package io.grpc.xds.internal.sds;

import com.google.common.base.Preconditions;
import io.grpc.Status;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.netty.handler.ssl.ApplicationProtocolConfig;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.xds.internal.sds.SdsClient;
import io.grpc.xds.internal.sds.SslContextProvider;
import io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;
import io.grpc.xds.shaded.io.envoyproxy.envoy.api.v2.auth.CertificateValidationContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.api.v2.auth.CommonTlsContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.api.v2.auth.DownstreamTlsContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.api.v2.auth.SdsSecretConfig;
import io.grpc.xds.shaded.io.envoyproxy.envoy.api.v2.auth.Secret;
import io.grpc.xds.shaded.io.envoyproxy.envoy.api.v2.auth.TlsCertificate;
import io.grpc.xds.shaded.io.envoyproxy.envoy.api.v2.auth.UpstreamTlsContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.api.v2.core.Node;
import java.io.IOException;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.Executor;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nullable;

/* loaded from: input_file:io/grpc/xds/internal/sds/SdsSslContextProvider.class */
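/**
 * An {@link SslContextProvider} whose TLS certificate and/or certificate validation context are
 * fetched dynamically from an SDS (Secret Discovery Service) server through {@link SdsClient}.
 *
 * <p>The provider watches up to two secrets: the TLS certificate (private key plus chain) and the
 * validation context (trust roots). Once every secret it was configured for has arrived it builds
 * an {@link SslContext} and hands it to all callbacks registered via {@link #addCallback}; callbacks
 * registered after that receive the most recently built context right away.
 *
 * <p>Thread-safety: secret updates are serialized by {@code synchronized onSecretChanged}, which
 * also guards {@code tlsCertificate} and {@code certificateValidationContext}. The published
 * {@code sslContext} and the pending-callback list are guarded by the {@code pendingCallbacks}
 * monitor so that "check for a context, else enqueue" in {@code addCallback} cannot interleave with
 * "publish context, then drain queue" in {@code updateSslContext} and silently drop a callback.
 *
 * @param <K> the xDS TLS context the provider was created from ({@link UpstreamTlsContext} for
 *     clients, {@link DownstreamTlsContext} for servers)
 */
final class SdsSslContextProvider<K> extends SslContextProvider<K> implements SdsClient.SecretWatcher {
    private static final Logger logger = Logger.getLogger(SdsSslContextProvider.class.getName());

    /** Client watching the TLS-certificate secret; null when no certificate SDS config was given. */
    @Nullable
    private final SdsClient certSdsClient;

    /** Client watching the validation-context secret; null when none was configured. */
    @Nullable
    private final SdsClient validationContextSdsClient;

    @Nullable
    private final SdsSecretConfig certSdsConfig;

    @Nullable
    private final SdsSecretConfig validationContextSdsConfig;

    /** Statically configured validation context; merged with the dynamic one when both exist. */
    @Nullable
    private final CertificateValidationContext staticCertificateValidationContext;

    /**
     * Callbacks still waiting for the first {@link SslContext}. Its monitor also guards
     * {@link #sslContext}.
     */
    private final List<CallbackPair> pendingCallbacks = new ArrayList<>();

    /** Latest certificate received from SDS; guarded by this object's monitor. */
    @Nullable
    private TlsCertificate tlsCertificate;

    /** Latest validation context received from SDS; guarded by this object's monitor. */
    @Nullable
    private CertificateValidationContext certificateValidationContext;

    /** Most recently built context, or null before the first successful build; guarded by {@code pendingCallbacks}. */
    @Nullable
    private SslContext sslContext;

    /** A callback together with the executor it must be invoked on. */
    /* JADX INFO: Access modifiers changed from: private */
    public static class CallbackPair {
        private final SslContextProvider.Callback callback;
        private final Executor executor;

        private CallbackPair(SslContextProvider.Callback callback, Executor executor) {
            this.callback = callback;
            this.executor = executor;
        }
    }

    /**
     * Creates the provider and immediately starts an SDS watch for each secret config that is
     * present and initialized.
     *
     * <p>Note that {@code this} is registered as a watcher before the constructor returns, so
     * {@link #onSecretChanged} may run concurrently with the tail of construction. Every field it
     * reads ({@code certSdsConfig}, {@code validationContextSdsConfig}, {@code pendingCallbacks},
     * the static validation context) is therefore assigned before the first {@code watchSecret}.
     *
     * @param node the xDS node identity sent to the SDS server
     * @param sdsSecretConfig SDS config for the TLS certificate, or null if none
     * @param sdsSecretConfig2 SDS config for the validation context, or null if none
     * @param certificateValidationContext static validation context, or null if none
     * @param executor first executor handed to {@link SdsClient.Factory#createSdsClient}
     * @param executor2 second executor handed to {@link SdsClient.Factory#createSdsClient}
     * @param z true for a server-side (downstream) provider, false for client-side
     * @param k the source TLS context, passed to the superclass
     */
    private SdsSslContextProvider(Node node, SdsSecretConfig sdsSecretConfig, SdsSecretConfig sdsSecretConfig2, CertificateValidationContext certificateValidationContext, Executor executor, Executor executor2, boolean z, K k) {
        super(k, z);
        this.certSdsConfig = sdsSecretConfig;
        this.validationContextSdsConfig = sdsSecretConfig2;
        this.staticCertificateValidationContext = certificateValidationContext;
        this.certSdsClient = startWatch(sdsSecretConfig, node, executor, executor2);
        this.validationContextSdsClient = startWatch(sdsSecretConfig2, node, executor, executor2);
    }

    /**
     * Creates, starts and subscribes an {@link SdsClient} for {@code config}, or returns null when
     * the config is absent or uninitialized (nothing to watch).
     */
    @Nullable
    private SdsClient startWatch(@Nullable SdsSecretConfig config, Node node, Executor executor, Executor executor2) {
        if (config == null || !config.isInitialized()) {
            return null;
        }
        SdsClient client = SdsClient.Factory.createSdsClient(config, node, executor, executor2);
        client.start();
        client.watchSecret(this);
        return client;
    }

    /**
     * Builds a client-side provider from an {@link UpstreamTlsContext}.
     *
     * <p>The validation context may come from a combined context (SDS config plus static default),
     * from a bare SDS config, or from a bare static context. Only the first TLS-certificate SDS
     * config is used when several are listed.
     *
     * @throws NullPointerException if {@code upstreamTlsContext} is null
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static SdsSslContextProvider<UpstreamTlsContext> getProviderForClient(UpstreamTlsContext upstreamTlsContext, Node node, Executor executor, Executor executor2) {
        Preconditions.checkNotNull(upstreamTlsContext, "upstreamTlsContext");
        CommonTlsContext commonTlsContext = upstreamTlsContext.getCommonTlsContext();
        SdsSecretConfig validationContextSdsConfig = null;
        CertificateValidationContext staticValidationContext = null;
        if (commonTlsContext.hasCombinedValidationContext()) {
            CommonTlsContext.CombinedCertificateValidationContext combined = commonTlsContext.getCombinedValidationContext();
            if (combined.hasValidationContextSdsSecretConfig()) {
                validationContextSdsConfig = combined.getValidationContextSdsSecretConfig();
            }
            if (combined.hasDefaultValidationContext()) {
                staticValidationContext = combined.getDefaultValidationContext();
            }
        } else if (commonTlsContext.hasValidationContextSdsSecretConfig()) {
            validationContextSdsConfig = commonTlsContext.getValidationContextSdsSecretConfig();
        } else if (commonTlsContext.hasValidationContext()) {
            staticValidationContext = commonTlsContext.getValidationContext();
        }
        SdsSecretConfig certSdsConfig = firstTlsCertificateSdsConfig(commonTlsContext);
        return new SdsSslContextProvider<>(node, certSdsConfig, validationContextSdsConfig, staticValidationContext, executor, executor2, false, upstreamTlsContext);
    }

    /**
     * Builds a server-side provider from a {@link DownstreamTlsContext}.
     *
     * <p>Only SDS-sourced validation contexts are honored here; a static validation context in the
     * downstream context is not consulted (the static slot is passed as null).
     *
     * @throws NullPointerException if {@code downstreamTlsContext} is null
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static SdsSslContextProvider<DownstreamTlsContext> getProviderForServer(DownstreamTlsContext downstreamTlsContext, Node node, Executor executor, Executor executor2) {
        Preconditions.checkNotNull(downstreamTlsContext, "downstreamTlsContext");
        CommonTlsContext commonTlsContext = downstreamTlsContext.getCommonTlsContext();
        SdsSecretConfig certSdsConfig = firstTlsCertificateSdsConfig(commonTlsContext);
        SdsSecretConfig validationContextSdsConfig = null;
        if (commonTlsContext.hasValidationContextSdsSecretConfig()) {
            validationContextSdsConfig = commonTlsContext.getValidationContextSdsSecretConfig();
        }
        return new SdsSslContextProvider<>(node, certSdsConfig, validationContextSdsConfig, null, executor, executor2, true, downstreamTlsContext);
    }

    /** Returns the first TLS-certificate SDS config in {@code ctx}, or null if none is listed. */
    @Nullable
    private static SdsSecretConfig firstTlsCertificateSdsConfig(CommonTlsContext ctx) {
        if (ctx.getTlsCertificateSdsSecretConfigsCount() > 0) {
            return ctx.getTlsCertificateSdsSecretConfigs(0);
        }
        return null;
    }

    /**
     * Registers a callback. If a context is already available it is delivered immediately
     * (through {@code executor}); otherwise the callback is queued until the first successful
     * build or until {@link #onError}.
     *
     * <p>The null-check and the enqueue happen under the {@code pendingCallbacks} monitor so that a
     * concurrent {@link #updateSslContext} cannot publish a context and drain the queue in between
     * — which would leave this callback queued forever.
     *
     * @throws NullPointerException if either argument is null
     */
    @Override // io.grpc.xds.internal.sds.SslContextProvider
    public void addCallback(SslContextProvider.Callback callback, Executor executor) {
        Preconditions.checkNotNull(callback, "callback");
        Preconditions.checkNotNull(executor, "executor");
        SslContext current;
        synchronized (this.pendingCallbacks) {
            current = this.sslContext;
            if (current == null) {
                this.pendingCallbacks.add(new CallbackPair(callback, executor));
                return;
            }
        }
        // Invoke outside the lock: performCallback runs alien code.
        callPerformCallback(callback, executor, current);
    }

    /** Delivers a fixed {@link SslContext} to {@code callback} via the superclass dispatch. */
    private void callPerformCallback(SslContextProvider.Callback callback, Executor executor, final SslContext sslContext) {
        performCallback(new SslContextProvider.SslContextGetter() { // from class: io.grpc.xds.internal.sds.SdsSslContextProvider.1
            @Override // io.grpc.xds.internal.sds.SslContextProvider.SslContextGetter
            public SslContext get() {
                return sslContext;
            }
        }, callback, executor);
    }

    /**
     * Receives a secret from one of the SDS watches, stores it, and rebuilds the
     * {@link SslContext} once every expected secret has been seen.
     *
     * @throws IllegalStateException if the secret's name does not match the config it was watched
     *     under, or a secret type arrives that this provider has no config for
     * @throws UnsupportedOperationException for secret types other than TLS certificate and
     *     validation context
     */
    @Override // io.grpc.xds.internal.sds.SdsClient.SecretWatcher
    public synchronized void onSecretChanged(Secret secret) {
        Preconditions.checkNotNull(secret, "secret");
        if (secret.hasTlsCertificate()) {
            // A clear failure instead of an NPE from certSdsConfig.getName() below.
            Preconditions.checkState(this.certSdsConfig != null, "received TlsCertificate but no certificate SDS config");
            Preconditions.checkState(secret.getName().equals(this.certSdsConfig.getName()), "tlsCert names don't match");
            logger.log(Level.FINEST, "onSecretChanged certSdsConfig.name={0}", this.certSdsConfig.getName());
            this.tlsCertificate = secret.getTlsCertificate();
        } else if (secret.hasValidationContext()) {
            Preconditions.checkState(this.validationContextSdsConfig != null, "received ValidationContext but no validation-context SDS config");
            Preconditions.checkState(secret.getName().equals(this.validationContextSdsConfig.getName()), "validationContext names don't match");
            logger.log(Level.FINEST, "onSecretChanged validationContextSdsConfig.name={0}", this.validationContextSdsConfig.getName());
            this.certificateValidationContext = secret.getValidationContext();
        } else {
            throw new UnsupportedOperationException("Unexpected secret type:" + secret.getTypeCase());
        }
        if (allExpectedSecretsReceived()) {
            updateSslContext();
        }
    }

    /**
     * True when each secret this provider has an SDS config for has arrived at least once. A
     * secret with no SDS config is not waited for.
     */
    private boolean allExpectedSecretsReceived() {
        boolean haveCert = this.tlsCertificate != null || this.certSdsConfig == null;
        boolean haveValidation = this.certificateValidationContext != null || this.validationContextSdsConfig == null;
        return haveCert && haveValidation;
    }

    /**
     * Builds a new {@link SslContext} from the current secrets and publishes it to pending and
     * future callbacks. Called with this object's monitor held (from {@link #onSecretChanged}).
     *
     * <p>Build failures are logged and otherwise ignored: the previously published context (if
     * any) stays in effect and queued callbacks keep waiting for the next update.
     */
    private void updateSslContext() {
        try {
            CertificateValidationContext validationContext = mergeStaticAndDynamicCertContexts();
            SslContextBuilder builder;
            if (this.server) {
                logger.log(Level.FINEST, "for server");
                // A server cannot be built without its own key pair; fail with a message rather
                // than an NPE from the getter chain (NPE would not be caught below either).
                Preconditions.checkState(this.tlsCertificate != null, "server has no TLS certificate");
                builder = GrpcSslContexts.forServer(
                        this.tlsCertificate.getCertificateChain().getInlineBytes().newInput(),
                        this.tlsCertificate.getPrivateKey().getInlineBytes().newInput(),
                        keyPassword(this.tlsCertificate));
                setClientAuthValues(builder, validationContext);
            } else {
                logger.log(Level.FINEST, "for client");
                builder = GrpcSslContexts.forClient().trustManager(new SdsTrustManagerFactory(validationContext));
                // Client certificate is optional (mTLS only when SDS supplied one).
                if (this.tlsCertificate != null) {
                    builder.keyManager(
                            this.tlsCertificate.getCertificateChain().getInlineBytes().newInput(),
                            this.tlsCertificate.getPrivateKey().getInlineBytes().newInput(),
                            keyPassword(this.tlsCertificate));
                }
            }
            CommonTlsContext commonTlsContext = getCommonTlsContext();
            if (commonTlsContext != null && commonTlsContext.getAlpnProtocolsCount() > 0) {
                builder.applicationProtocolConfig(new ApplicationProtocolConfig(
                        ApplicationProtocolConfig.Protocol.ALPN,
                        ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                        ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                        commonTlsContext.getAlpnProtocolsList()));
            }
            publishSslContext(builder.build());
        } catch (IOException | CertStoreException | CertificateException e) {
            // NOTE(review): pending callbacks are not failed here; a persistently bad secret leaves
            // them queued until a later update succeeds — confirm this is the intended contract.
            logger.log(Level.SEVERE, "exception in updateSslContext", e);
        }
    }

    /** Returns the inline private-key password, or null when the certificate has none. */
    @Nullable
    private static String keyPassword(TlsCertificate cert) {
        return cert.hasPassword() ? cert.getPassword().getInlineString() : null;
    }

    /**
     * Combines the static and the SDS-delivered validation contexts. When both exist the static
     * one is merged into a copy of the dynamic one, so per protobuf merge semantics static singular
     * fields win and repeated fields are concatenated. Returns whichever one exists otherwise
     * (possibly null).
     */
    @Nullable
    private CertificateValidationContext mergeStaticAndDynamicCertContexts() {
        if (this.staticCertificateValidationContext == null) {
            return this.certificateValidationContext;
        }
        if (this.certificateValidationContext == null) {
            return this.staticCertificateValidationContext;
        }
        return this.certificateValidationContext.toBuilder()
                .mergeFrom(this.staticCertificateValidationContext)
                .build();
    }

    /**
     * Stores {@code built} as the current context and drains the pending queue, both under the
     * {@code pendingCallbacks} monitor so no concurrent {@link #addCallback} can slip in between.
     * The callbacks themselves are invoked after the lock is released.
     */
    private void publishSslContext(SslContext built) {
        List<CallbackPair> toNotify;
        synchronized (this.pendingCallbacks) {
            this.sslContext = built;
            toNotify = new ArrayList<>(this.pendingCallbacks);
            this.pendingCallbacks.clear();
        }
        for (CallbackPair pair : toNotify) {
            callPerformCallback(pair.callback, pair.executor, built);
        }
    }

    /**
     * Fails every queued callback with {@code status}. Callbacks are invoked directly on the
     * calling thread rather than on their registered executor (existing behavior, kept as-is).
     */
    @Override // io.grpc.xds.internal.sds.SdsClient.SecretWatcher
    public void onError(Status status) {
        List<CallbackPair> toFail;
        synchronized (this.pendingCallbacks) {
            toFail = new ArrayList<>(this.pendingCallbacks);
            this.pendingCallbacks.clear();
        }
        for (CallbackPair pair : toFail) {
            pair.callback.onException(status.asException());
        }
    }

    /**
     * Cancels both SDS watches and shuts their clients down. Callbacks still queued at this point
     * are neither invoked nor failed.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // io.grpc.xds.internal.sds.SslContextProvider
    public void close() {
        stopWatch(this.certSdsClient);
        stopWatch(this.validationContextSdsClient);
    }

    /** Unsubscribes from and shuts down {@code client}; no-op for null. */
    private void stopWatch(@Nullable SdsClient client) {
        if (client == null) {
            return;
        }
        client.cancelSecretWatch(this);
        client.shutdown();
    }
}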
