package org.apache.knox.gateway.service.idbroker.gcp;

import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Properties;
import java.util.concurrent.ExecutionException;
import org.apache.commons.lang3.SerializationUtils;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.service.idbroker.AbstractKnoxCloudCredentialsClient;
import org.apache.knox.gateway.service.idbroker.CloudClientConfiguration;
import org.apache.knox.gateway.service.idbroker.IdentityBrokerResource;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.EncryptionResult;
import org.apache.knox.gateway.util.JsonUtils;

/* loaded from: input_file:org/apache/knox/gateway/service/idbroker/gcp/KnoxGCPClient.class */
public class KnoxGCPClient extends AbstractKnoxCloudCredentialsClient {
    private static final String NAME = "GCP";
    private static final String KEY_ID_ALIAS = "gcp.credential.key";
    private static final String KEY_SECRET_ALIAS = "gcp.credential.secret";
    private static final String CONFIG_TARGET_SERVICE_ACCOUNT_ID = "target.service.account.id";
    private static final String CONFIG_TOKEN_LIFETIME = "token.lifetime";
    private static final String CONFIG_TOKEN_SCOPES = "token.scopes";
    private static final String DEFAULT_TOKEN_LIFETIME = "3600s";
    private static final String SERVICE_ACCOUNTS_ENDPOINT = "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/";
    private long expirationOffset = 30000;
    private String tokenLifetime;
    private GoogleCredential idBrokerCredential;
    private static final String DEFAULT_TOKEN_SCOPES = "https://www.googleapis.com/auth/cloud-platform";
    private static final Collection<String> DEFAULT_SCOPES = Collections.singletonList(DEFAULT_TOKEN_SCOPES);
    private static GCPClientMessages LOG = (GCPClientMessages) MessagesFactory.get(GCPClientMessages.class);

    @Override // org.apache.knox.gateway.service.idbroker.AbstractKnoxCloudCredentialsClient, org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public void init(Properties properties) {
        super.init(properties);
        this.tokenLifetime = properties.getProperty(CONFIG_TOKEN_LIFETIME);
        if (this.tokenLifetime == null || this.tokenLifetime.isEmpty()) {
            this.tokenLifetime = DEFAULT_TOKEN_LIFETIME;
        }
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public String getName() {
        return NAME;
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public Object getCredentials() {
        return getCredentialsForRole(getRole());
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public Object getCredentialsForRole(String str) {
        return getCachedAccessToken(str);
    }

    private Object getCachedAccessToken(String str) {
        try {
            EncryptionResult encryptionResult = (EncryptionResult) this.credentialCache.get(str, () -> {
                return this.cryptoService.encryptForCluster(this.topologyName, IdentityBrokerResource.CREDENTIAL_CACHE_ALIAS, SerializationUtils.serialize(generateAccessToken(getConfigProvider().getConfig(), str)));
            });
            return SerializationUtils.deserialize(this.cryptoService.decryptForCluster(this.topologyName, IdentityBrokerResource.CREDENTIAL_CACHE_ALIAS, encryptionResult.cipher, encryptionResult.iv, encryptionResult.salt));
        } catch (ExecutionException e) {
            LOG.cacheException(str, e.toString());
            throw new RuntimeException(e);
        }
    }

    private GoogleCredential getIDBrokerCredential(CloudClientConfiguration cloudClientConfiguration) {
        if (this.idBrokerCredential == null) {
            LOG.authenticateCAB();
            PrivateKey privateKey = null;
            String keyID = getKeyID();
            if (keyID == null) {
                LOG.configError("Missing required credential alias: gcp.credential.key");
            } else {
                LOG.configuredServiceAccount(keyID);
                privateKey = getPrivateKey();
                if (privateKey == null) {
                    LOG.configError("Missing required credential alias: gcp.credential.secret");
                }
            }
            if (privateKey != null) {
                try {
                    GoogleCredential build = new GoogleCredential.Builder().setTransport(new NetHttpTransport()).setJsonFactory(new JacksonFactory()).setServiceAccountId(keyID).setServiceAccountPrivateKey(privateKey).setServiceAccountScopes(DEFAULT_SCOPES).build();
                    build.refreshToken();
                    this.idBrokerCredential = build;
                    LOG.cabAuthenticated();
                } catch (Exception e) {
                    LOG.exception(e);
                }
            }
        }
        return this.idBrokerCredential;
    }

    private String generateAccessToken(CloudClientConfiguration cloudClientConfiguration, String str) {
        String str2 = null;
        CloseableHttpClient build = HttpClientBuilder.create().build();
        String property = cloudClientConfiguration.getProperty(CONFIG_TOKEN_SCOPES);
        if (property == null || property.isEmpty()) {
            property = DEFAULT_TOKEN_SCOPES;
        }
        String[] split = property.split(",");
        HttpPost httpPost = new HttpPost(SERVICE_ACCOUNTS_ENDPOINT + (str != null ? str : cloudClientConfiguration.getProperty(CONFIG_TARGET_SERVICE_ACCOUNT_ID)) + ":generateAccessToken");
        GoogleCredential iDBrokerCredential = getIDBrokerCredential(cloudClientConfiguration);
        if (iDBrokerCredential == null) {
            throw new RuntimeException("Unable to authenticate the Cloud Access Broker.");
        }
        if (iDBrokerCredential.getExpirationTimeMilliseconds().longValue() - this.expirationOffset < System.currentTimeMillis()) {
            try {
                iDBrokerCredential.refreshToken();
            } catch (IOException e) {
                LOG.exception(e);
            }
        }
        String accessToken = iDBrokerCredential.getAccessToken();
        if (accessToken == null) {
            LOG.failedToAcquireAuthTokenForCAB();
            throw new RuntimeException("Failed to acquire token for the Cloud Access Broker.");
        }
        httpPost.addHeader("Authorization", "Bearer " + accessToken);
        HashMap hashMap = new HashMap();
        hashMap.put("delegates", Collections.emptyList());
        hashMap.put("scope", Arrays.asList(split));
        hashMap.put("lifetime", this.tokenLifetime);
        httpPost.setEntity(new StringEntity(JsonUtils.renderAsJsonString(hashMap), StandardCharsets.UTF_8));
        httpPost.addHeader("Content-Type", "application/json");
        try {
            CloseableHttpResponse execute = build.execute(httpPost);
            if (200 == execute.getStatusLine().getStatusCode()) {
                HttpEntity entity = execute.getEntity();
                if (entity != null) {
                    str2 = EntityUtils.toString(entity, StandardCharsets.UTF_8);
                }
            } else {
                LOG.remoteErrorResponseStatus(execute.getStatusLine().getStatusCode());
                HttpEntity entity2 = execute.getEntity();
                if (entity2 != null) {
                    LOG.remoteErrorResponse(EntityUtils.toString(entity2, StandardCharsets.UTF_8));
                }
            }
        } catch (IOException e2) {
            LOG.exception(e2);
        }
        return str2;
    }

    private String getKeyID() {
        String str = null;
        try {
            char[] passwordFromAliasForCluster = this.aliasService.getPasswordFromAliasForCluster(this.topologyName, KEY_ID_ALIAS);
            if (passwordFromAliasForCluster != null) {
                str = new String(passwordFromAliasForCluster);
            }
        } catch (AliasServiceException e) {
            LOG.exception(e);
        }
        return str;
    }

    private char[] getKeySecret() {
        char[] cArr = null;
        try {
            cArr = this.aliasService.getPasswordFromAliasForCluster(this.topologyName, KEY_SECRET_ALIAS);
        } catch (AliasServiceException e) {
            LOG.exception(e);
        }
        return cArr;
    }

    private PrivateKey getPrivateKey() {
        PrivateKey privateKey = null;
        char[] keySecret = getKeySecret();
        if (keySecret != null && keySecret.length > 0) {
            try {
                privateKey = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(charsToBytes(replaceNewlineChars(keySecret)))));
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                LOG.exception(e);
            }
        }
        return privateKey;
    }

    private byte[] charsToBytes(char[] cArr) {
        ByteBuffer encode = StandardCharsets.UTF_8.encode(CharBuffer.wrap(replaceNewlineChars(cArr)));
        byte[] copyOfRange = Arrays.copyOfRange(encode.array(), encode.position(), encode.limit());
        Arrays.fill(encode.array(), (byte) 0);
        return copyOfRange;
    }

    private static char[] replaceNewlineChars(char[] cArr) {
        char[] cArr2 = new char[cArr.length];
        int i = 0;
        int i2 = 0;
        while (i2 < cArr.length) {
            char c = cArr[i2];
            if (c == '\\' && cArr[i2 + 1] == 'n') {
                i2++;
                int i3 = i;
                i++;
                cArr2[i3] = '\n';
            } else if (c != '\n') {
                int i4 = i;
                i++;
                cArr2[i4] = c;
            }
            i2++;
        }
        return i == cArr.length ? cArr : Arrays.copyOfRange(cArr2, 0, i);
    }
}
