package org.apache.knox.gateway.cloud.idbroker.google;

import com.google.cloud.hadoop.fs.gcs.auth.DelegationTokenIOException;
import com.google.cloud.hadoop.util.AccessTokenProvider;
import java.io.Closeable;
import java.io.IOException;
import java.util.Date;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.IOUtils;
import org.apache.knox.gateway.cloud.idbroker.IDBClient;
import org.apache.knox.gateway.cloud.idbroker.common.KnoxToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/google/CloudAccessBrokerTokenProvider.class */
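/**
 * Supplies Google Cloud Platform access tokens obtained from the Cloud Access Broker (CAB)
 * through an {@link IDBClient}, caching the most recently fetched token until it is about
 * to expire.
 *
 * <p>The cached access token and the Knox delegation token are plain mutable fields with no
 * synchronization in this class. NOTE(review): confirm whether callers invoke
 * {@link #updateDelegationToken(KnoxToken)} and {@link #getAccessToken()} from different
 * threads.
 */
public class CloudAccessBrokerTokenProvider implements TokenProvider {
    private static final Logger LOG = LoggerFactory.getLogger(CloudAccessBrokerTokenProvider.class);
    private static final String E_MISSING_DT = "Missing required delegation token.";
    private Configuration config;
    private IDBClient<AccessTokenProvider.AccessToken> cabClient;
    private AccessTokenProvider.AccessToken accessToken;
    // Safety margin, in milliseconds, added to "now" when deciding whether the cached
    // access token is still usable (see isValid). Defaults to 0 until setConf supplies a value.
    private long knoxTokenExpirationOffset;
    private KnoxToken knoxToken;

    /**
     * Creates a provider, optionally seeded with an already-issued access token.
     *
     * <p>The decompiler reported that this constructor was package-private in the original
     * class; it is kept public here so existing callers of this listing still compile.
     *
     * @param client broker client used to create sessions and fetch credentials; a
     *     {@code null} client is only logged here and will fail later, on the first fetch
     * @param knoxToken Knox delegation token presented to the broker; may be {@code null}
     * @param accessTokenValue existing access token string, or {@code null} for none
     * @param accessTokenExpiration expiry of {@code accessTokenValue} in epoch milliseconds;
     *     a {@code null} expiry makes the seeded token count as not valid
     */
    public CloudAccessBrokerTokenProvider(IDBClient<AccessTokenProvider.AccessToken> client, KnoxToken knoxToken, String accessTokenValue, Long accessTokenExpiration) {
        if (client == null) {
            LOG.error("Specified client is null!");
        }
        this.cabClient = client;
        this.knoxToken = knoxToken;
        if (accessTokenValue != null) {
            this.accessToken = new AccessTokenProvider.AccessToken(accessTokenValue, accessTokenExpiration);
        }
    }

    /**
     * Stores the configuration and, when it is non-null, reads the expiration offset from it.
     *
     * @param configuration configuration to keep; {@code null} leaves the current offset unchanged
     */
    public void setConf(Configuration configuration) {
        this.config = configuration;
        if (configuration != null) {
            // The current offset is passed as the default, so an unset property keeps it as is.
            this.knoxTokenExpirationOffset = configuration.getLong(GoogleIDBProperty.IDBROKER_DT_EXPIRATION_OFFSET.getPropertyName(), this.knoxTokenExpirationOffset);
        }
    }

    /**
     * Returns the configuration last passed to {@link #setConf(Configuration)}.
     *
     * @return the stored configuration, possibly {@code null}
     */
    public Configuration getConf() {
        return this.config;
    }

    /**
     * Replaces the Knox delegation token used for subsequent broker requests.
     *
     * @param knoxToken the new delegation token
     */
    @Override // org.apache.knox.gateway.cloud.idbroker.google.TokenProvider
    public void updateDelegationToken(KnoxToken knoxToken) {
        this.knoxToken = knoxToken;
    }

    /**
     * Returns the cached access token when it is still valid, otherwise fetches a new one
     * from the broker and caches it.
     *
     * @return the current access token; may be {@code null} if the broker returned none
     * @throws RuntimeException wrapping the {@link IOException} when the fetch fails
     * @throws IllegalStateException if Kerberos is not in use and no valid delegation token is set
     */
    public AccessTokenProvider.AccessToken getAccessToken() {
        if (isValid(this.accessToken)) {
            LOG.info("Using existing Google Cloud Platform credentials");
            return this.accessToken;
        }
        LOG.info("No existing valid Google Cloud Platform credentials.");
        try {
            this.accessToken = fetchAccessToken();
        } catch (IOException e) {
            LOG.error("Failed to fetch new Google Cloud Platform credentials: {}", e.getMessage());
            throw new RuntimeException(e);
        }
        return this.accessToken;
    }

    /**
     * Unconditionally fetches a new access token from the broker and caches it.
     *
     * @throws IOException if the broker request fails
     */
    public void refresh() throws IOException {
        LOG.info("Refresh Google Cloud Platform credentials");
        this.accessToken = fetchAccessToken();
    }

    /**
     * Reports whether a token can still be used: it must exist, carry an expiry, and that
     * expiry must be at least {@code knoxTokenExpirationOffset} milliseconds in the future.
     */
    private boolean isValid(AccessTokenProvider.AccessToken accessToken) {
        if (accessToken == null) {
            return false;
        }
        // A token built without an expiry (the constructor accepts a null Long) used to fail
        // here with a NullPointerException; treat it as expired so a fresh one is fetched.
        Long expiresAt = accessToken.getExpirationTimeMilliSeconds();
        return expiresAt != null && expiresAt.longValue() >= System.currentTimeMillis() + this.knoxTokenExpirationOffset;
    }

    /**
     * Opens a broker session, requests cloud credentials through it and closes the session.
     *
     * @return the credentials returned by the broker, possibly {@code null}
     * @throws IllegalStateException if Kerberos is not in use and the delegation token is
     *     missing or no longer valid
     * @throws IOException a {@link DelegationTokenIOException} wrapping any failure raised
     *     while creating the session or fetching the credentials
     */
    private AccessTokenProvider.AccessToken fetchAccessToken() throws IOException {
        if (!this.cabClient.shouldUseKerberos() && (this.knoxToken == null || !this.knoxToken.isValid())) {
            throw new IllegalStateException(E_MISSING_DT);
        }
        try {
            Closeable session = this.cabClient.createKnoxCABSession(this.knoxToken);
            AccessTokenProvider.AccessToken credentials;
            try {
                LOG.debug("Requesting Google Cloud Platform credentials from the Cloud Access Broker.");
                credentials = this.cabClient.fetchCloudCredentials(session);
            } catch (IOException e) {
                LOG.error("Error requesting cloud credentials: {}", e.getMessage());
                throw e;
            } finally {
                // Close the session exactly once on every path; close failures are logged
                // by cleanupWithLogger rather than propagated.
                IOUtils.cleanupWithLogger(LOG, session);
            }
            if (credentials != null) {
                // Log only the expiry. The token is a bearer credential, so no part of it
                // belongs in an INFO log, and slicing a fixed-length prefix would also throw
                // on a token that is null or shorter than the slice.
                Long expiresAt = credentials.getExpirationTimeMilliSeconds();
                LOG.info("Acquired Google Cloud Platform credentials: expires={}", expiresAt != null ? new Date(expiresAt.longValue()) : "unknown");
            }
            return credentials;
        } catch (Exception e) {
            LOG.error(e.getMessage());
            LOG.debug("Failed to get Google Cloud Platform credentials.", e);
            throw new DelegationTokenIOException(e.getMessage(), e);
        }
    }
}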
