package com.yahoo.vespa.hosted.athenz.instanceproviderservice;

import com.google.common.net.InetAddresses;
import com.google.inject.Inject;
import com.yahoo.config.model.api.ApplicationInfo;
import com.yahoo.config.model.api.ServiceInfo;
import com.yahoo.config.model.api.SuperModelProvider;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
import com.yahoo.vespa.athenz.identityprovider.client.IdentityDocumentSigner;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* loaded from: input_file:com/yahoo/vespa/hosted/athenz/instanceproviderservice/InstanceValidator.class */
public class InstanceValidator {
    private static final Logger log = Logger.getLogger(InstanceValidator.class.getName());
    static final String SERVICE_PROPERTIES_DOMAIN_KEY = "identity.domain";
    static final String SERVICE_PROPERTIES_SERVICE_KEY = "identity.service";
    static final String INSTANCE_ID_DELIMITER = ".instanceid.athenz.";
    public static final String SAN_IPS_ATTRNAME = "sanIP";
    public static final String SAN_DNS_ATTRNAME = "sanDNS";
    private final AthenzService tenantDockerContainerIdentity;
    private final IdentityDocumentSigner signer;
    private final KeyProvider keyProvider;
    private final SuperModelProvider superModelProvider;
    private final NodeRepository nodeRepository;

    @Inject
    public InstanceValidator(KeyProvider keyProvider, SuperModelProvider superModelProvider, NodeRepository nodeRepository, AthenzProviderServiceConfig athenzProviderServiceConfig) {
        this(keyProvider, superModelProvider, nodeRepository, new IdentityDocumentSigner(), new AthenzService(athenzProviderServiceConfig.tenantService()));
    }

    public InstanceValidator(KeyProvider keyProvider, SuperModelProvider superModelProvider, NodeRepository nodeRepository, IdentityDocumentSigner identityDocumentSigner, AthenzService athenzService) {
        this.keyProvider = keyProvider;
        this.superModelProvider = superModelProvider;
        this.nodeRepository = nodeRepository;
        this.signer = identityDocumentSigner;
        this.tenantDockerContainerIdentity = athenzService;
    }

    public boolean isValidInstance(InstanceConfirmation instanceConfirmation) {
        SignedIdentityDocument signedIdentityDocument = EntityBindingsMapper.toSignedIdentityDocument(instanceConfirmation.signedIdentityDocument);
        VespaUniqueInstanceId providerUniqueId = signedIdentityDocument.providerUniqueId();
        ApplicationId from = ApplicationId.from(providerUniqueId.tenant(), providerUniqueId.application(), providerUniqueId.instance());
        VespaUniqueInstanceId vespaUniqueInstanceId = getVespaUniqueInstanceId(instanceConfirmation);
        if (!providerUniqueId.equals(vespaUniqueInstanceId)) {
            log.log(Level.WARNING, String.format("Instance %s has invalid provider unique ID in CSR (%s)", providerUniqueId, vespaUniqueInstanceId));
            return false;
        }
        if (!isSameIdentityAsInServicesXml(from, instanceConfirmation.domain, instanceConfirmation.service)) {
            return false;
        }
        log.log(Level.FINE, () -> {
            return String.format("Validating instance %s.", providerUniqueId);
        });
        if (!this.signer.hasValidSignature(signedIdentityDocument, this.keyProvider.getPublicKey(signedIdentityDocument.signingKeyVersion()))) {
            log.log(Level.SEVERE, () -> {
                return String.format("Instance %s has invalid signature.", providerUniqueId);
            });
            return false;
        }
        if (!validateAttributes(instanceConfirmation, providerUniqueId)) {
            return false;
        }
        log.log(Level.FINE, () -> {
            return String.format("Instance %s is valid.", providerUniqueId);
        });
        return true;
    }

    public boolean isValidRefresh(InstanceConfirmation instanceConfirmation) {
        log.log(Level.FINE, () -> {
            return String.format("Accepting refresh for instance with identity '%s', provider '%s', instanceId '%s'.", new AthenzService(instanceConfirmation.domain, instanceConfirmation.service).getFullName(), instanceConfirmation.provider, instanceConfirmation.attributes.get(SAN_DNS_ATTRNAME));
        });
        try {
            return validateAttributes(instanceConfirmation, getVespaUniqueInstanceId(instanceConfirmation));
        } catch (Exception e) {
            log.log(Level.WARNING, "Encountered exception while refreshing certificate for confirmation: " + instanceConfirmation, (Throwable) e);
            return false;
        }
    }

    private VespaUniqueInstanceId getVespaUniqueInstanceId(InstanceConfirmation instanceConfirmation) {
        return (VespaUniqueInstanceId) ((List) ((Stream) Optional.ofNullable(instanceConfirmation.attributes.get(SAN_DNS_ATTRNAME)).map(str -> {
            return str.split(",");
        }).map((v0) -> {
            return Arrays.asList(v0);
        }).map((v0) -> {
            return v0.stream();
        }).orElse(Stream.empty())).collect(Collectors.toList())).stream().filter(str2 -> {
            return str2.contains(INSTANCE_ID_DELIMITER);
        }).findFirst().map(str3 -> {
            return str3.replaceAll(".instanceid.athenz..*", "");
        }).map(VespaUniqueInstanceId::fromDottedString).orElse(null);
    }

    private boolean validateAttributes(InstanceConfirmation instanceConfirmation, VespaUniqueInstanceId vespaUniqueInstanceId) {
        if (vespaUniqueInstanceId == null) {
            log.log(Level.WARNING, "Unable to find unique instance ID in refresh request: " + instanceConfirmation.toString());
            return false;
        }
        Node node = (Node) this.nodeRepository.nodes().list(new Node.State[0]).stream().filter(node2 -> {
            return node2.allocation().isPresent();
        }).filter(node3 -> {
            return nodeMatchesVespaUniqueId(node3, vespaUniqueInstanceId);
        }).findFirst().orElse(null);
        if (node == null) {
            log.log(Level.WARNING, "Invalid InstanceConfirmation, No nodes matching uniqueId: " + vespaUniqueInstanceId);
            return false;
        }
        if (((List) node.ipConfig().primary().stream().map(InetAddresses::forString).collect(Collectors.toList())).containsAll((List) ((Stream) Optional.ofNullable(instanceConfirmation.attributes.get(SAN_IPS_ATTRNAME)).map(str -> {
            return str.split(",");
        }).map((v0) -> {
            return Arrays.asList(v0);
        }).map((v0) -> {
            return v0.stream();
        }).orElse(Stream.empty())).map(InetAddresses::forString).collect(Collectors.toList()))) {
            return true;
        }
        log.log(Level.WARNING, "Invalid InstanceConfirmation, wrong ip in : " + vespaUniqueInstanceId);
        return false;
    }

    private boolean nodeMatchesVespaUniqueId(Node node, VespaUniqueInstanceId vespaUniqueInstanceId) {
        return ((Boolean) node.allocation().map(allocation -> {
            return Boolean.valueOf(allocation.membership().index() == vespaUniqueInstanceId.clusterIndex() && allocation.membership().cluster().id().value().equals(vespaUniqueInstanceId.clusterId()) && allocation.owner().instance().value().equals(vespaUniqueInstanceId.instance()) && allocation.owner().application().value().equals(vespaUniqueInstanceId.application()) && allocation.owner().tenant().value().equals(vespaUniqueInstanceId.tenant()));
        }).orElse(false)).booleanValue();
    }

    private boolean isSameIdentityAsInServicesXml(ApplicationId applicationId, String str, String str2) {
        Optional applicationInfo = this.superModelProvider.getSuperModel().getApplicationInfo(applicationId);
        if (!applicationInfo.isPresent()) {
            log.info(String.format("Could not find application info for %s, existing applications: %s", applicationId.serializedForm(), this.superModelProvider.getSuperModel().getAllApplicationInfos()));
            return false;
        }
        if (this.tenantDockerContainerIdentity.equals(new AthenzService(str, str2))) {
            return true;
        }
        Optional findFirst = ((ApplicationInfo) applicationInfo.get()).getModel().getHosts().stream().flatMap(hostInfo -> {
            return hostInfo.getServices().stream();
        }).filter(serviceInfo -> {
            return serviceInfo.getProperty(SERVICE_PROPERTIES_DOMAIN_KEY).isPresent();
        }).filter(serviceInfo2 -> {
            return serviceInfo2.getProperty(SERVICE_PROPERTIES_SERVICE_KEY).isPresent();
        }).findFirst();
        if (!findFirst.isPresent()) {
            log.info(String.format("Application %s has not specified domain/service", applicationId.serializedForm()));
            return false;
        }
        String str3 = (String) ((ServiceInfo) findFirst.get()).getProperty(SERVICE_PROPERTIES_DOMAIN_KEY).get();
        String str4 = (String) ((ServiceInfo) findFirst.get()).getProperty(SERVICE_PROPERTIES_SERVICE_KEY).get();
        if (str3.equals(str) && str4.equals(str2)) {
            return true;
        }
        log.warning(String.format("domain '%s' or service '%s' does not match the one in config for application %s", str, str2, applicationId.serializedForm()));
        return false;
    }
}
