package _ss_com.streamsets.lib.security.http;

import _ss_com.com.google.common.annotations.VisibleForTesting;
import _ss_com.com.google.common.collect.ImmutableMap;
import _ss_com.streamsets.datacollector.util.Configuration;
import _ss_com.streamsets.lib.security.http.RestClient;
import _ss_com.streamsets.pipeline.lib.parser.log.Constants;
import com.streamsets.pipeline.api.impl.Utils;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.HashMap;
import java.util.Map;
import org.eclipse.jetty.util.URIUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:_ss_com/streamsets/lib/security/http/RemoteSSOService.class */
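/**
 * SSO service that delegates component registration and auth-token validation to a remote
 * security service (DPM) reached over HTTP(S).
 *
 * <p>Three REST client builders are created from the configured base URL: one for component
 * registration and one each for user-token and component-token validation. The application auth
 * token and user tokens are posted to those endpoints, so the base URL should be HTTPS outside of
 * local testing; a plain {@code http://} URL is accepted and only logged as a warning.
 *
 * <p>{@code connTimeout} and {@code serviceActive} are {@code volatile}; no other synchronization
 * is performed by this class.
 */
public class RemoteSSOService extends AbstractSSOService {
    private static final Logger LOG = LoggerFactory.getLogger(RemoteSSOService.class);
    public static final String DPM_BASE_URL_CONFIG = "dpm.base.url";
    public static final String DPM_BASE_URL_DEFAULT = "http://localhost:18631";
    public static final String SECURITY_SERVICE_APP_AUTH_TOKEN_CONFIG = "dpm.appAuthToken";
    public static final String SECURITY_SERVICE_COMPONENT_ID_CONFIG = "dpm.componentId";
    public static final String SECURITY_SERVICE_CONNECTION_TIMEOUT_CONFIG = "dpm.connectionTimeout.millis";
    public static final int DEFAULT_SECURITY_SERVICE_CONNECTION_TIMEOUT = 10000;
    public static final String DPM_ENABLED = "dpm.enabled";
    public static final boolean DPM_ENABLED_DEFAULT = false;
    public static final String DPM_REGISTRATION_RETRY_ATTEMPTS = "registration.retry.attempts";
    public static final int DPM_REGISTRATION_RETRY_ATTEMPTS_DEFAULT = 5;
    RestClient.Builder registerClientBuilder;
    RestClient.Builder userAuthClientBuilder;
    RestClient.Builder appAuthClientBuilder;
    // Credential this component presents to the security service; never logged by this class.
    private String appToken;
    private String componentId;
    private volatile int connTimeout;
    private int dpmRegistrationMaxRetryAttempts;
    private volatile boolean serviceActive;

    /**
     * Reads the DPM settings and builds the REST clients used for registration and token
     * validation.
     *
     * @param configuration source of the {@code dpm.*} and {@code registration.retry.attempts}
     *     settings
     * @throws RuntimeException (from {@code Utils.checkArgument}) when the base URL is not
     *     HTTP/HTTPS
     */
    @Override
    public void setConfiguration(Configuration configuration) {
        super.setConfiguration(configuration);
        String str = getValidURL(configuration.get(DPM_BASE_URL_CONFIG, DPM_BASE_URL_DEFAULT)) + "security";
        String lowerCased = str.toLowerCase();
        Utils.checkArgument(
            lowerCased.startsWith(URIUtil.HTTP_COLON) || lowerCased.startsWith(URIUtil.HTTPS_COLON),
            Utils.formatL("Security service base URL must be HTTP/HTTPS '{}'", new Object[]{str}));
        if (lowerCased.startsWith("http://")) {
            // Plain HTTP is tolerated, but the app auth token and user tokens sent to the
            // endpoints below then travel unencrypted. The default base URL is plain HTTP.
            LOG.warn("Security service base URL is not secure '{}'", str);
        }
        setLoginPageUrl(str + "/login");
        setLogoutUrl(str + "/_logout");
        this.componentId = configuration.get(SECURITY_SERVICE_COMPONENT_ID_CONFIG, (String) null);
        this.appToken = configuration.get(SECURITY_SERVICE_APP_AUTH_TOKEN_CONFIG, (String) null);
        this.connTimeout = configuration.get(SECURITY_SERVICE_CONNECTION_TIMEOUT_CONFIG, DEFAULT_SECURITY_SERVICE_CONNECTION_TIMEOUT);
        this.dpmRegistrationMaxRetryAttempts =
            configuration.get(DPM_REGISTRATION_RETRY_ATTEMPTS, DPM_REGISTRATION_RETRY_ATTEMPTS_DEFAULT);
        // NOTE(review): the builders receive the timeout value current at this point; a later
        // updateConnectionTimeout() only changes the field. Confirm whether RestClient is meant
        // to pick up the new value.
        this.registerClientBuilder = RestClient.builder(str).csrf(true).json(true).path("public-rest/v1/components/registration").timeout(this.connTimeout);
        this.userAuthClientBuilder = RestClient.builder(str).csrf(true).json(true).path("rest/v1/validateAuthToken/user").timeout(this.connTimeout);
        this.appAuthClientBuilder = RestClient.builder(str).csrf(true).json(true).path("rest/v1/validateAuthToken/component").timeout(this.connTimeout);
    }

    /** Returns the builder for the component registration endpoint. */
    @VisibleForTesting
    public RestClient.Builder getRegisterClientBuilder() {
        return this.registerClientBuilder;
    }

    /** Returns the builder for the user auth-token validation endpoint. */
    @VisibleForTesting
    public RestClient.Builder getUserAuthClientBuilder() {
        return this.userAuthClientBuilder;
    }

    /** Returns the builder for the component auth-token validation endpoint. */
    @VisibleForTesting
    public RestClient.Builder getAppAuthClientBuilder() {
        return this.appAuthClientBuilder;
    }

    /**
     * Pauses the calling thread between registration attempts.
     *
     * @param i number of seconds to wait
     * @throws RuntimeException if the thread is interrupted while waiting; the interrupt flag is
     *     restored first so callers further up can still observe it
     */
    @VisibleForTesting
    void sleep(int i) {
        try {
            // Long arithmetic so a large argument cannot overflow into a negative delay.
            Thread.sleep(i * 1000L);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            LOG.error("Interrupted while attempting DPM registration");
            throw new RuntimeException("Interrupted while attempting DPM registration", e);
        }
    }

    /**
     * Adopts the connection timeout advertised by the security service, if any.
     *
     * <p>The header comes from the remote side, so a value that is not a non-negative integer is
     * ignored (and logged) instead of failing the registration or token validation that carried
     * it.
     *
     * @param response response whose {@code X_APP_CONNECTION_TIMEOUT} header is inspected
     */
    void updateConnectionTimeout(RestClient.Response response) {
        String header = response.getHeader(SSOConstants.X_APP_CONNECTION_TIMEOUT);
        if (header == null) {
            return;
        }
        try {
            int advertised = Integer.parseInt(header.trim());
            if (advertised < 0) {
                LOG.warn("Ignoring negative '{}' header value '{}'", SSOConstants.X_APP_CONNECTION_TIMEOUT, header);
                return;
            }
            this.connTimeout = advertised;
        } catch (NumberFormatException e) {
            LOG.warn("Ignoring invalid '{}' header value '{}'", SSOConstants.X_APP_CONNECTION_TIMEOUT, header);
        }
    }

    /**
     * Probes the login page and reports whether it answered with HTTP 200.
     *
     * <p>The probe is bounded by the current connection timeout so that an unresponsive host
     * cannot block the calling thread indefinitely, and the connection is released afterwards.
     *
     * @return {@code true} only when the login page returned status 200
     */
    boolean checkServiceActive() {
        boolean active;
        HttpURLConnection connection = null;
        try {
            connection = (HttpURLConnection) new URL(getLoginPageUrl()).openConnection();
            int timeout = this.connTimeout;
            // 0 means "no timeout" to HttpURLConnection and negatives are rejected, so only a
            // positive value is applied.
            if (timeout > 0) {
                connection.setConnectTimeout(timeout);
                connection.setReadTimeout(timeout);
            }
            int responseCode = connection.getResponseCode();
            active = responseCode == HttpURLConnection.HTTP_OK;
            if (!active) {
                LOG.warn("DPM reachable but returning '{}' HTTP status on login", Integer.valueOf(responseCode));
            }
        } catch (IOException e) {
            LOG.warn("DPM not reachable: {}", e.toString());
            active = false;
        } finally {
            if (connection != null) {
                connection.disconnect();
            }
        }
        LOG.debug("DPM current status '{}'", active ? "ACTIVE" : "NON ACTIVE");
        return active;
    }

    /**
     * Reports whether the security service is considered active.
     *
     * @param z when {@code true}, the service is probed first and the cached state refreshed
     * @return the (possibly refreshed) cached state
     */
    public boolean isServiceActive(boolean z) {
        if (z) {
            this.serviceActive = checkServiceActive();
        }
        return this.serviceActive;
    }

    /**
     * Registers this component with DPM, retrying with a doubling delay capped at 16 seconds.
     *
     * <p>An I/O failure, a 503 or any other unexpected status leads to another attempt until the
     * configured maximum is reached; exhausting the attempts is logged but not thrown.
     *
     * @param map component attributes sent with the registration
     * @throws RuntimeException if the component ID or app auth token is missing, or if DPM
     *     rejects the registration with HTTP 403
     */
    @Override
    public void register(Map<String, String> map) {
        // Either value can be null (unset configuration, or a null passed to the setter); treat
        // that like "empty" so the caller gets the descriptive error rather than an NPE.
        boolean tokenMissing = this.appToken == null || this.appToken.isEmpty();
        boolean componentIdMissing = this.componentId == null || this.componentId.isEmpty();
        if (tokenMissing || componentIdMissing) {
            if (tokenMissing) {
                LOG.warn("Skipping component registration to DPM, application auth token is not set");
            }
            if (componentIdMissing) {
                LOG.warn("Skipping component registration to DPM, component ID is not set");
            }
            throw new RuntimeException("Registration to DPM not done, missing component ID or app auth token");
        }
        LOG.debug("Doing component ID '{}' registration with DPM", this.componentId);
        Map<String, Object> payload = new HashMap<>();
        payload.put("authToken", this.appToken);
        payload.put("componentId", this.componentId);
        payload.put("attributes", map);

        int delaySeconds = 1;
        int attempts = 0;
        boolean registered = false;
        while (!registered && attempts < this.dpmRegistrationMaxRetryAttempts) {
            if (attempts > 0) {
                delaySeconds = Math.min(delaySeconds * 2, 16);
                LOG.warn("DPM registration attempt '{}', waiting for '{}' seconds before retrying ...", Integer.valueOf(attempts), Integer.valueOf(delaySeconds));
                sleep(delaySeconds);
            }
            attempts++;
            RestClient.Response response;
            try {
                response = getRegisterClientBuilder().build().post(payload);
            } catch (IOException e) {
                // No response to inspect: go straight to the next attempt.
                LOG.warn("DPM Registration failed: {}", e.toString());
                continue;
            }
            int status = response.getStatus();
            if (status == 200) {
                updateConnectionTimeout(response);
                LOG.info("Registered with DPM");
                registered = true;
            } else if (status == 503) {
                LOG.warn("DPM Registration unavailable");
            } else if (status == 403) {
                // A rejection of the credentials will not change on retry.
                throw new RuntimeException(Utils.format("Failed registration for component ID '{}': {}", new Object[]{this.componentId, response.getError()}));
            } else {
                LOG.warn("Failed to registered to DPM, HTTP status '{}': {}", Integer.valueOf(status), response.getError());
            }
        }
        if (!registered) {
            LOG.warn("DPM registration failed after '{}' attempts", Integer.valueOf(attempts));
        } else {
            clearCaches();
            this.serviceActive = true;
        }
    }

    /**
     * Sets the component ID on this service and on all three client builders.
     *
     * <p>The builders are created in {@link #setConfiguration}, which therefore has to run first.
     *
     * @param str component ID; surrounding whitespace is removed
     * @throws RuntimeException (from {@code Utils.checkArgument}) when the trimmed value is null
     *     or empty
     */
    public void setComponentId(String str) {
        String trimmed = str != null ? str.trim() : null;
        Utils.checkArgument(trimmed != null && !trimmed.isEmpty(), "Component ID cannot be NULL or empty");
        this.componentId = trimmed;
        this.registerClientBuilder.componentId(trimmed);
        this.userAuthClientBuilder.componentId(trimmed);
        this.appAuthClientBuilder.componentId(trimmed);
    }

    /**
     * Sets the application auth token on this service and on all three client builders.
     *
     * <p>Unlike {@link #setComponentId}, a null or empty token is accepted here; {@link #register}
     * refuses to run until a non-empty token is present. The builders are created in
     * {@link #setConfiguration}, which therefore has to run first.
     *
     * @param str application auth token; surrounding whitespace is removed
     */
    public void setApplicationAuthToken(String str) {
        String trimmed = str != null ? str.trim() : null;
        this.appToken = trimmed;
        this.registerClientBuilder.appAuthToken(trimmed);
        this.userAuthClientBuilder.appAuthToken(trimmed);
        this.appAuthClientBuilder.appAuthToken(trimmed);
    }

    /** Re-probes the service only when it is currently marked inactive; returns the state. */
    private boolean checkServiceActiveIfInActive() {
        if (!this.serviceActive) {
            this.serviceActive = checkServiceActive();
        }
        return this.serviceActive;
    }

    /**
     * Validates a user auth token against the remote security service.
     *
     * @param str the user auth token
     * @return the locked principal carrying the token, or {@code null} when the response has no
     *     principal data
     * @throws ForbiddenException on HTTP 403, or when the service cannot be reached (the service
     *     is then marked inactive)
     * @throws RuntimeException on any other non-200 status, or (from {@code Utils.checkState})
     *     when the service is not active
     */
    @Override
    protected SSOPrincipal validateUserTokenWithSecurityService(String str) throws ForbiddenException {
        Utils.checkState(checkServiceActiveIfInActive(), "Security service not active");
        ValidateUserAuthTokenJson request = new ValidateUserAuthTokenJson();
        request.setAuthToken(str);
        try {
            RestClient.Response response = getUserAuthClientBuilder().build().post(request);
            if (response.getStatus() != 200) {
                if (response.getStatus() == 403) {
                    throw new ForbiddenException(response.getError());
                }
                // null is passed for the token placeholder, which keeps the credential out of
                // the exception message.
                throw new RuntimeException(Utils.format("Could not validate user token '{}', HTTP status '{}' message: {}", new Object[]{null, Integer.valueOf(response.getStatus()), response.getError()}));
            }
            updateConnectionTimeout(response);
            SSOPrincipalJson principal = (SSOPrincipalJson) response.getData(SSOPrincipalJson.class);
            if (principal != null) {
                principal.setTokenStr(str);
                principal.lock();
                LOG.debug("Validated user auth token for '{}'", principal.getPrincipalId());
            }
            return principal;
        } catch (IOException e) {
            LOG.warn("Could not do user token validation, going inactive: {}", e.toString());
            this.serviceActive = false;
            // NOTE(review): the I/O error text (which can name internal hosts) is placed in the
            // exception payload; confirm how ForbiddenException is rendered to the client.
            throw new ForbiddenException(ImmutableMap.of(Constants.MESSAGE, "Could not connect to security service: " + e.toString()));
        }
    }

    /**
     * Validates a component (application) auth token against the remote security service.
     *
     * @param str the component auth token
     * @param str2 the ID of the component the token belongs to
     * @return the locked principal carrying the token, or {@code null} when the response has no
     *     principal data
     * @throws ForbiddenException on HTTP 403, or when the service cannot be reached (the service
     *     is then marked inactive)
     * @throws RuntimeException on any other non-200 status, or (from {@code Utils.checkState})
     *     when the service is not active
     */
    @Override
    protected SSOPrincipal validateAppTokenWithSecurityService(String str, String str2) throws ForbiddenException {
        Utils.checkState(checkServiceActiveIfInActive(), "Security service not active");
        ValidateComponentAuthTokenJson request = new ValidateComponentAuthTokenJson();
        request.setComponentId(str2);
        request.setAuthToken(str);
        try {
            RestClient.Response response = getAppAuthClientBuilder().build().post(request);
            if (response.getStatus() != 200) {
                if (response.getStatus() == 403) {
                    throw new ForbiddenException(response.getError());
                }
                // Only the component ID is interpolated; the token itself is not.
                throw new RuntimeException(Utils.format("Could not validate app token for component ID '{}', HTTP status '{}' message: {}", new Object[]{str2, Integer.valueOf(response.getStatus()), response.getError()}));
            }
            updateConnectionTimeout(response);
            SSOPrincipalJson principal = (SSOPrincipalJson) response.getData(SSOPrincipalJson.class);
            if (principal != null) {
                principal.setTokenStr(str);
                principal.lock();
                LOG.debug("Validated app auth token for '{}'", principal.getPrincipalId());
            }
            return principal;
        } catch (IOException e) {
            LOG.warn("Could not do app token validation, going inactive: {}", e.toString());
            this.serviceActive = false;
            // NOTE(review): the I/O error text (which can name internal hosts) is placed in the
            // exception payload; confirm how ForbiddenException is rendered to the client.
            throw new ForbiddenException(ImmutableMap.of(Constants.MESSAGE, "Could not connect to security service: " + e.toString()));
        }
    }

    /**
     * Ensures a base URL ends with a slash.
     *
     * @param str base URL; must not be null
     * @return {@code str} unchanged when it already ends with a slash, otherwise with one appended
     */
    public static String getValidURL(String str) {
        return str.endsWith(URIUtil.SLASH) ? str : str + URIUtil.SLASH;
    }

    /** Returns the connection timeout currently held by this service. */
    @VisibleForTesting
    int getConnectionTimeout() {
        return this.connTimeout;
    }
}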
