package com.spotify.styx.docker;

import com.google.api.services.iam.v1.model.ServiceAccountKey;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.collect.ImmutableMap;
import com.google.common.hash.Hashing;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.spotify.styx.ServiceAccountKeyManager;
import com.spotify.styx.StyxScheduler;
import com.spotify.styx.util.GcpUtil;
import io.fabric8.kubernetes.api.model.Pod;
import io.fabric8.kubernetes.api.model.PodList;
import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.api.model.SecretBuilder;
import io.fabric8.kubernetes.api.model.SecretList;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientException;
import io.fabric8.kubernetes.client.NamespacedKubernetesClient;
import io.fabric8.kubernetes.client.dsl.Resource;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/spotify/styx/docker/KubernetesGCPServiceAccountSecretManager.class */
public class KubernetesGCPServiceAccountSecretManager {
    private static final String STYX_WORKFLOW_SA_ID_ANNOTATION = "styx-wf-sa";
    private static final String STYX_WORKFLOW_SA_EPOCH_ANNOTATION = "styx-wf-sa-epoch";
    private static final String STYX_WORKFLOW_SA_JSON_KEY_NAME_ANNOTATION = "styx-wf-sa-json-key-name";
    private static final String STYX_WORKFLOW_SA_P12_KEY_NAME_ANNOTATION = "styx-wf-sa-p12-key-name";
    private static final String STYX_WORKFLOW_SA_SECRET_NAME = "styx-wf-sa-keys";
    private static final String STYX_WORKFLOW_SA_JSON_KEY = "styx-wf-sa.json";
    private static final String STYX_WORKFLOW_SA_P12_KEY = "styx-wf-sa.p12";
    private final KubernetesClient client;
    private final ServiceAccountKeyManager keyManager;
    private final EpochProvider epochProvider;
    private final Clock clock;
    private final Cache<String, String> serviceAccountSecretCache;
    private static final Logger LOG = LoggerFactory.getLogger(KubernetesGCPServiceAccountSecretManager.class);
    private static final Duration DEFAULT_SECRET_EPOCH_PERIOD = Duration.ofDays(7);
    private static final EpochProvider DEFAULT_SECRET_EPOCH_PROVIDER = KubernetesGCPServiceAccountSecretManager::smearedEpoch;
    private static final Clock DEFAULT_CLOCK = Clock.systemUTC();
    private static final Duration SECRET_GC_GRACE_PERIOD = DEFAULT_SECRET_EPOCH_PERIOD.plusHours(24);

    /* loaded from: input_file:com/spotify/styx/docker/KubernetesGCPServiceAccountSecretManager$EpochProvider.class */
    interface EpochProvider {
        long epoch(long j, String str);
    }

    KubernetesGCPServiceAccountSecretManager(NamespacedKubernetesClient namespacedKubernetesClient, ServiceAccountKeyManager serviceAccountKeyManager, EpochProvider epochProvider, Clock clock) {
        this.serviceAccountSecretCache = CacheBuilder.newBuilder().expireAfterWrite(30L, TimeUnit.SECONDS).build();
        this.client = (KubernetesClient) Objects.requireNonNull(namespacedKubernetesClient);
        this.keyManager = (ServiceAccountKeyManager) Objects.requireNonNull(serviceAccountKeyManager);
        this.epochProvider = (EpochProvider) Objects.requireNonNull(epochProvider);
        this.clock = (Clock) Objects.requireNonNull(clock);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public KubernetesGCPServiceAccountSecretManager(NamespacedKubernetesClient namespacedKubernetesClient, ServiceAccountKeyManager serviceAccountKeyManager) {
        this(namespacedKubernetesClient, serviceAccountKeyManager, DEFAULT_SECRET_EPOCH_PROVIDER, DEFAULT_CLOCK);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String ensureServiceAccountKeySecret(String str, String str2) {
        long epoch = this.epochProvider.epoch(this.clock.millis(), str2);
        String buildSecretName = buildSecretName(str2, epoch);
        LOG.info("[AUDIT] Workflow {} refers to secret {} storing keys of {}", new Object[]{str, buildSecretName, str2});
        try {
            return (String) this.serviceAccountSecretCache.get(str2, () -> {
                return getOrCreateSecret(str, str2, epoch, buildSecretName);
            });
        } catch (ExecutionException | UncheckedExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof InvalidExecutionException) {
                throw ((InvalidExecutionException) cause);
            }
            if (GcpUtil.isPermissionDenied(cause)) {
                throw new InvalidExecutionException("Permission denied to service account: " + str2);
            }
            if (GcpUtil.isResourceExhausted(cause)) {
                throw new InvalidExecutionException("Maximum number of keys on service account reached: " + str2);
            }
            throw new RuntimeException(e);
        }
    }

    private String getOrCreateSecret(String str, String str2, long j, String str3) throws IOException {
        if (!this.keyManager.serviceAccountExists(str2)) {
            LOG.warn("[AUDIT] Workflow {} refers to non-existent service account {}", str, str2);
            throw new InvalidExecutionException("Referenced service account " + str2 + " was not found");
        }
        Secret secret = (Secret) ((Resource) this.client.secrets().withName(str3)).get();
        if (secret != null) {
            Map annotations = secret.getMetadata().getAnnotations();
            String str4 = (String) annotations.get(STYX_WORKFLOW_SA_JSON_KEY_NAME_ANNOTATION);
            String str5 = (String) annotations.get(STYX_WORKFLOW_SA_P12_KEY_NAME_ANNOTATION);
            if (keyExists(str4) && keyExists(str5)) {
                return str3;
            }
            LOG.info("[AUDIT] Service account keys have been deleted for {}, recreating", str2);
            this.keyManager.deleteKey(str4);
            this.keyManager.deleteKey(str5);
            deleteSecret(secret);
        }
        createKeysAndSecret(str, str2, j, str3);
        return str3;
    }

    private void createKeysAndSecret(String str, String str2, long j, String str3) throws IOException {
        try {
            ServiceAccountKey createJsonKey = this.keyManager.createJsonKey(str2);
            try {
                ServiceAccountKey createP12Key = this.keyManager.createP12Key(str2);
                try {
                    this.client.secrets().create(new Secret[]{((SecretBuilder) new SecretBuilder().withNewMetadata().withName(str3).withAnnotations(ImmutableMap.of(STYX_WORKFLOW_SA_JSON_KEY_NAME_ANNOTATION, createJsonKey.getName(), STYX_WORKFLOW_SA_P12_KEY_NAME_ANNOTATION, createP12Key.getName(), STYX_WORKFLOW_SA_ID_ANNOTATION, str2, STYX_WORKFLOW_SA_EPOCH_ANNOTATION, Long.toString(j))).endMetadata()).withData(ImmutableMap.of(STYX_WORKFLOW_SA_JSON_KEY, createJsonKey.getPrivateKeyData(), STYX_WORKFLOW_SA_P12_KEY, createP12Key.getPrivateKeyData())).build()});
                    LOG.info("[AUDIT] Secret {} created to store keys of {} referred by workflow {}, jsonKey: {}, p12Key: {}", new Object[]{str3, str2, str, createJsonKey.getName(), createP12Key.getName()});
                } catch (KubernetesClientException e) {
                    this.keyManager.tryDeleteKey(createJsonKey.getName());
                    this.keyManager.tryDeleteKey(createP12Key.getName());
                }
            } catch (IOException e2) {
                this.keyManager.tryDeleteKey(createJsonKey.getName());
                throw e2;
            }
        } catch (IOException e3) {
            LOG.warn("[AUDIT] Failed to create keys for {} used by workflow {}", new Object[]{str2, str, e3});
            throw e3;
        }
    }

    private boolean keyExists(String str) {
        try {
            return this.keyManager.keyExists(str);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    public void cleanup() throws IOException {
        Set set = (Set) ((PodList) this.client.pods().list()).getItems().stream().filter(pod -> {
            return !isTerminatedPod(pod);
        }).flatMap(pod2 -> {
            return pod2.getSpec().getVolumes().stream();
        }).map(volume -> {
            return volume.getSecret().getSecretName();
        }).collect(Collectors.toSet());
        long millis = this.clock.millis();
        Instant minus = this.clock.instant().minus((TemporalAmount) SECRET_GC_GRACE_PERIOD);
        for (Secret secret : (List) ((SecretList) this.client.secrets().list()).getItems().stream().filter(secret2 -> {
            return secret2.getMetadata().getName().startsWith(STYX_WORKFLOW_SA_SECRET_NAME);
        }).filter(secret3 -> {
            return !Long.toString(this.epochProvider.epoch(millis, serviceAccount(secret3))).equals(secretEpoch(secret3));
        }).filter(secret4 -> {
            return Instant.parse(secret4.getMetadata().getCreationTimestamp()).isBefore(minus);
        }).filter(secret5 -> {
            return !set.contains(secret5.getMetadata().getName());
        }).collect(Collectors.toList())) {
            Map annotations = secret.getMetadata().getAnnotations();
            try {
                this.keyManager.deleteKey((String) annotations.get(STYX_WORKFLOW_SA_JSON_KEY_NAME_ANNOTATION));
                this.keyManager.deleteKey((String) annotations.get(STYX_WORKFLOW_SA_P12_KEY_NAME_ANNOTATION));
                deleteSecret(secret);
            } catch (KubernetesClientException | IOException e) {
                LOG.warn("Failed to cleanup secret or keys for service account {}", annotations.get(STYX_WORKFLOW_SA_ID_ANNOTATION));
            }
        }
    }

    private boolean isTerminatedPod(Pod pod) {
        String phase = pod.getStatus().getPhase();
        boolean z = -1;
        switch (phase.hashCode()) {
            case -1345265087:
                if (phase.equals("Succeeded")) {
                    z = false;
                    break;
                }
                break;
            case 2096857181:
                if (phase.equals("Failed")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case StyxScheduler.TRIGGER_MANAGER_TICK_INTERVAL_SECONDS /* 1 */:
                return true;
            default:
                return false;
        }
    }

    private String secretEpoch(Secret secret) {
        return (String) secret.getMetadata().getAnnotations().get(STYX_WORKFLOW_SA_EPOCH_ANNOTATION);
    }

    private String serviceAccount(Secret secret) {
        return (String) secret.getMetadata().getAnnotations().get(STYX_WORKFLOW_SA_ID_ANNOTATION);
    }

    private void deleteSecret(Secret secret) {
        LOG.info("[AUDIT] Deleting service account {} secret {}", serviceAccount(secret), secret.getMetadata().getName());
        try {
            this.client.secrets().delete(new Secret[]{secret});
        } catch (KubernetesClientException e) {
            if (e.getCode() == 404) {
                LOG.debug("Couldn't find secret to delete {}", secret.getMetadata().getName());
            } else {
                LOG.warn("[AUDIT] Failed to delete secret {}", secret.getMetadata().getName());
                throw e;
            }
        }
    }

    private static String buildSecretName(String str, long j) {
        return "styx-wf-sa-keys-" + j + '-' + Hashing.sha256().hashString(str, StandardCharsets.UTF_8);
    }

    @VisibleForTesting
    static long smearedEpoch(long j, String str) {
        return (j + (Math.abs(str.hashCode()) % DEFAULT_SECRET_EPOCH_PERIOD.toMillis())) / DEFAULT_SECRET_EPOCH_PERIOD.toMillis();
    }
}
