package com.yahoo.vespa.model.container.http.ssl;

import ai.vespa.utils.BytesQuantity;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

/* loaded from: input_file:com/yahoo/vespa/model/container/http/ssl/HostedSslConnectorFactory.class */
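/**
 * Connector factory for a TLS-enabled HTTP connector named {@code "tls<port>"}.
 *
 * <p>The factory fixes the security-relevant parts of the connector configuration: the enabled
 * TLS protocol versions and cipher suites, the client-certificate policy, proxy-protocol support,
 * and what the access log records (remote address/port headers, sampled request content).
 *
 * <p>Instances are immutable and are created through {@link #builder(String, int)}.
 */
public class HostedSslConnectorFactory extends ConnectorFactory {
    private final SslClientAuth clientAuth;
    private final List<String> tlsCiphersOverride;
    private final boolean proxyProtocolEnabled;
    private final Duration endpointConnectionTtl;
    private final List<String> remoteAddressHeaders;
    private final List<String> remotePortHeaders;
    private final Set<String> knownServerNames;
    private final List<EntityLoggingEntry> entityLoggingEntries;

    /**
     * Mutable builder for {@link HostedSslConnectorFactory}.
     *
     * <p>Every setting is optional. Defaults worth knowing when reviewing a caller:
     * {@code clientAuth} is {@code null} (treated like {@link SslClientAuth#WANT} by
     * {@code createSslProvider}, and no enforcer is enabled), {@code endpointCertificate} is
     * {@code null} (a {@code DefaultSslProvider} is used and the CA / client-auth settings given
     * here are not passed to it), and the cipher override is empty
     * ({@code TlsContext.ALLOWED_CIPHER_SUITES} is used).
     */
    public static class Builder {
        final String name;
        final int port;
        SslClientAuth clientAuth;
        boolean proxyProtocolEnabled;
        Duration endpointConnectionTtl;
        EndpointCertificateSecrets endpointCertificate;
        String tlsCaCertificatesPem;
        String tlsCaCertificatesPath;
        boolean tokenEndpoint;
        final List<String> remoteAddressHeaders = new ArrayList<>();
        final List<String> remotePortHeaders = new ArrayList<>();
        List<String> tlsCiphersOverride = List.of();
        Set<String> knownServerNames = Set.of();
        Set<String> requestPrefixForLoggingContent = Set.of();

        private Builder(String name, int port) {
            this.name = name;
            this.port = port;
        }

        /** Sets the client-certificate policy; see {@link SslClientAuth}. */
        public Builder clientAuth(SslClientAuth clientAuth) {
            this.clientAuth = clientAuth;
            return this;
        }

        /** Sets the maximum connection lifetime; {@code null} results in a value of 0 in the config. */
        public Builder endpointConnectionTtl(Duration endpointConnectionTtl) {
            this.endpointConnectionTtl = endpointConnectionTtl;
            return this;
        }

        /**
         * Replaces the default cipher-suite list. An empty collection keeps the default.
         *
         * <p>NOTE(review): the override is emitted as given; this class does not check it against
         * {@code TlsContext.ALLOWED_CIPHER_SUITES}. Confirm that callers validate the names.
         *
         * @throws NullPointerException if the collection or any element is {@code null}
         */
        public Builder tlsCiphersOverride(Collection<String> tlsCiphersOverride) {
            this.tlsCiphersOverride = List.copyOf(tlsCiphersOverride);
            return this;
        }

        /** Enables or disables proxy-protocol support on the connector. */
        public Builder proxyProtocol(boolean enabled) {
            this.proxyProtocolEnabled = enabled;
            return this;
        }

        /** Sets the endpoint certificate and key; when unset a {@code DefaultSslProvider} is used. */
        public Builder endpointCertificate(EndpointCertificateSecrets endpointCertificate) {
            this.endpointCertificate = endpointCertificate;
            return this;
        }

        /** Sets the CA certificate file path handed to {@code CloudSslProvider}. */
        public Builder tlsCaCertificatesPath(String tlsCaCertificatesPath) {
            this.tlsCaCertificatesPath = tlsCaCertificatesPath;
            return this;
        }

        /** Sets the PEM-encoded CA certificates handed to {@code CloudSslProvider}. */
        public Builder tlsCaCertificatesPem(String tlsCaCertificatesPem) {
            this.tlsCaCertificatesPem = tlsCaCertificatesPem;
            return this;
        }

        /** Sets the token-endpoint flag handed to {@code CloudSslProvider}. */
        public Builder tokenEndpoint(boolean tokenEndpoint) {
            this.tokenEndpoint = tokenEndpoint;
            return this;
        }

        /**
         * Adds a header name to the access log's remote-address header list.
         *
         * <p>NOTE(review): presumably the access log takes the client address from these headers.
         * Such headers are only trustworthy when an upstream proxy sets or overwrites them — confirm.
         */
        public Builder remoteAddressHeader(String header) {
            this.remoteAddressHeaders.add(header);
            return this;
        }

        /** Adds a header name to the access log's remote-port header list. */
        public Builder remotePortHeader(String header) {
            this.remotePortHeaders.add(header);
            return this;
        }

        /**
         * Sets the server names written to the connector's {@code serverName.known} setting.
         *
         * @throws NullPointerException if the set or any element is {@code null}
         */
        public Builder knownServerNames(Set<String> knownServerNames) {
            this.knownServerNames = Set.copyOf(knownServerNames);
            return this;
        }

        /**
         * Sets the request-content logging rules, each written as
         * {@code prefix:sample-rate:max-entity-size}. The strings are parsed and validated when
         * {@link #build()} is called, not here.
         *
         * <p>NOTE(review): these rules put request content into the access log for matching
         * paths; treat that log as sensitive and keep prefixes, sample rates and sizes tight.
         *
         * @throws NullPointerException if the collection or any element is {@code null}
         */
        public Builder requestPrefixForLoggingContent(Collection<String> specs) {
            this.requestPrefixForLoggingContent = Set.copyOf(specs);
            return this;
        }

        /**
         * Creates the factory from the current builder state.
         *
         * @throws IllegalArgumentException if a content-logging rule is malformed
         */
        public HostedSslConnectorFactory build() {
            return new HostedSslConnectorFactory(this);
        }
    }

    /**
     * One parsed request-content logging rule.
     *
     * <p>Restored as a record: the decompiled form ({@code extends Record} with
     * {@code ObjectMethods.bootstrap} bodies) is not valid source, and the decompiler noted that
     * the type was originally private.
     */
    private record EntityLoggingEntry(String prefix, double sampleRate, BytesQuantity maxEntitySize) {}

    /**
     * Client-certificate policy for the connector.
     *
     * <p>Only {@link #NEED} maps to {@code NEED_AUTH} at the TLS layer; {@link #WANT} and
     * {@link #WANT_WITH_ENFORCER} both map to {@code WANT_AUTH}, and the latter additionally
     * enables the {@code TlsClientAuthEnforcer} in {@link HostedSslConnectorFactory#getConfig}.
     */
    public enum SslClientAuth {
        WANT,
        NEED,
        WANT_WITH_ENFORCER
    }

    /**
     * Starts a builder for a connector.
     *
     * @param name name passed to the SSL provider
     * @param port listen port; the connector itself is named {@code "tls" + port}
     */
    public static Builder builder(String name, int port) {
        return new Builder(name, port);
    }

    private HostedSslConnectorFactory(Builder builder) {
        super(new ConnectorFactory.Builder("tls" + builder.port, builder.port).sslProvider(createSslProvider(builder)));
        this.clientAuth = builder.clientAuth;
        this.tlsCiphersOverride = List.copyOf(builder.tlsCiphersOverride);
        this.proxyProtocolEnabled = builder.proxyProtocolEnabled;
        this.endpointConnectionTtl = builder.endpointConnectionTtl;
        this.remoteAddressHeaders = List.copyOf(builder.remoteAddressHeaders);
        this.remotePortHeaders = List.copyOf(builder.remotePortHeaders);
        // Sorted copy, so the emitted config does not depend on the iteration order of Set.copyOf.
        this.knownServerNames = Collections.unmodifiableSet(new TreeSet<>(builder.knownServerNames));
        this.entityLoggingEntries = builder.requestPrefixForLoggingContent.stream()
                .map(HostedSslConnectorFactory::parseEntityLoggingEntry)
                .toList();
    }

    /**
     * Parses one {@code prefix:sample-rate:max-entity-size} rule.
     *
     * @throws IllegalArgumentException if the rule does not have exactly three {@code ':'}-separated
     *         parts, the prefix is blank, the sample rate is not a number (this includes
     *         {@link NumberFormatException} from {@link Double#parseDouble}) or lies outside [0, 1]
     */
    private static EntityLoggingEntry parseEntityLoggingEntry(String spec) {
        String[] parts = spec.split(":");
        if (parts.length != 3) {
            throw new IllegalArgumentException("Expected string of format 'prefix:sample-rate:max-entity-size', got '%s'".formatted(spec));
        }
        String prefix = parts[0];
        if (prefix.isBlank()) {
            throw new IllegalArgumentException("Path prefix must not be blank");
        }
        double sampleRate = Double.parseDouble(parts[1]);
        // Written as a negated in-range test so that NaN, which "NaN" parses to and for which
        // every comparison is false, is rejected together with values outside [0, 1].
        if (!(sampleRate >= 0.0d && sampleRate <= 1.0d)) {
            throw new IllegalArgumentException("Sample rate must be in range [0, 1], got '%s'".formatted(sampleRate));
        }
        return new EntityLoggingEntry(prefix, sampleRate, BytesQuantity.fromString(parts[2]));
    }

    /**
     * Selects the SSL provider for the connector.
     *
     * <p>Without an endpoint certificate a {@code DefaultSslProvider} is returned and none of the
     * builder's client-auth, CA or token-endpoint settings are handed to it. Otherwise a
     * {@code CloudSslProvider} is created; it requires a client certificate at the TLS layer only
     * for {@link SslClientAuth#NEED}. Every other value, including {@code null}, becomes
     * {@code WANT_AUTH}.
     */
    private static SslProvider createSslProvider(Builder builder) {
        if (builder.endpointCertificate == null) {
            return new DefaultSslProvider(builder.name);
        }
        ConnectorConfig.Ssl.ClientAuth.Enum tlsClientAuth = builder.clientAuth == SslClientAuth.NEED
                ? ConnectorConfig.Ssl.ClientAuth.Enum.NEED_AUTH
                : ConnectorConfig.Ssl.ClientAuth.Enum.WANT_AUTH;
        return new CloudSslProvider(
                builder.name,
                builder.endpointCertificate.key(),
                builder.endpointCertificate.certificate(),
                builder.tlsCaCertificatesPath,
                builder.tlsCaCertificatesPem,
                tlsClientAuth,
                builder.tokenEndpoint);
    }

    /**
     * Writes this connector's settings into the connector config, on top of what the superclass
     * produces.
     */
    @Override // com.yahoo.vespa.model.container.http.ConnectorFactory
    public void getConfig(ConnectorConfig.Builder connectorBuilder) {
        super.getConfig(connectorBuilder);
        if (clientAuth == SslClientAuth.WANT_WITH_ENFORCER) {
            // NOTE(review): presumably paths on the whitelist are served without a client
            // certificate while the enforcer covers everything else; keep this list minimal.
            connectorBuilder.tlsClientAuthEnforcer(
                    new ConnectorConfig.TlsClientAuthEnforcer.Builder()
                            .pathWhitelist(List.of("/status.html"))
                            .enable(true));
        }
        // Only TLSv1.2 is offered; TLSv1.3 is not enabled on this connector.
        // NOTE(review): presumably deliberate - confirm and record the reason here.
        connectorBuilder.ssl.enabledProtocols(List.of("TLSv1.2"));
        if (tlsCiphersOverride.isEmpty()) {
            connectorBuilder.ssl.enabledCipherSuites(TlsContext.ALLOWED_CIPHER_SUITES.stream().sorted().toList());
        } else {
            // The override replaces the allowed list entirely and is not validated in this class.
            connectorBuilder.ssl.enabledCipherSuites(tlsCiphersOverride.stream().sorted().toList());
        }
        connectorBuilder
                .proxyProtocol(new ConnectorConfig.ProxyProtocol.Builder().enabled(proxyProtocolEnabled))
                .idleTimeout(Duration.ofSeconds(30L).toSeconds())
                // An unset TTL is written as 0.
                .maxConnectionLife(endpointConnectionTtl != null ? endpointConnectionTtl.toSeconds() : 0.0d)
                .accessLog(new ConnectorConfig.AccessLog.Builder()
                        .remoteAddressHeaders(remoteAddressHeaders)
                        .remotePortHeaders(remotePortHeaders)
                        .content(entityLoggingEntries.stream()
                                .map(entry -> new ConnectorConfig.AccessLog.Content.Builder()
                                        .pathPrefix(entry.prefix())
                                        .sampleRate(entry.sampleRate())
                                        .maxSize(entry.maxEntitySize().toBytes()))
                                .toList()))
                .serverName.known(knownServerNames);
    }
}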
