package org.apache.jackrabbit.oak.blob.cloud.azure.blobstorage;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.microsoft.azure.storage.CloudStorageAccount;
import com.microsoft.azure.storage.StorageCredentials;
import com.microsoft.azure.storage.StorageCredentialsToken;
import com.microsoft.azure.storage.StorageException;
import com.microsoft.azure.storage.UserDelegationKey;
import com.microsoft.azure.storage.blob.BlobRequestOptions;
import com.microsoft.azure.storage.blob.CloudBlobClient;
import com.microsoft.azure.storage.blob.CloudBlobContainer;
import com.microsoft.azure.storage.blob.CloudBlockBlob;
import com.microsoft.azure.storage.blob.SharedAccessBlobHeaders;
import com.microsoft.azure.storage.blob.SharedAccessBlobPermissions;
import com.microsoft.azure.storage.blob.SharedAccessBlobPolicy;
import java.io.Closeable;
import java.net.URISyntaxException;
import java.security.InvalidKeyException;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.util.Date;
import java.util.EnumSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Properties;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.core.data.DataStoreException;
import org.apache.jackrabbit.oak.commons.concurrent.ExecutorCloser;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/blob/cloud/azure/blobstorage/AzureBlobContainerProvider.class */
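/**
 * Resolves a {@link CloudBlobContainer} for a configured Azure Blob Storage container and
 * issues shared access signatures (SAS) for blobs inside it.
 *
 * <p>Credentials are tried in a fixed order, see {@link #getBlobContainer(BlobRequestOptions)}:
 * connection string, service principal (tenant id / client id / client secret), SAS token,
 * and finally account name plus account key.
 *
 * <p>When the service principal path is used, an OAuth access token is acquired on first use
 * and a single-threaded scheduler refreshes it in the background. Callers must
 * {@link #close()} the provider to stop that scheduler.
 *
 * <p>Security notes: every credential (connection string, SAS token, account key, client
 * secret) is held as a plain {@code String} for the lifetime of the provider. None of them is
 * written to the log by this class; only the chosen authentication method and token
 * timestamps are logged.
 */
public class AzureBlobContainerProvider implements Closeable {
    private static final Logger log = LoggerFactory.getLogger(AzureBlobContainerProvider.class);
    private static final String DEFAULT_ENDPOINT_SUFFIX = "core.windows.net";
    private static final String AZURE_DEFAULT_SCOPE = "https://storage.azure.com/.default";
    /** Minutes before the background refresher first checks the token expiry. */
    private static final long TOKEN_REFRESHER_INITIAL_DELAY = 45;
    /** Minutes between two consecutive expiry checks of the background refresher. */
    private static final long TOKEN_REFRESHER_DELAY = 1;

    private final String azureConnectionString;
    private final String accountName;
    private final String containerName;
    private final String blobEndpoint;
    private final String sasToken;
    private final String accountKey;
    private final String tenantId;
    private final String clientId;
    private final String clientSecret;

    // Written by the caller thread on first use and by the refresher thread afterwards, so
    // these are volatile to make every update visible across threads.
    private volatile ClientSecretCredential clientSecretCredential;
    private volatile AccessToken accessToken;
    private volatile StorageCredentialsToken storageCredentialsToken;

    private final ScheduledExecutorService executorService = Executors.newSingleThreadScheduledExecutor();

    /**
     * Fluent builder for {@link AzureBlobContainerProvider}. Only the container name is
     * mandatory; which of the optional credentials ends up being used is decided by
     * {@link AzureBlobContainerProvider#getBlobContainer(BlobRequestOptions)}.
     */
    public static class Builder {
        private final String containerName;
        private String azureConnectionString;
        private String accountName;
        private String blobEndpoint;
        private String sasToken;
        private String accountKey;
        private String tenantId;
        private String clientId;
        private String clientSecret;

        private Builder(String containerName) {
            this.containerName = containerName;
        }

        /**
         * Creates a builder for the given container.
         *
         * @param containerName name of the blob container the provider will resolve
         * @return a new builder
         */
        public static Builder builder(String containerName) {
            return new Builder(containerName);
        }

        /** Sets the full connection string; when non-blank it overrides every other credential. */
        public Builder withAzureConnectionString(String azureConnectionString) {
            this.azureConnectionString = azureConnectionString;
            return this;
        }

        /** Sets the storage account name. */
        public Builder withAccountName(String accountName) {
            this.accountName = accountName;
            return this;
        }

        /** Sets the blob endpoint used by the SAS token and account key paths. */
        public Builder withBlobEndpoint(String blobEndpoint) {
            this.blobEndpoint = blobEndpoint;
            return this;
        }

        /** Sets a pre-issued SAS token. */
        public Builder withSasToken(String sasToken) {
            this.sasToken = sasToken;
            return this;
        }

        /** Sets the storage account key. */
        public Builder withAccountKey(String accountKey) {
            this.accountKey = accountKey;
            return this;
        }

        /** Sets the tenant id of the service principal. */
        public Builder withTenantId(String tenantId) {
            this.tenantId = tenantId;
            return this;
        }

        /** Sets the client id of the service principal. */
        public Builder withClientId(String clientId) {
            this.clientId = clientId;
            return this;
        }

        /** Sets the client secret of the service principal. */
        public Builder withClientSecret(String clientSecret) {
            this.clientSecret = clientSecret;
            return this;
        }

        /**
         * Populates every optional setting from {@code properties}; a missing key yields the
         * empty string, which the provider treats as "not configured".
         *
         * @param properties configuration to read from, must not be {@code null}
         * @return this builder
         */
        public Builder initializeWithProperties(Properties properties) {
            withAzureConnectionString(properties.getProperty(AzureConstants.AZURE_CONNECTION_STRING, ""));
            // The account name is read from the property named "accessKey" and the account
            // key from "secretKey"; the names are easy to mix up when writing configuration.
            withAccountName(properties.getProperty("accessKey", ""));
            withBlobEndpoint(properties.getProperty(AzureConstants.AZURE_BLOB_ENDPOINT, ""));
            withSasToken(properties.getProperty(AzureConstants.AZURE_SAS, ""));
            withAccountKey(properties.getProperty("secretKey", ""));
            withTenantId(properties.getProperty(AzureConstants.AZURE_TENANT_ID, ""));
            withClientId(properties.getProperty(AzureConstants.AZURE_CLIENT_ID, ""));
            withClientSecret(properties.getProperty(AzureConstants.AZURE_CLIENT_SECRET, ""));
            return this;
        }

        /** Builds the provider from the values collected so far. */
        public AzureBlobContainerProvider build() {
            return new AzureBlobContainerProvider(this);
        }
    }

    /**
     * Periodic task that replaces the access token once it is within five minutes of its
     * expiry. Any failure is logged and swallowed so that the scheduler keeps running and
     * retries on the next tick.
     */
    public class TokenRefresher implements Runnable {
        private TokenRefresher() {
        }

        @Override
        public void run() {
            try {
                log.debug("Checking for azure access token expiry at: {}", LocalDateTime.now());
                OffsetDateTime refreshThreshold = OffsetDateTime.now().plusMinutes(5L);
                // Read the shared field once so the check and the log line see the same token.
                AccessToken current = accessToken;
                OffsetDateTime expiresAt = current.getExpiresAt();
                if (expiresAt == null || !expiresAt.isBefore(refreshThreshold)) {
                    return;
                }
                log.info("Access token is about to expire (5 minutes or less) at: {}. New access token will be generated", expiresAt.format(DateTimeFormatter.ISO_LOCAL_DATE_TIME));
                AccessToken renewed = clientSecretCredential.getTokenSync(new TokenRequestContext().addScopes(AZURE_DEFAULT_SCOPE));
                log.info("New azure access token generated at: {}", LocalDateTime.now());
                if (renewed == null || StringUtils.isBlank(renewed.getToken())) {
                    // Keep the old token; it stays usable until it actually expires.
                    log.error("New access token is null or empty");
                    return;
                }
                accessToken = renewed;
                storageCredentialsToken.updateToken(renewed.getToken());
            } catch (Exception e) {
                // Must not propagate: an exception would cancel all future scheduled runs.
                log.error("Error while acquiring new access token: ", e);
            }
        }
    }

    private AzureBlobContainerProvider(Builder builder) {
        this.azureConnectionString = builder.azureConnectionString;
        this.accountName = builder.accountName;
        this.containerName = builder.containerName;
        this.blobEndpoint = builder.blobEndpoint;
        this.sasToken = builder.sasToken;
        this.accountKey = builder.accountKey;
        this.tenantId = builder.tenantId;
        this.clientId = builder.clientId;
        this.clientSecret = builder.clientSecret;
    }

    /** Returns the name of the container this provider resolves. */
    public String getContainerName() {
        return this.containerName;
    }

    /**
     * Resolves the container using the SDK's default request options.
     *
     * @return the container reference
     * @throws DataStoreException if the container reference cannot be created
     */
    @NotNull
    public CloudBlobContainer getBlobContainer() throws DataStoreException {
        return getBlobContainer(null);
    }

    /**
     * Resolves the container with the first credential that is configured, in this order:
     * connection string, service principal, SAS token, account key.
     *
     * @param blobRequestOptions request options to apply, or {@code null} for the defaults
     * @return the container reference
     * @throws DataStoreException if the container reference cannot be created
     */
    @NotNull
    public CloudBlobContainer getBlobContainer(@Nullable BlobRequestOptions blobRequestOptions) throws DataStoreException {
        if (StringUtils.isNotBlank(this.azureConnectionString)) {
            log.debug("connecting to azure blob storage via azureConnectionString");
            return Utils.getBlobContainer(this.azureConnectionString, this.containerName, blobRequestOptions);
        }
        if (authenticateViaServicePrincipal()) {
            log.debug("connecting to azure blob storage via service principal credentials");
            return getBlobContainerFromServicePrincipals(blobRequestOptions);
        }
        if (StringUtils.isNotBlank(this.sasToken)) {
            log.debug("connecting to azure blob storage via sas token");
            String sasConnectionString = Utils.getConnectionStringForSas(this.sasToken, this.blobEndpoint, this.accountName);
            return Utils.getBlobContainer(sasConnectionString, this.containerName, blobRequestOptions);
        }
        log.debug("connecting to azure blob storage via access key");
        String keyConnectionString = Utils.getConnectionString(this.accountName, this.accountKey, this.blobEndpoint);
        return Utils.getBlobContainer(keyConnectionString, this.containerName, blobRequestOptions);
    }

    /**
     * Builds a container reference authenticated with the service principal's token.
     * The account is always addressed over HTTPS with the {@code core.windows.net} suffix;
     * the configured blob endpoint is not consulted on this path.
     */
    @NotNull
    private CloudBlobContainer getBlobContainerFromServicePrincipals(@Nullable BlobRequestOptions blobRequestOptions) throws DataStoreException {
        try {
            CloudStorageAccount account = new CloudStorageAccount(getStorageCredentials(), true, DEFAULT_ENDPOINT_SUFFIX, this.accountName);
            CloudBlobClient blobClient = account.createCloudBlobClient();
            if (blobRequestOptions != null) {
                blobClient.setDefaultRequestOptions(blobRequestOptions);
            }
            return blobClient.getContainerReference(this.containerName);
        } catch (StorageException | URISyntaxException e) {
            throw new DataStoreException(e);
        }
    }

    /**
     * Returns the token credentials for the service principal, acquiring the first access
     * token and starting the background refresher on the first call.
     *
     * <p>Synchronized so that concurrent first calls cannot each acquire a token and schedule
     * their own refresher. The fields are assigned only after the token has been validated;
     * a failed attempt therefore leaves no half-initialised state behind and the next call
     * simply retries.
     *
     * @throws IllegalArgumentException if the identity service returns no usable token
     */
    @NotNull
    private synchronized StorageCredentialsToken getStorageCredentials() {
        if (this.accessToken == null) {
            ClientSecretCredential credential = new ClientSecretCredentialBuilder()
                    .clientId(this.clientId)
                    .clientSecret(this.clientSecret)
                    .tenantId(this.tenantId)
                    .build();
            AccessToken token = credential.getTokenSync(new TokenRequestContext().addScopes(AZURE_DEFAULT_SCOPE));
            if (token == null || StringUtils.isBlank(token.getToken())) {
                log.error("Access token is null or empty");
                throw new IllegalArgumentException("Could not connect to azure storage, access token is null or empty");
            }
            this.clientSecretCredential = credential;
            this.storageCredentialsToken = new StorageCredentialsToken(this.accountName, token.getToken());
            // Published last: a non-null accessToken signals that the other two fields are set.
            this.accessToken = token;
            log.info("starting refresh token task at: {}", OffsetDateTime.now());
            this.executorService.scheduleWithFixedDelay(new TokenRefresher(), TOKEN_REFRESHER_INITIAL_DELAY, TOKEN_REFRESHER_DELAY, TimeUnit.MINUTES);
        }
        return Objects.requireNonNull(this.storageCredentialsToken, "storage credentials token cannot be null");
    }

    /**
     * Generates a SAS for a single blob. With service principal authentication the SAS is
     * signed with a user delegation key, otherwise with the account credentials of the
     * resolved container.
     *
     * <p>The expiry is {@code now + expirySeconds} and is not bounded here; callers are
     * responsible for keeping the lifetime and the permission set as small as the use case
     * allows, since anyone holding the returned signature can use it until it expires.
     *
     * @param blobRequestOptions request options for resolving the container, may be {@code null}
     * @param key name of the blob inside the container
     * @param permissions permissions granted by the signature
     * @param expirySeconds lifetime of the signature in seconds, counted from now
     * @param optionalHeaders response headers to bind into the signature, or {@code null}
     * @return the generated shared access signature
     */
    @NotNull
    public String generateSharedAccessSignature(BlobRequestOptions blobRequestOptions, String key, EnumSet<SharedAccessBlobPermissions> permissions, int expirySeconds, SharedAccessBlobHeaders optionalHeaders) throws DataStoreException, URISyntaxException, StorageException, InvalidKeyException {
        Date expiry = Date.from(Instant.now().plusSeconds(expirySeconds));
        SharedAccessBlobPolicy policy = new SharedAccessBlobPolicy();
        policy.setSharedAccessExpiryTime(expiry);
        policy.setPermissions(permissions);
        CloudBlockBlob blob = getBlobContainer(blobRequestOptions).getBlockBlobReference(key);
        if (authenticateViaServicePrincipal()) {
            return generateUserDelegationKeySignedSas(blob, policy, optionalHeaders, expiry);
        }
        return generateSas(blob, policy, optionalHeaders);
    }

    /**
     * Signs the SAS with a user delegation key that is valid from 15 minutes in the past
     * until {@code expiry}. The backdated start presumably absorbs clock skew between this
     * host and the storage service.
     */
    @NotNull
    private String generateUserDelegationKeySignedSas(CloudBlockBlob blob, SharedAccessBlobPolicy policy, SharedAccessBlobHeaders optionalHeaders, Date expiry) throws StorageException {
        fillEmptyHeaders(optionalHeaders);
        Date keyStart = Date.from(Instant.now().minusSeconds(900L));
        UserDelegationKey userDelegationKey = blob.getServiceClient().getUserDelegationKey(keyStart, expiry);
        if (optionalHeaders == null) {
            return blob.generateUserDelegationSharedAccessSignature(userDelegationKey, policy);
        }
        // NOTE(review): the two trailing nulls look like the IP range and protocol
        // restrictions of the SDK overload, i.e. none is applied - confirm against the SDK.
        return blob.generateUserDelegationSharedAccessSignature(userDelegationKey, policy, optionalHeaders, null, null);
    }

    /** Replaces every blank header value with the empty string; a {@code null} argument is ignored. */
    private void fillEmptyHeaders(SharedAccessBlobHeaders headers) {
        if (headers == null) {
            return;
        }
        if (StringUtils.isBlank(headers.getCacheControl())) {
            headers.setCacheControl("");
        }
        if (StringUtils.isBlank(headers.getContentDisposition())) {
            headers.setContentDisposition("");
        }
        if (StringUtils.isBlank(headers.getContentEncoding())) {
            headers.setContentEncoding("");
        }
        if (StringUtils.isBlank(headers.getContentLanguage())) {
            headers.setContentLanguage("");
        }
        if (StringUtils.isBlank(headers.getContentType())) {
            headers.setContentType("");
        }
    }

    /** Signs the SAS with the credentials the blob reference was created with. */
    @NotNull
    private String generateSas(CloudBlockBlob blob, SharedAccessBlobPolicy policy, SharedAccessBlobHeaders optionalHeaders) throws InvalidKeyException, StorageException {
        if (optionalHeaders == null) {
            return blob.generateSharedAccessSignature(policy, null);
        }
        // NOTE(review): the trailing 'true' is presumably the SDK's skip-decoding flag and the
        // three nulls the stored policy id, IP range and protocols - confirm against the SDK.
        return blob.generateSharedAccessSignature(policy, optionalHeaders, null, null, null, true);
    }

    /**
     * Service principal authentication applies only when no connection string is set and
     * account name, tenant id, client id and client secret are all non-blank.
     */
    private boolean authenticateViaServicePrincipal() {
        return StringUtils.isBlank(this.azureConnectionString)
                && StringUtils.isNoneBlank(this.accountName, this.tenantId, this.clientId, this.clientSecret);
    }

    /** Shuts down the token refresh scheduler via {@link ExecutorCloser}. */
    @Override
    public void close() {
        new ExecutorCloser(this.executorService).close();
        log.info("Refresh token executor service shutdown completed");
    }
}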
