package io.quarkus.kafka.client.tls;

import io.quarkus.kafka.client.runtime.KafkaRuntimeConfigProducer;
import io.quarkus.tls.TlsConfiguration;
import io.quarkus.tls.TlsConfigurationRegistry;
import jakarta.enterprise.inject.Instance;
import jakarta.enterprise.inject.spi.CDI;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.security.KeyStore;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.kafka.common.security.auth.SslEngineFactory;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/kafka/client/tls/QuarkusKafkaSslEngineFactory.class */
public class QuarkusKafkaSslEngineFactory implements SslEngineFactory {
    private static final Logger log = Logger.getLogger(QuarkusKafkaSslEngineFactory.class);
    private static final Set<String> KAFKA_SSL_CONFIGS = Set.of((Object[]) new String[]{"ssl.keystore.type", "ssl.keystore.location", "ssl.keystore.password", "ssl.key.password", "ssl.truststore.type", "ssl.truststore.location", "ssl.truststore.password", "ssl.keystore.certificate.chain", "ssl.keystore.key", "ssl.truststore.certificates", "ssl.protocol", "ssl.provider", "ssl.cipher.suites", "ssl.enabled.protocols", "ssl.keymanager.algorithm", "ssl.trustmanager.algorithm", "ssl.secure.random.implementation"});
    private TlsConfiguration configuration;
    private SSLContext sslContext;

    public SSLEngine createClientSslEngine(String str, int i, String str2) {
        SSLEngine createSSLEngine = this.sslContext.createSSLEngine(str, i);
        createSSLEngine.setUseClientMode(true);
        SSLParameters sSLParameters = createSSLEngine.getSSLParameters();
        sSLParameters.setEndpointIdentificationAlgorithm(str2);
        createSSLEngine.setSSLParameters(sSLParameters);
        return createSSLEngine;
    }

    public SSLEngine createServerSslEngine(String str, int i) {
        throw new IllegalStateException("Server mode is not supported");
    }

    public boolean shouldBeRebuilt(Map<String, Object> map) {
        return false;
    }

    public Set<String> reconfigurableConfigs() {
        return Set.of();
    }

    public KeyStore keystore() {
        return this.configuration.getKeyStore();
    }

    public KeyStore truststore() {
        return this.configuration.getTrustStore();
    }

    public void close() throws IOException {
        this.sslContext = null;
        this.configuration = null;
    }

    public void configure(Map<String, ?> map) {
        String str = (String) map.get(KafkaRuntimeConfigProducer.TLS_CONFIG_NAME_KEY);
        if (str == null) {
            throw new IllegalArgumentException("The 'tls-configuration-name' property is required for Kafka Quarkus TLS Registry integration.");
        }
        Instance select = CDI.current().getBeanManager().createInstance().select(TlsConfigurationRegistry.class, new Annotation[0]);
        if (select.isUnsatisfied()) {
            return;
        }
        this.configuration = (TlsConfiguration) ((TlsConfigurationRegistry) select.get()).get(str).orElseThrow(() -> {
            return new IllegalArgumentException("No TLS configuration found for name " + str);
        });
        try {
            this.sslContext = this.configuration.createSSLContext();
            log.debugf("Configured Kafka client '%s' QuarkusKafkaSslEngineFactory with TLS configuration : %s", (String) map.get("client.id"), str);
        } catch (Exception e) {
            throw new RuntimeException("Failed to create SSLContext", e);
        }
    }

    public static void checkForOtherSslConfigs(Map<String, ?> map) {
        String str = (String) map.get(KafkaRuntimeConfigProducer.TLS_CONFIG_NAME_KEY);
        for (String str2 : KAFKA_SSL_CONFIGS) {
            if (map.containsKey(str2)) {
                log.warnf("The SSL configuration '%s' is set for Kafka client '%s' but it will be ignored because the TLS configuration '%s' is set", str2, map.get("client.id"), str);
            }
        }
    }
}
