package io.hops.hopsworks.common.jupyter;

import com.auth0.jwt.exceptions.JWTDecodeException;
import io.hops.hopsworks.common.dao.airflow.MaterializedJWTFacade;
import io.hops.hopsworks.common.dao.jupyter.JupyterSettingsFacade;
import io.hops.hopsworks.common.dao.jupyter.config.JupyterFacade;
import io.hops.hopsworks.common.dao.project.ProjectFacade;
import io.hops.hopsworks.common.dao.user.UserFacade;
import io.hops.hopsworks.common.user.UsersController;
import io.hops.hopsworks.common.util.DateUtils;
import io.hops.hopsworks.common.util.Settings;
import io.hops.hopsworks.exceptions.ServiceException;
import io.hops.hopsworks.jwt.JWTController;
import io.hops.hopsworks.jwt.SignatureAlgorithm;
import io.hops.hopsworks.jwt.exception.InvalidationException;
import io.hops.hopsworks.jwt.exception.JWTException;
import io.hops.hopsworks.persistence.entity.airflow.MaterializedJWT;
import io.hops.hopsworks.persistence.entity.airflow.MaterializedJWTID;
import io.hops.hopsworks.persistence.entity.jupyter.JupyterProject;
import io.hops.hopsworks.persistence.entity.jupyter.JupyterSettings;
import io.hops.hopsworks.persistence.entity.project.Project;
import io.hops.hopsworks.persistence.entity.user.Users;
import io.hops.hopsworks.restutils.RESTCodes;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Optional;
import java.util.TreeSet;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.annotation.Resource;
import javax.ejb.AccessTimeout;
import javax.ejb.DependsOn;
import javax.ejb.EJB;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.ejb.Timeout;
import javax.ejb.TimerConfig;
import javax.ejb.TimerService;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.inject.Inject;
import org.apache.commons.io.FileUtils;

@DependsOn({"Settings"})
@Singleton
@TransactionAttribute(TransactionAttributeType.NEVER)
@Startup
/* loaded from: input_file:io/hops/hopsworks/common/jupyter/JupyterJWTManager.class */
public class JupyterJWTManager {
    private static final Logger LOG = Logger.getLogger(JupyterJWTManager.class.getName());
    public static final String TOKEN_FILE_NAME = "token.jwt";
    private final TreeSet<JupyterJWT> jupyterJWTs = new TreeSet<>(new Comparator<JupyterJWT>() { // from class: io.hops.hopsworks.common.jupyter.JupyterJWTManager.1
        @Override // java.util.Comparator
        public int compare(JupyterJWT jupyterJWT, JupyterJWT jupyterJWT2) {
            if (jupyterJWT.equals(jupyterJWT2)) {
                return 0;
            }
            if (jupyterJWT.expiration.isBefore(jupyterJWT2.expiration)) {
                return -1;
            }
            return jupyterJWT.expiration.isAfter(jupyterJWT2.expiration) ? 1 : 0;
        }
    });
    private final HashMap<CidAndPort, JupyterJWT> pidAndPortToJWT = new HashMap<>();

    @EJB
    private Settings settings;

    @EJB
    private MaterializedJWTFacade materializedJWTFacade;

    @EJB
    private JWTController jwtController;

    @EJB
    private UsersController usersController;

    @EJB
    private JupyterFacade jupyterFacade;

    @Inject
    private JupyterManager jupyterManager;

    @EJB
    private JupyterSettingsFacade jupyterSettingsFacade;

    @EJB
    private ProjectFacade projectFacade;

    @EJB
    private UserFacade userFacade;

    @Inject
    private JupyterJWTTokenWriter jwtTokenWriter;

    @Resource
    private TimerService timerService;

    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    @PostConstruct
    public void init() {
        try {
            recover();
        } catch (Exception e) {
            LOG.log(Level.WARNING, "Exception while recovering Jupyter JWTs. Keep going on...", (Throwable) e);
        }
        this.timerService.createIntervalTimer(1000L, 5000L, new TimerConfig("Jupyter JWT renewal service", false));
    }

    private void addToken(JupyterJWT jupyterJWT) {
        this.jupyterJWTs.add(jupyterJWT);
        this.pidAndPortToJWT.put(jupyterJWT.pidAndPort, jupyterJWT);
    }

    private void removeToken(CidAndPort cidAndPort) {
        this.jupyterJWTs.remove(this.pidAndPortToJWT.remove(cidAndPort));
    }

    protected void recover() {
        JupyterJWT jupyterJWT;
        LOG.log(Level.INFO, "Starting Jupyter JWT manager recovery");
        ArrayList arrayList = new ArrayList();
        for (MaterializedJWT materializedJWT : this.materializedJWTFacade.findAll4Jupyter()) {
            LOG.log(Level.FINEST, "Recovering Jupyter JWT " + materializedJWT.getIdentifier());
            Project find = this.projectFacade.find(materializedJWT.getIdentifier().getProjectId());
            Users find2 = this.userFacade.find(materializedJWT.getIdentifier().getUserId());
            if (find == null || find2 == null) {
                LOG.log(Level.WARNING, "Tried to recover " + materializedJWT.getIdentifier() + " but could not find either Project or User");
                arrayList.add(materializedJWT);
            } else {
                Optional<JupyterProject> findByProjectUser = this.jupyterFacade.findByProjectUser(find, find2);
                if (findByProjectUser.isPresent()) {
                    JupyterProject jupyterProject = findByProjectUser.get();
                    if (this.jupyterManager.ping(jupyterProject)) {
                        Path constructTokenFilePath = constructTokenFilePath(this.jupyterSettingsFacade.findByProjectUser(find, find2.getEmail()));
                        String str = null;
                        CidAndPort cidAndPort = new CidAndPort(jupyterProject.getCid(), jupyterProject.getPort());
                        try {
                            str = FileUtils.readFileToString(constructTokenFilePath.toFile());
                            jupyterJWT = new JupyterJWT(find, find2, DateUtils.date2LocalDateTime(this.jwtController.verifyToken(str, this.settings.getJWTIssuer()).getExpiresAt()), cidAndPort);
                            jupyterJWT.token = str;
                            jupyterJWT.tokenFile = constructTokenFilePath;
                            LOG.log(Level.FINE, "Successfully read existing JWT from local filesystem");
                        } catch (IOException | JWTException | JWTDecodeException e) {
                            LOG.log(Level.FINE, "Could not recover Jupyter JWT from local filesystem, generating new!", (Throwable) e);
                            String[] strArr = {"api"};
                            LocalDateTime plus = LocalDateTime.now().plus(this.settings.getJWTLifetimeMs(), (TemporalUnit) ChronoUnit.MILLIS);
                            String[] strArr2 = (String[]) this.usersController.getUserRoles(find2).toArray(new String[1]);
                            try {
                                HashMap hashMap = new HashMap(3);
                                hashMap.put("renewable", false);
                                hashMap.put("expLeeway", Integer.valueOf(this.settings.getJWTExpLeewaySec()));
                                hashMap.put("roles", strArr2);
                                str = this.jwtController.createToken(this.settings.getJWTSigningKeyName(), false, this.settings.getJWTIssuer(), strArr, DateUtils.localDateTime2Date(plus), DateUtils.localDateTime2Date(DateUtils.getNow()), find2.getUsername(), hashMap, SignatureAlgorithm.valueOf(this.settings.getJWTSignatureAlg()));
                                jupyterJWT = new JupyterJWT(find, find2, plus, cidAndPort);
                                jupyterJWT.token = str;
                                jupyterJWT.tokenFile = constructTokenFilePath;
                                this.jwtTokenWriter.writeToken(this.settings, jupyterJWT);
                                LOG.log(Level.FINE, "Generated new Jupyter JWT cause could not recover existing");
                            } catch (IOException e2) {
                                LOG.log(Level.WARNING, "Failed to recover Jupyter JWT for " + materializedJWT.getIdentifier() + ", generated new valid JWT but failed to write to local filesystem. Invalidating new token! Continue recovering...");
                                if (str != null) {
                                    try {
                                        this.jwtController.invalidate(str);
                                    } catch (InvalidationException e3) {
                                    }
                                }
                                arrayList.add(materializedJWT);
                            } catch (GeneralSecurityException | JWTException e4) {
                                LOG.log(Level.WARNING, "Failed to recover Jupyter JWT for " + materializedJWT.getIdentifier() + ", tried to generate new token and it failed as well. Could not recover! Continue recovering...");
                                arrayList.add(materializedJWT);
                            }
                        }
                        addToken(jupyterJWT);
                    } else {
                        LOG.log(Level.FINEST, "Jupyter server is not running for " + materializedJWT.getIdentifier() + " Skip recovering...");
                        arrayList.add(materializedJWT);
                    }
                } else {
                    LOG.log(Level.FINEST, "There is no Jupyter configuration persisted for " + materializedJWT.getIdentifier());
                    arrayList.add(materializedJWT);
                }
            }
        }
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            this.materializedJWTFacade.delete(((MaterializedJWT) it.next()).getIdentifier());
        }
        LOG.log(Level.INFO, "Finished Jupyter JWT recovery");
    }

    private Path constructTokenFilePath(JupyterSettings jupyterSettings) {
        return Paths.get(this.settings.getStagingDir(), Settings.PRIVATE_DIRS, jupyterSettings.getSecret(), TOKEN_FILE_NAME);
    }

    @AccessTimeout(2000)
    @Lock(LockType.WRITE)
    public void materializeJWT(Users users, Project project, JupyterSettings jupyterSettings, String str, Integer num, String[] strArr) throws ServiceException {
        MaterializedJWTID materializedJWTID = new MaterializedJWTID(project.getId(), users.getUid(), MaterializedJWTID.USAGE.JUPYTER);
        if (this.materializedJWTFacade.exists(materializedJWTID)) {
            return;
        }
        LocalDateTime plus = LocalDateTime.now().plus(this.settings.getJWTLifetimeMs(), (TemporalUnit) ChronoUnit.MILLIS);
        JupyterJWT jupyterJWT = new JupyterJWT(project, users, plus, new CidAndPort(str, num));
        try {
            String[] strArr2 = (String[]) this.usersController.getUserRoles(users).toArray(new String[1]);
            this.materializedJWTFacade.persist(new MaterializedJWT(materializedJWTID));
            HashMap hashMap = new HashMap(3);
            hashMap.put("renewable", false);
            hashMap.put("expLeeway", Integer.valueOf(this.settings.getJWTExpLeewaySec()));
            hashMap.put("roles", strArr2);
            String createToken = this.jwtController.createToken(this.settings.getJWTSigningKeyName(), false, this.settings.getJWTIssuer(), strArr, DateUtils.localDateTime2Date(plus), DateUtils.localDateTime2Date(DateUtils.getNow()), users.getUsername(), hashMap, SignatureAlgorithm.valueOf(this.settings.getJWTSignatureAlg()));
            jupyterJWT.tokenFile = constructTokenFilePath(jupyterSettings);
            jupyterJWT.token = createToken;
            this.jwtTokenWriter.writeToken(this.settings, jupyterJWT);
            addToken(jupyterJWT);
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "Error writing Jupyter JWT to file for " + jupyterJWT, (Throwable) e);
            this.materializedJWTFacade.delete(materializedJWTID);
            try {
                this.jwtController.invalidate(jupyterJWT.token);
            } catch (InvalidationException e2) {
                LOG.log(Level.FINE, "Could not invalidate Jupyter JWT after failure to write to file", (Throwable) e);
            }
            throw new ServiceException(RESTCodes.ServiceErrorCode.JUPYTER_START_ERROR, Level.SEVERE, "Could not write Jupyter JWT to file", e.getMessage(), e);
        } catch (GeneralSecurityException | JWTException e3) {
            LOG.log(Level.SEVERE, "Error generating Jupyter JWT for " + jupyterJWT, (Throwable) e3);
            this.materializedJWTFacade.delete(materializedJWTID);
            throw new ServiceException(RESTCodes.ServiceErrorCode.JUPYTER_START_ERROR, Level.SEVERE, "Could not generate Jupyter JWT", e3.getMessage(), e3);
        }
    }

    @Timeout
    @Lock(LockType.WRITE)
    @AccessTimeout(500)
    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    public void monitorJWT() {
        HashSet hashSet = new HashSet(this.jupyterJWTs.size());
        Iterator<JupyterJWT> it = this.jupyterJWTs.iterator();
        LocalDateTime now = DateUtils.getNow();
        while (it.hasNext()) {
            try {
                JupyterJWT next = it.next();
                if (!next.maybeRenew(now)) {
                    break;
                }
                LocalDateTime plus = now.plus(this.settings.getJWTLifetimeMs(), (TemporalUnit) ChronoUnit.MILLIS);
                String str = null;
                try {
                    try {
                        str = this.jwtController.renewToken(next.token, DateUtils.localDateTime2Date(plus), DateUtils.localDateTime2Date(now), true, new HashMap(3));
                        JupyterJWT jupyterJWT = new JupyterJWT(next.project, next.user, plus, next.pidAndPort);
                        jupyterJWT.tokenFile = next.tokenFile;
                        jupyterJWT.token = str;
                        this.jwtTokenWriter.writeToken(this.settings, jupyterJWT);
                        hashSet.add(jupyterJWT);
                    } catch (JWTException e) {
                        LOG.log(Level.WARNING, "Could not renew Jupyter JWT for " + next, e);
                    }
                } catch (IOException e2) {
                    LOG.log(Level.WARNING, "Could not write renewed Jupyter JWT to file for " + next, (Throwable) e2);
                    if (str != null) {
                        try {
                            this.jwtController.invalidate(str);
                        } catch (InvalidationException e3) {
                            LOG.log(Level.FINE, "Could not invalidate failed token", e3);
                        }
                    }
                } catch (Exception e4) {
                    LOG.log(Level.SEVERE, "Generic error renewing Jupyter JWT for " + next, (Throwable) e4);
                }
            } catch (Exception e5) {
                LOG.log(Level.SEVERE, "Got an exception while renewing jupyter jwt token", (Throwable) e5);
                return;
            }
        }
        hashSet.forEach(jupyterJWT2 -> {
            removeToken(jupyterJWT2.pidAndPort);
            addToken(jupyterJWT2);
        });
    }

    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    @Lock(LockType.WRITE)
    public void cleanJWT(String str, Integer num) {
        Optional ofNullable = Optional.ofNullable(this.pidAndPortToJWT.get(new CidAndPort(str, num)));
        if (!ofNullable.isPresent()) {
            LOG.log(Level.WARNING, "JupyterJWT not found for cid " + str + " and port " + num);
            return;
        }
        JupyterJWT jupyterJWT = (JupyterJWT) ofNullable.get();
        try {
            MaterializedJWTID materializedJWTID = new MaterializedJWTID(jupyterJWT.project.getId(), jupyterJWT.user.getUid(), MaterializedJWTID.USAGE.JUPYTER);
            MaterializedJWT findById = this.materializedJWTFacade.findById(materializedJWTID);
            this.jwtTokenWriter.deleteToken(jupyterJWT);
            if (findById != null) {
                this.materializedJWTFacade.delete(materializedJWTID);
            }
            removeToken(jupyterJWT.pidAndPort);
            this.jwtController.invalidate(jupyterJWT.token);
        } catch (Exception e) {
            LOG.log(Level.FINE, "Could not determine if Jupyter JWT for " + jupyterJWT + " is still valid. Renewing it...");
        }
    }
}
