurrentNode(String str, KeyStore keyStore, String str2, String str3) {
        try {
            byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
            SecureRandom secureRandom = SecureRandom.getInstance("SHA1PRNG");
            secureRandom.setSeed(bytes);
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048, secureRandom);
            KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
            X500Principal x500Principal = new X500Principal("CN=" + str2);
            LocalDate now = LocalDate.now();
            LocalDate plus = now.plus(10L, (TemporalUnit) ChronoUnit.YEARS);
            List<InetAddress> allLocalIpAddresses = getAllLocalIpAddresses();
            keyStore.setKeyEntry(str2, generateKeyPair.getPrivate(), str3 == null ? new char[0] : str3.toCharArray(), new Certificate[]{CertificateBuilder.certificateBuilder().setKeyPair(generateKeyPair).setSerialNumber(System.currentTimeMillis()).setIssuer(x500Principal).setNotBefore(now).setNotAfter(plus).setSubject(x500Principal).addSanIpAddresses(allLocalIpAddresses).addSanDnsNames((List) allLocalIpAddresses.stream().map(AddressToHostname::encodeAddressAsHostname).collect(ImmutableList.toImmutableList())).buildSelfSigned()});
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private static List<InetAddress> getAllLocalIpAddresses() throws SocketException {
        ImmutableList.Builder builder = ImmutableList.builder();
        Iterator it = Collections.list(NetworkInterface.getNetworkInterfaces()).iterator();
        while (it.hasNext()) {
            Iterator it2 = Collections.list(((NetworkInterface) it.next()).getInetAddresses()).iterator();
            while (it2.hasNext()) {
                InetAddress inetAddress = (InetAddress) it2.next();
                if (!inetAddress.isAnyLocalAddress() && !inetAddress.isLinkLocalAddress() && !inetAddress.isMulticastAddress()) {
                    builder.add(inetAddress);
                }
            }
        }
        return builder.build();
    }

    private static KeyStore loadKeyStore(Optional<File> optional, String str, String str2) {
        if (!optional.isPresent()) {
            try {
                KeyStore keyStore = KeyStore.getInstance("JKS");
                keyStore.load(null, new char[0]);
                return keyStore;
            } catch (IOException | GeneralSecurityException e) {
                throw new RuntimeException(e);
            }
        }
        File file = optional.get();
        try {
            if (PemReader.isPem(file)) {
                Preconditions.checkArgument(str2 == null, "key manager password is not allowed with a PEM keystore");
                return PemReader.loadKeyStore(file, file, Optional.ofNullable(str), true);
            }
            try {
                FileInputStream fileInputStream = new FileInputStream(file);
                try {
                    KeyStore keyStore2 = KeyStore.getInstance("JKS");
                    keyStore2.load(fileInputStream, str.toCharArray());
                    fileInputStream.close();
                    return keyStore2;
                } finally {
                }
            } catch (IOException | GeneralSecurityException e2) {
                throw new IllegalArgumentException("Error loading Java key store: " + String.valueOf(file), e2);
            }
        } catch (IOException | GeneralSecurityException e3) {
            throw new IllegalArgumentException("Error loading PEM key store: " + String.valueOf(file), e3);
        }
    }

    private static KeyStore loadTrustStore(File file, String str) {
        try {
            if (PemReader.isPem(file)) {
                return PemReader.loadTrustStore(file);
            }
            try {
                FileInputStream fileInputStream = new FileInputStream(file);
                try {
                    KeyStore keyStore = KeyStore.getInstance("JKS");
                    keyStore.load(fileInputStream, str == null ? null : str.toCharArray());
                    fileInputStream.close();
                    return keyStore;
                } catch (Throwable th) {
                    try {
                        fileInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                    throw th;
                }
            } catch (IOException | GeneralSecurityException e) {
                throw new IllegalArgumentException("Error loading Java trust store: " + String.valueOf(file), e);
            }
        } catch (IOException | GeneralSecurityException e2) {
            throw new IllegalArgumentException("Error loading PEM trust store: " + String.valueOf(file), e2);
        }
    }

    public SslContextFactory.Server getSslContextFactory() {
        return this.sslContextFactory;
    }

    private synchronized void reload() {
        try {
            if (((Boolean) this.keystoreFile.map((v0) -> {
                return v0.updateState();
            }).orElse(false)).booleanValue() || ((Boolean) this.trustStoreFile.map((v0) -> {
                return v0.updateState();
            }).orElse(false)).booleanValue()) {
                this.sslContextFactory.reload(sslContextFactory -> {
                    loadContextFactory((SslContextFactory.Server) sslContextFactory);
                });
            }
        } catch (Exception e) {
            log.warn(e, "Unable to reload SslContext.");
        }
    }
}
