package io.grpc.xds.internal.certprovider;

import com.google.auth.oauth2.GoogleCredentials;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.protobuf.Duration;
import com.google.protobuf.ProtocolStringList;
import io.grpc.CallOptions;
import io.grpc.Channel;
import io.grpc.ClientCall;
import io.grpc.ClientInterceptor;
import io.grpc.ForwardingClientCall;
import io.grpc.InternalLogId;
import io.grpc.ManagedChannel;
import io.grpc.ManagedChannelBuilder;
import io.grpc.Metadata;
import io.grpc.MethodDescriptor;
import io.grpc.Status;
import io.grpc.SynchronizationContext;
import io.grpc.auth.MoreCallCredentials;
import io.grpc.internal.BackoffPolicy;
import io.grpc.internal.TimeProvider;
import io.grpc.xds.internal.certprovider.CertificateProvider;
import io.grpc.xds.internal.sds.trust.CertificateUtils;
import io.grpc.xds.shaded.com.google.security.meshca.v1.MeshCertificateRequest;
import io.grpc.xds.shaded.com.google.security.meshca.v1.MeshCertificateResponse;
import io.grpc.xds.shaded.com.google.security.meshca.v1.MeshCertificateServiceGrpc;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.lang.Thread;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/grpc/xds/internal/certprovider/MeshCaCertificateProvider.class */
public final class MeshCaCertificateProvider extends CertificateProvider {

    @VisibleForTesting
    static final long INITIAL_DELAY_SECONDS = 4;
    private final SynchronizationContext syncContext;
    private final ScheduledExecutorService scheduledExecutorService;
    private final int maxRetryAttempts;
    private final ZoneInfoClientInterceptor headerInterceptor;
    private final BackoffPolicy.Provider backoffPolicyProvider;
    private final String meshCaUrl;
    private final long validitySeconds;
    private final long renewalGracePeriodSeconds;
    private final int keySize;
    private final String signatureAlg;
    private final GoogleCredentials oauth2Creds;
    private final TimeProvider timeProvider;
    private final MeshCaChannelFactory meshCaChannelFactory;

    @VisibleForTesting
    SynchronizationContext.ScheduledHandle scheduledHandle;
    private final long rpcTimeoutMillis;
    private static final Logger logger = Logger.getLogger(MeshCaCertificateProvider.class.getName());

    @VisibleForTesting
    static final Metadata.Key<String> KEY_FOR_ZONE_INFO = Metadata.Key.of("x-goog-request-params", Metadata.ASCII_STRING_MARSHALLER);
    private static final EnumSet<Status.Code> RETRIABLE_CODES = EnumSet.of(Status.Code.CANCELLED, Status.Code.UNKNOWN, Status.Code.DEADLINE_EXCEEDED, Status.Code.RESOURCE_EXHAUSTED, Status.Code.ABORTED, Status.Code.INTERNAL, Status.Code.UNAVAILABLE);

    /* loaded from: input_file:io/grpc/xds/internal/certprovider/MeshCaCertificateProvider$Factory.class */
    static abstract class Factory {
        private static final Factory DEFAULT_INSTANCE = new Factory() { // from class: io.grpc.xds.internal.certprovider.MeshCaCertificateProvider.Factory.1
            @Override // io.grpc.xds.internal.certprovider.MeshCaCertificateProvider.Factory
            MeshCaCertificateProvider create(CertificateProvider.DistributorWatcher distributorWatcher, boolean z, String str, String str2, long j, int i, String str3, String str4, MeshCaChannelFactory meshCaChannelFactory, BackoffPolicy.Provider provider, long j2, int i2, GoogleCredentials googleCredentials, ScheduledExecutorService scheduledExecutorService, TimeProvider timeProvider, long j3) {
                return new MeshCaCertificateProvider(distributorWatcher, z, str, str2, j, i, str3, str4, meshCaChannelFactory, provider, j2, i2, googleCredentials, scheduledExecutorService, timeProvider, j3);
            }
        };

        Factory() {
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public static Factory getInstance() {
            return DEFAULT_INSTANCE;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public abstract MeshCaCertificateProvider create(CertificateProvider.DistributorWatcher distributorWatcher, boolean z, String str, String str2, long j, int i, String str3, String str4, MeshCaChannelFactory meshCaChannelFactory, BackoffPolicy.Provider provider, long j2, int i2, GoogleCredentials googleCredentials, ScheduledExecutorService scheduledExecutorService, TimeProvider timeProvider, long j3);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/grpc/xds/internal/certprovider/MeshCaCertificateProvider$MeshCaChannelFactory.class */
    public static abstract class MeshCaChannelFactory {
        private static final MeshCaChannelFactory DEFAULT_INSTANCE = new MeshCaChannelFactory() { // from class: io.grpc.xds.internal.certprovider.MeshCaCertificateProvider.MeshCaChannelFactory.1
            @Override // io.grpc.xds.internal.certprovider.MeshCaCertificateProvider.MeshCaChannelFactory
            ManagedChannel createChannel(String str) {
                Preconditions.checkArgument((str == null || str.isEmpty()) ? false : true, "serverUri is null/empty!");
                MeshCaCertificateProvider.logger.log(Level.INFO, "Creating channel to {0}", str);
                return ManagedChannelBuilder.forTarget(str).keepAliveTime(1L, TimeUnit.MINUTES).build();
            }
        };

        MeshCaChannelFactory() {
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public static MeshCaChannelFactory getInstance() {
            return DEFAULT_INSTANCE;
        }

        abstract ManagedChannel createChannel(String str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:io/grpc/xds/internal/certprovider/MeshCaCertificateProvider$RefreshCertificateTask.class */
    public class RefreshCertificateTask implements Runnable {
        RefreshCertificateTask() {
        }

        @Override // java.lang.Runnable
        public void run() {
            try {
                MeshCaCertificateProvider.this.refreshCertificate();
            } catch (NoSuchAlgorithmException | OperatorCreationException | IOException e) {
                MeshCaCertificateProvider.logger.log(Level.SEVERE, "refreshing certificate", e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/grpc/xds/internal/certprovider/MeshCaCertificateProvider$ZoneInfoClientInterceptor.class */
    public class ZoneInfoClientInterceptor implements ClientInterceptor {
        private final String zone;

        ZoneInfoClientInterceptor(String str) {
            this.zone = str;
        }

        public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(MethodDescriptor<ReqT, RespT> methodDescriptor, CallOptions callOptions, Channel channel) {
            return new ForwardingClientCall.SimpleForwardingClientCall<ReqT, RespT>(channel.newCall(methodDescriptor, callOptions)) { // from class: io.grpc.xds.internal.certprovider.MeshCaCertificateProvider.ZoneInfoClientInterceptor.1
                public void start(ClientCall.Listener<RespT> listener, Metadata metadata) {
                    metadata.put(MeshCaCertificateProvider.KEY_FOR_ZONE_INFO, "location=locations/" + ZoneInfoClientInterceptor.this.zone);
                    super.start(listener, metadata);
                }
            };
        }
    }

    MeshCaCertificateProvider(CertificateProvider.DistributorWatcher distributorWatcher, boolean z, String str, String str2, long j, int i, String str3, String str4, MeshCaChannelFactory meshCaChannelFactory, BackoffPolicy.Provider provider, long j2, int i2, GoogleCredentials googleCredentials, ScheduledExecutorService scheduledExecutorService, TimeProvider timeProvider, long j3) {
        super(distributorWatcher, z);
        this.meshCaUrl = (String) Preconditions.checkNotNull(str, "meshCaUrl");
        Preconditions.checkArgument(j > INITIAL_DELAY_SECONDS, "validitySeconds must be greater than 4");
        this.validitySeconds = j;
        this.keySize = i;
        this.signatureAlg = (String) Preconditions.checkNotNull(str4, "signatureAlg");
        this.meshCaChannelFactory = (MeshCaChannelFactory) Preconditions.checkNotNull(meshCaChannelFactory, "meshCaChannelFactory");
        this.backoffPolicyProvider = (BackoffPolicy.Provider) Preconditions.checkNotNull(provider, "backoffPolicyProvider");
        Preconditions.checkArgument(j2 > 0 && j2 < j, "renewalGracePeriodSeconds should be between 0 and " + j);
        this.renewalGracePeriodSeconds = j2;
        Preconditions.checkArgument(i2 >= 0, "maxRetryAttempts must be >= 0");
        this.maxRetryAttempts = i2;
        this.oauth2Creds = (GoogleCredentials) Preconditions.checkNotNull(googleCredentials, "oauth2Creds");
        this.scheduledExecutorService = (ScheduledExecutorService) Preconditions.checkNotNull(scheduledExecutorService, "scheduledExecutorService");
        this.timeProvider = (TimeProvider) Preconditions.checkNotNull(timeProvider, "timeProvider");
        this.headerInterceptor = new ZoneInfoClientInterceptor((String) Preconditions.checkNotNull(str2, "zone"));
        this.syncContext = createSynchronizationContext(str);
        this.rpcTimeoutMillis = j3;
    }

    private SynchronizationContext createSynchronizationContext(String str) {
        final InternalLogId allocate = InternalLogId.allocate("MeshCaCertificateProvider", str);
        return new SynchronizationContext(new Thread.UncaughtExceptionHandler() { // from class: io.grpc.xds.internal.certprovider.MeshCaCertificateProvider.1
            private boolean panicMode;

            @Override // java.lang.Thread.UncaughtExceptionHandler
            public void uncaughtException(Thread thread, Throwable th) {
                MeshCaCertificateProvider.logger.log(Level.SEVERE, "[" + allocate + "] Uncaught exception in the SynchronizationContext. Panic!", th);
                panic(th);
            }

            void panic(Throwable th) {
                if (this.panicMode) {
                    return;
                }
                this.panicMode = true;
                MeshCaCertificateProvider.this.close();
            }
        });
    }

    @Override // io.grpc.xds.internal.certprovider.CertificateProvider
    public void start() {
        scheduleNextRefreshCertificate(INITIAL_DELAY_SECONDS);
    }

    @Override // io.grpc.xds.internal.certprovider.CertificateProvider, io.grpc.xds.internal.sds.Closeable, java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.scheduledHandle != null) {
            this.scheduledHandle.cancel();
            this.scheduledHandle = null;
        }
        getWatcher().close();
    }

    private void scheduleNextRefreshCertificate(long j) {
        if (this.scheduledHandle != null && this.scheduledHandle.isPending()) {
            logger.log(Level.SEVERE, "Pending task found: inconsistent state in scheduledHandle!");
            this.scheduledHandle.cancel();
        }
        this.scheduledHandle = this.syncContext.schedule(new RefreshCertificateTask(), j, TimeUnit.SECONDS, this.scheduledExecutorService);
    }

    @VisibleForTesting
    void refreshCertificate() throws NoSuchAlgorithmException, IOException, OperatorCreationException {
        long computeRefreshSecondsFromCurrentCertExpiry = computeRefreshSecondsFromCurrentCertExpiry();
        ManagedChannel createChannel = this.meshCaChannelFactory.createChannel(this.meshCaUrl);
        try {
            String uuid = UUID.randomUUID().toString();
            Duration build = Duration.newBuilder().setSeconds(this.validitySeconds).build();
            KeyPair generateKeyPair = generateKeyPair();
            List<X509Certificate> makeRequestWithRetries = makeRequestWithRetries(createStubToMeshCa(createChannel), uuid, build, generateCsr(generateKeyPair));
            if (makeRequestWithRetries != null) {
                computeRefreshSecondsFromCurrentCertExpiry = computeDelaySecondsToCertExpiry(makeRequestWithRetries.get(0)) - this.renewalGracePeriodSeconds;
                getWatcher().updateCertificate(generateKeyPair.getPrivate(), makeRequestWithRetries);
                getWatcher().updateTrustedRoots(ImmutableList.of(makeRequestWithRetries.get(makeRequestWithRetries.size() - 1)));
            }
        } finally {
            shutdownChannel(createChannel);
            scheduleNextRefreshCertificate(computeRefreshSecondsFromCurrentCertExpiry);
        }
    }

    private MeshCertificateServiceGrpc.MeshCertificateServiceBlockingStub createStubToMeshCa(ManagedChannel managedChannel) {
        return MeshCertificateServiceGrpc.newBlockingStub(managedChannel).withCallCredentials(MoreCallCredentials.from(this.oauth2Creds)).withInterceptors(new ClientInterceptor[]{this.headerInterceptor});
    }

    private List<X509Certificate> makeRequestWithRetries(MeshCertificateServiceGrpc.MeshCertificateServiceBlockingStub meshCertificateServiceBlockingStub, String str, Duration duration, String str2) {
        MeshCertificateRequest m1705build = MeshCertificateRequest.newBuilder().setValidity(duration).setCsr(str2).setRequestId(str).m1705build();
        BackoffPolicy backoffPolicy = this.backoffPolicyProvider.get();
        Throwable th = null;
        for (int i = 0; i <= this.maxRetryAttempts; i++) {
            try {
                return getX509CertificatesFromResponse(meshCertificateServiceBlockingStub.withDeadlineAfter(this.rpcTimeoutMillis, TimeUnit.MILLISECONDS).createCertificate(m1705build));
            } catch (Throwable th2) {
                if (!retriable(th2)) {
                    generateErrorIfCurrentCertExpired(th2);
                    return null;
                }
                th = th2;
                sleepForNanos(backoffPolicy.nextBackoffNanos());
            }
        }
        generateErrorIfCurrentCertExpired(th);
        return null;
    }

    private void sleepForNanos(long j) {
        try {
            this.scheduledExecutorService.schedule(new Runnable() { // from class: io.grpc.xds.internal.certprovider.MeshCaCertificateProvider.2
                @Override // java.lang.Runnable
                public void run() {
                }
            }, j, TimeUnit.NANOSECONDS).get(j, TimeUnit.NANOSECONDS);
        } catch (InterruptedException e) {
            logger.log(Level.SEVERE, "Inside sleep", (Throwable) e);
            Thread.currentThread().interrupt();
        } catch (ExecutionException | TimeoutException e2) {
            logger.log(Level.SEVERE, "Inside sleep", e2);
        }
    }

    private static boolean retriable(Throwable th) {
        return RETRIABLE_CODES.contains(Status.fromThrowable(th).getCode());
    }

    private void generateErrorIfCurrentCertExpired(Throwable th) {
        X509Certificate lastIdentityCert = getWatcher().getLastIdentityCert();
        if (lastIdentityCert != null) {
            if (computeDelaySecondsToCertExpiry(lastIdentityCert) > INITIAL_DELAY_SECONDS) {
                return;
            } else {
                getWatcher().clearValues();
            }
        }
        getWatcher().onError(Status.fromThrowable(th));
    }

    private KeyPair generateKeyPair() throws NoSuchAlgorithmException {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(this.keySize);
        return keyPairGenerator.generateKeyPair();
    }

    private String generateCsr(KeyPair keyPair) throws IOException, OperatorCreationException {
        PemObject pemObject = new PemObject("NEW CERTIFICATE REQUEST", new JcaPKCS10CertificationRequestBuilder(new X500Principal("CN=EXAMPLE.COM"), keyPair.getPublic()).build(new JcaContentSignerBuilder(this.signatureAlg).build(keyPair.getPrivate())).getEncoded());
        StringWriter stringWriter = new StringWriter();
        try {
            JcaPEMWriter jcaPEMWriter = new JcaPEMWriter(stringWriter);
            Throwable th = null;
            try {
                try {
                    jcaPEMWriter.writeObject(pemObject);
                    $closeResource(null, jcaPEMWriter);
                    String stringWriter2 = stringWriter.toString();
                    $closeResource(null, stringWriter);
                    return stringWriter2;
                } finally {
                }
            } catch (Throwable th2) {
                $closeResource(th, jcaPEMWriter);
                throw th2;
            }
        } catch (Throwable th3) {
            $closeResource(null, stringWriter);
            throw th3;
        }
    }

    private long computeRefreshSecondsFromCurrentCertExpiry() {
        X509Certificate lastIdentityCert = getWatcher().getLastIdentityCert();
        return lastIdentityCert == null ? INITIAL_DELAY_SECONDS : Math.max(computeDelaySecondsToCertExpiry(lastIdentityCert) / 2, INITIAL_DELAY_SECONDS);
    }

    private long computeDelaySecondsToCertExpiry(X509Certificate x509Certificate) {
        Preconditions.checkNotNull(x509Certificate, "lastCert");
        return TimeUnit.NANOSECONDS.toSeconds(TimeUnit.MILLISECONDS.toNanos(x509Certificate.getNotAfter().getTime()) - this.timeProvider.currentTimeNanos());
    }

    private static void shutdownChannel(ManagedChannel managedChannel) {
        managedChannel.shutdown();
        try {
            managedChannel.awaitTermination(10L, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            logger.log(Level.SEVERE, "awaiting channel Termination", (Throwable) e);
            managedChannel.shutdownNow();
            Thread.currentThread().interrupt();
        }
    }

    private List<X509Certificate> getX509CertificatesFromResponse(MeshCertificateResponse meshCertificateResponse) throws CertificateException, IOException {
        ProtocolStringList mo1720getCertChainList = meshCertificateResponse.mo1720getCertChainList();
        ArrayList arrayList = new ArrayList(mo1720getCertChainList.size());
        Iterator it = mo1720getCertChainList.iterator();
        while (it.hasNext()) {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(((String) it.next()).getBytes(StandardCharsets.UTF_8));
            Throwable th = null;
            try {
                try {
                    arrayList.add(CertificateUtils.toX509Certificate(byteArrayInputStream));
                    $closeResource(null, byteArrayInputStream);
                } finally {
                }
            } catch (Throwable th2) {
                $closeResource(th, byteArrayInputStream);
                throw th2;
            }
        }
        return arrayList;
    }

    private static /* synthetic */ void $closeResource(Throwable th, AutoCloseable autoCloseable) {
        if (th == null) {
            autoCloseable.close();
            return;
        }
        try {
            autoCloseable.close();
        } catch (Throwable th2) {
            th.addSuppressed(th2);
        }
    }
}
