package ai.vespa.util.http.hc5;

import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TransportSecurityUtils;
import com.yahoo.vespa.feeder.shaded.internal.apache.http.HttpHost;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLParameters;
import org.apache.hc.client5.http.impl.classic.HttpClientBuilder;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
import org.apache.hc.client5.http.io.HttpClientConnectionManager;
import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
import org.apache.hc.client5.http.socket.PlainConnectionSocketFactory;
import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.core5.http.config.Registry;
import org.apache.hc.core5.http.config.RegistryBuilder;

/* loaded from: input_file:ai/vespa/util/http/hc5/VespaHttpClientBuilder.class */
public class VespaHttpClientBuilder {

    /* loaded from: input_file:ai/vespa/util/http/hc5/VespaHttpClientBuilder$HttpClientConnectionManagerFactory.class */
    public interface HttpClientConnectionManagerFactory {
        HttpClientConnectionManager create(Registry<ConnectionSocketFactory> registry);
    }

    public static HttpClientBuilder create() {
        return create(PoolingHttpClientConnectionManager::new);
    }

    public static HttpClientBuilder create(HttpClientConnectionManagerFactory httpClientConnectionManagerFactory) {
        return create(httpClientConnectionManagerFactory, new NoopHostnameVerifier());
    }

    public static HttpClientBuilder create(HttpClientConnectionManagerFactory httpClientConnectionManagerFactory, HostnameVerifier hostnameVerifier) {
        return create(httpClientConnectionManagerFactory, hostnameVerifier, true);
    }

    public static HttpClientBuilder create(HttpClientConnectionManagerFactory httpClientConnectionManagerFactory, HostnameVerifier hostnameVerifier, boolean z) {
        HttpClientBuilder create = HttpClientBuilder.create();
        addSslSocketFactory(create, httpClientConnectionManagerFactory, hostnameVerifier);
        if (z) {
            addHttpsRewritingRoutePlanner(create);
        }
        create.disableConnectionState();
        create.disableCookieManagement();
        create.disableAuthCaching();
        create.disableRedirectHandling();
        return create;
    }

    private static void addSslSocketFactory(HttpClientBuilder httpClientBuilder, HttpClientConnectionManagerFactory httpClientConnectionManagerFactory, HostnameVerifier hostnameVerifier) {
        TransportSecurityUtils.getSystemTlsContext().ifPresent(tlsContext -> {
            SSLParameters parameters = tlsContext.parameters();
            httpClientBuilder.setConnectionManager(httpClientConnectionManagerFactory.create(createRegistry(new SSLConnectionSocketFactory(tlsContext.context(), parameters.getProtocols(), parameters.getCipherSuites(), hostnameVerifier))));
            httpClientBuilder.setUserTokenHandler((httpRoute, httpContext) -> {
                return null;
            });
        });
    }

    private static Registry<ConnectionSocketFactory> createRegistry(SSLConnectionSocketFactory sSLConnectionSocketFactory) {
        return RegistryBuilder.create().register("https", sSLConnectionSocketFactory).register(HttpHost.DEFAULT_SCHEME_NAME, PlainConnectionSocketFactory.getSocketFactory()).build();
    }

    private static void addHttpsRewritingRoutePlanner(HttpClientBuilder httpClientBuilder) {
        if (!TransportSecurityUtils.isTransportSecurityEnabled() || TransportSecurityUtils.getInsecureMixedMode() == MixedMode.PLAINTEXT_CLIENT_MIXED_SERVER) {
            return;
        }
        httpClientBuilder.setRoutePlanner(new HttpToHttpsRoutePlanner());
    }
}
