package com.yahoo.vespa.hosted.node.admin.maintenance.identity;

import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyStoreType;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.Pkcs10Csr;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
import com.yahoo.vespa.athenz.client.zts.ZtsClientException;
import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
import com.yahoo.vespa.athenz.identityprovider.api.EntityBindingsMapper;
import com.yahoo.vespa.athenz.identityprovider.api.IdentityDocumentClient;
import com.yahoo.vespa.athenz.identityprovider.api.SignedIdentityDocument;
import com.yahoo.vespa.athenz.identityprovider.client.CsrGenerator;
import com.yahoo.vespa.athenz.identityprovider.client.DefaultIdentityDocumentClient;
import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
import com.yahoo.vespa.athenz.utils.SiaUtils;
import com.yahoo.vespa.hosted.dockerapi.ContainerName;
import com.yahoo.vespa.hosted.node.admin.component.ConfigServerInfo;
import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext;
import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentTask;
import com.yahoo.vespa.hosted.node.admin.task.util.file.FileFinder;
import com.yahoo.vespa.hosted.node.admin.task.util.file.UnixPath;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.nio.file.FileSystem;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Level;
import java.util.logging.Logger;

/* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/maintenance/identity/AthenzCredentialsMaintainer.class */
public class AthenzCredentialsMaintainer implements CredentialsMaintainer {
    private static final Logger logger = Logger.getLogger(AthenzCredentialsMaintainer.class.getName());
    private static final Duration EXPIRY_MARGIN = Duration.ofDays(1);
    private static final Duration REFRESH_PERIOD = Duration.ofDays(1);
    private static final Duration REFRESH_BACKOFF = Duration.ofHours(1);
    private static final Path CONTAINER_SIA_DIRECTORY = Paths.get("/var/lib/sia", new String[0]);
    private final URI ztsEndpoint;
    private final Path trustStorePath;
    private final AthenzIdentity configserverIdentity;
    private final Clock clock;
    private final ServiceIdentityProvider hostIdentityProvider;
    private final FileSystem fileSystem;
    private final IdentityDocumentClient identityDocumentClient;
    private final CsrGenerator csrGenerator;
    private final boolean useInternalZts;
    private final Map<ContainerName, Instant> lastRefreshAttempt;

    public AthenzCredentialsMaintainer(URI uri, Path path, ConfigServerInfo configServerInfo, String str, ServiceIdentityProvider serviceIdentityProvider, boolean z) {
        this(uri, path, configServerInfo, str, serviceIdentityProvider, z, Clock.systemUTC(), FileSystems.getDefault());
    }

    public AthenzCredentialsMaintainer(URI uri, Path path, ConfigServerInfo configServerInfo, String str, ServiceIdentityProvider serviceIdentityProvider, boolean z, Clock clock, FileSystem fileSystem) {
        this.lastRefreshAttempt = new ConcurrentHashMap();
        this.ztsEndpoint = uri;
        this.trustStorePath = path;
        this.configserverIdentity = configServerInfo.getConfigServerIdentity();
        this.csrGenerator = new CsrGenerator(str, this.configserverIdentity.getFullName());
        this.hostIdentityProvider = serviceIdentityProvider;
        this.fileSystem = fileSystem;
        this.identityDocumentClient = new DefaultIdentityDocumentClient(configServerInfo.getLoadBalancerEndpoint(), serviceIdentityProvider, new AthenzIdentityVerifier(Set.of(this.configserverIdentity)));
        this.clock = clock;
        this.useInternalZts = z;
    }

    @Override // com.yahoo.vespa.hosted.node.admin.maintenance.identity.CredentialsMaintainer
    public boolean converge(NodeAgentContext nodeAgentContext) {
        if (nodeAgentContext.isDisabled(NodeAgentTask.CredentialsMaintainer)) {
            return false;
        }
        try {
            nodeAgentContext.log(logger, Level.FINE, "Checking certificate");
            Path pathOnHostFromPathInNode = nodeAgentContext.pathOnHostFromPathInNode(CONTAINER_SIA_DIRECTORY);
            Path privateKeyFile = SiaUtils.getPrivateKeyFile(pathOnHostFromPathInNode, nodeAgentContext.identity());
            Path certificateFile = SiaUtils.getCertificateFile(pathOnHostFromPathInNode, nodeAgentContext.identity());
            Path resolve = pathOnHostFromPathInNode.resolve("vespa-node-identity-document.json");
            if (!Files.exists(privateKeyFile, new LinkOption[0]) || !Files.exists(certificateFile, new LinkOption[0]) || !Files.exists(resolve, new LinkOption[0])) {
                nodeAgentContext.log(logger, "Certificate/private key/identity document file does not exist");
                Files.createDirectories(privateKeyFile.getParent(), new FileAttribute[0]);
                Files.createDirectories(certificateFile.getParent(), new FileAttribute[0]);
                Files.createDirectories(resolve.getParent(), new FileAttribute[0]);
                registerIdentity(nodeAgentContext, privateKeyFile, certificateFile, resolve);
                return true;
            }
            X509Certificate readCertificateFromFile = readCertificateFromFile(certificateFile);
            Instant instant = this.clock.instant();
            Instant instant2 = readCertificateFromFile.getNotAfter().toInstant();
            if (isCertificateExpired(instant2, instant)) {
                nodeAgentContext.log(logger, "Certificate has expired (expiry=%s)", instant2.toString());
                registerIdentity(nodeAgentContext, privateKeyFile, certificateFile, resolve);
                return true;
            }
            Duration between = Duration.between(readCertificateFromFile.getNotBefore().toInstant(), instant);
            if (!shouldRefreshCredentials(between)) {
                nodeAgentContext.log(logger, Level.FINE, "Certificate is still valid");
                return false;
            }
            nodeAgentContext.log(logger, "Certificate is ready to be refreshed (age=%s)", between.toString());
            if (shouldThrottleRefreshAttempts(nodeAgentContext.containerName(), instant)) {
                nodeAgentContext.log(logger, Level.WARNING, String.format("Skipping refresh attempt as last refresh was on %s (less than %s ago)", this.lastRefreshAttempt.get(nodeAgentContext.containerName()).toString(), REFRESH_BACKOFF.toString()));
                return false;
            }
            this.lastRefreshAttempt.put(nodeAgentContext.containerName(), instant);
            refreshIdentity(nodeAgentContext, privateKeyFile, certificateFile, resolve);
            return true;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    @Override // com.yahoo.vespa.hosted.node.admin.maintenance.identity.CredentialsMaintainer
    public void clearCredentials(NodeAgentContext nodeAgentContext) {
        FileFinder.files(nodeAgentContext.pathOnHostFromPathInNode(CONTAINER_SIA_DIRECTORY)).deleteRecursively(nodeAgentContext);
        this.lastRefreshAttempt.remove(nodeAgentContext.containerName());
    }

    @Override // com.yahoo.vespa.hosted.node.admin.maintenance.identity.CredentialsMaintainer
    public Duration certificateLifetime(NodeAgentContext nodeAgentContext) {
        Path certificateFile = SiaUtils.getCertificateFile(this.fileSystem.getPath(nodeAgentContext.pathOnHostFromPathInNode(CONTAINER_SIA_DIRECTORY).toString(), new String[0]), nodeAgentContext.identity());
        try {
            return Duration.between(this.clock.instant(), readCertificateFromFile(certificateFile).getNotAfter().toInstant());
        } catch (IOException e) {
            nodeAgentContext.log(logger, Level.SEVERE, "Unable to read certificate at " + certificateFile, e);
            return Duration.ZERO;
        }
    }

    @Override // com.yahoo.vespa.hosted.node.admin.maintenance.identity.CredentialsMaintainer
    public String name() {
        return "node-certificate";
    }

    private boolean shouldRefreshCredentials(Duration duration) {
        return duration.compareTo(REFRESH_PERIOD) >= 0;
    }

    private boolean shouldThrottleRefreshAttempts(ContainerName containerName, Instant instant) {
        return REFRESH_BACKOFF.compareTo(Duration.between(this.lastRefreshAttempt.getOrDefault(containerName, Instant.EPOCH), instant)) > 0;
    }

    private void registerIdentity(NodeAgentContext nodeAgentContext, Path path, Path path2, Path path3) {
        KeyPair generateKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
        SignedIdentityDocument nodeIdentityDocument = this.identityDocumentClient.getNodeIdentityDocument(nodeAgentContext.hostname().value());
        Pkcs10Csr generateInstanceCsr = this.csrGenerator.generateInstanceCsr(nodeAgentContext.identity(), nodeIdentityDocument.providerUniqueId(), nodeIdentityDocument.ipAddresses(), generateKeypair);
        DefaultZtsClient build = new DefaultZtsClient.Builder(this.ztsEndpoint).withIdentityProvider(this.hostIdentityProvider).withHostnameVerifier(this.useInternalZts ? new AthenzIdentityVerifier(Set.of(this.configserverIdentity)) : null).build();
        try {
            InstanceIdentity registerInstance = build.registerInstance(this.configserverIdentity, nodeAgentContext.identity(), EntityBindingsMapper.toAttestationData(nodeIdentityDocument), generateInstanceCsr);
            EntityBindingsMapper.writeSignedIdentityDocumentToFile(path3, nodeIdentityDocument);
            writePrivateKeyAndCertificate(nodeAgentContext.vespaUserOnHost(), path, generateKeypair.getPrivate(), path2, registerInstance.certificate());
            nodeAgentContext.log(logger, "Instance successfully registered and credentials written to file");
            if (build != null) {
                build.close();
            }
        } catch (Throwable th) {
            if (build != null) {
                try {
                    build.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void refreshIdentity(NodeAgentContext nodeAgentContext, Path path, Path path2, Path path3) {
        DefaultZtsClient build;
        SignedIdentityDocument readSignedIdentityDocumentFromFile = EntityBindingsMapper.readSignedIdentityDocumentFromFile(path3);
        KeyPair generateKeypair = KeyUtils.generateKeypair(KeyAlgorithm.RSA);
        Pkcs10Csr generateInstanceCsr = this.csrGenerator.generateInstanceCsr(nodeAgentContext.identity(), readSignedIdentityDocumentFromFile.providerUniqueId(), readSignedIdentityDocumentFromFile.ipAddresses(), generateKeypair);
        try {
            try {
                build = new DefaultZtsClient.Builder(this.ztsEndpoint).withSslContext(new SslContextBuilder().withKeyStore(path, path2).withTrustStore(this.trustStorePath, KeyStoreType.JKS).build()).withHostnameVerifier(this.useInternalZts ? new AthenzIdentityVerifier(Set.of(this.configserverIdentity)) : null).build();
            } catch (ZtsClientException e) {
                if (e.getErrorCode() != 403 || !e.getDescription().startsWith("Certificate revoked")) {
                    throw e;
                }
                nodeAgentContext.log(logger, Level.SEVERE, "Certificate cannot be refreshed as it is revoked by ZTS - re-registering the instance now", e);
                registerIdentity(nodeAgentContext, path, path2, path3);
            }
            try {
                writePrivateKeyAndCertificate(nodeAgentContext.vespaUserOnHost(), path, generateKeypair.getPrivate(), path2, build.refreshInstance(this.configserverIdentity, nodeAgentContext.identity(), readSignedIdentityDocumentFromFile.providerUniqueId().asDottedString(), generateInstanceCsr).certificate());
                nodeAgentContext.log(logger, "Instance successfully refreshed and credentials written to file");
                if (build != null) {
                    build.close();
                }
            } catch (Throwable th) {
                if (build != null) {
                    try {
                        build.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (Exception e2) {
            nodeAgentContext.log(logger, Level.SEVERE, "Certificate refresh failed: " + e2.getMessage(), e2);
        }
    }

    private static void writePrivateKeyAndCertificate(String str, Path path, PrivateKey privateKey, Path path2, X509Certificate x509Certificate) {
        writeFile(path, str, KeyUtils.toPem(privateKey));
        writeFile(path2, str, X509CertificateUtils.toPem(x509Certificate));
    }

    private static void writeFile(Path path, String str, String str2) {
        new UnixPath(path.toString() + ".tmp").deleteIfExists().createNewFile("r--------").setOwner(str).writeUtf8File(str2, new OpenOption[0]).atomicMove(path);
    }

    private static X509Certificate readCertificateFromFile(Path path) throws IOException {
        return X509CertificateUtils.fromPem(new String(Files.readAllBytes(path)));
    }

    private static boolean isCertificateExpired(Instant instant, Instant instant2) {
        return instant2.isAfter(instant.minus((TemporalAmount) EXPIRY_MARGIN));
    }
}
