package org.apache.pulsar.functions.auth;

import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.apis.CoreV1Api;
import io.kubernetes.client.openapi.models.V1DeleteOptions;
import io.kubernetes.client.openapi.models.V1ObjectMeta;
import io.kubernetes.client.openapi.models.V1PodSpec;
import io.kubernetes.client.openapi.models.V1Secret;
import io.kubernetes.client.openapi.models.V1SecretVolumeSource;
import io.kubernetes.client.openapi.models.V1StatefulSet;
import io.kubernetes.client.openapi.models.V1Volume;
import io.kubernetes.client.openapi.models.V1VolumeMount;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Function;
import javax.naming.AuthenticationException;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.broker.authentication.AuthenticationProviderToken;
import org.apache.pulsar.client.impl.auth.AuthenticationToken;
import org.apache.pulsar.functions.instance.AuthenticationConfig;
import org.apache.pulsar.functions.proto.Function;
import org.apache.pulsar.functions.utils.Actions;
import org.apache.pulsar.functions.utils.FunctionCommon;
import org.apache.pulsar.shade.com.google.common.annotations.VisibleForTesting;
import org.apache.pulsar.shade.org.apache.commons.lang3.RandomStringUtils;
import org.apache.pulsar.shade.org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/functions/auth/KubernetesSecretsTokenAuthProvider.class */
public class KubernetesSecretsTokenAuthProvider implements KubernetesFunctionAuthProvider {
    private static final Logger log = LoggerFactory.getLogger(KubernetesSecretsTokenAuthProvider.class);
    private static final int NUM_RETRIES = 5;
    private static final long SLEEP_BETWEEN_RETRIES_MS = 500;
    private static final String SECRET_NAME = "function-auth";
    private static final String DEFAULT_SECRET_MOUNT_DIR = "/etc/auth";
    private static final String FUNCTION_AUTH_TOKEN = "token";
    private static final String FUNCTION_CA_CERT = "ca.pem";
    private CoreV1Api coreClient;
    private byte[] caBytes;
    private Function<Function.FunctionDetails, String> getNamespaceFromDetails;

    @Override // org.apache.pulsar.functions.auth.KubernetesFunctionAuthProvider
    public void initialize(CoreV1Api coreV1Api) {
        this.coreClient = coreV1Api;
    }

    @Override // org.apache.pulsar.functions.auth.KubernetesFunctionAuthProvider
    public void setCaBytes(byte[] bArr) {
        this.caBytes = bArr;
    }

    @Override // org.apache.pulsar.functions.auth.KubernetesFunctionAuthProvider
    public void setNamespaceProviderFunc(java.util.function.Function<Function.FunctionDetails, String> function) {
        this.getNamespaceFromDetails = function;
    }

    private String getKubeNamespace(Function.FunctionDetails functionDetails) {
        return this.getNamespaceFromDetails.apply(functionDetails);
    }

    @Override // org.apache.pulsar.functions.auth.KubernetesFunctionAuthProvider
    public void configureAuthDataStatefulSet(V1StatefulSet v1StatefulSet, Optional<FunctionAuthData> optional) {
        if (optional.isPresent()) {
            V1PodSpec spec = v1StatefulSet.getSpec().getTemplate().getSpec();
            spec.setVolumes(Collections.singletonList(new V1Volume().name(SECRET_NAME).secret(new V1SecretVolumeSource().secretName(getSecretName(new String(optional.get().getData()))))));
            spec.getContainers().forEach(v1Container -> {
                v1Container.setVolumeMounts(Collections.singletonList(new V1VolumeMount().name(SECRET_NAME).mountPath(DEFAULT_SECRET_MOUNT_DIR).readOnly(true)));
            });
        }
    }

    @Override // org.apache.pulsar.functions.auth.FunctionAuthProvider
    public void configureAuthenticationConfig(AuthenticationConfig authenticationConfig, Optional<FunctionAuthData> optional) {
        if (!optional.isPresent()) {
            authenticationConfig.setClientAuthenticationPlugin(null);
            authenticationConfig.setClientAuthenticationParameters(null);
            return;
        }
        authenticationConfig.setClientAuthenticationPlugin(AuthenticationToken.class.getName());
        authenticationConfig.setClientAuthenticationParameters(Paths.get(DEFAULT_SECRET_MOUNT_DIR, "token").toUri().toString());
        if (this.caBytes != null) {
            authenticationConfig.setTlsTrustCertsFilePath(String.format("%s/%s", DEFAULT_SECRET_MOUNT_DIR, FUNCTION_CA_CERT));
        }
    }

    @Override // org.apache.pulsar.functions.auth.FunctionAuthProvider
    public Optional<FunctionAuthData> cacheAuthData(Function.FunctionDetails functionDetails, AuthenticationDataSource authenticationDataSource) {
        String str = null;
        String tenant = functionDetails.getTenant();
        String namespace = functionDetails.getNamespace();
        String name = functionDetails.getName();
        try {
            String token = AuthenticationProviderToken.getToken(authenticationDataSource);
            if (token != null) {
                str = createSecret(token, functionDetails);
            }
        } catch (Exception e) {
            log.warn("Failed to get token for function {}", FunctionCommon.getFullyQualifiedName(tenant, namespace, name), e);
        }
        return str != null ? Optional.of(FunctionAuthData.builder().data(str.getBytes()).build()) : Optional.empty();
    }

    @Override // org.apache.pulsar.functions.auth.FunctionAuthProvider
    public void cleanUpAuthData(Function.FunctionDetails functionDetails, Optional<FunctionAuthData> optional) throws Exception {
        if (optional.isPresent()) {
            String fullyQualifiedName = FunctionCommon.getFullyQualifiedName(functionDetails.getTenant(), functionDetails.getNamespace(), functionDetails.getName());
            String str = new String(optional.get().getData());
            if (StringUtils.isBlank(str)) {
                log.warn("Secret name for function {} is empty.", fullyQualifiedName);
                return;
            }
            String secretName = getSecretName(str);
            String kubeNamespace = getKubeNamespace(functionDetails);
            Actions.Action build = Actions.Action.builder().actionName(String.format("Deleting secrets for function %s", fullyQualifiedName)).numRetries(5).sleepBetweenInvocationsMs(500L).supplier(() -> {
                try {
                    this.coreClient.deleteNamespacedSecret(secretName, kubeNamespace, (String) null, (String) null, 0, (Boolean) null, "Foreground", (V1DeleteOptions) null);
                    return Actions.ActionResult.builder().success(true).build();
                } catch (ApiException e) {
                    if (e.getCode() != 404) {
                        return Actions.ActionResult.builder().success(false).errorMsg(e.getResponseBody() != null ? e.getResponseBody() : e.getMessage()).build();
                    }
                    log.warn("Secrets for function {} does not exist", fullyQualifiedName);
                    return Actions.ActionResult.builder().success(true).build();
                }
            }).build();
            Actions.Action build2 = Actions.Action.builder().actionName(String.format("Waiting for secrets for function %s to complete deletion", fullyQualifiedName)).numRetries(5).sleepBetweenInvocationsMs(500L).supplier(() -> {
                try {
                    this.coreClient.readNamespacedSecret(secretName, kubeNamespace, (String) null);
                    return Actions.ActionResult.builder().success(false).build();
                } catch (ApiException e) {
                    if (e.getCode() == 404) {
                        return Actions.ActionResult.builder().success(true).build();
                    }
                    return Actions.ActionResult.builder().success(false).errorMsg(e.getResponseBody() != null ? e.getResponseBody() : e.getMessage()).build();
                }
            }).build();
            AtomicBoolean atomicBoolean = new AtomicBoolean(false);
            Actions.newBuilder().addAction(build.toBuilder().continueOn(true).build()).addAction(build2.toBuilder().continueOn(false).onSuccess(actionResult -> {
                atomicBoolean.set(true);
            }).build()).addAction(build.toBuilder().continueOn(true).build()).addAction(build2.toBuilder().onSuccess(actionResult2 -> {
                atomicBoolean.set(true);
            }).build()).run();
            if (!atomicBoolean.get()) {
                throw new RuntimeException(String.format("Failed to delete secrets for function %s", fullyQualifiedName));
            }
        }
    }

    @Override // org.apache.pulsar.functions.auth.FunctionAuthProvider
    public Optional<FunctionAuthData> updateAuthData(Function.FunctionDetails functionDetails, Optional<FunctionAuthData> optional, AuthenticationDataSource authenticationDataSource) throws Exception {
        String str = (String) optional.map(functionAuthData -> {
            return new String(functionAuthData.getData());
        }).orElseGet(() -> {
            return RandomStringUtils.random(5, true, true).toLowerCase();
        });
        try {
            String token = AuthenticationProviderToken.getToken(authenticationDataSource);
            if (token == null) {
                return optional;
            }
            upsertSecret(token, functionDetails, getSecretName(str));
            return Optional.of(FunctionAuthData.builder().data(str.getBytes()).build());
        } catch (AuthenticationException e) {
            cleanUpAuthData(functionDetails, optional);
            return Optional.empty();
        }
    }

    @VisibleForTesting
    Map<String, byte[]> buildSecretMap(String str) {
        HashMap hashMap = new HashMap();
        hashMap.put("token", str.getBytes());
        if (this.caBytes != null) {
            hashMap.put(FUNCTION_CA_CERT, this.caBytes);
        }
        return hashMap;
    }

    private void upsertSecret(String str, Function.FunctionDetails functionDetails, String str2) throws InterruptedException {
        String tenant = functionDetails.getTenant();
        String namespace = functionDetails.getNamespace();
        String name = functionDetails.getName();
        String kubeNamespace = getKubeNamespace(functionDetails);
        Actions.Action build = Actions.Action.builder().actionName(String.format("Upsert authentication secret for function %s/%s/%s", tenant, namespace, name)).numRetries(5).sleepBetweenInvocationsMs(500L).supplier(() -> {
            RandomStringUtils.random(5, true, true).toLowerCase();
            V1Secret data = new V1Secret().metadata(new V1ObjectMeta().name(str2)).data(buildSecretMap(str));
            try {
                this.coreClient.createNamespacedSecret(kubeNamespace, data, (String) null, (String) null, (String) null, (String) null);
                return Actions.ActionResult.builder().success(true).build();
            } catch (ApiException e) {
                if (e.getCode() != 409) {
                    return Actions.ActionResult.builder().success(false).errorMsg(e.getResponseBody() != null ? e.getResponseBody() : e.getMessage()).build();
                }
                try {
                    this.coreClient.replaceNamespacedSecret(str2, kubeNamespace, data, (String) null, (String) null, (String) null, (String) null);
                    return Actions.ActionResult.builder().success(true).build();
                } catch (ApiException e2) {
                    return Actions.ActionResult.builder().success(false).errorMsg(e.getResponseBody() != null ? e.getResponseBody() : e.getMessage()).build();
                }
            }
        }).build();
        AtomicBoolean atomicBoolean = new AtomicBoolean(false);
        Actions.newBuilder().addAction(build.toBuilder().onSuccess(actionResult -> {
            atomicBoolean.set(true);
        }).build()).run();
        if (!atomicBoolean.get()) {
            throw new RuntimeException(String.format("Failed to upsert authentication secret for function %s/%s/%s", tenant, namespace, name));
        }
    }

    private String createSecret(String str, Function.FunctionDetails functionDetails) throws ApiException, InterruptedException {
        String kubeNamespace = getKubeNamespace(functionDetails);
        String tenant = functionDetails.getTenant();
        String namespace = functionDetails.getNamespace();
        String name = functionDetails.getName();
        StringBuilder sb = new StringBuilder();
        Actions.Action build = Actions.Action.builder().actionName(String.format("Creating authentication secret for function %s/%s/%s", tenant, namespace, name)).numRetries(5).sleepBetweenInvocationsMs(500L).supplier(() -> {
            String lowerCase = RandomStringUtils.random(5, true, true).toLowerCase();
            try {
                this.coreClient.createNamespacedSecret(kubeNamespace, new V1Secret().metadata(new V1ObjectMeta().name(getSecretName(lowerCase))).data(buildSecretMap(str)), (String) null, (String) null, (String) null, (String) null);
                sb.append(lowerCase.toCharArray());
                return Actions.ActionResult.builder().success(true).build();
            } catch (ApiException e) {
                if (e.getCode() == 409) {
                    return Actions.ActionResult.builder().errorMsg(String.format("Secret %s already present", lowerCase)).success(false).build();
                }
                return Actions.ActionResult.builder().success(false).errorMsg(e.getResponseBody() != null ? e.getResponseBody() : e.getMessage()).build();
            }
        }).build();
        AtomicBoolean atomicBoolean = new AtomicBoolean(false);
        Actions.newBuilder().addAction(build.toBuilder().onSuccess(actionResult -> {
            atomicBoolean.set(true);
        }).build()).run();
        if (atomicBoolean.get()) {
            return sb.toString();
        }
        throw new RuntimeException(String.format("Failed to create authentication secret for function %s/%s/%s", tenant, namespace, name));
    }

    private String getSecretName(String str) {
        return "pf-secret-" + str;
    }
}
