package org.opencastproject.kernel.security;

import com.entwinemedia.fn.data.Opt;
import com.entwinemedia.fn.fns.Strings;
import java.io.IOException;
import java.lang.management.ManagementFactory;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.Header;
import org.apache.http.HeaderElement;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpHead;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.auth.DigestScheme;
import org.opencastproject.kernel.http.api.HttpClient;
import org.opencastproject.kernel.http.impl.HttpClientFactory;
import org.opencastproject.kernel.rest.CurrentJobFilter;
import org.opencastproject.security.api.Organization;
import org.opencastproject.security.api.SecurityService;
import org.opencastproject.security.api.TrustedHttpClient;
import org.opencastproject.security.api.TrustedHttpClientException;
import org.opencastproject.security.api.User;
import org.opencastproject.security.urlsigning.exception.UrlSigningException;
import org.opencastproject.security.urlsigning.service.UrlSigningService;
import org.opencastproject.security.util.HttpResponseWrapper;
import org.opencastproject.security.util.StandAloneTrustedHttpClientImpl;
import org.opencastproject.serviceregistry.api.ServiceRegistry;
import org.opencastproject.urlsigning.utils.ResourceRequestUtil;
import org.opencastproject.util.Log;
import org.opencastproject.util.OsgiUtil;
import org.opencastproject.util.data.Either;
import org.opencastproject.util.data.Function;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opencastproject/kernel/security/TrustedHttpClientImpl.class */
public class TrustedHttpClientImpl implements TrustedHttpClient, HttpConnectionMXBean {
    public static final String AUTHORIZATION_HEADER_NAME = "Authorization";
    private static final Logger logger = LoggerFactory.getLogger(TrustedHttpClientImpl.class);
    public static final String DIGEST_AUTH_USER_KEY = "org.opencastproject.security.digest.user";
    public static final String DIGEST_AUTH_PASS_KEY = "org.opencastproject.security.digest.pass";
    public static final String NONCE_TIMEOUT_RETRY_KEY = "org.opencastproject.security.digest.nonce.retries";
    protected static final String INTERNAL_URL_SIGNING_DURATION_KEY = "org.opencastproject.security.internal.url.signing.duration";
    public static final String NONCE_TIMEOUT_RETRY_BASE_TIME_KEY = "org.opencastproject.security.digest.nonce.base.time";
    public static final String NONCE_TIMEOUT_RETRY_MAXIMUM_VARIABLE_TIME_KEY = "org.opencastproject.security.digest.nonce.variable.time";
    public static final int DEFAULT_CONNECTION_TIMEOUT = 60000;
    public static final int DEFAULT_SOCKET_TIMEOUT = 300000;
    public static final int DEFAULT_NONCE_TIMEOUT_RETRIES = 12;
    private static final int MILLISECONDS_IN_SECONDS = 1000;
    public static final int DEFAULT_RETRY_BASE_TIME = 300;
    public static final int DEFAULT_RETRY_MAXIMUM_VARIABLE_TIME = 300;
    protected static final long DEFAULT_URL_SIGNING_EXPIRES_DURATION = 60;
    protected String user;
    protected String pass;
    private int nonceTimeoutRetries;
    protected Map<HttpResponse, HttpClient> responseMap;
    private Random generator;
    private HttpClientFactory httpClientFactory;
    private int retryBaseDelay;
    private int retryMaximumVariableTime;
    private long signedUrlExpiresDuration;
    private ServiceRegistry serviceRegistry;
    protected SecurityService securityService;
    protected UrlSigningService urlSigningService;

    public void activate(ComponentContext componentContext) {
        logger.debug("activate");
        this.user = componentContext.getBundleContext().getProperty(DIGEST_AUTH_USER_KEY);
        this.pass = componentContext.getBundleContext().getProperty(DIGEST_AUTH_PASS_KEY);
        if (this.user == null || this.pass == null) {
            throw new IllegalStateException("trusted communication is not properly configured");
        }
        getRetryNumber(componentContext);
        getRetryBaseTime(componentContext);
        getRetryMaximumVariableTime(componentContext);
        try {
            MBeanServer platformMBeanServer = ManagementFactory.getPlatformMBeanServer();
            ObjectName objectName = new ObjectName("org.opencastproject.security.api.TrustedHttpClient:type=HttpConnections");
            if (!platformMBeanServer.isRegistered(objectName)) {
                platformMBeanServer.registerMBean(this, objectName);
            }
        } catch (Exception e) {
            logger.warn("Unable to register {} as an mbean: {}", this, e);
        }
        Opt map = OsgiUtil.getOptContextProperty(componentContext, INTERNAL_URL_SIGNING_DURATION_KEY).toOpt().map(Strings.toLongF);
        if (map.isSome()) {
            this.signedUrlExpiresDuration = ((Long) map.get()).longValue();
            logger.debug("The property {} has been configured to expire signed URLs in {}.", INTERNAL_URL_SIGNING_DURATION_KEY, Log.getHumanReadableTimeString(this.signedUrlExpiresDuration));
        } else {
            this.signedUrlExpiresDuration = DEFAULT_URL_SIGNING_EXPIRES_DURATION;
            logger.debug("The property {} has not been configured, so the default is being used to expire signed URLs in {}.", INTERNAL_URL_SIGNING_DURATION_KEY, Log.getHumanReadableTimeString(this.signedUrlExpiresDuration));
        }
    }

    public void setServiceRegistry(ServiceRegistry serviceRegistry) {
        this.serviceRegistry = serviceRegistry;
    }

    public void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
    }

    public void setUrlSigningService(UrlSigningService urlSigningService) {
        this.urlSigningService = urlSigningService;
    }

    private void getRetryNumber(ComponentContext componentContext) {
        this.nonceTimeoutRetries = getIntFromComponentContext(componentContext, NONCE_TIMEOUT_RETRY_KEY, 12);
    }

    private void getRetryBaseTime(ComponentContext componentContext) {
        this.retryBaseDelay = getIntFromComponentContext(componentContext, NONCE_TIMEOUT_RETRY_BASE_TIME_KEY, 300);
    }

    private void getRetryMaximumVariableTime(ComponentContext componentContext) {
        this.retryMaximumVariableTime = getIntFromComponentContext(componentContext, NONCE_TIMEOUT_RETRY_MAXIMUM_VARIABLE_TIME_KEY, 300);
    }

    private int getIntFromComponentContext(ComponentContext componentContext, String str, int i) {
        int i2;
        try {
            i2 = Integer.parseInt(StringUtils.trimToNull(componentContext.getBundleContext().getProperty(str)));
        } catch (Exception e) {
            if (componentContext == null || componentContext.getBundleContext() == null || componentContext.getBundleContext().getProperty(str) == null) {
                logger.info("Unable to get property with key " + str + " so using default of " + i + " because of " + e.getMessage());
            } else {
                logger.info("Unable to get property with key " + str + " with value " + componentContext.getBundleContext().getProperty(str) + " so using default of " + i + " because of " + e.getMessage());
            }
            i2 = i;
        }
        return i2;
    }

    public void deactivate() {
        logger.debug("deactivate");
    }

    public void setHttpClientFactory(HttpClientFactory httpClientFactory) {
        this.httpClientFactory = httpClientFactory;
    }

    public TrustedHttpClientImpl() {
        this.user = null;
        this.pass = null;
        this.nonceTimeoutRetries = 12;
        this.responseMap = new ConcurrentHashMap();
        this.generator = new Random();
        this.httpClientFactory = null;
        this.retryBaseDelay = 300;
        this.retryMaximumVariableTime = 300;
        this.signedUrlExpiresDuration = DEFAULT_URL_SIGNING_EXPIRES_DURATION;
        this.serviceRegistry = null;
        this.securityService = null;
        this.urlSigningService = null;
    }

    public TrustedHttpClientImpl(String str, String str2) {
        this.user = null;
        this.pass = null;
        this.nonceTimeoutRetries = 12;
        this.responseMap = new ConcurrentHashMap();
        this.generator = new Random();
        this.httpClientFactory = null;
        this.retryBaseDelay = 300;
        this.retryMaximumVariableTime = 300;
        this.signedUrlExpiresDuration = DEFAULT_URL_SIGNING_EXPIRES_DURATION;
        this.serviceRegistry = null;
        this.securityService = null;
        this.urlSigningService = null;
        this.user = str;
        this.pass = str2;
    }

    public HttpClient makeHttpClient(int i, int i2) throws TrustedHttpClientException {
        if (this.httpClientFactory == null) {
            throw new TrustedHttpClientException(new NullPointerException("There is no DefaultHttpClientFactory service available so we cannot make a request"));
        }
        HttpClient makeHttpClient = this.httpClientFactory.makeHttpClient();
        makeHttpClient.getParams().setIntParameter("http.connection.timeout", i);
        makeHttpClient.getParams().setIntParameter("http.socket.timeout", i2);
        return makeHttpClient;
    }

    public <A> Function<Function<HttpResponse, A>, Either<Exception, A>> run(HttpUriRequest httpUriRequest) {
        return StandAloneTrustedHttpClientImpl.run(this, httpUriRequest);
    }

    public <A> TrustedHttpClient.RequestRunner<A> runner(HttpUriRequest httpUriRequest) {
        return StandAloneTrustedHttpClientImpl.runner(this, httpUriRequest);
    }

    public HttpResponse execute(HttpUriRequest httpUriRequest) throws TrustedHttpClientException {
        return execute(httpUriRequest, DEFAULT_CONNECTION_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
    }

    public HttpResponse execute(HttpUriRequest httpUriRequest, int i, int i2) throws TrustedHttpClientException {
        HttpResponseWrapper httpResponseWrapper;
        HttpClient makeHttpClient = makeHttpClient(i, i2);
        httpUriRequest.setHeader(DelegatingAuthenticationEntryPoint.REQUESTED_AUTH_HEADER, DelegatingAuthenticationEntryPoint.DIGEST_AUTH);
        httpUriRequest.setHeader("X-Opencast-Matterhorn-Authorization", "true");
        if (this.serviceRegistry != null && this.serviceRegistry.getCurrentJob() != null) {
            httpUriRequest.setHeader(CurrentJobFilter.CURRENT_JOB_HEADER, Long.toString(this.serviceRegistry.getCurrentJob().getId()));
        }
        logger.debug("Adding security context to request");
        Organization organization = this.securityService.getOrganization();
        if (organization != null) {
            httpUriRequest.setHeader("X-Opencast-Matterhorn-Organization", organization.getId());
            User user = this.securityService.getUser();
            if (user != null) {
                httpUriRequest.setHeader("X-Opencast-Matterhorn-User", user.getUsername());
            }
        }
        if ("GET".equalsIgnoreCase(httpUriRequest.getMethod()) || "HEAD".equalsIgnoreCase(httpUriRequest.getMethod())) {
            makeHttpClient.getCredentialsProvider().setCredentials(new AuthScope(AuthScope.ANY_HOST, -1, AuthScope.ANY_REALM, DelegatingAuthenticationEntryPoint.DIGEST_AUTH), new UsernamePasswordCredentials(this.user, this.pass));
            try {
                Opt<HttpUriRequest> signedUrl = getSignedUrl(httpUriRequest);
                if (signedUrl.isSome()) {
                    logger.debug("Adding url signing to request {} so that it is {}", httpUriRequest.getURI().toString(), ((HttpUriRequest) signedUrl.get()).getURI().toString());
                    httpResponseWrapper = new HttpResponseWrapper(makeHttpClient.execute((HttpUriRequest) signedUrl.get()));
                } else {
                    logger.debug("Not adding url signing to request {}", httpUriRequest.getURI().toString());
                    httpResponseWrapper = new HttpResponseWrapper(makeHttpClient.execute(httpUriRequest));
                }
                this.responseMap.put(httpResponseWrapper, makeHttpClient);
                return httpResponseWrapper;
            } catch (IOException e) {
                makeHttpClient.getConnectionManager().shutdown();
                throw new TrustedHttpClientException(e);
            }
        }
        manuallyHandleDigestAuthentication(httpUriRequest, makeHttpClient);
        HttpResponse httpResponse = null;
        try {
            httpResponse = new HttpResponseWrapper(makeHttpClient.execute(httpUriRequest));
            if (this.nonceTimeoutRetries > 0 && hadNonceTimeoutResponse(httpResponse)) {
                makeHttpClient.getConnectionManager().shutdown();
                httpResponse = retryAuthAndRequestAfterNonceTimeout(httpUriRequest, httpResponse);
            }
            this.responseMap.put(httpResponse, makeHttpClient);
            return httpResponse;
        } catch (Exception e2) {
            if (httpResponse != null) {
                this.responseMap.remove(httpResponse);
            }
            makeHttpClient.getConnectionManager().shutdown();
            throw new TrustedHttpClientException(e2);
        }
    }

    protected Opt<HttpUriRequest> getSignedUrl(HttpUriRequest httpUriRequest) throws TrustedHttpClientException {
        if ((!"GET".equalsIgnoreCase(httpUriRequest.getMethod()) && !"HEAD".equalsIgnoreCase(httpUriRequest.getMethod())) || !ResourceRequestUtil.isNotSigned(httpUriRequest.getURI()) || !this.urlSigningService.accepts(httpUriRequest.getURI().toString())) {
            logger.trace("Not signing request with method: {} and URI: {}", httpUriRequest.getMethod(), httpUriRequest.getURI().toString());
            return Opt.none();
        }
        logger.trace("Signing request with method: {} and URI: {}", httpUriRequest.getMethod(), httpUriRequest.getURI().toString());
        try {
            String sign = this.urlSigningService.sign(httpUriRequest.getURI().toString(), Long.valueOf(this.signedUrlExpiresDuration), (Long) null, (String) null);
            HttpRequestBase httpGet = "GET".equalsIgnoreCase(httpUriRequest.getMethod()) ? new HttpGet(sign) : new HttpHead(sign);
            httpGet.setProtocolVersion(httpUriRequest.getProtocolVersion());
            for (Header header : httpUriRequest.getAllHeaders()) {
                httpGet.addHeader(header);
            }
            return Opt.some(httpGet);
        } catch (UrlSigningException e) {
            throw new TrustedHttpClientException(e);
        }
    }

    private HttpResponse retryAuthAndRequestAfterNonceTimeout(HttpUriRequest httpUriRequest, HttpResponse httpResponse) throws TrustedHttpClientException, IOException, ClientProtocolException {
        httpUriRequest.removeHeaders(AUTHORIZATION_HEADER_NAME);
        int i = 0;
        while (true) {
            if (i >= this.nonceTimeoutRetries) {
                break;
            }
            HttpClient makeHttpClient = makeHttpClient(DEFAULT_CONNECTION_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
            int i2 = 0;
            if (this.retryMaximumVariableTime > 0) {
                i2 = this.generator.nextInt(this.retryMaximumVariableTime * MILLISECONDS_IN_SECONDS);
            }
            long j = (this.retryBaseDelay * MILLISECONDS_IN_SECONDS) + i2;
            if (j > 0) {
                logger.info("Sleeping " + j + "ms before trying request " + httpUriRequest.getURI() + " again due to a " + httpResponse.getStatusLine());
                try {
                    Thread.sleep(j);
                } catch (InterruptedException e) {
                    logger.error("Suffered InteruptedException while trying to sleep until next retry.", e);
                }
            }
            manuallyHandleDigestAuthentication(httpUriRequest, makeHttpClient);
            httpResponse = new HttpResponseWrapper(makeHttpClient.execute(httpUriRequest));
            if (!hadNonceTimeoutResponse(httpResponse)) {
                this.responseMap.put(httpResponse, makeHttpClient);
                break;
            }
            makeHttpClient.getConnectionManager().shutdown();
            i++;
        }
        return httpResponse;
    }

    private boolean hadNonceTimeoutResponse(HttpResponse httpResponse) {
        return 401 == httpResponse.getStatusLine().getStatusCode() && "Nonce has expired/timed out".equals(httpResponse.getStatusLine().getReasonPhrase());
    }

    private void manuallyHandleDigestAuthentication(HttpUriRequest httpUriRequest, HttpClient httpClient) throws TrustedHttpClientException {
        try {
            HttpRequestBase httpRequestBase = (HttpRequestBase) httpUriRequest.getClass().newInstance();
            httpRequestBase.setURI(httpUriRequest.getURI());
            httpRequestBase.setHeader(DelegatingAuthenticationEntryPoint.REQUESTED_AUTH_HEADER, DelegatingAuthenticationEntryPoint.DIGEST_AUTH);
            String[] realmAndNonce = getRealmAndNonce(httpRequestBase);
            if (realmAndNonce != null) {
                UsernamePasswordCredentials usernamePasswordCredentials = new UsernamePasswordCredentials(this.user, this.pass);
                DigestScheme digestScheme = new DigestScheme();
                digestScheme.overrideParamter("realm", realmAndNonce[0]);
                digestScheme.overrideParamter("nonce", realmAndNonce[1]);
                try {
                    httpUriRequest.setHeader(digestScheme.authenticate(usernamePasswordCredentials, httpUriRequest));
                } catch (Exception e) {
                    httpClient.getConnectionManager().shutdown();
                    throw new TrustedHttpClientException(e);
                }
            }
        } catch (Exception e2) {
            throw new IllegalStateException("Can not create a new " + httpUriRequest.getClass().getName());
        }
    }

    public <T> T execute(HttpUriRequest httpUriRequest, ResponseHandler<T> responseHandler, int i, int i2) throws TrustedHttpClientException {
        try {
            return responseHandler.handleResponse(execute(httpUriRequest, i, i2));
        } catch (IOException e) {
            throw new TrustedHttpClientException(e);
        }
    }

    public void close(HttpResponse httpResponse) {
        if (httpResponse == null) {
            logger.debug("Can not close a null response");
            return;
        }
        HttpClient remove = this.responseMap.remove(httpResponse);
        if (remove != null) {
            remove.getConnectionManager().shutdown();
        }
    }

    public <T> T execute(HttpUriRequest httpUriRequest, ResponseHandler<T> responseHandler) throws TrustedHttpClientException {
        return (T) execute(httpUriRequest, responseHandler, DEFAULT_CONNECTION_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
    }

    protected String[] getRealmAndNonce(HttpRequestBase httpRequestBase) throws TrustedHttpClientException {
        HttpClient makeHttpClient = makeHttpClient(DEFAULT_CONNECTION_TIMEOUT, DEFAULT_SOCKET_TIMEOUT);
        try {
            Header[] headers = new HttpResponseWrapper(makeHttpClient.execute(httpRequestBase)).getHeaders("WWW-Authenticate");
            if (headers == null || headers.length == 0) {
                logger.warn("URI {} does not support digest authentication", httpRequestBase.getURI());
                makeHttpClient.getConnectionManager().shutdown();
                return null;
            }
            String str = null;
            String str2 = null;
            for (HeaderElement headerElement : headers[0].getElements()) {
                if ("nonce".equals(headerElement.getName())) {
                    str = headerElement.getValue();
                } else if ("Digest realm".equals(headerElement.getName())) {
                    str2 = headerElement.getValue();
                }
            }
            makeHttpClient.getConnectionManager().shutdown();
            return new String[]{str2, str};
        } catch (IOException e) {
            makeHttpClient.getConnectionManager().shutdown();
            throw new TrustedHttpClientException(e);
        }
    }

    @Override // org.opencastproject.kernel.security.HttpConnectionMXBean
    public int getOpenConnections() {
        return this.responseMap.size();
    }

    public int getNonceTimeoutRetries() {
        return this.nonceTimeoutRetries;
    }

    public int getRetryBaseDelay() {
        return this.retryBaseDelay;
    }

    public int getRetryMaximumVariableTime() {
        return this.retryMaximumVariableTime;
    }
}
