package com.yahoo.athenz.instance.provider.impl;

import com.yahoo.athenz.auth.Authorizer;
import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import com.yahoo.athenz.instance.provider.KubernetesDistributionValidator;
import com.yahoo.athenz.instance.provider.KubernetesDistributionValidatorFactory;
import com.yahoo.athenz.instance.provider.ProviderResourceException;
import com.yahoo.rdl.JSON;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/InstanceK8SProvider.class */
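public class InstanceK8SProvider implements InstanceProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(InstanceK8SProvider.class);
    static final String ZTS_PROP_K8S_CERT_VALIDITY = "athenz.zts.k8s_cert_validity";
    static final String ZTS_PROP_K8S_PROVIDER_DISTRIBUTION_VALIDATOR_FACTORY_CLASS = "athenz.zts.k8s_provider_distribution_validator_factory_class";
    // Certificate validity handed back to ZTS, in minutes (converted from the days value of ZTS_PROP_K8S_CERT_VALIDITY).
    long certValidityTime;
    // Configured via ZTS_PROP_K8S_PROVIDER_DISTRIBUTION_VALIDATOR_FACTORY_CLASS; null when the property is unset.
    KubernetesDistributionValidatorFactory kubernetesDistributionValidatorFactory;
    // Validators keyed by the value carried in the ZTS_INSTANCE_CLOUD attribute; null when no factory is configured.
    Map<String, KubernetesDistributionValidator> kubernetesDistributionValidatorMap;
    // Handed to each distribution validator in initialize(); whatever is set at that moment is used (null if never set).
    Authorizer authorizer = null;

    /**
     * Returns the provider scheme; this provider is invoked in-process as a class, not over HTTP.
     */
    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceProvider.Scheme getProviderScheme() {
        return InstanceProvider.Scheme.CLASS;
    }

    /**
     * Stores the authorizer that distribution validators receive during {@link #initialize}.
     * Call this before {@code initialize} for the validators to see a non-null authorizer.
     *
     * @param authorizer authorizer to pass on to the validators (may be null)
     */
    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void setAuthorizer(Authorizer authorizer) {
        this.authorizer = authorizer;
    }

    /**
     * Builds a FORBIDDEN provider exception with the given message, logging it at ERROR level.
     *
     * @param str message for the caller and the log
     * @return the exception to throw
     */
    public ProviderResourceException error(String str) {
        return error(ProviderResourceException.FORBIDDEN, str);
    }

    /**
     * Builds a provider exception with the given status code and message, logging the message at ERROR level.
     *
     * @param i   status code
     * @param str message for the caller and the log
     * @return the exception to throw
     */
    public ProviderResourceException error(int i, String str) {
        LOGGER.error(str);
        return new ProviderResourceException(i, str);
    }

    /**
     * Reads the certificate validity from system properties and wires up the distribution validators.
     * Without a configured validator factory no validator map is created and every
     * {@link #confirmInstance} request is rejected.
     *
     * @param provider         provider name (unused here)
     * @param providerEndpoint provider endpoint (unused here)
     * @param sslContext       SSL context passed to each validator
     * @param keyStore         key store (unused here)
     * @throws NumberFormatException    if ZTS_PROP_K8S_CERT_VALIDITY is set to a non-integer value
     * @throws IllegalArgumentException if the configured validator factory class cannot be instantiated
     */
    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void initialize(String provider, String providerEndpoint, SSLContext sslContext, KeyStore keyStore) {
        // Property is expressed in days (default 7); ZTS consumes minutes, so convert once at startup.
        int validityDays = Integer.parseInt(System.getProperty(ZTS_PROP_K8S_CERT_VALIDITY, "7"));
        this.certValidityTime = TimeUnit.MINUTES.convert(validityDays, TimeUnit.DAYS);

        this.kubernetesDistributionValidatorFactory = newKubernetesDistributionValidatorFactory();
        if (this.kubernetesDistributionValidatorFactory == null) {
            return;
        }
        this.kubernetesDistributionValidatorFactory.initialize();
        this.kubernetesDistributionValidatorMap = this.kubernetesDistributionValidatorFactory.getSupportedDistributions();
        // Each validator is initialized with the authorizer as set at this point in time.
        for (KubernetesDistributionValidator validator : this.kubernetesDistributionValidatorMap.values()) {
            validator.initialize(sslContext, this.authorizer);
        }
    }

    /**
     * Instantiates the validator factory named by the
     * ZTS_PROP_K8S_PROVIDER_DISTRIBUTION_VALIDATOR_FACTORY_CLASS system property via its public no-arg constructor.
     * The class name comes from JVM configuration, not from request data.
     *
     * @return the factory, or null when the property is not set
     * @throws IllegalArgumentException if the class cannot be loaded, instantiated, or is not a
     *                                  {@link KubernetesDistributionValidatorFactory}; the cause is preserved
     */
    KubernetesDistributionValidatorFactory newKubernetesDistributionValidatorFactory() {
        String factoryClassName = System.getProperty(ZTS_PROP_K8S_PROVIDER_DISTRIBUTION_VALIDATOR_FACTORY_CLASS);
        if (factoryClassName == null) {
            return null;
        }
        try {
            return (KubernetesDistributionValidatorFactory) Class.forName(factoryClassName)
                    .getConstructor()
                    .newInstance();
        } catch (ReflectiveOperationException | ClassCastException e) {
            LOGGER.error("Invalid KubernetesDistributionValidatorFactory class: {}", factoryClassName, e);
            // Keep the cause so the misconfiguration is diagnosable from the stack trace.
            throw new IllegalArgumentException("Invalid KubernetesDistributionValidatorFactory class", e);
        }
    }

    /**
     * Confirms an instance by delegating to the validator registered for the request's
     * ZTS_INSTANCE_CLOUD attribute: the issuer, the attestation data (id_token) and the
     * requested SAN DNS entries are each checked in turn. On success the confirmation's
     * attributes are replaced with the certificate expiry time and a refresh flag of "false".
     *
     * @param instanceConfirmation the confirmation request
     * @return the same confirmation with its attributes replaced
     * @throws ProviderResourceException FORBIDDEN when no validators are configured, the cloud is
     *                                   unsupported, the attestation data cannot be parsed, or any
     *                                   validation step fails
     */
    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation confirmInstance(InstanceConfirmation instanceConfirmation) throws ProviderResourceException {
        // initialize() leaves the map null when no factory is configured; reject cleanly rather than NPE.
        if (this.kubernetesDistributionValidatorMap == null) {
            throw error("No Kubernetes distribution validators are configured");
        }
        IdTokenAttestationData attestationData =
                (IdTokenAttestationData) JSON.fromString(instanceConfirmation.getAttestationData(), IdTokenAttestationData.class);
        // NOTE(review): a null parse result is treated as invalid input; confirm JSON.fromString's failure signalling.
        if (attestationData == null) {
            throw error("Unable to parse attestation data");
        }
        Map<String, String> requestAttributes = instanceConfirmation.getAttributes();
        String cloud = requestAttributes == null ? null : requestAttributes.get(InstanceProvider.ZTS_INSTANCE_CLOUD);
        KubernetesDistributionValidator validator = this.kubernetesDistributionValidatorMap.get(cloud);
        if (validator == null) {
            throw error("Provided cloud is not supported");
        }

        // Validators append diagnostic details here; they are surfaced in the error message on failure.
        StringBuilder errorDetails = new StringBuilder(256);
        String issuer = validator.validateIssuer(instanceConfirmation, attestationData, errorDetails);
        if (StringUtil.isEmpty(issuer)) {
            throw error("Issuer is invalid or issuer validation failed. Additional details=" + errorDetails);
        }
        if (!validator.validateAttestationData(instanceConfirmation, attestationData, issuer, errorDetails)) {
            throw error("id_token in the attestation data is invalid. Additional details=" + errorDetails);
        }
        if (!validator.validateSanDNSEntries(instanceConfirmation, errorDetails)) {
            throw error("Unable to validate certificate request hostnames. Additional details=" + errorDetails);
        }

        // Only these two attributes are returned; anything the request carried is dropped.
        Map<String, String> responseAttributes = new HashMap<>();
        responseAttributes.put(InstanceProvider.ZTS_CERT_EXPIRY_TIME, Long.toString(this.certValidityTime));
        responseAttributes.put(InstanceProvider.ZTS_CERT_REFRESH, "false");
        instanceConfirmation.setAttributes(responseAttributes);
        return instanceConfirmation;
    }

    /**
     * Refresh is not supported for these certificates; always fails with FORBIDDEN.
     *
     * @param instanceConfirmation the refresh request (unused)
     * @return never returns normally
     * @throws ProviderResourceException always
     */
    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation refreshInstance(InstanceConfirmation instanceConfirmation) throws ProviderResourceException {
        throw error("Generic K8S X.509 Certificates cannot be refreshed");
    }
}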
