package com.yahoo.jdisc.http.server.jetty;

import com.yahoo.concurrent.DaemonThreadFactory;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.TrustAllX509TrustManager;
import com.yahoo.security.tls.TransportSecurityOptions;
import com.yahoo.security.tls.TransportSecurityUtils;
import jakarta.servlet.AsyncContext;
import jakarta.servlet.AsyncEvent;
import jakarta.servlet.AsyncListener;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletOutputStream;
import jakarta.servlet.WriteListener;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.file.Path;
import java.time.Duration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.ProxyProtocolClientConnectionFactory;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.client.http.HttpClientTransportOverHTTP;
import org.eclipse.jetty.http.HttpField;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.io.ClientConnector;
import org.eclipse.jetty.server.DetectorConnectionFactory;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.HandlerWrapper;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.class */
public class HealthCheckProxyHandler extends HandlerWrapper {
    private static final Logger log = Logger.getLogger(HealthCheckProxyHandler.class.getName());
    private static final String HEALTH_CHECK_PATH = "/status.html";
    private final ExecutorService executor = Executors.newSingleThreadExecutor(new DaemonThreadFactory("health-check-proxy-client-"));
    private final Map<Integer, ProxyTarget> portToProxyTargetMapping;

    /* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler$ProxyRequestTask.class */
    private static class ProxyRequestTask implements Runnable {
        final AsyncContext asyncContext;
        final ProxyTarget target;
        final HttpServletResponse servletResponse;
        final ServletOutputStream output;
        final Object monitor = new Object();
        State state = State.INITIALIZED;

        /* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler$ProxyRequestTask$State.class */
        enum State {
            INITIALIZED,
            DONE
        }

        ProxyRequestTask(AsyncContext asyncContext, ProxyTarget proxyTarget, HttpServletResponse httpServletResponse, ServletOutputStream servletOutputStream) {
            this.asyncContext = asyncContext;
            this.target = proxyTarget;
            this.servletResponse = httpServletResponse;
            this.output = servletOutputStream;
        }

        @Override // java.lang.Runnable
        public void run() {
            synchronized (this.monitor) {
                if (this.state == State.DONE) {
                    return;
                }
                final StatusResponse requestStatusHtml = this.target.requestStatusHtml();
                synchronized (this.monitor) {
                    if (this.state == State.DONE) {
                        return;
                    }
                    this.output.setWriteListener(new WriteListener() { // from class: com.yahoo.jdisc.http.server.jetty.HealthCheckProxyHandler.ProxyRequestTask.1
                        public void onWritePossible() throws IOException {
                            if (ProxyRequestTask.this.output.isReady()) {
                                synchronized (ProxyRequestTask.this.monitor) {
                                    if (ProxyRequestTask.this.state == State.DONE) {
                                        return;
                                    }
                                    ProxyRequestTask.this.servletResponse.setStatus(requestStatusHtml.statusCode);
                                    if (requestStatusHtml.contentType != null) {
                                        ProxyRequestTask.this.servletResponse.setHeader("Content-Type", requestStatusHtml.contentType);
                                    }
                                    ProxyRequestTask.this.servletResponse.setHeader("Vespa-Health-Check-Proxy-Target", Integer.toString(ProxyRequestTask.this.target.port));
                                    if (requestStatusHtml.content != null) {
                                        ProxyRequestTask.this.output.write(requestStatusHtml.content);
                                    }
                                    ProxyRequestTask.this.state = State.DONE;
                                    ProxyRequestTask.this.asyncContext.complete();
                                }
                            }
                        }

                        public void onError(Throwable th) {
                            HealthCheckProxyHandler.log.log(Level.FINE, th, () -> {
                                return "Failed to write status response: " + th.getMessage();
                            });
                            synchronized (ProxyRequestTask.this.monitor) {
                                if (ProxyRequestTask.this.state == State.DONE) {
                                    return;
                                }
                                ProxyRequestTask.this.state = State.DONE;
                                ProxyRequestTask.this.servletResponse.setStatus(500);
                                ProxyRequestTask.this.asyncContext.complete();
                            }
                        }
                    });
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler$ProxyTarget.class */
    public static class ProxyTarget implements AutoCloseable {
        final int port;
        final Duration clientTimeout;
        final Duration handlerTimeout;
        final Duration cacheExpiry;
        final SslContextFactory.Server serverSsl;
        final boolean proxyProtocol;
        volatile HttpClient client;
        volatile StatusResponse lastResponse;

        ProxyTarget(int i, Duration duration, Duration duration2, Duration duration3, SslContextFactory.Server server, boolean z) {
            this.port = i;
            this.clientTimeout = duration;
            this.cacheExpiry = duration3;
            this.serverSsl = server;
            this.proxyProtocol = z;
            this.handlerTimeout = duration2;
        }

        StatusResponse requestStatusHtml() {
            StatusResponse statusResponse = this.lastResponse;
            if (statusResponse != null && !statusResponse.isExpired(this.cacheExpiry)) {
                return statusResponse;
            }
            StatusResponse statusResponse2 = getStatusResponse();
            this.lastResponse = statusResponse2;
            return statusResponse2;
        }

        private StatusResponse getStatusResponse() {
            try {
                Request newRequest = client().newRequest("https://localhost:" + this.port + "/status.html");
                newRequest.timeout(this.clientTimeout.toMillis(), TimeUnit.MILLISECONDS);
                newRequest.idleTimeout(this.clientTimeout.toMillis(), TimeUnit.MILLISECONDS);
                if (this.proxyProtocol) {
                    newRequest.tag(new ProxyProtocolClientConnectionFactory.V1.Tag());
                }
                ContentResponse send = newRequest.send();
                byte[] content = send.getContent();
                return (content == null || content.length <= 0) ? new StatusResponse(send.getStatus(), null, null) : new StatusResponse(send.getStatus(), send.getMediaType(), content);
            } catch (TimeoutException e) {
                HealthCheckProxyHandler.log.log(Level.FINE, e, () -> {
                    return "Proxy request timeout ('" + e.getMessage() + "')";
                });
                return new StatusResponse(503, null, null);
            } catch (Exception e2) {
                HealthCheckProxyHandler.log.log(Level.FINE, e2, () -> {
                    return "Proxy request failed ('" + e2.getMessage() + "')";
                });
                return new StatusResponse(500, HttpResponse.DEFAULT_MIME_TYPE, e2.getMessage().getBytes());
            }
        }

        private HttpClient client() throws Exception {
            if (this.client == null) {
                synchronized (this) {
                    if (this.client == null) {
                        int millis = (int) this.clientTimeout.toMillis();
                        SslContextFactory.Client client = new SslContextFactory.Client();
                        client.setHostnameVerifier((str, sSLSession) -> {
                            return true;
                        });
                        client.setSslContext(getSslContext(this.serverSsl));
                        ClientConnector clientConnector = new ClientConnector();
                        clientConnector.setSslContextFactory(client);
                        HttpClient httpClient = new HttpClient(new HttpClientTransportOverHTTP(clientConnector));
                        httpClient.setMaxConnectionsPerDestination(4);
                        httpClient.setConnectTimeout(millis);
                        httpClient.setIdleTimeout(millis);
                        httpClient.setUserAgentField(new HttpField(HttpHeader.USER_AGENT, "health-check-proxy-client"));
                        httpClient.start();
                        this.client = httpClient;
                    }
                }
            }
            return this.client;
        }

        private SSLContext getSslContext(SslContextFactory.Server server) {
            if (!server.getNeedClientAuth()) {
                HealthCheckProxyHandler.log.info(String.format("Port %d does not require a client certificate - client will not provide a certificate", Integer.valueOf(this.port)));
                return new SslContextBuilder().withTrustManager(new TrustAllX509TrustManager()).build();
            }
            HealthCheckProxyHandler.log.info(String.format("Port %d requires client certificate - client will provide its node certificate", Integer.valueOf(this.port)));
            TransportSecurityOptions transportSecurityOptions = (TransportSecurityOptions) TransportSecurityUtils.getOptions().orElseThrow(() -> {
                return new IllegalStateException("Vespa TLS configuration is required when using health check proxy to a port with client auth 'need'");
            });
            return new SslContextBuilder().withKeyStore((Path) transportSecurityOptions.getPrivateKeyFile().get(), (Path) transportSecurityOptions.getCertificatesFile().get()).withTrustManager(new TrustAllX509TrustManager()).build();
        }

        @Override // java.lang.AutoCloseable
        public void close() throws Exception {
            synchronized (this) {
                if (this.client != null) {
                    this.client.stop();
                    this.client.destroy();
                    this.client = null;
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler$StatusResponse.class */
    public static class StatusResponse {
        final long createdAt = System.nanoTime();
        final int statusCode;
        final String contentType;
        final byte[] content;

        StatusResponse(int i, String str, byte[] bArr) {
            this.statusCode = i;
            this.contentType = str;
            this.content = bArr;
        }

        boolean isExpired(Duration duration) {
            return System.nanoTime() - this.createdAt > duration.toNanos();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public HealthCheckProxyHandler(List<JDiscServerConnector> list) {
        this.portToProxyTargetMapping = createPortToProxyTargetMapping(list);
    }

    private static Map<Integer, ProxyTarget> createPortToProxyTargetMapping(List<JDiscServerConnector> list) {
        HashMap hashMap = new HashMap();
        for (JDiscServerConnector jDiscServerConnector : list) {
            ConnectorConfig.HealthCheckProxy healthCheckProxy = jDiscServerConnector.connectorConfig().healthCheckProxy();
            if (healthCheckProxy.enable()) {
                hashMap.put(Integer.valueOf(jDiscServerConnector.listenPort()), createProxyTarget(healthCheckProxy.port(), Duration.ofMillis((int) (healthCheckProxy.clientTimeout() * 1000.0d)), Duration.ofMillis((int) (healthCheckProxy.handlerTimeout() * 1000.0d)), Duration.ofMillis((int) (healthCheckProxy.cacheExpiry() * 1000.0d)), list));
                log.info(String.format("Port %1$d is configured as a health check proxy for port %2$d. HTTP requests to '%3$s' on %1$d are proxied as HTTPS to %2$d.", Integer.valueOf(jDiscServerConnector.listenPort()), Integer.valueOf(healthCheckProxy.port()), HEALTH_CHECK_PATH));
            }
        }
        return hashMap;
    }

    private static ProxyTarget createProxyTarget(int i, Duration duration, Duration duration2, Duration duration3, List<JDiscServerConnector> list) {
        JDiscServerConnector orElseThrow = list.stream().filter(jDiscServerConnector -> {
            return jDiscServerConnector.listenPort() == i;
        }).findAny().orElseThrow(() -> {
            return new IllegalArgumentException("Could not find any connector with listen port " + i);
        });
        return new ProxyTarget(i, duration, duration2, duration3, (SslContextFactory.Server) Optional.ofNullable((SslConnectionFactory) orElseThrow.getConnectionFactory(SslConnectionFactory.class)).or(() -> {
            return Optional.ofNullable((DetectorConnectionFactory) orElseThrow.getConnectionFactory(DetectorConnectionFactory.class)).map(detectorConnectionFactory -> {
                return (SslConnectionFactory) detectorConnectionFactory.getBean(SslConnectionFactory.class);
            });
        }).map((v0) -> {
            return v0.getSslContextFactory();
        }).orElseThrow(() -> {
            return new IllegalArgumentException("Health check proxy can only target https port");
        }), orElseThrow.connectorConfig().proxyProtocol().enabled());
    }

    public void handle(String str, org.eclipse.jetty.server.Request request, HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws IOException, ServletException {
        ProxyTarget proxyTarget = this.portToProxyTargetMapping.get(Integer.valueOf(RequestUtils.getConnectorLocalPort(request)));
        if (proxyTarget == null) {
            this._handler.handle(str, request, httpServletRequest, httpServletResponse);
            return;
        }
        final AsyncContext startAsync = httpServletRequest.startAsync();
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        if (httpServletRequest.getRequestURI().equals(HEALTH_CHECK_PATH)) {
            final ProxyRequestTask proxyRequestTask = new ProxyRequestTask(startAsync, proxyTarget, httpServletResponse, outputStream);
            startAsync.setTimeout(proxyTarget.handlerTimeout.toMillis());
            startAsync.addListener(new AsyncListener() { // from class: com.yahoo.jdisc.http.server.jetty.HealthCheckProxyHandler.1
                public void onStartAsync(AsyncEvent asyncEvent) {
                }

                public void onComplete(AsyncEvent asyncEvent) {
                }

                public void onError(AsyncEvent asyncEvent) {
                    HealthCheckProxyHandler.log.log(Level.FINE, asyncEvent.getThrowable(), () -> {
                        return "AsyncListener.onError()";
                    });
                    synchronized (proxyRequestTask.monitor) {
                        if (proxyRequestTask.state == ProxyRequestTask.State.DONE) {
                            return;
                        }
                        proxyRequestTask.state = ProxyRequestTask.State.DONE;
                        httpServletResponse.setStatus(500);
                        startAsync.complete();
                    }
                }

                public void onTimeout(AsyncEvent asyncEvent) {
                    HealthCheckProxyHandler.log.log(Level.FINE, asyncEvent.getThrowable(), () -> {
                        return "AsyncListener.onTimeout()";
                    });
                    synchronized (proxyRequestTask.monitor) {
                        if (proxyRequestTask.state == ProxyRequestTask.State.DONE) {
                            return;
                        }
                        proxyRequestTask.state = ProxyRequestTask.State.DONE;
                        httpServletResponse.setStatus(504);
                        startAsync.complete();
                    }
                }
            });
            this.executor.execute(proxyRequestTask);
        } else {
            httpServletResponse.setStatus(404);
            startAsync.complete();
        }
        request.setHandled(true);
    }

    protected void doStop() throws Exception {
        this.executor.shutdown();
        if (!this.executor.awaitTermination(10L, TimeUnit.SECONDS)) {
            log.warning("Failed to shutdown executor in time");
        }
        Iterator<ProxyTarget> it = this.portToProxyTargetMapping.values().iterator();
        while (it.hasNext()) {
            it.next().close();
        }
        super.doStop();
    }
}
