package io.kroxylicious.proxy.model;

import edu.umd.cs.findbugs.annotations.NonNull;
import io.kroxylicious.proxy.config.IllegalConfigurationException;
import io.kroxylicious.proxy.config.NamedFilterDefinition;
import io.kroxylicious.proxy.config.TargetCluster;
import io.kroxylicious.proxy.config.tls.NettyKeyProvider;
import io.kroxylicious.proxy.config.tls.NettyTrustProvider;
import io.kroxylicious.proxy.config.tls.PlatformTrustProvider;
import io.kroxylicious.proxy.config.tls.Tls;
import io.kroxylicious.proxy.config.tls.TrustProvider;
import io.kroxylicious.proxy.internal.net.EndpointGateway;
import io.kroxylicious.proxy.service.ClusterNetworkAddressConfigProvider;
import io.kroxylicious.proxy.service.HostPort;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.io.UncheckedIOException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/kroxylicious/proxy/model/VirtualClusterModel.class */
public class VirtualClusterModel {
    private static final Logger LOGGER = LoggerFactory.getLogger(VirtualClusterModel.class);
    public static final int DEFAULT_SOCKET_FRAME_MAX_SIZE_BYTES = 104857600;
    private final String clusterName;
    private final TargetCluster targetCluster;
    private final boolean logNetwork;
    private final boolean logFrames;
    private final List<NamedFilterDefinition> filters;
    private final Map<String, VirtualClusterGatewayModel> gateways = new HashMap();
    private final Optional<SslContext> upstreamSslContext = buildUpstreamSslContext();

    /* loaded from: input_file:io/kroxylicious/proxy/model/VirtualClusterModel$VirtualClusterGatewayModel.class */
    public static class VirtualClusterGatewayModel implements EndpointGateway {
        private final VirtualClusterModel virtualCluster;
        private final ClusterNetworkAddressConfigProvider provider;
        private final Optional<Tls> tls;
        private final Optional<SslContext> downstreamSslContext;
        private final String name;

        VirtualClusterGatewayModel(VirtualClusterModel virtualClusterModel, ClusterNetworkAddressConfigProvider clusterNetworkAddressConfigProvider, Optional<Tls> optional, String str) {
            this.virtualCluster = virtualClusterModel;
            this.provider = clusterNetworkAddressConfigProvider;
            this.tls = optional;
            this.name = str;
            validatePortUsage(clusterNetworkAddressConfigProvider);
            validateTLsSettings(clusterNetworkAddressConfigProvider, optional);
            this.downstreamSslContext = buildDownstreamSslContext();
        }

        private void validatePortUsage(ClusterNetworkAddressConfigProvider clusterNetworkAddressConfigProvider) {
            Set set = (Set) clusterNetworkAddressConfigProvider.getExclusivePorts().stream().filter(num -> {
                return clusterNetworkAddressConfigProvider.getSharedPorts().contains(num);
            }).collect(Collectors.toSet());
            if (!set.isEmpty()) {
                throw new IllegalStateException("The set of exclusive ports described by the cluster endpoint provider must be distinct from those described as shared. Intersection: " + String.valueOf(set));
            }
        }

        private void validateTLsSettings(ClusterNetworkAddressConfigProvider clusterNetworkAddressConfigProvider, Optional<Tls> optional) {
            if (clusterNetworkAddressConfigProvider.requiresServerNameIndication()) {
                if (optional.isEmpty() || !optional.get().definesKey()) {
                    throw new IllegalStateException("Cluster endpoint provider requires ServerNameIndication, but virtual cluster gateway '%s' does not configure TLS and provide a certificate for the server".formatted(name()));
                }
            }
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public VirtualClusterModel virtualCluster() {
            return this.virtualCluster;
        }

        private ClusterNetworkAddressConfigProvider getClusterNetworkAddressConfigProvider() {
            return this.provider;
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public HostPort getClusterBootstrapAddress() {
            return getClusterNetworkAddressConfigProvider().getClusterBootstrapAddress();
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public TargetCluster targetCluster() {
            return this.virtualCluster.targetCluster();
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public HostPort getBrokerAddress(int i) throws IllegalArgumentException {
            return getClusterNetworkAddressConfigProvider().getBrokerAddress(i);
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public Optional<String> getBindAddress() {
            return getClusterNetworkAddressConfigProvider().getBindAddress();
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public boolean requiresServerNameIndication() {
            return getClusterNetworkAddressConfigProvider().requiresServerNameIndication();
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public Set<Integer> getExclusivePorts() {
            return getClusterNetworkAddressConfigProvider().getExclusivePorts();
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public Set<Integer> getSharedPorts() {
            return getClusterNetworkAddressConfigProvider().getSharedPorts();
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public Map<Integer, HostPort> discoveryAddressMap() {
            return getClusterNetworkAddressConfigProvider().discoveryAddressMap();
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public Integer getBrokerIdFromBrokerAddress(HostPort hostPort) {
            return getClusterNetworkAddressConfigProvider().getBrokerIdFromBrokerAddress(hostPort);
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public String name() {
            return this.name;
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public HostPort getAdvertisedBrokerAddress(int i) {
            return getClusterNetworkAddressConfigProvider().getAdvertisedBrokerAddress(i);
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public boolean isUseTls() {
            return this.tls.isPresent();
        }

        @Override // io.kroxylicious.proxy.internal.net.EndpointGateway
        public Optional<SslContext> getDownstreamSslContext() {
            return this.downstreamSslContext;
        }

        public Optional<Tls> getTls() {
            return this.tls;
        }

        private Optional<SslContext> buildDownstreamSslContext() {
            return this.tls.map(tls -> {
                try {
                    SslContextBuilder sslContextBuilder = (SslContextBuilder) Optional.of(tls.key()).map(NettyKeyProvider::new).map((v0) -> {
                        return v0.forServer();
                    }).orElseThrow();
                    VirtualClusterModel.configureCipherSuites(sslContextBuilder, tls);
                    VirtualClusterModel.configureEnabledProtocols(sslContextBuilder, tls);
                    return VirtualClusterModel.configureTrustProvider(tls).apply(sslContextBuilder).build();
                } catch (SSLException e) {
                    throw new UncheckedIOException(e);
                }
            });
        }

        public String toString() {
            return "VirtualClusterGatewayModel[name=" + this.name + ", virtualCluster=" + this.virtualCluster.getClusterName() + ", provider=" + String.valueOf(this.provider) + ", tls=" + isUseTls() + "]";
        }
    }

    public VirtualClusterModel(String str, TargetCluster targetCluster, boolean z, boolean z2, @NonNull List<NamedFilterDefinition> list) {
        this.clusterName = str;
        this.targetCluster = targetCluster;
        this.logNetwork = z;
        this.logFrames = z2;
        this.filters = list;
    }

    public void logVirtualClusterSummary() {
        HostPort hostPort = this.targetCluster.bootstrapServersList().get(0);
        String generateTlsSummary = generateTlsSummary(this.targetCluster.tls());
        LOGGER.info("Virtual Cluster '{}' - gateway summary", this.clusterName);
        this.gateways.forEach((str, virtualClusterGatewayModel) -> {
            LOGGER.info("Gateway: {}, Downstream {}{} => Upstream {}{}", new Object[]{str, virtualClusterGatewayModel.getClusterBootstrapAddress(), generateTlsSummary(virtualClusterGatewayModel.getTls()), hostPort, generateTlsSummary});
        });
    }

    private static String generateTlsSummary(Optional<Tls> optional) {
        return ((String) optional.map(tls -> {
            return (String) Optional.ofNullable(tls.trust()).map((v0) -> {
                return v0.trustOptions();
            }).map((v0) -> {
                return v0.toString();
            }).orElse("-");
        }).map(str -> {
            return " (TLS: " + str + ") ";
        }).orElse("")) + ((String) optional.map(tls2 -> {
            return (List) Optional.ofNullable(tls2.cipherSuites()).map((v0) -> {
                return v0.allowed();
            }).orElse(Collections.emptyList());
        }).map(list -> {
            return " (Allowed Ciphers: " + String.valueOf(list) + ")";
        }).orElse("")) + ((String) optional.map(tls3 -> {
            return (Set) Optional.ofNullable(tls3.cipherSuites()).map((v0) -> {
                return v0.denied();
            }).orElse(Collections.emptySet());
        }).map(set -> {
            return " (Denied Ciphers: " + String.valueOf(set) + ")";
        }).orElse("")) + ((String) optional.map(tls4 -> {
            return (List) Optional.ofNullable(tls4.protocols()).map((v0) -> {
                return v0.allowed();
            }).orElse(Collections.emptyList());
        }).map(list2 -> {
            return " (Allowed Protocols: " + String.valueOf(list2) + ")";
        }).orElse("")) + ((String) optional.map(tls5 -> {
            return (Set) Optional.ofNullable(tls5.protocols()).map((v0) -> {
                return v0.denied();
            }).orElse(Collections.emptySet());
        }).map(set2 -> {
            return " (Denied Protocols: " + String.valueOf(set2) + ")";
        }).orElse(""));
    }

    public void addGateway(String str, ClusterNetworkAddressConfigProvider clusterNetworkAddressConfigProvider, Optional<Tls> optional) {
        this.gateways.put(str, new VirtualClusterGatewayModel(this, clusterNetworkAddressConfigProvider, optional, str));
    }

    public TargetCluster targetCluster() {
        return this.targetCluster;
    }

    public String getClusterName() {
        return this.clusterName;
    }

    public boolean isLogNetwork() {
        return this.logNetwork;
    }

    public boolean isLogFrames() {
        return this.logFrames;
    }

    public int socketFrameMaxSizeBytes() {
        return DEFAULT_SOCKET_FRAME_MAX_SIZE_BYTES;
    }

    public String toString() {
        return "VirtualClusterModel{clusterName='" + this.clusterName + "', targetCluster=" + String.valueOf(this.targetCluster) + ", gateways=" + String.valueOf(this.gateways) + ", logNetwork=" + this.logNetwork + ", logFrames=" + this.logFrames + ", upstreamSslContext=" + String.valueOf(this.upstreamSslContext) + "}";
    }

    public Optional<SslContext> getUpstreamSslContext() {
        return this.upstreamSslContext;
    }

    @NonNull
    private static NettyTrustProvider configureTrustProvider(Tls tls) {
        return new NettyTrustProvider((TrustProvider) Optional.ofNullable(tls.trust()).orElse(PlatformTrustProvider.INSTANCE));
    }

    private Optional<SslContext> buildUpstreamSslContext() {
        return this.targetCluster.tls().map(tls -> {
            try {
                SslContextBuilder sslContextBuilder = (SslContextBuilder) Optional.ofNullable(tls.key()).map(NettyKeyProvider::new).map((v0) -> {
                    return v0.forClient();
                }).orElse(SslContextBuilder.forClient());
                configureCipherSuites(sslContextBuilder, tls);
                configureEnabledProtocols(sslContextBuilder, tls);
                Optional.ofNullable(tls.trust()).map((v0) -> {
                    return v0.trustOptions();
                }).filter(Predicate.not((v0) -> {
                    return v0.forClient();
                })).ifPresent(trustOptions -> {
                    throw new IllegalConfigurationException("Cannot apply trust options " + String.valueOf(trustOptions) + " to upstream (client) TLS.)");
                });
                return configureTrustProvider(tls).apply(sslContextBuilder).build();
            } catch (SSLException e) {
                throw new UncheckedIOException(e);
            }
        });
    }

    private static void configureCipherSuites(SslContextBuilder sslContextBuilder, Tls tls) {
        Optional.ofNullable(tls.cipherSuites()).ifPresent(allowDeny -> {
            sslContextBuilder.ciphers(tls.cipherSuites().allowed(), new DenyCipherSuiteFilter(tls.cipherSuites().denied()));
        });
    }

    private static void configureEnabledProtocols(SslContextBuilder sslContextBuilder, Tls tls) {
        Optional ofNullable = Optional.ofNullable(tls.protocols());
        List list = Arrays.stream(getDefaultSSLParameters().getProtocols()).toList();
        List list2 = Arrays.stream(getSupportedSSLParameters().getProtocols()).toList();
        ofNullable.ifPresent(allowDeny -> {
            List list3 = (List) ofNullable.map((v0) -> {
                return v0.allowed();
            }).orElse(list);
            Set set = (Set) ofNullable.map((v0) -> {
                return v0.denied();
            }).orElse(Set.of());
            Stream stream = list3.stream();
            Objects.requireNonNull(list2);
            stream.filter(Predicate.not((v1) -> {
                return r1.contains(v1);
            })).forEach(str -> {
                LOGGER.warn("Ignoring allowed protocol '{}' as it is not recognized by this platform (supported protocols: {})", str, list2);
            });
            Stream stream2 = set.stream();
            Objects.requireNonNull(list2);
            stream2.filter(Predicate.not((v1) -> {
                return r1.contains(v1);
            })).forEach(str2 -> {
                LOGGER.warn("Ignoring denied protocol '{}' as it is not recognized by this platform (supported protocols: {})", str2, list2);
            });
            Stream stream3 = list3.stream();
            Objects.requireNonNull(list2);
            Stream filter = stream3.filter((v1) -> {
                return r1.contains(v1);
            });
            Objects.requireNonNull(set);
            List list4 = filter.filter(Predicate.not((v1) -> {
                return r1.contains(v1);
            })).toList();
            if (list4.isEmpty()) {
                throw new IllegalConfigurationException("The protocols configuration you have in place has resulted in no protocols being set. Allowed: " + String.valueOf(list3) + ", Denied: " + String.valueOf(set));
            }
            sslContextBuilder.protocols(list4);
        });
    }

    private static SSLParameters getDefaultSSLParameters() {
        try {
            return SSLContext.getDefault().getDefaultSSLParameters();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    private static SSLParameters getSupportedSSLParameters() {
        try {
            return SSLContext.getDefault().getSupportedSSLParameters();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    @NonNull
    public List<NamedFilterDefinition> getFilters() {
        return this.filters;
    }

    public Map<String, EndpointGateway> gateways() {
        return Collections.unmodifiableMap(this.gateways);
    }
}
