package org.apache.flink.fs.obs.shaded.com.huawei.mrs;

import java.io.IOException;
import java.net.URI;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import mrs.shaded.provider.okhttp3.MediaType;
import mrs.shaded.provider.okhttp3.RequestBody;
import org.apache.flink.fs.obs.shaded.com.obs.services.EcsObsCredentialsProvider;
import org.apache.flink.fs.obs.shaded.com.obs.services.IObsCredentialsProvider;
import org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.SecurityKey;
import org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.SecurityKeyBean;
import org.apache.flink.fs.obs.shaded.com.obs.services.model.ISecurityKey;
import org.apache.flink.fs.shaded.hadoop3.org.apache.hadoop.conf.Configuration;
import org.apache.flink.fs.shaded.hadoop3.org.apache.hadoop.fs.obs.OBSFileSystem;
import org.apache.flink.fs.shaded.hadoop3.org.apache.hadoop.security.UserGroupInformation;
import org.mortbay.log.Log;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/flink/fs/obs/shaded/com/huawei/mrs/MrsObsCredentialsProvider.class */
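/**
 * OBS credentials provider that returns a time-limited security key for the current Hadoop user.
 *
 * <p>Keys are cached per {@link UserGroupInformation}. On a cache miss or an expiring key, the
 * provider asks the node cache endpoint ({@code fs.obs.mrs.meta.url}) when
 * {@code fs.obs.auth.node-cache.enable} is true. Otherwise, or when the node cache yields nothing,
 * it fetches the ECS key and, if an agency mapping matches the user, exchanges it through an IAM
 * assume-role request.
 *
 * <p>NOTE(review): the cache is a plain {@link HashMap} and {@link #getSecurityKey()} is not
 * synchronized; if one instance is shared between threads, confirm that callers serialize access.
 */
public class MrsObsCredentialsProvider extends EcsObsCredentialsProvider implements IObsCredentialsProvider {
    // Configuration keys. These were instance finals that the constructor assigned a second time,
    // which does not compile; they are true constants.
    private static final String MAPPING_KEY_NAME = "fs.obs.auth.agency-mapping.localpath";
    private static final String NODE_CACHE_ENABLE = "fs.obs.auth.node-cache.enable";
    private static final String MRS_META_URL = "fs.obs.mrs.meta.url";
    private static final String ECS_META_URL = "fs.obs.ecs.meta.url";
    private static final String OBTAIN_KEY_MAX_RETRY = "mrs.provider.key.max.retry";
    private static final int DEFAULT_OBTAIN_KEY_MAX_RETRY = 3;

    // NOTE(review): the default endpoint is plain HTTP on loopback. If fs.obs.mrs.meta.url is
    // pointed at a non-loopback host, the temporary credentials are presumably fetched without
    // transport protection - confirm how IassHttpClient treats the scheme.
    private static final String DEFAULT_MRS_META_URL = "http://127.0.0.1:23443/rest/meta/security_key";

    private String agencyMappingLocalPath;
    private String iamDomainUrl;
    private String userDomainName;
    private String userDomainId;
    private String clusterAgencyName;
    private boolean nodeCacheEnable;
    private String metaUrl;
    private Configuration conf;
    private UserGroupInformation userInfo;
    private HashMap<UserGroupInformation, ISecurityKey> securityKeyCacheMap;
    private IassHttpClient httpclient;
    private int securityKeyMaxRetry;
    // Static: the delegate that supplies the base ECS key is shared by every instance of this class.
    private static EcsObsCredentialsProvider ecsObsCredentialsProvider = new EcsObsCredentialsProvider();
    public static final MediaType JSON = MediaType.get("application/json; charset=utf-8");
    private static final Logger LOG = OBSFileSystem.LOG;

    /**
     * Creates a provider with no URI and a default {@link Configuration}.
     *
     * @throws Exception declared by the delegated constructor
     */
    public MrsObsCredentialsProvider() throws Exception {
        this(null, new Configuration());
    }

    /**
     * Creates a provider from the given configuration.
     *
     * @param uri not read by this constructor
     * @param configuration source of the agency-mapping path, node-cache switch, meta URL and
     *     retry limit
     * @throws Exception declared in the original signature; kept for compatibility
     */
    public MrsObsCredentialsProvider(URI uri, Configuration configuration) throws Exception {
        this.securityKeyCacheMap = new HashMap<>();
        this.httpclient = new IassHttpClient();
        this.conf = configuration;
        this.agencyMappingLocalPath = configuration.get(MAPPING_KEY_NAME, "");
        this.nodeCacheEnable = configuration.getBoolean(NODE_CACHE_ENABLE, true);
        this.metaUrl = configuration.get(MRS_META_URL, DEFAULT_MRS_META_URL);
        try {
            this.userInfo = UserGroupInformation.getCurrentUser();
        } catch (IOException e) {
            // Best effort: a null user is still usable as a cache key (HashMap permits null keys).
            LOG.warn("Get user group information failed" + e);
            this.userInfo = null;
        }
        // NOTE(review): the meaning of the boolean flag is not visible in this file - confirm it
        // does not relax any transport or certificate checks.
        IassHttpClient.init(true);
        EcsMeta metadata = ECSMetaHolder.getInstance().getMetadata();
        if (metadata != null) {
            this.iamDomainUrl = metadata.getIamUrl();
            this.userDomainName = metadata.getUserDomainName();
            this.userDomainId = metadata.getUserDomainId();
            this.clusterAgencyName = metadata.getAgencyName();
        } else {
            // Use the same logger as the rest of the class (the original wrote this one line
            // through org.mortbay.log.Log).
            LOG.warn("Get ecs meta is null, will disable assume role.");
        }
        this.securityKeyMaxRetry = configuration.getInt(OBTAIN_KEY_MAX_RETRY, DEFAULT_OBTAIN_KEY_MAX_RETRY);
    }

    /**
     * Always rejects the call; this provider does not accept externally supplied keys.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // org.apache.flink.fs.obs.shaded.com.obs.services.EcsObsCredentialsProvider, org.apache.flink.fs.obs.shaded.com.obs.services.IObsCredentialsProvider
    public void setSecurityKey(ISecurityKey iSecurityKey) {
        throw new UnsupportedOperationException("EcsObsCredentialsProvider class does not support this method");
    }

    /**
     * Returns the security key for the current user, refreshing it when the cached key is missing
     * or reports that it is about to expire.
     *
     * @return the cached key, or a newly obtained key that has been stored in the cache
     */
    @Override // org.apache.flink.fs.obs.shaded.com.obs.services.EcsObsCredentialsProvider, org.apache.flink.fs.obs.shaded.com.obs.services.IObsCredentialsProvider
    public ISecurityKey getSecurityKey() {
        ISecurityKey cached = this.securityKeyCacheMap.get(this.userInfo);
        if (cached instanceof org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.LimitedTimeSecurityKey) {
            org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.LimitedTimeSecurityKey cachedKey =
                    (org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.LimitedTimeSecurityKey) cached;
            if (!cachedKey.aboutToExpire() && !cachedKey.willSoonExpire()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("SecurityKey cache is not expire, return securityKey from cache, expire date" + cachedKey.getExpiryDate());
                }
                return cached;
            }
        }

        org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.LimitedTimeSecurityKey newSecurityKey;
        if (this.nodeCacheEnable) {
            String agencyName = null;
            if (!this.agencyMappingLocalPath.isEmpty()) {
                agencyName = AgencyMappingLoader.matchMappingAgent(this.userInfo, this.agencyMappingLocalPath);
            }
            newSecurityKey = this.httpclient.getKeyFromNodeCache(this.iamDomainUrl, this.userDomainName, this.userDomainId, agencyName, this.metaUrl);
            if (newSecurityKey == null) {
                LOG.warn("Failed to get security key from mrs meta");
                newSecurityKey = getNewSecurityKey();
            }
        } else {
            newSecurityKey = getNewSecurityKey();
        }
        // Only the expiry time is logged; key material must never reach the log.
        LOG.info("Get security key expired at: " + newSecurityKey.getExpiryDate());
        this.securityKeyCacheMap.put(this.userInfo, newSecurityKey);
        return newSecurityKey;
    }

    /**
     * Fetches the base ECS key (with retries) and, when an agency is mapped to the current user,
     * exchanges it for an assume-role key from IAM.
     *
     * <p>NOTE(review): every failure on the assume-role path (no mapping, missing IAM metadata,
     * null token) falls back to the cluster agency key instead of failing. Confirm that the
     * cluster agency is never broader than the per-user agency it replaces.
     *
     * @return the assume-role key, or the base ECS key when no assume-role exchange takes place
     * @throws IllegalStateException if the delegate provider returns no key
     * @throws IllegalArgumentException if the IAM expiry date is missing or cannot be parsed, or
     *     if the domain or agency name is unsafe to embed in the request body
     */
    private org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.LimitedTimeSecurityKey getNewSecurityKey() {
        org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.LimitedTimeSecurityKey baseKey = null;
        int attempt = 1;
        // At least one attempt is always made, even when the configured retry limit is below 1.
        while (true) {
            try {
                baseKey = (org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.LimitedTimeSecurityKey) ecsObsCredentialsProvider.getSecurityKey();
                break;
            } catch (Exception e) {
                if (attempt >= this.securityKeyMaxRetry) {
                    LOG.error("Failed to get security key, exceed max retry time " + this.securityKeyMaxRetry, e);
                    throw e;
                }
                LOG.warn("Failed to get security key with exception, tries = " + attempt + "", e);
                attempt++;
            }
        }
        if (baseKey == null) {
            // Fail with a clear message instead of a NullPointerException further down.
            throw new IllegalStateException("ECS credentials provider returned no security key");
        }

        if (this.agencyMappingLocalPath.isEmpty()) {
            LOG.warn("Return default agency as agency mapping local is empty. User info:" + this.userInfo);
            return baseKey;
        }
        String matchMappingAgent = AgencyMappingLoader.matchMappingAgent(this.userInfo, this.agencyMappingLocalPath);
        if (null == matchMappingAgent) {
            LOG.info("Assume agent name is null, return cluster agency security key. Agency name:" + this.clusterAgencyName);
            return baseKey;
        }
        LOG.info("Get new security key of User: " + this.userInfo + " Assume agency Name is: " + matchMappingAgent);
        if (isAnyParameterNull()) {
            LOG.error("Iam domain url is empty or user domain name is empty: " + this.iamDomainUrl + this.userDomainName);
            return baseKey;
        }

        String bowlingJson = bowlingJson(this.userDomainName, matchMappingAgent);
        RequestBody create = RequestBody.create(JSON, bowlingJson);
        if (LOG.isDebugEnabled()) {
            // The body holds only the domain and agency names; the access key, secret key and
            // token passed to IAM below are deliberately not logged.
            LOG.debug("request body string format: " + bowlingJson + " request body json format: " + create);
            LOG.debug("request param user domain id: " + this.userDomainId);
        }
        SecurityKey iamAssumeRoleToken = new JavaSdkClient().getIamAssumeRoleToken(this.iamDomainUrl, baseKey.getSecurityToken(), baseKey.getAccessKey(), baseKey.getSecretKey(), bowlingJson, this.userDomainId);
        if (iamAssumeRoleToken == null) {
            LOG.warn("Invalid securityKey");
            return baseKey;
        }

        SecurityKeyBean bean = iamAssumeRoleToken.getBean();
        String expiresDate = bean.getExpiresDate();
        if (expiresDate == null || expiresDate.length() < 4) {
            // Guard the substring below; report it like any other unparseable date.
            throw new IllegalArgumentException("Date parse failed :" + expiresDate);
        }
        try {
            // NOTE(review): no time zone is set, so the value is read in the JVM default zone. If
            // IAM reports the expiry in UTC, a non-UTC host would compute a shifted expiry and
            // might treat an expired key as valid - confirm and pin the zone if so.
            SimpleDateFormat simpleDateFormat = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS");
            // The last four characters are dropped so the rest fits the millisecond pattern.
            Date expiry = simpleDateFormat.parse(expiresDate.substring(0, expiresDate.length() - 4));
            return new org.apache.flink.fs.obs.shaded.com.obs.services.internal.security.LimitedTimeSecurityKey(bean.getAccessKey(), bean.getSecretKey(), bean.getSecurityToken(), expiry);
        } catch (ParseException e2) {
            // Keep the cause so the failing input position is not lost.
            throw new IllegalArgumentException("Date parse failed :" + e2.getMessage(), e2);
        }
    }

    /** Returns true when the IAM URL, user domain id or user domain name is null or empty. */
    private boolean isAnyParameterNull() {
        return null == this.iamDomainUrl || null == this.userDomainId || null == this.userDomainName || this.iamDomainUrl.isEmpty() || this.userDomainId.isEmpty() || this.userDomainName.isEmpty();
    }

    /**
     * Builds the assume-role request body for the given domain and agency.
     *
     * <p>Both values are placed inside single-quoted string literals by concatenation, so a value
     * containing a quote, backslash or control character could alter the structure of the request
     * and, with it, the agency being assumed. Such values are rejected.
     *
     * @param str the user domain name
     * @param str2 the agency name to assume
     * @return the request body text
     * @throws IllegalArgumentException if either value contains a quote, backslash or control
     *     character
     */
    String bowlingJson(String str, String str2) {
        requireSafeForJsonLiteral("domain_name", str);
        requireSafeForJsonLiteral("agency_name", str2);
        return "{'auth': {'identity': { 'methods': ['assume_role'],'assume_role': {'domain_name': '" + str + "','agency_name': '" + str2 + "','duration-seconds': '21600'}}}}";
    }

    /** Rejects values that could break out of a quoted literal; null is passed through as before. */
    private static void requireSafeForJsonLiteral(String field, String value) {
        if (value == null) {
            return;
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\'' || c == '"' || c == '\\' || c < 0x20) {
                throw new IllegalArgumentException("Illegal character in " + field + " at index " + i);
            }
        }
    }

    /**
     * Replaces the delegate that supplies the base ECS key.
     *
     * <p>The delegate is a static field, so this call affects every instance of this class in the
     * class loader, not only the instance it is invoked on.
     *
     * @param ecsObsCredentialsProvider2 the delegate to use from now on
     */
    public void setEcsObsCredentialsProvider(EcsObsCredentialsProvider ecsObsCredentialsProvider2) {
        ecsObsCredentialsProvider = ecsObsCredentialsProvider2;
    }

    /**
     * Replaces the HTTP client used for node-cache lookups on this instance.
     *
     * @param iassHttpClient the client to use from now on
     */
    public void setHttpclient(IassHttpClient iassHttpClient) {
        this.httpclient = iassHttpClient;
    }
}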
