package org.apache.cassandra.security;

import com.google.common.collect.ImmutableList;
import io.netty.handler.ssl.CipherSuiteFilter;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.cassandra.config.CassandraRelevantProperties;
import org.apache.cassandra.config.EncryptionOptions;
import org.apache.cassandra.security.ISslContextFactory;
import org.apache.cassandra.transport.ConnectedClient;

/* loaded from: input_file:org/apache/cassandra/security/AbstractSslContextFactory.class */
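/**
 * Base class for {@link ISslContextFactory} implementations: it reads the TLS settings out of a
 * configuration map and assembles JSSE and Netty SSL contexts from key and trust material that
 * concrete subclasses provide.
 *
 * <p>Points a reviewer of the TLS configuration should keep in mind when reading this class:
 * <ul>
 *   <li>A trust manager built from the subclass' trust material is installed only when the
 *       {@code clientAuth} argument of a {@code create*SslContext} call is not
 *       {@code NOT_REQUIRED}. Otherwise the provider's default trust configuration applies.</li>
 *   <li>{@link #require_endpoint_verification} is parsed and stored here but is not read by any
 *       method of this class; hostname verification has to be applied by subclasses or callers.</li>
 *   <li>Values are pulled from the map with unchecked casts, so a value of the wrong type fails
 *       with a {@link ClassCastException} rather than a configuration error.</li>
 * </ul>
 */
public abstract class AbstractSslContextFactory implements ISslContextFactory {
    // Protocol list used when the configured protocol is the generic name "TLS".
    // NOTE(review): contents come from SSLFactory, which is not visible here.
    protected static final List<String> TLS_PROTOCOL_SUBSTITUTION = SSLFactory.tlsInstanceProtocolSubstitution();
    // Selects the Netty provider (OPENSSL vs JDK); set by deriveIfOpenSslAvailable().
    protected boolean openSslIsAvailable;
    // Raw configuration map. The caller's instance is stored as-is (no defensive copy).
    protected final Map<String, Object> parameters;
    // Explicit cipher suite list; null or empty means "use the provider defaults".
    protected final List<String> cipher_suites;
    // Legacy single-protocol setting; may be null.
    protected final String protocol;
    // Explicit protocol list; may be null.
    protected final List<String> accepted_protocols;
    protected final String algorithm;
    // Keystore type, "JKS" unless configured otherwise.
    protected final String store_type;
    // Configured client-certificate mode; drives the Netty server-side clientAuth setting.
    protected final EncryptionOptions.ClientAuth clientAuth;
    // Stored only; not enforced anywhere in this class.
    protected final boolean require_endpoint_verification;
    // Tri-state flags: null means the key was absent from the configuration.
    protected Boolean enabled;
    protected Boolean optional;

    /**
     * Creates a factory with no configuration: JKS store type, client authentication not
     * required, endpoint verification off, and every other setting left {@code null}.
     *
     * <p>Decompiler note: declared {@code protected} in the original class; JADX widened it to
     * {@code public}.
     */
    public AbstractSslContextFactory() {
        this.parameters = new HashMap<>();
        this.cipher_suites = null;
        this.protocol = null;
        this.accepted_protocols = null;
        this.algorithm = null;
        this.store_type = "JKS";
        this.clientAuth = EncryptionOptions.ClientAuth.NOT_REQUIRED;
        this.require_endpoint_verification = false;
        this.enabled = null;
        this.optional = null;
        // NOTE(review): overridable method invoked from a constructor; a subclass override runs
        // before the subclass' own fields are initialised.
        deriveIfOpenSslAvailable();
    }

    /**
     * Creates a factory from a configuration map.
     *
     * <p>Decompiler note: declared {@code protected} in the original class; JADX widened it to
     * {@code public}.
     *
     * @param map configuration values keyed by option name; stored by reference, so later
     *            changes to the map are visible through {@link #parameters}
     * @throws NullPointerException if {@code map} is {@code null}
     * @throws ClassCastException   if a value has a different type than the option expects
     */
    public AbstractSslContextFactory(Map<String, Object> map) {
        this.parameters = map;
        this.cipher_suites = getStringList("cipher_suites");
        // NOTE(review): the decompiler substituted a constant from an unrelated class for the key;
        // presumably its value is the literal "protocol" - confirm before relying on it.
        this.protocol = getString(ConnectedClient.PROTOCOL);
        this.accepted_protocols = getStringList("accepted_protocols");
        this.algorithm = getString("algorithm");
        this.store_type = getString("store_type", "JKS");
        // An absent key means "client certificates not required".
        // NOTE(review): getString casts to String, so this assumes the value was stored as a
        // String; a Boolean here would fail the cast - confirm against the code filling the map.
        this.clientAuth = map.get("require_client_auth") == null
                ? EncryptionOptions.ClientAuth.NOT_REQUIRED
                : EncryptionOptions.ClientAuth.from(getString("require_client_auth"));
        this.require_endpoint_verification = getBoolean("require_endpoint_verification", false);
        this.enabled = getBoolean("enabled");
        this.optional = getBoolean("optional");
        // NOTE(review): overridable method invoked from a constructor (see no-arg constructor).
        deriveIfOpenSslAvailable();
    }

    /**
     * Decides whether the Netty OpenSSL provider may be used. The availability probe is skipped
     * entirely when the {@code DISABLE_TCACTIVE_OPENSSL} property is set.
     */
    protected void deriveIfOpenSslAvailable() {
        // Short-circuit keeps OpenSsl.isAvailable() from being called when OpenSSL is disabled.
        this.openSslIsAvailable = !CassandraRelevantProperties.DISABLE_TCACTIVE_OPENSSL.getBoolean()
                && OpenSsl.isAvailable();
    }

    /**
     * Reads a string option.
     *
     * @param str  option key
     * @param str2 value returned when the key is absent or mapped to {@code null}
     * @return the configured value, or {@code str2}
     * @throws ClassCastException if the stored value is not a {@link String}
     */
    protected String getString(String str, String str2) {
        Object value = this.parameters.get(str);
        return value == null ? str2 : (String) value;
    }

    /**
     * Reads a string option without a default.
     *
     * <p>Decompiler note: declared {@code protected} in the original class; JADX widened it to
     * {@code public}.
     *
     * @param str option key
     * @return the configured value, or {@code null} when absent
     * @throws ClassCastException if the stored value is not a {@link String}
     */
    public String getString(String str) {
        return (String) this.parameters.get(str);
    }

    /**
     * Reads a list-of-strings option.
     *
     * @param str option key
     * @return the configured list (the same instance held by the map), or {@code null} when absent
     * @throws ClassCastException if the stored value is not a {@link List}
     */
    @SuppressWarnings("unchecked")
    protected List<String> getStringList(String str) {
        // Unchecked: element types are not verified here, so a non-String element only fails
        // later, at the point where the list is consumed.
        return (List<String>) this.parameters.get(str);
    }

    /**
     * Reads a boolean option.
     *
     * @param str option key
     * @param z   value returned when the key is absent or mapped to {@code null}
     * @return the configured value, or {@code z}; never {@code null}
     * @throws ClassCastException if the stored value is not a {@link Boolean}
     */
    protected Boolean getBoolean(String str, boolean z) {
        Object value = this.parameters.get(str);
        return value == null ? z : (Boolean) value;
    }

    /**
     * Reads a boolean option without a default.
     *
     * @param str option key
     * @return the configured value, or {@code null} when absent
     * @throws ClassCastException if the stored value is not a {@link Boolean}
     */
    protected Boolean getBoolean(String str) {
        return (Boolean) this.parameters.get(str);
    }

    /**
     * Boolean convenience overload: {@code true} maps to {@code REQUIRED}, {@code false} to
     * {@code NOT_REQUIRED}.
     *
     * @param z whether the peer certificate must be verified
     * @return an initialised JSSE context
     * @throws SSLException if the key/trust material or the context cannot be created
     */
    @Override
    public SSLContext createJSSESslContext(boolean z) throws SSLException {
        return createJSSESslContext(z ? EncryptionOptions.ClientAuth.REQUIRED : EncryptionOptions.ClientAuth.NOT_REQUIRED);
    }

    /**
     * Builds a JSSE {@link SSLContext} for the generic "TLS" protocol name.
     *
     * <p>When {@code clientAuth} is {@code NOT_REQUIRED} no trust managers are passed to
     * {@link SSLContext#init}, which makes JSSE fall back to the default trust managers of the
     * installed security providers; the trust material of this factory is not consulted then.
     *
     * @param clientAuth requested peer-verification mode; anything other than
     *                   {@code NOT_REQUIRED} installs the subclass' trust managers
     * @return an initialised JSSE context
     * @throws SSLException if the key/trust material or the context cannot be created; the
     *                      underlying exception is kept as the cause
     */
    @Override
    public SSLContext createJSSESslContext(EncryptionOptions.ClientAuth clientAuth) throws SSLException {
        // Trust material is built before key material, as in the original statement order.
        TrustManager[] trustManagers = null;
        if (clientAuth != EncryptionOptions.ClientAuth.NOT_REQUIRED) {
            trustManagers = buildTrustManagerFactory().getTrustManagers();
        }
        KeyManagerFactory keyManagerFactory = buildKeyManagerFactory();
        try {
            SSLContext context = SSLContext.getInstance("TLS");
            // A null SecureRandom selects the provider's default source of randomness.
            context.init(keyManagerFactory.getKeyManagers(), trustManagers, null);
            return context;
        } catch (Exception e) {
            // Deliberately broad: every failure, including runtime ones, is reported as SSLException.
            throw new SSLException("Error creating/initializing the SSL Context", e);
        }
    }

    /**
     * Boolean convenience overload: {@code true} maps to {@code REQUIRED}, {@code false} to
     * {@code NOT_REQUIRED}.
     *
     * @param z                 whether the peer certificate must be verified
     * @param socketType        server or client side
     * @param cipherSuiteFilter filter applied to explicitly configured cipher suites
     * @return a built Netty context
     * @throws SSLException if the key/trust material or the context cannot be created
     */
    @Override
    public SslContext createNettySslContext(boolean z, ISslContextFactory.SocketType socketType, CipherSuiteFilter cipherSuiteFilter) throws SSLException {
        return createNettySslContext(z ? EncryptionOptions.ClientAuth.REQUIRED : EncryptionOptions.ClientAuth.NOT_REQUIRED, socketType, cipherSuiteFilter);
    }

    /**
     * Builds a Netty {@link SslContext} for the given socket side.
     *
     * <p>Two separate inputs control peer authentication and they are not the same value:
     * <ul>
     *   <li>on the server side, whether the handshake asks for a client certificate follows the
     *       <em>configured</em> {@link #clientAuth} field;</li>
     *   <li>whether the subclass' trust manager is installed follows the {@code clientAuth}
     *       <em>argument</em>.</li>
     * </ul>
     * NOTE(review): if a caller passes an argument that disagrees with the configured field, the
     * context can request client certificates without this factory's trust material, or install
     * trust material while not requesting certificates - confirm that callers keep them aligned.
     *
     * <p>NOTE(review): on the client side with {@code NOT_REQUIRED}, no trust manager is set, so
     * server certificates are presumably validated against Netty's default trust configuration
     * rather than this factory's trust material - confirm this is intended for outbound links.
     *
     * @param clientAuth        decides whether the subclass' trust manager is installed
     * @param socketType        server or client side
     * @param cipherSuiteFilter filter applied to explicitly configured cipher suites
     * @return a built Netty context
     * @throws SSLException if the key/trust material or the context cannot be created
     */
    @Override
    public SslContext createNettySslContext(EncryptionOptions.ClientAuth clientAuth, ISslContextFactory.SocketType socketType, CipherSuiteFilter cipherSuiteFilter) throws SSLException {
        SslContextBuilder builder;
        if (socketType == ISslContextFactory.SocketType.SERVER) {
            // Uses the configured field, not the method argument (see Javadoc).
            builder = SslContextBuilder.forServer(buildKeyManagerFactory()).clientAuth(toNettyClientAuth(this.clientAuth));
        } else {
            builder = SslContextBuilder.forClient().keyManager(buildOutboundKeyManagerFactory());
        }
        // getAcceptedProtocols() may return null when nothing is configured.
        // NOTE(review): the provider's default protocol set presumably applies in that case.
        builder.sslProvider(getSslProvider()).protocols(getAcceptedProtocols());
        // Cipher suites are only pinned when explicitly configured; otherwise provider defaults apply.
        if (this.cipher_suites != null && !this.cipher_suites.isEmpty()) {
            builder.ciphers(this.cipher_suites, cipherSuiteFilter);
        }
        if (clientAuth != EncryptionOptions.ClientAuth.NOT_REQUIRED) {
            builder.trustManager(buildTrustManagerFactory());
        }
        return builder.build();
    }

    /**
     * Resolves the protocol versions to enable from {@link #accepted_protocols} and the legacy
     * {@link #protocol} setting.
     *
     * <p>When both are set and {@code protocol} is a concrete version missing from the list, it
     * is <em>appended</em>. A list meant to restrict the handshake is therefore widened by a
     * leftover {@code protocol} value (constructed example: a list holding only the newest
     * version plus a {@code protocol} naming an older one enables both).
     *
     * @return the protocol names to enable, or {@code null} when neither setting is present
     */
    @Override
    public List<String> getAcceptedProtocols() {
        if (this.accepted_protocols == null) {
            if (this.protocol == null) {
                return null;
            }
            // The generic name "TLS" is replaced by the substitution list.
            return this.protocol.equalsIgnoreCase("TLS") ? TLS_PROTOCOL_SUBSTITUTION : ImmutableList.of(this.protocol);
        }
        boolean protocolAddsNothing = this.protocol == null
                || this.protocol.equalsIgnoreCase("TLS")
                || this.accepted_protocols.stream().anyMatch(accepted -> accepted.equalsIgnoreCase(this.protocol));
        if (protocolAddsNothing) {
            return this.accepted_protocols;
        }
        // Explicit type witness: without it the builder is inferred as ImmutableList<Object>.
        return ImmutableList.<String>builder().addAll(this.accepted_protocols).add(this.protocol).build();
    }

    /**
     * @return the explicitly configured cipher suites (the same list instance held by this
     *         factory), or {@code null} when none were configured
     */
    @Override
    public List<String> getCipherSuites() {
        return this.cipher_suites;
    }

    /**
     * @return {@code OPENSSL} when {@link #openSslIsAvailable} is set, otherwise {@code JDK}
     */
    protected SslProvider getSslProvider() {
        return this.openSslIsAvailable ? SslProvider.OPENSSL : SslProvider.JDK;
    }

    /** Supplies the key material used for server contexts and for JSSE contexts. */
    protected abstract KeyManagerFactory buildKeyManagerFactory() throws SSLException;

    /** Supplies the trust material installed when peer verification is requested. */
    protected abstract TrustManagerFactory buildTrustManagerFactory() throws SSLException;

    /** Supplies the key material used for Netty client (outbound) contexts. */
    protected abstract KeyManagerFactory buildOutboundKeyManagerFactory() throws SSLException;

    /**
     * Translates the configuration-level client-auth mode into Netty's enum.
     *
     * @param clientAuth configuration-level mode
     * @return the matching Netty {@link ClientAuth} value
     * @throws RuntimeException     if the mode has no Netty counterpart
     * @throws NullPointerException if {@code clientAuth} is {@code null}
     */
    private ClientAuth toNettyClientAuth(EncryptionOptions.ClientAuth clientAuth) {
        switch (clientAuth) {
            case REQUIRED:
                return ClientAuth.REQUIRE;
            case NOT_REQUIRED:
                return ClientAuth.NONE;
            case OPTIONAL:
                return ClientAuth.OPTIONAL;
            default:
                // Fail closed on an unknown mode instead of silently picking one.
                throw new RuntimeException("Unsupported client auth " + clientAuth);
        }
    }
}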
