package org.apache.pulsar.client.impl.auth;

import com.google.common.base.Preconditions;
import com.google.common.io.CharStreams;
import com.oath.auth.KeyRefresher;
import com.oath.auth.KeyRefresherException;
import com.oath.auth.Utils;
import com.yahoo.athenz.auth.impl.SimpleServiceIdentityProvider;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.auth.util.CryptoException;
import com.yahoo.athenz.zts.ZTSClient;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.Charset;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.PrivateKey;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
import org.apache.pulsar.client.api.EncodedAuthenticationParameterSupport;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.impl.AuthenticationUtil;

/* loaded from: input_file:org/apache/pulsar/client/impl/auth/AuthenticationAthenz.class */
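/**
 * Pulsar client {@link Authentication} backed by Athenz.
 *
 * <p>On each {@link #getAuthData()} call a role token is obtained from ZTS via
 * {@link ZTSClient#getRoleToken} and cached for {@link #cacheDurationInMinutes} minutes.
 * Two identity modes are supported by {@link #configure(String)}: a service private key
 * ({@code privateKey} / {@code privateKeyPath}) or an x509 certificate chain with a
 * {@link KeyRefresher} ({@code x509CertChain}, {@code privateKey}, {@code caCert}).
 *
 * <p>Thread-safety: the cached token and its timestamp are guarded by
 * {@link #cachedRoleTokenLock}; the ZTS client and key refresher are created lazily under
 * the write lock. Note that {@code ZTSClient.setPrefetchAutoEnable} and the
 * {@code System.setProperty} calls in {@link #setAuthParams(Map)} are process-wide side effects.
 */
public class AuthenticationAthenz implements Authentication, EncodedAuthenticationParameterSupport {
    private static final long serialVersionUID = 1;
    private static final String APPLICATION_X_PEM_FILE = "application/x-pem-file";
    private String tenantDomain;
    private String tenantService;
    private String providerDomain;
    // System.nanoTime() at which roleToken was last fetched; written under the write lock.
    private volatile long cachedRoleTokenTimestamp;
    // Cached ZTS role token; null until the first successful fetch. Guarded by cachedRoleTokenLock.
    private String roleToken;
    // Requested role-token validity bounds, in seconds, passed straight to ZTSClient.getRoleToken.
    private static final int minValidity = 7200;
    private static final int maxValidity = 86400;
    // How long a fetched role token is served from the cache before it is refreshed.
    private static final int cacheDurationInMinutes = 90;
    // Retry period handed to KeyRefresher.startup for the x509 mode.
    private static final int retryFrequencyInMillis = 3600000;
    private transient KeyRefresher keyRefresher = null;
    private transient ZTSClient ztsClient = null;
    private String ztsUrl = null;
    private PrivateKey privateKey = null;
    private String keyId = "0";
    private String privateKeyPath = null;
    private String x509CertChainPath = null;
    private String caCertPath = null;
    private String roleHeader = null;
    private boolean autoPrefetchEnabled = false;
    private final ReadWriteLock cachedRoleTokenLock = new ReentrantReadWriteLock();

    @Override
    public String getAuthMethodName() {
        return "athenz";
    }

    /**
     * Returns authentication data carrying a valid Athenz role token, fetching a fresh one from
     * ZTS when the cached token is absent or older than {@link #cacheDurationInMinutes}.
     *
     * @return the role token plus the header name it must be sent under
     * @throws PulsarClientException wrapping any failure while building the ZTS client or
     *         fetching the token (as {@code GettingAuthenticationDataException})
     */
    @Override
    public AuthenticationDataProvider getAuthData() throws PulsarClientException {
        Lock readLock = this.cachedRoleTokenLock.readLock();
        readLock.lock();
        try {
            if (cachedRoleTokenIsValid()) {
                return buildAuthData();
            }
        } finally {
            // ReentrantReadWriteLock does not allow read -> write upgrade: requesting the write
            // lock while still holding the read lock would deadlock, so release it first.
            readLock.unlock();
        }

        Lock writeLock = this.cachedRoleTokenLock.writeLock();
        writeLock.lock();
        try {
            // Another caller may have refreshed the token while we waited for the write lock.
            if (cachedRoleTokenIsValid()) {
                return buildAuthData();
            }
            // getZtsClient() lazily builds the client (and the key refresher in x509 mode).
            this.roleToken = getZtsClient()
                    .getRoleToken(this.providerDomain, null, minValidity, maxValidity, false)
                    .getToken();
            this.cachedRoleTokenTimestamp = System.nanoTime();
            return buildAuthData();
        } catch (InterruptedException e) {
            // Preserve the interrupt status for the caller before reporting the failure.
            Thread.currentThread().interrupt();
            throw new PulsarClientException.GettingAuthenticationDataException(e);
        } catch (Throwable t) {
            throw new PulsarClientException.GettingAuthenticationDataException(t);
        } finally {
            writeLock.unlock();
        }
    }

    /**
     * Wraps the current {@link #roleToken} with the configured role header, or the ZTS default
     * header when none was configured. Caller must hold {@link #cachedRoleTokenLock}.
     */
    private AuthenticationDataAthenz buildAuthData() {
        String header = StringUtils.isNotBlank(this.roleHeader) ? this.roleHeader : ZTSClient.getHeader();
        return new AuthenticationDataAthenz(this.roleToken, header);
    }

    /** True when a token has been fetched and its age is below {@link #cacheDurationInMinutes}. */
    private boolean cachedRoleTokenIsValid() {
        return this.roleToken != null
                && System.nanoTime() - this.cachedRoleTokenTimestamp < TimeUnit.MINUTES.toNanos(cacheDurationInMinutes);
    }

    /**
     * Configures this instance from a JSON object of auth parameters.
     *
     * @param str JSON-encoded parameter map; see {@link #setAuthParams(Map)} for the keys
     * @throws IllegalArgumentException if {@code str} is blank, is not valid JSON, or misses a required key
     */
    @Override
    public void configure(String str) {
        Preconditions.checkArgument(StringUtils.isNotBlank(str), "authParams must not be empty");
        try {
            setAuthParams(AuthenticationUtil.configureFromJsonString(str));
        } catch (IOException e) {
            throw new IllegalArgumentException("Failed to parse authParams", e);
        }
    }

    /**
     * @deprecated use {@link #configure(String)} with a JSON-encoded parameter map instead.
     */
    @Deprecated
    @Override
    public void configure(Map<String, String> map) {
        setAuthParams(map);
    }

    /**
     * Applies the parameter map.
     *
     * <p>If {@code x509CertChain} is set, the x509 mode is selected and {@code privateKey},
     * {@code caCert} and {@code providerDomain} become required (all three are resolved to
     * absolute file paths). Otherwise {@code tenantDomain}, {@code tenantService} and
     * {@code providerDomain} are required and the private key is loaded from
     * {@code privateKeyPath} (when {@code privateKey} is blank) or {@code privateKey}.
     * Optional keys: {@code keyId} (default "0"), {@code autoPrefetchEnabled}, {@code athenzConfPath},
     * {@code principalHeader}, {@code roleHeader}, {@code ztsUrl}; the first three of those are
     * exported as JVM system properties, which affects every Athenz client in the process.
     *
     * @throws IllegalArgumentException when a required key is missing or the private key cannot be loaded
     */
    private void setAuthParams(Map<String, String> map) {
        this.tenantDomain = map.get("tenantDomain");
        this.tenantService = map.get("tenantService");
        this.providerDomain = map.get("providerDomain");
        this.keyId = map.getOrDefault("keyId", "0");
        this.autoPrefetchEnabled = Boolean.parseBoolean(map.getOrDefault("autoPrefetchEnabled", "false"));
        if (StringUtils.isNotBlank(map.get("x509CertChain"))) {
            checkRequiredParams(map, "privateKey", "caCert", "providerDomain");
            this.x509CertChainPath = getAbsolutePathFromUrl(map.get("x509CertChain"));
            this.privateKeyPath = getAbsolutePathFromUrl(map.get("privateKey"));
            this.caCertPath = getAbsolutePathFromUrl(map.get("caCert"));
        } else {
            checkRequiredParams(map, "tenantDomain", "tenantService", "providerDomain");
            if (StringUtils.isBlank(map.get("privateKey")) && StringUtils.isNotBlank(map.get("privateKeyPath"))) {
                this.privateKey = loadPrivateKey(map.get("privateKeyPath"));
            } else {
                this.privateKey = loadPrivateKey(map.get("privateKey"));
            }
            if (this.privateKey == null) {
                throw new IllegalArgumentException("Failed to load private key from privateKey or privateKeyPath field");
            }
        }
        if (StringUtils.isNotBlank(map.get("athenzConfPath"))) {
            System.setProperty("athenz.athenz_conf", map.get("athenzConfPath"));
        }
        if (StringUtils.isNotBlank(map.get("principalHeader"))) {
            System.setProperty("athenz.auth.principal.header", map.get("principalHeader"));
        }
        if (StringUtils.isNotBlank(map.get("roleHeader"))) {
            this.roleHeader = map.get("roleHeader");
            System.setProperty("athenz.auth.role.header", this.roleHeader);
        }
        if (StringUtils.isNotBlank(map.get("ztsUrl"))) {
            this.ztsUrl = map.get("ztsUrl");
        }
    }

    /** No-op: the ZTS client is created lazily on the first {@link #getAuthData()} call. */
    @Override
    public void start() throws PulsarClientException {
    }

    /** Closes the ZTS client and stops the key refresher, if either was created. */
    @Override
    public void close() throws IOException {
        if (this.ztsClient != null) {
            this.ztsClient.close();
        }
        if (this.keyRefresher != null) {
            this.keyRefresher.shutdown();
        }
    }

    /**
     * Returns the ZTS client, creating it on first use. Not synchronized itself: the only caller
     * invokes it while holding the write lock of {@link #cachedRoleTokenLock}.
     *
     * <p>In x509 mode a {@link KeyRefresher} is started first and the client gets an SSL context
     * built from its key/trust manager proxies; otherwise a {@link SimpleServiceIdentityProvider}
     * signs with the loaded private key.
     */
    private ZTSClient getZtsClient() throws InterruptedException, IOException, KeyRefresherException {
        if (this.ztsClient == null) {
            if (this.x509CertChainPath != null) {
                if (this.keyRefresher == null) {
                    this.keyRefresher = Utils.generateKeyRefresherFromCaCert(
                            this.caCertPath, this.x509CertChainPath, this.privateKeyPath);
                    this.keyRefresher.startup(retryFrequencyInMillis);
                }
                this.ztsClient = new ZTSClient(this.ztsUrl,
                        Utils.buildSSLContext(this.keyRefresher.getKeyManagerProxy(), this.keyRefresher.getTrustManagerProxy()));
            } else {
                this.ztsClient = new ZTSClient(this.ztsUrl, this.tenantDomain, this.tenantService,
                        new SimpleServiceIdentityProvider(this.tenantDomain, this.tenantService, this.privateKey, this.keyId));
            }
            // Static setting on ZTSClient: applies to every ZTSClient in this JVM, not just ours.
            ZTSClient.setPrefetchAutoEnable(this.autoPrefetchEnabled);
        }
        return this.ztsClient;
    }

    /**
     * Fails with {@link IllegalArgumentException} naming the first key in {@code keys} whose value is blank.
     */
    private static void checkRequiredParams(Map<String, String> map, String... keys) {
        for (String key : keys) {
            Preconditions.checkArgument(StringUtils.isNotBlank(map.get(key)), "Missing required parameter: %s", key);
        }
    }

    /**
     * Resolves a Pulsar URL string to an absolute local file path.
     *
     * @throws IllegalArgumentException if the URL is malformed, cannot be opened, or is not a {@code file:} URL
     */
    private static String getAbsolutePathFromUrl(String urlString) {
        try {
            URL url = new org.apache.pulsar.client.api.url.URL(urlString).openConnection().getURL();
            Preconditions.checkArgument("file".equals(url.getProtocol()), "Unsupported protocol: %s", url.getProtocol());
            Path path = Paths.get(url.getPath());
            return path.isAbsolute() ? path.toString() : path.toAbsolutePath().toString();
        } catch (IOException | IllegalAccessException | InstantiationException e) {
            throw new IllegalArgumentException("Cannot get absolute path from specified URL", e);
        } catch (URISyntaxException e2) {
            throw new IllegalArgumentException("Invalid URL format", e2);
        }
    }

    /**
     * Loads a PEM private key from a Pulsar URL ({@code file:} or {@code data:}).
     *
     * <p>A {@code data:} URL must carry the {@value #APPLICATION_X_PEM_FILE} media type. The URL
     * string itself is deliberately kept out of exception messages because in the {@code data:}
     * form it embeds the key material.
     *
     * @throws IllegalArgumentException if the URL is malformed, has an unsupported media type,
     *         or the key cannot be read or parsed (the underlying exception is attached as cause)
     */
    private static PrivateKey loadPrivateKey(String privateKeyUrl) {
        try {
            URLConnection connection = new org.apache.pulsar.client.api.url.URL(privateKeyUrl).openConnection();
            if ("data".equals(connection.getURL().getProtocol())
                    && !APPLICATION_X_PEM_FILE.equals(connection.getContentType())) {
                throw new IllegalArgumentException(
                        "Unsupported media type or encoding format: " + connection.getContentType());
            }
            String pem;
            // try-with-resources so the underlying stream is released even when parsing fails.
            try (InputStreamReader reader = new InputStreamReader(
                    (InputStream) connection.getContent(), Charset.defaultCharset())) {
                pem = CharStreams.toString(reader);
            }
            return Crypto.loadPrivateKey(pem);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Invalid privateKey format", e);
        } catch (CryptoException | IOException | IllegalAccessException | InstantiationException e) {
            // Keep the cause so operators can tell a missing file from an unparsable key.
            throw new IllegalArgumentException("Failed to load private key from privateKey or privateKeyPath field", e);
        }
    }
}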
