package com.yahoo.vespa.hosted.provision.restapi.v2.filter;

import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.Zone;
import com.yahoo.security.SubjectAlternativeName;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.athenz.identityprovider.api.VespaUniqueInstanceId;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;

/* loaded from: input_file:com/yahoo/vespa/hosted/provision/restapi/v2/filter/NodeIdentifier.class */
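/**
 * Maps a client certificate chain to a {@link NodePrincipal}.
 *
 * <p>The leaf certificate's subject common name is the identity. Certificates whose issuer common
 * name is one of the known Athenz CAs are resolved to a hostname from the node repository where the
 * identity requires it; certificates from any other issuer are only accepted when the common name is
 * one of the legacy ZTS identities. Every failure surfaces as a {@link NodeIdentifierException}.
 *
 * <p>This class is a reconstruction of decompiler output: the string {@code switch} in
 * {@link #resolveNode(List)} was restored from the hash-code dispatch the decompiler emitted.
 */
class NodeIdentifier {
    static final String TENANT_DOCKER_HOST_IDENTITY = "vespa.vespa.tenant-host";
    static final String PROXY_HOST_IDENTITY = "vespa.vespa.proxy";
    static final String CONFIGSERVER_HOST_IDENTITY = "vespa.vespa.configserver";
    static final String TENANT_DOCKER_CONTAINER_IDENTITY = "vespa.vespa.tenant";
    static final String ZTS_ON_PREM_IDENTITY = "zts.athens.yahoo.com";
    static final String ZTS_AWS_IDENTITY = "zts.athenz.ouroath.com";
    private static final String INSTANCE_ID_DELIMITER = ".instanceid.athenz.";
    // Issuer common names that mark a certificate as Athenz-issued. The match is on the CN string
    // only; it relies on the TLS layer having already validated the chain against the expected CA.
    private static final String ATHENZ_ONPREM_CA_COMMON_NAME = "Yahoo Athenz CA";
    private static final String ATHENZ_AWS_CA_COMMON_NAME = "Athenz AWS CA";
    // SAN suffix that identifies an OpenStack-hosted container certificate.
    private static final String OPENSTACK_SAN_SUFFIX = "ostk.yahoo.cloud";
    // How long the node-list snapshot used for openstack-id lookups is reused before being refetched.
    private static final long NODE_CACHE_EXPIRY_MINUTES = 1L;

    private final Zone zone;
    private final NodeRepository nodeRepository;
    // Memoized snapshot of all nodes (any state); see NODE_CACHE_EXPIRY_MINUTES.
    private final Supplier<List<Node>> nodeCache;

    /** Thrown when a certificate chain cannot be mapped to a node principal. */
    public static class NodeIdentifierException extends RuntimeException {
        NodeIdentifierException(String message) {
            super(message);
        }
    }

    /**
     * Creates an identifier for the given zone backed by the given node repository.
     *
     * @param zone           zone whose environment and region a tenant container certificate must match
     * @param nodeRepository repository used to resolve hostnames; must not be null
     * @throws NullPointerException if {@code nodeRepository} is null
     */
    public NodeIdentifier(Zone zone, NodeRepository nodeRepository) {
        this.zone = zone;
        this.nodeRepository = Objects.requireNonNull(nodeRepository, "nodeRepository");
        // Cached for NODE_CACHE_EXPIRY_MINUTES: a node added to or removed from the repository may
        // therefore be invisible to (or still resolvable by) openstack-id lookups for up to that long.
        this.nodeCache = Suppliers.memoizeWithExpiration(
                () -> nodeRepository.getNodes(new Node.State[0]),
                NODE_CACHE_EXPIRY_MINUTES, TimeUnit.MINUTES);
    }

    /**
     * Resolves the principal presented by a certificate chain.
     *
     * <p>Only the first certificate in the chain (the leaf) is inspected. Athenz-issued host and proxy
     * certificates are resolved to a hostname via their openstack-id SAN; Athenz-issued tenant container
     * certificates via their Vespa unique instance id; any other Athenz-issued identity (including the
     * config server) is returned without a hostname. Non-Athenz certificates are accepted only when the
     * common name is a legacy ZTS identity.
     *
     * @param certificateChain the client certificate chain, leaf first
     * @return the resolved principal
     * @throws NodeIdentifierException if the chain is empty, the subject or issuer common name is
     *                                 missing, the certificate is unknown, or no matching node exists
     */
    public NodePrincipal resolveNode(List<X509Certificate> certificateChain) throws NodeIdentifierException {
        if (certificateChain == null || certificateChain.isEmpty()) {
            throw new NodeIdentifierException("Certificate chain is empty!");
        }
        X509Certificate leaf = certificateChain.get(0);
        String commonName = X509CertificateUtils.getSubjectCommonNames(leaf).stream()
                .findFirst()
                .orElseThrow(() -> new NodeIdentifierException("Certificate subject common name is missing!"));
        if (!isAthenzIssued(leaf)) {
            if (commonName.equals(ZTS_ON_PREM_IDENTITY) || commonName.equals(ZTS_AWS_IDENTITY)) {
                return NodePrincipal.withLegacyIdentity(commonName, certificateChain);
            }
            throw new NodeIdentifierException(String.format("Unknown certificate (subject=%s, issuer=%s)",
                    commonName, X509CertificateUtils.getIssuerCommonNames(leaf)));
        }
        List<SubjectAlternativeName> subjectAlternativeNames = X509CertificateUtils.getSubjectAlternativeNames(leaf);
        switch (commonName) {
            case TENANT_DOCKER_HOST_IDENTITY:
            case PROXY_HOST_IDENTITY:
                return NodePrincipal.withAthenzIdentity(commonName,
                        getHostFromCalypsoOrAwsCertificate(subjectAlternativeNames), certificateChain);
            case TENANT_DOCKER_CONTAINER_IDENTITY:
                return NodePrincipal.withAthenzIdentity(commonName,
                        getHostFromVespaCertificate(subjectAlternativeNames), certificateChain);
            case CONFIGSERVER_HOST_IDENTITY:
            default:
                return NodePrincipal.withAthenzIdentity(commonName, certificateChain);
        }
    }

    /**
     * Returns whether the certificate's first issuer common name is one of the known Athenz CAs.
     *
     * @throws NodeIdentifierException if the issuer common name is missing
     */
    private boolean isAthenzIssued(X509Certificate certificate) {
        String issuerCommonName = X509CertificateUtils.getIssuerCommonNames(certificate).stream()
                .findFirst()
                .orElseThrow(() -> new NodeIdentifierException("Certificate issuer common name is missing!"));
        return issuerCommonName.equals(ATHENZ_ONPREM_CA_COMMON_NAME)
                || issuerCommonName.equals(ATHENZ_AWS_CA_COMMON_NAME);
    }

    /** Host certificates on Calypso and AWS share the openstack-id SAN format, so both use the Calypso lookup. */
    private String getHostFromCalypsoOrAwsCertificate(List<SubjectAlternativeName> subjectAlternativeNames) {
        return getHostFromCalypsoCertificate(subjectAlternativeNames);
    }

    /**
     * Looks up the hostname of the cached node whose openstack-id equals the instance id in the SANs.
     *
     * @throws NodeIdentifierException if no SAN carries an instance id or no cached node has that openstack-id
     */
    private String getHostFromCalypsoCertificate(List<SubjectAlternativeName> subjectAlternativeNames) {
        String openStackId = getUniqueInstanceId(subjectAlternativeNames);
        return nodeCache.get().stream()
                .filter(node -> node.openStackId().equals(openStackId))
                .map(Node::hostname)
                .findFirst()
                .orElseThrow(() -> new NodeIdentifierException(String.format(
                        "Cannot find node with openstack-id '%s' in node repository (SANs=%s)",
                        openStackId, formatSanValues(subjectAlternativeNames))));
    }

    /** Renders SAN values as {@code [a,b,c]} for error messages. */
    private static String formatSanValues(List<SubjectAlternativeName> subjectAlternativeNames) {
        return subjectAlternativeNames.stream()
                .map(SubjectAlternativeName::getValue)
                .collect(Collectors.joining(",", "[", "]"));
    }

    /**
     * Resolves the hostname of a tenant container from its Vespa unique instance id.
     *
     * <p>Certificates carrying an OpenStack SAN fall back to the openstack-id lookup. Otherwise the
     * instance id is parsed and its environment and region must match this zone before the node is
     * looked up by application, cluster id and cluster index.
     *
     * @throws NodeIdentifierException if the instance id is missing, belongs to another environment or
     *                                 region, or matches no allocated node
     */
    private String getHostFromVespaCertificate(List<SubjectAlternativeName> subjectAlternativeNames) {
        boolean hostedOnOpenStack = subjectAlternativeNames.stream()
                .anyMatch(san -> san.getValue().endsWith(OPENSTACK_SAN_SUFFIX));
        if (hostedOnOpenStack) {
            return getHostFromCalypsoCertificate(subjectAlternativeNames);
        }
        VespaUniqueInstanceId instanceId =
                VespaUniqueInstanceId.fromDottedString(getUniqueInstanceId(subjectAlternativeNames));
        // A certificate minted for another environment or region must never resolve to a node here.
        if (!zone.environment().value().equals(instanceId.environment())) {
            throw new NodeIdentifierException("Invalid environment: " + instanceId.environment());
        }
        if (!zone.region().value().equals(instanceId.region())) {
            throw new NodeIdentifierException("Invalid region(): " + instanceId.region());
        }
        ApplicationId applicationId =
                ApplicationId.from(instanceId.tenant(), instanceId.application(), instanceId.instance());
        return nodeRepository.getNodes(applicationId, new Node.State[0]).stream()
                .filter(node -> isMemberOf(node, instanceId))
                .map(Node::hostname)
                .findFirst()
                .orElseThrow(() -> new NodeIdentifierException(
                        "Could not find any node with instance id: " + instanceId.asDottedString()));
    }

    /** True when the node is allocated to the cluster id and index named by the instance id. */
    private static boolean isMemberOf(Node node, VespaUniqueInstanceId instanceId) {
        return node.allocation()
                .map(allocation -> allocation.membership().index() == instanceId.clusterIndex()
                        && allocation.membership().cluster().id().value().equals(instanceId.clusterId()))
                .orElse(false);
    }

    /**
     * Extracts the instance id from the first DNS SAN of the form
     * {@code <id>.instanceid.athenz.<...>} ending in {@code yahoo.cloud} or {@code oath.cloud}.
     *
     * @throws NodeIdentifierException if no such SAN is present
     */
    private static String getUniqueInstanceId(List<SubjectAlternativeName> subjectAlternativeNames) {
        return subjectAlternativeNames.stream()
                .filter(san -> san.getType() == SubjectAlternativeName.Type.DNS_NAME)
                .map(SubjectAlternativeName::getValue)
                .filter(NodeIdentifier::isInstanceIdSan)
                .map(dnsName -> dnsName.substring(0, dnsName.indexOf(INSTANCE_ID_DELIMITER)))
                .findFirst()
                .orElseThrow(() -> new NodeIdentifierException(
                        "Could not find unique instance id from SAN addresses: " + subjectAlternativeNames));
    }

    /** Whether a DNS SAN value carries an instance id under one of the accepted cloud domains. */
    private static boolean isInstanceIdSan(String dnsName) {
        boolean acceptedDomain = dnsName.endsWith("yahoo.cloud") || dnsName.endsWith("oath.cloud");
        return acceptedDomain && dnsName.contains(INSTANCE_ID_DELIMITER);
    }
}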
