package com.google.cloud.sql.core;

import com.google.api.client.googleapis.json.GoogleJsonError;
import com.google.api.client.googleapis.json.GoogleJsonResponseException;
import com.google.api.services.sqladmin.SQLAdmin;
import com.google.api.services.sqladmin.model.ConnectSettings;
import com.google.api.services.sqladmin.model.GenerateEphemeralCertRequest;
import com.google.api.services.sqladmin.model.GenerateEphemeralCertResponse;
import com.google.api.services.sqladmin.model.IpMapping;
import com.google.auth.oauth2.OAuth2Credentials;
import com.google.cloud.sql.CredentialFactory;
import com.google.common.base.CharMatcher;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import com.google.common.io.BaseEncoding;
import com.google.common.util.concurrent.FutureCallback;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import com.google.common.util.concurrent.ListeningScheduledExecutorService;
import com.google.common.util.concurrent.RateLimiter;
import com.google.common.util.concurrent.SettableFuture;
import com.google.common.util.concurrent.Uninterruptibles;
import com.google.errorprone.annotations.concurrent.GuardedBy;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.checkerframework.checker.nullness.compatqual.NullableDecl;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/google/cloud/sql/core/CloudSqlInstance.class */
public class CloudSqlInstance {
    private static final Logger logger = Logger.getLogger(CloudSqlInstance.class.getName());
    private static final Pattern CONNECTION_NAME = Pattern.compile("([^:]+(:[^:]+)?):([^:]+):([^:]+)");
    private static final Duration DEFAULT_REFRESH_BUFFER = Duration.ofMinutes(5);
    private static final Duration IAM_AUTH_REFRESH_BUFFER = Duration.ofSeconds(55);
    private final ListeningScheduledExecutorService executor;
    private final SQLAdmin apiClient;
    private final boolean enableIamAuth;
    private final Optional<OAuth2Credentials> credentials;
    private final String connectionName;
    private final String projectId;
    private final String regionId;
    private final String instanceId;
    private final String regionalizedInstanceId;
    private final ListenableFuture<KeyPair> keyPair;

    @GuardedBy("instanceDataGuard")
    private ListenableFuture<InstanceData> currentInstanceData;

    @GuardedBy("instanceDataGuard")
    private ListenableFuture<ListenableFuture<InstanceData>> nextInstanceData;
    private final Object instanceDataGuard = new Object();
    private final RateLimiter forcedRenewRateLimiter = RateLimiter.create(0.016666666666666666d);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/cloud/sql/core/CloudSqlInstance$InstanceData.class */
    public static class InstanceData {
        private final Metadata metadata;
        private final SSLContext sslContext;
        private final SslData sslData;
        private final Date expiration;

        InstanceData(Metadata metadata, SslData sslData, Date date) {
            this.metadata = metadata;
            this.sslData = sslData;
            this.sslContext = sslData.getSslContext();
            this.expiration = date;
        }

        Date getExpiration() {
            return this.expiration;
        }

        SSLContext getSslContext() {
            return this.sslContext;
        }

        Map<String, String> getIpAddrs() {
            return this.metadata.getIpAddrs();
        }

        SslData getSslData() {
            return this.sslData;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/google/cloud/sql/core/CloudSqlInstance$Metadata.class */
    public static class Metadata {
        private final Map<String, String> ipAddrs;
        private final Certificate instanceCaCertificate;

        Metadata(Map<String, String> map, Certificate certificate) {
            this.ipAddrs = map;
            this.instanceCaCertificate = certificate;
        }

        Map<String, String> getIpAddrs() {
            return this.ipAddrs;
        }

        Certificate getInstanceCaCertificate() {
            return this.instanceCaCertificate;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CloudSqlInstance(String str, SQLAdmin sQLAdmin, boolean z, CredentialFactory credentialFactory, ListeningScheduledExecutorService listeningScheduledExecutorService, ListenableFuture<KeyPair> listenableFuture) {
        Matcher matcher = CONNECTION_NAME.matcher(str);
        Preconditions.checkArgument(matcher.matches(), String.format("[%s] Cloud SQL connection name is invalid, expected string in the form of \"<PROJECT_ID>:<REGION_ID>:<INSTANCE_ID>\".", str));
        this.connectionName = str;
        this.projectId = matcher.group(1);
        this.regionId = matcher.group(3);
        this.instanceId = matcher.group(4);
        this.regionalizedInstanceId = String.format("%s~%s", this.regionId, this.instanceId);
        this.apiClient = sQLAdmin;
        this.enableIamAuth = z;
        this.executor = listeningScheduledExecutorService;
        this.keyPair = listenableFuture;
        if (z) {
            this.credentials = Optional.of(credentialFactory.create().getCredentials());
        } else {
            this.credentials = Optional.empty();
        }
        synchronized (this.instanceDataGuard) {
            this.currentInstanceData = performRefresh();
            this.nextInstanceData = Futures.immediateFuture(this.currentInstanceData);
        }
    }

    private static String generatePublicKeyCert(KeyPair keyPair) {
        return "-----BEGIN RSA PUBLIC KEY-----\n" + BaseEncoding.base64().withSeparator("\n", 64).encode(keyPair.getPublic().getEncoded()) + "\n-----END RSA PUBLIC KEY-----\n";
    }

    private static <T> ListenableFuture<T> whenAllSucceed(final Callable<T> callable, final ListeningScheduledExecutorService listeningScheduledExecutorService, ListenableFuture<?>... listenableFutureArr) {
        final SettableFuture create = SettableFuture.create();
        final AtomicInteger atomicInteger = new AtomicInteger(listenableFutureArr.length);
        FutureCallback<Object> futureCallback = new FutureCallback<Object>() { // from class: com.google.cloud.sql.core.CloudSqlInstance.1
            public void onSuccess(@NullableDecl Object obj) {
                if (atomicInteger.decrementAndGet() == 0) {
                    create.setFuture(listeningScheduledExecutorService.submit(callable));
                }
            }

            public void onFailure(Throwable th) {
                if (create.setException(th)) {
                    return;
                }
                CloudSqlInstance.logger.log(Level.SEVERE, "Got more than one input failure. Logging failures after the first", th);
            }
        };
        for (ListenableFuture<?> listenableFuture : listenableFutureArr) {
            Futures.addCallback(listenableFuture, futureCallback, listeningScheduledExecutorService);
        }
        return create;
    }

    private static <T> ListenableFuture<T> blockOnNestedFuture(ListenableFuture<ListenableFuture<T>> listenableFuture, ScheduledExecutorService scheduledExecutorService) {
        final SettableFuture create = SettableFuture.create();
        Futures.addCallback(listenableFuture, new FutureCallback<ListenableFuture<T>>() { // from class: com.google.cloud.sql.core.CloudSqlInstance.2
            public void onSuccess(ListenableFuture<T> listenableFuture2) {
                create.setFuture(listenableFuture2);
            }

            public void onFailure(Throwable th) {
                create.setException(th);
            }
        }, scheduledExecutorService);
        return create;
    }

    private static Certificate createCertificate(String str) throws CertificateException {
        return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8)));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public InstanceData getInstanceData() {
        ListenableFuture<InstanceData> listenableFuture;
        synchronized (this.instanceDataGuard) {
            listenableFuture = this.currentInstanceData;
        }
        try {
            return (InstanceData) Uninterruptibles.getUninterruptibly(listenableFuture);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            Throwables.throwIfUnchecked(cause);
            throw new RuntimeException(cause);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SSLSocket createSslSocket() throws IOException {
        return (SSLSocket) getInstanceData().getSslContext().getSocketFactory().createSocket();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getPreferredIp(List<String> list) {
        Map<String, String> ipAddrs = getInstanceData().getIpAddrs();
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            String str = ipAddrs.get(it.next());
            if (str != null) {
                return str;
            }
        }
        throw new IllegalArgumentException(String.format("[%s] Cloud SQL instance  does not have any IP addresses matching preferences (%s)", this.connectionName, String.join(", ", list)));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean forceRefresh() {
        synchronized (this.instanceDataGuard) {
            if (this.nextInstanceData.cancel(false)) {
                this.currentInstanceData = performRefresh();
                this.nextInstanceData = Futures.immediateFuture(this.currentInstanceData);
            } else {
                this.currentInstanceData = blockOnNestedFuture(this.nextInstanceData, this.executor);
            }
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public ListenableFuture<InstanceData> performRefresh() {
        this.forcedRenewRateLimiter.acquire(1);
        ListenableFuture submit = this.executor.submit(this::fetchMetadata);
        ListenableFuture whenAllSucceed = whenAllSucceed(() -> {
            return fetchEphemeralCertificate((KeyPair) Futures.getDone(this.keyPair));
        }, this.executor, this.keyPair);
        ListenableFuture whenAllSucceed2 = whenAllSucceed(() -> {
            return createSslData((KeyPair) Futures.getDone(this.keyPair), (Metadata) Futures.getDone(submit), (Certificate) Futures.getDone(whenAllSucceed));
        }, this.executor, this.keyPair, submit, whenAllSucceed);
        final ListenableFuture<InstanceData> whenAllSucceed3 = whenAllSucceed(() -> {
            Date notAfter = ((X509Certificate) ((Certificate) Futures.getDone(whenAllSucceed))).getNotAfter();
            if (this.enableIamAuth) {
                Date tokenExpirationTime = getTokenExpirationTime();
                if (notAfter.after(tokenExpirationTime)) {
                    notAfter = tokenExpirationTime;
                }
            }
            return new InstanceData((Metadata) Futures.getDone(submit), (SslData) Futures.getDone(whenAllSucceed2), notAfter);
        }, this.executor, submit, whenAllSucceed2);
        Futures.addCallback(whenAllSucceed3, new FutureCallback<InstanceData>() { // from class: com.google.cloud.sql.core.CloudSqlInstance.3
            public void onSuccess(InstanceData instanceData) {
                synchronized (CloudSqlInstance.this.instanceDataGuard) {
                    CloudSqlInstance.this.currentInstanceData = whenAllSucceed3;
                    CloudSqlInstance.this.nextInstanceData = CloudSqlInstance.this.executor.schedule(() -> {
                        return CloudSqlInstance.this.performRefresh();
                    }, CloudSqlInstance.this.secondsUntilRefresh(), TimeUnit.SECONDS);
                }
            }

            public void onFailure(Throwable th) {
                CloudSqlInstance.logger.log(Level.WARNING, "An error occurred while performing refresh. Retrying immediately.", th);
                synchronized (CloudSqlInstance.this.instanceDataGuard) {
                    InstanceData instanceData = null;
                    try {
                        instanceData = CloudSqlInstance.this.getInstanceData();
                    } catch (Exception e) {
                    }
                    if (instanceData == null || instanceData.getExpiration().toInstant().isBefore(Instant.now())) {
                        CloudSqlInstance.this.currentInstanceData = whenAllSucceed3;
                    }
                    CloudSqlInstance.this.nextInstanceData = Futures.immediateFuture(CloudSqlInstance.this.performRefresh());
                }
            }
        }, this.executor);
        return whenAllSucceed3;
    }

    private SslData createSslData(KeyPair keyPair, Metadata metadata, Certificate certificate) {
        SSLContext sSLContext;
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);
            keyStore.setEntry("ephemeral", new KeyStore.PrivateKeyEntry(keyPair.getPrivate(), new Certificate[]{certificate}), new KeyStore.PasswordProtection(new char[0]));
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, new char[0]);
            KeyStore keyStore2 = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore2.load(null, null);
            keyStore2.setCertificateEntry("instance", metadata.getInstanceCaCertificate());
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X.509");
            trustManagerFactory.init(keyStore2);
            if (this.enableIamAuth) {
                try {
                    sSLContext = SSLContext.getInstance("TLSv1.3");
                } catch (NoSuchAlgorithmException e) {
                    throw new RuntimeException(String.format("[%s] Unable to create a SSLContext for the Cloud SQL instance.", this.connectionName) + " TLSv1.3 is not supported for your Java version and is required to connect using IAM authentication", e);
                }
            } else {
                sSLContext = SSLContext.getInstance("TLSv1.2");
            }
            sSLContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
            return new SslData(sSLContext, keyManagerFactory, trustManagerFactory);
        } catch (IOException | GeneralSecurityException e2) {
            throw new RuntimeException(String.format("[%s] Unable to create a SSLContext for the Cloud SQL instance.", this.connectionName), e2);
        }
    }

    private Metadata fetchMetadata() {
        try {
            ConnectSettings connectSettings = (ConnectSettings) this.apiClient.connect().get(this.projectId, this.regionalizedInstanceId).execute();
            if (!connectSettings.getRegion().equals(this.regionId)) {
                throw new IllegalArgumentException(String.format("[%s] The region specified for the Cloud SQL instance is incorrect. Please verify the instance connection name.", this.connectionName));
            }
            if (!connectSettings.getBackendType().equals("SECOND_GEN")) {
                throw new IllegalArgumentException(String.format("[%s] Connections to Cloud SQL instance not supported - not a Second Generation instance.", this.connectionName));
            }
            if (connectSettings.getIpAddresses().isEmpty()) {
                throw new IllegalStateException(String.format("[%s] Unable to connect to Cloud SQL instance: instance does not have an assigned IP address.", this.connectionName));
            }
            HashMap hashMap = new HashMap();
            for (IpMapping ipMapping : connectSettings.getIpAddresses()) {
                hashMap.put(ipMapping.getType(), ipMapping.getIpAddress());
            }
            try {
                return new Metadata(hashMap, createCertificate(connectSettings.getServerCaCert().getCert()));
            } catch (CertificateException e) {
                throw new RuntimeException(String.format("[%s] Unable to parse the server CA certificate for the Cloud SQL instance.", this.connectionName), e);
            }
        } catch (IOException e2) {
            throw addExceptionContext(e2, String.format("[%s] Failed to update metadata for Cloud SQL instance.", this.connectionName));
        }
    }

    private Certificate fetchEphemeralCertificate(KeyPair keyPair) {
        GenerateEphemeralCertRequest publicKey = new GenerateEphemeralCertRequest().setPublicKey(generatePublicKeyCert(keyPair));
        if (this.enableIamAuth) {
            try {
                this.credentials.get().refresh();
                publicKey.setAccessToken(CharMatcher.is('.').trimTrailingFrom(this.credentials.get().getAccessToken().getTokenValue()));
            } catch (IOException e) {
                throw addExceptionContext(e, "An exception occurred while fetching IAM auth token:");
            }
        }
        try {
            try {
                return createCertificate(((GenerateEphemeralCertResponse) this.apiClient.connect().generateEphemeralCert(this.projectId, this.regionalizedInstanceId, publicKey).execute()).getEphemeralCert().getCert());
            } catch (CertificateException e2) {
                throw new RuntimeException(String.format("[%s] Unable to parse the ephemeral certificate for the Cloud SQL instance.", this.connectionName), e2);
            }
        } catch (IOException e3) {
            throw addExceptionContext(e3, String.format("[%s] Failed to create ephemeral certificate for the Cloud SQL instance.", this.connectionName));
        }
    }

    private Date getTokenExpirationTime() {
        return this.credentials.get().getAccessToken().getExpirationTime();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public long secondsUntilRefresh() {
        Duration duration = this.enableIamAuth ? IAM_AUTH_REFRESH_BUFFER : DEFAULT_REFRESH_BUFFER;
        Date expiration = getInstanceData().getExpiration();
        Duration minus = Duration.between(Instant.now(), expiration.toInstant()).minus(duration);
        if (minus.isNegative()) {
            minus = Duration.between(Instant.now(), expiration.toInstant()).minus(Duration.ofSeconds(5L));
        }
        return minus.getSeconds();
    }

    private RuntimeException addExceptionContext(IOException iOException, String str) {
        GoogleJsonResponseException googleJsonResponseException = iOException instanceof GoogleJsonResponseException ? (GoogleJsonResponseException) iOException : null;
        if (googleJsonResponseException == null || googleJsonResponseException.getDetails() == null || googleJsonResponseException.getDetails().getErrors() == null || googleJsonResponseException.getDetails().getErrors().isEmpty()) {
            return new RuntimeException(str, iOException);
        }
        String reason = ((GoogleJsonError.ErrorInfo) googleJsonResponseException.getDetails().getErrors().get(0)).getReason();
        return "accessNotConfigured".equals(reason) ? new RuntimeException(String.format("[%s] The Google Cloud SQL Admin API is not enabled for the project \"%s\". Please use the Google Developers Console to enable it: %s", this.connectionName, this.projectId, "https://console.cloud.google.com/apis/api/sqladmin/overview?project=" + this.projectId), iOException) : "notAuthorized".equals(reason) ? new RuntimeException(String.format("[%s] The Cloud SQL Instance does not exist or your account is not authorized to access it. Please verify the instance connection name and check the IAM permissions for project \"%s\" ", this.connectionName, this.projectId), iOException) : new RuntimeException(str, iOException);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SslData getSslData() {
        return getInstanceData().getSslData();
    }
}
