package ch.usp.core.waap.spec.v1.render.protocol;

import ch.usp.core.waap.spec.v1.spec.route.WaapRouteBackendProtocol;
import com.google.protobuf.Any;
import io.envoyproxy.envoy.config.cluster.v3.Cluster;
import io.envoyproxy.envoy.config.core.v3.DataSource;
import io.envoyproxy.envoy.config.core.v3.Http1ProtocolOptions;
import io.envoyproxy.envoy.config.core.v3.Http2ProtocolOptions;
import io.envoyproxy.envoy.config.core.v3.TransportSocket;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SubjectAltNameMatcher;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.TlsParameters;
import io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext;
import io.envoyproxy.envoy.extensions.upstreams.http.v3.HttpProtocolOptions;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;

/* loaded from: input_file:ch/usp/core/waap/spec/v1/render/protocol/WaapToEnvoyProtocol.class */
/**
 * Static helpers that write backend (upstream) TLS and HTTP protocol settings into an Envoy
 * {@link Cluster.Builder}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Upstream TLS is pinned to the range TLS 1.2 .. TLS 1.3; cipher suites are not set here
 *       and therefore stay at Envoy's defaults.</li>
 *   <li>Certificate validation is opt-in through a boolean flag. When it is off, no validation
 *       context is attached at all, and Envoy does not verify an upstream certificate that has no
 *       trusted CA configured: the link is encrypted but the backend is not authenticated.</li>
 *   <li>When validation is on, trust is anchored to the whole bundle in
 *       {@code CA_CERTIFICATES_FILE_PATH} and the certificate must carry a DNS SAN that equals
 *       the SNI name exactly.</li>
 * </ul>
 */
public final class WaapToEnvoyProtocol {
    /**
     * CA bundle handed to Envoy as the trust anchor set. Every CA contained in this file is
     * accepted as an issuer for the backend certificate, so the content of the file in the
     * runtime image is part of the trust decision.
     */
    private static final String CA_CERTIFICATES_FILE_PATH = "/etc/ssl/certs/ca-certificates.crt";

    /** Key under which the upstream HTTP protocol options are stored on the cluster. */
    private static final String HTTP_PROTOCOL_OPTIONS_KEY = "envoy.extensions.upstreams.http.v3.HttpProtocolOptions";

    /** Utility holder; not meant to be instantiated. */
    private WaapToEnvoyProtocol() {
    }

    /**
     * Attaches an upstream TLS transport socket to the given cluster.
     *
     * @param builder   cluster under construction; only its transport socket is set
     * @param str       prefix of the transport socket name ({@code str + ".transportSockets.tls"})
     * @param str2      name sent as SNI and, if {@code z} is set, the exact DNS SAN the backend
     *                  certificate must contain. NOTE(review): the matcher is of SAN type DNS, so
     *                  this presumably has to be a hostname rather than an IP literal; confirm
     *                  with callers.
     * @param z         {@code true} to validate the backend certificate against the CA bundle and
     *                  the SAN matcher; {@code false} leaves the certificate unvalidated
     * @param selection backend protocol selection; only {@code auto} adds ALPN protocols
     */
    public static void addClusterTlsSettings(Cluster.Builder builder, String str, String str2, boolean z, WaapRouteBackendProtocol.Selection selection) {
        // Accepted protocol window: nothing below TLS 1.2, nothing above TLS 1.3.
        TlsParameters protocolRange = TlsParameters.newBuilder()
                .setTlsMinimumProtocolVersion(TlsParameters.TlsProtocol.TLSv1_2)
                .setTlsMaximumProtocolVersion(TlsParameters.TlsProtocol.TLSv1_3)
                .build();
        CommonTlsContext.Builder commonTls = CommonTlsContext.newBuilder().setTlsParams(protocolRange);

        if (z) {
            // Chain validation (trusted CA) and identity check (SAN) are configured together;
            // with z == false neither of them is configured.
            StringMatcher exactName = StringMatcher.newBuilder().setExact(str2).build();
            SubjectAltNameMatcher dnsSan = SubjectAltNameMatcher.newBuilder()
                    .setSanType(SubjectAltNameMatcher.SanType.DNS)
                    .setMatcher(exactName)
                    .build();
            DataSource caBundle = DataSource.newBuilder().setFilename(CA_CERTIFICATES_FILE_PATH).build();
            CertificateValidationContext validation = CertificateValidationContext.newBuilder()
                    .addMatchTypedSubjectAltNames(dnsSan)
                    .setTrustedCa(caBundle)
                    .build();
            commonTls.setValidationContext(validation);
        }

        if (WaapRouteBackendProtocol.Selection.auto == selection) {
            // One comma-joined entry rather than two list items; Envoy's documentation lists this
            // combined form as a usual value. NOTE(review): confirm against the deployed Envoy
            // version.
            commonTls.addAlpnProtocols("h2,http/1.1");
        }

        // SNI is sent whether or not validation is enabled.
        UpstreamTlsContext upstreamTls = UpstreamTlsContext.newBuilder()
                .setSni(str2)
                .setCommonTlsContext(commonTls.build())
                .build();
        TransportSocket tlsSocket = TransportSocket.newBuilder()
                .setName(str + ".transportSockets.tls")
                .setTypedConfig(Any.pack(upstreamTls))
                .build();
        builder.setTransportSocket(tlsSocket);
    }

    /**
     * Stores the upstream HTTP protocol options that correspond to the selected backend protocol.
     *
     * <p>{@code h1} and {@code h2} produce an explicit single-protocol configuration with default
     * options; {@code auto} produces an auto configuration carrying default HTTP/1 and HTTP/2
     * options.
     *
     * @param builder   cluster under construction; receives one typed extension protocol option
     * @param selection backend protocol selection
     * @throws IncompatibleClassChangeError if {@code selection} is none of the handled constants
     */
    public static void addClusterProtocolSettings(Cluster.Builder builder, WaapRouteBackendProtocol.Selection selection) {
        HttpProtocolOptions.Builder options = HttpProtocolOptions.newBuilder();
        switch (selection) {
            case h1:
                options.setExplicitHttpConfig(HttpProtocolOptions.ExplicitHttpConfig.newBuilder()
                        .setHttpProtocolOptions(Http1ProtocolOptions.getDefaultInstance())
                        .build());
                break;
            case h2:
                options.setExplicitHttpConfig(HttpProtocolOptions.ExplicitHttpConfig.newBuilder()
                        .setHttp2ProtocolOptions(Http2ProtocolOptions.getDefaultInstance())
                        .build());
                break;
            case auto:
                options.setAutoConfig(HttpProtocolOptions.AutoHttpConfig.newBuilder()
                        .setHttpProtocolOptions(Http1ProtocolOptions.getDefaultInstance())
                        .setHttp2ProtocolOptions(Http2ProtocolOptions.getDefaultInstance())
                        .build());
                break;
            default:
                // Thrown before the cluster builder is touched, so an unhandled value leaves it
                // unchanged.
                throw new IncompatibleClassChangeError();
        }
        builder.putTypedExtensionProtocolOptions(HTTP_PROTOCOL_OPTIONS_KEY, Any.pack(options.build()));
    }
}
