package org.apache.pulsar.functions.auth;

import io.kubernetes.client.openapi.apis.CoreV1Api;
import io.kubernetes.client.openapi.models.V1Container;
import io.kubernetes.client.openapi.models.V1KeyToPath;
import io.kubernetes.client.openapi.models.V1PodSpec;
import io.kubernetes.client.openapi.models.V1ProjectedVolumeSource;
import io.kubernetes.client.openapi.models.V1SecretVolumeSource;
import io.kubernetes.client.openapi.models.V1ServiceAccountTokenProjection;
import io.kubernetes.client.openapi.models.V1StatefulSet;
import io.kubernetes.client.openapi.models.V1Volume;
import io.kubernetes.client.openapi.models.V1VolumeMount;
import io.kubernetes.client.openapi.models.V1VolumeProjection;
import java.nio.file.Paths;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import org.apache.pulsar.broker.authentication.AuthenticationDataSource;
import org.apache.pulsar.client.impl.auth.AuthenticationToken;
import org.apache.pulsar.functions.instance.AuthenticationConfig;
import org.apache.pulsar.functions.proto.Function;
import org.eclipse.jetty.util.StringUtil;

/* loaded from: input_file:org/apache/pulsar/functions/auth/KubernetesServiceAccountTokenAuthProvider.class */
public class KubernetesServiceAccountTokenAuthProvider implements KubernetesFunctionAuthProvider {
    private static final String BROKER_CLIENT_TRUST_CERTS_SECRET_NAME = "brokerClientTrustCertsSecretName";
    private static final String SERVICE_ACCOUNT_TOKEN_EXPIRATION_SECONDS = "serviceAccountTokenExpirationSeconds";
    private static final String SERVICE_ACCOUNT_TOKEN_AUDIENCE = "serviceAccountTokenAudience";
    private static final String SERVICE_ACCOUNT_VOLUME_NAME = "service-account-token";
    private static final String TRUST_CERT_VOLUME_NAME = "ca-cert";
    private static final String DEFAULT_MOUNT_DIR = "/etc/auth";
    private static final String FUNCTION_AUTH_TOKEN = "token";
    private static final String FUNCTION_CA_CERT = "ca.crt";
    private static final String DEFAULT_CERT_PATH = "/etc/auth/ca.crt";
    private String brokerTrustCertsSecretName;
    private long serviceAccountTokenExpirationSeconds;
    private String serviceAccountTokenAudience;

    @Override // org.apache.pulsar.functions.auth.KubernetesFunctionAuthProvider
    public void initialize(CoreV1Api coreV1Api, byte[] bArr, Function<Function.FunctionDetails, String> function, Map<String, Object> map) {
        setNamespaceProviderFunc(function);
        Object obj = map.get(BROKER_CLIENT_TRUST_CERTS_SECRET_NAME);
        if (obj instanceof String) {
            this.brokerTrustCertsSecretName = (String) obj;
        } else if (obj != null) {
            throw new IllegalArgumentException("Invalid value for brokerClientTrustCertsSecretName. Expected a string.");
        }
        Object obj2 = map.get(SERVICE_ACCOUNT_TOKEN_EXPIRATION_SECONDS);
        if (obj2 instanceof Long) {
            this.serviceAccountTokenExpirationSeconds = ((Long) obj2).longValue();
        } else if (obj2 instanceof String) {
            try {
                this.serviceAccountTokenExpirationSeconds = Long.parseLong((String) obj2);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("Invalid value for serviceAccountTokenExpirationSeconds. Expected a long.");
            }
        } else if (obj2 != null) {
            throw new IllegalArgumentException("Invalid value for serviceAccountTokenExpirationSeconds. Expected a long.");
        }
        Object obj3 = map.get(SERVICE_ACCOUNT_TOKEN_AUDIENCE);
        if (obj3 instanceof String) {
            this.serviceAccountTokenAudience = (String) obj3;
        } else if (obj3 != null) {
            throw new IllegalArgumentException("Invalid value for serviceAccountTokenAudience. Expected a string.");
        }
    }

    @Override // org.apache.pulsar.functions.auth.FunctionAuthProvider
    public void configureAuthenticationConfig(AuthenticationConfig authenticationConfig, Optional<FunctionAuthData> optional) {
        authenticationConfig.setClientAuthenticationPlugin(AuthenticationToken.class.getName());
        authenticationConfig.setClientAuthenticationParameters(Paths.get(DEFAULT_MOUNT_DIR, FUNCTION_AUTH_TOKEN).toUri().toString());
        if (StringUtil.isNotBlank(this.brokerTrustCertsSecretName)) {
            authenticationConfig.setTlsTrustCertsFilePath(DEFAULT_CERT_PATH);
        }
    }

    @Override // org.apache.pulsar.functions.auth.FunctionAuthProvider
    public Optional<FunctionAuthData> cacheAuthData(Function.FunctionDetails functionDetails, AuthenticationDataSource authenticationDataSource) throws Exception {
        return Optional.empty();
    }

    @Override // org.apache.pulsar.functions.auth.FunctionAuthProvider
    public Optional<FunctionAuthData> updateAuthData(Function.FunctionDetails functionDetails, Optional<FunctionAuthData> optional, AuthenticationDataSource authenticationDataSource) throws Exception {
        return Optional.empty();
    }

    @Override // org.apache.pulsar.functions.auth.FunctionAuthProvider
    public void cleanUpAuthData(Function.FunctionDetails functionDetails, Optional<FunctionAuthData> optional) throws Exception {
    }

    @Override // org.apache.pulsar.functions.auth.KubernetesFunctionAuthProvider
    public void initialize(CoreV1Api coreV1Api) {
    }

    @Override // org.apache.pulsar.functions.auth.KubernetesFunctionAuthProvider
    public void configureAuthDataStatefulSet(V1StatefulSet v1StatefulSet, Optional<FunctionAuthData> optional) {
        V1PodSpec spec = v1StatefulSet.getSpec().getTemplate().getSpec();
        if (StringUtil.isNotBlank(this.brokerTrustCertsSecretName)) {
            spec.addVolumesItem(createTrustCertVolume());
        }
        spec.addVolumesItem(createServiceAccountVolume());
        spec.getContainers().forEach(this::addVolumeMountsToContainer);
    }

    private V1Volume createServiceAccountVolume() {
        V1ProjectedVolumeSource v1ProjectedVolumeSource = new V1ProjectedVolumeSource();
        V1VolumeProjection v1VolumeProjection = new V1VolumeProjection();
        v1VolumeProjection.serviceAccountToken(new V1ServiceAccountTokenProjection().audience(this.serviceAccountTokenAudience).expirationSeconds(Long.valueOf(this.serviceAccountTokenExpirationSeconds)).path(FUNCTION_AUTH_TOKEN));
        v1ProjectedVolumeSource.addSourcesItem(v1VolumeProjection);
        return new V1Volume().name(SERVICE_ACCOUNT_VOLUME_NAME).projected(v1ProjectedVolumeSource);
    }

    private V1Volume createTrustCertVolume() {
        return new V1Volume().name(TRUST_CERT_VOLUME_NAME).secret(new V1SecretVolumeSource().secretName(this.brokerTrustCertsSecretName).addItemsItem(new V1KeyToPath().key(FUNCTION_CA_CERT).path(FUNCTION_CA_CERT)));
    }

    private void addVolumeMountsToContainer(V1Container v1Container) {
        v1Container.addVolumeMountsItem(new V1VolumeMount().name(SERVICE_ACCOUNT_VOLUME_NAME).mountPath(DEFAULT_MOUNT_DIR).readOnly(true));
        if (StringUtil.isNotBlank(this.brokerTrustCertsSecretName)) {
            v1Container.addVolumeMountsItem(new V1VolumeMount().name(TRUST_CERT_VOLUME_NAME).mountPath(DEFAULT_MOUNT_DIR).readOnly(true));
        }
    }
}
