package org.keycloak.infinispan.module.certificates;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantLock;
import org.infinispan.commons.api.Lifecycle;
import org.infinispan.factories.annotations.ComponentName;
import org.infinispan.factories.annotations.Inject;
import org.infinispan.factories.annotations.Start;
import org.infinispan.factories.annotations.Stop;
import org.infinispan.factories.scopes.Scope;
import org.infinispan.factories.scopes.Scopes;
import org.infinispan.manager.ClusterExecutor;
import org.infinispan.manager.EmbeddedCacheManager;
import org.infinispan.notifications.Listener;
import org.infinispan.notifications.cachemanagerlistener.CacheManagerNotifier;
import org.infinispan.notifications.cachemanagerlistener.annotation.Merged;
import org.infinispan.notifications.cachemanagerlistener.annotation.ViewChanged;
import org.infinispan.notifications.cachemanagerlistener.event.ViewChangedEvent;
import org.infinispan.remoting.transport.Address;
import org.infinispan.util.concurrent.BlockingManager;
import org.jboss.logging.Logger;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.Time;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.storage.configuration.ServerConfigStorageProvider;

@Scope(Scopes.GLOBAL)
@Listener
/* loaded from: input_file:org/keycloak/infinispan/module/certificates/CertificateReloadManager.class */
public class CertificateReloadManager implements Lifecycle {
    public static final String CERTIFICATE_ID = "crt_jgroups";
    private static final String JGROUPS_SUBJECT = "jgroups";
    private final KeycloakSessionFactory sessionFactory;
    private final JGroupsCertificateHolder certificateHolder;
    private volatile long rotationSeconds;
    private final AutoCloseableLock lock = new AutoCloseableLock(new ReentrantLock());
    private ScheduledFuture<?> scheduledFuture;
    private ScheduledFuture<?> bootFuture;

    @Inject
    EmbeddedCacheManager cacheManager;

    @Inject
    CacheManagerNotifier notifier;

    @ComponentName("org.infinispan.executors.expiration")
    @Inject
    ScheduledExecutorService scheduledExecutorService;

    @Inject
    BlockingManager blockingManager;
    private static final Logger logger = Logger.getLogger(MethodHandles.lookup().lookupClass());
    private static final Duration RETRY_WAIT_TIME = Duration.ofMinutes(1);
    private static final Duration BOOT_PERIOD = Duration.ofMillis(500);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/infinispan/module/certificates/CertificateReloadManager$AutoCloseableLock.class */
    public static final class AutoCloseableLock extends Record implements AutoCloseable {
        private final ReentrantLock innerLock;

        private AutoCloseableLock(ReentrantLock reentrantLock) {
            this.innerLock = reentrantLock;
        }

        public void lock() {
            this.innerLock.lock();
        }

        @Override // java.lang.AutoCloseable
        public void close() {
            this.innerLock.unlock();
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, AutoCloseableLock.class), AutoCloseableLock.class, "innerLock", "FIELD:Lorg/keycloak/infinispan/module/certificates/CertificateReloadManager$AutoCloseableLock;->innerLock:Ljava/util/concurrent/locks/ReentrantLock;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, AutoCloseableLock.class), AutoCloseableLock.class, "innerLock", "FIELD:Lorg/keycloak/infinispan/module/certificates/CertificateReloadManager$AutoCloseableLock;->innerLock:Ljava/util/concurrent/locks/ReentrantLock;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, AutoCloseableLock.class, Object.class), AutoCloseableLock.class, "innerLock", "FIELD:Lorg/keycloak/infinispan/module/certificates/CertificateReloadManager$AutoCloseableLock;->innerLock:Ljava/util/concurrent/locks/ReentrantLock;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public ReentrantLock innerLock() {
            return this.innerLock;
        }
    }

    public CertificateReloadManager(KeycloakSessionFactory keycloakSessionFactory, JGroupsCertificateHolder jGroupsCertificateHolder, int i) {
        this.sessionFactory = keycloakSessionFactory;
        this.certificateHolder = jGroupsCertificateHolder;
        this.rotationSeconds = TimeUnit.DAYS.toSeconds(i);
    }

    @Start
    public void start() {
        logger.info("Starting JGroups certificate reload manager");
        this.notifier.addListener(this);
        scheduleNextRotation();
        this.certificateHolder.setExceptionHandler(this::onInvalidCertificate);
        this.lock.lock();
        AutoCloseableLock autoCloseableLock = this.lock;
        try {
            this.bootFuture = this.scheduledExecutorService.scheduleAtFixedRate(() -> {
                this.blockingManager.runBlocking(this::bootReload, "boot-reload");
            }, BOOT_PERIOD.toMillis(), BOOT_PERIOD.toMillis(), TimeUnit.MILLISECONDS);
            if (autoCloseableLock != null) {
                autoCloseableLock.close();
            }
        } catch (Throwable th) {
            if (autoCloseableLock != null) {
                try {
                    autoCloseableLock.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Stop
    public void stop() {
        logger.info("Stopping JGroups certificate reload manager");
        this.notifier.removeListener(this);
        this.lock.lock();
        AutoCloseableLock autoCloseableLock = this.lock;
        try {
            if (this.scheduledFuture == null) {
                if (autoCloseableLock != null) {
                    autoCloseableLock.close();
                }
            } else {
                this.scheduledFuture.cancel(true);
                if (autoCloseableLock != null) {
                    autoCloseableLock.close();
                }
            }
        } catch (Throwable th) {
            if (autoCloseableLock != null) {
                try {
                    autoCloseableLock.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    public void rotateCertificate() {
        logger.info("Rotating JGroups certificate");
        this.lock.lock();
        try {
            AutoCloseableLock autoCloseableLock = this.lock;
            try {
                KeycloakModelUtils.runJobInTransaction(this.sessionFactory, this::replaceCertificateInTransaction);
                sendReloadNotification();
                if (autoCloseableLock != null) {
                    autoCloseableLock.close();
                }
            } finally {
            }
        } catch (RuntimeException e) {
            logger.warn("Failed to rotate JGroups certificate", e);
            retry(this::rotateCertificate, "retry-rotate");
        }
    }

    public void reloadCertificate() {
        logger.info("Reloading JGroups Certificate");
        this.lock.lock();
        try {
            try {
                AutoCloseableLock autoCloseableLock = this.lock;
                try {
                    if (this.bootFuture != null) {
                        this.bootFuture.cancel(true);
                        this.bootFuture = null;
                    }
                    Optional optional = (Optional) KeycloakModelUtils.runJobInTransactionWithResult(this.sessionFactory, CertificateReloadManager::loadCertificateInTransaction);
                    if (optional.isEmpty()) {
                        if (autoCloseableLock != null) {
                            autoCloseableLock.close();
                        }
                        scheduleNextRotation();
                    } else {
                        this.certificateHolder.useCertificate(JGroupsCertificate.fromJson((String) optional.get()));
                        if (autoCloseableLock != null) {
                            autoCloseableLock.close();
                        }
                        scheduleNextRotation();
                    }
                } catch (Throwable th) {
                    if (autoCloseableLock != null) {
                        try {
                            autoCloseableLock.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (IOException | GeneralSecurityException e) {
                logger.warn("Failed to reload JGroups certificate", e);
                retry(this::reloadCertificate, "retry-reload");
                scheduleNextRotation();
            }
        } catch (Throwable th3) {
            scheduleNextRotation();
            throw th3;
        }
    }

    @Merged
    @ViewChanged
    public void onViewChanged(ViewChangedEvent viewChangedEvent) {
        logger.debug("On view changed");
        reloadCertificate();
    }

    public JGroupsCertificate currentCertificate() {
        return this.certificateHolder.getCertificateInUse();
    }

    public void setRotationSeconds(long j) {
        this.rotationSeconds = j;
    }

    public long getRotationSeconds() {
        return this.rotationSeconds;
    }

    public boolean isCoordinator() {
        return this.cacheManager.isCoordinator();
    }

    public boolean hasRotationTask() {
        this.lock.lock();
        AutoCloseableLock autoCloseableLock = this.lock;
        try {
            boolean z = this.scheduledFuture != null;
            if (autoCloseableLock != null) {
                autoCloseableLock.close();
            }
            return z;
        } catch (Throwable th) {
            if (autoCloseableLock != null) {
                try {
                    autoCloseableLock.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void bootReload() {
        logger.debug("[Boot] reloading certificate.");
        this.lock.lock();
        try {
            AutoCloseableLock autoCloseableLock = this.lock;
            try {
                Optional optional = (Optional) KeycloakModelUtils.runJobInTransactionWithResult(this.sessionFactory, CertificateReloadManager::loadCertificateInTransaction);
                if (optional.isEmpty()) {
                    if (autoCloseableLock != null) {
                        autoCloseableLock.close();
                    }
                } else {
                    this.certificateHolder.useCertificate(JGroupsCertificate.fromJson((String) optional.get()));
                    if (autoCloseableLock != null) {
                        autoCloseableLock.close();
                    }
                }
            } catch (Throwable th) {
                if (autoCloseableLock != null) {
                    try {
                        autoCloseableLock.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (IOException | GeneralSecurityException e) {
            logger.warn("Exception on boot reload cycle. Ignoring it.", e);
        }
    }

    private void onInvalidCertificate() {
        logger.info("On certificate exception");
        this.blockingManager.runBlocking(this::reloadCertificate, "invalid-certificate");
    }

    private void onCertificateReloadResponse(Address address, Void r7, Throwable th) {
        if (th != null) {
            logger.warnf(th, "Node %s failed to handle JGroups certificate reload notification.", address);
            retry(() -> {
                sendReloadNotification(address);
            }, "retry-notification");
        }
    }

    private void scheduleNextRotation() {
        this.lock.lock();
        AutoCloseableLock autoCloseableLock = this.lock;
        try {
            if (this.scheduledFuture != null) {
                this.scheduledFuture.cancel(false);
            }
            if (!isCoordinator()) {
                if (autoCloseableLock != null) {
                    autoCloseableLock.close();
                    return;
                }
                return;
            }
            JGroupsCertificate certificateInUse = this.certificateHolder.getCertificateInUse();
            Duration delayUntilNextRotation = delayUntilNextRotation(Instant.ofEpochMilli(certificateInUse.getGeneratedMillis()), certificateInUse.getCertificate().getNotAfter().toInstant());
            logger.debugf("Next rotation in %s", delayUntilNextRotation);
            if (delayUntilNextRotation.isZero()) {
                this.blockingManager.runBlocking(this::rotateCertificate, "rotate");
                if (autoCloseableLock != null) {
                    autoCloseableLock.close();
                    return;
                }
                return;
            }
            this.scheduledFuture = this.scheduledExecutorService.schedule(() -> {
                return this.blockingManager.runBlocking(this::rotateCertificate, "rotate");
            }, delayUntilNextRotation.toSeconds(), TimeUnit.SECONDS);
            if (autoCloseableLock != null) {
                autoCloseableLock.close();
            }
        } catch (Throwable th) {
            if (autoCloseableLock != null) {
                try {
                    autoCloseableLock.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private void replaceCertificateInTransaction(KeycloakSession keycloakSession) {
        ServerConfigStorageProvider provider = keycloakSession.getProvider(ServerConfigStorageProvider.class);
        JGroupsCertificate certificateInUse = this.certificateHolder.getCertificateInUse();
        Objects.requireNonNull(certificateInUse);
        provider.replace(CERTIFICATE_ID, certificateInUse::isSameAlias, () -> {
            return generateSelfSignedCertificate(this.rotationSeconds * 2);
        });
    }

    private static Optional<String> loadCertificateInTransaction(KeycloakSession keycloakSession) {
        return keycloakSession.getProvider(ServerConfigStorageProvider.class).find(CERTIFICATE_ID);
    }

    private Duration delayUntilNextRotation(Instant instant, Instant instant2) {
        Instant plus = instant.plus((TemporalAmount) Duration.ofSeconds(this.rotationSeconds));
        Instant plus2 = instant.plus((TemporalAmount) Duration.between(instant, instant2).dividedBy(2L));
        if (plus2.isBefore(plus)) {
            plus = plus2;
        }
        long until = Instant.ofEpochSecond(Time.currentTime()).until(plus, ChronoUnit.SECONDS);
        return until > 0 ? Duration.ofSeconds(until) : Duration.ZERO;
    }

    private void sendReloadNotification() {
        this.cacheManager.executor().allNodeSubmission().submitConsumer(ReloadCertificateFunction.getInstance(), this::onCertificateReloadResponse);
    }

    private void sendReloadNotification(Address address) {
        ClusterExecutor executor = this.cacheManager.executor();
        Objects.requireNonNull(address);
        executor.filterTargets((v1) -> {
            return r1.equals(v1);
        }).submitConsumer(ReloadCertificateFunction.getInstance(), this::onCertificateReloadResponse);
    }

    private void retry(Runnable runnable, String str) {
        this.scheduledExecutorService.schedule(() -> {
            return this.blockingManager.runBlocking(runnable, str);
        }, RETRY_WAIT_TIME.toSeconds(), TimeUnit.SECONDS);
    }

    public static String generateSelfSignedCertificate(long j) {
        Date from = Date.from(Instant.now().plus(j, (TemporalUnit) ChronoUnit.SECONDS));
        KeyPair generateRsaKeyPair = KeyUtils.generateRsaKeyPair(2048);
        X509Certificate generateV1SelfSignedCertificate = CertificateUtils.generateV1SelfSignedCertificate(generateRsaKeyPair, JGROUPS_SUBJECT, BigInteger.valueOf(System.currentTimeMillis()), from);
        logger.debugf("Created JGroups certificate. Valid until %s", generateV1SelfSignedCertificate.getNotAfter());
        JGroupsCertificate jGroupsCertificate = new JGroupsCertificate();
        jGroupsCertificate.setCertificate(generateV1SelfSignedCertificate);
        jGroupsCertificate.setKeyPair(generateRsaKeyPair);
        jGroupsCertificate.setAlias(UUID.randomUUID().toString());
        jGroupsCertificate.setGeneratedMillis(System.currentTimeMillis());
        return JGroupsCertificate.toJson(jGroupsCertificate);
    }
}
