package com.yahoo.vespa.hosted.node.admin.configserver.certificate;

import com.yahoo.log.LogLevel;
import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
import com.yahoo.vespa.athenz.tls.KeyStoreBuilder;
import com.yahoo.vespa.athenz.tls.KeyUtils;
import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
import com.yahoo.vespa.athenz.tls.Pkcs10CsrBuilder;
import com.yahoo.vespa.athenz.tls.SignatureAlgorithm;
import com.yahoo.vespa.hosted.node.admin.configserver.ConfigServerApi;
import com.yahoo.vespa.hosted.node.admin.util.KeyStoreOptions;
import java.security.KeyPair;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;

/* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/configserver/certificate/ConfigServerKeyStoreRefresher.class */
public class ConfigServerKeyStoreRefresher {
    private static final String KEY_STORE_ALIAS = "alias";
    static final long MINIMUM_SECONDS_BETWEEN_REFRESH_RETRY = 3600;
    static final String CONFIG_SERVER_CERTIFICATE_SIGNING_PATH = "/athenz/v1/provider/sign";
    private final ScheduledExecutorService executor;
    private final KeyStoreOptions keyStoreOptions;
    private final Runnable keyStoreUpdatedCallback;
    private final ConfigServerApi configServerApi;
    private final Clock clock;
    private final String hostname;
    private static final Logger logger = Logger.getLogger(ConfigServerKeyStoreRefresher.class.getName());
    static final SignatureAlgorithm SIGNER_ALGORITHM = SignatureAlgorithm.SHA256_WITH_RSA;

    public ConfigServerKeyStoreRefresher(KeyStoreOptions keyStoreOptions, Runnable runnable, ConfigServerApi configServerApi, String str) {
        this(keyStoreOptions, runnable, configServerApi, Executors.newScheduledThreadPool(1), Clock.systemUTC(), str);
    }

    ConfigServerKeyStoreRefresher(KeyStoreOptions keyStoreOptions, Runnable runnable, ConfigServerApi configServerApi, ScheduledExecutorService scheduledExecutorService, Clock clock, String str) {
        this.keyStoreOptions = keyStoreOptions;
        this.keyStoreUpdatedCallback = runnable;
        this.configServerApi = configServerApi;
        this.executor = scheduledExecutorService;
        this.clock = clock;
        this.hostname = str;
    }

    public void start() {
        this.executor.schedule(this::refresh, getSecondsUntilNextRefresh(), TimeUnit.SECONDS);
    }

    void refresh() {
        try {
            if (refreshKeyStoreIfNeeded()) {
                this.keyStoreUpdatedCallback.run();
            }
            long secondsUntilNextRefresh = getSecondsUntilNextRefresh();
            this.executor.schedule(this::refresh, secondsUntilNextRefresh, TimeUnit.SECONDS);
            logger.log(Level.INFO, "Successfully updated keystore, scheduled next refresh in " + secondsUntilNextRefresh + "sec");
        } catch (Exception e) {
            logger.log(Level.WARNING, "Failed to update keystore on schedule, will try again in 3600sec", (Throwable) e);
            this.executor.schedule(this::refresh, MINIMUM_SECONDS_BETWEEN_REFRESH_RETRY, TimeUnit.SECONDS);
        }
    }

    public void stop() {
        this.executor.shutdownNow();
        do {
            try {
                this.executor.awaitTermination(Long.MAX_VALUE, TimeUnit.NANOSECONDS);
            } catch (InterruptedException e) {
                logger.info("Interrupted while waiting for ConfigServerKeyStoreRefresher thread to shutdown");
            }
        } while (!this.executor.isTerminated());
    }

    public boolean refreshKeyStoreIfNeeded() {
        if (!shouldRefreshCertificate()) {
            return false;
        }
        KeyPair generateKeyPair = generateKeyPair();
        X509Certificate sendCsr = sendCsr(generateCsr(generateKeyPair, this.hostname));
        storeCertificate(generateKeyPair, sendCsr);
        logger.log(LogLevel.INFO, "Key store certificate refreshed, expires " + sendCsr.getNotAfter().toInstant());
        return true;
    }

    private long getSecondsUntilNextRefresh() {
        long j = 0;
        try {
            j = getSecondsUntilCertificateShouldBeRefreshed();
        } catch (Exception e) {
            logger.log(Level.WARNING, "Failed to get remaining certificate lifetime", (Throwable) e);
        }
        return Math.max(MINIMUM_SECONDS_BETWEEN_REFRESH_RETRY, j);
    }

    private boolean shouldRefreshCertificate() {
        try {
            return getSecondsUntilCertificateShouldBeRefreshed() <= 0;
        } catch (Exception e) {
            return true;
        }
    }

    private long getSecondsUntilCertificateShouldBeRefreshed() throws KeyStoreException {
        X509Certificate configServerCertificate = getConfigServerCertificate();
        long time = configServerCertificate.getNotBefore().getTime() / 1000;
        long time2 = configServerCertificate.getNotAfter().getTime() / 1000;
        return Math.max(0L, (time + ((time2 - time) / 3)) - (this.clock.millis() / 1000));
    }

    X509Certificate getConfigServerCertificate() throws KeyStoreException {
        return (X509Certificate) this.keyStoreOptions.loadKeyStore().getCertificate(KEY_STORE_ALIAS);
    }

    private void storeCertificate(KeyPair keyPair, X509Certificate x509Certificate) {
        this.keyStoreOptions.path.getParent().toFile().mkdirs();
        this.keyStoreOptions.storeKeyStore(KeyStoreBuilder.withType(this.keyStoreOptions.keyStoreType).withKeyEntry(KEY_STORE_ALIAS, keyPair.getPrivate(), this.keyStoreOptions.password, x509Certificate).build());
    }

    private X509Certificate sendCsr(Pkcs10Csr pkcs10Csr) {
        return ((CertificateSerializedPayload) this.configServerApi.post(CONFIG_SERVER_CERTIFICATE_SIGNING_PATH, new CsrSerializedPayload(pkcs10Csr), CertificateSerializedPayload.class)).certificate;
    }

    static KeyPair generateKeyPair() {
        return KeyUtils.generateKeypair(KeyAlgorithm.RSA, 2048);
    }

    private static Pkcs10Csr generateCsr(KeyPair keyPair, String str) {
        return Pkcs10CsrBuilder.fromKeypair(new X500Principal("CN=" + str), keyPair, SIGNER_ALGORITHM).build();
    }
}
