package oadd.org.apache.drill.exec.ssl;

import java.security.Security;
import java.util.HashMap;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import oadd.io.netty.handler.ssl.SslContext;
import oadd.io.netty.handler.ssl.SslContextBuilder;
import oadd.io.netty.handler.ssl.SslProtocols;
import oadd.io.netty.handler.ssl.SslProvider;
import oadd.org.apache.drill.common.config.DrillConfig;
import oadd.org.apache.drill.common.exceptions.DrillException;
import oadd.org.apache.drill.exec.ExecConstants;
import oadd.org.apache.drill.exec.memory.BufferAllocator;
import oadd.org.apache.drill.exec.ssl.SSLConfig;
import org.apache.drill.shaded.guava.com.google.common.base.Preconditions;
import org.apache.hadoop.conf.Configuration;
import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:oadd/org/apache/drill/exec/ssl/SSLConfigServer.class */
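/**
 * Server-side TLS settings for Drill: resolves key store / trust store
 * parameters and builds the Netty and JDK SSL contexts from them.
 *
 * <p>Values are resolved through an {@code SSLCredentialsProvider}, which is
 * handed two lookups defined in this class: {@link #getConfigParam} (Hadoop
 * configuration first, then {@code DrillConfig}) and
 * {@link #getPasswordConfigParam}.
 *
 * <p>Security-relevant points visible in this class:
 * <ul>
 *   <li>Key store, key and trust store passwords are kept as {@code String}
 *       fields for the lifetime of the object and are returned by public
 *       getters; callers should not log or serialize them.</li>
 *   <li>The protocol string is taken from configuration and passed through to
 *       the context builders as-is; nothing here rejects a legacy protocol
 *       name.</li>
 *   <li>{@link #createSSLEngine} turns off the client-certificate requirement,
 *       so engines produced here do not enforce mutual TLS.</li>
 *   <li>Selecting a {@code bcfks} key store registers two BouncyCastle
 *       providers with {@link Security}, which affects the whole JVM.</li>
 * </ul>
 */
public class SSLConfigServer extends SSLConfig {
    private static final Logger logger = LoggerFactory.getLogger(SSLConfigServer.class);
    private static final String BCFKS_KEYSTORE_TYPE = "bcfks";
    private DrillConfig config;
    private final Configuration hadoopConfig;
    private final boolean userSslEnabled;
    private final boolean httpsEnabled;
    private final String keyStoreType;
    private final String keyStorePath;
    private final String keyStorePassword;
    private final String keyPassword;
    private final String trustStoreType;
    private final String trustStorePath;
    private final String trustStorePassword;
    private final String protocol;
    private final String provider;

    /**
     * Builds the server SSL configuration from a pre-extracted option map.
     *
     * @param hashMap option map; keys read here are {@code HTTP_ENABLE_SSL}
     *     (defaults to {@code "true"} when absent), {@code USER_SSL_ENABLED}
     *     (defaults to {@code "false"}), {@code SSL_USE_HADOOP_CONF},
     *     {@code SSL_USE_MAPR_CONFIG}, {@code SSL_PROTOCOL} and
     *     {@code SSL_PROVIDER}
     * @param configuration Hadoop configuration to use when
     *     {@code SSL_USE_HADOOP_CONF} is true; a fresh one is created if null
     * @param drillConfig Drill configuration used as the fallback source for
     *     parameters; may be null (the lookup then yields empty strings)
     */
    public SSLConfigServer(HashMap<String, String> hashMap, Configuration configuration, DrillConfig drillConfig) {
        this.config = drillConfig;
        this.httpsEnabled = Boolean.parseBoolean(hashMap.getOrDefault("HTTP_ENABLE_SSL", "true"));
        this.userSslEnabled = Boolean.parseBoolean(hashMap.getOrDefault("USER_SSL_ENABLED", "false"));
        SSLConfig.Mode mode = SSLConfig.Mode.SERVER;
        if (Boolean.parseBoolean(hashMap.get("SSL_USE_HADOOP_CONF"))) {
            this.hadoopConfig = configuration == null ? new Configuration() : configuration;
            String hadoopSslConfigFile =
                    this.hadoopConfig.get(resolveHadoopPropertyName(SSLConfig.HADOOP_SSL_CONF_TPL_KEY, getMode()));
            logger.debug("Using Hadoop configuration for SSL");
            logger.debug("Hadoop SSL configuration file: {}", hadoopSslConfigFile);
            // NOTE(review): hadoopSslConfigFile is not checked for null before being added
            // as a resource - confirm how Configuration treats a null resource name.
            this.hadoopConfig.addResource(hadoopSslConfigFile);
        } else {
            this.hadoopConfig = null;
        }
        // The method references below read this.config and this.hadoopConfig, both of
        // which are already assigned at this point.
        SSLCredentialsProvider credentials = SSLCredentialsProvider.getSSLCredentialsProvider(
                this::getConfigParam,
                this::getPasswordConfigParam,
                SSLConfig.Mode.SERVER,
                Boolean.parseBoolean(hashMap.get("SSL_USE_MAPR_CONFIG")));
        this.keyStoreType = credentials.getKeyStoreType(ExecConstants.SSL_KEYSTORE_TYPE, resolveHadoopPropertyName(SSLConfig.HADOOP_SSL_KEYSTORE_TYPE_TPL_KEY, mode));
        if (this.keyStoreType.equalsIgnoreCase(BCFKS_KEYSTORE_TYPE)) {
            // JVM-wide side effect: these providers stay registered for every other
            // component in the process, not just this configuration.
            Security.addProvider(new BouncyCastleFipsProvider());
            Security.addProvider(new BouncyCastleJsseProvider());
        }
        this.keyStorePath = credentials.getKeyStoreLocation("drill.exec.ssl.keyStorePath", resolveHadoopPropertyName(SSLConfig.HADOOP_SSL_KEYSTORE_LOCATION_TPL_KEY, mode));
        this.keyStorePassword = credentials.getKeyStorePassword("drill.exec.ssl.keyStorePassword", resolveHadoopPropertyName(SSLConfig.HADOOP_SSL_KEYSTORE_PASSWORD_TPL_KEY, mode));
        this.trustStoreType = credentials.getTrustStoreType(ExecConstants.SSL_TRUSTSTORE_TYPE, resolveHadoopPropertyName(SSLConfig.HADOOP_SSL_TRUSTSTORE_TYPE_TPL_KEY, mode));
        this.trustStorePath = credentials.getTrustStoreLocation("drill.exec.ssl.trustStorePath", resolveHadoopPropertyName(SSLConfig.HADOOP_SSL_TRUSTSTORE_LOCATION_TPL_KEY, mode));
        this.trustStorePassword = credentials.getTrustStorePassword("drill.exec.ssl.trustStorePassword", resolveHadoopPropertyName(SSLConfig.HADOOP_SSL_TRUSTSTORE_PASSWORD_TPL_KEY, mode));
        String configuredKeyPassword = credentials.getKeyPassword(ExecConstants.SSL_KEY_PASSWORD, resolveHadoopPropertyName(SSLConfig.HADOOP_SSL_KEYSTORE_KEYPASSWORD_TPL_KEY, mode));
        // An unset key password falls back to the key store password, so one secret
        // then protects both the store and the private key entry.
        this.keyPassword = configuredKeyPassword.isEmpty() ? this.keyStorePassword : configuredKeyPassword;
        // Default is TLS 1.2; a configured value is used verbatim with no allow-list.
        this.protocol = hashMap.getOrDefault("SSL_PROTOCOL", SslProtocols.TLS_v1_2);
        this.provider = hashMap.getOrDefault("SSL_PROVIDER", SSLConfig.DEFAULT_SSL_PROVIDER);
    }

    /**
     * Builds the server SSL configuration directly from a {@link DrillConfig}.
     *
     * @param drillConfig Drill configuration to read the SSL options from
     * @param configuration Hadoop configuration, or null
     */
    public SSLConfigServer(DrillConfig drillConfig, Configuration configuration) {
        this(extractConfigs(drillConfig), configuration, drillConfig);
    }

    /**
     * Copies the SSL-related options out of a {@link DrillConfig} into the
     * string map consumed by the main constructor.
     *
     * <p>The two enable flags evaluate to {@code "false"} when their path is
     * missing. The remaining four options are read with {@code getString}
     * without a {@code hasPath} guard.
     *
     * @param drillConfig configuration to read
     * @return a new mutable map with the six option keys populated
     */
    static HashMap<String, String> extractConfigs(DrillConfig drillConfig) {
        boolean httpSsl = drillConfig.hasPath(ExecConstants.HTTP_ENABLE_SSL)
                && drillConfig.getBoolean(ExecConstants.HTTP_ENABLE_SSL);
        boolean userSsl = drillConfig.hasPath(ExecConstants.USER_SSL_ENABLED)
                && drillConfig.getBoolean(ExecConstants.USER_SSL_ENABLED);
        HashMap<String, String> options = new HashMap<>();
        options.put("HTTP_ENABLE_SSL", String.valueOf(httpSsl));
        options.put("USER_SSL_ENABLED", String.valueOf(userSsl));
        options.put("SSL_USE_HADOOP_CONF", drillConfig.getString(ExecConstants.SSL_USE_HADOOP_CONF));
        options.put("SSL_USE_MAPR_CONFIG", drillConfig.getString(ExecConstants.SSL_USE_MAPR_CONFIG));
        options.put("SSL_PROTOCOL", drillConfig.getString(ExecConstants.SSL_PROTOCOL));
        options.put("SSL_PROVIDER", drillConfig.getString(ExecConstants.SSL_PROVIDER));
        return options;
    }

    /**
     * Checks that key store path and password are either both set or both
     * empty whenever user SSL or HTTPS is enabled.
     *
     * <p>Both being empty is accepted here even with SSL enabled; for user SSL
     * the missing key store is rejected later by the context initializers.
     * NOTE(review): what the HTTPS side does with no key store is not visible
     * in this class - confirm against the web server setup.
     *
     * @throws DrillException if exactly one of path and password is empty
     */
    @Override
    public void validateKeyStore() throws DrillException {
        if (!isUserSslEnabled() && !isHttpsEnabled()) {
            return;
        }
        boolean pathMissing = this.keyStorePath.isEmpty();
        boolean passwordMissing = this.keyStorePassword.isEmpty();
        if (pathMissing && passwordMissing) {
            return;
        }
        if (pathMissing) {
            throw new DrillException(" *.ssl.keyStorePath in the configuration file is empty, but *.ssl.keyStorePassword is set");
        }
        if (passwordMissing) {
            throw new DrillException(" *.ssl.keyStorePassword in the configuration file is empty, but *.ssl.keyStorePath is set ");
        }
    }

    /**
     * Builds and caches the Netty server {@link SslContext}.
     *
     * @return the new context, or null when user SSL is disabled
     * @throws DrillException if the key store path is empty or any step of
     *     the initialization fails; the underlying exception is attached as
     *     the cause
     */
    @Override
    public SslContext initNettySslContext() throws DrillException {
        if (!this.userSslEnabled) {
            return null;
        }
        try {
            if (this.keyStorePath.isEmpty()) {
                throw new DrillException("No Keystore provided.");
            }
            SslContext context = SslContextBuilder.forServer(initializeKeyManagerFactory())
                    .trustManager(initializeTrustManagerFactory())
                    .protocols(this.protocol)
                    .sslProvider(getProvider())
                    .build();
            this.nettySslContext = context;
            return context;
        } catch (Exception e) {
            // Keep the cause: the message alone loses the exception type and stack
            // trace needed to diagnose key store and provider failures.
            // NOTE(review): e.getMessage() is echoed to the caller and may carry
            // key store details - confirm where this message is surfaced.
            throw new DrillException("SSL is enabled but cannot be initialized - [ " + e.getMessage() + "]. ", e);
        }
    }

    /**
     * Builds and caches the JDK {@link SSLContext} for the configured protocol.
     *
     * @return the new context, or null when user SSL is disabled
     * @throws DrillException if the key store path is empty or any step of
     *     the initialization fails; the underlying exception is attached as
     *     the cause
     */
    @Override
    public SSLContext initJDKSSLContext() throws DrillException {
        if (!this.userSslEnabled) {
            return null;
        }
        try {
            if (this.keyStorePath.isEmpty()) {
                throw new DrillException("No Keystore provided.");
            }
            KeyManagerFactory keyManagers = initializeKeyManagerFactory();
            TrustManagerFactory trustManagers = initializeTrustManagerFactory();
            SSLContext context = SSLContext.getInstance(this.protocol);
            // A null SecureRandom lets the JSSE implementation choose its default.
            context.init(keyManagers.getKeyManagers(), trustManagers.getTrustManagers(), null);
            this.jdkSSlContext = context;
            return context;
        } catch (Exception e) {
            // Keep the cause so the original failure is not reduced to its message.
            throw new DrillException("SSL is enabled but cannot be initialized - [ " + e.getMessage() + "]. ", e);
        }
    }

    /**
     * Creates a server-mode {@link SSLEngine} on top of the superclass engine.
     *
     * @param bufferAllocator allocator forwarded to the superclass
     * @param str peer host forwarded to the superclass
     * @param i peer port forwarded to the superclass
     * @return the engine, in server mode with the client-certificate
     *     requirement switched off
     */
    @Override
    public SSLEngine createSSLEngine(BufferAllocator bufferAllocator, String str, int i) {
        SSLEngine engine = super.createSSLEngine(bufferAllocator, str, i);
        engine.setUseClientMode(false);
        // Clients are not required to present a certificate: connections made through
        // this engine are server-authenticated only, so client identity has to be
        // established by another layer.
        engine.setNeedClientAuth(false);
        try {
            engine.setEnableSessionCreation(true);
        } catch (Exception e) {
            // Best effort: an engine that rejects this call is still returned.
            logger.debug("Session creation not enabled. Exception: {}", e.getMessage());
        }
        return engine;
    }

    /**
     * Resolves a parameter, preferring the Hadoop configuration when one is
     * in use and falling back to the Drill configuration.
     *
     * @param str Drill configuration path
     * @param str2 Hadoop property name
     * @return the trimmed value, or an empty string when neither source has it
     */
    private String getConfigParam(String str, String str2) {
        String value = this.hadoopConfig != null ? getHadoopConfigParam(str2) : "";
        if (value.isEmpty() && this.config != null && this.config.hasPath(str)) {
            value = this.config.getString(str);
        }
        return value.trim();
    }

    /**
     * Reads a property from the Hadoop configuration.
     *
     * @param str Hadoop property name
     * @return the trimmed value, or an empty string when unset
     * @throws IllegalArgumentException if no Hadoop configuration is in use
     */
    private String getHadoopConfigParam(String str) {
        Preconditions.checkArgument(this.hadoopConfig != null);
        return this.hadoopConfig.get(str, "").trim();
    }

    /**
     * Resolves a password, trying the inherited {@code getPassword} lookup
     * first and the plain configuration value second.
     *
     * <p>NOTE(review): the fallback means a password written in clear text in
     * the configuration is accepted whenever {@code getPassword} returns null.
     *
     * @param str Drill configuration path
     * @param str2 Hadoop property name
     * @return the resolved password, possibly empty
     */
    private String getPasswordConfigParam(String str, String str2) {
        String password = getPassword(str2);
        return password != null ? password : getConfigParam(str, str2);
    }

    /** Returns whether SSL is enabled for user connections. */
    @Override
    public boolean isUserSslEnabled() {
        return this.userSslEnabled;
    }

    /** Returns whether HTTPS is enabled. */
    @Override
    public boolean isHttpsEnabled() {
        return this.httpsEnabled;
    }

    /** Returns the configured key store type. */
    @Override
    public String getKeyStoreType() {
        return this.keyStoreType;
    }

    /** Returns the configured key store location; empty when unset. */
    @Override
    public String getKeyStorePath() {
        return this.keyStorePath;
    }

    /** Returns the key store password in clear text; do not log the result. */
    @Override
    public String getKeyStorePassword() {
        return this.keyStorePassword;
    }

    /**
     * Returns the private key password in clear text (the key store password
     * when no separate key password was configured); do not log the result.
     */
    @Override
    public String getKeyPassword() {
        return this.keyPassword;
    }

    /** Returns the configured trust store type. */
    @Override
    public String getTrustStoreType() {
        return this.trustStoreType;
    }

    /** Returns true when a trust store location is configured. */
    @Override
    public boolean hasTrustStorePath() {
        return !this.trustStorePath.isEmpty();
    }

    /** Returns the configured trust store location; empty when unset. */
    @Override
    public String getTrustStorePath() {
        return this.trustStorePath;
    }

    /** Returns true when a trust store password is configured. */
    @Override
    public boolean hasTrustStorePassword() {
        return !this.trustStorePassword.isEmpty();
    }

    /** Returns the trust store password in clear text; do not log the result. */
    @Override
    public String getTrustStorePassword() {
        return this.trustStorePassword;
    }

    /** Returns the protocol name handed to the SSL context builders. */
    @Override
    public String getProtocol() {
        return this.protocol;
    }

    /**
     * Maps the configured provider name to a Netty {@link SslProvider}.
     *
     * @return {@code JDK} when the name equals the default provider name
     *     (case-insensitive); {@code OPENSSL} for every other value,
     *     including misspelled ones
     */
    @Override
    public SslProvider getProvider() {
        return this.provider.equalsIgnoreCase(SSLConfig.DEFAULT_SSL_PROVIDER) ? SslProvider.JDK : SslProvider.OPENSSL;
    }

    /**
     * Returns the handshake timeout, always 0 for the server.
     * NOTE(review): whether 0 means "no timeout" depends on the consumer of
     * this value - confirm, since an unbounded handshake lets idle peers hold
     * connections open.
     */
    @Override
    public int getHandshakeTimeout() {
        return 0;
    }

    /** Returns {@code Mode.SERVER}. */
    @Override
    public SSLConfig.Mode getMode() {
        return SSLConfig.Mode.SERVER;
    }

    /** Always false for the server configuration. */
    @Override
    public boolean disableHostVerification() {
        return false;
    }

    /** Always false for the server configuration. */
    @Override
    public boolean disableCertificateVerification() {
        return false;
    }

    /** Always false for the server configuration. */
    @Override
    public boolean useSystemTrustStore() {
        return false;
    }

    /** Returns true only when both key store path and password are set. */
    @Override
    public boolean isSslValid() {
        return !this.keyStorePath.isEmpty() && !this.keyStorePassword.isEmpty();
    }

    /** Returns the Hadoop configuration in use, or null when none is. */
    @Override
    Configuration getHadoopConfig() {
        return this.hadoopConfig;
    }
}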
