package org.eclipse.ditto.services.gateway.endpoints.directives;

import akka.http.javadsl.model.StatusCodes;
import akka.http.javadsl.model.Uri;
import akka.http.javadsl.server.Directives;
import akka.http.javadsl.server.RequestContext;
import akka.http.javadsl.server.Route;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Supplier;
import javax.annotation.Nullable;
import org.eclipse.ditto.model.base.common.ConditionChecker;
import org.eclipse.ditto.services.gateway.util.config.endpoints.HttpConfig;
import org.eclipse.ditto.services.utils.akka.logging.DittoLoggerFactory;
import org.eclipse.ditto.services.utils.akka.logging.ThreadSafeDittoLogger;
import org.slf4j.Logger;

/* loaded from: input_file:org/eclipse/ditto/services/gateway/endpoints/directives/HttpsEnsuringDirective.class */
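/**
 * Route directive that lets a request through to the inner route only when it was forwarded as HTTPS.
 *
 * <p>The decision is made solely from the forwarded-protocol request headers ({@code X-Forwarded-Proto},
 * falling back to {@code x_forwarded_proto}); the scheme of the request URI itself is never consulted.
 *
 * <p>NOTE(review): because only request headers are inspected, the check is meaningful only if a trusted
 * proxy or load balancer in front of this service sets or overwrites both headers on every request.
 * Nothing in this class verifies where the header came from, so confirm that direct client access to
 * this endpoint is not possible and that client-supplied copies of these headers are stripped upstream.
 */
public final class HttpsEnsuringDirective {
    /** Lower-case, underscore-separated header variant; read only when the standard header is absent or empty. */
    public static final String X_FORWARDED_PROTO_LBAAS = "x_forwarded_proto";
    private static final String X_FORWARDED_PROTO_STANDARD = "X-Forwarded-Proto";
    private static final String HTTPS_PROTO = "https";
    private static final String HTTPS_TEXT = "Connection via plain HTTP not supported, please connect via HTTPS instead";
    // Ensures the "HTTPS not enforced" warning is emitted once per JVM instead of once per request.
    private static final AtomicBoolean FORCE_HTTPS_DISABLED_ALREADY_LOGGED = new AtomicBoolean(false);
    private static final ThreadSafeDittoLogger LOGGER = DittoLoggerFactory.getThreadSafeLogger(HttpsEnsuringDirective.class);
    private final HttpConfig httpConfig;

    private HttpsEnsuringDirective(HttpConfig httpConfig) {
        this.httpConfig = ConditionChecker.checkNotNull(httpConfig, "HTTP config");
    }

    /**
     * Creates a directive backed by the given configuration.
     *
     * @param httpConfig supplies the force-HTTPS flag, the redirect flag and the redirect blocklist pattern;
     * checked for {@code null} via {@code ConditionChecker.checkNotNull}.
     * @return a new directive instance.
     */
    public static HttpsEnsuringDirective getInstance(HttpConfig httpConfig) {
        return new HttpsEnsuringDirective(httpConfig);
    }

    /**
     * Wraps the supplied route so that it is only evaluated for requests whose forwarded protocol is
     * {@code https} (compared case-insensitively).
     *
     * <p>When {@code isForceHttps()} is {@code false} the inner route is always evaluated and a single
     * warning is logged the first time this happens. Otherwise a request without an {@code https}
     * forwarded protocol is either redirected or rejected, see {@code handleNonHttpsRequest}.
     *
     * @param charSequence correlation ID attached to log statements; may be {@code null}, in which case
     * the plain class logger is used.
     * @param supplier provides the inner route; invoked only when the request is let through.
     * @return the resulting route.
     */
    public Route ensureHttps(CharSequence charSequence, Supplier<Route> supplier) {
        final ThreadSafeDittoLogger logger = null != charSequence ? LOGGER.withCorrelationId(charSequence) : LOGGER;
        return Directives.extractActorSystem(actorSystem -> Directives.extractRequestContext(requestContext -> {
            if (!this.httpConfig.isForceHttps()) {
                // Security-relevant configuration state: make it visible in the log, but only once.
                if (FORCE_HTTPS_DISABLED_ALREADY_LOGGED.compareAndSet(false, true)) {
                    logger.warn("No HTTPS is enforced!");
                }
                return supplier.get();
            }
            final Uri requestUri = requestContext.getRequest().getUri();
            final String forwardedProto = getForwardedProtoHeaderOrNull(requestUri, requestContext, logger);
            if (HTTPS_PROTO.equalsIgnoreCase(forwardedProto)) {
                return supplier.get();
            }
            // A missing, empty or non-https header value is treated as plain HTTP.
            return handleNonHttpsRequest(requestUri, logger);
        }));
    }

    /**
     * Reads the forwarded protocol from the request, preferring the standard header over the LBaaS variant.
     *
     * <p>The debug statement names the header that actually supplied the value, so the log shows which
     * of the two headers the decision was based on.
     *
     * @return the first non-empty header value, or {@code null} if neither header carries one.
     */
    @Nullable
    private static String getForwardedProtoHeaderOrNull(Uri uri, RequestContext requestContext, Logger logger) {
        String sourceHeader = X_FORWARDED_PROTO_STANDARD;
        String forwardedProto = nonEmptyHeaderValueOrNull(requestContext, sourceHeader);
        if (null == forwardedProto) {
            sourceHeader = X_FORWARDED_PROTO_LBAAS;
            forwardedProto = nonEmptyHeaderValueOrNull(requestContext, sourceHeader);
        }
        if (null != forwardedProto) {
            logger.debug("Header <{}> was <{}> for URI <{}>.", sourceHeader, forwardedProto, uri);
        } else {
            logger.debug("Neither header <{}> nor <{}> set for URI <{}>.", X_FORWARDED_PROTO_STANDARD,
                    X_FORWARDED_PROTO_LBAAS, uri);
        }
        return forwardedProto;
    }

    /** Returns the value of the named request header, or {@code null} if it is absent or empty. */
    @Nullable
    private static String nonEmptyHeaderValueOrNull(RequestContext requestContext, String headerName) {
        return requestContext.getRequest()
                .getHeader(headerName)
                .map(header -> header.value())
                .filter(value -> !value.isEmpty())
                .orElse(null);
    }

    /**
     * Decides between redirecting and rejecting a request that was not forwarded as HTTPS.
     *
     * <p>A redirect is issued only when redirects are enabled and the request path does not match the
     * configured blocklist pattern; every other case is rejected.
     */
    private Route handleNonHttpsRequest(Uri uri, Logger logger) {
        final boolean redirectAllowed = this.httpConfig.isRedirectToHttps() && !isBlocked(uri.getPathString());
        if (redirectAllowed) {
            return redirectToHttps(uri, logger);
        }
        return disallowRequest(uri, logger);
    }

    /** Tells whether the whole path matches the configured redirect blocklist pattern. */
    private boolean isBlocked(CharSequence charSequence) {
        return this.httpConfig.getRedirectToHttpsBlocklistPattern().matcher(charSequence).matches();
    }

    /**
     * Answers with a permanent redirect to the same URI with its scheme replaced by {@code https}.
     *
     * <p>NOTE(review): everything but the scheme of the redirect target is taken over from the request
     * URI unchanged; confirm that the authority part is constrained upstream.
     */
    private static Route redirectToHttps(Uri uri, Logger logger) {
        final Uri httpsUri = uri.scheme(HTTPS_PROTO);
        logger.debug("Redirecting URI <{}> to <{}>.", uri, httpsUri);
        return Directives.redirect(httpsUri, StatusCodes.MOVED_PERMANENTLY);
    }

    /** Rejects the request with status 404 and a text body asking the client to use HTTPS. */
    private static Route disallowRequest(Uri uri, Logger logger) {
        logger.info("REST request on URI <{}> did not originate via HTTPS, sending back <{}>.", uri, StatusCodes.NOT_FOUND);
        return Directives.complete(StatusCodes.NOT_FOUND, HTTPS_TEXT);
    }
}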
