package io.grpc.xds.internal.certprovider;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import com.xiaomi.mipush.sdk.Constants;
import io.grpc.internal.BackoffPolicy;
import io.grpc.internal.ExponentialBackoffPolicy;
import io.grpc.internal.JsonUtil;
import io.grpc.internal.TimeProvider;
import io.grpc.xds.internal.certprovider.CertificateProvider;
import io.grpc.xds.internal.certprovider.MeshCaCertificateProvider;
import io.grpc.xds.internal.sts.StsCredentials;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: classes4.dex */
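/**
 * {@link CertificateProviderProvider} for Google Mesh CA ({@value #MESH_CA_NAME}).
 *
 * <p>Validates the raw certificate-provider config handed in by the caller (expected to be the
 * parsed JSON object of the bootstrap) into a {@link Config}, then asks the
 * {@link MeshCaCertificateProvider.Factory} for a provider built from it.
 *
 * <p>Points worth knowing when reviewing a config:
 * <ul>
 *   <li>If {@code channel_credentials} is present it must consist solely of an empty
 *       {@code google_default} object; anything else is rejected. What the channel factory does
 *       when the entry is absent is decided by {@link MeshCaCertificateProvider.MeshCaChannelFactory},
 *       not here.</li>
 *   <li>{@code subject_token_path} (the file holding the GKE service-account JWT used for the STS
 *       exchange) is mandatory and is passed to {@link StsCredentials.Factory} as-is, with no path
 *       normalisation or existence check in this class.</li>
 *   <li>{@code key_size} is accepted without a range check here; any minimum is enforced, if at
 *       all, further down the chain.</li>
 * </ul>
 *
 * <p>Loading this class registers a default instance with {@link CertificateProviderRegistry}
 * (see the static initializer).
 */
public final class MeshCaCertificateProviderProvider implements CertificateProviderProvider {
    /** Prefix of the STS audience ({@code identitynamespace:<project>.svc.id.goog:<clusterUrl>}). */
    public static final String AUDIENCE_PREFIX = "identitynamespace:";

    /** Default certificate lifetime (9 hours), used when {@value #CERT_VALIDITY_SECONDS_KEY} is absent. */
    @VisibleForTesting
    public static final long CERT_VALIDITY_SECONDS_DEFAULT = 32400;
    public static final String CERT_VALIDITY_SECONDS_KEY = "certificate_lifetime";
    /**
     * Extracts the project (group 1) and location/zone (group 2) from a GKE cluster URL. Both
     * groups are greedy {@code .*}, so they are not constrained to a single path segment.
     */
    public static final Pattern CLUSTER_URL_PATTERN = Pattern.compile(".*/projects/(.*)/(?:locations|zones)/(.*)/clusters/.*");
    public static final String GKECLUSTER_URL_KEY = "location";
    public static final String GKE_SA_JWT_LOCATION_KEY = "subject_token_path";

    /** Only key algorithm accepted by {@link #validateAndTranslateConfig(Object)}. */
    @VisibleForTesting
    public static final String KEY_ALGO_DEFAULT = "RSA";
    public static final String KEY_ALGO_KEY = "key_type";

    @VisibleForTesting
    public static final int KEY_SIZE_DEFAULT = 2048;
    public static final String KEY_SIZE_KEY = "key_size";

    @VisibleForTesting
    public static final int MAX_RETRY_ATTEMPTS_DEFAULT = 3;

    @VisibleForTesting
    public static final String MESHCA_URL_DEFAULT = "meshca.googleapis.com";
    public static final String MESHCA_URL_KEY = "target_uri";
    public static final String MESH_CA_NAME = "meshCA";

    @VisibleForTesting
    public static final long RENEWAL_GRACE_PERIOD_SECONDS_DEFAULT = 3600;
    public static final String RENEWAL_GRACE_PERIOD_SECONDS_KEY = "renewal_grace_period";

    /**
     * RPC timeout actually handed to the provider factory by
     * {@link #createCertificateProvider}. Note this is distinct from
     * {@link #RPC_TIMEOUT_SECONDS_DEFAULT}: the {@code time_out} entry is parsed into
     * {@link Config#rpcTimeoutSeconds} but is not what the factory receives.
     */
    @VisibleForTesting
    public static final long RPC_TIMEOUT_SECONDS = 10;

    @VisibleForTesting
    public static final long RPC_TIMEOUT_SECONDS_DEFAULT = 5;
    public static final String RPC_TIMEOUT_SECONDS_KEY = "time_out";
    public static final String SERVER_CONFIG_KEY = "server";

    @VisibleForTesting
    public static final String SIGNATURE_ALGO_DEFAULT = "SHA256withRSA";
    public static final String STS_SERVICE_KEY = "sts_service";

    @VisibleForTesting
    public static final String STS_URL_DEFAULT = "https://securetoken.googleapis.com/v1/identitybindingtoken";
    public static final String TOKEN_EXCHANGE_SERVICE_KEY = "token_exchange_service";
    public static final String TRUST_DOMAIN_SUFFIX = ".svc.id.goog";
    public final BackoffPolicy.Provider backoffPolicyProvider;
    public final MeshCaCertificateProvider.Factory meshCaCertificateProviderFactory;
    public final MeshCaCertificateProvider.MeshCaChannelFactory meshCaChannelFactory;
    public final ScheduledExecutorServiceFactory scheduledExecutorServiceFactory;
    public final StsCredentials.Factory stsCredentialsFactory;
    public final TimeProvider timeProvider;

    /**
     * Validated, translated provider config. Populated by
     * {@link #validateAndTranslateConfig(Object)}; fields are plain mutable holders.
     */
    @VisibleForTesting
    /* loaded from: classes4.dex */
    public static class Config {
        // May be null if the duration object is present but has no "seconds" entry (see getSeconds).
        public Long certValiditySeconds;
        // Raw "location" value; also becomes the tail of the STS audience.
        public String gkeClusterUrl;
        // Path to the subject token file handed to StsCredentials.Factory; required.
        public String gkeSaJwtLocation;
        // Always KEY_ALGO_DEFAULT after validation.
        public String keyAlgo;
        public Integer keySize;
        // Always MAX_RETRY_ATTEMPTS_DEFAULT after validation.
        public Integer maxRetryAttempts;
        public String meshCaUrl;
        // Group 1 of CLUSTER_URL_PATTERN.
        public String project;
        public Long renewalGracePeriodSeconds;
        // Parsed from "time_out" but not consumed by createCertificateProvider.
        public Long rpcTimeoutSeconds;
        // Always SIGNATURE_ALGO_DEFAULT after validation.
        public String signatureAlgo;
        public String stsUrl;
        // Group 2 of CLUSTER_URL_PATTERN (a location or a zone).
        public String zone;
    }

    /**
     * Creates the {@link ScheduledExecutorService} handed to each certificate provider.
     * The default builds a single-thread daemon executor named {@code meshca-<target>-<n>}.
     */
    /* loaded from: classes4.dex */
    public static abstract class ScheduledExecutorServiceFactory {
        public static final ScheduledExecutorServiceFactory DEFAULT_INSTANCE = new ScheduledExecutorServiceFactory() { // from class: io.grpc.xds.internal.certprovider.MeshCaCertificateProviderProvider.ScheduledExecutorServiceFactory.1
            @Override // io.grpc.xds.internal.certprovider.MeshCaCertificateProviderProvider.ScheduledExecutorServiceFactory
            public ScheduledExecutorService create(String target) {
                // Daemon so a forgotten executor never keeps the process alive.
                ThreadFactoryBuilder threads = new ThreadFactoryBuilder()
                        .setNameFormat("meshca-" + target + "-%d")
                        .setDaemon(true);
                return Executors.newSingleThreadScheduledExecutor(threads.build());
            }
        };

        public static ScheduledExecutorServiceFactory getInstance() {
            return DEFAULT_INSTANCE;
        }

        /** Returns a new scheduled executor for the provider talking to {@code target}. */
        public abstract ScheduledExecutorService create(String target);
    }

    static {
        // Class-load side effect: a default instance registers itself with the registry.
        CertificateProviderRegistry.getInstance().register(new MeshCaCertificateProviderProvider(
                StsCredentials.Factory.getInstance(),
                MeshCaCertificateProvider.MeshCaChannelFactory.getInstance(),
                new ExponentialBackoffPolicy.Provider(),
                MeshCaCertificateProvider.Factory.getInstance(),
                ScheduledExecutorServiceFactory.DEFAULT_INSTANCE,
                TimeProvider.SYSTEM_TIME_PROVIDER));
    }

    /**
     * Test-visible constructor; production code goes through the instance registered in the
     * static initializer. All collaborators are stored as given (no null checks).
     */
    @VisibleForTesting
    public MeshCaCertificateProviderProvider(StsCredentials.Factory stsCredentialsFactory, MeshCaCertificateProvider.MeshCaChannelFactory meshCaChannelFactory, BackoffPolicy.Provider backoffPolicyProvider, MeshCaCertificateProvider.Factory meshCaCertificateProviderFactory, ScheduledExecutorServiceFactory scheduledExecutorServiceFactory, TimeProvider timeProvider) {
        this.stsCredentialsFactory = stsCredentialsFactory;
        this.meshCaChannelFactory = meshCaChannelFactory;
        this.backoffPolicyProvider = backoffPolicyProvider;
        this.meshCaCertificateProviderFactory = meshCaCertificateProviderFactory;
        this.scheduledExecutorServiceFactory = scheduledExecutorServiceFactory;
        this.timeProvider = timeProvider;
    }

    /**
     * Fills the server-side fields of {@code config} ({@code meshCaUrl}, {@code stsUrl},
     * {@code gkeSaJwtLocation}, {@code rpcTimeoutSeconds}) from the {@code server} object.
     *
     * <p>Defaults are applied first; every {@code grpc_services} entry carrying a
     * {@code google_grpc} block is then applied in order, so later entries override earlier ones.
     *
     * @param config       target to populate
     * @param serverConfig the {@code server} object, or {@code null} to keep defaults only
     * @throws IllegalArgumentException if {@code api_type} is not {@code GRPC}, or a
     *                                  {@code channel_credentials} block is not an empty
     *                                  {@code google_default}
     * @throws NullPointerException     if {@code grpc_services} or {@code call_credentials} is
     *                                  missing, or no {@code sts_service} supplied
     *                                  {@code subject_token_path}
     */
    public static void extractMeshCaServerConfig(Config config, Map<String, ?> serverConfig) {
        config.meshCaUrl = MESHCA_URL_DEFAULT;
        config.rpcTimeoutSeconds = RPC_TIMEOUT_SECONDS_DEFAULT;
        config.stsUrl = STS_URL_DEFAULT;
        if (serverConfig != null) {
            Preconditions.checkArgument("GRPC".equals(JsonUtil.getString(serverConfig, "api_type")),
                    "Only GRPC api_type supported");
            List<Map<String, ?>> grpcServices = Preconditions.checkNotNull(
                    JsonUtil.getListOfObjects(serverConfig, "grpc_services"), "grpc_services not found");
            for (Map<String, ?> grpcService : grpcServices) {
                Map<String, ?> googleGrpc = JsonUtil.getObject(grpcService, "google_grpc");
                if (googleGrpc != null) {
                    applyGoogleGrpc(config, googleGrpc);
                    // The timeout sits on the grpc_services entry itself, not inside google_grpc.
                    config.rpcTimeoutSeconds = getSeconds(
                            JsonUtil.getObject(grpcService, RPC_TIMEOUT_SECONDS_KEY), RPC_TIMEOUT_SECONDS_DEFAULT);
                }
            }
        }
        // Without the subject token file there is nothing to exchange at the STS endpoint.
        Preconditions.checkNotNull(config.gkeSaJwtLocation, "'subject_token_path' is required in the config");
    }

    /** Applies one {@code google_grpc} block: target URI, channel-credentials check, STS call credentials. */
    private static void applyGoogleGrpc(Config config, Map<String, ?> googleGrpc) {
        String targetUri = JsonUtil.getString(googleGrpc, MESHCA_URL_KEY);
        if (targetUri != null) {
            config.meshCaUrl = targetUri;
        }
        Map<String, ?> channelCreds = JsonUtil.getObject(googleGrpc, "channel_credentials");
        if (channelCreds != null) {
            checkGoogleDefaultChannelCredentials(channelCreds);
        }
        // Explicit message instead of a bare NPE from .iterator() when the list is absent.
        List<Map<String, ?>> callCredsList = Preconditions.checkNotNull(
                JsonUtil.getListOfObjects(googleGrpc, "call_credentials"), "call_credentials not found");
        for (Map<String, ?> callCreds : callCredsList) {
            Map<String, ?> stsService = JsonUtil.getObject(callCreds, STS_SERVICE_KEY);
            if (stsService != null) {
                String tokenExchangeService = JsonUtil.getString(stsService, TOKEN_EXCHANGE_SERVICE_KEY);
                if (tokenExchangeService != null) {
                    config.stsUrl = tokenExchangeService;
                }
                // Last sts_service entry wins, even when its subject_token_path is absent.
                config.gkeSaJwtLocation = JsonUtil.getString(stsService, GKE_SA_JWT_LOCATION_KEY);
            }
        }
    }

    /** Rejects any channel_credentials that is not exactly an empty {@code google_default} object. */
    private static void checkGoogleDefaultChannelCredentials(Map<String, ?> channelCreds) {
        Map<String, ?> googleDefault = Preconditions.checkNotNull(
                JsonUtil.getObject(channelCreds, "google_default"), "channel_credentials need to be google_default!");
        Preconditions.checkArgument(googleDefault.isEmpty(), "google_default credentials contain illegal value");
    }

    /**
     * Reads the {@code seconds} field of a duration object.
     *
     * @param duration     the duration object, or {@code null} when the key was absent
     * @param defaultValue value returned when {@code duration} is {@code null}
     * @return the {@code seconds} value, or {@code defaultValue} when {@code duration} is null.
     *         If the object exists but carries no {@code seconds} entry the result is whatever
     *         {@link JsonUtil#getNumberAsLong} returns for a missing key (NOTE(review): looks like
     *         null, which would surface later as an NPE on unboxing in
     *         {@link #createCertificateProvider} — confirm before relying on it)
     */
    public static Long getSeconds(Map<String, ?> duration, long defaultValue) {
        if (duration == null) {
            return defaultValue;
        }
        return JsonUtil.getNumberAsLong(duration, "seconds");
    }

    /**
     * Splits a GKE cluster URL into {@link Config#project} and {@link Config#zone} via
     * {@link #CLUSTER_URL_PATTERN}.
     *
     * @throws IllegalStateException if the URL does not match the pattern
     */
    public static void parseProjectAndZone(String gkeClusterUrl, Config config) {
        Matcher matcher = CLUSTER_URL_PATTERN.matcher(gkeClusterUrl);
        Preconditions.checkState(matcher.find(), "gkeClusterUrl does not have correct format");
        // The pattern has exactly two capturing groups, so both are defined once find() succeeds
        // (Matcher.groupCount() is a property of the pattern, not of the match).
        config.project = matcher.group(1);
        config.zone = matcher.group(2);
    }

    /**
     * Validates the raw provider config and translates it into a {@link Config}.
     *
     * @param rawConfig the parsed config; must be a {@link Map}
     * @return the populated config
     * @throws IllegalArgumentException if {@code rawConfig} is not a Map, {@code key_type} is
     *                                  anything other than absent or {@code RSA}, or the server
     *                                  section fails validation
     * @throws NullPointerException     if {@code location} or a required server entry is missing
     * @throws IllegalStateException    if {@code location} does not match {@link #CLUSTER_URL_PATTERN}
     */
    public static Config validateAndTranslateConfig(Object rawConfig) {
        Preconditions.checkArgument(rawConfig instanceof Map, "Only Map supported for config");
        @SuppressWarnings("unchecked") // JSON objects are decoded as Map<String, ?>; keys are strings.
        Map<String, ?> map = (Map<String, ?>) rawConfig;
        Config config = new Config();
        extractMeshCaServerConfig(config, JsonUtil.getObject(map, SERVER_CONFIG_KEY));
        config.certValiditySeconds = getSeconds(
                JsonUtil.getObject(map, CERT_VALIDITY_SECONDS_KEY), CERT_VALIDITY_SECONDS_DEFAULT);
        config.renewalGracePeriodSeconds = getSeconds(
                JsonUtil.getObject(map, RENEWAL_GRACE_PERIOD_SECONDS_KEY), RENEWAL_GRACE_PERIOD_SECONDS_DEFAULT);
        String keyType = JsonUtil.getString(map, KEY_ALGO_KEY);
        Preconditions.checkArgument(keyType == null || keyType.equals(KEY_ALGO_DEFAULT),
                "key_type can only be null or 'RSA'");
        // Retry count, key algorithm and signature algorithm are not configurable.
        config.maxRetryAttempts = MAX_RETRY_ATTEMPTS_DEFAULT;
        config.keyAlgo = KEY_ALGO_DEFAULT;
        config.signatureAlgo = SIGNATURE_ALGO_DEFAULT;
        Integer keySize = JsonUtil.getNumberAsInteger(map, KEY_SIZE_KEY);
        // No lower bound is enforced on key_size here.
        config.keySize = keySize != null ? keySize : KEY_SIZE_DEFAULT;
        String gkeClusterUrl = Preconditions.checkNotNull(
                JsonUtil.getString(map, GKECLUSTER_URL_KEY), "'location' is required in the config");
        config.gkeClusterUrl = gkeClusterUrl;
        parseProjectAndZone(gkeClusterUrl, config);
        return config;
    }

    /**
     * Validates {@code rawConfig} and builds a provider from it.
     *
     * <p>The STS audience is {@code identitynamespace:<project>.svc.id.goog:<clusterUrl>}; the
     * separator is a literal colon and is part of the audience format. The provider is given the
     * fixed {@link #RPC_TIMEOUT_SECONDS} timeout, not the parsed {@code time_out}.
     *
     * @throws NullPointerException if a duration object was present without a {@code seconds}
     *                              entry (unboxing of the null field)
     */
    @Override // io.grpc.xds.internal.certprovider.CertificateProviderProvider
    public CertificateProvider createCertificateProvider(Object rawConfig, CertificateProvider.DistributorWatcher watcher, boolean notifyCertUpdates) {
        Config config = validateAndTranslateConfig(rawConfig);
        String audience = AUDIENCE_PREFIX + config.project + TRUST_DOMAIN_SUFFIX + ":" + config.gkeClusterUrl;
        // Argument order matters: STS credentials are created before the executor, so a failed
        // credential set-up does not leave an orphaned executor thread behind.
        return this.meshCaCertificateProviderFactory.create(
                watcher,
                notifyCertUpdates,
                config.meshCaUrl,
                config.zone,
                config.certValiditySeconds.longValue(),
                config.keySize.intValue(),
                config.keyAlgo,
                config.signatureAlgo,
                this.meshCaChannelFactory,
                this.backoffPolicyProvider,
                config.renewalGracePeriodSeconds.longValue(),
                config.maxRetryAttempts.intValue(),
                this.stsCredentialsFactory.create(config.stsUrl, audience, config.gkeSaJwtLocation),
                this.scheduledExecutorServiceFactory.create(config.meshCaUrl),
                this.timeProvider,
                TimeUnit.SECONDS.toMillis(RPC_TIMEOUT_SECONDS));
    }

    /** Registry name of this provider: {@value #MESH_CA_NAME}. */
    @Override // io.grpc.xds.internal.certprovider.CertificateProviderProvider
    public String getName() {
        return MESH_CA_NAME;
    }
}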
