package org.infinispan.server.configuration.endpoint;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.infinispan.commons.configuration.Builder;
import org.infinispan.commons.configuration.Combine;
import org.infinispan.commons.configuration.attributes.AttributeSet;
import org.infinispan.rest.configuration.RestAuthenticationConfigurationBuilder;
import org.infinispan.rest.configuration.RestServerConfigurationBuilder;
import org.infinispan.server.Server;
import org.infinispan.server.configuration.ServerConfigurationBuilder;
import org.infinispan.server.configuration.SocketBindingsConfiguration;
import org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration;
import org.infinispan.server.configuration.security.RealmConfiguration;
import org.infinispan.server.configuration.security.SecurityConfiguration;
import org.infinispan.server.core.configuration.AuthenticationConfigurationBuilder;
import org.infinispan.server.core.configuration.ProtocolServerConfiguration;
import org.infinispan.server.core.configuration.ProtocolServerConfigurationBuilder;
import org.infinispan.server.core.configuration.SaslAuthenticationConfigurationBuilder;
import org.infinispan.server.core.configuration.SaslConfigurationBuilder;
import org.infinispan.server.hotrod.configuration.HotRodServerConfigurationBuilder;
import org.infinispan.server.memcached.configuration.MemcachedAuthenticationConfigurationBuilder;
import org.infinispan.server.memcached.configuration.MemcachedProtocol;
import org.infinispan.server.memcached.configuration.MemcachedServerConfigurationBuilder;
import org.infinispan.server.resp.configuration.RespAuthenticationConfigurationBuilder;
import org.infinispan.server.resp.configuration.RespServerConfigurationBuilder;
import org.infinispan.server.security.ElytronHTTPAuthenticator;
import org.infinispan.server.security.ElytronRESPAuthenticator;
import org.infinispan.server.security.ElytronSASLAuthenticator;
import org.infinispan.server.security.ElytronUsernamePasswordAuthenticator;
import org.infinispan.server.security.RespClientCertAuthenticator;
import org.infinispan.server.security.ServerSecurityRealm;

/* loaded from: input_file:org/infinispan/server/configuration/endpoint/EndpointConfigurationBuilder.class */
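/**
 * Builder for one server endpoint: a single-port router plus the protocol connectors
 * (Hot Rod, REST, RESP, Memcached) attached to it.
 *
 * <p>Security-relevant behaviour lives in {@link #create(SocketBindingsConfiguration, SecurityConfiguration)}
 * and the {@code enableImplicitAuthentication} overloads. When implicit connector security is on and an
 * endpoint security realm is set, authentication mechanisms are derived from the features the realm
 * advertises. A connector that already declares its own mechanisms is left as configured, so an explicit
 * mechanism list is the way to narrow what the implicit path would otherwise enable.
 *
 * <p>This listing is decompiler output (see the "renamed from" marker on {@link #m29create()}); the names
 * {@code m29create} and {@code m34create} are decompiler renames of {@code create} and are kept so that
 * references elsewhere in the decompiled tree still resolve.
 */
public class EndpointConfigurationBuilder implements Builder<EndpointConfiguration> {
    private boolean implicitConnectorSecurity;
    private final List<ProtocolServerConfigurationBuilder<?, ?, ?>> connectorBuilders = new ArrayList<>(2);
    private final SinglePortServerConfigurationBuilder singlePortBuilder = new SinglePortServerConfigurationBuilder();
    private final AttributeSet attributes = EndpointConfiguration.attributeDefinitionSet();

    /**
     * Creates a builder whose single-port router is bound to the given socket binding.
     *
     * @param serverConfigurationBuilder not used by this constructor
     * @param str name of the socket binding for the single-port router
     */
    public EndpointConfigurationBuilder(ServerConfigurationBuilder serverConfigurationBuilder, String str) {
        this.singlePortBuilder.socketBinding(str);
    }

    /** Returns the attribute set backing this builder. */
    public AttributeSet attributes() {
        return this.attributes;
    }

    /**
     * Sets the endpoint security realm.
     *
     * @param str realm name; {@code create} treats a {@code null} realm as "no implicit security"
     * @return this builder
     */
    public EndpointConfigurationBuilder securityRealm(String str) {
        this.attributes.attribute(EndpointConfiguration.SECURITY_REALM).set(str);
        return this;
    }

    /** Returns the endpoint security realm name, as stored in the attribute set. */
    public String securityRealm() {
        return (String) this.attributes.attribute(EndpointConfiguration.SECURITY_REALM).get();
    }

    /**
     * Turns derivation of connector authentication from the endpoint realm on or off.
     * With this off, {@code create} builds every connector exactly as it was configured.
     *
     * @param z whether implicit connector security is enabled
     * @return this builder
     */
    public EndpointConfigurationBuilder implicitConnectorSecurity(boolean z) {
        this.implicitConnectorSecurity = z;
        return this;
    }

    /**
     * Sets the {@code ADMIN} attribute.
     *
     * @param z new attribute value
     * @return this builder
     */
    public EndpointConfigurationBuilder admin(boolean z) {
        this.attributes.attribute(EndpointConfiguration.ADMIN).set(Boolean.valueOf(z));
        return this;
    }

    /** Returns the current value of the {@code ADMIN} attribute. */
    public boolean admin() {
        return (Boolean) this.attributes.attribute(EndpointConfiguration.ADMIN).get();
    }

    /**
     * Sets the {@code METRICS_AUTH} attribute.
     * NOTE(review): presumably controls whether the metrics resource requires authentication;
     * the consumer of this attribute is not visible here, so confirm before relying on it.
     *
     * @param z new attribute value
     * @return this builder
     */
    public EndpointConfigurationBuilder metricsAuth(boolean z) {
        this.attributes.attribute(EndpointConfiguration.METRICS_AUTH).set(Boolean.valueOf(z));
        return this;
    }

    /** Returns the current value of the {@code METRICS_AUTH} attribute. */
    public boolean metricsAuth() {
        return (Boolean) this.attributes.attribute(EndpointConfiguration.METRICS_AUTH).get();
    }

    /** Returns the live (mutable) list of connector builders registered on this endpoint. */
    public List<ProtocolServerConfigurationBuilder<?, ?, ?>> connectors() {
        return this.connectorBuilders;
    }

    /** Returns the single-port router builder of this endpoint. */
    public SinglePortServerConfigurationBuilder singlePort() {
        return this.singlePortBuilder;
    }

    /**
     * Instantiates a connector builder through its public no-argument constructor, registers it and
     * applies the single-port configuration to it.
     *
     * @param cls connector builder class to instantiate
     * @return the new, registered connector builder
     * @throws RuntimeException the exception produced by
     *         {@code Server.log.cannotInstantiateProtocolServerConfigurationBuilder} when instantiation or
     *         registration fails; the original failure is passed along as its cause
     */
    public <T extends ProtocolServerConfigurationBuilder<?, ?, ?>> T addConnector(Class<T> cls) {
        try {
            T connector = cls.getConstructor().newInstance();
            this.connectorBuilders.add(connector);
            this.singlePortBuilder.applyConfigurationToProtocol(connector);
            return connector;
        } catch (Exception e) {
            // Deliberately broad: failures from applyConfigurationToProtocol are wrapped as well.
            throw Server.log.cannotInstantiateProtocolServerConfigurationBuilder(cls, e);
        }
    }

    /**
     * Rejects endpoints that declare two connectors of the same builder class on the same socket binding.
     * The error names the connectors of the first offending group found.
     */
    public void validate() {
        // Typed map instead of the decompiler's raw (Map) cast, which erased the element type
        // the lambdas below rely on.
        Map<String, List<ProtocolServerConfigurationBuilder<?, ?, ?>>> connectorsByTypeAndBinding =
                this.connectorBuilders.stream().collect(Collectors.groupingBy(
                        connector -> connector.getClass().getSimpleName() + "/" + connector.socketBinding()));
        connectorsByTypeAndBinding.values().stream()
                .filter(group -> group.size() > 1)
                .findFirst()
                .ifPresent(group -> {
                    String names = group.stream().map(connector -> connector.name()).collect(Collectors.joining(","));
                    throw Server.log.multipleEndpointsSameTypeFound(names);
                });
    }

    /* renamed from: create, reason: merged with bridge method [inline-methods] */
    /**
     * No-argument creation is not supported; use
     * {@link #create(SocketBindingsConfiguration, SecurityConfiguration)}.
     *
     * @throws UnsupportedOperationException always
     */
    public EndpointConfiguration m29create() {
        throw new UnsupportedOperationException();
    }

    /**
     * Builds the endpoint configuration, resolving socket bindings and, when implicit connector
     * security is on and an endpoint realm is set, deriving authentication for each connector
     * from that realm.
     *
     * <p>Implicit RESP and Memcached connectors whose realm cannot authenticate them are omitted from
     * the result. TLS is enabled on the single-port router only when the endpoint realm has the
     * {@code ENCRYPT} feature.
     *
     * @param socketBindingsConfiguration resolves socket binding names for the router and connectors
     * @param securityConfiguration source of the security realms
     * @return the immutable endpoint configuration
     */
    public EndpointConfiguration create(SocketBindingsConfiguration socketBindingsConfiguration, SecurityConfiguration securityConfiguration) {
        boolean implicitSecurity = this.implicitConnectorSecurity && securityRealm() != null;
        socketBindingsConfiguration.applySocketBinding(this.singlePortBuilder.socketBinding(), this.singlePortBuilder, this.singlePortBuilder);
        // Left raw on purpose: the element type expected by the EndpointConfiguration constructor
        // is not visible in this listing.
        ArrayList connectors = new ArrayList(this.connectorBuilders.size());
        for (ProtocolServerConfigurationBuilder<?, ?, ?> connector : this.connectorBuilders) {
            // The decompiler typed this variable as HotRodServerConfigurationBuilder, which does not
            // compile for the other connector kinds; the common builder type is used instead.
            ProtocolServerConfigurationBuilder<?, ?, ?> effective = connector;
            socketBindingsConfiguration.applySocketBinding(connector.socketBinding(), connector, this.singlePortBuilder);
            if (implicitSecurity) {
                if (connector instanceof HotRodServerConfigurationBuilder) {
                    enableImplicitAuthentication(securityConfiguration, securityRealm(), (HotRodServerConfigurationBuilder) connector);
                } else if (connector instanceof RestServerConfigurationBuilder) {
                    enableImplicitAuthentication(securityConfiguration, securityRealm(), (RestServerConfigurationBuilder) connector);
                } else if (connector instanceof RespServerConfigurationBuilder) {
                    effective = enableImplicitAuthentication(securityConfiguration, securityRealm(), (RespServerConfigurationBuilder) connector);
                } else if (connector instanceof MemcachedServerConfigurationBuilder) {
                    effective = enableImplicitAuthentication(securityConfiguration, securityRealm(), (MemcachedServerConfigurationBuilder) connector);
                }
                // Any other connector type falls through and is created with whatever authentication
                // it was configured with; no realm-derived authentication is applied to it.
            }
            // null means "omit this connector" (an implicit connector the realm cannot authenticate).
            if (effective != null) {
                connectors.add((ProtocolServerConfiguration) effective.create());
            }
        }
        if (implicitSecurity) {
            // NOTE(review): getRealm's behaviour for an unknown realm name is not visible here.
            RealmConfiguration realm = securityConfiguration.realms().getRealm(securityRealm());
            if (realm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
                this.singlePortBuilder.ssl().enable().sslContext(realm.serverSSLContext());
            }
        }
        return new EndpointConfiguration(this.attributes.protect(), connectors, this.singlePortBuilder.m34create());
    }

    /**
     * Copies attributes from an existing configuration into this builder.
     *
     * @param endpointConfiguration configuration to read from
     * @param combine combine strategy, passed through to the attribute set
     * @return this builder
     */
    public EndpointConfigurationBuilder read(EndpointConfiguration endpointConfiguration, Combine combine) {
        this.attributes.read(endpointConfiguration.attributes(), combine);
        return this;
    }

    /**
     * Derives SASL authentication for a Hot Rod connector. The connector's own realm is kept when it
     * has one; otherwise the endpoint realm is assigned.
     *
     * @param securityConfiguration source of the security realms
     * @param str endpoint realm name, used only when the connector has no realm of its own
     * @param hotRodServerConfigurationBuilder connector to configure
     */
    public static void enableImplicitAuthentication(SecurityConfiguration securityConfiguration, String str, HotRodServerConfigurationBuilder hotRodServerConfigurationBuilder) {
        SaslAuthenticationConfigurationBuilder authentication = hotRodServerConfigurationBuilder.authentication();
        if (!authentication.hasSecurityRealm()) {
            authentication.securityRealm(str);
            Server.log.debugf("Using endpoint realm \"%s\" for Hot Rod", str);
        }
        ServerSecurityRealm realm = securityConfiguration.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
        enableSaslAuthentication(authentication, authentication.sasl(), realm, "hotrod/", "Hot Rod");
    }

    /**
     * Enables SASL mechanisms that match the realm's features and installs an Elytron SASL authenticator.
     * Does nothing, including not installing the authenticator, when mechanisms are already configured.
     *
     * @param authentication authentication builder to enable
     * @param sasl SASL builder receiving the mechanisms and the authenticator
     * @param realm realm whose features select the mechanisms
     * @param principalPrefix Kerberos service-principal prefix for the protocol, e.g. {@code "hotrod/"}
     * @param protocolName protocol name used in log messages
     */
    private static void enableSaslAuthentication(AuthenticationConfigurationBuilder<?> authentication, SaslConfigurationBuilder sasl, ServerSecurityRealm realm, String principalPrefix, String protocolName) {
        if (sasl.hasMechanisms()) {
            // An explicit mechanism list wins over everything derived below.
            return;
        }
        String serverPrincipal = null;
        for (KerberosSecurityFactoryConfiguration identity : realm.getServerIdentities().kerberosConfigurations()) {
            if (identity.getPrincipal().startsWith(principalPrefix)) {
                authentication.enable();
                sasl.addMechanisms(new String[]{"GS2-KRB5", "GSSAPI"});
                serverPrincipal = identity.getPrincipal();
                // Logged here, for the principal actually selected. Previously this line sat after the
                // if-block, so it fired for every non-matching principal and never for the match.
                Server.log.debugf("Enabled Kerberos mechanisms for %s using principal '%s'", protocolName, identity.getPrincipal());
                break;
            }
        }
        if (realm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
            authentication.enable();
            sasl.addMechanisms(new String[]{"OAUTHBEARER"});
            Server.log.debugf("Enabled OAUTHBEARER mechanism for %s", protocolName);
        }
        if (realm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
            authentication.enable();
            sasl.addMechanisms(new String[]{"EXTERNAL"});
            Server.log.debugf("Enabled EXTERNAL mechanism for %s", protocolName);
        }
        if (realm.hasFeature(ServerSecurityRealm.Feature.PASSWORD_HASHED)) {
            authentication.enable();
            // NOTE(review): this list includes legacy digests (SCRAM-SHA-1, DIGEST-SHA, CRAM-MD5,
            // DIGEST-MD5). Deployments that must exclude them need an explicit mechanism list on the
            // connector, which makes this method return early.
            sasl.addMechanisms(new String[]{"SCRAM-SHA-512", "SCRAM-SHA-384", "SCRAM-SHA-256", "SCRAM-SHA-1", "DIGEST-SHA-512", "DIGEST-SHA-384", "DIGEST-SHA-256", "DIGEST-SHA", "CRAM-MD5", "DIGEST-MD5"});
            Server.log.debugf("Enabled SCRAM, DIGEST and CRAM mechanisms for %s", protocolName);
            if (realm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
                // PLAIN is offered only when the realm also has ENCRYPT.
                // NOTE(review): that is a realm capability; this method does not check that the
                // connector's transport is actually encrypted. Confirm TLS is enforced where PLAIN
                // can be negotiated.
                authentication.enable();
                sasl.addMechanisms(new String[]{"PLAIN"});
                Server.log.debugf("Enabled PLAIN mechanism for %s", protocolName);
            }
        }
        sasl.authenticator(new ElytronSASLAuthenticator(authentication.securityRealm(), serverPrincipal, sasl.mechanisms()));
    }

    /**
     * Derives HTTP authentication for a REST connector. The connector's own realm is kept when it has
     * one; otherwise the endpoint realm is assigned. Nothing else changes when the connector already
     * declares mechanisms.
     *
     * @param securityConfiguration source of the security realms
     * @param str endpoint realm name, used only when the connector has no realm of its own
     * @param restServerConfigurationBuilder connector to configure
     */
    public static void enableImplicitAuthentication(SecurityConfiguration securityConfiguration, String str, RestServerConfigurationBuilder restServerConfigurationBuilder) {
        RestAuthenticationConfigurationBuilder authentication = restServerConfigurationBuilder.authentication();
        if (!authentication.hasSecurityRealm()) {
            authentication.securityRealm(str);
        }
        ServerSecurityRealm realm = securityConfiguration.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
        if (authentication.hasMechanisms()) {
            // An explicit mechanism list wins; no authenticator is installed here in that case.
            return;
        }
        String serverPrincipal = null;
        for (KerberosSecurityFactoryConfiguration identity : realm.getServerIdentities().kerberosConfigurations()) {
            // NOTE(review): unlike the SASL path there is no break, so every "HTTP/" principal
            // re-adds SPNEGO and the last match becomes the server principal. Confirm this is intended.
            if (identity.getPrincipal().startsWith("HTTP/")) {
                authentication.enable().addMechanisms(new String[]{"SPNEGO"});
                serverPrincipal = identity.getPrincipal();
                // Logged only for principals that actually enabled SPNEGO. Previously this fired
                // for every Kerberos identity of the realm, whether or not it matched.
                Server.log.debugf("Enabled SPNEGO authentication for HTTP using principal '%s'", identity.getPrincipal());
            }
        }
        if (realm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
            authentication.enable().addMechanisms(new String[]{"BEARER_TOKEN"});
            Server.log.debug("Enabled BEARER_TOKEN for HTTP");
        }
        if (realm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
            authentication.enable().addMechanisms(new String[]{"CLIENT_CERT"});
            Server.log.debug("Enabled CLIENT_CERT for HTTP");
        }
        if (realm.hasFeature(ServerSecurityRealm.Feature.PASSWORD_HASHED)) {
            authentication.enable().addMechanisms(new String[]{"DIGEST"});
            Server.log.debug("Enabled DIGEST for HTTP");
            if (realm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
                // BASIC is offered only when the realm also has ENCRYPT.
                // NOTE(review): this method does not check that the connector's transport is
                // actually encrypted; confirm TLS is enforced where BASIC can be used.
                authentication.enable().addMechanisms(new String[]{"BASIC"});
                Server.log.debug("Enabled BASIC for HTTP");
            }
        }
        authentication.authenticator(new ElytronHTTPAuthenticator(authentication.securityRealm(), serverPrincipal, authentication.mechanisms()));
    }

    /**
     * Derives authentication for a RESP connector from the realm's {@code PASSWORD_PLAIN} and
     * {@code TRUST} features.
     *
     * @param securityConfiguration source of the security realms
     * @param str endpoint realm name, used only when the connector has no realm of its own
     * @param respServerConfigurationBuilder connector to configure
     * @return the connector to create, or {@code null} when an implicit connector must be omitted
     *         because the realm offers neither feature
     * @throws RuntimeException the exception produced by
     *         {@code Server.log.respEndpointRequiresRealmWithPasswordOrTrustore} when an explicitly
     *         declared connector has a non-anonymous realm that offers neither feature
     */
    private ProtocolServerConfigurationBuilder<?, ?, ?> enableImplicitAuthentication(SecurityConfiguration securityConfiguration, String str, RespServerConfigurationBuilder respServerConfigurationBuilder) {
        RespAuthenticationConfigurationBuilder authentication = respServerConfigurationBuilder.authentication();
        if (!authentication.hasSecurityRealm()) {
            authentication.securityRealm(str);
        }
        boolean authenticatorConfigured = false;
        ServerSecurityRealm realm = securityConfiguration.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
        ElytronRESPAuthenticator respAuthenticator = new ElytronRESPAuthenticator();
        if (realm.hasFeature(ServerSecurityRealm.Feature.PASSWORD_PLAIN)) {
            respAuthenticator.withUsernamePasswordAuth(new ElytronUsernamePasswordAuthenticator(authentication.securityRealm()));
            authenticatorConfigured = true;
        }
        if (realm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
            respAuthenticator.withClientCertAuth(new RespClientCertAuthenticator(authentication.securityRealm()));
            authenticatorConfigured = true;
        }
        if (authenticatorConfigured) {
            authentication.authenticator(respAuthenticator);
            return respServerConfigurationBuilder;
        }
        if (respServerConfigurationBuilder.implicitConnector()) {
            // Implicit connector the realm cannot authenticate: drop it rather than expose it.
            return null;
        }
        if (realm.isAnonymous()) {
            // The connector is created with no authenticator installed by this method.
            // NOTE(review): confirm an anonymous realm on this endpoint is intentional.
            return respServerConfigurationBuilder;
        }
        throw Server.log.respEndpointRequiresRealmWithPasswordOrTrustore();
    }

    /**
     * Derives authentication for a Memcached connector: SASL for the binary protocol and
     * username/password for the text protocol, which requires the {@code PASSWORD_PLAIN} feature.
     *
     * @param securityConfiguration source of the security realms
     * @param str endpoint realm name, used only when the connector has no realm of its own
     * @param memcachedServerConfigurationBuilder connector to configure
     * @return the connector to create, or {@code null} when an implicit text-protocol connector must
     *         be omitted because the realm lacks {@code PASSWORD_PLAIN}
     * @throws RuntimeException the exception produced by
     *         {@code Server.log.memcachedTextEndpointRequiresRealmWithPassword} when an explicitly
     *         declared text-protocol connector has a non-anonymous realm without {@code PASSWORD_PLAIN}
     */
    private ProtocolServerConfigurationBuilder<?, ?, ?> enableImplicitAuthentication(SecurityConfiguration securityConfiguration, String str, MemcachedServerConfigurationBuilder memcachedServerConfigurationBuilder) {
        MemcachedAuthenticationConfigurationBuilder authentication = memcachedServerConfigurationBuilder.authentication();
        if (!authentication.hasSecurityRealm()) {
            authentication.securityRealm(str);
        }
        ServerSecurityRealm realm = securityConfiguration.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
        MemcachedProtocol protocol = memcachedServerConfigurationBuilder.protocol();
        if (protocol.isBinary()) {
            enableSaslAuthentication(authentication, authentication.sasl(), realm, "memcached/", "Memcached");
        }
        if (protocol.isText()) {
            if (!realm.hasFeature(ServerSecurityRealm.Feature.PASSWORD_PLAIN)) {
                if (memcachedServerConfigurationBuilder.implicitConnector()) {
                    // Implicit connector the realm cannot authenticate: drop it rather than expose it.
                    return null;
                }
                if (realm.isAnonymous()) {
                    // The text protocol is served with no authenticator installed by this method.
                    // NOTE(review): confirm an anonymous realm on this endpoint is intentional.
                    return memcachedServerConfigurationBuilder;
                }
                throw Server.log.memcachedTextEndpointRequiresRealmWithPassword();
            }
            authentication.text().authenticator(new ElytronUsernamePasswordAuthenticator(authentication.securityRealm()));
        }
        return memcachedServerConfigurationBuilder;
    }
}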
