package org.hawkular.openshift.auth;

import com.codahale.metrics.Timer;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.google.common.util.concurrent.Uninterruptibles;
import io.undertow.Undertow;
import io.undertow.client.ClientCallback;
import io.undertow.client.ClientConnection;
import io.undertow.client.ClientExchange;
import io.undertow.client.ClientRequest;
import io.undertow.client.UndertowClient;
import io.undertow.connector.ByteBufferPool;
import io.undertow.protocols.ssl.UndertowXnioSsl;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.XnioByteBufferPool;
import io.undertow.util.AttachmentKey;
import io.undertow.util.Headers;
import io.undertow.util.HttpString;
import io.undertow.util.Methods;
import io.undertow.util.StatusCodes;
import io.undertow.util.StringReadChannelListener;
import io.undertow.util.StringWriteChannelListener;
import java.io.Closeable;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.channels.UnresolvedAddressException;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Queue;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import java.util.regex.Pattern;
import org.apache.http.HttpStatus;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpHead;
import org.apache.http.client.methods.HttpPatch;
import org.apache.http.client.methods.HttpPost;
import org.drools.core.RuleBaseConfiguration;
import org.eclipse.jdt.internal.compiler.lookup.TagBits;
import org.hawkular.metrics.api.jaxrs.util.MetricRegistryProvider;
import org.hawkular.metrics.core.dropwizard.HawkularMetricRegistry;
import org.jboss.logging.Logger;
import org.xnio.BufferAllocator;
import org.xnio.ByteBufferSlicePool;
import org.xnio.IoUtils;
import org.xnio.OptionMap;
import org.xnio.Xnio;
import org.xnio.XnioExecutor;
import org.xnio.XnioIoThread;
import org.xnio.ssl.XnioSsl;

/* JADX INFO: Access modifiers changed from: package-private */
/* JADX WARN: Classes with same name are omitted:
  input_file:hawkular-alerts.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator.class
 */
/* loaded from: input_file:hawkular-metrics.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator.class */
public class TokenAuthenticator implements Authenticator {
    // Authorization scheme prefix for bearer tokens. Not referenced anywhere else in this class.
    static final String BEARER_PREFIX = "Bearer ";
    // Not referenced anywhere else in this class.
    private static final String UNAUTHORIZED_USER_EDIT_MSG = "Users are not authorized to perform edits on metric data";
    // Resource named in the review for query requests, and for every request when USER_WRITE_ACCESS is "true".
    private static final String RESOURCE = "pods";
    // Value of the "kind" field of the review document POSTed to ACCESS_URI.
    private static final String KIND = "SubjectAccessReview";
    // HTTP method -> review verb; populated by the static initializer.
    private static final Map<HttpString, String> VERBS;
    // Verb used when the request method has no VERBS entry; the static initializer sets it to the GET verb.
    private static final String VERBS_DEFAULT;
    // Name of the JVM system property that overrides the Kubernetes master URL.
    private static final String KUBERNETES_MASTER_URL_SYSPROP = "KUBERNETES_MASTER_URL";
    // Name of the JVM system property that switches non-query requests to the RESOURCE check.
    private static final String USER_WRITE_ACCESS_SYSPROP = "USER_WRITE_ACCESS";
    private static final String KUBERNETES_MASTER_URL_DEFAULT = "https://kubernetes.default.svc.cluster.local";
    // Destination of every access review. The caller's Authorization header is forwarded to this host,
    // so whoever controls the system property controls where client credentials are sent.
    private static final String KUBERNETES_MASTER_URL;
    private static final String USER_WRITE_ACCESS;
    // Request path of the access-review POST.
    private static final String ACCESS_URI = "/oapi/v1/subjectaccessreviews";
    // The limits below (20, 5, 32768) appear as inlined literals in ConnectionPool.isFull,
    // onRequestFailure and ConnectionPool.offer; the named constants themselves are not referenced.
    private static final int MAX_CONNECTIONS_PER_THREAD = 20;
    // Milliseconds a waiter may stay queued before its onTimeout callback runs (set in the static initializer).
    private static final long CONNECTION_WAIT_TIMEOUT;
    private static final String TIMEDOUT_WAITING_CONNECTION = "Could not acquire a Kubernetes client connection";
    // Milliseconds after creation beyond which a pooled connection is no longer reused (set in the static initializer).
    private static final long CONNECTION_TTL;
    private static final int MAX_RETRY = 5;
    private static final int MAX_PENDING = 32768;
    private static final String TOO_MANY_PENDING_REQUESTS = "Too many pending requests";
    private static final String CLIENT_REQUEST_FAILURE = "Kubernetes client request failure";
    private static final String METRICS_SCOPE = "OpenShift";
    private static final String METRICS_TYPE = "Security";
    // Handler the exchange is dispatched to once the review answers "allowed".
    private final HttpHandler containerHandler;
    private final ObjectMapper objectMapper = new ObjectMapper();
    private final URI kubernetesMasterUri;
    // One pool per IO thread, created lazily by handleRequest.
    private final ConcurrentMap<XnioIoThread, ConnectionPool> connectionPools;
    private final ConnectionFactory connectionFactory;
    // Updated in onRequestResult with the time from AuthContext creation to the review response.
    private final Timer authLatency;
    // Updated in onRequestResult with the round-trip time of the review request alone.
    private final Timer apiLatency;
    // Optional pattern; a POST whose relative path matches it is treated as a query (see isQuery).
    private final Pattern postQuery;
    // Resource checked for non-query requests unless USER_WRITE_ACCESS is "true".
    private final String resourceName;
    private final String componentName;
    private static final Logger log = Logger.getLogger(TokenAuthenticator.class);
    // Attachment key under which the per-request AuthContext travels with the server exchange.
    private static final AttachmentKey<AuthContext> AUTH_CONTEXT_KEY = AttachmentKey.create(AuthContext.class);
    // Request header whose value is used as the "namespace" of the access review.
    private static final HttpString HAWKULAR_TENANT = new HttpString("Hawkular-Tenant");
    // NOTE(review): the message names both headers, but handleRequest only rejects a missing tenant header.
    private static final String MISSING_HEADERS_MSG = "The '" + Headers.AUTHORIZATION + "' and '" + HAWKULAR_TENANT + "' headers are required";

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hawkular-alerts.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$AuthContext.class
     */
    /* loaded from: input_file:hawkular-metrics.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$AuthContext.class */
    /**
     * Per-request state attached to the server exchange while the access review is pending.
     *
     * <p>{@code authorizationHeader} holds the caller's credential exactly as received; it is
     * forwarded to the Kubernetes master and should never be written to logs or error bodies.
     */
    public static final class AuthContext {
        /** {@link System#nanoTime()} reading taken when the context was initialized. */
        private long creation;
        /** First value of the incoming Authorization header, or null when absent. */
        private String authorizationHeader;
        /** First value of the incoming Hawkular-Tenant header, or null when absent. */
        private String tenant;
        /** Serialized review document for this request. */
        private String subjectAccessReview;
        /** Number of retries already performed for this request. */
        private int retries;
        /** {@link System#nanoTime()} reading taken just before the review request is sent. */
        private long requestStart;
        /** {@link System#nanoTime()} reading taken when the review response body was read. */
        private long requestStop;

        private AuthContext() {
        }

        /**
         * Captures the creation time and the two request headers the authenticator needs.
         *
         * @param httpServerExchange the incoming exchange
         * @return a fresh context; header fields are null when the header is missing
         */
        public static AuthContext initialize(HttpServerExchange httpServerExchange) {
            AuthContext ctx = new AuthContext();
            ctx.creation = System.nanoTime();
            ctx.authorizationHeader = httpServerExchange.getRequestHeaders().getFirst(Headers.AUTHORIZATION);
            ctx.tenant = httpServerExchange.getRequestHeaders().getFirst(TokenAuthenticator.HAWKULAR_TENANT);
            return ctx;
        }

        /** @return true when the request carried no Hawkular-Tenant header */
        public boolean isMissingTenantHeader() {
            return null == this.tenant;
        }

        /** Marks the moment the review request is handed to the client connection. */
        public void clientRequestStarting() {
            this.requestStart = System.nanoTime();
        }

        /** Marks the moment the review response has been fully read. */
        public void clientResponseReceived() {
            this.requestStop = System.nanoTime();
        }

        /** @return nanoseconds between sending the review request and receiving its response */
        public long getClientResponseTime() {
            long elapsed = this.requestStop - this.requestStart;
            return elapsed;
        }

        /** @return nanoseconds between context creation and receipt of the review response */
        public long getLatency() {
            long elapsed = this.requestStop - this.creation;
            return elapsed;
        }

        /** Compiler-generated accessor: post-increments {@code retries} and returns the previous value. */
        static /* synthetic */ int access$1408(AuthContext authContext) {
            return authContext.retries++;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hawkular-alerts.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$ConnectionFactory.class
     */
    /* loaded from: input_file:hawkular-metrics.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$ConnectionFactory.class */
    /**
     * Opens client connections to the Kubernetes master and owns the buffer pool they share.
     *
     * <p>NOTE(review): the SSL provider is built with {@code OptionMap.EMPTY}, so no trust or
     * verification options are set in this class. Confirm which trust store and hostname
     * verification apply, because the caller's Authorization header is sent over this connection.
     */
    public static class ConnectionFactory {
        private final URI kubernetesMasterUri;
        private final UndertowClient undertowClient;
        private final XnioSsl ssl;
        private final ByteBufferPool byteBufferPool;

        /**
         * @param uri address of the Kubernetes master
         * @throws RuntimeException wrapping any exception raised while setting up SSL or the buffer pool
         */
        private ConnectionFactory(URI uri) {
            this.kubernetesMasterUri = uri;
            this.undertowClient = UndertowClient.getInstance();
            try {
                Xnio xnio = Xnio.getInstance(Undertow.class.getClassLoader());
                this.ssl = new UndertowXnioSsl(xnio, OptionMap.EMPTY);
                this.byteBufferPool = createByteBufferPool();
            } catch (Exception cause) {
                throw new RuntimeException(cause);
            }
        }

        /**
         * Sizes the buffer pool from the JVM's maximum heap: heap buffers of 512 bytes below the
         * first threshold, direct buffers of 1024 bytes below the second, direct buffers of
         * 16384 bytes otherwise.
         */
        private ByteBufferPool createByteBufferPool() {
            // NOTE(review): the TagBits constants look like a decompiler substitution for plain
            // numeric memory thresholds; they are kept because they carry the runtime values.
            long heapLimit = Runtime.getRuntime().maxMemory();
            boolean direct = true;
            int bufferSize = 16384;
            int buffersPerRegion = 20;
            if (heapLimit < TagBits.HasUnresolvedSuperinterfaces) {
                direct = false;
                bufferSize = 512;
                buffersPerRegion = 10;
            } else if (heapLimit < TagBits.HasUnresolvedEnclosingType) {
                bufferSize = 1024;
                buffersPerRegion = 10;
            }
            int regionSize = buffersPerRegion * bufferSize;
            return new XnioByteBufferPool(new ByteBufferSlicePool(direct ? BufferAllocator.DIRECT_BYTE_BUFFER_ALLOCATOR : BufferAllocator.BYTE_BUFFER_ALLOCATOR, bufferSize, regionSize));
        }

        /**
         * Starts an asynchronous connect to the Kubernetes master, passing the calling thread as
         * the connection's IO thread.
         *
         * @param clientCallback notified with the connection or the failure
         */
        public void createConnection(ClientCallback<ClientConnection> clientCallback) {
            // NOTE(review): connect() is handed Thread.currentThread(); presumably the decompiler
            // dropped a cast to an XNIO IO thread type here. Confirm against the original source.
            this.undertowClient.connect(clientCallback, this.kubernetesMasterUri, Thread.currentThread(), this.ssl, this.byteBufferPool, OptionMap.EMPTY);
        }

        /** Releases the shared buffer pool. */
        public void close() {
            this.byteBufferPool.close();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hawkular-alerts.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$ConnectionPool.class
     */
    /* loaded from: input_file:hawkular-metrics.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$ConnectionPool.class */
    /**
     * Pool of client connections to the Kubernetes master plus a FIFO queue of requests waiting
     * for one. handleRequest creates one pool per IO thread.
     *
     * <p>The class holds no locks: {@code connections} and {@code waiters} are a plain ArrayList
     * and ArrayDeque. NOTE(review): this appears to rely on every call being made on the owning
     * IO thread; confirm before calling into a pool from any other thread.
     *
     * <p>Capacity limits are inlined as literals: at most 20 connections (including ones still
     * being opened) and at most 32768 queued waiters.
     */
    public static class ConnectionPool {
        private final ConnectionFactory connectionFactory;
        private final List<PooledConnection> connections;
        private final Queue<PooledConnectionWaiter> waiters;
        // Handle of the once-per-second maintenance task; removed in stop().
        private final XnioExecutor.Key periodicTaskKey;
        // Connect attempts started but not yet completed or failed; counted by isFull().
        private int ongoingCreations;
        private boolean stop;
        // Snapshots written by periodicTask(); nothing in this file reads them.
        private volatile int connectionCount;
        private volatile int waiterCount;

        /**
         * Builds an empty pool and schedules periodicTask() to run every second.
         *
         * @param connectionFactory used to open new connections
         * @param str unused in this constructor
         */
        private ConnectionPool(ConnectionFactory connectionFactory, String str) {
            this.connectionFactory = connectionFactory;
            this.connections = new ArrayList(20);
            this.waiters = new ArrayDeque();
            // NOTE(review): java.lang.Thread has no executeAtInterval; presumably the decompiler
            // dropped a cast to XnioIoThread here. Confirm against the original source.
            this.periodicTaskKey = Thread.currentThread().executeAtInterval(this::periodicTask, 1L, TimeUnit.SECONDS);
            this.ongoingCreations = 0;
            this.stop = false;
        }

        /**
         * Maintenance pass: closes idle connections that can no longer be reused, times out stale
         * waiters, opens one connection if waiters remain and the pool is not full, then refreshes
         * the two counters. Does nothing once the pool is stopped.
         */
        private void periodicTask() {
            if (this.stop) {
                return;
            }
            long currentTimeMillis = System.currentTimeMillis();
            Iterator<PooledConnection> it = this.connections.iterator();
            while (it.hasNext()) {
                PooledConnection next = it.next();
                if (next.idle && !next.canReuse(currentTimeMillis)) {
                    it.remove();
                    IoUtils.safeClose(next);
                }
            }
            removeTimedOutWaiters();
            if (!this.waiters.isEmpty() && !isFull()) {
                createConnection();
            }
            this.connectionCount = this.connections.size();
            this.waiterCount = this.waiters.size();
        }

        /**
         * Queues a waiter and, if an idle reusable connection exists, serves the head of the queue.
         *
         * @param pooledConnectionWaiter callbacks for the request wanting a connection
         * @return false only when 32768 waiters are already queued; true otherwise, including the
         *         stopped case, where the waiter's onTimeout callback is run immediately
         */
        /* JADX INFO: Access modifiers changed from: private */
        public boolean offer(PooledConnectionWaiter pooledConnectionWaiter) {
            if (this.stop) {
                pooledConnectionWaiter.onTimeout.run();
                return true;
            }
            removeTimedOutWaiters();
            // Back-pressure: the queue is bounded so a slow or unreachable master cannot grow it
            // without limit; callers answer a false return with an error response.
            if (this.waiters.size() >= 32768) {
                return false;
            }
            this.waiters.offer(pooledConnectionWaiter);
            PooledConnection selectIdleConnection = selectIdleConnection();
            if (selectIdleConnection == null) {
                // No connection is opened here; an open is started by periodicTask(), release()
                // or the creation-failure retry when waiters remain and the pool is not full.
                return true;
            }
            // The connection goes to the oldest waiter, which is not necessarily the one just added.
            this.waiters.poll().onGet.accept(selectIdleConnection);
            return true;
        }

        /**
         * Returns the first idle connection that can still be reused, marking it busy. Idle
         * connections found to be unusable along the way are removed from the pool and closed.
         *
         * @return a connection now marked busy, or null when none is available
         */
        private PooledConnection selectIdleConnection() {
            long currentTimeMillis = System.currentTimeMillis();
            Iterator<PooledConnection> it = this.connections.iterator();
            while (it.hasNext()) {
                PooledConnection next = it.next();
                if (next.idle) {
                    if (next.canReuse(currentTimeMillis)) {
                        next.idle = false;
                        return next;
                    }
                    it.remove();
                    IoUtils.safeClose(next);
                }
            }
            return null;
        }

        /**
         * Returns a connection to the pool and, if requests are waiting, serves the next one or
         * starts opening a new connection when there is room.
         *
         * @param pooledConnection the connection the caller has finished with
         */
        /* JADX INFO: Access modifiers changed from: private */
        public void release(PooledConnection pooledConnection) {
            // Marked idle before the stop check so closeAllConnections() can collect it later.
            pooledConnection.idle = true;
            if (this.stop) {
                return;
            }
            if (!pooledConnection.canReuse(System.currentTimeMillis())) {
                this.connections.remove(pooledConnection);
                IoUtils.safeClose(pooledConnection);
            }
            removeTimedOutWaiters();
            if (this.waiters.isEmpty()) {
                return;
            }
            PooledConnection selectIdleConnection = selectIdleConnection();
            if (selectIdleConnection != null) {
                this.waiters.poll().onGet.accept(selectIdleConnection);
            } else {
                if (isFull()) {
                    return;
                }
                createConnection();
            }
        }

        /**
         * Runs onTimeout for waiters queued longer than CONNECTION_WAIT_TIMEOUT, oldest first,
         * stopping at the first waiter that has not timed out yet. This relies on the queue being
         * ordered by timestamp, which holds as long as waiters are only appended when created.
         */
        private void removeTimedOutWaiters() {
            long currentTimeMillis = System.currentTimeMillis();
            Iterator<PooledConnectionWaiter> it = this.waiters.iterator();
            while (it.hasNext()) {
                PooledConnectionWaiter next = it.next();
                if (next.timestamp + TokenAuthenticator.CONNECTION_WAIT_TIMEOUT >= currentTimeMillis) {
                    return;
                }
                it.remove();
                next.onTimeout.run();
            }
        }

        /**
         * @return true when open connections plus pending connects equal the limit of 20
         */
        private boolean isFull() {
            // NOTE(review): equality, not >=. If the sum ever exceeded 20 this would report
            // "not full" and the cap would stop being enforced; every caller in this file checks
            // isFull() before createConnection(), which is what keeps the sum from overshooting.
            return this.connections.size() + this.ongoingCreations == 20;
        }

        /**
         * Starts one asynchronous connect and tracks it in ongoingCreations until the callback
         * reports success or failure. An UnresolvedAddressException thrown synchronously is
         * treated like an asynchronous failure.
         */
        private void createConnection() {
            this.ongoingCreations++;
            try {
                this.connectionFactory.createConnection(new ClientCallback<ClientConnection>() { // from class: org.hawkular.openshift.auth.TokenAuthenticator.ConnectionPool.1
                    public void completed(ClientConnection clientConnection) {
                        ConnectionPool.access$3010(ConnectionPool.this);
                        ConnectionPool.this.onConnectionCreated(clientConnection);
                    }

                    public void failed(IOException iOException) {
                        ConnectionPool.access$3010(ConnectionPool.this);
                        ConnectionPool.this.onConnectionCreationFailure(iOException);
                    }
                });
            } catch (UnresolvedAddressException e) {
                this.ongoingCreations--;
                onConnectionCreationFailure(e);
            }
        }

        /**
         * Adds a freshly opened connection to the pool and hands it to the oldest waiter, or
         * parks it as idle when nobody is waiting. If the pool was stopped meanwhile the
         * connection is closed instead.
         *
         * @param clientConnection the newly established connection
         */
        /* JADX INFO: Access modifiers changed from: private */
        public void onConnectionCreated(ClientConnection clientConnection) {
            if (this.stop) {
                IoUtils.safeClose(clientConnection);
                return;
            }
            PooledConnection pooledConnection = new PooledConnection();
            pooledConnection.clientConnection = clientConnection;
            this.connections.add(pooledConnection);
            removeTimedOutWaiters();
            if (this.waiters.isEmpty()) {
                pooledConnection.idle = true;
                return;
            }
            PooledConnectionWaiter poll = this.waiters.poll();
            pooledConnection.idle = false;
            poll.onGet.accept(pooledConnection);
        }

        /**
         * Logs the failure at debug level and schedules one more connect attempt a second later,
         * provided the pool is still running, waiters remain and there is room.
         *
         * @param exc the reason the connect failed
         */
        /* JADX INFO: Access modifiers changed from: private */
        public void onConnectionCreationFailure(Exception exc) {
            // Debug level only: a persistently unreachable master shows up to clients as wait
            // timeouts, not in default-level logs.
            TokenAuthenticator.log.debug("Failed to create client connection", exc);
            if (this.stop) {
                return;
            }
            // NOTE(review): java.lang.Thread has no executeAfter; presumably a dropped cast to
            // XnioIoThread, as in the constructor.
            Thread.currentThread().executeAfter(() -> {
                removeTimedOutWaiters();
                if (this.stop || this.waiters.isEmpty() || isFull()) {
                    return;
                }
                createConnection();
            }, 1L, TimeUnit.SECONDS);
        }

        /**
         * Stops the pool: cancels the periodic task, runs onTimeout for every queued waiter and
         * closes connections as they become idle.
         *
         * @param runnable run once every connection has been closed
         */
        /* JADX INFO: Access modifiers changed from: private */
        public void stop(Runnable runnable) {
            this.stop = true;
            this.periodicTaskKey.remove();
            while (!this.waiters.isEmpty()) {
                this.waiters.poll().onTimeout.run();
            }
            closeAllConnections(runnable);
        }

        /**
         * Closes every idle connection; if busy ones remain, tries again every 500 ms until the
         * list is empty, then runs the callback.
         *
         * @param runnable run once no connection is left
         */
        private void closeAllConnections(Runnable runnable) {
            Iterator<PooledConnection> it = this.connections.iterator();
            while (it.hasNext()) {
                PooledConnection next = it.next();
                if (next.idle) {
                    it.remove();
                    IoUtils.safeClose(next);
                }
            }
            if (this.connections.isEmpty()) {
                runnable.run();
            } else {
                // There is no upper bound on retries in this method; a connection that is never
                // released keeps the task rescheduling itself.
                Thread.currentThread().executeAfter(() -> {
                    closeAllConnections(runnable);
                }, 500L, TimeUnit.MILLISECONDS);
            }
        }

        /** Compiler-generated accessor: post-decrements ongoingCreations and returns the previous value. */
        static /* synthetic */ int access$3010(ConnectionPool connectionPool) {
            int i = connectionPool.ongoingCreations;
            connectionPool.ongoingCreations = i - 1;
            return i;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hawkular-alerts.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$PooledConnection.class
     */
    /* loaded from: input_file:hawkular-metrics.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$PooledConnection.class */
    /**
     * A client connection to the Kubernetes master together with the bookkeeping the pool needs:
     * whether it is currently idle and when it was created.
     */
    public static class PooledConnection implements Closeable {
        private ClientConnection clientConnection;
        private boolean idle;
        /** Wall-clock creation time in milliseconds. */
        private long createdOn;

        private PooledConnection() {
            this.createdOn = System.currentTimeMillis();
        }

        /**
         * Sends a request over the underlying connection.
         *
         * @param clientRequest the request to send
         * @param clientCallback notified when the request can be written or has failed
         */
        public void sendRequest(ClientRequest clientRequest, ClientCallback<ClientExchange> clientCallback) {
            ClientConnection target = this.clientConnection;
            target.sendRequest(clientRequest, clientCallback);
        }

        private boolean isOpen() {
            return this.clientConnection.isOpen();
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            this.clientConnection.close();
        }

        /** @return true when the connection is older than CONNECTION_TTL at the given time */
        private boolean hasExpired(long nowMillis) {
            long expiresAt = this.createdOn + TokenAuthenticator.CONNECTION_TTL;
            return expiresAt < nowMillis;
        }

        /**
         * @param nowMillis current wall-clock time in milliseconds
         * @return true when the connection is still open and has not outlived its TTL
         */
        public boolean canReuse(long nowMillis) {
            if (!isOpen()) {
                return false;
            }
            return !hasExpired(nowMillis);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hawkular-alerts.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$PooledConnectionWaiter.class
     */
    /* loaded from: input_file:hawkular-metrics.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$PooledConnectionWaiter.class */
    /**
     * A request queued for a pooled connection: what to do when one becomes available, what to
     * do when the wait times out, and when the wait began.
     */
    public static class PooledConnectionWaiter {
        /** Invoked with the connection assigned to this waiter. */
        private final Consumer<PooledConnection> onGet;
        /** Invoked when the waiter is dropped without getting a connection. */
        private final Runnable onTimeout;
        /** Wall-clock time in milliseconds at which the waiter was created. */
        private final long timestamp;

        private PooledConnectionWaiter(Consumer<PooledConnection> connectionHandler, Runnable timeoutHandler) {
            this.timestamp = System.currentTimeMillis();
            this.onTimeout = timeoutHandler;
            this.onGet = connectionHandler;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hawkular-alerts.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$RequestReadyCallback.class
     */
    /* loaded from: input_file:hawkular-metrics.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$RequestReadyCallback.class */
    /**
     * Callback for the moment the access-review request is ready to be written: registers the
     * response listener, then writes the review document as the request body.
     */
    public class RequestReadyCallback implements ClientCallback<ClientExchange> {
        private final HttpServerExchange serverExchange;
        private final PooledConnection connection;

        private RequestReadyCallback(HttpServerExchange httpServerExchange, PooledConnection pooledConnection) {
            this.serverExchange = httpServerExchange;
            this.connection = pooledConnection;
        }

        public void completed(ClientExchange clientExchange) {
            ResponseListener responseListener = new ResponseListener(this.serverExchange, this.connection);
            clientExchange.setResponseListener(responseListener);
            writeBody(clientExchange);
        }

        /** Writes the review document stored in the exchange's AuthContext to the request channel. */
        private void writeBody(ClientExchange clientExchange) {
            AuthContext authContext = (AuthContext) this.serverExchange.getAttachment(TokenAuthenticator.AUTH_CONTEXT_KEY);
            // NOTE(review): no charset is passed, so the encoding is whatever the listener's
            // single-argument constructor uses; the Content-Length header set in
            // buildClientRequest has to describe the same encoding.
            StringWriteChannelListener bodyWriter = new StringWriteChannelListener(authContext.subjectAccessReview);
            bodyWriter.setup(clientExchange.getRequestChannel());
        }

        /** Treats a failure to send the request as retryable. */
        public void failed(IOException iOException) {
            TokenAuthenticator.this.onRequestFailure(this.serverExchange, this.connection, iOException, true);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hawkular-alerts.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$ResponseBodyListener.class
     */
    /* loaded from: input_file:hawkular-metrics.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$ResponseBodyListener.class */
    /**
     * Reads the access-review response body and turns it into an allow/deny decision.
     *
     * <p>The decision fails closed: access is granted only when the status is 201 and the body
     * parses to JSON whose "allowed" field is true. Every other outcome goes to onRequestFailure.
     */
    public class ResponseBodyListener extends StringReadChannelListener {
        private final HttpServerExchange serverExchange;
        private final PooledConnection connection;
        private final ClientExchange clientExchange;

        private ResponseBodyListener(HttpServerExchange httpServerExchange, PooledConnection pooledConnection, ClientExchange clientExchange) {
            super(clientExchange.getConnection().getBufferPool());
            this.serverExchange = httpServerExchange;
            this.connection = pooledConnection;
            this.clientExchange = clientExchange;
        }

        /**
         * Called with the complete response body.
         *
         * @param str the response body as text
         */
        protected void stringDone(String str) {
            AuthContext authContext = (AuthContext) this.serverExchange.getAttachment(TokenAuthenticator.AUTH_CONTEXT_KEY);
            authContext.clientResponseReceived();
            int status = this.clientExchange.getResponse().getResponseCode();
            if (status != 201) {
                // Only 5xx answers are retried. Other statuses end the request at once, and
                // onRequestFailure reports them to the client as a 500, so a review the master
                // refused (for example for a bad token) is not distinguishable from an outage.
                IOException failure = new IOException(StatusCodes.getReason(status));
                boolean retryable = status >= 500;
                TokenAuthenticator.this.onRequestFailure(this.serverExchange, this.connection, failure, retryable);
                return;
            }
            try {
                JsonNode root = TokenAuthenticator.this.objectMapper.readTree(str);
                JsonNode allowedNode = null;
                if (root != null) {
                    allowedNode = root.get("allowed");
                }
                // A missing "allowed" field counts as a denial.
                boolean allowed = allowedNode != null && allowedNode.asBoolean();
                TokenAuthenticator.this.onRequestResult(this.serverExchange, this.connection, allowed);
            } catch (IOException parseFailure) {
                TokenAuthenticator.this.onRequestFailure(this.serverExchange, this.connection, parseFailure, true);
            }
        }

        /** Treats a failure while reading the body as retryable. */
        protected void error(IOException iOException) {
            TokenAuthenticator.this.onRequestFailure(this.serverExchange, this.connection, iOException, true);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hawkular-alerts.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$ResponseListener.class
     */
    /* loaded from: input_file:hawkular-metrics.war:WEB-INF/lib/hawkular-openshift-security-filter-0.28.3.Final.jar:org/hawkular/openshift/auth/TokenAuthenticator$ResponseListener.class */
    /**
     * Callback for the arrival of the access-review response: starts reading the response body
     * through a ResponseBodyListener.
     */
    public class ResponseListener implements ClientCallback<ClientExchange> {
        private final HttpServerExchange serverExchange;
        private final PooledConnection connection;

        private ResponseListener(HttpServerExchange httpServerExchange, PooledConnection pooledConnection) {
            this.serverExchange = httpServerExchange;
            this.connection = pooledConnection;
        }

        public void completed(ClientExchange clientExchange) {
            ResponseBodyListener bodyListener = new ResponseBodyListener(this.serverExchange, this.connection, clientExchange);
            bodyListener.setup(clientExchange.getResponseChannel());
        }

        /** Treats a failure to receive the response as retryable. */
        public void failed(IOException iOException) {
            TokenAuthenticator.this.onRequestFailure(this.serverExchange, this.connection, iOException, true);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates an authenticator that checks each request against the Kubernetes master before
     * handing it to the wrapped handler.
     *
     * @param httpHandler handler that receives requests once they are allowed
     * @param str component name, passed to each ConnectionPool
     * @param str2 resource name checked for non-query requests
     * @param pattern optional pattern identifying POST requests that count as queries; may be null
     * @throws RuntimeException if the configured Kubernetes master URL is not a valid URI
     */
    public TokenAuthenticator(HttpHandler httpHandler, String str, String str2, Pattern pattern) {
        this.containerHandler = httpHandler;
        this.componentName = str;
        this.resourceName = str2;
        this.postQuery = pattern;
        try {
            this.kubernetesMasterUri = new URI(KUBERNETES_MASTER_URL);
        } catch (URISyntaxException invalidUrl) {
            throw new RuntimeException(invalidUrl);
        }
        int cpuCount = Runtime.getRuntime().availableProcessors();
        this.connectionPools = new ConcurrentHashMap<>(cpuCount, 1.0f);
        this.connectionFactory = new ConnectionFactory(this.kubernetesMasterUri);
        HawkularMetricRegistry registry = MetricRegistryProvider.INSTANCE.getMetricRegistry();
        this.authLatency = registry.timer("openshift-oauth-latency");
        this.apiLatency = registry.timer("openshift-oauth-kubernetes-response-time");
    }

    /**
     * Entry point for an incoming request: records its headers, rejects it if the tenant header
     * is missing, and otherwise queues it for an access review on this IO thread's pool.
     *
     * <p>NOTE(review): only the tenant header is checked here although the 400 message names the
     * Authorization header too. A request without Authorization goes on to the review call;
     * confirm that the caller of this handler guarantees the header is present.
     *
     * @param httpServerExchange the incoming exchange
     */
    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        AuthContext authContext = AuthContext.initialize(httpServerExchange);
        httpServerExchange.putAttachment(AUTH_CONTEXT_KEY, authContext);
        // Drop the context, and with it the stored Authorization value, when the exchange ends.
        httpServerExchange.addExchangeCompleteListener((finishedExchange, next) -> {
            finishedExchange.removeAttachment(AUTH_CONTEXT_KEY);
            next.proceed();
        });
        if (authContext.isMissingTenantHeader()) {
            Utils.endExchange(httpServerExchange, 400, MISSING_HEADERS_MSG);
            return;
        }
        httpServerExchange.dispatch();
        ConnectionPool pool = this.connectionPools.computeIfAbsent(
                httpServerExchange.getIoThread(),
                ioThread -> new ConnectionPool(this.connectionFactory, this.componentName));
        PooledConnectionWaiter waiter = createWaiter(httpServerExchange);
        if (!pool.offer(waiter)) {
            // The pool's waiter queue is full.
            Utils.endExchange(httpServerExchange, 500, TOO_MANY_PENDING_REQUESTS);
        }
    }

    /**
     * Decides whether a request is a read-only query: any GET or HEAD, or a POST whose relative
     * path matches the optional postQuery pattern.
     *
     * <p>NOTE(review): the pattern is applied with {@code find()}, so it matches anywhere in the
     * path unless the pattern itself is anchored. A POST classified as a query is authorized with
     * the read verb; confirm the configured pattern cannot match write endpoints.
     *
     * @param httpServerExchange the incoming exchange
     * @return true when the request should be authorized as a read
     */
    private boolean isQuery(HttpServerExchange httpServerExchange) {
        String method = httpServerExchange.getRequestMethod().toString();
        if (method.equalsIgnoreCase(HttpGet.METHOD_NAME) || method.equalsIgnoreCase(HttpHead.METHOD_NAME)) {
            return true;
        }
        if (!method.equalsIgnoreCase(HttpPost.METHOD_NAME)) {
            return false;
        }
        if (this.postQuery == null) {
            return false;
        }
        return this.postQuery.matcher(httpServerExchange.getRelativePath()).find();
    }

    /**
     * Builds the waiter for an exchange: on receiving a connection it sends the access review,
     * on timeout it ends the exchange with an error.
     *
     * @param httpServerExchange the exchange waiting for a connection
     * @return a waiter timestamped at creation
     */
    private PooledConnectionWaiter createWaiter(HttpServerExchange httpServerExchange) {
        Consumer<PooledConnection> onConnection = connection -> sendAuthenticationRequest(httpServerExchange, connection);
        Runnable onTimeout = () -> onPooledConnectionWaitTimeout(httpServerExchange);
        return new PooledConnectionWaiter(onConnection, onTimeout);
    }

    /**
     * Builds the access review for the exchange and sends it over the given connection.
     *
     * <p>Queries are always checked against the "pods" resource. Other requests are checked
     * against the configured resource name, unless USER_WRITE_ACCESS is "true", in which case
     * they are checked against "pods" as well.
     *
     * @param httpServerExchange the exchange being authorized
     * @param pooledConnection the connection to use for the review request
     */
    private void sendAuthenticationRequest(HttpServerExchange httpServerExchange, PooledConnection pooledConnection) {
        AuthContext authContext = (AuthContext) httpServerExchange.getAttachment(AUTH_CONTEXT_KEY);
        String namespace = authContext.tenant;
        String verb = getVerb(httpServerExchange);
        String resource;
        if (isQuery(httpServerExchange) || USER_WRITE_ACCESS.equalsIgnoreCase("true")) {
            resource = RESOURCE;
        } else {
            resource = this.resourceName;
        }
        authContext.subjectAccessReview = generateSubjectAccessReview(namespace, verb, resource);
        ClientRequest reviewRequest = buildClientRequest(authContext);
        authContext.clientRequestStarting();
        RequestReadyCallback readyCallback = new RequestReadyCallback(httpServerExchange, pooledConnection);
        pooledConnection.sendRequest(reviewRequest, readyCallback);
    }

    /**
     * Ends the exchange with a 500 because no Kubernetes client connection could be obtained in
     * time. The request is never passed to the wrapped handler on this path.
     *
     * @param httpServerExchange the exchange that waited too long
     */
    private void onPooledConnectionWaitTimeout(HttpServerExchange httpServerExchange) {
        final int statusCode = 500;
        Utils.endExchange(httpServerExchange, statusCode, TIMEDOUT_WAITING_CONNECTION);
    }

    /**
     * Maps the request to the verb used in the access review.
     *
     * <p>NOTE(review): a method with no entry in VERBS falls back to the read verb. If the
     * wrapped handler performs changes for such a method, those changes are authorized with a
     * read check only; confirm which methods the wrapped handler accepts.
     *
     * @param httpServerExchange the incoming exchange
     * @return the GET verb for queries, the mapped verb for known methods, the default otherwise
     */
    private String getVerb(HttpServerExchange httpServerExchange) {
        if (isQuery(httpServerExchange)) {
            return VERBS.get(Methods.GET);
        }
        HttpString method = httpServerExchange.getRequestMethod();
        String verb = VERBS.get(method);
        if (verb != null) {
            return verb;
        }
        log.debugf("Unhandled http method '%s'. Checking for read access.", method);
        return VERBS_DEFAULT;
    }

    /**
     * Serializes the access-review document. The values are written through the JSON object
     * model, so a client-supplied namespace cannot break out of its string field.
     *
     * @param str namespace to check (the request's tenant header value)
     * @param str2 verb to check
     * @param str3 resource to check
     * @return the review as a JSON string
     */
    private String generateSubjectAccessReview(String str, String str2, String str3) {
        return this.objectMapper.createObjectNode()
                .put("apiVersion", "v1")
                .put("kind", KIND)
                .put("resource", str3)
                .put("verb", str2)
                .put("namespace", str)
                .toString();
    }

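    /**
     * Builds the POST request that carries the access review to the Kubernetes master.
     *
     * <p>The caller's Authorization header is forwarded unchanged, so the review is evaluated
     * with the caller's own credential.
     *
     * @param authContext context holding the Authorization value and the serialized review
     * @return the request, with Host, Accept, Content-Type, Authorization and Content-Length set
     */
    private ClientRequest buildClientRequest(AuthContext authContext) {
        ClientRequest request = new ClientRequest().setMethod(Methods.POST).setPath(ACCESS_URI);
        String host = this.kubernetesMasterUri.getHost();
        int port = this.kubernetesMasterUri.getPort();
        String hostHeader = port == -1 ? host : host + ":" + port;
        // Content-Length must count encoded bytes, not characters. The review embeds the
        // client-supplied tenant value, so a non-ASCII tenant would otherwise make the declared
        // length disagree with the body written on this reused connection.
        // Assumes the body writer's single-argument constructor encodes with the platform
        // default charset; TODO confirm, and prefer passing one explicit charset in both places.
        int bodyLength = authContext.subjectAccessReview.getBytes(java.nio.charset.Charset.defaultCharset()).length;
        request.getRequestHeaders()
                .add(Headers.HOST, hostHeader)
                .add(Headers.ACCEPT, "application/json")
                .add(Headers.CONTENT_TYPE, "application/json")
                .add(Headers.AUTHORIZATION, authContext.authorizationHeader)
                .add(Headers.CONTENT_LENGTH, bodyLength);
        return request;
    }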

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Finishes a completed access review: returns the connection to its pool, records both
     * latency timers, then either forwards the request to the wrapped handler or answers 403.
     *
     * @param httpServerExchange the exchange being authorized
     * @param pooledConnection the connection the review used
     * @param z true when the review allowed the request
     */
    public void onRequestResult(HttpServerExchange httpServerExchange, PooledConnection pooledConnection, boolean z) {
        ConnectionPool pool = this.connectionPools.get(httpServerExchange.getIoThread());
        pool.release(pooledConnection);
        AuthContext authContext = (AuthContext) httpServerExchange.removeAttachment(AUTH_CONTEXT_KEY);
        long apiNanos = authContext.getClientResponseTime();
        this.apiLatency.update(apiNanos, TimeUnit.NANOSECONDS);
        long totalNanos = authContext.getLatency();
        this.authLatency.update(totalNanos, TimeUnit.NANOSECONDS);
        if (!z) {
            Utils.endExchange(httpServerExchange, HttpStatus.SC_FORBIDDEN);
            return;
        }
        httpServerExchange.dispatch(this.containerHandler);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Handles a failed access review: closes the connection, returns it to the pool (which then
     * discards it), and either retries or ends the exchange with a 500. The request is never
     * forwarded to the wrapped handler from here.
     *
     * @param httpServerExchange the exchange being authorized
     * @param pooledConnection the connection the failed attempt used
     * @param iOException the failure, logged at debug level
     * @param z true when the failure may be retried; retries stop after five attempts
     */
    public void onRequestFailure(HttpServerExchange httpServerExchange, PooledConnection pooledConnection, IOException iOException, boolean z) {
        log.debug("Client request failure", iOException);
        IoUtils.safeClose(pooledConnection);
        ConnectionPool pool = this.connectionPools.get(httpServerExchange.getIoThread());
        pool.release(pooledConnection);
        AuthContext authContext = (AuthContext) httpServerExchange.getAttachment(AUTH_CONTEXT_KEY);
        boolean mayRetry = z && authContext.retries < 5;
        if (!mayRetry) {
            Utils.endExchange(httpServerExchange, 500, CLIENT_REQUEST_FAILURE);
            return;
        }
        AuthContext.access$1408(authContext);
        PooledConnectionWaiter retryWaiter = createWaiter(httpServerExchange);
        if (!pool.offer(retryWaiter)) {
            Utils.endExchange(httpServerExchange, 500, TOO_MANY_PENDING_REQUESTS);
        }
    }

    /**
     * Shuts the authenticator down: asks every pool to stop on its own IO thread, waits up to
     * five seconds for all of them to report completion, then closes the connection factory
     * whether or not every pool finished in time.
     */
    @Override // org.hawkular.openshift.auth.Authenticator
    public void stop() {
        Set<Map.Entry<XnioIoThread, ConnectionPool>> pools = this.connectionPools.entrySet();
        CountDownLatch allStopped = new CountDownLatch(pools.size());
        for (Map.Entry<XnioIoThread, ConnectionPool> entry : pools) {
            // Each pool is stopped on the thread that owns it.
            entry.getKey().execute(() -> {
                ConnectionPool pool = entry.getValue();
                pool.stop(allStopped::countDown);
            });
        }
        Uninterruptibles.awaitUninterruptibly(allStopped, 5L, TimeUnit.SECONDS);
        this.connectionFactory.close();
    }

    // Populates the method-to-verb table and reads the two system properties once, at class load.
    static {
        Map<HttpString, String> verbsByMethod = new HashMap<>();
        verbsByMethod.put(Methods.GET, "list");
        // Every mapped method other than GET requires the "update" verb.
        verbsByMethod.put(Methods.PUT, "update");
        verbsByMethod.put(Methods.POST, "update");
        verbsByMethod.put(Methods.DELETE, "update");
        verbsByMethod.put(new HttpString(HttpPatch.METHOD_NAME), "update");
        VERBS = Collections.unmodifiableMap(verbsByMethod);
        VERBS_DEFAULT = VERBS.get(Methods.GET);
        KUBERNETES_MASTER_URL = System.getProperty(KUBERNETES_MASTER_URL_SYSPROP, KUBERNETES_MASTER_URL_DEFAULT);
        // NOTE(review): the default comes from an unrelated Drools constant, which looks like a
        // decompiler substitution for a string literal with the same value. It is kept because
        // it carries the runtime value; confirm the intended default against the original source.
        USER_WRITE_ACCESS = System.getProperty(USER_WRITE_ACCESS_SYSPROP, RuleBaseConfiguration.DEFAULT_SIGN_ON_SERIALIZATION);
        CONNECTION_WAIT_TIMEOUT = TimeUnit.SECONDS.toMillis(30L);
        CONNECTION_TTL = TimeUnit.SECONDS.toMillis(10L);
    }
}
