package org.eclipse.ditto.services.gateway.endpoints.directives;

import akka.http.javadsl.model.StatusCodes;
import akka.http.javadsl.model.Uri;
import akka.http.javadsl.server.Directives;
import akka.http.javadsl.server.RequestContext;
import akka.http.javadsl.server.Route;
import com.typesafe.config.Config;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Supplier;
import java.util.regex.Pattern;
import org.eclipse.ditto.services.gateway.endpoints.utils.DirectivesLoggingUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/ditto/services/gateway/endpoints/directives/HttpsEnsuringDirective.class */
/**
 * Route directive that only lets a request reach the wrapped route when it was forwarded as HTTPS.
 *
 * <p>The protocol is read from the {@code X-Forwarded-Proto} request header, falling back to
 * {@code x_forwarded_proto} when the first one is absent or empty. Behaviour is driven by three settings read
 * from the actor system configuration on every request:
 * <ul>
 *   <li>{@code ditto.gateway.forcehttps}: when {@code false} the wrapped route is always used;</li>
 *   <li>{@code ditto.gateway.redirect-to-https}: when {@code true} non-HTTPS requests are redirected to the
 *       same URI with the {@code https} scheme, otherwise they are answered with 404;</li>
 *   <li>{@code ditto.gateway.redirect-to-https-blacklist-pattern}: regular expression; requests whose path
 *       matches it entirely are answered with 404 instead of being redirected.</li>
 * </ul>
 *
 * <p>NOTE(review): both headers are taken from the incoming request as they arrive, so the decision is only as
 * trustworthy as whatever sets them. This presumably expects a TLS-terminating proxy in front of the gateway
 * that overwrites any client-supplied value; confirm this for the deployment.
 */
public final class HttpsEnsuringDirective {

    /** Alternative header name consulted when {@code X-Forwarded-Proto} is missing or empty. */
    public static final String X_FORWARDED_PROTO_LBAAS = "x_forwarded_proto";

    private static final String X_FORWARDED_PROTO_STANDARD = "X-Forwarded-Proto";
    private static final String HTTPS_PROTO = "https";
    private static final String HTTPS_TEXT = "Connection via plain HTTP not supported, please connect via HTTPS instead";
    private static final Logger LOGGER = LoggerFactory.getLogger(HttpsEnsuringDirective.class);

    /** Flipped to {@code true} by the first request that finds enforcement off, so the warning is logged once. */
    private static final AtomicBoolean FORCE_HTTPS_DISABLED_ALREADY_LOGGED = new AtomicBoolean(false);

    private HttpsEnsuringDirective() {
        // static utility, not meant to be instantiated
    }

    /**
     * Wraps a route so that it is only evaluated for requests that were forwarded as HTTPS.
     *
     * @param str the correlation id handed to {@code DirectivesLoggingUtils.enhanceLogWithCorrelationId}
     * @param supplier supplies the wrapped route; invoked only when the request is let through
     * @return the wrapped route, a redirect to the HTTPS variant of the request URI, or a 404 response
     */
    public static Route ensureHttps(String str, Supplier<Route> supplier) {
        return Directives.extractActorSystem(actorSystem ->
                Directives.extractRequestContext(requestContext ->
                        (Route) DirectivesLoggingUtils.enhanceLogWithCorrelationId(str,
                                () -> routeFor(actorSystem.settings().config(), requestContext, supplier))));
    }

    /**
     * Decides, for a single request, between the wrapped route and the non-HTTPS handling.
     *
     * @param config the actor system configuration holding the {@code ditto.gateway.*} settings
     * @param requestContext the context of the request being routed
     * @param inner supplies the wrapped route
     * @return the route to apply to this request
     */
    private static Route routeFor(Config config, RequestContext requestContext, Supplier<Route> inner) {
        if (!config.getBoolean("ditto.gateway.forcehttps")) {
            // Enforcement is switched off: warn once per JVM, then pass every request through.
            if (FORCE_HTTPS_DISABLED_ALREADY_LOGGED.compareAndSet(false, true)) {
                LOGGER.warn("No HTTPS is enforced");
            }
            return inner.get();
        }

        boolean redirectEnabled = config.getBoolean("ditto.gateway.redirect-to-https");
        // Compiled on each request; an invalid expression in the configuration surfaces here.
        Pattern redirectBlacklist =
                Pattern.compile(config.getString("ditto.gateway.redirect-to-https-blacklist-pattern"));
        Uri requestUri = requestContext.getRequest().getUri();

        String forwardedProto = extractXForwardedProtoHeader(requestUri, requestContext).orElse(null);
        if (HTTPS_PROTO.equalsIgnoreCase(forwardedProto)) {
            return inner.get();
        }
        // A missing header, an empty header and any value other than "https" all end up here.
        return handleNonHttpsRequest(requestUri, redirectEnabled, redirectBlacklist);
    }

    /**
     * Looks up the forwarded protocol, preferring {@code X-Forwarded-Proto} over {@code x_forwarded_proto}.
     * The outcome is logged at debug level; the logged value is whatever the request carried.
     *
     * @param uri the request URI, used for logging only
     * @param requestContext the context of the request whose headers are inspected
     * @return the first non-empty header value, or an empty Optional when neither header has one
     */
    private static Optional<String> extractXForwardedProtoHeader(Uri uri, RequestContext requestContext) {
        Optional<String> standardValue = nonEmptyHeaderValue(requestContext, X_FORWARDED_PROTO_STANDARD);
        if (standardValue.isPresent()) {
            LOGGER.debug("Header {} was: '{}' for uri: {}", X_FORWARDED_PROTO_STANDARD, standardValue.get(), uri);
            return standardValue;
        }

        Optional<String> lbaasValue = nonEmptyHeaderValue(requestContext, X_FORWARDED_PROTO_LBAAS);
        if (lbaasValue.isPresent()) {
            LOGGER.debug("Header {} was: '{}' for uri: {}", X_FORWARDED_PROTO_LBAAS, lbaasValue.get(), uri);
        } else {
            LOGGER.debug("Missing header {} for uri: {}", "X-Forwarded-Proto or x_forwarded_proto", uri);
        }
        return lbaasValue;
    }

    /** Returns the value of the named request header, treating an empty value like a missing header. */
    private static Optional<String> nonEmptyHeaderValue(RequestContext requestContext, String headerName) {
        return requestContext.getRequest()
                .getHeader(headerName)
                .map(header -> header.value())
                .filter(value -> !value.isEmpty());
    }

    /**
     * Chooses the response for a request that was not forwarded as HTTPS.
     *
     * @param uri the request URI
     * @param z whether redirecting to HTTPS is enabled
     * @param pattern paths matching this pattern entirely are rejected rather than redirected
     * @return a 404 route when redirecting is disabled or the path matches, otherwise a redirect route
     */
    private static Route handleNonHttpsRequest(Uri uri, boolean z, Pattern pattern) {
        if (!z) {
            return disallowRequest(uri);
        }
        if (pattern.matcher(uri.getPathString()).matches()) {
            return disallowRequest(uri);
        }
        return redirectToHttps(uri);
    }

    /** Answers with a permanent redirect to the request URI with its scheme replaced by {@code https}. */
    private static Route redirectToHttps(Uri uri) {
        Uri httpsUri = uri.scheme(HTTPS_PROTO);
        LOGGER.debug("Redirecting uri '{}' to '{}'.", uri, httpsUri);
        return Directives.redirect(httpsUri, StatusCodes.MOVED_PERMANENTLY);
    }

    /** Answers with 404 and a text telling the client to connect via HTTPS; the request URI is logged at info. */
    private static Route disallowRequest(Uri uri) {
        LOGGER.info("REST request on uri '{}' did not originate via HTTPS, sending back '{}'", uri, StatusCodes.NOT_FOUND);
        return Directives.complete(StatusCodes.NOT_FOUND, HTTPS_TEXT);
    }
}
