package org.keycloak.quarkus.runtime.storage.legacy.infinispan;

import io.micrometer.core.instrument.Metrics;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Iterator;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.infinispan.configuration.cache.ConfigurationBuilder;
import org.infinispan.configuration.cache.PersistenceConfigurationBuilder;
import org.infinispan.configuration.global.GlobalConfiguration;
import org.infinispan.configuration.global.TransportConfigurationBuilder;
import org.infinispan.configuration.parsing.ConfigurationBuilderHolder;
import org.infinispan.configuration.parsing.ParserRegistry;
import org.infinispan.jboss.marshalling.core.JBossUserMarshaller;
import org.infinispan.manager.DefaultCacheManager;
import org.infinispan.metrics.config.MicrometerMeterRegisterConfigurationBuilder;
import org.infinispan.persistence.remote.configuration.ExhaustedAction;
import org.infinispan.persistence.remote.configuration.RemoteStoreConfigurationBuilder;
import org.jboss.logging.Logger;
import org.jgroups.conf.ProtocolConfiguration;
import org.jgroups.protocols.TCP_NIO2;
import org.jgroups.protocols.UDP;
import org.jgroups.util.TLS;
import org.jgroups.util.TLSClientAuth;
import org.keycloak.connections.infinispan.InfinispanConnectionProvider;
import org.keycloak.quarkus.runtime.configuration.Configuration;

/* loaded from: input_file:org/keycloak/quarkus/runtime/storage/legacy/infinispan/CacheManagerFactory.class */
public class CacheManagerFactory {
    private static final Logger logger = Logger.getLogger(CacheManagerFactory.class);
    private String config;
    private final boolean metricsEnabled;
    private DefaultCacheManager cacheManager;
    private Future<DefaultCacheManager> cacheManagerFuture;
    private ExecutorService executor;
    private boolean initialized;

    public CacheManagerFactory(String str, boolean z) {
        this.config = str;
        this.metricsEnabled = z;
        this.executor = createThreadPool();
        this.cacheManagerFuture = this.executor.submit(this::startCacheManager);
    }

    public DefaultCacheManager getOrCreate() {
        if (this.cacheManager != null) {
            return this.cacheManager;
        }
        if (this.initialized) {
            return null;
        }
        try {
            try {
                DefaultCacheManager defaultCacheManager = this.cacheManagerFuture.get(getStartTimeout().intValue(), TimeUnit.SECONDS);
                this.cacheManager = defaultCacheManager;
                shutdownThreadPool();
                return defaultCacheManager;
            } catch (Exception e) {
                throw new RuntimeException("Failed to start caches", e);
            }
        } catch (Throwable th) {
            shutdownThreadPool();
            throw th;
        }
    }

    private ExecutorService createThreadPool() {
        return Executors.newSingleThreadExecutor(runnable -> {
            return new Thread(runnable, "keycloak-cache-init");
        });
    }

    private DefaultCacheManager startCacheManager() {
        ConfigurationBuilderHolder parse = new ParserRegistry().parse(this.config);
        if (((ConfigurationBuilder) parse.getNamedConfigurationBuilders().get("sessions")).clustering().cacheMode().isClustered()) {
            configureTransportStack(parse);
            configureRemoteStores(parse);
        }
        if (this.metricsEnabled) {
            parse.getGlobalConfigurationBuilder().addModule(MicrometerMeterRegisterConfigurationBuilder.class);
            ((MicrometerMeterRegisterConfigurationBuilder) parse.getGlobalConfigurationBuilder().module(MicrometerMeterRegisterConfigurationBuilder.class)).meterRegistry(Metrics.globalRegistry);
        }
        parse.getGlobalConfigurationBuilder().serialization().marshaller(new JBossUserMarshaller());
        return new DefaultCacheManager(parse, isStartEagerly());
    }

    private boolean isStartEagerly() {
        return Boolean.parseBoolean(System.getProperty("kc.cache-ispn-start-eagerly", Boolean.TRUE.toString()));
    }

    private Integer getStartTimeout() {
        return Integer.getInteger("kc.cache-ispn-start-timeout", 120);
    }

    private void shutdownThreadPool() {
        if (this.executor != null) {
            this.executor.shutdown();
            try {
                if (!this.executor.awaitTermination(60L, TimeUnit.SECONDS)) {
                    this.executor.shutdownNow();
                    if (!this.executor.awaitTermination(60L, TimeUnit.SECONDS)) {
                        Logger.getLogger(CacheManagerFactory.class).warn("Cache init thread pool not terminated");
                    }
                }
            } catch (Exception e) {
                this.executor.shutdownNow();
            } finally {
                this.executor = null;
                this.cacheManagerFuture = null;
                this.config = null;
                this.initialized = true;
            }
        }
    }

    private void configureTransportStack(ConfigurationBuilderHolder configurationBuilderHolder) {
        String rawValue = Configuration.getRawValue("kc.cache-stack");
        TransportConfigurationBuilder transport = configurationBuilderHolder.getGlobalConfigurationBuilder().transport();
        if (rawValue != null && !rawValue.isBlank()) {
            transport.defaultTransport().stack(rawValue);
        }
        if (booleanProperty("cache-embedded-mtls-enabled")) {
            validateTlsAvailable(transport.build());
            transport.addProperty("socketFactory", new TLS().enabled(true).setKeystorePath(requiredStringProperty("cache-embedded-mtls-key-store-file")).setKeystorePassword(requiredStringProperty("cache-embedded-mtls-key-store-password")).setKeystoreType("pkcs12").setTruststorePath(requiredStringProperty("cache-embedded-mtls-trust-store-file")).setTruststorePassword(requiredStringProperty("cache-embedded-mtls-trust-store-password")).setTruststoreType("pkcs12").setClientAuth(TLSClientAuth.NEED).setProtocols(new String[]{"TLSv1.3"}).createSocketFactory());
            Logger.getLogger(CacheManagerFactory.class).info("MTLS enabled for communications for embedded caches");
        }
    }

    private void validateTlsAvailable(GlobalConfiguration globalConfiguration) {
        String stack = globalConfiguration.transport().stack();
        if (stack == null) {
            return;
        }
        Iterator it = globalConfiguration.transport().jgroups().configurator(stack).getProtocolStack().iterator();
        while (it.hasNext()) {
            String protocolName = ((ProtocolConfiguration) it.next()).getProtocolName();
            if (protocolName.equals(UDP.class.getSimpleName()) || protocolName.equals(UDP.class.getName()) || protocolName.equals(TCP_NIO2.class.getSimpleName()) || protocolName.equals(TCP_NIO2.class.getName())) {
                throw new RuntimeException("Cache TLS is not available with protocol " + protocolName);
            }
        }
    }

    private void configureRemoteStores(ConfigurationBuilderHolder configurationBuilderHolder) {
        if (Configuration.getOptionalKcValue("cache-remote-host").isPresent() || Configuration.getOptionalKcValue("cache-remote-username").isPresent() || Configuration.getOptionalKcValue("cache-remote-password").isPresent()) {
            String requiredStringProperty = requiredStringProperty("cache-remote-host");
            Integer num = (Integer) Configuration.getOptionalKcValue("cache-remote-port").map(Integer::parseInt).orElse(11222);
            String requiredStringProperty2 = requiredStringProperty("cache-remote-username");
            String requiredStringProperty3 = requiredStringProperty("cache-remote-password");
            try {
                SSLContext sSLContext = SSLContext.getInstance("TLS");
                sSLContext.init(null, null, null);
                InfinispanConnectionProvider.DISTRIBUTED_REPLICATED_CACHE_NAMES.forEach(str -> {
                    PersistenceConfigurationBuilder persistence = ((ConfigurationBuilder) configurationBuilderHolder.getNamedConfigurationBuilders().get(str)).persistence();
                    if (!persistence.stores().isEmpty()) {
                        throw new RuntimeException(String.format("Remote store for cache '%s' is already configured via CLI parameters. It should not be present in the XML file.", str));
                    }
                    persistence.addStore(RemoteStoreConfigurationBuilder.class).rawValues(true).shared(true).segmented(false).remoteCacheName(str).connectionPool().maxActive(16).exhaustedAction(ExhaustedAction.CREATE_NEW).remoteSecurity().ssl().enable().sslContext(sSLContext).sniHostName(requiredStringProperty).authentication().enable().username(requiredStringProperty2).password(requiredStringProperty3).realm("default").saslMechanism("SCRAM-SHA-512").addServer().host(requiredStringProperty).port(num.intValue()).async().enable().modificationQueueSize(1024);
                });
            } catch (KeyManagementException | NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            }
        }
    }

    private static boolean booleanProperty(String str) {
        return ((Boolean) Configuration.getOptionalKcValue(str).map(Boolean::parseBoolean).orElse(Boolean.FALSE)).booleanValue();
    }

    private static String requiredStringProperty(String str) {
        return (String) Configuration.getOptionalKcValue(str).orElseThrow(() -> {
            return new RuntimeException("Property " + str + " required but not specified");
        });
    }

    public CacheManagerFactory() {
    }
}
