package io.confluent.rest;

import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rest/SslFactory.class */
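/**
 * Builds the Jetty server-side {@link SslContextFactory} from an {@link SslConfig}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>TLS renegotiation is always disabled on the returned factory.</li>
 *   <li>Client certificates are only requested when the configured client-auth mode is
 *       {@code NEED} or {@code WANT}; any other mode leaves the factory's defaults untouched.</li>
 *   <li>Key store, key manager and trust store passwords are handed to Jetty and are never
 *       logged here.</li>
 *   <li>Protocol and cipher-suite include lists are only applied when non-empty; otherwise the
 *       factory's own defaults stay in effect.</li>
 * </ul>
 */
public final class SslFactory {
    private static final Logger log = LoggerFactory.getLogger(SslFactory.class);

    private SslFactory() {
        // Static utility holder; not instantiable.
    }

    /**
     * Creates a server {@link SslContextFactory} configured from {@code sslConfig}.
     *
     * <p>The key store and trust store sections are skipped entirely when their path is empty.
     * If key store auto-reload is requested but the file watcher cannot be registered, the
     * failure is logged at error level and the factory is still returned; in that case the key
     * store is not re-read automatically, so that log line is worth alerting on.
     *
     * @param sslConfig source of all TLS settings
     * @return the configured factory, with renegotiation disabled
     */
    public static SslContextFactory createSslContextFactory(SslConfig sslConfig) {
        SslContextFactory.Server server = new SslContextFactory.Server();

        if (!sslConfig.getKeyStorePath().isEmpty()) {
            configureKeyStore(server, sslConfig);
        }

        configureClientAuth(server, sslConfig);

        // Include lists act as allow-lists; leaving them empty keeps the factory defaults.
        // The explicit casts are kept because the list's element type is not visible here.
        if (!sslConfig.getIncludeProtocols().isEmpty()) {
            server.setIncludeProtocols(
                    (String[]) sslConfig.getIncludeProtocols().toArray(new String[0]));
        }
        if (!sslConfig.getIncludeCipherSuites().isEmpty()) {
            server.setIncludeCipherSuites(
                    (String[]) sslConfig.getIncludeCipherSuites().toArray(new String[0]));
        }

        // Passed through unconditionally, so whatever the config returns replaces the
        // factory's default value.
        server.setEndpointIdentificationAlgorithm(sslConfig.getEndpointIdentificationAlgorithm());

        if (!sslConfig.getTrustStorePath().isEmpty()) {
            configureTrustStore(server, sslConfig);
        }

        server.setProtocol(sslConfig.getProtocol());
        if (!sslConfig.getProvider().isEmpty()) {
            server.setProvider(sslConfig.getProvider());
        }

        // Never allow peer-initiated renegotiation, regardless of configuration.
        server.setRenegotiationAllowed(false);
        return server;
    }

    /** Applies key store location, credentials, type and optional algorithm, then reload. */
    private static void configureKeyStore(SslContextFactory.Server server, SslConfig sslConfig) {
        server.setKeyStorePath(sslConfig.getKeyStorePath());
        server.setKeyStorePassword(sslConfig.getKeyStorePassword());
        server.setKeyManagerPassword(sslConfig.getKeyManagerPassword());
        server.setKeyStoreType(sslConfig.getKeyStoreType());
        if (!sslConfig.getKeyManagerFactoryAlgorithm().isEmpty()) {
            server.setKeyManagerFactoryAlgorithm(sslConfig.getKeyManagerFactoryAlgorithm());
        }
        if (sslConfig.getReloadOnKeyStoreChange()) {
            enableKeyStoreReload(server, sslConfig);
        }
    }

    /**
     * Registers a file watcher that reloads the key store when the watched path changes.
     *
     * <p>Best effort: an {@link IOException} while registering the watcher is logged and not
     * rethrown, so the server still starts with the key store it loaded initially.
     */
    private static void enableKeyStoreReload(SslContextFactory.Server server, SslConfig sslConfig) {
        Path watchedPath = Paths.get(sslConfig.getReloadOnKeyStoreChangePath());
        try {
            FileWatcher.onFileChange(watchedPath, () -> {
                // The path is set again before every reload; presumably this makes Jetty
                // re-read the store from disk instead of reusing what it already loaded.
                // NOTE(review): confirm against Jetty's reload semantics.
                server.setKeyStorePath(sslConfig.getKeyStorePath());
                server.reload(reloaded -> log.info("Reloaded SSL cert"));
            });
            log.info("Enabled SSL cert auto reload for: {}", watchedPath);
        } catch (IOException e) {
            log.error("Can not enabled SSL cert auto reload", e);
        }
    }

    /** Applies trust store location, password, type and optional trust manager algorithm. */
    private static void configureTrustStore(SslContextFactory.Server server, SslConfig sslConfig) {
        server.setTrustStorePath(sslConfig.getTrustStorePath());
        server.setTrustStorePassword(sslConfig.getTrustStorePassword());
        server.setTrustStoreType(sslConfig.getTrustStoreType());
        if (!sslConfig.getTrustManagerFactoryAlgorithm().isEmpty()) {
            server.setTrustManagerFactoryAlgorithm(sslConfig.getTrustManagerFactoryAlgorithm());
        }
    }

    /**
     * Maps the configured client-auth mode onto the factory.
     *
     * <p>{@code NEED} makes a client certificate mandatory, {@code WANT} requests one without
     * requiring it. Every other mode changes nothing, so mutual TLS is off unless it is
     * explicitly configured.
     */
    private static void configureClientAuth(SslContextFactory.Server server, SslConfig sslConfig) {
        switch (sslConfig.getClientAuth()) {
            case NEED:
                server.setNeedClientAuth(true);
                break;
            case WANT:
                server.setWantClientAuth(true);
                break;
            default:
                // No client certificate is requested.
                break;
        }
    }
}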
