package com.yahoo.jdisc.http.ssl.impl;

import com.yahoo.container.handler.Coverage;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.security.AutoReloadingX509KeyManager;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.TlsContext;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import javax.net.ssl.SSLContext;

/* loaded from: input_file:com/yahoo/jdisc/http/ssl/impl/ConfiguredSslContextFactoryProvider.class */
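/**
 * {@link SslProvider} that builds the connector's {@link SSLContext} from the {@code ssl} section of
 * a {@link ConnectorConfig}: key material, trust anchors, client-auth mode, protocols and ciphers.
 *
 * <p>Key and certificate may each be given either inline (PEM text in config) or as a file path.
 * When both are given as files, an {@link AutoReloadingX509KeyManager} is used so the key material
 * can be rotated without restarting; otherwise the PEM is read once at configuration time.
 *
 * <p>Thread-safety: {@code keyManager} is {@code volatile} because {@link #close()} may run on a
 * different thread than {@link #configureSsl}. No other shared mutable state.
 */
public class ConfiguredSslContextFactoryProvider implements SslProvider {

    // Set only on the file-based path of configureSsl(); null otherwise. Closed by close().
    private volatile AutoReloadingX509KeyManager keyManager;
    private final ConnectorConfig connectorConfig;

    /**
     * @param connectorConfig connector configuration whose {@code ssl()} section is validated eagerly
     * @throws IllegalArgumentException if SSL is enabled and the certificate or private key is given
     *         both inline and as a file, or in neither form (see {@link #validateConfig})
     */
    public ConfiguredSslContextFactoryProvider(ConnectorConfig connectorConfig) {
        validateConfig(connectorConfig.ssl());
        this.connectorConfig = connectorConfig;
    }

    /**
     * Builds the SSL context and applies it, together with client-auth mode, enabled protocol
     * versions and cipher suites, to {@code connectorSsl}.
     *
     * @param connectorSsl the connector-side SSL settings to populate
     * @param str          second argument of the {@link SslProvider} contract; unused here
     *                     (presumably the connector name — confirm against SslProvider)
     * @param i            third argument of the {@link SslProvider} contract; unused here
     *                     (presumably the listen port — confirm against SslProvider)
     * @throws IllegalStateException    if {@code ssl.enabled()} is false
     * @throws IllegalArgumentException if {@code ssl.clientAuth()} is not one of NEED_AUTH, WANT_AUTH, DISABLED
     * @throws UncheckedIOException     if a configured PEM file cannot be read
     */
    @Override // com.yahoo.jdisc.http.SslProvider
    public void configureSsl(SslProvider.ConnectorSsl connectorSsl, String str, int i) {
        ConnectorConfig.Ssl ssl = this.connectorConfig.ssl();
        if (!ssl.enabled()) {
            throw new IllegalStateException("SSL is not enabled in the connector config");
        }
        SslContextBuilder sslContextBuilder = new SslContextBuilder();
        if (ssl.certificateFile().isBlank() || ssl.privateKeyFile().isBlank()) {
            // At least one of key/certificate is inline PEM: load once, no reloading possible.
            sslContextBuilder.withKeyStore(
                    KeyUtils.fromPemEncodedPrivateKey(getPrivateKey(ssl)),
                    X509CertificateUtils.certificateListFromPem(getCertificate(ssl)));
        } else {
            // Both are files: a reloading key manager picks up rotated key material on disk.
            // NOTE(review): a second call to configureSsl() overwrites an earlier key manager without
            // closing it; this assumes the provider is configured once per connector — confirm with callers.
            this.keyManager = AutoReloadingX509KeyManager.fromPemFiles(
                    Paths.get(ssl.privateKeyFile()), Paths.get(ssl.certificateFile()));
            sslContextBuilder.withKeyManager(this.keyManager);
        }
        // No CA configured => empty trust store; what the builder does with an empty list is decided there.
        sslContextBuilder.withTrustStore(
                getCaCertificates(ssl).map(X509CertificateUtils::certificateListFromPem).orElse(List.of()));
        SSLContext build = sslContextBuilder.build();
        connectorSsl.setSslContext(build);

        // Direct enum switch replaces the decompiler-generated ordinal lookup table.
        switch (ssl.clientAuth()) {
            case NEED_AUTH:
                connectorSsl.setClientAuth(SslProvider.ConnectorSsl.ClientAuth.NEED);
                break;
            case WANT_AUTH:
                connectorSsl.setClientAuth(SslProvider.ConnectorSsl.ClientAuth.WANT);
                break;
            case DISABLED:
                connectorSsl.setClientAuth(SslProvider.ConnectorSsl.ClientAuth.DISABLED);
                break;
            default:
                throw new IllegalArgumentException(ssl.clientAuth().toString());
        }

        // Explicit config wins; otherwise fall back to the allow-list TlsContext derives from the built context.
        connectorSsl.setEnabledProtocolVersions(
                !ssl.enabledProtocols().isEmpty()
                        ? ssl.enabledProtocols()
                        : new ArrayList<>(TlsContext.getAllowedProtocols(build)));
        connectorSsl.setEnabledCipherSuites(
                !ssl.enabledCipherSuites().isEmpty()
                        ? ssl.enabledCipherSuites()
                        : new ArrayList<>(TlsContext.getAllowedCipherSuites(build)));
    }

    /** Stops the reloading key manager, if one was created. Safe to call when nothing was configured. */
    @Override // com.yahoo.jdisc.http.SslProvider, java.lang.AutoCloseable
    public void close() {
        // Read the volatile once so a concurrent configureSsl() cannot make the null check and the call disagree.
        AutoReloadingX509KeyManager manager = this.keyManager;
        if (manager != null) {
            manager.close();
        }
    }

    /**
     * Rejects configurations where the certificate or private key is given both inline and as a
     * file, or in neither form. Only checked when SSL is enabled.
     *
     * @throws IllegalArgumentException on an ambiguous or incomplete key/certificate configuration
     */
    private static void validateConfig(ConnectorConfig.Ssl ssl) {
        if (!ssl.enabled()) {
            return;
        }
        if (hasBoth(ssl.certificate(), ssl.certificateFile())) {
            throw new IllegalArgumentException("Specified both certificate and certificate file.");
        }
        if (hasBoth(ssl.privateKey(), ssl.privateKeyFile())) {
            throw new IllegalArgumentException("Specified both private key and private key file.");
        }
        if (hasNeither(ssl.certificate(), ssl.certificateFile())) {
            throw new IllegalArgumentException("Specified neither certificate or certificate file.");
        }
        if (hasNeither(ssl.privateKey(), ssl.privateKeyFile())) {
            throw new IllegalArgumentException("Specified neither private key or private key file.");
        }
    }

    /** True when neither string is blank. */
    private static boolean hasBoth(String str, String str2) {
        return !str.isBlank() && !str2.isBlank();
    }

    /** True when both strings are blank. */
    private static boolean hasNeither(String str, String str2) {
        return str.isBlank() && str2.isBlank();
    }

    /**
     * Concatenates the inline CA PEM and the CA file contents (inline first, newline-separated).
     *
     * @return the combined PEM text, or empty if neither an inline CA nor a CA file is configured
     * @throws UncheckedIOException if the CA file cannot be read
     */
    Optional<String> getCaCertificates(ConnectorConfig.Ssl ssl) {
        boolean hasInline = !ssl.caCertificate().isBlank();
        boolean hasFile = !ssl.caCertificateFile().isBlank();
        if (!hasInline && !hasFile) {
            return Optional.empty();
        }
        StringBuilder pem = new StringBuilder();
        if (hasInline) {
            pem.append(ssl.caCertificate());
        }
        if (hasFile) {
            if (pem.length() > 0) {
                pem.append('\n'); // keep the two PEM blocks on separate lines
            }
            pem.append(readToString(ssl.caCertificateFile()));
        }
        return Optional.of(pem.toString());
    }

    /** Inline private-key PEM if present, else the contents of the private-key file. */
    private static String getPrivateKey(ConnectorConfig.Ssl ssl) {
        return !ssl.privateKey().isBlank() ? ssl.privateKey() : readToString(ssl.privateKeyFile());
    }

    /** Inline certificate PEM if present, else the contents of the certificate file. */
    private static String getCertificate(ConnectorConfig.Ssl ssl) {
        return !ssl.certificate().isBlank() ? ssl.certificate() : readToString(ssl.certificateFile());
    }

    /**
     * Reads a whole file as UTF-8.
     *
     * @param str path of the file to read
     * @throws UncheckedIOException wrapping the underlying {@link IOException} (missing file, permissions, etc.)
     */
    static String readToString(String str) {
        try {
            return Files.readString(Paths.get(str), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new UncheckedIOException("Failed to read " + str, e);
        }
    }
}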
