package io.grpc.xds.internal.rbac.engine;

import com.google.auto.value.AutoValue;
import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.UnmodifiableIterator;
import com.google.common.io.BaseEncoding;
import io.grpc.Grpc;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.xds.internal.Matchers;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nullable;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.infinispan.xsite.GlobalXSiteAdminOperations;

/* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine.class */
public final class GrpcAuthorizationEngine {
    private static final Logger log = Logger.getLogger(GrpcAuthorizationEngine.class.getName());
    private final AuthConfig authConfig;

    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$Action.class */
    /**
     * Outcome vocabulary shared by policy configuration and by evaluation results.
     *
     * <p>The same two values are used for {@code AuthConfig.action()} (what a policy match means)
     * and for {@code AuthDecision.decision()} (what happened to a particular call).
     */
    public enum Action {
        /** The call is permitted, or the policy set is an allow-list. */
        ALLOW,

        /** The call is rejected, or the policy set is a deny-list. */
        DENY;
    }

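    /**
     * Matcher that accepts every request without inspecting it.
     *
     * <p>Used as a principal or permission, this is a wildcard: any policy built on it matches
     * regardless of transport security, peer identity, headers or path.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$AlwaysTrueMatcher.class */
    public static abstract class AlwaysTrueMatcher implements Matcher {
        // Declared final so that the shared singleton consulted on the authorization path cannot be
        // reassigned at runtime by other code in the same JVM.
        public static final AlwaysTrueMatcher INSTANCE = new AutoValue_GrpcAuthorizationEngine_AlwaysTrueMatcher();

        /**
         * Accepts the request unconditionally.
         *
         * @param evaluateArgs ignored
         * @return always {@code true}
         */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            return true;
        }
    }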

    /**
     * Conjunction of matchers: accepts a request only when every child accepts it.
     *
     * <p>An empty child list accepts every request (the loop below has nothing to reject), so an
     * empty conjunction behaves like a wildcard.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$AndMatcher.class */
    public static abstract class AndMatcher implements Matcher {
        /** Returns the children that must all accept the request. */
        public abstract ImmutableList<? extends Matcher> allMatch();

        /**
         * Builds a conjunction from a list of matchers.
         *
         * @param matchers children to combine; neither the list nor any element may be null
         * @return a matcher holding an immutable copy of {@code matchers}
         * @throws NullPointerException if the list or any element is null
         */
        public static AndMatcher create(List<? extends Matcher> matchers) {
            Preconditions.checkNotNull(matchers, "matchers");
            for (Matcher child : matchers) {
                Preconditions.checkNotNull(child, "matcher");
            }
            return new AutoValue_GrpcAuthorizationEngine_AndMatcher(ImmutableList.copyOf(matchers));
        }

        /** Varargs convenience form of {@link #create(List)}. */
        public static AndMatcher create(Matcher... matchers) {
            return create(Arrays.asList(matchers));
        }

        /**
         * Evaluates the children in order and stops at the first one that rejects.
         *
         * @return {@code true} when no child rejects the request
         */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            for (Matcher child : allMatch()) {
                if (!child.matches(evaluateArgs)) {
                    return false;
                }
            }
            return true;
        }
    }

    /**
     * Immutable RBAC configuration: an ordered list of policies plus the action that a policy
     * match stands for.
     *
     * <p>{@code evaluate} stops at the first matching policy, so list order determines which
     * policy name is reported in the decision.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$AuthConfig.class */
    public static abstract class AuthConfig {
        /** Returns the policies in evaluation order. */
        public abstract ImmutableList<PolicyMatcher> policies();

        /** Returns whether a policy match means ALLOW (allow-list) or DENY (deny-list). */
        public abstract Action action();

        /**
         * Creates a configuration holding an immutable copy of the given policies.
         *
         * @param policies policies in evaluation order
         * @param policyAction meaning of a policy match
         */
        public static AuthConfig create(List<PolicyMatcher> policies, Action policyAction) {
            ImmutableList<PolicyMatcher> snapshot = ImmutableList.copyOf(policies);
            return new AutoValue_GrpcAuthorizationEngine_AuthConfig(snapshot, policyAction);
        }
    }

    /**
     * Result of evaluating one call: the decision and, when a policy matched, that policy's name.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$AuthDecision.class */
    public static abstract class AuthDecision {
        /** Returns whether the call was allowed or denied. */
        public abstract Action decision();

        /**
         * Returns the name of the first policy that matched, or {@code null} when none did.
         * A null name is not by itself a denial; in a deny-list configuration it accompanies ALLOW.
         */
        @Nullable
        public abstract String matchingPolicyName();

        /** Package-private factory used by the engine once a decision has been reached. */
        static AuthDecision create(Action decision, @Nullable String matchingPolicyName) {
            return new AutoValue_GrpcAuthorizationEngine_AuthDecision(decision, matchingPolicyName);
        }
    }

    /**
     * Matches a request header value against a configured {@code Matchers.HeaderMatcher}.
     *
     * <p>The value comes from {@code EvaluateArgs.getHeader}, which may return {@code null};
     * the delegate receives that null unchanged. Header values are supplied by the caller of the
     * RPC, so a header match on its own says nothing about who the peer is.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$AuthHeaderMatcher.class */
    public static abstract class AuthHeaderMatcher implements Matcher {
        /** Returns the header matcher that names the header and decides on its value. */
        public abstract Matchers.HeaderMatcher delegate();

        /** Wraps {@code headerMatcher} so it can take part in RBAC evaluation. */
        public static AuthHeaderMatcher create(Matchers.HeaderMatcher headerMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_AuthHeaderMatcher(headerMatcher);
        }

        /**
         * Looks up the header named by the delegate and lets the delegate decide.
         *
         * @return the delegate's verdict for the (possibly null) header value
         */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            Matchers.HeaderMatcher headerMatcher = delegate();
            String headerValue = evaluateArgs.getHeader(headerMatcher.name());
            return headerMatcher.matches(headerValue);
        }
    }

    /**
     * Matches on the peer's principal names as reported by {@code EvaluateArgs.getPrincipalNames}.
     *
     * <p>Caveat for policy authors: with a null delegate this matcher returns true whenever the
     * principal-name collection is non-null. That collection is non-null for every call that
     * carries a TLS session, including the cases where the lookup falls back to a single empty
     * string (no peer certificate, unverified peer, unparsable certificate). A null delegate
     * therefore means "connection uses TLS", not "client presented a certificate".
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$AuthenticatedMatcher.class */
    public static abstract class AuthenticatedMatcher implements Matcher {
        /** Returns the matcher applied to each principal name, or {@code null} for "any". */
        @Nullable
        public abstract Matchers.StringMatcher delegate();

        /**
         * Creates the matcher.
         *
         * @param stringMatcher matcher for principal names, or {@code null} to accept any TLS peer
         */
        public static AuthenticatedMatcher create(@Nullable Matchers.StringMatcher stringMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_AuthenticatedMatcher(stringMatcher);
        }

        /**
         * Returns true when the call has principal names and, if a delegate is configured, at least
         * one of them satisfies it.
         *
         * @return {@code false} when there are no principal names at all (no TLS session)
         */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            Collection<String> names = evaluateArgs.getPrincipalNames();
            // Principal names are written to the log at FINER; they come from the peer certificate.
            GrpcAuthorizationEngine.log.log(Level.FINER, "Matching principal names: {0}", new Object[]{names});
            if (names == null) {
                return false;
            }
            Matchers.StringMatcher nameMatcher = delegate();
            if (nameMatcher == null) {
                return true;
            }
            for (String name : names) {
                if (nameMatcher.matches(name)) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * Matches the local (destination) IP address of the connection against a CIDR range.
     *
     * <p>{@code EvaluateArgs.getDestinationIp} returns {@code null} when the transport exposes no
     * local address; that null is handed to the delegate as is.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$DestinationIpMatcher.class */
    public static abstract class DestinationIpMatcher implements Matcher {
        /** Returns the CIDR matcher applied to the destination address. */
        public abstract Matchers.CidrMatcher delegate();

        /** Wraps {@code cidrMatcher} as a destination-address matcher. */
        public static DestinationIpMatcher create(Matchers.CidrMatcher cidrMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_DestinationIpMatcher(cidrMatcher);
        }

        /** Returns the delegate's verdict for the call's local address. */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            InetAddress localAddress = evaluateArgs.getDestinationIp();
            return delegate().matches(localAddress);
        }
    }

    /**
     * Matches the local (destination) port of the connection against one exact port number.
     *
     * <p>{@code EvaluateArgs.getDestinationPort} reports {@code -1} when no local address is
     * available, so such calls match only a configured port of {@code -1}.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$DestinationPortMatcher.class */
    public static abstract class DestinationPortMatcher implements Matcher {
        /** Returns the port a call must arrive on. */
        public abstract int port();

        /** Creates a matcher for exactly {@code port}. */
        public static DestinationPortMatcher create(int port) {
            return new AutoValue_GrpcAuthorizationEngine_DestinationPortMatcher(port);
        }

        /** Returns true when the call's local port equals {@link #port()}. */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            int actualPort = evaluateArgs.getDestinationPort();
            return actualPort == port();
        }
    }

    /**
     * Matches the local (destination) port against the half-open range {@code [start, end)}.
     *
     * <p>The upper bound is exclusive: a range meant to cover port N must be configured with
     * {@code end = N + 1}. {@code create} does not validate the bounds.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$DestinationPortRangeMatcher.class */
    public static abstract class DestinationPortRangeMatcher implements Matcher {
        /** Returns the first port in the range (inclusive). */
        public abstract int start();

        /** Returns the port just past the range (exclusive). */
        public abstract int end();

        /** Creates a matcher for ports {@code start} (inclusive) up to {@code end} (exclusive). */
        public static DestinationPortRangeMatcher create(int start, int end) {
            return new AutoValue_GrpcAuthorizationEngine_DestinationPortRangeMatcher(start, end);
        }

        /** Returns true when {@code start() <= port < end()} for the call's local port. */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            int port = evaluateArgs.getDestinationPort();
            if (port < start()) {
                return false;
            }
            return port < end();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$EvaluateArgs.class */
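    /**
     * Read-only view of one incoming call (headers plus transport attributes) that matchers query.
     *
     * <p>The decompiler widened the accessors below from private to public (see the JADX notes);
     * they are kept public here so that existing references keep compiling.
     */
    public static final class EvaluateArgs {
        private final Metadata metadata;
        private final ServerCall<?, ?> serverCall;
        /** subjectAltName GeneralName tag for uniformResourceIdentifier entries. */
        private static final int URI_SAN = 6;
        /** subjectAltName GeneralName tag for dNSName entries. */
        private static final int DNS_SAN = 2;
        // Separator placed between repeated values of one header. The decompiled listing had
        // resolved this literal to org.infinispan.xsite.GlobalXSiteAdminOperations.CACHE_DELIMITER,
        // an unrelated class that happens to hold the same string; authorization code should not
        // take its delimiter from another library's constant.
        private static final String HEADER_VALUE_DELIMITER = ",";

        private EvaluateArgs(Metadata metadata, ServerCall<?, ?> serverCall) {
            this.metadata = metadata;
            this.serverCall = serverCall;
        }

        /**
         * Returns the request path: {@code "/"} followed by the full method name of the call.
         */
        /* JADX INFO: Access modifiers changed from: private */
        public String getPath() {
            return "/" + this.serverCall.getMethodDescriptor().getFullMethodName();
        }

        /**
         * Returns the names that identify the TLS peer.
         *
         * <p>Order of preference: all URI SANs of the leaf certificate, else all DNS SANs, else
         * the subject DN. The result is a singleton holding the empty string when the session has
         * no peer certificate, when the peer is unverified, or when the certificate cannot be
         * parsed; callers cannot tell those cases apart from the return value.
         *
         * @return {@code null} when the call has no TLS session, otherwise a non-empty collection
         */
        /* JADX INFO: Access modifiers changed from: private */
        @Nullable
        public Collection<String> getPrincipalNames() {
            SSLSession sslSession = this.serverCall.getAttributes().get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
            if (sslSession == null) {
                return null;
            }
            try {
                Certificate[] peerCertificates = sslSession.getPeerCertificates();
                if (peerCertificates == null || peerCertificates.length < 1) {
                    return Collections.singleton("");
                }
                // Only the leaf certificate is consulted; the rest of the chain is ignored here.
                X509Certificate leaf = (X509Certificate) peerCertificates[0];
                if (leaf == null) {
                    return Collections.singleton("");
                }
                Collection<List<?>> subjectAlternativeNames = leaf.getSubjectAlternativeNames();
                if (subjectAlternativeNames != null) {
                    List<String> uriNames = sanValuesOfType(subjectAlternativeNames, URI_SAN);
                    if (!uriNames.isEmpty()) {
                        return Collections.unmodifiableCollection(uriNames);
                    }
                    List<String> dnsNames = sanValuesOfType(subjectAlternativeNames, DNS_SAN);
                    if (!dnsNames.isEmpty()) {
                        return Collections.unmodifiableCollection(dnsNames);
                    }
                }
                // getSubjectDN() is kept deliberately: another accessor may format the name
                // differently, which would change what configured policies match.
                if (leaf.getSubjectDN() == null || leaf.getSubjectDN().getName() == null) {
                    return Collections.singleton("");
                }
                return Collections.singleton(leaf.getSubjectDN().getName());
            } catch (CertificateParsingException | SSLPeerUnverifiedException e) {
                GrpcAuthorizationEngine.log.log(Level.FINE, "Unexpected getPrincipalNames error.", e);
                return Collections.singleton("");
            }
        }

        /** Collects the string values of every SAN entry whose type tag equals {@code sanType}. */
        private static List<String> sanValuesOfType(Collection<List<?>> subjectAlternativeNames, int sanType) {
            List<String> values = new ArrayList<>();
            for (List<?> entry : subjectAlternativeNames) {
                // Each entry is [Integer type tag, value].
                if (sanType == ((Integer) entry.get(0)).intValue()) {
                    values.add((String) entry.get(1));
                }
            }
            return values;
        }

        /**
         * Returns the value a header matcher should see for {@code headerName}.
         *
         * <p>The name is lower-cased first. {@code te} is always reported as absent,
         * {@code :authority} and {@code host} both yield the call authority, {@code :path} yields
         * {@link #getPath()}, and {@code :method} is always {@code "POST"}. Any other name is read
         * from the call metadata.
         *
         * @return the header value, or {@code null} when it is absent or hidden
         */
        /* JADX INFO: Access modifiers changed from: private */
        @Nullable
        public String getHeader(String headerName) {
            String lowerCase = headerName.toLowerCase(Locale.ROOT);
            switch (lowerCase) {
                case "te":
                    return null;
                case ":authority":
                case "host":
                    return this.serverCall.getAuthority();
                case ":path":
                    return getPath();
                case ":method":
                    return "POST";
                default:
                    return deserializeHeader(lowerCase);
            }
        }

        /**
         * Reads every value of a metadata header and joins them with commas.
         *
         * <p>Headers whose name carries the binary suffix are base64-encoded without padding before
         * joining. A name that is not a valid metadata key is reported as absent rather than as an
         * error.
         *
         * @return the joined value, or {@code null} when the header is missing or the name invalid
         */
        @Nullable
        private String deserializeHeader(String headerName) {
            try {
                if (headerName.endsWith(Metadata.BINARY_HEADER_SUFFIX)) {
                    Iterable<byte[]> rawValues =
                            this.metadata.getAll(Metadata.Key.of(headerName, Metadata.BINARY_BYTE_MARSHALLER));
                    if (rawValues == null) {
                        return null;
                    }
                    List<String> encodedValues = new ArrayList<>();
                    for (byte[] rawValue : rawValues) {
                        encodedValues.add(BaseEncoding.base64().omitPadding().encode(rawValue));
                    }
                    return Joiner.on(HEADER_VALUE_DELIMITER).join(encodedValues);
                }
                Iterable<String> values =
                        this.metadata.getAll(Metadata.Key.of(headerName, Metadata.ASCII_STRING_MARSHALLER));
                if (values == null) {
                    return null;
                }
                return Joiner.on(HEADER_VALUE_DELIMITER).join(values);
            } catch (IllegalArgumentException ignored) {
                // The configured header name could not be turned into a metadata key; treat the
                // header as absent so the matcher sees null.
                return null;
            }
        }

        /**
         * Returns the local address of the connection, or {@code null} when the transport exposes
         * none. The cast throws ClassCastException when the address is not an InetSocketAddress.
         */
        /* JADX INFO: Access modifiers changed from: private */
        @Nullable
        public InetAddress getDestinationIp() {
            SocketAddress localAddress = this.serverCall.getAttributes().get(Grpc.TRANSPORT_ATTR_LOCAL_ADDR);
            if (localAddress == null) {
                return null;
            }
            return ((InetSocketAddress) localAddress).getAddress();
        }

        /**
         * Returns the remote address of the connection, or {@code null} when the transport exposes
         * none. The cast throws ClassCastException when the address is not an InetSocketAddress.
         */
        /* JADX INFO: Access modifiers changed from: private */
        @Nullable
        public InetAddress getSourceIp() {
            SocketAddress remoteAddress = this.serverCall.getAttributes().get(Grpc.TRANSPORT_ATTR_REMOTE_ADDR);
            if (remoteAddress == null) {
                return null;
            }
            return ((InetSocketAddress) remoteAddress).getAddress();
        }

        /**
         * Returns the local port of the connection, or {@code -1} when the transport exposes no
         * local address.
         */
        /* JADX INFO: Access modifiers changed from: private */
        public int getDestinationPort() {
            SocketAddress localAddress = this.serverCall.getAttributes().get(Grpc.TRANSPORT_ATTR_LOCAL_ADDR);
            if (localAddress == null) {
                return -1;
            }
            return ((InetSocketAddress) localAddress).getPort();
        }

        /**
         * Always returns the empty string: this build does not surface the TLS server name, so
         * server-name rules are evaluated against {@code ""}.
         */
        /* JADX INFO: Access modifiers changed from: private */
        public String getRequestedServerName() {
            return "";
        }
    }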

    /**
     * Logical negation of another matcher.
     *
     * <p>Negation also flips "could not tell" results: a wrapped matcher that returns false
     * because the data it needs is missing (for example no TLS session) becomes a match here.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$InvertMatcher.class */
    public static abstract class InvertMatcher implements Matcher {
        /** Returns the matcher whose verdict is negated. */
        public abstract Matcher toInvertMatcher();

        /** Wraps {@code matcher} so that its verdict is inverted. */
        public static InvertMatcher create(Matcher matcher) {
            return new AutoValue_GrpcAuthorizationEngine_InvertMatcher(matcher);
        }

        /** Returns true exactly when the wrapped matcher returns false. */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            boolean innerVerdict = toInvertMatcher().matches(evaluateArgs);
            return !innerVerdict;
        }
    }

    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$Matcher.class */
    /**
     * A single RBAC predicate over one incoming call.
     *
     * <p>Implementations in this file are immutable value classes and only read from the
     * supplied arguments.
     */
    public interface Matcher {
        /**
         * Decides whether the call described by {@code evaluateArgs} satisfies this predicate.
         *
         * @param evaluateArgs view of the call's headers and transport attributes
         * @return {@code true} when the call satisfies the predicate
         */
        boolean matches(EvaluateArgs evaluateArgs);
    }

    /**
     * Disjunction of matchers: accepts a request when at least one child accepts it.
     *
     * <p>An empty child list accepts nothing, so a policy whose permissions or principals are an
     * empty disjunction can never match.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$OrMatcher.class */
    public static abstract class OrMatcher implements Matcher {
        /** Returns the children of which one must accept the request. */
        public abstract ImmutableList<? extends Matcher> anyMatch();

        /**
         * Builds a disjunction from a list of matchers.
         *
         * @param matchers children to combine; neither the list nor any element may be null
         * @return a matcher holding an immutable copy of {@code matchers}
         * @throws NullPointerException if the list or any element is null
         */
        public static OrMatcher create(List<? extends Matcher> matchers) {
            Preconditions.checkNotNull(matchers, "matchers");
            for (Matcher child : matchers) {
                Preconditions.checkNotNull(child, "matcher");
            }
            return new AutoValue_GrpcAuthorizationEngine_OrMatcher(ImmutableList.copyOf(matchers));
        }

        /** Varargs convenience form of {@link #create(List)}. */
        public static OrMatcher create(Matcher... matchers) {
            return create(Arrays.asList(matchers));
        }

        /**
         * Evaluates the children in order and stops at the first one that accepts.
         *
         * @return {@code true} when some child accepts the request
         */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            for (Matcher child : anyMatch()) {
                if (child.matches(evaluateArgs)) {
                    return true;
                }
            }
            return false;
        }
    }

    /**
     * Matches the request path, which {@code EvaluateArgs.getPath} builds as {@code "/"} plus the
     * full method name of the call.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$PathMatcher.class */
    public static abstract class PathMatcher implements Matcher {
        /** Returns the string matcher applied to the request path. */
        public abstract Matchers.StringMatcher delegate();

        /** Wraps {@code stringMatcher} as a path matcher. */
        public static PathMatcher create(Matchers.StringMatcher stringMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_PathMatcher(stringMatcher);
        }

        /** Returns the delegate's verdict for the call's path. */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            String requestPath = evaluateArgs.getPath();
            return delegate().matches(requestPath);
        }
    }

    /**
     * One named RBAC policy: a call matches when it satisfies both the permissions (what is being
     * done) and the principals (who is doing it).
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$PolicyMatcher.class */
    public static abstract class PolicyMatcher implements Matcher {
        /** Returns the policy name reported in the decision when this policy matches. */
        public abstract String name();

        /** Returns the permission alternatives; one of them must match. */
        public abstract OrMatcher permissions();

        /** Returns the principal alternatives; one of them must match. */
        public abstract OrMatcher principals();

        /**
         * Creates a policy.
         *
         * @param policyName name reported when the policy matches
         * @param permissions permission alternatives
         * @param principals principal alternatives
         */
        public static PolicyMatcher create(String policyName, OrMatcher permissions, OrMatcher principals) {
            return new AutoValue_GrpcAuthorizationEngine_PolicyMatcher(policyName, permissions, principals);
        }

        /**
         * Checks permissions first and consults principals only when the permissions matched.
         *
         * @return {@code true} when both sides match
         */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            if (!permissions().matches(evaluateArgs)) {
                return false;
            }
            return principals().matches(evaluateArgs);
        }
    }

    /**
     * Matches the server name requested by the client.
     *
     * <p>Caveat: in this file {@code EvaluateArgs.getRequestedServerName} always returns the
     * empty string, so the delegate is evaluated against {@code ""} for every call. A rule that
     * expects a concrete server name will not match, and one that accepts the empty string will
     * match all calls.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$RequestedServerNameMatcher.class */
    public static abstract class RequestedServerNameMatcher implements Matcher {
        /** Returns the string matcher applied to the requested server name. */
        public abstract Matchers.StringMatcher delegate();

        /** Wraps {@code stringMatcher} as a requested-server-name matcher. */
        public static RequestedServerNameMatcher create(Matchers.StringMatcher stringMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_RequestedServerNameMatcher(stringMatcher);
        }

        /** Returns the delegate's verdict for the requested server name. */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            String serverName = evaluateArgs.getRequestedServerName();
            return delegate().matches(serverName);
        }
    }

    /**
     * Matches the remote (source) IP address of the connection against a CIDR range.
     *
     * <p>The address is the transport's remote address attribute, not a value taken from
     * headers. {@code EvaluateArgs.getSourceIp} returns {@code null} when the transport exposes no
     * remote address; that null is handed to the delegate as is.
     * NOTE(review): if a proxy or load balancer terminates connections in front of this server,
     * the address seen here is presumably the proxy's; confirm against the deployment.
     */
    @AutoValue
    /* loaded from: input_file:META-INF/bundled-dependencies/grpc-xds-1.56.1.jar:io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine$SourceIpMatcher.class */
    public static abstract class SourceIpMatcher implements Matcher {
        /** Returns the CIDR matcher applied to the source address. */
        public abstract Matchers.CidrMatcher delegate();

        /** Wraps {@code cidrMatcher} as a source-address matcher. */
        public static SourceIpMatcher create(Matchers.CidrMatcher cidrMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_SourceIpMatcher(cidrMatcher);
        }

        /** Returns the delegate's verdict for the call's remote address. */
        @Override
        public boolean matches(EvaluateArgs evaluateArgs) {
            InetAddress remoteAddress = evaluateArgs.getSourceIp();
            return delegate().matches(remoteAddress);
        }
    }

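    /**
     * Creates an engine that evaluates calls against {@code authConfig}.
     *
     * @param authConfig policies and their action; must not be null
     * @throws NullPointerException if {@code authConfig} is null
     */
    public GrpcAuthorizationEngine(AuthConfig authConfig) {
        // Fail at construction: a null configuration would otherwise surface as a
        // NullPointerException on the first call being authorized.
        this.authConfig = Preconditions.checkNotNull(authConfig, "authConfig");
    }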

    /**
     * Evaluates one call against the configured policies and returns the decision.
     *
     * <p>Policies are tried in order and the first match wins. With an ALLOW configuration a
     * match allows the call and no match denies it. With a DENY configuration a match denies the
     * call and no match allows it, so under DENY any matcher that returns false because the data
     * it needs is unavailable leaves the call allowed.
     *
     * @param metadata request headers of the call; must not be null
     * @param serverCall the call being authorized; must not be null
     * @return the decision together with the first matching policy's name, or a null name
     * @throws NullPointerException if either argument is null
     */
    public AuthDecision evaluate(Metadata metadata, ServerCall<?, ?> serverCall) {
        Preconditions.checkNotNull(metadata, "metadata");
        Preconditions.checkNotNull(serverCall, "serverCall");
        EvaluateArgs callView = new EvaluateArgs(metadata, serverCall);
        String matchedPolicyName = null;
        for (PolicyMatcher policy : this.authConfig.policies()) {
            if (policy.matches(callView)) {
                matchedPolicyName = policy.name();
                break;
            }
        }
        boolean denyListMode = Action.DENY.equals(this.authConfig.action());
        boolean policyMatched = matchedPolicyName != null;
        // Allowed when exactly one holds: deny-list with no match, or allow-list with a match.
        Action decision = (denyListMode != policyMatched) ? Action.ALLOW : Action.DENY;
        return AuthDecision.create(decision, matchedPolicyName);
    }
}
