package com.predic8.membrane.core.transport.ssl.acme;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.predic8.membrane.core.azure.api.dns.DnsProvisionable;
import com.predic8.membrane.core.config.security.acme.KubernetesStorage;
import com.predic8.membrane.core.http.Header;
import com.predic8.membrane.core.kubernetes.client.KubernetesApiException;
import com.predic8.membrane.core.kubernetes.client.KubernetesClient;
import com.predic8.membrane.core.kubernetes.client.KubernetesClientFactory;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.TimeZone;
import java.util.UUID;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/predic8/membrane/core/transport/ssl/acme/AcmeKubernetesStorageEngine.class */
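/**
 * ACME storage engine backed by Kubernetes.
 *
 * <p>Account data (key, URL, contacts), per-certificate key pairs, certificate
 * chains, challenge tokens and the current order/authorization ("OAL") state are
 * written into {@code v1/Secret} objects of type {@code Opaque} in the configured
 * namespace, one secret per hostname set (see {@link #id(String[])}). Master
 * election between replicas uses a {@code coordination.k8s.io/v1 Lease}; DNS-01
 * challenges are provisioned through a {@code dns.predic8.de/v1beta1 DnsRecord}
 * custom resource.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Private keys (account key, per-host {@code key-private}) are stored
 *       base64-encoded, not encrypted. Any principal with {@code get}/{@code list}
 *       on Secrets in the namespace can read them; scope RBAC for that namespace
 *       tightly and enable encryption at rest on the API server.</li>
 *   <li>Lease expiry is decided by comparing the local clock with the
 *       {@code renewTime} written by whichever replica currently holds the lease.
 *       Replicas with skewed clocks may treat a live lease as expired (two
 *       masters) or an expired one as live; keep cluster clocks synchronized.</li>
 *   <li>{@link #archiveOAL(String[])} copies the current OAL secret (including
 *       its {@code key} entry) to {@code <prefix><id>-oal-<millis>}; nothing in
 *       this class deletes those archived secrets.</li>
 *   <li>A single-host {@code *.example.com} and a single-host {@code example.com}
 *       map to the same secret name (the {@code *.} prefix is stripped and no
 *       hash suffix is appended for one host), so two such configurations would
 *       overwrite each other's key pair and certificate.</li>
 * </ul>
 *
 * <p>Thread-safety: the two {@link SimpleDateFormat} instances are guarded by
 * {@code synchronized}; all other state is {@code final} and immutable.
 */
public class AcmeKubernetesStorageEngine implements AcmeSynchronizedStorageEngine, DnsProvisionable {
    private static final Logger LOG = LoggerFactory.getLogger(AcmeKubernetesStorageEngine.class);

    /** Number of status polls for the DNS challenge record (60 x 500 ms = 30 s). */
    private static final int DNS_POLL_ATTEMPTS = 60;
    /** Delay between two status polls of the DNS challenge record. */
    private static final long DNS_POLL_INTERVAL_MS = 500L;
    /** Grace period after the record reports success, before the CA is expected to query it. */
    private static final long DNS_PROPAGATION_GRACE_MS = 10000L;

    private final KubernetesClient client;
    /** Namespace holding all secrets, the lease and DNS challenge records. */
    private final String namespace;
    /** Name of the Lease object used for master election. */
    private final String lease;
    /** Random per-process identity written as {@code holderIdentity} into the lease. */
    private final String identity = UUID.randomUUID().toString();
    /** Formats lease expiry timestamps; padded with "000" to look like Kubernetes MicroTime. Guarded by itself. */
    private final SimpleDateFormat sdf;
    /** Parses lease timestamps at millisecond precision (see {@link #parse(String)}). Guarded by itself. */
    private final SimpleDateFormat sdf2;
    /** Name of the secret holding the ACME account key, URL and contacts. */
    private final String accountSecret;
    /** Prefix for all per-hostname secret names; empty when not configured. */
    private final String prefix;

    /** Signals that a lease operation must be rejected; caught inside the lease methods and turned into {@code false}. */
    private static class LeaseException extends RuntimeException {
        public LeaseException(String message) {
            super(message);
        }

        public LeaseException(Throwable cause) {
            super(cause);
        }
    }

    /**
     * Creates the engine.
     *
     * @param kubernetesStorage        storage configuration: API base URL, namespace (falls back to the
     *                                 client's default namespace when {@code null}), master lease name,
     *                                 account secret name and optional secret name prefix
     * @param kubernetesClientFactory  factory for the API client; a default factory is created when {@code null}
     */
    public AcmeKubernetesStorageEngine(KubernetesStorage kubernetesStorage, @Nullable KubernetesClientFactory kubernetesClientFactory) {
        KubernetesClientFactory factory = kubernetesClientFactory != null
                ? kubernetesClientFactory
                : new KubernetesClientFactory(null);
        this.client = factory.createClient(kubernetesStorage.getBaseURL());
        this.namespace = kubernetesStorage.getNamespace() != null
                ? kubernetesStorage.getNamespace()
                : this.client.getNamespace();
        this.lease = kubernetesStorage.getMasterLease();
        LOG.info("acme: using identity " + this.identity + " for master election");
        this.sdf = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS000'Z'");
        this.sdf.setTimeZone(TimeZone.getTimeZone("UTC"));
        this.sdf2 = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
        this.sdf2.setTimeZone(TimeZone.getTimeZone("UTC"));
        this.accountSecret = kubernetesStorage.getAccountSecret();
        this.prefix = kubernetesStorage.getPrefix() == null ? "" : kubernetesStorage.getPrefix();
    }

    // ---- account data (all in the account secret) -----------------------------------------

    /** @return the ACME account private key, or {@code null} when not stored yet */
    @Override
    public String getAccountKey() {
        return getSecretEntry(this.accountSecret, "key");
    }

    @Override
    public void setAccountKey(String key) {
        setSecretEntry(this.accountSecret, "key", key);
    }

    /** @return the ACME account URL, or {@code null} when not stored yet */
    @Override
    public String getAccountURL() {
        return getSecretEntry(this.accountSecret, "url");
    }

    @Override
    public void setAccountURL(String url) {
        setSecretEntry(this.accountSecret, "url", url);
    }

    /** @return the ACME account contacts, or {@code null} when not stored yet */
    @Override
    public String getAccountContacts() {
        return getSecretEntry(this.accountSecret, "contacts");
    }

    @Override
    public void setAccountContacts(String contacts) {
        setSecretEntry(this.accountSecret, "contacts", contacts);
    }

    // ---- per-hostname-set data -----------------------------------------------------------------

    /** Stores public and private key of a hostname set in one write to its secret. */
    @Override
    public void setKeyPair(String[] hosts, AcmeKeyPair keyPair) {
        setSecretEntry(this.prefix + id(hosts), "key-public", keyPair.getPublicKey(), "key-private", keyPair.getPrivateKey());
    }

    @Override
    public String getPublicKey(String[] hosts) {
        return getSecretEntry(this.prefix + id(hosts), "key-public");
    }

    @Override
    public String getPrivateKey(String[] hosts) {
        return getSecretEntry(this.prefix + id(hosts), "key-private");
    }

    @Override
    public void setCertChain(String[] hosts, String certChain) {
        setSecretEntry(this.prefix + id(hosts), "certs", certChain);
    }

    @Override
    public String getCertChain(String[] hosts) {
        return getSecretEntry(this.prefix + id(hosts), "certs");
    }

    /** Stores a challenge token under {@code <prefix><name>-token}; {@code name} is used verbatim as part of the secret name. */
    @Override
    public void setToken(String name, String token) {
        setSecretEntry(this.prefix + name + "-token", "token", token);
    }

    @Override
    public String getToken(String name) {
        return getSecretEntry(this.prefix + name + "-token", "token");
    }

    // ---- current order/authorization (OAL) state, secret "<prefix><id>-oal-current" -------------

    @Override
    public String getOAL(String[] hosts) {
        return getSecretEntry(oalSecretName(hosts), "oal");
    }

    @Override
    public void setOAL(String[] hosts, String oal) {
        setSecretEntry(oalSecretName(hosts), "oal", oal);
    }

    @Override
    public String getOALError(String[] hosts) {
        return getSecretEntry(oalSecretName(hosts), "error");
    }

    @Override
    public void setOALError(String[] hosts, String error) {
        setSecretEntry(oalSecretName(hosts), "error", error);
    }

    @Override
    public String getOALKey(String[] hosts) {
        return getSecretEntry(oalSecretName(hosts), "key");
    }

    @Override
    public void setOALKey(String[] hosts, String key) {
        setSecretEntry(oalSecretName(hosts), "key", key);
    }

    /** Name of the secret holding the in-progress order state for a hostname set. */
    private String oalSecretName(String[] hosts) {
        return this.prefix + id(hosts) + "-oal-current";
    }

    /**
     * Moves the current OAL secret aside under a timestamped name
     * ({@code <prefix><id>-oal-<millis>}) and deletes the {@code -oal-current} secret.
     *
     * <p>The copy is created before the original is deleted, so a crash in between
     * leaves both objects rather than none. The archived copy keeps every data entry,
     * including {@code key}; it is never pruned by this class.
     *
     * @throws RuntimeException wrapping any API or I/O failure
     */
    @Override
    public void archiveOAL(String[] hosts) {
        String currentName = oalSecretName(hosts);
        try {
            Map current = this.client.read("v1", "Secret", this.namespace, currentName);
            Map metadata = (Map) current.get("metadata");
            // Strip server-managed fields so the object can be re-created under a new name.
            metadata.remove("managedFields");
            metadata.remove("creationTimestamp");
            metadata.remove("uid");
            metadata.remove("resourceVersion");
            metadata.put("name", this.prefix + id(hosts) + "-oal-" + System.currentTimeMillis());
            this.client.create(current);
            this.client.delete("v1", "Secret", this.namespace, currentName);
        } catch (KubernetesApiException | IOException e) {
            throw new RuntimeException(e);
        }
    }

    // ---- master election via coordination.k8s.io/v1 Lease -------------------------------------

    /**
     * Tries to become lease holder.
     *
     * <p>Succeeds when the lease has no holder, or when its {@code renewTime} lies in the
     * past according to the local clock. A lease that has a holder but no
     * {@code renewTime} is never taken over (it must be fixed or deleted manually).
     *
     * @param durationMillis how long from now the acquired lease is valid
     * @return {@code true} when this instance now holds the lease
     * @throws RuntimeException wrapping an I/O failure talking to the API server
     */
    @Override
    public boolean acquireLease(long durationMillis) {
        String expiry = expiryTimestamp(durationMillis);
        try {
            this.client.createAndEdit(ImmutableMap.of(
                    "apiVersion", "coordination.k8s.io/v1",
                    "kind", "Lease",
                    "metadata", ImmutableMap.of("name", this.lease, "namespace", this.namespace),
                    "spec", ImmutableMap.of()), obj -> {
                Map spec = (Map) obj.get("spec");
                if (spec == null) {
                    spec = new HashMap();
                    obj.put("spec", spec);
                }
                String holder = (String) spec.get("holderIdentity");
                if (holder != null && !holder.isEmpty()) {
                    String renewTime = (String) spec.get("renewTime");
                    if (renewTime == null || renewTime.isEmpty()) {
                        throw new LeaseException("holder, but no renew time is set.");
                    }
                    try {
                        // Local clock vs. the holder's timestamp: clock skew shifts this decision.
                        if (System.currentTimeMillis() < parse(renewTime).getTime()) {
                            throw new LeaseException("lease is not expired yet.");
                        }
                    } catch (ParseException e) {
                        throw new LeaseException(e);
                    }
                }
                spec.put("holderIdentity", this.identity);
                spec.put("renewTime", expiry);
                spec.put("leaseTransitions", Long.valueOf(longValue(spec.get("leaseTransitions")) + 1));
            });
            return true;
        } catch (KubernetesApiException e) {
            LOG.warn("Could not acquire lease.", e);
            return false;
        } catch (LeaseException e) {
            LOG.debug("Could not acquire lease.", e);
            return false;
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Extends the lease held by this instance.
     *
     * @param durationMillis how long from now the lease should remain valid
     * @return {@code false} when the lease is held by someone else, has no renew time,
     *         or has already expired (the caller has lost mastership)
     * @throws RuntimeException wrapping an I/O failure talking to the API server
     */
    @Override
    public boolean prolongLease(long durationMillis) {
        String expiry = expiryTimestamp(durationMillis);
        try {
            this.client.edit("coordination.k8s.io/v1", "Lease", this.namespace, this.lease, obj -> {
                Map spec = (Map) obj.get("spec");
                if (spec == null || !this.identity.equals(spec.get("holderIdentity"))) {
                    throw new LeaseException("holder is not us.");
                }
                String renewTime = (String) spec.get("renewTime");
                if (renewTime == null || renewTime.isEmpty()) {
                    throw new LeaseException("holder is us, but no renew time is set.");
                }
                try {
                    if (System.currentTimeMillis() > parse(renewTime).getTime()) {
                        throw new LeaseException("lease has already expired.");
                    }
                } catch (ParseException e) {
                    throw new LeaseException(e);
                }
                spec.put("renewTime", expiry);
            });
            return true;
        } catch (KubernetesApiException | LeaseException e) {
            LOG.warn("could not prolong lease.", e);
            return false;
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Gives the lease up if this instance holds it: clears {@code holderIdentity},
     * removes {@code renewTime} and bumps {@code leaseTransitions}. Failures are logged only.
     *
     * @throws RuntimeException wrapping an I/O failure talking to the API server
     */
    @Override
    public void releaseLease() {
        try {
            this.client.edit("coordination.k8s.io/v1", "Lease", this.namespace, this.lease, obj -> {
                Map spec = (Map) obj.get("spec");
                if (spec == null || !this.identity.equals(spec.get("holderIdentity"))) {
                    throw new LeaseException("holder is not us.");
                }
                spec.put("holderIdentity", "");
                spec.remove("renewTime");
                spec.put("leaseTransitions", Long.valueOf(longValue(spec.get("leaseTransitions")) + 1));
            });
        } catch (KubernetesApiException | LeaseException e) {
            LOG.warn("could not release lease.", e);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /** Formats "now + {@code millisFromNow}" in the lease timestamp format (UTC). */
    private String expiryTimestamp(long millisFromNow) {
        synchronized (this.sdf) {
            return this.sdf.format(new Date(System.currentTimeMillis() + millisFromNow));
        }
    }

    /**
     * Parses a lease timestamp. Kubernetes may return six fractional digits
     * (MicroTime); when exactly six digits precede the {@code Z}, the last three
     * are dropped so the millisecond pattern of {@link #sdf2} accepts the value.
     */
    private Date parse(String timestamp) throws ParseException {
        int z = timestamp.indexOf('Z');
        if (z > 7 && precededBySixDigits(timestamp, z)) {
            timestamp = timestamp.substring(0, z - 3) + timestamp.substring(z);
        }
        synchronized (this.sdf2) {
            return this.sdf2.parse(timestamp);
        }
    }

    /** True when the six characters before {@code index} are all digits. */
    private static boolean precededBySixDigits(String s, int index) {
        for (int k = 1; k <= 6; k++) {
            if (!Character.isDigit(s.charAt(index - k))) {
                return false;
            }
        }
        return true;
    }

    /**
     * Reads an integral JSON number ({@code leaseTransitions}) as {@code long};
     * {@code null} counts as 0.
     *
     * @throws RuntimeException for non-integral or unexpected types
     */
    private long longValue(Object value) {
        if (value == null) {
            return 0L;
        }
        if (value instanceof Long || value instanceof Integer || value instanceof Short || value instanceof Byte) {
            return ((Number) value).longValue();
        }
        throw new RuntimeException("Unhandled number type: " + value.getClass().getName());
    }

    // ---- secret access ---------------------------------------------------------------------

    /**
     * Reads and base64-decodes one entry of a secret's {@code data} map.
     *
     * @return the decoded UTF-8 value, or {@code null} when the secret, its
     *         {@code data} map or the entry does not exist
     * @throws RuntimeException wrapping any other API or I/O failure
     */
    private String getSecretEntry(String secretName, String key) {
        try {
            Map secret = this.client.read("v1", "Secret", this.namespace, secretName);
            Map data = (Map) secret.get("data");
            if (data == null) {
                return null;
            }
            String encoded = (String) data.get(key);
            if (encoded == null) {
                return null;
            }
            return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        } catch (KubernetesApiException e) {
            if (e.getCode() == 404 && "NotFound".equals(e.getReason())) {
                return null;
            }
            throw new RuntimeException(e);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private void setSecretEntry(String secretName, String key, String value) {
        setSecretEntry(secretName, key, value, null, null);
    }

    /**
     * Creates the {@code Opaque} secret if needed and writes one or two base64-encoded
     * entries into its {@code data} map, leaving other entries untouched.
     *
     * @param secondKey   optional second entry name; ignored when {@code null}
     * @param secondValue value for {@code secondKey}; must be non-null when {@code secondKey} is set
     * @throws RuntimeException wrapping any API or I/O failure
     */
    private void setSecretEntry(String secretName, String key, String value, String secondKey, String secondValue) {
        String encoded = encode(value);
        String secondEncoded = secondKey == null ? null : encode(secondValue);
        try {
            this.client.createAndEdit(ImmutableMap.of(
                    "apiVersion", "v1",
                    "data", ImmutableMap.of(),
                    "kind", "Secret",
                    "metadata", ImmutableMap.of("name", secretName, "namespace", this.namespace),
                    "type", "Opaque"), obj -> {
                // assumes the client hands the lambda a mutable object (e.g. the server response) — TODO confirm
                Map data = (Map) obj.get("data");
                if (data == null) {
                    data = new HashMap();
                    obj.put("data", data);
                }
                data.put(key, encoded);
                if (secondKey != null) {
                    data.put(secondKey, secondEncoded);
                }
            });
        } catch (KubernetesApiException | IOException e) {
            throw new RuntimeException(e);
        }
    }

    /** Base64 (standard alphabet) of the UTF-8 bytes, as Kubernetes expects in {@code data}. */
    private static String encode(String value) {
        return Base64.getEncoder().encodeToString(value.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Derives the secret-name stem for a hostname set: the first hostname with every
     * {@code *.} removed, plus {@code -<hash>} when more than one hostname is given.
     * The hash is {@link Arrays#hashCode(Object[])} folded to a non-negative int.
     *
     * <p>No further normalisation is applied; hostnames must already be valid
     * Kubernetes object-name characters (lowercase DNS labels) — TODO confirm the
     * caller guarantees this.
     *
     * @throws IllegalArgumentException when {@code hosts} is {@code null} or empty
     */
    private String id(String[] hosts) {
        if (hosts == null || hosts.length == 0) {
            throw new IllegalArgumentException("at least one hostname is required");
        }
        String stem = hosts[0].replace("*.", "");
        if (hosts.length == 1) {
            return stem;
        }
        int hash = Arrays.hashCode(hosts) & Integer.MAX_VALUE; // same value as the two's-complement fold
        return stem + "-" + hash;
    }

    // ---- DNS-01 challenge provisioning ---------------------------------------------------------

    /**
     * Publishes {@code _acme-challenge.<hostname>} as a TXT record via a
     * {@code DnsRecord} custom resource and waits until {@code status.success} is
     * {@code true}, then sleeps a fixed propagation grace period.
     *
     * <p>Any pre-existing record of the same name is deleted first. The
     * {@code keyAuthorization} is wrapped in double quotes verbatim; it is assumed
     * to contain no quote characters — TODO confirm against the caller.
     *
     * @throws RuntimeException when the record does not become successful within
     *         the polling window, when the thread is interrupted (the interrupt flag is
     *         restored), or wrapping an API or I/O failure
     */
    @Override
    public void provisionDns(String hostname, String keyAuthorization) {
        // NOTE(review): the decompiler resolved this map key to Header.TIMEOUT; confirm it equals the
        // DnsRecord CRD's TTL field name before relying on it.
        Map txt = ImmutableMap.of("type", "TXT", Header.TIMEOUT, 300, "value", "\"" + keyAuthorization + "\"");
        Map record = ImmutableMap.of(
                "apiVersion", "dns.predic8.de/v1beta1",
                "kind", "DnsRecord",
                "metadata", ImmutableMap.of("name", hostname + "-acme-challenge", "namespace", this.namespace),
                "spec", ImmutableMap.of(
                        "hostnames", Lists.newArrayList("_acme-challenge." + hostname),
                        "values", Lists.newArrayList(txt)));
        try {
            try {
                this.client.read(record);
                this.client.delete(record);
            } catch (KubernetesApiException e) {
                if (e.getCode() != 404) {
                    throw new RuntimeException(e);
                }
            }
            this.client.apply(record);
            Map current = record;
            boolean ready = false;
            for (int attempt = 0; attempt < DNS_POLL_ATTEMPTS && !ready; attempt++) {
                Thread.sleep(DNS_POLL_INTERVAL_MS);
                current = this.client.read(current);
                ready = reportsSuccess(current);
            }
            if (!ready) {
                throw new RuntimeException("DNS challenge did not become successful within "
                        + (DNS_POLL_ATTEMPTS * DNS_POLL_INTERVAL_MS / 1000) + " seconds.");
            }
            Thread.sleep(DNS_PROPAGATION_GRACE_MS);
        } catch (KubernetesApiException | IOException e) {
            throw new RuntimeException(e);
        } catch (InterruptedException e) {
            // Do not return silently: the caller would continue as if the record were in place.
            Thread.currentThread().interrupt();
            throw new RuntimeException("interrupted while provisioning DNS challenge for " + hostname, e);
        }
    }

    /** True when the record's {@code status.success} is the Boolean {@code true}. */
    private static boolean reportsSuccess(Map record) {
        Object status = record.get("status");
        if (!(status instanceof Map)) {
            return false;
        }
        return Boolean.TRUE.equals(((Map) status).get("success"));
    }
}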
