package org.apache.pulsar.proxy.server;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.Executor;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.broker.web.AuthenticationFilter;
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.util.ExecutorProvider;
import org.apache.pulsar.common.util.PulsarSslConfiguration;
import org.apache.pulsar.common.util.PulsarSslFactory;
import org.apache.pulsar.policies.data.loadbalancer.LoadManagerReport;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.HttpRequest;
import org.eclipse.jetty.client.ProtocolHandlers;
import org.eclipse.jetty.client.RedirectProtocolHandler;
import org.eclipse.jetty.client.api.ContentProvider;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.client.http.HttpClientTransportOverHTTP;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.proxy.ProxyServlet;
import org.eclipse.jetty.util.HttpCookieStore;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/proxy/server/AdminProxyHandler.class */
class AdminProxyHandler extends ProxyServlet {
    private static final String ORIGINAL_PRINCIPAL_HEADER = "X-Original-Principal";
    public static final String INIT_PARAM_REQUEST_BUFFER_SIZE = "requestBufferSize";
    private final ProxyConfiguration config;
    private final BrokerDiscoveryProvider discoveryProvider;
    private final Authentication proxyClientAuthentication;
    private final String brokerWebServiceUrl;
    private final String functionWorkerWebServiceUrl;
    private PulsarSslFactory pulsarSslFactory;
    private ScheduledExecutorService sslContextRefresher;
    private static final Logger LOG = LoggerFactory.getLogger(AdminProxyHandler.class);
    private static final Set<String> functionRoutes = new HashSet(Arrays.asList("/admin/v3/function", "/admin/v2/function", "/admin/function", "/admin/v3/source", "/admin/v2/source", "/admin/source", "/admin/v3/sink", "/admin/v2/sink", "/admin/sink", "/admin/v2/worker", "/admin/v2/worker-stats", "/admin/worker", "/admin/worker-stats"));

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/pulsar/proxy/server/AdminProxyHandler$Client.class */
    public static class Client extends SslContextFactory.Client {
        private final PulsarSslFactory sslFactory;

        public Client(PulsarSslFactory pulsarSslFactory) {
            this.sslFactory = pulsarSslFactory;
        }

        public SSLContext getSslContext() {
            return this.sslFactory.getInternalSslContext();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/pulsar/proxy/server/AdminProxyHandler$JettyHttpClient.class */
    public static class JettyHttpClient extends HttpClient {
        private static final int NUMBER_OF_SELECTOR_THREADS = 1;

        public JettyHttpClient() {
            super(new HttpClientTransportOverHTTP(NUMBER_OF_SELECTOR_THREADS), (SslContextFactory) null);
        }

        public JettyHttpClient(SslContextFactory sslContextFactory) {
            super(new HttpClientTransportOverHTTP(NUMBER_OF_SELECTOR_THREADS), sslContextFactory);
        }

        protected Request copyRequest(HttpRequest httpRequest, URI uri) {
            String str = httpRequest.getHeaders().get(HttpHeader.AUTHORIZATION);
            Request copyRequest = super.copyRequest(httpRequest, uri);
            if (str != null) {
                copyRequest.header(HttpHeader.AUTHORIZATION, str);
            }
            return copyRequest;
        }
    }

    /* loaded from: input_file:org/apache/pulsar/proxy/server/AdminProxyHandler$ReplayableProxyContentProvider.class */
    protected class ReplayableProxyContentProvider extends ProxyServlet.ProxyInputStreamContentProvider {
        static final int MIN_REPLAY_BODY_BUFFER_SIZE = 64;
        private boolean bodyBufferAvailable;
        private boolean bodyBufferMaxSizeReached;
        private final ByteArrayOutputStream bodyBuffer;
        private final long httpInputMaxReplayBufferSize;

        protected ReplayableProxyContentProvider(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Request request, InputStream inputStream, int i) {
            super(AdminProxyHandler.this, httpServletRequest, httpServletResponse, request, inputStream);
            this.bodyBufferAvailable = false;
            this.bodyBufferMaxSizeReached = false;
            this.bodyBuffer = new ByteArrayOutputStream(Math.min(Math.max(httpServletRequest.getContentLength(), MIN_REPLAY_BODY_BUFFER_SIZE), i));
            this.httpInputMaxReplayBufferSize = i;
        }

        public Iterator<ByteBuffer> iterator() {
            if (this.bodyBufferAvailable) {
                return Collections.singleton(ByteBuffer.wrap(this.bodyBuffer.toByteArray())).iterator();
            }
            this.bodyBufferAvailable = true;
            return super.iterator();
        }

        protected ByteBuffer onRead(byte[] bArr, int i, int i2) {
            if (!this.bodyBufferMaxSizeReached) {
                if (this.bodyBuffer.size() + i2 < this.httpInputMaxReplayBufferSize) {
                    this.bodyBuffer.write(bArr, i, i2);
                } else {
                    this.bodyBufferMaxSizeReached = true;
                    this.bodyBufferAvailable = false;
                    this.bodyBuffer.reset();
                }
            }
            return super.onRead(bArr, i, i2);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AdminProxyHandler(ProxyConfiguration proxyConfiguration, BrokerDiscoveryProvider brokerDiscoveryProvider, Authentication authentication) {
        this.config = proxyConfiguration;
        this.discoveryProvider = brokerDiscoveryProvider;
        this.proxyClientAuthentication = authentication;
        this.brokerWebServiceUrl = proxyConfiguration.isTlsEnabledWithBroker() ? proxyConfiguration.getBrokerWebServiceURLTLS() : proxyConfiguration.getBrokerWebServiceURL();
        this.functionWorkerWebServiceUrl = proxyConfiguration.isTlsEnabledWithBroker() ? proxyConfiguration.getFunctionWorkerWebServiceURLTLS() : proxyConfiguration.getFunctionWorkerWebServiceURL();
        if (proxyConfiguration.isTlsEnabledWithBroker()) {
            this.pulsarSslFactory = createPulsarSslFactory();
            this.sslContextRefresher = Executors.newSingleThreadScheduledExecutor(new ExecutorProvider.ExtendedThreadFactory("pulsar-proxy-admin-handler-ssl-refresh"));
            if (proxyConfiguration.getTlsCertRefreshCheckDurationSec() > 0) {
                this.sslContextRefresher.scheduleWithFixedDelay(this::refreshSslContext, proxyConfiguration.getTlsCertRefreshCheckDurationSec(), proxyConfiguration.getTlsCertRefreshCheckDurationSec(), TimeUnit.SECONDS);
            }
        }
        super.setTimeout(proxyConfiguration.getHttpProxyTimeout());
    }

    protected HttpClient createHttpClient() throws ServletException {
        QueuedThreadPool queuedThreadPool;
        ServletConfig servletConfig = getServletConfig();
        HttpClient newHttpClient = newHttpClient();
        newHttpClient.setFollowRedirects(true);
        newHttpClient.setCookieStore(new HttpCookieStore.Empty());
        String initParameter = servletConfig.getInitParameter("maxThreads");
        if (initParameter == null || "-".equals(initParameter)) {
            queuedThreadPool = (Executor) getServletContext().getAttribute("org.eclipse.jetty.server.Executor");
            if (queuedThreadPool == null) {
                throw new IllegalStateException("No server executor for proxy");
            }
        } else {
            QueuedThreadPool queuedThreadPool2 = new QueuedThreadPool(Integer.parseInt(initParameter));
            String servletName = servletConfig.getServletName();
            int lastIndexOf = servletName.lastIndexOf(46);
            if (lastIndexOf >= 0) {
                servletName = servletName.substring(lastIndexOf + 1);
            }
            queuedThreadPool2.setName(servletName);
            queuedThreadPool = queuedThreadPool2;
        }
        newHttpClient.setExecutor(queuedThreadPool);
        String initParameter2 = servletConfig.getInitParameter("maxConnections");
        if (initParameter2 == null) {
            initParameter2 = "256";
        }
        newHttpClient.setMaxConnectionsPerDestination(Integer.parseInt(initParameter2));
        String initParameter3 = servletConfig.getInitParameter("idleTimeout");
        if (initParameter3 == null) {
            initParameter3 = "30000";
        }
        newHttpClient.setIdleTimeout(Long.parseLong(initParameter3));
        String initParameter4 = servletConfig.getInitParameter(INIT_PARAM_REQUEST_BUFFER_SIZE);
        if (initParameter4 != null) {
            newHttpClient.setRequestBufferSize(Integer.parseInt(initParameter4));
        }
        String initParameter5 = servletConfig.getInitParameter("responseBufferSize");
        if (initParameter5 != null) {
            newHttpClient.setResponseBufferSize(Integer.parseInt(initParameter5));
        }
        try {
            newHttpClient.start();
            newHttpClient.getContentDecoderFactories().clear();
            ProtocolHandlers protocolHandlers = newHttpClient.getProtocolHandlers();
            protocolHandlers.clear();
            protocolHandlers.put(new RedirectProtocolHandler(newHttpClient));
            return newHttpClient;
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }

    protected ContentProvider proxyRequestContent(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Request request) throws IOException {
        return new ReplayableProxyContentProvider(httpServletRequest, httpServletResponse, request, httpServletRequest.getInputStream(), this.config.getHttpInputMaxReplayBufferSize());
    }

    protected HttpClient newHttpClient() {
        try {
            if (!this.config.isTlsEnabledWithBroker()) {
                return new JettyHttpClient();
            }
            try {
                Client client = new Client(this.pulsarSslFactory);
                if (!this.config.isTlsHostnameVerificationEnabled()) {
                    client.setEndpointIdentificationAlgorithm((String) null);
                }
                return new JettyHttpClient(client);
            } catch (Exception e) {
                LOG.error("new jetty http client exception ", e);
                throw new PulsarClientException.InvalidConfigurationException(e.getMessage());
            }
        } catch (PulsarClientException e2) {
            throw new RuntimeException((Throwable) e2);
        }
    }

    protected String rewriteTarget(HttpServletRequest httpServletRequest) {
        StringBuilder sb = new StringBuilder();
        boolean z = false;
        String requestURI = httpServletRequest.getRequestURI();
        Iterator<String> it = functionRoutes.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            if (requestURI.startsWith(it.next())) {
                z = true;
                break;
            }
        }
        if (z && !StringUtils.isBlank(this.functionWorkerWebServiceUrl)) {
            sb.append(this.functionWorkerWebServiceUrl);
        } else if (StringUtils.isBlank(this.brokerWebServiceUrl)) {
            try {
                LoadManagerReport nextBroker = this.discoveryProvider.nextBroker();
                if (this.config.isTlsEnabledWithBroker()) {
                    sb.append(nextBroker.getWebServiceUrlTls());
                } else {
                    sb.append(nextBroker.getWebServiceUrl());
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("[{}:{}] Selected active broker is {}", new Object[]{httpServletRequest.getRemoteAddr(), Integer.valueOf(httpServletRequest.getRemotePort()), sb});
                }
            } catch (Exception e) {
                LOG.warn("[{}:{}] Failed to get next active broker {}", new Object[]{httpServletRequest.getRemoteAddr(), Integer.valueOf(httpServletRequest.getRemotePort()), e.getMessage(), e});
                return null;
            }
        } else {
            sb.append(this.brokerWebServiceUrl);
        }
        if (sb.lastIndexOf("/") == sb.length() - 1) {
            sb.deleteCharAt(sb.lastIndexOf("/"));
        }
        sb.append(requestURI);
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            sb.append("?").append(queryString);
        }
        URI normalize = URI.create(sb.toString()).normalize();
        if (validateDestination(normalize.getHost(), normalize.getPort())) {
            return normalize.toString();
        }
        return null;
    }

    protected void addProxyHeaders(HttpServletRequest httpServletRequest, Request request) {
        super.addProxyHeaders(httpServletRequest, request);
        String str = (String) httpServletRequest.getAttribute(AuthenticationFilter.AuthenticatedRoleAttributeName);
        if (str != null) {
            request.header(ORIGINAL_PRINCIPAL_HEADER, str);
        }
    }

    protected PulsarSslConfiguration buildSslConfiguration(AuthenticationDataProvider authenticationDataProvider) {
        return PulsarSslConfiguration.builder().tlsProvider(this.config.getBrokerClientSslProvider()).tlsKeyStoreType(this.config.getBrokerClientTlsKeyStoreType()).tlsKeyStorePath(this.config.getBrokerClientTlsKeyStore()).tlsKeyStorePassword(this.config.getBrokerClientTlsKeyStorePassword()).tlsTrustStoreType(this.config.getBrokerClientTlsTrustStoreType()).tlsTrustStorePath(this.config.getBrokerClientTlsTrustStore()).tlsTrustStorePassword(this.config.getBrokerClientTlsTrustStorePassword()).tlsCiphers(this.config.getBrokerClientTlsCiphers()).tlsProtocols(this.config.getBrokerClientTlsProtocols()).tlsTrustCertsFilePath(this.config.getBrokerClientTrustCertsFilePath()).tlsCertificateFilePath(this.config.getBrokerClientCertificateFilePath()).tlsKeyFilePath(this.config.getBrokerClientKeyFilePath()).allowInsecureConnection(this.config.isTlsAllowInsecureConnection()).requireTrustedClientCertOnConnect(false).tlsEnabledWithKeystore(this.config.isBrokerClientTlsEnabledWithKeyStore()).tlsCustomParams(this.config.getBrokerClientSslFactoryPluginParams()).authData(authenticationDataProvider).serverMode(false).isHttps(true).build();
    }

    protected PulsarSslFactory createPulsarSslFactory() {
        try {
            try {
                PulsarSslConfiguration buildSslConfiguration = buildSslConfiguration(this.proxyClientAuthentication.getAuthData());
                PulsarSslFactory pulsarSslFactory = (PulsarSslFactory) Class.forName(this.config.getBrokerClientSslFactoryPlugin()).getConstructor(new Class[0]).newInstance(new Object[0]);
                pulsarSslFactory.initialize(buildSslConfiguration);
                pulsarSslFactory.createInternalSslContext();
                return pulsarSslFactory;
            } catch (Exception e) {
                LOG.error("Failed to create Pulsar SSLFactory ", e);
                throw new PulsarClientException.InvalidConfigurationException(e.getMessage());
            }
        } catch (Exception e2) {
            throw new RuntimeException(e2);
        }
    }

    protected void refreshSslContext() {
        try {
            this.pulsarSslFactory.update();
        } catch (Exception e) {
            LOG.error("Failed to refresh SSL context", e);
        }
    }

    public void destroy() {
        super.destroy();
        if (this.sslContextRefresher != null) {
            this.sslContextRefresher.shutdownNow();
        }
    }
}
