package org.apache.tez.http;

import com.ning.http.client.AsyncHttpClientConfig;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Locale;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
import org.apache.hadoop.security.ssl.KeyStoresFactory;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.security.ssl.SSLHostnameVerifier;
import org.apache.hadoop.util.ReflectionUtils;
import org.apache.tez.shaded.javax.net.ssl.HostnameVerifier;
import org.apache.tez.shaded.javax.net.ssl.HttpsURLConnection;
import org.apache.tez.shaded.javax.net.ssl.SSLContext;
import org.apache.tez.shaded.javax.net.ssl.SSLSocketFactory;

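/**
 * Builds the TLS context and hostname verifier used for HTTPS connections and applies them to
 * {@link HttpURLConnection} instances and to {@code AsyncHttpClientConfig.Builder}s.
 *
 * <p>Key and trust material comes from the {@link KeyStoresFactory} implementation named by
 * {@code hadoop.ssl.keystores.factory.class}. {@link #init()} must be called before any of the
 * {@code configure} or {@code create} methods, because it is the only place that sets the
 * context and the hostname verifier.
 *
 * <p>NOTE(review): {@code SSLFactory.Mode} in the signatures below is presumably the {@code Mode}
 * enum of the imported {@code org.apache.hadoop.security.ssl.SSLFactory}; this class declares no
 * {@code Mode} of its own. Confirm against the original sources.
 */
@InterfaceAudience.Private
@InterfaceStability.Evolving
public class SSLFactory implements ConnectionConfigurator {
    public static final String SSL_ENABLED_PROTOCOLS = "hadoop.ssl.enabled.protocols";

    // Security note: TLS 1.0 is deprecated (RFC 8996). The value is kept because it is a public
    // constant; deployments should set hadoop.ssl.enabled.protocols explicitly (for example to
    // TLSv1.2) rather than rely on this default. See also the note in init(): as written, the
    // configured list may not be enforced at all.
    public static final String DEFAULT_SSL_ENABLED_PROTOCOLS = "TLSv1";
    public static final boolean DEFAULT_SSL_REQUIRE_CLIENT_CERT = false;

    private final Configuration conf;
    private final SSLFactory.Mode mode;
    private final boolean requireClientCert;
    private final KeyStoresFactory keystoresFactory;
    private final String[] enabledProtocols;

    // Both are null until init() has run.
    private SSLContext context;
    private HostnameVerifier hostnameVerifier;

    /**
     * Creates a factory for the given mode.
     *
     * <p>NOTE(review): this constructor writes {@code hadoop.ssl.require.client.cert} back into
     * the caller's {@code configuration} and hands that same object to the keystores factory;
     * {@link #readSSLConfiguration} is not called anywhere in this class. Confirm that the
     * ssl-client.xml / ssl-server.xml resource is loaded by some other path.
     *
     * @param mode client or server mode; must not be null
     * @param configuration source of the {@code hadoop.ssl.*} settings
     * @throws IllegalArgumentException if {@code mode} is null
     */
    public SSLFactory(SSLFactory.Mode mode, Configuration configuration) {
        this.conf = configuration;
        if (mode == null) {
            throw new IllegalArgumentException("mode cannot be NULL");
        }
        this.mode = mode;
        this.requireClientCert = configuration.getBoolean("hadoop.ssl.require.client.cert", false);
        configuration.setBoolean("hadoop.ssl.require.client.cert", this.requireClientCert);
        this.keystoresFactory = (KeyStoresFactory) ReflectionUtils.newInstance(
                configuration.getClass(
                        "hadoop.ssl.keystores.factory.class",
                        FileBasedKeyStoresFactory.class,
                        KeyStoresFactory.class),
                configuration);
        this.enabledProtocols = configuration.getStrings(
                SSL_ENABLED_PROTOCOLS, new String[]{DEFAULT_SSL_ENABLED_PROTOCOLS});
    }

    /**
     * Builds a fresh configuration (no default resources) that carries the client-certificate
     * flag and adds the mode-specific SSL resource: {@code hadoop.ssl.client.conf} (default
     * {@code ssl-client.xml}) for CLIENT mode, otherwise {@code hadoop.ssl.server.conf}
     * (default {@code ssl-server.xml}).
     */
    private Configuration readSSLConfiguration(SSLFactory.Mode mode) {
        Configuration sslConf = new Configuration(false);
        sslConf.setBoolean("hadoop.ssl.require.client.cert", this.requireClientCert);
        String resource;
        if (mode == SSLFactory.Mode.CLIENT) {
            resource = this.conf.get("hadoop.ssl.client.conf", "ssl-client.xml");
        } else {
            resource = this.conf.get("hadoop.ssl.server.conf", "ssl-server.xml");
        }
        sslConf.addResource(resource);
        return sslConf;
    }

    /**
     * Initializes the keystores factory, the TLS context and the hostname verifier.
     *
     * @throws GeneralSecurityException if the key material, the context or the configured
     *     hostname verifier name is invalid
     * @throws IOException if the keystores factory fails to read its stores
     */
    public void init() throws GeneralSecurityException, IOException {
        this.keystoresFactory.init(this.mode);
        this.context = SSLContext.getInstance("TLS");
        // A null SecureRandom makes the provider use its default source of randomness.
        this.context.init(
                this.keystoresFactory.getKeyManagers(),
                this.keystoresFactory.getTrustManagers(),
                (SecureRandom) null);
        // NOTE(review): if this shaded SSLContext behaves like javax.net.ssl.SSLContext,
        // getDefaultSSLParameters() returns a copy, so this call does not restrict the protocols
        // of sockets created from the context and hadoop.ssl.enabled.protocols is effectively
        // ignored. Enforcing the list would require setting the enabled protocols on each
        // socket/engine (or on the HTTP client) -- confirm and fix at that level.
        this.context.getDefaultSSLParameters().setProtocols(this.enabledProtocols);
        this.hostnameVerifier = getHostnameVerifier(this.conf);
    }

    /**
     * Resolves the verifier named by {@code hadoop.ssl.hostname.verifier} (default
     * {@code DEFAULT}). The value is trimmed and upper-cased with {@link Locale#ROOT} so that the
     * match does not depend on the JVM's default locale (e.g. the Turkish dotted capital I).
     */
    private HostnameVerifier getHostnameVerifier(Configuration configuration)
            throws GeneralSecurityException, IOException {
        String verifierName = configuration.get("hadoop.ssl.hostname.verifier", "DEFAULT");
        return getHostnameVerifier(verifierName.trim().toUpperCase(Locale.ROOT));
    }

    /**
     * Maps a verifier name to the matching {@link SSLHostnameVerifier} constant.
     *
     * @param str one of {@code DEFAULT}, {@code DEFAULT_AND_LOCALHOST}, {@code STRICT},
     *     {@code STRICT_IE6} or {@code ALLOW_ALL}; matched exactly (case-sensitive)
     * @return the corresponding verifier
     * @throws GeneralSecurityException if {@code str} is none of the names above
     */
    public static HostnameVerifier getHostnameVerifier(String str)
            throws GeneralSecurityException, IOException {
        switch (str) {
            case "DEFAULT":
                return SSLHostnameVerifier.DEFAULT;
            case "DEFAULT_AND_LOCALHOST":
                return SSLHostnameVerifier.DEFAULT_AND_LOCALHOST;
            case "STRICT":
                return SSLHostnameVerifier.STRICT;
            case "STRICT_IE6":
                return SSLHostnameVerifier.STRICT_IE6;
            case "ALLOW_ALL":
                // Security note: ALLOW_ALL turns hostname verification off, so a certificate
                // accepted by the trust store is accepted for any host. Treat this setting as
                // test-only and audit configurations for it.
                return SSLHostnameVerifier.ALLOW_ALL;
            default:
                throw new GeneralSecurityException("Invalid hostname verifier: " + str);
        }
    }

    /** Releases the resources held by the keystores factory. */
    public void destroy() {
        this.keystoresFactory.destroy();
    }

    /** Returns the keystores factory created by the constructor. */
    public KeyStoresFactory getKeystoresFactory() {
        return this.keystoresFactory;
    }

    /**
     * Returns the socket factory of the initialized context.
     *
     * @throws IllegalStateException if the factory was not created in CLIENT mode
     */
    public SSLSocketFactory createSSLSocketFactory() throws GeneralSecurityException, IOException {
        if (this.mode != SSLFactory.Mode.CLIENT) {
            // The previous message claimed the opposite of the condition being checked.
            throw new IllegalStateException("Factory is not in CLIENT mode");
        }
        return this.context.getSocketFactory();
    }

    /**
     * Returns the hostname verifier resolved by {@link #init()}.
     *
     * @throws IllegalStateException if the factory was not created in CLIENT mode
     */
    public HostnameVerifier getHostnameVerifier() {
        if (this.mode != SSLFactory.Mode.CLIENT) {
            // The previous message claimed the opposite of the condition being checked.
            throw new IllegalStateException("Factory is not in CLIENT mode");
        }
        return this.hostnameVerifier;
    }

    /**
     * Installs this factory's socket factory and hostname verifier on an HTTPS connection;
     * any other connection is returned untouched.
     *
     * @param httpURLConnection the connection to configure
     * @return the same connection instance
     * @throws IOException wrapping any {@link GeneralSecurityException} raised while creating
     *     the socket factory
     */
    public HttpURLConnection configure(HttpURLConnection httpURLConnection) throws IOException {
        if (httpURLConnection instanceof HttpsURLConnection) {
            // Typed as HttpsURLConnection: the setters below are not declared on the base class.
            HttpsURLConnection httpsConnection = (HttpsURLConnection) httpURLConnection;
            try {
                httpsConnection.setSSLSocketFactory(createSSLSocketFactory());
                httpsConnection.setHostnameVerifier(getHostnameVerifier());
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        }
        return httpURLConnection;
    }

    /**
     * Applies this factory's TLS context and hostname verifier to an async HTTP client builder.
     * A null builder is ignored.
     *
     * <p>NOTE(review): if {@link #init()} has not run, the context passed here is null; what the
     * client does with a null context is not visible in this file -- confirm it does not fall
     * back to a default trust configuration unnoticed.
     *
     * @throws IllegalStateException if the factory was not created in CLIENT mode
     */
    public void configure(AsyncHttpClientConfig.Builder builder) throws IOException {
        if (builder == null) {
            return;
        }
        // Resolve the verifier first so a non-CLIENT factory fails before the builder is touched.
        HostnameVerifier verifier = getHostnameVerifier();
        builder.setSSLContext(this.context);
        builder.setHostnameVerifier(verifier);
    }
}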
