package org.apache.cassandra.security;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.CipherSuiteFilter;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.util.ReferenceCountUtil;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.apache.cassandra.concurrent.ScheduledExecutors;
import org.apache.cassandra.config.EncryptionOptions;
import org.apache.cassandra.security.ISslContextFactory;
import org.apache.cassandra.transport.PipelineConfigurator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/security/SSLFactory.class */
public final class SSLFactory {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) SSLFactory.class);
    private static final boolean openSslIsAvailable;
    private static final ConcurrentHashMap<CacheKey, SslContext> cachedSslContexts;
    public static final int DEFAULT_HOT_RELOAD_INITIAL_DELAY_SEC = 600;
    public static final int DEFAULT_HOT_RELOAD_PERIOD_SEC = 600;
    private static boolean isHotReloadingInitialized;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/cassandra/security/SSLFactory$CacheKey.class */
    public static class CacheKey {
        private final EncryptionOptions encryptionOptions;
        private final ISslContextFactory.SocketType socketType;
        private final String contextDescription;

        public CacheKey(EncryptionOptions encryptionOptions, ISslContextFactory.SocketType socketType, String str) {
            this.encryptionOptions = encryptionOptions;
            this.socketType = socketType;
            this.contextDescription = str;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            CacheKey cacheKey = (CacheKey) obj;
            return this.socketType == cacheKey.socketType && Objects.equals(this.encryptionOptions, cacheKey.encryptionOptions) && Objects.equals(this.contextDescription, cacheKey.contextDescription);
        }

        public int hashCode() {
            return 0 + (31 * this.socketType.hashCode()) + (31 * this.encryptionOptions.hashCode()) + (31 * this.contextDescription.hashCode());
        }
    }

    /* loaded from: input_file:org/apache/cassandra/security/SSLFactory$LoggingCipherSuiteFilter.class */
    public static final class LoggingCipherSuiteFilter implements CipherSuiteFilter {
        public static final CipherSuiteFilter QUIET_FILTER = new LoggingCipherSuiteFilter();
        final String settingDescription;

        private LoggingCipherSuiteFilter() {
            this.settingDescription = null;
        }

        public LoggingCipherSuiteFilter(String str) {
            this.settingDescription = str;
        }

        @Override // io.netty.handler.ssl.CipherSuiteFilter
        public String[] filterCipherSuites(Iterable<String> iterable, List<String> list, Set<String> set) {
            ArrayList arrayList;
            String next;
            Objects.requireNonNull(list, "defaultCiphers");
            Objects.requireNonNull(set, "supportedCiphers");
            if (iterable == null) {
                arrayList = new ArrayList(list.size());
                iterable = list;
            } else {
                arrayList = new ArrayList(set.size());
            }
            Iterator<String> it = iterable.iterator();
            while (it.hasNext() && (next = it.next()) != null) {
                if (set.contains(next)) {
                    arrayList.add(next);
                } else if (this.settingDescription != null) {
                    SSLFactory.logger.warn("Dropping unsupported cipher_suite {} from {} configuration", next, this.settingDescription.toLowerCase());
                }
            }
            if (arrayList.isEmpty()) {
                throw new IllegalStateException("No ciphers left after filtering supported cipher suite");
            }
            return (String[]) arrayList.toArray(new String[0]);
        }
    }

    public static boolean openSslIsAvailable() {
        return openSslIsAvailable;
    }

    public static List<String> tlsInstanceProtocolSubstitution() {
        try {
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            sSLContext.init(null, null, null);
            return Arrays.asList(sSLContext.getDefaultSSLParameters().getProtocols());
        } catch (Exception e) {
            throw new RuntimeException("Error finding supported TLS Protocols", e);
        }
    }

    public static SSLContext createSSLContext(EncryptionOptions encryptionOptions, boolean z) throws IOException {
        return encryptionOptions.sslContextFactoryInstance.createJSSESslContext(z);
    }

    public static SslContext getOrCreateSslContext(EncryptionOptions encryptionOptions, boolean z, ISslContextFactory.SocketType socketType, String str) throws IOException {
        CacheKey cacheKey = new CacheKey(encryptionOptions, socketType, str);
        SslContext sslContext = cachedSslContexts.get(cacheKey);
        if (sslContext != null) {
            return sslContext;
        }
        SslContext createNettySslContext = createNettySslContext(encryptionOptions, z, socketType);
        SslContext putIfAbsent = cachedSslContexts.putIfAbsent(cacheKey, createNettySslContext);
        if (putIfAbsent == null) {
            return createNettySslContext;
        }
        ReferenceCountUtil.release(createNettySslContext);
        return putIfAbsent;
    }

    static SslContext createNettySslContext(EncryptionOptions encryptionOptions, boolean z, ISslContextFactory.SocketType socketType) throws IOException {
        return createNettySslContext(encryptionOptions, z, socketType, LoggingCipherSuiteFilter.QUIET_FILTER);
    }

    static SslContext createNettySslContext(EncryptionOptions encryptionOptions, boolean z, ISslContextFactory.SocketType socketType, CipherSuiteFilter cipherSuiteFilter) throws IOException {
        return encryptionOptions.sslContextFactoryInstance.createNettySslContext(z, socketType, cipherSuiteFilter);
    }

    public static void checkCertFilesForHotReloading() {
        if (!isHotReloadingInitialized) {
            throw new IllegalStateException("Hot reloading functionality has not been initialized.");
        }
        checkCachedContextsForReload(false);
    }

    public static void forceCheckCertFiles() {
        checkCachedContextsForReload(true);
    }

    private static void checkCachedContextsForReload(boolean z) {
        ArrayList arrayList = new ArrayList(Collections.list(cachedSslContexts.keys()));
        while (!arrayList.isEmpty()) {
            CacheKey cacheKey = (CacheKey) arrayList.remove(arrayList.size() - 1);
            EncryptionOptions encryptionOptions = cacheKey.encryptionOptions;
            logger.debug("Checking whether certificates have been updated for {}", cacheKey.contextDescription);
            if (z || encryptionOptions.sslContextFactoryInstance.shouldReload()) {
                try {
                    validateSslContext(cacheKey.contextDescription, encryptionOptions, (encryptionOptions instanceof EncryptionOptions.ServerEncryptionOptions) || encryptionOptions.require_client_auth, false);
                    logger.info("SSL certificates have been updated for {}. Resetting the ssl contexts for new connections.", cacheKey.contextDescription);
                    clearSslContextCache(cacheKey.encryptionOptions, arrayList);
                } catch (Throwable th) {
                    logger.error("Failed to hot reload the SSL Certificates! Please check the certificate files for {}.", cacheKey.contextDescription, th);
                }
            }
        }
    }

    public static void clearSslContextCache() {
        cachedSslContexts.clear();
    }

    private static void clearSslContextCache(EncryptionOptions encryptionOptions, List<CacheKey> list) {
        cachedSslContexts.forEachKey(1L, cacheKey -> {
            if (Objects.equals(encryptionOptions, cacheKey.encryptionOptions)) {
                cachedSslContexts.remove(cacheKey);
                list.remove(cacheKey);
            }
        });
    }

    public static synchronized void initHotReloading(EncryptionOptions.ServerEncryptionOptions serverEncryptionOptions, EncryptionOptions encryptionOptions, boolean z) throws IOException {
        if (!isHotReloadingInitialized || z) {
            logger.debug("Initializing hot reloading SSLContext");
            if (serverEncryptionOptions != null && serverEncryptionOptions.tlsEncryptionPolicy() != EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED) {
                serverEncryptionOptions.sslContextFactoryInstance.initHotReloading();
            }
            if (encryptionOptions != null && encryptionOptions.tlsEncryptionPolicy() != EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED) {
                encryptionOptions.sslContextFactoryInstance.initHotReloading();
            }
            if (!isHotReloadingInitialized) {
                ScheduledExecutors.scheduledTasks.scheduleWithFixedDelay(SSLFactory::checkCertFilesForHotReloading, 600L, 600L, TimeUnit.SECONDS);
            }
            isHotReloadingInitialized = true;
        }
    }

    private static boolean filterOutSSLv2Hello(String str) {
        return !str.equals("SSLv2Hello");
    }

    /* JADX WARN: Finally extract failed */
    public static void validateSslContext(String str, EncryptionOptions encryptionOptions, boolean z, boolean z2) throws IOException {
        if (encryptionOptions == null || encryptionOptions.tlsEncryptionPolicy() == EncryptionOptions.TlsEncryptionPolicy.UNENCRYPTED) {
            return;
        }
        try {
            SslContext createNettySslContext = createNettySslContext(encryptionOptions, z, ISslContextFactory.SocketType.SERVER, z2 ? new LoggingCipherSuiteFilter(str) : LoggingCipherSuiteFilter.QUIET_FILTER);
            try {
                SSLEngine newEngine = createNettySslContext.newEngine(ByteBufAllocator.DEFAULT);
                if (z2) {
                    try {
                        String[] supportedProtocols = newEngine.getSupportedProtocols();
                        String[] supportedCipherSuites = newEngine.getSupportedCipherSuites();
                        String[] enabledProtocols = newEngine.getEnabledProtocols();
                        String str2 = supportedProtocols == null ? "system default" : (String) Arrays.stream(newEngine.getEnabledProtocols()).filter(SSLFactory::filterOutSSLv2Hello).collect(Collectors.joining(", "));
                        String[] enabledCipherSuites = newEngine.getEnabledCipherSuites();
                        logger.debug("{} supported TLS protocols: {}", str, supportedProtocols == null ? "system default" : String.join(", ", supportedProtocols));
                        logger.debug("{} unfiltered enabled TLS protocols: {}", str, enabledProtocols == null ? "system default" : String.join(", ", enabledProtocols));
                        logger.info("{} enabled TLS protocols: {}", str, str2);
                        logger.debug("{} supported cipher suites: {}", str, supportedCipherSuites == null ? "system default" : String.join(", ", supportedCipherSuites));
                        logger.info("{} enabled cipher suites: {}", str, enabledCipherSuites == null ? "system default" : String.join(", ", enabledCipherSuites));
                    } catch (Throwable th) {
                        newEngine.closeInbound();
                        newEngine.closeOutbound();
                        ReferenceCountUtil.release(newEngine);
                        throw th;
                    }
                }
                newEngine.closeInbound();
                newEngine.closeOutbound();
                ReferenceCountUtil.release(newEngine);
                ReferenceCountUtil.release(createNettySslContext);
                ReferenceCountUtil.release(createNettySslContext(encryptionOptions, z, ISslContextFactory.SocketType.CLIENT));
            } catch (Throwable th2) {
                ReferenceCountUtil.release(createNettySslContext);
                throw th2;
            }
        } catch (Exception e) {
            throw new IOException("Failed to create SSL context using " + str, e);
        }
    }

    public static void validateSslCerts(EncryptionOptions.ServerEncryptionOptions serverEncryptionOptions, EncryptionOptions encryptionOptions) throws IOException {
        validateSslContext("server_encryption_options", serverEncryptionOptions, true, false);
        validateSslContext(PipelineConfigurator.SSL_FACTORY_CONTEXT_DESCRIPTION, encryptionOptions, encryptionOptions.require_client_auth, false);
    }

    static {
        if (Boolean.getBoolean("cassandra.disable_tcactive_openssl")) {
            openSslIsAvailable = false;
        } else {
            openSslIsAvailable = OpenSsl.isAvailable();
        }
        cachedSslContexts = new ConcurrentHashMap<>();
        isHotReloadingInitialized = false;
    }
}
