package io.hops.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import com.google.gson.FieldNamingPolicy;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.nimbusds.jwt.JWTParser;
import java.io.IOException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.channels.FileChannel;
import java.nio.channels.FileLock;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.text.ParseException;
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.io.FileUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.log.Log4Json;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.util.BackOff;
import org.apache.hadoop.util.DateUtils;
import org.apache.hadoop.util.ExponentialBackOff;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicHeader;
import org.apache.http.util.EntityUtils;

/* loaded from: input_file:io/hops/security/ServiceJWTManager.class */
public class ServiceJWTManager extends AbstractService {
    public static final String JWT_MANAGER_PREFIX = "hops.jwt-manager.";
    public static final String JWT_MANAGER_MASTER_TOKEN_KEY = "hops.jwt-manager.master-token";
    public static final String JWT_MANAGER_RENEW_TOKEN_PATTERN = "hops.jwt-manager.renew-token-%d";
    private static final String LOCK_FILE = ".ssl-server.lock";
    private final Gson jsonParser;
    private CloseableHttpClient httpClient;
    private final ExecutorService tokenRenewer;
    private CountDownLatch waiter;
    private Configuration sslConf;
    private URL serviceJWTRenewPath;
    private URL serviceJWTInvalidatePath;
    private long serviceJWTValidityPeriodSeconds;
    private final AtomicReference<String> masterToken;
    private LocalDateTime masterTokenExpiration;
    private String[] renewalTokens;
    private static final Log LOG = LogFactory.getLog(ServiceJWTManager.class);
    private static final Set<PosixFilePermission> LOCK_FILE_PERMISSIONS = new HashSet();

    /* loaded from: input_file:io/hops/security/ServiceJWTManager$JWTDTO.class */
    public static class JWTDTO {
        private String token;
        private String subject;
        private String keyName;
        private String audiences;
        private Boolean renewable;
        private Integer expLeeway;
        private Date expiresAt;
        private Date nbf;

        public String getToken() {
            return this.token;
        }

        public void setToken(String str) {
            this.token = str;
        }

        public String getSubject() {
            return this.subject;
        }

        public void setSubject(String str) {
            this.subject = str;
        }

        public String getKeyName() {
            return this.keyName;
        }

        public void setKeyName(String str) {
            this.keyName = str;
        }

        public String getAudiences() {
            return this.audiences;
        }

        public void setAudiences(String str) {
            this.audiences = str;
        }

        public Boolean getRenewable() {
            return this.renewable;
        }

        public void setRenewable(Boolean bool) {
            this.renewable = bool;
        }

        public Integer getExpLeeway() {
            return this.expLeeway;
        }

        public void setExpLeeway(Integer num) {
            this.expLeeway = num;
        }

        public Date getExpiresAt() {
            return this.expiresAt;
        }

        public void setExpiresAt(Date date) {
            this.expiresAt = date;
        }

        public Date getNbf() {
            return this.nbf;
        }

        public void setNbf(Date date) {
            this.nbf = date;
        }
    }

    /* loaded from: input_file:io/hops/security/ServiceJWTManager$ServiceTokenDTO.class */
    public class ServiceTokenDTO {
        private JWTDTO jwt;
        private String[] renewTokens;

        public ServiceTokenDTO() {
        }

        public JWTDTO getJwt() {
            return this.jwt;
        }

        public void setJwt(JWTDTO jwtdto) {
            this.jwt = jwtdto;
        }

        public String[] getRenewTokens() {
            return this.renewTokens;
        }

        public void setRenewTokens(String[] strArr) {
            this.renewTokens = strArr;
        }
    }

    /* loaded from: input_file:io/hops/security/ServiceJWTManager$TokenRenewer.class */
    private class TokenRenewer implements Runnable {
        private final BackOff backOff;
        private final long sleepPeriodSeconds;

        private TokenRenewer() {
            this.backOff = new ExponentialBackOff.Builder().setInitialIntervalMillis(1000L).setMaximumIntervalMillis(7000L).setMultiplier(2.0d).setMaximumRetries(Math.max(1, ServiceJWTManager.this.renewalTokens.length - 1)).build();
            this.sleepPeriodSeconds = ServiceJWTManager.this.serviceJWTValidityPeriodSeconds / 2;
        }

        /* JADX WARN: Code restructure failed: missing block: B:34:0x015d, code lost:
        
            r6.this$0.invalidateServiceJWT(r0);
         */
        /* JADX WARN: Removed duplicated region for block: B:60:0x030b A[SYNTHETIC] */
        /* JADX WARN: Removed duplicated region for block: B:67:0x0333 A[EXC_TOP_SPLITTER, SYNTHETIC] */
        @Override // java.lang.Runnable
        /*
            Code decompiled incorrectly, please refer to instructions dump.
            To view partially-correct add '--show-bad-code' argument
        */
        public void run() {
            /*
                Method dump skipped, instructions count: 859
                To view this dump add '--comments-level debug' option
            */
            throw new UnsupportedOperationException("Method not decompiled: io.hops.security.ServiceJWTManager.TokenRenewer.run():void");
        }
    }

    public ServiceJWTManager(String str) {
        super(str);
        this.jsonParser = new GsonBuilder().setFieldNamingPolicy(FieldNamingPolicy.IDENTITY).setDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ").create();
        this.masterToken = new AtomicReference<>();
        this.tokenRenewer = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat("JWT renewer thread").setDaemon(true).build());
    }

    public void setHTTPClient(CloseableHttpClient closeableHttpClient) {
        this.httpClient = closeableHttpClient;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceInit(Configuration configuration) throws Exception {
        URL url = new URL(configuration.get(CommonConfigurationKeysPublic.HOPS_HOPSWORKS_HOST_KEY, "https://127.0.0.1"));
        this.sslConf = new Configuration(false);
        this.sslConf.addResource(configuration.get(SSLFactory.SSL_SERVER_CONF_KEY, SSLFactory.SSL_SERVER_CONF_DEFAULT));
        loadMasterJWT();
        loadRenewalJWTs();
        this.serviceJWTValidityPeriodSeconds = configuration.getTimeDuration(CommonConfigurationKeysPublic.JWT_MANAGER_MASTER_TOKEN_VALIDITY_PERIOD, CommonConfigurationKeysPublic.DEFAULT_JWT_MANAGER_MASTER_TOKEN_VALIDITY_PERIOD, TimeUnit.SECONDS);
        if (this.serviceJWTValidityPeriodSeconds == 0) {
            this.serviceJWTValidityPeriodSeconds = 30L;
        }
        String str = configuration.get(CommonConfigurationKeysPublic.JWT_MANAGER_SERVICE_RENEW_PATH, "/hopsworks-api/api/jwt/service");
        this.serviceJWTRenewPath = new URL(url, str);
        String str2 = configuration.get(CommonConfigurationKeysPublic.JWT_MANAGER_SERVICE_INVALIDATE_PATH, "/hopsworks-api/api/jwt/service");
        if (!str2.endsWith("/")) {
            str2 = str + "/";
        }
        this.serviceJWTInvalidatePath = new URL(url, str2);
        super.serviceInit(configuration);
    }

    private void createLockFileIfMissing() throws IOException {
        Path lockFilePath = getLockFilePath();
        if (lockFilePath.toFile().exists()) {
            return;
        }
        LOG.debug("Lock file " + lockFilePath.toString() + " does not exist");
        FileLock tryLock = FileChannel.open(lockFilePath, StandardOpenOption.CREATE, StandardOpenOption.WRITE).tryLock();
        Throwable th = null;
        if (tryLock == null) {
            if (tryLock != null) {
                if (0 == 0) {
                    tryLock.close();
                    return;
                }
                try {
                    tryLock.close();
                    return;
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                    return;
                }
            }
            return;
        }
        try {
            try {
                Files.setPosixFilePermissions(lockFilePath, LOCK_FILE_PERMISSIONS);
                if (tryLock != null) {
                    if (0 == 0) {
                        tryLock.close();
                        return;
                    }
                    try {
                        tryLock.close();
                    } catch (Throwable th3) {
                        th.addSuppressed(th3);
                    }
                }
            } catch (Throwable th4) {
                th = th4;
                throw th4;
            }
        } catch (Throwable th5) {
            if (tryLock != null) {
                if (th != null) {
                    try {
                        tryLock.close();
                    } catch (Throwable th6) {
                        th.addSuppressed(th6);
                    }
                } else {
                    tryLock.close();
                }
            }
            throw th5;
        }
    }

    private Path getLockFilePath() {
        return Paths.get(System.getProperty("java.io.tmpdir"), LOCK_FILE);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceStart() throws Exception {
        createLockFileIfMissing();
        this.waiter = new CountDownLatch(1);
        this.tokenRenewer.execute(new TokenRenewer());
        super.serviceStart();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceStop() throws Exception {
        FileLock tryLock;
        LOG.info("Stopping ServiceJWTManager");
        try {
            try {
                this.tokenRenewer.shutdown();
                if (!this.tokenRenewer.awaitTermination(100L, TimeUnit.MILLISECONDS)) {
                    this.tokenRenewer.shutdownNow();
                }
            } catch (InterruptedException e) {
                this.tokenRenewer.shutdownNow();
                Thread.currentThread().interrupt();
            }
            if (this.waiter != null) {
                this.waiter.await(100L, TimeUnit.MILLISECONDS);
            }
            super.serviceStop();
            Path lockFilePath = getLockFilePath();
            if (lockFilePath.toFile().exists()) {
                try {
                    tryLock = FileChannel.open(lockFilePath, StandardOpenOption.WRITE).tryLock();
                    Throwable th = null;
                    if (tryLock != null) {
                        try {
                            try {
                                FileUtils.deleteQuietly(lockFilePath.toFile());
                            } catch (Throwable th2) {
                                th = th2;
                                throw th2;
                            }
                        } finally {
                        }
                    }
                    if (tryLock != null) {
                        if (0 != 0) {
                            try {
                                tryLock.close();
                            } catch (Throwable th3) {
                                th.addSuppressed(th3);
                            }
                        } else {
                            tryLock.close();
                        }
                    }
                } catch (Exception e2) {
                    Thread.currentThread().interrupt();
                }
            }
        } catch (Throwable th4) {
            Path lockFilePath2 = getLockFilePath();
            if (lockFilePath2.toFile().exists()) {
                try {
                    tryLock = FileChannel.open(lockFilePath2, StandardOpenOption.WRITE).tryLock();
                    Throwable th5 = null;
                    if (tryLock != null) {
                        try {
                            try {
                                FileUtils.deleteQuietly(lockFilePath2.toFile());
                            } catch (Throwable th6) {
                                th5 = th6;
                                throw th6;
                            }
                        } finally {
                            if (tryLock != null) {
                                if (th5 != null) {
                                    try {
                                        tryLock.close();
                                    } catch (Throwable th7) {
                                        th5.addSuppressed(th7);
                                    }
                                } else {
                                    tryLock.close();
                                }
                            }
                        }
                    }
                    if (tryLock != null) {
                        if (0 != 0) {
                            try {
                                tryLock.close();
                            } catch (Throwable th8) {
                                th5.addSuppressed(th8);
                            }
                        } else {
                            tryLock.close();
                        }
                    }
                } catch (Exception e3) {
                    Thread.currentThread().interrupt();
                }
            }
            throw th4;
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void setMasterToken(String str) {
        this.masterToken.set(str);
    }

    public String getMasterToken() {
        return this.masterToken.get();
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected LocalDateTime getMasterTokenExpiration() {
        return this.masterTokenExpiration;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void setMasterTokenExpiration(LocalDateTime localDateTime) {
        this.masterTokenExpiration = localDateTime;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void setRenewalTokens(String[] strArr) {
        this.renewalTokens = strArr;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected ExecutorService getExecutorService() {
        return this.tokenRenewer;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void loadMasterJWT() throws GeneralSecurityException {
        String str = this.sslConf.get(JWT_MANAGER_MASTER_TOKEN_KEY);
        if (str == null) {
            throw new GeneralSecurityException("Could not parse master JWT from configuration");
        }
        this.masterToken.set(str);
        try {
            this.masterTokenExpiration = DateUtils.date2LocalDateTime(JWTParser.parse(this.masterToken.get()).getJWTClaimsSet().getExpirationTime());
        } catch (ParseException e) {
            throw new GeneralSecurityException("Could not parse master JWT", e);
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void loadRenewalJWTs() throws GeneralSecurityException {
        ArrayList arrayList = new ArrayList();
        int i = 0;
        while (true) {
            String str = this.sslConf.get(String.format(JWT_MANAGER_RENEW_TOKEN_PATTERN, Integer.valueOf(i)), "");
            if (str.isEmpty()) {
                break;
            }
            arrayList.add(str);
            i++;
        }
        if (arrayList.isEmpty()) {
            throw new GeneralSecurityException("Could not load one-time renewal JWTs");
        }
        this.renewalTokens = (String[]) arrayList.toArray(new String[arrayList.size()]);
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void reloadJWTs() throws GeneralSecurityException {
        this.sslConf.reloadConfiguration();
        loadMasterJWT();
        loadRenewalJWTs();
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected ServiceTokenDTO renewServiceJWT(String str, String str2, LocalDateTime localDateTime, LocalDateTime localDateTime2) throws URISyntaxException, IOException {
        HttpResponse httpResponse = null;
        try {
            JWTDTO jwtdto = new JWTDTO();
            jwtdto.token = str;
            jwtdto.expiresAt = DateUtils.localDateTime2Date(localDateTime);
            jwtdto.nbf = DateUtils.localDateTime2Date(localDateTime2);
            String json = this.jsonParser.toJson(jwtdto);
            HttpPut httpPut = new HttpPut(this.serviceJWTRenewPath.toURI());
            httpPut.addHeader(createAuthenticationHeader(str2));
            httpPut.setEntity(new StringEntity(json));
            httpPut.addHeader("Content-Type", Log4Json.JSON_TYPE);
            httpResponse = this.httpClient.execute(httpPut);
            checkHTTPResponseCode(httpResponse, "Could not make HTTP request to renew service JWT");
            ServiceTokenDTO serviceTokenDTO = (ServiceTokenDTO) this.jsonParser.fromJson(EntityUtils.toString(httpResponse.getEntity()), ServiceTokenDTO.class);
            if (httpResponse != null) {
                httpResponse.close();
            }
            return serviceTokenDTO;
        } catch (Throwable th) {
            if (httpResponse != null) {
                httpResponse.close();
            }
            throw th;
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void invalidateServiceJWT(String str) throws URISyntaxException, IOException {
        HttpResponse httpResponse = null;
        try {
            HttpDelete httpDelete = new HttpDelete(new URL(this.serviceJWTInvalidatePath, str).toURI());
            httpDelete.addHeader(createAuthenticationHeader(this.masterToken.get()));
            httpDelete.addHeader("Content-Type", Log4Json.JSON_TYPE);
            httpResponse = this.httpClient.execute(httpDelete);
            checkHTTPResponseCode(httpResponse, "Could not make HTTP request to invalidate master JWT");
            if (httpResponse != null) {
                httpResponse.close();
            }
        } catch (Throwable th) {
            if (httpResponse != null) {
                httpResponse.close();
            }
            throw th;
        }
    }

    private Header createAuthenticationHeader(String str) {
        return new BasicHeader("Authorization", String.format(AbstractSecurityActions.BEARER_AUTH_HEADER_CONTENT, str));
    }

    private void checkHTTPResponseCode(HttpResponse httpResponse, String str) throws IOException {
        int statusCode = httpResponse.getStatusLine().getStatusCode();
        if (statusCode != 200) {
            throw new IOException("HTTP error, response code " + statusCode + " Reason: " + httpResponse.getStatusLine().getReasonPhrase() + " Message: " + str);
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected boolean isTime2Renew(LocalDateTime localDateTime, LocalDateTime localDateTime2) {
        return localDateTime.isAfter(localDateTime2) || localDateTime.isEqual(localDateTime2);
    }

    protected FileLock tryAndGetLock() {
        try {
            return FileChannel.open(getLockFilePath(), StandardOpenOption.WRITE, StandardOpenOption.CREATE).tryLock();
        } catch (Exception e) {
            return null;
        }
    }

    static {
        LOCK_FILE_PERMISSIONS.add(PosixFilePermission.OWNER_READ);
        LOCK_FILE_PERMISSIONS.add(PosixFilePermission.OWNER_WRITE);
        LOCK_FILE_PERMISSIONS.add(PosixFilePermission.OWNER_EXECUTE);
        LOCK_FILE_PERMISSIONS.add(PosixFilePermission.GROUP_READ);
        LOCK_FILE_PERMISSIONS.add(PosixFilePermission.GROUP_WRITE);
        LOCK_FILE_PERMISSIONS.add(PosixFilePermission.GROUP_EXECUTE);
    }
}
