package dev.miku.r2dbc.mysql.client;

import dev.miku.r2dbc.mysql.MySqlSslConfiguration;
import dev.miku.r2dbc.mysql.constant.SslMode;
import dev.miku.r2dbc.mysql.constant.TlsVersions;
import dev.miku.r2dbc.mysql.message.server.SyntheticSslResponseMessage;
import dev.miku.r2dbc.mysql.util.AssertUtils;
import dev.miku.r2dbc.mysql.util.ConnectionContext;
import dev.miku.r2dbc.mysql.util.ServerVersion;
import io.netty.channel.ChannelDuplexHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.File;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.netty.tcp.SslProvider;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:dev/miku/r2dbc/mysql/client/SslBridgeHandler.class */
public final class SslBridgeHandler extends ChannelDuplexHandler {
    static final String NAME = "R2dbcMySqlSslBridgeHandler";
    private static final String SSL_NAME = "R2dbcMySqlSslHandler";
    private static final Logger logger = LoggerFactory.getLogger(SslBridgeHandler.class);
    private static final ServerVersion TLS1_2_COMMUNITY_VER = ServerVersion.create(8, 0, 4);
    private static final ServerVersion TLS1_2_ENTERPRISE_VER = ServerVersion.create(5, 6, 0);
    private final ConnectionContext context;
    private final boolean verifyIdentity;
    private volatile SSLEngine sslEngine;
    private volatile MySqlSslConfiguration ssl;

    /* JADX INFO: Access modifiers changed from: package-private */
    public SslBridgeHandler(ConnectionContext connectionContext, MySqlSslConfiguration mySqlSslConfiguration) {
        this.context = (ConnectionContext) AssertUtils.requireNonNull(connectionContext, "context must not be null");
        this.ssl = (MySqlSslConfiguration) AssertUtils.requireNonNull(mySqlSslConfiguration, "ssl must not be null");
        this.verifyIdentity = mySqlSslConfiguration.getSslMode().verifyIdentity();
    }

    public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        if (obj instanceof SslState) {
            handleSslState(channelHandlerContext, (SslState) obj);
            return;
        }
        if (SslHandshakeCompletionEvent.SUCCESS == obj) {
            handleSslCompleted(channelHandlerContext);
        }
        super.userEventTriggered(channelHandlerContext, obj);
    }

    private void handleSslCompleted(ChannelHandlerContext channelHandlerContext) {
        if (this.verifyIdentity) {
            SSLEngine sSLEngine = this.sslEngine;
            String hostName = ((InetSocketAddress) channelHandlerContext.channel().remoteAddress()).getHostName();
            if (sSLEngine == null) {
                channelHandlerContext.fireExceptionCaught(new IllegalStateException("sslEngine must not be null when verify identity"));
                return;
            }
            try {
                MySqlHostVerifier.accept(hostName, sSLEngine.getSession());
            } catch (Exception e) {
                channelHandlerContext.fireExceptionCaught(e);
                return;
            }
        }
        channelHandlerContext.fireChannelRead(SyntheticSslResponseMessage.getInstance());
        logger.debug("SSL handshake completed, remove SSL bridge in pipeline");
        channelHandlerContext.pipeline().remove(NAME);
    }

    private void handleSslState(ChannelHandlerContext channelHandlerContext, SslState sslState) {
        switch (sslState) {
            case BRIDGING:
                logger.debug("SSL event triggered, enable SSL handler to pipeline");
                MySqlSslConfiguration mySqlSslConfiguration = this.ssl;
                this.ssl = null;
                if (mySqlSslConfiguration == null) {
                    channelHandlerContext.fireExceptionCaught(new IllegalStateException("The SSL bridge has used, cannot build SSL handler twice"));
                    return;
                }
                SslHandler newHandler = buildProvider(mySqlSslConfiguration, this.context.getServerVersion()).getSslContext().newHandler(channelHandlerContext.alloc());
                this.sslEngine = newHandler.engine();
                channelHandlerContext.pipeline().addBefore(NAME, SSL_NAME, newHandler);
                return;
            case UNSUPPORTED:
                logger.debug("Server unsupported SSL, remove SSL bridge in pipeline");
                channelHandlerContext.pipeline().remove(NAME);
                return;
            default:
                return;
        }
    }

    private static SslProvider buildProvider(MySqlSslConfiguration mySqlSslConfiguration, ServerVersion serverVersion) {
        return SslProvider.builder().sslContext(buildContext(mySqlSslConfiguration, serverVersion)).defaultConfiguration(SslProvider.DefaultConfigurationType.TCP).build();
    }

    private static SslContextBuilder buildContext(MySqlSslConfiguration mySqlSslConfiguration, ServerVersion serverVersion) {
        SslContextBuilder withTlsVersion = withTlsVersion(SslContextBuilder.forClient(), mySqlSslConfiguration, serverVersion);
        String sslKey = mySqlSslConfiguration.getSslKey();
        if (sslKey != null) {
            CharSequence sslKeyPassword = mySqlSslConfiguration.getSslKeyPassword();
            String sslCert = mySqlSslConfiguration.getSslCert();
            if (sslCert == null) {
                throw new IllegalStateException("SSL key param requires but SSL cert param to be present");
            }
            withTlsVersion.keyManager(new File(sslCert), new File(sslKey), sslKeyPassword == null ? null : sslKeyPassword.toString());
        }
        SslMode sslMode = mySqlSslConfiguration.getSslMode();
        if (sslMode.verifyCertificate()) {
            String sslCa = mySqlSslConfiguration.getSslCa();
            if (sslCa == null) {
                throw new IllegalStateException(String.format("SSL mode %s requires SSL CA parameter", sslMode));
            }
            withTlsVersion.trustManager(new File(sslCa));
        } else {
            withTlsVersion.trustManager(InsecureTrustManagerFactory.INSTANCE);
        }
        return withTlsVersion;
    }

    private static SslContextBuilder withTlsVersion(SslContextBuilder sslContextBuilder, MySqlSslConfiguration mySqlSslConfiguration, ServerVersion serverVersion) {
        String[] tlsVersion = mySqlSslConfiguration.getTlsVersion();
        if (tlsVersion.length > 0) {
            sslContextBuilder.protocols(tlsVersion);
        } else if (isEnabledTls1_2(serverVersion)) {
            sslContextBuilder.protocols(new String[]{TlsVersions.TLS1, TlsVersions.TLS1_1, TlsVersions.TLS1_2});
        } else {
            sslContextBuilder.protocols(new String[]{TlsVersions.TLS1, TlsVersions.TLS1_1});
        }
        return sslContextBuilder;
    }

    private static boolean isEnabledTls1_2(ServerVersion serverVersion) {
        return serverVersion.isGreaterThanOrEqualTo(TLS1_2_COMMUNITY_VER) || (serverVersion.isGreaterThanOrEqualTo(TLS1_2_ENTERPRISE_VER) && serverVersion.isEnterprise());
    }
}
