package org.apache.knox.gateway.cloud.idbroker.abfs;

import java.io.Closeable;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.Charset;
import java.time.Instant;
import java.util.Date;
import java.util.Locale;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.azurebfs.oauth2.AzureADToken;
import org.apache.hadoop.fs.azurebfs.services.AuthType;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.service.Service;
import org.apache.knox.gateway.cloud.idbroker.IDBConstants;
import org.apache.knox.gateway.cloud.idbroker.common.CommonUtils;
import org.apache.knox.gateway.cloud.idbroker.common.KnoxToken;
import org.apache.knox.gateway.cloud.idbroker.common.KnoxTokenMonitor;
import org.apache.knox.gateway.cloud.idbroker.common.OAuthPayload;
import org.apache.knox.gateway.cloud.idbroker.common.Preconditions;
import org.apache.knox.gateway.cloud.idbroker.messages.RequestDTResponseMessage;
import org.apache.knox.gateway.shell.CloudAccessBrokerSession;
import org.apache.knox.gateway.shell.KnoxSession;
import org.apache.knox.gateway.util.Tokens;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/abfs/AbfsIDBIntegration.class */
public class AbfsIDBIntegration extends AbstractService {
    private URI fsUri;
    private Text service;
    private final Configuration configuration;
    private KnoxTokenMonitor knoxTokenMonitor;
    private final long knoxTokenExpirationOffsetSeconds;
    private final int retryCount;
    private UserGroupInformation owner;
    private AbfsIDBClient idbClient;
    private Token<AbfsIDBTokenIdentifier> deployedToken;
    private KnoxToken knoxToken;
    private AzureADToken adToken;
    private final Lock serviceStartLock;
    private final Lock getKnoxTokenLock;
    private final Lock getAzureADTokenLock;
    private String correlationId;
    private static final Logger LOG = LoggerFactory.getLogger(AbfsIDBIntegration.class);
    private static final SecretManager<AbfsIDBTokenIdentifier> secretManager = new TokenSecretManager();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/abfs/AbfsIDBIntegration$GetKnoxTokenCommand.class */
    public class GetKnoxTokenCommand implements KnoxTokenMonitor.GetKnoxTokenCommand {
        private GetKnoxTokenCommand() {
        }

        @Override // org.apache.knox.gateway.cloud.idbroker.common.KnoxTokenMonitor.GetKnoxTokenCommand
        public void execute(KnoxToken knoxToken) throws IOException {
            AbfsIDBIntegration.this.getKnoxTokenLock.lock();
            try {
                AbfsIDBIntegration.this.getNewKnoxToken();
            } finally {
                AbfsIDBIntegration.this.getKnoxTokenLock.unlock();
            }
        }
    }

    /* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/abfs/AbfsIDBIntegration$TokenSecretManager.class */
    protected static class TokenSecretManager extends SecretManager<AbfsIDBTokenIdentifier> {
        TokenSecretManager() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public byte[] createPassword(AbfsIDBTokenIdentifier abfsIDBTokenIdentifier) {
            return AbfsIDBIntegration.access$100();
        }

        public byte[] retrievePassword(AbfsIDBTokenIdentifier abfsIDBTokenIdentifier) {
            return AbfsIDBIntegration.access$100();
        }

        /* renamed from: createIdentifier, reason: merged with bridge method [inline-methods] */
        public AbfsIDBTokenIdentifier m8createIdentifier() {
            return AbfsIDBIntegration.access$200();
        }
    }

    private AbfsIDBIntegration(@Nonnull URI uri, @Nonnull Configuration configuration, @Nonnull String str) throws IOException {
        this("AbfsIDBIntegration", uri, configuration, str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AbfsIDBIntegration(@Nonnull String str, @Nonnull URI uri, @Nonnull Configuration configuration, @Nonnull String str2) throws IOException {
        super(str);
        this.serviceStartLock = new ReentrantLock(true);
        this.getKnoxTokenLock = new ReentrantLock(true);
        this.getAzureADTokenLock = new ReentrantLock(true);
        this.correlationId = UUID.randomUUID().toString();
        this.fsUri = (URI) Preconditions.checkNotNull(uri, "Filesystem URI");
        this.configuration = (Configuration) Preconditions.checkNotNull(configuration);
        this.owner = UserGroupInformation.getCurrentUser();
        this.service = new Text(uri.getScheme() + "://" + uri.getAuthority());
        if (LOG.isDebugEnabled() && !this.service.toString().equals(uri.toString())) {
            LOG.debug("Truncating service URI from {} to {} [{}]", new Object[]{uri, this.service, str2});
        }
        this.knoxTokenExpirationOffsetSeconds = configuration.getLong(AbfsIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getPropertyName(), Long.parseLong(AbfsIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getDefaultValue()));
        this.retryCount = configuration.getInt(AbfsIDBProperty.IDBROKER_RETRY_COUNT.getPropertyName(), Integer.parseInt(AbfsIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getDefaultValue()));
        LOG.debug("Creating AbfsIDBIntegration:\n\tOrigin: {}\n\tService: {}\n\tOwner: {}", new Object[]{str2, this.service, this.owner.getUserName()});
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static AbfsIDBIntegration fromDelegationTokenManager(URI uri, Configuration configuration) throws IOException {
        AbfsIDBIntegration abfsIDBIntegration = new AbfsIDBIntegration(uri, configuration, "DelegationTokenManager");
        abfsIDBIntegration.init(configuration);
        abfsIDBIntegration.start();
        return abfsIDBIntegration;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static AbfsIDBIntegration fromAbfsCredentialProvider(URI uri, Configuration configuration) throws IOException {
        AbfsIDBIntegration abfsIDBIntegration = new AbfsIDBIntegration(uri, configuration, "CredentialProvider");
        abfsIDBIntegration.init(configuration);
        abfsIDBIntegration.start();
        return abfsIDBIntegration;
    }

    protected void serviceStart() throws Exception {
        this.serviceStartLock.lock();
        try {
            LOG.debug("Starting IDB integration for ABFS filesystem {}", this.fsUri);
            super.serviceStart();
            this.idbClient = getClient();
            initKnoxTokenMonitor();
            this.deployedToken = lookupTokenFromOwner();
            if (this.deployedToken != null) {
                AbfsIDBTokenIdentifier abfsIDBTokenIdentifier = (AbfsIDBTokenIdentifier) this.deployedToken.decodeIdentifier();
                this.correlationId = abfsIDBTokenIdentifier.getTrackingId();
                this.adToken = buildADTokenCredentials(abfsIDBTokenIdentifier);
                this.knoxToken = buildKnoxToken(abfsIDBTokenIdentifier);
                LOG.debug("Deployed for {} with token identifier {}", this.fsUri, abfsIDBTokenIdentifier);
            }
        } finally {
            this.serviceStartLock.unlock();
        }
    }

    private void initKnoxTokenMonitor() {
        if (this.knoxTokenMonitor == null && this.idbClient != null && this.idbClient.shouldInitKnoxTokenMonitor()) {
            this.knoxTokenMonitor = new KnoxTokenMonitor();
        }
    }

    private void monitorKnoxToken() {
        initKnoxTokenMonitor();
        if (this.knoxTokenMonitor != null) {
            this.knoxTokenMonitor.monitorKnoxToken(this.knoxToken, this.knoxTokenExpirationOffsetSeconds, new GetKnoxTokenCommand());
        }
    }

    private void stopKnoxTokenMonitor() {
        if (this.knoxTokenMonitor != null) {
            this.knoxTokenMonitor.shutdown();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AbfsIDBClient getClient() throws IOException {
        if (this.idbClient == null) {
            this.idbClient = new AbfsIDBClient(this.configuration, this.owner);
        }
        return this.idbClient;
    }

    protected void serviceStop() throws Exception {
        LOG.debug("Stopping IDB integration for ABFS filesystem {}", this.fsUri);
        stopKnoxTokenMonitor();
        super.serviceStop();
    }

    Text getOwnerText() {
        return new Text(getOwner().getUserName());
    }

    UserGroupInformation getOwner() {
        return this.owner;
    }

    private void checkStarted() {
        Preconditions.checkState(isInState(Service.STATE.STARTED), "Service is in wrong state %s", getServiceState());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Token<AbfsIDBTokenIdentifier> getDelegationToken(String str) throws IOException {
        this.getKnoxTokenLock.lock();
        try {
            LOG.debug("Delegation token requested");
            if (this.deployedToken != null) {
                LOG.debug("Returning existing delegation token");
                Token<AbfsIDBTokenIdentifier> token = this.deployedToken;
                this.getKnoxTokenLock.unlock();
                return token;
            }
            LOG.debug("Requesting new delegation token");
            ensureKnoxToken();
            ensureADToken();
            if (LOG.isDebugEnabled()) {
                LOG.debug("Knox token expires in {} seconds:\n\tExpiry: {}", Long.valueOf(this.knoxToken.getExpiry() - Instant.now().getEpochSecond()), Instant.ofEpochSecond(this.knoxToken.getExpiry()).toString());
            }
            AbfsIDBTokenIdentifier abfsIDBTokenIdentifier = new AbfsIDBTokenIdentifier(this.fsUri, getOwnerText(), str == null ? null : new Text(str), "origin", this.knoxToken == null ? "" : this.knoxToken.getAccessToken(), this.knoxToken == null ? 0L : this.knoxToken.getExpiry(), buildOAuthPayloadFromADToken(this.adToken), System.currentTimeMillis(), this.correlationId, this.idbClient.getCredentialsURL(), this.knoxToken == null ? "" : this.knoxToken.getEndpointPublicCert(), this.knoxToken == null ? false : this.knoxToken.isManaged());
            LOG.trace("New ABFS DT {}", abfsIDBTokenIdentifier);
            Token<AbfsIDBTokenIdentifier> token2 = new Token<>(abfsIDBTokenIdentifier, secretManager);
            token2.setService(this.service);
            this.getKnoxTokenLock.unlock();
            return token2;
        } catch (Throwable th) {
            this.getKnoxTokenLock.unlock();
            throw th;
        }
    }

    private void ensureADToken() throws IOException {
        this.adToken = getADToken(true);
    }

    private void ensureKnoxToken() throws IOException {
        if (this.knoxToken != null && !StringUtils.isBlank(this.knoxToken.getAccessToken())) {
            LOG.debug("Using existing Knox Token: " + Tokens.getTokenDisplayText(this.knoxToken.getAccessToken()));
            maybeReplaceExpiredKnoxTokenFromUGI();
            enforceKnoxTokenNotExpired();
        } else if (this.idbClient.shouldExcludeUserFromGettingKnoxToken()) {
            LOG.info("'{}' is excluded from getting Knox Token from IDBroker", this.idbClient.getOwnerUserName());
        } else {
            LOG.info("There is no Knox Token available, fetching one from IDBroker...");
            getNewKnoxToken();
        }
        Preconditions.checkNotNull(this.knoxToken, "Failed to retrieve a Knox Token from the IDBroker.");
    }

    private void maybeReplaceExpiredKnoxTokenFromUGI() throws IOException {
        if (this.knoxToken.isExpired()) {
            Token<AbfsIDBTokenIdentifier> lookupTokenFromOwner = lookupTokenFromOwner();
            if (lookupTokenFromOwner == null) {
                LOG.warn("Token {} expired but no new token was found in UGI", Tokens.getTokenDisplayText(this.knoxToken.getAccessToken()));
                return;
            }
            AbfsIDBTokenIdentifier decodeIdentifier = lookupTokenFromOwner.decodeIdentifier();
            updateAndMonitorKnoxToken(new KnoxToken(decodeIdentifier.getOrigin(), decodeIdentifier.getAccessToken(), decodeIdentifier.getExpiryTime(), decodeIdentifier.getCertificate(), decodeIdentifier.isManaged()));
            LOG.info("Updated knoxToken from UGI to {}", Tokens.getTokenDisplayText(this.knoxToken.getAccessToken()));
        }
    }

    private void updateAndMonitorKnoxToken(KnoxToken knoxToken) {
        this.knoxToken = knoxToken;
        monitorKnoxToken();
    }

    private void enforceKnoxTokenNotExpired() throws IOException {
        if (this.knoxTokenMonitor == null) {
            if (this.knoxToken.isAboutToExpire(getConfig().getLong(AbfsIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getPropertyName(), Long.parseLong(AbfsIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getDefaultValue()))) && getClient().hasKerberosCredentials()) {
                getNewKnoxToken();
            }
        }
    }

    private Token<AbfsIDBTokenIdentifier> lookupTokenFromOwner() throws IOException {
        return CommonUtils.lookupToken(this.owner.getCredentials(), this.service, AbfsIDBConstants.IDB_TOKEN_KIND);
    }

    private AzureADToken buildADTokenCredentials(AbfsIDBTokenIdentifier abfsIDBTokenIdentifier) {
        AzureADToken azureADToken;
        if (abfsIDBTokenIdentifier != null) {
            LOG.debug("Using existing delegation token for Azure Credentials");
            azureADToken = buildADTokenFromOAuth(abfsIDBTokenIdentifier.getMarshalledCredentials());
            if (LOG.isTraceEnabled()) {
                if (azureADToken == null) {
                    LOG.trace("AD Token: null");
                } else {
                    LOG.trace("AD Token:\n\tToken:{}\n\tExpiry:{}", azureADToken.getAccessToken(), azureADToken.getExpiry().toInstant().toString());
                }
            }
        } else {
            LOG.debug("Delaying token creation until needed");
            azureADToken = null;
        }
        return azureADToken;
    }

    private KnoxToken buildKnoxToken(AbfsIDBTokenIdentifier abfsIDBTokenIdentifier) {
        KnoxToken knoxToken = null;
        if (abfsIDBTokenIdentifier != null) {
            LOG.debug("Using existing delegation token for Knox Token");
            knoxToken = new KnoxToken(abfsIDBTokenIdentifier.getOrigin(), abfsIDBTokenIdentifier.getAccessToken(), abfsIDBTokenIdentifier.getExpiryTime(), abfsIDBTokenIdentifier.getCertificate(), abfsIDBTokenIdentifier.isManaged());
            monitorKnoxToken();
            if (LOG.isTraceEnabled()) {
                LOG.trace("Knox Token:\n\tToken:{}\n\tExpiry:{}", knoxToken.getPrintableAccessToken(), Instant.ofEpochSecond(knoxToken.getExpiry()).toString());
            }
        } else {
            LOG.debug("Delaying Knox token creation until needed");
        }
        return knoxToken;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AzureADToken getADToken(boolean z) throws IOException {
        this.getAzureADTokenLock.lock();
        try {
            LOG.trace("Get an AD Token");
            if (this.adToken == null || (z && isExpired(this.adToken))) {
                if (LOG.isDebugEnabled()) {
                    if (this.adToken == null) {
                        LOG.debug("No existing AD Token found, getting a new one.");
                    } else if (isExpired(this.adToken)) {
                        LOG.debug("Existing AD Token found, but expired, getting a new one.");
                    }
                }
                getNewAzureADToken();
                for (int i = 0; isExpired(this.adToken) && i <= this.retryCount; i++) {
                    if (i == this.retryCount) {
                        LOG.error(String.format(Locale.ROOT, "Reached maximum configured retries %s, token returned from IDBroker is expired, token expiry timestamp %s, current timestamp %s", Integer.valueOf(this.retryCount), this.adToken.getExpiry(), Long.valueOf(System.currentTimeMillis() / 1000)));
                        throw new IOException(String.format(Locale.ROOT, "Token returned from IDBroker is expired, token expiry timestamp %s, current timestamp %s", this.adToken.getExpiry(), Long.valueOf(System.currentTimeMillis() / 1000)));
                    }
                    try {
                        TimeUnit.SECONDS.sleep(5L);
                        LOG.info("Received token was expired, attempting to get a new AD token, retry count: " + i);
                        getNewAzureADToken();
                    } catch (InterruptedException e) {
                        throw new IOException(e);
                    }
                }
            } else {
                LOG.debug("Using existing AD Token");
            }
            AzureADToken azureADToken = this.adToken;
            this.getAzureADTokenLock.unlock();
            return azureADToken;
        } catch (Throwable th) {
            this.getAzureADTokenLock.unlock();
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getUserAgentSuffix() {
        return "correlationId=" + this.correlationId;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getCanonicalServiceName() {
        Preconditions.checkNotNull(this.fsUri, "Not bound to a filesystem URI");
        return this.fsUri.toString();
    }

    private static AbfsIDBTokenIdentifier createEmptyIdentifier() {
        return new AbfsIDBTokenIdentifier();
    }

    private static byte[] getSecretManagerPassword() {
        return "non-password".getBytes(Charset.forName("UTF-8"));
    }

    static AzureADToken buildADTokenFromOAuth(@Nonnull OAuthPayload oAuthPayload) {
        Preconditions.checkNotNull(oAuthPayload, "no OAuth payload");
        AzureADToken azureADToken = new AzureADToken();
        azureADToken.setAccessToken(oAuthPayload.getToken());
        azureADToken.setExpiry(new Date(oAuthPayload.getExpiration()));
        return azureADToken;
    }

    static OAuthPayload buildOAuthPayloadFromADToken(@Nonnull AzureADToken azureADToken) {
        Preconditions.checkNotNull(azureADToken, "no adToken");
        return new OAuthPayload(azureADToken.getAccessToken(), azureADToken.getExpiry().getTime());
    }

    public static void enable(Configuration configuration) {
        configuration.setEnum("fs.azure.account.auth.type", AuthType.Custom);
        configuration.set("fs.azure.account.oauth.provider.type", AbfsIDBCredentialProvider.class.getName());
        configuration.setBoolean("fs.azure.enable.delegation.token", true);
        configuration.set("fs.azure.delegation.token.provider.type", AbfsIDBDelegationTokenManager.NAME);
    }

    boolean isExpired(AzureADToken azureADToken) {
        if (azureADToken == null) {
            return true;
        }
        Date expiry = azureADToken.getExpiry();
        if (expiry != null) {
            expiry = calculateExpirationWithOffset(expiry);
        }
        return expiry == null || expiry.toInstant().isBefore(Instant.now());
    }

    private Date calculateExpirationWithOffset(Date date) {
        long j = this.configuration.getLong(AbfsIDBProperty.IDBROKER_CAB_CREDENTIALS_EXPIRATION_OFFSET.getPropertyName(), Long.parseLong(AbfsIDBProperty.IDBROKER_CAB_CREDENTIALS_EXPIRATION_OFFSET.getDefaultValue()));
        Instant minusSeconds = date.toInstant().minusSeconds(j);
        LOG.debug("Credential expiration time with {} seconds offset: {}", Long.valueOf(j), minusSeconds);
        return Date.from(minusSeconds);
    }

    private void getNewAzureADToken() throws IOException {
        LOG.trace("Getting a new Azure AD Token");
        Closeable knoxCredentialsSession = getKnoxCredentialsSession();
        Preconditions.checkNotNull(knoxCredentialsSession, "Failed to obtain a session with the IDBroker.");
        this.adToken = this.idbClient.fetchCloudCredentials(knoxCredentialsSession);
        if (LOG.isTraceEnabled()) {
            if (this.adToken == null) {
                LOG.trace("AD Token: null");
            } else {
                LOG.trace("AD Token:\n\tToken:{}\n\tExpiry:{}", this.adToken.getAccessToken(), this.adToken.getExpiry().toInstant().toString());
            }
        }
        IOUtils.cleanupWithLogger(LOG, new Closeable[]{knoxCredentialsSession});
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Finally extract failed */
    public void getNewKnoxToken() throws IOException {
        LOG.trace("Getting a new Knox Token");
        Pair<KnoxSession, String> newKnoxLoginSession = getNewKnoxLoginSession();
        Closeable closeable = (KnoxSession) newKnoxLoginSession.getLeft();
        String str = (String) newKnoxLoginSession.getRight();
        Preconditions.checkNotNull(closeable, "Failed to obtain a session with the IDBroker.");
        try {
            RequestDTResponseMessage requestKnoxDelegationToken = this.idbClient.requestKnoxDelegationToken(closeable, str, this.fsUri);
            IOUtils.cleanupWithLogger(LOG, new Closeable[]{closeable});
            Preconditions.checkNotNull(requestKnoxDelegationToken, "Failed to request a delegation token from the IDBroker.");
            this.knoxToken = KnoxToken.fromDTResponse(str, requestKnoxDelegationToken);
            if (LOG.isTraceEnabled()) {
                LOG.trace("Knox Token:\n\tToken:{}\n\tExpiry:{}", this.knoxToken.getPrintableAccessToken(), Instant.ofEpochSecond(this.knoxToken.getExpiry()).toString());
            }
            monitorKnoxToken();
        } catch (Throwable th) {
            IOUtils.cleanupWithLogger(LOG, new Closeable[]{closeable});
            throw th;
        }
    }

    private CloudAccessBrokerSession getKnoxCredentialsSession() throws IOException {
        ensureKnoxToken();
        return this.idbClient.createKnoxCABSession(this.knoxToken);
    }

    private Pair<KnoxSession, String> getNewKnoxLoginSession() throws IOException {
        checkStarted();
        LOG.debug("Attempting to create a Knox delegation token session using local credentials (kerberos, simple)");
        Pair<KnoxSession, String> createKnoxDTSession = this.idbClient.createKnoxDTSession(this.configuration);
        if (createKnoxDTSession.getLeft() != null) {
            LOG.debug("Created a Knox delegation token session using local credentials (kerberos, simple)");
        }
        if (createKnoxDTSession.getLeft() == null) {
            throw new IllegalStateException(this.knoxToken == null ? IDBConstants.MESSAGE_FAILURE_TO_AUTHENTICATE_TO_IDB_KERBEROS : IDBConstants.MESSAGE_FAILURE_TO_AUTHENTICATE_TO_IDB_DT);
        }
        return createKnoxDTSession;
    }

    static /* synthetic */ byte[] access$100() {
        return getSecretManagerPassword();
    }

    static /* synthetic */ AbfsIDBTokenIdentifier access$200() {
        return createEmptyIdentifier();
    }
}
