package com.datadog.appsec.config;

import com.datadog.appsec.AppSecSystem;
import com.datadog.appsec.api.security.ApiSecurityRequestSampler;
import com.datadog.appsec.config.AppSecConfigService;
import com.datadog.appsec.config.AppSecFeatures;
import com.datadog.appsec.config.AppSecModuleConfigurer;
import com.datadog.appsec.config.CurrentAppSecConfig;
import com.datadog.appsec.util.AbortStartupException;
import com.datadog.appsec.util.StandardizedLogging;
import datadog.remoteconfig.Capabilities;
import datadog.remoteconfig.ConfigurationEndListener;
import datadog.remoteconfig.ConfigurationPoller;
import datadog.remoteconfig.Product;
import datadog.slf4j.Logger;
import datadog.slf4j.LoggerFactory;
import datadog.trace.api.Config;
import datadog.trace.api.ProductActivation;
import datadog.trace.api.UserIdCollectionMode;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/* loaded from: input_file:appsec/com/datadog/appsec/config/AppSecConfigServiceImpl.classdata */
public class AppSecConfigServiceImpl implements AppSecConfigService {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) AppSecConfigServiceImpl.class);
    private static final String DEFAULT_CONFIG_LOCATION = "default_config.json";
    private static AppSecConfig DEFAULT_WAF_CONFIG;
    private final ConfigurationPoller configurationPoller;
    private CurrentAppSecConfig currentAppSecConfig;
    private MergedAsmFeatures mergedAsmFeatures;
    private volatile boolean initialized;
    private final Config tracerConfig;
    private final AppSecModuleConfigurer.Reconfiguration reconfiguration;
    private final ApiSecurityRequestSampler apiSecurityRequestSampler;
    private boolean hasUserWafConfig;
    private final ConcurrentHashMap<String, Object> lastConfig = new ConcurrentHashMap<>();
    private final ConcurrentHashMap<String, AppSecModuleConfigurer.SubconfigListener> subconfigListeners = new ConcurrentHashMap<>();
    private final List<TraceSegmentPostProcessor> traceSegmentPostProcessors = new ArrayList();
    private final ConfigurationEndListener applyRemoteConfigListener = this::applyRemoteConfigListener;

    /* loaded from: input_file:appsec/com/datadog/appsec/config/AppSecConfigServiceImpl$TransactionalAppSecModuleConfigurerImpl.classdata */
    private class TransactionalAppSecModuleConfigurerImpl implements AppSecConfigService.TransactionalAppSecModuleConfigurer {
        private final Map<String, AppSecModuleConfigurer.SubconfigListener> listenerMap;
        private final List<TraceSegmentPostProcessor> postProcessors;

        private TransactionalAppSecModuleConfigurerImpl() {
            this.listenerMap = new HashMap();
            this.postProcessors = new ArrayList();
        }

        @Override // com.datadog.appsec.config.AppSecModuleConfigurer
        public Optional<Object> addSubConfigListener(String str, AppSecModuleConfigurer.SubconfigListener subconfigListener) {
            this.listenerMap.put(str, subconfigListener);
            return Optional.ofNullable(AppSecConfigServiceImpl.this.lastConfig.get(str));
        }

        @Override // com.datadog.appsec.config.AppSecModuleConfigurer
        public void addTraceSegmentPostProcessor(TraceSegmentPostProcessor traceSegmentPostProcessor) {
            this.postProcessors.add(traceSegmentPostProcessor);
        }

        @Override // com.datadog.appsec.config.AppSecConfigService.TransactionalAppSecModuleConfigurer
        public void commit() {
            AppSecConfigServiceImpl.this.subconfigListeners.putAll(this.listenerMap);
            AppSecConfigServiceImpl.this.traceSegmentPostProcessors.addAll(this.postProcessors);
        }
    }

    public AppSecConfigServiceImpl(Config config, ConfigurationPoller configurationPoller, ApiSecurityRequestSampler apiSecurityRequestSampler, AppSecModuleConfigurer.Reconfiguration reconfiguration) {
        this.tracerConfig = config;
        this.configurationPoller = configurationPoller;
        this.reconfiguration = reconfiguration;
        this.apiSecurityRequestSampler = apiSecurityRequestSampler;
    }

    private void subscribeConfigurationPoller() {
        subscribeAsmFeatures();
        if (this.hasUserWafConfig) {
            log.debug("Will not subscribe to ASM, ASM_DD and ASM_DATA (AppSec custom rules in use)");
        } else {
            subscribeRulesAndData();
        }
        this.configurationPoller.addConfigurationEndListener(this.applyRemoteConfigListener);
        long j = 64424773564L;
        if (this.tracerConfig.isAppSecRaspEnabled()) {
            j = 64424773564L | 2097152 | Capabilities.CAPABILITY_ASM_RASP_SSRF | 4194304 | Capabilities.CAPABILITY_ASM_RASP_CMDI | 16777216;
        }
        this.configurationPoller.addCapabilities(j);
    }

    private void subscribeRulesAndData() {
        this.configurationPoller.addListener(Product.ASM_DD, AppSecConfigDeserializer.INSTANCE, (str, appSecConfig, pollingRateHinter) -> {
            if (!this.initialized) {
                throw new IllegalStateException();
            }
            if (appSecConfig == null) {
                if (DEFAULT_WAF_CONFIG == null) {
                    throw new IllegalStateException("Expected default waf config to be available");
                }
                log.debug("AppSec config given by remote config was pulled. Restoring default WAF config");
                appSecConfig = DEFAULT_WAF_CONFIG;
            }
            this.currentAppSecConfig.setDdConfig(appSecConfig);
            this.currentAppSecConfig.dirtyStatus.markAllDirty();
        });
        this.configurationPoller.addListener(Product.ASM_DATA, AppSecDataDeserializer.INSTANCE, (str2, appSecData, pollingRateHinter2) -> {
            if (!this.initialized) {
                throw new IllegalStateException();
            }
            if (appSecData == null) {
                this.currentAppSecConfig.mergedAsmData.removeConfig(str2);
            } else {
                this.currentAppSecConfig.mergedAsmData.addConfig(str2, appSecData);
            }
            this.currentAppSecConfig.dirtyStatus.data = true;
        });
        this.configurationPoller.addListener(Product.ASM, AppSecUserConfigDeserializer.INSTANCE, (str3, builder, pollingRateHinter3) -> {
            CurrentAppSecConfig.DirtyStatus addConfig;
            if (!this.initialized) {
                throw new IllegalStateException();
            }
            if (builder == null) {
                addConfig = this.currentAppSecConfig.userConfigs.removeConfig(str3);
            } else {
                addConfig = this.currentAppSecConfig.userConfigs.addConfig(builder.build(str3));
            }
            this.currentAppSecConfig.dirtyStatus.mergeFrom(addConfig);
        });
    }

    private void subscribeAsmFeatures() {
        this.configurationPoller.addListener(Product.ASM_FEATURES, AppSecFeaturesDeserializer.INSTANCE, (str, appSecFeatures, pollingRateHinter) -> {
            if (!this.initialized) {
                throw new IllegalStateException();
            }
            if (appSecFeatures == null) {
                this.mergedAsmFeatures.removeConfig(str);
            } else {
                this.mergedAsmFeatures.addConfig(str, appSecFeatures);
            }
        });
        if (this.tracerConfig.getAppSecActivation() == ProductActivation.ENABLED_INACTIVE) {
            this.configurationPoller.addCapabilities(2L);
        } else {
            log.debug("Will not subscribe report CAPABILITY_ASM_ACTIVATION (AppSec explicitly enabled)");
        }
        this.configurationPoller.addCapabilities(Capabilities.CAPABILITY_ASM_AUTO_USER_INSTRUM_MODE);
        this.configurationPoller.addCapabilities(2048L);
    }

    private void distributeSubConfigurations(Map<String, Object> map, AppSecModuleConfigurer.Reconfiguration reconfiguration) {
        for (Map.Entry<String, AppSecModuleConfigurer.SubconfigListener> entry : this.subconfigListeners.entrySet()) {
            String key = entry.getKey();
            if (map.containsKey(key)) {
                try {
                    entry.getValue().onNewSubconfig(map.get(key), reconfiguration);
                } catch (Exception e) {
                    log.warn("Error updating configuration of app sec module listening on key {}", key, e);
                }
            }
        }
    }

    @Override // com.datadog.appsec.config.AppSecConfigService
    public void init() {
        this.hasUserWafConfig = false;
        try {
            AppSecConfig loadUserWafConfig = loadUserWafConfig(this.tracerConfig);
            if (loadUserWafConfig == null) {
                try {
                    loadUserWafConfig = loadDefaultWafConfig();
                } catch (IOException e) {
                    log.error("Error loading default config", (Throwable) e);
                    throw new AbortStartupException("Error loading default config", e);
                }
            } else {
                this.hasUserWafConfig = true;
            }
            this.currentAppSecConfig = new CurrentAppSecConfig();
            this.currentAppSecConfig.setDdConfig(loadUserWafConfig);
            this.lastConfig.put("waf", this.currentAppSecConfig);
            this.mergedAsmFeatures = new MergedAsmFeatures();
            this.initialized = true;
        } catch (Exception e2) {
            log.error("Error loading user-provided config", (Throwable) e2);
            throw new AbortStartupException("Error loading user-provided config", e2);
        }
    }

    public void maybeSubscribeConfigPolling() {
        if (this.configurationPoller == null) {
            log.info("Remote config is disabled; AppSec will not be able to use it");
        } else if (this.hasUserWafConfig && this.tracerConfig.getAppSecActivation() == ProductActivation.FULLY_ENABLED) {
            log.info("AppSec will not use remote config because there is a custom user configuration and AppSec is explicitly enabled");
        } else {
            subscribeConfigurationPoller();
        }
    }

    public List<TraceSegmentPostProcessor> getTraceSegmentPostProcessors() {
        return this.traceSegmentPostProcessors;
    }

    @Override // com.datadog.appsec.config.AppSecConfigService
    public AppSecConfigService.TransactionalAppSecModuleConfigurer createAppSecModuleConfigurer() {
        return new TransactionalAppSecModuleConfigurerImpl();
    }

    private static AppSecConfig loadDefaultWafConfig() throws IOException {
        InputStream resourceAsStream = AppSecConfigServiceImpl.class.getClassLoader().getResourceAsStream(DEFAULT_CONFIG_LOCATION);
        Throwable th = null;
        try {
            if (resourceAsStream == null) {
                throw new IOException("Resource default_config.json not found");
            }
            AppSecConfig deserialize = AppSecConfigDeserializer.INSTANCE.deserialize(resourceAsStream);
            StandardizedLogging._initialConfigSourceAndLibddwafVersion(log, "<bundled config>");
            if (log.isInfoEnabled()) {
                StandardizedLogging.numLoadedRules(log, "<bundled config>", countRules(deserialize));
            }
            DEFAULT_WAF_CONFIG = deserialize;
            if (resourceAsStream != null) {
                if (0 != 0) {
                    try {
                        resourceAsStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    resourceAsStream.close();
                }
            }
            return deserialize;
        } catch (Throwable th3) {
            if (resourceAsStream != null) {
                if (0 != 0) {
                    try {
                        resourceAsStream.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    resourceAsStream.close();
                }
            }
            throw th3;
        }
    }

    private static AppSecConfig loadUserWafConfig(Config config) throws IOException {
        String appSecRulesFile = config.getAppSecRulesFile();
        if (appSecRulesFile == null) {
            return null;
        }
        try {
            FileInputStream fileInputStream = new FileInputStream(appSecRulesFile);
            Throwable th = null;
            try {
                try {
                    AppSecConfig deserialize = AppSecConfigDeserializer.INSTANCE.deserialize(fileInputStream);
                    StandardizedLogging._initialConfigSourceAndLibddwafVersion(log, appSecRulesFile);
                    if (log.isInfoEnabled()) {
                        StandardizedLogging.numLoadedRules(log, appSecRulesFile, countRules(deserialize));
                    }
                    if (fileInputStream != null) {
                        if (0 != 0) {
                            try {
                                fileInputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            fileInputStream.close();
                        }
                    }
                    return deserialize;
                } finally {
                }
            } catch (Throwable th3) {
                if (fileInputStream != null) {
                    if (th != null) {
                        try {
                            fileInputStream.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        fileInputStream.close();
                    }
                }
                throw th3;
            }
        } catch (FileNotFoundException e) {
            StandardizedLogging.rulesFileNotFound(log, appSecRulesFile);
            throw e;
        } catch (IOException e2) {
            StandardizedLogging.rulesFileInvalid(log, appSecRulesFile, StandardizedLogging.RulesInvalidReason.INVALID_JSON_FILE);
            throw e2;
        }
    }

    private static int countRules(AppSecConfig appSecConfig) {
        return appSecConfig.getNumberOfRules();
    }

    @Override // com.datadog.appsec.config.AppSecConfigService, java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.configurationPoller == null) {
            return;
        }
        this.configurationPoller.removeCapabilities(204042670014L);
        this.configurationPoller.removeListeners(Product.ASM_DD);
        this.configurationPoller.removeListeners(Product.ASM_DATA);
        this.configurationPoller.removeListeners(Product.ASM);
        this.configurationPoller.removeListeners(Product.ASM_FEATURES);
        this.configurationPoller.removeConfigurationEndListener(this.applyRemoteConfigListener);
        this.configurationPoller.stop();
    }

    private void applyRemoteConfigListener() {
        AppSecFeatures mergedData = this.mergedAsmFeatures.getMergedData();
        setAppSecActivation(mergedData.asm);
        setApiSecuritySampling(mergedData.apiSecurity);
        setUserIdCollectionMode(mergedData.autoUserInstrum);
        if (AppSecSystem.isActive() && this.currentAppSecConfig.dirtyStatus.isAnyDirty()) {
            distributeSubConfigurations(Collections.singletonMap("waf", this.currentAppSecConfig), this.reconfiguration);
            this.currentAppSecConfig.dirtyStatus.clearDirty();
        }
    }

    private void setAppSecActivation(AppSecFeatures.Asm asm) {
        boolean booleanValue;
        if (asm == null) {
            booleanValue = this.tracerConfig.getAppSecActivation() == ProductActivation.FULLY_ENABLED;
        } else {
            booleanValue = asm.enabled.booleanValue();
        }
        if (AppSecSystem.isActive() != booleanValue) {
            log.info("AppSec {} (runtime)", booleanValue ? "enabled" : "disabled");
            AppSecSystem.setActive(booleanValue);
            if (AppSecSystem.isActive()) {
                this.currentAppSecConfig.dirtyStatus.markAllDirty();
            }
        }
    }

    private void setApiSecuritySampling(AppSecFeatures.ApiSecurity apiSecurity) {
        if (this.apiSecurityRequestSampler.setSampling(apiSecurity == null ? this.tracerConfig.getApiSecurityRequestSampleRate() : apiSecurity.requestSampleRate.floatValue())) {
            int sampling = this.apiSecurityRequestSampler.getSampling();
            if (sampling == 0) {
                log.info("Api Security is disabled via remote-config");
            } else {
                log.info("Api Security changed via remote-config. New sampling rate is {}% of all requests.", Integer.valueOf(sampling));
            }
        }
    }

    private void setUserIdCollectionMode(AppSecFeatures.AutoUserInstrum autoUserInstrum) {
        UserIdCollectionMode userIdCollectionMode = UserIdCollectionMode.get();
        UserIdCollectionMode appSecUserIdCollectionMode = autoUserInstrum == null ? this.tracerConfig.getAppSecUserIdCollectionMode() : UserIdCollectionMode.fromRemoteConfig(autoUserInstrum.mode);
        if (appSecUserIdCollectionMode != userIdCollectionMode) {
            log.info("User ID collection mode changed via remote-config: {} -> {}", userIdCollectionMode, appSecUserIdCollectionMode);
        }
    }
}
