package com.cloudera.oryx.lambda.serving;

import com.cloudera.oryx.common.io.IOUtils;
import com.cloudera.oryx.common.settings.ConfigUtils;
import com.google.common.base.Preconditions;
import com.typesafe.config.Config;
import java.io.Closeable;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.util.Objects;
import javax.security.auth.message.config.AuthConfigFactory;
import javax.servlet.MultipartConfigElement;
import org.apache.catalina.Context;
import org.apache.catalina.Engine;
import org.apache.catalina.Host;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Server;
import org.apache.catalina.Wrapper;
import org.apache.catalina.authenticator.DigestAuthenticator;
import org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.core.JreMemoryLeakPreventionListener;
import org.apache.catalina.core.ThreadLocalLeakPreventionListener;
import org.apache.catalina.startup.Tomcat;
import org.apache.coyote.http11.Http11Nio2Protocol;
import org.apache.coyote.http2.Http2Protocol;
import org.apache.tomcat.util.descriptor.web.ErrorPage;
import org.apache.tomcat.util.descriptor.web.LoginConfig;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/cloudera/oryx/lambda/serving/ServingLayer.class */
public final class ServingLayer implements Closeable {
    private static final Logger log = LoggerFactory.getLogger(ServingLayer.class);
    private static final int[] ERROR_PAGE_STATUSES = {400, 401, 404, 405, 500, 503};
    private final Config config;
    private final String id;
    private final int port;
    private final int securePort;
    private final String userName;
    private final String password;
    private final Path keystoreFile;
    private final String keystorePassword;
    private final String keyAlias;
    private final String contextPathURIBase;
    private final String appResourcesPackages;
    private final boolean doNotInitTopics;
    private Tomcat tomcat;
    private Context context;
    private Path noSuchBaseDir;

    public ServingLayer(Config config) {
        Objects.requireNonNull(config);
        log.info("Configuration:\n{}", ConfigUtils.prettyPrint(config));
        this.config = config;
        this.id = ConfigUtils.getOptionalString(config, "oryx.id");
        this.port = config.getInt("oryx.serving.api.port");
        this.securePort = config.getInt("oryx.serving.api.secure-port");
        this.userName = ConfigUtils.getOptionalString(config, "oryx.serving.api.user-name");
        this.password = ConfigUtils.getOptionalString(config, "oryx.serving.api.password");
        String optionalString = ConfigUtils.getOptionalString(config, "oryx.serving.api.keystore-file");
        this.keystoreFile = optionalString == null ? null : Paths.get(optionalString, new String[0]);
        this.keystorePassword = ConfigUtils.getOptionalString(config, "oryx.serving.api.keystore-password");
        this.keyAlias = ConfigUtils.getOptionalString(config, "oryx.serving.api.key-alias");
        String string = config.getString("oryx.serving.api.context-path");
        this.contextPathURIBase = (string == null || string.isEmpty() || "/".equals(string)) ? "" : string;
        this.appResourcesPackages = config.getString("oryx.serving.application-resources") + ",com.cloudera.oryx.lambda.serving";
        this.doNotInitTopics = config.getBoolean("oryx.serving.no-init-topics");
    }

    public synchronized void start() throws IOException {
        if (this.id != null) {
            log.info("Starting Serving Layer {}", this.id);
        }
        Preconditions.checkState(this.tomcat == null);
        System.setProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "true");
        this.noSuchBaseDir = Files.createTempDirectory("Oryx", new FileAttribute[0]);
        this.noSuchBaseDir.toFile().deleteOnExit();
        Tomcat tomcat = new Tomcat();
        configureTomcat(tomcat, makeConnector());
        configureEngine(tomcat.getEngine());
        configureServer(tomcat.getServer());
        configureHost(tomcat.getHost());
        makeContext(tomcat, this.noSuchBaseDir);
        try {
            tomcat.start();
            this.tomcat = tomcat;
        } catch (LifecycleException e) {
            throw new IOException((Throwable) e);
        }
    }

    public void await() {
        Server server;
        synchronized (this) {
            server = this.tomcat.getServer();
        }
        server.await();
    }

    public Context getContext() {
        return this.context;
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public synchronized void close() throws IOException {
        try {
        } catch (LifecycleException e) {
            log.warn("Unexpected error while stopping", e);
        } finally {
            this.tomcat = null;
        }
        if (this.tomcat != null) {
            this.tomcat.stop();
            this.tomcat.destroy();
            IOUtils.deleteRecursively(this.noSuchBaseDir);
        }
    }

    private void configureTomcat(Tomcat tomcat, Connector connector) {
        tomcat.setBaseDir(this.noSuchBaseDir.toAbsolutePath().toString());
        tomcat.setConnector(connector);
    }

    private void configureEngine(Engine engine) {
        if (this.userName == null || this.password == null) {
            return;
        }
        InMemoryRealm inMemoryRealm = new InMemoryRealm();
        inMemoryRealm.addUser(this.userName, this.password);
        engine.setRealm(inMemoryRealm);
    }

    private static void configureServer(Server server) {
        server.addLifecycleListener(new JreMemoryLeakPreventionListener());
        server.addLifecycleListener(new ThreadLocalLeakPreventionListener());
    }

    private static void configureHost(Host host) {
        host.setAutoDeploy(false);
    }

    private Connector makeConnector() {
        Connector connector = new Connector(Http11Nio2Protocol.class.getName());
        if (this.keystoreFile == null) {
            connector.setPort(this.port);
            connector.setSecure(false);
            connector.setScheme("http");
        } else {
            connector.setPort(this.securePort);
            connector.setSecure(true);
            connector.setScheme("https");
            connector.setAttribute("SSLEnabled", "true");
            SSLHostConfig sSLHostConfig = new SSLHostConfig();
            SSLHostConfigCertificate sSLHostConfigCertificate = new SSLHostConfigCertificate(sSLHostConfig, SSLHostConfigCertificate.Type.RSA);
            sSLHostConfigCertificate.setCertificateKeystoreFile(this.keystoreFile.toAbsolutePath().toString());
            sSLHostConfigCertificate.setCertificateKeystorePassword(this.keystorePassword);
            sSLHostConfigCertificate.setCertificateKeyAlias(this.keyAlias);
            sSLHostConfig.addCertificate(sSLHostConfigCertificate);
            connector.addSslHostConfig(sSLHostConfig);
        }
        connector.addUpgradeProtocol(new Http2Protocol());
        connector.setXpoweredBy(false);
        connector.setAttribute("maxThreads", 400);
        connector.setAttribute("acceptCount", 50);
        connector.setAttribute("maxKeepAliveRequests", 100);
        connector.setAttribute("socket.soReuseAddress", true);
        connector.setMaxPostSize(0);
        connector.setAttribute("disableUploadTimeout", false);
        connector.setAttribute("maxHttpHeaderSize", 65536);
        connector.setAttribute("compression", "on");
        connector.setAttribute("compressableMimeType", "text/html,text/xml,text/plain,text/css,text/csv,application/json");
        return connector;
    }

    private void makeContext(Tomcat tomcat, Path path) throws IOException {
        Path resolve = path.resolve("context");
        Files.createDirectories(resolve, new FileAttribute[0]);
        this.context = tomcat.addContext(this.contextPathURIBase, resolve.toAbsolutePath().toString());
        this.context.setWebappVersion("3.1");
        this.context.setName("Oryx");
        this.context.addWelcomeFile("index.html");
        addErrorPages(this.context);
        this.context.addParameter(OryxApplication.class.getName() + ".packages", this.appResourcesPackages);
        this.context.addParameter(ConfigUtils.class.getName() + ".serialized", ConfigUtils.serialize(this.config));
        Wrapper addServlet = Tomcat.addServlet(this.context, "Jersey", "org.glassfish.jersey.servlet.ServletContainer");
        addServlet.addInitParameter("javax.ws.rs.Application", OryxApplication.class.getName());
        addServlet.addMapping("/*");
        addServlet.setLoadOnStartup(1);
        addServlet.setMultipartConfigElement(new MultipartConfigElement(""));
        if (!this.doNotInitTopics) {
            this.context.addApplicationListener(ModelManagerListener.class.getName());
        }
        AuthConfigFactory.setFactory(new AuthConfigFactoryImpl());
        boolean z = this.keystoreFile != null;
        boolean z2 = this.userName != null;
        if (z || z2) {
            SecurityCollection securityCollection = new SecurityCollection();
            securityCollection.addPattern("/*");
            SecurityConstraint securityConstraint = new SecurityConstraint();
            securityConstraint.addCollection(securityCollection);
            if (z) {
                securityConstraint.setUserConstraint("CONFIDENTIAL");
            }
            if (z2) {
                LoginConfig loginConfig = new LoginConfig();
                loginConfig.setAuthMethod("DIGEST");
                loginConfig.setRealmName("Oryx");
                this.context.setLoginConfig(loginConfig);
                securityConstraint.addAuthRole("oryx-user");
                this.context.addSecurityRole("oryx-user");
                DigestAuthenticator digestAuthenticator = new DigestAuthenticator();
                digestAuthenticator.setNonceValidity(10000L);
                digestAuthenticator.setNonceCacheSize(20000);
                this.context.getPipeline().addValve(digestAuthenticator);
            }
            this.context.addConstraint(securityConstraint);
        }
        this.context.setCookies(false);
    }

    private static void addErrorPages(Context context) {
        for (int i : ERROR_PAGE_STATUSES) {
            ErrorPage errorPage = new ErrorPage();
            errorPage.setErrorCode(i);
            errorPage.setLocation("/error");
            context.addErrorPage(errorPage);
        }
        ErrorPage errorPage2 = new ErrorPage();
        errorPage2.setExceptionType(Throwable.class.getName());
        errorPage2.setLocation("/error");
        context.addErrorPage(errorPage2);
    }
}
