package io.confluent.kafka.security.fips;

import io.confluent.kafka.security.fips.exceptions.InvalidFipsBrokerProtocolException;
import io.confluent.kafka.security.fips.exceptions.InvalidFipsRestProtocolException;
import io.confluent.kafka.security.fips.exceptions.InvalidFipsTlsCipherSuiteException;
import io.confluent.kafka.security.fips.exceptions.InvalidFipsTlsVersionException;
import io.netty.handler.ssl.Ciphers;
import io.netty.handler.ssl.SslProtocols;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.fips.FipsValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/security/fips/ConfluentFipsValidator.class */
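/**
 * {@link FipsValidator} that enforces a FIPS 140-2 allowlist policy on the TLS cipher suites,
 * TLS protocol versions, broker listener security protocols and REST protocol found in a
 * configuration.
 *
 * <p>Every check is allowlist-based: a value is rejected unless it appears in the matching
 * {@code ALLOWED_*} set, so unknown or misspelled values fail closed rather than open. A failed
 * check logs the offending values at ERROR level and throws the corresponding
 * {@code InvalidFips*Exception} carrying the same message text.
 *
 * <p>The cipher-suite and TLS-version checks are skipped when the configured list is absent or
 * empty (see {@link #validateFipsTlsCipherSuite(Collection)}); whatever defaults the SSL provider
 * then selects are not validated here.
 *
 * <p>Instances hold no mutable state and may be shared between threads.
 */
public class ConfluentFipsValidator implements FipsValidator {
    private static final Logger log = LoggerFactory.getLogger(ConfluentFipsValidator.class);

    /**
     * Cipher suites accepted by the policy. The sets below are unmodifiable so the policy cannot
     * be widened at runtime through a reference to the set.
     *
     * <p>NOTE(review): the list admits {@code TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA} and a number of
     * CBC-mode suites; confirm that this still matches the FIPS guidance the deployment is
     * certified against.
     */
    private static final Set<String> ALLOWED_CIPHER_SUITES = Collections.unmodifiableSet(Stream.of(
            "TLS_AES_128_CCM_8_SHA256",
            "TLS_AES_128_CCM_SHA256",
            Ciphers.TLS_AES_128_GCM_SHA256,
            Ciphers.TLS_AES_256_GCM_SHA384,
            Ciphers.TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
            Ciphers.TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
            Ciphers.TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
            Ciphers.TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
            Ciphers.TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
            Ciphers.TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
            "TLS_DHE_RSA_WITH_AES_128_CCM",
            "TLS_DHE_RSA_WITH_AES_128_CCM_8",
            Ciphers.TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
            Ciphers.TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
            "TLS_DHE_RSA_WITH_AES_256_CCM",
            "TLS_DHE_RSA_WITH_AES_256_CCM_8",
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
            "TLS_ECDHE_ECDSA_WITH_AES_128_CCM",
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
            "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",
            Ciphers.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
            "TLS_ECDHE_ECDSA_WITH_AES_256_CCM",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",
            "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
            Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
            Ciphers.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
            Ciphers.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
            Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA,
            Ciphers.TLS_RSA_WITH_AES_128_CBC_SHA256,
            "TLS_RSA_WITH_AES_128_CCM",
            Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA,
            Ciphers.TLS_RSA_WITH_AES_256_CBC_SHA256,
            "TLS_RSA_WITH_AES_256_CCM",
            "TLS_RSA_WITH_AES_256_CCM_8",
            "TLS_RSA_WITH_AES_128_CCM_8")
            .collect(Collectors.toCollection(HashSet::new)));

    /** TLS protocol versions accepted by the policy (TLS 1.2 and TLS 1.3 only). */
    private static final Set<String> ALLOWED_TLS_PROTOCOLS = Collections.unmodifiableSet(
            Stream.of(SslProtocols.TLS_v1_2, SslProtocols.TLS_v1_3)
                    .collect(Collectors.toCollection(HashSet::new)));

    /** Broker listener security protocols accepted by the policy; both require TLS transport. */
    private static final Set<String> ALLOWED_BROKER_PROTOCOLS = Collections.unmodifiableSet(
            Stream.of("SASL_SSL", "SSL")
                    .collect(Collectors.toCollection(HashSet::new)));

    /** REST protocol schemes accepted by the policy. The comparison is case-sensitive. */
    private static final Set<String> ALLOWED_REST_PROTOCOLS = Collections.unmodifiableSet(
            Stream.of("https")
                    .collect(Collectors.toCollection(HashSet::new)));

    // Message prefixes; the rejected values are appended as a comma-separated list.
    private static final String ERROR_CIPHER_SUITES = "FIPS 140-2 Configuration Error, invalid cipher suites: ";
    private static final String ERROR_TLS_VERSIONS = "FIPS 140-2 Configuration Error, invalid TLS versions: ";
    private static final String ERROR_BROKER_PROTOCOLS = "FIPS 140-2 Configuration Error, invalid broker protocols: ";
    private static final String ERROR_REST_PROTOCOL = "FIPS 140-2 Configuration Error, invalid rest protocol: ";

    /**
     * Reports that FIPS mode is active.
     *
     * @return always {@code true} for this implementation
     */
    @Override
    public boolean fipsEnabled() {
        return true;
    }

    /**
     * Validates both the configured cipher suites and the configured TLS protocol versions.
     * Cipher suites are checked first, so a configuration that violates both rules surfaces the
     * cipher-suite error.
     *
     * @param configs parsed configuration, read under {@link SslConfigs#SSL_CIPHER_SUITES_CONFIG}
     *                and {@link SslConfigs#SSL_ENABLED_PROTOCOLS_CONFIG}
     * @throws InvalidFipsTlsCipherSuiteException if a configured cipher suite is not allowed
     * @throws InvalidFipsTlsVersionException if a configured TLS version is not allowed
     */
    @Override
    public void validateFipsTls(Map<String, ?> configs) {
        validateFipsTlsCipherSuite(configs);
        validateFipsTlsVersion(configs);
    }

    /**
     * Validates that every listener uses a TLS-based security protocol.
     *
     * @param listenerProtocols map of listener name to its {@link SecurityProtocol}
     * @throws InvalidFipsBrokerProtocolException if any listener uses a protocol outside the
     *         allowlist; the message lists each offender as {@code listener:PROTOCOL}
     */
    @Override
    public void validateFipsBrokerProtocol(Map<String, SecurityProtocol> listenerProtocols) {
        List<String> rejected = listenerProtocols.entrySet().stream()
                .filter(entry -> !ALLOWED_BROKER_PROTOCOLS.contains(entry.getValue().name))
                .map(entry -> entry.getKey() + ":" + entry.getValue().name)
                .collect(Collectors.toList());
        if (!rejected.isEmpty()) {
            throw new InvalidFipsBrokerProtocolException(reportFailure(ERROR_BROKER_PROTOCOLS, rejected));
        }
    }

    /**
     * Validates the REST protocol scheme.
     *
     * @param protocol the configured scheme; only an exact {@code "https"} is accepted, so
     *                 {@code null} and differently-cased values are rejected
     * @throws InvalidFipsRestProtocolException if the scheme is not allowed
     */
    @Override
    public void validateRestProtocol(String protocol) {
        if (!ALLOWED_REST_PROTOCOLS.contains(protocol)) {
            throw new InvalidFipsRestProtocolException(
                    reportFailure(ERROR_REST_PROTOCOL, Collections.singletonList(String.valueOf(protocol))));
        }
    }

    /**
     * Validates the cipher suites configured under {@link SslConfigs#SSL_CIPHER_SUITES_CONFIG}.
     *
     * @param configs parsed configuration; the value is expected to already be a collection of
     *                suite names, as produced by Kafka's list-typed config parsing
     * @throws InvalidFipsTlsCipherSuiteException if a configured cipher suite is not allowed
     * @throws ClassCastException if the configured value is not a {@link Collection}
     */
    public void validateFipsTlsCipherSuite(Map<String, ?> configs) {
        validateFipsTlsCipherSuite(configuredValues(configs, SslConfigs.SSL_CIPHER_SUITES_CONFIG));
    }

    /**
     * Validates the TLS versions configured under {@link SslConfigs#SSL_ENABLED_PROTOCOLS_CONFIG}.
     *
     * @param configs parsed configuration; the value is expected to already be a collection of
     *                protocol names, as produced by Kafka's list-typed config parsing
     * @throws InvalidFipsTlsVersionException if a configured TLS version is not allowed
     * @throws ClassCastException if the configured value is not a {@link Collection}
     */
    public void validateFipsTlsVersion(Map<String, ?> configs) {
        validateFipsTlsVersion(configuredValues(configs, SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG));
    }

    /**
     * Validates a list of cipher suite names against the allowlist.
     *
     * <p>A {@code null} or empty collection passes without any check: nothing was explicitly
     * configured, so there is nothing to reject. The suites the provider then negotiates by
     * default are outside the scope of this validator.
     *
     * @param cipherSuites configured cipher suite names, or {@code null}
     * @throws InvalidFipsTlsCipherSuiteException if any name is not allowed; the message lists
     *         every rejected name
     */
    public void validateFipsTlsCipherSuite(Collection<String> cipherSuites) {
        List<String> rejected = rejectedValues(cipherSuites, ALLOWED_CIPHER_SUITES);
        if (!rejected.isEmpty()) {
            throw new InvalidFipsTlsCipherSuiteException(reportFailure(ERROR_CIPHER_SUITES, rejected));
        }
    }

    /**
     * Validates a list of TLS protocol version names against the allowlist.
     *
     * <p>As with {@link #validateFipsTlsCipherSuite(Collection)}, a {@code null} or empty
     * collection passes without any check.
     *
     * @param tlsVersions configured TLS protocol names, or {@code null}
     * @throws InvalidFipsTlsVersionException if any name is not allowed; the message lists every
     *         rejected name
     */
    public void validateFipsTlsVersion(Collection<String> tlsVersions) {
        List<String> rejected = rejectedValues(tlsVersions, ALLOWED_TLS_PROTOCOLS);
        if (!rejected.isEmpty()) {
            throw new InvalidFipsTlsVersionException(reportFailure(ERROR_TLS_VERSIONS, rejected));
        }
    }

    /**
     * Reads a list-typed config value. The cast is unchecked because the map's value type is
     * unknown; a non-collection value fails with {@link ClassCastException}, which is the
     * fail-closed behaviour callers relied on before.
     */
    @SuppressWarnings("unchecked")
    private static Collection<String> configuredValues(Map<String, ?> configs, String key) {
        return (Collection<String>) configs.get(key);
    }

    /**
     * Returns the candidates that are not in {@code allowed}, preserving the candidates' iteration
     * order. An absent or empty candidate collection yields an empty result (no check performed).
     */
    private static List<String> rejectedValues(Collection<String> candidates, Set<String> allowed) {
        if (candidates == null || candidates.isEmpty()) {
            return Collections.emptyList();
        }
        return candidates.stream()
                .filter(candidate -> !allowed.contains(candidate))
                .collect(Collectors.toList());
    }

    /**
     * Builds the failure message from a prefix and the rejected values, logs it at ERROR level so
     * the misconfiguration is visible in broker logs, and returns it for the exception.
     */
    private static String reportFailure(String errorPrefix, Collection<String> rejected) {
        String message = errorPrefix + String.join(",", rejected);
        log.error(message);
        return message;
    }
}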
