package io.cellery.security.cell.sts.server.core.service;

import com.google.protobuf.InvalidProtocolBufferException;
import com.google.rpc.Status;
import io.cellery.security.cell.sts.server.core.CellStsUtils;
import io.cellery.security.cell.sts.server.core.generated.envoy.core.Base;
import io.cellery.security.cell.sts.server.core.generated.envoy.service.auth.v2alpha.AttributeContextOuterClass;
import io.cellery.security.cell.sts.server.core.generated.envoy.service.auth.v2alpha.AuthorizationGrpc;
import io.cellery.security.cell.sts.server.core.generated.envoy.service.auth.v2alpha.ExternalAuth;
import io.cellery.security.cell.sts.server.core.generated.istio.mixer.v1.AttributesOuterClass;
import io.cellery.security.cell.sts.server.core.model.CellStsRequest;
import io.cellery.security.cell.sts.server.core.model.CellStsResponse;
import io.cellery.security.cell.sts.server.core.model.RequestContext;
import io.cellery.security.cell.sts.server.core.model.RequestDestination;
import io.cellery.security.cell.sts.server.core.model.RequestSource;
import io.grpc.stub.StreamObserver;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

/* loaded from: input_file:io/cellery/security/cell/sts/server/core/service/CelleryCellInterceptorService.class */
public abstract class CelleryCellInterceptorService extends AuthorizationGrpc.AuthorizationImplBase {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CelleryCellInterceptorService.class);
    private static final String REQUEST_ID = "request.id";
    private static final String CELL_NAME = "cell.name";
    private static final String REQUEST_ID_HEADER = "x-request-id";
    private static final String DESTINATION_HEADER = ":authority";
    private static final String CELL_NAME_ENV_VARIABLE = "CELL_NAME";
    private static final String ISTIO_ATTRIBUTES_HEADER = "x-istio-attributes";
    private static final String ISTIO_INGRESS_PREFIX = "istio-ingressgateway";
    protected CelleryCellStsService cellStsService;

    public CelleryCellInterceptorService(CelleryCellStsService celleryCellStsService) throws CelleryCellSTSException {
        this.cellStsService = celleryCellStsService;
    }

    @Override // io.cellery.security.cell.sts.server.core.generated.envoy.service.auth.v2alpha.AuthorizationGrpc.AuthorizationImplBase
    public final void check(ExternalAuth.CheckRequest checkRequest, StreamObserver<ExternalAuth.CheckResponse> streamObserver) {
        ExternalAuth.CheckResponse buildErrorResponse;
        try {
            try {
                MDC.put(REQUEST_ID, getRequestId(checkRequest));
                MDC.put(CELL_NAME, getMyCellName());
                String destination = getDestination(checkRequest);
                log.debug("Request from Istio-Proxy (destination:{}):\n{}", destination, checkRequest);
                CellStsRequest buildCellStsRequest = buildCellStsRequest(checkRequest);
                AttributesOuterClass.Attributes attributesFromRequest = getAttributesFromRequest(checkRequest);
                log.debug("Request Attributes: \n" + (attributesFromRequest != null ? attributesFromRequest.getAttributesMap() : Collections.emptyMap()));
                CellStsResponse cellStsResponse = new CellStsResponse();
                handleRequest(buildCellStsRequest, cellStsResponse);
                buildErrorResponse = ExternalAuth.CheckResponse.newBuilder().setStatus(Status.newBuilder().setCode(0).build()).setOkResponse(buildOkHttpResponseWithHeaders(cellStsResponse.getResponseHeaders())).build();
                log.debug("Response to istio-proxy (destination:{}):\n{}", destination, buildErrorResponse);
                MDC.clear();
            } catch (CelleryCellSTSException e) {
                log.error("Error while handling request from istio-proxy to (destination:{})", getDestination(checkRequest), e);
                buildErrorResponse = buildErrorResponse();
                MDC.clear();
            }
            streamObserver.onNext(buildErrorResponse);
            streamObserver.onCompleted();
        } catch (Throwable th) {
            MDC.clear();
            throw th;
        }
    }

    protected abstract void handleRequest(CellStsRequest cellStsRequest, CellStsResponse cellStsResponse) throws CelleryCellSTSException;

    private ExternalAuth.CheckResponse buildErrorResponse() {
        return ExternalAuth.CheckResponse.newBuilder().setStatus(Status.newBuilder().setCode(7).build()).build();
    }

    private ExternalAuth.OkHttpResponse buildOkHttpResponseWithHeaders(Map<String, String> map) {
        ExternalAuth.OkHttpResponse.Builder newBuilder = ExternalAuth.OkHttpResponse.newBuilder();
        map.forEach((str, str2) -> {
            newBuilder.addHeaders(buildHeader(str, str2));
        });
        return newBuilder.build();
    }

    private Base.HeaderValueOption buildHeader(String str, String str2) {
        return Base.HeaderValueOption.newBuilder().setHeader(Base.HeaderValue.newBuilder().setKey(str).setValue(str2)).build();
    }

    private String getRequestId(ExternalAuth.CheckRequest checkRequest) throws CelleryCellSTSException {
        String str = checkRequest.getAttributes().getRequest().getHttp().getHeadersMap().get(REQUEST_ID_HEADER);
        if (StringUtils.isBlank(str)) {
            throw new CelleryCellSTSException("Request Id cannot be found in the header: x-request-id");
        }
        return str;
    }

    private String getDestination(ExternalAuth.CheckRequest checkRequest) {
        AttributesOuterClass.Attributes.AttributeValue attributeValue;
        String str = "";
        AttributesOuterClass.Attributes attributesFromRequest = getAttributesFromRequest(checkRequest);
        if (attributesFromRequest != null && (attributeValue = attributesFromRequest.getAttributesMap().get("destination.service.name")) != null) {
            str = attributeValue.getStringValue();
        }
        if (StringUtils.isEmpty(str)) {
            log.debug("Destination cannot be found in request attributes.");
            str = checkRequest.getAttributes().getRequest().getHttp().getHeadersMap().get(DESTINATION_HEADER);
            if (StringUtils.isBlank(str)) {
                str = checkRequest.getAttributes().getRequest().getHttp().getHost();
                log.debug("Destination is picked from host value in the request.");
            }
        }
        return str;
    }

    private String getMyCellName() throws CelleryCellSTSException {
        String str = System.getenv(CELL_NAME_ENV_VARIABLE);
        if (StringUtils.isBlank(str)) {
            throw new CelleryCellSTSException("Environment variable 'CELL_NAME' is empty.");
        }
        return str;
    }

    private CellStsRequest buildCellStsRequest(ExternalAuth.CheckRequest checkRequest) throws CelleryCellSTSException {
        return new CellStsRequest.CellStsRequestBuilder().setRequestId(getRequestId(checkRequest)).setRequestHeaders(checkRequest.getAttributes().getRequest().getHttp().getHeaders()).setSource(buildRequestSource(checkRequest)).setDestination(buildRequestDestination(checkRequest)).setRequestContext(buildRequestContext(checkRequest)).build();
    }

    private AttributesOuterClass.Attributes getAttributesFromRequest(ExternalAuth.CheckRequest checkRequest) {
        String mixerAttributesHeader = getMixerAttributesHeader(checkRequest);
        if (!StringUtils.isNotBlank(mixerAttributesHeader)) {
            return null;
        }
        try {
            return AttributesOuterClass.Attributes.parseFrom(Base64.getDecoder().decode(mixerAttributesHeader.getBytes(StandardCharsets.UTF_8)));
        } catch (InvalidProtocolBufferException e) {
            log.error("Error while trying to decode mixer attributes from '{}' header", ISTIO_ATTRIBUTES_HEADER);
            return null;
        }
    }

    private String getMixerAttributesHeader(ExternalAuth.CheckRequest checkRequest) {
        return checkRequest.getAttributes().getRequest().getHttp().getHeadersMap().get(ISTIO_ATTRIBUTES_HEADER);
    }

    private RequestContext buildRequestContext(ExternalAuth.CheckRequest checkRequest) {
        AttributeContextOuterClass.AttributeContext.HttpRequest http = checkRequest.getAttributes().getRequest().getHttp();
        return new RequestContext().setHost(http.getHost()).setProtocol(http.getProtocol()).setMethod(http.getMethod()).setPath(http.getPath());
    }

    private RequestSource buildRequestSource(ExternalAuth.CheckRequest checkRequest) {
        AttributesOuterClass.Attributes.AttributeValue attributeValue;
        AttributesOuterClass.Attributes attributesFromRequest = getAttributesFromRequest(checkRequest);
        RequestSource.RequestSourceBuilder requestSourceBuilder = new RequestSource.RequestSourceBuilder();
        if (attributesFromRequest != null && (attributeValue = attributesFromRequest.getAttributesMap().get("source.uid")) != null) {
            String replace = attributeValue.getStringValue().replace("kubernetes://", "");
            requestSourceBuilder.setWorkload(replace).setCellName(extractCellNameFromWorkloadName(replace));
        }
        return requestSourceBuilder.build();
    }

    private String extractCellNameFromWorkloadName(String str) {
        if (!(StringUtils.isNotEmpty(str) && str.startsWith(ISTIO_INGRESS_PREFIX)) && str.contains("--")) {
            return str.split("--")[0];
        }
        return null;
    }

    private RequestDestination buildRequestDestination(ExternalAuth.CheckRequest checkRequest) {
        RequestDestination.RequestDestinationBuilder requestDestinationBuilder = new RequestDestination.RequestDestinationBuilder();
        String destination = getDestination(checkRequest);
        if (StringUtils.isNotBlank(destination)) {
            requestDestinationBuilder.setWorkload(destination);
        }
        if (CellStsUtils.isWorkloadExternalToCellery(destination)) {
            requestDestinationBuilder.setExternalToCellery(true);
        } else {
            requestDestinationBuilder.setCellName(extractCellNameFromWorkloadName(destination));
        }
        return requestDestinationBuilder.build();
    }
}
