package com.tencent.polaris.plugins.connector.grpc;

import com.tencent.polaris.api.config.global.ServerConnectorConfig;
import com.tencent.polaris.api.utils.StringUtils;
import com.tencent.polaris.logging.LoggerFactory;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.annotation.Nullable;
import javax.net.ssl.SSLException;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;

/* loaded from: input_file:com/tencent/polaris/plugins/connector/grpc/ChannelTlsCertificates.class */
/**
 * Pairs the X.509 trust manager and key manager that are built from the certificate files named
 * in a {@link ServerConnectorConfig}.
 *
 * <p>Either manager may be {@code null}: the trust manager when no trusted CA file is configured,
 * the key manager when no complete client certificate/key pair is configured. Consumers must
 * handle both cases.
 */
public class ChannelTlsCertificates {
    private static final Logger LOG = LoggerFactory.getLogger(ChannelTlsCertificates.class);

    /** Validates the server's certificate chain; {@code null} when no CA file was configured. */
    private final X509TrustManager trustManager;

    /** Supplies the client certificate and key for mutual TLS; {@code null} when not configured. */
    private final X509KeyManager keyManager;

    /**
     * Stores the given managers as-is; no validation is performed.
     *
     * @param x509TrustManager trust manager, may be {@code null}
     * @param x509KeyManager key manager, may be {@code null}
     */
    public ChannelTlsCertificates(X509TrustManager x509TrustManager, X509KeyManager x509KeyManager) {
        this.trustManager = x509TrustManager;
        this.keyManager = x509KeyManager;
    }

    /**
     * Creates the TLS material described by the connector configuration.
     *
     * <p>Security note: {@code null} is returned in two different situations, namely when the
     * configuration names no usable certificate files and when building a manager fails with an
     * {@link SSLException} (which is only logged). The caller cannot tell the two apart.
     * NOTE(review): confirm that the caller does not silently fall back to an unencrypted or
     * unauthenticated channel when TLS files were configured but could not be loaded.
     *
     * <p>A missing or unreadable file is not reported as {@code null}; it surfaces as an unchecked
     * {@link RuntimeException} from {@link #readCertificateFileBytes(String)}.
     *
     * @param serverConnectorConfig source of the CA, certificate and key file paths
     * @return the built certificates, or {@code null} when nothing was built or an
     *     {@link SSLException} occurred
     */
    @Nullable
    public static ChannelTlsCertificates build(ServerConnectorConfig serverConnectorConfig) {
        X509TrustManager trust = null;
        X509KeyManager key = null;
        try {
            if (hasTrustedCertificates(serverConnectorConfig)) {
                byte[] caBytes = readCertificateFileBytes(serverConnectorConfig.getTrustedCAFile());
                trust = X509ManagerUtil.buildTrustManager(caBytes);
            }
            if (hasClientCertificates(serverConnectorConfig)) {
                byte[] certBytes = readCertificateFileBytes(serverConnectorConfig.getCertFile());
                byte[] keyBytes = readCertificateFileBytes(serverConnectorConfig.getKeyFile());
                key = X509ManagerUtil.buildKeyManager(certBytes, keyBytes);
            }
        } catch (SSLException e) {
            LOG.error("Build X.509 key/trust manager error. Return null.", e);
            return null;
        }
        // Nothing configured (or only a half-configured client pair): no TLS material to hand out.
        if (trust == null && key == null) {
            return null;
        }
        return new ChannelTlsCertificates(trust, key);
    }

    /** Returns whether the configuration names a trusted CA file. */
    private static boolean hasTrustedCertificates(ServerConnectorConfig config) {
        String caFile = config.getTrustedCAFile();
        return StringUtils.isNotEmpty(caFile);
    }

    /**
     * Returns whether the configuration names both a client certificate file and a client key
     * file.
     *
     * <p>A half-configured pair is treated as "no client certificate" and only produces a warning
     * in the log, so client authentication is skipped rather than rejected in that case.
     */
    private static boolean hasClientCertificates(ServerConnectorConfig config) {
        String keyFile = config.getKeyFile();
        String certFile = config.getCertFile();
        boolean certMissing = StringUtils.isEmpty(certFile);
        boolean keyMissing = StringUtils.isEmpty(keyFile);

        if (certMissing && keyMissing) {
            LOG.debug("The server connector configuration has no client certificates and key chain.");
            return false;
        }
        if (keyMissing) {
            LOG.warn("The server connector configuration has client certificates but not client key chain");
            return false;
        }
        if (certMissing) {
            LOG.warn("The server connector configuration has client key chain but not client certificates");
            return false;
        }
        return true;
    }

    /**
     * Reads the whole file at the given location into memory.
     *
     * <p>This helper is used for the CA file, the client certificate and the client private key
     * alike. The only check made before reading is that the path exists (symbolic links are
     * followed); file type, ownership and permissions are not inspected here.
     *
     * @param location file system path taken from the connector configuration
     * @return the raw file content
     * @throws RuntimeException if the path does not exist or the file cannot be read
     */
    private static byte[] readCertificateFileBytes(String location) {
        Path path = Paths.get(location);
        if (Files.exists(path)) {
            try {
                return Files.readAllBytes(path);
            } catch (IOException e) {
                throw new RuntimeException("Error reading certificate file: " + path, e);
            }
        }
        throw new RuntimeException("Invalid Grpc tls certificate path: " + path);
    }

    /** Returns the trust manager, or {@code null} when no trusted CA file was configured. */
    public X509TrustManager getTrustManager() {
        return trustManager;
    }

    /** Returns the key manager, or {@code null} when no client certificate pair was configured. */
    public X509KeyManager getKeyManager() {
        return keyManager;
    }
}
