package io.grpc.xds;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.protobuf.Any;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.Message;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import io.grpc.xds.Filter;
import io.grpc.xds.internal.MatcherParser;
import io.grpc.xds.internal.Matchers;
import io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.core.v3.CidrRange;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.Permission;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.Policy;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.Principal;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.RBAC;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.route.v3.HeaderMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.matcher.v3.PathMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.v3.Int32Range;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nullable;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes5.dex */
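/**
 * xDS HTTP filter that parses an Envoy RBAC configuration and, when the configuration carries
 * enforceable rules, produces a {@link ServerInterceptor} that allows or denies each call.
 *
 * <p>This listing is decompiler output (JADX): member names such as {@code c}, {@code n} or
 * {@code f11737a} are obfuscated, and the accessors called on the protobuf messages are too.
 * Comments below that name a protobuf field are inferred from the surrounding error messages and
 * enum constants and are marked as such.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A configuration without rules, or with action {@code LOG}, yields a {@code RbacConfig}
 *       holding {@code null}; {@link #f} then returns {@code null} and nothing is enforced.</li>
 *   <li>A per-route override replaces the base configuration as a whole; an override holding
 *       {@code null} therefore switches enforcement off for that route.</li>
 *   <li>{@code METADATA} permissions and principals are mapped to a matcher that never matches,
 *       so policies relying on them do not behave here as they would in Envoy.</li>
 * </ul>
 */
public final class RbacFilter implements Filter, Filter.ServerInterceptorBuilder {

    /** Class logger; authorization decisions are logged at {@code FINE}. (JADX renamed it from {@code a}.) */
    public static final Logger f11737a = Logger.getLogger(RbacFilter.class.getName());

    /** Shared instance of this filter. */
    public static final RbacFilter b = new RbacFilter();

    /**
     * Switch maps for the enum switches in this file, as reconstructed by the decompiler.
     *
     * <p>Each table maps {@code Enum.ordinal()} to a dense case number starting at 1. A constant
     * that is missing at run time raises {@link NoSuchFieldError}, which is ignored on purpose:
     * its slot stays 0 and the callers treat 0 as "unknown" (they throw or report an error).
     */
    public static /* synthetic */ class AnonymousClass2 {

        /** Case numbers for {@code RBAC.Action}: ALLOW=1, DENY=2, LOG=3, UNRECOGNIZED=4. */
        public static final /* synthetic */ int[] f11740a;
        /** Case numbers for {@code Permission.RuleCase}. */
        public static final /* synthetic */ int[] b;
        /** Case numbers for {@code Principal.IdentifierCase}. */
        public static final /* synthetic */ int[] c;
        /** Case numbers for {@code PathMatcher.RuleCase}: PATH=1, RULE_NOT_SET=2. */
        public static final /* synthetic */ int[] d;

        static {
            // ---- PathMatcher.RuleCase ----
            d = new int[PathMatcher.RuleCase.values().length];
            try {
                d[PathMatcher.RuleCase.PATH.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                d[PathMatcher.RuleCase.RULE_NOT_SET.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }

            // ---- Principal.IdentifierCase ----
            c = new int[Principal.IdentifierCase.values().length];
            try {
                c[Principal.IdentifierCase.OR_IDS.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.AND_IDS.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.ANY.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.AUTHENTICATED.ordinal()] = 4;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.DIRECT_REMOTE_IP.ordinal()] = 5;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.REMOTE_IP.ordinal()] = 6;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.SOURCE_IP.ordinal()] = 7;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.HEADER.ordinal()] = 8;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.NOT_ID.ordinal()] = 9;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.URL_PATH.ordinal()] = 10;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.METADATA.ordinal()] = 11;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                c[Principal.IdentifierCase.IDENTIFIER_NOT_SET.ordinal()] = 12;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }

            // ---- Permission.RuleCase ----
            b = new int[Permission.RuleCase.values().length];
            try {
                b[Permission.RuleCase.AND_RULES.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.OR_RULES.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.ANY.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.HEADER.ordinal()] = 4;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.URL_PATH.ordinal()] = 5;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.DESTINATION_IP.ordinal()] = 6;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.DESTINATION_PORT.ordinal()] = 7;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.DESTINATION_PORT_RANGE.ordinal()] = 8;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.NOT_RULE.ordinal()] = 9;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.METADATA.ordinal()] = 10;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.REQUESTED_SERVER_NAME.ordinal()] = 11;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                b[Permission.RuleCase.RULE_NOT_SET.ordinal()] = 12;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }

            // ---- RBAC.Action ----
            f11740a = new int[RBAC.Action.values().length];
            try {
                f11740a[RBAC.Action.ALLOW.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                f11740a[RBAC.Action.DENY.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                f11740a[RBAC.Action.LOG.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
            try {
                f11740a[RBAC.Action.UNRECOGNIZED.ordinal()] = 4;
            } catch (NoSuchFieldError ignored) {
                // constant absent at run time: slot stays 0
            }
        }
    }

    /**
     * Builds a destination-IP matcher from a CIDR range.
     *
     * @param cidrRange range whose address is resolved by {@link #t(CidrRange)}; the second
     *     argument passed to the CIDR matcher is presumably the prefix length (obfuscated accessor)
     * @throws IllegalArgumentException if the address cannot be resolved
     */
    public static GrpcAuthorizationEngine.DestinationIpMatcher c(CidrRange cidrRange) {
        InetAddress prefix = t(cidrRange);
        return GrpcAuthorizationEngine.DestinationIpMatcher.b(
                Matchers.CidrMatcher.b(prefix, cidrRange.s0().p0()));
    }

    /** Builds a matcher for a single destination port. */
    public static GrpcAuthorizationEngine.DestinationPortMatcher d(int i) {
        return GrpcAuthorizationEngine.DestinationPortMatcher.b(i);
    }

    /**
     * Builds a source-IP matcher from a CIDR range.
     *
     * @throws IllegalArgumentException if the address cannot be resolved
     */
    public static GrpcAuthorizationEngine.SourceIpMatcher h(CidrRange cidrRange) {
        InetAddress prefix = t(cidrRange);
        return GrpcAuthorizationEngine.SourceIpMatcher.b(
                Matchers.CidrMatcher.b(prefix, cidrRange.s0().p0()));
    }

    /** Builds the matcher for an {@code AUTHENTICATED} principal from its string matcher. */
    public static GrpcAuthorizationEngine.AuthenticatedMatcher j(Principal.Authenticated authenticated) {
        return GrpcAuthorizationEngine.AuthenticatedMatcher.b(MatcherParser.b(authenticated.p0()));
    }

    /** Builds a matcher for a destination port range from the two bounds of {@code int32Range}. */
    public static GrpcAuthorizationEngine.DestinationPortRangeMatcher k(Int32Range int32Range) {
        return GrpcAuthorizationEngine.DestinationPortRangeMatcher.b(int32Range.r0(), int32Range.q0());
    }

    /**
     * Builds a header matcher after rejecting header names that must not be matched on.
     *
     * @throws IllegalArgumentException if the name starts with {@code grpc-} or is {@code :scheme}
     */
    public static GrpcAuthorizationEngine.AuthHeaderMatcher l(HeaderMatcher headerMatcher) {
        String headerName = headerMatcher.z0();
        // NOTE(review): both checks are case-sensitive. Confirm that configured header names are
        // already lower case when they reach this point, otherwise "Grpc-..." passes the check.
        if (headerName.startsWith("grpc-")) {
            throw new IllegalArgumentException("Invalid header matcher config: [grpc-] prefixed header name is not allowed.");
        }
        if (":scheme".equals(headerName)) {
            throw new IllegalArgumentException("Invalid header matcher config: header name [:scheme] is not allowed.");
        }
        return GrpcAuthorizationEngine.AuthHeaderMatcher.b(MatcherParser.a(headerMatcher));
    }

    /**
     * Builds a URL-path matcher. Only the {@code PATH} rule case is supported.
     *
     * @throws IllegalArgumentException for any other rule case, including an unset rule
     */
    public static GrpcAuthorizationEngine.PathMatcher m(PathMatcher pathMatcher) {
        if (AnonymousClass2.d[pathMatcher.r0().ordinal()] != 1) { // 1 == PathMatcher.RuleCase.PATH
            throw new IllegalArgumentException("Unknown path matcher rule type: " + pathMatcher.r0());
        }
        return GrpcAuthorizationEngine.PathMatcher.b(MatcherParser.b(pathMatcher.q0()));
    }

    /**
     * Translates one RBAC {@code Permission} into an engine matcher, recursing into nested rules.
     *
     * @throws IllegalArgumentException if the rule case is unset or unknown, or if a nested
     *     matcher rejects its configuration
     */
    public static GrpcAuthorizationEngine.Matcher n(Permission permission) {
        switch (AnonymousClass2.b[permission.C0().ordinal()]) {
            case 1: { // AND_RULES
                List<GrpcAuthorizationEngine.Matcher> all = new ArrayList<>();
                for (Permission nested : permission.n0().s0()) {
                    all.add(n(nested));
                }
                return GrpcAuthorizationEngine.AndMatcher.c(all);
            }
            case 2: // OR_RULES
                return o(permission.A0().s0());
            case 3: // ANY
                return GrpcAuthorizationEngine.AlwaysTrueMatcher.f11866a;
            case 4: // HEADER
                return l(permission.v0());
            case 5: // URL_PATH
                return m(permission.D0());
            case 6: // DESTINATION_IP
                return c(permission.s0());
            case 7: // DESTINATION_PORT
                return d(permission.t0());
            case 8: // DESTINATION_PORT_RANGE
                return k(permission.u0());
            case 9: // NOT_RULE
                return GrpcAuthorizationEngine.InvertMatcher.b(n(permission.z0()));
            case 10: // METADATA
                // Metadata rules are not evaluated: the inverse of "always true" never matches.
                // Wrapped in NOT_RULE this becomes "always matches", so review policies that
                // depend on metadata before relying on them with this filter.
                return GrpcAuthorizationEngine.InvertMatcher.b(GrpcAuthorizationEngine.AlwaysTrueMatcher.f11866a);
            case 11: // REQUESTED_SERVER_NAME
                return s(permission.B0());
            default: // RULE_NOT_SET (12) or a constant unknown at run time (0)
                throw new IllegalArgumentException("Unknown permission rule case: " + permission.C0());
        }
    }

    /** Translates each permission with {@link #n(Permission)} and combines the results with OR. */
    public static GrpcAuthorizationEngine.OrMatcher o(List<Permission> list) {
        List<GrpcAuthorizationEngine.Matcher> anyOf = new ArrayList<>();
        for (Permission permission : list) {
            anyOf.add(n(permission));
        }
        return GrpcAuthorizationEngine.OrMatcher.c(anyOf);
    }

    /**
     * Translates one RBAC {@code Principal} into an engine matcher, recursing into nested ids.
     *
     * @throws IllegalArgumentException if the identifier case is unset or unknown, or if a nested
     *     matcher rejects its configuration
     */
    public static GrpcAuthorizationEngine.Matcher p(Principal principal) {
        switch (AnonymousClass2.c[principal.v0().ordinal()]) {
            case 1: // OR_IDS
                return q(principal.z0().s0());
            case 2: { // AND_IDS
                List<GrpcAuthorizationEngine.Matcher> all = new ArrayList<>();
                for (Principal nested : principal.n0().s0()) {
                    all.add(p(nested));
                }
                return GrpcAuthorizationEngine.AndMatcher.c(all);
            }
            case 3: // ANY
                return GrpcAuthorizationEngine.AlwaysTrueMatcher.f11866a;
            case 4: // AUTHENTICATED
                return j(principal.p0());
            // DIRECT_REMOTE_IP, REMOTE_IP and SOURCE_IP all end up as the same SourceIpMatcher.
            // Which peer address that matcher compares against is decided in
            // GrpcAuthorizationEngine, outside this file; this class makes no distinction.
            case 5: // DIRECT_REMOTE_IP
                return h(principal.t0());
            case 6: // REMOTE_IP
                return h(principal.A0());
            case 7: // SOURCE_IP
                return h(principal.B0());
            case 8: // HEADER
                return l(principal.u0());
            case 9: // NOT_ID
                return GrpcAuthorizationEngine.InvertMatcher.b(p(principal.y0()));
            case 10: // URL_PATH
                return m(principal.C0());
            case 11: // METADATA
                // Metadata principals are not evaluated: this matcher never matches.
                return GrpcAuthorizationEngine.InvertMatcher.b(GrpcAuthorizationEngine.AlwaysTrueMatcher.f11866a);
            default: // IDENTIFIER_NOT_SET (12) or a constant unknown at run time (0)
                throw new IllegalArgumentException("Unknown principal identifier case: " + principal.v0());
        }
    }

    /** Translates each principal with {@link #p(Principal)} and combines the results with OR. */
    public static GrpcAuthorizationEngine.OrMatcher q(List<Principal> list) {
        List<GrpcAuthorizationEngine.Matcher> anyOf = new ArrayList<>();
        for (Principal principal : list) {
            anyOf.add(p(principal));
        }
        return GrpcAuthorizationEngine.OrMatcher.c(anyOf);
    }

    /**
     * Parses the RBAC filter message into a {@code RbacConfig}.
     *
     * <p>Returns a config holding {@code null} (nothing to enforce) when the message has no rules
     * or when the action is {@code LOG}. Returns an error for an unrecognized action, for a policy
     * that sets a condition, and for any exception raised while translating a policy.
     *
     * <p>The decompiled loop returned the "must not set" error after the first policy whether or
     * not the policy carried a condition, so every non-empty policy map was rejected. The loop
     * below rejects only policies for which one of the two presence checks is true and goes on
     * to the next policy otherwise.
     *
     * @param rbac the filter-level RBAC message
     * @return the parsed config, or an error describing why the config was rejected
     */
    @VisibleForTesting
    public static ConfigOrError<RbacConfig> r(io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC rbac) {
        if (!rbac.v0()) { // presumably hasRules(): nothing configured, nothing enforced
            return ConfigOrError.a(RbacConfig.c(null));
        }
        RBAC rules = rbac.s0();
        GrpcAuthorizationEngine.Action action;
        switch (AnonymousClass2.f11740a[rules.q0().ordinal()]) {
            case 1: // ALLOW
                action = GrpcAuthorizationEngine.Action.ALLOW;
                break;
            case 2: // DENY
                action = GrpcAuthorizationEngine.Action.DENY;
                break;
            case 3: // LOG: accepted, but no interceptor is built from it
                return ConfigOrError.a(RbacConfig.c(null));
            default: // UNRECOGNIZED (4) or a constant unknown at run time (0)
                return ConfigOrError.b("Unknown rbacConfig action type: " + rules.q0());
        }
        List<GrpcAuthorizationEngine.PolicyMatcher> policyMatchers = new ArrayList<>();
        for (Map.Entry<String, Policy> entry : rules.v0().entrySet()) {
            try {
                Policy policy = entry.getValue();
                // presumably hasCondition() / hasCheckedCondition(), going by the error text
                if (policy.E0() || policy.D0()) {
                    return ConfigOrError.b("Policy.condition and Policy.checked_condition must not set: " + entry.getKey());
                }
                policyMatchers.add(GrpcAuthorizationEngine.PolicyMatcher.b(
                        entry.getKey(), o(policy.A0()), q(policy.C0())));
            } catch (Exception e) {
                // Parse boundary: any matcher failure rejects the whole config instead of
                // producing a partially built policy list.
                return ConfigOrError.b("Encountered error parsing policy: " + e);
            }
        }
        return ConfigOrError.a(RbacConfig.c(GrpcAuthorizationEngine.AuthConfig.b(policyMatchers, action)));
    }

    /** Builds the matcher for a {@code REQUESTED_SERVER_NAME} permission. */
    public static GrpcAuthorizationEngine.RequestedServerNameMatcher s(StringMatcher stringMatcher) {
        return GrpcAuthorizationEngine.RequestedServerNameMatcher.b(MatcherParser.b(stringMatcher));
    }

    /**
     * Resolves the address string of a CIDR range to an {@link InetAddress}.
     *
     * <p>NOTE(review): {@link InetAddress#getByName(String)} accepts host names as well as IP
     * literals and performs a name lookup for the former. If the configuration source is not
     * guaranteed to send literals, validate the string as a literal before this call.
     *
     * @throws IllegalArgumentException if the address cannot be resolved; the original
     *     {@link UnknownHostException} is attached as the cause
     */
    public static InetAddress t(CidrRange cidrRange) {
        try {
            return InetAddress.getByName(cidrRange.o0());
        } catch (UnknownHostException e) {
            throw new IllegalArgumentException("IP address can not be found: " + e, e);
        }
    }

    /** Returns the two protobuf type URLs this filter handles: RBAC and RBACPerRoute. */
    @Override // io.grpc.xds.Filter
    public String[] a() {
        return new String[]{"type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC", "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute"};
    }

    /**
     * Parses a per-route override ({@code RBACPerRoute}).
     *
     * <p>When the override carries no RBAC message the result is a config holding {@code null},
     * which disables enforcement for that route once it is chosen in {@link #f}.
     *
     * @param message must be an {@link Any} wrapping an {@code RBACPerRoute}
     * @return the parsed config, or an error for a wrong message type or an invalid proto
     */
    @Override // io.grpc.xds.Filter
    public ConfigOrError<RbacConfig> e(Message message) {
        if (!(message instanceof Any)) {
            return ConfigOrError.b("Invalid config type: " + message.getClass());
        }
        try {
            RBACPerRoute perRoute = (RBACPerRoute) ((Any) message).E0(RBACPerRoute.class);
            if (!perRoute.q0()) {
                return ConfigOrError.a(RbacConfig.c(null));
            }
            return r(perRoute.p0());
        } catch (InvalidProtocolBufferException e) {
            return ConfigOrError.b("Invalid proto: " + e);
        }
    }

    /**
     * Builds the interceptor for the effective configuration.
     *
     * <p>A non-null override replaces {@code filterConfig} entirely; the two are not merged.
     *
     * @param filterConfig base configuration, must not be null
     * @param filterConfig2 per-route override, or {@code null} to use the base configuration
     * @return the interceptor, or {@code null} when the effective configuration holds no
     *     {@code AuthConfig}, in which case this filter does not check calls at all
     */
    @Override // io.grpc.xds.Filter.ServerInterceptorBuilder
    @Nullable
    public ServerInterceptor f(Filter.FilterConfig filterConfig, @Nullable Filter.FilterConfig filterConfig2) {
        Preconditions.u(filterConfig, "config");
        Filter.FilterConfig effective = filterConfig2 != null ? filterConfig2 : filterConfig;
        GrpcAuthorizationEngine.AuthConfig authConfig = ((RbacConfig) effective).b();
        return authConfig == null ? null : i(authConfig);
    }

    /**
     * Parses the filter-level configuration ({@code RBAC}).
     *
     * @param message must be an {@link Any} wrapping the HTTP RBAC filter message
     * @return the parsed config, or an error for a wrong message type or an invalid proto
     */
    @Override // io.grpc.xds.Filter
    public ConfigOrError<RbacConfig> g(Message message) {
        if (!(message instanceof Any)) {
            return ConfigOrError.b("Invalid config type: " + message.getClass());
        }
        try {
            return r((io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC) ((Any) message).E0(io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC.class));
        } catch (InvalidProtocolBufferException e) {
            return ConfigOrError.b("Invalid proto: " + e);
        }
    }

    /**
     * Wraps an authorization engine built from {@code authConfig} in a server interceptor.
     *
     * <p>For every call the engine's decision is logged at {@code FINE}. A {@code DENY} decision
     * closes the call with the description "Access Denied" and returns a listener that does
     * nothing; every other decision forwards the call to the next handler.
     *
     * @param authConfig engine configuration, must not be null
     */
    public final ServerInterceptor i(GrpcAuthorizationEngine.AuthConfig authConfig) {
        Preconditions.u(authConfig, "config");
        final GrpcAuthorizationEngine grpcAuthorizationEngine = new GrpcAuthorizationEngine(authConfig);
        return new ServerInterceptor() { // from class: io.grpc.xds.RbacFilter.1
            @Override // io.grpc.ServerInterceptor
            public <ReqT, RespT> ServerCall.Listener<ReqT> a(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
                GrpcAuthorizationEngine.AuthDecision decision = grpcAuthorizationEngine.b(metadata, serverCall);
                Level level = Level.FINE;
                if (RbacFilter.f11737a.isLoggable(level)) {
                    // Decisions are visible only at FINE; raise the logger level when an audit
                    // trail of denied calls is needed.
                    RbacFilter.f11737a.log(level, "Authorization result for serverCall {0}: {1}, matching policy: {2}.", new Object[]{serverCall, decision.b(), decision.c()});
                }
                if (GrpcAuthorizationEngine.Action.DENY.equals(decision.b())) {
                    // Status.m is an obfuscated constant, presumably PERMISSION_DENIED; confirm.
                    // The handler is never invoked, so the application does not see the call.
                    serverCall.a(Status.m.u("Access Denied"), new Metadata());
                    return new ServerCall.Listener<ReqT>() { // from class: io.grpc.xds.RbacFilter.1.1
                    };
                }
                return serverCallHandler.a(serverCall, metadata);
            }
        };
    }
}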
