package io.spiffe.provider;

import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.workloadapi.X509Source;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Set;
import java.util.function.Supplier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import lombok.Generated;
import lombok.NonNull;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:io/spiffe/provider/SpiffeSslContextFactory.class */
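/**
 * Builds {@link SSLContext} instances whose key managers and trust managers are obtained from an
 * {@link X509Source} through {@code SpiffeKeyManagerFactory} and {@code SpiffeTrustManagerFactory}.
 *
 * <p>Security-relevant choices are carried by {@link SslContextOptions}: which peer SPIFFE IDs are
 * accepted, and which protocol name is requested from JSSE.
 */
public final class SpiffeSslContextFactory {
    /**
     * Protocol name used when the caller leaves {@code sslProtocol} blank.
     *
     * <p>NOTE(review): which protocol versions a context created under this name actually enables
     * is decided by the JSSE provider and the JDK security properties. Confirm that the result
     * matches the deployment's minimum-TLS-version policy.
     */
    private static final String DEFAULT_SSL_PROTOCOL = "TLSv1.2";

    /**
     * Immutable set of options consumed by {@link SpiffeSslContextFactory#getSslContext}.
     *
     * <p>Peer authorization is configured in one of two ways: a supplier of accepted SPIFFE IDs
     * (an allow-list evaluated by the trust manager), or {@code acceptAnySpiffeId}, which skips the
     * allow-list. When both are set, {@code acceptAnySpiffeId} wins and the supplier is not used.
     */
    public static class SslContextOptions {
        // Fields are final: the factory resolves defaults locally and never writes back here, so
        // equals()/hashCode() stay stable for the lifetime of the instance.
        private final String sslProtocol;
        private final X509Source x509Source;
        private final Supplier<Set<SpiffeId>> acceptedSpiffeIdsSupplier;
        private final boolean acceptAnySpiffeId;

        /** Fluent builder for {@link SslContextOptions}. */
        public static class SslContextOptionsBuilder {
            private String sslProtocol;
            private X509Source x509Source;
            private Supplier<Set<SpiffeId>> acceptedSpiffeIdsSupplier;
            private boolean acceptAnySpiffeId;

            SslContextOptionsBuilder() {
            }

            /**
             * Sets the protocol name handed to {@link SSLContext#getInstance(String)}.
             *
             * <p>The value is not validated in this class, so any name the installed provider
             * recognises is accepted, including legacy protocol names if the provider still offers
             * them. A blank or {@code null} value selects the factory default.
             */
            public SslContextOptionsBuilder sslProtocol(String str) {
                this.sslProtocol = str;
                return this;
            }

            /** Sets the source of X.509 material; required by {@code getSslContext}. */
            public SslContextOptionsBuilder x509Source(X509Source x509Source) {
                this.x509Source = x509Source;
                return this;
            }

            /** Sets the supplier of SPIFFE IDs that a peer is allowed to present. */
            public SslContextOptionsBuilder acceptedSpiffeIdsSupplier(Supplier<Set<SpiffeId>> supplier) {
                this.acceptedSpiffeIdsSupplier = supplier;
                return this;
            }

            /**
             * Accepts any peer SPIFFE ID. This is a one-way switch on the builder, and it takes
             * precedence over {@link #acceptedSpiffeIdsSupplier(Supplier)} when both are set.
             *
             * <p>NOTE(review): with this flag no SPIFFE ID allow-list is applied here. What the
             * resulting trust manager still verifies about the peer chain is defined in
             * {@code SpiffeTrustManagerFactory}, which is not visible from this class.
             */
            public SslContextOptionsBuilder acceptAnySpiffeId() {
                this.acceptAnySpiffeId = true;
                return this;
            }

            /** Creates the options object from the values collected so far; performs no validation. */
            public SslContextOptions build() {
                return new SslContextOptions(this.sslProtocol, this.x509Source, this.acceptedSpiffeIdsSupplier, this.acceptAnySpiffeId);
            }
        }

        /**
         * @param str protocol name for {@link SSLContext#getInstance(String)}; may be blank
         * @param x509Source source of X.509 material
         * @param supplier supplier of accepted peer SPIFFE IDs; may be {@code null} when {@code z}
         *     is {@code true}
         * @param z {@code true} to accept any peer SPIFFE ID
         */
        public SslContextOptions(String str, X509Source x509Source, Supplier<Set<SpiffeId>> supplier, boolean z) {
            this.x509Source = x509Source;
            this.acceptedSpiffeIdsSupplier = supplier;
            this.sslProtocol = str;
            this.acceptAnySpiffeId = z;
        }

        /** Returns a new, empty builder. */
        public static SslContextOptionsBuilder builder() {
            return new SslContextOptionsBuilder();
        }

        /** Returns the configured protocol name exactly as supplied (possibly blank or {@code null}). */
        @Generated
        public String getSslProtocol() {
            return this.sslProtocol;
        }

        @Generated
        public X509Source getX509Source() {
            return this.x509Source;
        }

        @Generated
        public Supplier<Set<SpiffeId>> getAcceptedSpiffeIdsSupplier() {
            return this.acceptedSpiffeIdsSupplier;
        }

        @Generated
        public boolean isAcceptAnySpiffeId() {
            return this.acceptAnySpiffeId;
        }

        /** Field-by-field equality over all four options. */
        @Override
        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof SslContextOptions)) {
                return false;
            }
            SslContextOptions other = (SslContextOptions) obj;
            if (!other.canEqual(this) || isAcceptAnySpiffeId() != other.isAcceptAnySpiffeId()) {
                return false;
            }
            String thisProtocol = getSslProtocol();
            String otherProtocol = other.getSslProtocol();
            if (thisProtocol == null ? otherProtocol != null : !thisProtocol.equals(otherProtocol)) {
                return false;
            }
            X509Source thisSource = getX509Source();
            X509Source otherSource = other.getX509Source();
            if (thisSource == null ? otherSource != null : !thisSource.equals(otherSource)) {
                return false;
            }
            Supplier<Set<SpiffeId>> thisSupplier = getAcceptedSpiffeIdsSupplier();
            Supplier<Set<SpiffeId>> otherSupplier = other.getAcceptedSpiffeIdsSupplier();
            return thisSupplier == null ? otherSupplier == null : thisSupplier.equals(otherSupplier);
        }

        @Generated
        protected boolean canEqual(Object obj) {
            return obj instanceof SslContextOptions;
        }

        /** Hash over the same four options that {@link #equals(Object)} compares. */
        @Override
        @Generated
        public int hashCode() {
            int result = 59 + (isAcceptAnySpiffeId() ? 79 : 97);
            String protocol = getSslProtocol();
            result = (result * 59) + (protocol == null ? 43 : protocol.hashCode());
            X509Source source = getX509Source();
            result = (result * 59) + (source == null ? 43 : source.hashCode());
            Supplier<Set<SpiffeId>> supplier = getAcceptedSpiffeIdsSupplier();
            return (result * 59) + (supplier == null ? 43 : supplier.hashCode());
        }

        /**
         * Renders all four options, delegating to {@code X509Source.toString()}.
         *
         * <p>NOTE(review): what the X509Source implementation prints is not visible here; confirm
         * it contains nothing sensitive before logging this object.
         */
        @Override
        @Generated
        public String toString() {
            return "SpiffeSslContextFactory.SslContextOptions(sslProtocol=" + getSslProtocol() + ", x509Source=" + getX509Source() + ", acceptedSpiffeIdsSupplier=" + getAcceptedSpiffeIdsSupplier() + ", acceptAnySpiffeId=" + isAcceptAnySpiffeId() + ")";
        }
    }

    private SpiffeSslContextFactory() {
    }

    /**
     * Creates and initialises an {@link SSLContext} from the given options.
     *
     * <p>The options must carry an X.509 source, and must make the peer-authorization choice
     * explicit: either a supplier of accepted SPIFFE IDs or {@code acceptAnySpiffeId}. The options
     * object is only read; a blank protocol is defaulted locally and not written back.
     *
     * @param sslContextOptions options for the context; must not be {@code null}
     * @return an initialised context
     * @throws NullPointerException if {@code sslContextOptions} is {@code null}
     * @throws IllegalArgumentException if no X.509 source is set, or if neither an accepted-ID
     *     supplier nor {@code acceptAnySpiffeId} is configured
     * @throws NoSuchAlgorithmException if no provider supports the requested protocol name
     * @throws KeyManagementException if {@link SSLContext#init} fails
     */
    public static SSLContext getSslContext(@NonNull SslContextOptions sslContextOptions) throws NoSuchAlgorithmException, KeyManagementException {
        if (sslContextOptions == null) {
            throw new NullPointerException("options is marked non-null but is null");
        }
        if (sslContextOptions.x509Source == null) {
            throw new IllegalArgumentException("x509Source option cannot be null, an X.509 Source must be provided");
        }
        // Fail closed: without an explicit authorization choice no context is created.
        if (!sslContextOptions.acceptAnySpiffeId && sslContextOptions.acceptedSpiffeIdsSupplier == null) {
            throw new IllegalArgumentException("SSL context should be configured either with a Supplier of accepted SPIFFE IDs or with acceptAnySpiffeId=true");
        }
        SSLContext sslContext = newSslContext(sslContextOptions);
        // A null SecureRandom makes JSSE use its default implementation.
        sslContext.init(
                new SpiffeKeyManagerFactory().engineGetKeyManagers(sslContextOptions.x509Source),
                newTrustManager(sslContextOptions),
                null);
        return sslContext;
    }

    /**
     * Selects the trust managers for the configured authorization mode.
     *
     * <p>{@code acceptAnySpiffeId} is checked first, so it overrides a supplier that is also set.
     */
    private static TrustManager[] newTrustManager(SslContextOptions sslContextOptions) {
        SpiffeTrustManagerFactory trustManagerFactory = new SpiffeTrustManagerFactory();
        if (sslContextOptions.acceptAnySpiffeId) {
            return trustManagerFactory.engineGetTrustManagersAcceptAnySpiffeId(sslContextOptions.x509Source);
        }
        if (sslContextOptions.acceptedSpiffeIdsSupplier != null) {
            return trustManagerFactory.engineGetTrustManagers(sslContextOptions.x509Source, sslContextOptions.acceptedSpiffeIdsSupplier);
        }
        // Not reachable through getSslContext, which rejects this combination up front.
        // NOTE(review): where this overload takes its accepted IDs from is not visible here.
        return trustManagerFactory.engineGetTrustManagers(sslContextOptions.x509Source);
    }

    /**
     * Obtains an uninitialised context for the configured protocol name, falling back to
     * {@link #DEFAULT_SSL_PROTOCOL} when it is blank. The fallback is kept in a local so the
     * caller's options object is left untouched.
     */
    private static SSLContext newSslContext(SslContextOptions sslContextOptions) throws NoSuchAlgorithmException {
        String protocol = StringUtils.isBlank(sslContextOptions.sslProtocol)
                ? DEFAULT_SSL_PROTOCOL
                : sslContextOptions.sslProtocol;
        return SSLContext.getInstance(protocol);
    }
}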
