package com.yahoo.athenz.instance.provider.impl;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.yahoo.athenz.auth.KeyStore;
import com.yahoo.athenz.auth.token.OAuth2Token;
import com.yahoo.athenz.auth.token.jwts.JwtsHelper;
import com.yahoo.athenz.auth.token.jwts.JwtsSigningKeyResolver;
import com.yahoo.athenz.common.server.http.HttpDriver;
import com.yahoo.athenz.instance.provider.InstanceConfirmation;
import com.yahoo.athenz.instance.provider.InstanceProvider;
import com.yahoo.athenz.instance.provider.ResourceException;
import com.yahoo.athenz.zts.AccessTokenResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/InstanceAzureProvider.class */
public class InstanceAzureProvider implements InstanceProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(InstanceAzureProvider.class);
    static final String AZURE_PROP_AKS_DNS_SUFFIX = "athenz.zts.azure_aks_dns_suffix";
    static final String AZURE_PROP_PROVIDER = "athenz.zts.azure_provider";
    static final String AZURE_PROP_ZTS_RESOURCE_URI = "athenz.zts.azure_resource_uri";
    static final String AZURE_PROP_DNS_SUFFIX = "athenz.zts.azure_dns_suffix";
    static final String AZURE_PROP_OPENID_CONFIG_URI = "athenz.zts.azure_openid_config_uri";
    static final String AZURE_PROP_TOKEN_UPDATE_TIMEOUT = "athenz.zts.azure_token_update_timeout";
    static final String AZURE_PROP_MGMT_BASE_URI = "athenz.zts.azure_mgmt_base_uri";
    static final String AZURE_PROP_META_BASE_URI = "athenz.zts.azure_meta_base_uri";
    static final String AZURE_PROP_MGMT_MAX_POOL_ROUTE = "athenz.zts.azure_mgmt_client_max_pool_route";
    static final String AZURE_PROP_MGMT_MAX_POOL_TOTAL = "athenz.zts.azure_mgmt_client_max_pool_total";
    static final String AZURE_PROP_MGMT_RETRY_INTERVAL_MS = "athenz.zts.azure_mgmt_client_retry_interval_ms";
    static final String AZURE_PROP_MGMT_MAX_RETRIES = "athenz.zts.azure_mgmt_client_max_retries";
    static final String AZURE_PROP_MGMT_CONNECT_TIMEOUT_MS = "athenz.zts.azure_mgmt_client_connect_timeout_ms";
    static final String AZURE_PROP_MGMT_READ_TIMEOUT_MS = "athenz.zts.azure_mgmt_client_read_timeout_ms";
    static final String AZURE_OPENID_CONFIG_URI = "https://login.microsoftonline.com/common/.well-known/openid-configuration";
    String azureProvider = null;
    Set<String> dnsSuffixes = null;
    List<String> aksDnsSuffixes = null;
    String azureJwksUri = null;
    HttpDriver httpDriver = null;
    ObjectMapper jsonMapper = null;
    String ztsResourceUri = null;
    JwtsSigningKeyResolver signingKeyResolver = null;
    String azureMgmtBaseUri = null;
    String azureMetaBaseUri = null;
    String accessToken = null;
    ScheduledExecutorService scheduledThreadPool = null;

    /* loaded from: input_file:com/yahoo/athenz/instance/provider/impl/InstanceAzureProvider$AzureCredentialsUpdater.class */
    class AzureCredentialsUpdater implements Runnable {
        AzureCredentialsUpdater() {
        }

        @Override // java.lang.Runnable
        public void run() {
            InstanceAzureProvider.LOGGER.info("AzureCredentialsUpdater: Starting Azure credentials updater task...");
            try {
                InstanceAzureProvider.this.fetchAccessToken();
            } catch (Exception e) {
                InstanceAzureProvider.LOGGER.error("AzureCredentialsUpdater: unable to fetch Azure access token", e);
            }
            InstanceAzureProvider.LOGGER.info("AzureCredentialsUpdater: Azure credentials updater task completed");
        }
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceProvider.Scheme getProviderScheme() {
        return InstanceProvider.Scheme.HTTP;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void initialize(String str, String str2, SSLContext sSLContext, KeyStore keyStore) {
        this.azureProvider = System.getProperty(AZURE_PROP_PROVIDER);
        this.azureMgmtBaseUri = System.getProperty(AZURE_PROP_MGMT_BASE_URI, "https://management.azure.com");
        this.azureMetaBaseUri = System.getProperty(AZURE_PROP_META_BASE_URI, "http://169.254.169.254");
        boolean z = true;
        this.azureJwksUri = new JwtsHelper().extractJwksUri(System.getProperty(AZURE_PROP_OPENID_CONFIG_URI, AZURE_OPENID_CONFIG_URI), sSLContext);
        if (StringUtil.isEmpty(this.azureJwksUri)) {
            LOGGER.error("Azure jwks uri not available - no instance requests will be authorized");
            z = false;
        }
        this.signingKeyResolver = new JwtsSigningKeyResolver(this.azureJwksUri, sSLContext, true);
        if (this.signingKeyResolver.publicKeyCount() == 0) {
            LOGGER.error("No Azure public keys available - no instance requests will be authorized");
            z = false;
        }
        this.dnsSuffixes = new HashSet();
        String property = System.getProperty(AZURE_PROP_DNS_SUFFIX);
        if (StringUtil.isEmpty(property)) {
            LOGGER.error("Azure Suffix not specified - no instance requests will be authorized");
            z = false;
        } else {
            this.dnsSuffixes.addAll(Arrays.asList(property.split(",")));
        }
        this.aksDnsSuffixes = InstanceUtils.processK8SDnsSuffixList(AZURE_PROP_AKS_DNS_SUFFIX);
        this.ztsResourceUri = System.getProperty(AZURE_PROP_ZTS_RESOURCE_URI);
        if (StringUtil.isEmpty(this.ztsResourceUri)) {
            LOGGER.error("Azure ZTS Resource URI not specified - no instance requests will be authorized");
            z = false;
        }
        this.jsonMapper = new ObjectMapper();
        this.jsonMapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        try {
            this.httpDriver = getHttpDriver(sSLContext);
        } catch (Exception e) {
            LOGGER.error("Azure HTTP Client not created - no instance requests will be authorized");
            this.httpDriver = null;
            z = false;
        }
        if (z) {
            try {
                fetchAccessToken();
            } catch (Exception e2) {
                LOGGER.error("Unable to fetch VM access token", e2);
            }
            int parseInt = Integer.parseInt(System.getProperty(AZURE_PROP_TOKEN_UPDATE_TIMEOUT, "10"));
            this.scheduledThreadPool = Executors.newScheduledThreadPool(1);
            this.scheduledThreadPool.scheduleAtFixedRate(new AzureCredentialsUpdater(), parseInt, parseInt, TimeUnit.MINUTES);
        }
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public void close() {
        if (this.httpDriver != null) {
            this.httpDriver.close();
        }
        if (this.scheduledThreadPool != null) {
            this.scheduledThreadPool.shutdown();
        }
    }

    public ResourceException error(String str) {
        return error(ResourceException.FORBIDDEN, str);
    }

    public ResourceException error(int i, String str) {
        LOGGER.error(str);
        return new ResourceException(i, str);
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation confirmInstance(InstanceConfirmation instanceConfirmation) {
        try {
            AzureAttestationData azureAttestationData = (AzureAttestationData) this.jsonMapper.readValue(instanceConfirmation.getAttestationData(), AzureAttestationData.class);
            Map<String, String> attributes = instanceConfirmation.getAttributes();
            String domain = instanceConfirmation.getDomain();
            String service = instanceConfirmation.getService();
            String instanceProperty = InstanceUtils.getInstanceProperty(attributes, InstanceProvider.ZTS_INSTANCE_AZURE_SUBSCRIPTION);
            if (StringUtil.isEmpty(instanceProperty)) {
                throw error("Unable to extract Azure Subscription id");
            }
            if (!instanceProperty.equals(azureAttestationData.getSubscriptionId())) {
                LOGGER.error("Azure Subscription Id mismatch {}/{}", instanceProperty, azureAttestationData.getSubscriptionId());
                throw error("Azure Subscription Id mismatch");
            }
            StringBuilder sb = new StringBuilder(256);
            if (!InstanceUtils.validateCertRequestSanDnsNames(attributes, domain, service, this.dnsSuffixes, this.aksDnsSuffixes, null, false, sb, null)) {
                throw error("Unable to validate certificate request hostnames");
            }
            setConfirmationAttributes(instanceConfirmation);
            if (verifyInstanceIdentity(azureAttestationData, instanceConfirmation.getProvider(), domain + "." + service, sb.toString())) {
                return instanceConfirmation;
            }
            throw error("Unable to verify instance identity credentials");
        } catch (Exception e) {
            LOGGER.error("Unable to parse attestation data {}", instanceConfirmation.getAttestationData(), e);
            throw error("Unable to parse attestation data");
        }
    }

    boolean verifyInstanceIdentity(AzureAttestationData azureAttestationData, String str, String str2, String str3) {
        OAuth2Token validateAccessToken = validateAccessToken(azureAttestationData.getToken());
        if (validateAccessToken == null) {
            LOGGER.error("Unable to validate VM access token for account {}", azureAttestationData.getSubscriptionId());
            return false;
        }
        if (!this.ztsResourceUri.equals(validateAccessToken.getAudience())) {
            LOGGER.error("Azure Token not issued for ZTS resource {}/{}", this.ztsResourceUri, validateAccessToken.getAudience());
            return false;
        }
        String fetchVMDetails = fetchVMDetails(azureAttestationData);
        if (fetchVMDetails == null) {
            LOGGER.error("Unable to fetch VM details for account {}", azureAttestationData.getSubscriptionId());
            return false;
        }
        AzureVmDetails parseVmDetails = parseVmDetails(fetchVMDetails);
        if (parseVmDetails == null) {
            LOGGER.error("Unable to parse VM details for account {}", azureAttestationData.getSubscriptionId());
            return false;
        }
        if (!validateAccessToken.getSubject().equals(parseVmDetails.getIdentity().getPrincipalId())) {
            LOGGER.error("Azure Token not issued for requested VM instance {}/{}", validateAccessToken.getSubject(), parseVmDetails.getIdentity().getPrincipalId());
            return false;
        }
        if (!str2.equals(parseVmDetails.getTags().getAthenz())) {
            LOGGER.error("Azure Service Name mismatch {}/{}", str2, parseVmDetails.getTags().getAthenz());
            return false;
        }
        if (!str3.equals(parseVmDetails.getProperties().getVmId())) {
            LOGGER.error("Azure VM Id mismatch {}/{}", str3, parseVmDetails.getProperties().getVmId());
            return false;
        }
        String str4 = StringUtil.isEmpty(this.azureProvider) ? "athenz.azure." + parseVmDetails.getLocation() : this.azureProvider;
        if (str.equals(str4)) {
            return true;
        }
        LOGGER.error("Azure Provider {}/{}", str, str4);
        return false;
    }

    AzureVmDetails parseVmDetails(String str) {
        try {
            return (AzureVmDetails) this.jsonMapper.readValue(str, AzureVmDetails.class);
        } catch (Exception e) {
            LOGGER.error("Unable to parse azure vm details {}", str, e);
            return null;
        }
    }

    String fetchVMDetails(AzureAttestationData azureAttestationData) {
        if (this.httpDriver == null) {
            LOGGER.error("No Azure HTTP Client available");
            return null;
        }
        if (this.accessToken == null) {
            LOGGER.error("No authorization access token available");
            return null;
        }
        String str = this.azureMgmtBaseUri + "/subscriptions/" + azureAttestationData.getSubscriptionId() + "/resourceGroups/" + azureAttestationData.getResourceGroupName() + "/providers/Microsoft.Compute/virtualMachines/" + azureAttestationData.getName() + "?api-version=2020-06-01";
        HashMap hashMap = new HashMap();
        hashMap.put("Authorization", this.accessToken);
        try {
            return this.httpDriver.doGet(str, hashMap);
        } catch (Exception e) {
            LOGGER.error("Unable to extract VM details: {}", str, e);
            return null;
        }
    }

    OAuth2Token validateAccessToken(String str) {
        OAuth2Token oAuth2Token = null;
        try {
            oAuth2Token = new OAuth2Token(str, this.signingKeyResolver);
        } catch (Exception e) {
            LOGGER.error("Unable to validate VM access token", e);
        }
        return oAuth2Token;
    }

    @Override // com.yahoo.athenz.instance.provider.InstanceProvider
    public InstanceConfirmation refreshInstance(InstanceConfirmation instanceConfirmation) {
        return confirmInstance(instanceConfirmation);
    }

    void setConfirmationAttributes(InstanceConfirmation instanceConfirmation) {
        instanceConfirmation.setAttributes(new HashMap());
    }

    private HttpDriver getHttpDriver(SSLContext sSLContext) {
        int parseInt = Integer.parseInt(System.getProperty(AZURE_PROP_MGMT_MAX_POOL_ROUTE, "45"));
        int parseInt2 = Integer.parseInt(System.getProperty(AZURE_PROP_MGMT_MAX_POOL_TOTAL, "50"));
        int parseInt3 = Integer.parseInt(System.getProperty(AZURE_PROP_MGMT_RETRY_INTERVAL_MS, "1000"));
        int parseInt4 = Integer.parseInt(System.getProperty(AZURE_PROP_MGMT_MAX_RETRIES, "2"));
        int parseInt5 = Integer.parseInt(System.getProperty(AZURE_PROP_MGMT_CONNECT_TIMEOUT_MS, "5000"));
        return new HttpDriver.Builder("", sSLContext).maxPoolPerRoute(parseInt).maxPoolTotal(parseInt2).clientRetryIntervalMs(parseInt3).clientMaxRetries(parseInt4).clientConnectTimeoutMs(parseInt5).clientReadTimeoutMs(Integer.parseInt(System.getProperty(AZURE_PROP_MGMT_READ_TIMEOUT_MS, "15000"))).build();
    }

    void fetchAccessToken() throws IOException {
        String str = this.azureMetaBaseUri + "/metadata/identity/oauth2/token?api-version=2020-06-01&resource=" + this.azureMgmtBaseUri;
        HashMap hashMap = new HashMap();
        hashMap.put("Metadata", "true");
        String doGet = this.httpDriver.doGet(str, hashMap);
        if (doGet == null) {
            throw error("Unable to fetch access token");
        }
        AccessTokenResponse accessTokenResponse = null;
        try {
            accessTokenResponse = (AccessTokenResponse) this.jsonMapper.readValue(doGet, AccessTokenResponse.class);
        } catch (Exception e) {
            LOGGER.error("unable to parse access token response: {}", doGet, e);
        }
        if (accessTokenResponse == null) {
            throw error("Unable to parse access token response");
        }
        if (StringUtil.isEmpty(accessTokenResponse.access_token)) {
            throw error("Empty access token returned");
        }
        this.accessToken = "Bearer " + accessTokenResponse.access_token;
    }
}
