package io.confluent.rest;

import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import org.apache.kafka.common.config.AbstractConfig;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.ssl.DefaultSslEngineFactory;
import org.apache.kafka.common.utils.SecurityUtils;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* loaded from: input_file:io/confluent/rest/InternalRestServerSSL.class */
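/**
 * Builds a Jetty server-side {@link SslContextFactory} from Kafka-style {@code ssl.*} settings.
 *
 * <p>All settings are read from the map returned by
 * {@link AbstractConfig#valuesWithPrefixAllOrNothing(String)} for the caller-supplied prefix.
 * Store and key passwords are unwrapped from {@link Password} and handed to Jetty as plain
 * strings; they must never be logged from this class.
 */
public class InternalRestServerSSL {
    private static final Pattern COMMA_WITH_WHITESPACE = Pattern.compile("\\s*,\\s*");

    /**
     * Creates and configures the server-side SSL context factory.
     *
     * @param abstractConfig configuration holding the (optionally prefixed) {@code ssl.*} settings
     * @param str prefix passed to {@code valuesWithPrefixAllOrNothing}
     * @return a factory with key store, trust store, algorithms and client-auth mode applied
     */
    public static SslContextFactory.Server createServerSideSslContextFactory(AbstractConfig abstractConfig, String str) {
        Map<String, Object> sslValues = abstractConfig.valuesWithPrefixAllOrNothing(str);
        // "security.providers" is read from the unprefixed config, "ssl.provider" from the prefixed view.
        boolean bcfks = useBcfks(sslValues, abstractConfig.getString("security.providers"));
        // Provider registration is delegated to Kafka and happens before any store is configured.
        SecurityUtils.addConfiguredSecurityProviders(sslValues);
        SslContextFactory.Server server = new SslContextFactory.Server();
        configureSslContextFactoryKeyStore(server, sslValues, bcfks);
        configureSslContextFactoryTrustStore(server, sslValues, bcfks);
        configureSslContextFactoryAlgorithms(server, sslValues);
        configureSslContextFactoryAuthentication(server, sslValues);
        return server;
    }

    /**
     * Reports whether the BCJSSE provider is selected together with a BCFIPS security provider.
     *
     * @param map SSL settings; {@code ssl.provider} is compared to {@code "BCJSSE"} ignoring case
     * @param str the {@code security.providers} value; matched by case-insensitive substring
     *     {@code "bcfips"}, so any provider string containing that text qualifies
     * @return {@code true} only when both values are non-null and both conditions hold
     */
    public static boolean useBcfks(Map<String, Object> map, String str) {
        String sslProvider = (String) map.get("ssl.provider");
        if (sslProvider == null || str == null) {
            return false;
        }
        return sslProvider.equalsIgnoreCase("BCJSSE")
                && str.toLowerCase(Locale.ROOT).contains("bcfips");
    }

    /**
     * Applies key store or trust store settings to the given factory.
     *
     * @param sslContextFactory factory to configure
     * @param map SSL settings
     * @param z {@code true} to configure the key store, {@code false} for the trust store
     * @param z2 forwarded as the last constructor argument of {@code FileBasedPemStore} for PEM
     *     stores; callers in this class pass the result of {@link #useBcfks}
     * @param z3 when {@code true}, only the store path is set and the store type and password
     *     are left untouched (ignored for PEM stores)
     */
    public static void setSecurityStoreProps(SslContextFactory sslContextFactory, Map<String, Object> map, boolean z, boolean z2, boolean z3) {
        String storeType = (String) getOrDefault(map, z ? "ssl.keystore.type" : "ssl.truststore.type", "JKS");
        if (storeType.equals("PEM")) {
            // PEM files are parsed by Kafka's store loader and handed to Jetty as an in-memory store.
            // NOTE(review): the location is passed through even when it is absent from the map;
            // confirm how FileBasedPemStore treats a null path.
            if (z) {
                sslContextFactory.setKeyStore(new DefaultSslEngineFactory.FileBasedPemStore(
                        (String) map.get("ssl.keystore.location"), (Password) map.get("ssl.key.password"), true, z2).get());
            } else {
                // A trust store carries no private key, hence no key password.
                sslContextFactory.setTrustStore(new DefaultSslEngineFactory.FileBasedPemStore(
                        (String) map.get("ssl.truststore.location"), (Password) null, false, z2).get());
            }
            return;
        }
        if (z) {
            String keyStorePath = (String) map.get("ssl.keystore.location");
            if (keyStorePath != null) {
                sslContextFactory.setKeyStorePath(keyStorePath);
            }
            if (z3) {
                return;
            }
            sslContextFactory.setKeyStoreType(storeType);
            Password keyStorePassword = (Password) map.get("ssl.keystore.password");
            if (keyStorePassword != null) {
                sslContextFactory.setKeyStorePassword(keyStorePassword.value());
            }
            return;
        }
        String trustStorePath = (String) map.get("ssl.truststore.location");
        if (trustStorePath != null) {
            sslContextFactory.setTrustStorePath(trustStorePath);
        }
        if (z3) {
            return;
        }
        sslContextFactory.setTrustStoreType(storeType);
        Password trustStorePassword = (Password) map.get("ssl.truststore.password");
        if (trustStorePassword != null) {
            sslContextFactory.setTrustStorePassword(trustStorePassword.value());
        }
    }

    /** Sets the key manager password (when configured) and then the key store itself. */
    private static void configureSslContextFactoryKeyStore(SslContextFactory sslContextFactory, Map<String, Object> map, boolean z) {
        Password keyPassword = (Password) map.get("ssl.key.password");
        if (keyPassword != null) {
            sslContextFactory.setKeyManagerPassword(keyPassword.value());
        }
        setSecurityStoreProps(sslContextFactory, map, true, z, false);
    }

    /**
     * Returns the mapped value when the key is present, otherwise the fallback.
     * A key that is present with a {@code null} value yields {@code null}, not the fallback.
     */
    private static Object getOrDefault(Map<String, Object> map, String str, Object obj) {
        return map.containsKey(str) ? map.get(str) : obj;
    }

    /** Configures the trust store with type and password applied. */
    private static void configureSslContextFactoryTrustStore(SslContextFactory sslContextFactory, Map<String, Object> map, boolean z) {
        setSecurityStoreProps(sslContextFactory, map, false, z, false);
    }

    /**
     * Applies protocol, provider, cipher-suite and key/trust manager algorithm settings.
     *
     * <p>The configured {@code ssl.enabled.protocols} and {@code ssl.cipher.suites} lists are
     * passed to Jetty verbatim as include lists; this method enforces no minimum protocol
     * version or cipher strength of its own.
     */
    private static void configureSslContextFactoryAlgorithms(SslContextFactory sslContextFactory, Map<String, Object> map) {
        List<?> enabledProtocols = (List<?>) getOrDefault(map, "ssl.enabled.protocols",
                Arrays.asList(COMMA_WITH_WHITESPACE.split(SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS)));
        sslContextFactory.setIncludeProtocols(enabledProtocols.toArray(new String[0]));
        String sslProvider = (String) map.get("ssl.provider");
        if (sslProvider != null) {
            sslContextFactory.setProvider(sslProvider);
        }
        sslContextFactory.setProtocol((String) getOrDefault(map, "ssl.protocol", SslConfigs.DEFAULT_SSL_PROTOCOL));
        List<?> cipherSuites = (List<?>) map.get("ssl.cipher.suites");
        if (cipherSuites != null) {
            sslContextFactory.setIncludeCipherSuites(cipherSuites.toArray(new String[0]));
        }
        sslContextFactory.setKeyManagerFactoryAlgorithm(
                (String) getOrDefault(map, "ssl.keymanager.algorithm", SslConfigs.DEFAULT_SSL_KEYMANGER_ALGORITHM));
        String secureRandomImpl = (String) map.get("ssl.secure.random.implementation");
        if (secureRandomImpl != null) {
            sslContextFactory.setSecureRandomAlgorithm(secureRandomImpl);
        }
        sslContextFactory.setTrustManagerFactoryAlgorithm(
                (String) getOrDefault(map, "ssl.trustmanager.algorithm", SslConfigs.DEFAULT_SSL_TRUSTMANAGER_ALGORITHM));
    }

    /**
     * Maps {@code ssl.client.auth} onto Jetty's want/need client-certificate flags.
     *
     * <p>{@code "requested"} asks for a client certificate, {@code "required"} demands one, and
     * the default when the key is absent is {@code "none"}. Matching is exact and case-sensitive.
     */
    private static void configureSslContextFactoryAuthentication(SslContextFactory.Server server, Map<String, Object> map) {
        String clientAuth = (String) getOrDefault(map, "ssl.client.auth", "none");
        // Plain string switch: the decompiled form (hash-code switch feeding a boolean that was
        // assigned -1 and then switched on) is not valid Java.
        switch (clientAuth) {
            case "requested":
                server.setWantClientAuth(true);
                break;
            case "required":
                server.setNeedClientAuth(true);
                break;
            default:
                // Any unrecognised value, including a misspelt or differently-cased "required",
                // lands here and turns client-certificate authentication off.
                // NOTE(review): confirm the config definition rejects such values before this point.
                server.setNeedClientAuth(false);
                server.setWantClientAuth(false);
                break;
        }
    }
}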
