package dev.miku.r2dbc.mysql.client;

import dev.miku.r2dbc.mysql.ConnectionContext;
import dev.miku.r2dbc.mysql.MySqlSslConfiguration;
import dev.miku.r2dbc.mysql.ServerVersion;
import dev.miku.r2dbc.mysql.constant.SslMode;
import dev.miku.r2dbc.mysql.message.server.SyntheticSslResponseMessage;
import dev.miku.r2dbc.mysql.util.AssertUtils;
import io.netty.channel.ChannelDuplexHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslHandshakeCompletionEvent;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import java.io.File;
import java.net.InetSocketAddress;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.netty.tcp.SslProvider;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:BOOT-INF/lib/r2dbc-mysql-0.8.2.RELEASE.jar:dev/miku/r2dbc/mysql/client/SslBridgeHandler.class */
public final class SslBridgeHandler extends ChannelDuplexHandler {
    static final String NAME = "R2dbcMySqlSslBridgeHandler";
    private static final String SSL_NAME = "R2dbcMySqlSslHandler";
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) SslBridgeHandler.class);
    private static final ServerVersion TLS1_2_COMMUNITY_VER = ServerVersion.create(8, 0, 4);
    private static final ServerVersion TLS1_2_ENTERPRISE_VER = ServerVersion.create(5, 6, 0);
    private final ConnectionContext context;
    private final MySqlSslConfiguration ssl;
    private SSLEngine sslEngine;

    /* JADX INFO: Access modifiers changed from: package-private */
    public SslBridgeHandler(ConnectionContext connectionContext, MySqlSslConfiguration mySqlSslConfiguration) {
        this.context = (ConnectionContext) AssertUtils.requireNonNull(connectionContext, "context must not be null");
        this.ssl = (MySqlSslConfiguration) AssertUtils.requireNonNull(mySqlSslConfiguration, "ssl must not be null");
    }

    @Override // io.netty.channel.ChannelHandlerAdapter, io.netty.channel.ChannelHandler
    public void handlerAdded(ChannelHandlerContext channelHandlerContext) {
        if (this.ssl.getSslMode() == SslMode.TUNNEL) {
            handleSslState(channelHandlerContext, SslState.BRIDGING);
        }
    }

    @Override // io.netty.channel.ChannelInboundHandlerAdapter, io.netty.channel.ChannelInboundHandler
    public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
        if (obj instanceof SslState) {
            handleSslState(channelHandlerContext, (SslState) obj);
            return;
        }
        if (obj instanceof SslHandshakeCompletionEvent) {
            handleSslCompleted(channelHandlerContext, (SslHandshakeCompletionEvent) obj);
        }
        super.userEventTriggered(channelHandlerContext, obj);
    }

    private void handleSslCompleted(ChannelHandlerContext channelHandlerContext, SslHandshakeCompletionEvent sslHandshakeCompletionEvent) {
        if (!sslHandshakeCompletionEvent.isSuccess()) {
            channelHandlerContext.fireExceptionCaught(sslHandshakeCompletionEvent.cause());
            return;
        }
        SslMode sslMode = this.ssl.getSslMode();
        if (sslMode.verifyIdentity()) {
            SSLEngine sSLEngine = this.sslEngine;
            if (sSLEngine == null) {
                channelHandlerContext.fireExceptionCaught((Throwable) new IllegalStateException("sslEngine must not be null when verify identity"));
                return;
            }
            String hostName = ((InetSocketAddress) channelHandlerContext.channel().remoteAddress()).getHostName();
            if (!hostnameVerifier().verify(hostName, sSLEngine.getSession())) {
                channelHandlerContext.fireExceptionCaught((Throwable) new SSLException("The hostname '" + hostName + "' could not be verified"));
                return;
            }
        }
        if (sslMode != SslMode.TUNNEL) {
            channelHandlerContext.fireChannelRead((Object) SyntheticSslResponseMessage.getInstance());
        }
        logger.debug("SSL handshake completed, remove SSL bridge in pipeline");
        channelHandlerContext.pipeline().remove(NAME);
    }

    private void handleSslState(ChannelHandlerContext channelHandlerContext, SslState sslState) {
        switch (sslState) {
            case BRIDGING:
                logger.debug("SSL event triggered, enable SSL handler to pipeline");
                SslHandler newHandler = buildProvider(this.ssl, this.context.getServerVersion()).getSslContext().newHandler(channelHandlerContext.alloc());
                this.sslEngine = newHandler.engine();
                channelHandlerContext.pipeline().addBefore(NAME, SSL_NAME, newHandler);
                return;
            case UNSUPPORTED:
                logger.debug("Server unsupported SSL, remove SSL bridge in pipeline");
                channelHandlerContext.pipeline().remove(NAME);
                return;
            default:
                return;
        }
    }

    private HostnameVerifier hostnameVerifier() {
        HostnameVerifier sslHostnameVerifier = this.ssl.getSslHostnameVerifier();
        return sslHostnameVerifier == null ? DefaultHostnameVerifier.INSTANCE : sslHostnameVerifier;
    }

    private static SslProvider buildProvider(MySqlSslConfiguration mySqlSslConfiguration, ServerVersion serverVersion) {
        return SslProvider.builder().sslContext(buildContext(mySqlSslConfiguration, serverVersion)).defaultConfiguration(SslProvider.DefaultConfigurationType.TCP).build();
    }

    private static SslContextBuilder buildContext(MySqlSslConfiguration mySqlSslConfiguration, ServerVersion serverVersion) {
        SslContextBuilder withTlsVersion = withTlsVersion(SslContextBuilder.forClient(), mySqlSslConfiguration, serverVersion);
        String sslKey = mySqlSslConfiguration.getSslKey();
        if (sslKey != null) {
            CharSequence sslKeyPassword = mySqlSslConfiguration.getSslKeyPassword();
            String sslCert = mySqlSslConfiguration.getSslCert();
            if (sslCert == null) {
                throw new IllegalStateException("SSL key param requires but SSL cert param to be present");
            }
            withTlsVersion.keyManager(new File(sslCert), new File(sslKey), sslKeyPassword == null ? null : sslKeyPassword.toString());
        }
        if (mySqlSslConfiguration.getSslMode().verifyCertificate()) {
            String sslCa = mySqlSslConfiguration.getSslCa();
            if (sslCa != null) {
                withTlsVersion.trustManager(new File(sslCa));
            }
        } else {
            withTlsVersion.trustManager(InsecureTrustManagerFactory.INSTANCE);
        }
        return mySqlSslConfiguration.customizeSslContext(withTlsVersion);
    }

    private static SslContextBuilder withTlsVersion(SslContextBuilder sslContextBuilder, MySqlSslConfiguration mySqlSslConfiguration, ServerVersion serverVersion) {
        String[] tlsVersion = mySqlSslConfiguration.getTlsVersion();
        if (tlsVersion.length > 0) {
            sslContextBuilder.protocols(tlsVersion);
        } else if (isEnabledTls1_2(serverVersion)) {
            sslContextBuilder.protocols("TLSv1.2", "TLSv1.1", "TLSv1");
        } else {
            sslContextBuilder.protocols("TLSv1.1", "TLSv1");
        }
        return sslContextBuilder;
    }

    private static boolean isEnabledTls1_2(ServerVersion serverVersion) {
        return serverVersion.isGreaterThanOrEqualTo(TLS1_2_COMMUNITY_VER) || (serverVersion.isGreaterThanOrEqualTo(TLS1_2_ENTERPRISE_VER) && serverVersion.isEnterprise());
    }
}
