package com.yahoo.vespa.model.application.validation;

import com.yahoo.config.provision.CloudName;
import com.yahoo.vespa.model.application.validation.Validation;
import com.yahoo.vespa.model.container.http.AccessControl;
import com.yahoo.vespa.model.container.http.Http;
import java.util.Set;
import java.util.logging.Level;

/* loaded from: input_file:com/yahoo/vespa/model/application/validation/AccessControlFilterExcludeValidator.class */
public class AccessControlFilterExcludeValidator implements Validator {
    @Override // com.yahoo.vespa.model.application.validation.Validator
    public void validate(Validation.Context context) {
        if (!context.deployState().isHosted() || context.deployState().zone().system().isPublic() || context.deployState().getProperties().allowDisableMtls()) {
            return;
        }
        context.model().getContainerClusters().forEach((str, applicationContainerCluster) -> {
            Http http = applicationContainerCluster.getHttp();
            if (http == null || !http.getAccessControl().isPresent()) {
                return;
            }
            verifyNoExclusions(str, http.getAccessControl().get(), context);
        });
    }

    private void verifyNoExclusions(String str, AccessControl accessControl, Validation.Context context) {
        if (accessControl.excludedBindings().isEmpty()) {
            return;
        }
        String formatted = "Application cluster %s excludes paths from access control, this is not allowed and should be removed.".formatted(str);
        if (Set.of(CloudName.DEFAULT, CloudName.YAHOO).contains(context.deployState().zone().cloud().name())) {
            context.deployState().getDeployLogger().log(Level.WARNING, formatted);
        } else {
            context.illegal(formatted);
        }
    }
}
