package io.confluent.security.auth.client.rest;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.confluent.security.auth.client.RestClientConfig;
import io.confluent.security.auth.client.provider.BuiltInAuthProviders;
import io.confluent.security.auth.client.provider.HttpBasicCredentialProvider;
import io.confluent.security.auth.client.provider.HttpCredentialProvider;
import io.confluent.security.auth.client.rest.entities.AuthenticationResponse;
import io.confluent.security.auth.client.rest.entities.ErrorMessage;
import io.confluent.security.auth.client.rest.exceptions.RestClientException;
import io.confluent.security.auth.common.JwtBearerToken;
import io.confluent.security.authorizer.utils.JsonMapper;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.SynchronousQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.config.internals.BalancerConfigs;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.errors.TimeoutException;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.ssl.DefaultSslEngineFactory;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.common.utils.ExponentialBackoff;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/security/auth/client/rest/RestClient.class */
public class RestClient implements Closeable {
    protected static final String HTTP_EXCEPTION_MSG = "Unexpected exception sending HTTP Request.";
    private static final int HTTP_CONNECT_TIMEOUT_MS = 60000;
    private static final int HTTP_READ_TIMEOUT_MS = 60000;
    private static final String ACTIVE_NODES_ENDPOINT = "/activenodes/%s";
    private static final String AUTHENTICATE_ENDPOINT = "/authenticate";
    private final Time time;
    private final int requestTimeout;
    private final int httpRequestTimeout;
    private final List<String> bootstrapMetadataServerURLs;
    private volatile List<String> activeMetadataServerURLs;
    private final String protocol;
    private SSLSocketFactory sslSocketFactory;
    private final HostnameVerifier hostNameVerifier;
    private final AtomicReference<HttpCredentialProvider> credentialProvider;
    private ScheduledExecutorService urlRefreshscheduler;
    private RequestSender requestSender;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) RestClient.class);
    private static final TypeReference<List<String>> ACTIVE_URLS_RESPONSE_TYPE = new TypeReference<List<String>>() { // from class: io.confluent.security.auth.client.rest.RestClient.1
    };
    private static final TypeReference<AuthenticationResponse> AUTHENTICATION_RESPONSE_TYPE = new TypeReference<AuthenticationResponse>() { // from class: io.confluent.security.auth.client.rest.RestClient.2
    };
    private static ObjectMapper objectMapper = JsonMapper.objectMapper();
    private static final Map<String, String> DEFAULT_REQUEST_PROPERTIES = new HashMap();

    /* loaded from: input_file:io/confluent/security/auth/client/rest/RestClient$HTTPRequestSender.class */
    private class HTTPRequestSender implements RequestSender {
        ExecutorService executor;

        private HTTPRequestSender() {
            this.executor = new ThreadPoolExecutor(0, Integer.MAX_VALUE, 1L, TimeUnit.MINUTES, new SynchronousQueue());
        }

        @Override // io.confluent.security.auth.client.rest.RequestSender
        public <T> T send(RestRequest restRequest, long j) throws IOException, RestClientException {
            try {
                return submit(restRequest).get(Math.min(j, RestClient.this.httpRequestTimeout), TimeUnit.MILLISECONDS);
            } catch (Throwable th) {
                th = th;
                if (th instanceof ExecutionException) {
                    th = th.getCause();
                }
                if (th instanceof RestClientException) {
                    throw ((RestClientException) th);
                }
                if (th instanceof IOException) {
                    throw ((IOException) th);
                }
                throw new RuntimeException(th);
            }
        }

        private <T> Future<T> submit(RestRequest restRequest) {
            if (this.executor.isShutdown()) {
                throw new RequestSenderShutdownException();
            }
            return this.executor.submit(() -> {
                HttpURLConnection httpURLConnection = null;
                try {
                    try {
                        URL build = restRequest.build();
                        HttpURLConnection httpURLConnection2 = (HttpURLConnection) build.openConnection();
                        httpURLConnection2.setConnectTimeout(BalancerConfigs.DEFAULT_RESOURCE_UTILIZATION_DETECTOR_INTERVAL_MS);
                        httpURLConnection2.setReadTimeout(BalancerConfigs.DEFAULT_RESOURCE_UTILIZATION_DETECTOR_INTERVAL_MS);
                        RestClient.this.setupSsl(httpURLConnection2);
                        restRequest.configureConnection(httpURLConnection2);
                        httpURLConnection2.setUseCaches(false);
                        for (Map.Entry entry : RestClient.DEFAULT_REQUEST_PROPERTIES.entrySet()) {
                            httpURLConnection2.setRequestProperty((String) entry.getKey(), (String) entry.getValue());
                        }
                        if (httpURLConnection2.getDoOutput()) {
                            try {
                                OutputStream outputStream = httpURLConnection2.getOutputStream();
                                Throwable th = null;
                                try {
                                    try {
                                        restRequest.writeRequestBody(outputStream);
                                        outputStream.flush();
                                        if (outputStream != null) {
                                            if (0 != 0) {
                                                try {
                                                    outputStream.close();
                                                } catch (Throwable th2) {
                                                    th.addSuppressed(th2);
                                                }
                                            } else {
                                                outputStream.close();
                                            }
                                        }
                                    } finally {
                                    }
                                } catch (Throwable th3) {
                                    if (outputStream != null) {
                                        if (th != null) {
                                            try {
                                                outputStream.close();
                                            } catch (Throwable th4) {
                                                th.addSuppressed(th4);
                                            }
                                        } else {
                                            outputStream.close();
                                        }
                                    }
                                    throw th3;
                                }
                            } catch (IOException e) {
                                RestClient.log.error("Failed to send HTTP request to endpoint: " + build, (Throwable) e);
                                throw e;
                            }
                        }
                        int responseCode = httpURLConnection2.getResponseCode();
                        if (responseCode == 200) {
                            InputStream inputStream = httpURLConnection2.getInputStream();
                            Object readResponse = restRequest.readResponse(inputStream);
                            inputStream.close();
                            if (httpURLConnection2 != null) {
                                httpURLConnection2.disconnect();
                            }
                            return readResponse;
                        }
                        if (responseCode != 204) {
                            ErrorMessage processHTTPError = processHTTPError(httpURLConnection2);
                            throw new RestClientException(processHTTPError.message(), responseCode, processHTTPError.errorCode());
                        }
                        if (httpURLConnection2 != null) {
                            httpURLConnection2.disconnect();
                        }
                        return null;
                    } catch (Throwable th5) {
                        if (0 != 0) {
                            httpURLConnection.disconnect();
                        }
                        throw th5;
                    }
                } catch (Throwable th6) {
                    RestClient.log.error(RestClient.HTTP_EXCEPTION_MSG, th6);
                    throw th6;
                }
            });
        }

        private ErrorMessage processHTTPError(HttpURLConnection httpURLConnection) throws IOException {
            InputStream errorStream = httpURLConnection.getErrorStream();
            int responseCode = httpURLConnection.getResponseCode();
            if (errorStream != null) {
                try {
                    ErrorMessage errorMessage = (ErrorMessage) RestClient.objectMapper.readValue(errorStream, ErrorMessage.class);
                    errorStream.close();
                    return errorMessage;
                } catch (JsonProcessingException e) {
                    errorStream.close();
                } catch (Throwable th) {
                    errorStream.close();
                    throw th;
                }
            }
            return new ErrorMessage(responseCode, httpURLConnection.getResponseMessage());
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() {
            this.executor.shutdownNow();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/confluent/security/auth/client/rest/RestClient$RequestSenderShutdownException.class */
    public class RequestSenderShutdownException extends RuntimeException {
        private RequestSenderShutdownException() {
        }
    }

    public RestClient(Map<String, ?> map) {
        this(map, Time.SYSTEM);
    }

    public RestClient(Map<String, ?> map, Time time) {
        this.requestSender = new HTTPRequestSender();
        this.time = time;
        RestClientConfig restClientConfig = new RestClientConfig(map);
        this.bootstrapMetadataServerURLs = restClientConfig.getList(RestClientConfig.BOOTSTRAP_METADATA_SERVER_URLS_PROP);
        if (this.bootstrapMetadataServerURLs.isEmpty()) {
            throw new ConfigException("Missing required bootstrap metadata server url list.");
        }
        this.protocol = protocol(this.bootstrapMetadataServerURLs);
        this.requestTimeout = restClientConfig.getInt(RestClientConfig.REQUEST_TIMEOUT_MS_CONFIG).intValue();
        this.httpRequestTimeout = restClientConfig.getInt(RestClientConfig.HTTP_REQUEST_TIMEOUT_MS_CONFIG).intValue();
        String string = restClientConfig.getString(RestClientConfig.HTTP_AUTH_CREDENTIALS_PROVIDER_PROP);
        this.credentialProvider = new AtomicReference<>();
        if (string != null && !string.isEmpty()) {
            setCredentialProvider(BuiltInAuthProviders.loadHttpCredentialProviders(string));
            credentialProvider().configure(map);
        }
        Map<String, ?> sslClientConfigs = restClientConfig.sslClientConfigs();
        if ("https".equals(this.protocol) && sslClientConfigs.get(SslConfigs.SSL_TRUSTSTORE_LOCATION_CONFIG) != null) {
            this.sslSocketFactory = createSslSocketFactory(sslClientConfigs);
        }
        this.hostNameVerifier = createHostNameVerifier(sslClientConfigs);
        this.activeMetadataServerURLs = this.bootstrapMetadataServerURLs;
        if (restClientConfig.getBoolean(RestClientConfig.ENABLE_METADATA_SERVER_URL_REFRESH).booleanValue()) {
            scheduleMetadataServiceUrlRefresh(restClientConfig);
        }
    }

    private HttpCredentialProvider credentialProvider() {
        return this.credentialProvider.get();
    }

    private String protocol(List<String> list) {
        try {
            return new URL(list.get(0)).getProtocol();
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException("Error while fetching URL protocol", e);
        }
    }

    private void scheduleMetadataServiceUrlRefresh(final RestClientConfig restClientConfig) {
        Long l = restClientConfig.getLong(RestClientConfig.METADATA_SERVER_URL_MAX_AGE_PROP);
        this.urlRefreshscheduler = Executors.newSingleThreadScheduledExecutor(runnable -> {
            Thread newThread = Executors.defaultThreadFactory().newThread(runnable);
            newThread.setDaemon(true);
            return newThread;
        });
        this.urlRefreshscheduler.scheduleAtFixedRate(new Runnable() { // from class: io.confluent.security.auth.client.rest.RestClient.1MetadataServerUrlFetcher
            @Override // java.lang.Runnable
            public void run() {
                Integer num = restClientConfig.getInt(RestClientConfig.METADATA_SERVER_URL_MAX_RETRIES_PROP);
                int i = 0;
                ExponentialBackoff exponentialBackoff = new ExponentialBackoff(100L, 2, 5000L, 0.1d);
                while (true) {
                    try {
                        RestClient.this.activeMetadataServerURLs = RestClient.this.getActiveMetadataServerURLs();
                        RestClient.log.debug("Successfully fetched MDS URLs ({})", RestClient.this.activeMetadataServerURLs);
                        return;
                    } catch (Exception e) {
                        if (e instanceof RestClientException) {
                            RestClientException restClientException = (RestClientException) e;
                            if (restClientException.errorCode() == 401 && restClientConfig.getBoolean(RestClientConfig.METADATA_SERVER_URL_FAIL_ON_401_PROP).booleanValue()) {
                                RestClient.log.error("Connection attempt failed with bad authorization", (Throwable) restClientException);
                                return;
                            }
                        }
                        RestClient.log.error("Error while refreshing active metadata server urls, retrying", (Throwable) e);
                        if (num.intValue() >= 0 && i >= num.intValue()) {
                            RestClient.log.error("Failed to fetch MDS URLs", (Throwable) e);
                            return;
                        }
                        try {
                            Thread.sleep(exponentialBackoff.backoff(i));
                            i++;
                        } catch (InterruptedException e2) {
                            throw new RuntimeException(e2);
                        }
                    }
                }
            }
        }, 0L, l.longValue(), TimeUnit.MILLISECONDS);
    }

    private SSLSocketFactory createSslSocketFactory(Map<String, ?> map) {
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        sslFactory.configure(map);
        return DefaultSslEngineFactory.castOrThrow(sslFactory.sslEngineFactory()).sslContext().getSocketFactory();
    }

    private HostnameVerifier createHostNameVerifier(Map<String, ?> map) {
        String str = (String) map.get(SslConfigs.SSL_ENDPOINT_IDENTIFICATION_ALGORITHM_CONFIG);
        if (str != null && !str.isEmpty()) {
            return HttpsURLConnection.getDefaultHostnameVerifier();
        }
        log.debug("SSL Endpoint Identification Algorithm was empty, disabling hostname verification.");
        return (str2, sSLSession) -> {
            return true;
        };
    }

    HostnameVerifier getHostNameVerifier() {
        return this.hostNameVerifier;
    }

    List<String> activeMetadataServerURLs() {
        return this.activeMetadataServerURLs;
    }

    List<String> getActiveMetadataServerURLs() throws RestClientException, URISyntaxException {
        RestRequest newRequest = newRequest(String.format(ACTIVE_NODES_ENDPOINT, this.protocol));
        newRequest.setCredentialProvider(credentialProvider());
        newRequest.setResponse(ACTIVE_URLS_RESPONSE_TYPE);
        return (List) Stream.of((Object[]) new List[]{(List) sendRequest(newRequest), this.bootstrapMetadataServerURLs}).flatMap((v0) -> {
            return v0.stream();
        }).distinct().collect(Collectors.toList());
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void setupSsl(HttpURLConnection httpURLConnection) {
        if ((httpURLConnection instanceof HttpsURLConnection) && this.sslSocketFactory != null) {
            ((HttpsURLConnection) httpURLConnection).setSSLSocketFactory(this.sslSocketFactory);
        }
        if (!(httpURLConnection instanceof HttpsURLConnection) || this.hostNameVerifier == null) {
            return;
        }
        ((HttpsURLConnection) httpURLConnection).setHostnameVerifier(this.hostNameVerifier);
    }

    void requestSender(RequestSender requestSender) {
        this.requestSender = requestSender;
    }

    public void setCredentialProvider(HttpCredentialProvider httpCredentialProvider) {
        this.credentialProvider.set(httpCredentialProvider);
    }

    public RestRequest newRequest(String str) {
        RestRequest restRequest = new RestRequest(this.protocol, str);
        restRequest.setCredentialProvider(credentialProvider());
        return restRequest;
    }

    public OAuthBearerToken login() throws AuthenticationException {
        return login(credentialProvider());
    }

    public OAuthBearerToken login(String str) {
        return login(new HttpBasicCredentialProvider(str));
    }

    public OAuthBearerToken login(HttpCredentialProvider httpCredentialProvider) {
        RestRequest newRequest = newRequest(AUTHENTICATE_ENDPOINT);
        newRequest.setCredentialProvider(httpCredentialProvider);
        newRequest.setResponse(AUTHENTICATION_RESPONSE_TYPE);
        try {
            return new JwtBearerToken(((AuthenticationResponse) sendRequest(newRequest)).authenticationToken());
        } catch (Exception e) {
            throw new AuthenticationException("Failed to authenticate", e);
        }
    }

    public <T> T sendRequest(RestRequest restRequest) throws RestClientException, URISyntaxException {
        long milliseconds = this.time.milliseconds();
        long j = this.requestTimeout;
        UrlSelector urlSelector = new UrlSelector(this.activeMetadataServerURLs);
        while (true) {
            try {
                URI uri = new URI(urlSelector.current());
                restRequest.setHost(uri.getHost());
                restRequest.setPort(uri.getPort());
                if (urlSelector.failures() > 0) {
                    log.debug("HTTP Request: Failures: {}, Host: {}, Port: {}, URI: {}, requestTimeout: {}", Integer.valueOf(urlSelector.failures()), uri.getHost(), Integer.valueOf(uri.getPort()), uri, Integer.valueOf(this.requestTimeout));
                }
                return (T) this.requestSender.send(restRequest, j);
            } catch (RequestSenderShutdownException e) {
                log.debug("Http request failed. Client has already been closed.", (Throwable) e);
                throw new RuntimeException("Http request failed. Client has already been closed.");
            } catch (IOException | RuntimeException e2) {
                log.debug(String.format("Http request to %s failed, selecting next url.", urlSelector.current()), e2);
                urlSelector.fail();
                long milliseconds2 = this.time.milliseconds() - milliseconds;
                if (milliseconds2 >= this.requestTimeout) {
                    throw new TimeoutException(String.format("Request aborted due to timeout (%s).", Integer.valueOf(this.requestTimeout)));
                }
                j = this.requestTimeout - milliseconds2;
                this.time.sleep(Math.min(500, urlSelector.round() * 20));
            }
        }
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.urlRefreshscheduler != null) {
            this.urlRefreshscheduler.shutdownNow();
        }
        if (this.requestSender != null) {
            Utils.closeQuietly(this.requestSender, "requestSender");
        }
    }

    static {
        DEFAULT_REQUEST_PROPERTIES.put("Content-Type", "application/json");
    }
}
