package io.confluent.rest;

import java.io.File;
import java.nio.file.Paths;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.kafka.common.errors.InvalidConfigurationException;
import org.apache.kafka.common.utils.FileWatchService;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.server.handler.DefaultHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rest/InternalRestServer.class */
public final class InternalRestServer {
    private static final Logger log = LoggerFactory.getLogger(InternalRestServer.class);
    private static final FileWatchService FILE_STORE_WATCH_SERVICE = new FileWatchService();
    private static final long CONNECTION_IDLE_TIMEOUT_MS = Duration.ofMinutes(1).toMillis();
    private static final int CONNECTOR_IDLE_TIMEOUT = 60000;
    private final BeginShutdownBrokerHandle beginShutdownBrokerHandle;
    private final KafkaRestorePartitionHandle kafkaRestorePartitionHandle;
    private final AuditJobHandle auditJobHandle;
    private final TierMetadataRecoveryHandle tierMetadataRecoveryHandle;
    private final ForceRollSegmentsHandle forceRollSegmentsHandle;
    private final BrokerStartupStatusHandle brokerStartupStatusHandle;
    private final int port;
    private final InternalRestServerConfig config;
    private final boolean sslEnabled;
    private Server server;
    private FileStoreWatchListener keyStoreFileWatchListener;
    private FileStoreWatchListener trustStoreFileWatchListener;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/confluent/rest/InternalRestServer$FileStoreWatchListener.class */
    public class FileStoreWatchListener implements FileWatchService.Listener {
        private final AtomicReference<Exception> lastLoadFailure = new AtomicReference<>(null);
        private final File watchFile;
        private final Runnable reloadSSLContext;
        private boolean initCompleted;

        public FileStoreWatchListener(String str, Runnable runnable) {
            this.watchFile = Paths.get(str, new String[0]).toFile();
            this.reloadSSLContext = runnable;
        }

        public File file() {
            return this.watchFile;
        }

        public void onInit() {
            this.initCompleted = true;
        }

        public void onUpdate() {
            try {
                this.reloadSSLContext.run();
                this.lastLoadFailure.set(null);
            } catch (Exception e) {
                this.lastLoadFailure.set(e);
                InternalRestServer.log.error("Error while reloading the security store", e);
            }
        }

        Exception lastLoadFailure() {
            return this.lastLoadFailure.get();
        }

        boolean initCompleted() {
            return this.initCompleted;
        }
    }

    public InternalRestServer(Map<?, ?> map, BeginShutdownBrokerHandle beginShutdownBrokerHandle, KafkaRestorePartitionHandle kafkaRestorePartitionHandle, AuditJobHandle auditJobHandle, TierMetadataRecoveryHandle tierMetadataRecoveryHandle, ForceRollSegmentsHandle forceRollSegmentsHandle, BrokerStartupStatusHandle brokerStartupStatusHandle) {
        this.config = new InternalRestServerConfig(map);
        this.port = this.config.getInt("confluent.internal.rest.server.bind.port").intValue();
        this.sslEnabled = this.config.getBoolean("confluent.internal.rest.server.ssl.enable").booleanValue();
        this.beginShutdownBrokerHandle = (BeginShutdownBrokerHandle) Objects.requireNonNull(beginShutdownBrokerHandle, "null beginShutdownBrokerHandle");
        this.kafkaRestorePartitionHandle = (KafkaRestorePartitionHandle) Objects.requireNonNull(kafkaRestorePartitionHandle, "null kafkaRestorePartitionHandle");
        this.auditJobHandle = (AuditJobHandle) Objects.requireNonNull(auditJobHandle, "null auditJobHandle");
        this.tierMetadataRecoveryHandle = (TierMetadataRecoveryHandle) Objects.requireNonNull(tierMetadataRecoveryHandle, "null tierMetadataRecoveryHandle");
        this.forceRollSegmentsHandle = (ForceRollSegmentsHandle) Objects.requireNonNull(forceRollSegmentsHandle, "null forceRollSegmentsHandle");
        this.brokerStartupStatusHandle = brokerStartupStatusHandle;
    }

    private ServerConnector configureConnector(int i, boolean z) {
        ServerConnector serverConnector;
        if (z) {
            log.info("Setting InternalRestServer SSL configurations" + this.config.printSslConfigs());
            serverConnector = new ServerConnector(this.server, InternalRestServerSSL.createServerSideSslContextFactory(this.config, InternalRestServerConfig.CONFIG_PREFIX));
        } else {
            serverConnector = new ServerConnector(this.server);
        }
        serverConnector.setIdleTimeout(60000L);
        serverConnector.setPort(i);
        return serverConnector;
    }

    public InternalRestServerConfig getConfigs() {
        return this.config;
    }

    public int getPort() {
        return this.port;
    }

    public synchronized void start() throws Exception {
        if (this.server != null) {
            throw new IllegalStateException("Server is already running.");
        }
        this.server = new Server();
        ServerConnector configureConnector = configureConnector(this.port, this.sslEnabled);
        if (this.sslEnabled) {
            registerSSLStoreFileWatchListeners();
        }
        log.info("Binding to port {}", Integer.valueOf(configureConnector.getPort()));
        this.server.addConnector(configureConnector);
        ArrayList arrayList = new ArrayList();
        arrayList.add(createContextHandler("/v1/roll", new RollHandler(this.beginShutdownBrokerHandle)));
        arrayList.add(createContextHandler("/v1/restore", new RestoreHandler(this.kafkaRestorePartitionHandle)));
        arrayList.add(createContextHandler("/v1/audit", new AuditJobHandler(this.auditJobHandle)));
        arrayList.add(createContextHandler(TierMetadataRecoveryHandler.TIER_METADATA_RECOVERY_CONTEXT_PATH, new TierMetadataRecoveryHandler(this.tierMetadataRecoveryHandle, (long) (CONNECTION_IDLE_TIMEOUT_MS * 0.75d))));
        arrayList.add(createContextHandler(ForceRollSegmentsHandler.FORCE_ROLL_SEGMENTS_CONTEXT_PATH, new ForceRollSegmentsHandler(this.forceRollSegmentsHandle)));
        if (this.brokerStartupStatusHandle != null) {
            arrayList.add(createContextHandler("/v1/startup", new BrokerStartupStatusHandler(this.brokerStartupStatusHandle)));
        }
        ContextHandlerCollection contextHandlerCollection = new ContextHandlerCollection(new ContextHandler[0]);
        arrayList.add(new DefaultHandler());
        contextHandlerCollection.setHandlers((Handler[]) arrayList.toArray(new Handler[0]));
        this.server.setHandler(contextHandlerCollection);
        this.server.start();
    }

    private ContextHandler createContextHandler(String str, Handler.Abstract r6) {
        ContextHandler contextHandler = new ContextHandler(str);
        contextHandler.setContextPath(str);
        contextHandler.setHandler(r6);
        return contextHandler;
    }

    FileStoreWatchListener keyStoreFileWatchListener() {
        return this.keyStoreFileWatchListener;
    }

    FileStoreWatchListener trustStoreFileWatchListener() {
        return this.trustStoreFileWatchListener;
    }

    private void reloadKeystoreCerts() {
        reloadSSLCerts(true);
    }

    private void reloadTruststoreCerts() {
        reloadSSLCerts(false);
    }

    private Optional<SslContextFactory> getSSLFactory(Connector connector) {
        SslConnectionFactory sslConnectionFactory;
        if ((connector instanceof ServerConnector) && (sslConnectionFactory = (SslConnectionFactory) ((ServerConnector) connector).getConnectionFactory(SslConnectionFactory.class)) != null) {
            return Optional.ofNullable(sslConnectionFactory.getSslContextFactory());
        }
        return Optional.empty();
    }

    boolean isKeyStoreConfigured() {
        return Arrays.stream(this.server.getConnectors()).anyMatch(connector -> {
            return getSSLFactory(connector).isPresent() && getSSLFactory(connector).get().getKeyStore() != null;
        });
    }

    private void reloadSSLCerts(boolean z) {
        Map valuesWithPrefixAllOrNothing = this.config.valuesWithPrefixAllOrNothing(InternalRestServerConfig.CONFIG_PREFIX);
        boolean useBcfks = InternalRestServerSSL.useBcfks(valuesWithPrefixAllOrNothing, this.config.getString("security.providers"));
        for (Connector connector : this.server.getConnectors()) {
            Optional<SslContextFactory> sSLFactory = getSSLFactory(connector);
            if (sSLFactory.isPresent()) {
                try {
                    InternalRestServerSSL.setSecurityStoreProps(sSLFactory.get(), valuesWithPrefixAllOrNothing, z, useBcfks, true);
                    sSLFactory.get().reload(sslContextFactory -> {
                        log.info("Reloaded ssl factory for the connector " + connector.getName());
                    });
                } catch (Exception e) {
                    log.error(e.getMessage());
                    throw new InvalidConfigurationException("Failed to load SSL keystore ", e);
                }
            }
        }
    }

    private void registerSSLStoreFileWatchListeners() {
        if (this.config.getBoolean("confluent.ssl.enable.dynamic.store.update").booleanValue()) {
            Map valuesWithPrefixAllOrNothing = this.config.valuesWithPrefixAllOrNothing(InternalRestServerConfig.CONFIG_PREFIX);
            String str = (String) valuesWithPrefixAllOrNothing.getOrDefault("ssl.keystore.location", null);
            String str2 = (String) valuesWithPrefixAllOrNothing.getOrDefault("ssl.truststore.location", null);
            if (str != null) {
                this.keyStoreFileWatchListener = new FileStoreWatchListener(str, this::reloadKeystoreCerts);
                FILE_STORE_WATCH_SERVICE.add(this.keyStoreFileWatchListener);
                log.info("Enabled ssl.enable.dynamic.store.update for keystore ");
            }
            if (str2 != null) {
                this.trustStoreFileWatchListener = new FileStoreWatchListener(str2, this::reloadTruststoreCerts);
                FILE_STORE_WATCH_SERVICE.add(this.trustStoreFileWatchListener);
                log.info("Enabled ssl.enable.dynamic.store.update for truststore");
            }
        }
    }

    private void removeFileWatcherListener() {
        if (this.keyStoreFileWatchListener != null) {
            FILE_STORE_WATCH_SERVICE.remove(this.keyStoreFileWatchListener);
        }
        if (this.trustStoreFileWatchListener != null) {
            FILE_STORE_WATCH_SERVICE.remove(this.trustStoreFileWatchListener);
        }
    }

    public synchronized void stop() throws Exception {
        if (this.server == null) {
            throw new IllegalStateException("Server is not running.");
        }
        log.info("Stopping");
        this.server.stop();
        this.server.join();
        this.server = null;
        removeFileWatcherListener();
    }
}
