package io.grpc.xds;

import com.google.common.base.Preconditions;
import com.google.protobuf.Any;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.Message;
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import io.grpc.xds.Filter;
import io.grpc.xds.internal.MatcherParser;
import io.grpc.xds.internal.Matchers;
import io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.core.v3.CidrRange;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.Permission;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.Policy;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.Principal;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v3.RBAC;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.route.v3.HeaderMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.matcher.v3.PathMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.matcher.v3.StringMatcher;
import io.grpc.xds.shaded.io.envoyproxy.envoy.type.v3.Int32Range;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Nullable;
import okhttp3.internal.http2.Header;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: classes8.dex */
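/**
 * xDS HTTP filter that translates an Envoy RBAC proto configuration into a
 * {@link GrpcAuthorizationEngine.AuthConfig} and wraps it in a {@link ServerInterceptor} that
 * closes denied calls with {@code PERMISSION_DENIED}.
 *
 * <p>Parsing is deliberately strict: a policy element this filter cannot translate makes the whole
 * configuration an error instead of being dropped, because silently dropping part of an
 * authorization policy changes what it allows.
 */
public final class RbacFilter implements Filter, Filter.ServerInterceptorBuilder {
    static final String TYPE_URL = "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC";
    private static final String TYPE_URL_OVERRIDE_CONFIG = "type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBACPerRoute";
    private static final Logger logger = Logger.getLogger(RbacFilter.class.getName());
    static final RbacFilter INSTANCE = new RbacFilter();

    // The decompiler-emitted switch-map holder (RbacFilter$2) is gone: the switches below work on
    // the enum constants directly and the compiler regenerates the synthetic lookup tables.

    RbacFilter() {
    }

    /** Builds a destination-IP matcher for the given CIDR range (address prefix + prefix length). */
    private static GrpcAuthorizationEngine.DestinationIpMatcher createDestinationIpMatcher(CidrRange cidrRange) {
        Matchers.CidrMatcher cidr = Matchers.CidrMatcher.create(resolve(cidrRange), cidrRange.getPrefixLen().getValue());
        return GrpcAuthorizationEngine.DestinationIpMatcher.create(cidr);
    }

    /** Builds a matcher for a single destination port. */
    private static GrpcAuthorizationEngine.DestinationPortMatcher createDestinationPortMatcher(int i2) {
        return GrpcAuthorizationEngine.DestinationPortMatcher.create(i2);
    }

    /** Builds a source-IP matcher for the given CIDR range (address prefix + prefix length). */
    private static GrpcAuthorizationEngine.SourceIpMatcher createSourceIpMatcher(CidrRange cidrRange) {
        Matchers.CidrMatcher cidr = Matchers.CidrMatcher.create(resolve(cidrRange), cidrRange.getPrefixLen().getValue());
        return GrpcAuthorizationEngine.SourceIpMatcher.create(cidr);
    }

    /**
     * Creates the interceptor that evaluates every incoming call against {@code authConfig}.
     *
     * @param authConfig parsed policy set; must not be null
     * @return an interceptor that closes the call on a DENY decision and forwards it otherwise
     */
    private ServerInterceptor generateAuthorizationInterceptor(GrpcAuthorizationEngine.AuthConfig authConfig) {
        Preconditions.checkNotNull(authConfig, "config");
        final GrpcAuthorizationEngine engine = new GrpcAuthorizationEngine(authConfig);
        return new ServerInterceptor() {
            @Override
            public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
                GrpcAuthorizationEngine.AuthDecision authResult = engine.evaluate(metadata, serverCall);
                if (logger.isLoggable(Level.FINE)) {
                    logger.log(Level.FINE, "Authorization result for serverCall {0}: {1}, matching policy: {2}.", new Object[]{serverCall, authResult.decision(), authResult.matchingPolicyName()});
                }
                // Only an explicit DENY stops the call; every other decision value is forwarded
                // to the next handler.
                if (GrpcAuthorizationEngine.Action.DENY.equals(authResult.decision())) {
                    // The client gets a fixed description; the matching policy name is only
                    // written to the FINE log above.
                    serverCall.close(Status.PERMISSION_DENIED.withDescription("Access Denied"), new Metadata());
                    return new ServerCall.Listener<ReqT>() {
                    };
                }
                return serverCallHandler.startCall(serverCall, metadata);
            }
        };
    }

    /** Builds a matcher on the authenticated principal name. */
    private static GrpcAuthorizationEngine.AuthenticatedMatcher parseAuthenticatedMatcher(Principal.Authenticated authenticated) {
        return GrpcAuthorizationEngine.AuthenticatedMatcher.create(MatcherParser.parseStringMatcher(authenticated.getPrincipalName()));
    }

    /** Builds a destination-port-range matcher from the range's start and end values. */
    private static GrpcAuthorizationEngine.DestinationPortRangeMatcher parseDestinationPortRangeMatcher(Int32Range int32Range) {
        return GrpcAuthorizationEngine.DestinationPortRangeMatcher.create(int32Range.getStart(), int32Range.getEnd());
    }

    /**
     * Builds a header matcher, rejecting header names that policies may not match on.
     *
     * @throws IllegalArgumentException if the name starts with {@code grpc-} or is {@code :scheme}
     */
    private static GrpcAuthorizationEngine.AuthHeaderMatcher parseHeaderMatcher(HeaderMatcher headerMatcher) {
        String name = headerMatcher.getName();
        // NOTE(review): both name checks are case-sensitive; confirm that header names in the
        // config are lower-cased before they reach this point, otherwise a mixed-case name would
        // pass them.
        if (name.startsWith("grpc-")) {
            throw new IllegalArgumentException("Invalid header matcher config: [grpc-] prefixed header name is not allowed.");
        }
        // Literal instead of okhttp3's internal Header.TARGET_SCHEME_UTF8 (same value), so this
        // policy check does not depend on another library's internal constant.
        if (":scheme".equals(name)) {
            throw new IllegalArgumentException("Invalid header matcher config: header name [:scheme] is not allowed.");
        }
        return GrpcAuthorizationEngine.AuthHeaderMatcher.create(MatcherParser.parseHeaderMatcher(headerMatcher));
    }

    /**
     * Builds a URL-path matcher; only the {@code PATH} rule is supported.
     *
     * @throws IllegalArgumentException for any other rule case
     */
    private static GrpcAuthorizationEngine.PathMatcher parsePathMatcher(PathMatcher pathMatcher) {
        if (pathMatcher.getRuleCase() == PathMatcher.RuleCase.PATH) {
            return GrpcAuthorizationEngine.PathMatcher.create(MatcherParser.parseStringMatcher(pathMatcher.getPath()));
        }
        throw new IllegalArgumentException("Unknown path matcher rule type: " + pathMatcher.getRuleCase());
    }

    /**
     * Translates one RBAC permission into an engine matcher, recursing into AND/OR/NOT rules.
     *
     * @throws IllegalArgumentException if the rule case is unset or not handled here
     */
    private static GrpcAuthorizationEngine.Matcher parsePermission(Permission permission) {
        switch (permission.getRuleCase()) {
            case AND_RULES:
                List<GrpcAuthorizationEngine.Matcher> andMatchers = new ArrayList<>();
                for (Permission rule : permission.getAndRules().getRulesList()) {
                    andMatchers.add(parsePermission(rule));
                }
                return GrpcAuthorizationEngine.AndMatcher.create(andMatchers);
            case OR_RULES:
                return parsePermissionList(permission.getOrRules().getRulesList());
            case ANY:
                return GrpcAuthorizationEngine.AlwaysTrueMatcher.INSTANCE;
            case HEADER:
                return parseHeaderMatcher(permission.getHeader());
            case URL_PATH:
                return parsePathMatcher(permission.getUrlPath());
            case DESTINATION_IP:
                return createDestinationIpMatcher(permission.getDestinationIp());
            case DESTINATION_PORT:
                return createDestinationPortMatcher(permission.getDestinationPort());
            case DESTINATION_PORT_RANGE:
                return parseDestinationPortRangeMatcher(permission.getDestinationPortRange());
            case NOT_RULE:
                return GrpcAuthorizationEngine.InvertMatcher.create(parsePermission(permission.getNotRule()));
            case METADATA:
                // Metadata rules become the inverse of always-true, i.e. a matcher that never
                // matches.
                return GrpcAuthorizationEngine.InvertMatcher.create(GrpcAuthorizationEngine.AlwaysTrueMatcher.INSTANCE);
            case REQUESTED_SERVER_NAME:
                return parseRequestedServerNameMatcher(permission.getRequestedServerName());
            default:
                throw new IllegalArgumentException("Unknown permission rule case: " + permission.getRuleCase());
        }
    }

    /** Translates a list of permissions into one OR matcher over the individual matchers. */
    private static GrpcAuthorizationEngine.OrMatcher parsePermissionList(List<Permission> list) {
        List<GrpcAuthorizationEngine.Matcher> matchers = new ArrayList<>();
        for (Permission permission : list) {
            matchers.add(parsePermission(permission));
        }
        return GrpcAuthorizationEngine.OrMatcher.create(matchers);
    }

    /**
     * Translates one RBAC principal into an engine matcher, recursing into AND/OR/NOT ids.
     *
     * @throws IllegalArgumentException if the identifier case is unset or not handled here
     */
    private static GrpcAuthorizationEngine.Matcher parsePrincipal(Principal principal) {
        switch (principal.getIdentifierCase()) {
            case OR_IDS:
                return parsePrincipalList(principal.getOrIds().getIdsList());
            case AND_IDS:
                List<GrpcAuthorizationEngine.Matcher> andMatchers = new ArrayList<>();
                for (Principal id : principal.getAndIds().getIdsList()) {
                    andMatchers.add(parsePrincipal(id));
                }
                return GrpcAuthorizationEngine.AndMatcher.create(andMatchers);
            case ANY:
                return GrpcAuthorizationEngine.AlwaysTrueMatcher.INSTANCE;
            case AUTHENTICATED:
                return parseAuthenticatedMatcher(principal.getAuthenticated());
            // The three IP identifier kinds are all translated to the same source-IP matcher.
            case DIRECT_REMOTE_IP:
                return createSourceIpMatcher(principal.getDirectRemoteIp());
            case REMOTE_IP:
                return createSourceIpMatcher(principal.getRemoteIp());
            case SOURCE_IP:
                return createSourceIpMatcher(principal.getSourceIp());
            case HEADER:
                return parseHeaderMatcher(principal.getHeader());
            case NOT_ID:
                return GrpcAuthorizationEngine.InvertMatcher.create(parsePrincipal(principal.getNotId()));
            case URL_PATH:
                return parsePathMatcher(principal.getUrlPath());
            case METADATA:
                // Metadata identifiers become the inverse of always-true, i.e. a matcher that
                // never matches.
                return GrpcAuthorizationEngine.InvertMatcher.create(GrpcAuthorizationEngine.AlwaysTrueMatcher.INSTANCE);
            default:
                throw new IllegalArgumentException("Unknown principal identifier case: " + principal.getIdentifierCase());
        }
    }

    /** Translates a list of principals into one OR matcher over the individual matchers. */
    private static GrpcAuthorizationEngine.OrMatcher parsePrincipalList(List<Principal> list) {
        List<GrpcAuthorizationEngine.Matcher> matchers = new ArrayList<>();
        for (Principal principal : list) {
            matchers.add(parsePrincipal(principal));
        }
        return GrpcAuthorizationEngine.OrMatcher.create(matchers);
    }

    /**
     * Parses the RBAC filter proto into an {@link RbacConfig}.
     *
     * <p>A config without rules, or with action {@code LOG}, yields an {@code RbacConfig} holding
     * a null auth config, for which {@link #buildServerInterceptor} installs no interceptor.
     *
     * @param rbac the unpacked RBAC filter message
     * @return the parsed config, or an error describing the first element that could not be
     *     translated
     */
    static Filter.ConfigOrError<RbacConfig> parseRbacConfig(io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC rbac) {
        if (!rbac.hasRules()) {
            return Filter.ConfigOrError.fromConfig(RbacConfig.create(null));
        }
        RBAC rules = rbac.getRules();
        GrpcAuthorizationEngine.Action action;
        switch (rules.getAction()) {
            case ALLOW:
                action = GrpcAuthorizationEngine.Action.ALLOW;
                break;
            case DENY:
                action = GrpcAuthorizationEngine.Action.DENY;
                break;
            case LOG:
                return Filter.ConfigOrError.fromConfig(RbacConfig.create(null));
            default:
                return Filter.ConfigOrError.fromError("Unknown rbacConfig action type: " + rules.getAction());
        }
        List<GrpcAuthorizationEngine.PolicyMatcher> policyMatchers = new ArrayList<>();
        for (Map.Entry<String, Policy> entry : rules.getPoliciesMap().entrySet()) {
            try {
                Policy policy = entry.getValue();
                // Conditions are not translated by this filter. Reject the config instead of
                // ignoring them: dropping a condition would make the policy match more calls than
                // its author wrote.
                if (policy.hasCondition() || policy.hasCheckedCondition()) {
                    return Filter.ConfigOrError.fromError("Policy.condition and Policy.checked_condition must not set: " + entry.getKey());
                }
                // Fix: the decompiled loop fell through to the error return above after adding
                // the matcher, so every config containing at least one policy was rejected.
                policyMatchers.add(GrpcAuthorizationEngine.PolicyMatcher.create(entry.getKey(), parsePermissionList(policy.getPermissionsList()), parsePrincipalList(policy.getPrincipalsList())));
            } catch (Exception e2) {
                // The parse helpers report unsupported or invalid rules by throwing; surface that
                // as a config error rather than letting it escape.
                return Filter.ConfigOrError.fromError("Encountered error parsing policy: " + e2);
            }
        }
        return Filter.ConfigOrError.fromConfig(RbacConfig.create(GrpcAuthorizationEngine.AuthConfig.create(policyMatchers, action)));
    }

    /** Builds a matcher on the requested server name. */
    private static GrpcAuthorizationEngine.RequestedServerNameMatcher parseRequestedServerNameMatcher(StringMatcher stringMatcher) {
        return GrpcAuthorizationEngine.RequestedServerNameMatcher.create(MatcherParser.parseStringMatcher(stringMatcher));
    }

    /**
     * Converts the address prefix of a CIDR range into an {@link InetAddress}.
     *
     * @throws IllegalArgumentException if the prefix cannot be turned into an address
     */
    private static InetAddress resolve(CidrRange cidrRange) {
        try {
            // NOTE(review): InetAddress.getByName also accepts host names and resolves them, so
            // a non-literal address_prefix would cause a name lookup while parsing config.
            // Confirm the prefix is validated as an IP literal upstream, or validate it here.
            return InetAddress.getByName(cidrRange.getAddressPrefix());
        } catch (UnknownHostException e2) {
            // Same message as before; the cause is now kept for diagnosis.
            throw new IllegalArgumentException("IP address can not be found: " + e2, e2);
        }
    }

    /**
     * Builds the authorization interceptor for a route.
     *
     * @param filterConfig the filter-level config; must not be null
     * @param filterConfig2 the per-route override; when non-null it replaces {@code filterConfig}
     *     entirely
     * @return the interceptor, or null when the effective config carries no auth config
     */
    @Override
    @Nullable
    public ServerInterceptor buildServerInterceptor(Filter.FilterConfig filterConfig, @Nullable Filter.FilterConfig filterConfig2) {
        Preconditions.checkNotNull(filterConfig, "config");
        Filter.FilterConfig effectiveConfig = filterConfig2 != null ? filterConfig2 : filterConfig;
        GrpcAuthorizationEngine.AuthConfig authConfig = ((RbacConfig) effectiveConfig).authConfig();
        // A null auth config means no interceptor is installed, so calls on this route are not
        // checked by this filter.
        return authConfig == null ? null : generateAuthorizationInterceptor(authConfig);
    }

    /**
     * Parses the filter-level config, which must be an {@link Any} wrapping the RBAC filter
     * message.
     *
     * @return the parsed config, or an error for a wrong message type or an invalid proto
     */
    @Override
    public Filter.ConfigOrError<RbacConfig> parseFilterConfig(Message message) {
        if (!(message instanceof Any)) {
            return Filter.ConfigOrError.fromError("Invalid config type: " + message.getClass());
        }
        Any packed = (Any) message;
        try {
            return parseRbacConfig(packed.unpack(io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC.class));
        } catch (InvalidProtocolBufferException e2) {
            return Filter.ConfigOrError.fromError("Invalid proto: " + e2);
        }
    }

    /**
     * Parses the per-route override, which must be an {@link Any} wrapping an
     * {@code RBACPerRoute} message.
     *
     * @return the parsed override; an override without an {@code rbac} field yields a config with
     *     a null auth config
     */
    @Override
    public Filter.ConfigOrError<RbacConfig> parseFilterConfigOverride(Message message) {
        if (!(message instanceof Any)) {
            return Filter.ConfigOrError.fromError("Invalid config type: " + message.getClass());
        }
        Any packed = (Any) message;
        try {
            RBACPerRoute perRoute = packed.unpack(RBACPerRoute.class);
            if (perRoute.hasRbac()) {
                return parseRbacConfig(perRoute.getRbac());
            }
            return Filter.ConfigOrError.fromConfig(RbacConfig.create(null));
        } catch (InvalidProtocolBufferException e2) {
            return Filter.ConfigOrError.fromError("Invalid proto: " + e2);
        }
    }

    /** Returns the type URLs of the filter config and of its per-route override. */
    @Override
    public String[] typeUrls() {
        return new String[]{TYPE_URL, TYPE_URL_OVERRIDE_CONFIG};
    }
}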
