package com.yahoo.vespa.hosted.athenz.instanceproviderservice;

import com.google.inject.Inject;
import com.yahoo.jdisc.http.ssl.impl.TlsContextBasedProvider;
import com.yahoo.security.KeyStoreBuilder;
import com.yahoo.security.KeyStoreType;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.tls.DefaultTlsContext;
import com.yahoo.security.tls.MutableX509KeyManager;
import com.yahoo.security.tls.PeerAuthentication;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.utils.SiaUtils;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.vespa.hosted.athenz.instanceproviderservice.config.AthenzProviderServiceConfig;
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/yahoo/vespa/hosted/athenz/instanceproviderservice/ConfigserverSslContextFactoryProvider.class */
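/**
 * Supplies the TLS context for the config server's Athenz instance-provider endpoint.
 *
 * <p>The server private key is obtained from the {@link KeyProvider}; the matching X.509 certificate is
 * requested from ZTS, cached on disk under {@code var/vespa/sia}, and re-fetched on a fixed schedule
 * ({@code updatePeriodDays} from config). The key manager is mutable so a refreshed certificate becomes
 * visible to the already-built TLS context without rebuilding it.
 *
 * <p>Not thread-safe for construction; the scheduled refresh runs on its own single thread and only
 * touches the mutable key manager.
 */
public class ConfigserverSslContextFactoryProvider extends TlsContextBasedProvider {
    private static final String CERTIFICATE_ALIAS = "athenz";
    /** A cached certificate that expires within this margin after the next refresh is not reused. */
    private static final Duration EXPIRATION_MARGIN = Duration.ofHours(6);
    private static final Path VESPA_SIA_DIRECTORY = Paths.get(Defaults.getDefaults().underVespaHome("var/vespa/sia"));
    private static final Logger log = Logger.getLogger(ConfigserverSslContextFactoryProvider.class.getName());
    /** Bounded wait for the refresh thread to stop during deconstruction. */
    private static final long SHUTDOWN_TIMEOUT_SECONDS = 30L;

    private final TlsContext tlsContext;
    private final MutableX509KeyManager keyManager = new MutableX509KeyManager();
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor(
            runnable -> new Thread(runnable, "configserver-ssl-context-factory-provider"));
    private final ZtsClient ztsClient;
    private final KeyProvider keyProvider;
    private final AthenzProviderServiceConfig athenzProviderServiceConfig;
    private final AthenzService configserverIdentity;

    /** Scheduled task: fetches a fresh certificate from ZTS and swaps it into the key manager. */
    private class KeystoreUpdater implements Runnable {
        final MutableX509KeyManager keyManager;

        KeystoreUpdater(MutableX509KeyManager keyManager) {
            this.keyManager = keyManager;
        }

        @Override
        public void run() {
            try {
                log.log(Level.INFO, "Updating configserver provider certificate from ZTS");
                char[] keystorePassword = generateKeystorePassword();
                KeyStore keyStore = updateKeystore(configserverIdentity, keystorePassword, keyProvider, ztsClient,
                                                   athenzProviderServiceConfig);
                // The key entry was built with keystorePassword, so the key manager must be initialised with the same one
                this.keyManager.updateKeystore(keyStore, keystorePassword);
                log.log(Level.INFO, "Certificate successfully updated");
            } catch (Throwable t) {
                // Deliberately broad: anything escaping run() cancels all further scheduled executions, so a failed
                // refresh is logged and the current certificate stays in use until the next attempt.
                log.log(Level.SEVERE, "Failed to update certificate from ZTS: " + t.getMessage(), t);
            }
        }
    }

    /**
     * Builds the provider, loads an initial certificate (cached file or ZTS) and schedules periodic refresh.
     *
     * @param serviceIdentityProvider identity used to authenticate towards ZTS
     * @param keyProvider source of the config server's private key
     * @param athenzProviderServiceConfig ZTS URL, identity, trust store path, secret version and refresh period
     */
    @Inject
    public ConfigserverSslContextFactoryProvider(ServiceIdentityProvider serviceIdentityProvider,
                                                 KeyProvider keyProvider,
                                                 AthenzProviderServiceConfig athenzProviderServiceConfig) {
        this.athenzProviderServiceConfig = athenzProviderServiceConfig;
        this.ztsClient = new DefaultZtsClient.Builder(URI.create(athenzProviderServiceConfig.ztsUrl()))
                .withIdentityProvider(serviceIdentityProvider)
                .build();
        this.keyProvider = keyProvider;
        this.configserverIdentity = new AthenzService(athenzProviderServiceConfig.domain(),
                                                      athenzProviderServiceConfig.serviceName());
        Duration updatePeriod = Duration.ofDays(athenzProviderServiceConfig.updatePeriodDays());
        this.tlsContext = createTlsContext(keyProvider,
                                           keyManager,
                                           Paths.get(athenzProviderServiceConfig.athenzCaTrustStore()),
                                           updatePeriod,
                                           configserverIdentity,
                                           ztsClient,
                                           athenzProviderServiceConfig);
        // First refresh is deferred one full period; the certificate just loaded is expected to cover it
        scheduler.scheduleAtFixedRate(new KeystoreUpdater(keyManager),
                                      updatePeriod.toDays(), updatePeriod.toDays(), TimeUnit.DAYS);
    }

    /** Returns the single shared TLS context regardless of container id and port. */
    protected TlsContext getTlsContext(String containerId, int port) {
        return tlsContext;
    }

    /**
     * Expiry of the certificate currently served.
     *
     * @throws IllegalStateException if no certificate chain is loaded under the expected alias
     */
    public Instant getCertificateNotAfter() {
        X509Certificate[] chain = keyManager.currentManager().getCertificateChain(CERTIFICATE_ALIAS);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("No certificate chain loaded for alias '" + CERTIFICATE_ALIAS + "'");
        }
        return chain[0].getNotAfter().toInstant();
    }

    /**
     * Stops the refresh thread, closes the ZTS client and runs superclass teardown.
     *
     * @throws RuntimeException if the wait for the refresh thread is interrupted (the interrupt flag is restored)
     */
    public void deconstruct() {
        try {
            scheduler.shutdownNow();
            if (!scheduler.awaitTermination(SHUTDOWN_TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                log.log(Level.WARNING, "Athenz certificate updater did not stop within "
                                       + SHUTDOWN_TIMEOUT_SECONDS + " seconds");
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt(); // keep the interrupt visible to the caller
            throw new RuntimeException("Failed to shutdown Athenz certificate updater on time", e);
        } finally {
            // Release the client and finish superclass teardown even when the wait was interrupted
            ztsClient.close();
            super.deconstruct();
        }
    }

    /**
     * Loads the initial keystore (cached files if still valid long enough, otherwise a fresh ZTS certificate)
     * into the key manager and builds the TLS context around it.
     */
    private static TlsContext createTlsContext(KeyProvider keyProvider,
                                               MutableX509KeyManager keyManager,
                                               Path trustStorePath,
                                               Duration updatePeriod,
                                               AthenzService configserverIdentity,
                                               ZtsClient ztsClient,
                                               AthenzProviderServiceConfig config) {
        // One password both protects the key entry and initialises the key manager; the two must match
        char[] keystorePassword = generateKeystorePassword();
        KeyStore keyStore = tryReadKeystoreFile(configserverIdentity, updatePeriod, keystorePassword)
                .orElseGet(() -> updateKeystore(configserverIdentity, keystorePassword, keyProvider, ztsClient, config));
        keyManager.updateKeystore(keyStore, keystorePassword);
        return new DefaultTlsContext(
                new SslContextBuilder()
                        .withTrustStore(trustStorePath, KeyStoreType.JKS)
                        .withKeyManager(keyManager)
                        .build(),
                PeerAuthentication.WANT);
    }

    /**
     * Reads the certificate and private key previously cached in the SIA directory.
     *
     * @param keystorePassword password protecting the key entry of the returned keystore
     * @return the keystore, or empty if either file is missing or the certificate would expire before the next
     *         scheduled refresh plus {@link #EXPIRATION_MARGIN}
     */
    private static Optional<KeyStore> tryReadKeystoreFile(AthenzService identity,
                                                          Duration updatePeriod,
                                                          char[] keystorePassword) {
        Optional<X509Certificate> certificate = SiaUtils.readCertificateFile(VESPA_SIA_DIRECTORY, identity);
        if (!certificate.isPresent()) {
            return Optional.empty();
        }
        Optional<PrivateKey> privateKey = SiaUtils.readPrivateKeyFile(VESPA_SIA_DIRECTORY, identity);
        if (!privateKey.isPresent()) {
            return Optional.empty();
        }
        Instant notAfter = certificate.get().getNotAfter().toInstant();
        Instant requiredUntil = Instant.now().plus(updatePeriod).plus(EXPIRATION_MARGIN);
        if (notAfter.isBefore(requiredUntil)) {
            // Would not survive until the next refresh (with margin); fetch a new certificate instead
            return Optional.empty();
        }
        KeyStore keyStore = KeyStoreBuilder.withType(KeyStoreType.JKS)
                .withKeyEntry(CERTIFICATE_ALIAS, privateKey.get(), keystorePassword, certificate.get())
                .build();
        return Optional.of(keyStore);
    }

    /**
     * Requests a service certificate from ZTS for the config server's private key, caches certificate and key
     * in the SIA directory, and returns a JKS keystore holding them under {@code "athenz"}.
     *
     * @param keystorePassword password protecting the key entry in the returned keystore
     */
    public static KeyStore updateKeystore(AthenzService identity,
                                          char[] keystorePassword,
                                          KeyProvider keyProvider,
                                          ZtsClient ztsClient,
                                          AthenzProviderServiceConfig config) {
        PrivateKey privateKey = keyProvider.getPrivateKey(config.secretVersion());
        KeyPair keyPair = new KeyPair(KeyUtils.extractPublicKey(privateKey), privateKey);
        X509Certificate certificate = ztsClient
                .getServiceIdentity(identity, Integer.toString(config.secretVersion()), keyPair, config.certDnsSuffix())
                .certificate();
        // NOTE(review): the private key is persisted here; file permissions are SiaUtils' responsibility — confirm
        // they are owner-only.
        SiaUtils.writeCertificateFile(VESPA_SIA_DIRECTORY, identity, certificate);
        SiaUtils.writePrivateKeyFile(VESPA_SIA_DIRECTORY, identity, privateKey);
        Instant notAfter = certificate.getNotAfter().toInstant();
        Duration validity = Duration.between(certificate.getNotBefore().toInstant(), notAfter);
        log.log(Level.INFO, String.format("Got Athenz x509 certificate with expiry %s (expires %s)", validity, notAfter));
        return KeyStoreBuilder.withType(KeyStoreType.JKS)
                .withKeyEntry(CERTIFICATE_ALIAS, privateKey, keystorePassword, certificate)
                .build();
    }

    /** Fresh per-load password for the in-memory key entry; UUID.randomUUID() uses a cryptographically strong RNG. */
    private static char[] generateKeystorePassword() {
        return UUID.randomUUID().toString().toCharArray();
    }
}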
