package ch.usp.core.waap.spec.v1.render.origin;

import ch.usp.core.waap.spec.v1.spec.WaapSpec;
import ch.usp.core.waap.spec.v1.spec.WaapSpecValidationException;
import ch.usp.core.waap.spec.v1.spec.origin.WaapOriginBlocking;
import ch.usp.core.waap.spec.v1.spec.route.WaapRoute;
import com.google.protobuf.Any;
import com.google.protobuf.UInt32Value;
import io.envoyproxy.envoy.config.core.v3.CidrRange;
import io.envoyproxy.envoy.config.rbac.v3.Permission;
import io.envoyproxy.envoy.config.rbac.v3.Policy;
import io.envoyproxy.envoy.config.rbac.v3.Principal;
import io.envoyproxy.envoy.config.rbac.v3.RBAC;
import io.envoyproxy.envoy.config.route.v3.Route;
import io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBAC;
import io.envoyproxy.envoy.extensions.filters.http.rbac.v3.RBACPerRoute;
import io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3.HttpFilter;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.apache.commons.net.util.SubnetUtils;

/* loaded from: input_file:ch/usp/core/waap/spec/v1/render/origin/WaapToEnvoyOriginBlocking.class */
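/**
 * Renders WAAP "origin blocking" (allow/deny lists of client IP ranges) into Envoy HTTP RBAC
 * filter configuration.
 *
 * <p>Two levels are rendered:
 * <ul>
 *   <li>listener-wide blocking from {@link WaapSpec#getOriginBlocking()}, emitted as the rules of
 *       the {@code envoy.filters.http.rbac} filter itself ({@link #addListenerFilterIfConfigured});</li>
 *   <li>per-route blocking from {@code route.match.filters.originBlocking}, emitted as an
 *       {@link RBACPerRoute} typed per-filter config on the route ({@link #addRouteFilterIfConfigured}).
 *       Because a per-route config can only attach to a filter that exists in the chain, an
 *       allow-any listener filter is installed when only routes carry origin blocking.</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Principals are matched with Envoy's {@code remote_ip}. In Envoy that is the downstream
 *       address as determined by the HTTP connection manager's trusted-proxy / XFF handling, which
 *       is rendered elsewhere; the lists are only as trustworthy as that configuration. Verify it
 *       before relying on these lists as a security boundary.</li>
 *   <li>Envoy applies a per-route RBAC config as an override of the filter-level rules, not as an
 *       addition; a route with its own origin blocking is therefore not additionally subject to the
 *       listener-wide list. NOTE(review): this is Envoy behaviour, not something this class
 *       controls — confirm against the targeted Envoy version.</li>
 *   <li>Only IPv4 entries are accepted ({@link SubnetUtils} is IPv4-only). Anything else, including
 *       IPv6 literals, is rejected at render time with a {@link WaapSpecValidationException}, so a
 *       mis-typed entry fails the whole spec rather than silently matching nothing.</li>
 *   <li>Host bits of a range are normalised away by {@link SubnetUtils} ("10.1.2.3/8" is rendered
 *       as "10.0.0.0/8"); the rendered range can therefore be wider than the literal entry.</li>
 * </ul>
 */
public final class WaapToEnvoyOriginBlocking {
    private static final String POLICY_NAME_LISTENER_IPS = "core.waap.listener.policy.originBlocking.ips";
    private static final String POLICY_NAME_LISTENER_ALLOW_ANY = "core.waap.listener.policy.allowAny";
    private static final String POLICY_NAME_ROUTE_IPS = "core.waap.route.policy.originBlocking.ips";
    private static final String ENVOY_FILTERS_HTTP_RBAC_NAME = "envoy.filters.http.rbac";
    private static final String NETMASK_DELIMITER = "/";
    private static final String SINGLE_IP_NETMASK = "/32";

    private WaapToEnvoyOriginBlocking() {
    }

    /**
     * Appends the {@code envoy.filters.http.rbac} filter to {@code list} when the spec carries origin
     * blocking at listener level or on at least one route.
     *
     * <p>With listener-level blocking the filter carries that list as its rules; otherwise it carries
     * an allow-any policy whose only purpose is to let per-route configs attach. Nothing is added
     * when no origin blocking is configured anywhere.
     *
     * @param waapSpec spec being rendered
     * @param list     filter chain under construction; the filter is appended in place
     * @throws WaapSpecValidationException if a configured IP entry cannot be rendered as a CIDR
     */
    public static void addListenerFilterIfConfigured(WaapSpec waapSpec, List<HttpFilter> list) {
        boolean listenerLevel = hasListenerOriginBlocking(waapSpec);
        if (!listenerLevel && !hasRouteOriginBlockings(waapSpec)) {
            return;
        }
        io.envoyproxy.envoy.config.rbac.v3.RBAC rules = listenerLevel
                ? toNamedRbacConfig(waapSpec.getOriginBlocking(), POLICY_NAME_LISTENER_IPS)
                : getListenerAllowAnyRbacConfig();
        list.add(HttpFilter.newBuilder()
                .setName(ENVOY_FILTERS_HTTP_RBAC_NAME)
                .setTypedConfig(Any.pack(RBAC.newBuilder().setRules(rules).build()))
                .build());
    }

    /**
     * Attaches the route's origin blocking, if any, as an {@link RBACPerRoute} typed per-filter config.
     *
     * <p>The per-route config is only honoured by Envoy if the RBAC filter is present in the listener's
     * chain, which {@link #addListenerFilterIfConfigured} guarantees whenever any route has blocking.
     *
     * @param waapRoute route being rendered
     * @param builder   Envoy route under construction; left untouched when the route has no blocking
     * @throws WaapSpecValidationException if a configured IP entry cannot be rendered as a CIDR
     */
    public static void addRouteFilterIfConfigured(WaapRoute waapRoute, Route.Builder builder) {
        Optional<WaapOriginBlocking> originBlocking = maybeOriginBlocking(waapRoute);
        if (originBlocking.isEmpty()) {
            return;
        }
        io.envoyproxy.envoy.config.rbac.v3.RBAC rules =
                toNamedRbacConfig(originBlocking.get(), POLICY_NAME_ROUTE_IPS);
        RBACPerRoute perRoute = RBACPerRoute.newBuilder()
                .setRbac(RBAC.newBuilder().setRules(rules).build())
                .build();
        builder.putTypedPerFilterConfig(ENVOY_FILTERS_HTTP_RBAC_NAME, Any.pack(perRoute));
    }

    /**
     * Builds an ALLOW rule set with a single any-permission / any-principal policy.
     *
     * <p>This restricts nothing; it exists so the RBAC filter is in the chain for routes that carry
     * their own origin blocking.
     */
    private static io.envoyproxy.envoy.config.rbac.v3.RBAC getListenerAllowAnyRbacConfig() {
        Policy allowAny = Policy.newBuilder()
                .addPermissions(Permission.newBuilder().setAny(true).build())
                .addPrincipals(Principal.newBuilder().setAny(true).build())
                .build();
        return io.envoyproxy.envoy.config.rbac.v3.RBAC.newBuilder()
                .setAction(io.envoyproxy.envoy.config.rbac.v3.RBAC.Action.ALLOW)
                .putPolicies(POLICY_NAME_LISTENER_ALLOW_ANY, allowAny)
                .build();
    }

    /**
     * Builds a rule set holding one policy, named {@code policyName}, that matches any request
     * (any permission) from any of the configured IP ranges, with the action derived from the
     * blocking policy: ALLOW makes the list an allowlist, everything else a denylist.
     *
     * @throws WaapSpecValidationException if the IP set is empty or an entry is not a valid IPv4 CIDR
     */
    private static io.envoyproxy.envoy.config.rbac.v3.RBAC toNamedRbacConfig(WaapOriginBlocking waapOriginBlocking, String policyName) {
        Policy ipPolicy = Policy.newBuilder()
                .addPermissions(Permission.newBuilder().setAny(true).build())
                .addAllPrincipals(toRemoteIpPrincipals(waapOriginBlocking.getIps()))
                .build();
        return io.envoyproxy.envoy.config.rbac.v3.RBAC.newBuilder()
                .setAction(toRbacAction(waapOriginBlocking.getPolicy()))
                .putPolicies(policyName, ipPolicy)
                .build();
    }

    /** True when the spec carries listener-wide origin blocking. */
    private static boolean hasListenerOriginBlocking(WaapSpec waapSpec) {
        return waapSpec.getOriginBlocking() != null;
    }

    /** True when at least one route of the spec carries origin blocking. */
    private static boolean hasRouteOriginBlockings(WaapSpec waapSpec) {
        return waapSpec.getRoutes().stream()
                .map(WaapToEnvoyOriginBlocking::maybeOriginBlocking)
                .anyMatch(Optional::isPresent);
    }

    /** Origin blocking configured under {@code route.match.filters}, empty when any link is null. */
    private static Optional<WaapOriginBlocking> maybeOriginBlocking(WaapRoute waapRoute) {
        return Optional.ofNullable(waapRoute.getMatch())
                .map(match -> match.getFilters())
                .map(filters -> filters.getOriginBlocking());
    }

    /**
     * Maps the blocking policy to the RBAC action.
     *
     * <p>Only an explicit ALLOW yields an allowlist; any other value, including {@code null}, is
     * rendered as a denylist. An operator who intended an allowlist but omitted the policy therefore
     * ends up blocking only the listed ranges — keep this in mind when reviewing specs.
     */
    private static io.envoyproxy.envoy.config.rbac.v3.RBAC.Action toRbacAction(WaapOriginBlocking.Policy policy) {
        if (WaapOriginBlocking.Policy.ALLOW.equals(policy)) {
            return io.envoyproxy.envoy.config.rbac.v3.RBAC.Action.ALLOW;
        }
        return io.envoyproxy.envoy.config.rbac.v3.RBAC.Action.DENY;
    }

    /**
     * Converts each configured IP entry into a {@code remote_ip} principal.
     *
     * <p>An empty or missing set is rejected here: Envoy's proto validation requires at least one
     * principal per policy, so rendering an empty list would only produce a configuration Envoy
     * rejects later, leaving the previous config in place without a clear error.
     *
     * @throws WaapSpecValidationException if the set is null/empty or an entry is not a valid IPv4 CIDR
     */
    private static Iterable<Principal> toRemoteIpPrincipals(Set<String> ips) {
        if (ips == null || ips.isEmpty()) {
            throw new WaapSpecValidationException("Origin blocking requires at least one IP");
        }
        return ips.stream()
                .map(WaapToEnvoyOriginBlocking::toCidrRange)
                .map(WaapToEnvoyOriginBlocking::toRemoteIpPrincipal)
                .toList();
    }

    /**
     * Parses one entry ("a.b.c.d" or "a.b.c.d/n") into an Envoy {@link CidrRange}.
     *
     * <p>A bare address is treated as a /32. The entry is run through {@link SubnetUtils}, which
     * validates it (IPv4 only) and normalises it to its network address, so host bits set in the
     * entry are dropped. Null or blank entries are rejected instead of surfacing as a
     * {@link NullPointerException} from the stream.
     *
     * @throws WaapSpecValidationException if the entry is null, blank or not a valid IPv4 CIDR
     */
    private static CidrRange toCidrRange(String ip) {
        if (ip == null || ip.isBlank()) {
            throw new WaapSpecValidationException("Invalid CIDR format of IP in origin blocking");
        }
        String cidr = ip.contains(NETMASK_DELIMITER) ? ip : ip + SINGLE_IP_NETMASK;
        try {
            // getCidrSignature() always yields "<network>/<prefix>", so the split has two parts.
            String[] parts = new SubnetUtils(cidr).getInfo().getCidrSignature().split(NETMASK_DELIMITER);
            int prefixLen = Integer.parseInt(parts[1]);
            return CidrRange.newBuilder()
                    .setAddressPrefix(parts[0])
                    .setPrefixLen(UInt32Value.newBuilder().setValue(prefixLen).build())
                    .build();
        } catch (IllegalArgumentException e) {
            // NumberFormatException is an IllegalArgumentException, so a bad prefix lands here too.
            // TODO(review): the cause is dropped; attach it if WaapSpecValidationException has a
            // (String, Throwable) constructor.
            throw new WaapSpecValidationException("Invalid CIDR format of IP in origin blocking");
        }
    }

    /** Wraps a range as a {@code remote_ip} principal (see the class note on what remote_ip means). */
    private static Principal toRemoteIpPrincipal(CidrRange cidrRange) {
        return Principal.newBuilder().setRemoteIp(cidrRange).build();
    }
}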
