package com.netflix.spinnaker.fiat.roles;

import com.netflix.spectator.api.Id;
import com.netflix.spectator.api.Registry;
import com.netflix.spinnaker.fiat.config.ResourceProvidersHealthIndicator;
import com.netflix.spinnaker.fiat.config.UnrestrictedResourceConfig;
import com.netflix.spinnaker.fiat.model.UserPermission;
import com.netflix.spinnaker.fiat.model.resources.Role;
import com.netflix.spinnaker.fiat.model.resources.ServiceAccount;
import com.netflix.spinnaker.fiat.permissions.ExternalUser;
import com.netflix.spinnaker.fiat.permissions.PermissionResolutionException;
import com.netflix.spinnaker.fiat.permissions.PermissionsRepository;
import com.netflix.spinnaker.fiat.permissions.PermissionsResolver;
import com.netflix.spinnaker.fiat.providers.ProviderException;
import com.netflix.spinnaker.fiat.providers.ResourceProvider;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.health.Status;
import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
import org.springframework.stereotype.Component;
import org.springframework.util.backoff.BackOffExecution;
import org.springframework.util.backoff.FixedBackOff;

@Component
@ConditionalOnExpression("${fiat.write-mode.enabled:true}")
/* loaded from: input_file:com/netflix/spinnaker/fiat/roles/Synchronizer.class */
public class Synchronizer {
    private static final Logger log = LoggerFactory.getLogger(Synchronizer.class);
    private final ResourceProvidersHealthIndicator healthIndicator;
    private final PermissionsResolver permissionsResolver;
    private final PermissionsRepository permissionsRepository;
    private final ResourceProvider<ServiceAccount> serviceAccountProvider;
    private final Registry registry;
    private final long retryIntervalMs;
    private final long syncDelayTimeoutMs;

    public Synchronizer(ResourceProvidersHealthIndicator resourceProvidersHealthIndicator, PermissionsResolver permissionsResolver, PermissionsRepository permissionsRepository, ResourceProvider<ServiceAccount> resourceProvider, Registry registry, @Value("${fiat.write-mode.retry-interval-ms:10000}") long j, @Value("${fiat.write-mode.sync-delay-ms:600000}") long j2) {
        this.retryIntervalMs = j;
        this.syncDelayTimeoutMs = j2;
        this.permissionsResolver = permissionsResolver;
        this.permissionsRepository = permissionsRepository;
        this.serviceAccountProvider = resourceProvider;
        this.registry = registry;
        this.healthIndicator = resourceProvidersHealthIndicator;
    }

    public long syncAndReturn(List<String> list) {
        FixedBackOff fixedBackOff = new FixedBackOff();
        fixedBackOff.setInterval(this.retryIntervalMs);
        fixedBackOff.setMaxAttempts(Math.floorDiv(this.syncDelayTimeoutMs, this.retryIntervalMs) + 1);
        BackOffExecution start = fixedBackOff.start();
        long currentTimeMillis = System.currentTimeMillis() + this.syncDelayTimeoutMs;
        if (!isServerHealthy()) {
            log.warn("Server is currently UNHEALTHY. User permission role synchronization and resolution may not complete until this server becomes healthy again.");
        }
        this.permissionsResolver.clearCache();
        while (true) {
            try {
                try {
                    HashMap hashMap = new HashMap();
                    hashMap.put(UnrestrictedResourceConfig.UNRESTRICTED_USERNAME, new HashSet());
                    Map<String, Set<Role>> userPermissions = getUserPermissions(list);
                    if (!userPermissions.isEmpty()) {
                        hashMap.putAll(userPermissions);
                    }
                    Map<String, Set<Role>> serviceAccountsAsMap = getServiceAccountsAsMap(list);
                    if (!serviceAccountsAsMap.isEmpty()) {
                        hashMap.putAll(serviceAccountsAsMap);
                    }
                    long updateUserPermissions = updateUserPermissions(hashMap);
                    isServerHealthy();
                    return updateUserPermissions;
                } catch (PermissionResolutionException | ProviderException e) {
                    this.registry.counter(metricName("syncFailure"), new String[]{"cause", e.getClass().getSimpleName()}).increment();
                    Status status = this.healthIndicator.health().getStatus();
                    long nextBackOff = start.nextBackOff();
                    if (nextBackOff == -1 || System.currentTimeMillis() > currentTimeMillis) {
                        this.registry.counter("syncAborted", new String[]{"cause", nextBackOff == -1 ? "backoff-exhausted" : "timeout"}).increment();
                        log.error("Unable to resolve service account permissions.", e);
                        isServerHealthy();
                        return 0L;
                    }
                    String str = "User permission sync failed. Server status is " + status + ". Trying again in " + nextBackOff + " ms. Cause:" + e.getMessage();
                    if (log.isDebugEnabled()) {
                        log.debug(str, e);
                    } else {
                        log.warn(str);
                    }
                    try {
                        Thread.sleep(nextBackOff);
                    } catch (InterruptedException e2) {
                    }
                    isServerHealthy();
                }
            } catch (Throwable th) {
                isServerHealthy();
                throw th;
            }
        }
    }

    public long syncServiceAccount(String str, List<String> list) {
        this.permissionsResolver.clearCache();
        this.permissionsRepository.put(this.permissionsResolver.resolveAndMerge(new ExternalUser().setId(str.toLowerCase()).setExternalRoles((List) list.stream().map(str2 -> {
            return new Role().setSource(Role.Source.EXTERNAL).setName(str2);
        }).collect(Collectors.toList()))));
        this.permissionsRepository.putAllById(this.permissionsResolver.resolveResources((Map) this.permissionsRepository.getAllByRoles(list).entrySet().stream().filter(entry -> {
            return ((Set) ((Set) entry.getValue()).stream().map((v0) -> {
                return v0.getName();
            }).collect(Collectors.toSet())).containsAll(list);
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }))));
        return r0.size();
    }

    private boolean isServerHealthy() {
        return this.healthIndicator.health().getStatus() == Status.UP;
    }

    private Map<String, Set<Role>> getUserPermissions(List<String> list) {
        return (list == null || list.isEmpty()) ? this.permissionsRepository.getAllById() : this.permissionsRepository.getAllByRoles(list);
    }

    private long updateUserPermissions(Map<String, Set<Role>> map) {
        if (map.remove(UnrestrictedResourceConfig.UNRESTRICTED_USERNAME) != null) {
            timeIt("syncAnonymous", () -> {
                this.permissionsRepository.put(this.permissionsResolver.resolveUnrestrictedUser());
                log.info("Synced anonymous user role.");
            });
        }
        List list = (List) map.entrySet().stream().map(entry -> {
            return new ExternalUser().setId((String) entry.getKey()).setExternalRoles((List) ((Set) entry.getValue()).stream().filter(role -> {
                return role.getSource() == Role.Source.EXTERNAL;
            }).collect(Collectors.toList()));
        }).collect(Collectors.toList());
        if (list.isEmpty()) {
            log.info("Found no non-anonymous user roles to sync.");
            return 0L;
        }
        long intValue = ((Integer) timeIt("syncUsers", () -> {
            Map<String, UserPermission> resolve = this.permissionsResolver.resolve(list);
            this.permissionsRepository.putAllById(resolve);
            return Integer.valueOf(resolve.size());
        })).intValue();
        log.info("Synced {} non-anonymous user roles.", Long.valueOf(intValue));
        return intValue;
    }

    private Map<String, Set<Role>> getServiceAccountsAsMap(List<String> list) {
        List list2 = (List) this.serviceAccountProvider.getAll().stream().map((v0) -> {
            return v0.toUserPermission();
        }).collect(Collectors.toList());
        return (list == null || list.isEmpty()) ? (Map) list2.stream().collect(Collectors.toMap((v0) -> {
            return v0.getId();
        }, (v0) -> {
            return v0.getRoles();
        })) : (Map) list2.stream().filter(userPermission -> {
            Stream map = userPermission.getRoles().stream().map((v0) -> {
                return v0.getName();
            });
            Objects.requireNonNull(list);
            return map.anyMatch((v1) -> {
                return r1.contains(v1);
            });
        }).collect(Collectors.toMap((v0) -> {
            return v0.getId();
        }, (v0) -> {
            return v0.getRoles();
        }));
    }

    private void timeIt(String str, Runnable runnable) {
        timeIt(str, () -> {
            runnable.run();
            return null;
        });
    }

    private <T> T timeIt(String str, Callable<T> callable) {
        long nanoTime = System.nanoTime();
        try {
            try {
                T call = callable.call();
                boolean z = 0 == 0;
                Id withTag = this.registry.createId(metricName(str)).withTag("success", z);
                this.registry.timer(z ? withTag : withTag.withTag("cause", (String) null)).record(System.nanoTime() - nanoTime, TimeUnit.NANOSECONDS);
                return call;
            } catch (RuntimeException e) {
                e.getClass().getSimpleName();
                throw e;
            } catch (Exception e2) {
                e2.getClass().getSimpleName();
                throw new RuntimeException(e2);
            }
        } catch (Throwable th) {
            boolean z2 = 0 == 0;
            Id withTag2 = this.registry.createId(metricName(str)).withTag("success", z2);
            this.registry.timer(z2 ? withTag2 : withTag2.withTag("cause", (String) null)).record(System.nanoTime() - nanoTime, TimeUnit.NANOSECONDS);
            throw th;
        }
    }

    private static String metricName(String str) {
        return "fiat.userRoles." + str;
    }
}
