package com.netflix.spinnaker.fiat.permissions;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;
import com.netflix.spinnaker.fiat.config.UnrestrictedResourceConfig;
import com.netflix.spinnaker.fiat.model.UserPermission;
import com.netflix.spinnaker.fiat.model.resources.Resource;
import com.netflix.spinnaker.fiat.model.resources.ResourceType;
import com.netflix.spinnaker.fiat.model.resources.Role;
import com.netflix.spinnaker.kork.exceptions.IntegrationException;
import com.netflix.spinnaker.kork.exceptions.SpinnakerException;
import com.netflix.spinnaker.kork.jedis.RedisClientDelegate;
import io.github.resilience4j.retry.RetryRegistry;
import java.io.IOException;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.stream.Collectors;
import lombok.NonNull;
import net.jpountz.lz4.LZ4CompressorWithLength;
import net.jpountz.lz4.LZ4DecompressorWithLength;
import net.jpountz.lz4.LZ4Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import redis.clients.jedis.Response;
import redis.clients.jedis.commands.BinaryJedisCommands;
import redis.clients.jedis.util.SafeEncoder;

/* loaded from: input_file:com/netflix/spinnaker/fiat/permissions/RedisPermissionsRepository.class */
public class RedisPermissionsRepository implements PermissionsRepository {
    private static final String REDIS_READ_RETRY = "permissionsRepositoryRedisRead";
    private static final String KEY_PERMISSIONS = "permissions";
    private static final String KEY_PERMISSIONS_V2 = "permissions-v2";
    private static final String KEY_ROLES = "roles";
    private static final String KEY_ALL_USERS = "users";
    private static final String KEY_ADMIN = "admin";
    private static final String KEY_ACCOUNT_MANAGERS = "accountmanagers";
    private static final String KEY_LAST_MODIFIED = "last_modified";
    private static final String NO_LAST_MODIFIED = "unknown_last_modified";
    private final Clock clock;
    private final ObjectMapper objectMapper;
    private final RedisClientDelegate redisClientDelegate;
    private final List<Resource> resources;
    private final RedisPermissionRepositoryConfigProps configProps;
    private final RetryRegistry retryRegistry;
    private final AtomicReference<String> fallbackLastModified;
    private final LZ4CompressorWithLength lz4Compressor;
    private final LZ4DecompressorWithLength lz4Decompressor;
    private final LoadingCache<String, UserPermission> unrestrictedPermission;
    private final String prefix;
    private final byte[] allUsersKey;
    private final byte[] adminKey;
    private final byte[] accountManagersKey;
    private final ForkJoinPool syncThreadPool;
    private static final Logger log = LoggerFactory.getLogger(RedisPermissionsRepository.class);
    private static final String UNRESTRICTED = UnrestrictedResourceConfig.UNRESTRICTED_USERNAME;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/netflix/spinnaker/fiat/permissions/RedisPermissionsRepository$PutUpdateData.class */
    public static class PutUpdateData {
        public byte[] userResourceKey;
        public byte[] compressedData;

        private PutUpdateData() {
        }
    }

    @FunctionalInterface
    /* loaded from: input_file:com/netflix/spinnaker/fiat/permissions/RedisPermissionsRepository$ThrowingFunction.class */
    private interface ThrowingFunction<T, R> extends Function<T, R> {
        @Override // java.util.function.Function
        default R apply(T t) {
            try {
                return applyThrows(t);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }

        R applyThrows(T t) throws Exception;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/netflix/spinnaker/fiat/permissions/RedisPermissionsRepository$TimeoutContext.class */
    public static class TimeoutContext {
        private final String name;
        private final Instant expiry;
        private final Clock clock;
        private final Duration timeout;

        public TimeoutContext(String str, Clock clock, Duration duration) {
            this(str, clock, duration, Instant.now(clock));
        }

        public TimeoutContext(String str, Clock clock, Duration duration, Instant instant) {
            this.name = str;
            this.expiry = instant.plus((TemporalAmount) duration);
            this.clock = clock;
            this.timeout = duration;
        }

        boolean isTimedOut() {
            return Instant.now(this.clock).isAfter(this.expiry);
        }

        String getName() {
            return this.name;
        }

        Duration getTimeout() {
            return this.timeout;
        }
    }

    RedisPermissionsRepository(Clock clock, ObjectMapper objectMapper, RedisClientDelegate redisClientDelegate, List<Resource> list, RedisPermissionRepositoryConfigProps redisPermissionRepositoryConfigProps, RetryRegistry retryRegistry) {
        this.fallbackLastModified = new AtomicReference<>(null);
        this.unrestrictedPermission = Caffeine.newBuilder().expireAfterAccess(Duration.ofSeconds(10L)).build(this::reloadUnrestricted);
        this.clock = clock;
        this.objectMapper = objectMapper;
        this.redisClientDelegate = redisClientDelegate;
        this.configProps = redisPermissionRepositoryConfigProps;
        this.prefix = redisPermissionRepositoryConfigProps.getPrefix();
        this.resources = list;
        this.retryRegistry = retryRegistry;
        LZ4Factory fastestInstance = LZ4Factory.fastestInstance();
        this.lz4Compressor = new LZ4CompressorWithLength(fastestInstance.fastCompressor());
        this.lz4Decompressor = new LZ4DecompressorWithLength(fastestInstance.fastDecompressor());
        this.allUsersKey = SafeEncoder.encode(String.format("%s:%s", this.prefix, KEY_ALL_USERS));
        this.adminKey = SafeEncoder.encode(String.format("%s:%s:%s", this.prefix, KEY_PERMISSIONS, KEY_ADMIN));
        this.accountManagersKey = SafeEncoder.encode(String.format("%s:%s", this.prefix, KEY_ACCOUNT_MANAGERS));
        this.syncThreadPool = new ForkJoinPool(redisPermissionRepositoryConfigProps.getRepository().getSyncThreads());
    }

    public RedisPermissionsRepository(ObjectMapper objectMapper, RedisClientDelegate redisClientDelegate, List<Resource> list, RedisPermissionRepositoryConfigProps redisPermissionRepositoryConfigProps, RetryRegistry retryRegistry) {
        this(Clock.systemUTC(), objectMapper, redisClientDelegate, list, redisPermissionRepositoryConfigProps, retryRegistry);
    }

    private UserPermission reloadUnrestricted(String str) {
        return (UserPermission) getFromRedis(UNRESTRICTED).map(userPermission -> {
            log.debug("reloaded user {} for key {} as {}", new Object[]{UNRESTRICTED, str, userPermission});
            return userPermission;
        }).orElseThrow(() -> {
            log.error("loading user {} for key {} failed, no permissions returned", UNRESTRICTED, str);
            return new PermissionRepositoryException("Failed to read unrestricted user");
        });
    }

    private UserPermission getUnrestrictedUserPermission() {
        String str = NO_LAST_MODIFIED;
        byte[] bArr = (byte[]) redisRead(new TimeoutContext("checkLastModified", this.clock, this.configProps.getRepository().getCheckLastModifiedTimeout()), binaryJedisCommands -> {
            return binaryJedisCommands.get(SafeEncoder.encode(unrestrictedLastModifiedKey()));
        });
        if (bArr == null || bArr.length == 0) {
            log.debug("no last modified time available in redis for user {} using default of {}", UNRESTRICTED, NO_LAST_MODIFIED);
        } else {
            str = SafeEncoder.encode(bArr);
        }
        try {
            UserPermission userPermission = (UserPermission) this.unrestrictedPermission.get(str);
            if (userPermission != null && !str.equals(NO_LAST_MODIFIED)) {
                this.fallbackLastModified.set(str);
            }
            return userPermission;
        } catch (Throwable th) {
            log.error("failed reading user {} from cache for key {}", new Object[]{UNRESTRICTED, str, th});
            String str2 = this.fallbackLastModified.get();
            if (str2 != null) {
                UserPermission userPermission2 = (UserPermission) this.unrestrictedPermission.getIfPresent(str2);
                if (userPermission2 != null) {
                    log.warn("serving fallback permission for user {} from key {} as {}", new Object[]{UNRESTRICTED, str2, userPermission2});
                    return userPermission2;
                }
                log.warn("no fallback entry remaining in cache for key {}", str2);
            }
            if (th instanceof RuntimeException) {
                throw ((RuntimeException) th);
            }
            throw new IntegrationException(th);
        }
    }

    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsRepository
    public RedisPermissionsRepository put(@NonNull UserPermission userPermission) {
        if (userPermission == null) {
            throw new IllegalArgumentException("permission is marked non-null but is null");
        }
        String id = userPermission.getId();
        byte[] encode = SafeEncoder.encode(id);
        List<ResourceType> list = (List) this.resources.stream().map((v0) -> {
            return v0.getResourceType();
        }).collect(Collectors.toList());
        HashMap hashMap = new HashMap(list.size());
        userPermission.getAllResources().forEach(resource -> {
            ((Map) hashMap.computeIfAbsent(resource.getResourceType(), resourceType -> {
                return new HashMap();
            })).put(resource.getName(), resource);
        });
        try {
            HashSet hashSet = new HashSet(getUserRoleMapFromRedis(id).values());
            ArrayList arrayList = new ArrayList();
            for (ResourceType resourceType : list) {
                Map map = (Map) hashMap.get(resourceType);
                byte[] userKey = userKey(id, resourceType);
                PutUpdateData putUpdateData = new PutUpdateData();
                putUpdateData.userResourceKey = userKey;
                if (map == null || map.size() == 0) {
                    putUpdateData.compressedData = null;
                } else {
                    putUpdateData.compressedData = this.lz4Compressor.compress(this.objectMapper.writeValueAsBytes(map));
                }
                arrayList.add(putUpdateData);
            }
            AtomicReference atomicReference = new AtomicReference();
            this.redisClientDelegate.withMultiKeyPipeline(pipeline -> {
                if (userPermission.isAdmin()) {
                    pipeline.sadd(this.adminKey, (byte[][]) new byte[]{encode});
                } else {
                    pipeline.srem(this.adminKey, (byte[][]) new byte[]{encode});
                }
                if (userPermission.isAccountManager()) {
                    pipeline.sadd(this.accountManagersKey, (byte[][]) new byte[]{encode});
                } else {
                    pipeline.srem(this.accountManagersKey, (byte[][]) new byte[]{encode});
                }
                userPermission.getRoles().forEach(role -> {
                    pipeline.sadd(roleKey(role), (byte[][]) new byte[]{encode});
                });
                hashSet.stream().filter(role2 -> {
                    return !userPermission.getRoles().contains(role2);
                }).forEach(role3 -> {
                    pipeline.srem(roleKey(role3), (byte[][]) new byte[]{encode});
                });
                Iterator it = arrayList.iterator();
                while (it.hasNext()) {
                    PutUpdateData putUpdateData2 = (PutUpdateData) it.next();
                    if (putUpdateData2.compressedData == null) {
                        pipeline.del(putUpdateData2.userResourceKey);
                    } else {
                        byte[] encode2 = SafeEncoder.encode(UUID.randomUUID().toString());
                        pipeline.set(encode2, putUpdateData2.compressedData);
                        pipeline.rename(encode2, putUpdateData2.userResourceKey);
                    }
                }
                atomicReference.set(pipeline.time());
                pipeline.sadd(this.allUsersKey, (byte[][]) new byte[]{encode});
                pipeline.sync();
            });
            if (UNRESTRICTED.equals(id)) {
                String str = (String) ((List) ((Response) atomicReference.get()).get()).get(0);
                this.redisClientDelegate.withCommandsClient(jedisCommands -> {
                    log.debug("set last modified for user {} to {}", UNRESTRICTED, str);
                    jedisCommands.set(unrestrictedLastModifiedKey(), str);
                });
            }
        } catch (Exception e) {
            log.error("Storage exception writing {} entry.", id, e);
        }
        return this;
    }

    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsRepository
    public void putAllById(Map<String, UserPermission> map) {
        if (map == null || map.values() == null) {
            return;
        }
        Iterator<UserPermission> it = map.values().iterator();
        while (it.hasNext()) {
            put(it.next());
        }
    }

    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsRepository
    public Optional<UserPermission> get(@NonNull String str) {
        if (str == null) {
            throw new IllegalArgumentException("id is marked non-null but is null");
        }
        return UNRESTRICTED.equals(str) ? Optional.of(getUnrestrictedUserPermission()) : getFromRedis(str);
    }

    private byte[] getUserResourceBytesFromRedis(String str, ResourceType resourceType) {
        TimeoutContext timeoutContext = new TimeoutContext(String.format("get user resource from redis: %s (%s)", str, resourceType), this.clock, this.configProps.getRepository().getGetUserResourceTimeout());
        byte[] userKey = userKey(str, resourceType);
        byte[] bArr = (byte[]) redisRead(timeoutContext, binaryJedisCommands -> {
            return binaryJedisCommands.get(userKey);
        });
        if (bArr == null || bArr.length == 0) {
            return null;
        }
        return this.lz4Decompressor.decompress(bArr);
    }

    private Map<String, Resource> getUserResourceMapFromRedis(String str, ResourceType resourceType) throws IOException {
        byte[] userResourceBytesFromRedis = getUserResourceBytesFromRedis(str, resourceType);
        if (userResourceBytesFromRedis == null) {
            return new HashMap();
        }
        return (Map) this.objectMapper.readerForMapOf(this.resources.stream().filter(resource -> {
            return resource.getResourceType().equals(resourceType);
        }).findFirst().orElseThrow(IllegalArgumentException::new).getClass()).readValue(userResourceBytesFromRedis);
    }

    private Map<String, Role> getUserRoleMapFromRedis(String str) throws IOException {
        byte[] userResourceBytesFromRedis = getUserResourceBytesFromRedis(str, ResourceType.ROLE);
        return userResourceBytesFromRedis == null ? new HashMap() : (Map) this.objectMapper.readValue(userResourceBytesFromRedis, new TypeReference<Map<String, Role>>() { // from class: com.netflix.spinnaker.fiat.permissions.RedisPermissionsRepository.1
        });
    }

    private Optional<UserPermission> getFromRedis(@NonNull String str) {
        if (str == null) {
            throw new IllegalArgumentException("id is marked non-null but is null");
        }
        try {
            TimeoutContext timeoutContext = new TimeoutContext(String.format("getPermission for user: %s", str), this.clock, this.configProps.getRepository().getGetPermissionTimeout());
            if (!(UNRESTRICTED.equals(str) || ((Boolean) redisRead(timeoutContext, binaryJedisCommands -> {
                return binaryJedisCommands.sismember(this.allUsersKey, SafeEncoder.encode(str));
            })).booleanValue())) {
                log.debug("request for user {} not found in redis", str);
                return Optional.empty();
            }
            UserPermission id = new UserPermission().setId(str);
            Iterator<Resource> it = this.resources.iterator();
            while (it.hasNext()) {
                Map<String, Resource> userResourceMapFromRedis = getUserResourceMapFromRedis(str, it.next().getResourceType());
                if (userResourceMapFromRedis != null && !userResourceMapFromRedis.isEmpty()) {
                    id.addResources(userResourceMapFromRedis.values());
                }
            }
            if (!UNRESTRICTED.equals(str)) {
                id.setAdmin(((Boolean) redisRead(timeoutContext, binaryJedisCommands2 -> {
                    return binaryJedisCommands2.sismember(this.adminKey, SafeEncoder.encode(str));
                })).booleanValue());
                id.setAccountManager(((Boolean) redisRead(timeoutContext, binaryJedisCommands3 -> {
                    return binaryJedisCommands3.sismember(this.accountManagersKey, SafeEncoder.encode(str));
                })).booleanValue());
                id.merge(getUnrestrictedUserPermission());
            }
            return Optional.of(id);
        } catch (Throwable th) {
            String format = String.format("Storage exception reading %s entry.", str);
            log.error(format, th);
            if (th instanceof SpinnakerException) {
                throw th;
            }
            throw new PermissionReadException(format, th);
        }
    }

    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsRepository
    public Map<String, Set<Role>> getAllById() {
        return getRolesOf((Set) scanSet(this.allUsersKey).stream().map((v0) -> {
            return v0.toLowerCase();
        }).collect(Collectors.toSet()));
    }

    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsRepository
    public Map<String, Set<Role>> getAllByRoles(List<String> list) {
        if (list == null) {
            return getAllById();
        }
        if (list.isEmpty()) {
            return getRolesOf(Set.of(UNRESTRICTED));
        }
        Set<String> hashSet = new HashSet();
        try {
            hashSet = (Set) this.syncThreadPool.submit(() -> {
                return (Set) new HashSet(list).parallelStream().flatMap(str -> {
                    return scanSet(roleKey(str)).stream().map((v0) -> {
                        return v0.toLowerCase();
                    });
                }).collect(Collectors.toSet());
            }).get();
        } catch (InterruptedException e) {
            log.error("Interrupted exception reading usernames for roles", e);
        } catch (ExecutionException e2) {
            log.error("Execution exception reading usernames for roles", e2);
        }
        hashSet.add(UNRESTRICTED);
        return getRolesOf(hashSet);
    }

    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsRepository
    public void remove(@NonNull String str) {
        if (str == null) {
            throw new IllegalArgumentException("id is marked non-null but is null");
        }
        try {
            Map<String, Role> userRoleMapFromRedis = getUserRoleMapFromRedis(str);
            byte[] encode = SafeEncoder.encode(str);
            this.redisClientDelegate.withMultiKeyPipeline(pipeline -> {
                pipeline.srem(this.allUsersKey, (byte[][]) new byte[]{encode});
                userRoleMapFromRedis.keySet().forEach(str2 -> {
                    pipeline.srem(roleKey(str2), (byte[][]) new byte[]{encode});
                });
                this.resources.stream().map((v0) -> {
                    return v0.getResourceType();
                }).forEach(resourceType -> {
                    pipeline.del(userKey(str, resourceType));
                });
                pipeline.srem(this.adminKey, (byte[][]) new byte[]{encode});
                pipeline.srem(this.accountManagersKey, (byte[][]) new byte[]{encode});
                pipeline.sync();
            });
        } catch (Exception e) {
            log.error("Storage exception reading " + str + " entry.", e);
        }
    }

    private Map<String, Set<Role>> getRolesOf(Set<String> set) {
        if (set.isEmpty()) {
            return new HashMap(0);
        }
        HashMap hashMap = new HashMap(set.size());
        for (String str : set) {
            try {
                hashMap.put(str, (Set) getUserResourceMapFromRedis(str, ResourceType.ROLE).values().stream().map(resource -> {
                    return (Role) resource;
                }).collect(Collectors.toSet()));
            } catch (Throwable th) {
                String format = String.format("Storage exception reading %s entry.", str);
                log.error(format, th);
                if (th instanceof SpinnakerException) {
                    throw th;
                }
                throw new PermissionReadException(format, th);
            }
        }
        return hashMap;
    }

    private Set<String> scanSet(byte[] bArr) {
        return (Set) ((Set) this.redisClientDelegate.withBinaryClient(binaryJedisCommands -> {
            return binaryJedisCommands.smembers(bArr);
        })).stream().map(SafeEncoder::encode).collect(Collectors.toSet());
    }

    private byte[] userKey(String str, ResourceType resourceType) {
        return SafeEncoder.encode(String.format("%s:%s:%s:%s", this.prefix, KEY_PERMISSIONS_V2, str, resourceType.keySuffix()));
    }

    private byte[] roleKey(Role role) {
        return roleKey(role.getName());
    }

    private byte[] roleKey(String str) {
        return SafeEncoder.encode(String.format("%s:%s:%s", this.prefix, KEY_ROLES, str));
    }

    private String lastModifiedKey(String str) {
        return String.format("%s:%s:%s", this.prefix, KEY_LAST_MODIFIED, str);
    }

    private String unrestrictedLastModifiedKey() {
        return lastModifiedKey(UNRESTRICTED);
    }

    private <T> T redisRead(TimeoutContext timeoutContext, Function<BinaryJedisCommands, T> function) {
        return (T) this.retryRegistry.retry(REDIS_READ_RETRY).executeSupplier(() -> {
            if (timeoutContext.isTimedOut()) {
                throw new PermissionReadException(String.format("request processing timeout after %s for %s", timeoutContext.getTimeout(), timeoutContext.getName()));
            }
            return this.redisClientDelegate.withBinaryClient(function);
        });
    }
}
