package com.yahoo.jdisc.http.server.jetty;

import com.yahoo.concurrent.DaemonThreadFactory;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.tls.TransportSecurityOptions;
import com.yahoo.security.tls.TransportSecurityUtils;
import com.yahoo.security.tls.TrustAllX509TrustManager;
import java.io.IOException;
import java.nio.file.Path;
import java.time.Duration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.Executor;
import java.util.concurrent.Executors;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import javax.servlet.AsyncContext;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.WriteListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.Header;
import org.apache.http.HttpEntity;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.eclipse.jetty.server.DetectorConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.HandlerWrapper;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler.class */
public class HealthCheckProxyHandler extends HandlerWrapper {
    private static final Logger log = Logger.getLogger(HealthCheckProxyHandler.class.getName());
    private static final String HEALTH_CHECK_PATH = "/status.html";
    private final Executor executor = Executors.newSingleThreadExecutor(new DaemonThreadFactory("health-check-proxy-client-"));
    private final Map<Integer, ProxyTarget> portToProxyTargetMapping;

    /* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler$ProxyRequestTask.class */
    private static class ProxyRequestTask implements Runnable {
        final AsyncContext asyncContext;
        final ProxyTarget target;
        final HttpServletResponse servletResponse;
        final ServletOutputStream output;

        ProxyRequestTask(AsyncContext asyncContext, ProxyTarget proxyTarget, HttpServletResponse httpServletResponse, ServletOutputStream servletOutputStream) {
            this.asyncContext = asyncContext;
            this.target = proxyTarget;
            this.servletResponse = httpServletResponse;
            this.output = servletOutputStream;
        }

        @Override // java.lang.Runnable
        public void run() {
            final StatusResponse requestStatusHtml = this.target.requestStatusHtml();
            this.servletResponse.setStatus(requestStatusHtml.statusCode);
            if (requestStatusHtml.contentType != null) {
                this.servletResponse.setHeader("Content-Type", requestStatusHtml.contentType);
            }
            this.servletResponse.setHeader("Vespa-Health-Check-Proxy-Target", Integer.toString(this.target.port));
            this.output.setWriteListener(new WriteListener() { // from class: com.yahoo.jdisc.http.server.jetty.HealthCheckProxyHandler.ProxyRequestTask.1
                public void onWritePossible() throws IOException {
                    if (ProxyRequestTask.this.output.isReady()) {
                        if (requestStatusHtml.content != null) {
                            ProxyRequestTask.this.output.write(requestStatusHtml.content);
                        }
                        ProxyRequestTask.this.asyncContext.complete();
                    }
                }

                public void onError(Throwable th) {
                    HealthCheckProxyHandler.log.log(Level.FINE, th, () -> {
                        return "Failed to write status response: " + th.getMessage();
                    });
                    ProxyRequestTask.this.asyncContext.complete();
                }
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler$ProxyTarget.class */
    public static class ProxyTarget implements AutoCloseable {
        final int port;
        final Duration timeout;
        final SslContextFactory.Server sslContextFactory;
        volatile CloseableHttpClient client;
        volatile StatusResponse lastResponse;

        ProxyTarget(int i, Duration duration, SslContextFactory.Server server) {
            this.port = i;
            this.timeout = duration;
            this.sslContextFactory = server;
        }

        StatusResponse requestStatusHtml() {
            StatusResponse statusResponse = this.lastResponse;
            if (statusResponse != null && !statusResponse.isExpired()) {
                return statusResponse;
            }
            StatusResponse statusResponse2 = getStatusResponse();
            this.lastResponse = statusResponse2;
            return statusResponse2;
        }

        private StatusResponse getStatusResponse() {
            try {
                CloseableHttpResponse execute = client().execute(new HttpGet("https://localhost:" + this.port + "/status.html"));
                try {
                    int statusCode = execute.getStatusLine().getStatusCode();
                    HttpEntity entity = execute.getEntity();
                    if (entity == null) {
                        StatusResponse statusResponse = new StatusResponse(statusCode, null, null);
                        if (execute != null) {
                            execute.close();
                        }
                        return statusResponse;
                    }
                    Header contentType = entity.getContentType();
                    StatusResponse statusResponse2 = new StatusResponse(statusCode, contentType != null ? contentType.getValue() : null, EntityUtils.toByteArray(entity));
                    if (execute != null) {
                        execute.close();
                    }
                    return statusResponse2;
                } finally {
                }
            } catch (Exception e) {
                HealthCheckProxyHandler.log.log(Level.FINE, e, () -> {
                    return "Proxy request failed" + e.getMessage();
                });
                return new StatusResponse(500, HttpResponse.DEFAULT_MIME_TYPE, e.getMessage().getBytes());
            }
        }

        private CloseableHttpClient client() {
            if (this.client == null) {
                synchronized (this) {
                    if (this.client == null) {
                        int millis = (int) this.timeout.toMillis();
                        this.client = HttpClientBuilder.create().disableAutomaticRetries().setMaxConnPerRoute(4).setSSLContext(getSslContext(this.sslContextFactory)).setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE).setUserTokenHandler(httpContext -> {
                            return null;
                        }).setUserAgent("health-check-proxy-client").setDefaultRequestConfig(RequestConfig.custom().setConnectTimeout(millis).setConnectionRequestTimeout(millis).setSocketTimeout(millis).build()).build();
                    }
                }
            }
            return this.client;
        }

        private SSLContext getSslContext(SslContextFactory.Server server) {
            if (!server.getNeedClientAuth()) {
                HealthCheckProxyHandler.log.info(String.format("Port %d does not require a client certificate - client will not provide a certificate", Integer.valueOf(this.port)));
                return new SslContextBuilder().withTrustManager(new TrustAllX509TrustManager()).build();
            }
            HealthCheckProxyHandler.log.info(String.format("Port %d requires client certificate - client will provide its node certificate", Integer.valueOf(this.port)));
            TransportSecurityOptions transportSecurityOptions = (TransportSecurityOptions) TransportSecurityUtils.getOptions().orElseThrow(() -> {
                return new IllegalStateException("Vespa TLS configuration is required when using health check proxy to a port with client auth 'need'");
            });
            return new SslContextBuilder().withKeyStore((Path) transportSecurityOptions.getPrivateKeyFile().get(), (Path) transportSecurityOptions.getCertificatesFile().get()).withTrustManager(new TrustAllX509TrustManager()).build();
        }

        @Override // java.lang.AutoCloseable
        public void close() throws IOException {
            synchronized (this) {
                if (this.client != null) {
                    this.client.close();
                    this.client = null;
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/jdisc/http/server/jetty/HealthCheckProxyHandler$StatusResponse.class */
    public static class StatusResponse {
        final long createdAt = System.nanoTime();
        final int statusCode;
        final String contentType;
        final byte[] content;

        StatusResponse(int i, String str, byte[] bArr) {
            this.statusCode = i;
            this.contentType = str;
            this.content = bArr;
        }

        boolean isExpired() {
            return System.nanoTime() - this.createdAt > Duration.ofSeconds(1L).toNanos();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public HealthCheckProxyHandler(List<JDiscServerConnector> list) {
        this.portToProxyTargetMapping = createPortToProxyTargetMapping(list);
    }

    private static Map<Integer, ProxyTarget> createPortToProxyTargetMapping(List<JDiscServerConnector> list) {
        HashMap hashMap = new HashMap();
        for (JDiscServerConnector jDiscServerConnector : list) {
            ConnectorConfig.HealthCheckProxy healthCheckProxy = jDiscServerConnector.connectorConfig().healthCheckProxy();
            if (healthCheckProxy.enable()) {
                hashMap.put(Integer.valueOf(jDiscServerConnector.listenPort()), createProxyTarget(healthCheckProxy.port(), Duration.ofMillis((int) (healthCheckProxy.clientTimeout() * 1000.0d)), list));
                log.info(String.format("Port %1$d is configured as a health check proxy for port %2$d. HTTP requests to '%3$s' on %1$d are proxied as HTTPS to %2$d.", Integer.valueOf(jDiscServerConnector.listenPort()), Integer.valueOf(healthCheckProxy.port()), HEALTH_CHECK_PATH));
            }
        }
        return hashMap;
    }

    private static ProxyTarget createProxyTarget(int i, Duration duration, List<JDiscServerConnector> list) {
        JDiscServerConnector orElseThrow = list.stream().filter(jDiscServerConnector -> {
            return jDiscServerConnector.listenPort() == i;
        }).findAny().orElseThrow(() -> {
            return new IllegalArgumentException("Could not find any connector with listen port " + i);
        });
        return new ProxyTarget(i, duration, (SslContextFactory.Server) Optional.ofNullable((SslConnectionFactory) orElseThrow.getConnectionFactory(SslConnectionFactory.class)).or(() -> {
            return Optional.ofNullable((DetectorConnectionFactory) orElseThrow.getConnectionFactory(DetectorConnectionFactory.class)).map(detectorConnectionFactory -> {
                return (SslConnectionFactory) detectorConnectionFactory.getBean(SslConnectionFactory.class);
            });
        }).map(sslConnectionFactory -> {
            return sslConnectionFactory.getSslContextFactory();
        }).orElseThrow(() -> {
            return new IllegalArgumentException("Health check proxy can only target https port");
        }));
    }

    public void handle(String str, Request request, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        ProxyTarget proxyTarget = this.portToProxyTargetMapping.get(Integer.valueOf(RequestUtils.getConnectorLocalPort(request)));
        if (proxyTarget == null) {
            this._handler.handle(str, request, httpServletRequest, httpServletResponse);
            return;
        }
        AsyncContext startAsync = httpServletRequest.startAsync();
        ServletOutputStream outputStream = httpServletResponse.getOutputStream();
        if (httpServletRequest.getRequestURI().equals(HEALTH_CHECK_PATH)) {
            this.executor.execute(new ProxyRequestTask(startAsync, proxyTarget, httpServletResponse, outputStream));
        } else {
            httpServletResponse.setStatus(404);
            startAsync.complete();
        }
        request.setHandled(true);
    }

    protected void doStop() throws Exception {
        Iterator<ProxyTarget> it = this.portToProxyTargetMapping.values().iterator();
        while (it.hasNext()) {
            it.next().close();
        }
        super.doStop();
    }
}
