package com.yahoo.jdisc.http.server.jetty;

import ai.vespa.metrics.ContainerMetrics;
import com.yahoo.component.annotation.Inject;
import com.yahoo.jdisc.Metric;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.jdisc.http.SslProvider;
import com.yahoo.jdisc.http.ssl.impl.DefaultConnectorSsl;
import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TransportSecurityUtils;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.logging.Logger;
import org.eclipse.jetty.alpn.server.ALPNServerConnectionFactory;
import org.eclipse.jetty.http.ComplianceViolation;
import org.eclipse.jetty.http.HttpCompliance;
import org.eclipse.jetty.http.UriCompliance;
import org.eclipse.jetty.http2.server.AbstractHTTP2ServerConnectionFactory;
import org.eclipse.jetty.http2.server.HTTP2CServerConnectionFactory;
import org.eclipse.jetty.http2.server.HTTP2ServerConnectionFactory;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.DetectorConnectionFactory;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.ProxyConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.HostPort;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/ConnectorFactory.class */
public class ConnectorFactory {
    private static final Logger log = Logger.getLogger(ConnectorFactory.class.getName());
    private final ConnectorConfig connectorConfig;
    private final SslProvider sslProvider;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/ConnectorFactory$HttpComplianceViolationListener.class */
    public static final class HttpComplianceViolationListener extends Record implements ComplianceViolation.Listener {
        private final Metric metric;

        private HttpComplianceViolationListener(Metric metric) {
            this.metric = metric;
        }

        public void onComplianceViolation(ComplianceViolation.Event event) {
            ConnectorFactory.log.fine(() -> {
                return "Compliance violation: mode=%s, violation=%s".formatted(event.mode().getName(), event.violation().getName());
            });
            this.metric.add(ContainerMetrics.JETTY_HTTP_COMPLIANCE_VIOLATION.baseName(), 1L, this.metric.createContext(Map.of("mode", event.mode().getName(), "violation", event.violation().getName())));
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, HttpComplianceViolationListener.class), HttpComplianceViolationListener.class, "metric", "FIELD:Lcom/yahoo/jdisc/http/server/jetty/ConnectorFactory$HttpComplianceViolationListener;->metric:Lcom/yahoo/jdisc/Metric;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, HttpComplianceViolationListener.class), HttpComplianceViolationListener.class, "metric", "FIELD:Lcom/yahoo/jdisc/http/server/jetty/ConnectorFactory$HttpComplianceViolationListener;->metric:Lcom/yahoo/jdisc/Metric;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, HttpComplianceViolationListener.class, Object.class), HttpComplianceViolationListener.class, "metric", "FIELD:Lcom/yahoo/jdisc/http/server/jetty/ConnectorFactory$HttpComplianceViolationListener;->metric:Lcom/yahoo/jdisc/Metric;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public Metric metric() {
            return this.metric;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/ConnectorFactory$MandatoryProxyConnectionFactory.class */
    public static class MandatoryProxyConnectionFactory extends ProxyConnectionFactory {
        MandatoryProxyConnectionFactory(String str) {
            super(str);
        }

        protected String findNextProtocol(Connector connector) {
            return null;
        }
    }

    @Inject
    public ConnectorFactory(ConnectorConfig connectorConfig, SslProvider sslProvider) {
        runtimeConnectorConfigValidation(connectorConfig);
        this.connectorConfig = connectorConfig;
        this.sslProvider = sslProvider;
    }

    private static void runtimeConnectorConfigValidation(ConnectorConfig connectorConfig) {
        validateProxyProtocolConfiguration(connectorConfig);
    }

    private static void validateProxyProtocolConfiguration(ConnectorConfig connectorConfig) {
        if (connectorConfig.proxyProtocol().enabled()) {
            boolean z = TransportSecurityUtils.getInsecureMixedMode() != MixedMode.DISABLED;
            if (!isSslEffectivelyEnabled(connectorConfig) || z) {
                throw new IllegalArgumentException("Proxy protocol can only be enabled if connector is effectively HTTPS only");
            }
        }
    }

    public ConnectorConfig getConnectorConfig() {
        return this.connectorConfig;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public JDiscServerConnector createConnector(Metric metric, Server server) {
        return new JDiscServerConnector(this.connectorConfig, metric, server, (ConnectionFactory[]) createConnectionFactories(metric).toArray(i -> {
            return new ConnectionFactory[i];
        }));
    }

    private List<ConnectionFactory> createConnectionFactories(Metric metric) {
        boolean z = TransportSecurityUtils.isTransportSecurityEnabled() && this.connectorConfig.implicitTlsEnabled();
        MixedMode insecureMixedMode = TransportSecurityUtils.getInsecureMixedMode();
        if (this.connectorConfig.ssl().enabled() || (z && insecureMixedMode == MixedMode.DISABLED)) {
            return connectionFactoriesForHttps(metric);
        }
        if (!z) {
            return this.connectorConfig.http2Enabled() ? List.of(newHttp1ConnectionFactory(metric), newHttp2ClearTextConnectionFactory(metric)) : List.of(newHttp1ConnectionFactory(metric));
        }
        if (insecureMixedMode == MixedMode.TLS_CLIENT_MIXED_SERVER || insecureMixedMode == MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) {
            return connectionFactoriesForTlsMixedMode(metric);
        }
        throw new IllegalArgumentException("Unknown mixed mode " + String.valueOf(insecureMixedMode));
    }

    private List<ConnectionFactory> connectionFactoriesForHttps(Metric metric) {
        ConnectionFactory connectionFactory;
        SslConnectionFactory newSslConnectionFactory;
        ArrayList arrayList = new ArrayList();
        ConnectorConfig.ProxyProtocol proxyProtocol = this.connectorConfig.proxyProtocol();
        HttpConnectionFactory newHttp1ConnectionFactory = newHttp1ConnectionFactory(metric);
        if (this.connectorConfig.http2Enabled()) {
            connectionFactory = newAlpnConnectionFactory();
            newSslConnectionFactory = newSslConnectionFactory(metric, connectionFactory);
        } else {
            connectionFactory = null;
            newSslConnectionFactory = newSslConnectionFactory(metric, newHttp1ConnectionFactory);
        }
        if (proxyProtocol.enabled()) {
            arrayList.add(newProxyProtocolConnectionFactory(newSslConnectionFactory, proxyProtocol.mixedMode()));
        }
        arrayList.add(newSslConnectionFactory);
        if (this.connectorConfig.http2Enabled()) {
            arrayList.add(connectionFactory);
        }
        arrayList.add(newHttp1ConnectionFactory);
        if (this.connectorConfig.http2Enabled()) {
            arrayList.add(newHttp2ConnectionFactory(metric));
        }
        return List.copyOf(arrayList);
    }

    private List<ConnectionFactory> connectionFactoriesForTlsMixedMode(Metric metric) {
        log.warning(String.format("TLS mixed mode enabled for port %d - HTTP/2 and proxy-protocol are not supported", Integer.valueOf(this.connectorConfig.listenPort())));
        HttpConnectionFactory newHttp1ConnectionFactory = newHttp1ConnectionFactory(metric);
        SslConnectionFactory newSslConnectionFactory = newSslConnectionFactory(metric, newHttp1ConnectionFactory);
        return List.of(newDetectorConnectionFactory(newSslConnectionFactory), newHttp1ConnectionFactory, newSslConnectionFactory);
    }

    private HttpConfiguration newHttpConfiguration(Metric metric) {
        HttpConfiguration httpConfiguration = new HttpConfiguration();
        httpConfiguration.setSendDateHeader(true);
        httpConfiguration.setSendServerVersion(false);
        httpConfiguration.setSendXPoweredBy(false);
        httpConfiguration.setHeaderCacheSize(this.connectorConfig.headerCacheSize());
        httpConfiguration.setOutputBufferSize(this.connectorConfig.outputBufferSize());
        httpConfiguration.setRequestHeaderSize(this.connectorConfig.requestHeaderSize());
        httpConfiguration.setResponseHeaderSize(this.connectorConfig.responseHeaderSize());
        httpConfiguration.addComplianceViolationListener(new HttpComplianceViolationListener(metric));
        httpConfiguration.setUseInputDirectByteBuffers(false);
        httpConfiguration.setUseOutputDirectByteBuffers(false);
        httpConfiguration.setHttpCompliance(newHttpCompliance(this.connectorConfig));
        httpConfiguration.setMaxUnconsumedRequestContentReads(64);
        httpConfiguration.setUriCompliance(UriCompliance.LEGACY);
        if (isSslEffectivelyEnabled(this.connectorConfig)) {
            httpConfiguration.addCustomizer(new SecureRequestCustomizer(false, false, -1L, false));
        }
        String fallback = this.connectorConfig.serverName().fallback();
        if (!fallback.isBlank()) {
            httpConfiguration.setServerAuthority(new HostPort(fallback));
        }
        return httpConfiguration;
    }

    private static HttpCompliance newHttpCompliance(ConnectorConfig connectorConfig) {
        List list = connectorConfig.compliance().httpViolations().stream().map(str -> {
            try {
                return HttpCompliance.Violation.valueOf(str);
            } catch (IllegalArgumentException e) {
                log.warning("Ignoring unknown violation '%s'".formatted(str));
                return null;
            }
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).toList();
        if (list.isEmpty()) {
            return HttpCompliance.RFC7230;
        }
        log.info("Disabling HTTP compliance checks for port %d: %s".formatted(Integer.valueOf(connectorConfig.listenPort()), list.stream().map((v0) -> {
            return v0.getName();
        }).toList()));
        return HttpCompliance.RFC7230.with("RFC7230_VESPA", (HttpCompliance.Violation[]) list.toArray(i -> {
            return new HttpCompliance.Violation[i];
        }));
    }

    private HttpConnectionFactory newHttp1ConnectionFactory(Metric metric) {
        return new HttpConnectionFactory(newHttpConfiguration(metric));
    }

    private HTTP2ServerConnectionFactory newHttp2ConnectionFactory(Metric metric) {
        HTTP2ServerConnectionFactory hTTP2ServerConnectionFactory = new HTTP2ServerConnectionFactory(newHttpConfiguration(metric));
        setHttp2Config(hTTP2ServerConnectionFactory);
        return hTTP2ServerConnectionFactory;
    }

    private HTTP2CServerConnectionFactory newHttp2ClearTextConnectionFactory(Metric metric) {
        HTTP2CServerConnectionFactory hTTP2CServerConnectionFactory = new HTTP2CServerConnectionFactory(newHttpConfiguration(metric));
        setHttp2Config(hTTP2CServerConnectionFactory);
        return hTTP2CServerConnectionFactory;
    }

    private void setHttp2Config(AbstractHTTP2ServerConnectionFactory abstractHTTP2ServerConnectionFactory) {
        abstractHTTP2ServerConnectionFactory.setStreamIdleTimeout(toMillis(this.connectorConfig.http2().streamIdleTimeout()));
        abstractHTTP2ServerConnectionFactory.setMaxConcurrentStreams(this.connectorConfig.http2().maxConcurrentStreams());
        abstractHTTP2ServerConnectionFactory.setInitialSessionRecvWindow(16777216);
        abstractHTTP2ServerConnectionFactory.setInitialStreamRecvWindow(1048576);
    }

    private SslConnectionFactory newSslConnectionFactory(Metric metric, ConnectionFactory connectionFactory) {
        SslConnectionFactory sslConnectionFactory = new SslConnectionFactory(createSslContextFactory(), connectionFactory.getProtocol());
        sslConnectionFactory.setDirectBuffersForDecryption(false);
        sslConnectionFactory.setDirectBuffersForEncryption(false);
        sslConnectionFactory.addBean(new SslHandshakeFailedListener(metric, this.connectorConfig.name(), this.connectorConfig.listenPort()));
        return sslConnectionFactory;
    }

    private SslContextFactory.Server createSslContextFactory() {
        DefaultConnectorSsl defaultConnectorSsl = new DefaultConnectorSsl();
        this.sslProvider.configureSsl(defaultConnectorSsl, this.connectorConfig.name(), this.connectorConfig.listenPort());
        return defaultConnectorSsl.createSslContextFactory();
    }

    private ALPNServerConnectionFactory newAlpnConnectionFactory() {
        ALPNServerConnectionFactory aLPNServerConnectionFactory = new ALPNServerConnectionFactory(new String[]{"h2", "http/1.1"});
        aLPNServerConnectionFactory.setDefaultProtocol("http/1.1");
        return aLPNServerConnectionFactory;
    }

    private DetectorConnectionFactory newDetectorConnectionFactory(ConnectionFactory.Detecting... detectingArr) {
        return new DetectorConnectionFactory(detectingArr);
    }

    private ProxyConnectionFactory newProxyProtocolConnectionFactory(ConnectionFactory connectionFactory, boolean z) {
        return z ? new ProxyConnectionFactory(connectionFactory.getProtocol()) : new MandatoryProxyConnectionFactory(connectionFactory.getProtocol());
    }

    private static boolean isSslEffectivelyEnabled(ConnectorConfig connectorConfig) {
        return connectorConfig.ssl().enabled() || (connectorConfig.implicitTlsEnabled() && TransportSecurityUtils.isTransportSecurityEnabled());
    }

    private static long toMillis(double d) {
        return (long) (d * 1000.0d);
    }
}
