package com.yahoo.vespa.config.server.rpc.security;

import com.yahoo.cloud.config.SentinelConfig;
import com.yahoo.concurrent.DaemonThreadFactory;
import com.yahoo.config.FileReference;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.NodeType;
import com.yahoo.config.provision.TenantName;
import com.yahoo.config.provision.security.NodeIdentifier;
import com.yahoo.config.provision.security.NodeIdentifierException;
import com.yahoo.config.provision.security.NodeIdentity;
import com.yahoo.jrt.Request;
import com.yahoo.jrt.SecurityContext;
import com.yahoo.security.tls.MixedMode;
import com.yahoo.security.tls.TransportSecurityUtils;
import com.yahoo.vespa.config.ConfigKey;
import com.yahoo.vespa.config.protocol.JRTServerConfigRequestV3;
import com.yahoo.vespa.config.server.RequestHandler;
import com.yahoo.vespa.config.server.host.HostRegistry;
import com.yahoo.vespa.config.server.rpc.RequestHandlerProvider;
import com.yahoo.vespa.config.server.rpc.security.AuthorizationException;
import com.yahoo.yolean.Exceptions;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;
import java.util.concurrent.Executors;
import java.util.function.BiConsumer;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer.class */
public class MultiTenantRpcAuthorizer implements RpcAuthorizer {
    private static final Logger log = Logger.getLogger(MultiTenantRpcAuthorizer.class.getName());
    private final NodeIdentifier nodeIdentifier;
    private final HostRegistry hostRegistry;
    private final RequestHandlerProvider handlerProvider;
    private final Executor executor;

    /* renamed from: com.yahoo.vespa.config.server.rpc.security.MultiTenantRpcAuthorizer$1, reason: invalid class name */
    /* loaded from: input_file:com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$yahoo$config$provision$NodeType = new int[NodeType.values().length];

        static {
            try {
                $SwitchMap$com$yahoo$config$provision$NodeType[NodeType.config.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$yahoo$config$provision$NodeType[NodeType.proxy.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$com$yahoo$config$provision$NodeType[NodeType.tenant.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$com$yahoo$config$provision$NodeType[NodeType.host.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/yahoo/vespa/config/server/rpc/security/MultiTenantRpcAuthorizer$JrtErrorCode.class */
    public enum JrtErrorCode {
        UNAUTHORIZED(1),
        AUTHORIZATION_FAILED(2);

        final int code;

        JrtErrorCode(int i) {
            this.code = 131072 + i;
        }
    }

    public MultiTenantRpcAuthorizer(NodeIdentifier nodeIdentifier, HostRegistry hostRegistry, RequestHandlerProvider requestHandlerProvider, int i) {
        this(nodeIdentifier, hostRegistry, requestHandlerProvider, Executors.newFixedThreadPool(i, new DaemonThreadFactory("multi-tenant-rpc-authorizer-")));
    }

    MultiTenantRpcAuthorizer(NodeIdentifier nodeIdentifier, HostRegistry hostRegistry, RequestHandlerProvider requestHandlerProvider, Executor executor) {
        this.nodeIdentifier = nodeIdentifier;
        this.hostRegistry = hostRegistry;
        this.handlerProvider = requestHandlerProvider;
        this.executor = executor;
    }

    @Override // com.yahoo.vespa.config.server.rpc.security.RpcAuthorizer
    public CompletableFuture<Void> authorizeConfigRequest(Request request) {
        return doAsyncAuthorization(request, this::doConfigRequestAuthorization);
    }

    @Override // com.yahoo.vespa.config.server.rpc.security.RpcAuthorizer
    public CompletableFuture<Void> authorizeFileRequest(Request request) {
        return doAsyncAuthorization(request, this::doFileRequestAuthorization);
    }

    private CompletableFuture<Void> doAsyncAuthorization(Request request, BiConsumer<Request, NodeIdentity> biConsumer) {
        return CompletableFuture.runAsync(() -> {
            try {
                getPeerIdentity(request).ifPresent(nodeIdentity -> {
                    biConsumer.accept(request, nodeIdentity);
                });
                log.log(Level.FINE, () -> {
                    return String.format("Authorization succeeded for request '%s' from '%s'", request.methodName(), request.target().toString());
                });
            } catch (Throwable th) {
                handleAuthorizationFailure(request, th);
            }
        }, this.executor);
    }

    private void doConfigRequestAuthorization(Request request, NodeIdentity nodeIdentity) {
        switch (AnonymousClass1.$SwitchMap$com$yahoo$config$provision$NodeType[nodeIdentity.nodeType().ordinal()]) {
            case 1:
                return;
            case 2:
            case 3:
            case 4:
                JRTServerConfigRequestV3 createFromRequest = JRTServerConfigRequestV3.createFromRequest(request);
                ConfigKey configKey = createFromRequest.getConfigKey();
                if (isConfigKeyForGlobalConfig(configKey)) {
                    GlobalConfigAuthorizationPolicy.verifyAccessAllowed(configKey, nodeIdentity.nodeType());
                    return;
                }
                String clientHostName = createFromRequest.getClientHostName();
                ApplicationId keyForHost = this.hostRegistry.getKeyForHost(clientHostName);
                if (keyForHost == null) {
                    if (!isConfigKeyForSentinelConfig(configKey)) {
                        throw new AuthorizationException(AuthorizationException.Type.SILENT, String.format("Host '%s' not found in host registry for [%s]", clientHostName, configKey));
                    }
                    return;
                } else {
                    ApplicationId resolveApplicationId = getTenantHandler(keyForHost.tenant()).resolveApplicationId(clientHostName);
                    ApplicationId applicationId = applicationId(nodeIdentity);
                    if (!applicationId.equals(resolveApplicationId)) {
                        throw new AuthorizationException(String.format("Peer is not allowed to access config owned by %s. Peer is owned by %s", resolveApplicationId.toShortString(), applicationId.toShortString()));
                    }
                    return;
                }
            default:
                throw new AuthorizationException(String.format("'%s' nodes are not allowed to access config", nodeIdentity.nodeType()));
        }
    }

    private void doFileRequestAuthorization(Request request, NodeIdentity nodeIdentity) {
        switch (AnonymousClass1.$SwitchMap$com$yahoo$config$provision$NodeType[nodeIdentity.nodeType().ordinal()]) {
            case 1:
                return;
            case 2:
            case 3:
            case 4:
                ApplicationId applicationId = applicationId(nodeIdentity);
                FileReference fileReference = new FileReference(request.parameters().get(0).asString());
                Set<FileReference> listFileReferences = getTenantHandler(applicationId.tenant()).listFileReferences(applicationId);
                if (!listFileReferences.contains(fileReference)) {
                    throw new AuthorizationException(String.format("Peer is not allowed to access file reference %s. Peer is owned by %s. File references owned by this application: %s", fileReference.value(), applicationId.toShortString(), listFileReferences));
                }
                return;
            default:
                throw new AuthorizationException(String.format("'%s' nodes are not allowed to access files", nodeIdentity.nodeType()));
        }
    }

    private void handleAuthorizationFailure(Request request, Throwable th) {
        boolean z = th instanceof AuthorizationException;
        String format = String.format("For request '%s' from '%s': %s", request.methodName(), request.target().toString(), th.getMessage());
        if (!z || ((AuthorizationException) th).type() != AuthorizationException.Type.SILENT) {
            log.log(Level.INFO, format);
        }
        Logger logger = log;
        Level level = Level.FINE;
        Objects.requireNonNull(th);
        logger.log(level, th, th::getMessage);
        request.setError((z ? JrtErrorCode.UNAUTHORIZED : JrtErrorCode.AUTHORIZATION_FAILED).code, format);
        request.returnRequest();
        Exceptions.throwUnchecked(th);
    }

    private Optional<NodeIdentity> getPeerIdentity(Request request) {
        Optional securityContext = request.target().getSecurityContext();
        if (securityContext.isEmpty()) {
            if (TransportSecurityUtils.getInsecureMixedMode() == MixedMode.DISABLED) {
                throw new IllegalStateException("Security context missing");
            }
            return Optional.empty();
        }
        List peerCertificateChain = ((SecurityContext) securityContext.get()).peerCertificateChain();
        if (peerCertificateChain.isEmpty()) {
            throw new IllegalStateException("Client authentication is not enforced!");
        }
        try {
            NodeIdentity identifyNode = this.nodeIdentifier.identifyNode(peerCertificateChain);
            log.log(Level.FINE, () -> {
                return String.format("Client '%s' identified as %s", request.target().toString(), identifyNode.toString());
            });
            return Optional.of(identifyNode);
        } catch (NodeIdentifierException e) {
            throw new AuthorizationException("Failed to identify peer: " + e.getMessage(), (Throwable) e);
        }
    }

    private static boolean isConfigKeyForGlobalConfig(ConfigKey<?> configKey) {
        return "*".equals(configKey.getConfigId());
    }

    private static boolean isConfigKeyForSentinelConfig(ConfigKey<?> configKey) {
        return SentinelConfig.getDefName().equals(configKey.getName()) && SentinelConfig.getDefNamespace().equals(configKey.getNamespace());
    }

    private static ApplicationId applicationId(NodeIdentity nodeIdentity) {
        return (ApplicationId) nodeIdentity.applicationId().orElseThrow(() -> {
            return new AuthorizationException("Peer node is not associated with an application: " + nodeIdentity.toString());
        });
    }

    private RequestHandler getTenantHandler(TenantName tenantName) {
        return this.handlerProvider.getRequestHandler(tenantName).orElseThrow(() -> {
            return new AuthorizationException(String.format("No handler exists for tenant '%s'", tenantName.value()));
        });
    }
}
