package com.yahoo.athenz.instance.provider.impl;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.common.server.util.config.ConfigManagerSingleton;
import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigCsv;
import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigLong;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import com.yahoo.athenz.instance.provider.ResourceException;
import com.yahoo.rdl.JSON;
import com.yahoo.rdl.Timestamp;
import java.math.BigDecimal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/InstanceGCPProvider.class */
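/**
 * ZTS instance provider for GCP workloads.
 *
 * <p>The attestation data carried in an {@link InstanceConfirmation} is a GCP identity token;
 * this provider verifies the token (via {@link InstanceGCPUtils}), then checks that the project,
 * region, instance id, boot time, instance-name SAN URI and service name the caller asks for
 * match what the token attests. Every check fails closed with a {@link ResourceException}
 * (FORBIDDEN unless stated otherwise).
 *
 * <p>Configuration is read from system properties in {@link #initialize}; the boot-time offset
 * and GKE cluster names are dynamic configs and are re-read on every use.
 */
public class InstanceGCPProvider implements InstanceProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(InstanceGCPProvider.class);
    static final String GCP_PROP_GKE_DNS_SUFFIX = "athenz.zts.gcp_gke_dns_suffix";
    static final String GCP_PROP_BOOT_TIME_OFFSET = "athenz.zts.gcp_boot_time_offset";
    static final String GCP_PROP_DNS_SUFFIX = "athenz.zts.gcp_dns_suffix";
    static final String GCP_PROP_REGION_NAME = "athenz.zts.gcp_region_name";
    static final String GCP_PROP_CERT_VALIDITY = "athenz.zts.gcp_cert_validity";
    // Separator used both for SSH principal lists and for comma-separated property values.
    static final String GCP_SSH_CERT_PRINCIPAL_SEPARATOR = ",";
    static final String GCP_PROP_GKE_CLUSTER_NAMES = "athenz.zts.gcp_gke_cluster_names";
    // Scheme prefix of the instance-name SAN URI this provider knows how to verify.
    private static final String INSTANCE_NAME_URI_PREFIX = "athenz://instancename/";

    // Maximum age (seconds) of an instance for a first-time confirmation; <= 0 disables the check.
    DynamicConfigLong bootTimeOffsetSeconds;
    // Certificate validity handed back to ZTS, in minutes.
    long certValidityTime;
    // Read from GCP_PROP_REGION_NAME; not consulted by any method in this class.
    String gcpRegion;
    DynamicConfigCsv gkeClusterNames;
    // When false, a refresh without attestation data is reported as NOT_FOUND instead of FORBIDDEN.
    boolean supportRefresh = false;
    // DNS suffixes allowed in the certificate request SAN dNSNames.
    Set<String> dnsSuffixes = null;
    List<String> gkeDnsSuffixes = null;
    InstanceGCPUtils gcpUtils = null;

    /**
     * Returns the configured boot-time offset converted to milliseconds.
     *
     * @return offset in milliseconds; zero or negative disables the boot-time check
     */
    public long getTimeOffsetInMilli() {
        return this.bootTimeOffsetSeconds.get() * 1000L;
    }

    @Override
    public InstanceProvider.Scheme getProviderScheme() {
        return InstanceProvider.Scheme.HTTP;
    }

    /**
     * Loads provider configuration from system properties and creates the helper objects.
     *
     * <p>If {@code athenz.zts.gcp_dns_suffix} is missing the suffix set stays empty, which
     * (through the SAN dNSName validation) means no instance request can be authorized.
     *
     * @param provider         provider name (unused)
     * @param providerEndpoint provider endpoint (unused)
     * @param sslContext       ssl context (unused)
     * @param keyStore         key store (unused)
     * @throws NumberFormatException if {@code athenz.zts.gcp_cert_validity} is not an integer
     */
    @Override
    public void initialize(String provider, String providerEndpoint, SSLContext sslContext, KeyStore keyStore) {
        this.gcpUtils = new InstanceGCPUtils();
        this.bootTimeOffsetSeconds = new DynamicConfigLong(ConfigManagerSingleton.CONFIG_MANAGER,
                GCP_PROP_BOOT_TIME_OFFSET, Long.valueOf(TimeUnit.SECONDS.convert(5L, TimeUnit.MINUTES)));

        this.dnsSuffixes = new HashSet<>();
        String dnsSuffixProperty = System.getProperty(GCP_PROP_DNS_SUFFIX);
        if (StringUtil.isEmpty(dnsSuffixProperty)) {
            LOGGER.error("GCP DNS Suffix not specified - no instance requests will be authorized");
        } else {
            this.dnsSuffixes.addAll(Arrays.asList(dnsSuffixProperty.split(GCP_SSH_CERT_PRINCIPAL_SEPARATOR)));
        }
        this.gkeDnsSuffixes = InstanceUtils.processK8SDnsSuffixList(GCP_PROP_GKE_DNS_SUFFIX);

        // Property is in days (default 7); ZTS expects minutes.
        this.certValidityTime = TimeUnit.MINUTES.convert(
                Integer.parseInt(System.getProperty(GCP_PROP_CERT_VALIDITY, "7")), TimeUnit.DAYS);
        this.gcpRegion = System.getProperty(GCP_PROP_REGION_NAME);
        this.gkeClusterNames = new DynamicConfigCsv(ConfigManagerSingleton.CONFIG_MANAGER,
                GCP_PROP_GKE_CLUSTER_NAMES, (String) null);
    }

    /**
     * Logs {@code message} and builds a FORBIDDEN {@link ResourceException} for the caller to throw.
     *
     * @param message error text; it is logged and also returned to the client
     * @return the exception (not thrown here)
     */
    public ResourceException error(String message) {
        return error(ResourceException.FORBIDDEN, message);
    }

    /**
     * Logs {@code message} and builds a {@link ResourceException} with the given status code.
     *
     * @param code    HTTP status code for the exception
     * @param message error text; it is logged and also returned to the client
     * @return the exception (not thrown here)
     */
    public ResourceException error(int code, String message) {
        LOGGER.error(message);
        return new ResourceException(code, message);
    }

    protected Set<String> getDnsSuffixes() {
        return this.dnsSuffixes;
    }

    /**
     * Checks that the project the caller claims matches the project attested by the token.
     *
     * @param requestedProject project id from the request attributes
     * @param attestedProject  project id derived from the identity token
     * @param errMsg           receives a description of the mismatch
     * @return true when both values match (case-insensitive)
     */
    boolean validateGCPProject(String requestedProject, String attestedProject, StringBuilder errMsg) {
        if (requestedProject.equalsIgnoreCase(attestedProject)) {
            return true;
        }
        LOGGER.error("ZTS GCP Domain Lookup project id: {}", requestedProject);
        errMsg.append("mismatch between project values - instance identity value= ").append(attestedProject);
        return false;
    }

    /**
     * Checks that the provider name ends with {@code "." + expectedSuffix} (the attested region).
     *
     * @param provider       provider name from the confirmation
     * @param expectedSuffix region derived from the attested zone
     * @param errMsg         receives a description of the mismatch
     * @return true when the suffix matches
     */
    boolean validateGCPProvider(String provider, String expectedSuffix, StringBuilder errMsg) {
        if (provider.endsWith("." + expectedSuffix)) {
            return true;
        }
        errMsg.append("provider ").append(provider)
                .append(" does not end with expected suffix ").append(expectedSuffix);
        return false;
    }

    /**
     * Checks that the instance id in the request matches the one attested by the token.
     *
     * @param requestedId instance id from the request
     * @param attestedId  instance id from the identity token
     * @param errMsg      receives a description of the mismatch
     * @return true when both values match (case-insensitive)
     */
    boolean validateGCPInstanceId(String requestedId, String attestedId, StringBuilder errMsg) {
        if (requestedId.equalsIgnoreCase(attestedId)) {
            return true;
        }
        errMsg.append("mismatch between instance-id values: request= ").append(requestedId)
                .append(" vs. attested= ").append(attestedId);
        return false;
    }

    /**
     * Verifies the identity token and cross-checks its claims against the request.
     *
     * <p>Order of checks: token signature/claims, project id, then — only when the token carries
     * compute-instance data — region (via the provider suffix), instance id and optionally boot
     * time. A token without additional attestation data passes after the project check.
     *
     * @param provider        provider name from the confirmation
     * @param attestationData parsed attestation data holding the identity token
     * @param derivedData     populated from the verified token as a side effect
     * @param gcpProject      project id the request claims
     * @param instanceId      instance id the request claims
     * @param checkBootTime   true to also enforce the boot-time offset (register only)
     * @param errMsg          receives the reason for a failed check
     * @return true when every applicable check passes
     */
    protected boolean validateIdentityToken(String provider, GCPAttestationData attestationData,
            GCPDerivedAttestationData derivedData, String gcpProject, String instanceId,
            boolean checkBootTime, StringBuilder errMsg) {
        GoogleIdToken.Payload payload =
                this.gcpUtils.validateGCPIdentityToken(attestationData.getIdentityToken(), errMsg);
        if (payload == null) {
            return false;
        }
        this.gcpUtils.populateAttestationData(payload, derivedData);
        if (!validateGCPProject(gcpProject, this.gcpUtils.getProjectIdFromAttestedData(derivedData), errMsg)) {
            return false;
        }
        GCPAdditionalAttestationData additional = derivedData.getAdditionalAttestationData();
        if (additional == null) {
            // No compute-instance claims to compare; the service-name check still runs in the caller.
            return true;
        }
        if (!validateGCPProvider(provider, this.gcpUtils.getGCPRegionFromZone(additional.getZone()), errMsg)) {
            return false;
        }
        if (!validateGCPInstanceId(instanceId, additional.getInstanceId(), errMsg)) {
            return false;
        }
        return !checkBootTime || validateInstanceBootTime(additional.getInstanceCreationTimestamp(), errMsg);
    }

    /**
     * Rejects instances that were created longer ago than the configured boot-time offset.
     *
     * @param creationTimestamp instance creation time in seconds since the epoch; may be null
     * @param errMsg            receives the reason for a failed check
     * @return true when the check is disabled (offset <= 0) or the instance is recent enough
     */
    boolean validateInstanceBootTime(BigDecimal creationTimestamp, StringBuilder errMsg) {
        // Read the dynamic config once so both the enable check and the comparison use the same value.
        long offsetMillis = getTimeOffsetInMilli();
        if (offsetMillis <= 0) {
            return true;
        }
        // A missing timestamp cannot satisfy the recency requirement; fail closed instead of NPE.
        if (creationTimestamp == null) {
            errMsg.append("Instance boot time not present in attestation data");
            return false;
        }
        Timestamp bootTime = Timestamp.fromMillis(creationTimestamp.longValue() * 1000);
        if (bootTime.millis() >= System.currentTimeMillis() - offsetMillis) {
            return true;
        }
        errMsg.append("Instance boot time is not recent enough: ").append(bootTime);
        return false;
    }

    /**
     * Parses the JSON attestation data, rejecting input that does not parse.
     *
     * @param attestationData JSON document from the confirmation
     * @return the parsed object, never null
     * @throws ResourceException FORBIDDEN when the document cannot be parsed
     */
    private GCPAttestationData parseAttestationData(String attestationData) {
        GCPAttestationData parsed = JSON.fromString(attestationData, GCPAttestationData.class);
        if (parsed == null) {
            throw error("Unable to parse attestation data");
        }
        return parsed;
    }

    /**
     * Handles the initial instance registration.
     *
     * <p>The instance id used for the token cross-check is the one extracted from the
     * certificate request SAN dNSNames, and the boot-time check is enforced.
     *
     * @param instanceConfirmation request from ZTS; its attributes are replaced on success
     * @return the same confirmation with the attributes set by {@link #setConfirmationAttributes}
     * @throws ResourceException when any validation step fails
     */
    @Override
    public InstanceConfirmation confirmInstance(InstanceConfirmation instanceConfirmation) {
        GCPAttestationData attestationData = parseAttestationData(instanceConfirmation.getAttestationData());
        GCPDerivedAttestationData derivedData = new GCPDerivedAttestationData();
        StringBuilder errMsg = new StringBuilder(256);
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        String domain = instanceConfirmation.getDomain();
        String service = instanceConfirmation.getService();

        String gcpProject = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_GCP_PROJECT);
        if (StringUtil.isEmpty(gcpProject)) {
            throw error("Unable to find GCP Project id");
        }

        // The SAN dNSName validation also yields the instance id encoded in the hostnames.
        StringBuilder instanceId = new StringBuilder(256);
        if (!InstanceUtils.validateCertRequestSanDnsNames(attributes, domain, service, getDnsSuffixes(),
                this.gkeDnsSuffixes, this.gkeClusterNames.getStringsList(), true, instanceId)) {
            throw error("Unable to validate certificate request hostnames");
        }

        validateAttestationData(instanceConfirmation, attestationData, derivedData, gcpProject,
                instanceId.toString(), true, errMsg);
        validateInstanceNameUri(derivedData.getAdditionalAttestationData(), attributes);
        validateAthenzService(derivedData, service, gcpProject);
        setConfirmationAttributes(instanceConfirmation, derivedData.getAdditionalAttestationData());
        return instanceConfirmation;
    }

    /**
     * Handles a certificate refresh for an already registered instance.
     *
     * <p>The instance id comes from the request attributes and the boot-time check is skipped.
     *
     * @param instanceConfirmation request from ZTS; its attributes are replaced on success
     * @return the same confirmation with the attributes set by {@link #setConfirmationAttributes}
     * @throws ResourceException when any validation step fails; NOT_FOUND (or FORBIDDEN when
     *         {@code supportRefresh} is true) if no attestation data is present
     */
    @Override
    public InstanceConfirmation refreshInstance(InstanceConfirmation instanceConfirmation) {
        String rawAttestationData = instanceConfirmation.getAttestationData();
        if (rawAttestationData == null || rawAttestationData.isEmpty()) {
            int code = this.supportRefresh ? ResourceException.FORBIDDEN : ResourceException.NOT_FOUND;
            throw error(code, "No attestation data provided during refresh");
        }
        GCPAttestationData attestationData = parseAttestationData(rawAttestationData);
        GCPDerivedAttestationData derivedData = new GCPDerivedAttestationData();
        StringBuilder errMsg = new StringBuilder(256);
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        String service = instanceConfirmation.getService();

        String gcpProject = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_GCP_PROJECT);
        if (StringUtil.isEmpty(gcpProject)) {
            throw error("Unable to find GCP Project id");
        }
        String instanceId = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_ID);
        if (instanceId == null) {
            throw error("Unable to extract Instance Id");
        }

        validateAttestationData(instanceConfirmation, attestationData, derivedData, gcpProject,
                instanceId, false, errMsg);
        validateInstanceNameUri(derivedData.getAdditionalAttestationData(), attributes);
        validateAthenzService(derivedData, service, gcpProject);
        setConfirmationAttributes(instanceConfirmation, derivedData.getAdditionalAttestationData());
        return instanceConfirmation;
    }

    /**
     * Runs {@link #validateIdentityToken} and converts a failure into a FORBIDDEN exception
     * carrying the accumulated reason.
     */
    private void validateAttestationData(InstanceConfirmation instanceConfirmation,
            GCPAttestationData attestationData, GCPDerivedAttestationData derivedData,
            String gcpProject, String instanceId, boolean checkBootTime, StringBuilder errMsg) {
        if (!validateIdentityToken(instanceConfirmation.getProvider(), attestationData, derivedData,
                gcpProject, instanceId, checkBootTime, errMsg)) {
            throw error("Unable to validate instance identity token: " + errMsg);
        }
    }

    /**
     * Verifies every {@code athenz://instancename/...} SAN URI in the request against the
     * attested project id and instance name. Other URI schemes are ignored.
     *
     * @param additional attested compute-instance data; when null no instance-name URI can match
     * @param attributes request attributes holding the comma-separated SAN URI list
     * @throws ResourceException FORBIDDEN on the first mismatching instance-name URI
     */
    void validateInstanceNameUri(GCPAdditionalAttestationData additional, Map<String, String> attributes) {
        String sanUris = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_SAN_URI);
        if (StringUtil.isEmpty(sanUris)) {
            return;
        }
        String expectedUri = additional == null ? null
                : INSTANCE_NAME_URI_PREFIX + additional.getProjectId() + "/" + additional.getInstanceName();
        for (String uri : sanUris.split(GCP_SSH_CERT_PRINCIPAL_SEPARATOR)) {
            if (uri.startsWith(INSTANCE_NAME_URI_PREFIX) && !uri.equals(expectedUri)) {
                throw error("Instance name URI mismatch: " + uri + " vs. " + expectedUri);
            }
        }
    }

    /**
     * Checks that {@code <project>.<service>} equals the service name attested by the token.
     *
     * @throws ResourceException FORBIDDEN on mismatch
     */
    private void validateAthenzService(GCPDerivedAttestationData derivedData, String service, String gcpProject) {
        String requested = gcpProject + "." + service;
        String attested = this.gcpUtils.getServiceNameFromAttestedData(derivedData);
        if (!requested.equals(attested)) {
            throw error("Service name mismatch: attested=" + attested + " vs. requested=" + requested);
        }
    }

    /**
     * Replaces the confirmation attributes with the certificate validity, whether an SSH
     * certificate may be issued, and — for compute instances — the attested SSH principals.
     *
     * @param instanceConfirmation confirmation whose attributes are overwritten
     * @param additional           attested compute-instance data; null means no SSH certificate
     */
    protected void setConfirmationAttributes(InstanceConfirmation instanceConfirmation,
            GCPAdditionalAttestationData additional) {
        Map<String, String> attrs = new HashMap<>();
        attrs.put(InstanceProvider.ZTS_CERT_EXPIRY_TIME, Long.toString(this.certValidityTime));
        attrs.put(InstanceProvider.ZTS_CERT_SSH, Boolean.toString(additional != null));
        if (additional != null) {
            // Principals: instance name, "compute.<id>", and the internal DNS name of the instance.
            String principals = String.join(GCP_SSH_CERT_PRINCIPAL_SEPARATOR,
                    additional.getInstanceName(),
                    "compute." + additional.getInstanceId(),
                    String.format("%s.c.%s.internal", additional.getInstanceName(), additional.getProjectId()));
            attrs.put(InstanceProvider.ZTS_ATTESTED_SSH_CERT_PRINCIPALS, principals);
        }
        instanceConfirmation.setAttributes(attrs);
    }
}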
