package org.gridgain.internal.security.key;

import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.BiConsumer;
import java.util.function.Supplier;
import javax.security.auth.DestroyFailedException;
import org.apache.ignite3.internal.logger.IgniteLogger;
import org.apache.ignite3.internal.logger.Loggers;
import org.apache.ignite3.internal.manager.ComponentContext;
import org.apache.ignite3.internal.security.configuration.SecurityConfiguration;
import org.apache.ignite3.internal.thread.NamedThreadFactory;
import org.apache.ignite3.internal.util.CompletableFutures;
import org.apache.ignite3.internal.util.IgniteUtils;
import org.gridgain.internal.security.key.exception.KeyExpiredException;
import org.gridgain.internal.security.key.exception.KeyNotFoundException;
import org.gridgain.internal.security.key.exception.KeyValidationException;
import org.gridgain.internal.security.key.store.PrivateKeyRecord;
import org.gridgain.internal.security.key.store.PrivateKeyStore;
import org.gridgain.internal.security.key.store.PublicKeyChainRecord;
import org.gridgain.internal.security.key.store.PublicKeyRecord;
import org.gridgain.internal.security.key.store.PublicKeyStore;
import org.jetbrains.annotations.Nullable;
import org.jetbrains.annotations.TestOnly;

/* loaded from: input_file:org/gridgain/internal/security/key/NodeKeyManagerImpl.class */
public class NodeKeyManagerImpl implements NodeKeyManager {
    private static final IgniteLogger LOG = Loggers.forClass(NodeKeyManagerImpl.class);
    private final String nodeName;
    private final PrivateKeyStore privateKeyStore;
    private final PublicKeyStore publicKeyStore;
    private final SecurityConfiguration securityConfiguration;
    private final Supplier<Instant> currentTimeSupplier;
    private final PublicKeyChainCache<RSAPublicKey> publicKeyChainCache;
    private final SecretGenerator<RSAPrivateKey, RSAPublicKey> secretGenerator;
    private final KeyConverter<RSAPrivateKey, RSAPublicKey> keyConverter;
    private final Lock lock;
    private final AtomicReference<IgnitePrivateKey<RSAPrivateKey>> lastPrivateKey;
    private final ScheduledExecutorService executorService;
    private volatile ScheduledFuture<?> keyRotationTask;

    public NodeKeyManagerImpl(String str, PrivateKeyStore privateKeyStore, PublicKeyStore publicKeyStore, SecurityConfiguration securityConfiguration) {
        this.keyConverter = new KeyConverter<>(new RsaKeyDecoder());
        this.lock = new ReentrantLock();
        this.lastPrivateKey = new AtomicReference<>();
        this.nodeName = str;
        this.privateKeyStore = privateKeyStore;
        this.publicKeyStore = publicKeyStore;
        this.securityConfiguration = securityConfiguration;
        this.currentTimeSupplier = Instant::now;
        this.secretGenerator = new RsaSecretGenerator();
        this.publicKeyChainCache = new PublicKeyChainCache<>(this.keyConverter);
        this.executorService = createExecutorService(str);
    }

    @TestOnly
    public NodeKeyManagerImpl(String str, PrivateKeyStore privateKeyStore, PublicKeyStore publicKeyStore, SecurityConfiguration securityConfiguration, Supplier<Instant> supplier, PublicKeyChainCache<RSAPublicKey> publicKeyChainCache, SecretGenerator<RSAPrivateKey, RSAPublicKey> secretGenerator) {
        this.keyConverter = new KeyConverter<>(new RsaKeyDecoder());
        this.lock = new ReentrantLock();
        this.lastPrivateKey = new AtomicReference<>();
        this.nodeName = str;
        this.privateKeyStore = privateKeyStore;
        this.publicKeyStore = publicKeyStore;
        this.securityConfiguration = securityConfiguration;
        this.currentTimeSupplier = supplier;
        this.publicKeyChainCache = publicKeyChainCache;
        this.secretGenerator = secretGenerator;
        this.executorService = createExecutorService(str);
    }

    @Override // org.apache.ignite3.internal.manager.IgniteComponent
    public CompletableFuture<Void> startAsync(ComponentContext componentContext) {
        this.securityConfiguration.enabled().listen(configurationNotificationEvent -> {
            if (Boolean.TRUE.equals(configurationNotificationEvent.newValue())) {
                scheduleKeyRotation(retrieveLastKeyPair());
            } else {
                cancelKeyRotationScheduler();
            }
            return CompletableFutures.nullCompletedFuture();
        });
        this.publicKeyStore.registerPrefixWatch(this.publicKeyChainCache);
        this.publicKeyStore.getAllPublicKeyChains().forEach((str, publicKeyChainRecord) -> {
            this.publicKeyChainCache.put(str, this.keyConverter.publicKeyChainFromRecord(publicKeyChainRecord));
        });
        IgniteKeyPair<RSAPrivateKey, RSAPublicKey> retrieveLastKeyPair = retrieveLastKeyPair();
        if (retrieveLastKeyPair != null) {
            this.lastPrivateKey.set(new IgnitePrivateKey<>(retrieveLastKeyPair.privateKey(), retrieveLastKeyPair.metadata()));
        }
        if (this.securityConfiguration.enabled().value().booleanValue()) {
            scheduleKeyRotation(retrieveLastKeyPair);
        }
        this.securityConfiguration.jwt().keyTtl().listen(configurationNotificationEvent2 -> {
            if (this.securityConfiguration.enabled().value().booleanValue()) {
                cancelKeyRotationScheduler();
                scheduleKeyRotationTask(0L);
            }
            return CompletableFutures.nullCompletedFuture();
        });
        return CompletableFutures.nullCompletedFuture();
    }

    private void cancelKeyRotationScheduler() {
        if (this.keyRotationTask != null) {
            this.keyRotationTask.cancel(false);
            this.keyRotationTask = null;
        }
    }

    private void scheduleKeyRotation(@Nullable IgniteKeyPair<RSAPrivateKey, RSAPublicKey> igniteKeyPair) {
        long computeInitialDelay = computeInitialDelay(igniteKeyPair);
        if (computeInitialDelay == 0) {
            LOG.info("No valid key pair was found, a new key pair will be generated immediately", new Object[0]);
        } else {
            LOG.info("Valid key pair was found, a new key pair will be generated in {} seconds", Long.valueOf(computeInitialDelay / 1000));
        }
        scheduleKeyRotationTask(computeInitialDelay);
    }

    private long computeInitialDelay(@Nullable IgniteKeyPair<RSAPrivateKey, RSAPublicKey> igniteKeyPair) {
        if (igniteKeyPair == null) {
            return 0L;
        }
        KeyMetadata metadata = igniteKeyPair.metadata();
        Instant plusMillis = metadata.issuedAt().plusMillis(this.securityConfiguration.jwt().keyTtl().value().longValue());
        if (plusMillis.equals(metadata.expirationTime())) {
            return Math.max(Duration.between(this.currentTimeSupplier.get(), plusMillis).toMillis(), 0L);
        }
        return 0L;
    }

    private void scheduleKeyRotationTask(long j) {
        this.keyRotationTask = this.executorService.scheduleAtFixedRate(() -> {
            try {
                rotateKey(this.lastPrivateKey.get());
            } catch (Exception e) {
                LOG.error("Failed to rotate the key pair", e);
            }
        }, j, this.securityConfiguration.jwt().keyTtl().value().longValue(), TimeUnit.MILLISECONDS);
    }

    @Nullable
    private IgniteKeyPair<RSAPrivateKey, RSAPublicKey> retrieveLastKeyPair() {
        try {
            Instant instant = this.currentTimeSupplier.get();
            PublicKeyChainRecord publicKeyChain = this.publicKeyStore.getPublicKeyChain(this.nodeName);
            if (publicKeyChain == null) {
                return null;
            }
            PublicKeyRecord keyRecord = publicKeyChain.keyRecord();
            PrivateKeyRecord privateKey = this.privateKeyStore.getPrivateKey();
            if (privateKey == null) {
                return null;
            }
            validateKeyPair(privateKey, keyRecord, instant);
            IgnitePrivateKey<RSAPrivateKey> privateKeyFromRecord = this.keyConverter.privateKeyFromRecord(privateKey);
            return new IgniteKeyPair<>(privateKeyFromRecord.key(), this.keyConverter.publicKeyFromRecord(keyRecord).key(), privateKeyFromRecord.metadata());
        } catch (Exception e) {
            LOG.info("Failed to retrieve the last key pair", e);
            return null;
        }
    }

    @Override // org.apache.ignite3.internal.manager.IgniteComponent
    public CompletableFuture<Void> stopAsync(ComponentContext componentContext) {
        IgniteUtils.shutdownAndAwaitTermination(this.executorService, 10L, TimeUnit.SECONDS);
        return CompletableFutures.nullCompletedFuture();
    }

    @Override // org.gridgain.internal.security.key.NodeKeyManager
    public IgnitePublicKey<RSAPublicKey> getPublicKey(String str, int i) {
        PublicKeyChain<RSAPublicKey> publicKeyChain = this.publicKeyChainCache.get(str);
        if (publicKeyChain == null) {
            throw new KeyNotFoundException("Public key for node: " + str + " was not found");
        }
        IgnitePublicKey<RSAPublicKey> currentKey = publicKeyChain.currentKey();
        if (currentKey.metadata().id() == i) {
            return currentKey;
        }
        IgnitePublicKey<RSAPublicKey> prevKey = publicKeyChain.prevKey();
        if (prevKey == null || prevKey.metadata().id() != i) {
            throw new KeyExpiredException("Public key for node: " + str + " with id: " + i + " was not found");
        }
        return prevKey;
    }

    @Override // org.gridgain.internal.security.key.NodeKeyManager
    public IgnitePrivateKey<RSAPrivateKey> getLocalPrivateKey() {
        IgnitePrivateKey<RSAPrivateKey> ignitePrivateKey = this.lastPrivateKey.get();
        return (ignitePrivateKey == null || !isKeyValidAt(ignitePrivateKey.metadata(), this.currentTimeSupplier.get())) ? rotateKey(ignitePrivateKey) : ignitePrivateKey;
    }

    private IgnitePrivateKey<RSAPrivateKey> rotateKey(@Nullable IgnitePrivateKey<RSAPrivateKey> ignitePrivateKey) {
        this.lock.lock();
        try {
            IgnitePrivateKey<RSAPrivateKey> ignitePrivateKey2 = this.lastPrivateKey.get();
            if (ignitePrivateKey2 != null && ignitePrivateKey2 != ignitePrivateKey) {
                return ignitePrivateKey2;
            }
            IgnitePrivateKey<RSAPrivateKey> join = rotateKey0(nextId(ignitePrivateKey)).join();
            this.lock.unlock();
            return join;
        } finally {
            this.lock.unlock();
        }
    }

    private static int nextId(@Nullable IgnitePrivateKey<RSAPrivateKey> ignitePrivateKey) {
        if (ignitePrivateKey == null || ignitePrivateKey.metadata().id() == Integer.MAX_VALUE) {
            return 1;
        }
        return ignitePrivateKey.metadata().id() + 1;
    }

    private CompletableFuture<IgnitePrivateKey<RSAPrivateKey>> rotateKey0(int i) {
        IgniteKeyPair<RSAPrivateKey, RSAPublicKey> generateKeyPair = this.secretGenerator.generateKeyPair(i, this.securityConfiguration.jwt().keyTtl().value().longValue());
        IgnitePrivateKey<RSAPrivateKey> ignitePrivateKey = new IgnitePrivateKey<>(generateKeyPair.privateKey(), generateKeyPair.metadata());
        PublicKeyRecord publicKeyRecordFromKey = this.keyConverter.publicKeyRecordFromKey(new IgnitePublicKey<>(generateKeyPair.publicKey(), generateKeyPair.metadata()));
        PublicKeyChainRecord publicKeyChain = this.publicKeyStore.getPublicKeyChain(this.nodeName);
        PublicKeyChainRecord merge = publicKeyChain != null ? publicKeyChain.merge(publicKeyRecordFromKey) : new PublicKeyChainRecord(publicKeyRecordFromKey, null);
        this.privateKeyStore.putPrivateKey(this.keyConverter.privateKeyRecordFromKey(ignitePrivateKey));
        PublicKeyChainRecord publicKeyChainRecord = merge;
        return this.publicKeyStore.updatePublicKeyChain(this.nodeName, merge).thenApply(r3 -> {
            return ignitePrivateKey;
        }).whenComplete((BiConsumer<? super U, ? super Throwable>) (ignitePrivateKey2, th) -> {
            if (th != null) {
                LOG.error("Failed to generate new key", th);
                return;
            }
            LOG.info("New key pair was generated", new Object[0]);
            this.publicKeyChainCache.updateRecord(this.nodeName, publicKeyChainRecord);
            IgnitePrivateKey<RSAPrivateKey> andSet = this.lastPrivateKey.getAndSet(ignitePrivateKey);
            if (andSet != null) {
                try {
                    andSet.key().destroy();
                } catch (DestroyFailedException e) {
                }
            }
        });
    }

    private static void validateKeyPair(PrivateKeyRecord privateKeyRecord, PublicKeyRecord publicKeyRecord, Instant instant) {
        if (!privateKeyRecord.metadata().equals(publicKeyRecord.metadata())) {
            throw new KeyValidationException("Private and public keys have different metadata");
        }
    }

    private static boolean isKeyValidAt(KeyMetadata keyMetadata, Instant instant) {
        return TimeUtils.isWithinRange(instant, keyMetadata.issuedAt(), keyMetadata.expirationTime());
    }

    private static ScheduledExecutorService createExecutorService(String str) {
        return Executors.newScheduledThreadPool(1, NamedThreadFactory.create(str, "jwt-key-manager-executor", LOG));
    }

    @TestOnly
    public IgnitePrivateKey<RSAPrivateKey> forceKeyRotation() {
        return rotateKey(this.lastPrivateKey.get());
    }

    @TestOnly
    public ScheduledFuture<?> keyRotationTask() {
        return this.keyRotationTask;
    }
}
