package org.apache.knox.gateway.service.idbroker.azure;

import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectWriter;
import com.google.gson.Gson;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.Predicate;
import com.microsoft.aad.adal4j.AuthenticationCallback;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.microsoft.azure.AzureEnvironment;
import java.io.IOException;
import java.net.MalformedURLException;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.SerializationUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.service.idbroker.AbstractKnoxCloudCredentialsClient;
import org.apache.knox.gateway.service.idbroker.CloudClientConfiguration;
import org.apache.knox.gateway.service.idbroker.IdentityBrokerConfigException;
import org.apache.knox.gateway.service.idbroker.IdentityBrokerResource;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.EncryptionResult;

/* loaded from: input_file:org/apache/knox/gateway/service/idbroker/azure/KnoxAzureClient.class */
public class KnoxAzureClient extends AbstractKnoxCloudCredentialsClient {
    private static final String NAME = "ADLS2";
    private static final String CLIENT_ID = "azure.adls2.credential.%s.clientid";
    private static final String CLIENT_SECRET = "azure.adls2.credential.%s.secret";
    private static final String TENANT_NAME = "azure.adls2.tenantname";
    private static final String RESOURCE_NAME = "azure.adls2.resource";
    private static final String AZURE_INITIAL_REQUEST_RETRY_COUNT = "azure.initial.request.retry.count";
    private static final String ASSUMER_IDENTITY = "azure.vm.assumer.identity";
    private static final String AZURE_RETRY_DELAY = "azure.retry.delay";
    private static final int AZURE_INITIAL_REQUEST_RETRY_DEFAULT = 5;
    private static final int AZURE_RETRY_DELAY_DEFAULT = 5;
    private static final String AZURE_TOKEN_SKEW_OFFSET = "azure.token.skew.offset";
    private static final int AZURE_TOKEN_SKEW_OFFSET_DEFAULT = 120;
    private static final String DEFAULT_RESOURCE_NAME = "https://storage.azure.com/";
    private static final String SYSTEM_MSI_RESOURCE_NAME_FORMAT = "/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s";
    private static final String TOKEN_AUDIENCE_MANAGEMENT = "https://management.azure.com/";
    private final ObjectWriter mapper = new ObjectMapper().writer().withDefaultPrettyPrinter();
    private String systemMSIResourceName = "";
    private Set<String> userAssignedMSIIdentities = new HashSet();
    private boolean areUserAssignedIdentitiesInitialized;
    private Set<String> retrievedUserIdentities;
    private static final ExecutorService executorService = Executors.newFixedThreadPool(10);
    private static final AzureClientMessages LOG = (AzureClientMessages) MessagesFactory.get(AzureClientMessages.class);
    public static final String MSI_PATH_REGEX_NAMED = "\\/?subscriptions\\/(?<subscription>.*?)\\/resource[gG]roups\\/(?<resourceGroup>.*?)\\/providers\\/Microsoft\\.ManagedIdentity\\/userAssignedIdentities\\/(?<vmName>.*?)$";
    public static final Pattern MSI_PATH_PATTERN = Pattern.compile(MSI_PATH_REGEX_NAMED);

    /* loaded from: input_file:org/apache/knox/gateway/service/idbroker/azure/KnoxAzureClient$AzureToken.class */
    public class AzureToken {

        @JsonProperty("token_type")
        private String tokenType;

        @JsonProperty("access_token")
        private String accessToken;

        @JsonProperty("expires_on")
        private String expiresOn;

        public AzureToken(String str, String str2, String str3) {
            this.tokenType = str;
            this.accessToken = str2;
            this.expiresOn = str3;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/knox/gateway/service/idbroker/azure/KnoxAzureClient$MSIPayload.class */
    public static class MSIPayload {
        private Identity identity;

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:org/apache/knox/gateway/service/idbroker/azure/KnoxAzureClient$MSIPayload$Identity.class */
        public static class Identity {
            private String type;
            Map<String, Object> UserAssignedIdentities = new HashMap();

            Identity(String str) {
                this.type = str;
            }

            public void addProp(String str, Object obj) {
                this.UserAssignedIdentities.put(str, obj);
            }
        }

        MSIPayload(Identity identity) {
            this.identity = identity;
        }
    }

    @Override // org.apache.knox.gateway.service.idbroker.AbstractKnoxCloudCredentialsClient, org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public void init(Properties properties) {
        super.init(properties);
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public String getName() {
        return NAME;
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public Object getCredentials() {
        return getCredentialsForRole(getRole());
    }

    @Override // org.apache.knox.gateway.service.idbroker.KnoxCloudCredentialsClient
    public Object getCredentialsForRole(String str) {
        String str2 = null;
        try {
            str2 = (String) getCachedAccessToken(str);
            int parseInt = Integer.parseInt(getConfigProvider().getConfig().getProperty(AZURE_TOKEN_SKEW_OFFSET, String.valueOf(AZURE_TOKEN_SKEW_OFFSET_DEFAULT)));
            int parseInt2 = Integer.parseInt(getConfigProvider().getConfig().getProperty(AZURE_RETRY_DELAY, String.valueOf(5)));
            long currentTimeMillis = System.currentTimeMillis() + TimeUnit.SECONDS.toMillis(parseInt);
            while (isTokenExpired(str2) && System.currentTimeMillis() < currentTimeMillis) {
                LOG.cacheTokenExpired(str);
                TimeUnit.SECONDS.sleep(parseInt2);
                str2 = generateAccessToken(getConfigProvider().getConfig(), str);
                this.credentialCache.put(str, this.cryptoService.encryptForCluster(this.topologyName, IdentityBrokerResource.CREDENTIAL_CACHE_ALIAS, SerializationUtils.serialize(str2)));
            }
        } catch (Exception e) {
            String message = e.getMessage() != null ? e.getMessage() : e.toString();
            LOG.accessTokenGenerationError(message);
            LOG.printStackTrace(ExceptionUtils.getStackTrace(e));
            throw new WebApplicationException(KnoxMSICredentials.errorResponseWrapper(Response.Status.FORBIDDEN, String.format(Locale.ROOT, "{ \"error\": \"error obtaining access token, cause: %s\" }", message)));
        } catch (WebApplicationException e2) {
            throw e2;
        } catch (InterruptedException e3) {
            LOG.cacheTokenRetryError(str, e3.toString());
        }
        return str2;
    }

    private void loadUserIdentities(CloudClientConfiguration cloudClientConfiguration) {
        this.userAssignedMSIIdentities = cloudClientConfiguration.getAllRoles();
        if (!StringUtils.isBlank(cloudClientConfiguration.getProperty(ASSUMER_IDENTITY))) {
            this.userAssignedMSIIdentities.add(cloudClientConfiguration.getProperty(ASSUMER_IDENTITY));
        }
        addIdentitiesToVM(cloudClientConfiguration, this.userAssignedMSIIdentities);
        this.areUserAssignedIdentitiesInitialized = true;
        LOG.foundUserMSI(this.userAssignedMSIIdentities.size(), this.topologyName);
    }

    private void addIdentitiesToVM(CloudClientConfiguration cloudClientConfiguration, Set<String> set) {
        KnoxMSICredentials knoxMSICredentials = new KnoxMSICredentials(AzureEnvironment.AZURE);
        String property = cloudClientConfiguration.getProperty(ASSUMER_IDENTITY);
        if (StringUtils.isBlank(property)) {
            LOG.noAssumerIdentityConfigured();
        } else if (MSI_PATH_PATTERN.matcher(property).matches()) {
            knoxMSICredentials.withIdentityId(property);
        } else {
            LOG.invalidAssumerMSI(property);
        }
        try {
            String str = (String) JsonPath.read(knoxMSICredentials.getToken(TOKEN_AUDIENCE_MANAGEMENT), "$.access_token", new Predicate[0]);
            try {
                if (areIdentitiesAttached(knoxMSICredentials, str, set)) {
                    LOG.identitiesAlreadyAttached();
                } else {
                    MSIPayload.Identity identity = new MSIPayload.Identity("UserAssigned");
                    for (String str2 : set) {
                        if (MSI_PATH_PATTERN.matcher(str2).matches()) {
                            identity.addProp(str2, new Object());
                        } else {
                            LOG.notValidMSISkipAttachment(str2);
                        }
                    }
                    String json = new Gson().toJson(new MSIPayload(identity));
                    forceUpdateAllCachedAccessToken();
                    knoxMSICredentials.attachIdentities(getSystemMSIResourceName(knoxMSICredentials), json, str);
                    LOG.attachIdentitiesSuccess(set.toString());
                    int i = 0;
                    int parseInt = Integer.parseInt(cloudClientConfiguration.getProperty(AZURE_INITIAL_REQUEST_RETRY_COUNT, String.valueOf(5)));
                    int parseInt2 = Integer.parseInt(cloudClientConfiguration.getProperty(AZURE_RETRY_DELAY, String.valueOf(5)));
                    while (true) {
                        if (i > parseInt) {
                            break;
                        }
                        if (i == parseInt) {
                            LOG.attachIdentitiesFailure();
                            break;
                        } else {
                            if (areIdentitiesAttached(knoxMSICredentials, str, set)) {
                                break;
                            }
                            LOG.retryCheckAssignedMSI(i);
                            i++;
                            TimeUnit.SECONDS.sleep(parseInt2);
                        }
                    }
                }
            } catch (Exception e) {
                LOG.attachIdentitiesError(e.toString());
                throw new RuntimeException(e);
            }
        } catch (Exception e2) {
            LOG.accessTokenGenerationError(e2.toString());
            throw new RuntimeException(e2);
        }
    }

    private boolean areIdentitiesAttached(KnoxMSICredentials knoxMSICredentials, String str, Set<String> set) throws InterruptedException {
        this.retrievedUserIdentities = knoxMSICredentials.getAssignedUserIdentityList(getSystemMSIResourceName(knoxMSICredentials), str);
        if (this.retrievedUserIdentities.containsAll(set)) {
            LOG.retrievedIdentityListMatches(this.retrievedUserIdentities.size());
            return true;
        }
        LOG.retrievedIdentityListNoMatches(this.retrievedUserIdentities.size(), set.size());
        return false;
    }

    private String getSystemMSIResourceName(KnoxMSICredentials knoxMSICredentials) throws InterruptedException {
        if (StringUtils.isBlank(this.systemMSIResourceName)) {
            String computeInstanceMetadata = knoxMSICredentials.getComputeInstanceMetadata(null);
            this.systemMSIResourceName = String.format(Locale.ROOT, SYSTEM_MSI_RESOURCE_NAME_FORMAT, JsonPath.read(computeInstanceMetadata, "$.subscriptionId", new Predicate[0]), JsonPath.read(computeInstanceMetadata, "$.resourceGroupName", new Predicate[0]), JsonPath.read(computeInstanceMetadata, "$.name", new Predicate[0]));
        }
        LOG.printSystemMSIResourceName(this.systemMSIResourceName);
        return this.systemMSIResourceName;
    }

    protected Object getCachedAccessToken(String str) {
        try {
            EncryptionResult encryptionResult = (EncryptionResult) this.credentialCache.get(str, () -> {
                return this.cryptoService.encryptForCluster(this.topologyName, IdentityBrokerResource.CREDENTIAL_CACHE_ALIAS, SerializationUtils.serialize(generateAccessToken(getConfigProvider().getConfig(), str)));
            });
            return SerializationUtils.deserialize(this.cryptoService.decryptForCluster(this.topologyName, IdentityBrokerResource.CREDENTIAL_CACHE_ALIAS, encryptionResult.cipher, encryptionResult.iv, encryptionResult.salt));
        } catch (ExecutionException e) {
            LOG.cacheException(str, e.toString());
            throw new RuntimeException(e);
        }
    }

    private void forceUpdateAllCachedAccessToken() throws IOException {
        if (this.areUserAssignedIdentitiesInitialized) {
            KnoxMSICredentials knoxMSICredentials = new KnoxMSICredentials(AzureEnvironment.AZURE);
            if (this.userAssignedMSIIdentities.size() > 1) {
                LOG.forceUpdateCachedTokens(this.userAssignedMSIIdentities.toString());
            }
            for (String str : this.userAssignedMSIIdentities) {
                if (this.retrievedUserIdentities != null && this.retrievedUserIdentities.contains(str)) {
                    knoxMSICredentials = knoxMSICredentials.withIdentityId(str);
                    this.credentialCache.put(str, this.cryptoService.encryptForCluster(this.topologyName, IdentityBrokerResource.CREDENTIAL_CACHE_ALIAS, SerializationUtils.serialize(knoxMSICredentials.getToken(DEFAULT_RESOURCE_NAME))));
                }
            }
        }
    }

    protected String generateAccessToken(CloudClientConfiguration cloudClientConfiguration, String str) {
        try {
            if (MSI_PATH_PATTERN.matcher(str).matches()) {
                LOG.usingMSIResource(str);
                return getAccessTokenUsingMSI(cloudClientConfiguration, str);
            }
            LOG.usingPrincipalResource(str);
            return getAccessTokenUsingServicePrincipal(cloudClientConfiguration, str);
        } catch (Exception e) {
            LOG.accessTokenGenerationError(e.toString());
            throw new RuntimeException(e);
        }
    }

    private boolean isTokenExpired(String str) {
        long epochSecond;
        if (!StringUtils.isBlank((CharSequence) JsonPath.read(str, "$.expires_on", new Predicate[0]))) {
            epochSecond = Long.parseLong((String) JsonPath.read(str, "$.expires_on", new Predicate[0]));
        } else {
            if (StringUtils.isBlank((CharSequence) JsonPath.read(str, "$.expires_in", new Predicate[0]))) {
                return true;
            }
            epochSecond = Instant.now().plus(Long.parseLong((String) JsonPath.read(str, "$.expires_in", new Predicate[0])), (TemporalUnit) ChronoUnit.SECONDS).getEpochSecond();
        }
        LOG.recordTokenExpiryTime(Date.from(Instant.ofEpochSecond(epochSecond)).toString(), Date.from(Instant.now()).toString());
        return Instant.ofEpochSecond(epochSecond).isBefore(Instant.now());
    }

    private String getAccessTokenUsingMSI(CloudClientConfiguration cloudClientConfiguration, String str) throws IOException {
        boolean z = false;
        KnoxMSICredentials knoxMSICredentials = new KnoxMSICredentials(AzureEnvironment.AZURE);
        if (!this.areUserAssignedIdentitiesInitialized) {
            loadUserIdentities(cloudClientConfiguration);
            z = true;
        }
        if (!this.userAssignedMSIIdentities.contains(str)) {
            this.userAssignedMSIIdentities.add(str);
            addIdentitiesToVM(cloudClientConfiguration, this.userAssignedMSIIdentities);
        }
        if (str != null) {
            knoxMSICredentials = knoxMSICredentials.withIdentityId(str);
        }
        if (!z) {
            return knoxMSICredentials.getToken(DEFAULT_RESOURCE_NAME);
        }
        String str2 = null;
        int i = 0;
        int parseInt = Integer.parseInt(cloudClientConfiguration.getProperty(AZURE_INITIAL_REQUEST_RETRY_COUNT, String.valueOf(5)));
        int parseInt2 = Integer.parseInt(cloudClientConfiguration.getProperty(AZURE_RETRY_DELAY, String.valueOf(5)));
        while (i < parseInt) {
            try {
                str2 = knoxMSICredentials.getToken(DEFAULT_RESOURCE_NAME);
                break;
            } catch (Exception e) {
                i++;
                LOG.failedRetryMSIaccessToken(str, i);
                if (i == parseInt - 1) {
                    throw e;
                }
                try {
                    TimeUnit.SECONDS.sleep(parseInt2);
                } catch (InterruptedException e2) {
                    throw new IOException(e2);
                }
            }
        }
        return str2;
    }

    private String getAccessTokenUsingServicePrincipal(CloudClientConfiguration cloudClientConfiguration, String str) throws MalformedURLException, ExecutionException, InterruptedException, JsonProcessingException {
        String property = cloudClientConfiguration.getProperty(TENANT_NAME);
        if (property == null || property.isEmpty()) {
            LOG.configError(String.format(Locale.ROOT, "Missing required tenant name, please configure it using the property %s", TENANT_NAME));
            throw new RuntimeException(String.format(Locale.ROOT, "Missing required tenant name, please configure it using the property %s", TENANT_NAME));
        }
        String property2 = cloudClientConfiguration.getProperty(RESOURCE_NAME);
        if (property2 == null || property2.isEmpty()) {
            property2 = DEFAULT_RESOURCE_NAME;
        }
        AuthenticationResult authenticationResult = (AuthenticationResult) new AuthenticationContext(String.format(Locale.ROOT, "https://login.microsoftonline.com/%s/", property), true, executorService).acquireToken(property2, new ClientCredential(getAliasValue(String.format(Locale.ROOT, CLIENT_ID, str)), getAliasValue(String.format(Locale.ROOT, CLIENT_SECRET, str))), (AuthenticationCallback) null).get();
        if (authenticationResult != null && authenticationResult.getAccessToken() != null) {
            return this.mapper.writeValueAsString(new AzureToken(authenticationResult.getAccessTokenType(), authenticationResult.getAccessToken(), Long.toString(authenticationResult.getExpiresOnDate().getTime())));
        }
        LOG.accessTokenGenerationError("Failed to get access token");
        return null;
    }

    private String getAliasValue(String str) {
        char[] passwordFromAliasForCluster;
        String str2 = null;
        try {
            passwordFromAliasForCluster = this.aliasService.getPasswordFromAliasForCluster(this.topologyName, str);
        } catch (AliasServiceException e) {
            LOG.exception(e);
        }
        if (passwordFromAliasForCluster == null) {
            LOG.aliasConfigurationError(str);
            throw new RuntimeException(new IdentityBrokerConfigException(String.format(Locale.ROOT, "Missing alias: %s, required for Cloud Access Broker", str)));
        }
        str2 = new String(passwordFromAliasForCluster);
        return str2;
    }
}
