package io.confluent.ksql.api.util;

import io.confluent.ksql.properties.PropertiesUtil;
import io.confluent.ksql.rest.entity.KsqlRequest;
import io.confluent.ksql.rest.server.KsqlRestConfig;
import io.confluent.ksql.util.FileWatcher;
import io.confluent.ksql.util.QueryMask;
import io.confluent.ksql.util.VertxSslOptionsFactory;
import io.netty.handler.codec.haproxy.HAProxyProtocolException;
import io.vertx.core.http.ClientAuth;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.channels.ClosedChannelException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.kafka.common.config.ConfigException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/ksql/api/util/ApiServerUtils.class */
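/**
 * Static helpers used when wiring up the ksqlDB API server: statement masking,
 * listener parsing and TLS configuration of the Vert.x HTTP server options.
 *
 * <p>All methods are stateless; the class cannot be instantiated.
 */
public final class ApiServerUtils {
    private static final Logger LOG = LoggerFactory.getLogger(ApiServerUtils.class);

    private ApiServerUtils() {
    }

    /**
     * Ensures the request carries a masked statement.
     *
     * <p>The masked statement is populated only when reading it fails.
     *
     * @param ksqlRequest the request to check and, if necessary, update
     */
    public static void setMaskedSqlIfNeeded(KsqlRequest ksqlRequest) {
        try {
            ksqlRequest.getMaskedKsql();
        } catch (Exception ignored) {
            // Presumably getMaskedKsql() throws while no masked form has been set yet
            // (confirm against KsqlRequest). Any failure is treated as "not masked yet".
            setMaskedSql(ksqlRequest);
        }
    }

    /**
     * Computes the masked form of the request's statement and stores it on the request.
     *
     * <p>NOTE(review): the masked form is presumably the one meant for logs and error
     * output; avoid writing {@code getUnmaskedKsql()} to logs, since statements may
     * embed credentials. Confirm against callers.
     *
     * @param ksqlRequest the request whose unmasked statement is masked
     */
    public static void setMaskedSql(KsqlRequest ksqlRequest) {
        String masked = QueryMask.getMaskedStatement(ksqlRequest.getUnmaskedKsql());
        ksqlRequest.setMaskedKsql(masked);
    }

    /**
     * Logs an exception that no other handler dealt with.
     *
     * <p>Closed channels are logged at debug level, since they are expected when a
     * peer disconnects early. PROXY protocol decode failures and everything else are
     * logged at error level.
     *
     * @param th the unhandled failure
     */
    public static void unhandledExceptionHandler(Throwable th) {
        if (th instanceof ClosedChannelException) {
            LOG.debug("Unhandled ClosedChannelException (connection likely closed early)", th);
            return;
        }
        if (th instanceof HAProxyProtocolException) {
            // A malformed or unexpected PROXY header; repeated occurrences are worth
            // alerting on because they indicate a peer that is not the expected proxy.
            LOG.error("Failed to decode proxy protocol header", th);
            return;
        }
        LOG.error("Unhandled exception", th);
    }

    /**
     * Responds with an empty JSON object and an {@code application/json} content type.
     *
     * @param routingContext the routing context of the request being answered
     */
    public static void chcHandler(RoutingContext routingContext) {
        routingContext.response()
            .putHeader(HttpHeaders.CONTENT_TYPE.toString(), "application/json")
            .end(new JsonObject().toBuffer());
    }

    /**
     * Starts a file watcher that invokes {@code callback} for the configured key store path.
     *
     * <p>The watched path is {@code SSL_KEYSTORE_WATCH_LOCATION_CONFIG} when it is set,
     * otherwise {@code ssl.keystore.location}.
     *
     * <p>NOTE(review): whoever can write to the watched path can presumably trigger a
     * reload of the server's key material; keep its permissions as tight as the key
     * store's own.
     *
     * @param ksqlRestConfig the REST server configuration
     * @param callback       the callback handed to the {@link FileWatcher}
     * @return the started watcher, or {@code null} when reloading is disabled or the
     *         watcher could not be created (the failure is logged, not rethrown)
     */
    public static FileWatcher configureTlsCertReload(KsqlRestConfig ksqlRestConfig, FileWatcher.Callback callback) {
        if (!ksqlRestConfig.getBoolean(KsqlRestConfig.SSL_KEYSTORE_RELOAD_CONFIG).booleanValue()) {
            return null;
        }
        String watchLocation = ksqlRestConfig.getString(KsqlRestConfig.SSL_KEYSTORE_WATCH_LOCATION_CONFIG);
        // An unset watch location falls back to the key store file itself.
        Path watchPath = (watchLocation != null && !watchLocation.isEmpty())
            ? Paths.get(watchLocation)
            : Paths.get(ksqlRestConfig.getString("ssl.keystore.location"));
        FileWatcher fileWatcher = null;
        try {
            fileWatcher = new FileWatcher(watchPath, callback);
            fileWatcher.start();
            LOG.info("Enabled SSL cert auto reload for: {}", watchPath);
        } catch (IOException e) {
            // Best effort: the server keeps running with the certificate it already loaded.
            LOG.error("Failed to enable SSL cert auto reload", e);
        }
        return fileWatcher;
    }

    /**
     * Parses and validates listener strings.
     *
     * <p>Each entry must be a syntactically valid URI with an {@code http} or
     * {@code https} scheme (case-insensitive). An {@code https} listener additionally
     * requires a non-empty {@code ssl.keystore.location}.
     *
     * @param ksqlRestConfig the REST server configuration, consulted for the key store location
     * @param list           the listener strings to parse
     * @return the parsed URIs, in input order
     * @throws ConfigException if an entry is not a valid URI, has another scheme, or is
     *                         {@code https} without a configured key store
     */
    public static List<URI> parseListenerStrings(KsqlRestConfig ksqlRestConfig, List<String> list) {
        List<URI> listeners = new ArrayList<>();
        for (String listener : list) {
            URI uri;
            try {
                uri = new URI(listener);
            } catch (URISyntaxException e) {
                ConfigException invalid = new ConfigException("Invalid listener URI: " + listener);
                // Keep the parser's diagnosis available to whoever handles the failure.
                invalid.initCause(e);
                throw invalid;
            }
            String scheme = uri.getScheme();
            boolean isHttps = "https".equalsIgnoreCase(scheme);
            if (!isHttps && !"http".equalsIgnoreCase(scheme)) {
                throw new ConfigException("Invalid URI scheme should be http or https: " + listener);
            }
            if (isHttps) {
                String keyStoreLocation = ksqlRestConfig.getString("ssl.keystore.location");
                if (keyStoreLocation == null || keyStoreLocation.isEmpty()) {
                    throw new ConfigException("https listener specified but no keystore provided");
                }
            }
            listeners.add(uri);
        }
        return listeners;
    }

    /**
     * Parses the listeners configured under {@code LISTENERS_CONFIG}.
     *
     * @param ksqlRestConfig the REST server configuration
     * @return the parsed listener URIs
     * @throws ConfigException if any listener is invalid, see {@link #parseListenerStrings}
     */
    public static List<URI> parseListeners(KsqlRestConfig ksqlRestConfig) {
        return parseListenerStrings(ksqlRestConfig, ksqlRestConfig.getList(KsqlRestConfig.LISTENERS_CONFIG));
    }

    /**
     * Parses the listeners configured under {@code PROXY_PROTOCOL_LISTENERS_CONFIG}
     * and checks that each of them is also a regular listener.
     *
     * <p>NOTE(review): PROXY protocol headers are not authenticated by the protocol
     * itself, so listeners on this list should presumably be reachable only from the
     * trusted proxy. Confirm against the deployment.
     *
     * @param ksqlRestConfig the REST server configuration
     * @return the parsed proxy protocol listener URIs
     * @throws ConfigException if a listener is invalid or is missing from {@code LISTENERS_CONFIG}
     */
    public static List<URI> parseProxyProtocolListeners(KsqlRestConfig ksqlRestConfig) {
        List<String> proxyListenerStrings = ksqlRestConfig.getList(KsqlRestConfig.PROXY_PROTOCOL_LISTENERS_CONFIG);
        Set<URI> knownListeners = new HashSet<>(parseListeners(ksqlRestConfig));
        List<URI> proxyListeners = parseListenerStrings(ksqlRestConfig, proxyListenerStrings);
        for (URI proxyListener : proxyListeners) {
            if (!knownListeners.contains(proxyListener)) {
                throw new ConfigException(String.format("Listener %s is listed in %s but not in %s.", proxyListener, KsqlRestConfig.PROXY_PROTOCOL_LISTENERS_CONFIG, KsqlRestConfig.LISTENERS_CONFIG));
            }
        }
        return proxyListeners;
    }

    /**
     * Configures TLS on the given server options.
     *
     * <p>Always enables TLS and ALPN, enables SNI when {@code KSQL_SERVER_SNI_CHECK_ENABLE}
     * is set, applies the key and trust stores, and sets the client authentication mode.
     * Enabled protocols and cipher suites are overridden only when the corresponding
     * configuration list is non-empty; otherwise whatever {@code httpServerOptions}
     * already holds is kept.
     *
     * @param ksqlRestConfig    the REST server configuration
     * @param httpServerOptions the options to configure, modified in place
     * @param str               value forwarded to the JKS key store builder, may be
     *                          {@code null}; presumably the key store alias (confirm)
     * @param clientAuth        the client certificate authentication mode to apply
     */
    public static void setTlsOptions(KsqlRestConfig ksqlRestConfig, HttpServerOptions httpServerOptions, String str, ClientAuth clientAuth) {
        httpServerOptions.setUseAlpn(true).setSsl(true);
        if (ksqlRestConfig.getBoolean(KsqlRestConfig.KSQL_SERVER_SNI_CHECK_ENABLE).booleanValue()) {
            httpServerOptions.setSni(true);
        }
        configureTlsKeyStore(ksqlRestConfig, httpServerOptions, str);
        configureTlsTrustStore(ksqlRestConfig, httpServerOptions);

        List<String> enabledProtocols = ksqlRestConfig.getList(KsqlRestConfig.SSL_ENABLED_PROTOCOLS_CONFIG);
        if (!enabledProtocols.isEmpty()) {
            httpServerOptions.setEnabledSecureTransportProtocols(new HashSet<>(enabledProtocols));
        }

        List<String> cipherSuites = ksqlRestConfig.getList(KsqlRestConfig.SSL_CIPHER_SUITES_CONFIG);
        if (!cipherSuites.isEmpty()) {
            // Replaces, rather than extends, the suites already on the options. This relies
            // on getEnabledCipherSuites() returning the live backing set; confirm against
            // the Vert.x version in use.
            Set<String> enabledCipherSuites = httpServerOptions.getEnabledCipherSuites();
            enabledCipherSuites.clear();
            enabledCipherSuites.addAll(cipherSuites);
        }
        httpServerOptions.setClientAuth(clientAuth);
    }

    /**
     * Applies the configured key store (JKS, PKCS12 or BCFKS) to the server options.
     *
     * <p>Only the JKS branch uses {@code str}. When the factory returns no options,
     * nothing is set.
     *
     * @param ksqlRestConfig    the REST server configuration
     * @param httpServerOptions the options to configure, modified in place
     * @param str               value forwarded to the JKS key store builder, may be {@code null}
     */
    private static void configureTlsKeyStore(KsqlRestConfig ksqlRestConfig, HttpServerOptions httpServerOptions, String str) {
        Map<String, String> props = PropertiesUtil.toMapStrings(ksqlRestConfig.originals());
        String keyStoreType = ksqlRestConfig.getString(KsqlRestConfig.SSL_KEYSTORE_TYPE_CONFIG);
        if (KsqlRestConfig.SSL_STORE_TYPE_JKS.equals(keyStoreType)) {
            VertxSslOptionsFactory.buildJksKeyStoreOptions(props, Optional.ofNullable(str))
                .ifPresent(jksOptions -> httpServerOptions.setKeyStoreOptions(jksOptions));
        } else if (KsqlRestConfig.SSL_STORE_TYPE_PKCS12.equals(keyStoreType)) {
            VertxSslOptionsFactory.getPfxKeyStoreOptions(props)
                .ifPresent(pfxOptions -> httpServerOptions.setPfxKeyCertOptions(pfxOptions));
        } else if (KsqlRestConfig.SSL_STORE_TYPE_BCFKS.equals(keyStoreType)) {
            VertxSslOptionsFactory.getBcfksKeyStoreOptions(props)
                .ifPresent(keyStoreOptions -> httpServerOptions.setKeyCertOptions(keyStoreOptions));
        } else {
            // Surface the misconfiguration instead of leaving TLS enabled with no key material.
            LOG.warn("Unrecognised SSL key store type '{}'; no key store was configured", keyStoreType);
        }
    }

    /**
     * Applies the configured trust store (JKS, PKCS12 or BCFKS) to the server options.
     *
     * <p>When the factory returns no options, nothing is set.
     *
     * <p>NOTE(review): with no trust options applied, client certificate validation
     * presumably falls back to the TLS engine's default trust anchors. Confirm that
     * this is acceptable when client authentication is requested or required.
     *
     * @param ksqlRestConfig    the REST server configuration
     * @param httpServerOptions the options to configure, modified in place
     */
    private static void configureTlsTrustStore(KsqlRestConfig ksqlRestConfig, HttpServerOptions httpServerOptions) {
        Map<String, String> props = PropertiesUtil.toMapStrings(ksqlRestConfig.originals());
        String trustStoreType = ksqlRestConfig.getString(KsqlRestConfig.SSL_TRUSTSTORE_TYPE_CONFIG);
        if (KsqlRestConfig.SSL_STORE_TYPE_JKS.equals(trustStoreType)) {
            VertxSslOptionsFactory.getJksTrustStoreOptions(props)
                .ifPresent(jksOptions -> httpServerOptions.setTrustOptions(jksOptions));
        } else if (KsqlRestConfig.SSL_STORE_TYPE_PKCS12.equals(trustStoreType)) {
            VertxSslOptionsFactory.getPfxTrustStoreOptions(props)
                .ifPresent(pfxOptions -> httpServerOptions.setTrustOptions(pfxOptions));
        } else if (KsqlRestConfig.SSL_STORE_TYPE_BCFKS.equals(trustStoreType)) {
            VertxSslOptionsFactory.getBcfksTrustStoreOptions(props)
                .ifPresent(keyStoreOptions -> httpServerOptions.setTrustOptions(keyStoreOptions));
        } else {
            // Surface the misconfiguration: an unmatched type leaves trust options untouched.
            LOG.warn("Unrecognised SSL trust store type '{}'; no trust store was configured", trustStoreType);
        }
    }
}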
