package com.spotify.helios.client;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Optional;
import com.google.common.collect.ImmutableList;
import com.spotify.helios.common.HeliosException;
import com.spotify.sshagentproxy.AgentProxy;
import com.spotify.sshagentproxy.Identity;
import com.spotify.sshagenttls.CertFileHttpsHandler;
import com.spotify.sshagenttls.CertKeyPaths;
import com.spotify.sshagenttls.SshAgentHttpsHandler;
import java.io.IOException;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.SocketTimeoutException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.nio.file.Paths;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/spotify/helios/client/AuthenticatingHttpConnector.class */
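/**
 * {@link HttpConnector} that adds client authentication to requests before handing them to a
 * {@link DefaultHttpConnector}.
 *
 * <p>Credential selection, in priority order (see {@link #connect}):
 * <ol>
 *   <li>a client certificate/key file pair, when {@code clientCertificatePath} is present;</li>
 *   <li>the RSA identities held by the ssh-agent, tried one after another;</li>
 *   <li>no client credential at all.</li>
 * </ol>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Case 3 is a silent fallback: if the agent cannot be queried, or holds no RSA key, the
 *       request is sent unauthenticated and the only trace is a debug-level log line. Access
 *       control therefore rests entirely on the server rejecting such requests.</li>
 *   <li>Both HTTPS handlers are built with the fail-on-cert-error switch set to {@code false}.
 *       NOTE(review): presumably this means a failure to set up the client certificate does not
 *       abort the request; confirm against the sshagenttls handlers.</li>
 *   <li>Requests are addressed to the endpoint's IP literal rather than its hostname. Whether
 *       TLS hostname verification still uses the original hostname is decided by the delegate
 *       and is not visible in this class; verify it there.</li>
 *   <li>Every call installs a handler on the shared delegate via {@code setExtraHttpsHandler}.
 *       NOTE(review): concurrent {@code connect} calls on one instance could interleave those
 *       writes; confirm that instances are thread-confined.</li>
 * </ul>
 */
public class AuthenticatingHttpConnector implements HttpConnector {
    private static final Logger log = LoggerFactory.getLogger(AuthenticatingHttpConnector.class);
    private final String user;
    private final Optional<AgentProxy> agentProxy;
    private final Optional<CertKeyPaths> clientCertificatePath;
    private final List<Identity> identities;
    private final EndpointIterator endpointIterator;
    private final DefaultHttpConnector delegate;

    /**
     * Creates a connector whose SSH identities are read once, at construction time, from the
     * given agent proxy.
     *
     * @param str user name passed to the ssh-agent based HTTPS handler
     * @param optional ssh-agent proxy, if one is available
     * @param optional2 client certificate and key paths, if configured
     * @param endpointIterator source of the endpoint used for each connection attempt
     * @param defaultHttpConnector connector that performs the actual HTTP(S) exchange
     */
    public AuthenticatingHttpConnector(String str, Optional<AgentProxy> optional, Optional<CertKeyPaths> optional2, EndpointIterator endpointIterator, DefaultHttpConnector defaultHttpConnector) {
        this(str, optional, optional2, endpointIterator, defaultHttpConnector, getSshIdentities(optional));
    }

    /**
     * Same as the public constructor, but with the identity list supplied by the caller instead
     * of being read from the agent.
     *
     * @param list identities to try, in order, when no client certificate file is configured
     */
    @VisibleForTesting
    AuthenticatingHttpConnector(String str, Optional<AgentProxy> optional, Optional<CertKeyPaths> optional2, EndpointIterator endpointIterator, DefaultHttpConnector defaultHttpConnector, List<Identity> list) {
        this.user = str;
        this.agentProxy = optional;
        this.clientCertificatePath = optional2;
        this.endpointIterator = endpointIterator;
        this.delegate = defaultHttpConnector;
        this.identities = list;
    }

    /**
     * Sends the request to the next endpoint, choosing the strongest configured credential.
     *
     * @param uri request URI; only its path and query are used, the rest comes from the endpoint
     * @param str HTTP method
     * @param bArr request entity
     * @param map request headers
     * @return the connection returned by the delegate
     * @throws HeliosException if the target URI cannot be built or the connection fails
     */
    @Override
    public HttpURLConnection connect(URI uri, String str, byte[] bArr, Map<String, List<String>> map) throws HeliosException {
        final URI ipUri;
        try {
            ipUri = toIpUri(this.endpointIterator.next(), uri);
        } catch (URISyntaxException e) {
            throw new HeliosException(e);
        }

        try {
            // NOTE(review): ipUri carries the endpoint's user-info component (see toIpUri), so
            // any credential embedded in an endpoint URI ends up in this debug line and in the
            // exception messages below. Confirm endpoint URIs never contain user-info.
            log.debug("connecting to {}", ipUri);

            if (this.clientCertificatePath.isPresent()) {
                return connectWithCertificateFile(ipUri, str, bArr, map);
            }
            if (this.agentProxy.isPresent() && !this.identities.isEmpty()) {
                return connectWithIdentities(this.identities, ipUri, str, bArr, map);
            }
            // No certificate file and no usable agent identity: the request goes out without
            // any client credential.
            return doConnect(ipUri, str, bArr, map);
        } catch (ConnectException | SocketTimeoutException | UnknownHostException e) {
            log.debug(e.toString());
            throw new HeliosException("Unable to connect to master: " + ipUri, e);
        } catch (IOException e) {
            throw new HeliosException("Unexpected error connecting to " + ipUri, e);
        }
    }

    /**
     * Installs a certificate-file HTTPS handler on the delegate and connects.
     *
     * <p>Only reached when {@code clientCertificatePath} is present, so the {@code get()} call
     * cannot fail here.
     */
    private HttpURLConnection connectWithCertificateFile(URI uri, String method, byte[] entity, Map<String, List<String>> headers) throws HeliosException {
        CertKeyPaths certKeyPaths = this.clientCertificatePath.get();
        // NOTE(review): this logs whatever CertKeyPaths.toString() prints; presumably file paths
        // only, not key material. Confirm.
        log.debug("configuring CertificateFileHttpsHandler with {}", certKeyPaths);
        // NOTE(review): the leading `false` is presumably the fail-on-cert-error switch, matching
        // setFailOnCertError(false) in connectWithIdentities. Confirm against CertFileHttpsHandler.
        this.delegate.setExtraHttpsHandler(CertFileHttpsHandler.create(false, certKeyPaths));
        return doConnect(uri, method, entity, headers);
    }

    /**
     * Sends the request once per identity until the server stops answering 401/403 or the
     * identities run out; the last connection obtained is returned either way.
     *
     * <p>Consequences worth knowing: the full request (entity included) is re-sent on every
     * attempt, and each attempted identity is presented to the server in turn.
     *
     * @throws IllegalArgumentException if {@code list} is empty
     * @throws IOException if reading the response code fails
     */
    private HttpURLConnection connectWithIdentities(List<Identity> list, URI uri, String method, byte[] entity, Map<String, List<String>> headers) throws IOException, HeliosException {
        if (list.isEmpty()) {
            throw new IllegalArgumentException("identities cannot be empty");
        }

        // Work on a private copy so the caller's list is never consumed.
        LinkedList<Identity> remaining = new LinkedList<>(list);
        HttpURLConnection connection = null;

        while (!remaining.isEmpty()) {
            Identity identity = remaining.poll();

            // The certificate cache lives in ~/.helios.
            // NOTE(review): directory and file permissions are set by the handler, not here;
            // confirm they are restricted to the current user.
            this.delegate.setExtraHttpsHandler(SshAgentHttpsHandler.builder()
                    .setUser(this.user)
                    .setFailOnCertError(false)
                    .setAgentProxy(this.agentProxy.get())
                    .setIdentity(identity)
                    .setX500Principal(new X500Principal("C=US,O=Spotify,CN=helios-client"))
                    .setCertCacheDir(Paths.get(System.getProperty("user.home"), ".helios"))
                    .build());

            connection = doConnect(uri, method, entity, headers);

            int responseCode = connection.getResponseCode();
            boolean rejected = responseCode == HttpURLConnection.HTTP_FORBIDDEN
                    || responseCode == HttpURLConnection.HTTP_UNAUTHORIZED;
            if (!rejected || remaining.isEmpty()) {
                break;
            }

            log.debug("retrying with next SSH identity since {} failed", identity == null ? "the previous one" : identity.getComment());
            // The rejected connection is about to be replaced; release it instead of leaving
            // the socket open until it is garbage collected.
            connection.disconnect();
        }
        return connection;
    }

    /** Forwards the request to the delegate with whatever HTTPS handler is currently installed. */
    private HttpURLConnection doConnect(URI uri, String method, byte[] entity, Map<String, List<String>> headers) throws HeliosException {
        return this.delegate.connect(uri, method, entity, headers);
    }

    /**
     * Builds the URI actually contacted: scheme, user-info, port and path prefix come from the
     * endpoint, the host is the endpoint's IP literal, and the request contributes its path
     * (appended to the endpoint path) and query. The fragment is dropped.
     */
    private URI toIpUri(Endpoint endpoint, URI uri) throws URISyntaxException {
        URI endpointUri = endpoint.getUri();
        String host = endpoint.getIp().getHostAddress();
        String path = endpointUri.getPath() + uri.getPath();
        return new URI(endpointUri.getScheme(), endpointUri.getUserInfo(), host, endpointUri.getPort(), path, uri.getQuery(), null);
    }

    /**
     * Returns the RSA identities currently held by the ssh-agent, or an empty list when no agent
     * is present or the agent cannot be queried.
     *
     * <p>Non-RSA keys are skipped. Agent failures are deliberately best-effort: they are logged
     * at debug level only, after which the connector runs with no identities, i.e. it will send
     * unauthenticated requests unless a client certificate file is configured.
     */
    private static List<Identity> getSshIdentities(Optional<AgentProxy> optional) {
        ImmutableList.Builder<Identity> builder = ImmutableList.builder();
        if (optional.isPresent()) {
            try {
                for (Identity identity : optional.get().list()) {
                    if ("RSA".equals(identity.getPublicKey().getAlgorithm())) {
                        builder.add(identity);
                    }
                }
            } catch (Exception e) {
                // Identities added before the failure are kept.
                log.debug("Unable to get identities from ssh-agent. Note that this might not indicate an actual problem unless your Helios cluster requires authentication for all requests.", e);
            }
        }
        return builder.build();
    }

    /**
     * Closes the ssh-agent proxy if one was supplied; the delegate is not closed here.
     *
     * @throws IOException if closing the agent proxy fails
     */
    @Override
    public void close() throws IOException {
        if (this.agentProxy.isPresent()) {
            this.agentProxy.get().close();
        }
    }
}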
