package io.confluent.kafka.multitenant;

import com.fasterxml.jackson.databind.ObjectMapper;
import io.confluent.kafka.multitenant.utils.Utils;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.nio.file.attribute.FileAttribute;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.kafka.clients.admin.AdminClient;
import org.apache.kafka.clients.admin.AlterConfigOp;
import org.apache.kafka.clients.admin.AlterConfigsOptions;
import org.apache.kafka.clients.admin.AlterConfigsResult;
import org.apache.kafka.clients.admin.ConfigEntry;
import org.apache.kafka.common.config.ConfigResource;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.log4j.Priority;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/multitenant/SslCertificateManager.class */
public class SslCertificateManager {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SslCertificateManager.class);
    private static final Long CLOSE_TIMEOUT_MS = Long.valueOf(TimeUnit.SECONDS.toMillis(30));
    private static final AlterConfigsOptions ALTER_OPTIONS = new AlterConfigsOptions().timeoutMs(Integer.valueOf(Priority.WARN_INT));
    private final String brokerId;
    private final String sslCertsDir;
    private final String sslSpecFilename;
    private final SslCertsDirListener dirListener;
    private final Thread dirListenerThread;
    private AdminClient adminClient;
    private AtomicBoolean adminClientCreated;
    private byte[] currentFullchainBytes;
    private byte[] currentPrivkeyBytes;

    /* loaded from: input_file:io/confluent/kafka/multitenant/SslCertificateManager$SslCertsDirListener.class */
    class SslCertsDirListener implements Runnable {
        private WatchService watchService = null;
        private Path sslCertsPath;
        private static final String DATA_DIR_NAME = "..data";

        SslCertsDirListener(String str) {
            this.sslCertsPath = null;
            this.sslCertsPath = Paths.get(str, new String[0]);
        }

        void register() throws IOException {
            if (this.watchService != null) {
                SslCertificateManager.LOG.warn("Trying to reregister an existing SslCertsDirListener");
                return;
            }
            this.watchService = FileSystems.getDefault().newWatchService();
            if (!Files.exists(this.sslCertsPath, new LinkOption[0])) {
                SslCertificateManager.LOG.info("{} doesn't exists yet, creating", this.sslCertsPath);
                Files.createDirectories(this.sslCertsPath, new FileAttribute[0]);
            }
            this.sslCertsPath.register(this.watchService, StandardWatchEventKinds.ENTRY_CREATE, StandardWatchEventKinds.ENTRY_MODIFY, StandardWatchEventKinds.OVERFLOW);
            SslCertificateManager.LOG.info("Registered to watch {} for ssl certs updates", this.sslCertsPath);
        }

        public void close() {
            if (this.watchService == null) {
                SslCertificateManager.LOG.warn("Trying to close a null watchService");
                return;
            }
            try {
                this.watchService.close();
                this.watchService = null;
                SslCertificateManager.LOG.info("Closed watcher for ssl certs at {}", this.sslCertsPath);
            } catch (IOException e) {
                SslCertificateManager.LOG.error("Failed to shutdown watcher for ssl certs at {}", this.sslCertsPath, e);
            }
        }

        @Override // java.lang.Runnable
        public void run() {
            try {
                doRun();
            } catch (InterruptedException e) {
                SslCertificateManager.LOG.warn("Watching {} for ssl certs was interrupted.", this.sslCertsPath);
            } catch (Exception e2) {
                SslCertificateManager.LOG.warn("Stopping watching for ssl certs. ", (Throwable) e2);
            } finally {
                close();
            }
        }

        private void doRun() throws InterruptedException {
            WatchKey take;
            do {
                take = this.watchService.take();
                for (WatchEvent<?> watchEvent : take.pollEvents()) {
                    SslCertificateManager.LOG.debug("Got event: {} {}", watchEvent.kind(), watchEvent.context());
                    if (this.sslCertsPath.resolve((Path) watchEvent.context()).getFileName().toString().equals(DATA_DIR_NAME)) {
                        SslCertificateManager.this.loadSslCertFiles();
                    }
                }
            } while (take.reset());
            SslCertificateManager.LOG.warn("Ssl certs dir no longer watched");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SslCertificateManager(Map<String, ?> map) {
        this(map.get("broker.id"), map.get(ConfluentConfigs.MULTITENANT_METADATA_SSL_CERTS_SPEC_CONFIG), null);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SslCertificateManager(Object obj, Object obj2, AdminClient adminClient) {
        this.adminClientCreated = new AtomicBoolean(false);
        this.currentFullchainBytes = null;
        this.currentPrivkeyBytes = null;
        this.brokerId = getBrokerId(obj);
        this.sslCertsDir = getSslCertsDirConfig(obj2);
        this.sslSpecFilename = getSslSpecFilename(obj2);
        this.adminClient = adminClient;
        if (this.adminClient != null) {
            this.adminClientCreated.compareAndSet(false, true);
        }
        if (this.sslCertsDir != null) {
            this.dirListener = new SslCertsDirListener(this.sslCertsDir);
            this.dirListenerThread = new Thread(this.dirListener, "confluent-ssl-certs-change-listener");
        } else {
            this.dirListener = null;
            this.dirListenerThread = null;
        }
    }

    public void createAdminClient(String str) {
        if (this.brokerId != null && this.sslCertsDir != null) {
            this.adminClient = Utils.createAdminClient(str);
        }
        if (this.adminClient != null) {
            this.adminClientCreated.compareAndSet(false, true);
        }
    }

    public void close() {
        if (this.dirListener != null) {
            this.dirListener.close();
        }
        if (this.adminClient != null) {
            this.adminClient.close(Duration.ofMillis(CLOSE_TIMEOUT_MS.longValue()));
        }
    }

    private String getBrokerId(Object obj) {
        if (obj == null) {
            return null;
        }
        return obj.toString();
    }

    private String getSslCertsDirConfig(Object obj) {
        String str = null;
        if (obj != null) {
            try {
                str = obj.toString().substring(0, obj.toString().lastIndexOf("/"));
            } catch (IndexOutOfBoundsException e) {
                LOG.warn("Ssl cert spec config not in the correct format {}", obj, e);
            }
        }
        return str;
    }

    private String getSslSpecFilename(Object obj) {
        String str = null;
        if (obj != null) {
            try {
                str = obj.toString().substring(obj.toString().lastIndexOf("/") + 1);
            } catch (IndexOutOfBoundsException e) {
                LOG.warn("Ssl cert spec config not in the correct format {}", obj, e);
            }
        }
        return str;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void startWatching() throws IOException {
        if (this.dirListener != null) {
            this.dirListener.register();
            this.dirListenerThread.start();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void shutdown() {
        try {
            if (this.dirListener != null) {
                this.dirListenerThread.interrupt();
                this.dirListenerThread.join(CLOSE_TIMEOUT_MS.longValue());
            }
        } catch (InterruptedException e) {
            LOG.error("Shutting down ssl certs reader thread was interrupted", (Throwable) e);
        }
    }

    AdminClient getAdminClient() {
        return this.adminClient;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void loadSslCertFiles() {
        if (!this.adminClientCreated.get()) {
            LOG.info("Admin client instance not created, would not proceed to certificate update");
            return;
        }
        Path sslCertsFilePath = getSslCertsFilePath(this.sslSpecFilename);
        if (Files.exists(sslCertsFilePath, new LinkOption[0])) {
            getSslCertificateSpecifications();
        } else {
            LOG.warn("No spec file found at path: {}", sslCertsFilePath);
        }
    }

    private void getSslCertificateSpecifications() {
        try {
            getSslConfigs((SslCertificateSpecification) new ObjectMapper().readValue(getSslCertsFilePath(this.sslSpecFilename).toFile(), SslCertificateSpecification.class));
        } catch (Exception e) {
            LOG.error("Error occurred while retrieving certificate specifications", (Throwable) e);
        }
    }

    private void getSslConfigs(SslCertificateSpecification sslCertificateSpecification) throws Exception {
        Path sslCertsFilePath = getSslCertsFilePath(sslCertificateSpecification.sslPemFullchainFilename());
        if (!Files.exists(sslCertsFilePath, new LinkOption[0])) {
            LOG.warn("No fullchain file found at path: {} ", sslCertsFilePath);
            return;
        }
        Path sslCertsFilePath2 = getSslCertsFilePath(sslCertificateSpecification.sslPemPrivkeyFilename());
        if (!Files.exists(sslCertsFilePath2, new LinkOption[0])) {
            LOG.warn("No privkey file found at path: {} ", sslCertsFilePath2);
            return;
        }
        Path sslCertsFilePath3 = getSslCertsFilePath(sslCertificateSpecification.pkcsCertFilename());
        if (!Files.exists(sslCertsFilePath3, new LinkOption[0])) {
            LOG.warn("No pkcs file found at path: {} ", sslCertsFilePath3);
            return;
        }
        byte[] pemToBytes = pemToBytes(sslCertsFilePath);
        byte[] pemToBytes2 = pemToBytes(sslCertsFilePath2);
        if (comparePEMCertificates(pemToBytes, pemToBytes2)) {
            return;
        }
        ConfigEntry configEntry = new ConfigEntry("listener.name.external.ssl.keystore.location", sslCertsFilePath3.toString());
        ConfigEntry configEntry2 = new ConfigEntry("listener.name.external.ssl.keystore.type", sslCertificateSpecification.sslKeystoreType());
        ArrayList arrayList = new ArrayList();
        arrayList.add(new AlterConfigOp(configEntry, AlterConfigOp.OpType.SET));
        arrayList.add(new AlterConfigOp(configEntry2, AlterConfigOp.OpType.SET));
        ConfigResource configResource = new ConfigResource(ConfigResource.Type.BROKER, this.brokerId);
        Map<ConfigResource, Collection<AlterConfigOp>> hashMap = new HashMap<>();
        hashMap.put(configResource, arrayList);
        invokeAdminClient(hashMap, pemToBytes, pemToBytes2);
    }

    private synchronized void invokeAdminClient(Map<ConfigResource, Collection<AlterConfigOp>> map, byte[] bArr, byte[] bArr2) throws Exception {
        AlterConfigsResult incrementalAlterConfigs = this.adminClient.incrementalAlterConfigs(map, ALTER_OPTIONS);
        incrementalAlterConfigs.all().get();
        this.currentFullchainBytes = (byte[]) bArr.clone();
        this.currentPrivkeyBytes = (byte[]) bArr2.clone();
        LOG.info("Updated SSL certificate files for broker {} with {}", this.brokerId, incrementalAlterConfigs);
    }

    private boolean comparePEMCertificates(byte[] bArr, byte[] bArr2) {
        return Arrays.equals(this.currentFullchainBytes, bArr) && Arrays.equals(this.currentPrivkeyBytes, bArr2);
    }

    private byte[] pemToBytes(Path path) throws Exception {
        String path2 = path.toString();
        File file = new File(path2);
        FileInputStream fileInputStream = new FileInputStream(path2);
        byte[] bArr = new byte[(int) file.length()];
        fileInputStream.read(bArr);
        return bArr;
    }

    private Path getSslCertsFilePath(String str) {
        return Paths.get(this.sslCertsDir, str);
    }
}
