package com.yahoo.athenz.zts;

import athenz.shade.zts.com.fasterxml.jackson.core.JsonProcessingException;
import athenz.shade.zts.com.fasterxml.jackson.databind.DeserializationFeature;
import athenz.shade.zts.com.fasterxml.jackson.databind.ObjectMapper;
import athenz.shade.zts.javax.ws.rs.client.ClientBuilder;
import athenz.shade.zts.org.apache.http.HttpHost;
import athenz.shade.zts.org.apache.http.HttpStatus;
import athenz.shade.zts.org.apache.http.config.Registry;
import athenz.shade.zts.org.apache.http.config.RegistryBuilder;
import athenz.shade.zts.org.apache.http.conn.socket.ConnectionSocketFactory;
import athenz.shade.zts.org.apache.http.conn.socket.PlainConnectionSocketFactory;
import athenz.shade.zts.org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import athenz.shade.zts.org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import athenz.shade.zts.org.glassfish.jersey.apache.connector.ApacheClientProperties;
import athenz.shade.zts.org.glassfish.jersey.apache.connector.ApacheConnectorProvider;
import athenz.shade.zts.org.glassfish.jersey.client.ClientConfig;
import athenz.shade.zts.org.glassfish.jersey.client.ClientProperties;
import athenz.shade.zts.org.glassfish.jersey.jackson.internal.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.oath.auth.KeyRefresher;
import com.oath.auth.KeyRefresherException;
import com.oath.auth.KeyRefresherListener;
import com.oath.auth.Utils;
import com.yahoo.athenz.auth.Principal;
import com.yahoo.athenz.auth.PrivateKeyStore;
import com.yahoo.athenz.auth.ServiceIdentityProvider;
import com.yahoo.athenz.auth.token.RoleToken;
import com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.auth.util.CryptoException;
import com.yahoo.athenz.common.config.AthenzConfig;
import com.yahoo.athenz.common.utils.SSLUtils;
import com.yahoo.athenz.zts.ZTSClientCache;
import com.yahoo.athenz.zts.ZTSClientService;
import com.yahoo.rdl.JSON;
import java.io.Closeable;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Queue;
import java.util.ServiceLoader;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentLinkedQueue;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.bouncycastle.asn1.DERIA5String;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.operator.OperatorCreationException;
import org.ehcache.Cache;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/zts/ZTSClient.class */
public class ZTSClient implements Closeable {
    // ---- Per-instance state ----
    private String ztsUrl;
    private String proxyUrl;
    private String domain;
    private String service;
    // TLS context supplied through the SSLContext-based constructors.
    private SSLContext sslContext;
    private ZTSClientNotificationSender notificationSender;
    // Underlying generated client; close() and setProperty() delegate to it.
    ZTSRDLGeneratedClient ztsClient;
    ServiceIdentityProvider siaProvider;
    Principal principal;
    ZTSClientCache ztsClientCache;
    private boolean enablePrefetch;
    // Set to true when a caller injects its own client via setZTSRDLGeneratedClient().
    private boolean ztsClientOverride;

    // ---- System property names ----
    // initConfigValues() and lookupZTSUrl() read the athenz_conf, expiry, timeout, prefetch,
    // cache and X.509 properties. The keystore, truststore, pool and protocol names are not
    // read in this part of the file.
    // NOTE(review): the *_PASSWORD names suggest keystore secrets are passed as JVM system
    // properties - confirm how they are consumed and make sure they are never logged.
    public static final String ZTS_CLIENT_PROP_ATHENZ_CONF = "athenz.athenz_conf";
    public static final String ZTS_CLIENT_PROP_TOKEN_MIN_EXPIRY_TIME = "athenz.zts.client.token_min_expiry_time";
    public static final String ZTS_CLIENT_PROP_READ_TIMEOUT = "athenz.zts.client.read_timeout";
    public static final String ZTS_CLIENT_PROP_CONNECT_TIMEOUT = "athenz.zts.client.connect_timeout";
    public static final String ZTS_CLIENT_PROP_PREFETCH_SLEEP_INTERVAL = "athenz.zts.client.prefetch_sleep_interval";
    public static final String ZTS_CLIENT_PROP_PREFETCH_AUTO_ENABLE = "athenz.zts.client.prefetch_auto_enable";
    public static final String ZTS_CLIENT_PROP_X509CERT_DNS_NAME = "athenz.zts.client.x509cert_dns_name";
    public static final String ZTS_CLIENT_PROP_X509CSR_DN = "athenz.zts.client.x509csr_dn";
    public static final String ZTS_CLIENT_PROP_X509CSR_DOMAIN = "athenz.zts.client.x509csr_domain";
    public static final String ZTS_CLIENT_PROP_DISABLE_CACHE = "athenz.zts.client.disable_cache";
    public static final String ZTS_CLIENT_PROP_CERT_ALIAS = "athenz.zts.client.cert_alias";
    public static final String ZTS_CLIENT_PROP_KEYSTORE_PATH = "athenz.zts.client.keystore_path";
    public static final String ZTS_CLIENT_PROP_KEYSTORE_TYPE = "athenz.zts.client.keystore_type";
    public static final String ZTS_CLIENT_PROP_KEYSTORE_PASSWORD = "athenz.zts.client.keystore_password";
    public static final String ZTS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME = "athenz.zts.client.keystore_pwd_app_name";
    public static final String ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD = "athenz.zts.client.keymanager_password";
    public static final String ZTS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME = "athenz.zts.client.keymanager_pwd_app_name";
    public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PATH = "athenz.zts.client.truststore_path";
    public static final String ZTS_CLIENT_PROP_TRUSTSTORE_TYPE = "athenz.zts.client.truststore_type";
    public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PASSWORD = "athenz.zts.client.truststore_password";
    public static final String ZTS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME = "athenz.zts.client.truststore_pwd_app_name";
    public static final String ZTS_CLIENT_PROP_POOL_MAX_PER_ROUTE = "athenz.zts.client.http_pool_max_per_route";
    public static final String ZTS_CLIENT_PROP_POOL_MAX_TOTAL = "athenz.zts.client.http_pool_max_total";
    public static final String ZTS_CLIENT_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS = "athenz.zts.client.private_keystore_factory_class";
    public static final String ZTS_CLIENT_PROP_CLIENT_PROTOCOL = "athenz.zts.client.client_ssl_protocol";
    // presumably the default value for the private key store factory class property - TODO confirm.
    public static final String ZTS_CLIENT_PKEY_STORE_FACTORY_CLASS = "com.yahoo.athenz.auth.impl.FilePrivateKeyStoreFactory";
    // NOTE(review): how this protocol string is applied is not visible here - confirm that it
    // does not stop newer TLS versions from being negotiated.
    public static final String ZTS_CLIENT_DEFAULT_CLIENT_SSL_PROTOCOL = "TLSv1.2";

    // ---- Process-wide (static) state shared by every ZTSClient instance ----
    private static Timer FETCH_TIMER;
    private static ServiceLoader<ZTSClientService> ztsTokenProviders;
    // No initialiser here; lookupZTSUrl() dereferences it, so it must be assigned before that call.
    private static AtomicReference<Set<String>> svcLoaderCacheKeys;
    private static ZTSAccessTokenFileLoader ztsAccessTokenFileLoader;
    private static final Logger LOG = LoggerFactory.getLogger(ZTSClient.class);
    private static boolean cacheDisabled = false;
    private static int tokenMinExpiryTime = 900;
    // Evaluates to 300; the HttpStatus constant is most likely a decompiler substitution for
    // the plain literal - TODO confirm against the original source.
    private static int tokenMaxExpiryOffset = HttpStatus.SC_MULTIPLE_CHOICES;
    private static long prefetchInterval = 60;
    private static boolean prefetchAutoEnable = true;
    private static String x509CsrDn = null;
    private static String x509CsrDomain = null;
    private static int reqReadTimeout = 30000;
    private static int reqConnectTimeout = 30000;
    private static String x509CertDNSName = null;
    private static String confZtsUrl = null;
    private static JwtsSigningKeyResolver resolver = null;
    // Static initialisers run in textual order: initConfigValues() executes after the fields
    // above are set and BEFORE the caches, queue, lock and key store declared below exist.
    private static boolean initialized = initConfigValues();
    public static final String ROLE_TOKEN_HEADER = System.getProperty("athenz.auth.role.header", "Athenz-Role-Auth");
    static final ConcurrentHashMap<String, RoleToken> ROLE_TOKEN_CACHE = new ConcurrentHashMap<>();
    static final ConcurrentHashMap<String, AccessTokenResponseCacheEntry> ACCESS_TOKEN_CACHE = new ConcurrentHashMap<>();
    static final ConcurrentHashMap<String, AWSTemporaryCredentials> AWS_CREDS_CACHE = new ConcurrentHashMap<>();
    // Items the TokenPrefetchTask iterates on each run.
    private static final Queue<PrefetchTokenScheduledItem> PREFETCH_SCHEDULED_ITEMS = new ConcurrentLinkedQueue();
    private static final Object TIMER_LOCK = new Object();
    // Unix time in seconds of the last TokenPrefetchTask run; -1 until the first run.
    static AtomicLong FETCHER_LAST_RUN_AT = new AtomicLong(-1);
    static final ClientKeyRefresherListener KEY_REFRESHER_LISTENER = new ClientKeyRefresherListener();
    private static PrivateKeyStore PRIVATE_KEY_STORE = loadServicePrivateKey();

    /* loaded from: input_file:com/yahoo/athenz/zts/ZTSClient$AWSHostNameVerifier.class */
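    /**
     * Hostname verifier that ignores the hostname passed in by the TLS layer and instead
     * accepts the peer only when a certificate it presented carries a dNSName
     * subjectAltName equal (case-insensitively) to the DNS name given at construction.
     *
     * <p>NOTE(review): every certificate returned by {@code getPeerCertificates()} is
     * inspected, not only the end-entity certificate at index 0, so a matching SAN on any
     * certificate in the presented chain is accepted. Confirm that this is intended before
     * treating the verifier as a pin on the server certificate.
     */
    public class AWSHostNameVerifier implements HostnameVerifier {
        /** GeneralName tag that marks a dNSName entry in a subjectAltName extension. */
        private static final int SAN_TYPE_DNS_NAME = 2;

        String dnsHostname;

        /**
         * @param str DNS name that must appear as a dNSName SAN in the peer's certificates
         */
        public AWSHostNameVerifier(String str) {
            this.dnsHostname = str;
        }

        /**
         * Checks the peer certificates of the session against the configured DNS name.
         *
         * @param str hostname supplied by the TLS layer; not used in the decision
         * @param sSLSession session whose peer certificates are inspected
         * @return {@code true} if any presented X.509 certificate has a matching dNSName SAN;
         *         {@code false} otherwise, including when the peer is unverified
         */
        @Override // javax.net.ssl.HostnameVerifier
        public boolean verify(String str, SSLSession sSLSession) {
            Certificate[] peerCerts;
            try {
                peerCerts = sSLSession.getPeerCertificates();
            } catch (SSLPeerUnverifiedException ignored) {
                // No authenticated peer identity is available: fail closed.
                return false;
            }
            if (peerCerts == null) {
                return false;
            }
            for (Certificate cert : peerCerts) {
                // Only X.509 certificates carry a subjectAltName extension; skip anything
                // else instead of failing with a ClassCastException.
                if (!(cert instanceof X509Certificate)) {
                    continue;
                }
                try {
                    if (matchDnsHostname(((X509Certificate) cert).getSubjectAlternativeNames())) {
                        return true;
                    }
                } catch (java.security.cert.CertificateParsingException ignored) {
                    // A SAN extension that cannot be decoded can never match; keep looking.
                }
            }
            return false;
        }

        /**
         * Looks for a dNSName entry equal to the configured DNS name, ignoring case.
         *
         * @param collection SAN entries in the {@code [Integer type, Object value]} form
         *                   returned by {@code X509Certificate.getSubjectAlternativeNames()};
         *                   may be {@code null}
         * @return {@code true} on a match; {@code false} when there is none, when the
         *         collection is {@code null}, or when no DNS name was configured
         */
        boolean matchDnsHostname(Collection<List<?>> collection) {
            // A verifier without an expected name must reject, not throw.
            if (collection == null || this.dnsHostname == null) {
                return false;
            }
            for (List<?> sanEntry : collection) {
                if (sanEntry == null || sanEntry.size() < 2) {
                    continue;
                }
                final Object type = sanEntry.get(0);
                final Object value = sanEntry.get(1);
                if (!(type instanceof Integer) || ((Integer) type).intValue() != SAN_TYPE_DNS_NAME) {
                    continue;
                }
                if (value instanceof String && this.dnsHostname.equalsIgnoreCase((String) value)) {
                    return true;
                }
            }
            return false;
        }
    }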

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/yahoo/athenz/zts/ZTSClient$ClientKeyRefresherListener.class */
    /**
     * Remembers when the key-change callback last fired, as Unix time in whole seconds.
     * TokenPrefetchTask.shouldRefresh compares this value with a token's fetch time.
     *
     * <p>NOTE(review): the timestamp is a plain, non-volatile field. If the callback and the
     * prefetch timer run on different threads, the reader may see a stale value - confirm.
     */
    public static class ClientKeyRefresherListener implements KeyRefresherListener {
        long lastCertRefreshTime = 0;

        ClientKeyRefresherListener() {
        }

        /** Stamps the current wall-clock time, truncated to seconds. */
        public void onKeyChangeEvent() {
            final long nowMillis = System.currentTimeMillis();
            lastCertRefreshTime = nowMillis / 1000;
        }

        /** @return seconds since the epoch of the last key change, or 0 if none was seen */
        long getLastCertRefreshTime() {
            return lastCertRefreshTime;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/yahoo/athenz/zts/ZTSClient$PrefetchTokenScheduledItem.class */
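    /**
     * One entry of the prefetch queue: the identity, target and bookkeeping timestamps that
     * TokenPrefetchTask needs to refresh a single token. All setters return {@code this} so
     * that an item can be built fluently.
     *
     * <p>Identity for {@link #equals(Object)} and {@link #hashCode()} covers domainName,
     * identityDomain, identityName, roleName, roleNames, proxyForPrincipal, externalId,
     * idTokenServiceName, sslContext, tokenType and isInvalid. Timestamps, durations,
     * authorizationDetails, cacheKey and proxyUrl are not part of it.
     */
    public static class PrefetchTokenScheduledItem {
        String providedZTSUrl;
        ServiceIdentityProvider siaProvider;
        ZTSRDLGeneratedClient ztsClient;
        String identityDomain;
        String identityName;
        String domainName;
        String cacheKey;
        String roleName;
        List<String> roleNames;
        String proxyForPrincipal;
        String externalId;
        String authorizationDetails;
        String idTokenServiceName;
        Integer minDuration;
        Integer maxDuration;
        int tokenMinExpiryTime;
        SSLContext sslContext;
        String proxyUrl;
        TokenType tokenType = TokenType.ACCESS;
        boolean isInvalid = false;
        // Compared against "now" in seconds by TokenPrefetchTask.shouldRefresh.
        long expiresAtUTC = 0;
        long fetchTime = 0;
        ZTSClientNotificationSender notificationSender = null;
        // 0 means "no failure recorded" (see shouldSendNotification).
        long lastFailTime = 0;
        // 0 means "no notification recorded" (see shouldSendNotification).
        long lastNotificationTime = 0;

        PrefetchTokenScheduledItem() {
        }

        PrefetchTokenScheduledItem setTokenType(TokenType tokenType) {
            this.tokenType = tokenType;
            return this;
        }

        PrefetchTokenScheduledItem setProvidedZTSUrl(String str) {
            this.providedZTSUrl = str;
            return this;
        }

        PrefetchTokenScheduledItem setSiaIdentityProvider(ServiceIdentityProvider serviceIdentityProvider) {
            this.siaProvider = serviceIdentityProvider;
            return this;
        }

        PrefetchTokenScheduledItem setZtsClient(ZTSRDLGeneratedClient zTSRDLGeneratedClient) {
            this.ztsClient = zTSRDLGeneratedClient;
            return this;
        }

        PrefetchTokenScheduledItem setIsInvalid(boolean z) {
            this.isInvalid = z;
            return this;
        }

        PrefetchTokenScheduledItem setIdentityDomain(String str) {
            this.identityDomain = str;
            return this;
        }

        PrefetchTokenScheduledItem setIdentityName(String str) {
            this.identityName = str;
            return this;
        }

        PrefetchTokenScheduledItem setDomainName(String str) {
            this.domainName = str;
            return this;
        }

        PrefetchTokenScheduledItem setCacheKey(String str) {
            this.cacheKey = str;
            return this;
        }

        PrefetchTokenScheduledItem setRoleName(String str) {
            this.roleName = str;
            return this;
        }

        PrefetchTokenScheduledItem setRoleNames(List<String> list) {
            this.roleNames = list;
            return this;
        }

        PrefetchTokenScheduledItem setProxyForPrincipal(String str) {
            this.proxyForPrincipal = str;
            return this;
        }

        PrefetchTokenScheduledItem setExternalId(String str) {
            this.externalId = str;
            return this;
        }

        PrefetchTokenScheduledItem setAuthorizationDetails(String str) {
            this.authorizationDetails = str;
            return this;
        }

        PrefetchTokenScheduledItem setIdTokenServiceName(String str) {
            this.idTokenServiceName = str;
            return this;
        }

        PrefetchTokenScheduledItem setMinDuration(Integer num) {
            this.minDuration = num;
            return this;
        }

        PrefetchTokenScheduledItem setMaxDuration(Integer num) {
            this.maxDuration = num;
            return this;
        }

        PrefetchTokenScheduledItem setExpiresAtUTC(long j) {
            this.expiresAtUTC = j;
            return this;
        }

        PrefetchTokenScheduledItem setFetchTime(long j) {
            this.fetchTime = j;
            return this;
        }

        PrefetchTokenScheduledItem setNotificationSender(ZTSClientNotificationSender zTSClientNotificationSender) {
            this.notificationSender = zTSClientNotificationSender;
            return this;
        }

        PrefetchTokenScheduledItem setLastFailTime(long j) {
            this.lastFailTime = j;
            return this;
        }

        PrefetchTokenScheduledItem setLastNotificationTime(long j) {
            this.lastNotificationTime = j;
            return this;
        }

        PrefetchTokenScheduledItem setTokenMinExpiryTime(int i) {
            this.tokenMinExpiryTime = i;
            return this;
        }

        PrefetchTokenScheduledItem setSslContext(SSLContext sSLContext) {
            this.sslContext = sSLContext;
            return this;
        }

        PrefetchTokenScheduledItem setProxyUrl(String str) {
            this.proxyUrl = str;
            return this;
        }

        /**
         * Hashes exactly the fields that {@link #equals(Object)} compares.
         *
         * <p>proxyUrl is left out on purpose: equals() does not compare it, and two items
         * that are equal must produce the same hash code.
         * NOTE(review): if items that differ only by proxy are meant to be scheduled
         * separately, add proxyUrl to both methods instead.
         */
        @Override
        public int hashCode() {
            return java.util.Objects.hash(
                    this.domainName,
                    this.identityDomain,
                    this.identityName,
                    this.roleName,
                    this.roleNames,
                    this.proxyForPrincipal,
                    this.externalId,
                    this.idTokenServiceName,
                    this.sslContext,
                    this.tokenType,
                    this.isInvalid);
        }

        /**
         * Two items are equal when they are of the same class and agree on the identity
         * fields listed in the class documentation; {@code null} fields match only
         * {@code null}.
         */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            final PrefetchTokenScheduledItem other = (PrefetchTokenScheduledItem) obj;
            return this.isInvalid == other.isInvalid
                    && this.tokenType == other.tokenType
                    && java.util.Objects.equals(this.domainName, other.domainName)
                    && java.util.Objects.equals(this.identityDomain, other.identityDomain)
                    && java.util.Objects.equals(this.identityName, other.identityName)
                    && java.util.Objects.equals(this.roleName, other.roleName)
                    && java.util.Objects.equals(this.roleNames, other.roleNames)
                    && java.util.Objects.equals(this.proxyForPrincipal, other.proxyForPrincipal)
                    && java.util.Objects.equals(this.externalId, other.externalId)
                    && java.util.Objects.equals(this.idTokenServiceName, other.idTokenServiceName)
                    && java.util.Objects.equals(this.sslContext, other.sslContext);
        }

        /**
         * Decides whether a failure notification is due.
         *
         * @return {@code true} only when a sender is configured, a failure is recorded
         *         (lastFailTime != 0) and no notification is recorded (lastNotificationTime == 0)
         */
        public boolean shouldSendNotification() {
            if (this.notificationSender == null) {
                return false;
            }
            if (this.lastFailTime != 0) {
                return this.lastNotificationTime == 0;
            }
            // No failure on record: reset the notification marker so that the next failure
            // is reported again.
            this.lastNotificationTime = 0L;
            return false;
        }
    }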

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/yahoo/athenz/zts/ZTSClient$TokenPrefetchTask.class */
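    /**
     * Timer task that walks the prefetch queue, picks the items that are due and refreshes
     * each of them through a short-lived ZTSClient.
     */
    public static class TokenPrefetchTask extends TimerTask {
        TokenPrefetchTask() {
        }

        /**
         * Builds the client used to refresh one item: the SSLContext-based constructor when
         * the item carries an SSLContext, otherwise the service-identity-provider one.
         */
        ZTSClient getZTSClient(PrefetchTokenScheduledItem prefetchTokenScheduledItem) {
            final PrefetchTokenScheduledItem item = prefetchTokenScheduledItem;
            if (item.sslContext != null) {
                return new ZTSClient(item.providedZTSUrl, item.proxyUrl, item.sslContext);
            }
            return new ZTSClient(item.providedZTSUrl, item.identityDomain, item.identityName, item.siaProvider);
        }

        /**
         * Decides whether an item is due for refresh.
         *
         * @param tokenType kind of token the item holds
         * @param j current time
         * @param j2 time the token was last fetched
         * @param j3 time of the last failed refresh, or 0 if none
         * @param j4 token expiry time
         * @return {@code true} when the token should be refreshed now
         */
        boolean shouldRefresh(TokenType tokenType, long j, long j2, long j3, long j4) {
            final long now = j;
            final long fetchedAt = j2;
            final long lastFailedAt = j3;
            final long expiresAt = j4;

            // An access token fetched before the last key change is always refreshed;
            // presumably because it is tied to the old client certificate - confirm.
            if (tokenType == TokenType.ACCESS
                    && fetchedAt < ZTSClient.KEY_REFRESHER_LISTENER.getLastCertRefreshTime()) {
                return true;
            }
            // Not yet halfway between fetch and expiry: nothing to do.
            if (fetchedAt + (expiresAt - fetchedAt) / 2 > now) {
                return false;
            }
            if (lastFailedAt == 0) {
                return true;
            }
            // After a failure, wait until halfway between that failure and expiry.
            return lastFailedAt + (expiresAt - lastFailedAt) / 2 <= now;
        }

        /**
         * Runs one prefetch pass. A failure while refreshing one item is logged and the
         * pass continues with the next item: an exception escaping a TimerTask terminates
         * the Timer thread, which would stop every later refresh.
         */
        @Override // java.util.TimerTask, java.lang.Runnable
        public void run() {
            final long nowSeconds = System.currentTimeMillis() / 1000;
            ZTSClient.FETCHER_LAST_RUN_AT.set(nowSeconds);
            if (ZTSClient.LOG.isDebugEnabled()) {
                ZTSClient.LOG.debug("PrefetchTask: Fetching tokens from the scheduled queue. Size={}", ZTSClient.PREFETCH_SCHEDULED_ITEMS.size());
            }
            if (ZTSClient.PREFETCH_SCHEDULED_ITEMS.isEmpty()) {
                if (ZTSClient.LOG.isDebugEnabled()) {
                    ZTSClient.LOG.debug("PrefetchTask: No items to fetch. Queue is empty");
                }
                return;
            }

            final List<PrefetchTokenScheduledItem> dueItems = new ArrayList<>();
            boolean needSvcLoaderTokens = false;
            for (PrefetchTokenScheduledItem item : ZTSClient.PREFETCH_SCHEDULED_ITEMS) {
                if (ZTSClient.LOG.isDebugEnabled()) {
                    final String owner = item.sslContext == null
                            ? item.identityDomain + "." + item.identityName
                            : item.sslContext.toString();
                    ZTSClient.LOG.debug("PrefetchTask: item={} type={} domain={} roleName={} fetch/fail/expire times {}/{}/{}", owner, item.tokenType, item.domainName, item.roleName, item.fetchTime, item.lastFailTime, item.expiresAtUTC);
                }
                if (!shouldRefresh(item.tokenType, nowSeconds, item.fetchTime, item.lastFailTime, item.expiresAtUTC)) {
                    continue;
                }
                if (ZTSClient.LOG.isDebugEnabled()) {
                    ZTSClient.LOG.debug("PrefetchTask: domain={} roleName={}. Refresh this item.", item.domainName, item.roleName);
                }
                dueItems.add(item);
                if (item.tokenType == TokenType.SVC_ROLE) {
                    needSvcLoaderTokens = true;
                }
            }
            if (dueItems.isEmpty()) {
                return;
            }

            Set svcLoaderTokens = null;
            if (needSvcLoaderTokens) {
                try {
                    // access$200 is a compiler-generated accessor kept by the decompiler;
                    // the private static method it forwards to is not visible here.
                    svcLoaderTokens = ZTSClient.access$200();
                } catch (Exception e) {
                    ZTSClient.LOG.error("Unable to load service provider tokens", e);
                }
            }

            for (PrefetchTokenScheduledItem item : dueItems) {
                // The per-item client is closed on every path by try-with-resources.
                try (ZTSClient itemClient = getZTSClient(item)) {
                    ZTSClient.processPrefetchTask(item, itemClient, svcLoaderTokens, nowSeconds);
                } catch (Exception e) {
                    // Also covers a client constructor that rejects the item's settings.
                    ZTSClient.LOG.error("PrefetchTask: unable to refresh token for domain={} roleName={}", item.domainName, item.roleName, e);
                }
            }
        }
    }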

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/yahoo/athenz/zts/ZTSClient$TokenType.class */
    /** Kinds of credentials a PrefetchTokenScheduledItem can track. */
    public enum TokenType {
        // presumably a role token (see ROLE_TOKEN_CACHE) - TODO confirm.
        ROLE,
        // Default type of a PrefetchTokenScheduledItem, and the only type that
        // TokenPrefetchTask.shouldRefresh forces to refresh after a key change event.
        ACCESS,
        // presumably AWS temporary credentials (see AWS_CREDS_CACHE) - TODO confirm.
        AWS,
        // Items of this type make TokenPrefetchTask.run load the service provider tokens first.
        SVC_ROLE
    }

    /**
     * Seeds the static client settings from JVM system properties, then resolves the ZTS
     * URL and creates the access-token file loader. Invoked from the static initialiser of
     * the {@code initialized} field.
     *
     * <p>A non-numeric value in one of the integer properties makes {@code Integer.parseInt}
     * throw, which aborts class initialisation.
     *
     * @return always {@code true}
     */
    static boolean initConfigValues() {
        loadSvcProviderTokens();

        // The expiry floor goes first: setPrefetchInterval validates against it.
        final String minExpiry = System.getProperty(ZTS_CLIENT_PROP_TOKEN_MIN_EXPIRY_TIME, "900");
        setTokenMinExpiryTime(Integer.parseInt(minExpiry));

        final String prefetchSleep = System.getProperty(ZTS_CLIENT_PROP_PREFETCH_SLEEP_INTERVAL, "60");
        setPrefetchInterval(Integer.parseInt(prefetchSleep));

        final String autoPrefetch = System.getProperty(ZTS_CLIENT_PROP_PREFETCH_AUTO_ENABLE, "true");
        setPrefetchAutoEnable(Boolean.parseBoolean(autoPrefetch));

        final String disableCache = System.getProperty(ZTS_CLIENT_PROP_DISABLE_CACHE, "false");
        setCacheDisable(Boolean.parseBoolean(disableCache));

        final String csrDn = System.getProperty(ZTS_CLIENT_PROP_X509CSR_DN);
        final String csrDomain = System.getProperty(ZTS_CLIENT_PROP_X509CSR_DOMAIN);
        setX509CsrDetails(csrDn, csrDomain);

        final int connectTimeout = Integer.parseInt(System.getProperty(ZTS_CLIENT_PROP_CONNECT_TIMEOUT, "30000"));
        final int readTimeout = Integer.parseInt(System.getProperty(ZTS_CLIENT_PROP_READ_TIMEOUT, "30000"));
        setConnectionTimeouts(connectTimeout, readTimeout);

        setX509CertDnsName(System.getProperty(ZTS_CLIENT_PROP_X509CERT_DNS_NAME));

        lookupZTSUrl();
        initZTSAccessTokenFileLoader();
        return true;
    }

    /**
     * Overrides the static X.509 certificate DNS name, which initConfigValues() seeds from
     * the {@code athenz.zts.client.x509cert_dns_name} system property.
     *
     * @param str DNS name to store; {@code null} clears it
     */
    public static void setX509CertDnsName(String str) {
        ZTSClient.x509CertDNSName = str;
    }

    /**
     * Sets the static request timeouts. Values are stored without validation.
     *
     * @param i connect timeout (the default of 30000 suggests milliseconds - TODO confirm)
     * @param i2 read timeout, in the same unit
     */
    public static void setConnectionTimeouts(int i, int i2) {
        ZTSClient.reqConnectTimeout = i;
        ZTSClient.reqReadTimeout = i2;
    }

    /**
     * Sets the static X.509 CSR details, which initConfigValues() seeds from the
     * {@code athenz.zts.client.x509csr_dn} and {@code athenz.zts.client.x509csr_domain}
     * system properties.
     *
     * @param str CSR DN value
     * @param str2 CSR domain value
     */
    public static void setX509CsrDetails(String str, String str2) {
        ZTSClient.x509CsrDn = str;
        ZTSClient.x509CsrDomain = str2;
    }

    /**
     * Sets the static cache-disabled flag for all clients in this JVM.
     *
     * @param z {@code true} to mark the cache as disabled
     */
    public static void setCacheDisable(boolean z) {
        ZTSClient.cacheDisabled = z;
    }

    /**
     * Sets the static prefetch auto-enable flag for all clients in this JVM.
     *
     * @param z new value of the flag
     */
    public static void setPrefetchAutoEnable(boolean z) {
        ZTSClient.prefetchAutoEnable = z;
    }

    /**
     * Sets the static prefetch interval. A value at or above the current minimum token
     * expiry time is replaced by 60.
     *
     * <p>NOTE(review): zero and negative values are stored unchanged - confirm that the
     * code scheduling the timer copes with them.
     *
     * @param i requested interval (presumably seconds, like the expiry time - TODO confirm)
     */
    public static void setPrefetchInterval(int i) {
        prefetchInterval = (i >= tokenMinExpiryTime) ? 60L : i;
    }

    /**
     * Sets the static minimum token expiry time; a negative value is replaced by 900.
     *
     * @param i requested minimum expiry time
     */
    public static void setTokenMinExpiryTime(int i) {
        tokenMinExpiryTime = (i < 0) ? 900 : i;
    }

    /**
     * Reads the ZTS URL from the Athenz configuration file into the static confZtsUrl.
     *
     * <p>The file path is the {@code athenz.athenz_conf} system property, defaulting to
     * {@code $ROOT/conf/athenz/athenz.conf} with {@code /home/athenz} as the root when the
     * ROOT environment variable is unset. If the file cannot be read or parsed, a warning
     * is logged; confZtsUrl is then set to {@code https://localhost:4443/} only when the
     * service-loader cache key set is non-empty, and is otherwise left untouched.
     *
     * <p>NOTE(review): confZtsUrl is presumably the default endpoint that credentials are
     * requested from, so whoever controls ROOT, the system property or the file controls
     * that endpoint - confirm, and keep the file writable only by the service owner.
     */
    public static void lookupZTSUrl() {
        final String envRoot = System.getenv("ROOT");
        final String rootDir = (envRoot != null) ? envRoot : "/home/athenz";
        final String confPath = System.getProperty(ZTS_CLIENT_PROP_ATHENZ_CONF, rootDir + "/conf/athenz/athenz.conf");
        try {
            final byte[] confBytes = Files.readAllBytes(Paths.get(confPath));
            final AthenzConfig conf = (AthenzConfig) JSON.fromBytes(confBytes, AthenzConfig.class);
            confZtsUrl = conf.getZtsUrl();
        } catch (Exception e) {
            LOG.warn("Unable to extract ZTS Url from conf file {}, exc: {}", confPath, e.getMessage());
            if (!svcLoaderCacheKeys.get().isEmpty()) {
                confZtsUrl = "https://localhost:4443/";
            }
        }
    }

    /**
     * Creates the static access-token file loader and preloads it. When no signing key
     * resolver was set beforehand, one is created with a null URL and a null SSLContext
     * and kept in the static resolver field.
     */
    public static void initZTSAccessTokenFileLoader() {
        JwtsSigningKeyResolver activeResolver = resolver;
        if (activeResolver == null) {
            activeResolver = new JwtsSigningKeyResolver((String) null, (SSLContext) null);
            resolver = activeResolver;
        }
        final ZTSAccessTokenFileLoader loader = new ZTSAccessTokenFileLoader(activeResolver);
        ztsAccessTokenFileLoader = loader;
        loader.preload();
    }

    /**
     * Replaces the static signing key resolver.
     *
     * <p>Only the field is updated: a file loader already built by
     * initZTSAccessTokenFileLoader() keeps the resolver it was constructed with.
     * NOTE(review): the resolver presumably supplies the keys that access-token signatures
     * are checked against, so it should only come from trusted configuration - confirm.
     *
     * @param jwtsSigningKeyResolver resolver to use from now on; {@code null} makes the next
     *        initZTSAccessTokenFileLoader() call create a default one
     */
    public static void setAccessTokenSignKeyResolver(JwtsSigningKeyResolver jwtsSigningKeyResolver) {
        ZTSClient.resolver = jwtsSigningKeyResolver;
    }

    /**
     * Creates a client with no explicit ZTS URL, principal or service identity.
     * initClient runs with prefetch enabled; prefetch is switched off afterwards.
     */
    public ZTSClient() {
        // Reference and boolean fields not assigned here keep their Java defaults (null / false).
        ztsClientCache = ZTSClientCache.getInstance();
        enablePrefetch = true;
        initClient(null, null, null, null, null);
        enablePrefetch = false;
    }

    /**
     * Creates a client for the given ZTS URL without a principal or service identity.
     * initClient runs with prefetch enabled; prefetch is switched off afterwards.
     *
     * @param str ZTS URL passed to initClient; may be {@code null}
     */
    public ZTSClient(String str) {
        // Reference and boolean fields not assigned here keep their Java defaults (null / false).
        ztsClientCache = ZTSClientCache.getInstance();
        enablePrefetch = true;
        initClient(str, null, null, null, null);
        enablePrefetch = false;
    }

    /**
     * Creates a client for the given principal with no explicit ZTS URL. Delegates to
     * {@code ZTSClient(String, Principal)}, which rejects a {@code null} principal and a
     * principal without an authority.
     *
     * @param principal identity the client acts as
     * @throws IllegalArgumentException if the principal or its authority is {@code null}
     */
    public ZTSClient(Principal principal) {
        // The cast selects the (String, Principal) overload for the null URL.
        this((String) null, principal);
    }

    /**
     * Creates a client that acts as the given principal.
     * initClient runs with prefetch enabled; prefetch is switched off afterwards.
     *
     * @param str ZTS URL passed to initClient; may be {@code null}
     * @param principal identity the client acts as
     * @throws IllegalArgumentException if the principal or its authority is {@code null}
     */
    public ZTSClient(String str, Principal principal) {
        // Reference and boolean fields not assigned here keep their Java defaults (null / false).
        ztsClientCache = ZTSClientCache.getInstance();
        enablePrefetch = true;

        // A principal without an authority is rejected before initClient runs.
        if (principal == null) {
            throw new IllegalArgumentException("Principal object must be specified");
        }
        if (principal.getAuthority() == null) {
            throw new IllegalArgumentException("Principal Authority cannot be null");
        }

        initClient(str, principal, null, null, null);
        enablePrefetch = false;
    }

    /**
     * Creates a client that authenticates through the given SSLContext, without a proxy.
     * Delegates to {@code ZTSClient(String, String, SSLContext)} with a {@code null} proxy URL.
     *
     * @param str ZTS URL passed to initClient; may be {@code null}
     * @param sSLContext TLS context to use
     * @throws IllegalArgumentException if the SSLContext is {@code null}
     */
    public ZTSClient(String str, SSLContext sSLContext) {
        // The cast selects the (String, String, SSLContext) overload for the null proxy URL.
        this(str, (String) null, sSLContext);
    }

    /**
     * Creates a client that authenticates through the given SSLContext, optionally via a
     * proxy. Unlike the URL-only and principal constructors, prefetch stays enabled.
     *
     * @param str ZTS URL passed to initClient; may be {@code null}
     * @param str2 proxy URL; may be {@code null}
     * @param sSLContext TLS context to use
     * @throws IllegalArgumentException if the SSLContext is {@code null}
     */
    public ZTSClient(String str, String str2, SSLContext sSLContext) {
        // Reference and boolean fields not assigned here keep their Java defaults (null / false).
        ztsClientCache = ZTSClientCache.getInstance();
        enablePrefetch = true;

        if (sSLContext == null) {
            throw new IllegalArgumentException("SSLContext object must be specified");
        }

        // Both are stored before initClient is called.
        sslContext = sSLContext;
        proxyUrl = str2;
        initClient(str, null, null, null, null);
    }

    /**
     * Creates a client for a service identity with no explicit ZTS URL. Delegates to the
     * four-argument constructor, which validates all three arguments.
     *
     * @param str domain name of the service
     * @param str2 service name
     * @param serviceIdentityProvider provider of the service identity
     * @throws IllegalArgumentException if the domain or service name is empty or the
     *         provider is {@code null}
     */
    public ZTSClient(String str, String str2, ServiceIdentityProvider serviceIdentityProvider) {
        this(null, str, str2, serviceIdentityProvider);
    }

    /**
     * Creates a client for a service identity. Prefetch stays enabled.
     *
     * @param str ZTS URL passed to initClient; may be {@code null}
     * @param str2 domain name of the service
     * @param str3 service name
     * @param serviceIdentityProvider provider of the service identity
     * @throws IllegalArgumentException if the domain or service name is empty or the
     *         provider is {@code null}
     */
    public ZTSClient(String str, String str2, String str3, ServiceIdentityProvider serviceIdentityProvider) {
        // Reference and boolean fields not assigned here keep their Java defaults (null / false).
        ztsClientCache = ZTSClientCache.getInstance();
        enablePrefetch = true;

        // All three identity arguments are mandatory; reject before initClient runs.
        if (isEmpty(str2)) {
            throw new IllegalArgumentException("Domain name must be specified");
        }
        if (isEmpty(str3)) {
            throw new IllegalArgumentException("Service name must be specified");
        }
        if (serviceIdentityProvider == null) {
            throw new IllegalArgumentException("Service Identity Provider must be specified");
        }

        initClient(str, null, str2, str3, serviceIdentityProvider);
    }

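    /**
     * Closes the underlying generated ZTS client.
     *
     * <p>Does nothing when no client is set, matching the null guard in {@code setProperty}.
     * {@code setZTSRDLGeneratedClient} accepts any reference, including {@code null}, so the
     * field cannot be assumed non-null here.
     */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.ztsClient != null) {
            this.ztsClient.close();
        }
    }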

    /**
     * Turns automatic token prefetch on or off for this client instance.
     *
     * @param z {@code true} to allow token lookups to schedule a prefetch
     */
    public void setEnablePrefetch(boolean z) {
        enablePrefetch = z;
    }

    /**
     * Forwards a property to the underlying generated client, if one is set.
     *
     * @param str property name
     * @param obj property value
     */
    public void setProperty(String str, Object obj) {
        if (ztsClient == null) {
            // No client yet: the property is dropped, not stored for later.
            return;
        }
        ztsClient.setProperty(str, obj);
    }

    /**
     * Sets the sender that prefetch items created by this client will carry.
     *
     * @param zTSClientNotificationSender notification sender, stored as given
     */
    public void setNotificationSender(ZTSClientNotificationSender zTSClientNotificationSender) {
        notificationSender = zTSClientNotificationSender;
    }

    /**
     * Drops every scheduled prefetch item and stops the shared fetch timer.
     *
     * <p>The scheduled items hold the TLS context and identity provider handed to
     * {@code prefetchToken}; clearing the collection releases those references.
     */
    public static void cancelPrefetch() {
        PREFETCH_SCHEDULED_ITEMS.clear();
        if (FETCH_TIMER == null) {
            return;
        }
        FETCH_TIMER.purge();
        FETCH_TIMER.cancel();
        // Cleared so the next use does not pick up a cancelled timer.
        FETCH_TIMER = null;
    }

    /**
     * Returns the ZTS URL this client resolved in {@code initClient}.
     *
     * @return the URL, with the {@code zts/v1} suffix added when it was missing
     */
    public String getZTSUrl() {
        return ztsUrl;
    }

    /**
     * Replaces the generated client and marks it as an override.
     *
     * <p>Once the override flag is set, {@code prefetchToken} attaches this client to the
     * scheduled items it creates. The replacement keeps whatever transport settings it was
     * built with; the TLS context and timeouts configured in {@code initClient} are not applied.
     *
     * @param zTSRDLGeneratedClient client to use from now on
     */
    public void setZTSRDLGeneratedClient(ZTSRDLGeneratedClient zTSRDLGeneratedClient) {
        ztsClient = zTSRDLGeneratedClient;
        ztsClientOverride = true;
    }

    /**
     * Replaces the client cache instance used by this client.
     *
     * @param zTSClientCache cache to use, stored as given
     */
    public void setZTSClientCache(ZTSClientCache zTSClientCache) {
        ztsClientCache = zTSClientCache;
    }

    /**
     * Builds a TLS context backed by a key refresher, and optionally starts the refresher.
     *
     * <p>The first four arguments go to {@code Utils.generateKeyRefresher} in order; presumably
     * trust-store path, trust-store password, certificate path and private-key path (confirm
     * against {@code Utils}). The password array is passed on as given and is not cleared here.
     *
     * @param str first refresher argument (presumably the trust-store path)
     * @param cArr second refresher argument (presumably the trust-store password)
     * @param str2 third refresher argument (presumably the certificate path)
     * @param str3 fourth refresher argument (presumably the private-key path)
     * @param z {@code true} to start the refresher after the context has been built
     * @return the context built from the refresher's key-manager and trust-manager proxies
     * @throws InterruptedException declared; presumably raised by the refresher
     * @throws KeyRefresherException if the refresher or the context cannot be created
     * @throws IOException declared; presumably raised when the key material cannot be read
     */
    public SSLContext createSSLContext(String str, char[] cArr, String str2, String str3, boolean z) throws InterruptedException, KeyRefresherException, IOException {
        final KeyRefresher refresher = Utils.generateKeyRefresher(str, cArr, str2, str3, KEY_REFRESHER_LISTENER);
        final SSLContext context = Utils.buildSSLContext(refresher.getKeyManagerProxy(), refresher.getTrustManagerProxy());
        // Start the refresher only after the context exists, as the original does.
        if (z) {
            refresher.startup();
        }
        return context;
    }

    /**
     * Builds a TLS context from the {@code ZTS_CLIENT_PROP_*} system properties.
     *
     * <p>Returns {@code null} when no key-store path is configured. Key-store, key-manager and
     * trust-store passwords are read from system properties as {@code String} values and handed
     * to the builder as {@code char[]} copies; neither form is cleared here, and system
     * properties are readable by any code in the JVM. The {@code *_PWD_APP_NAME} properties are
     * passed through whenever they are set; presumably they name an entry resolved through
     * {@code PRIVATE_KEY_STORE} (confirm in {@code SSLUtils}).
     *
     * @return the configured context, or {@code null} when the key-store path property is empty
     */
    private SSLContext createSSLContext() {
        final String keyStoreLocation = System.getProperty(ZTS_CLIENT_PROP_KEYSTORE_PATH);
        if (isEmpty(keyStoreLocation)) {
            return null;
        }

        final String protocol = System.getProperty(ZTS_CLIENT_PROP_CLIENT_PROTOCOL, ZTS_CLIENT_DEFAULT_CLIENT_SSL_PROTOCOL);
        final SSLUtils.ClientSSLContextBuilder builder = new SSLUtils.ClientSSLContextBuilder(protocol).privateKeyStore(PRIVATE_KEY_STORE).keyStorePath(keyStoreLocation);

        // Key store. Values are applied in the same order as the original.
        final String certAlias = System.getProperty(ZTS_CLIENT_PROP_CERT_ALIAS);
        if (!isEmpty(certAlias)) {
            builder.certAlias(certAlias);
        }
        final String keyStoreType = System.getProperty(ZTS_CLIENT_PROP_KEYSTORE_TYPE);
        if (!isEmpty(keyStoreType)) {
            builder.keyStoreType(keyStoreType);
        }
        final String keyStorePassword = System.getProperty(ZTS_CLIENT_PROP_KEYSTORE_PASSWORD);
        if (!isEmpty(keyStorePassword)) {
            builder.keyStorePassword(keyStorePassword.toCharArray());
        }
        // App names are forwarded when non-null, even if empty.
        final String keyStorePasswordAppName = System.getProperty(ZTS_CLIENT_PROP_KEYSTORE_PWD_APP_NAME);
        if (keyStorePasswordAppName != null) {
            builder.keyStorePasswordAppName(keyStorePasswordAppName);
        }

        // Key manager.
        final String keyManagerPassword = System.getProperty(ZTS_CLIENT_PROP_KEY_MANAGER_PASSWORD);
        if (!isEmpty(keyManagerPassword)) {
            builder.keyManagerPassword(keyManagerPassword.toCharArray());
        }
        final String keyManagerPasswordAppName = System.getProperty(ZTS_CLIENT_PROP_KEY_MANAGER_PWD_APP_NAME);
        if (keyManagerPasswordAppName != null) {
            builder.keyManagerPasswordAppName(keyManagerPasswordAppName);
        }

        // Trust store.
        final String trustStoreLocation = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_PATH);
        if (!isEmpty(trustStoreLocation)) {
            builder.trustStorePath(trustStoreLocation);
        }
        final String trustStoreType = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_TYPE);
        if (!isEmpty(trustStoreType)) {
            builder.trustStoreType(trustStoreType);
        }
        final String trustStorePassword = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_PASSWORD);
        if (!isEmpty(trustStorePassword)) {
            builder.trustStorePassword(trustStorePassword.toCharArray());
        }
        final String trustStorePasswordAppName = System.getProperty(ZTS_CLIENT_PROP_TRUSTSTORE_PWD_APP_NAME);
        if (trustStorePasswordAppName != null) {
            builder.trustStorePasswordAppName(trustStorePasswordAppName);
        }

        return builder.build();
    }

    /**
     * Loads the private-key store through the factory class named by a system property.
     *
     * <p>The factory class name comes from {@code ZTS_CLIENT_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS}
     * and defaults to {@code ZTS_CLIENT_PKEY_STORE_FACTORY_CLASS}. Whoever can set JVM system
     * properties therefore chooses which class {@code SSLUtils.loadServicePrivateKey} is given
     * (presumably to load and instantiate it; confirm in {@code SSLUtils}).
     *
     * @return the key store produced by {@code SSLUtils.loadServicePrivateKey}
     */
    static PrivateKeyStore loadServicePrivateKey() {
        final String factoryClassName = System.getProperty(ZTS_CLIENT_PROP_PRIVATE_KEY_STORE_FACTORY_CLASS, ZTS_CLIENT_PKEY_STORE_FACTORY_CLASS);
        return SSLUtils.loadServicePrivateKey(factoryClassName);
    }

    /**
     * Returns a fresh JAX-RS client builder.
     *
     * <p>Package-private and non-final; presumably a seam for tests to substitute a builder.
     *
     * @return a new builder from {@code ClientBuilder.newBuilder()}
     */
    ClientBuilder getClientBuilder() {
        return ClientBuilder.newBuilder();
    }

    /**
     * Resolves the ZTS URL, builds the HTTP client and records the identity this client acts as.
     *
     * <p>NOTE(review): the URL scheme is never checked. {@code createConnectionManager} also
     * registers a plain socket factory for the default (http) scheme, so an {@code http://} URL
     * would carry the credential header added at the end of this method without TLS. Confirm
     * that callers and configuration restrict the URL to https.
     *
     * @param str ZTS URL, or {@code null} to use {@code confZtsUrl}
     * @param principal principal whose credentials are attached to requests, or {@code null}
     * @param str2 identity domain, overridden by the principal's domain when a principal is given
     * @param str3 identity service, overridden by the principal's name when a principal is given
     * @param serviceIdentityProvider provider used later to refresh the principal, or {@code null}
     */
    private void initClient(String str, Principal principal, String str2, String str3, ServiceIdentityProvider serviceIdentityProvider) {
        this.ztsUrl = str == null ? confZtsUrl : str;
        // Normalise the URL so it always ends in the API base path "/zts/v1".
        if (!isEmpty(this.ztsUrl) && !this.ztsUrl.endsWith("/zts/v1")) {
            if (this.ztsUrl.charAt(this.ztsUrl.length() - 1) != '/') {
                this.ztsUrl += '/';
            }
            this.ztsUrl += "zts/v1";
        }
        // A custom hostname verifier is installed only when x509CertDNSName is configured.
        AWSHostNameVerifier aWSHostNameVerifier = null;
        if (!isEmpty(x509CertDNSName)) {
            aWSHostNameVerifier = new AWSHostNameVerifier(x509CertDNSName);
        }
        // No context from the constructor: try the system-property configuration (may stay null).
        if (this.sslContext == null) {
            this.sslContext = createSSLContext();
        }
        // Unknown JSON properties in server responses are ignored instead of failing the parse.
        ClientConfig clientConfig = new ClientConfig(new JacksonJaxbJsonProvider().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false));
        PoolingHttpClientConnectionManager createConnectionManager = createConnectionManager(this.sslContext, aWSHostNameVerifier);
        if (createConnectionManager != null) {
            clientConfig.property2(ApacheClientProperties.CONNECTION_MANAGER, (Object) createConnectionManager);
        }
        clientConfig.connectorProvider(new ApacheConnectorProvider());
        if (this.proxyUrl != null) {
            clientConfig.property2(ClientProperties.PROXY_URI, (Object) this.proxyUrl);
        }
        ClientBuilder clientBuilder = getClientBuilder();
        if (this.sslContext != null) {
            clientBuilder = clientBuilder.sslContext(this.sslContext);
            // Having a TLS context always turns prefetch on; the Principal constructor turns it off afterwards.
            this.enablePrefetch = true;
        }
        // NOTE(review): hostnameVerifier() receives null when x509CertDNSName is empty; presumably
        // the client then uses its default hostname verification - confirm.
        this.ztsClient = new ZTSRDLGeneratedClient(this.ztsUrl, clientBuilder.withConfig(clientConfig).hostnameVerifier(aWSHostNameVerifier).readTimeout(reqReadTimeout, TimeUnit.MILLISECONDS).connectTimeout(reqConnectTimeout, TimeUnit.MILLISECONDS).build());
        this.principal = principal;
        this.domain = str2;
        this.service = str3;
        this.siaProvider = serviceIdentityProvider;
        if (this.principal != null) {
            // The principal's own domain and name replace whatever was passed in str2/str3.
            this.domain = this.principal.getDomain();
            this.service = this.principal.getName();
            // getAuthority() is dereferenced without a null check here; the Principal constructor checks it first.
            this.ztsClient.addCredentials(principal.getAuthority().getHeader(), principal.getCredentials());
        }
    }

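    /**
     * Builds the pooled connection manager used for requests to ZTS.
     *
     * <p>The pool limits are parsed before the manager is allocated, so a malformed
     * {@code ZTS_CLIENT_PROP_POOL_MAX_PER_ROUTE} or {@code ZTS_CLIENT_PROP_POOL_MAX_TOTAL} value
     * fails with the same {@link NumberFormatException} as before but no longer leaves an
     * unclosed connection manager behind.
     *
     * <p>A plain socket factory is registered for the default (http) scheme next to the TLS one,
     * so this pool will also serve {@code http://} URLs without transport protection.
     *
     * @param sSLContext TLS context for https connections; {@code null} means no manager is built
     * @param hostnameVerifier verifier for https connections, or {@code null} to use the socket
     *     factory's default
     * @return the configured manager, or {@code null} when {@code sSLContext} is {@code null}
     * @throws NumberFormatException if either pool-size property is not an integer
     */
    PoolingHttpClientConnectionManager createConnectionManager(SSLContext sSLContext, HostnameVerifier hostnameVerifier) {
        if (sSLContext == null) {
            return null;
        }
        // Parse first: nothing has been allocated yet if either value is malformed.
        final int maxPerRoute = Integer.parseInt(System.getProperty(ZTS_CLIENT_PROP_POOL_MAX_PER_ROUTE, "2"));
        final int maxTotal = Integer.parseInt(System.getProperty(ZTS_CLIENT_PROP_POOL_MAX_TOTAL, "20"));

        final SSLConnectionSocketFactory tlsSocketFactory = hostnameVerifier == null
                ? new SSLConnectionSocketFactory(sSLContext)
                : new SSLConnectionSocketFactory(sSLContext, hostnameVerifier);
        final Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("https", tlsSocketFactory)
                .register(HttpHost.DEFAULT_SCHEME_NAME, new PlainConnectionSocketFactory())
                .build();

        final PoolingHttpClientConnectionManager manager = new PoolingHttpClientConnectionManager(registry);
        manager.setDefaultMaxPerRoute(maxPerRoute);
        manager.setMaxTotal(maxTotal);
        return manager;
    }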

    /**
     * Sets the prefetch interval.
     *
     * <p>The field is assigned without a {@code this.} qualifier, which suggests it is shared by
     * all clients and not per instance; confirm against the field declaration.
     *
     * @param j new interval (unit not visible here)
     */
    void setPrefetchInterval(long j) {
        prefetchInterval = j;
    }

    /**
     * Returns the current prefetch interval.
     *
     * @return the value last stored in {@code prefetchInterval}
     */
    long getPrefetchInterval() {
        return prefetchInterval;
    }

    /**
     * Returns the header name defined by {@code ROLE_TOKEN_HEADER}.
     *
     * @return the role-token header name
     */
    public static String getHeader() {
        return ROLE_TOKEN_HEADER;
    }

    /**
     * Makes this client act as the given principal and detaches any identity provider.
     *
     * @param principal principal whose credentials are attached to subsequent requests
     * @return this client
     */
    public ZTSClient addCredentials(Principal principal) {
        // Explicit credentials replace provider-driven refresh.
        final boolean resetSiaProvider = true;
        return addPrincipalCredentials(principal, resetSiaProvider);
    }

    /**
     * Attaches a raw credential header to the underlying generated client.
     *
     * @param str header name
     * @param str2 header value; this is a credential and should not be logged by callers
     */
    public void addCredentials(String str, String str2) {
        ztsClient.addCredentials(str, str2);
    }

    /**
     * Removes the current principal's credential header and forgets the principal.
     *
     * <p>Only the header named by the principal's authority is reset (to {@code null}). Tokens
     * already held in the token caches are not touched by this method.
     *
     * @return this client
     */
    public ZTSClient clearCredentials() {
        if (this.principal == null) {
            return this;
        }
        final String headerName = this.principal.getAuthority().getHeader();
        this.ztsClient.addCredentials(headerName, null);
        this.principal = null;
        return this;
    }

    /**
     * Records the principal and, when it has an authority, attaches its credential header.
     *
     * <p>The principal is stored even when it is {@code null} or has no authority; in that case
     * no header is set and any previously attached header stays in place.
     *
     * @param principal principal to act as; may be {@code null}
     * @param z {@code true} to drop the identity provider so it no longer refreshes credentials
     * @return this client
     */
    ZTSClient addPrincipalCredentials(Principal principal, boolean z) {
        final boolean hasAuthority = principal != null && principal.getAuthority() != null;
        if (hasAuthority) {
            this.ztsClient.addCredentials(principal.getAuthority().getHeader(), principal.getCredentials());
        }
        if (z) {
            this.siaProvider = null;
        }
        this.principal = principal;
        return this;
    }

    /**
     * Tells whether the given principal carries the same credential string as the current one.
     *
     * @param principal freshly obtained principal; must not be {@code null}
     * @return {@code true} only when a current principal exists, its credentials are non-null
     *     and they equal the given principal's credentials
     */
    boolean sameCredentialsAsBefore(Principal principal) {
        if (this.principal == null) {
            return false;
        }
        final String currentCredentials = this.principal.getCredentials();
        return currentCredentials != null && currentCredentials.equals(principal.getCredentials());
    }

    /**
     * Refreshes the principal from the identity provider when one is configured.
     *
     * @return {@code true} when new credentials were attached; {@code false} when there is no
     *     provider or the credentials are unchanged
     * @throws IllegalArgumentException if the provider returns no identity for the configured
     *     domain and service
     */
    boolean updateServicePrincipal() {
        if (siaProvider == null) {
            return false;
        }
        final Principal refreshed = siaProvider.getIdentity(domain, service);
        if (refreshed == null) {
            final String message = "UpdateServicePrincipal: Unable to get PrincipalToken from SIA Provider for " + domain + "." + service;
            LOG.error(message);
            throw new IllegalArgumentException(message);
        }
        final boolean credentialsChanged = !sameCredentialsAsBefore(refreshed);
        if (credentialsChanged) {
            // Keep the provider attached so later calls can refresh again.
            addPrincipalCredentials(refreshed, false);
        }
        return credentialsChanged;
    }

    /**
     * Fetches the host-services record for a host from ZTS.
     *
     * @param str host name to look up
     * @return the server's response
     * @throws ZTSClientException with the server's code and data for a {@code ResourceException},
     *     or with code 400 and the exception message for any other failure
     * @throws IllegalArgumentException if the identity provider cannot supply a principal
     */
    public HostServices getHostServices(String str) {
        // Refreshed outside the try block, so its IllegalArgumentException is not rewrapped.
        updateServicePrincipal();
        final HostServices hostServices;
        try {
            hostServices = ztsClient.getHostServices(str);
        } catch (ResourceException serverError) {
            throw new ZTSClientException(serverError.getCode(), serverError.getData());
        } catch (Exception other) {
            throw new ZTSClientException(400, other.getMessage());
        }
        return hostServices;
    }

    /**
     * Fetches the JSON Web Key list from ZTS.
     *
     * <p>The keys come back over the connection configured in {@code initClient}; what a caller
     * may trust them for depends on that connection being authenticated TLS.
     *
     * @param z flag forwarded to the server call as a boxed {@code Boolean}
     * @return the key list returned by the server
     * @throws ZTSClientException with the server's code and data for a {@code ResourceException},
     *     or with code 400 and the exception message for any other failure
     */
    public JWKList getJWKList(boolean z) {
        // Refreshed outside the try block, so its IllegalArgumentException is not rewrapped.
        updateServicePrincipal();
        final JWKList keys;
        try {
            keys = ztsClient.getJWKList(Boolean.valueOf(z));
        } catch (ResourceException serverError) {
            throw new ZTSClientException(serverError.getCode(), serverError.getData());
        } catch (Exception other) {
            throw new ZTSClientException(400, other.getMessage());
        }
        return keys;
    }

    /**
     * Fetches the JSON Web Key list with the flag of {@link #getJWKList(boolean)} set to
     * {@code false}.
     *
     * @return the key list returned by the server
     */
    public JWKList getJWKList() {
        final boolean flag = false;
        return getJWKList(flag);
    }

    /**
     * Returns a role token for a domain with no role filter, no expiry bounds and caching allowed.
     *
     * @param str domain name
     * @return the role token
     */
    public RoleToken getRoleToken(String str) {
        final String roleNames = null;
        final Integer minExpiryTime = null;
        final Integer maxExpiryTime = null;
        final String proxyForPrincipal = null;
        return getRoleToken(str, roleNames, minExpiryTime, maxExpiryTime, false, proxyForPrincipal);
    }

    /**
     * Returns a role token for specific roles in a domain, with caching allowed.
     *
     * @param str domain name
     * @param str2 role name or comma-separated role names; must not be empty
     * @return the role token
     * @throws IllegalArgumentException if {@code str2} is null or empty
     */
    public RoleToken getRoleToken(String str, String str2) {
        if (!isEmpty(str2)) {
            final Integer minExpiryTime = null;
            final Integer maxExpiryTime = null;
            final String proxyForPrincipal = null;
            return getRoleToken(str, str2, minExpiryTime, maxExpiryTime, false, proxyForPrincipal);
        }
        throw new IllegalArgumentException("RoleNames cannot be null or empty");
    }

    /**
     * Returns a role token with expiry bounds and no proxy principal.
     *
     * @param str domain name
     * @param str2 role name or comma-separated role names, or {@code null}
     * @param num minimum expiry bound, or {@code null}
     * @param num2 maximum expiry bound, or {@code null}
     * @param z {@code true} to skip the cache lookup
     * @return the role token
     */
    public RoleToken getRoleToken(String str, String str2, Integer num, Integer num2, boolean z) {
        final String proxyForPrincipal = null;
        return getRoleToken(str, str2, num, num2, z, proxyForPrincipal);
    }

    /**
     * Returns a role token, trying the cache, then the registered token providers, then ZTS.
     *
     * <p>Security-relevant behaviour: when the ZTS call fails and {@code z} is {@code false}, a
     * cached token is returned in place of the error if one is still accepted by
     * {@code lookupRoleTokenInCache} with a minimum of 1 (presumably one second of remaining
     * validity; confirm). This applies to every failure, including a {@code ResourceException}
     * of any status code, so a rejection by ZTS does not stop this client from handing out a
     * previously issued, unexpired token.
     *
     * @param str domain name
     * @param str2 role name or comma-separated role names, or {@code null}
     * @param num minimum expiry bound, or {@code null}
     * @param num2 maximum expiry bound, or {@code null}
     * @param z {@code true} to skip the cache lookup and the cached-token fallback
     * @param str3 proxy-for principal, or {@code null}
     * @return the role token
     * @throws ZTSClientException if ZTS fails and no cached token can be used
     * @throws IllegalArgumentException if the identity provider cannot supply a principal
     */
    public RoleToken getRoleToken(String str, String str2, Integer num, Integer num2, boolean z, String str3) {
        RoleToken lookupRoleTokenInCache;
        RoleToken lookupRoleTokenInCache2;
        String str4 = null;
        if (!cacheDisabled) {
            // The key is null when neither a domain nor a TLS context identifies this client.
            str4 = getRoleTokenCacheKey(str, str2, str3);
            if (str4 != null && !z) {
                RoleToken lookupRoleTokenInCache3 = lookupRoleTokenInCache(str4, num, num2, tokenMinExpiryTime);
                if (lookupRoleTokenInCache3 != null) {
                    return lookupRoleTokenInCache3;
                }
                // Cache miss: a successful prefetch fills the cache, so look again afterwards.
                if (this.enablePrefetch && prefetchAutoEnable) {
                    if (prefetchRoleToken(str, str2, num, num2, str3)) {
                        lookupRoleTokenInCache3 = lookupRoleTokenInCache(str4, num, num2, tokenMinExpiryTime);
                    }
                    if (lookupRoleTokenInCache3 != null) {
                        return lookupRoleTokenInCache3;
                    }
                    LOG.error("GetRoleToken: cache prefetch and lookup error");
                }
            }
        }
        // Registered token providers are asked before ZTS; the first non-null token wins.
        // A provider's token is returned as is and is not written to ROLE_TOKEN_CACHE here.
        Iterator<ZTSClientService> it = ztsTokenProviders.iterator();
        while (it.hasNext()) {
            ZTSClientService next = it.next();
            if (LOG.isDebugEnabled()) {
                LOG.debug("getRoleToken: found service provider={}", next);
            }
            RoleToken fetchToken = next.fetchToken(this.domain, this.service, str, str2, num, num2, str3);
            if (fetchToken != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("getRoleToken: service provider={} returns token", next);
                }
                return fetchToken;
            }
        }
        updateServicePrincipal();
        try {
            RoleToken roleToken = this.ztsClient.getRoleToken(str, str2, num, num2, str3);
            if (!cacheDisabled) {
                if (str4 == null) {
                    str4 = getRoleTokenCacheKey(str, str2, str3);
                }
                if (str4 != null) {
                    ROLE_TOKEN_CACHE.put(str4, roleToken);
                }
            }
            return roleToken;
        } catch (ResourceException e) {
            // Fallback: any server error is masked by a cached token that has not yet expired.
            if (str4 == null || z || (lookupRoleTokenInCache2 = lookupRoleTokenInCache(str4, null, null, 1)) == null) {
                throw new ZTSClientException(e.getCode(), e.getData());
            }
            return lookupRoleTokenInCache2;
        } catch (Exception e2) {
            // Same fallback for transport and other failures; these are reported as code 400.
            if (str4 == null || z || (lookupRoleTokenInCache = lookupRoleTokenInCache(str4, null, null, 1)) == null) {
                throw new ZTSClientException(400, e2.getMessage());
            }
            return lookupRoleTokenInCache;
        }
    }

    /**
     * Requests an access token for a domain and roles, with caching allowed.
     *
     * @param str domain name
     * @param list role names, or {@code null}/empty for the whole domain
     * @param j requested expiry; values of zero or less are not sent to the server
     * @return the access-token response
     */
    public AccessTokenResponse getAccessToken(String str, List<String> list, long j) {
        final String idTokenServiceName = null;
        final String proxyForPrincipal = null;
        final String authorizationDetails = null;
        return getAccessToken(str, list, idTokenServiceName, proxyForPrincipal, authorizationDetails, j, false);
    }

    /**
     * Requests an access token for a single role with authorization details, caching allowed.
     *
     * @param str domain name
     * @param str2 role name
     * @param str3 authorization details forwarded to the token request
     * @param j requested expiry; values of zero or less are not sent to the server
     * @return the access-token response
     */
    public AccessTokenResponse getAccessToken(String str, String str2, String str3, long j) {
        final List<String> singleRole = Collections.singletonList(str2);
        final String idTokenServiceName = null;
        final String proxyForPrincipal = null;
        return getAccessToken(str, singleRole, idTokenServiceName, proxyForPrincipal, str3, j, false);
    }

    /**
     * Requests an access token, optionally with an ID token for a service.
     *
     * @param str domain name
     * @param list role names, or {@code null}/empty for the whole domain
     * @param str2 service name for the ID-token scope, or {@code null}
     * @param j requested expiry; values of zero or less are not sent to the server
     * @param z {@code true} to skip the cache lookup
     * @return the access-token response
     */
    public AccessTokenResponse getAccessToken(String str, List<String> list, String str2, long j, boolean z) {
        final String proxyForPrincipal = null;
        final String authorizationDetails = null;
        return getAccessToken(str, list, str2, proxyForPrincipal, authorizationDetails, j, z);
    }

    /**
     * Returns an access token, trying the cache, then a token file on disk, then ZTS.
     *
     * <p>Security-relevant behaviour:
     * <ul>
     *   <li>The disk lookup is keyed only by domain and role names, yet its result is returned
     *       and cached under a key that also covers {@code str2}, {@code str3} and {@code str4}.
     *       NOTE(review): whether the file loader checks the token's signature and expiry is not
     *       visible here - confirm.</li>
     *   <li>The disk lookup also runs when {@code z} is {@code true}.</li>
     *   <li>When the ZTS call fails and {@code z} is {@code false}, a cached response is returned
     *       in place of the error if {@code lookupAccessTokenResponseInCache(key, -1)} still
     *       accepts one. This applies to every failure, including a {@code ResourceException} of
     *       any status code.</li>
     * </ul>
     *
     * @param str domain name
     * @param list role names, or {@code null}/empty for the whole domain
     * @param str2 service name for the ID-token scope, or {@code null}
     * @param str3 proxy-for principal, or {@code null}
     * @param str4 authorization details, or {@code null}
     * @param j requested expiry; values of zero or less are not sent to the server
     * @param z {@code true} to skip the cache lookup and the cached-response fallback
     * @return the access-token response
     * @throws ZTSClientException if ZTS fails and no cached response can be used
     * @throws IllegalArgumentException if the identity provider cannot supply a principal
     */
    public AccessTokenResponse getAccessToken(String str, List<String> list, String str2, String str3, String str4, long j, boolean z) {
        AccessTokenResponse lookupAccessTokenResponseInCache;
        AccessTokenResponse lookupAccessTokenResponseInCache2;
        AccessTokenResponse accessTokenResponse = null;
        String str5 = null;
        if (!cacheDisabled) {
            // The key is null when neither a domain nor a TLS context identifies this client.
            str5 = getAccessTokenCacheKey(str, list, str2, str3, str4);
            if (str5 != null && !z) {
                accessTokenResponse = lookupAccessTokenResponseInCache(str5, j);
                if (accessTokenResponse != null) {
                    return accessTokenResponse;
                }
                // Cache miss: a successful prefetch fills the cache, so look again afterwards.
                if (this.enablePrefetch && prefetchAutoEnable) {
                    if (prefetchAccessToken(str, list, str2, str3, str4, j)) {
                        accessTokenResponse = lookupAccessTokenResponseInCache(str5, j);
                    }
                    if (accessTokenResponse != null) {
                        return accessTokenResponse;
                    }
                    LOG.error("GetAccessToken: cache prefetch and lookup error");
                }
            }
        }
        // A read failure is logged and treated as "no token on disk".
        try {
            accessTokenResponse = ztsAccessTokenFileLoader.lookupAccessTokenFromDisk(str, list);
        } catch (IOException e) {
            LOG.error("GetAccessToken: failed to load access token from disk {}", e.getMessage());
        }
        if (accessTokenResponse == null) {
            updateServicePrincipal();
            try {
                accessTokenResponse = this.ztsClient.postAccessTokenRequest(generateAccessTokenRequestBody(str, list, str2, str3, str4, j));
            } catch (ResourceException e2) {
                // Fallback: any server error is masked by a cached response that is still accepted.
                if (str5 == null || z || (lookupAccessTokenResponseInCache2 = lookupAccessTokenResponseInCache(str5, -1L)) == null) {
                    throw new ZTSClientException(e2.getCode(), e2.getData());
                }
                return lookupAccessTokenResponseInCache2;
            } catch (Exception e3) {
                // Same fallback for transport and other failures; these are reported as code 400.
                if (str5 == null || z || (lookupAccessTokenResponseInCache = lookupAccessTokenResponseInCache(str5, -1L)) == null) {
                    throw new ZTSClientException(400, e3.getMessage());
                }
                return lookupAccessTokenResponseInCache;
            }
        }
        // Both disk-loaded and server-issued responses are cached.
        if (!cacheDisabled) {
            if (str5 == null) {
                str5 = getAccessTokenCacheKey(str, list, str2, str3, str4);
            }
            if (str5 != null) {
                ACCESS_TOKEN_CACHE.put(str5, new AccessTokenResponseCacheEntry(accessTokenResponse));
            }
        }
        return accessTokenResponse;
    }

    /**
     * Builds the form-encoded body of a client-credentials access-token request.
     *
     * <p>The scope, proxy principal and authorization details are URL-encoded, so they cannot
     * break out of their form parameter. Scope entries are joined with spaces before encoding,
     * however, so a domain or role name that itself contains a space would read as additional
     * scope entries on the server side; callers passing externally supplied names should
     * validate them first.
     *
     * @param str domain name
     * @param list role names, or {@code null}/empty to request the {@code :domain} scope
     * @param str2 service name for the {@code openid} scope, or empty
     * @param str3 proxy-for principal, or empty
     * @param str4 authorization details, or empty
     * @param j requested expiry; omitted from the body when zero or negative
     * @return the request body
     * @throws UnsupportedEncodingException declared by {@code URLEncoder.encode}
     */
    String generateAccessTokenRequestBody(String str, List<String> list, String str2, String str3, String str4, long j) throws UnsupportedEncodingException {
        // Scope: one "<domain>:role.<name>" entry per role, or "<domain>:domain" when no roles are given.
        final StringBuilder scope = new StringBuilder(256);
        if (isEmpty(list)) {
            scope.append(str).append(":domain");
        } else {
            boolean first = true;
            for (String roleName : list) {
                if (!first) {
                    scope.append(' ');
                }
                scope.append(str).append(":role.").append(roleName);
                first = false;
            }
        }
        if (!isEmpty(str2)) {
            scope.append(" openid ").append(str).append(":service.").append(str2);
        }

        final StringBuilder body = new StringBuilder(256);
        body.append("grant_type=client_credentials");
        if (j > 0) {
            body.append("&expires_in=").append(j);
        }
        body.append("&scope=").append(URLEncoder.encode(scope.toString(), "UTF-8"));
        if (!isEmpty(str3)) {
            body.append("&proxy_for_principal=").append(URLEncoder.encode(str3, "UTF-8"));
        }
        if (!isEmpty(str4)) {
            body.append("&authorization_details=").append(URLEncoder.encode(str4, "UTF-8"));
        }
        return body.toString();
    }

    /**
     * Requests a role certificate for a role in a domain (deprecated form).
     *
     * <p>Unlike the token calls in this class, a {@code ResourceException} is reported here with
     * its message and not its data.
     *
     * @param str role domain name
     * @param str2 role name
     * @param roleCertificateRequest request carrying the CSR
     * @return the server's response
     * @throws ZTSClientException with the server's code for a {@code ResourceException}, or
     *     with code 400 for any other failure
     */
    @Deprecated
    public RoleToken postRoleCertificateRequest(String str, String str2, RoleCertificateRequest roleCertificateRequest) {
        // Refreshed outside the try block, so its IllegalArgumentException is not rewrapped.
        updateServicePrincipal();
        final RoleToken response;
        try {
            response = ztsClient.postRoleCertificateRequest(str, str2, roleCertificateRequest);
        } catch (ResourceException serverError) {
            throw new ZTSClientException(serverError.getCode(), serverError.getMessage());
        } catch (Exception other) {
            throw new ZTSClientException(400, other.getMessage());
        }
        return response;
    }

    /**
     * Requests a role certificate using the extended endpoint.
     *
     * <p>Unlike the token calls in this class, a {@code ResourceException} is reported here with
     * its message and not its data.
     *
     * @param roleCertificateRequest request carrying the CSR
     * @return the issued role certificate
     * @throws ZTSClientException with the server's code for a {@code ResourceException}, or
     *     with code 400 for any other failure
     */
    public RoleCertificate postRoleCertificateRequest(RoleCertificateRequest roleCertificateRequest) {
        // Refreshed outside the try block, so its IllegalArgumentException is not rewrapped.
        updateServicePrincipal();
        final RoleCertificate certificate;
        try {
            certificate = ztsClient.postRoleCertificateRequestExt(roleCertificateRequest);
        } catch (ResourceException serverError) {
            throw new ZTSClientException(serverError.getCode(), serverError.getMessage());
        } catch (Exception other) {
            throw new ZTSClientException(400, other.getMessage());
        }
        return certificate;
    }

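    /**
     * Builds a role-certificate request containing a freshly generated X.509 CSR.
     *
     * <p>The subject is {@code cn=<roleDomain>:role.<roleName>} plus the optional DN suffix. The
     * CSR carries a dNSName SAN {@code <service>.<domain-with-dashes>.<csrDomain>} and an
     * rfc822Name SAN {@code <domain>.<service>@<csrDomain>}.
     *
     * <p>Names are lower-cased with {@code Locale.ROOT}. The default-locale form used before
     * maps {@code I} to a dotless i under a Turkish default locale, which would change the
     * identity written into the CSR.
     *
     * <p>NOTE(review): the role names and the DN suffix are concatenated into the subject string
     * without escaping, so a value containing {@code ','} or {@code '='} would change the DN
     * structure. Confirm that callers pass validated names only.
     *
     * @param str principal's domain
     * @param str2 principal's service name
     * @param str3 role domain name
     * @param str4 role name
     * @param privateKey key used to sign the CSR
     * @param str5 additional DN components appended after the CN, or {@code null}
     * @param str6 domain suffix used in the SAN entries
     * @param i expiry time stored on the request
     * @return the populated request
     * @throws IllegalArgumentException if a required name or the CSR domain is {@code null}
     * @throws ZTSClientException with code 400 if the CSR cannot be generated
     */
    public static RoleCertificateRequest generateRoleCertificateRequest(String str, String str2, String str3, String str4, PrivateKey privateKey, String str5, String str6, int i) {
        if (str == null || str2 == null) {
            throw new IllegalArgumentException("Principal's Domain and Service must be specified");
        }
        if (str3 == null || str4 == null) {
            throw new IllegalArgumentException("Role DomainName and Name must be specified");
        }
        if (str6 == null) {
            throw new IllegalArgumentException("X509 CSR Domain must be specified");
        }
        // Locale.ROOT keeps the lower-casing independent of the JVM's default locale.
        final String principalDomain = str.toLowerCase(java.util.Locale.ROOT);
        final String principalService = str2.toLowerCase(java.util.Locale.ROOT);
        String subjectDn = "cn=" + str3.toLowerCase(java.util.Locale.ROOT) + ":role." + str4.toLowerCase(java.util.Locale.ROOT);
        if (str5 != null) {
            subjectDn = subjectDn.concat(",").concat(str5);
        }
        try {
            final GeneralName[] subjectAltNames = {
                // Dots in the domain become dashes so the domain fits in a single DNS label.
                new GeneralName(GeneralName.dNSName, new DERIA5String(principalService + '.' + principalDomain.replace('.', '-') + '.' + str6)),
                new GeneralName(GeneralName.rfc822Name, new DERIA5String(principalDomain + "." + principalService + "@" + str6))
            };
            return new RoleCertificateRequest().setCsr(Crypto.generateX509CSR(privateKey, subjectDn, subjectAltNames)).setExpiryTime(i);
        } catch (OperatorCreationException | IOException e) {
            throw new ZTSClientException(400, e.getMessage());
        }
    }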

    /**
     * Builds a role-certificate request using the configured CSR DN and domain.
     *
     * <p>The SAN domain is {@code <cloud>.<x509CsrDomain>} when {@code x509CsrDomain} is
     * configured, and the bare cloud name otherwise.
     *
     * @param str principal's domain
     * @param str2 principal's service name
     * @param str3 role domain name
     * @param str4 role name
     * @param privateKey key used to sign the CSR
     * @param str5 cloud environment name; must not be {@code null}
     * @param i expiry time stored on the request
     * @return the populated request
     * @throws IllegalArgumentException if {@code str5} is {@code null}
     */
    public static RoleCertificateRequest generateRoleCertificateRequest(String str, String str2, String str3, String str4, PrivateKey privateKey, String str5, int i) {
        if (str5 == null) {
            throw new IllegalArgumentException("Cloud Environment must be specified");
        }
        final String csrDomain;
        if (x509CsrDomain != null) {
            csrDomain = str5 + "." + x509CsrDomain;
        } else {
            csrDomain = str5;
        }
        return generateRoleCertificateRequest(str, str2, str3, str4, privateKey, x509CsrDn, csrDomain, i);
    }

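    /**
     * Builds an instance-refresh request containing a freshly generated X.509 CSR.
     *
     * <p>The subject is {@code cn=<domain>.<service>} plus the optional DN suffix, and the CSR
     * carries one dNSName SAN {@code <service>.<domain-with-dashes>.<csrDomain>}.
     *
     * <p>Names are lower-cased with {@code Locale.ROOT}. The default-locale form used before
     * maps {@code I} to a dotless i under a Turkish default locale, which would change the
     * identity written into the CSR.
     *
     * <p>NOTE(review): the names and the DN suffix are concatenated into the subject string
     * without escaping. Confirm that callers pass validated names only.
     *
     * @param str principal's domain
     * @param str2 principal's service name
     * @param privateKey key used to sign the CSR
     * @param str3 additional DN components appended after the CN, or {@code null}
     * @param str4 domain suffix used in the SAN entry
     * @param i expiry time stored on the request
     * @return the populated request
     * @throws IllegalArgumentException if the domain, service or CSR domain is {@code null}
     * @throws ZTSClientException with code 400 if the CSR cannot be generated
     */
    public static InstanceRefreshRequest generateInstanceRefreshRequest(String str, String str2, PrivateKey privateKey, String str3, String str4, int i) {
        if (str == null || str2 == null) {
            throw new IllegalArgumentException("Principal's Domain and Service must be specified");
        }
        if (str4 == null) {
            throw new IllegalArgumentException("X509 CSR Domain must be specified");
        }
        // Locale.ROOT keeps the lower-casing independent of the JVM's default locale.
        final String principalDomain = str.toLowerCase(java.util.Locale.ROOT);
        final String principalService = str2.toLowerCase(java.util.Locale.ROOT);
        String subjectDn = "cn=" + (principalDomain + "." + principalService);
        if (str3 != null) {
            subjectDn = subjectDn.concat(",").concat(str3);
        }
        try {
            final GeneralName[] subjectAltNames = {
                // Dots in the domain become dashes so the domain fits in a single DNS label.
                new GeneralName(GeneralName.dNSName, new DERIA5String(principalService + '.' + principalDomain.replace('.', '-') + '.' + str4))
            };
            return new InstanceRefreshRequest().setCsr(Crypto.generateX509CSR(privateKey, subjectDn, subjectAltNames)).setExpiryTime(Integer.valueOf(i));
        } catch (OperatorCreationException | IOException e) {
            throw new ZTSClientException(400, e.getMessage());
        }
    }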

    /**
     * Builds an instance-refresh request using the configured CSR DN and domain.
     *
     * <p>The SAN domain is {@code <cloud>.<x509CsrDomain>} when {@code x509CsrDomain} is
     * configured, and the bare cloud name otherwise.
     *
     * @param str principal's domain
     * @param str2 principal's service name
     * @param privateKey key used to sign the CSR
     * @param str3 cloud environment name; must not be {@code null}
     * @param i expiry time stored on the request
     * @return the populated request
     * @throws IllegalArgumentException if {@code str3} is {@code null}
     */
    public static InstanceRefreshRequest generateInstanceRefreshRequest(String str, String str2, PrivateKey privateKey, String str3, int i) {
        if (str3 == null) {
            throw new IllegalArgumentException("Cloud Environment must be specified");
        }
        final String csrDomain;
        if (x509CsrDomain != null) {
            csrDomain = str3 + "." + x509CsrDomain;
        } else {
            csrDomain = str3;
        }
        return generateInstanceRefreshRequest(str, str2, privateKey, x509CsrDn, csrDomain, i);
    }

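    /**
     * Refreshes one scheduled prefetch item and records the outcome on the item.
     *
     * <p>When the item carries its own generated client, that client is swapped into
     * {@code zTSClient} for the duration of the call. The swap is now undone in a {@code finally}
     * block, so the caller's client is restored even if sending the notification throws;
     * previously the restore was skipped in that case.
     *
     * <p>Failure handling: a {@code ZTSClientException} with code 401 or 403 marks the item
     * invalid and removes it from the schedule. Other {@code ZTSClientException} codes only
     * record the failure time, so the item stays scheduled. Any other exception invalidates
     * and removes the item.
     *
     * @param prefetchTokenScheduledItem item to refresh
     * @param zTSClient client used to fetch the token
     * @param set cache keys against which {@code SVC_ROLE} items are checked, or {@code null} to
     *     skip the check (presumably the keys currently offered by token providers - confirm)
     * @param j current time, stored as fetch, fail and notification time
     */
    static void processPrefetchTask(PrefetchTokenScheduledItem prefetchTokenScheduledItem, ZTSClient zTSClient, Set<String> set, long j) {
        final ZTSRDLGeneratedClient originalClient = zTSClient.ztsClient;
        if (prefetchTokenScheduledItem.ztsClient != null) {
            zTSClient.ztsClient = prefetchTokenScheduledItem.ztsClient;
        }
        try {
            try {
                // Every fetch passes ignoreCache=true so the token really is renewed.
                switch (prefetchTokenScheduledItem.tokenType) {
                    case ROLE:
                        prefetchTokenScheduledItem.setExpiresAtUTC(zTSClient.getRoleToken(prefetchTokenScheduledItem.domainName, prefetchTokenScheduledItem.roleName, prefetchTokenScheduledItem.minDuration, prefetchTokenScheduledItem.maxDuration, true, prefetchTokenScheduledItem.proxyForPrincipal).getExpiryTime());
                        break;
                    case ACCESS:
                        prefetchTokenScheduledItem.setExpiresAtUTC((System.currentTimeMillis() / 1000) + zTSClient.getAccessToken(prefetchTokenScheduledItem.domainName, prefetchTokenScheduledItem.roleNames, prefetchTokenScheduledItem.idTokenServiceName, prefetchTokenScheduledItem.proxyForPrincipal, prefetchTokenScheduledItem.authorizationDetails, prefetchTokenScheduledItem.maxDuration.intValue(), true).getExpires_in().intValue());
                        break;
                    case AWS:
                        prefetchTokenScheduledItem.setExpiresAtUTC(zTSClient.getAWSTemporaryCredentials(prefetchTokenScheduledItem.domainName, prefetchTokenScheduledItem.roleName, prefetchTokenScheduledItem.externalId, prefetchTokenScheduledItem.minDuration, prefetchTokenScheduledItem.maxDuration, true).getExpiration().millis() / 1000);
                        break;
                    case SVC_ROLE:
                        // Nothing is fetched here; the item is dropped once its key is no longer in the set.
                        if (set != null && !set.contains(prefetchTokenScheduledItem.cacheKey)) {
                            prefetchTokenScheduledItem.setIsInvalid(true);
                            PREFETCH_SCHEDULED_ITEMS.remove(prefetchTokenScheduledItem);
                        }
                        break;
                }
                prefetchTokenScheduledItem.setFetchTime(j);
                prefetchTokenScheduledItem.setLastFailTime(0L);
            } catch (ZTSClientException e) {
                LOG.error("PrefetchTask: Error while trying to prefetch token", e);
                final int code = e.getCode();
                prefetchTokenScheduledItem.setLastFailTime(j);
                if (code == 401 || code == 403) {
                    // The server rejected the identity: stop retrying this item.
                    prefetchTokenScheduledItem.setIsInvalid(true);
                    PREFETCH_SCHEDULED_ITEMS.remove(prefetchTokenScheduledItem);
                }
            } catch (Exception e2) {
                prefetchTokenScheduledItem.setLastFailTime(j);
                prefetchTokenScheduledItem.setIsInvalid(true);
                PREFETCH_SCHEDULED_ITEMS.remove(prefetchTokenScheduledItem);
                LOG.error("PrefetchTask: Error while trying to prefetch token", e2);
            }
            if (prefetchTokenScheduledItem.shouldSendNotification()) {
                ZTSClientNotification notification = new ZTSClientNotification(zTSClient.getZTSUrl(), prefetchTokenScheduledItem.roleName, prefetchTokenScheduledItem.tokenType.toString(), prefetchTokenScheduledItem.expiresAtUTC, prefetchTokenScheduledItem.isInvalid, prefetchTokenScheduledItem.domainName);
                prefetchTokenScheduledItem.lastNotificationTime = j;
                prefetchTokenScheduledItem.notificationSender.sendNotification(notification);
            }
        } finally {
            // Always hand the caller's client back, whatever happened above.
            zTSClient.ztsClient = originalClient;
        }
    }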

    /**
     * Returns the number of items currently scheduled for prefetch.
     *
     * @return size of {@code PREFETCH_SCHEDULED_ITEMS}
     */
    int getScheduledItemsSize() {
        return PREFETCH_SCHEDULED_ITEMS.size();
    }

    /**
     * Fetches a role token and schedules it for prefetch, with no proxy principal.
     *
     * @param str domain name
     * @param str2 role name or comma-separated role names, or {@code null}
     * @param num minimum expiry bound, or {@code null}
     * @param num2 maximum expiry bound, or {@code null}
     * @return {@code true} when the item was scheduled
     */
    boolean prefetchRoleToken(String str, String str2, Integer num, Integer num2) {
        final String proxyForPrincipal = null;
        return prefetchRoleToken(str, str2, num, num2, proxyForPrincipal);
    }

    /**
     * Fetches a role token, bypassing the cache, and schedules it for periodic prefetch.
     *
     * @param str domain name; must not be blank
     * @param str2 role name or comma-separated role names, or {@code null}
     * @param num minimum expiry bound, or {@code null}
     * @param num2 maximum expiry bound, or {@code null}
     * @param str3 proxy-for principal, or {@code null}
     * @return {@code true} when the item was scheduled, {@code false} when no token came back or
     *     the client lacks the identity needed for scheduling
     * @throws ZTSClientException with code 400 if the domain name is blank, or if the fetch fails
     */
    boolean prefetchRoleToken(String str, String str2, Integer num, Integer num2, String str3) {
        final boolean blankDomain = str == null || str.trim().isEmpty();
        if (blankDomain) {
            throw new ZTSClientException(400, "Domain Name cannot be empty");
        }
        final RoleToken fetched = getRoleToken(str, str2, num, num2, true, str3);
        if (fetched == null) {
            LOG.error("PrefetchToken: No token fetchable using domain={}, roleSuffix={}", str, str2);
            return false;
        }
        return prefetchToken(str, str2, null, num, num2, str3, null, null, null, fetched.getExpiryTime(), TokenType.ROLE);
    }

    /**
     * Fetches AWS temporary credentials, bypassing the cache, and schedules them for prefetch.
     *
     * @param str domain name; must not be blank
     * @param str2 role name
     * @param str3 external id forwarded to the credentials request
     * @param num minimum expiry bound, or {@code null}
     * @param num2 maximum expiry bound, or {@code null}
     * @return {@code true} when the item was scheduled, {@code false} when no credentials came
     *     back or the client lacks the identity needed for scheduling
     * @throws ZTSClientException with code 400 if the domain name is blank
     */
    boolean prefetchAwsCreds(String str, String str2, String str3, Integer num, Integer num2) {
        final boolean blankDomain = str == null || str.trim().isEmpty();
        if (blankDomain) {
            throw new ZTSClientException(400, "Domain Name cannot be empty");
        }
        final AWSTemporaryCredentials fetched = getAWSTemporaryCredentials(str, str2, str3, num, num2, true);
        if (fetched == null) {
            LOG.error("PrefetchToken: No aws credential fetchable using domain={}, roleName={}", str, str2);
            return false;
        }
        // The expiration is reported in milliseconds; the schedule works in seconds.
        final long expiresAtUtc = fetched.getExpiration().millis() / 1000;
        return prefetchToken(str, str2, null, num, num2, null, str3, null, null, expiresAtUtc, TokenType.AWS);
    }

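    /**
     * Fetches an access token, bypassing the cache, and schedules it for periodic prefetch.
     *
     * <p>The decompiled source read the response through an undeclared {@code r0} variable; the
     * response is now held in a named local so the method compiles and the value is fetched once.
     *
     * <p>NOTE(review): {@code j} is narrowed to {@code int} for the scheduled item's maximum
     * duration, so a value above {@code Integer.MAX_VALUE} would wrap around.
     *
     * @param str domain name; must not be blank
     * @param list role names, or {@code null}/empty for the whole domain
     * @param str2 service name for the ID-token scope, or {@code null}
     * @param str3 proxy-for principal, or {@code null}
     * @param str4 authorization details, or {@code null}
     * @param j requested expiry
     * @return {@code true} when the item was scheduled, {@code false} when no token came back or
     *     the client lacks the identity needed for scheduling
     * @throws ZTSClientException with code 400 if the domain name is blank, or if the fetch fails
     */
    public boolean prefetchAccessToken(String str, List<String> list, String str2, String str3, String str4, long j) {
        if (str == null || str.trim().isEmpty()) {
            throw new ZTSClientException(400, "Domain Name cannot be empty");
        }
        final AccessTokenResponse response = getAccessToken(str, list, str2, str3, str4, j, true);
        if (response == null) {
            LOG.error("PrefetchToken: No access token fetchable using domain={}", str);
            return false;
        }
        // expires_in is relative, so convert it to an absolute time in seconds.
        final long expiresAtUtc = (System.currentTimeMillis() / 1000) + response.getExpires_in().intValue();
        return prefetchToken(str, null, list, null, Integer.valueOf((int) j), str3, null, str2, str4, expiresAtUtc, TokenType.ACCESS);
    }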

    /**
     * Registers a token for periodic prefetch and makes sure the prefetch timer is running.
     *
     * <p>The scheduled item keeps references to this client's TLS context, identity provider,
     * proxy URL and notification sender. It lives in the shared
     * {@code PREFETCH_SCHEDULED_ITEMS} collection until it is removed or
     * {@code cancelPrefetch()} is called, so those credential-bearing objects stay reachable for
     * that long.
     *
     * @param str domain name
     * @param str2 role name, or {@code null}
     * @param list role names (access tokens), or {@code null}
     * @param num minimum duration, or {@code null}
     * @param num2 maximum duration, or {@code null}
     * @param str3 proxy-for principal, or {@code null}
     * @param str4 external id (AWS), or {@code null}
     * @param str5 ID-token service name, or {@code null}
     * @param str6 authorization details, or {@code null}
     * @param j absolute expiry of the token just fetched, in seconds
     * @param tokenType kind of token being scheduled
     * @return {@code true} when scheduled; {@code false} when the client has neither a TLS
     *     context nor both a domain and a service
     */
    boolean prefetchToken(String str, String str2, List<String> list, Integer num, Integer num2, String str3, String str4, String str5, String str6, long j, TokenType tokenType) {
        // Without a TLS context the item needs a full domain/service identity to refresh later.
        if (sslContext == null && (isEmpty(domain) || isEmpty(service))) {
            if (LOG.isWarnEnabled()) {
                LOG.warn("PrefetchToken: setup failure. Both domain({}) and service({}) are required", domain, service);
            }
            return false;
        }
        final PrefetchTokenScheduledItem item = new PrefetchTokenScheduledItem()
                .setTokenType(tokenType)
                .setFetchTime(System.currentTimeMillis() / 1000)
                .setDomainName(str)
                .setRoleName(str2)
                .setRoleNames(list)
                .setProxyForPrincipal(str3)
                .setExternalId(str4)
                .setMinDuration(num)
                .setMaxDuration(num2)
                .setExpiresAtUTC(j)
                .setIdTokenServiceName(str5)
                .setAuthorizationDetails(str6)
                .setIdentityDomain(domain)
                .setIdentityName(service)
                .setTokenMinExpiryTime(tokenMinExpiryTime)
                .setProvidedZTSUrl(ztsUrl)
                .setSiaIdentityProvider(siaProvider)
                .setSslContext(sslContext)
                .setProxyUrl(proxyUrl)
                .setNotificationSender(notificationSender);
        if (ztsClientOverride) {
            item.setZtsClient(ztsClient);
        }
        // Remove-then-add replaces an existing equal item with the fresh one.
        PREFETCH_SCHEDULED_ITEMS.remove(item);
        PREFETCH_SCHEDULED_ITEMS.add(item);
        startPrefetch();
        return true;
    }

    /**
     * Builds the access-token cache key for this client's identity.
     *
     * <p>When no domain is set, the TLS context's {@code toString()} stands in for the principal.
     * NOTE(review): {@code SSLContext} does not appear to override {@code toString()}, so this is
     * presumably the identity-hash form, which is not guaranteed to be unique per context. If
     * the cache is shared between clients, two contexts with different identities could map to
     * the same key - confirm.
     *
     * @param str domain name
     * @param list role names, or {@code null}
     * @param str2 ID-token service name, or {@code null}
     * @param str3 proxy-for principal, or {@code null}
     * @param str4 authorization details, or {@code null}
     * @return the cache key, or {@code null} when neither a domain nor a TLS context is set
     */
    String getAccessTokenCacheKey(String str, List<String> list, String str2, String str3, String str4) {
        final String principalPart;
        if (this.domain == null && this.sslContext != null) {
            principalPart = this.sslContext.toString();
        } else {
            principalPart = this.domain;
        }
        return getAccessTokenCacheKey(principalPart, this.service, str, list, str2, str3, str4);
    }

    /**
     * Builds an access-token cache key of the form
     * {@code p=<principal>;d=<domain>[;r=<roles>][;o=<idTokenService>][;u=<proxy>][;z=<hash>]}.
     *
     * <p>Authorization details enter the key as an unpadded URL-safe Base64 SHA-256 digest. All
     * other parts are appended verbatim, so a value that contains {@code ';'} followed by one of
     * the field markers could produce the same key as a different request. Callers passing
     * externally supplied names should validate them first.
     *
     * @param str principal domain (or its stand-in); {@code null} yields a {@code null} key
     * @param str2 principal service, or {@code null}
     * @param str3 token domain
     * @param list role names, or {@code null}/empty
     * @param str4 ID-token service name, or empty
     * @param str5 proxy-for principal, or empty
     * @param str6 authorization details, or empty
     * @return the cache key, or {@code null} when {@code str} is {@code null}
     */
    String getAccessTokenCacheKey(String str, String str2, String str3, List<String> list, String str4, String str5, String str6) {
        if (str == null) {
            return null;
        }
        final StringBuilder key = new StringBuilder(256).append("p=").append(str);
        if (str2 != null) {
            key.append(".").append(str2);
        }
        key.append(";d=").append(str3);
        if (!isEmpty(list)) {
            key.append(";r=").append(multipleRoleKey(list));
        }
        if (!isEmpty(str4)) {
            key.append(";o=").append(str4);
        }
        if (!isEmpty(str5)) {
            key.append(";u=").append(str5);
        }
        if (!isEmpty(str6)) {
            // Hashed so the key stays short whatever the size of the details document.
            final String detailsDigest = Base64.getUrlEncoder().withoutPadding().encodeToString(Crypto.sha256(str6));
            key.append(";z=").append(detailsDigest);
        }
        return key.toString();
    }

    /**
     * Builds the role-token cache key for this client's own identity.
     *
     * <p>Uses {@code this.domain} as the principal domain, or {@code sslContext.toString()}
     * when no domain is set but an SSL context is, and delegates to the static five-argument
     * overload with {@code this.service}.
     *
     * @return the cache key, or {@code null} when neither a domain nor an SSL context is set
     */
    String getRoleTokenCacheKey(String str, String str2, String str3) {
        final boolean useSslContext = this.domain == null && this.sslContext != null;
        final String principalDomain = useSslContext ? this.sslContext.toString() : this.domain;
        return getRoleTokenCacheKey(principalDomain, this.service, str, str2, str3);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Assembles a role-token cache key of the form
     * {@code p=<str>[.<str2>];d=<str3>[;r=<roles>][;u=<str5>]}.
     *
     * <p>A comma-separated {@code str4} is split and passed through {@code multipleRoleKey},
     * so the same set of roles yields the same key whatever order the caller listed them in.
     * Values are concatenated without escaping.
     *
     * @param str principal domain ({@code p=}); a {@code null} value yields a {@code null} key
     * @param str2 appended to the principal after a dot when non-null
     * @param str3 value of the {@code d=} part (appended even when {@code null})
     * @param str4 single role name or comma-separated role names; skipped when null or empty
     * @param str5 value of the {@code u=} part; skipped when null or empty
     * @return the cache key, or {@code null} when {@code str} is {@code null}
     */
    public static String getRoleTokenCacheKey(String str, String str2, String str3, String str4, String str5) {
        if (str == null) {
            return null;
        }
        final StringBuilder key = new StringBuilder(256).append("p=").append(str);
        if (str2 != null) {
            key.append(".").append(str2);
        }
        key.append(";d=").append(str3);
        final boolean hasRoles = str4 != null && !str4.isEmpty();
        if (hasRoles) {
            final String roleKey = str4.indexOf(',') == -1
                    ? str4
                    : multipleRoleKey(Arrays.asList(str4.split(",")));
            key.append(";r=").append(roleKey);
        }
        final boolean hasProxyPart = str5 != null && !str5.isEmpty();
        if (hasProxyPart) {
            key.append(";u=").append(str5);
        }
        return key.toString();
    }

    /**
     * Decides whether a cached credential with {@code j} seconds of lifetime left must be
     * treated as expired for this request.
     *
     * <ul>
     *   <li>expired when a minimum {@code num} is given and {@code j} is below it;</li>
     *   <li>expired when a maximum {@code num2} is given and {@code j} exceeds
     *       {@code num2 + tokenMaxExpiryOffset};</li>
     *   <li>when neither bound is given, expired when {@code j} is below {@code i};</li>
     *   <li>otherwise not expired.</li>
     * </ul>
     *
     * @param j remaining lifetime in seconds
     * @param num requested minimum lifetime, may be {@code null}
     * @param num2 requested maximum lifetime, may be {@code null}
     * @param i threshold applied only when both bounds are {@code null}
     */
    static boolean isExpiredToken(long j, Integer num, Integer num2, int i) {
        final boolean belowRequestedMin = num != null && j < num.intValue();
        if (belowRequestedMin) {
            return true;
        }
        final boolean aboveRequestedMax = num2 != null && j > num2.intValue() + tokenMaxExpiryOffset;
        if (aboveRequestedMax) {
            return true;
        }
        // No explicit bounds from the caller: fall back to the client-wide minimum.
        return num == null && num2 == null && j < ((long) i);
    }

    /**
     * Returns the cached role token stored under {@code str} if it is still usable.
     *
     * <p>Usability is decided by {@code isExpiredToken} on the remaining lifetime in seconds.
     * An entry that fails the check is evicted only when less than one second of lifetime is
     * left; an entry that merely falls outside the requested window stays in the cache. Only
     * the cache key and expiry figures are logged, never the token.
     *
     * @param str cache key
     * @param num requested minimum lifetime, may be {@code null}
     * @param num2 requested maximum lifetime, may be {@code null}
     * @param i client minimum expiry threshold
     * @return the cached token, or {@code null} when absent or not usable
     */
    RoleToken lookupRoleTokenInCache(String str, Integer num, Integer num2, int i) {
        final RoleToken cached = ROLE_TOKEN_CACHE.get(str);
        if (cached == null) {
            if (LOG.isInfoEnabled()) {
                LOG.info("LookupRoleTokenInCache: cache-lookup key: {} result: not found", str);
            }
            return null;
        }
        final long secondsLeft = cached.getExpiryTime() - (System.currentTimeMillis() / 1000);
        if (!isExpiredToken(secondsLeft, num, num2, i)) {
            return cached;
        }
        if (LOG.isInfoEnabled()) {
            LOG.info("LookupRoleTokenInCache: role-cache-lookup key: {} token-expiry: {} req-min-expiry: {} req-max-expiry: {} client-min-expiry: {} result: expired", new Object[]{str, Long.valueOf(secondsLeft), num, num2, Integer.valueOf(i)});
        }
        if (secondsLeft < 1) {
            // Really expired (not just outside the requested window): drop it.
            ROLE_TOKEN_CACHE.remove(str);
        }
        return null;
    }

    /**
     * Returns the cached access-token response stored under {@code str} unless the entry
     * reports itself expired for {@code j}.
     *
     * <p>An entry that is expired for {@code j} is evicted only if it is also expired for
     * {@code -1}; otherwise it is left in place and {@code null} is returned.
     *
     * @param str cache key
     * @param j expiry argument handed to {@code isExpired}
     * @return the cached response, or {@code null} when absent or expired
     */
    AccessTokenResponse lookupAccessTokenResponseInCache(String str, long j) {
        final AccessTokenResponseCacheEntry entry = ACCESS_TOKEN_CACHE.get(str);
        if (entry == null) {
            if (LOG.isInfoEnabled()) {
                LOG.info("LookupAccessTokenResponseInCache: cache-lookup key: {} result: not found", str);
            }
            return null;
        }
        if (entry.isExpired(j)) {
            if (entry.isExpired(-1L)) {
                ACCESS_TOKEN_CACHE.remove(str);
            }
            return null;
        }
        return entry.accessTokenResponse();
    }

    /**
     * Returns the cached AWS temporary credentials stored under {@code str} if they are
     * still usable.
     *
     * <p>The remaining lifetime in seconds is checked with {@code isExpiredToken} against the
     * requested bounds and {@code tokenMinExpiryTime}. An entry is evicted only when less than
     * one second of lifetime is left. Only the cache key and expiry figures are logged, never
     * the credential material.
     *
     * @param str cache key
     * @param num requested minimum lifetime, may be {@code null}
     * @param num2 requested maximum lifetime, may be {@code null}
     * @return the cached credentials, or {@code null} when absent or not usable
     */
    AWSTemporaryCredentials lookupAwsCredInCache(String str, Integer num, Integer num2) {
        final AWSTemporaryCredentials cached = AWS_CREDS_CACHE.get(str);
        if (cached == null) {
            if (LOG.isInfoEnabled()) {
                LOG.info("LookupAwsCredInCache: aws-cache-lookup key: {} result: not found", str);
            }
            return null;
        }
        final long secondsLeft = (cached.getExpiration().millis() - System.currentTimeMillis()) / 1000;
        if (!isExpiredToken(secondsLeft, num, num2, tokenMinExpiryTime)) {
            return cached;
        }
        if (LOG.isInfoEnabled()) {
            LOG.info("LookupAwsCredInCache: aws-cache-lookup key: {} token-expiry: {} req-min-expiry: {} req-max-expiry: {} client-min-expiry: {} result: expired", new Object[]{str, Long.valueOf(secondsLeft), num, num2, Integer.valueOf(tokenMinExpiryTime)});
        }
        if (secondsLeft < 1) {
            AWS_CREDS_CACHE.remove(str);
        }
        return null;
    }

    /**
     * Fetches the role access for {@code (str, str2)}, consulting the optional role-access
     * cache first.
     *
     * <p>When the cache exists and holds an entry, that entry is returned without contacting
     * the server, so a change made on the server is not visible to callers until the entry
     * leaves the cache. The cache's expiry policy is configured outside this method.
     *
     * <p>NOTE(review): this method reports {@code ResourceException#getMessage()} while most
     * sibling wrappers report {@code getData()} - confirm that the difference is intended.
     *
     * @throws ZTSClientException with the server's code for a {@code ResourceException}, or
     *     with code 400 for any other failure
     */
    public RoleAccess getRoleAccess(String str, String str2) {
        updateServicePrincipal();
        final Cache<ZTSClientCache.DomainAndPrincipal, RoleAccess> cache = this.ztsClientCache.getRoleAccessCache();
        final boolean cacheEnabled = cache != null;
        ZTSClientCache.DomainAndPrincipal cacheKey = null;
        if (cacheEnabled) {
            cacheKey = new ZTSClientCache.DomainAndPrincipal(str, str2);
            final RoleAccess cached = (RoleAccess) cache.get(cacheKey);
            if (cached != null) {
                return cached;
            }
        }
        try {
            final RoleAccess fetched = this.ztsClient.getRoleAccess(str, str2);
            if (cacheEnabled) {
                cache.put(cacheKey, fetched);
            }
            return fetched;
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getMessage());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
    }

    /**
     * Retrieves a service identity from the server after calling
     * {@code updateServicePrincipal()}.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public ServiceIdentity getServiceIdentity(String str, String str2) {
        updateServicePrincipal();
        final ServiceIdentity identity;
        try {
            identity = this.ztsClient.getServiceIdentity(str, str2);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return identity;
    }

    /**
     * Retrieves a public key entry from the server.
     *
     * <p>Unlike most wrappers in this class, this call does not invoke
     * {@code updateServicePrincipal()} first.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public PublicKeyEntry getPublicKeyEntry(String str, String str2, String str3) {
        final PublicKeyEntry entry;
        try {
            entry = this.ztsClient.getPublicKeyEntry(str, str2, str3);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return entry;
    }

    /**
     * Retrieves the service identity list for {@code str} after calling
     * {@code updateServicePrincipal()}.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public ServiceIdentityList getServiceIdentityList(String str) {
        updateServicePrincipal();
        final ServiceIdentityList identities;
        try {
            identities = this.ztsClient.getServiceIdentityList(str);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return identities;
    }

    /**
     * Retrieves tenant domains from the server after calling
     * {@code updateServicePrincipal()}; all four arguments are forwarded unchanged.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public TenantDomains getTenantDomains(String str, String str2, String str3, String str4) {
        updateServicePrincipal();
        final TenantDomains tenants;
        try {
            tenants = this.ztsClient.getTenantDomains(str, str2, str3, str4);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return tenants;
    }

    /**
     * Posts an instance refresh request to the server after calling
     * {@code updateServicePrincipal()}.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public Identity postInstanceRefreshRequest(String str, String str2, InstanceRefreshRequest instanceRefreshRequest) {
        updateServicePrincipal();
        final Identity refreshed;
        try {
            refreshed = this.ztsClient.postInstanceRefreshRequest(str, str2, instanceRefreshRequest);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return refreshed;
    }

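    /**
     * Generates a fresh RSA-2048 key pair, builds a CSR for the given service and registers
     * it with the server to obtain an X.509 certificate for an AWS Lambda function.
     *
     * <p>The CSR subject is {@code cn=<domain>.<service>} followed by {@code x509CsrDn} when
     * set. It carries two DNS subject alternative names and one SPIFFE URI. Domain, service
     * and provider are lower-cased with {@code Locale.ROOT}: the default-locale form used
     * previously can alter ASCII letters under some locales (for example {@code I} under
     * Turkish rules), which would change the identity written into the certificate request.
     *
     * <p>The private key is generated locally and is returned only inside the
     * {@link AWSLambdaIdentity}; callers should treat that object as secret material.
     * {@code str3} and {@code x509CsrDn} are concatenated as given, without validation here.
     *
     * @param str domain name, must not be {@code null}
     * @param str2 service name, must not be {@code null}
     * @param str3 AWS account, must not be {@code null}
     * @param str4 provider name, must not be {@code null}
     * @return the identity holding the private key, certificate and CA certificates
     * @throws IllegalArgumentException when a required argument or {@code x509CsrDomain} is
     *     missing
     * @throws ZTSClientException with code 400 when key generation, CSR creation or
     *     certificate parsing fails, or as raised by the registration call
     */
    public AWSLambdaIdentity getAWSLambdaServiceCertificate(String str, String str2, String str3, String str4) {
        if (str == null || str2 == null) {
            throw new IllegalArgumentException("Domain and Service must be specified");
        }
        if (str3 == null || str4 == null) {
            throw new IllegalArgumentException("AWS Account and Provider must be specified");
        }
        if (x509CsrDomain == null) {
            throw new IllegalArgumentException("X509 CSR Domain must be specified");
        }
        final AWSLambdaIdentity lambdaIdentity = new AWSLambdaIdentity();
        try {
            lambdaIdentity.setPrivateKey(Crypto.generateRSAPrivateKey(2048));

            // Locale.ROOT keeps identity names stable whatever the JVM's default locale is.
            final InstanceRegisterInformation info = new InstanceRegisterInformation();
            info.setDomain(str.toLowerCase(java.util.Locale.ROOT));
            info.setService(str2.toLowerCase(java.util.Locale.ROOT));
            info.setProvider(str4.toLowerCase(java.util.Locale.ROOT));

            final String athenzService = info.getDomain() + "." + info.getService();
            final StringBuilder subjectDn = new StringBuilder(128).append("cn=").append(athenzService);
            if (x509CsrDn != null) {
                subjectDn.append(',').append(x509CsrDn);
            }

            final GeneralName[] subjectAltNames = {
                new GeneralName(GeneralName.dNSName, new DERIA5String(info.getService() + '.' + info.getDomain().replace('.', '-') + '.' + x509CsrDomain)),
                new GeneralName(GeneralName.dNSName, new DERIA5String("lambda-" + str3 + '-' + info.getService() + ".instanceid.athenz." + x509CsrDomain)),
                new GeneralName(GeneralName.uniformResourceIdentifier, new DERIA5String("spiffe://" + info.getDomain() + "/sa/" + info.getService()))
            };
            info.setCsr(Crypto.generateX509CSR(lambdaIdentity.getPrivateKey(), subjectDn.toString(), subjectAltNames));
            info.setAttestationData(getAWSLambdaAttestationData(athenzService, str3));

            final InstanceIdentity registered = postInstanceRegisterInformation(info, new HashMap<>());
            lambdaIdentity.setX509Certificate(Crypto.loadX509Certificate(registered.getX509Certificate()));
            lambdaIdentity.setCaCertificates(registered.getX509CertificateSigner());
            return lambdaIdentity;
        } catch (CryptoException | OperatorCreationException | IOException e) {
            // Every local crypto/encoding failure is reported as a client error (400).
            throw new ZTSClientException(400, e.getMessage());
        }
    }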

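    /**
     * Assumes the AWS role named after the service and serialises the resulting temporary
     * credentials as the JSON attestation document sent with the registration request.
     *
     * <p>The returned string contains the access key id, secret access key and session token
     * of the assumed role. It must not be logged or persisted.
     *
     * <p>{@code assumeAWSRole} returns {@code null} when the role cannot be assumed. That case
     * is reported as a {@link ZTSClientException} here instead of failing with a
     * {@code NullPointerException} on the first credential access.
     *
     * @param str role name, also stored as the attestation role
     * @param str2 AWS account passed to {@code assumeAWSRole}
     * @return the attestation JSON, or {@code null} when serialisation fails (logged)
     * @throws ZTSClientException with code 400 when the role cannot be assumed
     */
    String getAWSLambdaAttestationData(String str, String str2) {
        final Credentials awsCreds = assumeAWSRole(str2, str);
        if (awsCreds == null) {
            throw new ZTSClientException(400, "Unable to assume AWS role for attestation data");
        }
        final AWSAttestationData attestation = new AWSAttestationData();
        attestation.setRole(str);
        attestation.setAccess(awsCreds.getAccessKeyId());
        attestation.setSecret(awsCreds.getSecretAccessKey());
        attestation.setToken(awsCreds.getSessionToken());
        try {
            return new ObjectMapper().writeValueAsString(attestation);
        } catch (JsonProcessingException e) {
            // Only the exception message is logged; the credential values stay out of the log.
            LOG.error("Unable to generate attestation json data: {}", e.getMessage());
            return null;
        }
    }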

    /**
     * Builds the STS assume-role request for role {@code str2} in account {@code str}.
     *
     * <p>The role ARN is {@code arn:aws:iam::<str>:role/<str2>}; the {@code aws} partition is
     * fixed and both values are concatenated as given. The role name doubles as the session
     * name.
     */
    AssumeRoleRequest getAssumeRoleRequest(String str, String str2) {
        final String roleArn = "arn:aws:iam::" + str + ":role/" + str2;
        final AssumeRoleRequest request = new AssumeRoleRequest();
        request.setRoleSessionName(str2);
        request.setRoleArn(roleArn);
        return request;
    }

    /**
     * Assumes the role described by {@code getAssumeRoleRequest(str, str2)} using the default
     * STS client and returns the temporary credentials.
     *
     * <p>Every failure is logged (message only) and reported as {@code null}; callers must
     * check for {@code null} before using the result.
     *
     * @return the temporary credentials, or {@code null} when the role could not be assumed
     */
    Credentials assumeAWSRole(String str, String str2) {
        Credentials assumed;
        try {
            assumed = AWSSecurityTokenServiceClientBuilder.defaultClient().assumeRole(getAssumeRoleRequest(str, str2)).getCredentials();
        } catch (Exception failure) {
            LOG.error("assumeAWSRole - unable to assume role: {}", failure.getMessage());
            assumed = null;
        }
        return assumed;
    }

    /**
     * Creates an {@link AWSCredentialsProvider} bound to this client for {@code (str, str2)}.
     *
     * @return a new {@code AWSCredentialsProviderImpl} on every call
     */
    public AWSCredentialsProvider getAWSCredentialProvider(String str, String str2) {
        final AWSCredentialsProvider provider = new AWSCredentialsProviderImpl(this, str, str2);
        return provider;
    }

    /**
     * Creates an {@link AWSCredentialsProvider} bound to this client, forwarding the extra
     * {@code str3}, {@code num} and {@code num2} arguments to the provider implementation.
     *
     * @return a new {@code AWSCredentialsProviderImpl} on every call
     */
    public AWSCredentialsProvider getAWSCredentialProvider(String str, String str2, String str3, Integer num, Integer num2) {
        final AWSCredentialsProvider provider = new AWSCredentialsProviderImpl(this, str, str2, str3, num, num2);
        return provider;
    }

    /**
     * Convenience overload: no {@code str3}, no lifetime bounds, cache allowed
     * (the final flag is {@code false}).
     */
    public AWSTemporaryCredentials getAWSTemporaryCredentials(String str, String str2) {
        final boolean ignoreCache = false;
        return getAWSTemporaryCredentials(str, str2, null, null, null, ignoreCache);
    }

    /**
     * Convenience overload: no {@code str3} and no lifetime bounds; {@code z} is forwarded
     * as the final flag, which makes the full overload skip its cache lookups when
     * {@code true}.
     */
    public AWSTemporaryCredentials getAWSTemporaryCredentials(String str, String str2, boolean z) {
        final String noThirdArgument = null;
        final Integer noBound = null;
        return getAWSTemporaryCredentials(str, str2, noThirdArgument, noBound, noBound, z);
    }

    /**
     * Convenience overload: forwards every argument and allows the cache
     * (the final flag is {@code false}).
     */
    public AWSTemporaryCredentials getAWSTemporaryCredentials(String str, String str2, String str3, Integer num, Integer num2) {
        final boolean ignoreCache = false;
        return getAWSTemporaryCredentials(str, str2, str3, num, num2, ignoreCache);
    }

    /**
     * Returns AWS temporary credentials for {@code (str, str2)}, from the local cache when
     * possible and from the server otherwise.
     *
     * <p>Flow: URL-encode {@code str2}; build the cache key; unless {@code z} is set, try the
     * cache and, when prefetch is enabled, register a prefetch and retry the cache; otherwise
     * call the server and cache a non-null result. When the server call fails and {@code z}
     * is not set, any cached entry that still passes the client minimum expiry check is
     * returned in place of the error.
     *
     * <p>NOTE(review): the cache key is built from {@code str} and the encoded {@code str2}
     * only. {@code str3} (presumably the external id - confirm) is not part of it, so a
     * cached entry is returned whatever {@code str3} value the caller passes.
     *
     * @param num requested minimum lifetime, used for cache checks only
     * @param num2 requested maximum lifetime, used for cache checks and sent to the server
     * @param z when {@code true}, skip cache lookups and the failure fallback
     * @throws ZTSClientException when the server call fails and no cached entry can be used
     */
    public AWSTemporaryCredentials getAWSTemporaryCredentials(String str, String str2, String str3, Integer num, Integer num2, boolean z) {
        AWSTemporaryCredentials lookupAwsCredInCache;
        AWSTemporaryCredentials lookupAwsCredInCache2;
        try {
            str2 = URLEncoder.encode(str2, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // Best effort: on failure the unencoded value is used for the key and the request.
            LOG.error("Unable to encode {} - error {}", str2, e.getMessage());
        }
        String roleTokenCacheKey = getRoleTokenCacheKey(str, str2, null);
        if (roleTokenCacheKey != null && !z) {
            AWSTemporaryCredentials lookupAwsCredInCache3 = lookupAwsCredInCache(roleTokenCacheKey, num, num2);
            if (lookupAwsCredInCache3 != null) {
                return lookupAwsCredInCache3;
            }
            if (this.enablePrefetch && prefetchAutoEnable) {
                // Registering the prefetch item may populate the cache, so look again.
                if (prefetchAwsCreds(str, str2, str3, num, num2)) {
                    lookupAwsCredInCache3 = lookupAwsCredInCache(roleTokenCacheKey, num, num2);
                }
                if (lookupAwsCredInCache3 != null) {
                    return lookupAwsCredInCache3;
                }
                LOG.error("GetAWSTemporaryCredentials: cache prefetch and lookup error");
            }
        }
        updateServicePrincipal();
        try {
            // Only the maximum lifetime (num2) and str3 are sent to the server; num is not.
            AWSTemporaryCredentials aWSTemporaryCredentials = this.ztsClient.getAWSTemporaryCredentials(str, str2, num2, str3);
            if (aWSTemporaryCredentials != null) {
                if (roleTokenCacheKey == null) {
                    roleTokenCacheKey = getRoleTokenCacheKey(str, str2, null);
                }
                if (roleTokenCacheKey != null) {
                    AWS_CREDS_CACHE.put(roleTokenCacheKey, aWSTemporaryCredentials);
                }
            }
            return aWSTemporaryCredentials;
        } catch (ResourceException e2) {
            // Fallback lookup passes null bounds, so only the client minimum expiry applies.
            if (roleTokenCacheKey == null || z || (lookupAwsCredInCache2 = lookupAwsCredInCache(roleTokenCacheKey, null, null)) == null) {
                throw new ZTSClientException(e2.getCode(), e2.getData());
            }
            return lookupAwsCredInCache2;
        } catch (Exception e3) {
            // Same fallback for any other failure; reported as code 400 when nothing is cached.
            if (roleTokenCacheKey == null || z || (lookupAwsCredInCache = lookupAwsCredInCache(roleTokenCacheKey, null, null)) == null) {
                throw new ZTSClientException(400, e3.getMessage());
            }
            return lookupAwsCredInCache;
        }
    }

    /**
     * Retrieves the signed policy data for a domain from the server.
     *
     * <p>This call does not invoke {@code updateServicePrincipal()} first. {@code map} is
     * handed to the underlying client unchanged.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public DomainSignedPolicyData getDomainSignedPolicyData(String str, String str2, Map<String, List<String>> map) {
        final DomainSignedPolicyData policyData;
        try {
            policyData = this.ztsClient.getDomainSignedPolicyData(str, str2, map);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return policyData;
    }

    /**
     * Asks the server for an access decision after calling {@code updateServicePrincipal()}.
     * The result is not cached by this method.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public Access getAccess(String str, String str2, String str3) {
        updateServicePrincipal();
        final Access decision;
        try {
            decision = this.ztsClient.getAccess(str, str2, str3);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return decision;
    }

    /**
     * Asks the server for a resource access decision after calling
     * {@code updateServicePrincipal()}. The result is not cached by this method.
     *
     * @throws ZTSClientException with the server's code and message for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public ResourceAccess getResourceAccess(String str, String str2, String str3, String str4) {
        updateServicePrincipal();
        final ResourceAccess decision;
        try {
            decision = this.ztsClient.getResourceAccess(str, str2, str3, str4);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getMessage());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return decision;
    }

    /**
     * Asks the server for a resource access decision through the {@code Ext} endpoint of the
     * underlying client, after calling {@code updateServicePrincipal()}. The result is not
     * cached by this method.
     *
     * @throws ZTSClientException with the server's code and message for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public ResourceAccess getResourceAccessExt(String str, String str2, String str3, String str4) {
        updateServicePrincipal();
        final ResourceAccess decision;
        try {
            decision = this.ztsClient.getResourceAccessExt(str, str2, str3, str4);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getMessage());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return decision;
    }

    /**
     * Submits an instance registration to the server after calling
     * {@code updateServicePrincipal()}.
     *
     * @param instanceRegisterInformation registration payload, forwarded unchanged
     * @param map forwarded unchanged to the underlying client
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public InstanceIdentity postInstanceRegisterInformation(InstanceRegisterInformation instanceRegisterInformation, Map<String, List<String>> map) {
        updateServicePrincipal();
        final InstanceIdentity registered;
        try {
            registered = this.ztsClient.postInstanceRegisterInformation(instanceRegisterInformation, map);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return registered;
    }

    /**
     * Submits an instance refresh to the server after calling
     * {@code updateServicePrincipal()}; all arguments are forwarded unchanged.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public InstanceIdentity postInstanceRefreshInformation(String str, String str2, String str3, String str4, InstanceRefreshInformation instanceRefreshInformation) {
        updateServicePrincipal();
        final InstanceIdentity refreshed;
        try {
            refreshed = this.ztsClient.postInstanceRefreshInformation(str, str2, str3, str4, instanceRefreshInformation);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return refreshed;
    }

    /**
     * Asks the server to delete an instance identity after calling
     * {@code updateServicePrincipal()}; all arguments are forwarded unchanged.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public void deleteInstanceIdentity(String str, String str2, String str3, String str4) {
        updateServicePrincipal();
        try {
            this.ztsClient.deleteInstanceIdentity(str, str2, str3, str4);
        } catch (ResourceException resourceError) {
            final int code = resourceError.getCode();
            throw new ZTSClientException(code, resourceError.getData());
        } catch (Exception otherError) {
            final String reason = otherError.getMessage();
            throw new ZTSClientException(400, reason);
        }
    }

    /**
     * Retrieves the certificate authority bundle named {@code str} from the server after
     * calling {@code updateServicePrincipal()}.
     *
     * @throws ZTSClientException with the server's code and data for a
     *     {@code ResourceException}, or with code 400 for any other failure
     */
    public CertificateAuthorityBundle getCertificateAuthorityBundle(String str) {
        updateServicePrincipal();
        final CertificateAuthorityBundle bundle;
        try {
            bundle = this.ztsClient.getCertificateAuthorityBundle(str);
        } catch (ResourceException resourceError) {
            throw new ZTSClientException(resourceError.getCode(), resourceError.getData());
        } catch (Exception otherError) {
            throw new ZTSClientException(400, otherError.getMessage());
        }
        return bundle;
    }

    /**
     * Discovers {@code ZTSClientService} implementations through {@link ServiceLoader},
     * caches every signed role token they supply and records the resulting cache keys.
     *
     * <p>Each discovered provider is asked for its tokens and those tokens are placed in the
     * shared role-token cache by {@code cacheSvcProvRoleToken}. No check of where a provider
     * came from is made in this method, so deployments should control which provider
     * implementations are visible to the service loader.
     *
     * @return the set of cache keys that were added; also stored in
     *     {@code svcLoaderCacheKeys}
     */
    private static Set<String> loadSvcProviderTokens() {
        ztsTokenProviders = ServiceLoader.load(ZTSClientService.class);
        svcLoaderCacheKeys = new AtomicReference<>();
        final HashSet<String> cachedKeys = new HashSet<>();
        for (ZTSClientService provider : ztsTokenProviders) {
            final Collection<ZTSClientService.RoleTokenDescriptor> descriptors = provider.loadTokens();
            if (descriptors == null) {
                if (LOG.isInfoEnabled()) {
                    LOG.info("loadSvcProviderTokens: provider didn't return tokens: prov={}", provider);
                }
                continue;
            }
            for (ZTSClientService.RoleTokenDescriptor descriptor : descriptors) {
                if (descriptor.signedToken == null) {
                    continue;
                }
                final String cacheKey = cacheSvcProvRoleToken(descriptor);
                if (cacheKey != null) {
                    cachedKeys.add(cacheKey);
                }
            }
        }
        svcLoaderCacheKeys.set(cachedKeys);
        return cachedKeys;
    }

    /**
     * Tells whether {@code str} is {@code null} or has zero length. Whitespace-only strings
     * count as non-empty.
     */
    boolean isEmpty(String str) {
        if (str == null) {
            return true;
        }
        return str.length() == 0;
    }

    /**
     * Tells whether {@code list} is {@code null} or contains no elements.
     */
    boolean isEmpty(List<String> list) {
        if (list == null) {
            return true;
        }
        return list.isEmpty();
    }

    /**
     * Produces the canonical cache-key form of a role list: the names sorted in natural
     * order and joined with commas, so the same set of roles maps to the same key whatever
     * order it was supplied in.
     *
     * <p>A single-element list is returned as that element. The input list is not modified.
     *
     * @param list role names, may be {@code null}
     * @return the joined key, or {@code null} for a {@code null} or empty list
     */
    static String multipleRoleKey(List<String> list) {
        final int count = (list == null) ? 0 : list.size();
        if (count == 0) {
            return null;
        }
        if (count == 1) {
            return list.get(0);
        }
        // Sort a copy so the caller's list keeps its order.
        final String[] sortedRoles = list.toArray(new String[0]);
        Arrays.sort(sortedRoles);
        return String.join(",", sortedRoles);
    }

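    /**
     * Parses a provider-supplied signed role token, stores it in the role-token cache and
     * schedules it for prefetch.
     *
     * <p>The token's principal is split at its last dot into identity domain and identity
     * name, which together with the token's domain and roles form the cache key.
     *
     * <p>When the principal cannot be split, only the principal is logged. The signed token
     * is a bearer credential and is deliberately kept out of the log. A missing principal is
     * handled the same way instead of failing with a {@code NullPointerException}.
     *
     * @param roleTokenDescriptor descriptor carrying the signed token
     * @return the cache key the token was stored under, or {@code null} when caching is
     *     disabled or the principal is invalid
     */
    static String cacheSvcProvRoleToken(ZTSClientService.RoleTokenDescriptor roleTokenDescriptor) {
        if (cacheDisabled) {
            return null;
        }
        final RoleToken parsedToken = new RoleToken(roleTokenDescriptor.getSignedToken());
        final String tokenDomain = parsedToken.getDomain();
        final String principal = parsedToken.getPrincipal();
        // A token covering the domain's complete role set is keyed without a role part.
        final String roleKey = parsedToken.getDomainCompleteRoleSet() ? null : multipleRoleKey(parsedToken.getRoles());
        final int lastDot = (principal == null) ? -1 : principal.lastIndexOf('.');
        if (lastDot == -1) {
            // Never write the signed token itself to the log.
            LOG.error("cacheSvcProvRoleToken: Invalid principal in token: {}", principal);
            return null;
        }
        final String identityDomain = principal.substring(0, lastDot);
        final String identityName = principal.substring(lastDot + 1);
        final Long expiresAt = Long.valueOf(parsedToken.getExpiryTime());
        final RoleToken cacheEntry = new RoleToken().setToken(roleTokenDescriptor.getSignedToken()).setExpiryTime(expiresAt.longValue());
        final String cacheKey = getRoleTokenCacheKey(identityDomain, identityName, tokenDomain, roleKey, null);
        if (LOG.isInfoEnabled()) {
            LOG.info("cacheSvcProvRoleToken: cache-add key: {} expiry: {}", cacheKey, expiresAt);
        }
        ROLE_TOKEN_CACHE.put(cacheKey, cacheEntry);
        prefetchSvcProvTokens(identityDomain, identityName, tokenDomain, cacheKey, roleKey, null, null, expiresAt, null);
        return cacheKey;
    }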

    /**
     * Registers a provider-supplied role token for periodic refresh and makes sure the
     * prefetch timer is running.
     *
     * <p>An existing scheduled item that equals the new one is replaced (removed, then
     * added).
     *
     * @param str identity domain stored on the scheduled item
     * @param str2 identity name stored on the scheduled item
     * @param str3 domain name; must be non-blank
     * @param str4 cache key of the token
     * @param str5 role name(s)
     * @param num minimum duration, may be {@code null}
     * @param num2 maximum duration, may be {@code null}
     * @param l expiry time; must not be {@code null} because it is unboxed
     * @param str6 proxy-for principal, may be {@code null}
     * @throws ZTSClientException with code 400 when {@code str3} is {@code null} or blank
     */
    static void prefetchSvcProvTokens(String str, String str2, String str3, String str4, String str5, Integer num, Integer num2, Long l, String str6) {
        final boolean domainMissing = str3 == null || str3.trim().isEmpty();
        if (domainMissing) {
            throw new ZTSClientException(400, "Domain Name cannot be empty");
        }
        final PrefetchTokenScheduledItem scheduledItem = new PrefetchTokenScheduledItem()
                .setTokenType(TokenType.SVC_ROLE)
                .setCacheKey(str4)
                .setDomainName(str3)
                .setRoleName(str5)
                .setProxyForPrincipal(str6)
                .setMinDuration(num)
                .setMaxDuration(num2)
                .setExpiresAtUTC(l.longValue())
                .setIdentityDomain(str)
                .setIdentityName(str2)
                .setTokenMinExpiryTime(tokenMinExpiryTime);
        // Remove-then-add replaces an equal item that is already scheduled.
        PREFETCH_SCHEDULED_ITEMS.remove(scheduledItem);
        PREFETCH_SCHEDULED_ITEMS.add(scheduledItem);
        startPrefetch();
    }

    /**
     * Starts the shared prefetch timer on first use; later calls are no-ops.
     *
     * <p>The timer is created as a daemon and runs a {@code TokenPrefetchTask} immediately
     * and then every {@code prefetchInterval * 1000} milliseconds. Creation is guarded by a
     * check, a lock on {@code TIMER_LOCK} and a second check.
     *
     * <p>NOTE(review): the unsynchronised first check is only safe if {@code FETCH_TIMER} is
     * declared {@code volatile}; the declaration is not visible here - confirm.
     */
    static void startPrefetch() {
        if (FETCH_TIMER == null) {
            synchronized (TIMER_LOCK) {
                if (FETCH_TIMER != null) {
                    return;
                }
                FETCH_TIMER = new Timer(true);
                FETCH_TIMER.schedule(new TokenPrefetchTask(), 0L, prefetchInterval * 1000);
            }
        }
    }

    /**
     * Synthetic accessor (per the decompiler marker) that exposes the private
     * {@code loadSvcProviderTokens()} to other classes in this compilation unit.
     */
    static /* synthetic */ Set access$200() {
        final Set providerCacheKeys = loadSvcProviderTokens();
        return providerCacheKeys;
    }
}
