package com.databricks.jdbc.dbclient.impl.common;

import com.databricks.internal.apache.http.config.Registry;
import com.databricks.internal.apache.http.config.RegistryBuilder;
import com.databricks.internal.apache.http.conn.socket.ConnectionSocketFactory;
import com.databricks.internal.apache.http.conn.socket.PlainConnectionSocketFactory;
import com.databricks.internal.apache.http.conn.ssl.SSLConnectionSocketFactory;
import com.databricks.internal.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import com.databricks.jdbc.api.internal.IDatabricksConnectionContext;
import com.databricks.jdbc.common.DatabricksJdbcConstants;
import com.databricks.jdbc.common.util.SocketFactoryUtil;
import com.databricks.jdbc.exception.DatabricksHttpException;
import com.databricks.jdbc.log.JdbcLogger;
import com.databricks.jdbc.log.JdbcLoggerFactory;
import com.databricks.jdbc.model.telemetry.enums.DatabricksDriverErrorCode;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/* loaded from: input_file:com/databricks/jdbc/dbclient/impl/common/ConfiguratorUtils.class */
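/**
 * Builds the HttpClient connection manager and the TLS trust configuration used by the driver.
 *
 * <p>Trust material is chosen in this order:
 * <ol>
 *   <li>the trust store named in the connection context ({@code getSSLTrustStore()}),
 *   <li>the file named by {@code javax.net.ssl.trustStore} when {@code useSystemTrustStore()} is set,
 *   <li>the JDK default trust store (cacerts).
 * </ol>
 *
 * <p>Two switches bypass certificate validation entirely and are logged when taken: the
 * {@code IS_JDBC_TEST_ENV} environment variable and the {@code AllowSelfSignedCerts} connection
 * option. The environment variable is consulted first, so it alone is enough to disable
 * validation for a process regardless of the connection options.
 *
 * <p>All failures surface as {@link DatabricksHttpException} with
 * {@link DatabricksDriverErrorCode#SSL_HANDSHAKE_ERROR}; nothing in this class falls back to a
 * weaker trust configuration on error.
 */
public class ConfiguratorUtils {
    private static final JdbcLogger LOGGER = JdbcLoggerFactory.getLogger((Class<?>) ConfiguratorUtils.class);
    // Standard JSSE properties; read here only when the context asks for the system trust store.
    private static final String JAVA_TRUST_STORE_PATH_PROPERTY = "javax.net.ssl.trustStore";
    private static final String JAVA_TRUST_STORE_PASSWORD_PROPERTY = "javax.net.ssl.trustStorePassword";
    private static final String JAVA_TRUST_STORE_TYPE_PROPERTY = "javax.net.ssl.trustStoreType";

    /** True when the {@code IS_JDBC_TEST_ENV} environment variable parses as {@code true}. */
    private static boolean isJDBCTestEnv() {
        return Boolean.parseBoolean(System.getenv(DatabricksJdbcConstants.IS_JDBC_TEST_ENV));
    }

    /**
     * Returns a pooling connection manager whose TLS trust matches the connection context.
     *
     * <p>With the stock settings (no custom trust store, revocation checking on, undetermined
     * revocation rejected, system trust store off, self-signed certificates off) the HttpClient
     * default manager is returned, i.e. the JDK default SSLContext is used unchanged.
     * NOTE(review): on that path {@code checkCertificateRevocation()} is never applied
     * explicitly; whether revocation is actually checked depends on the JVM's own
     * configuration — confirm this matches the intent.
     *
     * <p>Otherwise the test-environment variable and {@code allowSelfSignedCerts()} each select
     * the trust-all socket factory (no certificate validation); every other combination gets a
     * registry built by {@link #createConnectionSocketFactoryRegistry}.
     *
     * @param context connection options controlling trust store selection and revocation
     * @return a connection manager ready for HTTP and HTTPS
     * @throws DatabricksHttpException if the requested trust configuration cannot be built
     */
    public static PoolingHttpClientConnectionManager getBaseConnectionManager(IDatabricksConnectionContext context) throws DatabricksHttpException {
        boolean stockSettings = context.getSSLTrustStore() == null
                && context.checkCertificateRevocation()
                && !context.acceptUndeterminedCertificateRevocation()
                && !context.useSystemTrustStore()
                && !context.allowSelfSignedCerts();
        if (stockSettings) {
            return new PoolingHttpClientConnectionManager();
        }
        if (isJDBCTestEnv()) {
            // Environment-driven bypass: takes precedence over every connection option below.
            LOGGER.info("Using trust-all socket factory for JDBC test environment");
            return new PoolingHttpClientConnectionManager(SocketFactoryUtil.getTrustAllSocketFactoryRegistry());
        }
        if (context.allowSelfSignedCerts()) {
            LOGGER.warn("Self-signed certificates are allowed. Please only use this parameter (AllowSelfSignedCerts) when you're sure of what you're doing. This is not recommended for production use.");
            return new PoolingHttpClientConnectionManager(SocketFactoryUtil.getTrustAllSocketFactoryRegistry());
        }
        return new PoolingHttpClientConnectionManager(createConnectionSocketFactoryRegistry(context));
    }

    /**
     * Builds the HTTP/HTTPS socket factory registry from the context's trust settings.
     *
     * @param context connection options; a non-null {@code getSSLTrustStore()} selects the custom
     *     trust store path, otherwise the system-property or JDK default store is used
     * @return registry with a validating HTTPS factory and a plain HTTP factory
     * @throws DatabricksHttpException if the trust store cannot be loaded or yields no anchors
     */
    public static Registry<ConnectionSocketFactory> createConnectionSocketFactoryRegistry(IDatabricksConnectionContext context) throws DatabricksHttpException {
        if (context.getSSLTrustStore() != null) {
            return createRegistryWithCustomTrustStore(context);
        }
        return createRegistryWithSystemOrDefaultTrustStore(context);
    }

    /**
     * Builds a registry from the trust store file named in the connection context.
     *
     * <p>Any failure, including the driver's own validation errors, is re-wrapped with a message
     * naming the store path so the cause chain still carries the specific reason.
     */
    private static Registry<ConnectionSocketFactory> createRegistryWithCustomTrustStore(IDatabricksConnectionContext context) throws DatabricksHttpException {
        String storePath = context.getSSLTrustStore();
        try {
            KeyStore trustStore = loadTruststoreOrNull(context);
            if (trustStore == null) {
                // Only reachable if the context stops reporting a store path between calls.
                String message = "Specified trust store could not be loaded: " + storePath;
                handleError(message, new IOException(message));
            }
            Set<TrustAnchor> anchors = getTrustAnchorsFromTrustStore(trustStore);
            if (anchors.isEmpty()) {
                // Fail closed: an empty store would reject every peer certificate anyway.
                String message = "Custom trust store contains no trust anchors. Certificate validation will fail.";
                handleError(message, new CertificateException(message));
            }
            LOGGER.info("Using custom trust store: " + storePath);
            return createRegistryFromTrustAnchors(anchors, context, "custom trust store: " + storePath);
        } catch (Exception e) {
            handleError("Error while setting up custom trust store: " + storePath, e);
            return null; // unreachable: handleError always throws
        }
    }

    /**
     * Chooses between the {@code javax.net.ssl.trustStore} file and the JDK default store.
     *
     * <p>The system property is only read when {@code useSystemTrustStore()} is set; an unset or
     * blank property falls through to the JDK default store.
     */
    private static Registry<ConnectionSocketFactory> createRegistryWithSystemOrDefaultTrustStore(IDatabricksConnectionContext context) throws DatabricksHttpException {
        String systemStorePath = context.useSystemTrustStore()
                ? System.getProperty(JAVA_TRUST_STORE_PATH_PROPERTY)
                : null;
        if (systemStorePath == null || systemStorePath.isEmpty()) {
            return createRegistryWithJdkDefaultTrustStore(context);
        }
        return createRegistryWithSystemPropertyTrustStore(context, systemStorePath);
    }

    /**
     * Builds a registry from the trust store file named by {@code javax.net.ssl.trustStore}.
     *
     * <p>Store type and password come from {@code javax.net.ssl.trustStoreType} (default
     * {@code JKS}) and {@code javax.net.ssl.trustStorePassword}. A missing password loads the
     * store without its integrity check (behaviour depends on the store type); the password only
     * protects the file, it says nothing about the certificates inside it. The password array is
     * cleared once the store is loaded.
     *
     * @param context connection options forwarded for revocation settings
     * @param trustStorePath non-empty value of the system property
     */
    private static Registry<ConnectionSocketFactory> createRegistryWithSystemPropertyTrustStore(IDatabricksConnectionContext context, String trustStorePath) throws DatabricksHttpException {
        try {
            LOGGER.info("Using system property javax.net.ssl.trustStore: " + trustStorePath + " (This overrides the JDK's default cacerts store)");
            if (!new File(trustStorePath).exists()) {
                String message = "System property trust store file does not exist: " + trustStorePath;
                handleError(message, new IOException(message));
            }
            KeyStore keyStore = KeyStore.getInstance(System.getProperty(JAVA_TRUST_STORE_TYPE_PROPERTY, "JKS"));
            String password = System.getProperty(JAVA_TRUST_STORE_PASSWORD_PROPERTY);
            char[] passwordChars = password == null ? null : password.toCharArray();
            try (FileInputStream in = new FileInputStream(trustStorePath)) {
                keyStore.load(in, passwordChars);
            } finally {
                wipe(passwordChars);
            }
            return createRegistryFromTrustAnchors(getTrustAnchorsFromTrustStore(keyStore), context, "system property trust store: " + trustStorePath);
        } catch (DatabricksHttpException | IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            handleError("Error while setting up system property trust store: " + trustStorePath, e);
            return null; // unreachable: handleError always throws
        }
    }

    /**
     * Builds a registry from the JDK default trust store.
     *
     * <p>NOTE(review): the anchors come from {@code getTrustAnchorsFromTrustStore(null)}, which
     * defers to the JDK's TrustManagerFactory defaults; standard JDKs consult
     * {@code javax.net.ssl.trustStore} themselves in that case, so the "ignoring system
     * properties" log line may overstate the isolation — confirm.
     */
    private static Registry<ConnectionSocketFactory> createRegistryWithJdkDefaultTrustStore(IDatabricksConnectionContext context) throws DatabricksHttpException {
        try {
            if (context.useSystemTrustStore()) {
                LOGGER.info("No system property trust store found, using JDK default trust store (cacerts)");
            } else {
                LOGGER.info("UseSystemTrustStore=false, using JDK default trust store (cacerts) and ignoring system properties");
            }
            return createRegistryFromTrustAnchors(getTrustAnchorsFromTrustStore(null), context, "JDK default trust store (cacerts)");
        } catch (DatabricksHttpException e) {
            handleError("Error while setting up JDK default trust store", e);
            return null; // unreachable: handleError always throws
        }
    }

    /**
     * Turns a set of trust anchors into a socket factory registry, applying the context's
     * revocation settings.
     *
     * @param anchors CA certificates to trust; must be non-empty
     * @param context source of {@code checkCertificateRevocation()} and
     *     {@code acceptUndeterminedCertificateRevocation()}
     * @param sourceDescription human-readable origin of the anchors, used in error messages
     * @throws DatabricksHttpException if {@code anchors} is null or empty, or the trust managers
     *     cannot be built
     */
    private static Registry<ConnectionSocketFactory> createRegistryFromTrustAnchors(Set<TrustAnchor> anchors, IDatabricksConnectionContext context, String sourceDescription) throws DatabricksHttpException {
        if (anchors == null || anchors.isEmpty()) {
            throw new DatabricksHttpException(sourceDescription + " contains no trust anchors", DatabricksDriverErrorCode.SSL_HANDSHAKE_ERROR);
        }
        try {
            TrustManager[] trustManagers = createTrustManagers(
                    anchors,
                    context.checkCertificateRevocation(),
                    context.acceptUndeterminedCertificateRevocation());
            return createSocketFactoryRegistry(trustManagers);
        } catch (Exception e) {
            handleError("Error setting up trust managers for " + sourceDescription, e);
            return null; // unreachable: handleError always throws
        }
    }

    /**
     * Creates an SSLContext backed by the given trust managers and wraps it in a registry.
     *
     * <p>No key managers are supplied (server-side trust only) and the JDK chooses the
     * SecureRandom. Hostname verification is left to the SSLConnectionSocketFactory default.
     */
    private static Registry<ConnectionSocketFactory> createSocketFactoryRegistry(TrustManager[] trustManagers) throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustManagers, null);
        return RegistryBuilder.<ConnectionSocketFactory>create()
                .register(DatabricksJdbcConstants.HTTPS, new SSLConnectionSocketFactory(sslContext))
                .register("http", new PlainConnectionSocketFactory())
                .build();
    }

    /**
     * Builds PKIX trust managers for the anchors with the requested revocation policy.
     *
     * @param anchors CA certificates to trust
     * @param checkRevocation whether to run a revocation checker on every chain
     * @param acceptUndeterminedRevocation whether an unreachable revocation source is tolerated
     */
    private static TrustManager[] createTrustManagers(Set<TrustAnchor> anchors, boolean checkRevocation, boolean acceptUndeterminedRevocation) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, DatabricksHttpException {
        CertPathTrustManagerParameters parameters = buildTrustManagerParameters(anchors, checkRevocation, acceptUndeterminedRevocation);
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(parameters);
        LOGGER.info("Certificate revocation check: " + checkRevocation);
        return factory.getTrustManagers();
    }

    /** Returns the first {@link X509TrustManager} in the array, or null if there is none. */
    private static X509TrustManager findX509TrustManager(TrustManager[] trustManagers) {
        if (trustManagers == null) {
            return null;
        }
        for (TrustManager candidate : trustManagers) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        return null;
    }

    /**
     * Loads the trust store named in the connection context.
     *
     * <p>The store type comes from {@code getSSLTrustStoreType()} and the optional password from
     * {@code getSSLTrustStorePassword()}; the password array is cleared after loading. A missing
     * password loads the store without its integrity check (behaviour depends on the store type).
     *
     * @param context connection options naming the store
     * @return the loaded store, or null when the context names no store
     * @throws DatabricksHttpException if the file does not exist or cannot be parsed as the
     *     configured type
     */
    public static KeyStore loadTruststoreOrNull(IDatabricksConnectionContext context) throws DatabricksHttpException {
        String storePath = context.getSSLTrustStore();
        if (storePath == null) {
            return null;
        }
        if (!new File(storePath).exists()) {
            String message = "Specified trust store file does not exist: " + storePath;
            LOGGER.error(message);
            throw new DatabricksHttpException(message, DatabricksDriverErrorCode.SSL_HANDSHAKE_ERROR);
        }
        String password = context.getSSLTrustStorePassword();
        char[] passwordChars = password == null ? null : password.toCharArray();
        String storeType = context.getSSLTrustStoreType();
        try (FileInputStream in = new FileInputStream(storePath)) {
            LOGGER.info("Loading trust store as type: " + storeType);
            KeyStore keyStore = KeyStore.getInstance(storeType);
            keyStore.load(in, passwordChars);
            LOGGER.info("Successfully loaded trust store: " + storePath);
            return keyStore;
        } catch (Exception e) {
            String message = "Failed to load trust store: " + storePath + " with type " + storeType + ": " + e.getMessage();
            LOGGER.error(message);
            throw new DatabricksHttpException(message, e, DatabricksDriverErrorCode.SSL_HANDSHAKE_ERROR);
        } finally {
            wipe(passwordChars);
        }
    }

    /**
     * Extracts the accepted issuers of a key store as PKIX trust anchors.
     *
     * @param keyStore store to read; null selects the JDK's default trust material
     * @return one anchor per accepted issuer, or an empty set when the store yields none
     * @throws DatabricksHttpException if the trust manager factory cannot be initialised
     */
    public static Set<TrustAnchor> getTrustAnchorsFromTrustStore(KeyStore keyStore) throws DatabricksHttpException {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore);
            X509TrustManager trustManager = findX509TrustManager(factory.getTrustManagers());
            if (trustManager == null || trustManager.getAcceptedIssuers().length == 0) {
                return Collections.emptySet();
            }
            return Arrays.stream(trustManager.getAcceptedIssuers())
                    .map(issuer -> new TrustAnchor(issuer, null))
                    .collect(Collectors.toSet());
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            handleError("Error while getting trust anchors from trust store: " + e.getMessage(), e);
            return Collections.emptySet(); // unreachable: handleError always throws
        }
    }

    /**
     * Builds PKIX parameters for the given anchors and revocation policy.
     *
     * <p>When {@code checkRevocation} is true a {@link PKIXRevocationChecker} is attached with the
     * JDK's default options (hard fail). When {@code acceptUndeterminedRevocation} is also true
     * the checker is switched to {@code SOFT_FAIL}, {@code NO_FALLBACK} and {@code PREFER_CRLS}:
     * revocation status is looked up via CRLs only, OCSP is not used as a fallback, and an
     * unavailable CRL is tolerated rather than treated as a failure.
     *
     * @param trustAnchors CA certificates to trust; must be non-empty for PKIX
     * @param checkRevocation whether to enable revocation checking
     * @param acceptUndeterminedRevocation whether an undetermined status is tolerated
     * @throws DatabricksHttpException if the PKIX parameters or checker cannot be created
     */
    public static CertPathTrustManagerParameters buildTrustManagerParameters(Set<TrustAnchor> trustAnchors, boolean checkRevocation, boolean acceptUndeterminedRevocation) throws DatabricksHttpException {
        try {
            PKIXBuilderParameters parameters = new PKIXBuilderParameters(trustAnchors, new X509CertSelector());
            parameters.setRevocationEnabled(checkRevocation);
            if (checkRevocation) {
                PKIXRevocationChecker checker = (PKIXRevocationChecker) CertPathValidator.getInstance(DatabricksJdbcConstants.PKIX).getRevocationChecker();
                if (acceptUndeterminedRevocation) {
                    checker.setOptions(Set.of(
                            PKIXRevocationChecker.Option.SOFT_FAIL,
                            PKIXRevocationChecker.Option.NO_FALLBACK,
                            PKIXRevocationChecker.Option.PREFER_CRLS));
                }
                LOGGER.info("Certificate revocation enabled. Undetermined revocation accepted: " + acceptUndeterminedRevocation);
                parameters.addCertPathChecker(checker);
            }
            return new CertPathTrustManagerParameters(parameters);
        } catch (InvalidAlgorithmParameterException | NoSuchAlgorithmException e) {
            handleError("Error while building trust manager parameters: " + e.getMessage(), e);
            return null; // unreachable: handleError always throws
        }
    }

    /** Overwrites a password array in place; tolerates null. */
    private static void wipe(char[] secret) {
        if (secret != null) {
            Arrays.fill(secret, '\0');
        }
    }

    /**
     * Logs the failure with its cause and always throws an SSL handshake error.
     *
     * @param message description of the failing step
     * @param cause underlying exception, preserved as the cause of the thrown exception
     * @throws DatabricksHttpException unconditionally
     */
    private static void handleError(String message, Exception cause) throws DatabricksHttpException {
        LOGGER.error(message, cause);
        throw new DatabricksHttpException(message, cause, DatabricksDriverErrorCode.SSL_HANDSHAKE_ERROR);
    }
}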
