package io.kroxylicious.kms.provider.aws.kms.credentials;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
import edu.umd.cs.findbugs.annotations.NonNull;
import io.kroxylicious.kms.provider.aws.kms.config.Ec2MetadataCredentialsProviderConfig;
import io.kroxylicious.kms.service.KmsException;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Random;
import java.util.concurrent.CancellationException;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import org.apache.kafka.common.utils.ExponentialBackoff;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider.class */
public class Ec2MetadataCredentialsProvider implements CredentialsProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(Ec2MetadataCredentialsProvider.class);
    private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper().registerModule(new JavaTimeModule());
    private static final TypeReference<SecurityCredentials> SECURITY_CREDENTIALS_RESPONSE_TYPE_REF = new TypeReference<SecurityCredentials>() { // from class: io.kroxylicious.kms.provider.aws.kms.credentials.Ec2MetadataCredentialsProvider.1
    };
    private static final URI DEFAULT_IP4_METADATA_ENDPOINT = URI.create("http://169.254.169.254/");
    private static final Duration HTTP_REQUEST_TIMEOUT = Duration.ofSeconds(10);
    private static final Duration HTTP_CONNECT_TIMEOUT = Duration.ofSeconds(10);
    private static final String AWS_METADATA_TOKEN_TTL_SECONDS_HEADER = "X-aws-ec2-metadata-token-ttl-seconds";
    private static final String AWS_METADATA_TOKEN_HEADER = "X-aws-ec2-metadata-token";
    private static final String AWS_TOKEN_EXPIRATION_SECONDS = "60";
    private static final double DEFAULT_CREDENTIALS_LIFETIME_FACTOR = 0.8d;
    private static final String TOKEN_RETRIEVAL_ENDPOINT = "/latest/api/token";
    private static final String META_DATA_IAM_SECURITY_CREDENTIALS_ENDPOINT = "/latest/meta-data/iam/security-credentials/";
    private final Clock systemClock;
    private final AtomicReference<CompletableFuture<SecurityCredentials>> current;
    private final AtomicLong tokenRefreshErrorCount;
    private final Ec2MetadataCredentialsProviderConfig config;
    private final HttpClient client;
    private final ScheduledExecutorService executorService;
    private final ExponentialBackoff backoff;
    private final Double lifetimeFactor;
    private final URI uri;

    @JsonIgnoreProperties(ignoreUnknown = true)
    /* loaded from: input_file:io/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials.class */
    public static final class SecurityCredentials extends Record implements Credentials {

        @NonNull
        @JsonProperty("Code")
        private final String code;

        @NonNull
        @JsonProperty("AccessKeyId")
        private final String accessKeyId;

        @NonNull
        @JsonProperty("SecretAccessKey")
        private final String secretAccessKey;

        @NonNull
        @JsonProperty("Token")
        private final String token;

        @NonNull
        @JsonProperty("Expiration")
        private final Instant expiration;

        public SecurityCredentials(@NonNull @JsonProperty("Code") String str, @NonNull @JsonProperty("AccessKeyId") String str2, @NonNull @JsonProperty("SecretAccessKey") String str3, @NonNull @JsonProperty("Token") String str4, @NonNull @JsonProperty("Expiration") Instant instant) {
            Objects.requireNonNull(str);
            Objects.requireNonNull(str2);
            Objects.requireNonNull(str3);
            Objects.requireNonNull(str4);
            Objects.requireNonNull(instant);
            this.code = str;
            this.accessKeyId = str2;
            this.secretAccessKey = str3;
            this.token = str4;
            this.expiration = instant;
        }

        @Override // java.lang.Record
        public String toString() {
            return "SecurityCredentials{code='" + this.code + "', accessKeyId='" + this.accessKeyId + "', secretAccessKey='***************, token='***************', expiration=" + String.valueOf(this.expiration) + "}";
        }

        @Override // io.kroxylicious.kms.provider.aws.kms.credentials.Credentials
        @NonNull
        public Optional<String> securityToken() {
            return Optional.of(this.token);
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, SecurityCredentials.class), SecurityCredentials.class, "code;accessKeyId;secretAccessKey;token;expiration", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->code:Ljava/lang/String;", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->accessKeyId:Ljava/lang/String;", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->secretAccessKey:Ljava/lang/String;", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->token:Ljava/lang/String;", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->expiration:Ljava/time/Instant;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, SecurityCredentials.class, Object.class), SecurityCredentials.class, "code;accessKeyId;secretAccessKey;token;expiration", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->code:Ljava/lang/String;", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->accessKeyId:Ljava/lang/String;", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->secretAccessKey:Ljava/lang/String;", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->token:Ljava/lang/String;", "FIELD:Lio/kroxylicious/kms/provider/aws/kms/credentials/Ec2MetadataCredentialsProvider$SecurityCredentials;->expiration:Ljava/time/Instant;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        @NonNull
        @JsonProperty("Code")
        public String code() {
            return this.code;
        }

        @Override // io.kroxylicious.kms.provider.aws.kms.credentials.Credentials
        @NonNull
        @JsonProperty("AccessKeyId")
        public String accessKeyId() {
            return this.accessKeyId;
        }

        @Override // io.kroxylicious.kms.provider.aws.kms.credentials.Credentials
        @NonNull
        @JsonProperty("SecretAccessKey")
        public String secretAccessKey() {
            return this.secretAccessKey;
        }

        @NonNull
        @JsonProperty("Token")
        public String token() {
            return this.token;
        }

        @NonNull
        @JsonProperty("Expiration")
        public Instant expiration() {
            return this.expiration;
        }
    }

    public Ec2MetadataCredentialsProvider(@NonNull Ec2MetadataCredentialsProviderConfig ec2MetadataCredentialsProviderConfig) {
        this(ec2MetadataCredentialsProviderConfig, Clock.systemUTC());
    }

    Ec2MetadataCredentialsProvider(@NonNull Ec2MetadataCredentialsProviderConfig ec2MetadataCredentialsProviderConfig, @NonNull Clock clock) {
        this.current = new AtomicReference<>();
        this.tokenRefreshErrorCount = new AtomicLong();
        this.backoff = new ExponentialBackoff(500L, 2, 60000L, new Random().nextDouble());
        Objects.requireNonNull(ec2MetadataCredentialsProviderConfig);
        Objects.requireNonNull(clock);
        this.config = ec2MetadataCredentialsProviderConfig;
        this.systemClock = clock;
        this.lifetimeFactor = (Double) Optional.ofNullable(ec2MetadataCredentialsProviderConfig.credentialLifetimeFactor()).orElse(Double.valueOf(DEFAULT_CREDENTIALS_LIFETIME_FACTOR));
        this.uri = (URI) Optional.ofNullable(ec2MetadataCredentialsProviderConfig.metadataEndpoint()).orElse(DEFAULT_IP4_METADATA_ENDPOINT);
        this.executorService = Executors.newSingleThreadScheduledExecutor(runnable -> {
            Thread thread = new Thread(runnable, Ec2MetadataCredentialsProvider.class.getName() + "thread");
            thread.setDaemon(true);
            return thread;
        });
        this.client = createClient();
    }

    private HttpClient createClient() {
        return HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).connectTimeout(HTTP_CONNECT_TIMEOUT).build();
    }

    @Override // io.kroxylicious.kms.provider.aws.kms.credentials.CredentialsProvider
    @NonNull
    public CompletionStage<SecurityCredentials> getCredentials() {
        CompletableFuture<SecurityCredentials> completableFuture = new CompletableFuture<>();
        CompletableFuture<SecurityCredentials> compareAndExchange = this.current.compareAndExchange(null, completableFuture);
        if (compareAndExchange == null) {
            this.executorService.execute(() -> {
                refreshCredential(completableFuture);
            });
            return completableFuture.minimalCompletionStage();
        }
        if (!isExpired(compareAndExchange) && !compareAndExchange.isCompletedExceptionally()) {
            return compareAndExchange.minimalCompletionStage();
        }
        this.current.compareAndSet(compareAndExchange, null);
        return getCredentials();
    }

    private void scheduleCredentialRefresh(long j) {
        LOGGER.debug("Scheduling refresh of AWS credentials in {}ms", Long.valueOf(j));
        CompletableFuture completableFuture = new CompletableFuture();
        this.executorService.schedule(() -> {
            refreshCredential(completableFuture);
            completableFuture.thenApply(securityCredentials -> {
                Optional.ofNullable(this.current.getAndSet(completableFuture)).ifPresent(completableFuture2 -> {
                    completableFuture2.complete(securityCredentials);
                });
                return null;
            });
        }, j, TimeUnit.MILLISECONDS);
    }

    private boolean isExpired(CompletableFuture<SecurityCredentials> completableFuture) {
        if (!completableFuture.isDone() || completableFuture.isCompletedExceptionally()) {
            return false;
        }
        try {
            return ((Boolean) Optional.ofNullable(completableFuture.getNow(null)).map((v0) -> {
                return v0.expiration();
            }).map(instant -> {
                return Boolean.valueOf(this.systemClock.instant().isAfter(instant));
            }).orElse(false)).booleanValue();
        } catch (CancellationException | CompletionException e) {
            return false;
        }
    }

    private void refreshCredential(CompletableFuture<SecurityCredentials> completableFuture) {
        getToken().thenCompose(httpResponse -> {
            return this.client.sendAsync(createSecurityCredentialsRequest((String) httpResponse.body()), HttpResponse.BodyHandlers.ofByteArray());
        }).thenApply((Function<? super U, ? extends U>) Ec2MetadataCredentialsProvider::checkResponseStatus).thenApply((v0) -> {
            return v0.body();
        }).thenApply(this::toSecurityCredentials).thenApply(this::checkSuccessfulState).whenComplete((securityCredentials, th) -> {
            propagateResultToFuture(securityCredentials, th, completableFuture);
        });
    }

    private void propagateResultToFuture(SecurityCredentials securityCredentials, Throwable th, CompletableFuture<SecurityCredentials> completableFuture) {
        long max;
        if (th != null) {
            LOGGER.warn("Refresh of EC2 credentials failed. Is IAM role {} assigned to this EC2 instance?", this.config.iamRole(), th);
            this.tokenRefreshErrorCount.incrementAndGet();
            completableFuture.completeExceptionally(th);
            max = this.backoff.backoff(this.tokenRefreshErrorCount.get());
        } else {
            LOGGER.debug("Obtained AWS credentials from EC2 metadata using IAM role {}, expiry {}", this.config.iamRole(), securityCredentials.expiration());
            this.tokenRefreshErrorCount.set(0L);
            completableFuture.complete(securityCredentials);
            max = (long) Math.max(0.0d, this.lifetimeFactor.doubleValue() * (r0.toEpochMilli() - this.systemClock.instant().toEpochMilli()));
        }
        scheduleCredentialRefresh(max);
    }

    private CompletableFuture<HttpResponse<String>> getToken() {
        return this.client.sendAsync(createTokenRequest(), HttpResponse.BodyHandlers.ofString()).thenApply(Ec2MetadataCredentialsProvider::checkResponseStatus);
    }

    private HttpRequest createTokenRequest() {
        return HttpRequest.newBuilder().uri(getMetadataEndpoint().resolve(TOKEN_RETRIEVAL_ENDPOINT)).header(AWS_METADATA_TOKEN_TTL_SECONDS_HEADER, AWS_TOKEN_EXPIRATION_SECONDS).PUT(HttpRequest.BodyPublishers.noBody()).timeout(HTTP_REQUEST_TIMEOUT).build();
    }

    private HttpRequest createSecurityCredentialsRequest(String str) {
        return HttpRequest.newBuilder().uri(getMetadataEndpoint().resolve("/latest/meta-data/iam/security-credentials/" + this.config.iamRole())).header(AWS_METADATA_TOKEN_HEADER, str).timeout(HTTP_REQUEST_TIMEOUT).GET().build();
    }

    private URI getMetadataEndpoint() {
        return this.uri;
    }

    private SecurityCredentials toSecurityCredentials(byte[] bArr) {
        try {
            return (SecurityCredentials) OBJECT_MAPPER.readValue(bArr, SECURITY_CREDENTIALS_RESPONSE_TYPE_REF);
        } catch (IOException e) {
            throw new UncheckedIOException("Failed to unmarshal '%s' as a SecurityCredential." + bodyToString(bArr), e);
        }
    }

    private SecurityCredentials checkSuccessfulState(SecurityCredentials securityCredentials) {
        LOGGER.debug("AWS returned security credential : {} ", securityCredentials);
        if ("success".equals(securityCredentials.code().toLowerCase(Locale.ROOT))) {
            return securityCredentials;
        }
        throw new KmsException("Unexpected code value in SecurityCredentials object returned from AWS.  Expecting code='Success', got code='%s'".formatted(securityCredentials.code()));
    }

    @NonNull
    private static <O> HttpResponse<O> checkResponseStatus(@NonNull HttpResponse<O> httpResponse) {
        int statusCode = httpResponse.statusCode();
        if (statusCode >= 200 && statusCode < 300) {
            return httpResponse;
        }
        throw new KmsException("Operation failed, request uri: %s, HTTP status code %d, response: %s".formatted(httpResponse.request().uri(), Integer.valueOf(statusCode), bodyToString(httpResponse.body())));
    }

    @Override // io.kroxylicious.kms.provider.aws.kms.credentials.CredentialsProvider, java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.executorService.shutdownNow();
    }

    /* JADX WARN: Multi-variable type inference failed */
    private static <B> String bodyToString(B b) {
        return b instanceof byte[] ? new String((byte[]) b, StandardCharsets.UTF_8) : String.valueOf(b);
    }
}
