package io.grpc.xds.internal.rbac.engine;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import io.grpc.xds.internal.rbac.engine.AuthorizationDecision;
import io.grpc.xds.internal.rbac.engine.cel.Activation;
import io.grpc.xds.internal.rbac.engine.cel.DefaultDispatcher;
import io.grpc.xds.internal.rbac.engine.cel.DefaultInterpreter;
import io.grpc.xds.internal.rbac.engine.cel.DescriptorMessageProvider;
import io.grpc.xds.internal.rbac.engine.cel.IncompleteData;
import io.grpc.xds.internal.rbac.engine.cel.InterpreterException;
import io.grpc.xds.shaded.com.google.api.expr.v1alpha1.Expr;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v2.Policy;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.rbac.v2.RBAC;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:io/grpc/xds/internal/rbac/engine/AuthorizationEngine.class */
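/**
 * Evaluates RBAC policies whose conditions are CEL expressions and produces an
 * {@link AuthorizationDecision} of ALLOW, DENY or UNKNOWN.
 *
 * <p>Only the condition expression of each {@link Policy} is retained (see
 * {@link #conditionsOf(RBAC)}); this class does not consult any other part of a policy.
 *
 * <p>Decision order implemented by {@link #evaluate(EvaluateArgs)}:
 * <ol>
 *   <li>DENY policies are evaluated first; the first matching one yields DENY.</li>
 *   <li>If no DENY policy matched but at least one could not be evaluated, the result is
 *       UNKNOWN and ALLOW policies are not consulted.</li>
 *   <li>ALLOW policies are evaluated next; the first matching one yields ALLOW.</li>
 *   <li>With nothing matched, the result is DENY unless the engine holds only a DENY
 *       policy set, in which case it is ALLOW.</li>
 * </ol>
 *
 * <p>NOTE(review): callers presumably have to treat UNKNOWN as "not authorized"; verify at
 * the call site, since this class only reports it.
 */
public class AuthorizationEngine {
    private static final Logger log = Logger.getLogger(AuthorizationEngine.class.getName());

    /** Engine for the ALLOW policy set, or {@code null} when none was supplied. */
    private final RbacEngine allowEngine;
    /** Engine for the DENY policy set, or {@code null} when none was supplied. */
    private final RbacEngine denyEngine;

    /** Immutable pairing of an RBAC action with its policy-name to condition map. */
    private static class RbacEngine {
        private final RBAC.Action action;
        private final ImmutableMap<String, Expr> conditions;

        public RbacEngine(RBAC.Action action, ImmutableMap<String, Expr> immutableMap) {
            this.action = Preconditions.checkNotNull(action);
            this.conditions = Preconditions.checkNotNull(immutableMap);
        }
    }

    /**
     * Creates an engine from a single RBAC policy set.
     *
     * <p>If the action is neither ALLOW nor DENY, both engines stay {@code null} and
     * {@link #evaluate(EvaluateArgs)} then always returns DENY (fail closed).
     *
     * @param rbac the policy set; its action selects whether it is used as ALLOW or DENY
     */
    public AuthorizationEngine(RBAC rbac) {
        ImmutableMap<String, Expr> conditions = conditionsOf(rbac);
        RBAC.Action action = rbac.getAction();
        this.allowEngine =
            action == RBAC.Action.ALLOW ? new RbacEngine(RBAC.Action.ALLOW, conditions) : null;
        this.denyEngine =
            action == RBAC.Action.DENY ? new RbacEngine(RBAC.Action.DENY, conditions) : null;
    }

    /**
     * Creates an engine from a DENY policy set followed by an ALLOW policy set.
     *
     * @param rbac the policy set with DENY action
     * @param rbac2 the policy set with ALLOW action
     * @throws IllegalArgumentException if the actions are not DENY followed by ALLOW
     */
    public AuthorizationEngine(RBAC rbac, RBAC rbac2) {
        Preconditions.checkArgument(rbac.getAction() == RBAC.Action.DENY && rbac2.getAction() == RBAC.Action.ALLOW, "Invalid RBAC list, must provide a RBAC with DENY action followed by a RBAC with ALLOW action. ");
        this.denyEngine = new RbacEngine(RBAC.Action.DENY, conditionsOf(rbac));
        this.allowEngine = new RbacEngine(RBAC.Action.ALLOW, conditionsOf(rbac2));
    }

    /** Copies each policy's condition into an immutable map, keeping the policies' iteration order. */
    private static ImmutableMap<String, Expr> conditionsOf(RBAC rbac) {
        Map<String, Expr> conditions = new LinkedHashMap<>();
        for (Map.Entry<String, Policy> policy : rbac.getPoliciesMap().entrySet()) {
            conditions.put(policy.getKey(), policy.getValue().getCondition());
        }
        return ImmutableMap.copyOf(conditions);
    }

    /**
     * Evaluates the configured policies against the attributes of one request.
     *
     * @param evaluateArgs source of the Envoy attributes the conditions are evaluated against
     * @return the decision; its list holds the matching policy name, the names of the
     *     policies that could not be evaluated (UNKNOWN), or nothing when no policy matched
     */
    public AuthorizationDecision evaluate(EvaluateArgs evaluateArgs) {
        List<String> unknownPolicyNames = new ArrayList<>();
        Activation activation = Activation.copyOf(evaluateArgs.generateEnvoyAttributes());
        if (this.denyEngine != null) {
            AuthorizationDecision denyDecision = evaluateEngine(this.denyEngine.conditions.entrySet(), AuthorizationDecision.Output.DENY, unknownPolicyNames, activation);
            if (denyDecision != null) {
                return denyDecision;
            }
            // A DENY policy that failed to evaluate might have matched, so the ALLOW
            // policies are not consulted and the outcome is reported as UNKNOWN.
            if (!unknownPolicyNames.isEmpty()) {
                return new AuthorizationDecision(AuthorizationDecision.Output.UNKNOWN, unknownPolicyNames);
            }
        }
        if (this.allowEngine != null) {
            AuthorizationDecision allowDecision = evaluateEngine(this.allowEngine.conditions.entrySet(), AuthorizationDecision.Output.ALLOW, unknownPolicyNames, activation);
            if (allowDecision != null) {
                return allowDecision;
            }
            if (!unknownPolicyNames.isEmpty()) {
                return new AuthorizationDecision(AuthorizationDecision.Output.UNKNOWN, unknownPolicyNames);
            }
        }
        // Nothing matched. Only an engine made of a DENY policy set alone allows by
        // default; every other configuration (including no engine at all) denies.
        if (this.allowEngine == null && this.denyEngine != null) {
            return new AuthorizationDecision(AuthorizationDecision.Output.ALLOW, new ArrayList<String>());
        }
        return new AuthorizationDecision(AuthorizationDecision.Output.DENY, new ArrayList<String>());
    }

    /**
     * Evaluates the conditions in iteration order and returns a decision for the first match.
     *
     * @param set policy-name to condition entries to evaluate
     * @param output the decision output to report when a condition matches
     * @param list receives the name of every policy whose evaluation threw
     *     {@link InterpreterException}
     * @param activation the attribute bindings the conditions are evaluated against
     * @return the decision for the first matching policy, or {@code null} if none matched
     */
    protected AuthorizationDecision evaluateEngine(Set<Map.Entry<String, Expr>> set, AuthorizationDecision.Output output, List<String> list, Activation activation) {
        for (Map.Entry<String, Expr> entry : set) {
            try {
                // The call must sit inside the try: matches() throws the checked
                // InterpreterException, and a failed evaluation has to be recorded as an
                // unknown policy instead of escaping this method.
                if (matches(entry.getValue(), activation)) {
                    List<String> matchedPolicy = new ArrayList<>();
                    matchedPolicy.add(entry.getKey());
                    return new AuthorizationDecision(output, matchedPolicy);
                }
            } catch (InterpreterException e) {
                // Keep going: a later policy may still match and decide the request.
                list.add(entry.getKey());
            }
        }
        return null;
    }

    /**
     * Evaluates one condition against the given attribute bindings.
     *
     * @param expr the CEL condition of a policy
     * @param activation the attribute bindings
     * @return the Boolean result of the expression; {@code false} for any other result type
     *     except {@link IncompleteData}
     * @throws InterpreterException if evaluation fails or yields {@link IncompleteData}
     */
    protected boolean matches(Expr expr, Activation activation) throws InterpreterException {
        try {
            Object result = new DefaultInterpreter(DescriptorMessageProvider.dynamicMessages(new ArrayList<>()), DefaultDispatcher.create()).createInterpretable(expr).eval(activation);
            if (result instanceof Boolean) {
                return (Boolean) result;
            }
            if (result instanceof IncompleteData) {
                throw new InterpreterException.Builder("Envoy Attributes gotten are incomplete.", new Object[0]).build();
            }
            // NOTE(review): a result that is neither Boolean nor IncompleteData counts as
            // "no match"; for a DENY policy that means the policy silently does not apply.
            return false;
        } catch (InterpreterException e) {
            log.log(Level.WARNING, e.toString(), e);
            throw e;
        }
    }
}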
