package com.yahoo.athenz.instance.provider.impl;

import com.yahoo.athenz.auth.Authorizer;
import com.yahoo.athenz.auth.impl.SimplePrincipal;
import com.yahoo.athenz.common.server.util.config.ConfigManagerSingleton;
import com.yahoo.athenz.common.server.util.config.dynamic.DynamicConfigCsv;
import com.yahoo.athenz.instance.provider.AttrValidator;
import com.yahoo.athenz.instance.provider.AttrValidatorFactory;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import java.lang.invoke.MethodHandles;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/DefaultGCPGoogleKubernetesEngineValidator.class */
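/**
 * Kubernetes distribution validator for Google Kubernetes Engine (GKE).
 *
 * For an instance confirmation it checks that
 * <ul>
 *   <li>the OIDC issuer in the ID token belongs to the GCP project recorded
 *       for the requesting domain (or, if one is configured, that a pluggable
 *       {@link AttrValidator} accepts the otherwise unattested issuer),</li>
 *   <li>the domain/service is authorized for the {@code launch} action on
 *       the {@code domain:service:project} resource, and</li>
 *   <li>the certificate request's SAN DNS names match the configured
 *       GCP/GKE DNS suffixes and GKE cluster names.</li>
 * </ul>
 *
 * Singleton; obtain it via {@link #getInstance()} and call
 * {@link #initialize(SSLContext, Authorizer)} before use. All configuration
 * is read from system properties in {@code initialize}.
 */
public class DefaultGCPGoogleKubernetesEngineValidator extends CommonKubernetesDistributionValidator {

    /** Allowed DNS suffixes for GCP hosts, from {@code athenz.zts.gcp_dns_suffix} (comma-separated). */
    Set<String> gcpDNSSuffixes = new HashSet<>();
    /** Allowed DNS suffixes for GKE hosts, from {@code athenz.zts.gcp_gke_dns_suffix}. */
    List<String> gkeDnsSuffixes;
    /** Dynamically reloaded allow-list of GKE cluster names, from {@code athenz.zts.gcp_gke_cluster_names}. */
    DynamicConfigCsv gkeClusterNames;
    /** Issuer URL prefix of GKE clusters; the GCP project id is the path segment that follows it. */
    static final String GCP_OIDC_ISSUER_PREFIX = "https://container.googleapis.com/v1/projects/";
    /** Optional validator for issuers outside the domain's GCP project; {@code null} when not configured. */
    AttrValidator attrValidator;
    /** System property naming the {@link AttrValidatorFactory} implementation class to load. */
    static final String ZTS_PROP_K8S_PROVIDER_GCP_ATTR_VALIDATOR_FACTORY_CLASS = "athenz.zts.k8s_provider_gcp_attr_validator_factory_class";
    private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
    private static final DefaultGCPGoogleKubernetesEngineValidator INSTANCE = new DefaultGCPGoogleKubernetesEngineValidator();

    /** Returns the process-wide singleton instance. */
    public static DefaultGCPGoogleKubernetesEngineValidator getInstance() {
        return INSTANCE;
    }

    private DefaultGCPGoogleKubernetesEngineValidator() {
    }

    /**
     * Instantiates the attribute validator named by the
     * {@code athenz.zts.k8s_provider_gcp_attr_validator_factory_class} system
     * property via its public no-arg constructor.
     *
     * The class name comes from local server configuration, not from request
     * input, so reflective loading here is acceptable; the resulting validator
     * is nevertheless trusted to make admission decisions, so only deploy
     * factory classes you control.
     *
     * @param sSLContext SSL context handed to the factory's {@code create}
     * @return the created validator, or {@code null} if the property is unset
     * @throws IllegalArgumentException if the class cannot be loaded,
     *         instantiated or cast; the underlying exception is kept as cause
     */
    static AttrValidator newAttrValidator(SSLContext sSLContext) {
        String factoryClassName = System.getProperty(ZTS_PROP_K8S_PROVIDER_GCP_ATTR_VALIDATOR_FACTORY_CLASS);
        LOGGER.info("GCP K8S AttributeValidatorFactory class: {}", factoryClassName);
        if (factoryClassName == null) {
            return null;
        }
        try {
            AttrValidatorFactory factory = (AttrValidatorFactory) Class.forName(factoryClassName)
                    .getConstructor()
                    .newInstance();
            return factory.create(sSLContext);
        } catch (Exception e) {
            LOGGER.error("Invalid AttributeValidatorFactory class: {}", factoryClassName, e);
            // keep the cause so operators see the real loading/cast failure
            throw new IllegalArgumentException("Invalid AttributeValidatorFactory class", e);
        }
    }

    /**
     * Loads the GCP/GKE DNS suffix lists, the dynamic cluster-name allow-list
     * and the optional attribute validator from system properties, after the
     * common initialization in the superclass.
     *
     * @param sSLContext SSL context passed through to the superclass and to
     *                   the attribute validator factory
     * @param authorizer authorizer used for the launch access check
     */
    @Override // com.yahoo.athenz.instance.provider.impl.CommonKubernetesDistributionValidator, com.yahoo.athenz.instance.provider.KubernetesDistributionValidator
    public void initialize(SSLContext sSLContext, Authorizer authorizer) {
        super.initialize(sSLContext, authorizer);
        String gcpSuffixList = System.getProperty("athenz.zts.gcp_dns_suffix");
        if (!StringUtil.isEmpty(gcpSuffixList)) {
            this.gcpDNSSuffixes.addAll(Arrays.asList(gcpSuffixList.split(",")));
        }
        this.gkeDnsSuffixes = InstanceUtils.processK8SDnsSuffixList("athenz.zts.gcp_gke_dns_suffix");
        this.gkeClusterNames = new DynamicConfigCsv(ConfigManagerSingleton.CONFIG_MANAGER, "athenz.zts.gcp_gke_cluster_names", (String) null);
        this.attrValidator = newAttrValidator(sSLContext);
    }

    /**
     * Validates the ID token's issuer against the GCP project associated with
     * the requesting domain, then checks launch authorization.
     *
     * The issuer must start with {@link #GCP_OIDC_ISSUER_PREFIX} followed by the
     * project id as a complete path segment. If it does not, and an
     * {@link #attrValidator} is configured, the issuer is recorded as
     * {@code ZTS_INSTANCE_UNATTESTED_ISSUER} and the validator decides; without
     * a validator the confirmation is rejected. Finally the caller must have
     * {@code launch} access on {@code domain:service:issuerProject}.
     *
     * @param instanceConfirmation confirmation whose attributes are read and,
     *        on success, updated with the attested (or unattested) issuer data
     * @param idTokenAttestationData attestation data carrying the ID token
     * @param sb receives a human-readable failure reason on rejection
     * @return the issuer string on success, {@code null} on rejection
     */
    @Override // com.yahoo.athenz.instance.provider.KubernetesDistributionValidator
    public String validateIssuer(InstanceConfirmation instanceConfirmation, IdTokenAttestationData idTokenAttestationData, StringBuilder sb) {
        String issuer = getIssuerFromToken(idTokenAttestationData, sb);
        if (StringUtil.isEmpty(issuer)) {
            return null;
        }
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        String gcpProject = attributes.get(InstanceProvider.ZTS_INSTANCE_GCP_PROJECT);

        // The project id is one path segment of the issuer URL
        // (.../projects/<project>/...). Require the segment delimiter after it
        // so that project "foo" does not accept an issuer belonging to project
        // "foobar", and treat a missing project as "not attested" rather than
        // matching the literal text "null". A GKE issuer is expected to
        // continue with /locations/... after the project — confirm against the
        // token format if an exact ".../projects/<project>" issuer must be accepted.
        boolean issuerInDomainProject = !StringUtil.isEmpty(gcpProject)
                && issuer.startsWith(GCP_OIDC_ISSUER_PREFIX + gcpProject + "/");

        if (issuerInDomainProject) {
            attributes.put(InstanceProvider.ZTS_INSTANCE_ISSUER_GCP_PROJECT, gcpProject);
        } else {
            if (this.attrValidator == null) {
                sb.append("Issuer is not present in the GCP project associated with the domain");
                return null;
            }
            // Hand the unverified issuer to the pluggable validator; it is
            // responsible for deciding whether to trust it.
            attributes.put(InstanceProvider.ZTS_INSTANCE_UNATTESTED_ISSUER, issuer);
            if (!this.attrValidator.confirm(instanceConfirmation)) {
                return null;
            }
        }

        String domain = instanceConfirmation.getDomain();
        String service = instanceConfirmation.getService();
        // NOTE(review): on the attrValidator path this relies on the validator
        // having populated ZTS_INSTANCE_ISSUER_GCP_PROJECT; if it did not, the
        // resource ends in ":null" and authorization is checked against that.
        String issuerProject = attributes.get(InstanceProvider.ZTS_INSTANCE_ISSUER_GCP_PROJECT);
        String resource = String.format("%s:%s:%s", domain, service, issuerProject);
        SimplePrincipal principal = SimplePrincipal.create(domain, service, (String) null);
        if (this.authorizer.access("launch", resource, principal, (String) null)) {
            return issuer;
        }
        sb.append("gke launch authorization check failed for action: ").append("launch")
                .append(" resource: ").append(resource);
        return null;
    }

    /**
     * Validates the certificate request's SAN DNS names against the configured
     * GCP DNS suffixes, GKE DNS suffixes and GKE cluster names. Requires the
     * GCP project id attribute to be present.
     *
     * @param instanceConfirmation confirmation carrying the request attributes
     * @param sb receives a generic failure reason on rejection
     * @return {@code true} if all SAN DNS names are acceptable
     */
    @Override // com.yahoo.athenz.instance.provider.KubernetesDistributionValidator
    public boolean validateSanDNSEntries(InstanceConfirmation instanceConfirmation, StringBuilder sb) {
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        if (StringUtil.isEmpty(InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_GCP_PROJECT))) {
            sb.append("Unable to find GCP project id");
            return false;
        }
        // The detailed reason is collected in a separate buffer and only a
        // generic message is returned to the caller; log the detail so
        // operators can still diagnose rejected hostnames.
        StringBuilder detail = new StringBuilder(256);
        boolean valid = InstanceUtils.validateCertRequestSanDnsNames(attributes, instanceConfirmation.getDomain(),
                instanceConfirmation.getService(), this.gcpDNSSuffixes, this.gkeDnsSuffixes,
                this.gkeClusterNames.getStringsList(), true, detail, null);
        if (valid) {
            return true;
        }
        LOGGER.debug("SAN DNS validation failed for {}.{}: {}", instanceConfirmation.getDomain(),
                instanceConfirmation.getService(), detail);
        sb.append("Unable to validate certificate request hostnames");
        return false;
    }
}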
