package org.apache.knox.gateway.cloud.idbroker;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.StringWriter;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.AccessDeniedException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.Nullable;
import javax.net.ssl.SSLHandshakeException;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.JsonSerialization;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.util.EntityUtils;
import org.apache.knox.gateway.cloud.idbroker.IDBClient;
import org.apache.knox.gateway.cloud.idbroker.common.CommonUtils;
import org.apache.knox.gateway.cloud.idbroker.common.DefaultRequestExecutor;
import org.apache.knox.gateway.cloud.idbroker.common.KnoxToken;
import org.apache.knox.gateway.cloud.idbroker.common.Preconditions;
import org.apache.knox.gateway.cloud.idbroker.common.RequestErrorHandlingAttributes;
import org.apache.knox.gateway.cloud.idbroker.common.RequestExecutor;
import org.apache.knox.gateway.cloud.idbroker.messages.RequestDTResponseMessage;
import org.apache.knox.gateway.cloud.idbroker.messages.ValidationFailure;
import org.apache.knox.gateway.shell.BasicResponse;
import org.apache.knox.gateway.shell.ClientContext;
import org.apache.knox.gateway.shell.CloudAccessBrokerSession;
import org.apache.knox.gateway.shell.ErrorResponse;
import org.apache.knox.gateway.shell.KnoxSession;
import org.apache.knox.gateway.shell.KnoxShellException;
import org.apache.knox.gateway.shell.idbroker.Credentials;
import org.apache.knox.gateway.shell.idbroker.Group;
import org.apache.knox.gateway.shell.knox.token.CloudAccessBrokerTokenGet;
import org.apache.knox.gateway.shell.knox.token.CloudAccessBrokerTokenMarkUnused;
import org.apache.knox.gateway.shell.knox.token.Token;
import org.apache.knox.gateway.shell.knox.token.TokenLifecycleResponse;
import org.apache.knox.gateway.util.Tokens;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/AbstractIDBClient.class */
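/**
 * Shared implementation of {@link IDBClient}: establishes Knox sessions with a Cloud Access Broker
 * (IDBroker) using Kerberos, username/password or a Knox delegation token, requests and renews Knox
 * delegation tokens, fetches cloud credentials and reports tokens as unused.
 *
 * <p>Cloud-specific subclasses supply all configuration lookups through the abstract {@code get*}
 * methods and implement {@code extractCloudCredentialsFromResponse} (not declared in this class;
 * presumably on {@link IDBClient}).
 *
 * <p>Every field except {@link #unusedKnoxTokenIds} is written once by
 * {@link #initializeAsFullIDBClient} (or by a subclass using the protected constructor) and only
 * read afterwards; {@code unusedKnoxTokenIds} is a concurrent set.
 *
 * @param <CloudCredentialType> credential type returned by
 *     {@link #fetchCloudCredentials(CloudAccessBrokerSession)}
 */
public abstract class AbstractIDBClient<CloudCredentialType> implements IDBClient<CloudCredentialType> {
    private static final Logger LOG = LoggerFactory.getLogger(AbstractIDBClient.class);
    protected static final String E_IDB_GATEWAY_UNDEFINED = "No IDB gateways have been defined";
    protected static final String E_NO_PRINCIPAL = "Unable to obtain Principal Name for authentication";
    protected static final String E_NO_KAUTH = "Trying to request full IDBroker session but not logged in with Kerberos.";

    private Configuration config;
    protected RequestExecutor requestExecutor;
    /** Whether the endpoint certificate carried in a Knox DT may be pinned on the client context. */
    private boolean useCertificateFromDT;
    private String truststore;
    // Held as a String because getTruststorePassword() exposes it as one; it cannot be wiped.
    private String truststorePass;
    private String specificGroup;
    private String specificRole;
    private boolean onlyUser;
    private boolean onlyGroups;
    /** UGI whose Kerberos credentials are used; the real user when the caller was a proxy UGI. */
    private UserGroupInformation owner;
    /** Short name of the proxied user when the caller's UGI had a real user; null otherwise. */
    private String proxyUser;
    /** Access tokens already reported as unused, so the broker is not asked twice. */
    private final Set<String> unusedKnoxTokenIds = ConcurrentHashMap.newKeySet();

    /**
     * Creates a fully initialised client.
     *
     * @param configuration Hadoop configuration holding the IDBroker settings
     * @param userGroupInformation the caller's UGI; may be null, in which case no Kerberos
     *     credentials are available
     * @throws IOException if the configured truststore file does not exist
     */
    public AbstractIDBClient(Configuration configuration, UserGroupInformation userGroupInformation) throws IOException {
        // Calls abstract methods from the constructor by design: subclasses only read configuration there.
        initializeAsFullIDBClient(configuration, userGroupInformation);
    }

    /** Creates an uninitialised client; the subclass is responsible for populating state. */
    protected AbstractIDBClient() {
    }

    /** @return every configured gateway endpoint, as known to the request executor */
    public List<String> getGatewayBaseURLs() {
        return this.requestExecutor.getConfiguredEndpoints();
    }

    /** @return the truststore path, or null when the default truststore is used */
    public String getTruststorePath() {
        return this.truststore;
    }

    /** @return the truststore password, or null when none was resolved */
    public String getTruststorePassword() {
        return this.truststorePass;
    }

    /**
     * @return the credentials endpoint URL
     * @throws IllegalStateException if no gateway is configured
     */
    public String getCredentialsURL() {
        checkGatewayConfigured();
        return getCredentialsURL(this.config);
    }

    /**
     * @return the Knox token endpoint URL
     * @throws IllegalStateException if no gateway is configured
     */
    public String getIdbTokensURL() {
        checkGatewayConfigured();
        return getDelegationTokensURL(this.config);
    }

    @Override
    public boolean hasKerberosCredentials() {
        return this.owner != null && this.owner.hasKerberosCredentials();
    }

    /** Kerberos is used when credentials exist and the configuration does not prefer Knox tokens. */
    @Override
    public boolean shouldUseKerberos() {
        return hasKerberosCredentials() && !preferKnoxTokenOverKerberos(this.config);
    }

    /** True when the owner is on the configured exclusion list and Kerberos is in use. */
    @Override
    public boolean shouldExcludeUserFromGettingKnoxToken() {
        Collection<String> exclusions = getTokenClientExclusions(this.config);
        if (exclusions.isEmpty()) {
            return false;
        }
        return shouldUseKerberos() && exclusions.contains(getOwnerUserName());
    }

    /** @return the owner's short user name, or an empty string when there is no owner */
    @Override
    public String getOwnerUserName() {
        return this.owner == null ? "" : this.owner.getShortUserName();
    }

    /**
     * Creates a Knox session suitable for requesting a delegation token, choosing the
     * authentication mechanism from the configuration: basic-auth credentials type or "simple"
     * Hadoop authentication use username/password, "kerberos" uses the owner's Kerberos credentials.
     *
     * @return the session paired with a short description of the credential source; both are null
     *     when no session could be established
     * @throws IOException if username/password authentication applies but a value is not configured
     */
    @Override
    public Pair<KnoxSession, String> createKnoxDTSession(Configuration configuration) throws IOException {
        KnoxSession session = null;
        String origin = null;
        String credentialsType = getCredentialsType(configuration);
        LOG.debug("IDBroker credentials type is {}", credentialsType);
        boolean basicAuth = IDBConstants.IDBROKER_CREDENTIALS_BASIC_AUTH.equals(credentialsType);
        String hadoopAuth = configuration.get(IDBConstants.HADOOP_SECURITY_AUTHENTICATION, IDBConstants.HADOOP_AUTH_SIMPLE);
        boolean simpleAuth = IDBConstants.HADOOP_AUTH_SIMPLE.equalsIgnoreCase(hadoopAuth);
        if (basicAuth || simpleAuth) {
            LOG.info("Authenticating with IDBroker for DT session via username and password");
            String reason = basicAuth
                    ? "Authentication with username and password enabled"
                    : "No kerberos session -falling back to username and password";
            String username = getUsername(configuration);
            if (StringUtils.isEmpty(username)) {
                throw new IOException(reason + " -missing configuration option: " + getUsernamePropertyName());
            }
            String password = getPassword(configuration);
            if (StringUtils.isEmpty(password)) {
                throw new IOException(reason + " -missing configuration option: " + getPasswordPropertyName());
            }
            origin = "local credentials";
            session = createKnoxDTSession(username, password);
        } else if ("kerberos".equalsIgnoreCase(hadoopAuth)) {
            LOG.info("Authenticating with IDBroker requires Kerberos");
            if (hasKerberosCredentials()) {
                LOG.info("Kerberos credentials are available, using Kerberos to establish a session. UGI=" + this.owner.toString());
                origin = "local kerberos";
                session = createKnoxDTSession(this.owner);
            } else {
                LOG.warn("Kerberos credentials are not available, unable to establish a session.");
            }
        } else {
            LOG.warn("Unknown IDBroker authentication mechanism, unable to establish a session: \"{}\"", hadoopAuth);
        }
        return Pair.of(session, origin);
    }

    /**
     * Creates a session to the credentials endpoint, via Kerberos when {@link #shouldUseKerberos()}
     * holds and otherwise via the given Knox DT.
     *
     * @param knoxToken the delegation token; required unless Kerberos is used
     */
    @Override
    public CloudAccessBrokerSession createKnoxCABSession(KnoxToken knoxToken) throws IOException {
        if (shouldUseKerberos()) {
            LOG.info("Creating Knox CAB session using Kerberos...");
            return createKnoxCABSessionUsingKerberos();
        }
        Preconditions.checkNotNull(knoxToken, "Empty KnoxToken");
        LOG.info("Creating Knox CAB session using Knox DT {} ...", Tokens.getTokenDisplayText(knoxToken.getAccessToken()));
        return createKnoxCABSession(knoxToken.getAccessToken(), knoxToken.getTokenType(), knoxToken.getEndpointPublicCert());
    }

    /**
     * Creates a session to the credentials endpoint authenticated with a bearer token.
     *
     * @param accessToken the Knox DT access token
     * @param endpointCert PEM of the endpoint certificate, pinned only when enabled by configuration
     */
    @Override
    public CloudAccessBrokerSession createKnoxCABSession(String accessToken, String endpointCert) throws IOException {
        return createKnoxSession(accessToken, getCredentialsURL(), endpointCert, this.useCertificateFromDT);
    }

    /**
     * Creates a session to the credentials endpoint authenticated with a token of the given type.
     *
     * @param accessToken the Knox DT access token
     * @param tokenType authorization scheme; "Bearer" when null
     * @param endpointCert PEM of the endpoint certificate, pinned only when enabled by configuration
     */
    @Override
    public CloudAccessBrokerSession createKnoxCABSession(String accessToken, String tokenType, String endpointCert) throws IOException {
        return createKnoxSession(accessToken, tokenType, getCredentialsURL(), endpointCert, this.useCertificateFromDT);
    }

    /** Creates a Kerberos-authenticated session to the Knox token endpoint. */
    @Override
    public KnoxSession createKnoxDTSession() throws IOException {
        String tokensUrl = getIdbTokensURL();
        Preconditions.checkNotNull(tokensUrl, "No DT URL specified");
        try {
            LOG.debug("Logging in to {} using Kerberos", tokensUrl);
            return CloudAccessBrokerSession.create(createKnoxClientContext(tokensUrl, true));
        } catch (URISyntaxException e) {
            throw new IOException(e);
        }
    }

    /**
     * Creates a Kerberos-authenticated token-endpoint session as the given user.
     *
     * @param userGroupInformation user to run as; when null the current security context is used
     */
    @Override
    public KnoxSession createKnoxDTSession(UserGroupInformation userGroupInformation) throws IOException {
        if (userGroupInformation == null) {
            return createKnoxDTSession();
        }
        try {
            // The cast selects the PrivilegedExceptionAction overload of doAs, which is required
            // because createKnoxDTSession() throws IOException.
            return userGroupInformation.doAs((PrivilegedExceptionAction<KnoxSession>) this::createKnoxDTSession);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException(e);
        }
    }

    /**
     * Creates a username/password-authenticated session to the Knox token endpoint.
     *
     * @throws AccessDeniedException if the username is empty
     */
    @Override
    public KnoxSession createKnoxDTSession(String username, String password) throws IOException {
        if (StringUtils.isEmpty(username)) {
            throw new AccessDeniedException("No IDBroker Username");
        }
        String tokensUrl = getIdbTokensURL();
        try {
            LOG.debug("Logging in to {} as {}", tokensUrl, username);
            return CloudAccessBrokerSession.create(createKnoxClientContext(tokensUrl, username, password));
        } catch (URISyntaxException e) {
            throw new IOException(e);
        }
    }

    /** Creates a session to the Knox token endpoint authenticated with an existing Knox DT. */
    @Override
    public KnoxSession createKnoxDTSession(KnoxToken knoxToken) throws IOException {
        String tokensUrl = getIdbTokensURL();
        LOG.debug("Logging in to {} using a Knox DT", tokensUrl);
        return createKnoxSession(knoxToken, tokensUrl, this.useCertificateFromDT);
    }

    /**
     * Fetches cloud credentials from the broker, running the request as the owner when Kerberos is
     * in use.
     *
     * @throws IOException if the broker returns a JSON error body (its message is carried in the
     *     exception), if the ticket refresh fails, or on interruption
     * @throws ErrorResponse for non-JSON broker errors (presumably unchecked in the Knox shell API)
     */
    @Override
    public CloudCredentialType fetchCloudCredentials(CloudAccessBrokerSession session) throws IOException {
        LOG.debug("Fetching cloud credentials from {}", session.base());
        Group.Request request = buildCredentialsRequest(session);
        try {
            BasicResponse response;
            if (shouldUseKerberos()) {
                reloginOwner();
                response = this.owner.doAs((PrivilegedExceptionAction<BasicResponse>) () ->
                        (BasicResponse) this.requestExecutor.execute(request));
            } else {
                response = (BasicResponse) this.requestExecutor.execute(request);
            }
            return extractCloudCredentialsFromResponse(response);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException("Interrupted while fetching cloud credentials", e);
        } catch (ErrorResponse e) {
            throwIfJsonError(e);
            throw e;
        }
    }

    /** Builds the credentials request matching {@link #determineIDBMethodToCall()}. */
    private Group.Request buildCredentialsRequest(CloudAccessBrokerSession session) {
        switch (determineIDBMethodToCall()) {
            case SPECIFIC_GROUP:
                return Credentials.forGroup(session).groupName(this.specificGroup);
            case SPECIFIC_ROLE:
                return Credentials.forRole(session).roleid(this.specificRole);
            case GROUPS_ONLY:
                return Credentials.forGroup(session);
            case USER_ONLY:
                return Credentials.forUser(session);
            case DEFAULT:
            default:
                return Credentials.get(session);
        }
    }

    /**
     * Logs the body of a non-200 broker error and, when that body is JSON, converts it into an
     * IOException carrying the broker's message. Returns normally when there is nothing to convert.
     */
    private void throwIfJsonError(ErrorResponse e) throws IOException {
        HttpResponse response = e.getResponse();
        HttpEntity entity = response.getEntity();
        if (response.getStatusLine().getStatusCode() == 200 || entity == null) {
            return;
        }
        String body = EntityUtils.toString(entity);
        LOG.error("Cloud Access Broker response: " + body);
        // getContentType() is null when the entity carries no Content-Type header.
        if (entity.getContentType() != null
                && StringUtils.contains(entity.getContentType().getValue(), IDBConstants.MIME_TYPE_JSON)) {
            throw new IOException(parseErrorResponse(body));
        }
    }

    /**
     * Renders a broker JSON error document ({@code error}, optional {@code auth_id} and
     * {@code group_id}) as a one-line message; returns what was parsed so far on a parse failure.
     */
    private String parseErrorResponse(String json) {
        StringBuilder message = new StringBuilder();
        try {
            Map<String, String> fields = new ObjectMapper().readValue(json, new TypeReference<Map<String, String>>() {
            });
            message.append(fields.get("error"));
            String authId = fields.get("auth_id");
            if (authId != null && !authId.isEmpty()) {
                message.append(" (user: ").append(authId).append(")");
            }
            String groupId = fields.get("group_id");
            if (groupId != null && !groupId.isEmpty()) {
                message.append(" (group: ").append(groupId).append(")");
            }
        } catch (IOException e) {
            LOG.error("Failed parsing error response: " + e.getMessage());
        }
        return message.toString();
    }

    /**
     * Requests a new Knox delegation token over the given session, running the request as the
     * owner when Kerberos credentials exist.
     *
     * @param knoxSession session to the token endpoint; required
     * @param origin description of where the session came from, used in diagnostics only
     * @param fsUri filesystem URI used in diagnostics only; may be null
     * @return the parsed token response, guaranteed to carry a non-empty access token
     * @throws IOException on any failure; Knox shell failures are translated by
     *     {@link #translateException}
     */
    @Override
    public RequestDTResponseMessage requestKnoxDelegationToken(KnoxSession knoxSession, String origin, URI fsUri) throws IOException {
        LOG.trace("Getting a new Knox Delegation Token");
        Preconditions.checkNotNull(knoxSession, "Missing KnoxSession");
        CloudAccessBrokerTokenGet tokenGet = new CloudAccessBrokerTokenGet(Token.get(knoxSession, this.proxyUser));
        URI requestUri = tokenGet.getRequestURI();
        LOG.debug("Fetching IDB access token from {} (session origin {})", requestUri, origin);
        try {
            BasicResponse response;
            if (hasKerberosCredentials()) {
                reloginOwner();
                response = this.owner.doAs((PrivilegedExceptionAction<BasicResponse>) () ->
                        (BasicResponse) this.requestExecutor.execute(tokenGet));
            } else {
                response = (BasicResponse) this.requestExecutor.execute(tokenGet);
            }
            RequestDTResponseMessage message = processGet(RequestDTResponseMessage.class, requestUri, response);
            ValidationFailure.verify(StringUtils.isNotEmpty(message.access_token),
                    "No access token from knox login of %s (session origin %s)", requestUri, origin);
            return message;
        } catch (KnoxShellException e) {
            throw translateException(requestUri, "origin=" + origin + "; " + buildDiagnosticsString(fsUri, this.owner), e);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            LOG.error(e.toString(), e);
            throw new IOException(e.toString(), e);
        } catch (Exception e) {
            // Errors are deliberately not wrapped; everything else surfaces as IOException.
            LOG.error(e.toString(), e);
            throw new IOException(e.toString(), e);
        }
    }

    /** Obtains a fresh delegation token using a session built from the current one. */
    @Override
    public RequestDTResponseMessage updateDelegationToken(KnoxToken knoxToken) throws Exception {
        return requestKnoxDelegationToken(createKnoxCABSession(knoxToken), knoxToken.getOrigin(), null);
    }

    /**
     * Chooses the credentials endpoint variant. Precedence, highest first: specific role, user only,
     * specific group, groups only, default.
     */
    @Override
    public IDBClient.IDBMethod determineIDBMethodToCall() {
        if (this.specificRole != null) {
            return IDBClient.IDBMethod.SPECIFIC_ROLE;
        }
        if (this.onlyUser) {
            return IDBClient.IDBMethod.USER_ONLY;
        }
        if (this.specificGroup != null) {
            return IDBClient.IDBMethod.SPECIFIC_GROUP;
        }
        if (this.onlyGroups) {
            return IDBClient.IDBMethod.GROUPS_ONLY;
        }
        return IDBClient.IDBMethod.DEFAULT;
    }

    /**
     * Builds a diagnostics string naming the filesystem, the owner and the owner's Hadoop tokens.
     *
     * @param uri filesystem URI; rendered as "(null)" when absent
     * @param userGroupInformation owner; rendered as "(null)" and without a token list when absent
     */
    public static String buildDiagnosticsString(URI uri, UserGroupInformation userGroupInformation) {
        StringBuilder sb = new StringBuilder(32);
        sb.append("filesystem =").append(uri != null ? uri : "(null)")
          .append("; owner=").append(userGroupInformation != null ? userGroupInformation.getUserName() : "(null)")
          .append("; ");
        if (userGroupInformation != null) {
            sb.append("tokens=[");
            for (org.apache.hadoop.security.token.Token<?> token : userGroupInformation.getTokens()) {
                sb.append(token.toString()).append(';');
            }
            sb.append(']');
        }
        return sb.toString();
    }

    @Override
    public String toString() {
        return "IDBClient{gateway=" + getGatewayAddress() + '}';
    }

    protected abstract boolean getOnlyUser(Configuration configuration);

    protected abstract boolean getOnlyGroups(Configuration configuration);

    protected abstract String getSpecificRole(Configuration configuration);

    protected abstract String getSpecificGroup(Configuration configuration);

    protected abstract String getTruststorePath(Configuration configuration);

    protected abstract char[] getTruststorePassword(Configuration configuration) throws IOException;

    protected abstract boolean getUseCertificateFromDT(Configuration configuration);

    protected abstract String getDelegationTokensURL(Configuration configuration);

    protected abstract String getCredentialsURL(Configuration configuration);

    protected abstract String getCredentialsType(Configuration configuration);

    protected abstract String[] getGatewayAddress(Configuration configuration);

    protected abstract String getUsername(Configuration configuration);

    protected abstract String getUsernamePropertyName();

    protected abstract String getPassword(Configuration configuration);

    protected abstract String getPasswordPropertyName();

    protected abstract boolean preferKnoxTokenOverKerberos(Configuration configuration);

    protected abstract Collection<String> getTokenClientExclusions(Configuration configuration);

    protected abstract boolean isTokenMonitorConfigured(Configuration configuration);

    protected abstract RequestErrorHandlingAttributes getRequestErrorHandlingAttributes(Configuration configuration);

    /** The token monitor is only useful when Kerberos exists but Knox tokens are preferred. */
    @Override
    public boolean shouldInitKnoxTokenMonitor() {
        return hasKerberosCredentials() && preferKnoxTokenOverKerberos(this.config) && isTokenMonitorConfigured(this.config);
    }

    /** @return the gateway endpoint currently selected by the request executor */
    @Override
    public String getGatewayAddress() {
        return this.requestExecutor.getEndpoint();
    }

    /**
     * Joins a base URL and a path with exactly one slash between them.
     *
     * @param base base URL; required
     * @param path path to append; ignored when empty
     */
    public String buildUrl(String base, String path) {
        StringBuilder sb = new StringBuilder(maybeAddTrailingSlash(base));
        if (StringUtils.isNotEmpty(path)) {
            sb.append(maybeRemoveLeadingSlash(path));
        }
        return sb.toString();
    }

    /**
     * Translates a Knox shell failure into the IOException subtype callers expect: 401/403 become
     * {@link AccessDeniedException}, 404/410 become {@link FileNotFoundException}, other HTTP errors,
     * TLS handshake failures and everything else become a plain {@link IOException}.
     *
     * @param uri the URI that was being accessed
     * @param extraDiags extra diagnostics appended to the message; may be empty or null
     * @param e the failure; always attached as the cause
     */
    protected IOException translateException(URI uri, String extraDiags, KnoxShellException e) {
        String uriText = String.valueOf(uri);
        boolean hasDiags = StringUtils.isNotEmpty(extraDiags);
        Throwable cause = e.getCause();
        IOException translated;
        if (cause instanceof ErrorResponse) {
            int status = ((ErrorResponse) cause).getResponse().getStatusLine().getStatusCode();
            String message = String.format(Locale.ROOT, "Error %03d from %s", status, uriText);
            if (hasDiags) {
                message = message + " " + extraDiags;
            }
            switch (status) {
                case 401:
                case 403:
                    translated = new AccessDeniedException(uriText, null, message);
                    translated.initCause(e);
                    break;
                case 404:
                case 410:
                    translated = new FileNotFoundException(message);
                    translated.initCause(e);
                    break;
                default:
                    translated = new IOException(message + "  " + e, e);
                    break;
            }
        } else if (cause instanceof SSLHandshakeException) {
            translated = new IOException(String.format(Locale.ROOT, "While connecting to %s: %s%s",
                    uriText, e, hasDiags ? " (" + extraDiags + ")" : ""), e);
            LOG.error(translated.toString());
        } else {
            String text = e.toString();
            if (text.contains(E_NO_PRINCIPAL)) {
                text = text + " - " + E_NO_KAUTH;
            }
            translated = new IOException("From " + uriText + " " + text + (hasDiags ? " " + extraDiags : ""), e);
        }
        return translated;
    }

    /**
     * Validates a GET response (status 200, non-empty, JSON content type) and deserialises its
     * body into the given class.
     *
     * @param clazz type to deserialise into
     * @param uri request URI for diagnostics; may be null
     * @param response the response to check and parse
     * @throws IOException on validation failure (via ValidationFailure.verify) or a parse error
     */
    public <T> T processGet(Class<T> clazz, @Nullable URI uri, BasicResponse response) throws IOException {
        int status = response.getStatusCode();
        String contentType = response.getContentType();
        String where = uri != null ? uri.toString() : "path under " + getGatewayAddress();
        if (status != 200) {
            String body = response.getString();
            LOG.error("Bad response {} content-type {}\n{}", status, contentType, body);
            ValidationFailure.verify(false, "Wrong status code %s from session auth to %s: %s", status, where, body);
        }
        ValidationFailure.verify(response.getContentLength() > 0, "No content in response from %s; content type %s", where, contentType);
        if (!IDBConstants.MIME_TYPE_JSON.equals(contentType)) {
            String body = response.getString();
            LOG.error("Bad response {} content-type {}\n{}", status, contentType, body);
            ValidationFailure.verify(false, "Wrong content type %s from session auth under %s: %s", contentType, getGatewayAddress(), body);
        }
        return new JsonSerialization<>(clazz, false, true).fromJsonStream(response.getStream());
    }

    /**
     * Reads a property, falling back to the property's default when the configured value is empty.
     *
     * @param trim whether to use the trimmed configuration accessor
     */
    protected String getPropertyValue(Configuration configuration, IDBProperty property, boolean trim) {
        String name = property.getPropertyName();
        String fallback = property.getDefaultValue();
        String value = trim ? configuration.getTrimmed(name, fallback) : configuration.get(name, fallback);
        return value != null && value.isEmpty() ? fallback : value;
    }

    /** Reads a trimmed property value; see {@link #getPropertyValue(Configuration, IDBProperty, boolean)}. */
    public String getPropertyValue(Configuration configuration, IDBProperty property) {
        return getPropertyValue(configuration, property, true);
    }

    /** Reads a boolean property, using the property's default when unset. */
    public Boolean getPropertyValueAsBoolean(Configuration configuration, IDBProperty property) {
        boolean fallback = Boolean.parseBoolean(property.getDefaultValue());
        return configuration.getBoolean(property.getPropertyName(), fallback);
    }

    /**
     * Reads an integer property from this client's configuration.
     *
     * @throws NumberFormatException naming the property if the value is not an integer
     */
    public Integer getPropertyValueAsInteger(IDBProperty property) {
        String value = getPropertyValue(this.config, property);
        try {
            return Integer.valueOf(value);
        } catch (NumberFormatException e) {
            NumberFormatException withContext = new NumberFormatException(
                    "Property " + property.getPropertyName() + " is not an integer: " + value);
            withContext.initCause(e);
            throw withContext;
        }
    }

    private static String maybeAddTrailingSlash(String url) {
        return url.endsWith("/") ? url : url + "/";
    }

    private static String maybeRemoveLeadingSlash(String path) {
        return path.startsWith("/") ? path.substring(1) : path;
    }

    /**
     * Populates all state from the configuration: resolves the real user behind a proxy UGI,
     * builds the request executor, resolves the truststore and its password, and reads the
     * group/role selection.
     *
     * @throws FileNotFoundException if a configured truststore path does not exist
     * @throws IllegalStateException if no gateway endpoint is configured
     */
    private void initializeAsFullIDBClient(Configuration configuration, UserGroupInformation userGroupInformation) throws IOException {
        this.owner = userGroupInformation;
        if (userGroupInformation != null && UserGroupInformation.isSecurityEnabled()) {
            if (LOG.isDebugEnabled()) {
                UserGroupInformation.logAllUserInfo(LOG, this.owner);
            }
            // For a proxy UGI, authenticate as the real user and pass the proxied user along as doAs.
            UserGroupInformation realUser = this.owner.getRealUser();
            if (realUser != null) {
                this.proxyUser = this.owner.getShortUserName();
                this.owner = realUser;
            }
        }
        this.config = configuration;
        CommonUtils.ensureSSLClientConfigLoaded(this.config);
        String[] gateways = getGatewayAddress(configuration);
        Preconditions.checkState(gateways != null && gateways.length > 0, "At least one CloudAccessBroker endpoint must be configured.");
        this.requestExecutor = new DefaultRequestExecutor(Arrays.asList(gateways), getRequestErrorHandlingAttributes(configuration));
        if (LOG.isDebugEnabled()) {
            List<String> baseUrls = getGatewayBaseURLs();
            if (baseUrls.size() == 1) {
                LOG.debug("The configured IDBroker gateway is {}", baseUrls.get(0));
            } else {
                LOG.debug("The following IDBroker gateways have been configured, using {} (for now): \n\t{}", getGatewayAddress(), String.join("\n\t", baseUrls));
            }
        }
        LOG.debug("IDBroker credentials URL is {}", getCredentialsURL());
        LOG.debug("IDBroker Knox Tokens URL is {}", getIdbTokensURL());
        this.useCertificateFromDT = getUseCertificateFromDT(configuration);
        this.truststore = getTruststorePath(configuration);
        if (this.truststore == null) {
            this.truststore = configuration.getTrimmed("ssl.client.truststore.location");
        }
        LOG.debug("Trust store is {}", this.truststore != null ? this.truststore : "unset -using default path");
        if (this.truststore != null) {
            File truststoreFile = new File(this.truststore);
            if (!truststoreFile.exists()) {
                throw new FileNotFoundException("Truststore not found: " + truststoreFile.getAbsolutePath());
            }
        }
        try {
            char[] password = getTruststorePassword(configuration);
            if (password == null) {
                password = configuration.getPassword("ssl.client.truststore.password");
            }
            if (password != null) {
                this.truststorePass = new String(password);
            }
        } catch (IOException e) {
            // A password lookup failure (e.g. credential provider error) silently falls back to the
            // default certificate password rather than failing client construction.
            LOG.debug("Problem with Configuration.getPassword()", e);
            this.truststorePass = IDBConstants.DEFAULT_CERTIFICATE_PASSWORD;
        }
        this.specificGroup = getSpecificGroup(configuration);
        this.specificRole = getSpecificRole(configuration);
        this.onlyGroups = getOnlyGroups(configuration);
        this.onlyUser = getOnlyUser(configuration);
        LOG.debug("Created client to {}", getGatewayAddress());
    }

    /** @throws IllegalStateException if the request executor has no gateway address */
    private void checkGatewayConfigured() {
        Preconditions.checkState(!StringUtils.isBlank(getGatewayAddress()), E_IDB_GATEWAY_UNDEFINED);
    }

    /** Refreshes the owner's Kerberos ticket from its keytab or ticket cache before a doAs call. */
    private void reloginOwner() throws IOException {
        if (this.owner.isFromKeytab()) {
            this.owner.checkTGTAndReloginFromKeytab();
        } else {
            this.owner.reloginFromTicketCache();
        }
    }

    private CloudAccessBrokerSession createKnoxSession(KnoxToken knoxToken, String endpoint, boolean useEndpointCert) throws IOException {
        Preconditions.checkNotNull(knoxToken, "Empty KnoxToken");
        return createKnoxSession(knoxToken.getAccessToken(), endpoint, knoxToken.getEndpointPublicCert(), useEndpointCert);
    }

    private CloudAccessBrokerSession createKnoxSession(String token, String endpoint, String endpointCert, boolean useEndpointCert) throws IOException {
        return createKnoxSession(token, "Bearer", endpoint, endpointCert, useEndpointCert);
    }

    /**
     * Creates a token-authenticated session to {@code endpoint}, sending the token in the
     * {@code Authorization} header with the given scheme ("Bearer" when null).
     *
     * @param useEndpointCert whether {@code endpointCert} may be pinned on the connection
     */
    private CloudAccessBrokerSession createKnoxSession(String token, String tokenType, String endpoint, String endpointCert, boolean useEndpointCert) throws IOException {
        Preconditions.checkArgument(StringUtils.isNotEmpty(token), "Empty delegation token");
        Preconditions.checkArgument(StringUtils.isNotEmpty(endpoint), "Empty endpoint");
        if (LOG.isDebugEnabled()) {
            // Only a short prefix of the certificate is logged; guard against a PEM shorter than that.
            String certPrefix = StringUtils.isEmpty(endpointCert)
                    ? "<N/A>"
                    : endpointCert.substring(0, Math.min(4, endpointCert.length()));
            LOG.debug("Establishing Knox session with Cloud Access Broker at {}\n\tcert: {}{}",
                    endpoint, certPrefix, useEndpointCert ? "" : " [disabled by request]");
        }
        try {
            CloudAccessBrokerSession session = CloudAccessBrokerSession.create(createKnoxClientContext(endpoint, endpointCert, useEndpointCert));
            String scheme = tokenType == null ? "Bearer" : tokenType;
            session.setHeaders(Collections.singletonMap("Authorization", scheme + " " + token));
            return session;
        } catch (URISyntaxException e) {
            throw new IOException(e);
        }
    }

    /** Creates a Kerberos session to the credentials endpoint, as the owner when one exists. */
    private CloudAccessBrokerSession createKnoxCABSessionUsingKerberos() throws IOException {
        try {
            if (hasKerberosCredentials()) {
                return this.owner.doAs((PrivilegedExceptionAction<CloudAccessBrokerSession>) () ->
                        CloudAccessBrokerSession.create(createKnoxClientContext(getCredentialsURL(), true)));
            }
            return CloudAccessBrokerSession.create(createKnoxClientContext(getCredentialsURL(), true));
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IOException(e);
        } catch (URISyntaxException e) {
            throw new IOException(e);
        }
    }

    /** Client context for username/password authentication. */
    private ClientContext createKnoxClientContext(String url, String username, String password) {
        return updateKnoxClientContext(ClientContext.with(username, password, url), null, false, false);
    }

    /** Client context with Kerberos optionally enabled. */
    public ClientContext createKnoxClientContext(String url, boolean enableKerberos) {
        return updateKnoxClientContext(ClientContext.with(url), null, false, enableKerberos);
    }

    /** Client context with an endpoint certificate optionally pinned. */
    private ClientContext createKnoxClientContext(String url, String endpointCert, boolean useEndpointCert) {
        return updateKnoxClientContext(ClientContext.with(url), endpointCert, useEndpointCert, false);
    }

    /**
     * Applies the shared TLS/Kerberos settings: the configured truststore (when any), the endpoint
     * certificate (when supplied and enabled) and Kerberos (when requested).
     */
    private ClientContext updateKnoxClientContext(ClientContext clientContext, String endpointCert, boolean useEndpointCert, boolean enableKerberos) {
        if (enableKerberos) {
            LOG.debug("Creating Knox client context enabling support for Kerberos");
            clientContext.kerberos().enable(true).debug(LOG.isDebugEnabled());
        }
        String truststorePath = getTruststorePath();
        if (StringUtils.isNotEmpty(truststorePath)) {
            LOG.debug("Creating Knox client context using the supplied truststore: {}", truststorePath);
            clientContext.connection().withTruststore(truststorePath, getTruststorePassword());
        }
        if (useEndpointCert && StringUtils.isNotEmpty(endpointCert)) {
            LOG.debug("Creating Knox client context using a supplied endpoint certificate");
            clientContext.connection().withPublicCertPem(endpointCert);
        }
        return clientContext;
    }

    /**
     * Reports the token as unused to the broker, once per token and only when Kerberos is in use.
     *
     * @return true only when the broker confirmed the token was marked unused this call
     */
    @Override
    public boolean markTokenUnused(KnoxToken knoxToken) {
        if (!shouldUseKerberos()) {
            return false;
        }
        String accessToken = knoxToken.getAccessToken();
        if (this.unusedKnoxTokenIds.contains(accessToken) || !requestMarkTokenUnused(knoxToken)) {
            return false;
        }
        this.unusedKnoxTokenIds.add(accessToken);
        LOG.info("Knox token " + Tokens.getTokenDisplayText(accessToken) + " marked unused");
        return true;
    }

    /**
     * Sends the mark-unused request and interprets the JSON reply; any failure is logged and
     * reported as false.
     */
    private boolean requestMarkTokenUnused(KnoxToken knoxToken) {
        String accessToken = knoxToken.getAccessToken();
        String display = Tokens.getTokenDisplayText(accessToken);
        try {
            // NOTE(review): the session created here is not closed after the request.
            CloudAccessBrokerTokenMarkUnused markUnused = new CloudAccessBrokerTokenMarkUnused(
                    Token.markUnused(createKnoxDTSession(), accessToken, this.owner.getShortUserName()));
            TokenLifecycleResponse response;
            if (hasKerberosCredentials()) {
                reloginOwner();
                response = this.owner.doAs((PrivilegedExceptionAction<TokenLifecycleResponse>) () ->
                        (TokenLifecycleResponse) this.requestExecutor.execute(markUnused));
            } else {
                response = (TokenLifecycleResponse) this.requestExecutor.execute(markUnused);
            }
            String body = response.getString();
            int status = response.getStatusCode();
            if (status != 200) {
                LOG.error("Failed to mark token " + display + " unused: " + status);
                if (body != null) {
                    LOG.error(body);
                }
                return false;
            }
            if (response.getContentLength() > 0 && IDBConstants.MIME_TYPE_JSON.equals(response.getContentType())) {
                Map<String, Object> result = new ObjectMapper().readValue(body, new TypeReference<Map<String, Object>>() {
                });
                // The flag may arrive as a JSON boolean or a string; String.valueOf handles both.
                if (Boolean.parseBoolean(String.valueOf(result.getOrDefault("markedUnused", "false")))) {
                    LOG.debug("Token " + display + " marked unused");
                    return true;
                }
                LOG.warn("Token could not be marked unused: " + result.get("error"));
            }
            return false;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            LOG.error("Failed to mark token " + display + " unused", e);
            return false;
        } catch (Exception e) {
            LOG.error("Failed to mark token " + display + " unused", e);
            return false;
        }
    }
}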
