package com.yahoo.vespa.model.container.http;

import com.yahoo.component.ComponentId;
import com.yahoo.component.ComponentSpecification;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.vespa.model.container.ApplicationContainerCluster;
import com.yahoo.vespa.model.container.ContainerCluster;
import com.yahoo.vespa.model.container.component.BindingPattern;
import com.yahoo.vespa.model.container.component.FileStatusHandlerComponent;
import com.yahoo.vespa.model.container.component.Handler;
import com.yahoo.vespa.model.container.component.SystemBindingPattern;
import com.yahoo.vespa.model.container.http.FilterBinding;
import com.yahoo.vespa.model.container.http.HttpFilterChain;
import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;

/* loaded from: input_file:com/yahoo/vespa/model/container/http/AccessControl.class */
public class AccessControl {
    private static final int HOSTED_CONTAINER_PORT = 4443;
    public final String domain;
    public final ClientAuthentication clientAuthentication;
    private final Set<BindingPattern> excludedBindings;
    private final Collection<Handler> handlers;
    public static final ComponentId ACCESS_CONTROL_CHAIN_ID = ComponentId.fromString("access-control-chain");
    public static final ComponentId ACCESS_CONTROL_EXCLUDED_CHAIN_ID = ComponentId.fromString("access-control-excluded-chain");
    public static final ComponentId DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID = ComponentId.fromString("default-connector-hosted-request-chain");
    public static final List<String> EXCLUDED_HANDLERS = List.of(FileStatusHandlerComponent.CLASS, ContainerCluster.APPLICATION_STATUS_HANDLER_CLASS, ContainerCluster.BINDINGS_OVERVIEW_HANDLER_CLASS, ContainerCluster.STATE_HANDLER_CLASS, ContainerCluster.LOG_HANDLER_CLASS, ApplicationContainerCluster.METRICS_V2_HANDLER_CLASS, ApplicationContainerCluster.PROMETHEUS_V1_HANDLER_CLASS);

    /* loaded from: input_file:com/yahoo/vespa/model/container/http/AccessControl$Builder.class */
    public static class Builder {
        private final String domain;
        private ClientAuthentication clientAuthentication = ClientAuthentication.need;
        private final Set<BindingPattern> excludeBindings = new LinkedHashSet();
        private Collection<Handler> handlers = List.of();

        public Builder(String str) {
            this.domain = str;
        }

        public Builder excludeBinding(BindingPattern bindingPattern) {
            this.excludeBindings.add(bindingPattern);
            return this;
        }

        public Builder setHandlers(ApplicationContainerCluster applicationContainerCluster) {
            this.handlers = applicationContainerCluster.getHandlers();
            return this;
        }

        public Builder clientAuthentication(ClientAuthentication clientAuthentication) {
            this.clientAuthentication = clientAuthentication;
            return this;
        }

        public AccessControl build() {
            return new AccessControl(this.domain, this.clientAuthentication, this.excludeBindings, this.handlers);
        }
    }

    /* loaded from: input_file:com/yahoo/vespa/model/container/http/AccessControl$ClientAuthentication.class */
    public enum ClientAuthentication {
        want,
        need
    }

    private AccessControl(String str, ClientAuthentication clientAuthentication, Set<BindingPattern> set, Collection<Handler> collection) {
        this.domain = str;
        this.clientAuthentication = clientAuthentication;
        this.excludedBindings = Collections.unmodifiableSet(set);
        this.handlers = collection;
    }

    public void configureHttpFilterChains(Http http) {
        http.setAccessControl(this);
        addAccessControlFilterChain(http);
        addAccessControlExcludedChain(http);
        addDefaultHostedRequestChain(http);
        removeDuplicateBindingsFromAccessControlChain(http);
    }

    public void configureHostedConnector(HostedSslConnectorFactory hostedSslConnectorFactory) {
        hostedSslConnectorFactory.setDefaultRequestFilterChain(ACCESS_CONTROL_CHAIN_ID);
    }

    public void configureDefaultHostedConnector(Http http) {
        http.getHttpServer().get().getConnectorFactories().stream().filter(connectorFactory -> {
            return connectorFactory.getListenPort() == Defaults.getDefaults().vespaWebServicePort();
        }).findFirst().orElseThrow(() -> {
            return new RuntimeException("Could not find default connector");
        }).setDefaultRequestFilterChain(DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID);
    }

    public Set<BindingPattern> excludedBindings() {
        return this.excludedBindings;
    }

    public Collection<Handler> handlers() {
        return this.handlers;
    }

    public static boolean hasHandlerThatNeedsProtection(ApplicationContainerCluster applicationContainerCluster) {
        return applicationContainerCluster.getHandlers().stream().anyMatch(handler -> {
            return !isExcludedHandler(handler) && hasNonMbusBinding(handler);
        });
    }

    private void addAccessControlFilterChain(Http http) {
        http.getFilterChains().add((FilterChains) createChain(ACCESS_CONTROL_CHAIN_ID));
    }

    private void addAccessControlExcludedChain(Http http) {
        http.getFilterChains().add((FilterChains) createChain(ACCESS_CONTROL_EXCLUDED_CHAIN_ID));
        Iterator<BindingPattern> it = this.excludedBindings.iterator();
        while (it.hasNext()) {
            http.getBindings().add(createAccessControlExcludedBinding(it.next()));
        }
        for (Handler handler : this.handlers) {
            if (isExcludedHandler(handler)) {
                Iterator<BindingPattern> it2 = handler.getServerBindings().iterator();
                while (it2.hasNext()) {
                    http.getBindings().add(createAccessControlExcludedBinding(it2.next()));
                }
            }
        }
    }

    private void addDefaultHostedRequestChain(Http http) {
        http.getFilterChains().add((FilterChains) createChain(DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID));
    }

    private void removeDuplicateBindingsFromAccessControlChain(Http http) {
        removeDuplicateBindingsFromChain(http, ACCESS_CONTROL_EXCLUDED_CHAIN_ID);
    }

    private void removeDuplicateBindingsFromChain(Http http, ComponentId componentId) {
        HashSet hashSet = new HashSet();
        for (FilterBinding filterBinding : http.getBindings()) {
            if (filterBinding.chainId().toId().equals(componentId)) {
                Iterator<FilterBinding> it = http.getBindings().iterator();
                while (it.hasNext()) {
                    if (effectivelyDuplicateOf(filterBinding, it.next())) {
                        hashSet.add(filterBinding);
                    }
                }
            }
        }
        List<FilterBinding> bindings = http.getBindings();
        Objects.requireNonNull(bindings);
        hashSet.forEach((v1) -> {
            r1.remove(v1);
        });
    }

    private static boolean effectivelyDuplicateOf(FilterBinding filterBinding, FilterBinding filterBinding2) {
        if (filterBinding.chainId().equals(filterBinding2.chainId()) || filterBinding2.type() == FilterBinding.Type.RESPONSE) {
            return false;
        }
        return filterBinding.binding().equals(filterBinding2.binding()) || (filterBinding.binding().path().equals(filterBinding2.binding().path()) && filterBinding2.binding().matchesAnyPort());
    }

    private static FilterBinding createAccessControlExcludedBinding(BindingPattern bindingPattern) {
        return FilterBinding.create(FilterBinding.Type.REQUEST, new ComponentSpecification(ACCESS_CONTROL_EXCLUDED_CHAIN_ID.stringValue()), SystemBindingPattern.fromHttpPortAndPath(Integer.toString(HOSTED_CONTAINER_PORT), bindingPattern.path()));
    }

    private static HttpFilterChain createChain(ComponentId componentId) {
        return new HttpFilterChain(componentId, HttpFilterChain.Type.SYSTEM);
    }

    private static boolean isExcludedHandler(Handler handler) {
        return EXCLUDED_HANDLERS.contains(handler.getClassId().getName());
    }

    private static boolean hasNonMbusBinding(Handler handler) {
        return handler.getServerBindings().stream().anyMatch(bindingPattern -> {
            return !bindingPattern.scheme().equals("mbus");
        });
    }
}
