package com.google.api.server.spi.auth;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.googleapis.auth.oauth2.GooglePublicKeysManager;
import com.google.api.server.spi.Client;
import com.google.api.server.spi.EnvUtil;
import com.google.api.server.spi.config.PeerAuthenticator;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:com/google/api/server/spi/auth/EndpointsPeerAuthenticator.class */
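/**
 * {@link PeerAuthenticator} that decides whether an incoming request comes from the Cloud
 * Endpoints frontend.
 *
 * <p>Three paths are taken, in this order:
 * <ol>
 *   <li>On App Engine, the request is accepted only if the {@code X-Appengine-Peer} header
 *       equals {@code apiserving}.</li>
 *   <li>Elsewhere, a request whose remote address is one of this host's local addresses is
 *       accepted without any token check.</li>
 *   <li>Otherwise the {@code Peer-Authorization} header must hold a token that verifies, whose
 *       email is {@link #SIGNER}, and whose audience host and port match the request URL.</li>
 * </ol>
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Path 1 trusts a request header. NOTE(review): this is only sound if the platform removes
 *       client-supplied {@code X-Appengine-*} headers before the request reaches the application;
 *       confirm for the runtime in use.</li>
 *   <li>Path 2 trusts {@code getRemoteAddr()}. NOTE(review): if this application is deployed
 *       behind a reverse proxy or sidecar on the same host, the remote address may always be a
 *       local one, which would skip peer verification for every request; confirm the deployment
 *       topology.</li>
 *   <li>Path 3 compares the signed audience with {@code getRequestURL()}. NOTE(review): servlet
 *       containers commonly derive that URL from the client-supplied {@code Host} header, so the
 *       check may bind the token to the host the client names rather than to a server-configured
 *       identity; consider comparing against a configured hostname.</li>
 * </ul>
 */
public class EndpointsPeerAuthenticator implements PeerAuthenticator {

    /** Issuer configured on the token verifier built by the default constructor. */
    @VisibleForTesting
    static final String ISSUER = "https://www.cloudendpointsapis.com";

    /** Email the verified peer token must carry. */
    @VisibleForTesting
    static final String SIGNER = "cloud-endpoints-signer@system.gserviceaccount.com";

    /** Header consulted when running on App Engine. */
    @VisibleForTesting
    static final String HEADER_APPENGINE_PEER = "X-Appengine-Peer";

    /** Value {@link #HEADER_APPENGINE_PEER} must equal for the request to be accepted. */
    @VisibleForTesting
    static final String APPENGINE_PEER = "apiserving";

    /** Header carrying the peer token when not running on App Engine. */
    @VisibleForTesting
    static final String HEADER_PEER_AUTHORIZATION = "Peer-Authorization";

    // Location of the signer's public certificates, handed to the public keys manager.
    private static final String PUBLIC_CERT_URL = "https://www.googleapis.com/service_accounts/v1/metadata/x509/cloud-endpoints-signer@system.gserviceaccount.com";
    private static final Logger logger = Logger.getLogger(EndpointsPeerAuthenticator.class.getName());
    // Must stay declared after `logger`: getLocalHostAddresses() logs during static initialisation.
    private static final ImmutableSet<String> localHostAddresses = getLocalHostAddresses();
    private final GoogleJwtAuthenticator jwtAuthenticator;

    /**
     * Collects the textual addresses this host answers to: the local host address, the loopback
     * address and every address {@code "localhost"} resolves to.
     *
     * <p>Each lookup is best-effort. If all of them fail the result is empty, in which case no
     * request matches the local-address shortcut in {@link #authenticate} and every request goes
     * through token verification.
     *
     * @return the addresses that could be resolved, possibly empty
     */
    private static ImmutableSet<String> getLocalHostAddresses() {
        // Typed builder; the raw builder plus String-to-Builder casts in the previous version
        // were not valid Java.
        ImmutableSet.Builder<String> builder = ImmutableSet.builder();
        try {
            builder.add(InetAddress.getLocalHost().getHostAddress());
        } catch (IOException ignored) {
            // Best-effort: an unresolved local host name only shrinks the set.
        }
        try {
            // A null host name resolves to the loopback interface.
            builder.add(InetAddress.getByName(null).getHostAddress());
        } catch (IOException ignored) {
            // Best-effort: see above.
        }
        try {
            for (InetAddress inetAddress : InetAddress.getAllByName("localhost")) {
                builder.add(inetAddress.getHostAddress());
            }
        } catch (IOException ignored) {
            // Best-effort: see above.
        }
        ImmutableSet<String> addresses = builder.build();
        if (addresses.isEmpty()) {
            logger.warning("Unable to lookup local addresses.");
        }
        return addresses;
    }

    /**
     * Creates an authenticator whose verifier fetches the signer certificates from
     * {@code PUBLIC_CERT_URL} and is configured with {@link #ISSUER}.
     */
    public EndpointsPeerAuthenticator() {
        Client client = Client.getInstance();
        GooglePublicKeysManager keysManager =
                new GooglePublicKeysManager.Builder(client.getHttpTransport(), client.getJsonFactory())
                        .setPublicCertsEncodedUrl(PUBLIC_CERT_URL)
                        .build();
        GoogleIdTokenVerifier verifier =
                new GoogleIdTokenVerifier.Builder(keysManager).setIssuer(ISSUER).build();
        this.jwtAuthenticator = new GoogleJwtAuthenticator(verifier);
    }

    /**
     * Creates an authenticator that delegates token verification to the given instance.
     *
     * @param googleJwtAuthenticator verifier used for the {@code Peer-Authorization} token
     */
    @VisibleForTesting
    public EndpointsPeerAuthenticator(GoogleJwtAuthenticator googleJwtAuthenticator) {
        this.jwtAuthenticator = googleJwtAuthenticator;
    }

    /**
     * Decides whether the request comes from the trusted peer; see the class comment for the
     * three paths and their trust assumptions.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if the request is accepted as coming from the peer
     */
    @Override
    public boolean authenticate(HttpServletRequest httpServletRequest) {
        if (EnvUtil.isRunningOnAppEngine()) {
            // Header-only decision; no token is examined on this path.
            return APPENGINE_PEER.equals(httpServletRequest.getHeader(HEADER_APPENGINE_PEER));
        }
        if (localHostAddresses.contains(httpServletRequest.getRemoteAddr())) {
            // Authentication bypass for local callers: nothing below runs for them.
            logger.fine("Skip endpoints peer verication from localhost.");
            return true;
        }
        // NOTE(review): the header may be absent, so verifyToken can receive null; a null result
        // is treated as a failed verification here.
        GoogleIdToken verifiedToken =
                this.jwtAuthenticator.verifyToken(httpServletRequest.getHeader(HEADER_PEER_AUTHORIZATION));
        if (verifiedToken == null) {
            return false;
        }
        return SIGNER.equals(verifiedToken.getPayload().getEmail())
                && matchHostAndPort(verifiedToken, httpServletRequest);
    }

    /**
     * Checks that the token's audience names the same host and effective port as the request URL.
     * The host comparison is exact and case-sensitive.
     *
     * @param googleIdToken the verified token whose audience is read
     * @param httpServletRequest the request whose URL is compared
     * @return {@code true} only if both host and effective port are equal; {@code false} if they
     *     differ, if the audience is not a single string, or if either URL cannot be parsed
     */
    private boolean matchHostAndPort(GoogleIdToken googleIdToken, HttpServletRequest httpServletRequest) {
        Object audience = googleIdToken.getPayload().getAudience();
        if (!(audience instanceof String)) {
            // Missing or multi-valued audience: reject instead of failing on a blind cast.
            logger.warning("Peer token audience is not a single URL string");
            return false;
        }
        try {
            URL audienceUrl = new URL((String) audience);
            URL requestUrl = new URL(httpServletRequest.getRequestURL().toString());
            return audienceUrl.getHost().equals(requestUrl.getHost())
                    && getPort(audienceUrl) == getPort(requestUrl);
        } catch (MalformedURLException e) {
            logger.warning("Invalid URL from request");
            return false;
        }
    }

    /**
     * Returns the URL's explicit port, or the protocol's default port when none is given, so that
     * {@code https://host} and {@code https://host:443} compare equal.
     */
    private int getPort(URL url) {
        int port = url.getPort();
        return port == -1 ? url.getDefaultPort() : port;
    }
}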
