package org.apache.drill.exec.server.rest.ssl;

import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.function.Function;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.drill.common.config.DrillConfig;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.ssl.SSLConfig;
import org.apache.drill.exec.ssl.SSLConfigBuilder;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

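/**
 * Builds the Jetty {@link SslContextFactory} used by the Drill web server.
 *
 * <p>When the Drill SSL configuration validates ({@link SSLConfig#isSslValid()}), the factory is
 * pointed at the user-supplied key store (and optional trust store), restricted to the configured
 * TLS protocol, and then any Jetty-level overrides under
 * {@link ExecConstants#HTTP_JETTY_SSL_CONTEXT_FACTORY_OPTIONS_PREFIX} are applied on top.
 *
 * <p>Otherwise a throw-away RSA key pair and a self-signed X.509 certificate (CN = drillbit
 * endpoint address, valid for five years from startup) are generated and placed in an in-memory
 * JKS key store protected by a random password. No client trusts that certificate out of the box,
 * so it provides transport encryption but not server authentication until it is accepted manually.
 *
 * <p>Instances are not thread-safe; one is created per web server start.
 */
public class SslContextFactoryConfigurator {
    private static final Logger logger = LoggerFactory.getLogger(SslContextFactoryConfigurator.class);

    /** RSA modulus size for the auto-generated key pair; 1024 bits is below the accepted minimum. */
    private static final int SELF_SIGNED_KEY_SIZE_BITS = 2048;
    /** Signature algorithm for the self-signed certificate. */
    private static final String SELF_SIGNED_SIGNATURE_ALGORITHM = "SHA256WithRSAEncryption";
    /** Alias of the private-key entry in the in-memory key store. */
    private static final String SELF_SIGNED_CERT_ALIAS = "DrillAutoGeneratedCert";
    /** Length of the random password protecting the in-memory key store. */
    private static final int KEY_STORE_PASSWORD_LENGTH = 20;

    private final DrillConfig config;
    private final String drillbitEndpointAddress;

    /**
     * @param drillConfig Drill configuration the SSL settings are read from; must not be null
     * @param drillbitEndpointAddress address placed in the CN of the auto-generated certificate
     */
    public SslContextFactoryConfigurator(DrillConfig drillConfig, String drillbitEndpointAddress) {
        this.config = Objects.requireNonNull(drillConfig, "drillConfig");
        this.drillbitEndpointAddress = drillbitEndpointAddress;
    }

    /**
     * Creates and configures a new {@link SslContextFactory} for the web server.
     *
     * @return a factory using the user-configured stores when the Drill SSL configuration is
     *     valid, otherwise one backed by a freshly generated self-signed certificate
     * @throws Exception if key store validation or certificate generation fails
     */
    public SslContextFactory configureNewSslContextFactory() throws Exception {
        // Server-mode config; the SSLContext itself is built later by Jetty, but the key store is
        // validated here so a misconfiguration fails at startup rather than on the first handshake.
        SSLConfig sslConfig = new SSLConfigBuilder()
            .config(config)
            .mode(SSLConfig.Mode.SERVER)
            .initializeSSLContext(false)
            .validateKeyStore(true)
            .build();
        SslContextFactory sslContextFactory = new SslContextFactory();
        if (sslConfig.isSslValid()) {
            useOptionsConfiguredByUser(sslContextFactory, sslConfig);
        } else {
            useAutoGeneratedSelfSignedCertificate(sslContextFactory);
        }
        return sslContextFactory;
    }

    /**
     * Applies the user-supplied key store, trust store and protocol, then any Jetty-specific
     * overrides present in the configuration.
     *
     * <p>The overrides are applied last so they win over values derived from {@code sslConfig};
     * in particular {@code HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_INCLUDE_PROTOCOLS} replaces the
     * protocol list set from {@link SSLConfig#getProtocol()}.
     */
    private void useOptionsConfiguredByUser(SslContextFactory sslContextFactory, SSLConfig sslConfig) {
        logger.info("Using configured SSL settings for web server");
        sslContextFactory.setKeyStorePath(sslConfig.getKeyStorePath());
        sslContextFactory.setKeyStorePassword(sslConfig.getKeyStorePassword());
        sslContextFactory.setKeyManagerPassword(sslConfig.getKeyPassword());
        if (sslConfig.hasTrustStorePath()) {
            sslContextFactory.setTrustStorePath(sslConfig.getTrustStorePath());
            if (sslConfig.hasTrustStorePassword()) {
                sslContextFactory.setTrustStorePassword(sslConfig.getTrustStorePassword());
            }
        }
        sslContextFactory.setIncludeProtocols(new String[]{sslConfig.getProtocol()});
        logger.info("Web server configured to use TLS protocol '{}'", sslConfig.getProtocol());

        if (!config.hasPath(ExecConstants.HTTP_JETTY_SSL_CONTEXT_FACTORY_OPTIONS_PREFIX)) {
            return;
        }
        // Certificate selection and revocation checking
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_CERT_ALIAS, sslContextFactory::setCertAlias);
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_CRL_PATH, sslContextFactory::setCrlPath);
        setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_ENABLE_CRLDP, sslContextFactory::setEnableCRLDP);
        setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_ENABLE_OCSP, sslContextFactory::setEnableOCSP);
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_OCSP_RESPONDER_URL, sslContextFactory::setOcspResponderURL);
        setIntIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_MAX_CERT_PATH_LENGTH, sslContextFactory::setMaxCertPathLength);
        setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_VALIDATE_CERTS, sslContextFactory::setValidateCerts);
        setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_VALIDATE_PEER_CERTS, sslContextFactory::setValidatePeerCerts);
        // Peer identity and client authentication
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_ENDPOINT_IDENTIFICATION_ALGORITHM, sslContextFactory::setEndpointIdentificationAlgorithm);
        setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_NEED_CLIENT_AUTH, sslContextFactory::setNeedClientAuth);
        setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_WANT_CLIENT_AUTH, sslContextFactory::setWantClientAuth);
        // Cipher suites and protocols
        setStringArrayIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_EXCLUDE_CIPHER_SUITES, sslContextFactory::setExcludeCipherSuites);
        setStringArrayIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_EXCLUDE_PROTOCOLS, sslContextFactory::setExcludeProtocols);
        setStringArrayIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_INCLUDE_CIPHER_SUITES, sslContextFactory::setIncludeCipherSuites);
        setStringArrayIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_INCLUDE_PROTOCOLS, sslContextFactory::setIncludeProtocols);
        setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_USE_CIPHER_SUITE_ORDER, sslContextFactory::setUseCipherSuitesOrder);
        // Store and provider plumbing
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_KEY_MANAGER_FACTORY_ALGORITHM, sslContextFactory::setKeyManagerFactoryAlgorithm);
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_KEYSTORE_PROVIDER, sslContextFactory::setKeyStoreProvider);
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_KEYSTORE_TYPE, sslContextFactory::setKeyStoreType);
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_TRUSTMANAGERFACTORY_ALGORITHM, sslContextFactory::setTrustManagerFactoryAlgorithm);
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_TRUSTSTORE_PROVIDER, sslContextFactory::setTrustStoreProvider);
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_TRUSTSTORE_TYPE, sslContextFactory::setTrustStoreType);
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_PROVIDER, sslContextFactory::setProvider);
        setStringIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_SECURE_RANDOM_ALGORITHM, sslContextFactory::setSecureRandomAlgorithm);
        // Renegotiation and session caching
        setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_RENEGOTIATION_ALLOWED, sslContextFactory::setRenegotiationAllowed);
        setIntIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_RENEGOTIATION_LIMIT, sslContextFactory::setRenegotiationLimit);
        setBooleanIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_SESSION_CACHING_ENABLED, sslContextFactory::setSessionCachingEnabled);
        setIntIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_SSL_SESSION_CACHE_SIZE, sslContextFactory::setSslSessionCacheSize);
        setIntIfPresent(ExecConstants.HTTP_JETTY_SERVER_SSL_CONTEXT_FACTORY_SSL_SESSION_TIMEOUT, sslContextFactory::setSslSessionTimeout);
    }

    /** Reads {@code path} as a string list and passes it to {@code setter} as an array, if present. */
    private void setStringArrayIfPresent(String path, Consumer<String[]> setter) {
        setIfPresent(path, p -> {
            List<String> values = config.getStringList(p);
            return values == null ? null : values.toArray(new String[0]);
        }, setter);
    }

    /** Reads {@code path} as a boolean and passes it to {@code setter}, if present. */
    private void setBooleanIfPresent(String path, Consumer<Boolean> setter) {
        setIfPresent(path, config::getBoolean, setter);
    }

    /** Reads {@code path} as a string and passes it to {@code setter}, if present. */
    private void setStringIfPresent(String path, Consumer<String> setter) {
        setIfPresent(path, config::getString, setter);
    }

    /** Reads {@code path} as an int and passes it to {@code setter}, if present. */
    private void setIntIfPresent(String path, Consumer<Integer> setter) {
        setIfPresent(path, config::getInt, setter);
    }

    /**
     * Invokes {@code setter} with the value {@code reader} produces for {@code path}, but only when
     * the path exists in the configuration and the read value is non-null. Absent keys leave the
     * Jetty default in place.
     */
    private <T> void setIfPresent(String path, Function<String, T> reader, Consumer<T> setter) {
        if (!config.hasPath(path)) {
            return;
        }
        T value = reader.apply(path);
        if (value != null) {
            setter.accept(value);
        }
    }

    /**
     * Generates an RSA key pair and a self-signed certificate for the drillbit endpoint and installs
     * them into {@code sslContextFactory} via an in-memory, randomly protected JKS key store.
     *
     * <p>The certificate carries only a CN (no subjectAltName extension is added), so clients that
     * perform strict hostname verification may still reject it even after trusting it.
     *
     * @throws Exception on key generation, certificate construction/verification or key store errors
     */
    private void useAutoGeneratedSelfSignedCertificate(SslContextFactory sslContextFactory) throws Exception {
        logger.info("Using generated self-signed SSL settings for web server");
        SecureRandom secureRandom = new SecureRandom();

        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(SELF_SIGNED_KEY_SIZE_BITS, secureRandom);
        KeyPair keyPair = keyPairGenerator.generateKeyPair();

        // Subject and issuer are the same name: the certificate is self-signed.
        X500NameBuilder nameBuilder = new X500NameBuilder(BCStyle.INSTANCE)
            .addRDN(BCStyle.OU, "Apache Drill (auth-generated)")
            .addRDN(BCStyle.O, "Apache Software Foundation (auto-generated)")
            .addRDN(BCStyle.CN, drillbitEndpointAddress);

        DateTime now = DateTime.now();
        // Backdated by a minute, presumably to tolerate small clock differences with clients.
        Date notBefore = now.minusMinutes(1).toDate();
        Date notAfter = now.plusYears(5).toDate();
        // 128 random bits: unpredictable, non-negative serial number.
        BigInteger serialNumber = new BigInteger(128, secureRandom);

        X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(
            new JcaX509v3CertificateBuilder(
                nameBuilder.build(), serialNumber, notBefore, notAfter, nameBuilder.build(), keyPair.getPublic())
                .build(new JcaContentSignerBuilder(SELF_SIGNED_SIGNATURE_ALGORITHM).build(keyPair.getPrivate())));

        // Fail fast if the certificate is not currently valid or its signature does not verify
        // against its own public key (i.e. it is not genuinely self-signed).
        certificate.checkValidity(now.toDate());
        certificate.verify(certificate.getPublicKey());

        // This password only guards the in-memory key store handed to Jetty. Draw it from
        // SecureRandom instead of the shared java.util.Random behind RandomStringUtils.random(int),
        // and keep it to ASCII letters/digits so it survives char[] conversion unchanged.
        String keyStorePassword = RandomStringUtils.random(
            KEY_STORE_PASSWORD_LENGTH, 0, 0, true, true, null, secureRandom);
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null, null);
        keyStore.setKeyEntry(SELF_SIGNED_CERT_ALIAS, keyPair.getPrivate(), keyStorePassword.toCharArray(),
            new Certificate[]{certificate});

        sslContextFactory.setKeyStore(keyStore);
        sslContextFactory.setKeyStorePassword(keyStorePassword);
    }
}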
