package io.confluent.security.mtls;

import io.confluent.security.policyapi.cel.TrustPolicyCelLibrary;
import io.confluent.security.policyapi.exception.PolicyEngineException;
import io.confluent.security.policyapi.exception.PolicyViolationException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.projectnessie.cel.Env;
import org.projectnessie.cel.EnvOption;
import org.projectnessie.cel.Program;
import org.projectnessie.cel.ProgramOption;
import org.projectnessie.cel.checker.Decls;
import org.projectnessie.cel.common.types.BoolT;
import org.projectnessie.cel.common.types.Err;
import org.projectnessie.cel.common.types.ListT;
import org.projectnessie.cel.common.types.NullT;
import org.projectnessie.cel.common.types.StringT;
import org.projectnessie.cel.common.types.pb.ProtoTypeRegistry;
import org.projectnessie.cel.common.types.ref.Type;
import org.projectnessie.cel.common.types.ref.TypeEnum;
import org.projectnessie.cel.common.types.ref.Val;

/* loaded from: input_file:io/confluent/security/mtls/CertIdentityPoolFilter.class */
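/**
 * Matches client-certificate metadata against identity-pool filters written in CEL.
 *
 * <p>Filters are compiled against one shared {@link Env} that declares every name in
 * {@code CertMetadataIdentifier.IDENTIFIERS} as a string variable and adds
 * {@code TrustPolicyCelLibrary.customEnvOption()}. Compiled programs are cached per instance,
 * keyed by the exact filter text.
 *
 * <p>Points a security reviewer should keep in mind:
 * <ul>
 *   <li>{@link #filter(String, Map)} fails closed: missing input and every failure during
 *       compilation or evaluation yield {@code false}, and nothing is logged here.</li>
 *   <li>The program cache is only ever read and added to; there is no size bound or eviction,
 *       and {@link #validate(String)} populates it as well.</li>
 * </ul>
 */
public class CertIdentityPoolFilter {
    private static final Env ENV = getEnv();

    // Compiled programs keyed by filter text. Entries are never removed, so memory grows with the
    // number of distinct filter strings seen by this instance.
    // NOTE(review): if filter text can reach validate()/filter() from a caller that is not fully
    // trusted, bound this cache (size cap or eviction) — confirm who controls the input.
    private final Map<String, Program> cacheCompiledFilters = new ConcurrentHashMap<>();

    /**
     * Evaluates a pool filter against certificate metadata.
     *
     * @param str the CEL filter expression
     * @param map variable bindings handed to the compiled program
     * @return {@code true} only when the filter evaluates to boolean {@code true}; {@code false}
     *     when either argument is null or empty, or when compilation or evaluation fails
     */
    public boolean filter(String str, Map<String, String> map) {
        if (str == null || str.isEmpty() || map == null || map.isEmpty()) {
            return false;
        }
        try {
            return evaluatePolicy(compilePolicy(str), map);
        } catch (Throwable th) {
            // Fail closed: a filter that cannot be compiled or evaluated must never match.
            // Throwable also covers JVM Errors, and the failure is dropped without a trace, so a
            // broken filter is indistinguishable from a non-matching one at this layer.
            // NOTE(review): consider recording the failure (metric or log) so misconfigured
            // filters are detectable; no logger is in scope in this class.
            return false;
        }
    }

    /**
     * Compiles a filter and evaluates it once with no variable bindings.
     *
     * <p>NOTE(review): {@link #evaluatePolicy(Program, Map)} returns {@code false} instead of
     * throwing when evaluation yields an error value, so a filter whose evaluation errors without
     * bindings passes this check. Presumably that includes any expression that reads a declared
     * identifier, which would let a non-boolean filter through validation — confirm, and consider
     * checking the result type of the checked expression at compile time instead.
     *
     * @param str the CEL filter expression to validate
     * @throws PolicyEngineException if the filter is null, cannot be compiled, or evaluates to a
     *     non-boolean value
     */
    public void validate(String str) {
        evaluatePolicy(compilePolicy(str), new HashMap<String, String>());
    }

    /**
     * Returns the compiled program for a filter, compiling and caching it on first use.
     *
     * <p>The lookup and the insert are separate steps, so two threads may compile the same filter
     * concurrently; the later {@code put} simply replaces the earlier entry.
     *
     * @param str the CEL filter expression
     * @return the cached or freshly compiled program
     * @throws PolicyEngineException if the filter is null or compilation fails; the
     *     {@link PolicyViolationException} raised for compile issues is caught by the same handler
     *     and becomes the cause
     */
    Program compilePolicy(String str) {
        if (str == null) {
            // ConcurrentHashMap rejects null keys with a bare NullPointerException; report a null
            // filter the same way as any other filter that cannot be loaded.
            throw new PolicyEngineException(String.format("Failed to load pool filter '%s'", str));
        }
        Program cached = this.cacheCompiledFilters.get(str);
        if (cached != null) {
            return cached;
        }
        try {
            Env.AstIssuesTuple compiled = ENV.compile(str);
            if (compiled.hasIssues()) {
                throw new PolicyViolationException(String.format("Failed to load pool filter '%s', violation: %s", str, compiled.getIssues().toString()));
            }
            Program fresh = ENV.program(compiled.getAst(), new ProgramOption[0]);
            this.cacheCompiledFilters.put(str, fresh);
            return fresh;
        } catch (Throwable th) {
            throw new PolicyEngineException(String.format("Failed to load pool filter '%s'", str), th);
        }
    }

    /**
     * Runs a compiled filter and interprets its result as a boolean.
     *
     * @param program the compiled filter
     * @param map variable bindings for the evaluation
     * @return the boolean result, or {@code false} when evaluation produced an error value
     * @throws PolicyEngineException if the result is neither an error value nor a boolean
     */
    static boolean evaluatePolicy(Program program, Map<String, String> map) {
        Val result = program.eval(map).getVal();
        if (Err.isError(result)) {
            // An evaluation error counts as "no match" rather than as a failure.
            return false;
        }
        if (result.type().typeEnum() != TypeEnum.Bool) {
            throw new PolicyEngineException(String.format("Pool filter fails to evaluate as boolean: %s", program));
        }
        return result.booleanValue();
    }

    /**
     * Builds the CEL environment shared by all filters: one string variable per certificate
     * metadata identifier, the trust-policy library option, and a registry that starts empty and
     * has only the null, bool, string and list types registered.
     */
    private static Env getEnv() {
        List<EnvOption> options = Arrays.asList(
                EnvOption.declarations(
                        CertMetadataIdentifier.IDENTIFIERS.stream()
                                .map(name -> Decls.newVar(name, Decls.String))
                                .collect(Collectors.toList())),
                TrustPolicyCelLibrary.customEnvOption());
        ProtoTypeRegistry registry = ProtoTypeRegistry.newEmptyRegistry();
        registry.registerType(new Type[]{NullT.NullType});
        registry.registerType(new Type[]{BoolT.BoolType});
        registry.registerType(new Type[]{StringT.StringType});
        registry.registerType(new Type[]{ListT.ListType});
        return Env.newCustomEnv(registry, options);
    }
}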
