package org.apache.cassandra.config;

import java.net.InetAddress;
import javax.net.ssl.SSLSocketFactory;
import org.apache.cassandra.auth.Resources;
import org.apache.cassandra.locator.IEndpointSnitch;
import org.apache.cassandra.utils.FBUtilities;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/config/EncryptionOptions.class */
/**
 * TLS settings common to the client-facing and internode transports.
 *
 * <p>All settings are public mutable fields. NOTE(review): presumably they are
 * populated from the node's configuration file, so the field names are part of
 * the external interface; confirm against the loader.
 *
 * <p>The defaults are permissive: peer certificates are not required
 * ({@link #require_client_auth} is {@code false}) and endpoint verification is
 * off ({@link #require_endpoint_verification} is {@code false}). Both store
 * passwords default to a constant shared with the auth package, not to a
 * per-deployment secret.
 */
public abstract class EncryptionOptions {
    private static final Logger logger = LoggerFactory.getLogger(EncryptionOptions.class);

    // Key material: a path relative to the working directory and its password.
    // The password default is the constant Resources.ROOT, whose value is not
    // visible in this file. NOTE(review): a default shared by every install
    // protects nothing; expect deployments to override it.
    public String keystore = "conf/.keystore";
    public String keystore_password = Resources.ROOT;

    // Trust anchors, with the same default-password caveat as the keystore.
    public String truststore = "conf/.truststore";
    public String truststore_password = Resources.ROOT;

    // Defaults to the default cipher suites of the JVM's default
    // SSLSocketFactory, captured when this object is constructed.
    public String[] cipher_suites = ((SSLSocketFactory) SSLSocketFactory.getDefault()).getDefaultCipherSuites();

    // Generic protocol name. NOTE(review): with "TLS" the protocol versions
    // actually offered are presumably left to the JVM/provider; confirm where
    // this value is consumed.
    public String protocol = "TLS";
    public String algorithm = "SunX509";
    public String store_type = "JKS";

    // Mutual TLS is off by default.
    public boolean require_client_auth = false;

    // Endpoint verification is off by default. The flag is not read in this file.
    public boolean require_endpoint_verification = false;

    /** Options for the client-facing transport. Encryption is disabled by default. */
    public static class ClientEncryptionOptions extends EncryptionOptions {
        public boolean enabled = false;

        // Not read in this file. NOTE(review): presumably lets encrypted and
        // plaintext clients share the port; confirm before relying on it.
        public boolean optional = false;
    }

    /** Options for node-to-node traffic. The default scope is {@code none}. */
    public static class ServerEncryptionOptions extends EncryptionOptions {
        public InternodeEncryption internode_encryption = InternodeEncryption.none;

        /**
         * Which peers get an encrypted connection, as applied by
         * {@link ServerEncryptionOptions#shouldEncrypt(InetAddress)}.
         */
        public enum InternodeEncryption {
            /** Every peer. */
            all,
            /** No peer. */
            none,
            /** Only peers whose datacenter differs from this node's. */
            dc,
            /** Peers whose rack or datacenter differs from this node's. */
            rack
        }

        /**
         * Decides whether the connection to a peer is encrypted under the
         * configured {@link #internode_encryption} scope.
         *
         * <p>For {@code dc} and {@code rack} the answer depends on what the
         * endpoint snitch reports for the peer address and for this node's
         * broadcast address. Traffic that the snitch places in the same
         * datacenter (or the same rack and datacenter) is left unencrypted.
         *
         * @param inetAddress address of the peer
         * @return {@code false} for {@code none}; {@code true} for {@code all}
         *         and for any unlisted value; otherwise {@code true} only when
         *         the peer is outside the local datacenter ({@code dc}) or
         *         outside the local rack or datacenter ({@code rack})
         */
        public boolean shouldEncrypt(InetAddress inetAddress) {
            // Both lookups happen before the scope is inspected, whatever its value.
            final IEndpointSnitch snitch = DatabaseDescriptor.getEndpointSnitch();
            final InetAddress self = FBUtilities.getBroadcastAddress();
            switch (this.internode_encryption) {
                case none:
                    return false;
                case dc: {
                    final boolean sameDatacenter =
                            snitch.getDatacenter(inetAddress).equals(snitch.getDatacenter(self));
                    return !sameDatacenter;
                }
                case rack: {
                    // A rack mismatch settles it; the datacenter is consulted
                    // only when the racks match.
                    if (!snitch.getRack(inetAddress).equals(snitch.getRack(self))) {
                        return true;
                    }
                    return !snitch.getDatacenter(inetAddress).equals(snitch.getDatacenter(self));
                }
                case all:
                default:
                    return true;
            }
        }

        /**
         * Warns when mutual TLS is combined with a partial encryption scope.
         *
         * <p>With {@code require_client_auth} set and the scope at {@code rack}
         * or {@code dc}, same-rack/dc connections skip TLS and therefore skip
         * certificate authentication. The logged message notes that a peer can
         * claim to be local by spoofing its broadcast address in the handshake.
         * This method only logs: it neither throws nor changes any setting, so
         * the node continues with the configuration as given. Operators should
         * treat this warning as a finding and set the scope to {@code all}.
         */
        public void validate() {
            final boolean partialScope = this.internode_encryption == InternodeEncryption.rack
                    || this.internode_encryption == InternodeEncryption.dc;
            if (this.require_client_auth && partialScope) {
                EncryptionOptions.logger.warn("Setting require_client_auth is incompatible with 'rack' and 'dc' internode_encryption values. It is possible for an internode connection to pretend to be in the same rack/dc by spoofing its broadcast address in the handshake and bypass authentication. To ensure that mutual TLS authentication is not bypassed, please set internode_encryption to 'all'. Continuing with insecure configuration.");
            }
        }
    }
}
