package com.linkedin.alpini.netty4.ssl;

import com.linkedin.alpini.base.misc.ExceptionUtil;
import com.linkedin.alpini.base.misc.Time;
import com.linkedin.alpini.base.ssl.SslFactory;
import com.linkedin.alpini.netty4.handlers.ChannelInitializer;
import com.linkedin.alpini.netty4.misc.NettyUtils;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.buffer.ByteBufUtil;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.ChannelPromise;
import io.netty.handler.codec.ByteToMessageDecoder;
import io.netty.handler.ssl.NotSslRecordException;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.util.AttributeKey;
import io.netty.util.concurrent.EventExecutorGroup;
import io.netty.util.concurrent.Future;
import io.netty.util.concurrent.FutureListener;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Queue;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.Executor;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.Semaphore;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.LongAdder;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.annotation.Nonnegative;
import javax.annotation.Nonnull;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSessionContext;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

@ChannelHandler.Sharable
/* loaded from: input_file:com/linkedin/alpini/netty4/ssl/SslInitializer.class */
public class SslInitializer extends ChannelInitializer<Channel> {
    private static final String SSL_DETECT_NAME = "ssl-detect";
    private static final String SSL_HANDLER_NAME = "ssl-handler";
    private static final String HANDSHAKE_COMPLETE_NAME = "SslInitializerComplete";
    private static final String POST_HANDSHAKE_HANDLER_NAME = "PostHandshakeHandler";
    private final boolean _sslEnabled;
    private final boolean _requireSSL;
    private final SSLEngineFactory _sslFactory;
    private final ChannelHandler _postHandshakeHandler;
    private boolean _resolveClient;
    private EventExecutorGroup _resolveExecutor;
    private Executor _sslExecutor;
    private int _resolveAttempts;
    private long _resolveBackOffMillis;
    private final Queue<ChannelPromise> _pendingHandshake;
    private final Semaphore _handshakeSemaphore;
    private final HandshakeComplete _handshakeComplete;
    private final HandshakeRelease _handshakeRelease;
    private final LongAdder _handshakesStarted;
    private final LongAdder _handshakesSuccessful;
    private final LongAdder _handshakesFailed;
    private ResolveByAddress _resolveByAddress;
    private ResolveAllByName _resolveAllByName;
    public static final SslHandshakeCompletionEvent NO_SSL_HANDSHAKE = new SslHandshakeCompletionEvent(ExceptionUtil.withoutStackTrace(new SSLHandshakeException("No SSL")));
    private static final AttributeKey<Boolean> RELEASED_ATTRIBUTE_KEY = AttributeKey.valueOf(SslInitializer.class, "released");
    private static final AttributeKey<SSLEngine> SSL_ENGINE_ATTRIBUTE_KEY = AttributeKey.valueOf(SslInitializer.class, "sslEngine");
    private static final AttributeKey<Long> SSL_HANDSHAKE_START_TS = AttributeKey.valueOf(SslInitializer.class, "sslHandshakeStartTs");
    private static final Logger LOG = LogManager.getLogger(SslInitializer.class);

    /* renamed from: com.linkedin.alpini.netty4.ssl.SslInitializer$1SslDetect, reason: invalid class name */
    /* loaded from: input_file:com/linkedin/alpini/netty4/ssl/SslInitializer$1SslDetect.class */
    class C1SslDetect extends ByteToMessageDecoder implements Callable<String>, FutureListener<String> {
        private ChannelHandlerContext _channelHandlerContext;
        private ChannelPromise _resolvePromise;
        private int _remainingAttempts;
        private boolean _startResolve;
        static final /* synthetic */ boolean $assertionsDisabled;

        C1SslDetect() {
            this._remainingAttempts = SslInitializer.this._resolveAttempts;
        }

        private boolean isActive() {
            return !this._channelHandlerContext.isRemoved() && this._channelHandlerContext.channel().isActive();
        }

        private void initializeSslEngine(SocketAddress socketAddress) {
            if (this._channelHandlerContext.channel().hasAttr(SslInitializer.SSL_ENGINE_ATTRIBUTE_KEY)) {
                return;
            }
            this._channelHandlerContext.channel().attr(SslInitializer.SSL_ENGINE_ATTRIBUTE_KEY).set(SslInitializer.this.createSslEngine(this._channelHandlerContext.alloc(), socketAddress));
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.util.concurrent.Callable
        public String call() throws Exception {
            if (!$assertionsDisabled && !SslInitializer.this.inResolveExecutorEventLoop()) {
                throw new AssertionError("Not in resolveExecutor event executor");
            }
            if (!isActive()) {
                return "closed";
            }
            if (!(this._channelHandlerContext.channel().remoteAddress() instanceof InetSocketAddress)) {
                SocketAddress remoteAddress = this._channelHandlerContext.channel().remoteAddress();
                initializeSslEngine(remoteAddress);
                return remoteAddress.toString();
            }
            InetSocketAddress inetSocketAddress = (InetSocketAddress) this._channelHandlerContext.channel().remoteAddress();
            InetAddress byAddress = SslInitializer.this._resolveByAddress.getByAddress(inetSocketAddress.getAddress().getAddress());
            InetAddress[] allByName = SslInitializer.this._resolveAllByName.getAllByName(byAddress.getHostName());
            int length = allByName.length;
            int i = 0;
            while (true) {
                if (i >= length) {
                    break;
                }
                InetAddress inetAddress = allByName[i];
                if (!Arrays.equals(inetAddress.getAddress(), inetSocketAddress.getAddress().getAddress())) {
                    i++;
                } else if (inetAddress.getHostName().equals(inetSocketAddress.getHostName())) {
                    String hostName = inetSocketAddress.getHostName();
                    initializeSslEngine(inetSocketAddress);
                    return hostName;
                }
            }
            throw new UnknownHostException("Remote client failed DNS check: " + byAddress);
        }

        public void handlerAdded(ChannelHandlerContext channelHandlerContext) throws Exception {
            super.handlerAdded(channelHandlerContext);
            this._channelHandlerContext = channelHandlerContext;
            this._resolvePromise = channelHandlerContext.channel().newPromise();
            this._resolvePromise.addListener(this::resolved);
        }

        private void handshakeStarted(ChannelHandlerContext channelHandlerContext) {
            SslInitializer.this._handshakesStarted.increment();
            channelHandlerContext.channel().attr(SslInitializer.SSL_HANDSHAKE_START_TS).set(Long.valueOf(Time.nanoTime()));
        }

        public void channelReadComplete(ChannelHandlerContext channelHandlerContext) throws Exception {
            super.channelReadComplete(channelHandlerContext);
            if (this._startResolve) {
                if (channelHandlerContext.pipeline().get(HandshakeRelease.class) == null) {
                    ChannelPromise addListener = channelHandlerContext.channel().newPromise().addListener(future -> {
                        try {
                            SslInitializer.this._resolveExecutor.submit(this).addListener(this);
                        } catch (RejectedExecutionException e) {
                            SslInitializer.this.executorFailure(this._resolvePromise, e);
                        }
                    });
                    boolean z = true;
                    boolean z2 = false;
                    if (SslInitializer.this._pendingHandshake.offer(addListener)) {
                        channelHandlerContext.pipeline().addAfter(NettyUtils.executorGroup(channelHandlerContext.channel()), channelHandlerContext.name(), SslInitializer.HANDSHAKE_COMPLETE_NAME, SslInitializer.this._handshakeRelease);
                        handshakeStarted(channelHandlerContext);
                        z2 = SslInitializer.this._handshakeSemaphore.tryAcquire();
                        z = z2;
                    }
                    if (z) {
                        if ((!addListener.trySuccess()) & z2) {
                            SslInitializer.this._handshakeSemaphore.release();
                        }
                    }
                }
                this._startResolve = false;
            }
        }

        protected void decode(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, List<Object> list) throws Exception {
            if (byteBuf.readableBytes() < 5) {
                return;
            }
            ChannelPipeline pipeline = channelHandlerContext.pipeline();
            if (!SslHandler.isEncrypted(byteBuf)) {
                if (SslInitializer.this._requireSSL) {
                    channelHandlerContext.close();
                    throw new NotSslRecordException("Non-SSL data from client " + channelHandlerContext.channel().remoteAddress() + " : " + ByteBufUtil.hexDump(byteBuf));
                }
                pipeline.fireUserEventTriggered(SslInitializer.NO_SSL_HANDSHAKE);
                pipeline.remove(this);
                return;
            }
            if (SslInitializer.this._resolveClient) {
                channelHandlerContext.channel().config().setAutoRead(false);
                this._startResolve = true;
            } else {
                handshakeStarted(channelHandlerContext);
                pipeline.addAfter(NettyUtils.executorGroup(channelHandlerContext.channel()), channelHandlerContext.name(), SslInitializer.HANDSHAKE_COMPLETE_NAME, SslInitializer.this._handshakeComplete);
                replaceWithSslHandler(pipeline);
            }
        }

        private void replaceWithSslHandler(ChannelPipeline channelPipeline) {
            SSLEngine createSslEngine = channelPipeline.channel().hasAttr(SslInitializer.SSL_ENGINE_ATTRIBUTE_KEY) ? (SSLEngine) channelPipeline.channel().attr(SslInitializer.SSL_ENGINE_ATTRIBUTE_KEY).get() : SslInitializer.this.createSslEngine(this._channelHandlerContext.alloc(), channelPipeline.channel().remoteAddress());
            FusedSslHandler fusedSslHandler = SslInitializer.this._sslExecutor != null ? new FusedSslHandler(createSslEngine, SslInitializer.this._sslExecutor) : new FusedSslHandler(createSslEngine);
            if (SslInitializer.this._postHandshakeHandler != null) {
                channelPipeline.addAfter(NettyUtils.executorGroup(channelPipeline), SslInitializer.HANDSHAKE_COMPLETE_NAME, SslInitializer.POST_HANDSHAKE_HANDLER_NAME, SslInitializer.this._postHandshakeHandler);
            }
            channelPipeline.replace(this, SslInitializer.SSL_HANDLER_NAME, fusedSslHandler);
        }

        public void operationComplete(Future<String> future) {
            if (!$assertionsDisabled && !SslInitializer.this.inResolveExecutorEventLoop()) {
                throw new AssertionError("Not in resolveExecutor event executor");
            }
            if (future.isSuccess()) {
                SslInitializer.LOG.debug("Resolve successful: {}", future.getNow());
                this._resolvePromise.setSuccess();
                return;
            }
            int i = this._remainingAttempts;
            this._remainingAttempts = i - 1;
            if (i <= 0 || !isActive()) {
                this._resolvePromise.setFailure(future.cause());
                return;
            }
            SslInitializer.LOG.info("Check failure, remaining attempts {}", Integer.valueOf(this._remainingAttempts + 1), future.cause());
            try {
                SslInitializer.this._resolveExecutor.schedule(this, SslInitializer.this._resolveBackOffMillis + ThreadLocalRandom.current().nextInt(1000), TimeUnit.MILLISECONDS).addListener(this);
            } catch (RejectedExecutionException e) {
                SslInitializer.this.executorFailure(this._resolvePromise, e);
            }
        }

        private void resolved(Future<? super Void> future) {
            if (!$assertionsDisabled && !this._channelHandlerContext.channel().eventLoop().inEventLoop()) {
                throw new AssertionError();
            }
            if (!future.isSuccess()) {
                SslInitializer.LOG.warn("Resolve failure of client {}", this._channelHandlerContext.channel().remoteAddress(), future.cause());
            }
            if (isActive()) {
                replaceWithSslHandler(this._channelHandlerContext.pipeline());
                this._channelHandlerContext.channel().config().setAutoRead(true);
            }
        }

        static {
            $assertionsDisabled = !SslInitializer.class.desiredAssertionStatus();
        }
    }

    @ChannelHandler.Sharable
    /* loaded from: input_file:com/linkedin/alpini/netty4/ssl/SslInitializer$HandshakeComplete.class */
    private class HandshakeComplete extends ChannelInboundHandlerAdapter {
        private HandshakeComplete() {
        }

        /* JADX WARN: Code restructure failed: missing block: B:18:0x009d, code lost:
        
            r16 = r0.getName();
         */
        /*
            Code decompiled incorrectly, please refer to instructions dump.
            To view partially-correct add '--show-bad-code' argument
        */
        public void userEventTriggered(io.netty.channel.ChannelHandlerContext r11, java.lang.Object r12) throws java.lang.Exception {
            /*
                Method dump skipped, instructions count: 289
                To view this dump add '--comments-level debug' option
            */
            throw new UnsupportedOperationException("Method not decompiled: com.linkedin.alpini.netty4.ssl.SslInitializer.HandshakeComplete.userEventTriggered(io.netty.channel.ChannelHandlerContext, java.lang.Object):void");
        }
    }

    @ChannelHandler.Sharable
    /* loaded from: input_file:com/linkedin/alpini/netty4/ssl/SslInitializer$HandshakeRelease.class */
    final class HandshakeRelease extends HandshakeComplete {
        HandshakeRelease() {
            super();
        }

        private void next(ChannelHandlerContext channelHandlerContext) {
            ChannelPromise channelPromise;
            if (channelHandlerContext.channel().hasAttr(SslInitializer.RELEASED_ATTRIBUTE_KEY)) {
                return;
            }
            channelHandlerContext.channel().attr(SslInitializer.RELEASED_ATTRIBUTE_KEY).set(true);
            do {
                channelPromise = (ChannelPromise) SslInitializer.this._pendingHandshake.poll();
                if (channelPromise == null) {
                    SslInitializer.this._handshakeSemaphore.release();
                    return;
                }
            } while (!channelPromise.trySuccess());
        }

        public void channelInactive(ChannelHandlerContext channelHandlerContext) throws Exception {
            if (!channelHandlerContext.isRemoved()) {
                next(channelHandlerContext);
            }
            super.channelInactive(channelHandlerContext);
        }

        @Override // com.linkedin.alpini.netty4.ssl.SslInitializer.HandshakeComplete
        public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
            try {
                super.userEventTriggered(channelHandlerContext, obj);
            } finally {
                if (obj instanceof SslHandshakeCompletionEvent) {
                    next(channelHandlerContext);
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/linkedin/alpini/netty4/ssl/SslInitializer$ResolveAllByName.class */
    public interface ResolveAllByName {
        InetAddress[] getAllByName(String str) throws UnknownHostException;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/linkedin/alpini/netty4/ssl/SslInitializer$ResolveByAddress.class */
    public interface ResolveByAddress {
        InetAddress getByAddress(byte[] bArr) throws UnknownHostException;
    }

    public static boolean isNoSslHandshake(Throwable th) {
        return NO_SSL_HANDSHAKE.cause() == th;
    }

    public SslInitializer(SslFactory sslFactory, boolean z) {
        this(sslFactory, z, (ChannelHandler) null);
    }

    public SslInitializer(SslFactory sslFactory, ChannelHandler channelHandler) {
        this(sslFactory, true, channelHandler);
    }

    public SslInitializer(SslFactory sslFactory, boolean z, ChannelHandler channelHandler) {
        this(SSLEngineFactory.adaptSSLFactory(sslFactory), z, channelHandler);
    }

    public SslInitializer(SSLEngineFactory sSLEngineFactory, ChannelHandler channelHandler) {
        this(sSLEngineFactory, true, channelHandler);
    }

    public SslInitializer(SSLEngineFactory sSLEngineFactory, boolean z, ChannelHandler channelHandler) {
        this._pendingHandshake = new ConcurrentLinkedQueue();
        this._handshakeSemaphore = new Semaphore(0);
        this._handshakeComplete = new HandshakeComplete();
        this._handshakeRelease = new HandshakeRelease();
        this._handshakesStarted = new LongAdder();
        this._handshakesSuccessful = new LongAdder();
        this._handshakesFailed = new LongAdder();
        this._resolveByAddress = InetAddress::getByAddress;
        this._resolveAllByName = InetAddress::getAllByName;
        this._sslEnabled = sSLEngineFactory != null && sSLEngineFactory.isSslEnabled();
        this._requireSSL = z;
        if (!this._sslEnabled) {
            this._sslFactory = null;
            this._postHandshakeHandler = null;
        } else {
            this._sslFactory = sSLEngineFactory;
            SSLSessionContext sessionContext = this._sslFactory.sessionContext(true);
            LOG.info("factory={} sessionTimeout={} sessionCacheSize={}", this._sslFactory, Integer.valueOf(sessionContext.getSessionTimeout()), Integer.valueOf(sessionContext.getSessionCacheSize()));
            this._postHandshakeHandler = channelHandler;
        }
    }

    public int getAvailablePermits() {
        return this._handshakeSemaphore.availablePermits();
    }

    public int getPendingHandshakes() {
        return this._pendingHandshake.size();
    }

    public long getHandshakesStarted() {
        return this._handshakesStarted.longValue();
    }

    public long getHandshakesSuccessful() {
        return this._handshakesSuccessful.longValue();
    }

    public long getHandshakesFailed() {
        return this._handshakesFailed.longValue();
    }

    public SslInitializer enableResolveBeforeSSL(@Nonnull EventExecutorGroup eventExecutorGroup, @Nonnegative int i, @Nonnegative long j) {
        return enableResolveBeforeSSL(eventExecutorGroup, i, j, Math.toIntExact(StreamSupport.stream(eventExecutorGroup.spliterator(), false).count()));
    }

    public SslInitializer enableResolveBeforeSSL(@Nonnull EventExecutorGroup eventExecutorGroup, @Nonnegative int i, @Nonnegative long j, @Nonnegative int i2) {
        this._resolveExecutor = (EventExecutorGroup) Objects.requireNonNull(eventExecutorGroup);
        this._resolveAttempts = i;
        this._resolveBackOffMillis = j;
        this._handshakeSemaphore.release(i2);
        this._resolveClient = true;
        return this;
    }

    public SslInitializer enableSslTaskExecutor(Executor executor) {
        this._sslExecutor = (Executor) Objects.requireNonNull(executor);
        return this;
    }

    protected SSLEngine createSslEngine(ByteBufAllocator byteBufAllocator, SocketAddress socketAddress) {
        SSLEngine createSSLEngine;
        if (socketAddress instanceof InetSocketAddress) {
            InetSocketAddress inetSocketAddress = (InetSocketAddress) socketAddress;
            createSSLEngine = this._sslFactory.createSSLEngine(byteBufAllocator, inetSocketAddress.getHostString(), inetSocketAddress.getPort(), true);
        } else {
            createSSLEngine = this._sslFactory.createSSLEngine(byteBufAllocator, true);
        }
        createSSLEngine.setUseClientMode(false);
        SSLParameters sSLParameters = this._sslFactory.getSSLParameters();
        if (sSLParameters != null) {
            HashSet hashSet = new HashSet(Arrays.asList(createSSLEngine.getSupportedCipherSuites()));
            Stream of = Stream.of((Object[]) sSLParameters.getCipherSuites());
            Objects.requireNonNull(hashSet);
            createSSLEngine.setEnabledCipherSuites((String[]) of.filter((v1) -> {
                return r2.contains(v1);
            }).toArray(i -> {
                return new String[i];
            }));
            if (sSLParameters.getNeedClientAuth()) {
                createSSLEngine.setNeedClientAuth(true);
            } else if (sSLParameters.getWantClientAuth()) {
                createSSLEngine.setWantClientAuth(true);
            } else {
                createSSLEngine.setWantClientAuth(false);
            }
        }
        return createSSLEngine;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean inResolveExecutorEventLoop() {
        return StreamSupport.stream(this._resolveExecutor.spliterator(), false).anyMatch((v0) -> {
            return v0.inEventLoop();
        });
    }

    protected void executorFailure(ChannelPromise channelPromise, RejectedExecutionException rejectedExecutionException) {
        channelPromise.setFailure(rejectedExecutionException);
    }

    @Override // com.linkedin.alpini.netty4.handlers.ChannelInitializer
    protected void initChannel(Channel channel) throws Exception {
        if (this._sslEnabled) {
            channel.pipeline().replace(this, SSL_DETECT_NAME, new C1SslDetect());
        }
    }

    void setResolveByAddress(ResolveByAddress resolveByAddress) {
        this._resolveByAddress = resolveByAddress;
    }

    void setResolveAllByName(ResolveAllByName resolveAllByName) {
        this._resolveAllByName = resolveAllByName;
    }
}
