package io.grpc.xds;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.protobuf.Any;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.Message;
import io.grpc.Status;
import io.grpc.q2;
import io.grpc.xds.c1;
import io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.core.v3.CidrRange;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.Permission;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.Policy;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.Principal;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.RBAC;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.route.v3.HeaderMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.matcher.v3.PathMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.v3.Int32Range;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import okhttp3.internal.http2.Header;

/* loaded from: classes6.dex */
public final class x1 implements c1, c1.d {

    /* renamed from: a, reason: collision with root package name */
    public static final Logger f26912a = Logger.getLogger(x1.class.getName());

    /* renamed from: b, reason: collision with root package name */
    public static final x1 f26913b = new Object();

    /* renamed from: c, reason: collision with root package name */
    public static final String f26914c = "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC";

    /* renamed from: d, reason: collision with root package name */
    public static final String f26915d = "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute";

    /* loaded from: classes6.dex */
    public class a implements io.grpc.u2 {

        /* renamed from: a, reason: collision with root package name */
        public final /* synthetic */ GrpcAuthorizationEngine f26916a;

        /* JADX INFO: Add missing generic type declarations: [ReqT] */
        /* renamed from: io.grpc.xds.x1$a$a, reason: collision with other inner class name */
        /* loaded from: classes6.dex */
        public class C0374a<ReqT> extends q2.a<ReqT> {
            public C0374a() {
            }
        }

        public a(GrpcAuthorizationEngine grpcAuthorizationEngine) {
            this.f26916a = grpcAuthorizationEngine;
        }

        /* JADX WARN: Type inference failed for: r8v2, types: [io.grpc.x1, java.lang.Object] */
        @Override // io.grpc.u2
        public <ReqT, RespT> q2.a<ReqT> a(io.grpc.q2<ReqT, RespT> q2Var, io.grpc.x1 x1Var, io.grpc.s2<ReqT, RespT> s2Var) {
            GrpcAuthorizationEngine.e b10 = this.f26916a.b(x1Var, q2Var);
            Logger logger = x1.f26912a;
            Level level = Level.FINE;
            if (logger.isLoggable(level)) {
                x1.f26912a.log(level, "Authorization result for serverCall {0}: {1}, matching policy: {2}.", new Object[]{q2Var, b10.b(), b10.c()});
            }
            if (!GrpcAuthorizationEngine.Action.DENY.equals(b10.b())) {
                return s2Var.a(q2Var, x1Var);
            }
            q2Var.a(Status.f14139l.u("Access Denied"), new Object());
            return new C0374a();
        }
    }

    /* loaded from: classes6.dex */
    public static /* synthetic */ class b {

        /* renamed from: a, reason: collision with root package name */
        public static final /* synthetic */ int[] f26919a;

        /* renamed from: b, reason: collision with root package name */
        public static final /* synthetic */ int[] f26920b;

        /* renamed from: c, reason: collision with root package name */
        public static final /* synthetic */ int[] f26921c;

        /* renamed from: d, reason: collision with root package name */
        public static final /* synthetic */ int[] f26922d;

        static {
            int[] iArr = new int[PathMatcher.RuleCase.values().length];
            f26922d = iArr;
            try {
                iArr[PathMatcher.RuleCase.PATH.ordinal()] = 1;
            } catch (NoSuchFieldError unused) {
            }
            try {
                f26922d[PathMatcher.RuleCase.RULE_NOT_SET.ordinal()] = 2;
            } catch (NoSuchFieldError unused2) {
            }
            int[] iArr2 = new int[Principal.IdentifierCase.values().length];
            f26921c = iArr2;
            try {
                iArr2[Principal.IdentifierCase.OR_IDS.ordinal()] = 1;
            } catch (NoSuchFieldError unused3) {
            }
            try {
                f26921c[Principal.IdentifierCase.AND_IDS.ordinal()] = 2;
            } catch (NoSuchFieldError unused4) {
            }
            try {
                f26921c[Principal.IdentifierCase.ANY.ordinal()] = 3;
            } catch (NoSuchFieldError unused5) {
            }
            try {
                f26921c[Principal.IdentifierCase.AUTHENTICATED.ordinal()] = 4;
            } catch (NoSuchFieldError unused6) {
            }
            try {
                f26921c[Principal.IdentifierCase.DIRECT_REMOTE_IP.ordinal()] = 5;
            } catch (NoSuchFieldError unused7) {
            }
            try {
                f26921c[Principal.IdentifierCase.REMOTE_IP.ordinal()] = 6;
            } catch (NoSuchFieldError unused8) {
            }
            try {
                f26921c[Principal.IdentifierCase.SOURCE_IP.ordinal()] = 7;
            } catch (NoSuchFieldError unused9) {
            }
            try {
                f26921c[Principal.IdentifierCase.HEADER.ordinal()] = 8;
            } catch (NoSuchFieldError unused10) {
            }
            try {
                f26921c[Principal.IdentifierCase.NOT_ID.ordinal()] = 9;
            } catch (NoSuchFieldError unused11) {
            }
            try {
                f26921c[Principal.IdentifierCase.URL_PATH.ordinal()] = 10;
            } catch (NoSuchFieldError unused12) {
            }
            try {
                f26921c[Principal.IdentifierCase.METADATA.ordinal()] = 11;
            } catch (NoSuchFieldError unused13) {
            }
            try {
                f26921c[Principal.IdentifierCase.IDENTIFIER_NOT_SET.ordinal()] = 12;
            } catch (NoSuchFieldError unused14) {
            }
            int[] iArr3 = new int[Permission.RuleCase.values().length];
            f26920b = iArr3;
            try {
                iArr3[Permission.RuleCase.AND_RULES.ordinal()] = 1;
            } catch (NoSuchFieldError unused15) {
            }
            try {
                f26920b[Permission.RuleCase.OR_RULES.ordinal()] = 2;
            } catch (NoSuchFieldError unused16) {
            }
            try {
                f26920b[Permission.RuleCase.ANY.ordinal()] = 3;
            } catch (NoSuchFieldError unused17) {
            }
            try {
                f26920b[Permission.RuleCase.HEADER.ordinal()] = 4;
            } catch (NoSuchFieldError unused18) {
            }
            try {
                f26920b[Permission.RuleCase.URL_PATH.ordinal()] = 5;
            } catch (NoSuchFieldError unused19) {
            }
            try {
                f26920b[Permission.RuleCase.DESTINATION_IP.ordinal()] = 6;
            } catch (NoSuchFieldError unused20) {
            }
            try {
                f26920b[Permission.RuleCase.DESTINATION_PORT.ordinal()] = 7;
            } catch (NoSuchFieldError unused21) {
            }
            try {
                f26920b[Permission.RuleCase.DESTINATION_PORT_RANGE.ordinal()] = 8;
            } catch (NoSuchFieldError unused22) {
            }
            try {
                f26920b[Permission.RuleCase.NOT_RULE.ordinal()] = 9;
            } catch (NoSuchFieldError unused23) {
            }
            try {
                f26920b[Permission.RuleCase.METADATA.ordinal()] = 10;
            } catch (NoSuchFieldError unused24) {
            }
            try {
                f26920b[Permission.RuleCase.REQUESTED_SERVER_NAME.ordinal()] = 11;
            } catch (NoSuchFieldError unused25) {
            }
            try {
                f26920b[Permission.RuleCase.RULE_NOT_SET.ordinal()] = 12;
            } catch (NoSuchFieldError unused26) {
            }
            int[] iArr4 = new int[RBAC.Action.values().length];
            f26919a = iArr4;
            try {
                iArr4[RBAC.Action.ALLOW.ordinal()] = 1;
            } catch (NoSuchFieldError unused27) {
            }
            try {
                f26919a[RBAC.Action.DENY.ordinal()] = 2;
            } catch (NoSuchFieldError unused28) {
            }
            try {
                f26919a[RBAC.Action.LOG.ordinal()] = 3;
            } catch (NoSuchFieldError unused29) {
            }
            try {
                f26919a[RBAC.Action.UNRECOGNIZED.ordinal()] = 4;
            } catch (NoSuchFieldError unused30) {
            }
        }
    }

    public static GrpcAuthorizationEngine.h c(CidrRange cidrRange) {
        return new io.grpc.xds.internal.rbac.engine.g(new b8.a(r(cidrRange), cidrRange.getPrefixLen().getValue()));
    }

    public static GrpcAuthorizationEngine.i d(int i10) {
        return new io.grpc.xds.internal.rbac.engine.h(i10);
    }

    public static GrpcAuthorizationEngine.r e(CidrRange cidrRange) {
        return new io.grpc.xds.internal.rbac.engine.o(new b8.a(r(cidrRange), cidrRange.getPrefixLen().getValue()));
    }

    public static /* synthetic */ int g(Map.Entry entry, Map.Entry entry2) {
        return ((String) entry.getKey()).compareTo((String) entry2.getKey());
    }

    public static GrpcAuthorizationEngine.g h(Principal.Authenticated authenticated) {
        return new io.grpc.xds.internal.rbac.engine.f(b8.h.b(authenticated.getPrincipalName()));
    }

    public static GrpcAuthorizationEngine.j i(Int32Range int32Range) {
        return new io.grpc.xds.internal.rbac.engine.i(int32Range.getStart(), int32Range.getEnd());
    }

    public static GrpcAuthorizationEngine.f j(HeaderMatcher headerMatcher) {
        if (headerMatcher.getName().startsWith("grpc-")) {
            throw new IllegalArgumentException("Invalid header matcher config: [grpc-] prefixed header name is not allowed.");
        }
        if (Header.TARGET_SCHEME_UTF8.equals(headerMatcher.getName())) {
            throw new IllegalArgumentException("Invalid header matcher config: header name [:scheme] is not allowed.");
        }
        return new io.grpc.xds.internal.rbac.engine.e(b8.h.a(headerMatcher));
    }

    public static GrpcAuthorizationEngine.o k(PathMatcher pathMatcher) {
        if (b.f26922d[pathMatcher.getRuleCase().ordinal()] == 1) {
            return new io.grpc.xds.internal.rbac.engine.l(b8.h.b(pathMatcher.getPath()));
        }
        throw new IllegalArgumentException("Unknown path matcher rule type: " + pathMatcher.getRuleCase());
    }

    public static GrpcAuthorizationEngine.m l(Permission permission) {
        switch (b.f26920b[permission.getRuleCase().ordinal()]) {
            case 1:
                ArrayList arrayList = new ArrayList();
                Iterator<Permission> it = permission.getAndRules().getRulesList().iterator();
                while (it.hasNext()) {
                    arrayList.add(l(it.next()));
                }
                return GrpcAuthorizationEngine.c.c(arrayList);
            case 2:
                return m(permission.getOrRules().getRulesList());
            case 3:
                return GrpcAuthorizationEngine.b.f22557a;
            case 4:
                return j(permission.getHeader());
            case 5:
                return k(permission.getUrlPath());
            case 6:
                return c(permission.getDestinationIp());
            case 7:
                return new io.grpc.xds.internal.rbac.engine.h(permission.getDestinationPort());
            case 8:
                return i(permission.getDestinationPortRange());
            case 9:
                return new io.grpc.xds.internal.rbac.engine.j(l(permission.getNotRule()));
            case 10:
                return new io.grpc.xds.internal.rbac.engine.j(GrpcAuthorizationEngine.b.f22557a);
            case 11:
                return q(permission.getRequestedServerName());
            default:
                throw new IllegalArgumentException("Unknown permission rule case: " + permission.getRuleCase());
        }
    }

    public static GrpcAuthorizationEngine.n m(List<Permission> list) {
        ArrayList arrayList = new ArrayList();
        Iterator<Permission> it = list.iterator();
        while (it.hasNext()) {
            arrayList.add(l(it.next()));
        }
        return GrpcAuthorizationEngine.n.c(arrayList);
    }

    public static GrpcAuthorizationEngine.m n(Principal principal) {
        switch (b.f26921c[principal.getIdentifierCase().ordinal()]) {
            case 1:
                return o(principal.getOrIds().getIdsList());
            case 2:
                ArrayList arrayList = new ArrayList();
                Iterator<Principal> it = principal.getAndIds().getIdsList().iterator();
                while (it.hasNext()) {
                    arrayList.add(n(it.next()));
                }
                return GrpcAuthorizationEngine.c.c(arrayList);
            case 3:
                return GrpcAuthorizationEngine.b.f22557a;
            case 4:
                return h(principal.getAuthenticated());
            case 5:
                return e(principal.getDirectRemoteIp());
            case 6:
                return e(principal.getRemoteIp());
            case 7:
                return e(principal.getSourceIp());
            case 8:
                return j(principal.getHeader());
            case 9:
                return new io.grpc.xds.internal.rbac.engine.j(n(principal.getNotId()));
            case 10:
                return k(principal.getUrlPath());
            case 11:
                return new io.grpc.xds.internal.rbac.engine.j(GrpcAuthorizationEngine.b.f22557a);
            default:
                throw new IllegalArgumentException("Unknown principal identifier case: " + principal.getIdentifierCase());
        }
    }

    public static GrpcAuthorizationEngine.n o(List<Principal> list) {
        ArrayList arrayList = new ArrayList();
        Iterator<Principal> it = list.iterator();
        while (it.hasNext()) {
            arrayList.add(n(it.next()));
        }
        return GrpcAuthorizationEngine.n.c(arrayList);
    }

    /* JADX WARN: Multi-variable type inference failed */
    @VisibleForTesting
    public static y0<v1> p(io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC rbac) {
        GrpcAuthorizationEngine.Action action;
        if (!rbac.hasRules()) {
            return new y0<>(new r(null));
        }
        RBAC rules = rbac.getRules();
        int i10 = b.f26919a[rules.getAction().ordinal()];
        if (i10 == 1) {
            action = GrpcAuthorizationEngine.Action.ALLOW;
        } else {
            if (i10 != 2) {
                if (i10 == 3) {
                    return new y0<>(new r(null));
                }
                return new y0<>("Unknown rbacConfig action type: " + rules.getAction());
            }
            action = GrpcAuthorizationEngine.Action.DENY;
        }
        ArrayList arrayList = new ArrayList();
        for (Map.Entry entry : (List) rules.getPoliciesMap().entrySet().stream().sorted(new Object()).collect(Collectors.toList())) {
            try {
                Policy policy = (Policy) entry.getValue();
                if (!policy.hasCondition() && !policy.hasCheckedCondition()) {
                    arrayList.add(new io.grpc.xds.internal.rbac.engine.m((String) entry.getKey(), m(policy.getPermissionsList()), o(policy.getPrincipalsList())));
                }
                return new y0<>("Policy.condition and Policy.checked_condition must not set: " + ((String) entry.getKey()));
            } catch (Exception e10) {
                return new y0<>("Encountered error parsing policy: " + e10);
            }
        }
        return new y0<>(new r(GrpcAuthorizationEngine.d.b(arrayList, action)));
    }

    public static GrpcAuthorizationEngine.q q(StringMatcher stringMatcher) {
        return new io.grpc.xds.internal.rbac.engine.n(b8.h.b(stringMatcher));
    }

    public static InetAddress r(CidrRange cidrRange) {
        try {
            return InetAddress.getByName(cidrRange.getAddressPrefix());
        } catch (UnknownHostException e10) {
            throw new IllegalArgumentException("IP address can not be found: " + e10);
        }
    }

    @Override // io.grpc.xds.c1.d
    @lb.j
    public io.grpc.u2 buildServerInterceptor(c1.b bVar, @lb.j c1.b bVar2) {
        Preconditions.checkNotNull(bVar, "config");
        if (bVar2 != null) {
            bVar = bVar2;
        }
        GrpcAuthorizationEngine.d b10 = ((v1) bVar).b();
        if (b10 == null) {
            return null;
        }
        return f(b10);
    }

    public final io.grpc.u2 f(GrpcAuthorizationEngine.d dVar) {
        Preconditions.checkNotNull(dVar, "config");
        return new a(new GrpcAuthorizationEngine(dVar));
    }

    @Override // io.grpc.xds.c1
    public y0<v1> parseFilterConfig(Message message) {
        if (!(message instanceof Any)) {
            return new y0<>("Invalid config type: " + message.getClass());
        }
        try {
            return p((io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC) ((Any) message).unpack(io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC.class));
        } catch (InvalidProtocolBufferException e10) {
            return new y0<>("Invalid proto: " + e10);
        }
    }

    @Override // io.grpc.xds.c1
    public y0<v1> parseFilterConfigOverride(Message message) {
        if (!(message instanceof Any)) {
            return new y0<>("Invalid config type: " + message.getClass());
        }
        try {
            RBACPerRoute rBACPerRoute = (RBACPerRoute) ((Any) message).unpack(RBACPerRoute.class);
            return rBACPerRoute.hasRbac() ? p(rBACPerRoute.getRbac()) : new y0<>(new r(null));
        } catch (InvalidProtocolBufferException e10) {
            return new y0<>("Invalid proto: " + e10);
        }
    }

    @Override // io.grpc.xds.c1
    public String[] typeUrls() {
        return new String[]{f26914c, f26915d};
    }
}
