package com.huawei.dlcatalog.credential.services.internal;

import com.huawei.dlcatalog.constant.DLCatalogConstants;
import com.huawei.dlcatalog.exception.DlCatalogException;
import com.huawei.dlcatalog.util.DatacraftCipherUtil;
import com.huawei.mrs.AgencyMappingLoader;
import com.huawei.mrs.ECSMetaHolder;
import com.huawei.mrs.EcsMeta;
import com.huawei.mrs.IassHttpClient;
import com.obs.services.EcsObsCredentialsProvider;
import com.obs.services.IObsCredentialsProvider;
import com.obs.services.internal.security.LimitedTimeSecurityKey;
import com.obs.services.internal.security.SecurityKey;
import com.obs.services.internal.security.SecurityKeyBean;
import com.obs.services.model.ISecurityKey;
import java.io.IOException;
import java.net.URI;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.login.LoginException;
import obs.shaded.okhttp3.MediaType;
import obs.shaded.okhttp3.RequestBody;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/huawei/dlcatalog/credential/services/internal/UserDLCatalogCredentialsProvider.class */
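/**
 * OBS credentials provider that hands out temporary security keys for the current Hadoop user.
 *
 * <p>Two acquisition paths exist, selected in {@link #getSecurityKey()}:
 * <ul>
 *   <li>when {@code dlcatalog.password} is configured, a password login against IAM followed by an
 *       assume-role request ({@link #getNewSecurityKeyByUser()});</li>
 *   <li>otherwise, the ECS-provided key is fetched and exchanged for an assume-role key.</li>
 * </ul>
 * The agency to assume comes from the local agency-mapping file or from {@code dlcatalog.assumeRole}.
 *
 * <p>Keys are cached per instance, keyed by the user resolved at construction time, and are
 * re-fetched once the cached key reports that it is about to expire.
 */
public class UserDLCatalogCredentialsProvider implements IObsCredentialsProvider {
    private static final String MAPPING_KEY_NAME = "fs.obs.auth.agency-mapping.localpath";
    private static final String OBTAIN_KEY_MAX_RETRY = "mrs.provider.key.max.retry";
    private static final int DEFAULT_OBTAIN_KEY_MAX_RETRY = 3;
    private final Configuration conf;
    private final UserGroupInformation userInfo;
    private String iamDomainUrl;
    private String iamAuthTokenUrl;
    private String userDomainName;
    private String userDomainId;
    private String clusterAgencyName;
    private final String agencyMappingLocalPath;
    private final Map<UserGroupInformation, ISecurityKey> securityKeyCacheMap;
    private final int securityKeyMaxRetry;
    private static final Logger LOGGER = LoggerFactory.getLogger(UserDLCatalogCredentialsProvider.class);
    private static final MediaType JSON = MediaType.get("application/json; charset=utf-8");
    private static final EcsObsCredentialsProvider ecsObsCredentialsProvider = new EcsObsCredentialsProvider();
    // Matches "scheme://host" only: find() takes the first such prefix, so any port or path in the
    // metadata URL is dropped. Plain http is accepted as well as https.
    private static final Pattern PATTERN = Pattern.compile("(https?)://[-A-Za-z0-9.]+");

    /** Creates a provider backed by a default Hadoop {@link Configuration}. */
    public UserDLCatalogCredentialsProvider() {
        this((URI) null, new Configuration());
    }

    /**
     * Creates a provider that reads its settings from the given configuration.
     *
     * @param configuration Hadoop configuration holding the {@code dlcatalog.*} and agency-mapping keys
     */
    public UserDLCatalogCredentialsProvider(Configuration configuration) {
        this((URI) null, configuration);
    }

    /**
     * Resolves the calling user, initialises the HTTP clients and derives the IAM token endpoint
     * from the ECS metadata.
     *
     * @param uri unused by this constructor
     * @param configuration Hadoop configuration holding the {@code dlcatalog.*} and agency-mapping keys
     * @throws IllegalStateException if ECS metadata is present but its IAM URL is missing or does
     *     not start with an http(s) host
     */
    public UserDLCatalogCredentialsProvider(URI uri, Configuration configuration) {
        this.securityKeyCacheMap = new ConcurrentHashMap<>();
        this.conf = configuration;
        this.agencyMappingLocalPath = configuration.get(MAPPING_KEY_NAME, "");
        this.userInfo = getRealUser();
        try {
            // NOTE(review): the meaning of the `true` flag is not visible in this file; confirm
            // what it enables on both clients.
            IassHttpClient.init(true);
            IamSdkClient.init(true);
        } catch (Exception e) {
            // Best effort, as before: construction continues, but the cause is now recorded.
            LOGGER.error("IassHttpClient init failed, cannot get provider.", e);
        }
        EcsMeta metadata = ECSMetaHolder.getInstance().getMetadata();
        if (metadata != null) {
            this.iamDomainUrl = metadata.getIamUrl();
            this.userDomainName = metadata.getUserDomainName();
            this.userDomainId = metadata.getUserDomainId();
            this.clusterAgencyName = metadata.getAgencyName();
            Matcher matcher = this.iamDomainUrl == null ? null : PATTERN.matcher(this.iamDomainUrl);
            if (matcher == null || !matcher.find()) {
                // Previously this path logged and then failed inside matcher.group(0) (or with a
                // NullPointerException for a null URL); fail with an explicit message instead.
                LOGGER.error("Iam domain url is find failed! url={}, userDomainName={}",
                        this.iamDomainUrl, this.userDomainName);
                throw new IllegalStateException(
                        "Cannot derive IAM token endpoint from ECS metadata IAM URL: " + this.iamDomainUrl);
            }
            if ("http".equals(matcher.group(1))) {
                // The password login body and the issued tokens are sent to this endpoint.
                LOGGER.warn("IAM url uses plain http, credentials sent to it are not protected in transit: {}",
                        matcher.group(0));
            }
            this.iamAuthTokenUrl = matcher.group(0) + "/v3/auth/tokens";
        } else {
            LOGGER.warn("Get ecs meta is null, will disable assume role.");
        }
        this.securityKeyMaxRetry = configuration.getInt(OBTAIN_KEY_MAX_RETRY, DEFAULT_OBTAIN_KEY_MAX_RETRY);
    }

    /**
     * Not supported: keys are always obtained from IAM / ECS.
     *
     * @param iSecurityKey ignored
     * @throws UnsupportedOperationException always
     */
    public void setSecurityKey(ISecurityKey iSecurityKey) {
        throw new UnsupportedOperationException("UserDLCatalogCredentialsProvider class does not support this method");
    }

    /**
     * Returns the cached key while it is still valid, otherwise fetches, caches and returns a new one.
     *
     * @return a security key for the user resolved at construction time
     */
    public ISecurityKey getSecurityKey() {
        ISecurityKey cached = this.securityKeyCacheMap.get(this.userInfo);
        if (cached instanceof LimitedTimeSecurityKey) {
            LimitedTimeSecurityKey cachedKey = (LimitedTimeSecurityKey) cached;
            if (!cachedKey.aboutToExpire() && !cachedKey.willSoonExpire()) {
                LOGGER.debug("SecurityKey cache is not expire, return securityKey from cache, expire date{}",
                        cachedKey.getExpiryDate());
                return cachedKey;
            }
        }
        // A configured password selects the password-login path; otherwise the ECS key is used.
        LimitedTimeSecurityKey freshKey = StringUtils.isNotBlank(this.conf.get("dlcatalog.password"))
                ? getNewSecurityKeyByUser()
                : getNewSecurityKey();
        LOGGER.info("Get security key expired at: " + freshKey.getExpiryDate());
        this.securityKeyCacheMap.put(this.userInfo, freshKey);
        return freshKey;
    }

    /**
     * Logs in to IAM with the configured user name and password, then requests an assume-role key
     * for the agency mapped to the current user.
     *
     * @return the key returned by IAM for the assumed agency
     */
    public LimitedTimeSecurityKey getNewSecurityKeyByUser() {
        LOGGER.info("get security key by getNewSecurityKeyByUser.");
        String userName = this.conf.get("dlcatalog.user", "dlcatalog");
        // NOTE(review): "password" is a hard-coded fallback for a missing dlcatalog.password;
        // getSecurityKey() only takes this path when the key is set, but direct callers of this
        // public method can still reach the default. Consider failing when it is absent.
        String encryptedPassword = this.conf.get("dlcatalog.password", "password");
        // The INFO log of DatacraftCipherUtil.encrypt(password) was removed: credential-derived
        // material does not belong in logs, even in encrypted form.
        String plainPassword = DatacraftCipherUtil.decrypt2String(encryptedPassword);
        if (StringUtils.isBlank(this.userDomainName)) {
            // NOTE(review): the fallback reads DLCatalogConstants.DOMAIN_ID into the domain *name*;
            // confirm the configured value really is a name.
            this.userDomainName = this.conf.get(DLCatalogConstants.DOMAIN_ID);
        }
        RequestBody loginBody = RequestBody.create(JSON, builtUserBody(userName, plainPassword, this.userDomainName));
        IamSdkClient iamSdkClient = new IamSdkClient();
        String tokenFromIam = iamSdkClient.getTokenFromIam(this.iamAuthTokenUrl, loginBody);

        // NOTE(review): unlike getAgencyName(), this path has no default agency; when neither the
        // mapping file nor dlcatalog.assumeRole yields a value the request carries the text "null".
        String agencyName = null;
        if (!this.agencyMappingLocalPath.isEmpty()) {
            agencyName = AgencyMappingLoader.matchMappingAgent(this.userInfo, this.agencyMappingLocalPath);
        }
        if (StringUtils.isBlank(agencyName)) {
            agencyName = this.conf.get("dlcatalog.assumeRole");
        }
        LOGGER.info("Get new security key of User: " + this.userInfo + " Assume agency Name is: " + agencyName);
        String assumeBody = bowlingJson(this.userDomainName, agencyName);
        LOGGER.info("get Assume Body is {}", assumeBody);
        return iamSdkClient.getKeyFromIam(this.iamAuthTokenUrl, RequestBody.create(JSON, assumeBody), tokenFromIam);
    }

    /**
     * Fetches the ECS-provided key (with retries) and exchanges it for an assume-role key.
     *
     * <p>NOTE(review): when the IAM parameters are incomplete, or IAM returns no assume-role token,
     * the ECS key itself is returned. Callers then operate with the ECS-level credentials rather
     * than the per-user agency; confirm that fallback is intended.
     *
     * @return the assume-role key, or the ECS key when assume-role is unavailable
     * @throws IllegalArgumentException if the expiry date returned by IAM cannot be parsed
     */
    private LimitedTimeSecurityKey getNewSecurityKey() {
        LOGGER.info("get security key by getNewSecurityKey.");
        LimitedTimeSecurityKey ecsKey = null;
        int attempt = 1;
        while (true) {
            try {
                ecsKey = (LimitedTimeSecurityKey) ecsObsCredentialsProvider.getSecurityKey();
                break;
            } catch (Exception e) {
                if (attempt >= this.securityKeyMaxRetry) {
                    LOGGER.error("Failed to get security key, exceed max retry time " + this.securityKeyMaxRetry, e);
                    throw e;
                }
                LOGGER.warn("Failed to get security key with exception, tries = " + attempt, e);
                attempt++;
            }
        }
        String agencyName = getAgencyName();
        LOGGER.info("Get new security key of User: " + this.userInfo + " Assume agency Name is: " + agencyName);
        if (isAnyParameterNull()) {
            LOGGER.error("Iam domain url is empty or user domain name is empty: " + this.iamDomainUrl + this.userDomainName);
            return ecsKey;
        }
        String assumeBody = bowlingJson(this.userDomainName, agencyName);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("request body string format: " + assumeBody + " request body json format: "
                    + RequestBody.create(JSON, assumeBody));
            LOGGER.debug("request param user domain id: " + this.userDomainId);
        }
        SecurityKey assumed = new IamSdkClient().getIamAssumeRoleToken(this.iamAuthTokenUrl,
                ecsKey.getSecurityToken(), ecsKey.getAccessKey(), ecsKey.getSecretKey(), assumeBody, this.userDomainId);
        if (assumed == null) {
            LOGGER.warn("Invalid securityKey");
            return ecsKey;
        }
        SecurityKeyBean bean = assumed.getBean();
        String expiresDate = bean.getExpiresDate();
        if (expiresDate == null || expiresDate.length() < 4) {
            // Guard the substring below so a missing or truncated date fails with the same
            // exception type as an unparsable one.
            throw new IllegalArgumentException("Date parse failed :" + expiresDate);
        }
        try {
            // NOTE(review): the formatter uses the JVM default time zone and the last four
            // characters of the IAM value are discarded; if IAM reports UTC, the computed expiry
            // is shifted on hosts that do not run in UTC. Confirm against the IAM response format.
            SimpleDateFormat expiryFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS");
            return new LimitedTimeSecurityKey(bean.getAccessKey(), bean.getSecretKey(), bean.getSecurityToken(),
                    expiryFormat.parse(expiresDate.substring(0, expiresDate.length() - 4)));
        } catch (ParseException e) {
            throw new IllegalArgumentException("Date parse failed :" + e.getMessage(), e);
        }
    }

    /**
     * Picks the agency to assume: the mapping-file match if there is one, else
     * {@code dlcatalog.assumeRole}, else {@code DLCATALOG_DEFAULT_AGENCY}.
     */
    private String getAgencyName() {
        if (!this.agencyMappingLocalPath.isEmpty()) {
            String mapped = AgencyMappingLoader.matchMappingAgent(this.userInfo, this.agencyMappingLocalPath);
            if (!StringUtils.isBlank(mapped)) {
                return mapped;
            }
        }
        String configured = this.conf.get("dlcatalog.assumeRole");
        return StringUtils.isNotBlank(configured) ? configured : "DLCATALOG_DEFAULT_AGENCY";
    }

    /** Returns true when any of the IAM URL, user domain id or user domain name is null or empty. */
    private boolean isAnyParameterNull() {
        return StringUtils.isEmpty(this.iamDomainUrl)
                || StringUtils.isEmpty(this.userDomainId)
                || StringUtils.isEmpty(this.userDomainName);
    }

    /**
     * Builds the JSON body for a password login.
     *
     * <p>Values are escaped before being placed inside the double-quoted JSON strings, so a
     * password or name containing {@code "} or {@code \} can neither break the document nor add
     * fields to it.
     *
     * @param str user name
     * @param str2 plain-text password
     * @param str3 domain name
     * @return the request body text
     */
    String builtUserBody(String str, String str2, String str3) {
        return "{    \"auth\": {        \"identity\": {            \"methods\": [                \"password\"            ],            \"password\": {                \"user\": {                    \"name\": \""
                + escapeForJson(str, '"')
                + "\",                    \"password\": \""
                + escapeForJson(str2, '"')
                + "\",                    \"domain\": {                        \"name\": \""
                + escapeForJson(str3, '"')
                + "\"                    }                }            }        }    }}";
    }

    /**
     * Builds the assume-role request body with a fixed duration of 21600 seconds.
     *
     * <p>The body keeps its single-quoted form. Values have backslashes, single quotes and
     * control characters escaped so they stay inside their string; this assumes the receiving
     * parser, which already accepts single-quoted strings, also honours backslash escapes
     * (TODO confirm).
     *
     * @param str domain name
     * @param str2 agency name
     * @return the request body text
     */
    static String bowlingJson(String str, String str2) {
        return "{'auth': {'identity': { 'methods': ['assume_role'],'assume_role': {'domain_name': '"
                + escapeForJson(str, '\'')
                + "','agency_name': '"
                + escapeForJson(str2, '\'')
                + "','duration-seconds': '21600'}}}}";
    }

    /**
     * Escapes a value for use inside a JSON string delimited by {@code quote}.
     * A null value becomes the text {@code null}, as plain string concatenation would produce.
     */
    private static String escapeForJson(String value, char quote) {
        String text = String.valueOf(value);
        StringBuilder escaped = new StringBuilder(text.length() + 8);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '\\' || c == quote) {
                escaped.append('\\').append(c);
            } else if (c < 0x20) {
                escaped.append(String.format("\\u%04x", (int) c));
            } else {
                escaped.append(c);
            }
        }
        return escaped.toString();
    }

    /**
     * Resolves the user this provider acts for: the login user's real user when there is one,
     * otherwise the result of {@link #getUGI()}.
     *
     * @throws DlCatalogException if the user cannot be resolved
     */
    private UserGroupInformation getRealUser() {
        try {
            UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
            if (loginUser != null && loginUser.getRealUser() != null) {
                return loginUser.getRealUser();
            }
            return getUGI();
        } catch (IOException | LoginException e) {
            LOGGER.error("get userInfo from ugi failed!", e);
            throw new DlCatalogException("get userInfo from ugi failed!", e);
        }
    }

    /**
     * Returns a proxy user named by the {@code HADOOP_USER_NAME} environment variable, or the
     * current user when the variable is unset or empty.
     *
     * <p>NOTE(review): the resulting identity selects the agency in the mapping file, so whoever
     * controls this process's environment chooses which agency is assumed. Confirm the deployment
     * restricts who can set {@code HADOOP_USER_NAME}.
     *
     * @return the user to act for
     * @throws LoginException declared by the original signature
     * @throws IOException if the login or current user cannot be obtained
     */
    public static UserGroupInformation getUGI() throws LoginException, IOException {
        String envUser = System.getenv("HADOOP_USER_NAME");
        if (envUser == null || envUser.isEmpty()) {
            return UserGroupInformation.getCurrentUser();
        }
        return UserGroupInformation.createProxyUser(envUser, UserGroupInformation.getLoginUser());
    }
}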
