package com.yahoo.vespa.hosted.node.admin.maintenance.acl;

import com.yahoo.collections.Pair;
import com.yahoo.vespa.hosted.dockerapi.Container;
import com.yahoo.vespa.hosted.dockerapi.ContainerName;
import com.yahoo.vespa.hosted.node.admin.docker.DockerOperations;
import com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Action;
import com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Chain;
import com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.FlushCommand;
import com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand;
import com.yahoo.vespa.hosted.node.admin.noderepository.NodeRepository;
import com.yahoo.vespa.hosted.node.admin.util.PrefixLogger;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;

/* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.class */
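/**
 * Applies network ACLs to running managed containers by executing {@code ip6tables}
 * commands inside each container's network namespace.
 *
 * <p>Each {@link #run()} fetches the ACL specs for this node-admin host from the node
 * repository, groups them by the container that trusts them, and re-applies the rule set
 * of every running container whose ACL differs from the one last applied successfully.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Only {@code ip6tables} is invoked, so this class does not install any IPv4 filtering.</li>
 *   <li>A failed update is rolled back by setting the INPUT policy to ACCEPT, which is
 *       fail-open. The failure is logged at error level and should be monitored.</li>
 * </ul>
 */
public class AclMaintainer implements Runnable {
    private static final PrefixLogger log = PrefixLogger.getNodeAdminLogger(AclMaintainer.class);
    private static final String IPTABLES_COMMAND = "ip6tables";
    private final DockerOperations dockerOperations;
    private final NodeRepository nodeRepository;
    private final String nodeAdminHostname;
    // Last ACL applied successfully per container. Only touched from applyAcl/isAclActive,
    // which are reached through the synchronized configureAcls().
    private final Map<ContainerName, Acl> containerAcls = new HashMap<>();

    /**
     * @param dockerOperations  used to list managed containers and to run commands in their
     *                          network namespaces
     * @param nodeRepository    source of the ACL specs
     * @param nodeAdminHostname hostname passed to the node repository when fetching ACL specs
     */
    public AclMaintainer(DockerOperations dockerOperations, NodeRepository nodeRepository, String nodeAdminHostname) {
        this.dockerOperations = dockerOperations;
        this.nodeRepository = nodeRepository;
        this.nodeAdminHostname = nodeAdminHostname;
    }

    /**
     * Returns true when {@code acl} equals the ACL recorded as last applied for the container.
     *
     * @throws NullPointerException if {@code acl} is null
     */
    private boolean isAclActive(ContainerName containerName, Acl acl) {
        // The decompiled listing referenced an undefined name here; the captured receiver is acl.
        return Optional.ofNullable(this.containerAcls.get(containerName))
                .map(acl::equals)
                .orElse(false);
    }

    /**
     * Replaces the INPUT chain of the container with the rules of {@code acl}, unless that
     * ACL is already recorded as active.
     *
     * <p>The chain is flushed first and the rules are then added one command at a time, so
     * between the flush and the last command the chain holds only part of the rule set.
     * If any command fails, the INPUT policy is set to ACCEPT as a rollback.
     */
    private void applyAcl(ContainerName containerName, Acl acl) {
        if (isAclActive(containerName, acl)) {
            return;
        }
        FlushCommand flushCommand = new FlushCommand(Chain.INPUT);
        PolicyCommand policyCommand = new PolicyCommand(Chain.INPUT, Action.ACCEPT);
        log.info("Start modifying ACL rules for " + containerName.asString());

        // From here on the chain no longer matches any previously recorded ACL. Drop the
        // cache entry now so that a failed or aborted update is never mistaken for an active
        // ACL on a later run (for example when the spec changes back to the previous rule set).
        this.containerAcls.remove(containerName);
        try {
            log.debug("Running ACL command '" + flushCommand.asString() + "'");
            this.dockerOperations.executeCommandInNetworkNamespace(containerName, flushCommand.asArray(IPTABLES_COMMAND));
            acl.toCommands().forEach(command -> {
                log.debug("Running ACL command '" + command.asString() + "' for " + containerName.asString());
                this.dockerOperations.executeCommandInNetworkNamespace(containerName, command.asArray(IPTABLES_COMMAND));
            });
            // Record the ACL only after every command has succeeded.
            this.containerAcls.put(containerName, acl);
        } catch (Exception e) {
            log.error("Exception occurred while configuring ACLs for " + containerName.asString() + ", attempting rollback", e);
            try {
                // NOTE(review): fail-open rollback. The INPUT policy becomes ACCEPT while the
                // chain may be empty or partially populated, so inbound filtering for this
                // container is presumably not enforced until a later run succeeds. Alert on
                // the error logs above and below rather than relying on the next run alone.
                this.dockerOperations.executeCommandInNetworkNamespace(containerName, policyCommand.asArray(IPTABLES_COMMAND));
            } catch (Exception e2) {
                log.error("Rollback of ACLs for " + containerName.asString() + " failed, giving up", e2);
            }
        }
        log.info("Finished modifying ACL rules for " + containerName.asString());
    }

    /**
     * Fetches the ACL specs for this host and applies them to every running managed
     * container that has at least one spec. Containers without specs are left untouched.
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private synchronized void configureAcls() {
        // The spec element type is not named in this file's imports, so the grouped map and
        // its value lists are kept raw, as in the original listing.
        Map specsByContainer = this.nodeRepository.getContainerAclSpecs(this.nodeAdminHostname).stream()
                .collect(Collectors.groupingBy(spec -> spec.trustedBy()));

        this.dockerOperations.getAllManagedContainers().stream()
                .filter(container -> container.state.isRunning())
                .forEach(container -> {
                    List specs = (List) specsByContainer.get(container.name);
                    if (specs != null) {
                        applyAcl(container.name, new Acl(container.pid, specs));
                    }
                });
    }

    /**
     * Runs one ACL configuration pass. Any failure is logged and swallowed so that it does
     * not propagate to the caller; presumably this keeps a periodic scheduler running.
     */
    @Override
    public void run() {
        try {
            configureAcls();
        } catch (Throwable th) {
            log.error("Failed to configure ACLs", th);
        }
    }
}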
