package com.yahoo.vespa.hosted.node.admin.maintenance.identity;

import com.yahoo.jdisc.Timer;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.Pkcs10Csr;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;
import com.yahoo.vespa.athenz.client.zts.ZtsClientException;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.client.CsrGenerator;
import com.yahoo.vespa.athenz.identityprovider.client.DefaultIdentityDocumentClient;
import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
import com.yahoo.vespa.athenz.utils.SiaUtils;
import com.yahoo.vespa.hosted.node.admin.component.ConfigServerInfo;
import com.yahoo.vespa.hosted.node.admin.container.ContainerName;
import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext;
import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentTask;
import com.yahoo.vespa.hosted.node.admin.task.util.file.FileFinder;
import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixPath;
import com.yahoo.vespa.hosted.node.admin.task.util.fs.ContainerPath;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.HostnameVerifier;

/* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.class */
public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
    private static final Logger logger = Logger.getLogger(AthenzCredentialsMaintainer.class.getName());
    private static final Duration EXPIRY_MARGIN = Duration.ofDays(1);
    private static final Duration REFRESH_PERIOD = Duration.ofDays(1);
    private static final Duration REFRESH_BACKOFF = Duration.ofHours(1);
    private static final String CONTAINER_SIA_DIRECTORY = "/var/lib/sia";
    private static final String LEGACY_SIA_DIRECTORY = "/opt/vespa/var/vespa/sia";
    private final Path ztsTrustStorePath;
    private final Timer timer;
    private final String certificateDnsSuffix;
    private final ServiceIdentityProvider hostIdentityProvider;
    private final IdentityDocumentClient identityDocumentClient;
    private final Map<ContainerName, Instant> lastRefreshAttempt = new ConcurrentHashMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer$IdentityType.class */
    public enum IdentityType {
        NODE("vespa-node-identity-document.json"),
        TENANT("vespa-tenant-identity-document.json");

        private final String identityDocument;

        IdentityType(String str) {
            this.identityDocument = str;
        }

        public String getIdentityDocument() {
            return this.identityDocument;
        }
    }

    public AthenzCredentialsMaintainer(Path path, ConfigServerInfo configServerInfo, String str, ServiceIdentityProvider serviceIdentityProvider, Timer timer) {
        this.ztsTrustStorePath = path;
        this.certificateDnsSuffix = str;
        this.hostIdentityProvider = serviceIdentityProvider;
        this.identityDocumentClient = new DefaultIdentityDocumentClient(configServerInfo.getLoadBalancerEndpoint(), serviceIdentityProvider, new AthenzIdentityVerifier(Set.of(configServerInfo.getConfigServerIdentity())));
        this.timer = timer;
    }

    @Override // com.yahoo.vespa.hosted.node.admin.maintenance.identity.CredentialsMaintainer
    public boolean converge(NodeAgentContext nodeAgentContext) {
        boolean maintain = false | maintain(nodeAgentContext, IdentityType.NODE);
        return nodeAgentContext.zone().getSystemName().isPublic() ? maintain : maintain | maintain(nodeAgentContext, IdentityType.TENANT);
    }

    private boolean maintain(NodeAgentContext nodeAgentContext, IdentityType identityType) {
        if (nodeAgentContext.isDisabled(NodeAgentTask.CredentialsMaintainer)) {
            return false;
        }
        try {
            boolean z = false;
            nodeAgentContext.log(logger, Level.FINE, "Checking certificate");
            ContainerPath of = nodeAgentContext.paths().of(CONTAINER_SIA_DIRECTORY, nodeAgentContext.users().vespa());
            ContainerPath resolve = of.resolve(identityType.getIdentityDocument());
            Optional<AthenzIdentity> athenzIdentity = getAthenzIdentity(nodeAgentContext, identityType, resolve);
            if (athenzIdentity.isEmpty()) {
                return false;
            }
            AthenzIdentity athenzIdentity2 = athenzIdentity.get();
            ContainerPath containerPath = (ContainerPath) SiaUtils.getPrivateKeyFile(of, athenzIdentity2);
            ContainerPath containerPath2 = (ContainerPath) SiaUtils.getCertificateFile(of, athenzIdentity2);
            if (!Files.exists(containerPath, new LinkOption[0]) || !Files.exists(containerPath2, new LinkOption[0]) || !Files.exists(resolve, new LinkOption[0])) {
                nodeAgentContext.log(logger, "Certificate/private key/identity document file does not exist");
                Files.createDirectories(containerPath.getParent(), new FileAttribute[0]);
                Files.createDirectories(containerPath2.getParent(), new FileAttribute[0]);
                Files.createDirectories(resolve.getParent(), new FileAttribute[0]);
                registerIdentity(nodeAgentContext, containerPath, containerPath2, resolve, identityType, athenzIdentity2);
                z = true;
            }
            X509Certificate readCertificateFromFile = readCertificateFromFile(containerPath2);
            Instant currentTime = this.timer.currentTime();
            Instant instant = readCertificateFromFile.getNotAfter().toInstant();
            SignedIdentityDocument readSignedIdentityDocumentFromFile = EntityBindingsMapper.readSignedIdentityDocumentFromFile(resolve);
            if (refreshIdentityDocument(readSignedIdentityDocumentFromFile, nodeAgentContext)) {
                nodeAgentContext.log(logger, "Identity document is outdated (version=%d)", Integer.valueOf(readSignedIdentityDocumentFromFile.documentVersion()));
                registerIdentity(nodeAgentContext, containerPath, containerPath2, resolve, identityType, athenzIdentity2);
                z = true;
            } else if (isCertificateExpired(instant, currentTime)) {
                nodeAgentContext.log(logger, "Certificate has expired (expiry=%s)", instant.toString());
                registerIdentity(nodeAgentContext, containerPath, containerPath2, resolve, identityType, athenzIdentity2);
                z = true;
            }
            Duration between = Duration.between(readCertificateFromFile.getNotBefore().toInstant(), currentTime);
            if (shouldRefreshCredentials(between)) {
                nodeAgentContext.log(logger, "Certificate is ready to be refreshed (age=%s)", between.toString());
                if (shouldThrottleRefreshAttempts(nodeAgentContext.containerName(), currentTime)) {
                    nodeAgentContext.log(logger, Level.WARNING, String.format("Skipping refresh attempt as last refresh was on %s (less than %s ago)", this.lastRefreshAttempt.get(nodeAgentContext.containerName()).toString(), REFRESH_BACKOFF.toString()));
                } else {
                    this.lastRefreshAttempt.put(nodeAgentContext.containerName(), currentTime);
                    refreshIdentity(nodeAgentContext, containerPath, containerPath2, resolve, readSignedIdentityDocumentFromFile.identityDocument(), identityType, athenzIdentity2);
                    z = true;
                }
            }
            if (identityType == IdentityType.TENANT) {
                z |= maintainRoleCertificates(nodeAgentContext, of, containerPath, containerPath2, athenzIdentity2, readSignedIdentityDocumentFromFile.identityDocument());
                copyCredsToLegacyPath(nodeAgentContext, containerPath, containerPath2);
            }
            return z;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private boolean maintainRoleCertificates(NodeAgentContext nodeAgentContext, ContainerPath containerPath, ContainerPath containerPath2, ContainerPath containerPath3, AthenzIdentity athenzIdentity, IdentityDocument identityDocument) {
        boolean z = false;
        for (String str : getRoleList(nodeAgentContext)) {
            try {
                ContainerPath resolve = containerPath.resolve("certs").resolve(String.format("%s.cert.pem", str));
                ContainerPath resolve2 = containerPath.resolve("keys").resolve(String.format("%s.key.pem", str));
                if (Files.notExists(resolve, new LinkOption[0])) {
                    writeRoleCredentials(nodeAgentContext, containerPath2, containerPath3, resolve, resolve2, athenzIdentity, identityDocument, str);
                    z = true;
                } else if (shouldRefreshCertificate(nodeAgentContext, resolve)) {
                    writeRoleCredentials(nodeAgentContext, containerPath2, containerPath3, resolve, resolve2, athenzIdentity, identityDocument, str);
                    z = true;
                }
            } catch (IOException e) {
                nodeAgentContext.log(logger, Level.WARNING, "Failed to maintain role certificate " + str, e);
            }
        }
        return z;
    }

    private boolean shouldRefreshCertificate(NodeAgentContext nodeAgentContext, ContainerPath containerPath) throws IOException {
        X509Certificate readCertificateFromFile = readCertificateFromFile(containerPath);
        Instant currentTime = this.timer.currentTime();
        return !shouldThrottleRefreshAttempts(nodeAgentContext.containerName(), currentTime) && (currentTime.isAfter(readCertificateFromFile.getNotAfter().toInstant()) || currentTime.isAfter(readCertificateFromFile.getNotBefore().toInstant().plus((TemporalAmount) REFRESH_PERIOD)));
    }

    private void writeRoleCredentials(NodeAgentContext nodeAgentContext, ContainerPath containerPath, ContainerPath containerPath2, ContainerPath containerPath3, ContainerPath containerPath4, AthenzIdentity athenzIdentity, IdentityDocument identityDocument, String str) throws IOException {
        HostnameVerifier hostnameVerifier = (str2, sSLSession) -> {
            return true;
        };
        KeyPair generateKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
        AthenzRole fromResourceNameString = AthenzRole.fromResourceNameString(str);
        ZtsClient ztsClient = ztsClient(identityDocument.ztsUrl(), containerPath, containerPath2, hostnameVerifier);
        try {
            writePrivateKeyAndCertificate(containerPath4, generateKeypair.getPrivate(), containerPath3, ztsClient.getRoleCertificate(fromResourceNameString, new CsrGenerator(this.certificateDnsSuffix, identityDocument.providerService().getFullName()).generateRoleCsr(athenzIdentity, fromResourceNameString, identityDocument.providerUniqueId(), identityDocument.clusterType(), generateKeypair)));
            nodeAgentContext.log(logger, "Role certificate successfully retrieved written to file " + containerPath3.pathInContainer());
            if (ztsClient != null) {
                ztsClient.close();
            }
        } catch (Throwable th) {
            if (ztsClient != null) {
                try {
                    ztsClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private boolean refreshIdentityDocument(SignedIdentityDocument signedIdentityDocument, NodeAgentContext nodeAgentContext) {
        return signedIdentityDocument.outdated() || signedIdentityDocument.documentVersion() != documentVersion(nodeAgentContext);
    }

    @Override // com.yahoo.vespa.hosted.node.admin.maintenance.identity.CredentialsMaintainer
    public void clearCredentials(NodeAgentContext nodeAgentContext) {
        FileFinder.files(nodeAgentContext.paths().of(CONTAINER_SIA_DIRECTORY)).deleteRecursively(nodeAgentContext);
        this.lastRefreshAttempt.remove(nodeAgentContext.containerName());
    }

    @Override // com.yahoo.vespa.hosted.node.admin.maintenance.identity.CredentialsMaintainer
    public Duration certificateLifetime(NodeAgentContext nodeAgentContext) {
        ContainerPath containerPath = (ContainerPath) SiaUtils.getCertificateFile(nodeAgentContext.paths().of(CONTAINER_SIA_DIRECTORY), nodeAgentContext.identity());
        try {
            return Duration.between(this.timer.currentTime(), readCertificateFromFile(containerPath).getNotAfter().toInstant());
        } catch (IOException e) {
            nodeAgentContext.log(logger, Level.SEVERE, "Unable to read certificate at " + containerPath, e);
            return Duration.ZERO;
        }
    }

    @Override // com.yahoo.vespa.hosted.node.admin.maintenance.identity.CredentialsMaintainer
    public String name() {
        return "node-certificate";
    }

    private boolean shouldRefreshCredentials(Duration duration) {
        return duration.compareTo(REFRESH_PERIOD) >= 0;
    }

    private boolean shouldThrottleRefreshAttempts(ContainerName containerName, Instant instant) {
        return REFRESH_BACKOFF.compareTo(Duration.between(this.lastRefreshAttempt.getOrDefault(containerName, Instant.EPOCH), instant)) > 0;
    }

    private void registerIdentity(NodeAgentContext nodeAgentContext, ContainerPath containerPath, ContainerPath containerPath2, ContainerPath containerPath3, IdentityType identityType, AthenzIdentity athenzIdentity) {
        KeyPair generateKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
        SignedIdentityDocument signedIdentityDocument = signedIdentityDocument(nodeAgentContext, identityType);
        IdentityDocument identityDocument = signedIdentityDocument.identityDocument();
        Pkcs10Csr generateInstanceCsr = new CsrGenerator(this.certificateDnsSuffix, identityDocument.providerService().getFullName()).generateInstanceCsr(athenzIdentity, identityDocument.providerUniqueId(), identityDocument.ipAddresses(), identityDocument.clusterType(), generateKeypair);
        ZtsClient ztsClient = ztsClient(identityDocument.ztsUrl(), this.hostIdentityProvider.privateKeyPath(), this.hostIdentityProvider.certificatePath(), (str, sSLSession) -> {
            return true;
        });
        try {
            InstanceIdentity registerInstance = ztsClient.registerInstance(identityDocument.providerService(), athenzIdentity, EntityBindingsMapper.toAttestationData(signedIdentityDocument), generateInstanceCsr);
            EntityBindingsMapper.writeSignedIdentityDocumentToFile(containerPath3, signedIdentityDocument);
            writePrivateKeyAndCertificate(containerPath, generateKeypair.getPrivate(), containerPath2, registerInstance.certificate());
            nodeAgentContext.log(logger, "Instance successfully registered and credentials written to file");
            if (ztsClient != null) {
                ztsClient.close();
            }
        } catch (Throwable th) {
            if (ztsClient != null) {
                try {
                    ztsClient.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void refreshIdentity(NodeAgentContext nodeAgentContext, ContainerPath containerPath, ContainerPath containerPath2, ContainerPath containerPath3, IdentityDocument identityDocument, IdentityType identityType, AthenzIdentity athenzIdentity) {
        ZtsClient ztsClient;
        try {
            KeyPair keyPair = KeyUtils.toKeyPair(readPrivateKeyFromFile(containerPath));
            Pkcs10Csr generateInstanceCsr = new CsrGenerator(this.certificateDnsSuffix, identityDocument.providerService().getFullName()).generateInstanceCsr(athenzIdentity, identityDocument.providerUniqueId(), identityDocument.ipAddresses(), identityDocument.clusterType(), keyPair);
            try {
                ztsClient = ztsClient(identityDocument.ztsUrl(), containerPath, containerPath2, (str, sSLSession) -> {
                    return true;
                });
            } catch (ZtsClientException e) {
                if (e.getErrorCode() != 403 || !e.getDescription().startsWith("Certificate revoked")) {
                    throw e;
                }
                nodeAgentContext.log(logger, Level.SEVERE, "Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
                registerIdentity(nodeAgentContext, containerPath, containerPath2, containerPath3, identityType, athenzIdentity);
            }
            try {
                writePrivateKeyAndCertificate(containerPath, keyPair.getPrivate(), containerPath2, ztsClient.refreshInstance(identityDocument.providerService(), athenzIdentity, identityDocument.providerUniqueId().asDottedString(), generateInstanceCsr).certificate());
                nodeAgentContext.log(logger, "Instance successfully refreshed and credentials written to file");
                if (ztsClient != null) {
                    ztsClient.close();
                }
            } catch (Throwable th) {
                if (ztsClient != null) {
                    try {
                        ztsClient.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (Exception e2) {
            nodeAgentContext.log(logger, Level.SEVERE, "Certificate refresh failed: " + e2.getMessage(), e2);
        }
    }

    private static void writePrivateKeyAndCertificate(ContainerPath containerPath, PrivateKey privateKey, ContainerPath containerPath2, X509Certificate x509Certificate) {
        writeFile(containerPath, KeyUtils.toPem(privateKey));
        writeFile(containerPath2, X509CertificateUtils.toPem(x509Certificate));
    }

    private static void writeFile(ContainerPath containerPath, String str) {
        new UnixPath(containerPath.resolveSibling(containerPath.getFileName() + ".tmp")).writeUtf8File(str, "r--------", new OpenOption[0]).atomicMove(containerPath);
    }

    private static X509Certificate readCertificateFromFile(ContainerPath containerPath) throws IOException {
        return X509CertificateUtils.fromPem(new String(Files.readAllBytes(containerPath)));
    }

    private static PrivateKey readPrivateKeyFromFile(ContainerPath containerPath) throws IOException {
        return KeyUtils.fromPemEncodedPrivateKey(new String(Files.readAllBytes(containerPath)));
    }

    private static boolean isCertificateExpired(Instant instant, Instant instant2) {
        return instant2.isAfter(instant.minus((TemporalAmount) EXPIRY_MARGIN));
    }

    private SignedIdentityDocument signedIdentityDocument(NodeAgentContext nodeAgentContext, IdentityType identityType) {
        switch (identityType) {
            case NODE:
                return this.identityDocumentClient.getNodeIdentityDocument(nodeAgentContext.hostname().value(), documentVersion(nodeAgentContext));
            case TENANT:
                return (SignedIdentityDocument) this.identityDocumentClient.getTenantIdentityDocument(nodeAgentContext.hostname().value(), documentVersion(nodeAgentContext)).get();
            default:
                throw new IncompatibleClassChangeError();
        }
    }

    private Optional<AthenzIdentity> getAthenzIdentity(NodeAgentContext nodeAgentContext, IdentityType identityType, ContainerPath containerPath) {
        switch (identityType) {
            case NODE:
                return Optional.of(nodeAgentContext.identity());
            case TENANT:
                return getTenantIdentity(nodeAgentContext, containerPath);
            default:
                throw new IncompatibleClassChangeError();
        }
    }

    private Optional<AthenzIdentity> getTenantIdentity(NodeAgentContext nodeAgentContext, ContainerPath containerPath) {
        return Files.exists(containerPath, new LinkOption[0]) ? Optional.of(EntityBindingsMapper.readSignedIdentityDocumentFromFile(containerPath).identityDocument().serviceIdentity()) : this.identityDocumentClient.getTenantIdentityDocument(nodeAgentContext.hostname().value(), documentVersion(nodeAgentContext)).map(signedIdentityDocument -> {
            return signedIdentityDocument.identityDocument().serviceIdentity();
        });
    }

    private void copyCredsToLegacyPath(NodeAgentContext nodeAgentContext, ContainerPath containerPath, ContainerPath containerPath2) throws IOException {
        ContainerPath of = nodeAgentContext.paths().of(LEGACY_SIA_DIRECTORY, nodeAgentContext.users().vespa());
        ContainerPath resolve = of.resolve("keys");
        ContainerPath resolve2 = of.resolve("certs");
        Files.createDirectories(resolve, new FileAttribute[0]);
        Files.createDirectories(resolve2, new FileAttribute[0]);
        writeFile(resolve2.resolve(containerPath2.getFileName()), Files.readString(containerPath2));
        writeFile(resolve.resolve(containerPath.getFileName()), Files.readString(containerPath));
    }

    private int documentVersion(NodeAgentContext nodeAgentContext) {
        return 4;
    }

    private ZtsClient ztsClient(URI uri, Path path, Path path2, HostnameVerifier hostnameVerifier) {
        return new DefaultZtsClient.Builder(uri).withSslContext(new SslContextBuilder().withKeyStore(path, path2).withTrustStore(this.ztsTrustStorePath).build()).withHostnameVerifier(hostnameVerifier).build();
    }

    private List<String> getRoleList(NodeAgentContext nodeAgentContext) {
        try {
            return this.identityDocumentClient.getNodeRoles(nodeAgentContext.hostname().value());
        } catch (Exception e) {
            nodeAgentContext.log(logger, Level.WARNING, "Failed to retrieve role list", e);
            return List.of();
        }
    }
}
