package com.yahoo.vespa.model.container.http.ssl;

import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
import java.time.Duration;
import java.util.Collection;
import java.util.List;
import java.util.Objects;

/* loaded from: input_file:com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.class */
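/**
 * Builds the TLS connector used by hosted containers.
 *
 * <p>Three variants exist, differing in where the server certificate and the client-cert
 * truststore come from and in how client authentication is enforced:
 * <ul>
 *   <li>at the TLS handshake ({@code NEED_AUTH}) – a client without a certificate never
 *       completes the handshake and no path is exempt;</li>
 *   <li>at the HTTP layer ({@code TlsClientAuthEnforcer}) – the handshake only
 *       <em>requests</em> a certificate ({@code WANT_AUTH}) and requests without one are
 *       rejected afterwards, except on {@link #INSECURE_WHITELISTED_PATHS};</li>
 *   <li>not at all – certificates are requested but never required.</li>
 * </ul>
 *
 * <p>Security notes:
 * <ul>
 *   <li>Only TLS 1.2 is offered (see {@link #getConfig}); TLS 1.3 is not in the list.
 *       NOTE(review): presumably intentional for client/LB compatibility – confirm.</li>
 *   <li>The PROXY protocol is enabled unconditionally, and in mixed mode plain connections
 *       are accepted as well. The connector therefore trusts whatever source address the
 *       PROXY header carries; it must only be reachable through the load balancer that
 *       adds that header (assumption – verify deployment).</li>
 *   <li>The cipher override is used verbatim (only sorted). Callers are responsible for
 *       not weakening the suite list below {@code TlsContext.ALLOWED_CIPHER_SUITES}.</li>
 * </ul>
 */
public class HostedSslConnectorFactory extends ConnectorFactory {

    /**
     * Paths that may be served without a client certificate when client auth is enforced at
     * the HTTP layer. Anything added here becomes reachable by unauthenticated clients, so
     * it is limited to the health-check page.
     */
    private static final List<String> INSECURE_WHITELISTED_PATHS = List.of("/status.html");

    /** CA bundle (file path) used to validate client certificates when no explicit truststore is given. */
    private static final String DEFAULT_HOSTED_TRUSTSTORE = "/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem";

    /** The only TLS protocol version this connector enables. */
    private static final List<String> ENABLED_PROTOCOLS = List.of("TLSv1.2");

    /** Idle timeout applied to every connection on this connector. */
    private static final Duration IDLE_TIMEOUT = Duration.ofSeconds(30L);

    /** Enforce client auth at the HTTP layer via {@code TlsClientAuthEnforcer} (with path exemptions). */
    private final boolean enforceClientAuth;
    /** Enforce client auth at the TLS handshake ({@code NEED_AUTH}); disables the HTTP-layer enforcer. */
    private final boolean enforceHandshakeClientAuth;
    /** Cipher suites to enable instead of {@code TlsContext.ALLOWED_CIPHER_SUITES}; empty means "use the defaults". */
    private final Collection<String> tlsCiphersOverride;
    /** Accept plain connections next to PROXY-protocol-prefixed ones. */
    private final boolean enableProxyProtocolMixedMode;
    /** Maximum connection lifetime; {@code null} is passed on as {@code 0.0}. */
    private final Duration endpointConnectionTtl;

    /**
     * Connector with a provided server certificate, validating client certificates against
     * {@link #DEFAULT_HOSTED_TRUSTSTORE}.
     *
     * <p>If {@code enforceHandshakeClientAuth} is {@code true}, client certificates are required
     * at the handshake. If it is {@code false}, certificates are only requested ({@code WANT_AUTH})
     * and the HTTP-layer enforcer is left disabled, i.e. clients without a certificate are
     * accepted on every path.
     *
     * @param serverName                   name handed to the SSL provider
     * @param endpointCertificateSecrets   private key and certificate for the server
     * @param enforceHandshakeClientAuth   require a client certificate to complete the handshake
     * @param tlsCiphersOverride           cipher suites to enable; empty for the defaults
     * @param enableProxyProtocolMixedMode also accept connections without a PROXY header
     * @param port                         listen port; also used to derive the connector name
     * @param endpointConnectionTtl        maximum connection lifetime, or {@code null}
     */
    public static HostedSslConnectorFactory withProvidedCertificate(String serverName,
                                                                    EndpointCertificateSecrets endpointCertificateSecrets,
                                                                    boolean enforceHandshakeClientAuth,
                                                                    Collection<String> tlsCiphersOverride,
                                                                    boolean enableProxyProtocolMixedMode,
                                                                    int port,
                                                                    Duration endpointConnectionTtl) {
        SslProvider sslProvider = createConfiguredDirectSslProvider(
                serverName, endpointCertificateSecrets, DEFAULT_HOSTED_TRUSTSTORE, null, enforceHandshakeClientAuth);
        return new HostedSslConnectorFactory(sslProvider, false, enforceHandshakeClientAuth, tlsCiphersOverride,
                                             enableProxyProtocolMixedMode, port, endpointConnectionTtl);
    }

    /**
     * Connector with a provided server certificate and a caller-supplied truststore.
     * Client authentication is enforced at the HTTP layer (handshake uses {@code WANT_AUTH}),
     * so {@link #INSECURE_WHITELISTED_PATHS} remain reachable without a client certificate.
     *
     * @param serverName                   name handed to the SSL provider
     * @param endpointCertificateSecrets   private key and certificate for the server
     * @param tlsCaCertificates            caller-supplied truststore (NOTE(review): passed in the slot
     *                                     the default variant leaves {@code null}, presumably PEM
     *                                     contents rather than a path – confirm against
     *                                     {@code ConfiguredDirectSslProvider})
     * @param tlsCiphersOverride           cipher suites to enable; empty for the defaults
     * @param enableProxyProtocolMixedMode also accept connections without a PROXY header
     * @param port                         listen port; also used to derive the connector name
     * @param endpointConnectionTtl        maximum connection lifetime, or {@code null}
     */
    public static HostedSslConnectorFactory withProvidedCertificateAndTruststore(String serverName,
                                                                                 EndpointCertificateSecrets endpointCertificateSecrets,
                                                                                 String tlsCaCertificates,
                                                                                 Collection<String> tlsCiphersOverride,
                                                                                 boolean enableProxyProtocolMixedMode,
                                                                                 int port,
                                                                                 Duration endpointConnectionTtl) {
        SslProvider sslProvider = createConfiguredDirectSslProvider(
                serverName, endpointCertificateSecrets, null, tlsCaCertificates, false);
        return new HostedSslConnectorFactory(sslProvider, true, false, tlsCiphersOverride,
                                             enableProxyProtocolMixedMode, port, endpointConnectionTtl);
    }

    /**
     * Connector backed by {@link DefaultSslProvider}, with client authentication enforced at the
     * HTTP layer ({@link #INSECURE_WHITELISTED_PATHS} exempt). Which certificate and truststore
     * the default provider uses is not visible here.
     *
     * @param serverName                   name handed to the SSL provider
     * @param tlsCiphersOverride           cipher suites to enable; empty for the defaults
     * @param enableProxyProtocolMixedMode also accept connections without a PROXY header
     * @param port                         listen port; also used to derive the connector name
     * @param endpointConnectionTtl        maximum connection lifetime, or {@code null}
     */
    public static HostedSslConnectorFactory withDefaultCertificateAndTruststore(String serverName,
                                                                                Collection<String> tlsCiphersOverride,
                                                                                boolean enableProxyProtocolMixedMode,
                                                                                int port,
                                                                                Duration endpointConnectionTtl) {
        return new HostedSslConnectorFactory(new DefaultSslProvider(serverName), true, false, tlsCiphersOverride,
                                             enableProxyProtocolMixedMode, port, endpointConnectionTtl);
    }

    /**
     * @throws NullPointerException if {@code sslProvider} or {@code tlsCiphersOverride} is null
     *                              (fail fast here rather than later in {@link #getConfig})
     */
    private HostedSslConnectorFactory(SslProvider sslProvider,
                                      boolean enforceClientAuth,
                                      boolean enforceHandshakeClientAuth,
                                      Collection<String> tlsCiphersOverride,
                                      boolean enableProxyProtocolMixedMode,
                                      int port,
                                      Duration endpointConnectionTtl) {
        super(new ConnectorFactory.Builder("tls" + port, port).sslProvider(sslProvider));
        Objects.requireNonNull(sslProvider, "sslProvider");
        this.enforceClientAuth = enforceClientAuth;
        this.enforceHandshakeClientAuth = enforceHandshakeClientAuth;
        // Defensive copy: the override is read later in getConfig(), so a caller mutating its
        // collection afterwards must not silently change the enabled cipher suites.
        this.tlsCiphersOverride = List.copyOf(Objects.requireNonNull(tlsCiphersOverride, "tlsCiphersOverride"));
        this.enableProxyProtocolMixedMode = enableProxyProtocolMixedMode;
        this.endpointConnectionTtl = endpointConnectionTtl;
    }

    /**
     * Creates the direct SSL provider from the endpoint secrets.
     *
     * @param caCertificatePath path of the CA bundle used for client-cert validation, or {@code null}
     * @param caCertificate     alternative truststore slot (see {@link #withProvidedCertificateAndTruststore}), or {@code null}
     * @param needClientAuth    {@code true} → {@code NEED_AUTH} (handshake fails without a client cert);
     *                          {@code false} → {@code WANT_AUTH} (cert requested but optional)
     */
    private static ConfiguredDirectSslProvider createConfiguredDirectSslProvider(String serverName,
                                                                                 EndpointCertificateSecrets endpointCertificateSecrets,
                                                                                 String caCertificatePath,
                                                                                 String caCertificate,
                                                                                 boolean needClientAuth) {
        ConnectorConfig.Ssl.ClientAuth.Enum clientAuth = needClientAuth
                ? ConnectorConfig.Ssl.ClientAuth.Enum.NEED_AUTH
                : ConnectorConfig.Ssl.ClientAuth.Enum.WANT_AUTH;
        return new ConfiguredDirectSslProvider(serverName,
                                               endpointCertificateSecrets.key(),
                                               endpointCertificateSecrets.certificate(),
                                               caCertificatePath,
                                               caCertificate,
                                               clientAuth);
    }

    /**
     * Fills in the connector config: client-auth enforcement, protocol and cipher lists,
     * PROXY protocol, idle timeout and maximum connection lifetime.
     */
    @Override // com.yahoo.vespa.model.container.http.ConnectorFactory
    public void getConfig(ConnectorConfig.Builder builder) {
        super.getConfig(builder);

        // With NEED_AUTH at the handshake no cert-less client gets this far, so the HTTP-layer
        // enforcer (and its /status.html exemption) is only set up when handshake enforcement is off.
        if (!enforceHandshakeClientAuth) {
            builder.tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
                                                  .pathWhitelist(INSECURE_WHITELISTED_PATHS)
                                                  .enable(enforceClientAuth));
        }

        builder.ssl.enabledProtocols(ENABLED_PROTOCOLS);

        // An empty override means "use the allowed defaults"; either list is emitted sorted.
        Collection<String> cipherSuites = tlsCiphersOverride.isEmpty()
                ? TlsContext.ALLOWED_CIPHER_SUITES
                : tlsCiphersOverride;
        builder.ssl.enabledCipherSuites(cipherSuites.stream().sorted().toList());

        // A missing TTL is passed on as 0.0 (presumably "no limit" – semantics live in the connector).
        double maxConnectionLifeSeconds = endpointConnectionTtl == null ? 0.0d : endpointConnectionTtl.toSeconds();

        builder.proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder()
                                      .enabled(true)
                                      .mixedMode(enableProxyProtocolMixedMode))
               .idleTimeout(IDLE_TIMEOUT.toSeconds())
               .maxConnectionLife(maxConnectionLifeSeconds);
    }
}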
