package com.zegelin.cassandra.exporter.netty.ssl;

import com.google.common.annotations.VisibleForTesting;
import com.zegelin.cassandra.exporter.cli.HttpServerOptions;
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.OptionalSslHandler;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/zegelin/cassandra/exporter/netty/ssl/SslSupport.class */
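/**
 * Installs TLS handling on the exporter's Netty HTTP channels according to
 * {@code HttpServerOptions.sslMode}, and swaps in a freshly built {@link SslContext}
 * when the {@code ReloadWatcher} reports that a reload is needed.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>{@code SslMode.OPTIONAL} uses Netty's {@link OptionalSslHandler}, which accepts both
 *       TLS and plaintext connections on the same port. A client that does not start a TLS
 *       handshake is served in the clear, so no certificate-based check applies to it.</li>
 *   <li>When a reload fails, the previously loaded context stays in use. An outdated
 *       certificate keeps being served until a later reload succeeds, so the error log
 *       line emitted by {@code maybeReloadContext()} is worth alerting on.</li>
 * </ul>
 */
public class SslSupport {
    private static final Logger logger = LoggerFactory.getLogger(SslSupport.class);
    private final HttpServerOptions httpServerOptions;
    // Both collaborators are null when SSL is disabled; every use is guarded by isEnabled().
    private final SslContextFactory sslContextFactory;
    private final ReloadWatcher reloadWatcher;
    // Holds the context used for new connections; replaced as a whole on reload.
    private final AtomicReference<SslContext> sslContextRef = new AtomicReference<>();

    /**
     * Creates the SSL support and, when SSL is not disabled, builds the initial context.
     *
     * @param httpServerOptions server options carrying the SSL mode and related settings
     */
    public SslSupport(HttpServerOptions httpServerOptions) {
        this.httpServerOptions = httpServerOptions;
        if (isEnabled()) {
            this.sslContextFactory = new SslContextFactory(httpServerOptions);
            this.reloadWatcher = new ReloadWatcher(httpServerOptions);
            // Any failure here propagates to the caller, so a bad initial
            // configuration is not silently replaced by a missing context.
            this.sslContextRef.set(this.sslContextFactory.createSslContext());
        } else {
            this.sslContextFactory = null;
            this.reloadWatcher = null;
        }
    }

    /**
     * Adds the SSL handler at the head of the channel pipeline and the two SSL
     * exception handlers at its tail. Does nothing when SSL is disabled.
     *
     * @param socketChannel the newly accepted channel being initialised
     */
    public void maybeAddHandler(SocketChannel socketChannel) {
        if (!isEnabled()) {
            return;
        }
        // The SSL handler must come first so every later handler sees decrypted traffic.
        socketChannel.pipeline()
                .addFirst(createSslHandler(socketChannel))
                .addLast(new UnexpectedSslExceptionHandler(this.reloadWatcher))
                .addLast(new SuppressingSslExceptionHandler());
    }

    /** Returns {@code true} unless the configured mode is {@code SslMode.DISABLE}. */
    private boolean isEnabled() {
        return this.httpServerOptions.sslMode != SslMode.DISABLE;
    }

    /**
     * Builds the handler for one channel, after giving the context a chance to reload.
     *
     * <p>The result depends on two settings: whether the mode is {@code SslMode.OPTIONAL}
     * (TLS and plaintext both accepted) and whether hostname validation is switched on in
     * the client-authentication setting.
     *
     * @param socketChannel the channel the handler is created for
     * @return the handler to place first in the pipeline
     */
    private ChannelHandler createSslHandler(final SocketChannel socketChannel) {
        maybeReloadContext();
        final boolean optionalMode = this.httpServerOptions.sslMode == SslMode.OPTIONAL;
        final boolean validateHostname = this.httpServerOptions.sslClientAuthentication.getHostnameValidation();
        final SslContext currentContext = this.sslContextRef.get();

        if (optionalMode) {
            if (!validateHostname) {
                return new OptionalSslHandler(currentContext);
            }
            // Overrides OptionalSslHandler's factory hook so that connections which do
            // negotiate TLS get endpoint identification. Plaintext connections never
            // reach this hook and are not validated at all.
            return new OptionalSslHandler(currentContext) {
                protected SslHandler newSslHandler(ChannelHandlerContext channelHandlerContext, SslContext sslContext) {
                    return SslSupport.this.createValidatingSslHandler(
                            sslContext, channelHandlerContext.alloc(), socketChannel.remoteAddress());
                }
            };
        }

        if (validateHostname) {
            return createValidatingSslHandler(currentContext, socketChannel.alloc(), socketChannel.remoteAddress());
        }
        return currentContext.newHandler(socketChannel.alloc());
    }

    /**
     * Creates an {@link SslHandler} whose engine has the {@code "HTTPS"} endpoint
     * identification algorithm enabled, with the remote address as the expected peer.
     *
     * <p>The expected identity is {@link InetSocketAddress#getHostString()}, which does not
     * perform a reverse lookup. For an accepted connection this is typically the IP literal,
     * in which case the peer certificate would have to name that address.
     * NOTE(review): endpoint identification only has an effect if the peer presents a
     * certificate; whether client certificates are requested or required is decided by
     * {@code SslContextFactory}, which is not visible here. Confirm the two settings agree.
     *
     * <p>The decompiler recorded that this method was private in the original class; it is
     * an internal helper and not intended as public API.
     *
     * @param sslContext the context to create the handler from
     * @param byteBufAllocator allocator for the handler's buffers
     * @param inetSocketAddress the remote peer address used as the advisory peer host and port
     * @return a handler with endpoint identification switched on
     */
    public SslHandler createValidatingSslHandler(SslContext sslContext, ByteBufAllocator byteBufAllocator, InetSocketAddress inetSocketAddress) {
        SslHandler validatingHandler = sslContext.newHandler(
                byteBufAllocator, inetSocketAddress.getHostString(), inetSocketAddress.getPort());
        SSLEngine engine = validatingHandler.engine();
        // getSSLParameters() returns a copy, so the change must be written back to the engine.
        SSLParameters parameters = engine.getSSLParameters();
        parameters.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(parameters);
        return validatingHandler;
    }

    /**
     * Rebuilds the SSL context when the watcher asks for it.
     *
     * <p>On failure the previous context is left in place and the cause is logged, so new
     * connections keep working with the old certificate material.
     * NOTE(review): only {@link IllegalArgumentException} is handled; any other exception
     * from the factory propagates into channel initialisation. Confirm that this is the
     * only failure type {@code createSslContext()} raises for bad key or certificate files.
     */
    private void maybeReloadContext() {
        if (!this.reloadWatcher.needReload()) {
            logger.debug("No need to reload exporter SSL certificate.");
            return;
        }
        try {
            this.sslContextRef.set(this.sslContextFactory.createSslContext());
            logger.info("Reloaded exporter SSL certificate");
        } catch (IllegalArgumentException e) {
            // Pass the exception as the trailing argument so the reason for the failed
            // reload (and its stack trace) is recorded instead of being discarded.
            logger.error("Failed to reload exporter SSL certificate - Next poll in {} seconds.",
                    this.httpServerOptions.sslReloadIntervalInSeconds, e);
        }
    }

    /** Returns the context currently used for new connections; exposed for tests. */
    @VisibleForTesting
    SslContext getSslContext() {
        return this.sslContextRef.get();
    }
}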
