package org.apache.knox.gateway.services.security.impl;

import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.knox.gateway.GatewayCommandLine;
import org.apache.knox.gateway.GatewayMessages;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClient;
import org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClientService;
import org.apache.knox.gateway.services.security.AbstractAliasService;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.EncryptionResult;
import org.apache.knox.gateway.services.security.MasterService;
import org.apache.knox.gateway.services.token.RemoteTokenStateChangeListener;
import org.apache.knox.gateway.util.PasswordUtils;

/* loaded from: input_file:org/apache/knox/gateway/services/security/impl/ZookeeperRemoteAliasService.class */
public class ZookeeperRemoteAliasService extends AbstractAliasService {
    public static final String TYPE = "zookeeper";
    public static final String PATH_KNOX = "/knox";
    public static final String PATH_KNOX_SECURITY = "/knox/security";
    public static final String PATH_KNOX_ALIAS_STORE_TOPOLOGY = "/knox/security/topology";
    public static final String PATH_SEPARATOR = "/";
    private static final String BASE_SUB_NODE = "/knox/security/topology/";
    private static final String GATEWAY_SUB_NODE = "/knox/security/topology/__gateway";
    public static final String OPTION_NAME_SHOULD_CREATE_TOKENS_SUB_NODE = "zkShouldCreateTokenSubnodes";
    public static final String OPTION_NAME_SHOULD_USE_LOCAL_ALIAS = "zkShouldUseLocalAlias";
    public static final String TOKENS_SUB_NODE_NAME = "tokens";
    public static final String TOKENS_SUB_NODE_PATH = "/tokens";
    private static final GatewayMessages LOG = (GatewayMessages) MessagesFactory.get(GatewayMessages.class);
    private static final RemoteConfigurationRegistryClient.EntryACL AUTHENTICATED_USERS_ALL = new RemoteConfigurationRegistryClient.EntryACL() { // from class: org.apache.knox.gateway.services.security.impl.ZookeeperRemoteAliasService.1
        public String getId() {
            return "";
        }

        public String getType() {
            return "auth";
        }

        public Object getPermissions() {
            return 31;
        }

        public boolean canRead() {
            return true;
        }

        public boolean canWrite() {
            return true;
        }
    };
    private static final RemoteConfigurationRegistryClient.EntryACL KERBEROS_KNOX_ALL = new RemoteConfigurationRegistryClient.EntryACL() { // from class: org.apache.knox.gateway.services.security.impl.ZookeeperRemoteAliasService.2
        public String getId() {
            return GatewayCommandLine.COMMAND_NAME;
        }

        public String getType() {
            return "sasl";
        }

        public Object getPermissions() {
            return 31;
        }

        public boolean canRead() {
            return true;
        }

        public boolean canWrite() {
            return true;
        }
    };
    private final AliasService localAliasService;
    private final MasterService ms;
    private final RemoteConfigurationRegistryClientService remoteConfigurationRegistryClientService;
    private final Collection<RemoteTokenStateChangeListener> remoteTokenStateChangeListeners = new HashSet();
    private RemoteConfigurationRegistryClient remoteClient;
    private ConfigurableEncryptor encryptor;
    private GatewayConfig config;
    private boolean shouldCreateTokensSubNode;
    private boolean shouldUseLocalAliasService;

    /* renamed from: org.apache.knox.gateway.services.security.impl.ZookeeperRemoteAliasService$3, reason: invalid class name */
    /* loaded from: input_file:org/apache/knox/gateway/services/security/impl/ZookeeperRemoteAliasService$3.class */
    static /* synthetic */ class AnonymousClass3 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$knox$gateway$services$config$client$RemoteConfigurationRegistryClient$ChildEntryListener$Type = new int[RemoteConfigurationRegistryClient.ChildEntryListener.Type.values().length];

        static {
            try {
                $SwitchMap$org$apache$knox$gateway$services$config$client$RemoteConfigurationRegistryClient$ChildEntryListener$Type[RemoteConfigurationRegistryClient.ChildEntryListener.Type.REMOVED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$knox$gateway$services$config$client$RemoteConfigurationRegistryClient$ChildEntryListener$Type[RemoteConfigurationRegistryClient.ChildEntryListener.Type.ADDED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* loaded from: input_file:org/apache/knox/gateway/services/security/impl/ZookeeperRemoteAliasService$RemoteAliasChildListener.class */
    private class RemoteAliasChildListener implements RemoteConfigurationRegistryClient.ChildEntryListener {
        final ZookeeperRemoteAliasService remoteAliasService;

        RemoteAliasChildListener(ZookeeperRemoteAliasService zookeeperRemoteAliasService) {
            this.remoteAliasService = zookeeperRemoteAliasService;
        }

        public void childEvent(RemoteConfigurationRegistryClient remoteConfigurationRegistryClient, RemoteConfigurationRegistryClient.ChildEntryListener.Type type, String str) {
            String str2;
            String substringAfter = StringUtils.substringAfter(str, ZookeeperRemoteAliasService.BASE_SUB_NODE);
            String[] split = StringUtils.split(substringAfter, '/');
            String str3 = split.length > 1 ? split[0] : "";
            if (substringAfter.contains(ZookeeperRemoteAliasService.TOKENS_SUB_NODE_NAME)) {
                str2 = split.length == 4 ? split[3] : "";
            } else {
                str2 = split.length == 2 ? split[1] : "";
            }
            switch (AnonymousClass3.$SwitchMap$org$apache$knox$gateway$services$config$client$RemoteConfigurationRegistryClient$ChildEntryListener$Type[type.ordinal()]) {
                case 1:
                    try {
                        remoteConfigurationRegistryClient.removeEntryListener(str);
                        if (!str2.isEmpty()) {
                            Iterator it = ZookeeperRemoteAliasService.this.remoteTokenStateChangeListeners.iterator();
                            while (it.hasNext()) {
                                ((RemoteTokenStateChangeListener) it.next()).onRemoved(str2);
                            }
                            if (ZookeeperRemoteAliasService.this.shouldUseLocalAliasService) {
                                ZookeeperRemoteAliasService.LOG.removeAliasLocally(str3, str2);
                                ZookeeperRemoteAliasService.this.localAliasService.removeAliasForCluster(str3, str2);
                            }
                        }
                        return;
                    } catch (Exception e) {
                        ZookeeperRemoteAliasService.LOG.errorRemovingAliasLocally(str3, str2, e.toString());
                        return;
                    }
                case 2:
                    if (!str2.isEmpty()) {
                        try {
                            remoteConfigurationRegistryClient.addEntryListener(str, new RemoteAliasEntryListener(str3, str2, ZookeeperRemoteAliasService.this.localAliasService));
                            return;
                        } catch (Exception e2) {
                            ZookeeperRemoteAliasService.LOG.errorAddingRemoteAliasEntryListener(str3, str2, e2.toString());
                            return;
                        }
                    }
                    if (ZookeeperRemoteAliasService.BASE_SUB_NODE.equals(str)) {
                        return;
                    }
                    ZookeeperRemoteAliasService.LOG.addRemoteListener(str);
                    try {
                        remoteConfigurationRegistryClient.addChildEntryListener(str, new RemoteAliasChildListener(this.remoteAliasService));
                        return;
                    } catch (Exception e3) {
                        ZookeeperRemoteAliasService.LOG.errorAddingRemoteListener(str, e3.toString());
                        return;
                    }
                default:
                    return;
            }
        }
    }

    /* loaded from: input_file:org/apache/knox/gateway/services/security/impl/ZookeeperRemoteAliasService$RemoteAliasEntryListener.class */
    private class RemoteAliasEntryListener implements RemoteConfigurationRegistryClient.EntryListener {
        final String cluster;
        final String alias;
        final AliasService localAliasService;

        RemoteAliasEntryListener(String str, String str2, AliasService aliasService) {
            this.cluster = str;
            this.alias = str2;
            this.localAliasService = aliasService;
        }

        public void entryChanged(RemoteConfigurationRegistryClient remoteConfigurationRegistryClient, String str, byte[] bArr) {
            if (ZookeeperRemoteAliasService.TOKENS_SUB_NODE_NAME.equals(this.alias) || !isAliasPath(str)) {
                return;
            }
            try {
                String decrypt = ZookeeperRemoteAliasService.this.decrypt(new String(bArr, StandardCharsets.UTF_8));
                if (str.contains(ZookeeperRemoteAliasService.TOKENS_SUB_NODE_PATH)) {
                    Iterator it = ZookeeperRemoteAliasService.this.remoteTokenStateChangeListeners.iterator();
                    while (it.hasNext()) {
                        ((RemoteTokenStateChangeListener) it.next()).onChanged(this.alias, decrypt);
                    }
                }
                if (ZookeeperRemoteAliasService.this.shouldUseLocalAliasService) {
                    try {
                        ZookeeperRemoteAliasService.LOG.addAliasLocally(this.cluster, this.alias);
                        this.localAliasService.addAliasForCluster(this.cluster, this.alias, decrypt);
                    } catch (Exception e) {
                        ZookeeperRemoteAliasService.LOG.errorAddingAliasLocally(this.cluster, this.alias, e.toString());
                    }
                }
            } catch (Exception e2) {
                throw new IllegalArgumentException("An error occurred while trying to decrypt data for alias " + this.alias, e2);
            }
        }

        private boolean isAliasPath(String str) {
            String substringAfter = StringUtils.substringAfter(str, ZookeeperRemoteAliasService.BASE_SUB_NODE);
            String[] split = StringUtils.split(substringAfter, '/');
            return substringAfter.contains(ZookeeperRemoteAliasService.TOKENS_SUB_NODE_NAME) ? split.length == 4 : split.length == 2;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ZookeeperRemoteAliasService(AliasService aliasService, MasterService masterService, RemoteConfigurationRegistryClientService remoteConfigurationRegistryClientService) {
        this.localAliasService = aliasService;
        this.ms = masterService;
        this.remoteConfigurationRegistryClientService = remoteConfigurationRegistryClientService;
    }

    public void registerRemoteTokenStateChangeListener(RemoteTokenStateChangeListener remoteTokenStateChangeListener) {
        this.remoteTokenStateChangeListeners.add(remoteTokenStateChangeListener);
    }

    private String buildAliasEntryName(String str, String str2) {
        StringBuilder sb = new StringBuilder(buildClusterEntryName(str));
        String lowerCase = str2.toLowerCase(Locale.ROOT);
        if (this.shouldCreateTokensSubNode) {
            sb.append(TOKENS_SUB_NODE_PATH);
            ensureEntry(sb.toString(), this.remoteClient);
            sb.append(PATH_SEPARATOR).append(lowerCase.length() < 2 ? lowerCase : lowerCase.substring(0, 2));
            ensureEntry(sb.toString(), this.remoteClient);
        }
        return sb.append(PATH_SEPARATOR).append(lowerCase).toString();
    }

    private static String buildClusterEntryName(String str) {
        return BASE_SUB_NODE + str;
    }

    private static void ensureEntry(String str, RemoteConfigurationRegistryClient remoteConfigurationRegistryClient) {
        if (!remoteConfigurationRegistryClient.entryExists(str)) {
            remoteConfigurationRegistryClient.createEntry(str);
            return;
        }
        for (RemoteConfigurationRegistryClient.EntryACL entryACL : remoteConfigurationRegistryClient.getACL(str)) {
            if ("world".equals(entryACL.getType()) && "anyone".equals(entryACL.getId())) {
                LOG.suspectWritableRemoteConfigurationEntry(str);
                if (remoteConfigurationRegistryClient.isAuthenticationConfigured()) {
                    LOG.correctingSuspectWritableRemoteConfigurationEntry(str);
                    if (!"Kerberos".equalsIgnoreCase(remoteConfigurationRegistryClient.authenticationType()) || remoteConfigurationRegistryClient.isBackwardsCompatible()) {
                        remoteConfigurationRegistryClient.setACL(str, Collections.singletonList(AUTHENTICATED_USERS_ALL));
                    } else {
                        remoteConfigurationRegistryClient.setACL(str, Collections.singletonList(KERBEROS_KNOX_ALL));
                    }
                }
            }
        }
    }

    private static void checkPathsExist(RemoteConfigurationRegistryClient remoteConfigurationRegistryClient) {
        ensureEntry(PATH_KNOX, remoteConfigurationRegistryClient);
        ensureEntry(PATH_KNOX_SECURITY, remoteConfigurationRegistryClient);
        ensureEntry(PATH_KNOX_ALIAS_STORE_TOPOLOGY, remoteConfigurationRegistryClient);
        ensureEntry(GATEWAY_SUB_NODE, remoteConfigurationRegistryClient);
    }

    public List<String> getAliasesForCluster(String str) throws AliasServiceException {
        List<String> aliasesForCluster = this.shouldUseLocalAliasService ? this.localAliasService.getAliasesForCluster(str) : null;
        if (aliasesForCluster != null && !aliasesForCluster.isEmpty()) {
            return aliasesForCluster;
        }
        if (this.remoteClient == null) {
            return new ArrayList();
        }
        List<String> list = null;
        String buildClusterEntryName = buildClusterEntryName(str);
        if (this.remoteClient.entryExists(buildClusterEntryName)) {
            list = this.remoteClient.listChildEntries(buildClusterEntryName);
        }
        return list == null ? new ArrayList() : list;
    }

    public void addAliasForCluster(String str, String str2, String str3) throws AliasServiceException {
        if (this.remoteClient != null) {
            String buildAliasEntryName = buildAliasEntryName(str, str2);
            checkPathsExist(this.remoteClient);
            ensureEntry(buildClusterEntryName(str), this.remoteClient);
            try {
                if (this.remoteClient.entryExists(buildAliasEntryName)) {
                    this.remoteClient.setEntryData(buildAliasEntryName, encrypt(str3));
                } else {
                    this.remoteClient.createEntry(buildAliasEntryName, encrypt(str3));
                }
                if (this.remoteClient.getEntryData(buildAliasEntryName) == null) {
                    throw new IllegalStateException(String.format(Locale.ROOT, "Failed to store alias %s for cluster %s in remote registry", str2, str));
                }
            } catch (Exception e) {
                throw new AliasServiceException(e);
            }
        }
    }

    public void addAliasesForCluster(String str, Map<String, String> map) throws AliasServiceException {
        for (Map.Entry<String, String> entry : map.entrySet()) {
            addAliasForCluster(str, entry.getKey(), entry.getValue());
        }
    }

    public void removeAliasForCluster(String str, String str2) throws AliasServiceException {
        if (this.remoteClient != null) {
            String buildAliasEntryName = buildAliasEntryName(str, str2);
            if (this.remoteClient.entryExists(buildAliasEntryName)) {
                this.remoteClient.deleteEntry(buildAliasEntryName);
                if (this.remoteClient.entryExists(buildAliasEntryName)) {
                    throw new IllegalStateException(String.format(Locale.ROOT, "Failed to delete alias %s for cluster %s in remote registry", str2, str));
                }
            }
        }
    }

    public void removeAliasesForCluster(String str, Set<String> set) throws AliasServiceException {
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            removeAliasForCluster(str, it.next());
        }
    }

    public char[] getPasswordFromAliasForCluster(String str, String str2) throws AliasServiceException {
        return getPasswordFromAliasForCluster(str, str2, false);
    }

    public char[] getPasswordFromAliasForCluster(String str, String str2, boolean z) throws AliasServiceException {
        char[] passwordFromAliasForCluster = this.shouldUseLocalAliasService ? this.localAliasService.getPasswordFromAliasForCluster(str, str2, z) : null;
        if (passwordFromAliasForCluster == null && this.remoteClient != null) {
            checkPathsExist(this.remoteClient);
            String str3 = null;
            if (this.remoteClient.entryExists(buildAliasEntryName(str, str2))) {
                str3 = this.remoteClient.getEntryData(buildAliasEntryName(str, str2));
            }
            if (str3 != null) {
                try {
                    passwordFromAliasForCluster = decrypt(str3).toCharArray();
                } catch (Exception e) {
                    throw new AliasServiceException(e);
                }
            } else if (z) {
                generateAliasForCluster(str, str2);
                passwordFromAliasForCluster = getPasswordFromAliasForCluster(str, str2);
            }
        }
        return passwordFromAliasForCluster;
    }

    public void generateAliasForCluster(String str, String str2) throws AliasServiceException {
        addAliasForCluster(str, str2, PasswordUtils.generatePassword(16));
    }

    public char[] getPasswordFromAliasForGateway(String str) throws AliasServiceException {
        return getPasswordFromAliasForCluster("__gateway", str);
    }

    public char[] getGatewayIdentityPassphrase() throws AliasServiceException {
        return getPasswordFromAliasForGateway(this.config.getIdentityKeyPassphraseAlias());
    }

    public char[] getGatewayIdentityKeystorePassword() throws AliasServiceException {
        return getPasswordFromAliasForGateway(this.config.getIdentityKeystorePasswordAlias());
    }

    public char[] getSigningKeyPassphrase() throws AliasServiceException {
        return getPasswordFromAliasForGateway(this.config.getSigningKeyPassphraseAlias());
    }

    public char[] getSigningKeystorePassword() throws AliasServiceException {
        return getPasswordFromAliasForGateway(this.config.getSigningKeystorePasswordAlias());
    }

    public void generateAliasForGateway(String str) throws AliasServiceException {
        generateAliasForCluster("__gateway", str);
    }

    public Certificate getCertificateForGateway(String str) throws AliasServiceException {
        throw new AliasServiceException(new UnsupportedOperationException());
    }

    public void init(GatewayConfig gatewayConfig, Map<String, String> map) throws ServiceLifecycleException {
        this.config = gatewayConfig;
        String remoteConfigurationMonitorClientName = gatewayConfig.getRemoteConfigurationMonitorClientName();
        if (remoteConfigurationMonitorClientName == null || this.remoteConfigurationRegistryClientService == null) {
            LOG.missingClientConfigurationForRemoteMonitoring();
            return;
        }
        this.remoteClient = this.remoteConfigurationRegistryClientService.get(remoteConfigurationMonitorClientName);
        ensureEntries(this.remoteClient);
        if (this.remoteClient.listChildEntries(PATH_KNOX_ALIAS_STORE_TOPOLOGY) == null) {
            throw new IllegalStateException("Unable to access remote path: /knox/security/topology");
        }
        this.shouldUseLocalAliasService = Boolean.parseBoolean(map.getOrDefault(OPTION_NAME_SHOULD_USE_LOCAL_ALIAS, "true"));
        try {
            this.remoteClient.addChildEntryListener(PATH_KNOX_ALIAS_STORE_TOPOLOGY, new RemoteAliasChildListener(this));
            this.encryptor = new ConfigurableEncryptor(new String(this.ms.getMasterSecret()));
            this.encryptor.init(gatewayConfig);
            this.shouldCreateTokensSubNode = Boolean.parseBoolean(map.getOrDefault(OPTION_NAME_SHOULD_CREATE_TOKENS_SUB_NODE, "false"));
        } catch (Exception e) {
            throw new IllegalStateException("Unable to add listener for path /knox/security/topology", e);
        }
    }

    public void start() throws ServiceLifecycleException {
    }

    public void stop() throws ServiceLifecycleException {
        if (this.remoteClient != null) {
            try {
                this.remoteClient.removeEntryListener(PATH_KNOX_ALIAS_STORE_TOPOLOGY);
            } catch (Exception e) {
                LOG.errorRemovingRemoteListener(PATH_KNOX_ALIAS_STORE_TOPOLOGY, e.toString());
            }
        }
    }

    String encrypt(String str) throws Exception {
        EncryptionResult encrypt = this.encryptor.encrypt(str);
        return Base64.encodeBase64String((Base64.encodeBase64String(encrypt.salt) + "::" + Base64.encodeBase64String(encrypt.iv) + "::" + Base64.encodeBase64String(encrypt.cipher)).getBytes(StandardCharsets.UTF_8));
    }

    String decrypt(String str) throws Exception {
        String[] split = new String(Base64.decodeBase64(str), StandardCharsets.UTF_8).split("::");
        if (split.length != 3) {
            throw new IllegalArgumentException("Data should have 3 parts split by ::");
        }
        return new String(this.encryptor.decrypt(Base64.decodeBase64(split[0]), Base64.decodeBase64(split[1]), Base64.decodeBase64(split[2])), StandardCharsets.UTF_8);
    }

    private void ensureEntries(RemoteConfigurationRegistryClient remoteConfigurationRegistryClient) {
        ensureEntry(PATH_KNOX, remoteConfigurationRegistryClient);
        ensureEntry(PATH_KNOX_SECURITY, remoteConfigurationRegistryClient);
        ensureEntry(PATH_KNOX_ALIAS_STORE_TOPOLOGY, remoteConfigurationRegistryClient);
        ensureEntry(GATEWAY_SUB_NODE, remoteConfigurationRegistryClient);
    }
}
