package com.yahoo.vespa.hosted.node.admin.maintenance.acl;

import com.google.common.net.InetAddresses;
import com.yahoo.vespa.hosted.dockerapi.Container;
import com.yahoo.vespa.hosted.node.admin.component.Environment;
import com.yahoo.vespa.hosted.node.admin.configserver.noderepository.Acl;
import com.yahoo.vespa.hosted.node.admin.configserver.noderepository.NodeRepository;
import com.yahoo.vespa.hosted.node.admin.docker.DockerNetworking;
import com.yahoo.vespa.hosted.node.admin.docker.DockerOperations;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPAddresses;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
import com.yahoo.vespa.hosted.node.admin.util.PrefixLogger;
import java.net.InetAddress;
import java.util.Map;
import java.util.stream.Collectors;

/* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainer.class */
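/**
 * Applies the ACLs published by the node repository to the running, managed containers on this host.
 *
 * <p>Each {@link #run()} fetches the ACLs registered for {@code nodeAdminHostname}, matches them by
 * hostname against the running managed containers, and rewrites each matched container's
 * {@code filter} table (IPv6 and IPv4) plus a {@code nat} redirect rule per resolved address.
 * Nothing is done unless the host uses {@link DockerNetworking#NPT}.
 *
 * <p>Thread-safety: the ACL pass is {@code synchronized}, so concurrent calls to {@link #run()} on
 * the same instance are serialized.
 */
public class AclMaintainer implements Runnable {
    private static final PrefixLogger log = PrefixLogger.getNodeAdminLogger(AclMaintainer.class);
    private final DockerOperations dockerOperations;
    private final NodeRepository nodeRepository;
    private final IPAddresses ipAddresses;
    private final String nodeAdminHostname;
    private final Environment environment;

    /**
     * @param dockerOperations  used to list managed containers and handed to the iptables editors
     * @param nodeRepository    source of the ACLs
     * @param nodeAdminHostname hostname whose ACLs are requested from the node repository
     * @param ipAddresses       resolves a container hostname to its IPv4/IPv6 address
     * @param environment       supplies the networking mode that gates the whole pass
     */
    public AclMaintainer(DockerOperations dockerOperations, NodeRepository nodeRepository, String nodeAdminHostname, IPAddresses ipAddresses, Environment environment) {
        this.dockerOperations = dockerOperations;
        this.nodeRepository = nodeRepository;
        this.ipAddresses = ipAddresses;
        this.nodeAdminHostname = nodeAdminHostname;
        this.environment = environment;
    }

    /**
     * Adds a {@code nat} OUTPUT rule that REDIRECTs traffic destined for the given address.
     *
     * <p>The address text is produced from an already-parsed {@link InetAddress}, so the rule line
     * is not assembled from a raw hostname string.
     */
    private void applyRedirect(Container container, InetAddress inetAddress) {
        IPVersion ipVersion = IPVersion.get(inetAddress);
        // singleHostCidr() is presumably the single-host prefix length for this IP version -- confirm.
        String destination = InetAddresses.toAddrString(inetAddress) + ipVersion.singleHostCidr();
        // NOTE(review): unlike the filter table this uses editLogOnError; judging by the name a
        // failed edit is only logged -- confirm against IPTablesEditor.
        IPTablesEditor.editLogOnError(
                this.dockerOperations,
                container.name,
                ipVersion,
                "nat",
                NatTableLineEditor.from("-A OUTPUT -d " + destination + " -j REDIRECT"));
    }

    /**
     * Writes the filter rules derived from {@code acl} for both IP versions, then adds a redirect
     * rule for each address the container hostname resolves to.
     */
    private void apply(Container container, Acl acl) {
        // NOTE(review): the helper name suggests the filter table is flushed when the edit fails.
        // If so, a failed update leaves the container with no filter rules at all (fail-open) --
        // confirm against IPTablesEditor and decide whether that is the intended failure mode.
        IPTablesEditor.editFlushOnError(this.dockerOperations, container.name, IPVersion.IPv6, "filter", FilterTableLineEditor.from(acl, IPVersion.IPv6));
        IPTablesEditor.editFlushOnError(this.dockerOperations, container.name, IPVersion.IPv4, "filter", FilterTableLineEditor.from(acl, IPVersion.IPv4));

        this.ipAddresses.getAddress(container.hostname, IPVersion.IPv4)
                .ifPresent(address -> applyRedirect(container, address));
        this.ipAddresses.getAddress(container.hostname, IPVersion.IPv6)
                .ifPresent(address -> applyRedirect(container, address));
    }

    /**
     * Runs one ACL pass over all running managed containers that have an ACL in the node repository.
     *
     * <p>A failure while applying one container's ACL is logged and does not stop the pass, so the
     * remaining containers still get their rules refreshed in the same run.
     */
    private synchronized void configureAcls() {
        if (this.environment.getDockerNetworking() != DockerNetworking.NPT) {
            return;
        }
        log.info("Configuring ACLs");

        // Collectors.toMap throws IllegalStateException on a duplicate key, so two running
        // containers reporting the same hostname abort the whole pass (logged by run()).
        Map<String, Container> runningContainers = this.dockerOperations.getAllManagedContainers().stream()
                .filter(container -> container.state.isRunning())
                .collect(Collectors.toMap(container -> container.hostname, container -> container));

        // NOTE(review): a running container with no entry in the returned ACL map is skipped and
        // keeps whatever rules it already has -- confirm that this is the intended behaviour.
        this.nodeRepository.getAcls(this.nodeAdminHostname).entrySet().stream()
                .filter(entry -> runningContainers.containsKey(entry.getKey()))
                .forEach(entry -> {
                    try {
                        apply(runningContainers.get(entry.getKey()), entry.getValue());
                    } catch (RuntimeException e) {
                        // Isolate the failure: one container must not leave the others with stale rules.
                        log.error("Failed to configure ACLs for container " + entry.getKey(), e);
                    }
                });
    }

    /**
     * Performs one ACL pass. Every {@link Throwable} is caught and logged, so nothing propagates
     * to the caller.
     */
    @Override // java.lang.Runnable
    public void run() {
        try {
            configureAcls();
        } catch (Throwable th) {
            log.error("Failed to configure ACLs", th);
        }
    }
}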
