package com.google.cloud.sql.mysql;

import com.google.api.client.auth.oauth2.Credential;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.googleapis.json.GoogleJsonError;
import com.google.api.client.googleapis.json.GoogleJsonResponseException;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.sqladmin.SQLAdmin;
import com.google.api.services.sqladmin.model.DatabaseInstance;
import com.google.api.services.sqladmin.model.IpMapping;
import com.google.api.services.sqladmin.model.SslCert;
import com.google.api.services.sqladmin.model.SslCertsCreateEphemeralRequest;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Optional;
import com.google.common.base.Throwables;
import com.google.common.util.concurrent.RateLimiter;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;
import javax.annotation.Nullable;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.bind.DatatypeConverter;

/* loaded from: input_file:com/google/cloud/sql/mysql/SslSocketFactory.class */
public class SslSocketFactory {
    private static final Logger logger = Logger.getLogger(SslSocketFactory.class.getName());
    static final String ADMIN_API_NOT_ENABLED_REASON = "accessNotConfigured";
    static final String INSTANCE_NOT_AUTHORIZED_REASON = "notAuthorized";
    private static final String CREDENTIAL_FACTORY_PROPERTY = "_CLOUD_SQL_API_CREDENTIAL_FACTORY";
    private static final String API_ROOT_URL_PROPERTY = "_CLOUD_SQL_API_ROOT_URL";
    private static final String API_SERVICE_PATH_PROPERTY = "_CLOUD_SQL_API_SERVICE_PATH";
    private static final int DEFAULT_SERVER_PROXY_PORT = 3307;
    private static final int RSA_KEY_SIZE = 2048;
    private static SslSocketFactory sslSocketFactory;
    private final CertificateFactory certificateFactory;
    private final Clock clock;
    private final KeyPair localKeyPair;
    private final Credential credential;
    private final SQLAdmin adminApi;
    private final int serverProxyPort;
    private final Map<String, InstanceLookupResult> cache = new HashMap();
    private final RateLimiter forcedRenewRateLimiter = RateLimiter.create(0.016666666666666666d);

    /* loaded from: input_file:com/google/cloud/sql/mysql/SslSocketFactory$ApplicationDefaultCredentialFactory.class */
    private static class ApplicationDefaultCredentialFactory implements CredentialFactory {
        private ApplicationDefaultCredentialFactory() {
        }

        @Override // com.google.cloud.sql.mysql.CredentialFactory
        public Credential create() {
            try {
                GoogleCredential applicationDefault = GoogleCredential.getApplicationDefault();
                if (applicationDefault.createScopedRequired()) {
                    applicationDefault = applicationDefault.createScoped(Collections.singletonList("https://www.googleapis.com/auth/sqlservice.admin"));
                }
                return applicationDefault;
            } catch (IOException e) {
                throw new RuntimeException("Unable to obtain credentials to communicate with the Cloud SQL API", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/google/cloud/sql/mysql/SslSocketFactory$CertificateCaching.class */
    public enum CertificateCaching {
        USE_CACHE,
        BYPASS_CACHE
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/google/cloud/sql/mysql/SslSocketFactory$Clock.class */
    public static class Clock {
        Clock() {
        }

        long now() {
            return System.currentTimeMillis();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/cloud/sql/mysql/SslSocketFactory$InstanceLookupResult.class */
    public class InstanceLookupResult {
        private final Optional<RuntimeException> exception;
        private final long lastFailureMillis;
        private final Optional<InstanceSslInfo> instanceSslInfo;

        public InstanceLookupResult(RuntimeException runtimeException) {
            this.exception = Optional.of(runtimeException);
            this.lastFailureMillis = SslSocketFactory.this.clock.now();
            this.instanceSslInfo = Optional.absent();
        }

        public InstanceLookupResult(InstanceSslInfo instanceSslInfo) {
            this.instanceSslInfo = Optional.of(instanceSslInfo);
            this.exception = Optional.absent();
            this.lastFailureMillis = 0L;
        }

        public boolean isSuccessful() {
            return !this.exception.isPresent();
        }

        public Optional<InstanceSslInfo> getInstanceSslInfo() {
            return this.instanceSslInfo;
        }

        public Optional<RuntimeException> getException() {
            return this.exception;
        }

        public long getLastFailureMillis() {
            return this.lastFailureMillis;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/cloud/sql/mysql/SslSocketFactory$InstanceSslInfo.class */
    public static class InstanceSslInfo {
        private final String instanceIpAddress;
        private final X509Certificate ephemeralCertificate;
        private final SSLSocketFactory sslSocketFactory;

        InstanceSslInfo(String str, X509Certificate x509Certificate, SSLSocketFactory sSLSocketFactory) {
            this.instanceIpAddress = str;
            this.ephemeralCertificate = x509Certificate;
            this.sslSocketFactory = sSLSocketFactory;
        }

        public String getInstanceIpAddress() {
            return this.instanceIpAddress;
        }

        public X509Certificate getEphemeralCertificate() {
            return this.ephemeralCertificate;
        }

        public SSLSocketFactory getSslSocketFactory() {
            return this.sslSocketFactory;
        }
    }

    @VisibleForTesting
    SslSocketFactory(Clock clock, KeyPair keyPair, Credential credential, SQLAdmin sQLAdmin, int i) {
        try {
            this.certificateFactory = CertificateFactory.getInstance("X.509");
            this.clock = clock;
            this.localKeyPair = keyPair;
            this.credential = credential;
            this.adminApi = sQLAdmin;
            this.serverProxyPort = i;
        } catch (CertificateException e) {
            throw new RuntimeException("X509 implementation not available", e);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v18, types: [com.google.cloud.sql.mysql.CredentialFactory] */
    public static synchronized SslSocketFactory getInstance() {
        ApplicationDefaultCredentialFactory applicationDefaultCredentialFactory;
        if (sslSocketFactory == null) {
            logger.info("First Cloud SQL connection, generating RSA key pair.");
            KeyPair generateRsaKeyPair = generateRsaKeyPair();
            if (System.getProperty(CREDENTIAL_FACTORY_PROPERTY) != null) {
                logTestPropertyWarning(CREDENTIAL_FACTORY_PROPERTY);
                try {
                    applicationDefaultCredentialFactory = (CredentialFactory) Class.forName(System.getProperty(CREDENTIAL_FACTORY_PROPERTY)).newInstance();
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            } else {
                applicationDefaultCredentialFactory = new ApplicationDefaultCredentialFactory();
            }
            Credential create = applicationDefaultCredentialFactory.create();
            sslSocketFactory = new SslSocketFactory(new Clock(), generateRsaKeyPair, create, createAdminApiClient(create), DEFAULT_SERVER_PROXY_PORT);
        }
        return sslSocketFactory;
    }

    public Socket create(String str) throws IOException {
        try {
            return createAndConfigureSocket(str, CertificateCaching.USE_CACHE);
        } catch (SSLHandshakeException e) {
            logger.warning(String.format("SSL handshake failed for Cloud SQL instance [%s], retrying with new certificate.\n%s", str, Throwables.getStackTraceAsString(e)));
            if (!this.forcedRenewRateLimiter.tryAcquire()) {
                logger.warning(String.format("Renewing too often, rate limiting certificate renewal for Cloud SQL instance [%s].", str));
                this.forcedRenewRateLimiter.acquire();
            }
            return createAndConfigureSocket(str, CertificateCaching.BYPASS_CACHE);
        }
    }

    private static void logTestPropertyWarning(String str) {
        logger.warning(String.format("%s is a test property and may be changed or removed in a future version without notice.", str));
    }

    private SSLSocket createAndConfigureSocket(String str, CertificateCaching certificateCaching) throws IOException {
        InstanceSslInfo instanceSslInfo = getInstanceSslInfo(str, certificateCaching);
        String instanceIpAddress = instanceSslInfo.getInstanceIpAddress();
        logger.info(String.format("Connecting to Cloud SQL instance [%s] on IP [%s].", str, instanceIpAddress));
        SSLSocket sSLSocket = (SSLSocket) instanceSslInfo.getSslSocketFactory().createSocket(instanceIpAddress, this.serverProxyPort);
        sSLSocket.setKeepAlive(true);
        sSLSocket.setTcpNoDelay(true);
        sSLSocket.startHandshake();
        return sSLSocket;
    }

    @VisibleForTesting
    synchronized InstanceSslInfo getInstanceSslInfo(String str, CertificateCaching certificateCaching) {
        InstanceLookupResult instanceLookupResult;
        if (certificateCaching.equals(CertificateCaching.USE_CACHE) && (instanceLookupResult = this.cache.get(str)) != null) {
            if (!instanceLookupResult.isSuccessful() && this.clock.now() - instanceLookupResult.getLastFailureMillis() < 60000) {
                logger.warning("Re-throwing cached exception due to attempt to refresh instance information too soon after error.");
                throw ((RuntimeException) instanceLookupResult.getException().get());
            }
            if (instanceLookupResult.isSuccessful()) {
                InstanceSslInfo instanceSslInfo = (InstanceSslInfo) instanceLookupResult.getInstanceSslInfo().get();
                if (instanceSslInfo != null) {
                    GregorianCalendar gregorianCalendar = new GregorianCalendar();
                    gregorianCalendar.setTimeInMillis(this.clock.now());
                    gregorianCalendar.add(12, 5);
                    try {
                        instanceSslInfo.getEphemeralCertificate().checkValidity(gregorianCalendar.getTime());
                    } catch (CertificateException e) {
                        logger.info(String.format("Ephemeral certificate for Cloud SQL instance [%s] is about to expire, obtaining new one.", str));
                        instanceSslInfo = null;
                    }
                }
                if (instanceSslInfo != null) {
                    return instanceSslInfo;
                }
            }
        }
        String format = String.format("Invalid Cloud SQL instance [%s], expected value in form [project:region:name].", str);
        int lastIndexOf = str.lastIndexOf(58);
        if (lastIndexOf <= 0) {
            throw new IllegalArgumentException(format);
        }
        int lastIndexOf2 = str.lastIndexOf(58, lastIndexOf - 1);
        if (lastIndexOf2 <= 0) {
            throw new IllegalArgumentException(format);
        }
        try {
            InstanceSslInfo fetchInstanceSslInfo = fetchInstanceSslInfo(str, str.substring(0, lastIndexOf2), str.substring(lastIndexOf2 + 1, lastIndexOf), str.substring(lastIndexOf + 1));
            this.cache.put(str, new InstanceLookupResult(fetchInstanceSslInfo));
            return fetchInstanceSslInfo;
        } catch (RuntimeException e2) {
            this.cache.put(str, new InstanceLookupResult(e2));
            throw e2;
        }
    }

    private InstanceSslInfo fetchInstanceSslInfo(String str, String str2, String str3, String str4) {
        logger.info(String.format("Obtaining ephemeral certificate for Cloud SQL instance [%s].", str));
        DatabaseInstance obtainInstanceMetadata = obtainInstanceMetadata(this.adminApi, str, str2, str4);
        if (obtainInstanceMetadata.getIpAddresses().isEmpty()) {
            throw new RuntimeException(String.format("Cloud SQL instance [%s] does not have any external IP addresses", str));
        }
        if (!obtainInstanceMetadata.getRegion().equals(str3)) {
            throw new IllegalArgumentException(String.format("Incorrect region value [%s] for Cloud SQL instance [%s], should be [%s]", str3, str, obtainInstanceMetadata.getRegion()));
        }
        X509Certificate obtainEphemeralCertificate = obtainEphemeralCertificate(this.adminApi, str, str2, str4);
        try {
            return new InstanceSslInfo(((IpMapping) obtainInstanceMetadata.getIpAddresses().get(0)).getIpAddress(), obtainEphemeralCertificate, createSslContext(obtainEphemeralCertificate, this.certificateFactory.generateCertificate(new ByteArrayInputStream(obtainInstanceMetadata.getServerCaCert().getCert().getBytes(StandardCharsets.UTF_8)))).getSocketFactory());
        } catch (CertificateException e) {
            throw new RuntimeException(String.format("Unable to parse certificate for Cloud SQL instance [%s]", str), e);
        }
    }

    private SSLContext createSslContext(Certificate certificate, Certificate certificate2) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            keyStore.setEntry("ephemeral", new KeyStore.PrivateKeyEntry(this.localKeyPair.getPrivate(), new Certificate[]{certificate}), new KeyStore.PasswordProtection(new char[0]));
            try {
                KeyStore keyStore2 = KeyStore.getInstance(KeyStore.getDefaultType());
                keyStore2.load(null, null);
                keyStore2.setCertificateEntry("instance", certificate2);
                try {
                    SSLContext sSLContext = SSLContext.getInstance("TLSv1.2");
                    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                    keyManagerFactory.init(keyStore, new char[0]);
                    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X.509");
                    trustManagerFactory.init(keyStore2);
                    sSLContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
                    return sSLContext;
                } catch (GeneralSecurityException e) {
                    throw new RuntimeException("There was a problem initializing the SSL context", e);
                }
            } catch (IOException | GeneralSecurityException e2) {
                throw new RuntimeException("There was a problem initializing the trust key store", e2);
            }
        } catch (IOException | GeneralSecurityException e3) {
            throw new RuntimeException("There was a problem initializing the auth key store", e3);
        }
    }

    private DatabaseInstance obtainInstanceMetadata(SQLAdmin sQLAdmin, String str, String str2, String str3) {
        try {
            DatabaseInstance databaseInstance = (DatabaseInstance) sQLAdmin.instances().get(str2, str3).execute();
            if (databaseInstance.getBackendType().equals("SECOND_GEN")) {
                return databaseInstance;
            }
            throw new IllegalArgumentException("This client only supports connections to Second Generation Cloud SQL instances");
        } catch (GoogleJsonResponseException e) {
            if (e.getDetails() == null || e.getDetails().getErrors().isEmpty()) {
                throw new RuntimeException(String.format("Unable to retrieve information about Cloud SQL instance [%s]", str), e);
            }
            String reason = ((GoogleJsonError.ErrorInfo) e.getDetails().getErrors().get(0)).getReason();
            if (ADMIN_API_NOT_ENABLED_REASON.equals(reason)) {
                throw new RuntimeException(String.format("The Google Cloud SQL API is not enabled for project [%s]. Please use the Google Developers Console to enable it: %s", str2, "https://console.cloud.google.com/apis/api/sqladmin/overview?project=" + str2));
            }
            if (INSTANCE_NOT_AUTHORIZED_REASON.equals(reason)) {
                throw new RuntimeException(String.format("Cloud SQL Instance [%s] does not exist or %s not authorized to access it. Please check the instance and project names to make sure they are correct.", str, getCredentialServiceAccount(this.credential) != null ? "[" + getCredentialServiceAccount(this.credential) + "] is" : "you are"));
            }
            throw new RuntimeException(String.format("Unable to retrieve information about Cloud SQL instance [%s]", str), e);
        } catch (IOException e2) {
            throw new RuntimeException(String.format("Unable to retrieve information about Cloud SQL instance [%s]", str), e2);
        }
    }

    private X509Certificate obtainEphemeralCertificate(SQLAdmin sQLAdmin, String str, String str2, String str3) {
        SslCertsCreateEphemeralRequest sslCertsCreateEphemeralRequest = new SslCertsCreateEphemeralRequest();
        sslCertsCreateEphemeralRequest.setPublicKey("-----BEGIN RSA PUBLIC KEY-----\n" + DatatypeConverter.printBase64Binary(this.localKeyPair.getPublic().getEncoded()).replaceAll("(.{64})", "$1\n") + "\n-----END RSA PUBLIC KEY-----\n");
        try {
            try {
                return (X509Certificate) this.certificateFactory.generateCertificate(new ByteArrayInputStream(((SslCert) sQLAdmin.sslCerts().createEphemeral(str2, str3, sslCertsCreateEphemeralRequest).execute()).getCert().getBytes(StandardCharsets.UTF_8)));
            } catch (CertificateException e) {
                throw new RuntimeException(String.format("Unable to parse ephemeral certificate for Cloud SQL instance [%s]", str), e);
            }
        } catch (IOException e2) {
            throw new RuntimeException(String.format("Unable to obtain ephemeral certificate for Cloud SQL instance [%s]", str), e2);
        } catch (GoogleJsonResponseException e3) {
            if (e3.getDetails() == null || e3.getDetails().getErrors().isEmpty()) {
                throw new RuntimeException(String.format("Unable to obtain ephemeral certificate for Cloud SQL instance [%s]", str), e3);
            }
            if (INSTANCE_NOT_AUTHORIZED_REASON.equals(((GoogleJsonError.ErrorInfo) e3.getDetails().getErrors().get(0)).getReason())) {
                throw new RuntimeException(String.format("Unable to obtain ephemeral certificate for Cloud SQL Instance [%s]. Make sure %s Editor or Owner role on the project.", str, getCredentialServiceAccount(this.credential) != null ? "[" + getCredentialServiceAccount(this.credential) + "] has" : "you have"));
            }
            throw new RuntimeException(String.format("Unable to obtain ephemeral certificate for Cloud SQL instance [%s]", str), e3);
        }
    }

    @Nullable
    private String getCredentialServiceAccount(Credential credential) {
        if (credential instanceof GoogleCredential) {
            return ((GoogleCredential) credential).getServiceAccountId();
        }
        return null;
    }

    private static SQLAdmin createAdminApiClient(Credential credential) {
        try {
            NetHttpTransport newTrustedTransport = GoogleNetHttpTransport.newTrustedTransport();
            String property = System.getProperty(API_ROOT_URL_PROPERTY);
            String property2 = System.getProperty(API_SERVICE_PATH_PROPERTY);
            SQLAdmin.Builder applicationName = new SQLAdmin.Builder(newTrustedTransport, JacksonFactory.getDefaultInstance(), credential).setApplicationName("Cloud SQL Java Socket Factory");
            if (property != null) {
                logTestPropertyWarning(API_ROOT_URL_PROPERTY);
                applicationName.setRootUrl(property);
            }
            if (property2 != null) {
                logTestPropertyWarning(API_SERVICE_PATH_PROPERTY);
                applicationName.setServicePath(property2);
            }
            return applicationName.build();
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException("Unable to initialize HTTP transport", e);
        }
    }

    private static KeyPair generateRsaKeyPair() {
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(RSA_KEY_SIZE);
            return keyPairGenerator.generateKeyPair();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Unable to initialize Cloud SQL socket factory because no RSA implementation is available.");
        }
    }
}
