package com.yahoo.vespa.hosted.ca.restapi;

import com.google.inject.Inject;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.container.jdisc.LoggingRequestHandler;
import com.yahoo.container.jdisc.secretstore.SecretStore;
import com.yahoo.jdisc.http.HttpRequest;
import com.yahoo.restapi.ErrorResponse;
import com.yahoo.restapi.Path;
import com.yahoo.restapi.SlimeJsonResponse;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SubjectAlternativeName;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.slime.Slime;
import com.yahoo.slime.SlimeUtils;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.InstanceConfirmation;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.InstanceValidator;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
import com.yahoo.vespa.hosted.ca.Certificates;
import com.yahoo.vespa.hosted.ca.instance.InstanceIdentity;
import com.yahoo.vespa.hosted.ca.instance.InstanceRefresh;
import com.yahoo.vespa.hosted.ca.instance.InstanceRegistration;
import com.yahoo.yolean.Exceptions;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.logging.Level;

/* loaded from: input_file:com/yahoo/vespa/hosted/ca/restapi/CertificateAuthorityApiHandler.class */
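/**
 * REST handler for the hosted-Vespa certificate authority. It signs a node's CSR on first
 * registration and re-signs it on refresh, using a CA certificate and private key that are read
 * from the {@link SecretStore} on every signing call.
 * <p>
 * Only {@code POST} is accepted:
 * <ul>
 *   <li>{@code /ca/v1/instance/} — register a new instance. The CSR is signed only if
 *       {@link InstanceValidator#isValidInstance} accepts the attestation data together with the
 *       CSR's IP and DNS subject alternative names.</li>
 *   <li>{@code /ca/v1/instance/{provider}/{domain}/{service}/{instanceId}} — refresh an existing
 *       instance. The caller must present a client certificate; the instance id in that
 *       certificate, the instance id in the URL and the instance id in the CSR must all agree, and
 *       the CSR's single common name must equal the service identity in the client certificate.
 *       {@link InstanceValidator#isValidRefresh} then gets the final say.</li>
 * </ul>
 * Identity mismatches surface as {@link IllegalArgumentException} and are mapped to HTTP 400;
 * validator rejections are HTTP 403.
 */
public class CertificateAuthorityApiHandler extends LoggingRequestHandler {
    private final SecretStore secretStore;
    private final Certificates certificates;
    private final String caPrivateKeySecretName;
    private final String caCertificateSecretName;
    private final InstanceValidator instanceValidator;

    /** Production constructor: uses a {@link Certificates} backed by the UTC system clock. */
    @Inject
    public CertificateAuthorityApiHandler(LoggingRequestHandler.Context context, SecretStore secretStore, AthenzProviderServiceConfig athenzProviderServiceConfig, InstanceValidator instanceValidator) {
        this(context, secretStore, new Certificates(Clock.systemUTC()), athenzProviderServiceConfig, instanceValidator);
    }

    /**
     * Constructor that also takes the {@link Certificates} signer (package-private so tests can
     * supply one with a fixed clock).
     *
     * @param secretStore        store holding the CA private key and CA certificate (PEM)
     * @param certificates       CSR signer
     * @param athenzProviderServiceConfig supplies the secret name of the CA private key and the
     *                           Athenz domain; the CA certificate is looked up under
     *                           {@code <domain>.ca.cert}
     * @param instanceValidator  policy that decides whether a registration or refresh is allowed
     */
    CertificateAuthorityApiHandler(LoggingRequestHandler.Context context, SecretStore secretStore, Certificates certificates, AthenzProviderServiceConfig athenzProviderServiceConfig, InstanceValidator instanceValidator) {
        super(context);
        this.secretStore = secretStore;
        this.certificates = certificates;
        this.caPrivateKeySecretName = athenzProviderServiceConfig.secretName();
        this.caCertificateSecretName = athenzProviderServiceConfig.domain() + ".ca.cert";
        this.instanceValidator = instanceValidator;
    }

    /**
     * Dispatches on HTTP method. Anything but {@code POST} is 405.
     * <p>
     * {@link IllegalArgumentException} (malformed request, identity mismatch) becomes 400 with the
     * exception message; any other {@link RuntimeException} is logged at WARNING and becomes 500.
     * NOTE(review): the 500 response echoes the internal exception message to the client; consider
     * whether that is acceptable for this (presumably mTLS-only) endpoint.
     */
    public HttpResponse handle(com.yahoo.container.jdisc.HttpRequest httpRequest) {
        try {
            switch (httpRequest.getMethod()) {
                case POST:
                    return handlePost(httpRequest);
                default:
                    return ErrorResponse.methodNotAllowed("Method " + httpRequest.getMethod() + " is unsupported");
            }
        } catch (IllegalArgumentException e) {
            return ErrorResponse.badRequest(httpRequest.getMethod() + " " + httpRequest.getUri() + " failed: " + Exceptions.toMessageString(e));
        } catch (RuntimeException e) {
            this.log.log(Level.WARNING, "Unexpected error handling " + httpRequest.getMethod() + " " + httpRequest.getUri(), (Throwable) e);
            return ErrorResponse.internalServerError(Exceptions.toMessageString(e));
        }
    }

    /** Routes a POST to registration or refresh by path; unknown paths are 404. */
    private HttpResponse handlePost(com.yahoo.container.jdisc.HttpRequest httpRequest) {
        Path path = new Path(httpRequest.getUri());
        if (path.matches("/ca/v1/instance/")) {
            return registerInstance(httpRequest);
        }
        if (path.matches("/ca/v1/instance/{provider}/{domain}/{service}/{instanceId}")) {
            // NOTE(review): the {domain} segment is captured by the pattern but never used or
            // compared; the domain used for validation comes from the client certificate instead.
            return refreshInstance(httpRequest, path.get("provider"), path.get("service"), path.get("instanceId"));
        }
        return ErrorResponse.notFoundError("Nothing at " + path);
    }

    /**
     * Handles first-time registration: builds an {@link InstanceConfirmation} from the request's
     * provider/domain/service and signed identity document, attaches the CSR's IP and DNS SANs so
     * the validator can check them, and signs the CSR if the validator accepts.
     *
     * @return 403 if the validator rejects, otherwise the new identity including the certificate
     */
    private HttpResponse registerInstance(com.yahoo.container.jdisc.HttpRequest httpRequest) {
        InstanceRegistration registration = (InstanceRegistration) deserializeRequest(httpRequest, InstanceSerializer::registrationFromSlime);
        InstanceConfirmation confirmation = new InstanceConfirmation(
                registration.provider(),
                registration.domain(),
                registration.service(),
                EntityBindingsMapper.toSignedIdentityDocumentEntity(registration.attestationData()));
        // The validator is expected to compare these against the attested identity; the CA itself
        // does not filter the SANs it signs.
        confirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(registration.csr(), SubjectAlternativeName.Type.IP_ADDRESS));
        confirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(registration.csr(), SubjectAlternativeName.Type.DNS_NAME));
        if (!this.instanceValidator.isValidInstance(confirmation)) {
            this.log.log(Level.INFO, "Invalid instance registration for " + registration.toString());
            return ErrorResponse.forbidden("Unable to launch service: " + registration.service());
        }
        X509Certificate certificate = this.certificates.create(registration.csr(), caCertificate(), caPrivateKey());
        InstanceIdentity identity = new InstanceIdentity(
                registration.provider(),
                registration.service(),
                Certificates.instanceIdFrom(registration.csr()),
                Optional.of(certificate));
        return new SlimeJsonResponse(InstanceSerializer.identityToSlime(identity));
    }

    /**
     * Handles certificate refresh for an already-registered instance.
     * <p>
     * Checks, in order: the CSR's instance id equals {@code instanceId} from the URL; the client
     * certificate carries the same instance id; the CSR's single CN equals the service identity
     * taken from the client certificate. The {@link InstanceConfirmation} handed to the validator
     * is built from the client certificate's identity (not from the CSR or the URL) and has no
     * attestation data.
     * <p>
     * NOTE(review): {@code service} from the URL is only echoed back in the response identity; it
     * is not compared to the client certificate's service. The signed certificate's subject comes
     * from the CSR, which the CN check above ties to the client certificate.
     *
     * @param provider   provider segment of the URL
     * @param service    service segment of the URL
     * @param instanceId instance-id segment of the URL
     * @throws IllegalArgumentException on any identity mismatch (mapped to 400 by {@link #handle})
     * @throws RuntimeException if no client certificate is present (mapped to 500)
     */
    private HttpResponse refreshInstance(com.yahoo.container.jdisc.HttpRequest httpRequest, String provider, String service, String instanceId) {
        InstanceRefresh refresh = (InstanceRefresh) deserializeRequest(httpRequest, InstanceSerializer::refreshFromSlime);
        String instanceIdFromCsr = Certificates.instanceIdFrom(refresh.csr());
        // Resolved before the instance-id comparison so a missing client certificate is reported
        // as such regardless of the CSR contents.
        AthenzService callerService = getRequestAthenzService(httpRequest);
        if (!instanceIdFromCsr.equals(instanceId)) {
            throw new IllegalArgumentException("Mismatch between instance ID in URL path and instance ID in CSR [instanceId=" + instanceId + ",instanceIdFromCsr=" + instanceIdFromCsr + "]");
        }
        refreshesSameInstanceId(instanceIdFromCsr, httpRequest);
        refreshesSameService(refresh, callerService);
        InstanceConfirmation confirmation = new InstanceConfirmation(provider, callerService.getDomain().getName(), callerService.getName(), null);
        confirmation.set(InstanceValidator.SAN_IPS_ATTRNAME, Certificates.getSubjectAlternativeNames(refresh.csr(), SubjectAlternativeName.Type.IP_ADDRESS));
        confirmation.set(InstanceValidator.SAN_DNS_ATTRNAME, Certificates.getSubjectAlternativeNames(refresh.csr(), SubjectAlternativeName.Type.DNS_NAME));
        if (!this.instanceValidator.isValidRefresh(confirmation)) {
            return ErrorResponse.forbidden("Unable to refresh cert: " + refresh.csr().getSubject().toString());
        }
        X509Certificate certificate = this.certificates.create(refresh.csr(), caCertificate(), caPrivateKey());
        InstanceIdentity identity = new InstanceIdentity(provider, service, instanceIdFromCsr, Optional.of(certificate));
        return new SlimeJsonResponse(InstanceSerializer.identityToSlime(identity));
    }

    /**
     * Verifies that the client certificate chain carries the same instance id as the CSR.
     * <p>
     * Any certificate in the chain that yields an instance id is accepted as the source
     * ({@code findAny()}), not specifically the leaf — presumably only the leaf carries one, but
     * that is not enforced here.
     *
     * @param instanceIdFromCsr instance id extracted from the CSR
     * @throws IllegalArgumentException if no certificate carries an instance id, or it differs
     */
    public void refreshesSameInstanceId(String instanceIdFromCsr, com.yahoo.container.jdisc.HttpRequest httpRequest) {
        String instanceIdFromCertificate = getRequestCertificateChain(httpRequest).stream()
                .map(Certificates::instanceIdFrom)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .findAny()
                .orElseThrow(() -> new IllegalArgumentException("No client certificate with instance id in request."));
        if (!Objects.equals(instanceIdFromCertificate, instanceIdFromCsr)) {
            throw new IllegalArgumentException("Mismatch between instance ID in client certificate and instance ID in CSR [instanceId=" + instanceIdFromCertificate + ",instanceIdFromCsr=" + instanceIdFromCsr + "]");
        }
    }

    /**
     * Verifies that the CSR asks for exactly one common name and that it equals the full name of
     * the service identified by the client certificate, so a caller cannot use its own identity to
     * obtain a certificate for a different service.
     * <p>
     * The original condition joined the two checks with {@code &&}, which skipped the CN
     * comparison entirely whenever the CSR had exactly one CN (and threw IndexOutOfBounds when it
     * had none). Joining with {@code ||} rejects both a CN count other than one and a mismatched CN.
     *
     * @throws IllegalArgumentException if the CN count is not one or the CN does not match
     */
    private void refreshesSameService(InstanceRefresh instanceRefresh, AthenzService athenzService) {
        List<String> commonNames = X509CertificateUtils.getCommonNames(instanceRefresh.csr().getSubject());
        if (commonNames.size() != 1 || !Objects.equals(commonNames.get(0), athenzService.getFullName())) {
            throw new IllegalArgumentException(String.format("Invalid request, trying to refresh service %s using service %s.", instanceRefresh.csr().getSubject().getName(), athenzService.getFullName()));
        }
    }

    /** Loads and parses the PEM CA certificate from the secret store (no caching). */
    private X509Certificate caCertificate() {
        return X509CertificateUtils.fromPem(this.secretStore.getSecret(this.caCertificateSecretName));
    }

    /**
     * Returns the client certificate chain attached to the request by the container under the
     * {@code jdisc.request.X509Certificate} context key, or an empty list if none is present.
     */
    private List<X509Certificate> getRequestCertificateChain(com.yahoo.container.jdisc.HttpRequest httpRequest) {
        Object chain = httpRequest.getJDiscRequest().context().get("jdisc.request.X509Certificate");
        return Optional.ofNullable(chain)
                .map(X509Certificate[].class::cast)
                .map(Arrays::asList)
                .orElse(Collections.emptyList());
    }

    /**
     * Derives the caller's Athenz service from the first common name of the first certificate in
     * the request chain. Assumes the first element is the leaf certificate — TODO confirm against
     * the container's chain ordering.
     *
     * @throws RuntimeException if there is no certificate or it has no common name
     */
    private AthenzService getRequestAthenzService(com.yahoo.container.jdisc.HttpRequest httpRequest) {
        return getRequestCertificateChain(httpRequest).stream()
                .findFirst()
                .map(X509CertificateUtils::getSubjectCommonNames)
                .flatMap(commonNames -> commonNames.stream().findFirst())
                .map(AthenzService::new)
                .orElseThrow(() -> new RuntimeException("No certificate found"));
    }

    /** Loads and parses the PEM CA private key from the secret store (no caching). */
    private PrivateKey caPrivateKey() {
        return KeyUtils.fromPemEncodedPrivateKey(this.secretStore.getSecret(this.caPrivateKeySecretName));
    }

    /**
     * Reads the whole request body as JSON and converts it with {@code deserializer}.
     * The body is read in full with no size cap here; any limit is presumably enforced by the
     * container in front of this handler — TODO confirm.
     *
     * @throws UncheckedIOException if the body cannot be read
     */
    private static <T> T deserializeRequest(com.yahoo.container.jdisc.HttpRequest httpRequest, Function<Slime, T> deserializer) {
        try {
            return deserializer.apply(SlimeUtils.jsonToSlime(httpRequest.getData().readAllBytes()));
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}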
