package io.cloudsoft.amp.networking;

import com.google.common.base.Function;
import com.google.common.base.Optional;
import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import com.google.common.collect.HashMultiset;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Multiset;
import com.google.common.reflect.TypeToken;
import io.cloudsoft.amp.networking.entity.NetworkSecurityVisualizer;
import io.cloudsoft.amp.networking.task.SecurityGroupDeleter;
import io.cloudsoft.amp.networking.utils.Utils;
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nullable;
import org.apache.brooklyn.api.entity.Application;
import org.apache.brooklyn.api.entity.Entity;
import org.apache.brooklyn.api.location.PortRange;
import org.apache.brooklyn.api.mgmt.Task;
import org.apache.brooklyn.api.sensor.AttributeSensor;
import org.apache.brooklyn.config.ConfigKey;
import org.apache.brooklyn.core.config.ConfigKeys;
import org.apache.brooklyn.core.entity.Entities;
import org.apache.brooklyn.core.location.Locations;
import org.apache.brooklyn.core.location.Machines;
import org.apache.brooklyn.core.mgmt.BrooklynTaskTags;
import org.apache.brooklyn.core.sensor.Sensors;
import org.apache.brooklyn.location.jclouds.BasicJcloudsLocationCustomizer;
import org.apache.brooklyn.location.jclouds.JcloudsLocation;
import org.apache.brooklyn.location.jclouds.JcloudsMachineLocation;
import org.apache.brooklyn.location.jclouds.networking.SecurityGroupEditor;
import org.apache.brooklyn.test.Asserts;
import org.apache.brooklyn.util.collections.MutableList;
import org.apache.brooklyn.util.collections.MutableSet;
import org.apache.brooklyn.util.core.config.ConfigBag;
import org.apache.brooklyn.util.core.flags.TypeCoercions;
import org.apache.brooklyn.util.core.task.DynamicTasks;
import org.apache.brooklyn.util.core.task.TaskTags;
import org.apache.brooklyn.util.core.task.Tasks;
import org.apache.brooklyn.util.exceptions.Exceptions;
import org.apache.brooklyn.util.guava.Maybe;
import org.apache.brooklyn.util.net.Cidr;
import org.jclouds.compute.ComputeService;
import org.jclouds.compute.domain.SecurityGroup;
import org.jclouds.compute.domain.Template;
import org.jclouds.compute.extensions.SecurityGroupExtension;
import org.jclouds.domain.Location;
import org.jclouds.net.domain.IpPermission;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/cloudsoft/amp/networking/NetworkSecurityCustomizer.class */
public class NetworkSecurityCustomizer extends BasicJcloudsLocationCustomizer {
    private static final Logger LOG = LoggerFactory.getLogger(NetworkSecurityCustomizer.class);
    private static final Supplier<Cidr> LOCALHOST_ADDRESS_SUPPLIER = Suppliers.memoize(new Utils.LocalhostExternalIpCidrSupplier());
    public static final ConfigKey<Collection<String>> NETWORKS = ConfigKeys.newConfigKey(new TypeToken<Collection<String>>() { // from class: io.cloudsoft.amp.networking.NetworkSecurityCustomizer.1
    }, "networks", "A list of network groups to attach the entity to");
    public static final ConfigKey<Collection<? extends Map<String, ?>>> NETWORKS_INGRESS = ConfigKeys.newConfigKey(new TypeToken<Collection<? extends Map<String, ?>>>() { // from class: io.cloudsoft.amp.networking.NetworkSecurityCustomizer.2
    }, "networks-ingress", "A list of network groups to define the access permitted to this entity");
    public static final ConfigKey<Boolean> RESTRICT_MANAGEMENT_CIDR = ConfigKeys.newBooleanConfigKey("restrict.management", "Controls whether access for management will be restricted to AMP (default 'true')", Boolean.TRUE);
    public static final String ENFORCEMENT_DESCRIPTIONS = "'" + Enforcement.DISABLED.toString().toLowerCase() + "' (disable entirely, for clouds where not supported), '" + Enforcement.OPTIONAL.toString().toLowerCase() + "' (apply security on supported clouds, silently do nothing otherwise), '" + Enforcement.MANDATORY.toString().toLowerCase() + "' (always apply security, fail if cloud does not support it)";
    public static final ConfigKey<Enforcement> ENFORCEMENT = ConfigKeys.newConfigKey(Enforcement.class, "enforcement", "Enforcement policy for the customizer, one of " + ENFORCEMENT_DESCRIPTIONS, Enforcement.MANDATORY);
    public static final AttributeSensor<Set<String>> ENTITY_NETWORKS = Sensors.newSensor(new TypeToken<Set<String>>() { // from class: io.cloudsoft.amp.networking.NetworkSecurityCustomizer.3
    }, "network.security", "networks this entity belongs to");
    public static final AttributeSensor<Set<String>> INGRESS_NETWORKS = Sensors.newSensor(new TypeToken<Set<String>>() { // from class: io.cloudsoft.amp.networking.NetworkSecurityCustomizer.4
    }, "network.security.ingress", "networks this entity has granted some ingress to");
    public static final AttributeSensor<Multiset<String>> APPLICATION_NETWORKS = Sensors.newSensor(new TypeToken<Multiset<String>>() { // from class: io.cloudsoft.amp.networking.NetworkSecurityCustomizer.5
    }, "network.security.application", "network security groups in the application, each one mapped to a reference count of entities in that network");
    public static final AttributeSensor<Location> DOMAIN_LOCATION = Sensors.newSensor(Location.class, "domain.location", "The jclouds domain location where security is applied");
    private Enforcement enforcement;
    private boolean restrictManagement;

    /* loaded from: input_file:io/cloudsoft/amp/networking/NetworkSecurityCustomizer$Enforcement.class */
    public enum Enforcement {
        DISABLED,
        OPTIONAL,
        MANDATORY
    }

    public NetworkSecurityCustomizer(ConfigBag configBag) {
        super(configBag);
        this.enforcement = Enforcement.MANDATORY;
        this.enforcement = getEnforcementPolicy(configBag);
        this.restrictManagement = ((Boolean) configBag.get(RESTRICT_MANAGEMENT_CIDR)).booleanValue();
    }

    private Enforcement getEnforcementPolicy(ConfigBag configBag) {
        return (Enforcement) configBag.get(ENFORCEMENT);
    }

    public NetworkSecurityCustomizer() {
        this.enforcement = Enforcement.MANDATORY;
    }

    public void setEnforcement(Enforcement enforcement) {
        this.enforcement = enforcement;
    }

    public void customize(JcloudsLocation jcloudsLocation, ComputeService computeService, Template template) {
        if (this.enforcement == Enforcement.DISABLED) {
            return;
        }
        Optional<SecurityGroupExtension> securityGroupExtension = computeService.getSecurityGroupExtension();
        if (enforcementPolicyUnsatisfied(jcloudsLocation, securityGroupExtension)) {
            return;
        }
        super.customize(jcloudsLocation, computeService, template);
        Tasks.setBlockingDetails("Initializing network accessibility");
        try {
            addSecurityGroups(template, (SecurityGroupExtension) securityGroupExtension.get());
        } finally {
            Tasks.resetBlockingDetails();
        }
    }

    private boolean enforcementPolicyUnsatisfied(JcloudsLocation jcloudsLocation, Optional<SecurityGroupExtension> optional) {
        if (optional.isPresent()) {
            return false;
        }
        if (this.enforcement == Enforcement.MANDATORY) {
            throw Exceptions.create("Security customizations are mandatory but not supported on this cloud", ImmutableList.of());
        }
        LOG.warn("Unable to manage security groups, no extension found in {}", jcloudsLocation);
        return true;
    }

    protected void addSecurityGroups(Template template, SecurityGroupExtension securityGroupExtension) {
        Entity contextEntity = getContextEntity();
        Asserts.assertNotNull(contextEntity, "No context entity found, cannot proceed");
        Location location = template.getLocation();
        contextEntity.sensors().set(DOMAIN_LOCATION, location);
        template.getOptions().securityGroups(ImmutableSet.builder().addAll(template.getOptions().getGroups()).addAll(addSecuritySpecifiedInConfig(contextEntity, location, securityGroupExtension)).build());
    }

    private Set<String> addSecuritySpecifiedInConfig(Entity entity, Location location, SecurityGroupExtension securityGroupExtension) {
        MutableSet of = MutableSet.of();
        MutableSet of2 = MutableSet.of();
        SecurityGroupEditor securityGroupEditor = new SecurityGroupEditor(location, securityGroupExtension);
        SecurityGroupRules newInstance = SecurityGroupRules.newInstance(location);
        MutableSet<String> of3 = MutableSet.of("management");
        Collection collection = (Collection) config().get(NETWORKS);
        if (collection != null) {
            Iterator it = collection.iterator();
            while (it.hasNext()) {
                of3.add((String) it.next());
            }
        }
        Iterable<NetworkSecurityVisualizer> networkSecurityVisualisers = getNetworkSecurityVisualisers(entity.getApplication());
        for (String str : of3) {
            SecurityGroup orCreateSecurityGroup = getOrCreateSecurityGroup(getAppNetworkName(str, entity), str, securityGroupEditor);
            securityGroupEditor.addPermissions(orCreateSecurityGroup, getNetworkRule(newInstance, str, orCreateSecurityGroup));
            of.add(orCreateSecurityGroup.getName());
            Iterator<NetworkSecurityVisualizer> it2 = networkSecurityVisualisers.iterator();
            while (it2.hasNext()) {
                it2.next().addEntityToGroup(str, entity);
            }
        }
        Collection collection2 = (Collection) config().get(NETWORKS_INGRESS);
        if (collection2 != null && !collection2.isEmpty()) {
            SecurityGroup createSecurityGroup = securityGroupEditor.createSecurityGroup("ingress-networks-" + entity.getId() + "-" + entity.getApplicationId());
            of.add(createSecurityGroup.getName());
            Iterator it3 = collection2.iterator();
            while (it3.hasNext()) {
                addIngressNetwork(entity, of2, securityGroupEditor, newInstance, createSecurityGroup, (Map) it3.next());
            }
        }
        entity.sensors().set(ENTITY_NETWORKS, ImmutableSet.copyOf(of));
        entity.sensors().set(INGRESS_NETWORKS, ImmutableSet.copyOf(of2));
        addNetworksToApplicationReferences(entity, of, of2);
        return of;
    }

    private void addIngressNetwork(Entity entity, Set<String> set, SecurityGroupEditor securityGroupEditor, SecurityGroupRules securityGroupRules, SecurityGroup securityGroup, Map<String, ?> map) {
        Iterable<NetworkSecurityVisualizer> networkSecurityVisualisers = getNetworkSecurityVisualisers(entity.getApplication());
        String str = (String) map.get("network");
        Collection collection = (Collection) TypeCoercions.coerce(map.get("exposing"), new TypeToken<Collection<Object>>() { // from class: io.cloudsoft.amp.networking.NetworkSecurityCustomizer.6
        });
        if (str == null || collection == null) {
            return;
        }
        for (Object obj : collection) {
            Integer sensorValue = getSensorValue(entity, obj);
            if (sensorValue == null) {
                sensorValue = getConfigValue(entity, obj);
            }
            if (sensorValue == null) {
                sensorValue = getCoercedValue(obj);
            }
            if (sensorValue != null) {
                SecurityGroup orCreateSecurityGroup = getOrCreateSecurityGroup(getAppNetworkName(str, entity), str, securityGroupEditor);
                set.add(orCreateSecurityGroup.getName());
                Collection<IpPermission> allFromOnPort = securityGroupRules.allFromOnPort(orCreateSecurityGroup, sensorValue.intValue());
                securityGroupEditor.addPermissions(securityGroup, allFromOnPort);
                Iterator<NetworkSecurityVisualizer> it = networkSecurityVisualisers.iterator();
                while (it.hasNext()) {
                    it.next().publishGroupAccess(str, entity, allFromOnPort);
                }
            } else {
                LOG.warn("Entity " + entity + " requests port " + obj + " to be exposed to network " + str + " but the sensor is not populated yet. Ignoring.");
            }
        }
    }

    private void addNetworksToApplicationReferences(Entity entity, final Set<String> set, final Set<String> set2) {
        entity.getApplication().sensors().modify(APPLICATION_NETWORKS, new Function<Multiset<String>, Maybe<Multiset<String>>>() { // from class: io.cloudsoft.amp.networking.NetworkSecurityCustomizer.7
            @Nullable
            public Maybe<Multiset<String>> apply(@Nullable Multiset<String> multiset) {
                HashMultiset create = HashMultiset.create(null == multiset ? ImmutableSet.of() : multiset);
                Iterator it = Iterables.concat(set, set2).iterator();
                while (it.hasNext()) {
                    create.add((String) it.next());
                }
                return Maybe.of(create);
            }
        });
    }

    private void removeNetworksFromApplicationReferences(Entity entity, final Set<String> set, final Set<String> set2, final SecurityGroupEditor securityGroupEditor) {
        final MutableList of = MutableList.of();
        entity.getApplication().sensors().modify(APPLICATION_NETWORKS, new Function<Multiset<String>, Maybe<Multiset<String>>>() { // from class: io.cloudsoft.amp.networking.NetworkSecurityCustomizer.8
            @Nullable
            public Maybe<Multiset<String>> apply(@Nullable Multiset<String> multiset) {
                HashMultiset create = HashMultiset.create(null == multiset ? ImmutableSet.of() : multiset);
                for (String str : Iterables.concat(set, set2)) {
                    if (create.remove(str) && create.count(str) == 0) {
                        of.add(NetworkSecurityCustomizer.this.removeSecurityGroup(securityGroupEditor, str));
                    }
                }
                return Maybe.of(create);
            }
        });
        if (of.isEmpty()) {
            return;
        }
        Task build = Tasks.builder().parallel(true).displayName("Delete security groups").description("Deleting " + of).tag(BrooklynTaskTags.tagForCallerEntity(entity)).addAll(of).build();
        TaskTags.markInessential(build);
        DynamicTasks.queueIfPossible(build).orSubmitAsync(entity).andWaitForSuccess();
    }

    public SecurityGroup getOrCreateSecurityGroup(String str, String str2, SecurityGroupEditor securityGroupEditor) {
        Optional findSecurityGroupByName = securityGroupEditor.findSecurityGroupByName(str);
        if (findSecurityGroupByName.isPresent()) {
            return (SecurityGroup) findSecurityGroupByName.get();
        }
        Iterator<NetworkSecurityVisualizer> it = getNetworkSecurityVisualisers(getContextEntity().getApplication()).iterator();
        while (it.hasNext()) {
            it.next().getOrCreateGroup(str2);
        }
        return securityGroupEditor.createSecurityGroup(str);
    }

    private Integer getConfigValue(Entity entity, Object obj) {
        String obj2 = obj.toString();
        ConfigKey configKey = entity.getEntityType().getConfigKey(obj2);
        if (configKey == null) {
            configKey = ConfigKeys.newConfigKey(PortRange.class, obj2);
        }
        PortRange portRange = (PortRange) TypeCoercions.tryCoerce(entity.config().get(configKey), PortRange.class).orNull();
        if (portRange != null) {
            return (Integer) portRange.iterator().next();
        }
        return null;
    }

    private Integer getCoercedValue(Object obj) {
        return (Integer) TypeCoercions.tryCoerce(obj, Integer.class).orNull();
    }

    protected Integer getSensorValue(Entity entity, Object obj) {
        String obj2 = obj.toString();
        AttributeSensor sensor = entity.getEntityType().getSensor(obj2);
        return (Integer) entity.sensors().get(sensor != null ? sensor : Sensors.newIntegerSensor(obj2));
    }

    protected String getAppNetworkName(String str, Entity entity) {
        return str + "-" + entity.getApplicationId();
    }

    protected Collection<IpPermission> getNetworkRule(SecurityGroupRules securityGroupRules, String str, SecurityGroup securityGroup) {
        return str.equalsIgnoreCase("public") ? securityGroupRules.everything() : str.equalsIgnoreCase("management") ? this.restrictManagement ? securityGroupRules.allFrom((Cidr) LOCALHOST_ADDRESS_SUPPLIER.get()) : securityGroupRules.everything() : securityGroupRules.allFrom(securityGroup);
    }

    protected static final Entity getContextEntity() {
        return BrooklynTaskTags.getTargetOrContextEntity(Tasks.current());
    }

    protected JcloudsLocation inferLocation(@Nullable Entity entity) {
        Collection locationsCheckingAncestors = Locations.getLocationsCheckingAncestors((Collection) null, entity);
        Maybe findUniqueElement = Machines.findUniqueElement(locationsCheckingAncestors, JcloudsLocation.class);
        if (findUniqueElement.isPresent()) {
            return (JcloudsLocation) findUniqueElement.get();
        }
        if (locationsCheckingAncestors == null || locationsCheckingAncestors.isEmpty()) {
            throw new IllegalArgumentException("No locations specified when starting " + this);
        }
        if (locationsCheckingAncestors.size() != 1 || Iterables.getOnlyElement(locationsCheckingAncestors) == null) {
            throw new IllegalArgumentException("Ambiguous locations detected when starting " + this + ": " + locationsCheckingAncestors);
        }
        throw new IllegalArgumentException("No matching JcloudsLocation when starting " + this + ": " + locationsCheckingAncestors);
    }

    public void postRelease(JcloudsMachineLocation jcloudsMachineLocation) {
        removeSecurityGroups();
    }

    private void removeSecurityGroups() {
        Entity contextEntity = getContextEntity();
        if (contextEntity == null) {
            LOG.warn("Unable to remove security groups, no context entity available to {}", this);
            return;
        }
        JcloudsLocation inferLocation = inferLocation(contextEntity);
        Optional securityGroupExtension = inferLocation.getComputeService().getSecurityGroupExtension();
        if (!securityGroupExtension.isPresent()) {
            LOG.warn("Unable to remove security groups, no security group extension found in {}", inferLocation);
            return;
        }
        Location location = (Location) contextEntity.sensors().get(DOMAIN_LOCATION);
        if (null == location) {
            LOG.warn("Unable to remove security groups, no domain location found on {}", contextEntity);
            return;
        }
        SecurityGroupEditor securityGroupEditor = new SecurityGroupEditor(location, (SecurityGroupExtension) securityGroupExtension.get());
        Set<String> set = (Set) contextEntity.sensors().get(ENTITY_NETWORKS);
        Set<String> set2 = (Set) contextEntity.sensors().get(INGRESS_NETWORKS);
        for (NetworkSecurityVisualizer networkSecurityVisualizer : getNetworkSecurityVisualisers(contextEntity.getApplication())) {
            networkSecurityVisualizer.unpublishGroupAccess(networkSecurityVisualizer);
        }
        removeNetworksFromApplicationReferences(contextEntity, set, set2, securityGroupEditor);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Task<Boolean> removeSecurityGroup(SecurityGroupEditor securityGroupEditor, String str) {
        LOG.info("Removing security group {}", str);
        Iterator<NetworkSecurityVisualizer> it = getNetworkSecurityVisualisers(getContextEntity().getApplication()).iterator();
        while (it.hasNext()) {
            it.next().removeEntityFromGroup(str, getContextEntity());
        }
        return Tasks.create(str, new SecurityGroupDeleter(securityGroupEditor, str));
    }

    public Iterable<NetworkSecurityVisualizer> getNetworkSecurityVisualisers(Application application) {
        return Entities.descendantsAndSelf(application, NetworkSecurityVisualizer.class);
    }
}
