package com.yahoo.vespa.model.container.http.ssl;

import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Set;

/* loaded from: input_file:com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.class */
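/**
 * {@link ConnectorFactory} for the hosted TLS connector.
 * <p>
 * The connector is named {@code "tls" + port}. The SSL provider is fixed at construction time
 * (see {@link #createSslProvider(Builder)}); every other setting — client-auth enforcer, enabled
 * protocol versions and cipher suites, proxy protocol, idle timeout / connection life, access-log
 * headers and known server names — is written into the connector config by
 * {@link #getConfig(ConnectorConfig.Builder)}. Instances are immutable; obtain one through
 * {@link #builder(String, int)}.
 */
public class HostedSslConnectorFactory extends ConnectorFactory {

    /** Idle timeout applied to every hosted TLS connector. */
    private static final Duration IDLE_TIMEOUT = Duration.ofSeconds(30);

    /** Protocol versions enabled on the connector. Only TLSv1.2 is listed; TLSv1.3 is not enabled here. */
    private static final List<String> ENABLED_PROTOCOLS = List.of("TLSv1.2");

    /**
     * Paths passed to the client-auth enforcer's whitelist when {@link SslClientAuth#WANT_WITH_ENFORCER}
     * is in effect; presumably the health-check endpoint that must stay reachable without a client
     * certificate — confirm against the enforcer implementation.
     */
    private static final List<String> ENFORCER_PATH_WHITELIST = List.of("/status.html");

    /** Max connection life written when no endpoint connection TTL was configured (presumably "no limit" — confirm in ConnectorConfig). */
    private static final double DEFAULT_MAX_CONNECTION_LIFE_SECONDS = 0.0d;

    /** Client-auth mode; may be null, which is treated like {@link SslClientAuth#WANT}. */
    private final SslClientAuth clientAuth;
    /** Explicit cipher-suite list; empty means "use {@link TlsContext#ALLOWED_CIPHER_SUITES}". */
    private final List<String> tlsCiphersOverride;
    private final boolean proxyProtocolEnabled;
    private final boolean proxyProtocolMixedMode;
    /** Max life of a connection, or null for the default. */
    private final Duration endpointConnectionTtl;
    /**
     * Headers the access log consults for the original client address/port. Only headers that a
     * trusted fronting proxy sets (and strips from incoming requests) should be listed, since their
     * content is presumably logged as-is — verify against the access-log implementation.
     */
    private final List<String> remoteAddressHeaders;
    private final List<String> remotePortHeaders;
    /** Server names handed to {@code serverName.known} in the connector config. */
    private final Set<String> knownServerNames;

    /**
     * Mutable builder for {@link HostedSslConnectorFactory}.
     * <p>
     * Defaults: no client-auth mode ({@code null}), proxy protocol disabled, no connection TTL,
     * no endpoint certificate (which selects {@link DefaultSslProvider}), empty cipher override
     * and no known server names.
     */
    public static class Builder {
        final String name;
        final int port;
        SslClientAuth clientAuth;
        boolean proxyProtocolEnabled;
        boolean proxyProtocolMixedMode;
        Duration endpointConnectionTtl;
        EndpointCertificateSecrets endpointCertificate;
        String tlsCaCertificatesPem;
        String tlsCaCertificatesPath;
        boolean tokenEndpoint;
        final List<String> remoteAddressHeaders = new ArrayList<>();
        final List<String> remotePortHeaders = new ArrayList<>();
        List<String> tlsCiphersOverride = List.of();
        Set<String> knownServerNames = Set.of();

        private Builder(String name, int port) {
            this.name = name;
            this.port = port;
        }

        /** Sets the client-auth mode; see {@link SslClientAuth} for how each value is applied. */
        public Builder clientAuth(SslClientAuth clientAuth) {
            this.clientAuth = clientAuth;
            return this;
        }

        /** Sets the maximum connection life; {@code null} falls back to the default. */
        public Builder endpointConnectionTtl(Duration ttl) {
            this.endpointConnectionTtl = ttl;
            return this;
        }

        /**
         * Replaces the platform cipher-suite allow list with an explicit one (copied).
         *
         * @throws NullPointerException if {@code ciphers} or any element is null
         */
        public Builder tlsCiphersOverride(Collection<String> ciphers) {
            this.tlsCiphersOverride = List.copyOf(ciphers);
            return this;
        }

        /** Enables/disables the proxy protocol and its mixed mode. */
        public Builder proxyProtocol(boolean enabled, boolean mixedMode) {
            this.proxyProtocolEnabled = enabled;
            this.proxyProtocolMixedMode = mixedMode;
            return this;
        }

        /** Sets the endpoint certificate; when present the connector uses {@link CloudSslProvider}. */
        public Builder endpointCertificate(EndpointCertificateSecrets certificate) {
            this.endpointCertificate = certificate;
            return this;
        }

        /** Sets the path of the CA certificates used by the cloud SSL provider. */
        public Builder tlsCaCertificatesPath(String path) {
            this.tlsCaCertificatesPath = path;
            return this;
        }

        /** Sets the CA certificates (PEM) used by the cloud SSL provider. */
        public Builder tlsCaCertificatesPem(String pem) {
            this.tlsCaCertificatesPem = pem;
            return this;
        }

        /** Marks the connector as a token endpoint (forwarded to {@link CloudSslProvider}). */
        public Builder tokenEndpoint(boolean tokenEndpoint) {
            this.tokenEndpoint = tokenEndpoint;
            return this;
        }

        /**
         * Adds a header the access log may consult for the original client address.
         *
         * @throws NullPointerException if {@code header} is null (fail fast; the immutable copy taken
         *                              in {@link #build()} would reject it anyway)
         */
        public Builder remoteAddressHeader(String header) {
            this.remoteAddressHeaders.add(Objects.requireNonNull(header, "header"));
            return this;
        }

        /**
         * Adds a header the access log may consult for the original client port.
         *
         * @throws NullPointerException if {@code header} is null
         */
        public Builder remotePortHeader(String header) {
            this.remotePortHeaders.add(Objects.requireNonNull(header, "header"));
            return this;
        }

        /**
         * Sets the known server names (copied).
         *
         * @throws NullPointerException if {@code names} or any element is null
         */
        public Builder knownServerNames(Set<String> names) {
            this.knownServerNames = Set.copyOf(names);
            return this;
        }

        /** Builds the factory; the SSL provider is created here. */
        public HostedSslConnectorFactory build() {
            return new HostedSslConnectorFactory(this);
        }
    }

    /** How the connector handles TLS client certificates. */
    public enum SslClientAuth {
        /** Request a client certificate at the TLS layer but do not require one ({@code WANT_AUTH}). */
        WANT,
        /** Require a client certificate at the TLS layer ({@code NEED_AUTH}). */
        NEED,
        /**
         * Request a certificate at the TLS layer ({@code WANT_AUTH}) and additionally enable the
         * {@code TlsClientAuthEnforcer} in {@link #getConfig(ConnectorConfig.Builder)}, with
         * {@link #ENFORCER_PATH_WHITELIST} exempted.
         */
        WANT_WITH_ENFORCER
    }

    /**
     * Starts building a hosted TLS connector.
     *
     * @param name name passed to the SSL provider
     * @param port listen port; also used to name the connector {@code "tls" + port}
     */
    public static Builder builder(String name, int port) {
        return new Builder(name, port);
    }

    private HostedSslConnectorFactory(Builder builder) {
        super(new ConnectorFactory.Builder("tls" + builder.port, builder.port).sslProvider(createSslProvider(builder)));
        this.clientAuth = builder.clientAuth;
        this.tlsCiphersOverride = List.copyOf(builder.tlsCiphersOverride);
        this.proxyProtocolEnabled = builder.proxyProtocolEnabled;
        this.proxyProtocolMixedMode = builder.proxyProtocolMixedMode;
        this.endpointConnectionTtl = builder.endpointConnectionTtl;
        this.remoteAddressHeaders = List.copyOf(builder.remoteAddressHeaders);
        this.remotePortHeaders = List.copyOf(builder.remotePortHeaders);
        this.knownServerNames = Set.copyOf(builder.knownServerNames);
    }

    /**
     * Chooses the SSL provider: {@link DefaultSslProvider} when no endpoint certificate was given,
     * otherwise {@link CloudSslProvider} configured with the certificate's key and certificate, the
     * CA certificates, the TLS-layer client-auth mode and the token-endpoint flag.
     */
    private static SslProvider createSslProvider(Builder builder) {
        if (builder.endpointCertificate == null) {
            return new DefaultSslProvider(builder.name);
        }
        return new CloudSslProvider(builder.name,
                                    builder.endpointCertificate.key(),
                                    builder.endpointCertificate.certificate(),
                                    builder.tlsCaCertificatesPath,
                                    builder.tlsCaCertificatesPem,
                                    toClientAuthConfig(builder.clientAuth),
                                    builder.tokenEndpoint);
    }

    /**
     * Maps the builder's client-auth mode to the TLS-layer setting: only {@link SslClientAuth#NEED}
     * yields {@code NEED_AUTH}; {@code WANT}, {@code WANT_WITH_ENFORCER} and {@code null} all yield
     * {@code WANT_AUTH} (the enforcer variant is completed in {@link #getConfig(ConnectorConfig.Builder)}).
     */
    private static ConnectorConfig.Ssl.ClientAuth.Enum toClientAuthConfig(SslClientAuth clientAuth) {
        return clientAuth == SslClientAuth.NEED
                ? ConnectorConfig.Ssl.ClientAuth.Enum.NEED_AUTH
                : ConnectorConfig.Ssl.ClientAuth.Enum.WANT_AUTH;
    }

    /**
     * Writes this connector's settings into {@code builder} on top of the base connector config.
     *
     * @param builder the connector config builder to populate
     */
    @Override
    public void getConfig(ConnectorConfig.Builder builder) {
        super.getConfig(builder);
        if (clientAuth == SslClientAuth.WANT_WITH_ENFORCER) {
            // The TLS layer only requests a certificate (WANT_AUTH); the enforcer presumably rejects
            // requests without one, except on the whitelisted paths.
            builder.tlsClientAuthEnforcer(new ConnectorConfig.TlsClientAuthEnforcer.Builder()
                    .pathWhitelist(ENFORCER_PATH_WHITELIST)
                    .enable(true));
        }
        builder.ssl.enabledProtocols(ENABLED_PROTOCOLS);
        builder.ssl.enabledCipherSuites(enabledCipherSuites());
        builder.proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder()
                .enabled(proxyProtocolEnabled)
                .mixedMode(proxyProtocolMixedMode));
        builder.idleTimeout(IDLE_TIMEOUT.toSeconds());
        builder.maxConnectionLife(maxConnectionLifeSeconds());
        builder.accessLog(new ConnectorConfig.AccessLog.Builder()
                .remoteAddressHeaders(remoteAddressHeaders)
                .remotePortHeaders(remotePortHeaders));
        builder.serverName.known(knownServerNames);
    }

    /**
     * Cipher suites to enable: the explicit override if one was given, otherwise the platform-wide
     * allow list {@link TlsContext#ALLOWED_CIPHER_SUITES}. Sorted so the generated config is stable.
     */
    private List<String> enabledCipherSuites() {
        Collection<String> suites = tlsCiphersOverride.isEmpty() ? TlsContext.ALLOWED_CIPHER_SUITES : tlsCiphersOverride;
        return suites.stream().sorted().toList();
    }

    /** Connection life in seconds from the configured TTL, or {@link #DEFAULT_MAX_CONNECTION_LIFE_SECONDS} when none was set. */
    private double maxConnectionLifeSeconds() {
        return endpointConnectionTtl != null ? endpointConnectionTtl.toSeconds() : DEFAULT_MAX_CONNECTION_LIFE_SECONDS;
    }
}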
