package org.tikv.common.util;

import java.io.File;
import java.io.FileInputStream;
import java.net.URI;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.tikv.common.HostMapping;
import org.tikv.common.pd.PDUtils;
import org.tikv.shade.com.google.common.annotations.VisibleForTesting;
import org.tikv.shade.com.google.common.collect.ImmutableList;
import org.tikv.shade.io.grpc.ManagedChannel;
import org.tikv.shade.io.grpc.netty.GrpcSslContexts;
import org.tikv.shade.io.grpc.netty.NettyChannelBuilder;
import org.tikv.shade.io.netty.handler.ssl.SslContextBuilder;

/* loaded from: input_file:org/tikv/common/util/ChannelFactory.class */
public class ChannelFactory implements AutoCloseable {
    private static final Logger logger = LoggerFactory.getLogger(ChannelFactory.class);
    private static final String PUB_KEY_INFRA = "PKIX";
    private final long connRecycleTime;
    private final int maxFrameSize;
    private final int keepaliveTime;
    private final int keepaliveTimeout;
    private final int idleTimeout;
    private final CertContext certContext;
    private final CertWatcher certWatcher;

    @VisibleForTesting
    public final ConcurrentHashMap<String, ManagedChannel> connPool;
    private final AtomicReference<SslContextBuilder> sslContextBuilder;
    private final ScheduledExecutorService recycler;
    private final ReadWriteLock lock;

    @VisibleForTesting
    /* loaded from: input_file:org/tikv/common/util/ChannelFactory$CertContext.class */
    public static abstract class CertContext {
        public abstract SslContextBuilder createSslContextBuilder();
    }

    @VisibleForTesting
    /* loaded from: input_file:org/tikv/common/util/ChannelFactory$CertWatcher.class */
    public static class CertWatcher implements AutoCloseable {
        private static final Logger logger = LoggerFactory.getLogger(CertWatcher.class);
        private final List<File> targets;
        private final List<Long> lastReload = new ArrayList();
        private final ScheduledExecutorService executorService = Executors.newSingleThreadScheduledExecutor();
        private final Runnable onChange;

        public CertWatcher(long j, List<File> list, Runnable runnable) {
            this.targets = list;
            this.onChange = runnable;
            for (File file : list) {
                this.lastReload.add(0L);
            }
            this.executorService.scheduleAtFixedRate(this::tryReload, j, j, TimeUnit.SECONDS);
        }

        private void tryReload() {
            try {
                if (needReload()) {
                    this.onChange.run();
                }
            } catch (Exception e) {
                logger.error("Failed to reload cert!", e);
            }
        }

        private boolean needReload() {
            boolean z = false;
            for (int i = 0; i < this.targets.size(); i++) {
                try {
                    long lastModified = this.targets.get(i).lastModified();
                    if (lastModified != this.lastReload.get(i).longValue()) {
                        this.lastReload.set(i, Long.valueOf(lastModified));
                        logger.warn("detected ssl context changes: {}", this.targets.get(i));
                        z = true;
                    }
                } catch (Exception e) {
                    logger.error("fail to check the status of ssl context files", e);
                }
            }
            return z;
        }

        @Override // java.lang.AutoCloseable
        public void close() {
            this.executorService.shutdown();
        }
    }

    /* loaded from: input_file:org/tikv/common/util/ChannelFactory$JksContext.class */
    public static class JksContext extends CertContext {
        private final String keyPath;
        private final String keyPassword;
        private final String trustPath;
        private final String trustPassword;

        public JksContext(String str, String str2, String str3, String str4) {
            this.keyPath = str;
            this.keyPassword = str2;
            this.trustPath = str3;
            this.trustPassword = str4;
        }

        @Override // org.tikv.common.util.ChannelFactory.CertContext
        public SslContextBuilder createSslContextBuilder() {
            SslContextBuilder forClient = GrpcSslContexts.forClient();
            try {
                if (this.keyPath != null && this.keyPassword != null) {
                    KeyStore keyStore = KeyStore.getInstance("JKS");
                    keyStore.load(new FileInputStream(this.keyPath), this.keyPassword.toCharArray());
                    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                    keyManagerFactory.init(keyStore, this.keyPassword.toCharArray());
                    forClient.keyManager(keyManagerFactory);
                }
                if (this.trustPath != null && this.trustPassword != null) {
                    KeyStore keyStore2 = KeyStore.getInstance("JKS");
                    keyStore2.load(new FileInputStream(this.trustPath), this.trustPassword.toCharArray());
                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(ChannelFactory.PUB_KEY_INFRA);
                    trustManagerFactory.init(keyStore2);
                    forClient.trustManager(trustManagerFactory);
                }
                return forClient;
            } catch (Exception e) {
                ChannelFactory.logger.error("JKS SSL context builder failed!", e);
                throw new IllegalArgumentException(e);
            }
        }
    }

    @VisibleForTesting
    /* loaded from: input_file:org/tikv/common/util/ChannelFactory$OpenSslContext.class */
    public static class OpenSslContext extends CertContext {
        private final String trustPath;
        private final String chainPath;
        private final String keyPath;

        public OpenSslContext(String str, String str2, String str3) {
            this.trustPath = str;
            this.chainPath = str2;
            this.keyPath = str3;
        }

        @Override // org.tikv.common.util.ChannelFactory.CertContext
        public SslContextBuilder createSslContextBuilder() {
            SslContextBuilder forClient = GrpcSslContexts.forClient();
            try {
                if (this.trustPath != null) {
                    forClient.trustManager(new File(this.trustPath));
                }
                if (this.chainPath != null && this.keyPath != null) {
                    forClient.keyManager(new File(this.chainPath), new File(this.keyPath));
                }
                return forClient;
            } catch (Exception e) {
                ChannelFactory.logger.error("Failed to create ssl context builder", e);
                throw new IllegalArgumentException(e);
            }
        }
    }

    public ChannelFactory(int i, int i2, int i3, int i4) {
        this.connPool = new ConcurrentHashMap<>();
        this.sslContextBuilder = new AtomicReference<>();
        this.lock = new ReentrantReadWriteLock();
        this.maxFrameSize = i;
        this.keepaliveTime = i2;
        this.keepaliveTimeout = i3;
        this.idleTimeout = i4;
        this.certWatcher = null;
        this.certContext = null;
        this.recycler = null;
        this.connRecycleTime = 0L;
    }

    public ChannelFactory(int i, int i2, int i3, int i4, long j, long j2, String str, String str2, String str3) {
        this.connPool = new ConcurrentHashMap<>();
        this.sslContextBuilder = new AtomicReference<>();
        this.lock = new ReentrantReadWriteLock();
        this.maxFrameSize = i;
        this.keepaliveTime = i2;
        this.keepaliveTimeout = i3;
        this.idleTimeout = i4;
        this.connRecycleTime = j;
        this.certContext = new OpenSslContext(str, str2, str3);
        this.recycler = Executors.newSingleThreadScheduledExecutor();
        File file = new File(str);
        File file2 = new File(str2);
        File file3 = new File(str3);
        if (j2 <= 0) {
            this.certWatcher = null;
        } else {
            onCertChange();
            this.certWatcher = new CertWatcher(j2, ImmutableList.of(file, file2, file3), this::onCertChange);
        }
    }

    public ChannelFactory(int i, int i2, int i3, int i4, long j, long j2, String str, String str2, String str3, String str4) {
        this.connPool = new ConcurrentHashMap<>();
        this.sslContextBuilder = new AtomicReference<>();
        this.lock = new ReentrantReadWriteLock();
        this.maxFrameSize = i;
        this.keepaliveTime = i2;
        this.keepaliveTimeout = i3;
        this.idleTimeout = i4;
        this.connRecycleTime = j;
        this.certContext = new JksContext(str, str2, str3, str4);
        this.recycler = Executors.newSingleThreadScheduledExecutor();
        File file = new File(str);
        File file2 = new File(str3);
        if (j2 <= 0) {
            this.certWatcher = null;
        } else {
            onCertChange();
            this.certWatcher = new CertWatcher(j2, ImmutableList.of(file, file2), this::onCertChange);
        }
    }

    private void onCertChange() {
        try {
            SslContextBuilder createSslContextBuilder = this.certContext.createSslContextBuilder();
            this.lock.writeLock().lock();
            this.sslContextBuilder.set(createSslContextBuilder);
            ArrayList arrayList = new ArrayList(this.connPool.values());
            this.recycler.schedule(() -> {
                cleanExpiredConn(arrayList);
            }, this.connRecycleTime, TimeUnit.SECONDS);
            this.connPool.clear();
        } finally {
            this.lock.writeLock().unlock();
        }
    }

    public ManagedChannel getChannel(String str, HostMapping hostMapping) {
        if (this.certContext == null) {
            return this.connPool.computeIfAbsent(str, str2 -> {
                return createChannel(null, str, hostMapping);
            });
        }
        try {
            this.lock.readLock().lock();
            ManagedChannel computeIfAbsent = this.connPool.computeIfAbsent(str, str3 -> {
                return createChannel(this.sslContextBuilder.get(), str, hostMapping);
            });
            this.lock.readLock().unlock();
            return computeIfAbsent;
        } catch (Throwable th) {
            this.lock.readLock().unlock();
            throw th;
        }
    }

    private ManagedChannel createChannel(SslContextBuilder sslContextBuilder, String str, HostMapping hostMapping) {
        try {
            URI addrToUri = PDUtils.addrToUri(str);
            try {
                URI mappedURI = hostMapping.getMappedURI(addrToUri);
                NettyChannelBuilder idleTimeout = NettyChannelBuilder.forAddress(mappedURI.getHost(), mappedURI.getPort()).maxInboundMessageSize(this.maxFrameSize).keepAliveTime(this.keepaliveTime, TimeUnit.SECONDS).keepAliveTimeout(this.keepaliveTimeout, TimeUnit.SECONDS).keepAliveWithoutCalls(true).idleTimeout(this.idleTimeout, TimeUnit.SECONDS);
                if (sslContextBuilder == null) {
                    return idleTimeout.usePlaintext().build();
                }
                try {
                    return idleTimeout.sslContext(sslContextBuilder.build()).build();
                } catch (SSLException e) {
                    logger.error("create ssl context failed!", e);
                    throw new IllegalArgumentException(e);
                }
            } catch (Exception e2) {
                throw new IllegalArgumentException("failed to get mapped address " + addrToUri, e2);
            }
        } catch (Exception e3) {
            throw new IllegalArgumentException("failed to form address " + str, e3);
        }
    }

    private void cleanExpiredConn(List<ManagedChannel> list) {
        for (ManagedChannel managedChannel : list) {
            logger.info("cleaning expire channels");
            managedChannel.shutdownNow();
            while (!managedChannel.isShutdown()) {
                try {
                    managedChannel.awaitTermination(5L, TimeUnit.SECONDS);
                } catch (Exception e) {
                    logger.warn("recycle channels timeout:", e);
                }
            }
        }
    }

    @Override // java.lang.AutoCloseable
    public void close() {
        Iterator<ManagedChannel> it = this.connPool.values().iterator();
        while (it.hasNext()) {
            it.next().shutdown();
        }
        this.connPool.clear();
        if (this.recycler != null) {
            this.recycler.shutdown();
        }
        if (this.certWatcher != null) {
            this.certWatcher.close();
        }
    }
}
