package io.trino.plugin.hive.metastore.thrift;

import com.google.common.net.HostAndPort;
import io.airlift.security.pem.PemReader;
import io.airlift.units.Duration;
import io.trino.spi.NodeManager;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicInteger;
import javax.inject.Inject;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;

/* loaded from: input_file:io/trino/plugin/hive/metastore/thrift/DefaultThriftMetastoreClientFactory.class */
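/**
 * Creates {@link ThriftMetastoreClient} instances for the Hive Thrift metastore.
 *
 * <p>When TLS is enabled in {@link ThriftMetastoreConfig}, one {@link SSLContext} is built at construction
 * time (an optional key store supplying the client certificate, plus a mandatory trust store used to verify
 * the metastore) and shared by every transport this factory creates. The SOCKS proxy, timeout and
 * authentication settings are likewise fixed at construction and handed to {@code Transport.create} for
 * each connection.
 *
 * <p>{@code metastoreSupportsDateStatistics} and the three {@code chosen*Alternative} counters are created
 * once and passed to every client built here, so whatever the clients record in them is shared across
 * all clients of this factory.
 */
public class DefaultThriftMetastoreClientFactory
        implements ThriftMetastoreClientFactory
{
    private final Optional<SSLContext> sslContext;
    private final Optional<HostAndPort> socksProxy;
    private final int timeoutMillis;
    private final HiveMetastoreAuthentication metastoreAuthentication;
    private final String hostname;

    // Mutable state shared by all clients created from this factory (see class Javadoc)
    private final MetastoreSupportsDateStatistics metastoreSupportsDateStatistics = new MetastoreSupportsDateStatistics();
    private final AtomicInteger chosenGetTableAlternative = new AtomicInteger(Integer.MAX_VALUE);
    private final AtomicInteger chosenTableParamAlternative = new AtomicInteger(Integer.MAX_VALUE);
    private final AtomicInteger chosenGetAllViewsAlternative = new AtomicInteger(Integer.MAX_VALUE);

    /**
     * @param sslContext context for TLS connections to the metastore, or empty for plaintext transports
     * @param socksProxy optional SOCKS proxy passed to {@code Transport.create}
     * @param timeout metastore timeout; converted to whole milliseconds
     * @param metastoreAuthentication authentication applied to each transport
     * @param hostname host name of the current node, handed to every client created
     * @throws NullPointerException if any argument is null
     * @throws ArithmeticException if {@code timeout} does not fit in an {@code int} number of milliseconds
     */
    public DefaultThriftMetastoreClientFactory(
            Optional<SSLContext> sslContext,
            Optional<HostAndPort> socksProxy,
            Duration timeout,
            HiveMetastoreAuthentication metastoreAuthentication,
            String hostname)
    {
        this.sslContext = Objects.requireNonNull(sslContext, "sslContext is null");
        this.socksProxy = Objects.requireNonNull(socksProxy, "socksProxy is null");
        this.timeoutMillis = Math.toIntExact(timeout.toMillis());
        this.metastoreAuthentication = Objects.requireNonNull(metastoreAuthentication, "metastoreAuthentication is null");
        this.hostname = Objects.requireNonNull(hostname, "hostname is null");
    }

    /**
     * Injection constructor: derives every setting from {@code config} and builds the SSL context up front,
     * so a misconfigured key store or trust store fails at startup rather than on first connection.
     */
    @Inject
    public DefaultThriftMetastoreClientFactory(ThriftMetastoreConfig config, HiveMetastoreAuthentication metastoreAuthentication, NodeManager nodeManager)
    {
        this(
                buildSslContext(
                        config.isTlsEnabled(),
                        Optional.ofNullable(config.getKeystorePath()),
                        Optional.ofNullable(config.getKeystorePassword()),
                        config.getTruststorePath(),
                        Optional.ofNullable(config.getTruststorePassword())),
                Optional.ofNullable(config.getSocksProxy()),
                config.getMetastoreTimeout(),
                metastoreAuthentication,
                nodeManager.getCurrentNode().getHost());
    }

    /**
     * Opens a transport to {@code address} and wraps it in a client bound to this node's host name.
     *
     * @param address metastore host and port
     * @param delegationToken optional delegation token forwarded to {@code Transport.create}
     * @throws TTransportException if the transport cannot be established
     */
    @Override
    public ThriftMetastoreClient create(HostAndPort address, Optional<String> delegationToken)
            throws TTransportException
    {
        return create(createTransport(address, delegationToken), hostname);
    }

    /**
     * Wraps an already-open transport in a {@link ThriftHiveMetastoreClient} sharing this factory's
     * capability state. Overridable so subclasses can substitute a different client implementation.
     */
    protected ThriftMetastoreClient create(TTransport transport, String hostname)
    {
        return new ThriftHiveMetastoreClient(
                transport,
                hostname,
                metastoreSupportsDateStatistics,
                chosenGetTableAlternative,
                chosenTableParamAlternative,
                chosenGetAllViewsAlternative);
    }

    private TTransport createTransport(HostAndPort address, Optional<String> delegationToken)
            throws TTransportException
    {
        return Transport.create(address, sslContext, socksProxy, timeoutMillis, metastoreAuthentication, delegationToken);
    }

    /**
     * Builds the client-side {@link SSLContext}, or returns empty when TLS is disabled.
     *
     * <p>The key store is optional (no client certificate is presented without it). The trust store is not:
     * when TLS is enabled, {@code truststorePath} must be a readable PEM file or Java key store, and there is
     * no fallback to the JVM's default trust store. Any load failure is rethrown as a
     * {@link RuntimeException}, which aborts construction of the factory.
     *
     * @param tlsEnabled whether TLS is enabled; when {@code false} every other argument is ignored
     * @param keystorePath PEM file or Java key store holding the client certificate and private key
     * @param keystorePassword password for the key store, passed to the PEM reader and used to open a
     *        Java key store otherwise
     * @param truststorePath PEM certificate chain or Java key store of certificates to trust
     * @param truststorePassword password used only when the trust store is opened as a Java key store
     * @throws RuntimeException if either store cannot be loaded, a key-entry certificate is outside its
     *         validity period, or the provider yields anything other than a single X.509 trust manager
     */
    private static Optional<SSLContext> buildSslContext(
            boolean tlsEnabled,
            Optional<File> keystorePath,
            Optional<String> keystorePassword,
            File truststorePath,
            Optional<String> truststorePassword)
    {
        if (!tlsEnabled) {
            return Optional.empty();
        }
        try {
            // null key managers means no client certificate is offered during the handshake
            KeyManager[] keyManagers = null;
            if (keystorePath.isPresent()) {
                keyManagers = loadKeyManagers(keystorePath.get(), keystorePassword);
            }

            KeyStore trustStore = loadTrustStore(truststorePath, truststorePassword);
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            // Insist on exactly one X.509 trust manager so server verification is known to be in place;
            // anything else is an unexpected provider configuration rather than something to work around
            if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
                throw new RuntimeException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
            }

            // "TLS" is the standard SSLContext algorithm name; the protocol versions actually negotiated are
            // governed by the JDK's enabled-protocol defaults, not by this name
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyManagers, trustManagers, null);
            return Optional.of(sslContext);
        }
        catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Loads the client key store from {@code keystorePath} and returns key managers built from it.
     *
     * <p>The file is first parsed as PEM (certificate and private key in the same file); if that fails it is
     * opened as a Java key store of the default type using {@code keystorePassword}. Every key entry's
     * certificate is checked for validity before the key managers are built. When both parsers reject the
     * file, the PEM error is attached to the thrown exception as a suppressed cause.
     *
     * @throws IOException if the file cannot be read as a Java key store either
     * @throws GeneralSecurityException if the key store cannot be initialized, or a certificate is expired
     *         or not yet valid
     */
    private static KeyManager[] loadKeyManagers(File keystorePath, Optional<String> keystorePassword)
            throws IOException, GeneralSecurityException
    {
        KeyStore keyStore;
        // Password handed to KeyManagerFactory to unlock the private-key entries
        char[] keyManagerPassword;
        try {
            keyStore = PemReader.loadKeyStore(keystorePath, keystorePath, keystorePassword);
            // The PEM-derived store is opened with an empty key password — NOTE(review): this relies on how
            // PemReader.loadKeyStore stores the key; confirm against that implementation
            keyManagerPassword = new char[0];
        }
        catch (IOException | GeneralSecurityException pemFailure) {
            keyManagerPassword = keystorePassword.map(String::toCharArray).orElse(null);
            keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // try-with-resources: the stream is closed even when load() throws
            try (FileInputStream in = new FileInputStream(keystorePath)) {
                keyStore.load(in, keyManagerPassword);
            }
            catch (IOException | GeneralSecurityException jksFailure) {
                jksFailure.addSuppressed(pemFailure);
                throw jksFailure;
            }
        }

        validateCertificates(keyStore);
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyManagerPassword);
        return keyManagerFactory.getKeyManagers();
    }

    /**
     * Loads the trust store from {@code truststorePath}.
     *
     * <p>The file is first parsed as a PEM certificate chain and every certificate found is added as a
     * trusted entry keyed by its subject DN (certificates sharing a subject DN overwrite one another). If
     * the file does not parse as PEM, or yields no certificates, it is opened as a Java key store of the
     * default type with {@code truststorePassword}; a PEM parse error is then attached as a suppressed
     * cause if that fails as well.
     *
     * @throws IOException if the file cannot be read as a Java key store either
     * @throws GeneralSecurityException if the key store cannot be initialized or its contents are rejected
     */
    private static KeyStore loadTrustStore(File truststorePath, Optional<String> truststorePassword)
            throws IOException, GeneralSecurityException
    {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());

        Exception pemFailure = null;
        try {
            List<X509Certificate> certificateChain = PemReader.readCertificateChain(truststorePath);
            if (!certificateChain.isEmpty()) {
                trustStore.load(null, null);
                for (X509Certificate certificate : certificateChain) {
                    trustStore.setCertificateEntry(certificate.getSubjectX500Principal().getName(), certificate);
                }
                return trustStore;
            }
        }
        catch (IOException | GeneralSecurityException e) {
            // Not readable as PEM: remembered only for diagnostics, then fall through to the Java key store path
            pemFailure = e;
        }

        try (FileInputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, truststorePassword.map(String::toCharArray).orElse(null));
        }
        catch (IOException | GeneralSecurityException jksFailure) {
            if (pemFailure != null) {
                jksFailure.addSuppressed(pemFailure);
            }
            throw jksFailure;
        }
        return trustStore;
    }

    /**
     * Fails if any key entry in {@code keyStore} carries an X.509 certificate that is expired or not yet
     * valid, judged against the current system time.
     *
     * <p>Only key entries (the client identity) are checked: trusted-certificate entries are skipped, as are
     * key entries whose certificate is not X.509. The original exception is kept as the cause of the
     * rethrown one.
     *
     * @throws CertificateExpiredException if a key entry's certificate has expired
     * @throws CertificateNotYetValidException if a key entry's certificate is not yet valid
     * @throws GeneralSecurityException if the key store has not been initialized
     */
    private static void validateCertificates(KeyStore keyStore)
            throws GeneralSecurityException
    {
        for (String alias : Collections.list(keyStore.aliases())) {
            if (!keyStore.isKeyEntry(alias)) {
                continue;
            }
            Certificate certificate = keyStore.getCertificate(alias);
            if (!(certificate instanceof X509Certificate)) {
                continue;
            }
            try {
                ((X509Certificate) certificate).checkValidity();
            }
            catch (CertificateExpiredException e) {
                CertificateExpiredException wrapped = new CertificateExpiredException("KeyStore certificate is expired: " + e.getMessage());
                wrapped.initCause(e);
                throw wrapped;
            }
            catch (CertificateNotYetValidException e) {
                CertificateNotYetValidException wrapped = new CertificateNotYetValidException("KeyStore certificate is not yet valid: " + e.getMessage());
                wrapped.initCause(e);
                throw wrapped;
            }
        }
    }
}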
