package com.uid2.shared.secure.azurecc;

import com.google.common.base.Strings;
import com.uid2.shared.secure.AttestationClientException;
import com.uid2.shared.secure.AttestationFailure;
import com.uid2.shared.util.UrlEquivalenceValidator;
import java.util.Locale;

/* loaded from: input_file:com/uid2/shared/secure/azurecc/PolicyValidator.class */
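/**
 * Checks the claims of an MAA token payload before an attested peer is accepted.
 *
 * <p>{@link #validate} runs four checks in a fixed order (VM type, location, public key,
 * attestation URL) and throws {@link AttestationClientException} on the first one that
 * fails. The CCE policy digest is returned to the caller and is not compared against
 * anything in this class.
 *
 * <p>NOTE(review): every check dereferences {@code getRuntimeData()} without a null test;
 * confirm the payload parser guarantees it is non-null, otherwise a malformed token
 * surfaces as a {@link NullPointerException} rather than an attestation failure.
 */
public class PolicyValidator implements IPolicyValidator {
    // Lower-case substrings of location names that are rejected by verifyLocation.
    private static final String LOCATION_CHINA = "china";
    private static final String LOCATION_EU = "europe";

    // Attestation URL this validator expects attested peers to report; never reassigned.
    private final String attestationUrl;

    /**
     * @param str the attestation URL that a payload's decoded attestation URL must be
     *     equivalent to
     */
    public PolicyValidator(String str) {
        this.attestationUrl = str;
    }

    /**
     * Validates the payload and returns its CCE policy digest.
     *
     * @param maaTokenPayload claims extracted from the MAA token
     * @param str the public key the caller expects to find in the payload's runtime data
     * @return the payload's CCE policy digest, unchanged
     * @throws AttestationClientException if any of the four checks fails
     */
    @Override
    public String validate(MaaTokenPayload maaTokenPayload, String str) throws AttestationClientException {
        verifyVM(maaTokenPayload);
        verifyLocation(maaTokenPayload);
        verifyPublicKey(maaTokenPayload, str);
        verifyAttestationUrl(maaTokenPayload);
        return maaTokenPayload.getCcePolicyDigest();
    }

    /**
     * Requires the public key in the runtime data to equal the expected key exactly.
     *
     * @throws AttestationClientException with {@code BAD_FORMAT} if the expected key is
     *     null or empty, or if the two keys differ
     */
    private void verifyPublicKey(MaaTokenPayload maaTokenPayload, String expectedPublicKey)
            throws AttestationClientException {
        if (Strings.isNullOrEmpty(expectedPublicKey)) {
            throw new AttestationClientException("public key to check is null or empty", AttestationFailure.BAD_FORMAT);
        }
        String runtimePublicKey = maaTokenPayload.getRuntimeData().getPublicKey();
        // equals() is called on the non-empty expected key, so a null runtime key is a mismatch.
        if (!expectedPublicKey.equals(runtimePublicKey)) {
            throw new AttestationClientException(
                    String.format(
                            "Public key in payload does not match expected value. More info: runtime(%s), expected(%s)",
                            runtimePublicKey,
                            expectedPublicKey),
                    AttestationFailure.BAD_FORMAT);
        }
    }

    /**
     * Rejects a payload whose decoded attestation URL is not equivalent to the configured one.
     *
     * <p>NOTE(review): a payload that carries no attestation URL skips this check entirely,
     * so the binding to {@code attestationUrl} is only enforced when the peer reports a URL.
     * Presumably kept for peers that do not report one; confirm that this fail-open path is
     * intended.
     *
     * @throws AttestationClientException with {@code UNKNOWN_ATTESTATION_URL} on a mismatch
     */
    private void verifyAttestationUrl(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
        String reportedUrl = maaTokenPayload.getRuntimeData().getDecodedAttestationUrl();
        if (reportedUrl == null) {
            return;
        }
        if (!UrlEquivalenceValidator.areUrlsEquivalent(reportedUrl, this.attestationUrl)) {
            throw new AttestationClientException(
                    "The given attestation URL is unknown. Given URL: " + reportedUrl,
                    AttestationFailure.UNKNOWN_ATTESTATION_URL);
        }
    }

    /**
     * Requires a SEV-SNP VM that is utility-VM compliant and not debuggable.
     *
     * @throws AttestationClientException with {@code BAD_FORMAT} if any of the three
     *     conditions is not met
     */
    private void verifyVM(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
        if (!maaTokenPayload.isSevSnpVM()) {
            throw new AttestationClientException("Not in SevSnp VM", AttestationFailure.BAD_FORMAT);
        }
        if (!maaTokenPayload.isUtilityVMCompliant()) {
            throw new AttestationClientException("Not run in Azure Compliance Utility VM", AttestationFailure.BAD_FORMAT);
        }
        if (maaTokenPayload.isVmDebuggable()) {
            throw new AttestationClientException("The underlying hardware should not run in debug mode", AttestationFailure.BAD_FORMAT);
        }
    }

    /**
     * Rejects payloads with no location, or with a location naming a denied region.
     *
     * <p>The match is a case-insensitive substring test against a deny-list, so any
     * location that contains neither substring is accepted.
     *
     * @throws AttestationClientException with {@code BAD_PAYLOAD} if the location is
     *     missing or denied
     */
    private void verifyLocation(MaaTokenPayload maaTokenPayload) throws AttestationClientException {
        String location = maaTokenPayload.getRuntimeData().getLocation();
        if (Strings.isNullOrEmpty(location)) {
            throw new AttestationClientException("Location is not specified.", AttestationFailure.BAD_PAYLOAD);
        }
        // Locale.ROOT keeps the folding independent of the JVM default locale: under a
        // Turkish or Azeri default, "CHINA" lower-cases to a dotless-i form that would
        // not contain "china", and the deny-list entry would be missed.
        String normalized = location.toLowerCase(Locale.ROOT);
        if (normalized.contains(LOCATION_CHINA) || normalized.contains(LOCATION_EU)) {
            throw new AttestationClientException("Location is not supported. Value: " + location, AttestationFailure.BAD_PAYLOAD);
        }
    }
}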
