package com.yahoo.athenz.instance.provider.impl;

import com.google.common.net.InetAddresses;
import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.common.server.dns.HostnameResolver;
import com.yahoo.athenz.instance.provider.AttrValidator;
import com.yahoo.athenz.instance.provider.AttrValidatorFactory;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import com.yahoo.athenz.instance.provider.ResourceException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/SecureBootProvider.class */
public class SecureBootProvider implements InstanceProvider {
    private static final Logger LOG = LoggerFactory.getLogger(SecureBootProvider.class);
    static final String ZTS_PROP_SB_PROVIDER_DNS_SUFFIX = "athenz.zts.sb_provider_dns_suffix";
    static final String ZTS_PROP_SB_PRINCIPAL_LIST = "athenz.zts.sb_provider_service_list";
    static final String ZTS_PROP_SB_ISSUER_DN_LIST = "athenz.zts.sb_provider_issuer_dn_list";
    static final String ZTS_PROP_SB_ATTR_VALIDATOR_FACTORY_CLASS = "athenz.zts.sb_provider_attr_validator_factory_class";
    KeyStore keyStore = null;
    Set<String> dnsSuffixes = null;
    String provider = null;
    Set<String> principals = null;
    Set<String> issuerDNs = null;
    HostnameResolver hostnameResolver = null;
    AttrValidator attrValidator = null;

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceProvider.Scheme getProviderScheme() {
        return InstanceProvider.Scheme.CLASS;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void initialize(String str, String str2, SSLContext sSLContext, KeyStore keyStore) {
        this.provider = str;
        String property = System.getProperty(ZTS_PROP_SB_PRINCIPAL_LIST);
        if (!StringUtil.isEmpty(property)) {
            this.principals = new HashSet(Arrays.asList(property.split(",")));
        }
        String property2 = System.getProperty(ZTS_PROP_SB_ISSUER_DN_LIST);
        if (!StringUtil.isEmpty(property2)) {
            this.issuerDNs = parseDnList(Arrays.asList(property2.split(";")));
        }
        this.dnsSuffixes = new HashSet();
        this.dnsSuffixes.addAll(Arrays.asList(System.getProperty(ZTS_PROP_SB_PROVIDER_DNS_SUFFIX, "zts.athenz.cloud").split(",")));
        this.keyStore = keyStore;
        this.attrValidator = newAttrValidator(sSLContext);
        LOG.debug("initialized with provider: {}, endpoint: {}, sslContext: {}, keyStore: {}", new Object[]{str, str2, sSLContext, keyStore});
    }

    static AttrValidator newAttrValidator(SSLContext sSLContext) {
        String property = System.getProperty(ZTS_PROP_SB_ATTR_VALIDATOR_FACTORY_CLASS);
        if (property == null) {
            return null;
        }
        try {
            return ((AttrValidatorFactory) Class.forName(property).getConstructor(new Class[0]).newInstance(new Object[0])).create(sSLContext);
        } catch (Exception e) {
            LOG.error("Invalid AttributeValidatorFactory class: {}", property, e);
            throw new IllegalArgumentException("Invalid AttributeValidatorFactory class");
        }
    }

    static Set<String> parseDnList(List<String> list) {
        return (Set) list.stream().map(str -> {
            return new X500Principal(str).getName();
        }).collect(Collectors.toSet());
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void setHostnameResolver(HostnameResolver hostnameResolver) {
        this.hostnameResolver = hostnameResolver;
    }

    public void setAttrValidator(AttrValidator attrValidator) {
        this.attrValidator = attrValidator;
    }

    private ResourceException forbiddenError(String str, String str2) {
        LOG.error("mesaage: {}, logText: {}", str, str2);
        return new ResourceException(ResourceException.FORBIDDEN, str);
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation confirmInstance(InstanceConfirmation instanceConfirmation) {
        return validateInstanceRequest(instanceConfirmation, true);
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation refreshInstance(InstanceConfirmation instanceConfirmation) {
        return validateInstanceRequest(instanceConfirmation, false);
    }

    InstanceConfirmation validateInstanceRequest(InstanceConfirmation instanceConfirmation, boolean z) {
        String domain = instanceConfirmation.getDomain();
        String service = instanceConfirmation.getService();
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        if (this.principals != null && !this.principals.contains(domain + "." + service)) {
            throw forbiddenError("Service not supported to be launched by SecureBoot Provider", logTxt(instanceConfirmation));
        }
        if (z && !validateIssuer(attributes)) {
            throw forbiddenError("Invalid issuer DN", logTxt(instanceConfirmation));
        }
        String instanceProperty = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_HOSTNAME);
        if (!validateHostname(instanceProperty, z, attributes)) {
            throw forbiddenError("Unable to validate certificate request hostname", logTxt(instanceConfirmation));
        }
        if (!this.attrValidator.confirm(instanceConfirmation)) {
            throw forbiddenError("Unable to validate request instance attributes", logTxt(instanceConfirmation));
        }
        if (!validateSanIp(instanceProperty, attributes)) {
            throw forbiddenError("Unable to validate request IP address", logTxt(instanceConfirmation));
        }
        if (!InstanceUtils.validateCertRequestSanDnsNames(attributes, domain, service, this.dnsSuffixes, null, null, false, new StringBuilder(256), null)) {
            throw forbiddenError("Unable to validate certificate request DNS", logTxt(instanceConfirmation));
        }
        HashMap hashMap = new HashMap();
        hashMap.put(InstanceProvider.ZTS_CERT_SSH, "true");
        instanceConfirmation.setAttributes(hashMap);
        return instanceConfirmation;
    }

    boolean validateIssuer(Map<String, String> map) {
        String instanceProperty = InstanceUtils.getInstanceProperty(map, InstanceProvider.ZTS_INSTANCE_CERT_ISSUER_DN);
        if (StringUtil.isEmpty(instanceProperty)) {
            LOG.error("issuer DN must be passed by ZTS");
            return false;
        }
        if (this.issuerDNs == null) {
            return true;
        }
        return this.issuerDNs.contains(instanceProperty);
    }

    static boolean validateHostname(String str, boolean z, Map<String, String> map) {
        if (StringUtil.isEmpty(str)) {
            return false;
        }
        return z ? validateCnHostname(str, map) : validateCertHostname(str, map);
    }

    static String getSubjectCn(String str) {
        return Crypto.extractX500DnField(str, BCStyle.CN);
    }

    static boolean validateCnHostname(String str, Map<String, String> map) {
        return str.equals(getSubjectCn(InstanceUtils.getInstanceProperty(map, InstanceProvider.ZTS_INSTANCE_CERT_SUBJECT_DN)));
    }

    static boolean validateCertHostname(String str, Map<String, String> map) {
        String instanceProperty = InstanceUtils.getInstanceProperty(map, InstanceProvider.ZTS_INSTANCE_CERT_HOSTNAME);
        if (StringUtil.isEmpty(instanceProperty)) {
            return true;
        }
        return str.equals(instanceProperty);
    }

    boolean validateSanIp(String str, Map<String, String> map) {
        String instanceProperty = InstanceUtils.getInstanceProperty(map, InstanceProvider.ZTS_INSTANCE_SAN_IP);
        String[] split = StringUtil.isEmpty(instanceProperty) ? null : instanceProperty.split(",");
        if (split == null || split.length == 0) {
            return true;
        }
        Set set = (Set) this.hostnameResolver.getAllByName(str).stream().map(SecureBootProvider::flattenIp).filter(str2 -> {
            return !StringUtil.isEmpty(str2);
        }).collect(Collectors.toSet());
        LOG.debug("validating sanIps: {}, hostIps: {}", split, set);
        for (String str3 : split) {
            if (!set.contains(str3)) {
                LOG.error("Unable to match sanIp: {} with hostIps:{}", split, set);
                return false;
            }
        }
        return true;
    }

    static String flattenIp(String str) {
        try {
            return InetAddresses.forString(str).getHostAddress();
        } catch (IllegalArgumentException e) {
            LOG.error("unable to parse ip: {}", str);
            return "";
        }
    }

    public static String logTxt(InstanceConfirmation instanceConfirmation) {
        Map<String, String> attributes = instanceConfirmation.getAttributes();
        return "InstanceConfirmation{provider='" + instanceConfirmation.getProvider() + "', domain='" + instanceConfirmation.getDomain() + "', service='" + instanceConfirmation.getService() + "', issuerDn='" + InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_CERT_ISSUER_DN) + "', subjectDn='" + InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_CERT_SUBJECT_DN) + "', sanIpStr='" + InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_SAN_IP) + "'}";
    }
}
