package io.airlift.drift.transport.netty.ssl;

import com.google.common.collect.ImmutableList;
import com.google.common.hash.HashCode;
import com.google.common.hash.Hashing;
import com.google.common.io.Files;
import io.airlift.security.pem.PemReader;
import io.airlift.units.Duration;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.io.File;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.GeneralSecurityException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

/* loaded from: input_file:io/airlift/drift/transport/netty/ssl/ReloadableSslContext.class */
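/**
 * Supplies a Netty {@link SslContext} that is rebuilt from PEM files on disk whenever
 * {@link #reload()} notices that one of those files has changed.
 *
 * <p>Failure handling is fail-closed: when a reload cannot read or parse its inputs, the
 * previously built context is discarded and {@link #get()} throws until a later reload
 * succeeds. A malformed certificate or key rotation therefore surfaces as connection
 * failures rather than as silent use of stale trust or key material; callers that schedule
 * {@link #reload()} should monitor for the {@link UncheckedIOException} thrown by {@link #get()}.
 *
 * <p>{@link #get()} is lock-free (it reads an {@link AtomicReference}); {@link #reload()} is
 * {@code synchronized}, so concurrent reloads are serialized.
 */
public final class ReloadableSslContext implements Supplier<SslContext> {
    private final boolean forClient;
    private final FileWatch trustCertificatesFileWatch;
    private final Optional<FileWatch> clientCertificatesFileWatch;
    private final Optional<FileWatch> privateKeyFileWatch;
    // Kept as a String for the lifetime of this instance because every reload needs it to
    // decrypt the key file; it can therefore not be wiped from memory by this class.
    private final Optional<String> privateKeyPassword;
    private final long sessionCacheSize;
    private final Duration sessionTimeout;
    private final List<String> ciphers;
    private final AtomicReference<SslContextHolder> sslContext = new AtomicReference<>(new SslContextHolder(new UncheckedIOException(new IOException("Not initialized"))));
    // True after a reload failed with a checked exception. Only touched inside the
    // synchronized reload(), so it needs no further synchronization.
    private boolean rebuildPending;

    /**
     * Tracks one file and reports whether its content changed since the last successful poll.
     *
     * <p>Modification time and length act as a cheap pre-check; the SHA-256 digest of the
     * content is only computed when one of them differs. A rewrite that preserves both the
     * modification time and the length is consequently not detected.
     *
     * <p>Not thread-safe; the enclosing class only polls it from the synchronized
     * {@link ReloadableSslContext#reload()}. The decompiler reports that this class was
     * originally {@code private}.
     */
    public static class FileWatch {
        private final File file;
        private long lastModified = -1;
        private long length = -1;
        // Starts as the digest of zero bytes, so a file that is empty on the first poll is
        // reported as unchanged.
        private HashCode hashCode = Hashing.sha256().hashBytes(new byte[0]);

        /**
         * @param file the file to watch
         * @throws NullPointerException if {@code file} is null
         */
        public FileWatch(File file) {
            this.file = Objects.requireNonNull(file, "file is null");
        }

        /** Returns the watched file. */
        public File getFile() {
            return this.file;
        }

        /**
         * Polls the file and records its current state.
         *
         * @return {@code true} if the content digest differs from the one recorded by the
         *     previous successful poll, {@code false} otherwise
         * @throws IOException if the file content cannot be read for hashing; in that case
         *     no state is recorded and the next poll examines the file again
         */
        public boolean updateState() throws IOException {
            long currentLastModified = this.file.lastModified();
            long currentLength = this.file.length();
            if (this.lastModified == currentLastModified && this.length == currentLength) {
                return false;
            }
            // Hash before recording anything: if the read fails, the timestamp and length
            // must not be remembered, otherwise the next poll would take the early return
            // above and never look at the content.
            HashCode currentHash = Files.asByteSource(this.file).hash(Hashing.sha256());
            this.lastModified = currentLastModified;
            this.length = currentLength;
            if (Objects.equals(this.hashCode, currentHash)) {
                return false;
            }
            this.hashCode = currentHash;
            return true;
        }
    }

    /**
     * Immutable result of one reload: either a usable context or the failure that prevented
     * building one. Exactly one of the two fields is non-null.
     *
     * <p>The decompiler reports that this class was originally {@code private}.
     */
    public static class SslContextHolder {
        private final SslContext sslContext;
        private final UncheckedIOException exception;

        /**
         * Creates a holder for a successfully built context.
         *
         * @throws NullPointerException if {@code sslContext} is null
         */
        public SslContextHolder(SslContext sslContext) {
            this.sslContext = Objects.requireNonNull(sslContext, "sslContext is null");
            this.exception = null;
        }

        /**
         * Creates a holder that records why no context is available.
         *
         * @throws NullPointerException if {@code uncheckedIOException} is null
         */
        public SslContextHolder(UncheckedIOException uncheckedIOException) {
            this.exception = Objects.requireNonNull(uncheckedIOException, "exception is null");
            this.sslContext = null;
        }

        /**
         * Returns the held context.
         *
         * @throws UncheckedIOException the recorded failure, if this holder was created from one
         */
        public SslContext getSslContext() {
            if (this.exception != null) {
                throw this.exception;
            }
            return this.sslContext;
        }
    }

    /**
     * Creates the supplier and performs the first load immediately. Checked failures during
     * that load are not thrown from the constructor; they are stored and thrown by
     * {@link #get()}.
     *
     * @param forClient {@code true} to build client contexts, {@code false} for server contexts
     * @param trustCertificatesFile PEM file whose certificates become the trust anchors
     * @param clientCertificatesFile optional PEM file holding the certificate chain to present
     * @param privateKeyFile optional PEM file holding the private key for that chain
     * @param privateKeyPassword optional password passed to the PEM reader for the key file
     * @param sessionCacheSize value handed to the builder's session cache size setting
     * @param sessionTimeout session timeout; rounded to whole seconds when applied
     * @param ciphers cipher suites to enable; when empty the builder's defaults are left in place
     * @throws NullPointerException if any reference argument is null
     */
    public ReloadableSslContext(
            boolean forClient,
            File trustCertificatesFile,
            Optional<File> clientCertificatesFile,
            Optional<File> privateKeyFile,
            Optional<String> privateKeyPassword,
            long sessionCacheSize,
            Duration sessionTimeout,
            List<String> ciphers) {
        this.forClient = forClient;
        this.trustCertificatesFileWatch = new FileWatch(Objects.requireNonNull(trustCertificatesFile, "trustCertificatesFile is null"));
        Objects.requireNonNull(clientCertificatesFile, "clientCertificatesFile is null");
        this.clientCertificatesFileWatch = clientCertificatesFile.map(FileWatch::new);
        Objects.requireNonNull(privateKeyFile, "privateKeyFile is null");
        this.privateKeyFileWatch = privateKeyFile.map(FileWatch::new);
        this.privateKeyPassword = Objects.requireNonNull(privateKeyPassword, "privateKeyPassword is null");
        this.sessionCacheSize = sessionCacheSize;
        this.sessionTimeout = Objects.requireNonNull(sessionTimeout, "sessionTimeout is null");
        this.ciphers = ImmutableList.copyOf(Objects.requireNonNull(ciphers, "ciphers is null"));
        reload();
    }

    /**
     * Returns the context produced by the most recent reload.
     *
     * @throws UncheckedIOException if the most recent reload failed, or none has completed
     */
    @Override
    public SslContext get() {
        return this.sslContext.get().getSslContext();
    }

    /**
     * Polls the watched files and rebuilds the context when any of them changed, or when the
     * previous reload failed with a checked exception.
     *
     * <p>On an {@link IOException} or {@link GeneralSecurityException} the current context is
     * replaced by the failure (see the class comment) and the rebuild is attempted again on
     * the next call even if no file changes in between. Without that retry, a failure whose
     * cause is fixed without modifying the file (for example a permission change) would keep
     * {@link #get()} failing until the file was rewritten. Unchecked exceptions from the PEM
     * reader or the builder are not caught here and propagate to the caller.
     *
     * <p>The key file and the certificate chain file are read one after the other, so a
     * rotation should leave both files consistent before this method runs.
     */
    public synchronized void reload() {
        try {
            // Poll every watch unconditionally so each one records the state of its own file.
            boolean trustChanged = this.trustCertificatesFileWatch.updateState();
            boolean chainChanged = false;
            if (this.clientCertificatesFileWatch.isPresent()) {
                chainChanged = this.clientCertificatesFileWatch.get().updateState();
            }
            boolean keyChanged = false;
            if (this.privateKeyFileWatch.isPresent()) {
                keyChanged = this.privateKeyFileWatch.get().updateState();
            }
            if (!(trustChanged || chainChanged || keyChanged || this.rebuildPending)) {
                return;
            }

            PrivateKey privateKey = null;
            if (this.privateKeyFileWatch.isPresent()) {
                privateKey = PemReader.loadPrivateKey(this.privateKeyFileWatch.get().getFile(), this.privateKeyPassword);
            }
            X509Certificate[] certificateChain = null;
            if (this.clientCertificatesFileWatch.isPresent()) {
                certificateChain = PemReader.readCertificateChain(this.clientCertificatesFileWatch.get().getFile()).toArray(new X509Certificate[0]);
            }

            SslContextBuilder builder;
            if (this.forClient) {
                builder = SslContextBuilder.forClient().keyManager(privateKey, certificateChain);
            } else {
                // NOTE(review): key and chain may both be null here when the optional files
                // were not configured; confirm how the builder treats that for a server.
                builder = SslContextBuilder.forServer(privateKey, certificateChain);
            }

            // Trust anchors come only from the configured trust certificates file.
            X509Certificate[] trustCertificates = PemReader.readCertificateChain(this.trustCertificatesFileWatch.getFile()).toArray(new X509Certificate[0]);
            builder.trustManager(trustCertificates)
                    .sessionCacheSize(this.sessionCacheSize)
                    .sessionTimeout(this.sessionTimeout.roundTo(TimeUnit.SECONDS));
            if (!this.ciphers.isEmpty()) {
                builder.ciphers(this.ciphers);
            }

            this.sslContext.set(new SslContextHolder(builder.build()));
            this.rebuildPending = false;
        } catch (IOException e) {
            // The watches may already have recorded the new file state, so remember that
            // the context still has to be rebuilt.
            this.rebuildPending = true;
            this.sslContext.set(new SslContextHolder(new UncheckedIOException(e)));
        } catch (GeneralSecurityException e) {
            this.rebuildPending = true;
            this.sslContext.set(new SslContextHolder(new UncheckedIOException(new IOException(e))));
        }
    }
}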
