package io.confluent.shaded.io.confluent.telemetry.config.remote.polling.kubernetes;

import io.confluent.shaded.com.fasterxml.jackson.core.JsonProcessingException;
import io.confluent.shaded.com.fasterxml.jackson.databind.DeserializationFeature;
import io.confluent.shaded.com.fasterxml.jackson.databind.ObjectMapper;
import io.confluent.shaded.com.google.common.annotations.VisibleForTesting;
import io.confluent.shaded.io.confluent.telemetry.config.remote.polling.PollingRemoteConfigurationSource;
import io.confluent.shaded.io.confluent.telemetry.config.remote.v1.RemoteConfiguration;
import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/shaded/io/confluent/telemetry/config/remote/polling/kubernetes/KubernetesConfigMapRemoteConfigurationSource.class */
public class KubernetesConfigMapRemoteConfigurationSource extends PollingRemoteConfigurationSource {
    private static final String KUBERNETES_SERVICE_HOST_ENV_VAR = "KUBERNETES_SERVICE_HOST";
    private static final String KUBERNETES_SERVICE_PORT_ENV_VAR = "KUBERNETES_SERVICE_PORT";
    private static final String SERVICE_ACCOUNT_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token";
    private static final String CERTIFICATE_AUTHORITY = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
    private final ObjectMapper mapper;
    private String latestResourceVersion;
    private final List<URL> endpoints;
    private final SSLSocketFactory sslSocketFactory;
    private String serviceAccountToken;
    private static final Logger log = LoggerFactory.getLogger(KubernetesConfigMapRemoteConfigurationSource.class);
    private static final String REPORTER_VERSION = RemoteConfiguration.getSchemaVersion();

    public KubernetesConfigMapRemoteConfigurationSource(KubernetesConfigMapRemoteConfigurationConfig kubernetesConfigMapRemoteConfigurationConfig, Optional<String> optional, Consumer<RemoteConfiguration> consumer) throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
        super(kubernetesConfigMapRemoteConfigurationConfig.getRefreshInterval().longValue(), consumer);
        this.mapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false).configure(DeserializationFeature.FAIL_ON_MISSING_CREATOR_PROPERTIES, true).configure(DeserializationFeature.FAIL_ON_NULL_CREATOR_PROPERTIES, true);
        ArrayList arrayList = new ArrayList();
        if (optional.isPresent()) {
            arrayList.add(new URL(parseEndpointFromEnv(kubernetesConfigMapRemoteConfigurationConfig, optional.get())));
        }
        arrayList.add(new URL(parseDefaultEndpointFromEnv(kubernetesConfigMapRemoteConfigurationConfig)));
        this.endpoints = arrayList;
        this.sslSocketFactory = buildSSLSocketFactory();
        this.serviceAccountToken = getKubeServiceAccountToken();
    }

    @VisibleForTesting
    KubernetesConfigMapRemoteConfigurationSource(KubernetesConfigMapRemoteConfigurationConfig kubernetesConfigMapRemoteConfigurationConfig, List<URL> list, Consumer<RemoteConfiguration> consumer) throws NoSuchAlgorithmException, KeyStoreException, KeyManagementException, IOException, CertificateException {
        super(kubernetesConfigMapRemoteConfigurationConfig.getRefreshInterval().longValue(), consumer);
        this.mapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false).configure(DeserializationFeature.FAIL_ON_MISSING_CREATOR_PROPERTIES, true).configure(DeserializationFeature.FAIL_ON_NULL_CREATOR_PROPERTIES, true);
        this.endpoints = list;
        this.sslSocketFactory = buildSSLSocketFactory();
        this.serviceAccountToken = getKubeServiceAccountToken();
    }

    @VisibleForTesting
    static SSLSocketFactory buildSSLSocketFactory() throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        BufferedInputStream bufferedInputStream = new BufferedInputStream(Files.newInputStream(Paths.get(CERTIFICATE_AUTHORITY, new String[0]), new OpenOption[0]));
        Throwable th = null;
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            int i = 0;
            while (bufferedInputStream.available() > 0) {
                keyStore.setCertificateEntry("ca" + i, certificateFactory.generateCertificate(bufferedInputStream));
                i++;
            }
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            sSLContext.init(null, trustManagerFactory.getTrustManagers(), null);
            return sSLContext.getSocketFactory();
        } finally {
            if (bufferedInputStream != null) {
                if (0 != 0) {
                    try {
                        bufferedInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    bufferedInputStream.close();
                }
            }
        }
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:7:0x005d. Please report as an issue. */
    @Override // io.confluent.shaded.io.confluent.telemetry.config.remote.polling.PollingRemoteConfigurationSource
    protected Optional<RemoteConfiguration> requestConfig() {
        HttpURLConnection httpURLConnection;
        int responseCode;
        Iterator<URL> it = this.endpoints.iterator();
        while (it.hasNext()) {
            try {
                httpURLConnection = (HttpURLConnection) it.next().openConnection();
                httpURLConnection.setRequestMethod("GET");
                httpURLConnection.setRequestProperty("Authorization", "Bearer " + this.serviceAccountToken);
                ((HttpsURLConnection) httpURLConnection).setSSLSocketFactory(this.sslSocketFactory);
                responseCode = httpURLConnection.getResponseCode();
            } catch (IOException e) {
                log.error("Error configuring connection to Kube API Server: " + e);
            }
            switch (responseCode) {
                case 200:
                    InputStream inputStream = httpURLConnection.getInputStream();
                    Throwable th = null;
                    try {
                        Optional<RemoteConfiguration> validateConfigResponse = validateConfigResponse((V1ConfigMap) this.mapper.readValue(inputStream, V1ConfigMap.class));
                        if (inputStream != null) {
                            if (0 != 0) {
                                try {
                                    inputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                inputStream.close();
                            }
                        }
                        return validateConfigResponse;
                    } finally {
                    }
                case 401:
                    this.serviceAccountToken = getKubeServiceAccountToken();
                    log.warn("Auth denied for ConfigMap. Refreshing service account token.");
                    return Optional.empty();
                case 404:
                default:
                    InputStream errorStream = httpURLConnection.getErrorStream();
                    Throwable th3 = null;
                    try {
                        try {
                            log.error("Error querying for ConfigMap. Status code: {} with body: {}", Integer.valueOf(responseCode), new BufferedReader(new InputStreamReader(errorStream, StandardCharsets.UTF_8)).lines().collect(Collectors.joining("\n")));
                            if (errorStream != null) {
                                if (0 != 0) {
                                    try {
                                        errorStream.close();
                                    } catch (Throwable th4) {
                                        th3.addSuppressed(th4);
                                    }
                                } else {
                                    errorStream.close();
                                }
                            }
                        } catch (Throwable th5) {
                            th3 = th5;
                            throw th5;
                            break;
                        }
                    } finally {
                    }
            }
        }
        return Optional.empty();
    }

    private Optional<RemoteConfiguration> validateConfigResponse(V1ConfigMap v1ConfigMap) {
        if (v1ConfigMap.getMetadata().getResourceVersion() == null || (this.latestResourceVersion != null && Objects.equals(v1ConfigMap.getMetadata().getResourceVersion(), this.latestResourceVersion))) {
            return Optional.empty();
        }
        try {
            Optional<RemoteConfiguration> compatibleConfigVersion = ConfigSet.parseConfigYaml((String) ((Map) Objects.requireNonNull(v1ConfigMap.getData())).get("configs")).getCompatibleConfigVersion(REPORTER_VERSION);
            this.latestResourceVersion = v1ConfigMap.getMetadata().getResourceVersion();
            log.info("Propagating configmap: " + v1ConfigMap.getMetadata().getName());
            return compatibleConfigVersion;
        } catch (JsonProcessingException e) {
            log.error("Can't parse configmap yaml", e);
            return Optional.empty();
        }
    }

    public static String parseEndpointFromEnv(KubernetesConfigMapRemoteConfigurationConfig kubernetesConfigMapRemoteConfigurationConfig, String str) {
        String str2 = "/api/v1/namespaces/" + kubernetesConfigMapRemoteConfigurationConfig.getNamespace() + "/configmaps/" + str;
        String str3 = System.getenv(KUBERNETES_SERVICE_HOST_ENV_VAR);
        return Objects.isNull(str3) ? "https://kubernetes.default.svc" + str2 : "https://" + str3 + ":" + System.getenv(KUBERNETES_SERVICE_PORT_ENV_VAR) + str2;
    }

    public static String parseDefaultEndpointFromEnv(KubernetesConfigMapRemoteConfigurationConfig kubernetesConfigMapRemoteConfigurationConfig) {
        return parseEndpointFromEnv(kubernetesConfigMapRemoteConfigurationConfig, kubernetesConfigMapRemoteConfigurationConfig.getConfigMapNameConfig());
    }

    @VisibleForTesting
    static String getKubeServiceAccountToken() throws IOException {
        return new String(Files.readAllBytes(Paths.get(SERVICE_ACCOUNT_TOKEN_PATH, new String[0])));
    }

    @VisibleForTesting
    void setLatestResourceVersion(String str) {
        this.latestResourceVersion = str;
    }
}
