package com.yahoo.vespa.model.application.validation;

import com.yahoo.vespa.model.application.validation.Validation;
import com.yahoo.vespa.model.container.Container;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
import com.yahoo.vespa.model.container.http.Http;
import com.yahoo.vespa.model.container.http.ssl.DefaultSslProvider;
import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory;
import java.util.List;

/* loaded from: input_file:com/yahoo/vespa/model/application/validation/CloudHttpConnectorValidator.class */
public class CloudHttpConnectorValidator implements Validator {
    @Override // com.yahoo.vespa.model.application.validation.Validator
    public void validate(Validation.Context context) {
        if (context.deployState().isHostedTenantApplication(context.model().getAdmin().getApplicationType())) {
            context.model().getContainerClusters().forEach((str, applicationContainerCluster) -> {
                Http http = applicationContainerCluster.getHttp();
                if (http == null) {
                    return;
                }
                List list = http.getHttpServer().stream().flatMap(jettyHttpServer -> {
                    return jettyHttpServer.getConnectorFactories().stream().filter(connectorFactory -> {
                        return !isAllowedConnector(connectorFactory);
                    });
                }).map(connectorFactory -> {
                    return "%s@%d".formatted(connectorFactory.getName(), Integer.valueOf(connectorFactory.getListenPort()));
                }).toList();
                if (list.isEmpty()) {
                    return;
                }
                context.illegal("Adding additional or modifying existing HTTPS connectors is not allowed for Vespa Cloud applications. Violating connectors: %s. See https://docs.vespa.ai/en/cloud/security/whitepaper.html, https://docs.vespa.ai/en/cloud/security/guide.html#data-plane.".formatted(list));
            });
        }
    }

    private static boolean isAllowedConnector(ConnectorFactory connectorFactory) {
        return (connectorFactory instanceof HostedSslConnectorFactory) || connectorFactory.getClass().getSimpleName().endsWith("HealthCheckProxyConnector") || connectorFactory.getClass().getPackageName().startsWith("com.yahoo.vespa.model.container.amender") || (connectorFactory.getListenPort() == Container.BASEPORT && (connectorFactory.sslProvider() instanceof DefaultSslProvider));
    }
}
