package org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.internal.sds;

import com.sun.jna.Callback;
import java.io.File;
import java.io.IOException;
import java.security.cert.CertStoreException;
import java.security.cert.CertificateException;
import org.apache.pulsar.functions.runtime.shaded.com.google.common.annotations.VisibleForTesting;
import org.apache.pulsar.functions.runtime.shaded.com.google.common.base.Preconditions;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.EnvoyServerProtoData;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.internal.sds.SslContextProvider;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.internal.sds.trust.SdsTrustManagerFactory;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import org.apache.pulsar.functions.runtime.shaded.io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsCertificate;
import org.apache.pulsar.functions.runtime.shaded.javax.annotation.Nullable;

/* loaded from: input_file:org/apache/pulsar/functions/runtime/shaded/io/grpc/xds/internal/sds/SecretVolumeClientSslContextProvider.class */
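/**
 * Client-side {@link SslContextProvider} that builds an {@link SslContext} from key material
 * referenced by file name in an {@link EnvoyServerProtoData.UpstreamTlsContext}.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The private key and certificate chain are held as file paths, not as key material. The
 *       paths come from the supplied TLS context and this class does not restrict them to a
 *       particular directory; any checks on them are in
 *       {@code CommonTlsContextUtil.validateTlsCertificate}, which is not shown here.</li>
 *   <li>The private-key password is taken from the certificate's inline string and kept in a
 *       {@code String} field for the lifetime of the provider, so it is present in the received
 *       configuration and in heap memory in clear text.</li>
 *   <li>Peer verification is delegated to {@link SdsTrustManagerFactory}, constructed from the
 *       (possibly {@code null}) {@link CertificateValidationContext}.</li>
 *   <li>A client certificate is attached only when both file names are present; otherwise the
 *       context is built without client authentication material.</li>
 * </ul>
 */
final class SecretVolumeClientSslContextProvider extends SslContextProvider {

    // Path of the PEM private key file; null when no client certificate is configured.
    @Nullable
    private final String privateKey;

    // Password for the private key, as supplied inline in the TLS configuration; may be null.
    @Nullable
    private final String privateKeyPassword;

    // Path of the certificate chain file; null when no client certificate is configured.
    @Nullable
    private final String certificateChain;

    // Validation settings handed to SdsTrustManagerFactory; may be null.
    @Nullable
    private final CertificateValidationContext certContext;

    private SecretVolumeClientSslContextProvider(
            @Nullable String privateKey,
            @Nullable String privateKeyPassword,
            @Nullable String certificateChain,
            @Nullable CertificateValidationContext certContext,
            EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext) {
        super(upstreamTlsContext);
        this.privateKey = privateKey;
        this.privateKeyPassword = privateKeyPassword;
        this.certificateChain = certificateChain;
        this.certContext = certContext;
    }

    /**
     * Creates a provider from the given upstream TLS context.
     *
     * <p>Only the first entry of the context's TLS certificate list is used; further entries are
     * ignored. The decompiler reports that this method was package-private in the original
     * class file.
     *
     * @param upstreamTlsContext TLS settings to read; must not be {@code null}
     * @return a provider holding the key/certificate file names and validation context
     * @throws NullPointerException if {@code upstreamTlsContext} is {@code null}
     * @throws IllegalArgumentException if the context carries TLS-certificate SDS secret configs
     */
    public static SecretVolumeClientSslContextProvider getProvider(EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext) {
        Preconditions.checkNotNull(upstreamTlsContext, "upstreamTlsContext");
        CommonTlsContext commonTlsContext = upstreamTlsContext.getCommonTlsContext();
        // This provider reads secrets from files only; SDS-delivered certificates are rejected.
        Preconditions.checkArgument(
                commonTlsContext.getTlsCertificateSdsSecretConfigsCount() == 0,
                "unexpected TlsCertificateSdsSecretConfigs");

        CertificateValidationContext validationContext =
                CommonTlsContextUtil.getCertificateValidationContext(commonTlsContext);
        // NOTE(review): the meaning of the boolean flag is defined in CommonTlsContextUtil,
        // which is not visible here - confirm before changing it.
        CommonTlsContextUtil.validateCertificateContext(validationContext, false);

        TlsCertificate tlsCertificate =
                commonTlsContext.getTlsCertificatesCount() > 0
                        ? commonTlsContext.getTlsCertificates(0)
                        : null;
        if (tlsCertificate != null) {
            tlsCertificate = CommonTlsContextUtil.validateTlsCertificate(tlsCertificate, true);
        }

        String privateKeyFile = null;
        String keyPassword = null;
        String certificateChainFile = null;
        // The validator's result is re-checked because it may differ from the instance passed in.
        if (tlsCertificate != null) {
            privateKeyFile = tlsCertificate.getPrivateKey().getFilename();
            if (tlsCertificate.hasPassword()) {
                // The password arrives inline in the configuration, not from a file.
                keyPassword = tlsCertificate.getPassword().getInlineString();
            }
            certificateChainFile = tlsCertificate.getCertificateChain().getFilename();
        }
        return new SecretVolumeClientSslContextProvider(
                privateKeyFile, keyPassword, certificateChainFile, validationContext, upstreamTlsContext);
    }

    /**
     * Registers a callback that is served with an {@link SslContext} built from the configured
     * files.
     *
     * @param callback receiver of the context; must not be {@code null}
     * @throws NullPointerException if {@code callback} is {@code null}
     */
    @Override
    public void addCallback(SslContextProvider.Callback callback) {
        // The decompiled source referenced com.sun.jna.Callback.METHOD_NAME here; that constant
        // is the string "callback" and belongs to an unrelated library, so the literal is used.
        Preconditions.checkNotNull(callback, "callback");
        // How and when the getter is invoked is decided by performCallback in the superclass.
        performCallback(new SslContextProvider.SslContextGetter() {
            @Override
            public SslContext get() throws CertificateException, IOException, CertStoreException {
                return SecretVolumeClientSslContextProvider.this.buildSslContextFromSecrets();
            }
        }, callback);
    }

    /** Does nothing: this provider holds only file names and configuration, no open resources. */
    @Override
    public void close() {
    }

    /**
     * Builds the client {@link SslContext} from the stored validation context and, when present,
     * the key and certificate-chain files.
     *
     * @return the built context
     * @throws IOException declared by the original signature; presumably raised when the key or
     *     certificate files cannot be read - confirm against the builder implementation
     * @throws CertificateException declared by the original signature
     * @throws CertStoreException declared by the original signature
     */
    @VisibleForTesting
    SslContext buildSslContextFromSecrets() throws IOException, CertificateException, CertStoreException {
        SslContextBuilder builder =
                GrpcSslContexts.forClient().trustManager(new SdsTrustManagerFactory(this.certContext));
        // Client key material is optional: without both files the context carries no client
        // certificate, so a server that requires one will reject the handshake.
        if (this.privateKey != null && this.certificateChain != null) {
            builder.keyManager(
                    new File(this.certificateChain), new File(this.privateKey), this.privateKeyPassword);
        }
        return builder.build();
    }
}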
