package io.confluent.auditlog.emitter.translator;

import com.google.protobuf.ProtocolStringList;
import io.confluent.auditlog.emitter.errormappers.ValidatorException;
import io.confluent.auditlog.emitter.utils.LogOptions;
import io.confluent.protobuf.events.auditlog.v2.AuditLog;
import io.confluent.protobuf.events.auditlog.v2.AuthenticationInfo;
import io.confluent.protobuf.events.auditlog.v2.Credentials;
import io.confluent.protobuf.events.auditlog.v2.ExternalAccount;
import io.confluent.protobuf.events.auditlog.v2.FullyQualifiedCloudResourceRef;
import io.confluent.protobuf.events.auditlog.v2.Principal;
import io.confluent.protobuf.events.auditlog.v2.RequestMetadata;
import io.confluent.protobuf.events.auditlog.v2.ResourceRef;
import io.confluent.protobuf.events.auditlog.v2.TypedCloudResourceRef;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:io/confluent/auditlog/emitter/translator/Validator.class */
/**
 * Checks that an {@link AuditLog} entry carries the fields this class requires.
 *
 * <p>Every check here is a presence or blankness test ({@code StringUtils.isBlank},
 * {@code hasX()}, an unset enum or oneof case). No value is parsed or checked for format:
 * any non-blank client IP, request id or resource id is accepted as given. Anything that
 * later treats these strings as trusted (for example when correlating or searching audit
 * records) has to do its own format checks.
 *
 * <p>All failures are reported by throwing {@link ValidatorException}.
 */
public class Validator {

    /**
     * Requires at least one non-blank request id and, unless empty IP addresses are allowed,
     * at least one client address with a non-blank IP.
     *
     * @param requestMetadata metadata to check
     * @param logOptions options; may be {@code null}, in which case the IP checks always run
     * @throws ValidatorException if a required value is missing or blank
     */
    private static void validateRequestMetadata(RequestMetadata requestMetadata, LogOptions logOptions) {
        ProtocolStringList requestIds = requestMetadata.getRequestIdList();
        if (requestIds.isEmpty()) {
            throw new ValidatorException("request metadata must have at least one request id");
        }
        for (String requestId : requestIds) {
            if (StringUtils.isBlank(requestId)) {
                throw new ValidatorException("request metadata request id cannot be empty");
            }
        }

        // NOTE(review): when this option is on, the client address list is not inspected at all,
        // so blank IPs in a non-empty list pass as well. Records emitted this way carry no
        // validated source address; confirm that is the intended meaning of the option.
        boolean skipClientIpChecks = logOptions != null && logOptions.isAllowEmptyIpAddress();
        if (skipClientIpChecks) {
            return;
        }

        List<RequestMetadata.Address> clientAddresses = requestMetadata.getClientAddressList();
        if (clientAddresses.isEmpty()) {
            throw new ValidatorException("request metadata must have at least one client ip address");
        }
        for (RequestMetadata.Address address : clientAddresses) {
            // Blankness only: the IP string is not parsed as an address.
            if (StringUtils.isBlank(address.getIp())) {
                throw new ValidatorException("request metadata client ip cannot be empty");
            }
        }
    }

    /**
     * Requires a resource ref to have a non-blank resource id or a non-blank internal id.
     *
     * @param resourceRef reference to check
     * @throws ValidatorException if both ids are blank
     */
    private static void validateResourceRef(ResourceRef resourceRef) {
        boolean resourceIdMissing = StringUtils.isBlank(resourceRef.getResourceId());
        if (resourceIdMissing && StringUtils.isBlank(resourceRef.getInternalId())) {
            throw new ValidatorException("resource ref cannot have an empty resource id and an empty internal id");
        }
    }

    /**
     * Requires an external account to have a non-blank subject and every listed namespace to
     * have both a non-blank type and a non-blank id. An empty namespace list is accepted.
     *
     * @param externalAccount account to check
     * @throws ValidatorException if the subject or any namespace field is blank
     */
    private static void validateExternalAccount(ExternalAccount externalAccount) {
        if (StringUtils.isBlank(externalAccount.getSubject())) {
            throw new ValidatorException("authentication info external account cannot have an empty subject");
        }
        for (ExternalAccount.Namespace ns : externalAccount.getNamespaceList()) {
            boolean complete = !StringUtils.isBlank(ns.getType()) && !StringUtils.isBlank(ns.getId());
            if (!complete) {
                throw new ValidatorException("authentication info external account namespaces must contain both type and id");
            }
        }
    }

    /**
     * Requires a principal with its account set, then validates whichever account kinds are
     * present on it.
     *
     * @param authenticationInfo authentication info holding the principal
     * @param logOptions options; may be {@code null}, in which case the principal is always checked
     * @throws ValidatorException if the principal is missing, its account is unset, or a present
     *     account fails its own check
     */
    private static void validatePrincipal(AuthenticationInfo authenticationInfo, LogOptions logOptions) {
        // NOTE(review): with this option on, a principal that IS present is not validated either,
        // so a malformed principal passes untouched. For an audit trail this weakens attribution;
        // confirm the option is meant to skip the checks entirely rather than only permit absence.
        if (logOptions != null && logOptions.isAllowEmptyPrincipal()) {
            return;
        }

        if (!authenticationInfo.hasPrincipal()) {
            throw new ValidatorException("authentication info must have a principal");
        }
        Principal who = authenticationInfo.getPrincipal();
        if (who.getAccountCase() == Principal.AccountCase.ACCOUNT_NOT_SET) {
            throw new ValidatorException("authentication info principal account cannot be unset");
        }

        if (who.hasExternalAccount()) {
            validateExternalAccount(who.getExternalAccount());
        }
        if (who.hasConfluentUser()) {
            validateResourceRef(who.getConfluentUser());
        }
        if (who.hasConfluentServiceAccount()) {
            validateResourceRef(who.getConfluentServiceAccount());
        }
        if (who.hasIdentityPool()) {
            validateResourceRef(who.getIdentityPool());
        }
    }

    /**
     * Validates the principal and, when credentials are present, rejects an unset mechanism.
     * Absent credentials are accepted.
     *
     * @param authenticationInfo authentication info to check
     * @param logOptions options forwarded to the principal check; may be {@code null}
     * @throws ValidatorException if the principal check fails or the mechanism is {@code UNSET}
     */
    private static void validateAuthenticationInfo(AuthenticationInfo authenticationInfo, LogOptions logOptions) {
        validatePrincipal(authenticationInfo, logOptions);

        if (!authenticationInfo.hasCredentials()) {
            return;
        }
        // Only UNSET is rejected. NOTE(review): if this enum also has an UNRECOGNIZED value
        // (as proto3-generated enums do), it would pass this check; confirm.
        Credentials.Mechanism mechanism = authenticationInfo.getCredentials().getMechanism();
        if (mechanism == Credentials.Mechanism.UNSET) {
            throw new ValidatorException("authentication info credentials cannot be " + Credentials.Mechanism.UNSET);
        }
    }

    /**
     * Requires a typed cloud resource ref to have a non-blank resource id.
     *
     * @param typedCloudResourceRef reference to check
     * @throws ValidatorException if the resource id is blank
     */
    private static void validateCloudResource(TypedCloudResourceRef typedCloudResourceRef) {
        String resourceId = typedCloudResourceRef.getResourceId();
        if (StringUtils.isBlank(resourceId)) {
            throw new ValidatorException("cloud resource ref cannot have an empty resource id");
        }
    }

    /**
     * Requires at least one cloud resource; for each one, validates the scope resources (when a
     * scope is present) and then requires and validates the target resource.
     *
     * @param list cloud resources of the audit entry
     * @throws ValidatorException if the list is empty, a target resource is unset, or any
     *     resource id is blank
     */
    private static void validateCloudResources(List<FullyQualifiedCloudResourceRef> list) {
        if (list.isEmpty()) {
            throw new ValidatorException("must have at least one cloud resource");
        }
        for (FullyQualifiedCloudResourceRef ref : list) {
            // Scope entries are checked before the target, so a blank scope id is reported first.
            if (ref.hasScope()) {
                for (TypedCloudResourceRef scoped : ref.getScope().getResourcesList()) {
                    validateCloudResource(scoped);
                }
            }
            if (!ref.hasResource()) {
                throw new ValidatorException("cannot have unset target resource");
            }
            validateCloudResource(ref.getResource());
        }
    }

    /**
     * Validates a whole audit entry: non-null, non-blank method name, cloud resources,
     * authentication info, then request metadata, in that order. The first failing check throws.
     *
     * <p>Decompiler note kept from the listing: the access modifier of this method was changed
     * from {@code protected}.
     *
     * @param auditLog entry to validate
     * @param logOptions options that can relax the principal and client IP checks; may be
     *     {@code null}, in which case nothing is relaxed
     * @throws ValidatorException on the first check that fails
     */
    public static void validateAuditEntry(AuditLog auditLog, LogOptions logOptions) {
        if (auditLog == null) {
            throw new ValidatorException("audit entry cannot be null");
        }
        String methodName = auditLog.getMethodName();
        if (StringUtils.isBlank(methodName)) {
            throw new ValidatorException("method name cannot be empty");
        }

        validateCloudResources(auditLog.getCloudResourcesList());

        if (!auditLog.hasAuthenticationInfo()) {
            throw new ValidatorException("audit entry must have an authentication info");
        }
        validateAuthenticationInfo(auditLog.getAuthenticationInfo(), logOptions);

        if (!auditLog.hasRequestMetadata()) {
            throw new ValidatorException("audit entry must have request metadata");
        }
        validateRequestMetadata(auditLog.getRequestMetadata(), logOptions);
    }
}
