package org.apache.ignite.internal.network.configuration;

import io.netty.buffer.ByteBufAllocator;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContextBuilder;
import java.lang.annotation.Annotation;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.Locale;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.SSLException;
import org.apache.ignite.configuration.validation.ValidationContext;
import org.apache.ignite.configuration.validation.ValidationIssue;
import org.apache.ignite.configuration.validation.Validator;
import org.apache.ignite.internal.logger.IgniteLogger;
import org.apache.ignite.internal.logger.Loggers;
import org.apache.ignite.internal.util.StringUtils;

/* loaded from: input_file:org/apache/ignite/internal/network/configuration/SslConfigurationValidatorImpl.class */
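/**
 * Validates an SSL configuration view before it is applied.
 *
 * <p>The checks are syntactic and file-system level only: the key store and trust store entries are
 * checked for a non-blank type and path and for the existence of the referenced file, the client
 * authentication mode is checked against the {@link ClientAuth} constants, and the configured cipher
 * suite names are compared with the suites a default client SSL engine reports as supported.
 *
 * <p>What this validator does <em>not</em> do, and what a passing result therefore does not prove:
 * <ul>
 *   <li>the store file is never opened, so its format, its readability and the correctness of the
 *       password are not verified here;</li>
 *   <li>a cipher suite being "supported" by the engine says nothing about its strength; no policy
 *       against weak suites is applied;</li>
 *   <li>a list in which only some suites are unsupported is accepted and merely logged.</li>
 * </ul>
 *
 * <p>Store passwords are read only to test for blankness and are never placed in an issue message
 * or a log line; keep it that way when extending the checks.
 */
public class SslConfigurationValidatorImpl implements Validator<SslConfigurationValidator, AbstractSslView> {
    /** Shared instance; the class declares no instance state. */
    public static final SslConfigurationValidatorImpl INSTANCE = new SslConfigurationValidatorImpl();

    private static final IgniteLogger LOG = Loggers.forClass(SslConfigurationValidatorImpl.class);

    /**
     * Validates the new SSL view held by the context and records every problem as a
     * {@link ValidationIssue}. Nothing is checked when SSL is disabled.
     *
     * @param sslConfigurationValidator the annotation that triggered validation (not read)
     * @param validationContext context supplying the new value and collecting the issues
     */
    public void validate(SslConfigurationValidator sslConfigurationValidator, ValidationContext<AbstractSslView> validationContext) {
        AbstractSslView ssl = validationContext.getNewValue();
        if (!ssl.enabled()) {
            return;
        }

        validateKeyStore(validationContext, ".keyStore", "Key store", ssl.keyStore());

        try {
            // Locale.ROOT keeps the mapping to the enum constant independent of the JVM default
            // locale; with a Turkish default locale "require" would upper-case to "REQUİRE" and a
            // valid setting would be reported as incorrect.
            ClientAuth clientAuth = ClientAuth.valueOf(ssl.clientAuth().toUpperCase(Locale.ROOT));

            // The trust store is only looked at when client certificates are requested.
            // NOTE(review): whether a trust store is also needed for verifying the peer when
            // client auth is NONE depends on how this view is consumed - confirm with the caller.
            if (clientAuth != ClientAuth.NONE) {
                validateKeyStore(validationContext, ".trustStore", "Trust store", ssl.trustStore());
            }
        } catch (IllegalArgumentException e) {
            validationContext.addIssue(
                    new ValidationIssue(validationContext.currentKey(), "Incorrect client auth parameter " + ssl.clientAuth()));
        }

        // A blank cipher list means "nothing configured" and is not validated.
        if (!ssl.ciphers().isBlank()) {
            validateCiphers(validationContext, ssl);
        }
    }

    /**
     * Checks one store entry (key store or trust store).
     *
     * <p>An entry whose path and password are both blank is treated as not configured and produces
     * no issue. NOTE(review): this also holds when SSL is enabled or client auth is requested, so a
     * missing store passes validation - presumably the consumer falls back to a default; confirm.
     *
     * <p>Only the existence of the path is tested. A directory, an unreadable file or a store with
     * a wrong password still passes and will fail later, when the store is actually loaded.
     *
     * @param ctx context collecting the issues
     * @param keySuffix suffix appended to the current key to address the store in issue reports
     * @param label human-readable store name used as the message prefix
     * @param keyStore the store entry to check
     */
    private static void validateKeyStore(ValidationContext<AbstractSslView> ctx, String keySuffix, String label, KeyStoreView keyStore) {
        String path = keyStore.path();
        if (StringUtils.nullOrBlank(path) && StringUtils.nullOrBlank(keyStore.password())) {
            return;
        }

        String issueKey = ctx.currentKey() + keySuffix;

        if (StringUtils.nullOrBlank(keyStore.type())) {
            ctx.addIssue(new ValidationIssue(issueKey, label + " type must not be blank"));
        }

        if (StringUtils.nullOrBlank(path)) {
            ctx.addIssue(new ValidationIssue(issueKey, label + " path must not be blank"));
            return;
        }

        try {
            // Follows symbolic links (no LinkOption is passed).
            if (!Files.exists(Path.of(path))) {
                ctx.addIssue(new ValidationIssue(issueKey, label + " file doesn't exist at " + path));
            }
        } catch (InvalidPathException e) {
            ctx.addIssue(new ValidationIssue(issueKey, label + " file path is incorrect: " + path));
        }
    }

    /**
     * Compares the comma-separated cipher suite names with the suites supported by a default client
     * SSL engine.
     *
     * <p>An issue is raised only when none of the configured names is supported. When some are
     * supported and some are not, validation passes and the unsupported names are logged at info
     * level, so a misspelled suite name is visible only in the log.
     *
     * @param ctx context collecting the issues
     * @param ssl the SSL view whose cipher list is checked
     */
    private static void validateCiphers(ValidationContext<AbstractSslView> ctx, AbstractSslView ssl) {
        try {
            // NOTE(review): depending on the SSL provider the engine may be reference counted;
            // confirm whether it has to be released after this one-off query.
            String[] engineSuites = SslContextBuilder.forClient().build().newEngine(ByteBufAllocator.DEFAULT).getSupportedCipherSuites();

            Set<String> supported = Arrays.stream(engineSuites)
                    .filter(Objects::nonNull)
                    .collect(Collectors.toSet());

            // Starts as the configured names; after removeAll only the unsupported ones remain.
            Set<String> unsupported = Arrays.stream(ssl.ciphers().split(","))
                    .map(String::strip)
                    .collect(Collectors.toSet());

            // removeAll reports whether anything was removed, i.e. whether at least one
            // configured suite is supported.
            boolean anySupported = unsupported.removeAll(supported);

            if (!unsupported.isEmpty()) {
                if (!anySupported) {
                    ctx.addIssue(new ValidationIssue(ctx.currentKey(), "None of the configured cipher suites are supported: " + unsupported));
                }
                LOG.info("Some of the configured cipher suites are unsupported: {}", unsupported);
            }
        } catch (SSLException e) {
            ctx.addIssue(new ValidationIssue(ctx.currentKey(), "Can't create SSL engine"));
            LOG.warn("Can't create SSL engine", e);
        }
    }

    // Decompiler rendering of the compiler-generated bridge method (marked bridge/synthetic in the
    // class file); it only casts its arguments and delegates to the typed validate above.
    public /* bridge */ /* synthetic */ void validate(Annotation annotation, ValidationContext validationContext) {
        validate((SslConfigurationValidator) annotation, (ValidationContext<AbstractSslView>) validationContext);
    }
}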
