package com.yahoo.security.tls;

import com.yahoo.security.SealedSharedKey;
import com.yahoo.security.SubjectAlternativeName;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.RequiredPeerCredential;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.List;
import java.util.logging.Logger;

/* loaded from: input_file:com/yahoo/security/tls/PeerAuthorizer.class */
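/**
 * Maps a TLS peer's X.509 certificate to the configured peer policies it satisfies and to
 * the capabilities those policies grant.
 *
 * <p>Matching uses only the subject common name (CN) and the DNS, IP and URI subject
 * alternative names (SANs) of the first certificate in the chain. This class does no
 * chain, signature or validity checking itself; presumably the TLS layer has done that
 * before the certificate is handed in. Confirm against the callers.
 */
public class PeerAuthorizer {
    private static final Logger log = Logger.getLogger(PeerAuthorizer.class.getName());
    private final AuthorizedPeers authorizedPeers;

    /**
     * @param authorizedPeers the peer policies to evaluate certificates against
     */
    public PeerAuthorizer(AuthorizedPeers authorizedPeers) {
        this.authorizedPeers = authorizedPeers;
    }

    /**
     * Authorizes a peer from a single certificate by wrapping it in a one-element chain.
     *
     * @param x509Certificate the peer's certificate
     * @return the authorization result for that certificate
     */
    public ConnectionAuthContext authorizePeer(X509Certificate x509Certificate) {
        return authorizePeer(List.of(x509Certificate));
    }

    /**
     * Evaluates every configured peer policy against the first certificate of the chain and
     * collects the names and capabilities of the policies that match.
     *
     * <p>Two outcomes deserve attention from callers:
     * <ul>
     *   <li>When no peer policies are configured, the decision is delegated to
     *       {@code ConnectionAuthContext.defaultAllCapabilities}. By its name that grants
     *       every capability, so an empty policy set is permissive rather than restrictive;
     *       confirm this is the intended deployment default.</li>
     *   <li>When policies exist but none match, this method still returns a context (with an
     *       empty set of matched policies) instead of throwing. Rejecting the connection is
     *       left to whoever inspects the returned context.</li>
     * </ul>
     *
     * @param list the peer certificate chain; element 0 is the certificate that is matched,
     *             so the chain must not be empty when peer policies are configured
     * @return the matched policy names and the union of their capability sets
     */
    public ConnectionAuthContext authorizePeer(List<X509Certificate> list) {
        if (this.authorizedPeers.isEmpty()) {
            return ConnectionAuthContext.defaultAllCapabilities(list);
        }
        X509Certificate peerCertificate = list.get(0);
        HashSet<String> matchedPolicies = new HashSet<>();
        HashSet<CapabilitySet> grantedCapabilities = new HashSet<>();
        // A certificate without a CN is represented as null; CN requirements then never match.
        String commonName = X509CertificateUtils.getSubjectCommonName(peerCertificate).orElse(null);
        List<String> sans = getSubjectAlternativeNames(peerCertificate);
        log.fine(() -> String.format("Subject info from x509 certificate: CN=[%s], 'SAN=%s", commonName, sans));
        for (PeerPolicy peerPolicy : this.authorizedPeers.peerPolicies()) {
            if (matchesPolicy(peerPolicy, commonName, sans)) {
                matchedPolicies.add(peerPolicy.policyName());
                grantedCapabilities.add(peerPolicy.capabilities());
            }
        }
        return new ConnectionAuthContext(
                list,
                CapabilitySet.ofSets(grantedCapabilities),
                matchedPolicies,
                TransportSecurityUtils.getCapabilityMode());
    }

    /**
     * A policy matches only when every one of its required credentials matches. A policy
     * with no required credentials therefore matches any certificate ({@code allMatch} on an
     * empty stream is true).
     */
    private static boolean matchesPolicy(PeerPolicy peerPolicy, String commonName, List<String> sans) {
        return peerPolicy.requiredCredentials().stream()
                .allMatch(credential -> matchesRequiredCredentials(credential, commonName, sans));
    }

    /**
     * Tests one required credential against the certificate's subject information.
     *
     * <p>The decompiler reports that this method was private in the compiled class; it is
     * left public here so the signature in this listing is unchanged.
     *
     * <p>NOTE(review): {@code SAN_DNS} and {@code SAN_URI} share one branch, and {@code list}
     * is the merged DNS/IP/URI values produced by {@code getSubjectAlternativeNames}. The
     * credential's field therefore does not restrict which SAN type may satisfy it: a
     * {@code SAN_DNS} pattern can be satisfied by a URI or IP entry and vice versa. If policies
     * rely on the SAN type as a trust boundary, the type has to be carried alongside the
     * value and checked here.
     *
     * @param requiredPeerCredential the credential (field and pattern) to test
     * @param str  the certificate's subject CN, or {@code null} if it has none
     * @param list the certificate's DNS, IP and URI SAN values
     * @return {@code true} if the credential's pattern matches the CN (for {@code CN}) or any
     *         SAN value (for {@code SAN_DNS} and {@code SAN_URI})
     * @throws RuntimeException if the credential's field is not one of the handled constants
     */
    public static boolean matchesRequiredCredentials(RequiredPeerCredential requiredPeerCredential, String str, List<String> list) {
        // Switch on the enum itself. The decompiled form went through a synthetic ordinal
        // table and labelled the SAN_DNS case with an unrelated constant
        // (SealedSharedKey.CURRENT_TOKEN_VERSION) that merely shares the value 2, which
        // would silently re-route SAN_DNS if that constant ever changed.
        switch (requiredPeerCredential.field()) {
            case CN:
                return str != null && requiredPeerCredential.pattern().matches(str);
            case SAN_DNS:
            case SAN_URI:
                return list.stream().anyMatch(san -> requiredPeerCredential.pattern().matches(san));
            default:
                throw new RuntimeException("Unknown field: " + requiredPeerCredential.field());
        }
    }

    /**
     * Returns the values of the certificate's DNS, IP and URI SAN entries as one flat list.
     * The entry type is discarded, so consumers cannot tell a DNS name from a URI or an IP.
     */
    private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {
        return X509CertificateUtils.getSubjectAlternativeNames(certificate).stream()
                .filter(san -> san.getType() == SubjectAlternativeName.Type.DNS
                        || san.getType() == SubjectAlternativeName.Type.IP
                        || san.getType() == SubjectAlternativeName.Type.URI)
                .map(SubjectAlternativeName::getValue)
                .toList();
    }
}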
