package org.apache.storm.security.auth.tls;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.util.Map;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.SynchronousQueue;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.security.auth.Subject;
import javax.security.cert.X509Certificate;
import org.apache.storm.security.auth.ITransportPlugin;
import org.apache.storm.security.auth.ReqContext;
import org.apache.storm.security.auth.SingleUserPrincipal;
import org.apache.storm.security.auth.ThriftConnectionType;
import org.apache.storm.thrift.TException;
import org.apache.storm.thrift.TProcessor;
import org.apache.storm.thrift.protocol.TBinaryProtocol;
import org.apache.storm.thrift.protocol.TProtocol;
import org.apache.storm.thrift.server.TServer;
import org.apache.storm.thrift.server.TThreadPoolServer;
import org.apache.storm.thrift.transport.TSSLTransportFactory;
import org.apache.storm.thrift.transport.TServerSocket;
import org.apache.storm.thrift.transport.TTransport;
import org.apache.storm.thrift.transport.TTransportException;
import org.apache.storm.utils.ExtendedThreadPoolExecutor;
import org.apache.storm.utils.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/tls/TlsTransportPlugin.class */
public class TlsTransportPlugin implements ITransportPlugin {
    private static final Logger LOG = LoggerFactory.getLogger(TlsTransportPlugin.class);
    protected ThriftConnectionType type;
    protected Map<String, Object> conf;
    private int port;
    private static TServerSocket serverTransport;
    private static TThreadPoolServer tThreadPoolServer;

    /* loaded from: input_file:org/apache/storm/security/auth/tls/TlsTransportPlugin$TTlsWrapProcessor.class */
    private static class TTlsWrapProcessor implements TProcessor {
        final TProcessor wrapped;

        TTlsWrapProcessor(TProcessor tProcessor) {
            this.wrapped = tProcessor;
        }

        public void process(TProtocol tProtocol, TProtocol tProtocol2) throws TException {
            SSLSocket sSLSocket = (SSLSocket) tProtocol.getTransport().getSocket();
            String str = "CN=ANONYMOUS";
            try {
                X509Certificate[] peerCertificateChain = sSLSocket.getSession().getPeerCertificateChain();
                if (0 < peerCertificateChain.length) {
                    str = peerCertificateChain[0].getSubjectDN().getName();
                }
            } catch (SSLPeerUnverifiedException e) {
                TlsTransportPlugin.LOG.debug("Client cert is not verified. Set principalName={}.", str, e);
            }
            TlsTransportPlugin.LOG.debug("principalName : {} ", str);
            ReqContext context = ReqContext.context();
            context.setRemoteAddress(sSLSocket.getInetAddress());
            Subject subject = new Subject();
            subject.getPrincipals().add(new SingleUserPrincipal(str));
            context.setSubject(subject);
            this.wrapped.process(tProtocol, tProtocol2);
        }
    }

    @Override // org.apache.storm.security.auth.ITransportPlugin
    public void prepare(ThriftConnectionType thriftConnectionType, Map<String, Object> map) {
        this.type = thriftConnectionType;
        this.conf = map;
    }

    @Override // org.apache.storm.security.auth.ITransportPlugin
    public TServer getServer(TProcessor tProcessor) throws IOException, TTransportException {
        if (!this.type.isTlsEnabled()) {
            throw new UnsupportedEncodingException("Non-TLS connection is not supported");
        }
        int port = this.type.getPort(this.conf);
        Integer socketTimeOut = this.type.getSocketTimeOut(this.conf);
        TSSLTransportFactory.TSSLTransportParameters tSSLTransportParameters = new TSSLTransportFactory.TSSLTransportParameters();
        if (this.type.getServerKeyStorePath(this.conf) == null || this.type.getServerKeyStorePassword(this.conf) == null) {
            throw new IllegalArgumentException("The server keystore is not configured properly");
        }
        tSSLTransportParameters.setKeyStore(this.type.getServerKeyStorePath(this.conf), this.type.getServerKeyStorePassword(this.conf), (String) null, SecurityUtils.inferKeyStoreTypeFromPath(this.type.getServerKeyStorePath(this.conf)));
        if (this.type.isClientAuthRequired(this.conf)) {
            if (this.type.getServerTrustStorePath(this.conf) == null || this.type.getServerTrustStorePassword(this.conf) == null) {
                throw new IllegalArgumentException("The server truststore is not configured properly");
            }
            tSSLTransportParameters.setTrustStore(this.type.getServerTrustStorePath(this.conf), this.type.getServerTrustStorePassword(this.conf), (String) null, SecurityUtils.inferKeyStoreTypeFromPath(this.type.getServerTrustStorePath(this.conf)));
            tSSLTransportParameters.requireClientAuth(true);
        }
        try {
            TServerSocket serverSocket = ReloadableTsslTransportFactory.getServerSocket(port, socketTimeOut == null ? 0 : socketTimeOut.intValue(), InetAddress.getLocalHost(), this.type, this.conf);
            ServerSocket serverSocket2 = serverSocket.getServerSocket();
            serverSocket2.setReuseAddress(true);
            this.port = serverSocket2.getLocalPort();
            int numThreads = this.type.getNumThreads(this.conf);
            Integer queueSize = this.type.getQueueSize(this.conf);
            TThreadPoolServer.Args protocolFactory = new TThreadPoolServer.Args(serverSocket).processor(new TTlsWrapProcessor(tProcessor)).minWorkerThreads(numThreads).maxWorkerThreads(numThreads).protocolFactory(new TBinaryProtocol.Factory(false, true));
            BlockingQueue synchronousQueue = new SynchronousQueue();
            if (queueSize != null) {
                synchronousQueue = new ArrayBlockingQueue(queueSize.intValue());
            }
            protocolFactory.executorService(new ExtendedThreadPoolExecutor(numThreads, numThreads, 60L, TimeUnit.SECONDS, synchronousQueue));
            tThreadPoolServer = new TThreadPoolServer(protocolFactory);
            return tThreadPoolServer;
        } catch (Exception e) {
            throw new IOException(e);
        }
    }

    @Override // org.apache.storm.security.auth.ITransportPlugin
    public TTransport connect(TTransport tTransport, String str, String str2) throws IOException, TTransportException {
        return tTransport;
    }

    @Override // org.apache.storm.security.auth.ITransportPlugin
    public int getPort() {
        return this.port;
    }

    @Override // org.apache.storm.security.auth.ITransportPlugin
    public boolean areWorkerTokensSupported() {
        return false;
    }
}
