package com.yahoo.vespa.hosted.provision.restapi.v2.filter;

import com.yahoo.config.provision.NodeType;
import com.yahoo.config.provision.SystemName;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.hosted.provision.Node;
import com.yahoo.vespa.hosted.provision.NodeRepository;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.BiPredicate;
import java.util.stream.Collectors;
import org.apache.http.client.utils.URLEncodedUtils;

/* loaded from: input_file:com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.class */
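/**
 * Decides whether an authenticated {@link NodePrincipal} may access a request URI.
 *
 * <p>Rules are evaluated in this order; the first match decides:
 * <ol>
 *   <li>A principal whose Athenz identity is in the trusted set may access any URI.</li>
 *   <li>A principal without a hostname is denied.</li>
 *   <li>The Athenz provider API paths are allowed only for the two ZTS hostnames listed in
 *       {@link #test}; no other rule (including the hostname whitelist) applies to them.</li>
 *   <li>Otherwise access is granted if every hostname named by the URI is the principal itself
 *       or a node whose parent is the principal, or if the principal's node type is permitted
 *       for the URI, or if the principal's hostname is whitelisted.</li>
 * </ol>
 *
 * <p>NOTE(review): every hostname-based rule trusts {@code NodePrincipal.getHostname()}. How that
 * value is established (e.g. from a verified client certificate) is not visible in this class and
 * should be confirmed where the principal is created.
 */
public class Authorizer implements BiPredicate<NodePrincipal, URI> {
    private final NodeRepository nodeRepository;
    private final Set<String> whitelistedHostnames;
    private final Set<AthenzIdentity> trustedIdentities;

    /**
     * @param systemName     selects which Athenz "hosting" service identity is trusted
     * @param nodeRepository used to look up nodes by hostname
     * @param set            hostnames that are granted access to every URI except the Athenz provider API
     */
    public Authorizer(SystemName systemName, NodeRepository nodeRepository, Set<String> set) {
        this.nodeRepository = nodeRepository;
        // NOTE(review): the caller's set is stored by reference, so later mutation by the caller
        // changes the allow-list. Consider passing an immutable set or copying it here once it is
        // confirmed that no caller relies on a live view.
        this.whitelistedHostnames = set;
        this.trustedIdentities = getTrustedIdentities(systemName);
    }

    /**
     * Returns {@code true} if the principal is authorized for the URI.
     *
     * @param nodePrincipal the authenticated caller
     * @param uri           the request URI; its path and query are inspected
     */
    @Override
    public boolean test(NodePrincipal nodePrincipal, URI uri) {
        // Trusted Athenz identities bypass all per-host checks.
        if (nodePrincipal.getAthenzIdentityName().isPresent()
                && trustedIdentities.contains(nodePrincipal.getAthenzIdentityName().get())) {
            return true;
        }
        // Every remaining rule is hostname-based, so a principal without one is denied.
        if (!nodePrincipal.getHostname().isPresent()) {
            return false;
        }
        String hostname = nodePrincipal.getHostname().get();
        if (isAthenzProviderApi(uri)) {
            // Exclusive rule: nothing below (not even the whitelist) can grant these paths.
            return hostname.equals("zts.athenz.ouroath.com") || hostname.equals("zts.athens.yahoo.com");
        }
        if (canAccessAll(hostnamesFrom(uri), nodePrincipal, this::isSelfOrParent)) {
            return true;
        }
        if (canAccessAny(nodeTypesFor(uri), nodePrincipal, this::isNodeType)) {
            return true;
        }
        return whitelistedHostnames.contains(hostname);
    }

    /** Returns whether the URI path is exactly one of the two Athenz provider endpoints. */
    private static boolean isAthenzProviderApi(URI uri) {
        String path = uri.getPath();
        return "/athenz/v1/provider/instance".equals(path) || "/athenz/v1/provider/refresh".equals(path);
    }

    /**
     * Returns whether {@code str} is the principal's own hostname, or names a node in the
     * repository whose parent hostname equals the principal's hostname.
     * Callers must have checked that the principal has a hostname.
     */
    private boolean isSelfOrParent(String str, NodePrincipal nodePrincipal) {
        String principalHostname = nodePrincipal.getHostname().get();
        if (principalHostname.equals(str)) {
            return true;
        }
        // An unknown node, or a node without a parent, is not accessible through this rule.
        return getNode(str)
                .flatMap(Node::parentHostname)
                .map(principalHostname::equals)
                .orElse(false);
    }

    /**
     * Returns whether the principal's hostname resolves to a node of the given type.
     * Callers must have checked that the principal has a hostname.
     */
    private boolean isNodeType(NodeType nodeType, NodePrincipal nodePrincipal) {
        return getNode(nodePrincipal.getHostname().get())
                .map(node -> node.type() == nodeType)
                .orElse(false);
    }

    /**
     * Returns whether the list is non-empty and the predicate holds for every element.
     * The explicit emptiness check matters: {@code allMatch} on an empty stream is {@code true},
     * which would authorize URIs that name no hostname at all.
     */
    private <T> boolean canAccessAll(List<T> list, NodePrincipal nodePrincipal, BiPredicate<T, NodePrincipal> biPredicate) {
        if (list.isEmpty()) {
            return false;
        }
        return list.stream().allMatch(item -> biPredicate.test(item, nodePrincipal));
    }

    /** Returns whether the list is non-empty and the predicate holds for at least one element. */
    private <T> boolean canAccessAny(List<T> list, NodePrincipal nodePrincipal, BiPredicate<T, NodePrincipal> biPredicate) {
        if (list.isEmpty()) {
            return false;
        }
        return list.stream().anyMatch(item -> biPredicate.test(item, nodePrincipal));
    }

    /**
     * Builds the set of Athenz service identities that are granted unrestricted access:
     * the config server service, plus the "hosting" service of the domain matching the system.
     */
    private static Set<AthenzIdentity> getTrustedIdentities(SystemName systemName) {
        Set<AthenzIdentity> identities = new HashSet<>();
        identities.add(new AthenzService("vespa.vespa", "configserver"));
        identities.add(systemName == SystemName.main
                ? new AthenzService("vespa.vespa", "hosting")
                : new AthenzService("vespa.vespa.cd", "hosting"));
        return identities;
    }

    /**
     * Looks up a node by hostname, refusing values that consist only of dots.
     *
     * <p>Values such as "." and ".." (and the empty string, for which {@code allMatch} is
     * vacuously true) never reach the repository. NOTE(review): presumably this keeps
     * path-like values out of whatever storage backs the repository — confirm, and confirm
     * whether other characters (e.g. '/') also need rejecting at this boundary.
     */
    private Optional<Node> getNode(String str) {
        boolean onlyDots = str.chars().allMatch(c -> c == '.');
        if (onlyDots) {
            return Optional.empty();
        }
        return nodeRepository.getNode(str, new Node.State[0]);
    }

    /**
     * Returns the non-empty values of all {@code hostname} and {@code parentHost} query parameters.
     * Every occurrence is returned, so a repeated parameter yields several hostnames that must
     * all pass the access check.
     */
    private static List<String> hostnamesFromQuery(URI uri) {
        return URLEncodedUtils.parse(uri, StandardCharsets.UTF_8.name()).stream()
                .filter(pair -> "hostname".equals(pair.getName()) || "parentHost".equals(pair.getName()))
                .map(pair -> pair.getValue())
                // A parameter given without '=' (e.g. "?hostname") is parsed with a null value;
                // skip it like an empty one instead of failing with a NullPointerException.
                .filter(value -> value != null && !value.isEmpty())
                .collect(Collectors.toList());
    }

    /**
     * Extracts the hostnames a URI refers to, based on prefix matches against {@code uri.getPath()}.
     * An empty list means the URI names no hostname and the self-or-parent rule cannot grant access.
     *
     * <p>NOTE(review): the hostname is taken from the last (or first) path segment as computed
     * here. The request handlers are not visible in this class; confirm they resolve the target
     * host from the same segment, otherwise authorization and handling can disagree on which
     * node a request addresses. Also note the identity-document prefix has no trailing slash,
     * so it matches any path that merely starts with that string.
     */
    private static List<String> hostnamesFrom(URI uri) {
        String path = uri.getPath();
        if (isChildOf("/nodes/v2/acl/", path)
                || isChildOf("/nodes/v2/node/", path)
                || isChildOf("/nodes/v2/state/", path)) {
            return Collections.singletonList(lastChildOf(path));
        }
        if (isChildOf("/orchestrator/v1/hosts/", path)) {
            return firstChildOf("/orchestrator/v1/hosts/", path)
                    .map(Collections::singletonList)
                    .orElseGet(Collections::emptyList);
        }
        if (isChildOf("/orchestrator/v1/suspensions/hosts/", path)) {
            // Both the parent host in the path and every host in the query must be accessible.
            List<String> hostnames = new ArrayList<>();
            hostnames.add(lastChildOf(path));
            hostnames.addAll(hostnamesFromQuery(uri));
            return hostnames;
        }
        if (isChildOf("/nodes/v2/command/", path) || "/nodes/v2/node/".equals(path)) {
            return hostnamesFromQuery(uri);
        }
        if (isChildOf("/athenz/v1/provider/identity-document", path)) {
            return Collections.singletonList(lastChildOf(path));
        }
        return Collections.emptyList();
    }

    /** Returns the node types allowed to access the URI: proxy and proxyhost below /routing/v1/, none otherwise. */
    private static List<NodeType> nodeTypesFor(URI uri) {
        if (isChildOf("/routing/v1/", uri.getPath())) {
            return Arrays.asList(NodeType.proxy, NodeType.proxyhost);
        }
        return Collections.emptyList();
    }

    /** Returns whether {@code str2} starts with the prefix {@code str} and is strictly longer than it. */
    private static boolean isChildOf(String str, String str2) {
        return str2.length() > str.length() && str2.startsWith(str);
    }

    /**
     * Returns the path segment of {@code str2} that immediately follows the prefix {@code str},
     * or empty if {@code str2} is not a child of the prefix.
     */
    private static Optional<String> firstChildOf(String str, String str2) {
        if (!isChildOf(str, str2)) {
            return Optional.empty();
        }
        String remainder = str2.substring(str.length());
        int slash = remainder.indexOf('/');
        return Optional.of(slash == -1 ? remainder : remainder.substring(0, slash));
    }

    /** Returns the text after the last '/' of the path, ignoring a single trailing '/'. */
    private static String lastChildOf(String str) {
        String trimmed = str.endsWith("/") ? str.substring(0, str.length() - 1) : str;
        int slash = trimmed.lastIndexOf('/');
        return slash == -1 ? trimmed : trimmed.substring(slash + 1);
    }
}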
