package org.apache.pulsar.broker.authentication.oidc;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectReader;
import com.github.benmanes.caffeine.cache.AsyncLoadingCache;
import com.github.benmanes.caffeine.cache.Caffeine;
import io.kubernetes.client.openapi.ApiCallback;
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.apis.WellKnownApi;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;
import javax.naming.AuthenticationException;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.AuthenticationProvider;
import org.apache.pulsar.common.stats.CacheMetricsCollector;
import org.asynchttpclient.AsyncHttpClient;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/pulsar/broker/authentication/oidc/OpenIDProviderMetadataCache.class */
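/**
 * Caches OpenID Provider metadata documents so that token validation does not have to
 * re-fetch the discovery document for every request.
 *
 * <p>Cache keys are {@code Optional<String>}: a present value is an issuer whose metadata is
 * fetched over HTTP from {@code <issuer>/.well-known/openid-configuration}; the empty key is
 * the single entry loaded from the Kubernetes API server through {@link WellKnownApi}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The issuer string is concatenated directly into the URL that is fetched. This class
 *       applies no allow-list and no scheme check before the request is sent.
 *       NOTE(review): confirm that callers only pass issuers taken from trusted configuration
 *       and that plain-http issuers are rejected upstream.</li>
 *   <li>The {@code issuer} field of the fetched document must equal the requested issuer
 *       exactly (case-sensitive {@link String#equals}); no URL normalization is applied.</li>
 *   <li>Failure messages embed the upstream exception message and, for the Kubernetes path,
 *       the API response body. NOTE(review): confirm these messages are logged only and are
 *       not returned verbatim to unauthenticated clients.</li>
 * </ul>
 */
public class OpenIDProviderMetadataCache {
    private static final String WELL_KNOWN_OPENID_CONFIG = ".well-known/openid-configuration";
    private static final String SLASH_WELL_KNOWN_OPENID_CONFIG = "/.well-known/openid-configuration";

    private final ObjectReader reader = new ObjectMapper().readerFor(OpenIDProviderMetadata.class);
    private final AuthenticationProvider authenticationProvider;
    private final AsyncHttpClient httpClient;
    // Null when no Kubernetes ApiClient was supplied to the constructor.
    private final WellKnownApi wellKnownApi;
    private final AsyncLoadingCache<Optional<String>, OpenIDProviderMetadata> cache;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the cache and registers it with the Caffeine metrics collector under the name
     * {@code open-id-provider-metadata}.
     *
     * <p>Sizing and lifetime are read from the service configuration:
     * {@code openIDCacheSize} (default 5 entries),
     * {@code openIDCacheRefreshAfterWriteSeconds} (default 64800) and
     * {@code openIDCacheExpirationSeconds} (default 86400).
     *
     * @param authenticationProvider provider whose failure metrics are incremented on errors
     * @param serviceConfiguration broker configuration holding the cache settings
     * @param asyncHttpClient client used to fetch issuer discovery documents
     * @param apiClient Kubernetes API client, or {@code null} when the Kubernetes path is unused
     */
    public OpenIDProviderMetadataCache(AuthenticationProvider authenticationProvider, ServiceConfiguration serviceConfiguration, AsyncHttpClient asyncHttpClient, ApiClient apiClient) {
        this.authenticationProvider = authenticationProvider;
        this.httpClient = asyncHttpClient;
        this.wellKnownApi = apiClient != null ? new WellKnownApi(apiClient) : null;

        int maxEntries = ConfigUtils.getConfigValueAsInt(serviceConfiguration, "openIDCacheSize", 5);
        int refreshAfterWriteSeconds =
                ConfigUtils.getConfigValueAsInt(serviceConfiguration, "openIDCacheRefreshAfterWriteSeconds", 64800);
        int expireAfterWriteSeconds =
                ConfigUtils.getConfigValueAsInt(serviceConfiguration, "openIDCacheExpirationSeconds", 86400);

        // The bounded maximumSize caps how many distinct issuers can be held at once.
        this.cache = Caffeine.newBuilder()
                .recordStats()
                .maximumSize(maxEntries)
                .refreshAfterWrite(refreshAfterWriteSeconds, TimeUnit.SECONDS)
                .expireAfterWrite(expireAfterWriteSeconds, TimeUnit.SECONDS)
                .buildAsync((key, executor) -> key.isPresent()
                        ? loadOpenIDProviderMetadataForIssuer(key.get())
                        : loadOpenIDProviderMetadataForKubernetesApiServer());
        CacheMetricsCollector.CAFFEINE.addCache("open-id-provider-metadata", this.cache);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the cached metadata for an issuer, fetching it over HTTP on a cache miss.
     *
     * @param str issuer URL; used verbatim as the cache key and as the base of the fetch URL
     * @return future completed with the metadata, or failed with an
     *         {@link AuthenticationException} when retrieval or issuer verification fails
     */
    public CompletableFuture<OpenIDProviderMetadata> getOpenIDProviderMetadataForIssuer(String str) {
        return this.cache.get(Optional.of(str));
    }

    /**
     * Fetches and parses the discovery document for {@code issuer}, then checks that the
     * document's own issuer matches before the result is allowed into the cache.
     *
     * @param issuer issuer URL, with or without a trailing slash
     * @return future holding the verified metadata, or failed with an
     *         {@link AuthenticationException}
     */
    private CompletableFuture<OpenIDProviderMetadata> loadOpenIDProviderMetadataForIssuer(String issuer) {
        String url = issuer.endsWith("/")
                ? issuer + WELL_KNOWN_OPENID_CONFIG
                : issuer + SLASH_WELL_KNOWN_OPENID_CONFIG;
        return this.httpClient.prepareGet(url).execute().toCompletableFuture().thenCompose(response -> {
            CompletableFuture<OpenIDProviderMetadata> future = new CompletableFuture<>();
            try {
                // NOTE(review): the HTTP status code is not inspected; a non-2xx response is
                // rejected only if its body fails to parse or its issuer does not match.
                OpenIDProviderMetadata metadata = this.reader.readValue(response.getResponseBodyAsBytes());
                // Verified once here: the cache key is the issuer, so the check holds for
                // every later hit on this entry.
                verifyIssuer(issuer, metadata, false);
                future.complete(metadata);
            } catch (AuthenticationException e) {
                // Must precede the Exception handler: AuthenticationException is a subclass,
                // and a verification failure is propagated unchanged.
                this.authenticationProvider.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PROVIDER_METADATA);
                future.completeExceptionally(e);
            } catch (Exception e) {
                this.authenticationProvider.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PROVIDER_METADATA);
                future.completeExceptionally(new AuthenticationException("Error retrieving OpenID Provider Metadata at " + issuer + ": " + e.getMessage()));
            }
            return future;
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the metadata published by the Kubernetes API server, provided its issuer equals
     * {@code str}.
     *
     * <p>All callers share the single empty-key cache entry, so the issuer comparison is
     * repeated on every call rather than cached with the entry.
     *
     * @param str issuer that the Kubernetes metadata must declare
     * @return future completed with the metadata, or failed with an
     *         {@link AuthenticationException} when loading fails or the issuer differs
     */
    public CompletableFuture<OpenIDProviderMetadata> getOpenIDProviderMetadataForKubernetesApiServer(String str) {
        return this.cache.get(Optional.empty()).thenCompose(metadata -> {
            CompletableFuture<OpenIDProviderMetadata> future = new CompletableFuture<>();
            try {
                verifyIssuer(str, metadata, true);
                future.complete(metadata);
            } catch (AuthenticationException e) {
                this.authenticationProvider.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PROVIDER_METADATA);
                future.completeExceptionally(e);
            }
            return future;
        });
    }

    /**
     * Asks the Kubernetes API server for its service-account issuer discovery document and
     * parses it.
     *
     * @return future holding the parsed metadata, or failed with an
     *         {@link AuthenticationException}
     */
    private CompletableFuture<OpenIDProviderMetadata> loadOpenIDProviderMetadataForKubernetesApiServer() {
        final CompletableFuture<OpenIDProviderMetadata> future = new CompletableFuture<>();
        if (this.wellKnownApi == null) {
            // The constructor accepts a null ApiClient; fail the future instead of letting a
            // NullPointerException escape from the cache loader.
            this.authenticationProvider.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PROVIDER_METADATA);
            future.completeExceptionally(new AuthenticationException("Error retrieving OpenID Provider Metadata from Kubernetes API server: Kubernetes API client is not configured"));
            return future;
        }
        try {
            this.wellKnownApi.getServiceAccountIssuerOpenIDConfigurationAsync(new ApiCallback<String>() {
                public void onFailure(ApiException apiException, int statusCode, Map<String, List<String>> responseHeaders) {
                    authenticationProvider.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PROVIDER_METADATA);
                    future.completeExceptionally(new AuthenticationException("Error retrieving OpenID Provider Metadata from Kubernetes API server. Message: " + apiException.getMessage() + " Response body: " + apiException.getResponseBody()));
                }

                public void onSuccess(String body, int statusCode, Map<String, List<String>> responseHeaders) {
                    try {
                        OpenIDProviderMetadata metadata = reader.readValue(body);
                        future.complete(metadata);
                    } catch (Exception e) {
                        authenticationProvider.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PROVIDER_METADATA);
                        future.completeExceptionally(new AuthenticationException("Error retrieving OpenID Provider Metadata from Kubernetes API Server: " + e.getMessage()));
                    }
                }

                public void onUploadProgress(long bytesWritten, long contentLength, boolean done) {
                    // Progress is not tracked.
                }

                public void onDownloadProgress(long bytesRead, long contentLength, boolean done) {
                    // Progress is not tracked.
                }
            });
        } catch (ApiException e) {
            this.authenticationProvider.incrementFailureMetric(AuthenticationExceptionCode.ERROR_RETRIEVING_PROVIDER_METADATA);
            future.completeExceptionally(new AuthenticationException("Error retrieving OpenID Provider Metadata from Kubernetes API server: " + e.getMessage()));
        }
        return future;
    }

    /**
     * Requires the metadata's declared issuer to equal the expected issuer exactly.
     *
     * @param issuer expected issuer
     * @param metadata metadata document whose {@code issuer} is compared
     * @param isKubernetesIssuer when {@code true} a difference is counted as
     *        {@code UNSUPPORTED_ISSUER}; otherwise as {@code ISSUER_MISMATCH}
     * @throws AuthenticationException if the two issuers differ
     */
    private void verifyIssuer(String issuer, OpenIDProviderMetadata metadata, boolean isKubernetesIssuer) throws AuthenticationException {
        if (issuer.equals(metadata.getIssuer())) {
            return;
        }
        if (isKubernetesIssuer) {
            this.authenticationProvider.incrementFailureMetric(AuthenticationExceptionCode.UNSUPPORTED_ISSUER);
            throw new AuthenticationException("Issuer not allowed: " + issuer);
        }
        this.authenticationProvider.incrementFailureMetric(AuthenticationExceptionCode.ISSUER_MISMATCH);
        throw new AuthenticationException(String.format("Issuer URL mismatch: [%s] should match [%s]", issuer, metadata.getIssuer()));
    }
}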
