package com.uid2.shared.secure.gcp;

import com.google.api.client.googleapis.javanet.GoogleNetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.gax.paging.Page;
import com.google.api.services.compute.Compute;
import com.google.api.services.compute.model.AttachedDisk;
import com.google.api.services.compute.model.Disk;
import com.google.api.services.compute.model.Instance;
import com.google.api.services.compute.model.Metadata;
import com.google.auth.http.HttpCredentialsAdapter;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.cloud.audit.AuditLog;
import com.google.cloud.logging.LogEntry;
import com.google.cloud.logging.Logging;
import com.google.cloud.logging.LoggingOptions;
import com.google.protobuf.Any;
import com.google.protobuf.InvalidProtocolBufferException;
import com.uid2.shared.Utils;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/uid2/shared/secure/gcp/VmConfigVerifier.class */
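/**
 * Derives an attestation identity (a "VM config id") for a GCP Compute Engine instance.
 *
 * <p>The id is a base64 SHA-256 over the concatenation of per-item digests read through the
 * Compute API with the configured credentials: the source image of every attached disk and the
 * {@code user-data} metadata item (with enclave parameter values blanked out by
 * {@link #templatizeVmConfig(String)}). Before an id is issued the instance's Cloud Audit Logs
 * are scanned and the instance is rejected if any logged operation other than
 * {@code v1.compute.instances.insert} is found.
 *
 * <p>Every check fails closed: a non-boot or non-auto-delete disk, a disk without a source
 * image, a forbidden metadata key, an unexpected audit-log operation, or any exception while
 * talking to Google APIs yields a {@link VmConfigId#failure} instead of an id.
 *
 * <p>No instance state is mutated after construction.
 */
public class VmConfigVerifier {
    private static final Logger LOGGER = LoggerFactory.getLogger(VmConfigVerifier.class);
    // Prefix prepended to every configured enclave parameter name, see normalizeEnclaveParam().
    private static final String ENCLAVE_PARAM_PREFIX = "UID2_ENCLAVE_";
    // Only used to decide whether API clients were built; the clients hold their own copy.
    private final GoogleCredentials credentials;
    // Not consulted in this class; presumably read by callers to decide which checks to run.
    public static final boolean VALIDATE_AUDITLOGS = true;
    public static final boolean VALIDATE_VMCONFIG = true;
    // Enclave parameter names (without prefix) whose values are replaced before hashing
    // user-data; null disables templating entirely.
    private final Set<String> enclaveParams;
    // The only audit-logged Compute operation an attested instance may have undergone.
    private final Set<String> allowedMethodsFromInstanceAuditLogs = Collections.singleton("v1.compute.instances.insert");
    // Metadata keys that would let arbitrary scripts run at boot/shutdown; any of these fails attestation.
    private final Set<String> forbiddenMetadataKeys = Collections.unmodifiableSet(new HashSet<>(Arrays.asList("startup-script", "startup-script-url", "shutdown-script", "shutdown-script-url", "sysprep-specialize-script-ps1", "sysprep-specialize-script-cmd", "sysprep-specialize-script-bat", "sysprep-specialize-script-url", "windows-startup-script-ps1", "windows-startup-script-cmd", "windows-startup-script-bat", "windows-startup-script-url", "windows-shutdown-script-cmd")));
    private final Compute computeApi;
    private final Logging loggingApi;

    /**
     * Creates a verifier bound to the given credentials.
     *
     * @param googleCredentials credentials for the Compute and Logging APIs; when {@code null}
     *     no API clients are built and {@link #getVmConfigId} always returns a failure
     * @param set allowed enclave parameter names (without the {@code UID2_ENCLAVE_} prefix);
     *     {@code null} disables templating in {@link #templatizeVmConfig}
     * @throws Exception if the trusted HTTP transport or an API client cannot be created
     */
    public VmConfigVerifier(GoogleCredentials googleCredentials, Set<String> set) throws Exception {
        this.credentials = googleCredentials;
        if (googleCredentials != null) {
            // NOTE(review): log only the credential type. toString() on some GoogleCredentials
            // subtypes includes request metadata / token material, which must not reach the logs.
            LOGGER.info("Using Google Service Account credentials of type: " + googleCredentials.getClass().getSimpleName());
            this.computeApi = new Compute.Builder(
                    GoogleNetHttpTransport.newTrustedTransport(),
                    GsonFactory.getDefaultInstance(),
                    new HttpCredentialsAdapter(googleCredentials))
                .setApplicationName("UID-Operator/2.0")
                .build();
            this.loggingApi = LoggingOptions.newBuilder().setCredentials(googleCredentials).build().getService();
        } else {
            this.computeApi = null;
            this.loggingApi = null;
        }
        this.enclaveParams = set;
        if (set != null) {
            for (String param : set) {
                LOGGER.info("Allowed Enclave Parameter: " + normalizeEnclaveParam(param));
            }
        }
    }

    /**
     * Computes the VM config id for the instance described by {@code instanceDocument}.
     *
     * <p>Steps, in order, each failing closed:
     * <ol>
     *   <li>Fetch the instance; every attached disk must be a boot disk with auto-delete set,
     *       and the source image of each disk (looked up through the Disks API) is digested.</li>
     *   <li>Walk instance metadata: {@code user-data} is templatized and digested; any key in
     *       {@code forbiddenMetadataKeys} (startup/shutdown/sysprep scripts) is rejected.</li>
     *   <li>Scan the instance's Cloud Audit Logs; any operation other than the allowed insert
     *       is rejected.</li>
     * </ol>
     * Digests are appended in the order the API returns disks and metadata items, and the final
     * id hashes that concatenation, so API ordering is part of the identity.
     *
     * @param instanceDocument identifies the project, zone and instance to inspect
     * @return a success id carrying the SHA-256 over the concatenated digests, or a failure with
     *     a reason; never throws — any exception (API, parse or null-dereference) is logged and
     *     turned into a failure
     */
    public VmConfigId getVmConfigId(InstanceDocument instanceDocument) {
        String projectId = instanceDocument.getProjectId();
        try {
            if (this.computeApi == null || this.loggingApi == null) {
                // Constructed without credentials: nothing can be verified.
                return VmConfigId.failure("google api clients not configured", projectId);
            }
            LOGGER.debug("Issuing instance get request...");
            Instance instance = this.computeApi.instances()
                .get(projectId, instanceDocument.getZone(), instanceDocument.getInstanceId())
                .execute();

            StringBuilder digests = new StringBuilder();

            List<AttachedDisk> disks = instance.getDisks();
            if (disks == null) {
                return VmConfigId.failure("!disk.list", projectId);
            }
            for (AttachedDisk disk : disks) {
                // Boolean.TRUE.equals() treats an absent flag as false, i.e. fails closed.
                if (!Boolean.TRUE.equals(disk.getAutoDelete())) {
                    return VmConfigId.failure("!disk.autodelete", projectId);
                }
                if (!Boolean.TRUE.equals(disk.getBoot())) {
                    return VmConfigId.failure("!disk.getboot", projectId);
                }
                String sourceImage = getDiskSourceImage(disk.getSource());
                if (sourceImage == null) {
                    // A disk with no source image cannot be attested against an image digest.
                    return VmConfigId.failure("!disk.sourceimage", projectId);
                }
                digests.append(getSha256Base64Encoded(sourceImage));
            }

            Metadata metadata = instance.getMetadata();
            if (metadata == null || metadata.getItems() == null) {
                return VmConfigId.failure("!metadata", projectId);
            }
            for (Metadata.Items item : metadata.getItems()) {
                String key = item.getKey();
                if (key == null) {
                    return VmConfigId.failure("!metadata.key", projectId);
                }
                if ("user-data".equals(key)) {
                    digests.append(getSha256Base64Encoded(templatizeVmConfig(item.getValue())));
                } else if (this.forbiddenMetadataKeys.contains(key)) {
                    LOGGER.debug("gcp-vmid attestation got forbidden metadata key: " + key);
                    return VmConfigId.failure("forbidden metadata key: " + key, projectId);
                }
            }

            String unauthorizedMethod = findUnauthorizedAuditLog(instanceDocument);
            if (unauthorizedMethod != null) {
                LOGGER.debug("attestation failed because of audit log: " + unauthorizedMethod);
                return VmConfigId.failure("bad audit log: " + unauthorizedMethod, projectId);
            }
            return VmConfigId.success(getSha256Base64Encoded(digests.toString()), projectId);
        } catch (Exception e) {
            // Fail closed on any error. getMessage() can be null (e.g. NullPointerException),
            // so fall back to the exception type so the failure reason is never null.
            LOGGER.error("getVmConfigId error " + e.getMessage(), e);
            String reason = e.getMessage() != null ? e.getMessage() : e.getClass().getName();
            return VmConfigId.failure(reason, projectId);
        }
    }

    /**
     * Replaces the value of every allowed enclave parameter in a systemd-style
     * {@code Environment="UID2_ENCLAVE_NAME=value"} line with {@code dummy}, so that the hashed
     * user-data is independent of the deployment-specific values of those parameters.
     *
     * <p>The match is per line (MULTILINE); the single wildcard after {@code Environment=} is
     * kept from the original pattern and presumably stands for the opening quote. Parameter
     * names are regex-quoted so that metacharacters in a configured name are matched literally.
     *
     * @param str the raw user-data; returned unchanged when no enclave parameters are configured
     * @return the user-data with parameter values blanked
     */
    public String templatizeVmConfig(String str) {
        if (this.enclaveParams == null) {
            return str;
        }
        String result = str;
        for (String param : this.enclaveParams) {
            Pattern line = Pattern.compile(
                String.format("^([ \t]*Environment=.%s)=.+?\"$", Pattern.quote(normalizeEnclaveParam(param))),
                Pattern.MULTILINE);
            result = line.matcher(result).replaceAll("$1=dummy\"");
        }
        return result;
    }

    /**
     * Builds the Cloud Logging filter selecting AuditLog entries (activity and data_access logs)
     * for the given instance.
     *
     * <p>NOTE(review): project id and instance id are interpolated unquoted; this relies on the
     * caller having obtained them from a verified source (e.g. the signed instance document).
     */
    private String getAuditLogFilter(InstanceDocument instanceDocument) {
        return String.format("resource.type=gce_instance  AND (    logName=projects/%s/logs/cloudaudit.googleapis.com%%2Factivity    OR logName=projects/%s/logs/cloudaudit.googleapis.com%%2Fdata_access  )  AND protoPayload.\"@type\"=\"type.googleapis.com/google.cloud.audit.AuditLog\"  AND resource.labels.instance_id=%s", instanceDocument.getProjectId(), instanceDocument.getProjectId(), instanceDocument.getInstanceId());
    }

    /**
     * Scans all AuditLog entries for the instance and returns the first method name that is
     * not in {@code allowedMethodsFromInstanceAuditLogs}, or {@code null} if every logged
     * operation is allowed.
     *
     * @throws InvalidProtocolBufferException if an entry's payload is not a valid AuditLog proto
     */
    private String findUnauthorizedAuditLog(InstanceDocument instanceDocument) throws InvalidProtocolBufferException {
        LOGGER.debug("Searching AuditLogs...");
        Page<LogEntry> firstPage = this.loggingApi.listLogEntries(
            Logging.EntryListOption.filter(getAuditLogFilter(instanceDocument)));
        // iterateAll() already follows next-page links, so no manual getNextPage() loop is
        // needed (the previous loop re-walked every later page once per page).
        for (LogEntry entry : firstPage.iterateAll()) {
            AuditLog auditLog = AuditLog.parseFrom(((Any) entry.getPayload().getData()).getValue());
            if (!validateAuditLog(auditLog)) {
                return auditLog.getMethodName();
            }
        }
        return null;
    }

    /**
     * Returns whether the logged operation is one an attested instance is allowed to have
     * undergone; logs a warning for any other method.
     */
    private boolean validateAuditLog(AuditLog auditLog) {
        String method = auditLog.getMethodName();
        LOGGER.debug("Validating AuditLog for operation: " + method);
        if (this.allowedMethodsFromInstanceAuditLogs.contains(method)) {
            return true;
        }
        LOGGER.warn("gcp-vmid attestation receives unauthorized method: " + method);
        return false;
    }

    /**
     * Looks up the source image of a disk from the disk's full resource URL as returned in
     * {@link AttachedDisk#getSource()}, e.g.
     * {@code https://www.googleapis.com/compute/v1/projects/P/zones/Z/disks/D}.
     *
     * @param diskSourceUrl full disk resource URL
     * @return the disk's source image URL, or {@code null} if the Disks API reports none
     * @throws IllegalArgumentException if the URL is missing or does not have the expected
     *     {@code .../projects/P/zones/Z/disks/D} shape (the caller turns this into a failure)
     * @throws IOException on Disks API errors
     */
    private String getDiskSourceImage(String diskSourceUrl) throws IOException {
        if (diskSourceUrl == null) {
            throw new IllegalArgumentException("disk has no source url");
        }
        String[] segments = diskSourceUrl.split("/");
        // Expected layout: [.., "projects", P, "zones", Z, "disks", D] at indices 5..10.
        if (segments.length < 11
                || !"projects".equals(segments[5])
                || !"zones".equals(segments[7])
                || !"disks".equals(segments[9])) {
            throw new IllegalArgumentException("unexpected disk source url: " + diskSourceUrl);
        }
        String project = segments[6];
        String zone = segments[8];
        String diskName = segments[10];
        LOGGER.debug("Issuing disk get request for " + diskName + "...");
        Disk disk = this.computeApi.disks().get(project, zone, diskName).execute();
        return disk.getSourceImage();
    }

    /**
     * Returns the base64 SHA-256 of {@code str}.
     *
     * <p>NOTE(review): the input is encoded as US-ASCII, so any non-ASCII character is replaced
     * before hashing and distinct non-ASCII inputs can collide. Kept as-is because changing the
     * encoding would change every issued id.
     *
     * @throws NoSuchAlgorithmException if SHA-256 is unavailable in the runtime
     */
    private String getSha256Base64Encoded(String str) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        digest.update(str.getBytes(StandardCharsets.US_ASCII));
        return Utils.toBase64String(digest.digest());
    }

    /**
     * Maps a configured parameter name to the environment variable name it appears under in
     * user-data: the {@code UID2_ENCLAVE_} prefix plus the name upper-cased. Locale-independent
     * so the result does not depend on the JVM's default locale.
     */
    private static String normalizeEnclaveParam(String str) {
        return ENCLAVE_PARAM_PREFIX + str.toUpperCase(Locale.ROOT);
    }
}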
