package com.uid2.shared.secure.gcpoidc;

import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.uid2.shared.Utils;
import com.uid2.shared.secure.AttestationClientException;
import com.uid2.shared.secure.AttestationException;
import com.uid2.shared.secure.AttestationFailure;
import com.uid2.shared.util.UrlEquivalenceValidator;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.collections4.MapUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/uid2/shared/secure/gcpoidc/PolicyValidator.class */
public class PolicyValidator implements IPolicyValidator {
    public static final String EU_REGION_PREFIX = "europe";
    private final String attestationUrl;
    private static final Logger LOGGER = LoggerFactory.getLogger(PolicyValidator.class);
    public static final String ENV_ENVIRONMENT = "DEPLOYMENT_ENVIRONMENT";
    public static final String ENV_OPERATOR_API_KEY_SECRET_NAME = "API_TOKEN_SECRET_NAME";
    private static final List<String> REQUIRED_ENV_OVERRIDES = ImmutableList.of(ENV_ENVIRONMENT, ENV_OPERATOR_API_KEY_SECRET_NAME);
    public static final String ENV_CORE_ENDPOINT = "CORE_BASE_URL";
    public static final String ENV_OPT_OUT_ENDPOINT = "OPTOUT_BASE_URL";
    public static final String ENV_DEBUG_MODE = "DEBUG_MODE";
    public static final String ENV_SKIP_VALIDATIONS = "SKIP_VALIDATIONS";
    private static final Map<Environment, List<String>> OPTIONAL_ENV_OVERRIDES_MAP = ImmutableMap.of(Environment.Production, ImmutableList.of(ENV_CORE_ENDPOINT, ENV_OPT_OUT_ENDPOINT), Environment.Integration, ImmutableList.of(ENV_CORE_ENDPOINT, ENV_OPT_OUT_ENDPOINT, ENV_DEBUG_MODE, ENV_SKIP_VALIDATIONS));

    public PolicyValidator(String str) {
        this.attestationUrl = str;
    }

    @Override // com.uid2.shared.secure.gcpoidc.IPolicyValidator
    public String getVersion() {
        return "V1";
    }

    @Override // com.uid2.shared.secure.gcpoidc.IPolicyValidator
    public String validate(TokenPayload tokenPayload) throws AttestationException {
        checkRegion(tokenPayload);
        boolean checkConfidentialSpace = checkConfidentialSpace(tokenPayload);
        String checkWorkload = checkWorkload(tokenPayload);
        checkCmdOverrides(tokenPayload);
        return generateEnclaveId(checkConfidentialSpace, checkWorkload, checkEnvOverrides(tokenPayload));
    }

    private static boolean checkConfidentialSpace(TokenPayload tokenPayload) throws AttestationException {
        if (!tokenPayload.isConfidentialSpaceSW()) {
            throw new AttestationClientException("Unexpected SW_NAME: " + tokenPayload.getSwName(), AttestationFailure.BAD_FORMAT);
        }
        boolean isDebugMode = tokenPayload.isDebugMode();
        if (isDebugMode || tokenPayload.isStableVersion()) {
            return isDebugMode;
        }
        throw new AttestationClientException("Confidential space image version is not stable.", AttestationFailure.BAD_FORMAT);
    }

    private static String checkWorkload(TokenPayload tokenPayload) throws AttestationException {
        if (tokenPayload.isRestartPolicyNever()) {
            return tokenPayload.getWorkloadImageDigest();
        }
        throw new AttestationClientException("Restart policy is not set to Never. Value: " + tokenPayload.getRestartPolicy(), AttestationFailure.BAD_FORMAT);
    }

    private static String checkRegion(TokenPayload tokenPayload) throws AttestationException {
        String gceZone = tokenPayload.getGceZone();
        if (Strings.isNullOrEmpty(gceZone) || gceZone.startsWith(EU_REGION_PREFIX)) {
            throw new AttestationClientException("Region is not supported. Value: " + gceZone, AttestationFailure.BAD_FORMAT);
        }
        return gceZone;
    }

    private static void checkCmdOverrides(TokenPayload tokenPayload) throws AttestationException {
        if (!CollectionUtils.isEmpty(tokenPayload.getCmdOverrides())) {
            throw new AttestationClientException("Payload should not have cmd overrides", AttestationFailure.BAD_FORMAT);
        }
    }

    private Environment checkEnvOverrides(TokenPayload tokenPayload) throws AttestationException {
        Map<String, String> envOverrides = tokenPayload.getEnvOverrides();
        if (MapUtils.isEmpty(envOverrides)) {
            throw new AttestationClientException("env overrides should not be empty", AttestationFailure.BAD_FORMAT);
        }
        HashMap hashMap = new HashMap(envOverrides);
        for (String str : REQUIRED_ENV_OVERRIDES) {
            if (Strings.isNullOrEmpty((String) hashMap.get(str))) {
                throw new AttestationClientException("Required env override is missing. key: " + str, AttestationFailure.BAD_FORMAT);
            }
        }
        Environment fromString = Environment.fromString((String) hashMap.get(ENV_ENVIRONMENT));
        if (fromString == null) {
            throw new AttestationClientException("Environment can not be parsed. " + ((String) hashMap.get(ENV_ENVIRONMENT)), AttestationFailure.BAD_FORMAT);
        }
        Iterator<String> it = REQUIRED_ENV_OVERRIDES.iterator();
        while (it.hasNext()) {
            hashMap.remove(it.next());
        }
        List<String> list = OPTIONAL_ENV_OVERRIDES_MAP.get(fromString);
        if (!CollectionUtils.isEmpty(list)) {
            Iterator<String> it2 = list.iterator();
            while (it2.hasNext()) {
                hashMap.remove(it2.next());
            }
        }
        checkAttestationUrl(new HashMap<>(envOverrides));
        if (hashMap.isEmpty()) {
            return fromString;
        }
        throw new AttestationClientException("More env overrides than allowed. " + String.valueOf(hashMap), AttestationFailure.BAD_FORMAT);
    }

    private void checkAttestationUrl(HashMap<String, String> hashMap) throws AttestationException {
        if (Strings.isNullOrEmpty(hashMap.get(ENV_CORE_ENDPOINT))) {
            return;
        }
        String str = hashMap.get(ENV_CORE_ENDPOINT);
        if (!UrlEquivalenceValidator.areUrlsEquivalent(str, this.attestationUrl).booleanValue()) {
            throw new AttestationClientException("The given attestation URL is unknown. Given URL: " + str, AttestationFailure.UNKNOWN_ATTESTATION_URL);
        }
    }

    private String generateEnclaveId(boolean z, String str, Environment environment) throws AttestationException {
        String format = String.format("%s,%s,%s", getVersion(), Boolean.valueOf(z), str);
        LOGGER.info("Meta used to generate GCP EnclaveId: " + format);
        try {
            return getSha256Base64Encoded(format);
        } catch (NoSuchAlgorithmException e) {
            throw new AttestationException(e);
        }
    }

    private static String getSha256Base64Encoded(String str) throws NoSuchAlgorithmException {
        MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
        messageDigest.update(str.getBytes(StandardCharsets.US_ASCII));
        return Utils.toBase64String(messageDigest.digest());
    }
}
