package org.apache.knox.gateway.cloud.idbroker.s3a;

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.google.common.annotations.VisibleForTesting;
import java.io.Closeable;
import java.io.IOException;
import java.time.OffsetDateTime;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
import org.apache.hadoop.fs.s3a.auth.MarshalledCredentialBinding;
import org.apache.hadoop.fs.s3a.auth.MarshalledCredentials;
import org.apache.hadoop.fs.s3a.auth.NoAuthWithAWSException;
import org.apache.hadoop.fs.s3a.auth.RoleModel;
import org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding;
import org.apache.hadoop.fs.s3a.auth.delegation.AbstractS3ATokenIdentifier;
import org.apache.hadoop.fs.s3a.auth.delegation.DelegationTokenIOException;
import org.apache.hadoop.fs.s3a.auth.delegation.EncryptionSecrets;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.io.Text;
import org.apache.knox.gateway.cloud.idbroker.IDBConstants;
import org.apache.knox.gateway.cloud.idbroker.common.KnoxToken;
import org.apache.knox.gateway.cloud.idbroker.common.KnoxTokenMonitor;
import org.apache.knox.gateway.cloud.idbroker.common.UTCClock;
import org.apache.knox.gateway.cloud.idbroker.messages.RequestDTResponseMessage;
import org.apache.knox.gateway.shell.CloudAccessBrokerSession;
import org.apache.knox.gateway.shell.KnoxSession;
import org.apache.knox.gateway.util.Tokens;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/s3a/IDBDelegationTokenBinding.class */
public class IDBDelegationTokenBinding extends AbstractDelegationTokenBinding {
    private static final String E_NO_ACQUIRE_TOKEN_FROM_TOKEN = "Cannot acquire Knox token unless logged in; using %s";
    private static final String E_NO_ACQUIRE_TOKEN_WHEN_HAS_EXPIRED = "Knox token has expired; the current token is %s";
    private static final String E_NO_KNOX_DELEGATION_TOKEN = "No Knox token";
    private static final String E_NO_SESSION_TO_KNOX_AWS = "No session to knox AWS credential endpoint";
    protected static final Logger LOG = LoggerFactory.getLogger(IDBDelegationTokenBinding.class);
    private static final String NAME = "IDBDelegationToken";
    private static final String COMPONENT_NAME = "IDBDelegationToken";
    private AWSCredentialProviderList credentialProviders;
    private MarshalledCredentials marshalledCredentials;
    private S3AIDBClient idbClient;
    private UTCClock clock;
    private IDBS3ATokenIdentifier boundTokenIdentifier;
    private boolean collectAwsCredentials;
    private KnoxToken knoxToken;
    private KnoxTokenMonitor knoxTokenMonitor;
    private final Lock lock;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/s3a/IDBDelegationTokenBinding$GetKnoxTokenCommand.class */
    public class GetKnoxTokenCommand implements KnoxTokenMonitor.GetKnoxTokenCommand {
        private GetKnoxTokenCommand() {
        }

        @Override // org.apache.knox.gateway.cloud.idbroker.common.KnoxTokenMonitor.GetKnoxTokenCommand
        public void execute(KnoxToken knoxToken) throws IOException {
            IDBDelegationTokenBinding.this.lock.lock();
            try {
                IDBDelegationTokenBinding.this.getNewKnoxToken(knoxToken != null);
            } finally {
                IDBDelegationTokenBinding.this.lock.unlock();
            }
        }
    }

    /* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/s3a/IDBDelegationTokenBinding$IDBCredentials.class */
    private class IDBCredentials implements AWSCredentialsProvider {
        private IDBCredentials() {
        }

        public AWSCredentials getCredentials() {
            try {
                return fetchCredentials();
            } catch (IOException e) {
                IDBDelegationTokenBinding.LOG.warn("Failed to fetch credentials: " + e.getMessage());
                IDBDelegationTokenBinding.LOG.debug("Failed to fetch credentials: ", e);
                throw new NoAuthWithAWSException(e.getMessage(), e);
            }
        }

        public void refresh() {
            IDBDelegationTokenBinding.this.resetAWSCredentials();
        }

        AWSCredentials fetchCredentials() throws IOException {
            IDBDelegationTokenBinding.this.lock.lock();
            try {
                IDBDelegationTokenBinding.this.maybeRenewAccessToken("fetching AWS credentials");
                return MarshalledCredentialBinding.toAWSCredentials(IDBDelegationTokenBinding.this.collectAWSCredentials(), MarshalledCredentials.CredentialTypeRequired.SessionOnly, "IDBDelegationToken");
            } finally {
                IDBDelegationTokenBinding.this.lock.unlock();
            }
        }

        public String toString() {
            return "IDBCredentials for " + IDBDelegationTokenBinding.super.toString();
        }
    }

    public IDBDelegationTokenBinding() {
        this("IDBDelegationToken", IDBS3AConstants.IDB_TOKEN_KIND);
    }

    public IDBDelegationTokenBinding(String str, Text text) {
        super(str, text);
        this.clock = UTCClock.getClock();
        this.collectAwsCredentials = true;
        this.lock = new ReentrantLock(true);
    }

    private void initKnoxTokenMonitor() {
        if (this.knoxTokenMonitor == null && this.idbClient != null && this.idbClient.shouldInitKnoxTokenMonitor()) {
            this.knoxTokenMonitor = new KnoxTokenMonitor();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @VisibleForTesting
    public MarshalledCredentials fetchMarshalledAWSCredentials(S3AIDBClient s3AIDBClient, CloudAccessBrokerSession cloudAccessBrokerSession) throws IOException {
        return s3AIDBClient.fetchCloudCredentials(cloudAccessBrokerSession);
    }

    private void bondToRequestedToken(RequestDTResponseMessage requestDTResponseMessage) throws IOException {
        String extractTokenFromResponse = extractTokenFromResponse(requestDTResponseMessage);
        LOG.info("Bonded to Knox token {}", Tokens.getTokenDisplayText(extractTokenFromResponse));
        String extractGatewayCertificate = extractGatewayCertificate(requestDTResponseMessage);
        if (extractGatewayCertificate.isEmpty()) {
            LOG.warn("No certificate provided by gateway: renewals will not work");
        }
        this.knoxToken = new KnoxToken("", extractTokenFromResponse, requestDTResponseMessage.token_type, requestDTResponseMessage.expiryTimeSeconds(), extractGatewayCertificate, requestDTResponseMessage.managed);
        monitorKnoxToken();
    }

    private String extractGatewayCertificate(RequestDTResponseMessage requestDTResponseMessage) {
        String str = requestDTResponseMessage.endpoint_public_cert;
        if (str == null) {
            str = "";
        }
        return str;
    }

    private String extractTokenFromResponse(RequestDTResponseMessage requestDTResponseMessage) throws DelegationTokenIOException {
        String str = requestDTResponseMessage.access_token;
        if (StringUtils.isEmpty(str)) {
            throw new DelegationTokenIOException(E_NO_KNOX_DELEGATION_TOKEN);
        }
        return str;
    }

    public AbstractS3ATokenIdentifier createTokenIdentifier(Optional<RoleModel.Policy> optional, EncryptionSecrets encryptionSecrets, Text text) throws IOException {
        this.lock.lock();
        try {
            this.credentialProviders = new AWSCredentialProviderList();
            this.credentialProviders.add(new IDBCredentials());
            maybeRenewAccessToken("creating token identifier");
            String accessToken = this.knoxToken == null ? "" : this.knoxToken.getAccessToken();
            long expiry = this.knoxToken == null ? 0L : this.knoxToken.getExpiry();
            String endpointPublicCert = this.knoxToken == null ? "" : this.knoxToken.getEndpointPublicCert();
            boolean isManaged = this.knoxToken == null ? false : this.knoxToken.isManaged();
            String credentialsURL = this.idbClient.getCredentialsURL();
            IDBS3ATokenIdentifier iDBS3ATokenIdentifier = new IDBS3ATokenIdentifier(IDBS3AConstants.IDB_TOKEN_KIND, getOwnerText(), text, getCanonicalUri(), accessToken, expiry, collectAWSCredentialsForDelegation(), encryptionSecrets, Objects.toString(optional.orElse(null), ""), "Created from " + credentialsURL, System.currentTimeMillis(), getOwner().getUserName(), credentialsURL, endpointPublicCert, isManaged);
            LOG.info("Created token identifier {}", iDBS3ATokenIdentifier);
            this.lock.unlock();
            return iDBS3ATokenIdentifier;
        } catch (Throwable th) {
            this.lock.unlock();
            throw th;
        }
    }

    public AWSCredentialProviderList deployUnbonded() throws IOException {
        this.lock.lock();
        try {
            this.idbClient = S3AIDBClient.createFullIDBClient(getConfig(), getOwner(), getFileSystem());
            Configuration config = getConfig();
            this.credentialProviders = new AWSCredentialProviderList();
            this.credentialProviders.add(new IDBCredentials());
            this.collectAwsCredentials = config.getBoolean(S3AIDBProperty.IDBROKER_INIT_CAB_CREDENTIALS.getPropertyName(), Boolean.valueOf(S3AIDBProperty.IDBROKER_INIT_CAB_CREDENTIALS.getDefaultValue()).booleanValue());
            maybeRenewAccessToken("deploying unbonded token");
            return this.credentialProviders;
        } finally {
            this.lock.unlock();
        }
    }

    public AWSCredentialProviderList bindToTokenIdentifier(AbstractS3ATokenIdentifier abstractS3ATokenIdentifier) throws IOException {
        this.lock.lock();
        try {
            LOG.info(new StringBuilder().append("Binding to retrieved Delegation Token identifier: ").append(abstractS3ATokenIdentifier).toString() == null ? "N/A" : abstractS3ATokenIdentifier.toString());
            this.idbClient = S3AIDBClient.createLightIDBClient(getConfig(), getFileSystem());
            IDBS3ATokenIdentifier iDBS3ATokenIdentifier = (IDBS3ATokenIdentifier) convertTokenIdentifier(abstractS3ATokenIdentifier, IDBS3ATokenIdentifier.class);
            iDBS3ATokenIdentifier.validate();
            this.boundTokenIdentifier = iDBS3ATokenIdentifier;
            this.marshalledCredentials = extractMarshalledCredentials(iDBS3ATokenIdentifier);
            this.knoxToken = new KnoxToken(iDBS3ATokenIdentifier.getOrigin(), iDBS3ATokenIdentifier.getAccessToken(), iDBS3ATokenIdentifier.getExpiryTime(), iDBS3ATokenIdentifier.getCertificate(), iDBS3ATokenIdentifier.isManaged());
            monitorKnoxToken();
            if (StringUtils.isNotEmpty(this.knoxToken.getEndpointPublicCert())) {
                LOG.debug("Using Cloud Access Broker public cert from delegation token");
            }
            this.credentialProviders = new AWSCredentialProviderList();
            this.credentialProviders.add(new IDBCredentials());
            LOG.debug("Renewing AWS Credentials if needed");
            if (maybeResetAWSCredentials().booleanValue()) {
                LOG.info("New AWS credentials will be requested");
            }
            AWSCredentialProviderList aWSCredentialProviderList = this.credentialProviders;
            this.lock.unlock();
            return aWSCredentialProviderList;
        } catch (Throwable th) {
            this.lock.unlock();
            throw th;
        }
    }

    /* renamed from: createEmptyIdentifier, reason: merged with bridge method [inline-methods] */
    public IDBS3ATokenIdentifier m31createEmptyIdentifier() {
        return new IDBS3ATokenIdentifier();
    }

    public String toString() {
        this.lock.lock();
        try {
            return "IDBDelegationTokenBinding{marshaledCredentials=" + Objects.toString(this.marshalledCredentials, "<unset>") + ", accessToken=" + Objects.toString(this.knoxToken, "<unset>") + '}';
        } finally {
            this.lock.unlock();
        }
    }

    private RequestDTResponseMessage requestNewKnoxToken(boolean z) throws IOException {
        Pair<KnoxSession, String> newKnoxDelegationTokenSession = getNewKnoxDelegationTokenSession();
        Closeable closeable = (KnoxSession) newKnoxDelegationTokenSession.getLeft();
        if (closeable == null) {
            String errorMessageString = this.boundTokenIdentifier == null ? "" : this.boundTokenIdentifier.errorMessageString();
            throw new DelegationTokenIOException(z ? String.format(Locale.ROOT, E_NO_ACQUIRE_TOKEN_WHEN_HAS_EXPIRED, errorMessageString) : String.format(Locale.ROOT, E_NO_ACQUIRE_TOKEN_FROM_TOKEN, errorMessageString));
        }
        try {
            RequestDTResponseMessage requestKnoxDelegationToken = this.idbClient.requestKnoxDelegationToken(closeable, (String) newKnoxDelegationTokenSession.getRight(), getCanonicalUri());
            IOUtils.cleanupWithLogger(LOG, new Closeable[]{closeable});
            return requestKnoxDelegationToken;
        } catch (Throwable th) {
            IOUtils.cleanupWithLogger(LOG, new Closeable[]{closeable});
            throw th;
        }
    }

    private Pair<KnoxSession, String> getNewKnoxDelegationTokenSession() throws IOException {
        LOG.debug("Attempting to create a Knox delegation token session using local credentials (kerberos, simple)");
        Pair<KnoxSession, String> createKnoxDTSession = this.idbClient.createKnoxDTSession(getConfig());
        if (createKnoxDTSession.getLeft() != null) {
            LOG.debug("Created a Knox delegation token session using local credentials (kerberos, simple)");
        }
        if (createKnoxDTSession.getLeft() == null) {
            throw new IllegalStateException(this.knoxToken == null ? IDBConstants.MESSAGE_FAILURE_TO_AUTHENTICATE_TO_IDB_KERBEROS : IDBConstants.MESSAGE_FAILURE_TO_AUTHENTICATE_TO_IDB_DT);
        }
        return createKnoxDTSession;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void maybeRenewAccessToken(String str) throws IOException {
        LOG.debug("Maybe renewing Knox Token when {}", str);
        if (this.knoxToken != null && !StringUtils.isBlank(this.knoxToken.getAccessToken())) {
            LOG.debug("Using existing Knox Token: " + Tokens.getTokenDisplayText(this.knoxToken.getAccessToken()));
        } else if (this.idbClient.shouldExcludeUserFromGettingKnoxToken()) {
            LOG.info("'{}' is excluded from getting Knox Token from IDBroker", this.idbClient.getOwnerUserName());
        } else {
            LOG.info("There is no Knox Token available, fetching one from IDBroker...");
            getNewKnoxToken(true);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void getNewKnoxToken(boolean z) throws IOException {
        RequestDTResponseMessage requestNewKnoxToken = requestNewKnoxToken(!z);
        if (requestNewKnoxToken != null) {
            bondToRequestedToken(requestNewKnoxToken);
        }
    }

    private MarshalledCredentials collectAWSCredentialsForDelegation() throws IOException {
        return this.collectAwsCredentials ? collectAWSCredentials() : MarshalledCredentials.empty();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public MarshalledCredentials collectAWSCredentials() throws IOException {
        if (maybeResetAWSCredentials().booleanValue()) {
            updateAWSCredentials();
        }
        LOG.debug("AWS credentials: {}", this.marshalledCredentials.toString());
        return this.marshalledCredentials;
    }

    @VisibleForTesting
    void updateAWSCredentials() throws IOException {
        LOG.debug("Requesting AWS credentials from IDBroker");
        CloudAccessBrokerSession createKnoxCABSession = this.idbClient.createKnoxCABSession(this.knoxToken);
        if (createKnoxCABSession == null) {
            throw new DelegationTokenIOException(E_NO_SESSION_TO_KNOX_AWS);
        }
        this.marshalledCredentials = fetchMarshalledAWSCredentials(this.idbClient, createKnoxCABSession);
    }

    @VisibleForTesting
    Boolean maybeResetAWSCredentials() {
        if (!areAWSCredentialsNeeded()) {
            return false;
        }
        resetAWSCredentials();
        return true;
    }

    private boolean areAWSCredentialsNeeded() {
        LOG.debug("Checking if AWS credentials are needed");
        LOG.debug("Clock current time: {}", this.clock.getCurrentTime());
        if (this.marshalledCredentials == null) {
            return true;
        }
        Optional<OffsetDateTime> expirationDateTime = this.marshalledCredentials.getExpirationDateTime();
        LOG.debug("Credential expiration time: {}", expirationDateTime);
        return this.clock.hasExpired(expirationDateTime);
    }

    @VisibleForTesting
    void resetAWSCredentials() {
        LOG.debug("Resetting AWS credentials");
        this.marshalledCredentials = null;
    }

    @VisibleForTesting
    static MarshalledCredentials extractMarshalledCredentials(IDBS3ATokenIdentifier iDBS3ATokenIdentifier) {
        MarshalledCredentials marshalledCredentials = iDBS3ATokenIdentifier.getMarshalledCredentials();
        if (marshalledCredentials.isValid(MarshalledCredentials.CredentialTypeRequired.SessionOnly)) {
            return marshalledCredentials;
        }
        return null;
    }

    protected void serviceStop() throws Exception {
        stopKnoxTokenMonitor();
        super.serviceStop();
    }

    private void monitorKnoxToken() {
        initKnoxTokenMonitor();
        if (this.knoxTokenMonitor != null) {
            this.knoxTokenMonitor.monitorKnoxToken(this.knoxToken, getConfig().getLong(S3AIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getPropertyName(), Long.parseLong(S3AIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getDefaultValue())), new GetKnoxTokenCommand());
        }
    }

    private void stopKnoxTokenMonitor() {
        if (this.knoxTokenMonitor != null) {
            this.knoxTokenMonitor.shutdown();
        }
    }
}
