package org.apache.hadoop.hdds.security.symmetric;

import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Objects;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.hdds.protocol.SecretKeyProtocol;
import org.apache.hadoop.hdds.security.exception.SCMSecretKeyException;
import org.apache.hadoop.hdds.utils.RetriableTask;
import org.apache.hadoop.io.retry.RetryPolicies;
import org.apache.hadoop.io.retry.RetryPolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/symmetric/DefaultSecretKeySignerClient.class */
public class DefaultSecretKeySignerClient implements SecretKeySignerClient {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultSecretKeySignerClient.class);
    private final SecretKeyProtocol secretKeyProtocol;
    private final AtomicReference<ManagedSecretKey> cache = new AtomicReference<>();
    private final ThreadFactory threadFactory;
    private ScheduledExecutorService executorService;

    public DefaultSecretKeySignerClient(SecretKeyProtocol secretKeyProtocol, String str) {
        this.secretKeyProtocol = secretKeyProtocol;
        this.threadFactory = new ThreadFactoryBuilder().setNameFormat(str + "SecretKeyPoller").setDaemon(true).build();
    }

    @Override // org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient
    public ManagedSecretKey getCurrentSecretKey() {
        return (ManagedSecretKey) Objects.requireNonNull(this.cache.get(), "SecretKey client must have been initialized already.");
    }

    @Override // org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient
    public void refetchSecretKey() {
        checkAndRefresh(Duration.ZERO);
    }

    @Override // org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient
    public void start(ConfigurationSource configurationSource) throws IOException {
        ManagedSecretKey loadInitialSecretKey = loadInitialSecretKey();
        LOG.info("Initial secret key fetched from SCM: {}.", loadInitialSecretKey);
        this.cache.set(loadInitialSecretKey);
        scheduleSecretKeyPoller(configurationSource, loadInitialSecretKey.getCreationTime());
    }

    private ManagedSecretKey loadInitialSecretKey() throws IOException {
        int i = 100;
        int i2 = 10;
        RetryPolicy exponentialBackoffRetry = RetryPolicies.exponentialBackoffRetry(10, 1, TimeUnit.SECONDS);
        RetryPolicy retryPolicy = (exc, i3, i4, z) -> {
            return ((exc instanceof SCMSecretKeyException) && ((SCMSecretKeyException) exc).getErrorCode() == SCMSecretKeyException.ErrorCode.SECRET_KEY_NOT_INITIALIZED && i3 < i) ? exponentialBackoffRetry.shouldRetry(exc, i3 % i2, i4, z) : RetryPolicy.RetryAction.FAIL;
        };
        SecretKeyProtocol secretKeyProtocol = this.secretKeyProtocol;
        secretKeyProtocol.getClass();
        try {
            return (ManagedSecretKey) new RetriableTask(retryPolicy, "getCurrentSecretKey", secretKeyProtocol::getCurrentSecretKey).call();
        } catch (IOException e) {
            throw e;
        } catch (Exception e2) {
            throw new IllegalStateException("Unexpected exception getting current secret key", e2);
        }
    }

    @Override // org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient
    public void stop() {
        if (this.executorService != null) {
            this.executorService.shutdown();
            try {
                if (this.executorService.awaitTermination(1L, TimeUnit.MINUTES)) {
                    this.executorService.shutdownNow();
                }
            } catch (InterruptedException e) {
                LOG.error("Interrupted while shutting down executor service.", e);
                Thread.currentThread().interrupt();
            }
        }
    }

    private void scheduleSecretKeyPoller(ConfigurationSource configurationSource, Instant instant) {
        Duration parseRotateDuration = SecretKeyConfig.parseRotateDuration(configurationSource);
        Instant plus = instant.plus((TemporalAmount) parseRotateDuration);
        this.executorService = Executors.newScheduledThreadPool(1, this.threadFactory);
        Duration parseRotateCheckDuration = SecretKeyConfig.parseRotateCheckDuration(configurationSource);
        Duration between = Duration.between(Instant.now(), plus);
        LOG.info("Scheduling SecretKeyPoller with initial delay of {} and interval of {}", between, parseRotateCheckDuration);
        this.executorService.scheduleAtFixedRate(() -> {
            checkAndRefresh(parseRotateDuration);
        }, between.toMillis(), parseRotateCheckDuration.toMillis(), TimeUnit.MILLISECONDS);
    }

    private synchronized void checkAndRefresh(Duration duration) {
        ManagedSecretKey managedSecretKey = this.cache.get();
        if (managedSecretKey.getCreationTime().plus((TemporalAmount) duration).isBefore(Instant.now())) {
            try {
                ManagedSecretKey currentSecretKey = this.secretKeyProtocol.getCurrentSecretKey();
                if (!currentSecretKey.equals(managedSecretKey)) {
                    this.cache.set(currentSecretKey);
                    LOG.info("New secret key fetched from SCM: {}.", currentSecretKey);
                }
            } catch (IOException e) {
                throw new UncheckedIOException("Error fetching current key from SCM", e);
            }
        }
    }
}
