package org.apache.knox.gateway.cloud.idbroker.google;

import com.google.cloud.hadoop.fs.gcs.auth.AbstractDelegationTokenBinding;
import com.google.cloud.hadoop.fs.gcs.auth.DelegationTokenIOException;
import com.google.cloud.hadoop.util.AccessTokenProvider;
import com.google.common.annotations.VisibleForTesting;
import java.io.Closeable;
import java.io.IOException;
import java.net.URI;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
import org.apache.knox.gateway.cloud.idbroker.IDBClient;
import org.apache.knox.gateway.cloud.idbroker.IDBConstants;
import org.apache.knox.gateway.cloud.idbroker.common.KnoxToken;
import org.apache.knox.gateway.cloud.idbroker.common.KnoxTokenMonitor;
import org.apache.knox.gateway.cloud.idbroker.common.UTCClock;
import org.apache.knox.gateway.cloud.idbroker.messages.RequestDTResponseMessage;
import org.apache.knox.gateway.shell.KnoxSession;
import org.apache.knox.gateway.util.Tokens;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/google/CABDelegationTokenBinding.class */
public class CABDelegationTokenBinding extends AbstractDelegationTokenBinding {
    protected static final Logger LOG = LoggerFactory.getLogger(CABDelegationTokenBinding.class);
    static final String E_INVALID_DT_RESPONSE = "Invalid delegation token response";
    static final String E_FAILED_DT_SESSION = "Error establishing session with delegation token provider";
    static final String E_FAILED_CLOUD_SESSION = "Error establishing session with Cloud Access Broker credential provider";
    static final String E_NO_SESSION_TO_KNOX_CREDS = "No session with Knox credential endpoint";
    static final String E_MISSING_DT_USERNAME_CONFIG = "Missing Cloud Access Broker delegation token username configuration in fs.gs.ext.cab.username";
    protected IDBClient<AccessTokenProvider.AccessToken> cabClient;
    private KnoxToken knoxToken;
    private KnoxTokenMonitor knoxTokenMonitor;
    private final Lock lock;
    private GoogleTempCredentials marshalledCredentials;
    private TokenProvider accessTokenProvider;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/google/CABDelegationTokenBinding$GetKnoxTokenCommand.class */
    public class GetKnoxTokenCommand implements KnoxTokenMonitor.GetKnoxTokenCommand {
        private GetKnoxTokenCommand() {
        }

        @Override // org.apache.knox.gateway.cloud.idbroker.common.KnoxTokenMonitor.GetKnoxTokenCommand
        public void execute(KnoxToken knoxToken) throws IOException {
            CABDelegationTokenBinding.this.lock.lock();
            try {
                CABDelegationTokenBinding.this.getNewKnoxToken();
            } finally {
                CABDelegationTokenBinding.this.lock.unlock();
            }
        }
    }

    public CABDelegationTokenBinding() {
        super("IDBDelegationTokenBinding", CloudAccessBrokerBindingConstants.CAB_TOKEN_KIND);
        this.lock = new ReentrantLock(true);
    }

    private void initKnoxTokenMonitor() {
        IDBClient<AccessTokenProvider.AccessToken> client;
        if (this.knoxTokenMonitor == null && (client = getClient()) != null && client.shouldInitKnoxTokenMonitor()) {
            this.knoxTokenMonitor = new KnoxTokenMonitor();
        }
    }

    protected void serviceStart() throws Exception {
        super.serviceStart();
    }

    protected void serviceStop() throws Exception {
        stopKnoxTokenMonitor();
        super.serviceStop();
    }

    private void stopKnoxTokenMonitor() {
        if (this.knoxTokenMonitor != null) {
            this.knoxTokenMonitor.shutdown();
        }
    }

    IDBClient<AccessTokenProvider.AccessToken> getClient() {
        this.lock.lock();
        try {
            if (this.cabClient == null) {
                try {
                    this.cabClient = CABUtils.newClient(getConf(), UserGroupInformation.getCurrentUser());
                    if (this.cabClient == null) {
                        LOG.error("cabClient has not been initialized.");
                    }
                } catch (Throwable th) {
                    LOG.error("Error creating new IDBroker client for Google Cloud Platform.", th);
                }
            }
            return this.cabClient;
        } finally {
            this.lock.unlock();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Configuration getConf() {
        return getFileSystem().getConf();
    }

    public AccessTokenProvider deployUnbonded() throws IOException {
        this.lock.lock();
        try {
            maybeRenewAccessToken();
            return getAccessTokenProvider();
        } finally {
            this.lock.unlock();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public TokenProvider getAccessTokenProvider() {
        if (this.accessTokenProvider == null) {
            LOG.debug("No existing accessTokenProvider");
            String str = null;
            long j = -1;
            if (this.marshalledCredentials != null) {
                LOG.debug("Using existing marshalled credentials");
                str = this.marshalledCredentials.getToken();
                j = this.marshalledCredentials.getExpiration();
            }
            LOG.debug("Creating new accessTokenProvider");
            this.accessTokenProvider = new CloudAccessBrokerTokenProvider(getClient(), this.knoxToken, str, Long.valueOf(j));
        }
        return this.accessTokenProvider;
    }

    public DelegationTokenIdentifier createTokenIdentifier(Text text) throws IOException {
        this.lock.lock();
        try {
            String cloudAccessBrokerURL = CABUtils.getCloudAccessBrokerURL(getConf(), getClient().getGatewayAddress());
            maybeRenewAccessToken();
            CABGCPTokenIdentifier cABGCPTokenIdentifier = new CABGCPTokenIdentifier(getKind(), getOwnerText(UserGroupInformation.getCurrentUser()), text, getCanonicalUri(), this.knoxToken == null ? "" : this.knoxToken.getAccessToken(), this.knoxToken == null ? 0L : this.knoxToken.getExpiry(), null, cloudAccessBrokerURL, this.knoxToken == null ? "" : this.knoxToken.getEndpointPublicCert(), getConf().getBoolean("fs.gs.ext.cab.init.credentials", true) ? collectGCPCredentials() : new GoogleTempCredentials(), "Created from " + getClient().getGatewayAddress(), this.knoxToken == null ? false : this.knoxToken.isManaged());
            LOG.info("Created delegation token identifier {}", cABGCPTokenIdentifier);
            this.lock.unlock();
            return cABGCPTokenIdentifier;
        } catch (Throwable th) {
            this.lock.unlock();
            throw th;
        }
    }

    public DelegationTokenIdentifier createTokenIdentifier() throws IOException {
        return createTokenIdentifier(null);
    }

    public DelegationTokenIdentifier createEmptyIdentifier() {
        return null;
    }

    private void maybeRenewAccessToken() throws IOException {
        if (this.knoxToken != null && !StringUtils.isBlank(this.knoxToken.getAccessToken())) {
            LOG.debug("Using existing Knox Token: " + Tokens.getTokenDisplayText(this.knoxToken.getAccessToken()));
            maybeReplaceExpiredKnoxTokenFromUGI();
            enforceKnoxTokenNotExpired();
        } else if (getClient().shouldExcludeUserFromGettingKnoxToken()) {
            LOG.info("'{}' is excluded from getting Knox Token from IDBroker", getClient().getOwnerUserName());
        } else {
            LOG.info("There is no Knox Token available, fetching one from IDBroker...");
            getNewKnoxToken();
        }
    }

    private void enforceKnoxTokenNotExpired() throws IOException {
        if (this.knoxTokenMonitor == null) {
            if (this.knoxToken.isAboutToExpire(getConfig().getLong(GoogleIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getPropertyName(), Long.parseLong(GoogleIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getDefaultValue()))) && getClient().hasKerberosCredentials()) {
                getNewKnoxToken();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void getNewKnoxToken() throws IOException {
        Pair<RequestDTResponseMessage, String> requestDelegationToken = requestDelegationToken();
        if (requestDelegationToken != null) {
            bondToRequestedToken(requestDelegationToken);
        }
    }

    private boolean hasExpired(long j) {
        return j < System.currentTimeMillis();
    }

    public AccessTokenProvider bindToTokenIdentifier(DelegationTokenIdentifier delegationTokenIdentifier) throws IOException {
        this.lock.lock();
        try {
            LOG.info(new StringBuilder().append("Binding to retrieved Delegation Token identifier: ").append(delegationTokenIdentifier).toString() == null ? "N/A" : delegationTokenIdentifier.toString());
            CABGCPTokenIdentifier cABGCPTokenIdentifier = (CABGCPTokenIdentifier) convertTokenIdentifier(delegationTokenIdentifier, CABGCPTokenIdentifier.class);
            String certificate = cABGCPTokenIdentifier.getCertificate();
            if (certificate != null) {
                LOG.debug("Using Cloud Access Broker public cert from delegation token");
            }
            updateAndMonitorKnoxToken(new KnoxToken("origin", cABGCPTokenIdentifier.getAccessToken(), cABGCPTokenIdentifier.getTokenType(), cABGCPTokenIdentifier.getExpiryTime(), certificate, cABGCPTokenIdentifier.isManaged()));
            this.marshalledCredentials = cABGCPTokenIdentifier.getMarshalledCredentials();
            LOG.debug("Marshalled GCP credentials: " + this.marshalledCredentials.toString());
            TokenProvider accessTokenProvider = getAccessTokenProvider();
            accessTokenProvider.updateDelegationToken(this.knoxToken);
            this.lock.unlock();
            return accessTokenProvider;
        } catch (Throwable th) {
            this.lock.unlock();
            throw th;
        }
    }

    private void updateAndMonitorKnoxToken(KnoxToken knoxToken) {
        this.knoxToken = knoxToken;
        monitorKnoxToken();
    }

    private void bondToRequestedToken(Pair<RequestDTResponseMessage, String> pair) throws IOException {
        if (pair == null || pair.getLeft() == null) {
            throw new DelegationTokenIOException(E_INVALID_DT_RESPONSE);
        }
        updateAndMonitorKnoxToken(KnoxToken.fromDTResponse((String) pair.getRight(), (RequestDTResponseMessage) pair.getLeft()));
        getAccessTokenProvider().updateDelegationToken(this.knoxToken);
        LOG.info("Bonded to Knox token {}, expires {}", this.knoxToken.getPrintableAccessToken(), UTCClock.secondsToDateTime(this.knoxToken.getExpiry()).map((v0) -> {
            return v0.toString();
        }).orElse("undefined"));
        if (this.knoxToken.getEndpointPublicCert() != null) {
            LOG.debug("Including public cert in the delegation token.");
        }
    }

    private Pair<RequestDTResponseMessage, String> requestDelegationToken() throws IOException {
        Pair<KnoxSession, String> dTSession = getDTSession();
        Closeable closeable = (KnoxSession) dTSession.getLeft();
        String str = (String) dTSession.getRight();
        try {
            Pair<RequestDTResponseMessage, String> of = Pair.of(getClient().requestKnoxDelegationToken(closeable, str, getCanonicalUri()), str);
            IOUtils.cleanupWithLogger(LOG, new Closeable[]{closeable});
            return of;
        } catch (Throwable th) {
            IOUtils.cleanupWithLogger(LOG, new Closeable[]{closeable});
            throw th;
        }
    }

    private GoogleTempCredentials collectGCPCredentials() throws IOException {
        if (needsGCPCredentials()) {
            this.marshalledCredentials = updateGCPCredentials();
        }
        return this.marshalledCredentials;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public synchronized GoogleTempCredentials updateGCPCredentials() throws IOException {
        Closeable createKnoxCABSession = getClient().createKnoxCABSession(this.knoxToken);
        try {
            GoogleTempCredentials googleTempCredentials = new GoogleTempCredentials(getClient().fetchCloudCredentials(createKnoxCABSession));
            IOUtils.cleanupWithLogger(LOG, new Closeable[]{createKnoxCABSession});
            return googleTempCredentials;
        } catch (Throwable th) {
            IOUtils.cleanupWithLogger(LOG, new Closeable[]{createKnoxCABSession});
            throw th;
        }
    }

    private void maybeReplaceExpiredKnoxTokenFromUGI() throws IOException {
        if (this.knoxToken.isExpired()) {
            CABGCPTokenIdentifier fromUGI = CABGCPTokenIdentifier.fromUGI(UserGroupInformation.getCurrentUser(), getService());
            if (fromUGI == null) {
                LOG.warn("Token {} expired but no new token was found in UGI", Tokens.getTokenDisplayText(this.knoxToken.getAccessToken()));
            } else {
                updateAndMonitorKnoxToken(new KnoxToken(fromUGI.getOrigin(), fromUGI.getAccessToken(), fromUGI.getExpiryTime(), fromUGI.getCertificate(), fromUGI.isManaged()));
                LOG.info("Updated knoxToken from UGI to {}", Tokens.getTokenDisplayText(this.knoxToken.getAccessToken()));
            }
        }
    }

    @VisibleForTesting
    boolean needsGCPCredentials() {
        boolean z = true;
        if (this.marshalledCredentials == null || this.marshalledCredentials.isEmpty()) {
            LOG.debug("No marshalled GCP credentials");
        } else {
            long calculateExpirationWithOffset = calculateExpirationWithOffset(this.marshalledCredentials.getExpiration());
            if (calculateExpirationWithOffset <= 0 || !hasExpired(calculateExpirationWithOffset)) {
                LOG.debug("Current GCP credentials are still valid");
                z = false;
            } else {
                LOG.debug("Expiring current GCP credentials");
                resetGCPCredentials();
            }
        }
        return z;
    }

    private long calculateExpirationWithOffset(long j) {
        long j2 = getConf().getLong(GoogleIDBProperty.GCP_CAB_CREDENTIALS_EXPIRATION_OFFSET.getPropertyName(), Long.parseLong(GoogleIDBProperty.GCP_CAB_CREDENTIALS_EXPIRATION_OFFSET.getDefaultValue()));
        long j3 = j;
        if (j3 > 0) {
            j3 -= j2 * 1000;
        }
        LOG.debug("Credential expiration time with {} seconds offset: {}", Long.valueOf(j2), Long.valueOf(j3));
        return j3;
    }

    private void resetGCPCredentials() {
        this.marshalledCredentials = null;
    }

    private Pair<KnoxSession, String> getDTSession() throws IOException {
        IDBClient<AccessTokenProvider.AccessToken> client = getClient();
        LOG.debug("Attempting to create a Knox delegation token session using local credentials (kerberos, simple)");
        Pair<KnoxSession, String> createKnoxDTSession = client.createKnoxDTSession(getConf());
        if (createKnoxDTSession.getLeft() != null) {
            LOG.debug("Created a Knox delegation token session using local credentials (kerberos, simple)");
        }
        if (createKnoxDTSession.getLeft() == null) {
            throw new IllegalStateException(this.knoxToken == null ? IDBConstants.MESSAGE_FAILURE_TO_AUTHENTICATE_TO_IDB_KERBEROS : IDBConstants.MESSAGE_FAILURE_TO_AUTHENTICATE_TO_IDB_DT);
        }
        return createKnoxDTSession;
    }

    private Text getOwnerText(UserGroupInformation userGroupInformation) {
        return new Text(userGroupInformation.getUserName());
    }

    private URI getCanonicalUri() {
        return getFileSystem().getUri();
    }

    private void monitorKnoxToken() {
        initKnoxTokenMonitor();
        if (this.knoxTokenMonitor != null) {
            this.knoxTokenMonitor.monitorKnoxToken(this.knoxToken, getConf().getLong(GoogleIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getPropertyName(), Long.parseLong(GoogleIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getDefaultValue())), new GetKnoxTokenCommand());
        }
    }
}
