package com.yahoo.vespa.hosted.node.admin.maintenance.identity;

import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
import com.yahoo.vespa.athenz.client.zts.ZtsClientException;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.client.DefaultIdentityDocumentClient;
import com.yahoo.vespa.athenz.identityprovider.client.InstanceCsrGenerator;
import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
import com.yahoo.vespa.athenz.tls.KeyAlgorithm;
import com.yahoo.vespa.athenz.tls.KeyStoreType;
import com.yahoo.vespa.athenz.tls.KeyUtils;
import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
import com.yahoo.vespa.athenz.tls.SslContextBuilder;
import com.yahoo.vespa.athenz.tls.X509CertificateUtils;
import com.yahoo.vespa.athenz.utils.SiaUtils;
import com.yahoo.vespa.hosted.dockerapi.ContainerName;
import com.yahoo.vespa.hosted.node.admin.component.Environment;
import com.yahoo.vespa.hosted.node.admin.util.PrefixLogger;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collections;

/* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.class */
public class AthenzCredentialsMaintainer {
    private static final Duration EXPIRY_MARGIN = Duration.ofDays(1);
    private static final Duration REFRESH_PERIOD = Duration.ofDays(1);
    private static final Duration REFRESH_BACKOFF = Duration.ofHours(1);
    private static final Path CONTAINER_SIA_DIRECTORY = Paths.get("/var/lib/sia", new String[0]);
    private final boolean enabled;
    private final PrefixLogger log;
    private final String hostname;
    private final Path trustStorePath;
    private final Path privateKeyFile;
    private final Path certificateFile;
    private final Path identityDocumentFile;
    private final AthenzService containerIdentity;
    private final URI ztsEndpoint;
    private final Clock clock;
    private final ServiceIdentityProvider hostIdentityProvider;
    private final IdentityDocumentClient identityDocumentClient;
    private final InstanceCsrGenerator csrGenerator;
    private final AthenzService configserverIdentity;
    private Instant lastRefreshAttempt = Instant.EPOCH;

    public AthenzCredentialsMaintainer(String str, Environment environment, ServiceIdentityProvider serviceIdentityProvider) {
        ContainerName fromHostname = ContainerName.fromHostname(str);
        Path pathInNodeAdminFromPathInNode = environment.pathInNodeAdminFromPathInNode(fromHostname, CONTAINER_SIA_DIRECTORY);
        this.enabled = environment.isNodeAgentCertEnabled();
        this.log = PrefixLogger.getNodeAgentLogger(AthenzCredentialsMaintainer.class, fromHostname);
        this.hostname = str;
        this.containerIdentity = environment.getNodeAthenzIdentity();
        this.ztsEndpoint = environment.getZtsUri();
        this.configserverIdentity = environment.getConfigserverAthenzIdentity();
        this.csrGenerator = new InstanceCsrGenerator(environment.getCertificateDnsSuffix());
        this.trustStorePath = environment.getTrustStorePath();
        this.privateKeyFile = SiaUtils.getPrivateKeyFile(pathInNodeAdminFromPathInNode, this.containerIdentity);
        this.certificateFile = SiaUtils.getCertificateFile(pathInNodeAdminFromPathInNode, this.containerIdentity);
        this.identityDocumentFile = pathInNodeAdminFromPathInNode.resolve("vespa-node-identity-document.json");
        this.hostIdentityProvider = serviceIdentityProvider;
        this.identityDocumentClient = new DefaultIdentityDocumentClient(environment.getConfigserverLoadBalancerEndpoint(), serviceIdentityProvider, new AthenzIdentityVerifier(Collections.singleton(this.configserverIdentity)));
        this.clock = Clock.systemUTC();
    }

    public void converge() {
        try {
            if (!this.enabled) {
                this.log.debug("Feature disabled on this host - not fetching certificate");
                return;
            }
            this.log.debug("Checking certificate");
            Instant instant = this.clock.instant();
            if (!Files.exists(this.privateKeyFile, new LinkOption[0]) || !Files.exists(this.certificateFile, new LinkOption[0]) || !Files.exists(this.identityDocumentFile, new LinkOption[0])) {
                this.log.info("Certificate/private key/identity document file does not exist");
                Files.createDirectories(this.privateKeyFile.getParent(), new FileAttribute[0]);
                Files.createDirectories(this.certificateFile.getParent(), new FileAttribute[0]);
                Files.createDirectories(this.identityDocumentFile.getParent(), new FileAttribute[0]);
                registerIdentity();
                return;
            }
            X509Certificate readCertificateFromFile = readCertificateFromFile();
            Instant instant2 = readCertificateFromFile.getNotAfter().toInstant();
            if (isCertificateExpired(instant2, instant)) {
                this.log.info(String.format("Certificate has expired (expiry=%s)", instant2.toString()));
                registerIdentity();
                return;
            }
            Duration between = Duration.between(readCertificateFromFile.getNotBefore().toInstant(), instant);
            if (!shouldRefreshCredentials(between)) {
                this.log.debug("Certificate is still valid");
                return;
            }
            this.log.info(String.format("Certificate is ready to be refreshed (age=%s)", between.toString()));
            if (shouldThrottleRefreshAttempts(instant)) {
                this.log.warning(String.format("Skipping refresh attempt as last refresh was on %s (less than %s ago)", this.lastRefreshAttempt.toString(), REFRESH_BACKOFF.toString()));
            } else {
                this.lastRefreshAttempt = instant;
                refreshIdentity();
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public void clearCredentials() {
        if (this.enabled) {
            try {
                if (Files.deleteIfExists(this.privateKeyFile)) {
                    this.log.info(String.format("Deleted private key file (path=%s)", this.privateKeyFile));
                }
                if (Files.deleteIfExists(this.certificateFile)) {
                    this.log.info(String.format("Deleted certificate file (path=%s)", this.certificateFile));
                }
                if (Files.deleteIfExists(this.identityDocumentFile)) {
                    this.log.info(String.format("Deleted identity document file (path=%s)", this.certificateFile));
                }
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        }
    }

    private boolean shouldRefreshCredentials(Duration duration) {
        return duration.compareTo(REFRESH_PERIOD) >= 0;
    }

    private boolean shouldThrottleRefreshAttempts(Instant instant) {
        return REFRESH_BACKOFF.compareTo(Duration.between(this.lastRefreshAttempt, instant)) > 0;
    }

    private X509Certificate readCertificateFromFile() throws IOException {
        return X509CertificateUtils.fromPem(new String(Files.readAllBytes(this.certificateFile)));
    }

    private boolean isCertificateExpired(Instant instant, Instant instant2) {
        return instant2.isAfter(instant.minus((TemporalAmount) EXPIRY_MARGIN));
    }

    private void registerIdentity() {
        KeyPair generateKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
        SignedIdentityDocument nodeIdentityDocument = this.identityDocumentClient.getNodeIdentityDocument(this.hostname);
        Pkcs10Csr generateCsr = this.csrGenerator.generateCsr(this.containerIdentity, nodeIdentityDocument.providerUniqueId(), nodeIdentityDocument.ipAddresses(), generateKeypair);
        try {
            DefaultZtsClient defaultZtsClient = new DefaultZtsClient(this.ztsEndpoint, this.hostIdentityProvider);
            Throwable th = null;
            try {
                try {
                    InstanceIdentity registerInstance = defaultZtsClient.registerInstance(this.configserverIdentity, this.containerIdentity, nodeIdentityDocument.providerUniqueId().asDottedString(), EntityBindingsMapper.toAttestationData(nodeIdentityDocument), false, generateCsr);
                    EntityBindingsMapper.writeSignedIdentityDocumentToFile(this.identityDocumentFile, nodeIdentityDocument);
                    writePrivateKeyAndCertificate(generateKeypair.getPrivate(), registerInstance.certificate());
                    this.log.info("Instance successfully registered and credentials written to file");
                    if (defaultZtsClient != null) {
                        if (0 != 0) {
                            try {
                                defaultZtsClient.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            defaultZtsClient.close();
                        }
                    }
                } finally {
                }
            } finally {
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    private void refreshIdentity() {
        DefaultZtsClient defaultZtsClient;
        Throwable th;
        SignedIdentityDocument readSignedIdentityDocumentFromFile = EntityBindingsMapper.readSignedIdentityDocumentFromFile(this.identityDocumentFile);
        KeyPair generateKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
        Pkcs10Csr generateCsr = this.csrGenerator.generateCsr(this.containerIdentity, readSignedIdentityDocumentFromFile.providerUniqueId(), readSignedIdentityDocumentFromFile.ipAddresses(), generateKeypair);
        try {
            try {
                defaultZtsClient = new DefaultZtsClient(this.ztsEndpoint, this.containerIdentity, new SslContextBuilder().withKeyStore(this.privateKeyFile.toFile(), this.certificateFile.toFile()).withTrustStore(this.trustStorePath.toFile(), KeyStoreType.JKS).build());
                th = null;
            } catch (ZtsClientException e) {
                if (e.getErrorCode() != 403 || !e.getDescription().startsWith("Certificate revoked")) {
                    throw e;
                }
                this.log.error("Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
                registerIdentity();
            }
            try {
                try {
                    writePrivateKeyAndCertificate(generateKeypair.getPrivate(), defaultZtsClient.refreshInstance(this.configserverIdentity, this.containerIdentity, readSignedIdentityDocumentFromFile.providerUniqueId().asDottedString(), false, generateCsr).certificate());
                    this.log.info("Instance successfully refreshed and credentials written to file");
                    if (defaultZtsClient != null) {
                        if (0 != 0) {
                            try {
                                defaultZtsClient.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            defaultZtsClient.close();
                        }
                    }
                } catch (Throwable th3) {
                    th = th3;
                    throw th3;
                }
            } catch (Throwable th4) {
                if (defaultZtsClient != null) {
                    if (th != null) {
                        try {
                            defaultZtsClient.close();
                        } catch (Throwable th5) {
                            th.addSuppressed(th5);
                        }
                    } else {
                        defaultZtsClient.close();
                    }
                }
                throw th4;
            }
        } catch (Exception e2) {
            this.log.error("Certificate refresh failed: " + e2.getMessage(), e2);
        }
    }

    private void writePrivateKeyAndCertificate(PrivateKey privateKey, X509Certificate x509Certificate) throws IOException {
        Path tempPath = toTempPath(this.privateKeyFile);
        Files.write(tempPath, KeyUtils.toPem(privateKey).getBytes(), new OpenOption[0]);
        Path tempPath2 = toTempPath(this.certificateFile);
        Files.write(tempPath2, X509CertificateUtils.toPem(x509Certificate).getBytes(), new OpenOption[0]);
        Files.move(tempPath, this.privateKeyFile, StandardCopyOption.ATOMIC_MOVE);
        Files.move(tempPath2, this.certificateFile, StandardCopyOption.ATOMIC_MOVE);
    }

    private static Path toTempPath(Path path) {
        return Paths.get(path.toAbsolutePath().toString() + ".tmp", new String[0]);
    }
}
