package org.apache.flink.runtime.net;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nullable;
import javax.net.ServerSocketFactory;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.flink.annotation.VisibleForTesting;
import org.apache.flink.configuration.ConfigOption;
import org.apache.flink.configuration.Configuration;
import org.apache.flink.configuration.IllegalConfigurationException;
import org.apache.flink.configuration.SecurityOptions;
import org.apache.flink.runtime.io.network.netty.SSLHandlerFactory;
import org.apache.flink.runtime.io.network.partition.consumer.InputGateSpecUtils;
import org.apache.flink.shaded.netty4.io.netty.handler.ssl.ClientAuth;
import org.apache.flink.shaded.netty4.io.netty.handler.ssl.JdkSslContext;
import org.apache.flink.shaded.netty4.io.netty.handler.ssl.OpenSsl;
import org.apache.flink.shaded.netty4.io.netty.handler.ssl.OpenSslX509KeyManagerFactory;
import org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContext;
import org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContextBuilder;
import org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslProvider;
import org.apache.flink.shaded.netty4.io.netty.handler.ssl.util.FingerprintTrustManagerFactory;
import org.apache.flink.util.Preconditions;
import org.apache.flink.util.StringUtils;

/* loaded from: input_file:org/apache/flink/runtime/net/SSLUtils.class */
public class SSLUtils {

    /* loaded from: input_file:org/apache/flink/runtime/net/SSLUtils$ConfiguringSSLServerSocketFactory.class */
    private static class ConfiguringSSLServerSocketFactory extends ServerSocketFactory {
        private final SSLServerSocketFactory sslServerSocketFactory;
        private final String[] protocols;
        private final String[] cipherSuites;

        ConfiguringSSLServerSocketFactory(SSLServerSocketFactory sSLServerSocketFactory, String[] strArr, String[] strArr2) {
            this.sslServerSocketFactory = sSLServerSocketFactory;
            this.protocols = strArr;
            this.cipherSuites = strArr2;
        }

        @Override // javax.net.ServerSocketFactory
        public ServerSocket createServerSocket(int i) throws IOException {
            SSLServerSocket sSLServerSocket = (SSLServerSocket) this.sslServerSocketFactory.createServerSocket(i);
            configureServerSocket(sSLServerSocket);
            return sSLServerSocket;
        }

        @Override // javax.net.ServerSocketFactory
        public ServerSocket createServerSocket(int i, int i2) throws IOException {
            SSLServerSocket sSLServerSocket = (SSLServerSocket) this.sslServerSocketFactory.createServerSocket(i, i2);
            configureServerSocket(sSLServerSocket);
            return sSLServerSocket;
        }

        @Override // javax.net.ServerSocketFactory
        public ServerSocket createServerSocket(int i, int i2, InetAddress inetAddress) throws IOException {
            SSLServerSocket sSLServerSocket = (SSLServerSocket) this.sslServerSocketFactory.createServerSocket(i, i2, inetAddress);
            configureServerSocket(sSLServerSocket);
            return sSLServerSocket;
        }

        private void configureServerSocket(SSLServerSocket sSLServerSocket) {
            sSLServerSocket.setEnabledProtocols(this.protocols);
            sSLServerSocket.setEnabledCipherSuites(this.cipherSuites);
            sSLServerSocket.setNeedClientAuth(true);
        }
    }

    public static ServerSocketFactory createSSLServerSocketFactory(Configuration configuration) throws Exception {
        SSLContext createInternalSSLContext = createInternalSSLContext(configuration, false);
        if (createInternalSSLContext == null) {
            throw new IllegalConfigurationException("SSL is not enabled");
        }
        return new ConfiguringSSLServerSocketFactory(createInternalSSLContext.getServerSocketFactory(), getEnabledProtocols(configuration), getEnabledCipherSuites(configuration));
    }

    public static SocketFactory createSSLClientSocketFactory(Configuration configuration) throws Exception {
        SSLContext createInternalSSLContext = createInternalSSLContext(configuration, true);
        if (createInternalSSLContext == null) {
            throw new IllegalConfigurationException("SSL is not enabled");
        }
        return createInternalSSLContext.getSocketFactory();
    }

    public static SSLHandlerFactory createInternalServerSSLEngineFactory(Configuration configuration) throws Exception {
        SslContext createInternalNettySSLContext = createInternalNettySSLContext(configuration, false);
        if (createInternalNettySSLContext == null) {
            throw new IllegalConfigurationException("SSL is not enabled for internal communication.");
        }
        return new SSLHandlerFactory(createInternalNettySSLContext, ((Integer) configuration.get(SecurityOptions.SSL_INTERNAL_HANDSHAKE_TIMEOUT)).intValue(), ((Integer) configuration.get(SecurityOptions.SSL_INTERNAL_CLOSE_NOTIFY_FLUSH_TIMEOUT)).intValue());
    }

    public static SSLHandlerFactory createInternalClientSSLEngineFactory(Configuration configuration) throws Exception {
        SslContext createInternalNettySSLContext = createInternalNettySSLContext(configuration, true);
        if (createInternalNettySSLContext == null) {
            throw new IllegalConfigurationException("SSL is not enabled for internal communication.");
        }
        return new SSLHandlerFactory(createInternalNettySSLContext, ((Integer) configuration.get(SecurityOptions.SSL_INTERNAL_HANDSHAKE_TIMEOUT)).intValue(), ((Integer) configuration.get(SecurityOptions.SSL_INTERNAL_CLOSE_NOTIFY_FLUSH_TIMEOUT)).intValue());
    }

    public static SSLHandlerFactory createRestServerSSLEngineFactory(Configuration configuration) throws Exception {
        SslContext createRestNettySSLContext = createRestNettySSLContext(configuration, false, SecurityOptions.isRestSSLAuthenticationEnabled(configuration) ? ClientAuth.REQUIRE : ClientAuth.NONE);
        if (createRestNettySSLContext == null) {
            throw new IllegalConfigurationException("SSL is not enabled for REST endpoints.");
        }
        return new SSLHandlerFactory(createRestNettySSLContext, -1, -1);
    }

    public static SSLHandlerFactory createRestClientSSLEngineFactory(Configuration configuration) throws Exception {
        SslContext createRestNettySSLContext = createRestNettySSLContext(configuration, true, SecurityOptions.isRestSSLAuthenticationEnabled(configuration) ? ClientAuth.REQUIRE : ClientAuth.NONE);
        if (createRestNettySSLContext == null) {
            throw new IllegalConfigurationException("SSL is not enabled for REST endpoints.");
        }
        return new SSLHandlerFactory(createRestNettySSLContext, -1, -1);
    }

    private static String[] getEnabledProtocols(Configuration configuration) {
        Preconditions.checkNotNull(configuration, "config must not be null");
        return ((String) configuration.get(SecurityOptions.SSL_PROTOCOL)).split(",");
    }

    private static String[] getEnabledCipherSuites(Configuration configuration) {
        Preconditions.checkNotNull(configuration, "config must not be null");
        return ((String) configuration.get(SecurityOptions.SSL_ALGORITHMS)).split(",");
    }

    @VisibleForTesting
    static SslProvider getSSLProvider(Configuration configuration) {
        Preconditions.checkNotNull(configuration, "config must not be null");
        String str = (String) configuration.get(SecurityOptions.SSL_PROVIDER);
        if (str.equalsIgnoreCase("OPENSSL")) {
            if (OpenSsl.isAvailable()) {
                return SslProvider.OPENSSL;
            }
            throw new IllegalConfigurationException("openSSL not available", OpenSsl.unavailabilityCause());
        }
        if (str.equalsIgnoreCase("JDK")) {
            return SslProvider.JDK;
        }
        throw new IllegalConfigurationException("Unknown SSL provider: %s", new Object[]{str});
    }

    private static Optional<TrustManagerFactory> getTrustManagerFactory(Configuration configuration, boolean z) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        String str = (String) configuration.get(z ? SecurityOptions.SSL_INTERNAL_TRUSTSTORE : SecurityOptions.SSL_REST_TRUSTSTORE, (String) configuration.get(SecurityOptions.SSL_TRUSTSTORE));
        String str2 = (String) configuration.get(z ? SecurityOptions.SSL_INTERNAL_TRUSTSTORE_PASSWORD : SecurityOptions.SSL_REST_TRUSTSTORE_PASSWORD, (String) configuration.get(SecurityOptions.SSL_TRUSTSTORE_PASSWORD));
        String str3 = z ? (String) configuration.get(SecurityOptions.SSL_INTERNAL_TRUSTSTORE_TYPE) : (String) configuration.get(SecurityOptions.SSL_REST_TRUSTSTORE_TYPE);
        if (!z && str == null && str2 == null) {
            return Optional.empty();
        }
        if (str == null) {
            throw new IllegalConfigurationException("The config option " + SecurityOptions.SSL_INTERNAL_TRUSTSTORE.key() + " or " + SecurityOptions.SSL_TRUSTSTORE.key() + " is missing.");
        }
        if (str2 == null) {
            throw new IllegalConfigurationException("The config option " + SecurityOptions.SSL_INTERNAL_TRUSTSTORE_PASSWORD.key() + " or " + SecurityOptions.SSL_TRUSTSTORE_PASSWORD + " is missing.");
        }
        KeyStore keyStore = KeyStore.getInstance(str3);
        InputStream newInputStream = Files.newInputStream(new File(str).toPath(), new OpenOption[0]);
        try {
            keyStore.load(newInputStream, str2.toCharArray());
            if (newInputStream != null) {
                newInputStream.close();
            }
            String str4 = (String) configuration.get(z ? SecurityOptions.SSL_INTERNAL_CERT_FINGERPRINT : SecurityOptions.SSL_REST_CERT_FINGERPRINT);
            TrustManagerFactory trustManagerFactory = StringUtils.isNullOrWhitespaceOnly(str4) ? TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()) : new FingerprintTrustManagerFactory(str4.split(","));
            trustManagerFactory.init(keyStore);
            return Optional.of(trustManagerFactory);
        } catch (Throwable th) {
            if (newInputStream != null) {
                try {
                    newInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static KeyManagerFactory getKeyManagerFactory(Configuration configuration, boolean z, SslProvider sslProvider) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
        String andCheckOption = getAndCheckOption(configuration, z ? SecurityOptions.SSL_INTERNAL_KEYSTORE : SecurityOptions.SSL_REST_KEYSTORE, SecurityOptions.SSL_KEYSTORE);
        String andCheckOption2 = getAndCheckOption(configuration, z ? SecurityOptions.SSL_INTERNAL_KEYSTORE_PASSWORD : SecurityOptions.SSL_REST_KEYSTORE_PASSWORD, SecurityOptions.SSL_KEYSTORE_PASSWORD);
        String andCheckOption3 = getAndCheckOption(configuration, z ? SecurityOptions.SSL_INTERNAL_KEY_PASSWORD : SecurityOptions.SSL_REST_KEY_PASSWORD, SecurityOptions.SSL_KEY_PASSWORD);
        KeyStore keyStore = KeyStore.getInstance(z ? (String) configuration.get(SecurityOptions.SSL_INTERNAL_KEYSTORE_TYPE) : (String) configuration.get(SecurityOptions.SSL_REST_KEYSTORE_TYPE));
        InputStream newInputStream = Files.newInputStream(new File(andCheckOption).toPath(), new OpenOption[0]);
        try {
            keyStore.load(newInputStream, andCheckOption2.toCharArray());
            if (newInputStream != null) {
                newInputStream.close();
            }
            KeyManagerFactory openSslX509KeyManagerFactory = (sslProvider == SslProvider.OPENSSL || sslProvider == SslProvider.OPENSSL_REFCNT) ? new OpenSslX509KeyManagerFactory() : KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            openSslX509KeyManagerFactory.init(keyStore, andCheckOption3.toCharArray());
            return openSslX509KeyManagerFactory;
        } catch (Throwable th) {
            if (newInputStream != null) {
                try {
                    newInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Nullable
    private static SSLContext createInternalSSLContext(Configuration configuration, boolean z) throws Exception {
        JdkSslContext createInternalNettySSLContext = createInternalNettySSLContext(configuration, z, SslProvider.JDK);
        if (createInternalNettySSLContext != null) {
            return createInternalNettySSLContext.context();
        }
        return null;
    }

    @Nullable
    private static SslContext createInternalNettySSLContext(Configuration configuration, boolean z) throws Exception {
        return createInternalNettySSLContext(configuration, z, getSSLProvider(configuration));
    }

    @Nullable
    private static SslContext createInternalNettySSLContext(Configuration configuration, boolean z, SslProvider sslProvider) throws Exception {
        Preconditions.checkNotNull(configuration, "config");
        if (!SecurityOptions.isInternalSSLEnabled(configuration)) {
            return null;
        }
        String[] enabledProtocols = getEnabledProtocols(configuration);
        List asList = Arrays.asList(getEnabledCipherSuites(configuration));
        int intValue = ((Integer) configuration.get(SecurityOptions.SSL_INTERNAL_SESSION_CACHE_SIZE)).intValue();
        int intValue2 = ((Integer) configuration.get(SecurityOptions.SSL_INTERNAL_SESSION_TIMEOUT)).intValue();
        KeyManagerFactory keyManagerFactory = getKeyManagerFactory(configuration, true, sslProvider);
        ClientAuth clientAuth = ClientAuth.REQUIRE;
        SslContextBuilder keyManager = z ? SslContextBuilder.forClient().keyManager(keyManagerFactory) : SslContextBuilder.forServer(keyManagerFactory);
        Optional<TrustManagerFactory> trustManagerFactory = getTrustManagerFactory(configuration, true);
        SslContextBuilder sslContextBuilder = keyManager;
        Objects.requireNonNull(sslContextBuilder);
        trustManagerFactory.map(sslContextBuilder::trustManager);
        return keyManager.sslProvider(sslProvider).protocols(enabledProtocols).ciphers(asList).clientAuth(clientAuth).sessionCacheSize(intValue).sessionTimeout(intValue2 / InputGateSpecUtils.DEFAULT_MAX_REQUIRED_BUFFERS_PER_GATE_FOR_BATCH).build();
    }

    @VisibleForTesting
    @Nullable
    public static SSLContext createRestSSLContext(Configuration configuration, boolean z) throws Exception {
        JdkSslContext createRestNettySSLContext = createRestNettySSLContext(configuration, z, SecurityOptions.isRestSSLAuthenticationEnabled(configuration) ? ClientAuth.REQUIRE : ClientAuth.NONE, SslProvider.JDK);
        if (createRestNettySSLContext != null) {
            return createRestNettySSLContext.context();
        }
        return null;
    }

    @Nullable
    private static SslContext createRestNettySSLContext(Configuration configuration, boolean z, ClientAuth clientAuth) throws Exception {
        return createRestNettySSLContext(configuration, z, clientAuth, getSSLProvider(configuration));
    }

    @Nullable
    public static SslContext createRestNettySSLContext(Configuration configuration, boolean z, ClientAuth clientAuth, SslProvider sslProvider) throws Exception {
        SslContextBuilder forServer;
        Preconditions.checkNotNull(configuration, "config");
        if (!SecurityOptions.isRestSSLEnabled(configuration)) {
            return null;
        }
        String[] enabledProtocols = getEnabledProtocols(configuration);
        List asList = Arrays.asList(getEnabledCipherSuites(configuration));
        if (z) {
            forServer = SslContextBuilder.forClient();
            if (clientAuth != ClientAuth.NONE) {
                forServer.keyManager(getKeyManagerFactory(configuration, false, sslProvider));
            }
        } else {
            forServer = SslContextBuilder.forServer(getKeyManagerFactory(configuration, false, sslProvider));
        }
        if (z || clientAuth != ClientAuth.NONE) {
            SslContextBuilder sslContextBuilder = forServer;
            getTrustManagerFactory(configuration, false).map(trustManagerFactory -> {
                return sslContextBuilder.trustManager(trustManagerFactory).protocols(enabledProtocols).ciphers(asList).clientAuth(clientAuth);
            });
        }
        return forServer.sslProvider(sslProvider).build();
    }

    private static String getAndCheckOption(Configuration configuration, ConfigOption<String> configOption, ConfigOption<String> configOption2) {
        String str = (String) configuration.get(configOption, (String) configuration.get(configOption2));
        if (str != null) {
            return str;
        }
        throw new IllegalConfigurationException("The config option " + configOption.key() + " or " + configOption2.key() + " is missing.");
    }
}
