package io.grpc.xds.internal.rbac.engine;

import com.google.auto.value.AutoValue;
import com.google.common.base.Joiner;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.UnmodifiableIterator;
import com.google.common.io.BaseEncoding;
import io.grpc.Grpc;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.xds.internal.Matchers;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nullable;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.http.client.methods.HttpPost;

/* loaded from: classes5.dex */
public final class GrpcAuthorizationEngine {
    public static final Logger b = Logger.getLogger(GrpcAuthorizationEngine.class.getName());

    /* renamed from: a, reason: collision with root package name */
    public final AuthConfig f11864a;

    /* loaded from: classes5.dex */
    /**
     * The two possible authorization outcomes. The same type is used both for the mode a policy
     * set is configured with (see AuthConfig) and for the verdict of a single check (see
     * AuthDecision).
     */
    public enum Action {
        // Permit the call.
        ALLOW,
        // Reject the call.
        DENY
    }

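    /**
     * Matcher that accepts every request without looking at it.
     *
     * <p>NOTE(review): a policy whose permission or principal side is this matcher places no
     * restriction on that side, so its presence in a configuration should be deliberate.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class AlwaysTrueMatcher implements Matcher {

        /* renamed from: a, reason: collision with root package name */
        // Shared instance. Declared final so that no other code in the process can replace the
        // singleton with a different matcher after class initialisation.
        public static final AlwaysTrueMatcher f11866a = new AutoValue_GrpcAuthorizationEngine_AlwaysTrueMatcher();

        /** Always returns {@code true}; {@code evaluateArgs} is never inspected. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            return true;
        }
    }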

    /**
     * Conjunction of matchers: a request matches only when every child matches.
     *
     * <p>An empty child list matches every request, because the loop in {@link #a} finds no
     * child that rejects it.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class AndMatcher implements Matcher {
        /**
         * Builds a conjunction over a copy of {@code list} made with ImmutableList.A.
         * The list and each of its elements are first passed to Preconditions.u
         * (presumably a null check; confirm against the de-obfuscated Guava name).
         */
        public static AndMatcher c(List<? extends Matcher> list) {
            Preconditions.u(list, "matchers");
            for (Matcher child : list) {
                Preconditions.u(child, "matcher");
            }
            return new AutoValue_GrpcAuthorizationEngine_AndMatcher(ImmutableList.A(list));
        }

        /** Returns {@code false} at the first child that does not match, {@code true} otherwise. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            for (Matcher child : b()) {
                if (!child.a(evaluateArgs)) {
                    return false;
                }
            }
            return true;
        }

        /** The child matchers, in evaluation order. */
        public abstract ImmutableList<? extends Matcher> b();
    }

    /**
     * Immutable engine configuration: an ordered list of policies plus the {@link Action} the
     * set is configured with. GrpcAuthorizationEngine.b walks the list in order and stops at
     * the first policy that matches, so list order is significant.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class AuthConfig {
        /** Creates a config holding a copy of {@code list} (via ImmutableList.A) and {@code action}. */
        public static AuthConfig b(List<PolicyMatcher> list, Action action) {
            ImmutableList<PolicyMatcher> policies = ImmutableList.A(list);
            return new AutoValue_GrpcAuthorizationEngine_AuthConfig(policies, action);
        }

        /** The action this policy set is configured with. */
        public abstract Action a();

        /** The policies, in the order they are evaluated. */
        public abstract ImmutableList<PolicyMatcher> c();
    }

    /**
     * Result of one authorization check: the verdict and, when a policy matched, the string
     * that policy reports from PolicyMatcher.c() (presumably its name; confirm).
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class AuthDecision {
        /**
         * Creates a decision.
         *
         * @param action the verdict
         * @param str the matching policy's identifier, or {@code null} when no policy matched
         */
        public static AuthDecision a(Action action, @Nullable String str) {
            AuthDecision decision = new AutoValue_GrpcAuthorizationEngine_AuthDecision(action, str);
            return decision;
        }

        /** The verdict. */
        public abstract Action b();

        /** Identifier of the policy that matched, or {@code null} when none did. */
        @Nullable
        public abstract String c();
    }

    /**
     * Matches a request on the value of one header, delegating the comparison to a
     * {@link Matchers.HeaderMatcher}.
     *
     * <p>The value is obtained through EvaluateArgs.k, which does not read every name from the
     * request metadata: it returns {@code null} for "te", serves "host"/":authority", ":path"
     * and ":method" from the call itself, and joins repeated metadata values with ",".
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class AuthHeaderMatcher implements Matcher {
        /** Wraps {@code headerMatcher}. */
        public static AuthHeaderMatcher b(Matchers.HeaderMatcher headerMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_AuthHeaderMatcher(headerMatcher);
        }

        /** Looks up the header named by the delegate and hands the (possibly null) value to it. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            Matchers.HeaderMatcher delegate = c();
            String headerValue = evaluateArgs.k(c().n());
            return delegate.m(headerValue);
        }

        /** The wrapped header matcher. */
        public abstract Matchers.HeaderMatcher c();
    }

    /**
     * Matches on the peer's principal names as reported by EvaluateArgs.m().
     *
     * <p>NOTE(review): EvaluateArgs.m() returns {@code null} only when the call has no
     * SSLSession attribute. For a session without a usable peer certificate it returns a
     * collection holding the empty string, which is non-null. With no delegate configured this
     * matcher therefore accepts any call that carries an SSLSession, whether or not the client
     * presented a certificate. Policies that must require a client identity should configure a
     * delegate that does not match the empty string.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class AuthenticatedMatcher implements Matcher {
        /** Wraps {@code stringMatcher}; {@code null} means "no constraint on the name". */
        public static AuthenticatedMatcher b(@Nullable Matchers.StringMatcher stringMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_AuthenticatedMatcher(stringMatcher);
        }

        /**
         * Returns {@code false} when no principal names are available, {@code true} when there
         * is no delegate, and otherwise whether the delegate accepts at least one name.
         */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            Collection<String> principalNames = evaluateArgs.m();
            // The peer's names are written to the log at FINER level.
            GrpcAuthorizationEngine.b.log(Level.FINER, "Matching principal names: {0}", new Object[]{principalNames});
            if (principalNames == null) {
                return false;
            }
            if (c() == null) {
                return true;
            }
            for (String principalName : principalNames) {
                if (c().j(principalName)) {
                    return true;
                }
            }
            return false;
        }

        /** The name matcher, or {@code null} when any principal is acceptable. */
        @Nullable
        public abstract Matchers.StringMatcher c();
    }

    /**
     * Matches on the address returned by EvaluateArgs.i(), using a CIDR matcher.
     *
     * <p>EvaluateArgs.i() returns {@code null} when the transport attribute is absent; that
     * {@code null} is passed to the CIDR matcher unchanged (its handling of null is not visible
     * in this file).
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class DestinationIpMatcher implements Matcher {
        /** Wraps {@code cidrMatcher}. */
        public static DestinationIpMatcher b(Matchers.CidrMatcher cidrMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_DestinationIpMatcher(cidrMatcher);
        }

        /** Asks the CIDR matcher whether it accepts the call's destination address. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            Matchers.CidrMatcher cidr = c();
            return cidr.c(evaluateArgs.i());
        }

        /** The wrapped CIDR matcher. */
        public abstract Matchers.CidrMatcher c();
    }

    /**
     * Matches when the port returned by EvaluateArgs.j() equals the configured port.
     * EvaluateArgs.j() yields -1 when the address attribute is absent, so such a call only
     * matches a matcher configured with -1.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class DestinationPortMatcher implements Matcher {
        /** Creates a matcher for port {@code i}. */
        public static DestinationPortMatcher b(int i) {
            return new AutoValue_GrpcAuthorizationEngine_DestinationPortMatcher(i);
        }

        /** Exact comparison of the configured port with the call's port. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            int expectedPort = c();
            int actualPort = evaluateArgs.j();
            return expectedPort == actualPort;
        }

        /** The configured port. */
        public abstract int c();
    }

    /**
     * Matches when the port returned by EvaluateArgs.j() lies in the half-open range
     * {@code [d(), c())}: the lower bound is inclusive and the upper bound is exclusive.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class DestinationPortRangeMatcher implements Matcher {
        /**
         * Creates a range matcher from two bounds.
         * NOTE(review): which argument feeds c() and which feeds d() is decided by the generated
         * AutoValue class and is not visible here; confirm before relying on argument order.
         */
        public static DestinationPortRangeMatcher b(int i, int i2) {
            return new AutoValue_GrpcAuthorizationEngine_DestinationPortRangeMatcher(i, i2);
        }

        /** Returns whether {@code d() <= port < c()}. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            int port = evaluateArgs.j();
            if (port < d()) {
                return false;
            }
            return port < c();
        }

        /** Exclusive upper bound of the range. */
        public abstract int c();

        /** Inclusive lower bound of the range. */
        public abstract int d();
    }

    /* loaded from: classes5.dex */
    /**
     * Per-call view of the request that the matchers evaluate: the request metadata plus the
     * {@link ServerCall}, whose attributes, authority and method descriptor are read below.
     */
    public static final class EvaluateArgs {

        /* renamed from: a, reason: collision with root package name */
        // Metadata (headers) of the call being authorized.
        public final Metadata f11867a;
        // The call itself; source of the transport attributes, authority and method name.
        public final ServerCall<?, ?> b;

        public EvaluateArgs(Metadata metadata, ServerCall<?, ?> serverCall) {
            this.f11867a = metadata;
            this.b = serverCall;
        }

        /**
         * Reads all values of the metadata entry {@code str} and joins them with ",".
         *
         * <p>Names ending in "-bin" are read as byte arrays and each value is encoded with
         * BaseEncoding.b().p() (presumably unpadded base64; confirm) before joining. Because
         * repeated entries are concatenated, a matcher sees one combined string, not the
         * individual values; exact-match and suffix/contains policies should account for that.
         *
         * @return the joined value, or {@code null} when the entry is absent or the name is
         *     rejected with an IllegalArgumentException
         */
        @Nullable
        public final String h(String str) {
            boolean binary = str.endsWith("-bin");
            try {
                if (binary) {
                    Iterable rawValues = this.f11867a.m(Metadata.Key.f(str, Metadata.d));
                    if (rawValues == null) {
                        return null;
                    }
                    List<String> encoded = new ArrayList<>();
                    for (Object rawValue : rawValues) {
                        encoded.add(BaseEncoding.b().p().h((byte[]) rawValue));
                    }
                    return Joiner.i(",").e(encoded);
                }
                Iterable<?> textValues = this.f11867a.m(Metadata.Key.e(str, Metadata.e));
                return textValues == null ? null : Joiner.i(",").e(textValues);
            } catch (IllegalArgumentException ignored) {
                // An unusable header name is reported to the matcher as an absent header.
                return null;
            }
        }

        /**
         * Address part of the socket address stored under the Grpc.b attribute; used by
         * DestinationIpMatcher. Returns {@code null} when the attribute is absent.
         *
         * <p>The cast is unchecked: a SocketAddress that is not an InetSocketAddress raises
         * ClassCastException here.
         */
        public final InetAddress i() {
            SocketAddress local = (SocketAddress) this.b.b().b(Grpc.b);
            return local == null ? null : ((InetSocketAddress) local).getAddress();
        }

        /**
         * Port of the socket address stored under the Grpc.b attribute; used by the destination
         * port matchers. Returns -1 when the attribute is absent. Same unchecked cast as i().
         */
        public final int j() {
            SocketAddress local = (SocketAddress) this.b.b().b(Grpc.b);
            return local == null ? -1 : ((InetSocketAddress) local).getPort();
        }

        /**
         * Resolves the header value a matcher should see for {@code str} (case-insensitive).
         *
         * <ul>
         *   <li>"te" is never exposed: {@code null}.
         *   <li>":authority" and "host" come from the call (this.b.c()), not from metadata, so a
         *       metadata entry named "host" is not consulted.
         *   <li>":path" is the value of l().
         *   <li>":method" is the constant HttpPost.METHOD_NAME.
         *   <li>Anything else is read from metadata through h().
         * </ul>
         */
        @Nullable
        public final String k(String str) {
            String name = str.toLowerCase(Locale.ROOT);
            switch (name) {
                case "te":
                    return null;
                case ":authority":
                case "host":
                    return this.b.c();
                case ":path":
                    return l();
                case ":method":
                    return HttpPost.METHOD_NAME;
                default:
                    return h(name);
            }
        }

        /** Request path: "/" followed by the value the call's method descriptor reports. */
        public final String l() {
            return "/" + this.b.d().c();
        }

        /**
         * Principal names of the TLS peer, taken from the first certificate of the session
         * stored under the Grpc.c attribute.
         *
         * <p>Precedence: URI subject alternative names (GeneralName type 6); if there are none,
         * DNS subject alternative names (type 2); if there are none, the subject DN string;
         * otherwise the empty string.
         *
         * <p>NOTE(review): only a missing SSLSession yields {@code null}. A session whose peer
         * is unverified, whose chain is empty, or whose certificate cannot be parsed yields a
         * collection holding "" instead. Callers that treat non-null as "authenticated" will
         * accept those sessions. The cast of the first certificate to X509Certificate is
         * unchecked and raises ClassCastException for any other certificate type.
         *
         * @return the names, or {@code null} when the call carries no SSLSession
         */
        @Nullable
        public final Collection<String> m() {
            SSLSession session = (SSLSession) this.b.b().b(Grpc.c);
            if (session == null) {
                return null;
            }
            try {
                Certificate[] chain = session.getPeerCertificates();
                if (chain == null || chain.length < 1) {
                    return Collections.singleton("");
                }
                X509Certificate leaf = (X509Certificate) chain[0];
                if (leaf == null) {
                    return Collections.singleton("");
                }
                Collection<List<?>> altNames = leaf.getSubjectAlternativeNames();
                List<String> names = new ArrayList<>();
                if (altNames != null) {
                    // First pass collects URI names (6); DNS names (2) are used only when
                    // the certificate carries no URI name at all.
                    for (int wantedType : new int[] {6, 2}) {
                        for (List<?> altName : altNames) {
                            if (((Integer) altName.get(0)).intValue() == wantedType) {
                                names.add((String) altName.get(1));
                            }
                        }
                        if (!names.isEmpty()) {
                            return Collections.unmodifiableCollection(names);
                        }
                    }
                }
                String subjectName = leaf.getSubjectDN() == null ? null : leaf.getSubjectDN().getName();
                return Collections.singleton(subjectName == null ? "" : subjectName);
            } catch (CertificateParsingException | SSLPeerUnverifiedException e) {
                GrpcAuthorizationEngine.b.log(Level.FINE, "Unexpected getPrincipalNames error.", e);
                return Collections.singleton("");
            }
        }

        /**
         * Value used by RequestedServerNameMatcher. Always the empty string, so that matcher
         * can only succeed when its delegate accepts "".
         */
        public final String n() {
            return "";
        }

        /**
         * Address part of the socket address stored under the Grpc.f9500a attribute; used by
         * SourceIpMatcher. Returns {@code null} when the attribute is absent. Same unchecked
         * cast as i().
         */
        public final InetAddress o() {
            SocketAddress remote = (SocketAddress) this.b.b().b(Grpc.f9500a);
            return remote == null ? null : ((InetSocketAddress) remote).getAddress();
        }
    }

    /**
     * Negation of another matcher.
     *
     * <p>NOTE(review): negation also flips "could not evaluate" results. For example, a wrapped
     * matcher that returns {@code false} because request data was unavailable makes this
     * matcher return {@code true}.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class InvertMatcher implements Matcher {
        /** Wraps {@code matcher}. */
        public static InvertMatcher b(Matcher matcher) {
            return new AutoValue_GrpcAuthorizationEngine_InvertMatcher(matcher);
        }

        /** Returns the logical complement of the wrapped matcher's result. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            boolean innerMatched = c().a(evaluateArgs);
            return !innerMatched;
        }

        /** The wrapped matcher. */
        public abstract Matcher c();
    }

    /* loaded from: classes5.dex */
    /** A predicate over one call, implemented by every matcher type in this engine. */
    public interface Matcher {
        /**
         * Evaluates this matcher against the call described by {@code evaluateArgs}.
         *
         * @return {@code true} when the call matches
         */
        boolean a(EvaluateArgs evaluateArgs);
    }

    /**
     * Disjunction of matchers: a request matches when at least one child matches.
     *
     * <p>An empty child list matches nothing, because the loop in {@link #a} finds no child
     * that accepts the request.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class OrMatcher implements Matcher {
        /**
         * Builds a disjunction over a copy of {@code list} made with ImmutableList.A.
         * The list and each of its elements are first passed to Preconditions.u
         * (presumably a null check; confirm against the de-obfuscated Guava name).
         */
        public static OrMatcher c(List<? extends Matcher> list) {
            Preconditions.u(list, "matchers");
            for (Matcher child : list) {
                Preconditions.u(child, "matcher");
            }
            return new AutoValue_GrpcAuthorizationEngine_OrMatcher(ImmutableList.A(list));
        }

        /** Returns {@code true} at the first child that matches, {@code false} otherwise. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            for (Matcher child : b()) {
                if (child.a(evaluateArgs)) {
                    return true;
                }
            }
            return false;
        }

        /** The child matchers, in evaluation order. */
        public abstract ImmutableList<? extends Matcher> b();
    }

    /**
     * Matches on the request path produced by EvaluateArgs.l(), i.e. "/" followed by the value
     * reported by the call's method descriptor.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class PathMatcher implements Matcher {
        /** Wraps {@code stringMatcher}. */
        public static PathMatcher b(Matchers.StringMatcher stringMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_PathMatcher(stringMatcher);
        }

        /** Asks the string matcher whether it accepts the call's path. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            Matchers.StringMatcher pathPattern = c();
            return pathPattern.j(evaluateArgs.l());
        }

        /** The wrapped string matcher. */
        public abstract Matchers.StringMatcher c();
    }

    /**
     * One policy: a string identifier plus two OrMatcher sides that must both match.
     *
     * <p>NOTE(review): upstream naming is lost in this build; d() and e() are presumably the
     * permission and principal sides and c() the policy name. Confirm before documenting
     * further. GrpcAuthorizationEngine.b treats a {@code null} value from c() as "no policy
     * matched".
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class PolicyMatcher implements Matcher {
        /** Creates a policy from its identifier and its two matcher sides. */
        public static PolicyMatcher b(String str, OrMatcher orMatcher, OrMatcher orMatcher2) {
            return new AutoValue_GrpcAuthorizationEngine_PolicyMatcher(str, orMatcher, orMatcher2);
        }

        /** Matches only when d() matches and then e() matches; e() is skipped if d() fails. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            if (!d().a(evaluateArgs)) {
                return false;
            }
            return e().a(evaluateArgs);
        }

        /** The policy identifier reported in the AuthDecision. */
        public abstract String c();

        /** The side evaluated first. */
        public abstract OrMatcher d();

        /** The side evaluated second. */
        public abstract OrMatcher e();
    }

    /**
     * Matches on the value of EvaluateArgs.n().
     *
     * <p>EvaluateArgs.n() always returns the empty string in this engine, so the requested
     * server name is never actually inspected: this matcher succeeds exactly when its delegate
     * accepts "". A policy that depends on a specific server name will not match.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class RequestedServerNameMatcher implements Matcher {
        /** Wraps {@code stringMatcher}. */
        public static RequestedServerNameMatcher b(Matchers.StringMatcher stringMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_RequestedServerNameMatcher(stringMatcher);
        }

        /** Asks the string matcher whether it accepts the (always empty) server name. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            Matchers.StringMatcher namePattern = c();
            return namePattern.j(evaluateArgs.n());
        }

        /** The wrapped string matcher. */
        public abstract Matchers.StringMatcher c();
    }

    /**
     * Matches on the address returned by EvaluateArgs.o(), using a CIDR matcher.
     *
     * <p>EvaluateArgs.o() returns {@code null} when the transport attribute is absent; that
     * {@code null} is passed to the CIDR matcher unchanged (its handling of null is not visible
     * in this file). The address is the transport-level peer, so behind a proxy or load
     * balancer it is presumably the proxy's address, not the original client's.
     */
    @AutoValue
    /* loaded from: classes5.dex */
    public static abstract class SourceIpMatcher implements Matcher {
        /** Wraps {@code cidrMatcher}. */
        public static SourceIpMatcher b(Matchers.CidrMatcher cidrMatcher) {
            return new AutoValue_GrpcAuthorizationEngine_SourceIpMatcher(cidrMatcher);
        }

        /** Asks the CIDR matcher whether it accepts the call's source address. */
        @Override // io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.Matcher
        public boolean a(EvaluateArgs evaluateArgs) {
            Matchers.CidrMatcher cidr = c();
            return cidr.c(evaluateArgs.o());
        }

        /** The wrapped CIDR matcher. */
        public abstract Matchers.CidrMatcher c();
    }

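    /**
     * Creates an engine that evaluates calls against {@code authConfig}.
     *
     * @param authConfig the policies and configured action; must not be {@code null}
     */
    public GrpcAuthorizationEngine(AuthConfig authConfig) {
        // Reject a missing configuration at construction time, using the same check that b()
        // applies to its arguments, so a misconfigured engine is never installed and only
        // discovered on the first authorization check.
        Preconditions.u(authConfig, "authConfig");
        this.f11864a = authConfig;
    }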

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Authorizes one call.
     *
     * <p>Policies are tried in configuration order and evaluation stops at the first match.
     * The verdict then depends on the configured action:
     *
     * <ul>
     *   <li>configured ALLOW: ALLOW when a policy matched, DENY otherwise;
     *   <li>configured DENY: DENY when a policy matched, ALLOW otherwise.
     * </ul>
     *
     * <p>A match is recognised by the policy's c() value being non-null.
     *
     * @param metadata the call's request metadata
     * @param serverCall the call being authorized
     * @return the verdict together with the matching policy's identifier, or {@code null} as
     *     identifier when nothing matched
     */
    public AuthDecision b(Metadata metadata, ServerCall<?, ?> serverCall) {
        Preconditions.u(metadata, "metadata");
        Preconditions.u(serverCall, "serverCall");
        EvaluateArgs args = new EvaluateArgs(metadata, serverCall);
        String matchedPolicy = null;
        for (PolicyMatcher policy : this.f11864a.c()) {
            if (policy.a(args)) {
                matchedPolicy = policy.c();
                break;
            }
        }
        // ALLOW results from "deny-list, nothing matched" or "allow-list, something matched";
        // both cases are exactly those where the two flags below agree.
        boolean configuredToDeny = Action.DENY.equals(this.f11864a.a());
        boolean nothingMatched = matchedPolicy == null;
        Action verdict = configuredToDeny == nothingMatched ? Action.ALLOW : Action.DENY;
        return AuthDecision.a(verdict, matchedPolicy);
    }
}
