package org.apache.pulsar.client.impl.auth;

import com.google.common.io.CharStreams;
import com.yahoo.athenz.auth.impl.SimpleServiceIdentityProvider;
import com.yahoo.athenz.auth.util.Crypto;
import com.yahoo.athenz.auth.util.CryptoException;
import com.yahoo.athenz.zts.ZTSClient;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URISyntaxException;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
import org.apache.pulsar.client.api.EncodedAuthenticationParameterSupport;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.api.url.URL;
import org.apache.pulsar.client.impl.AuthenticationUtil;

/* loaded from: input_file:org/apache/pulsar/client/impl/auth/AuthenticationAthenz.class */
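/**
 * Client-side authentication plugin registered under the method name {@code "athenz"}.
 *
 * <p>The plugin loads the tenant service's private key from the configured parameters,
 * uses it to build a {@link ZTSClient}, requests a role token for the provider domain and
 * hands that token (plus the name of the header to carry it) to
 * {@link AuthenticationDataAthenz}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@code privateKey} and {@code roleToken} are ordinary (non-{@code transient}) fields,
 *       while {@code ztsClient} is {@code transient}. The {@code serialVersionUID} suggests
 *       the type is serializable; if it is, a serialized instance carries the key and the
 *       token. NOTE(review): confirm whether instances are ever serialized and, if so,
 *       where the bytes end up.</li>
 *   <li>Several parameters are published through {@link System#setProperty}, which is
 *       JVM-wide: two plugin instances with different settings in one process overwrite
 *       each other's values.</li>
 * </ul>
 */
public class AuthenticationAthenz implements Authentication, EncodedAuthenticationParameterSupport {
    private static final long serialVersionUID = 1L;
    private static final String APPLICATION_X_PEM_FILE = "application/x-pem-file";
    private String ztsUrl;
    private String tenantDomain;
    private String tenantService;
    private String providerDomain;
    private PrivateKey privateKey;
    // System.nanoTime() reading taken when roleToken was last refreshed.
    private long cachedRoleTokenTimestamp;
    private String roleToken;
    private transient ZTSClient ztsClient = null;
    private String keyId = "0";
    private String roleHeader = null;
    private boolean autoPrefetchEnabled = false;
    // Requested token lifetime bounds, in seconds, passed to ZTSClient#getRoleToken.
    private final int minValidity = 7200;
    private final int maxValidity = 86400;
    // How long a fetched token is reused before a new one is requested.
    private final int cacheDurationInHour = 1;

    /**
     * Returns the authentication method name this plugin is registered under.
     *
     * @return the constant {@code "athenz"}
     */
    @Override
    public String getAuthMethodName() {
        return "athenz";
    }

    /**
     * Returns authentication data backed by a role token, reusing the cached token while it
     * is younger than {@code cacheDurationInHour} and fetching a new one otherwise.
     *
     * <p>The cache window (1 hour) is shorter than the minimum validity requested from ZTS
     * (7200 seconds), so a cached token should still be valid when it is reused, provided
     * ZTS honours the requested minimum.
     *
     * @return authentication data carrying the role token and the header name to use
     * @throws PulsarClientException if the role token cannot be obtained; the original
     *     failure is attached as the cause
     */
    @Override
    public synchronized AuthenticationDataProvider getAuthData() throws PulsarClientException {
        if (cachedRoleTokenIsValid()) {
            return newAuthData();
        }
        try {
            // The (String) cast keeps the null role name from making the overload ambiguous.
            this.roleToken = getZtsClient()
                    .getRoleToken(this.providerDomain, (String) null, this.minValidity, this.maxValidity, false)
                    .getToken();
            this.cachedRoleTokenTimestamp = System.nanoTime();
            return newAuthData();
        } catch (Throwable th) {
            // Everything, including Errors, is wrapped so the caller sees one exception type.
            throw new PulsarClientException.GettingAuthenticationDataException(th);
        }
    }

    /** Wraps the current role token together with the configured or default role header. */
    private AuthenticationDataProvider newAuthData() {
        String header = StringUtils.isNotBlank(this.roleHeader) ? this.roleHeader : ZTSClient.getHeader();
        return new AuthenticationDataAthenz(this.roleToken, header);
    }

    /** Returns whether a token is cached and was fetched less than the cache duration ago. */
    private boolean cachedRoleTokenIsValid() {
        if (this.roleToken == null) {
            return false;
        }
        // nanoTime differences are overflow-safe, unlike comparing absolute readings.
        long age = System.nanoTime() - this.cachedRoleTokenTimestamp;
        return age < TimeUnit.HOURS.toNanos(this.cacheDurationInHour);
    }

    /**
     * Configures the plugin from an encoded parameter string.
     *
     * @param str the encoded authentication parameters, parsed by
     *     {@link AuthenticationUtil#configureFromJsonString}
     * @throws IllegalArgumentException if {@code str} is blank, cannot be parsed, or does not
     *     yield a usable private key
     */
    @Override
    public void configure(String str) {
        if (StringUtils.isBlank(str)) {
            throw new IllegalArgumentException("authParams must not be empty");
        }
        try {
            setAuthParams(AuthenticationUtil.configureFromJsonString(str));
        } catch (IOException e) {
            throw new IllegalArgumentException("Failed to parse authParams", e);
        }
    }

    /**
     * Configures the plugin from an already-parsed parameter map.
     *
     * @param map the authentication parameters
     * @throws IllegalArgumentException if no private key can be loaded from the parameters
     * @deprecated retained for compatibility; see {@link #configure(String)}
     */
    @Deprecated
    @Override
    public void configure(Map<String, String> map) {
        setAuthParams(map);
    }

    /**
     * Copies the supplied parameters into this instance and into the Athenz system
     * properties.
     *
     * @param authParams the authentication parameters
     * @throws IllegalArgumentException if no private key can be loaded
     */
    private void setAuthParams(Map<String, String> authParams) {
        this.tenantDomain = authParams.get("tenantDomain");
        this.tenantService = authParams.get("tenantService");
        this.providerDomain = authParams.get("providerDomain");

        // privateKey wins when both are present; privateKeyPath is only a fallback.
        String inlineKey = authParams.get("privateKey");
        String keyPath = authParams.get("privateKeyPath");
        boolean usePath = StringUtils.isBlank(inlineKey) && StringUtils.isNotBlank(keyPath);
        this.privateKey = loadPrivateKey(usePath ? keyPath : inlineKey);
        if (this.privateKey == null) {
            throw new IllegalArgumentException("Failed to load private key from privateKey or privateKeyPath field");
        }

        this.keyId = authParams.getOrDefault("keyId", "0");
        this.autoPrefetchEnabled = Boolean.parseBoolean(authParams.getOrDefault("autoPrefetchEnabled", "false"));

        // The three properties below are JVM-wide: they affect every Athenz client in this
        // process, and a later configure() call with different values replaces them.
        String athenzConfPath = authParams.get("athenzConfPath");
        if (StringUtils.isNotBlank(athenzConfPath)) {
            System.setProperty("athenz.athenz_conf", athenzConfPath);
        }
        String principalHeader = authParams.get("principalHeader");
        if (StringUtils.isNotBlank(principalHeader)) {
            System.setProperty("athenz.auth.principal.header", principalHeader);
        }
        String configuredRoleHeader = authParams.get("roleHeader");
        if (StringUtils.isNotBlank(configuredRoleHeader)) {
            this.roleHeader = configuredRoleHeader;
            System.setProperty("athenz.auth.role.header", this.roleHeader);
        }

        String configuredZtsUrl = authParams.get("ztsUrl");
        if (StringUtils.isNotBlank(configuredZtsUrl)) {
            this.ztsUrl = configuredZtsUrl;
        }
    }

    /** No-op: the ZTS client is created lazily on the first {@link #getAuthData()} call. */
    @Override
    public void start() throws PulsarClientException {
    }

    /**
     * Closes the ZTS client if one was created.
     *
     * @throws IOException declared by the interface; not thrown by the visible code
     */
    @Override
    public void close() throws IOException {
        if (this.ztsClient != null) {
            this.ztsClient.close();
        }
    }

    /** Returns the ZTS client, creating it from the configured identity on first use. */
    private ZTSClient getZtsClient() {
        if (this.ztsClient == null) {
            SimpleServiceIdentityProvider identityProvider = new SimpleServiceIdentityProvider(
                    this.tenantDomain, this.tenantService, this.privateKey, this.keyId);
            this.ztsClient = new ZTSClient(this.ztsUrl, this.tenantDomain, this.tenantService, identityProvider);
            // Static setter: the prefetch flag applies to ZTSClient as a class, not only to
            // the instance created above.
            ZTSClient.setPrefetchAutoEnable(this.autoPrefetchEnabled);
        }
        return this.ztsClient;
    }

    /**
     * Loads a private key from the location named by {@code keyUrl}.
     *
     * <p>For {@code data:} URLs the content type must be {@code application/x-pem-file}.
     * NOTE(review): no other scheme is restricted here; which schemes the project's
     * {@code URL} class accepts is not visible in this file, so confirm that configuration
     * cannot point the key at a location fetched over an unprotected channel.
     *
     * @param keyUrl URL (or value accepted by the project's {@code URL} class) locating the
     *     PEM-encoded key; may be {@code null} or blank
     * @return the parsed key, or {@code null} if {@code keyUrl} is blank or the key could not
     *     be read or parsed
     * @throws IllegalArgumentException if {@code keyUrl} is not a valid URI, or a
     *     {@code data:} URL declares an unsupported media type
     */
    private PrivateKey loadPrivateKey(String keyUrl) {
        if (StringUtils.isBlank(keyUrl)) {
            // Neither privateKey nor privateKeyPath was supplied; let the caller report it
            // instead of failing inside URL parsing.
            return null;
        }
        try {
            URLConnection connection = new URL(keyUrl).openConnection();
            // getContentType() is only consulted for data: URLs, as in the original logic.
            if ("data".equals(connection.getURL().getProtocol())
                    && !APPLICATION_X_PEM_FILE.equals(connection.getContentType())) {
                throw new IllegalArgumentException(
                        "Unsupported media type or encoding format: " + connection.getContentType());
            }
            // Close the stream once read, and decode with a fixed charset rather than the
            // platform default.
            try (InputStreamReader reader =
                    new InputStreamReader((InputStream) connection.getContent(), StandardCharsets.UTF_8)) {
                return Crypto.loadPrivateKey(CharStreams.toString(reader));
            }
        } catch (URISyntaxException e) {
            // NOTE(review): URISyntaxException#getMessage() includes the rejected input. When
            // the parameter is an inline data: URL that input is the key material, so this
            // cause chain can carry it into logs; consider redacting before attaching.
            throw new IllegalArgumentException("Invalid privateKey format", e);
        } catch (CryptoException | IOException | IllegalAccessException | InstantiationException ignored) {
            // The cause is dropped here; the caller turns null into an
            // IllegalArgumentException that names only the parameter fields.
            return null;
        }
    }
}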
