package io.grpc.xds;

import com.google.auto.value.AutoValue;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.MoreObjects;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.protobuf.Duration;
import com.google.protobuf.InvalidProtocolBufferException;
import com.google.protobuf.Message;
import com.google.protobuf.Struct;
import com.google.protobuf.util.Durations;
import com.google.pubsub.kafka.source.CloudPubSubSourceConnector;
import io.grpc.LoadBalancerRegistry;
import io.grpc.internal.ServiceConfigUtil;
import io.grpc.xds.AutoValue_XdsClusterResource_CdsUpdate;
import io.grpc.xds.EnvoyServerProtoData;
import io.grpc.xds.client.Bootstrapper;
import io.grpc.xds.client.XdsClient;
import io.grpc.xds.client.XdsResourceType;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.cluster.v3.CircuitBreakers;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.cluster.v3.Cluster;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.cluster.v3.OutlierDetection;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.core.v3.RoutingPriority;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.core.v3.SocketAddress;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.endpoint.v3.ClusterLoadAssignment;
import io.grpc.xds.shaded.io.envoyproxy.envoy.config.endpoint.v3.LbEndpoint;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.clusters.aggregate.v3.ClusterConfig;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.CommonTlsContext;
import io.grpc.xds.shaded.io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nullable;

/* loaded from: input_file:io/grpc/xds/XdsClusterResource.class */
class XdsClusterResource extends XdsResourceType<CdsUpdate> {

    @VisibleForTesting
    static boolean enableLeastRequest;

    @VisibleForTesting
    static final String AGGREGATE_CLUSTER_TYPE_NAME = "envoy.clusters.aggregate";
    static final String ADS_TYPE_URL_CDS = "type.googleapis.com/envoy.config.cluster.v3.Cluster";
    private static final String TYPE_URL_UPSTREAM_TLS_CONTEXT = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext";
    private static final String TYPE_URL_UPSTREAM_TLS_CONTEXT_V2 = "type.googleapis.com/envoy.api.v2.auth.UpstreamTlsContext";
    private final LoadBalancerRegistry loadBalancerRegistry = LoadBalancerRegistry.getDefaultRegistry();
    private static final XdsClusterResource instance;

    /* JADX INFO: Access modifiers changed from: package-private */
    @AutoValue
    /* loaded from: input_file:io/grpc/xds/XdsClusterResource$CdsUpdate.class */
    public static abstract class CdsUpdate implements XdsClient.ResourceUpdate {

        /* JADX INFO: Access modifiers changed from: package-private */
        @AutoValue.Builder
        /* loaded from: input_file:io/grpc/xds/XdsClusterResource$CdsUpdate$Builder.class */
        public static abstract class Builder {
            protected abstract Builder clusterName(String str);

            protected abstract Builder clusterType(ClusterType clusterType);

            protected abstract Builder lbPolicyConfig(ImmutableMap<String, ?> immutableMap);

            Builder roundRobinLbPolicy() {
                return lbPolicyConfig(ImmutableMap.of(CloudPubSubSourceConnector.DEFAULT_KAFKA_PARTITION_SCHEME, ImmutableMap.of()));
            }

            Builder ringHashLbPolicy(Long l, Long l2) {
                return lbPolicyConfig(ImmutableMap.of("ring_hash_experimental", ImmutableMap.of("minRingSize", Double.valueOf(l.doubleValue()), "maxRingSize", Double.valueOf(l2.doubleValue()))));
            }

            Builder leastRequestLbPolicy(Integer num) {
                return lbPolicyConfig(ImmutableMap.of("least_request_experimental", ImmutableMap.of("choiceCount", Double.valueOf(num.doubleValue()))));
            }

            protected abstract Builder choiceCount(int i);

            protected abstract Builder minRingSize(long j);

            protected abstract Builder maxRingSize(long j);

            protected abstract Builder edsServiceName(String str);

            protected abstract Builder dnsHostName(String str);

            protected abstract Builder lrsServerInfo(Bootstrapper.ServerInfo serverInfo);

            protected abstract Builder maxConcurrentRequests(Long l);

            protected abstract Builder upstreamTlsContext(EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext);

            protected abstract Builder prioritizedClusterNames(List<String> list);

            protected abstract Builder outlierDetection(EnvoyServerProtoData.OutlierDetection outlierDetection);

            protected abstract Builder filterMetadata(ImmutableMap<String, Struct> immutableMap);

            abstract CdsUpdate build();
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:io/grpc/xds/XdsClusterResource$CdsUpdate$ClusterType.class */
        public enum ClusterType {
            EDS,
            LOGICAL_DNS,
            AGGREGATE
        }

        /* loaded from: input_file:io/grpc/xds/XdsClusterResource$CdsUpdate$LbPolicy.class */
        enum LbPolicy {
            ROUND_ROBIN,
            RING_HASH,
            LEAST_REQUEST
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract String clusterName();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract ClusterType clusterType();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract ImmutableMap<String, ?> lbPolicyConfig();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract long minRingSize();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract long maxRingSize();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract int choiceCount();

        /* JADX INFO: Access modifiers changed from: package-private */
        @Nullable
        public abstract String edsServiceName();

        /* JADX INFO: Access modifiers changed from: package-private */
        @Nullable
        public abstract String dnsHostName();

        /* JADX INFO: Access modifiers changed from: package-private */
        @Nullable
        public abstract Bootstrapper.ServerInfo lrsServerInfo();

        /* JADX INFO: Access modifiers changed from: package-private */
        @Nullable
        public abstract Long maxConcurrentRequests();

        /* JADX INFO: Access modifiers changed from: package-private */
        @Nullable
        public abstract EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext();

        /* JADX INFO: Access modifiers changed from: package-private */
        @Nullable
        public abstract ImmutableList<String> prioritizedClusterNames();

        /* JADX INFO: Access modifiers changed from: package-private */
        @Nullable
        public abstract EnvoyServerProtoData.OutlierDetection outlierDetection();

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract ImmutableMap<String, Struct> filterMetadata();

        private static Builder newBuilder(String str) {
            return new AutoValue_XdsClusterResource_CdsUpdate.Builder().clusterName(str).minRingSize(0L).maxRingSize(0L).choiceCount(0).filterMetadata(ImmutableMap.of());
        }

        static Builder forAggregate(String str, List<String> list) {
            Preconditions.checkNotNull(list, "prioritizedClusterNames");
            return newBuilder(str).clusterType(ClusterType.AGGREGATE).prioritizedClusterNames(ImmutableList.copyOf((Collection) list));
        }

        static Builder forEds(String str, @Nullable String str2, @Nullable Bootstrapper.ServerInfo serverInfo, @Nullable Long l, @Nullable EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext, @Nullable EnvoyServerProtoData.OutlierDetection outlierDetection) {
            return newBuilder(str).clusterType(ClusterType.EDS).edsServiceName(str2).lrsServerInfo(serverInfo).maxConcurrentRequests(l).upstreamTlsContext(upstreamTlsContext).outlierDetection(outlierDetection);
        }

        static Builder forLogicalDns(String str, String str2, @Nullable Bootstrapper.ServerInfo serverInfo, @Nullable Long l, @Nullable EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext) {
            return newBuilder(str).clusterType(ClusterType.LOGICAL_DNS).dnsHostName(str2).lrsServerInfo(serverInfo).maxConcurrentRequests(l).upstreamTlsContext(upstreamTlsContext);
        }

        public final String toString() {
            return MoreObjects.toStringHelper(this).add("clusterName", clusterName()).add("clusterType", clusterType()).add("lbPolicyConfig", lbPolicyConfig()).add("minRingSize", minRingSize()).add("maxRingSize", maxRingSize()).add("choiceCount", choiceCount()).add("edsServiceName", edsServiceName()).add("dnsHostName", dnsHostName()).add("lrsServerInfo", lrsServerInfo()).add("maxConcurrentRequests", maxConcurrentRequests()).add("prioritizedClusterNames", prioritizedClusterNames()).toString();
        }
    }

    XdsClusterResource() {
    }

    public static XdsClusterResource getInstance() {
        return instance;
    }

    @Override // io.grpc.xds.client.XdsResourceType
    @Nullable
    protected String extractResourceName(Message message) {
        if (message instanceof Cluster) {
            return ((Cluster) message).getName();
        }
        return null;
    }

    @Override // io.grpc.xds.client.XdsResourceType
    public String typeName() {
        return "CDS";
    }

    @Override // io.grpc.xds.client.XdsResourceType
    public String typeUrl() {
        return ADS_TYPE_URL_CDS;
    }

    @Override // io.grpc.xds.client.XdsResourceType
    public boolean shouldRetrieveResourceKeysForArgs() {
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // io.grpc.xds.client.XdsResourceType
    public boolean isFullStateOfTheWorld() {
        return true;
    }

    @Override // io.grpc.xds.client.XdsResourceType
    protected Class<Cluster> unpackedClassName() {
        return Cluster.class;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // io.grpc.xds.client.XdsResourceType
    public CdsUpdate doParse(XdsResourceType.Args args, Message message) throws XdsResourceType.ResourceInvalidException {
        if (!(message instanceof Cluster)) {
            throw new XdsResourceType.ResourceInvalidException("Invalid message type: " + message.getClass());
        }
        ImmutableSet<String> immutableSet = null;
        if (args.getBootstrapInfo() != null && args.getBootstrapInfo().certProviders() != null) {
            immutableSet = args.getBootstrapInfo().certProviders().keySet();
        }
        return processCluster((Cluster) message, immutableSet, args.getServerInfo(), this.loadBalancerRegistry);
    }

    @VisibleForTesting
    static CdsUpdate processCluster(Cluster cluster, Set<String> set, Bootstrapper.ServerInfo serverInfo, LoadBalancerRegistry loadBalancerRegistry) throws XdsResourceType.ResourceInvalidException {
        XdsResourceType.StructOrError<CdsUpdate.Builder> parseAggregateCluster;
        switch (cluster.getClusterDiscoveryTypeCase()) {
            case TYPE:
                parseAggregateCluster = parseNonAggregateCluster(cluster, set, serverInfo);
                break;
            case CLUSTER_TYPE:
                parseAggregateCluster = parseAggregateCluster(cluster);
                break;
            case CLUSTERDISCOVERYTYPE_NOT_SET:
            default:
                throw new XdsResourceType.ResourceInvalidException("Cluster " + cluster.getName() + ": unspecified cluster discovery type");
        }
        if (parseAggregateCluster.getErrorDetail() != null) {
            throw new XdsResourceType.ResourceInvalidException(parseAggregateCluster.getErrorDetail());
        }
        CdsUpdate.Builder struct = parseAggregateCluster.getStruct();
        ImmutableMap<String, ?> newConfig = LoadBalancerConfigFactory.newConfig(cluster, enableLeastRequest);
        ServiceConfigUtil.LbConfig unwrapLoadBalancingConfig = ServiceConfigUtil.unwrapLoadBalancingConfig(newConfig);
        if (loadBalancerRegistry.getProvider(unwrapLoadBalancingConfig.getPolicyName()).parseLoadBalancingPolicyConfig(unwrapLoadBalancingConfig.getRawConfigValue()).getError() != null) {
            throw new XdsResourceType.ResourceInvalidException(parseAggregateCluster.getErrorDetail());
        }
        struct.lbPolicyConfig(newConfig);
        struct.filterMetadata(ImmutableMap.copyOf((Map) cluster.getMetadata().getFilterMetadataMap()));
        return struct.build();
    }

    private static XdsResourceType.StructOrError<CdsUpdate.Builder> parseAggregateCluster(Cluster cluster) {
        String name = cluster.getName();
        Cluster.CustomClusterType clusterType = cluster.getClusterType();
        String name2 = clusterType.getName();
        if (!name2.equals(AGGREGATE_CLUSTER_TYPE_NAME)) {
            return XdsResourceType.StructOrError.fromError("Cluster " + name + ": unsupported custom cluster type: " + name2);
        }
        try {
            return XdsResourceType.StructOrError.fromStruct(CdsUpdate.forAggregate(name, ((ClusterConfig) unpackCompatibleType(clusterType.getTypedConfig(), ClusterConfig.class, "type.googleapis.com/envoy.extensions.clusters.aggregate.v3.ClusterConfig", null)).getClustersList()));
        } catch (InvalidProtocolBufferException e) {
            return XdsResourceType.StructOrError.fromError("Cluster " + name + ": malformed ClusterConfig: " + e);
        }
    }

    private static XdsResourceType.StructOrError<CdsUpdate.Builder> parseNonAggregateCluster(Cluster cluster, Set<String> set, Bootstrapper.ServerInfo serverInfo) {
        String name = cluster.getName();
        Bootstrapper.ServerInfo serverInfo2 = null;
        Long l = null;
        EnvoyServerProtoData.UpstreamTlsContext upstreamTlsContext = null;
        EnvoyServerProtoData.OutlierDetection outlierDetection = null;
        if (cluster.hasLrsServer()) {
            if (!cluster.getLrsServer().hasSelf()) {
                return XdsResourceType.StructOrError.fromError("Cluster " + name + ": only support LRS for the same management server");
            }
            serverInfo2 = serverInfo;
        }
        if (cluster.hasCircuitBreakers()) {
            for (CircuitBreakers.Thresholds thresholds : cluster.getCircuitBreakers().getThresholdsList()) {
                if (thresholds.getPriority() == RoutingPriority.DEFAULT && thresholds.hasMaxRequests()) {
                    l = Long.valueOf(thresholds.getMaxRequests().getValue());
                }
            }
        }
        if (cluster.getTransportSocketMatchesCount() > 0) {
            return XdsResourceType.StructOrError.fromError("Cluster " + name + ": transport-socket-matches not supported.");
        }
        if (cluster.hasTransportSocket()) {
            if (!"envoy.transport_sockets.tls".equals(cluster.getTransportSocket().getName())) {
                return XdsResourceType.StructOrError.fromError("transport-socket with name " + cluster.getTransportSocket().getName() + " not supported.");
            }
            try {
                upstreamTlsContext = EnvoyServerProtoData.UpstreamTlsContext.fromEnvoyProtoUpstreamTlsContext(validateUpstreamTlsContext((UpstreamTlsContext) unpackCompatibleType(cluster.getTransportSocket().getTypedConfig(), UpstreamTlsContext.class, TYPE_URL_UPSTREAM_TLS_CONTEXT, TYPE_URL_UPSTREAM_TLS_CONTEXT_V2), set));
            } catch (InvalidProtocolBufferException | XdsResourceType.ResourceInvalidException e) {
                return XdsResourceType.StructOrError.fromError("Cluster " + name + ": malformed UpstreamTlsContext: " + e);
            }
        }
        if (cluster.hasOutlierDetection()) {
            try {
                outlierDetection = EnvoyServerProtoData.OutlierDetection.fromEnvoyOutlierDetection(validateOutlierDetection(cluster.getOutlierDetection()));
            } catch (XdsResourceType.ResourceInvalidException e2) {
                return XdsResourceType.StructOrError.fromError("Cluster " + name + ": malformed outlier_detection: " + e2);
            }
        }
        Cluster.DiscoveryType type = cluster.getType();
        if (type == Cluster.DiscoveryType.EDS) {
            Cluster.EdsClusterConfig edsClusterConfig = cluster.getEdsClusterConfig();
            if (!edsClusterConfig.getEdsConfig().hasAds() && !edsClusterConfig.getEdsConfig().hasSelf()) {
                return XdsResourceType.StructOrError.fromError("Cluster " + name + ": field eds_cluster_config must be set to indicate to use EDS over ADS or self ConfigSource");
            }
            String serviceName = edsClusterConfig.getServiceName().isEmpty() ? null : edsClusterConfig.getServiceName();
            return (serviceName == null && name.toLowerCase(Locale.ROOT).startsWith(Bootstrapper.XDSTP_SCHEME)) ? XdsResourceType.StructOrError.fromError("EDS service_name must be set when Cluster resource has an xdstp name") : XdsResourceType.StructOrError.fromStruct(CdsUpdate.forEds(name, serviceName, serverInfo2, l, upstreamTlsContext, outlierDetection));
        }
        if (!type.equals(Cluster.DiscoveryType.LOGICAL_DNS)) {
            return XdsResourceType.StructOrError.fromError("Cluster " + name + ": unsupported built-in discovery type: " + type);
        }
        if (!cluster.hasLoadAssignment()) {
            return XdsResourceType.StructOrError.fromError("Cluster " + name + ": LOGICAL_DNS clusters must have a single host");
        }
        ClusterLoadAssignment loadAssignment = cluster.getLoadAssignment();
        if (loadAssignment.getEndpointsCount() != 1 || loadAssignment.getEndpoints(0).getLbEndpointsCount() != 1) {
            return XdsResourceType.StructOrError.fromError("Cluster " + name + ": LOGICAL_DNS clusters must have a single locality_lb_endpoint and a single lb_endpoint");
        }
        LbEndpoint lbEndpoints = loadAssignment.getEndpoints(0).getLbEndpoints(0);
        if (!lbEndpoints.hasEndpoint() || !lbEndpoints.getEndpoint().hasAddress() || !lbEndpoints.getEndpoint().getAddress().hasSocketAddress()) {
            return XdsResourceType.StructOrError.fromError("Cluster " + name + ": LOGICAL_DNS clusters must have an endpoint with address and socket_address");
        }
        SocketAddress socketAddress = lbEndpoints.getEndpoint().getAddress().getSocketAddress();
        return !socketAddress.getResolverName().isEmpty() ? XdsResourceType.StructOrError.fromError("Cluster " + name + ": LOGICAL DNS clusters must NOT have a custom resolver name set") : socketAddress.getPortSpecifierCase() != SocketAddress.PortSpecifierCase.PORT_VALUE ? XdsResourceType.StructOrError.fromError("Cluster " + name + ": LOGICAL DNS clusters socket_address must have port_value") : XdsResourceType.StructOrError.fromStruct(CdsUpdate.forLogicalDns(name, String.format(Locale.US, "%s:%d", socketAddress.getAddress(), Integer.valueOf(socketAddress.getPortValue())), serverInfo2, l, upstreamTlsContext));
    }

    static OutlierDetection validateOutlierDetection(OutlierDetection outlierDetection) throws XdsResourceType.ResourceInvalidException {
        if (outlierDetection.hasInterval()) {
            if (!Durations.isValid(outlierDetection.getInterval())) {
                throw new XdsResourceType.ResourceInvalidException("outlier_detection interval is not a valid Duration");
            }
            if (hasNegativeValues(outlierDetection.getInterval())) {
                throw new XdsResourceType.ResourceInvalidException("outlier_detection interval has a negative value");
            }
        }
        if (outlierDetection.hasBaseEjectionTime()) {
            if (!Durations.isValid(outlierDetection.getBaseEjectionTime())) {
                throw new XdsResourceType.ResourceInvalidException("outlier_detection base_ejection_time is not a valid Duration");
            }
            if (hasNegativeValues(outlierDetection.getBaseEjectionTime())) {
                throw new XdsResourceType.ResourceInvalidException("outlier_detection base_ejection_time has a negative value");
            }
        }
        if (outlierDetection.hasMaxEjectionTime()) {
            if (!Durations.isValid(outlierDetection.getMaxEjectionTime())) {
                throw new XdsResourceType.ResourceInvalidException("outlier_detection max_ejection_time is not a valid Duration");
            }
            if (hasNegativeValues(outlierDetection.getMaxEjectionTime())) {
                throw new XdsResourceType.ResourceInvalidException("outlier_detection max_ejection_time has a negative value");
            }
        }
        if (outlierDetection.hasMaxEjectionPercent() && outlierDetection.getMaxEjectionPercent().getValue() > 100) {
            throw new XdsResourceType.ResourceInvalidException("outlier_detection max_ejection_percent is > 100");
        }
        if (outlierDetection.hasEnforcingSuccessRate() && outlierDetection.getEnforcingSuccessRate().getValue() > 100) {
            throw new XdsResourceType.ResourceInvalidException("outlier_detection enforcing_success_rate is > 100");
        }
        if (outlierDetection.hasFailurePercentageThreshold() && outlierDetection.getFailurePercentageThreshold().getValue() > 100) {
            throw new XdsResourceType.ResourceInvalidException("outlier_detection failure_percentage_threshold is > 100");
        }
        if (!outlierDetection.hasEnforcingFailurePercentage() || outlierDetection.getEnforcingFailurePercentage().getValue() <= 100) {
            return outlierDetection;
        }
        throw new XdsResourceType.ResourceInvalidException("outlier_detection enforcing_failure_percentage is > 100");
    }

    static boolean hasNegativeValues(Duration duration) {
        return duration.getSeconds() < 0 || duration.getNanos() < 0;
    }

    @VisibleForTesting
    static UpstreamTlsContext validateUpstreamTlsContext(UpstreamTlsContext upstreamTlsContext, Set<String> set) throws XdsResourceType.ResourceInvalidException {
        if (!upstreamTlsContext.hasCommonTlsContext()) {
            throw new XdsResourceType.ResourceInvalidException("common-tls-context is required in upstream-tls-context");
        }
        validateCommonTlsContext(upstreamTlsContext.getCommonTlsContext(), set, false);
        return upstreamTlsContext;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    public static void validateCommonTlsContext(CommonTlsContext commonTlsContext, Set<String> set, boolean z) throws XdsResourceType.ResourceInvalidException {
        if (commonTlsContext.hasCustomHandshaker()) {
            throw new XdsResourceType.ResourceInvalidException("common-tls-context with custom_handshaker is not supported");
        }
        if (commonTlsContext.hasTlsParams()) {
            throw new XdsResourceType.ResourceInvalidException("common-tls-context with tls_params is not supported");
        }
        if (commonTlsContext.hasValidationContextSdsSecretConfig()) {
            throw new XdsResourceType.ResourceInvalidException("common-tls-context with validation_context_sds_secret_config is not supported");
        }
        if (commonTlsContext.hasValidationContextCertificateProvider()) {
            throw new XdsResourceType.ResourceInvalidException("common-tls-context with validation_context_certificate_provider is not supported");
        }
        if (commonTlsContext.hasValidationContextCertificateProviderInstance()) {
            throw new XdsResourceType.ResourceInvalidException("common-tls-context with validation_context_certificate_provider_instance is not supported");
        }
        String identityCertInstanceName = getIdentityCertInstanceName(commonTlsContext);
        if (identityCertInstanceName == null) {
            if (z) {
                throw new XdsResourceType.ResourceInvalidException("tls_certificate_provider_instance is required in downstream-tls-context");
            }
            if (commonTlsContext.getTlsCertificatesCount() > 0) {
                throw new XdsResourceType.ResourceInvalidException("tls_certificate_provider_instance is unset");
            }
            if (commonTlsContext.getTlsCertificateSdsSecretConfigsCount() > 0) {
                throw new XdsResourceType.ResourceInvalidException("tls_certificate_provider_instance is unset");
            }
            if (commonTlsContext.hasTlsCertificateCertificateProvider()) {
                throw new XdsResourceType.ResourceInvalidException("tls_certificate_provider_instance is unset");
            }
        } else if (set == null || !set.contains(identityCertInstanceName)) {
            throw new XdsResourceType.ResourceInvalidException("CertificateProvider instance name '" + identityCertInstanceName + "' not defined in the bootstrap file.");
        }
        String rootCertInstanceName = getRootCertInstanceName(commonTlsContext);
        if (rootCertInstanceName == null) {
            if (!z) {
                throw new XdsResourceType.ResourceInvalidException("ca_certificate_provider_instance is required in upstream-tls-context");
            }
            return;
        }
        if (set == null || !set.contains(rootCertInstanceName)) {
            throw new XdsResourceType.ResourceInvalidException("ca_certificate_provider_instance name '" + rootCertInstanceName + "' not defined in the bootstrap file.");
        }
        CertificateValidationContext certificateValidationContext = null;
        if (commonTlsContext.hasValidationContext()) {
            certificateValidationContext = commonTlsContext.getValidationContext();
        } else if (commonTlsContext.hasCombinedValidationContext() && commonTlsContext.getCombinedValidationContext().hasDefaultValidationContext()) {
            certificateValidationContext = commonTlsContext.getCombinedValidationContext().getDefaultValidationContext();
        }
        if (certificateValidationContext != null) {
            if (certificateValidationContext.getMatchSubjectAltNamesCount() > 0 && z) {
                throw new XdsResourceType.ResourceInvalidException("match_subject_alt_names only allowed in upstream_tls_context");
            }
            if (certificateValidationContext.getVerifyCertificateSpkiCount() > 0) {
                throw new XdsResourceType.ResourceInvalidException("verify_certificate_spki in default_validation_context is not supported");
            }
            if (certificateValidationContext.getVerifyCertificateHashCount() > 0) {
                throw new XdsResourceType.ResourceInvalidException("verify_certificate_hash in default_validation_context is not supported");
            }
            if (certificateValidationContext.hasRequireSignedCertificateTimestamp()) {
                throw new XdsResourceType.ResourceInvalidException("require_signed_certificate_timestamp in default_validation_context is not supported");
            }
            if (certificateValidationContext.hasCrl()) {
                throw new XdsResourceType.ResourceInvalidException("crl in default_validation_context is not supported");
            }
            if (certificateValidationContext.hasCustomValidatorConfig()) {
                throw new XdsResourceType.ResourceInvalidException("custom_validator_config in default_validation_context is not supported");
            }
        }
    }

    private static String getIdentityCertInstanceName(CommonTlsContext commonTlsContext) {
        if (commonTlsContext.hasTlsCertificateProviderInstance()) {
            return commonTlsContext.getTlsCertificateProviderInstance().getInstanceName();
        }
        if (commonTlsContext.hasTlsCertificateCertificateProviderInstance()) {
            return commonTlsContext.getTlsCertificateCertificateProviderInstance().getInstanceName();
        }
        return null;
    }

    private static String getRootCertInstanceName(CommonTlsContext commonTlsContext) {
        if (commonTlsContext.hasValidationContext()) {
            if (commonTlsContext.getValidationContext().hasCaCertificateProviderInstance()) {
                return commonTlsContext.getValidationContext().getCaCertificateProviderInstance().getInstanceName();
            }
            return null;
        }
        if (!commonTlsContext.hasCombinedValidationContext()) {
            return null;
        }
        CommonTlsContext.CombinedCertificateValidationContext combinedValidationContext = commonTlsContext.getCombinedValidationContext();
        if (combinedValidationContext.hasDefaultValidationContext() && combinedValidationContext.getDefaultValidationContext().hasCaCertificateProviderInstance()) {
            return combinedValidationContext.getDefaultValidationContext().getCaCertificateProviderInstance().getInstanceName();
        }
        if (combinedValidationContext.hasValidationContextCertificateProviderInstance()) {
            return combinedValidationContext.getValidationContextCertificateProviderInstance().getInstanceName();
        }
        return null;
    }

    static {
        enableLeastRequest = !Strings.isNullOrEmpty(System.getenv("GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST")) ? Boolean.parseBoolean(System.getenv("GRPC_EXPERIMENTAL_ENABLE_LEAST_REQUEST")) : Boolean.parseBoolean(System.getProperty("io.grpc.xds.experimentalEnableLeastRequest"));
        instance = new XdsClusterResource();
    }
}
