package io.asyncer.r2dbc.mysql.client;

import io.asyncer.r2dbc.mysql.ConnectionContext;
import io.asyncer.r2dbc.mysql.MySqlSslConfiguration;
import io.asyncer.r2dbc.mysql.ServerVersion;
import io.asyncer.r2dbc.mysql.constant.ServerStatuses;
import io.asyncer.r2dbc.mysql.constant.SslMode;
import io.asyncer.r2dbc.mysql.constant.TlsVersions;
import io.asyncer.r2dbc.mysql.internal.util.AssertUtils;
import io.asyncer.r2dbc.mysql.message.server.SyntheticSslResponseMessage;
import io.netty.channel.ChannelDuplexHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.IdentityCipherSuiteFilter;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import java.io.File;
import java.net.InetSocketAddress;
import java.util.function.Consumer;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import reactor.netty.tcp.SslProvider;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/asyncer/r2dbc/mysql/client/SslBridgeHandler.class */
/**
 * Netty duplex handler that bridges a MySQL/MariaDB connection into TLS.
 *
 * <p>It installs an {@link SslHandler} in front of itself when an {@code SslState.BRIDGING} event
 * arrives (or immediately when the configured mode is {@link SslMode#TUNNEL}), optionally checks the
 * peer hostname once the handshake completes, and then removes itself from the pipeline.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When the SSL mode does not verify certificates, the context is built with
 *       {@link InsecureTrustManagerFactory}, so any server certificate is accepted.</li>
 *   <li>When no TLS versions are configured, the offered protocol list always contains TLS 1.1 and
 *       TLS 1.0, and for older servers contains only those.</li>
 *   <li>An {@code SslState.UNSUPPORTED} event simply removes this handler; nothing in this class
 *       fails the connection in that case.</li>
 * </ul>
 *
 * <p>This listing is decompiler output: synthetic members and widened access modifiers are artifacts
 * of that process.
 */
public final class SslBridgeHandler extends ChannelDuplexHandler {
    // Pipeline name of this bridge handler; used to position the SslHandler and to remove the bridge.
    static final String NAME = "R2dbcMySqlSslBridgeHandler";
    // Pipeline name under which the Netty SslHandler is registered.
    private static final String SSL_NAME = "R2dbcMySqlSslHandler";
    private static final InternalLogger logger = InternalLoggerFactory.getInstance(SslBridgeHandler.class);
    // Protocols applied by forClient when no explicit TLS versions are configured, the mode is not
    // TUNNEL and isTls13Enabled(context) is true. Note that TLS 1.1 and TLS 1.0 stay in the list.
    private static final String[] TLS_PROTOCOLS = {TlsVersions.TLS1_3, TlsVersions.TLS1_2, TlsVersions.TLS1_1, TlsVersions.TLS1};
    // Protocols applied by forClient when isTls13Enabled(context) is false: legacy versions only.
    private static final String[] OLD_TLS_PROTOCOLS = {TlsVersions.TLS1_1, TlsVersions.TLS1};
    // Version thresholds compared against the server version in isTls13Enabled.
    private static final ServerVersion MARIA_10_2_16 = ServerVersion.create(10, 2, 16, true);
    private static final ServerVersion MARIA_10_3_0 = ServerVersion.create(10, 3, 0, true);
    private static final ServerVersion MARIA_10_3_8 = ServerVersion.create(10, 3, 8, true);
    private static final ServerVersion MYSQL_5_6_0 = ServerVersion.create(5, 6, 0);
    private static final ServerVersion MYSQL_5_6_46 = ServerVersion.create(5, 6, 46);
    private static final ServerVersion MYSQL_5_7_0 = ServerVersion.create(5, 7, 0);
    private static final ServerVersion MYSQL_5_7_28 = ServerVersion.create(5, 7, 28);
    private final ConnectionContext context;
    private final MySqlSslConfiguration ssl;
    // Engine of the installed SslHandler; assigned in handleSslState and read for hostname verification.
    private SSLEngine sslEngine;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.asyncer.r2dbc.mysql.client.SslBridgeHandler$1, reason: invalid class name */
    /* loaded from: input_file:io/asyncer/r2dbc/mysql/client/SslBridgeHandler$1.class */
    /**
     * Synthetic lookup table, as recovered by the decompiler, that maps {@code SslState} ordinals to
     * the case labels used by the switch in {@code handleSslState}: 1 for BRIDGING, 2 for UNSUPPORTED.
     * The empty catch blocks belong to this generated pattern rather than to hand-written logic.
     */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$asyncer$r2dbc$mysql$client$SslState = new int[SslState.values().length];

        static {
            try {
                $SwitchMap$io$asyncer$r2dbc$mysql$client$SslState[SslState.BRIDGING.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$asyncer$r2dbc$mysql$client$SslState[SslState.UNSUPPORTED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/asyncer/r2dbc/mysql/client/SslBridgeHandler$MySqlSslContextSpec.class */
    /**
     * Reactor Netty SSL context spec backed by a Netty {@link SslContextBuilder} that
     * {@link #forClient} has pre-configured from the driver's SSL settings.
     */
    public static final class MySqlSslContextSpec implements SslProvider.ProtocolSslContextSpec {
        private final SslContextBuilder builder;

        private MySqlSslContextSpec(SslContextBuilder sslContextBuilder) {
            this.builder = sslContextBuilder;
        }

        /**
         * Applies a caller-supplied customizer to the underlying builder.
         *
         * @param consumer customizer invoked with the builder; must not be null
         * @return this spec
         */
        public MySqlSslContextSpec configure(Consumer<SslContextBuilder> consumer) {
            AssertUtils.requireNonNull(consumer, "customizer must not be null");
            consumer.accept(this.builder);
            return this;
        }

        /**
         * Builds the {@link SslContext} from the current builder state.
         *
         * @return the built context
         * @throws SSLException if the builder cannot produce a context
         */
        public SslContext sslContext() throws SSLException {
            return this.builder.build();
        }

        /**
         * Creates a client-side spec from the driver's SSL configuration.
         *
         * <p>Steps, in order: choose the provider and clear cipher/ALPN settings, choose the protocol
         * list, attach the client key and certificate if configured, choose the trust manager, then
         * hand the builder to {@code customizeSslContext} for final adjustments.
         *
         * @param mySqlSslConfiguration the SSL settings to apply
         * @param connectionContext context supplying the server version and MariaDB flag
         * @return a spec wrapping the builder returned by {@code customizeSslContext}
         * @throws IllegalStateException if a client key is configured without a client certificate
         */
        static MySqlSslContextSpec forClient(MySqlSslConfiguration mySqlSslConfiguration, ConnectionContext connectionContext) {
            // OpenSSL is used when Netty reports it available, otherwise the JDK provider. Passing null
            // ciphers with IdentityCipherSuiteFilter and a null ALPN config leaves both unrestricted here.
            SslContextBuilder applicationProtocolConfig = SslContextBuilder.forClient().sslProvider(OpenSsl.isAvailable() ? io.netty.handler.ssl.SslProvider.OPENSSL : io.netty.handler.ssl.SslProvider.JDK).ciphers((Iterable) null, IdentityCipherSuiteFilter.INSTANCE).applicationProtocolConfig((ApplicationProtocolConfig) null);
            String[] tlsVersion = mySqlSslConfiguration.getTlsVersion();
            if (tlsVersion.length > 0 || mySqlSslConfiguration.getSslMode() == SslMode.TUNNEL) {
                // Explicitly configured versions win. In TUNNEL mode without configured versions no
                // protocols() call is made, so the builder keeps whatever protocol set it already has.
                if (tlsVersion.length > 0) {
                    applicationProtocolConfig.protocols(tlsVersion);
                }
            } else if (SslBridgeHandler.isTls13Enabled(connectionContext)) {
                applicationProtocolConfig.protocols(SslBridgeHandler.TLS_PROTOCOLS);
            } else {
                // Fallback for server versions outside the ranges in isTls13Enabled: only TLS 1.1 and
                // TLS 1.0 are offered. Configuring explicit TLS versions is the way to avoid this branch.
                if (SslBridgeHandler.logger.isWarnEnabled()) {
                    SslBridgeHandler.logger.warn("{} {} does not support TLS1.2, TLS1.1 is disabled in latest JDKs", connectionContext.isMariaDb() ? "MariaDB" : "MySQL", connectionContext.getServerVersion());
                }
                applicationProtocolConfig.protocols(SslBridgeHandler.OLD_TLS_PROTOCOLS);
            }
            String sslKey = mySqlSslConfiguration.getSslKey();
            if (sslKey != null) {
                CharSequence sslKeyPassword = mySqlSslConfiguration.getSslKeyPassword();
                String sslCert = mySqlSslConfiguration.getSslCert();
                if (sslCert == null) {
                    throw new IllegalStateException("SSL key present but client cert does not exist");
                }
                // sslCert and sslKey are used as file paths. The key password is copied into a String
                // here, so it cannot be wiped from memory afterwards.
                applicationProtocolConfig.keyManager(new File(sslCert), new File(sslKey), sslKeyPassword == null ? null : sslKeyPassword.toString());
            }
            if (mySqlSslConfiguration.getSslMode().verifyCertificate()) {
                String sslCa = mySqlSslConfiguration.getSslCa();
                // With no CA file configured, trustManager() is not called at all.
                // NOTE(review): presumably the provider's default trust store then applies; confirm.
                if (sslCa != null) {
                    applicationProtocolConfig.trustManager(new File(sslCa));
                }
            } else {
                // SECURITY: InsecureTrustManagerFactory accepts any certificate chain. In SSL modes that
                // do not verify certificates, the connection is encrypted but the server is not
                // authenticated, so it offers no protection against an on-path impersonator.
                applicationProtocolConfig.trustManager(InsecureTrustManagerFactory.INSTANCE);
            }
            // The configuration's customizer receives the finished builder, and whatever it returns is
            // used. NOTE(review): it may therefore replace any setting above, including the trust manager.
            return new MySqlSslContextSpec(mySqlSslConfiguration.customizeSslContext(applicationProtocolConfig));
        }

        /* renamed from: configure, reason: collision with other method in class */
        // Synthetic bridge method (renamed by the decompiler) that forwards to the typed configure().
        public /* bridge */ /* synthetic */ SslProvider.ProtocolSslContextSpec m88configure(Consumer consumer) {
            return configure((Consumer<SslContextBuilder>) consumer);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the bridge handler.
     *
     * @param connectionContext connection context; must not be null
     * @param mySqlSslConfiguration SSL settings; must not be null
     */
    public SslBridgeHandler(ConnectionContext connectionContext, MySqlSslConfiguration mySqlSslConfiguration) {
        this.context = (ConnectionContext) AssertUtils.requireNonNull(connectionContext, "context must not be null");
        this.ssl = (MySqlSslConfiguration) AssertUtils.requireNonNull(mySqlSslConfiguration, "ssl must not be null");
    }

    /**
     * In TUNNEL mode, starts bridging as soon as this handler joins the pipeline instead of waiting
     * for an {@code SslState} event.
     */
    public void handlerAdded(ChannelHandlerContext channelHandlerContext) {
        if (this.ssl.getSslMode() == SslMode.TUNNEL) {
            handleSslState(channelHandlerContext, SslState.BRIDGING);
        }
    }

    /**
     * Dispatches user events: {@code SslState} events are consumed here and not propagated;
     * handshake-completion events are handled and then propagated; every other event is propagated.
     */
    public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) {
        if (obj instanceof SslState) {
            handleSslState(channelHandlerContext, (SslState) obj);
            return;
        }
        if (obj instanceof SslHandshakeCompletionEvent) {
            handleSslCompleted(channelHandlerContext, (SslHandshakeCompletionEvent) obj);
        }
        channelHandlerContext.fireUserEventTriggered(obj);
    }

    /**
     * Reacts to the end of the TLS handshake.
     *
     * <p>On failure the handshake cause is fired as an exception. On success, hostname verification
     * runs when the SSL mode requires it. Only if that passes is the synthetic SSL response emitted
     * (outside TUNNEL mode) and the bridge removed. Every early return leaves the bridge in the
     * pipeline and emits no synthetic response.
     */
    private void handleSslCompleted(ChannelHandlerContext channelHandlerContext, SslHandshakeCompletionEvent sslHandshakeCompletionEvent) {
        if (!sslHandshakeCompletionEvent.isSuccess()) {
            channelHandlerContext.fireExceptionCaught(sslHandshakeCompletionEvent.cause());
            return;
        }
        SslMode sslMode = this.ssl.getSslMode();
        if (sslMode.verifyIdentity()) {
            SSLEngine sSLEngine = this.sslEngine;
            if (sSLEngine == null) {
                channelHandlerContext.fireExceptionCaught(new IllegalStateException("sslEngine must not be null when verify identity"));
                return;
            }
            // The verified name comes from the channel's remote address, not directly from the
            // configured host. NOTE(review): InetSocketAddress.getHostName() can fall back to a reverse
            // DNS lookup when the address was created from an IP literal. Confirm the address carries
            // the intended hostname, so that the name checked is not one supplied by DNS.
            String hostName = ((InetSocketAddress) channelHandlerContext.channel().remoteAddress()).getHostName();
            if (!hostnameVerifier().verify(hostName, sSLEngine.getSession())) {
                // Only an exception is fired; the channel is not closed here.
                // NOTE(review): presumably a later handler closes the channel; confirm.
                channelHandlerContext.fireExceptionCaught(new SSLException("The hostname '" + hostName + "' could not be verified"));
                return;
            }
        }
        if (sslMode != SslMode.TUNNEL) {
            channelHandlerContext.fireChannelRead(SyntheticSslResponseMessage.INSTANCE);
        }
        logger.debug("SSL handshake completed, remove SSL bridge in pipeline");
        channelHandlerContext.pipeline().remove(NAME);
    }

    /**
     * Handles an {@code SslState} event: BRIDGING installs the SslHandler, UNSUPPORTED removes this
     * bridge, any other state is ignored.
     *
     * <p>The {@code ServerStatuses} names on the case labels are decompiler artifacts: the labels are
     * the integers 1 and 2 from the synthetic switch map, which stand for BRIDGING and UNSUPPORTED.
     */
    private void handleSslState(ChannelHandlerContext channelHandlerContext, SslState sslState) {
        switch (AnonymousClass1.$SwitchMap$io$asyncer$r2dbc$mysql$client$SslState[sslState.ordinal()]) {
            // SslState.BRIDGING: build the context, remember the engine for later hostname
            // verification, and insert the SslHandler before this bridge.
            case ServerStatuses.IN_TRANSACTION /* 1 */:
                logger.debug("SSL event triggered, enable SSL handler to pipeline");
                SslHandler newHandler = SslProvider.builder().sslContext(MySqlSslContextSpec.forClient(this.ssl, this.context)).build().getSslContext().newHandler(channelHandlerContext.alloc());
                this.sslEngine = newHandler.engine();
                channelHandlerContext.pipeline().addBefore(NAME, SSL_NAME, newHandler);
                return;
            // SslState.UNSUPPORTED: the bridge is removed and the connection continues without an
            // SslHandler. NOTE(review): this class does not reject the connection when the configured
            // mode requires TLS; confirm that whoever fires this event enforces that.
            case ServerStatuses.AUTO_COMMIT /* 2 */:
                logger.debug("Server unsupported SSL, remove SSL bridge in pipeline");
                channelHandlerContext.pipeline().remove(NAME);
                return;
            default:
                return;
        }
    }

    /**
     * Returns the configured hostname verifier, or {@code DefaultHostnameVerifier.INSTANCE} when none
     * is configured.
     */
    private HostnameVerifier hostnameVerifier() {
        HostnameVerifier sslHostnameVerifier = this.ssl.getSslHostnameVerifier();
        return sslHostnameVerifier == null ? DefaultHostnameVerifier.INSTANCE : sslHostnameVerifier;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Decides from the server version whether the full protocol list (TLS_PROTOCOLS) may be offered.
     *
     * <p>MariaDB: true for versions in [10.2.16, 10.3.0) or at least 10.3.8. Otherwise: true for
     * versions at least 5.7.28, in [5.6.46, 5.7.0), or at least 5.6.0 when the server reports itself
     * as enterprise.
     *
     * <p>NOTE(review): the warning logged by the caller on a false result mentions TLS1.2, so the
     * method name may overstate what is being detected; confirm against upstream documentation.
     *
     * @param connectionContext context supplying the server version and MariaDB flag
     * @return whether the server version falls into one of the ranges above
     */
    public static boolean isTls13Enabled(ConnectionContext connectionContext) {
        ServerVersion serverVersion = connectionContext.getServerVersion();
        return connectionContext.isMariaDb() ? (serverVersion.isGreaterThanOrEqualTo(MARIA_10_2_16) && serverVersion.isLessThan(MARIA_10_3_0)) || serverVersion.isGreaterThanOrEqualTo(MARIA_10_3_8) : serverVersion.isGreaterThanOrEqualTo(MYSQL_5_7_28) || (serverVersion.isGreaterThanOrEqualTo(MYSQL_5_6_46) && serverVersion.isLessThan(MYSQL_5_7_0)) || (serverVersion.isGreaterThanOrEqualTo(MYSQL_5_6_0) && serverVersion.isEnterprise());
    }
}
