package com.google.cloud.spark.bigquery.repackaged.io.grpc.internal;

import com.google.cloud.spark.bigquery.repackaged.com.google.common.base.Optional;
import com.google.cloud.spark.bigquery.repackaged.com.google.common.base.Preconditions;
import com.google.cloud.spark.bigquery.repackaged.com.google.common.base.Splitter;
import com.google.cloud.spark.bigquery.repackaged.com.google.common.collect.ImmutableList;
import com.google.cloud.spark.bigquery.repackaged.com.google.common.collect.ImmutableMap;
import com.google.cloud.spark.bigquery.repackaged.com.google.common.io.Files;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

/* loaded from: input_file:com/google/cloud/spark/bigquery/repackaged/io/grpc/internal/SpiffeUtil.class */
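/**
 * Static helpers for SPIFFE identities: syntactic parsing of SPIFFE IDs, extraction of a SPIFFE
 * ID from the URI SAN of a leaf certificate, and loading of a JSON trust bundle from disk.
 *
 * <p>Everything here is parsing and shape validation. Nothing in this class verifies a
 * certificate chain, a signature, a validity period or a CA constraint; a SPIFFE ID returned
 * from {@link #extractSpiffeId} is only as trustworthy as the chain validation the caller
 * performs separately.
 */
public final class SpiffeUtil {
    /** GeneralName tag for {@code uniformResourceIdentifier} as reported in SAN entries. */
    private static final Integer URI_SAN_TYPE = 6;
    private static final String USE_PARAMETER_VALUE = "x509-svid";
    private static final String KTY_PARAMETER_VALUE = "RSA";
    private static final String CERTIFICATE_PREFIX = "-----BEGIN CERTIFICATE-----\n";
    private static final String CERTIFICATE_SUFFIX = "-----END CERTIFICATE-----";
    private static final String PREFIX = "spiffe://";
    private static final int MAX_URI_LENGTH = 2048;
    private static final int MAX_TRUST_DOMAIN_LENGTH = 255;
    // Compiled once: parse() may run for every peer certificate, and String.matches()
    // recompiles its pattern on each call.
    private static final Pattern TRUST_DOMAIN_PATTERN = Pattern.compile("[a-z0-9._-]+");
    private static final Pattern PATH_SEGMENT_PATTERN = Pattern.compile("[a-zA-Z0-9._-]+");

    /**
     * Immutable result of {@link SpiffeUtil#loadTrustBundleFromFile}: per trust domain, the
     * sequence number read from the file and the certificates listed for that domain.
     */
    public static final class SpiffeBundle {
        private final ImmutableMap<String, Long> sequenceNumbers;
        private final ImmutableMap<String, ImmutableList<X509Certificate>> bundleMap;

        private SpiffeBundle(
                Map<String, Long> sequenceNumbers, Map<String, List<X509Certificate>> bundleMap) {
            this.sequenceNumbers = ImmutableMap.copyOf(sequenceNumbers);
            ImmutableMap.Builder<String, ImmutableList<X509Certificate>> builder =
                    ImmutableMap.builder();
            for (Map.Entry<String, List<X509Certificate>> entry : bundleMap.entrySet()) {
                // Copy each list so later changes to the caller's lists cannot alter the bundle.
                builder.put(entry.getKey(), ImmutableList.copyOf(entry.getValue()));
            }
            this.bundleMap = builder.build();
        }

        /**
         * Returns the sequence number per trust domain. A domain whose entry had content but no
         * {@code spiffe_sequence} maps to {@code -1}; a domain whose entry was an empty object
         * has no key here.
         */
        public ImmutableMap<String, Long> getSequenceNumbers() {
            return this.sequenceNumbers;
        }

        /** Returns the certificates per trust domain; the list is empty when none were listed. */
        public ImmutableMap<String, ImmutableList<X509Certificate>> getBundleMap() {
            return this.bundleMap;
        }
    }

    /**
     * A parsed SPIFFE ID. Instances are created only by {@link SpiffeUtil#parse}, so the trust
     * domain and path have passed that method's syntax checks.
     */
    public static class SpiffeId {
        private final String trustDomain;
        private final String path;

        private SpiffeId(String trustDomain, String path) {
            this.trustDomain = trustDomain;
            this.path = path;
        }

        /** Returns the trust domain, i.e. the part between {@code spiffe://} and the first '/'. */
        public String getTrustDomain() {
            return this.trustDomain;
        }

        /** Returns the path including its leading '/', or the empty string when there is none. */
        public String getPath() {
            return this.path;
        }
    }

    private SpiffeUtil() {
    }

    /**
     * Parses and syntactically validates a SPIFFE ID.
     *
     * <p>The {@code spiffe://} scheme is matched case-insensitively, while the trust domain must
     * already be lower case. No percent-decoding or normalisation is applied: characters outside
     * the allowed sets, {@code .}/{@code ..} segments, empty segments, '#' and '?' are rejected
     * rather than rewritten.
     *
     * @param uri the SPIFFE ID, at most 2048 characters
     * @return the parsed id; its path is empty or starts with '/'
     * @throws NullPointerException if {@code uri} is null
     * @throws IllegalArgumentException if {@code uri} violates any of the checks
     */
    public static SpiffeId parse(String uri) {
        doInitialUriValidation(uri);
        Preconditions.checkArgument(
                uri.toLowerCase(Locale.US).startsWith(PREFIX), "Spiffe Id must start with spiffe://");
        String domainAndPath = uri.substring(PREFIX.length());
        String trustDomain;
        String path;
        int slash = domainAndPath.indexOf('/');
        if (slash >= 0) {
            trustDomain = domainAndPath.substring(0, slash);
            path = domainAndPath.substring(slash + 1);
            Preconditions.checkArgument(!path.isEmpty(), "Path must not include a trailing '/'");
        } else {
            trustDomain = domainAndPath;
            path = "";
        }
        validateTrustDomain(trustDomain);
        validatePath(path);
        if (!path.isEmpty()) {
            path = "/" + path;
        }
        return new SpiffeId(trustDomain, path);
    }

    /** Rejects null, empty and over-long input, and any URI carrying a fragment or a query. */
    private static void doInitialUriValidation(String uri) {
        Preconditions.checkArgument(
                Preconditions.checkNotNull(uri, "uri").length() > 0, "Spiffe Id can't be empty");
        Preconditions.checkArgument(
                uri.length() <= MAX_URI_LENGTH, "Spiffe Id maximum length is 2048 characters");
        Preconditions.checkArgument(!uri.contains("#"), "Spiffe Id must not contain query fragments");
        Preconditions.checkArgument(!uri.contains("?"), "Spiffe Id must not contain query parameters");
    }

    /** Requires a non-empty trust domain of at most 255 characters from {@code [a-z0-9._-]}. */
    private static void validateTrustDomain(String trustDomain) {
        Preconditions.checkArgument(!trustDomain.isEmpty(), "Trust Domain can't be empty");
        Preconditions.checkArgument(
                trustDomain.length() <= MAX_TRUST_DOMAIN_LENGTH,
                "Trust Domain maximum length is 255 characters");
        Preconditions.checkArgument(
                TRUST_DOMAIN_PATTERN.matcher(trustDomain).matches(),
                "Trust Domain must contain only letters, numbers, dots, dashes, and underscores ([a-z0-9.-_])");
    }

    /** Validates every '/'-separated segment of a path given without its leading '/'. */
    private static void validatePath(String path) {
        if (path.isEmpty()) {
            return;
        }
        Preconditions.checkArgument(!path.endsWith("/"), "Path must not include a trailing '/'");
        for (String segment : Splitter.on("/").split(path)) {
            validatePathSegment(segment);
        }
    }

    /** Rejects empty segments, the relative modifiers "." and "..", and disallowed characters. */
    private static void validatePathSegment(String segment) {
        Preconditions.checkArgument(!segment.isEmpty(), "Individual path segments must not be empty");
        Preconditions.checkArgument(
                !(segment.equals(".") || segment.equals("..")),
                "Individual path segments must not be relative path modifiers (i.e. ., ..)");
        Preconditions.checkArgument(
                PATH_SEGMENT_PATTERN.matcher(segment).matches(),
                "Individual path segments must contain only letters, numbers, dots, dashes, and underscores ([a-zA-Z0-9.-_])");
    }

    /**
     * Extracts the SPIFFE ID from the URI subject alternative name of the leaf certificate.
     *
     * <p>Only {@code certChain[0]} is read, and no chain or signature validation happens here.
     * Treat the returned id as an unauthenticated claim until the chain has been verified
     * against the trust bundle of the id's trust domain.
     *
     * @param certChain the peer chain with the leaf certificate first; must not be empty
     * @return the parsed id, or absent when the leaf carries no URI SAN
     * @throws CertificateParsingException if the SAN extension cannot be decoded
     * @throws IllegalArgumentException if the chain is empty, the leaf has more than one URI SAN,
     *     or the URI is not a valid SPIFFE ID
     */
    public static Optional<SpiffeId> extractSpiffeId(X509Certificate[] certChain)
            throws CertificateParsingException {
        Preconditions.checkArgument(
                Preconditions.checkNotNull(certChain, "certChain").length > 0,
                "certChain can't be empty");
        Collection<List<?>> subjectAltNames = certChain[0].getSubjectAlternativeNames();
        if (subjectAltNames == null) {
            return Optional.absent();
        }
        String uri = null;
        for (List<?> altName : subjectAltNames) {
            if (altName.size() >= 2 && URI_SAN_TYPE.equals(altName.get(0))) {
                // More than one URI SAN makes the identity ambiguous, so refuse to pick one.
                if (uri != null) {
                    throw new IllegalArgumentException("Multiple URI SAN values found in the leaf cert.");
                }
                uri = (String) altName.get(1);
            }
        }
        if (uri == null) {
            return Optional.absent();
        }
        return Optional.of(parse(uri));
    }

    /**
     * Loads a SPIFFE trust bundle map from a JSON file.
     *
     * <p>The file must be a JSON object with a non-empty {@code trust_domains} object. Each
     * trust domain entry may carry {@code spiffe_sequence} (recorded as {@code -1} when absent)
     * and a {@code keys} list of JWK objects; every key must have {@code kty} "RSA", {@code use}
     * "x509-svid", no {@code kid}, and an {@code x5c} list holding exactly one certificate.
     *
     * <p>NOTE(review): trust domain names are taken from the file as-is and are not passed
     * through the trust-domain syntax check used by {@link #parse}; certificates are parsed but
     * not checked for validity period or CA constraints in this class. The file is trust-anchor
     * material, so its location and permissions deserve the same protection as a CA store.
     *
     * @param trustBundleFile path of the JSON trust bundle
     * @return the per-domain sequence numbers and certificates
     * @throws IOException if the file cannot be read or parsed as JSON
     * @throws NullPointerException if {@code trustBundleFile} is null or {@code trust_domains}
     *     is missing
     * @throws IllegalArgumentException if the content violates the expected structure
     */
    public static SpiffeBundle loadTrustBundleFromFile(String trustBundleFile) throws IOException {
        Map<String, ?> trustDomains = readTrustDomainsFromFile(trustBundleFile);
        Map<String, List<X509Certificate>> certsByDomain = new HashMap<>();
        Map<String, Long> sequenceByDomain = new HashMap<>();
        for (String domainName : trustDomains.keySet()) {
            Map<String, ?> domainNode = JsonUtil.getObject(trustDomains, domainName);
            if (domainNode.size() == 0) {
                certsByDomain.put(domainName, Collections.<X509Certificate>emptyList());
                continue;
            }
            Long sequence = JsonUtil.getNumberAsLong(domainNode, "spiffe_sequence");
            sequenceByDomain.put(domainName, sequence == null ? -1L : sequence.longValue());
            List<Map<String, ?>> keys = JsonUtil.getListOfObjects(domainNode, "keys");
            if (keys == null || keys.size() == 0) {
                certsByDomain.put(domainName, Collections.<X509Certificate>emptyList());
            } else {
                certsByDomain.put(domainName, extractCert(keys, domainName));
            }
        }
        return new SpiffeBundle(sequenceByDomain, certsByDomain);
    }

    /** Reads the file as UTF-8 JSON and returns its mandatory, non-empty trust_domains object. */
    private static Map<String, ?> readTrustDomainsFromFile(String trustBundleFile)
            throws IOException {
        File bundleFile = new File(Preconditions.checkNotNull(trustBundleFile, "trustBundleFile"));
        Object parsed =
                JsonParser.parse(new String(Files.toByteArray(bundleFile), StandardCharsets.UTF_8));
        if (!(parsed instanceof Map)) {
            throw new IllegalArgumentException("SPIFFE Trust Bundle should be a JSON object. Found: " + (parsed == null ? null : parsed.getClass()));
        }
        // The instanceof check above establishes Map; the key type is assumed to be String
        // because the value comes from a JSON object.
        @SuppressWarnings("unchecked")
        Map<String, ?> root = (Map<String, ?>) parsed;
        Map<String, ?> trustDomains = JsonUtil.getObject(root, "trust_domains");
        Preconditions.checkNotNull(trustDomains, "Mandatory trust_domains element is missing");
        Preconditions.checkArgument(
                trustDomains.size() > 0, "Mandatory trust_domains element is missing");
        return trustDomains;
    }

    /** Enforces the JWK parameters required of a bundle key: kty RSA, no kid, use x509-svid. */
    private static void checkJwkEntry(Map<String, ?> jwkNode, String trustDomainName) {
        String kty = JsonUtil.getString(jwkNode, "kty");
        if (kty == null || !kty.equals(KTY_PARAMETER_VALUE)) {
            throw new IllegalArgumentException(String.format("'kty' parameter must be '%s' but '%s' found. Certificate loading for trust domain '%s' failed.", KTY_PARAMETER_VALUE, kty, trustDomainName));
        }
        if (jwkNode.containsKey("kid")) {
            throw new IllegalArgumentException(String.format("'kid' parameter must not be set. Certificate loading for trust domain '%s' failed.", trustDomainName));
        }
        String use = JsonUtil.getString(jwkNode, "use");
        if (use == null || !use.equals(USE_PARAMETER_VALUE)) {
            throw new IllegalArgumentException(String.format("'use' parameter must be '%s' but '%s' found. Certificate loading for trust domain '%s' failed.", USE_PARAMETER_VALUE, use, trustDomainName));
        }
    }

    /**
     * Converts the JWK entries of one trust domain into X.509 certificates.
     *
     * @throws IllegalArgumentException if a key fails the JWK checks, its {@code x5c} does not
     *     hold exactly one entry, or that entry does not parse to exactly one certificate
     */
    private static List<X509Certificate> extractCert(
            List<Map<String, ?>> keysNode, String trustDomainName) {
        List<X509Certificate> certificates = new ArrayList<>();
        for (Map<String, ?> keyNode : keysNode) {
            checkJwkEntry(keyNode, trustDomainName);
            List<String> rawCerts = JsonUtil.getListOfStrings(keyNode, "x5c");
            if (rawCerts == null) {
                // NOTE(review): a key without x5c ends the loop, so any keys listed after it are
                // not loaded and no error is reported. Confirm this is intended; the domain ends
                // up with fewer trust anchors than the file lists.
                break;
            }
            if (rawCerts.size() != 1) {
                throw new IllegalArgumentException(String.format("Exactly 1 certificate is expected, but %s found. Certificate loading for trust domain '%s' failed.", Integer.valueOf(rawCerts.size()), trustDomainName));
            }
            String pem = CERTIFICATE_PREFIX + rawCerts.get(0) + "\n" + CERTIFICATE_SUFFIX;
            try {
                X509Certificate[] parsed =
                        CertificateFactory.getInstance("X509")
                                .generateCertificates(
                                        new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)))
                                .toArray(new X509Certificate[0]);
                // The x5c string is file content, so enforce the one-certificate invariant at
                // run time instead of with an assertion that is off unless the JVM runs with -ea.
                if (parsed.length != 1) {
                    throw new IllegalArgumentException(String.format("Exactly 1 certificate is expected, but %s found. Certificate loading for trust domain '%s' failed.", Integer.valueOf(parsed.length), trustDomainName));
                }
                certificates.add(parsed[0]);
            } catch (CertificateException e) {
                throw new IllegalArgumentException(String.format("Certificate can't be parsed. Certificate loading for trust domain '%s' failed.", trustDomainName), e);
            }
        }
        return certificates;
    }
}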
