package alluxio.shaded.client.org.eclipse.jetty.server;

import alluxio.shaded.client.javax.net.ssl.SSLEngine;
import alluxio.shaded.client.javax.net.ssl.SSLSession;
import alluxio.shaded.client.org.eclipse.jetty.http.BadMessageException;
import alluxio.shaded.client.org.eclipse.jetty.http.HttpField;
import alluxio.shaded.client.org.eclipse.jetty.http.HttpHeader;
import alluxio.shaded.client.org.eclipse.jetty.http.HttpScheme;
import alluxio.shaded.client.org.eclipse.jetty.http.PreEncodedHttpField;
import alluxio.shaded.client.org.eclipse.jetty.io.EndPoint;
import alluxio.shaded.client.org.eclipse.jetty.io.ssl.SslConnection;
import alluxio.shaded.client.org.eclipse.jetty.server.HttpConfiguration;
import alluxio.shaded.client.org.eclipse.jetty.server.ProxyConnectionFactory;
import alluxio.shaded.client.org.eclipse.jetty.util.Attributes;
import alluxio.shaded.client.org.eclipse.jetty.util.StringUtil;
import alluxio.shaded.client.org.eclipse.jetty.util.TypeUtil;
import alluxio.shaded.client.org.eclipse.jetty.util.annotation.Name;
import alluxio.shaded.client.org.eclipse.jetty.util.log.Log;
import alluxio.shaded.client.org.eclipse.jetty.util.log.Logger;
import alluxio.shaded.client.org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager;
import alluxio.shaded.client.org.eclipse.jetty.util.ssl.SslContextFactory;
import alluxio.shaded.client.org.eclipse.jetty.util.ssl.X509;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;

/* loaded from: input_file:alluxio/shaded/client/org/eclipse/jetty/server/SecureRequestCustomizer.class */
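/**
 * Request customizer that marks requests received over TLS as secure and exposes TLS session
 * details (peer certificate chain, cipher suite, key size, session id) as request attributes.
 *
 * <p>It can also enforce that an SNI certificate was selected for the connection, check that the
 * request's server name matches that certificate, and add a {@code Strict-Transport-Security}
 * header to responses of secure requests.
 *
 * <p>NOTE(review): the "secure" decision in {@link #customize(Connector, HttpConfiguration, Request)}
 * follows {@code request.getScheme()}, which this class only sets when the request URI carries no
 * scheme. How {@code Request} derives the scheme otherwise is not visible here; confirm that this
 * customizer is attached only to TLS connectors or connectors fed by a trusted proxy.
 */
public class SecureRequestCustomizer implements HttpConfiguration.Customizer {
    private static final Logger LOG = Log.getLogger((Class<?>) SecureRequestCustomizer.class);

    /** Request attribute name under which the peer certificate chain is exposed. */
    public static final String JAVAX_SERVLET_REQUEST_X_509_CERTIFICATE = "alluxio.shaded.client.javax.servlet.request.X509Certificate";
    /** Request attribute name under which the negotiated cipher suite is exposed. */
    public static final String JAVAX_SERVLET_REQUEST_CIPHER_SUITE = "alluxio.shaded.client.javax.servlet.request.cipher_suite";
    /** Request attribute name under which the deduced key size is exposed. */
    public static final String JAVAX_SERVLET_REQUEST_KEY_SIZE = "alluxio.shaded.client.javax.servlet.request.key_size";
    /** Request attribute name under which the hex-encoded TLS session id is exposed. */
    public static final String JAVAX_SERVLET_REQUEST_SSL_SESSION_ID = "alluxio.shaded.client.javax.servlet.request.ssl_session_id";

    // Name of the request attribute that returns the SSLSession itself; empty/null disables it.
    private String sslSessionAttribute;
    // When true, a connection without a recorded SNI certificate is rejected with 400.
    private boolean _sniRequired;
    // When true, the request's server name must match the recorded SNI certificate.
    private boolean _sniHostCheck;
    // Strict-Transport-Security max-age in seconds; a negative value disables the header.
    private long _stsMaxAge;
    private boolean _stsIncludeSubDomains;
    // Pre-built Strict-Transport-Security field, or null when the header is disabled.
    private HttpField _stsField;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:alluxio/shaded/client/org/eclipse/jetty/server/SecureRequestCustomizer$SslAttributes.class */
    /**
     * Attribute view layered over the request's own attributes that answers the TLS-related
     * attribute names from values captured when the request was customized.
     */
    public class SslAttributes extends Attributes.Wrapper {
        private final Request _request;
        private final SSLSession _session;
        private X509Certificate[] _certs;
        private String _cipherSuite;
        private Integer _keySize;
        private String _sessionId;
        private String _sessionAttribute;

        /**
         * Captures the TLS details of {@code sSLSession} for later attribute lookups.
         *
         * <p>Extraction is best effort: any exception is logged at warn level and the fields not
         * yet assigned stay {@code null}, so the matching attributes are simply absent.
         *
         * @param request the request being customized
         * @param sSLSession the TLS session of the connection that carried the request
         * @param attributes the request's existing attributes, used for every other name
         */
        public SslAttributes(Request request, SSLSession sSLSession, Attributes attributes) {
            super(attributes);
            this._request = request;
            this._session = sSLSession;
            try {
                SslSessionData sslSessionData = getSslSessionData();
                this._certs = sslSessionData.getCerts();
                this._cipherSuite = this._session.getCipherSuite();
                this._keySize = sslSessionData.getKeySize();
                this._sessionId = sslSessionData.getIdStr();
                this._sessionAttribute = SecureRequestCustomizer.this.getSslSessionAttribute();
            } catch (Exception e) {
                SecureRequestCustomizer.LOG.warn("Unable to get secure details ", e);
            }
        }

        /**
         * Returns the TLS-derived value for the four well-known attribute names, the
         * {@link SSLSession} for the configured session attribute name, and otherwise delegates
         * to the wrapped attributes.
         *
         * <p>The certificate array returned is the instance cached on the TLS session, not a
         * copy; callers should treat it as read-only.
         *
         * @param str the attribute name; must not be {@code null}
         * @return the attribute value, or whatever the wrapped attributes return for the name
         */
        @Override // alluxio.shaded.client.org.eclipse.jetty.util.Attributes.Wrapper, alluxio.shaded.client.org.eclipse.jetty.util.Attributes
        public Object getAttribute(String str) {
            // The decompiler emitted a two-stage hashCode switch with a boolean selector and
            // duplicate case labels, which is not valid Java; this is the equivalent string switch.
            switch (str) {
                case JAVAX_SERVLET_REQUEST_X_509_CERTIFICATE:
                    return this._certs;
                case JAVAX_SERVLET_REQUEST_CIPHER_SUITE:
                    return this._cipherSuite;
                case JAVAX_SERVLET_REQUEST_KEY_SIZE:
                    return this._keySize;
                case JAVAX_SERVLET_REQUEST_SSL_SESSION_ID:
                    return this._sessionId;
                default:
                    if (!StringUtil.isEmpty(this._sessionAttribute) && this._sessionAttribute.equals(str)) {
                        return this._session;
                    }
                    return this._attributes.getAttribute(str);
            }
        }

        /**
         * Returns the per-session data cached on the {@link SSLSession}, computing and storing it
         * on first use so later requests on the same session reuse it.
         */
        private SslSessionData getSslSessionData() {
            String name = SslSessionData.class.getName();
            SslSessionData sslSessionData = (SslSessionData) this._session.getValue(name);
            if (sslSessionData == null) {
                int deduceKeyLength = SslContextFactory.deduceKeyLength(this._session.getCipherSuite());
                X509Certificate[] chain = SecureRequestCustomizer.this.getCertChain(this._request.getHttpChannel().getConnector(), this._session);
                sslSessionData = new SslSessionData(Integer.valueOf(deduceKeyLength), chain, TypeUtil.toHexString(this._session.getId()));
                this._session.putValue(name, sslSessionData);
            }
            return sslSessionData;
        }

        /**
         * Returns the wrapped attribute names, with the TLS attribute names present only when
         * this view actually holds a value for them.
         *
         * @return a new mutable set of attribute names
         */
        @Override // alluxio.shaded.client.org.eclipse.jetty.util.Attributes.Wrapper, alluxio.shaded.client.org.eclipse.jetty.util.Attributes
        public Set<String> getAttributeNameSet() {
            Set<String> names = new HashSet<>(this._attributes.getAttributeNameSet());
            // Drop any same-named entries from the wrapped attributes: getAttribute never
            // consults the wrapped attributes for these names.
            names.remove(JAVAX_SERVLET_REQUEST_X_509_CERTIFICATE);
            names.remove(JAVAX_SERVLET_REQUEST_CIPHER_SUITE);
            names.remove(JAVAX_SERVLET_REQUEST_KEY_SIZE);
            names.remove(JAVAX_SERVLET_REQUEST_SSL_SESSION_ID);
            if (this._certs != null) {
                names.add(JAVAX_SERVLET_REQUEST_X_509_CERTIFICATE);
            }
            if (this._cipherSuite != null) {
                names.add(JAVAX_SERVLET_REQUEST_CIPHER_SUITE);
            }
            if (this._keySize != null) {
                names.add(JAVAX_SERVLET_REQUEST_KEY_SIZE);
            }
            if (this._sessionId != null) {
                names.add(JAVAX_SERVLET_REQUEST_SSL_SESSION_ID);
            }
            if (!StringUtil.isEmpty(this._sessionAttribute)) {
                names.add(this._sessionAttribute);
            }
            return names;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:alluxio/shaded/client/org/eclipse/jetty/server/SecureRequestCustomizer$SslSessionData.class */
    /** Immutable holder for the values cached once per TLS session. */
    public static class SslSessionData {
        private final Integer _keySize;
        // Stored and returned without copying; treat as read-only.
        private final X509Certificate[] _certs;
        private final String _idStr;

        private SslSessionData(Integer num, X509Certificate[] x509CertificateArr, String str) {
            this._keySize = num;
            this._certs = x509CertificateArr;
            this._idStr = str;
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** @return the key size deduced from the cipher suite */
        public Integer getKeySize() {
            return this._keySize;
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** @return the certificate chain held for the session (the stored array, not a copy) */
        public X509Certificate[] getCerts() {
            return this._certs;
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** @return the TLS session id as a hex string */
        public String getIdStr() {
            return this._idStr;
        }
    }

    /** Creates a customizer with the SNI host check enabled and no Strict-Transport-Security header. */
    public SecureRequestCustomizer() {
        this(true);
    }

    /**
     * Creates a customizer with no Strict-Transport-Security header.
     *
     * @param z whether the request's server name must match the SNI certificate
     */
    public SecureRequestCustomizer(@Name("sniHostCheck") boolean z) {
        this(z, -1L, false);
    }

    /**
     * Creates a customizer that does not require SNI.
     *
     * @param z whether the request's server name must match the SNI certificate
     * @param j Strict-Transport-Security max-age in seconds; negative disables the header
     * @param z2 whether the header carries {@code includeSubDomains}
     */
    public SecureRequestCustomizer(@Name("sniHostCheck") boolean z, @Name("stsMaxAgeSeconds") long j, @Name("stsIncludeSubdomains") boolean z2) {
        this(false, z, j, z2);
    }

    /**
     * Creates a fully configured customizer.
     *
     * @param z whether a connection without a recorded SNI certificate is rejected
     * @param z2 whether the request's server name must match the SNI certificate
     * @param j Strict-Transport-Security max-age in seconds; negative disables the header
     * @param z3 whether the header carries {@code includeSubDomains}
     */
    public SecureRequestCustomizer(@Name("sniRequired") boolean z, @Name("sniHostCheck") boolean z2, @Name("stsMaxAgeSeconds") long j, @Name("stsIncludeSubdomains") boolean z3) {
        this.sslSessionAttribute = "alluxio.shaded.client.org.eclipse.jetty.servlet.request.ssl_session";
        this._sniRequired = z;
        this._sniHostCheck = z2;
        this._stsMaxAge = j;
        this._stsIncludeSubDomains = z3;
        formatSTS();
    }

    /** @return whether the request's server name is checked against the SNI certificate */
    public boolean isSniHostCheck() {
        return this._sniHostCheck;
    }

    /** @param z whether the request's server name must match the SNI certificate */
    public void setSniHostCheck(boolean z) {
        this._sniHostCheck = z;
    }

    /** @return whether a connection without a recorded SNI certificate is rejected */
    public boolean isSniRequired() {
        return this._sniRequired;
    }

    /** @param z whether a connection without a recorded SNI certificate is rejected */
    public void setSniRequired(boolean z) {
        this._sniRequired = z;
    }

    /** @return the Strict-Transport-Security max-age in seconds; negative means disabled */
    public long getStsMaxAge() {
        return this._stsMaxAge;
    }

    /** @param j the Strict-Transport-Security max-age in seconds; negative disables the header */
    public void setStsMaxAge(long j) {
        this._stsMaxAge = j;
        formatSTS();
    }

    /**
     * Sets the Strict-Transport-Security max-age from a duration, converted to seconds.
     *
     * @param j the duration
     * @param timeUnit the unit of {@code j}
     */
    public void setStsMaxAge(long j, TimeUnit timeUnit) {
        this._stsMaxAge = timeUnit.toSeconds(j);
        formatSTS();
    }

    /** @return whether the Strict-Transport-Security header carries {@code includeSubDomains} */
    public boolean isStsIncludeSubDomains() {
        return this._stsIncludeSubDomains;
    }

    /** @param z whether the Strict-Transport-Security header carries {@code includeSubDomains} */
    public void setStsIncludeSubDomains(boolean z) {
        this._stsIncludeSubDomains = z;
        formatSTS();
    }

    /** Rebuilds the cached Strict-Transport-Security field from the current settings. */
    private void formatSTS() {
        if (this._stsMaxAge < 0) {
            this._stsField = null;
            return;
        }
        // Plain concatenation instead of String.format: %d formats with the default locale,
        // and a header value must not depend on it.
        String value = "max-age=" + this._stsMaxAge + (this._stsIncludeSubDomains ? "; includeSubDomains" : "");
        this._stsField = new PreEncodedHttpField(HttpHeader.STRICT_TRANSPORT_SECURITY, value);
    }

    /**
     * Applies the TLS customization to a request based on the endpoint that carried it.
     *
     * <p>For a decrypted TLS endpoint the SNI checks run and the TLS attributes are installed.
     * For a proxy endpoint the scheme is set to https only when the endpoint carries a TLS
     * version attribute. In both cases an existing URI scheme is left untouched.
     *
     * @param connector the connector that accepted the connection
     * @param httpConfiguration the HTTP configuration in effect
     * @param request the request to customize
     */
    @Override // alluxio.shaded.client.org.eclipse.jetty.server.HttpConfiguration.Customizer
    public void customize(Connector connector, HttpConfiguration httpConfiguration, Request request) {
        EndPoint endPoint = request.getHttpChannel().getEndPoint();
        if (endPoint instanceof SslConnection.DecryptedEndPoint) {
            SSLEngine sslEngine = ((SslConnection.DecryptedEndPoint) endPoint).getSslConnection().getSSLEngine();
            customize(sslEngine, request);
            if (request.getHttpURI().getScheme() == null) {
                request.setScheme(HttpScheme.HTTPS.asString());
            }
        } else if (endPoint instanceof ProxyConnectionFactory.ProxyEndPoint) {
            ProxyConnectionFactory.ProxyEndPoint proxyEndPoint = (ProxyConnectionFactory.ProxyEndPoint) endPoint;
            // NOTE(review): the TLS_VERSION attribute is presumably supplied by the upstream
            // proxy; this path trusts it without any local TLS evidence — confirm that only
            // trusted proxies can reach this connector.
            if (request.getHttpURI().getScheme() == null && proxyEndPoint.getAttribute(ProxyConnectionFactory.TLS_VERSION) != null) {
                request.setScheme(HttpScheme.HTTPS.asString());
            }
        }
        if (HttpScheme.HTTPS.is(request.getScheme())) {
            customizeSecure(request);
        }
    }

    /**
     * Marks the request as secure and, when configured, adds the Strict-Transport-Security
     * header to its response.
     *
     * @param request the request whose scheme is https
     */
    protected void customizeSecure(Request request) {
        request.setSecure(true);
        if (this._stsField != null) {
            request.getResponse().getHttpFields().add(this._stsField);
        }
    }

    /**
     * Runs the SNI checks for a TLS connection and installs the TLS attribute view on the request.
     *
     * <p>When no SNI certificate was recorded on the session and SNI is not required, the host
     * check is skipped even if it is enabled; enable {@code sniRequired} as well to reject such
     * connections.
     *
     * @param sSLEngine the engine of the TLS connection
     * @param request the request to customize
     * @throws BadMessageException with status 400 when SNI is required but absent, or when the
     *     request's server name does not match the SNI certificate
     */
    protected void customize(SSLEngine sSLEngine, Request request) {
        SSLSession session = sSLEngine.getSession();
        if (this._sniHostCheck || this._sniRequired) {
            X509 x509 = (X509) session.getValue(SniX509ExtendedKeyManager.SNI_X509);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Host {} with SNI {}", request.getServerName(), x509);
            }
            if (x509 == null) {
                if (this._sniRequired) {
                    throw new BadMessageException(400, "SNI required");
                }
            } else if (this._sniHostCheck && !x509.matches(request.getServerName())) {
                throw new BadMessageException(400, "Host does not match SNI");
            }
        }
        request.setAttributes(new SslAttributes(request, session, request.getAttributes()));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Resolves the certificate chain for a TLS session, preferring the connector's own
     * {@link SslContextFactory} and falling back to the static lookup when the connector has no
     * {@link SslConnectionFactory} or that factory has no context factory.
     *
     * @param connector the connector that accepted the connection
     * @param sSLSession the TLS session
     * @return the chain as returned by the chosen lookup
     */
    public X509Certificate[] getCertChain(Connector connector, SSLSession sSLSession) {
        SslConnectionFactory sslConnectionFactory = (SslConnectionFactory) connector.getConnectionFactory(SslConnectionFactory.class);
        if (sslConnectionFactory != null) {
            SslContextFactory sslContextFactory = sslConnectionFactory.getSslContextFactory();
            if (sslContextFactory != null) {
                return sslContextFactory.getX509CertChain(sSLSession);
            }
        }
        return SslContextFactory.getCertChain(sSLSession);
    }

    /**
     * Sets the request attribute name that returns the {@link SSLSession} itself.
     *
     * @param str the attribute name; empty or {@code null} disables the attribute
     */
    public void setSslSessionAttribute(String str) {
        this.sslSessionAttribute = str;
    }

    /** @return the request attribute name that returns the {@link SSLSession} itself */
    public String getSslSessionAttribute() {
        return this.sslSessionAttribute;
    }

    /** @return the simple class name followed by {@code @} and the hash code in hex */
    @Override
    public String toString() {
        return String.format("%s@%x", getClass().getSimpleName(), Integer.valueOf(hashCode()));
    }
}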
