package org.apache.brooklyn.location.jclouds.networking;

import com.google.common.annotations.Beta;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Function;
import com.google.common.base.Optional;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import com.google.common.base.Throwables;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.collect.FluentIterable;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import javax.annotation.Nullable;
import org.apache.brooklyn.api.entity.Entity;
import org.apache.brooklyn.core.location.geo.LocalhostExternalIpLoader;
import org.apache.brooklyn.location.jclouds.BasicJcloudsLocationCustomizer;
import org.apache.brooklyn.location.jclouds.JcloudsLocation;
import org.apache.brooklyn.location.jclouds.JcloudsMachineLocation;
import org.apache.brooklyn.util.collections.MutableList;
import org.apache.brooklyn.util.core.task.Tasks;
import org.apache.brooklyn.util.exceptions.Exceptions;
import org.apache.brooklyn.util.net.Cidr;
import org.apache.brooklyn.util.time.Duration;
import org.jclouds.aws.AWSResponseException;
import org.jclouds.compute.ComputeService;
import org.jclouds.compute.domain.SecurityGroup;
import org.jclouds.compute.domain.Template;
import org.jclouds.compute.extensions.SecurityGroupExtension;
import org.jclouds.domain.Location;
import org.jclouds.net.domain.IpPermission;
import org.jclouds.net.domain.IpProtocol;
import org.jclouds.providers.ProviderMetadata;
import org.jclouds.providers.Providers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Beta
/* loaded from: input_file:org/apache/brooklyn/location/jclouds/networking/JcloudsLocationSecurityGroupCustomizer.class */
public class JcloudsLocationSecurityGroupCustomizer extends BasicJcloudsLocationCustomizer {
    private static final Logger LOG = LoggerFactory.getLogger(JcloudsLocationSecurityGroupCustomizer.class);
    private static final LoadingCache<String, JcloudsLocationSecurityGroupCustomizer> CUSTOMISERS = CacheBuilder.newBuilder().build(new CacheLoader<String, JcloudsLocationSecurityGroupCustomizer>() { // from class: org.apache.brooklyn.location.jclouds.networking.JcloudsLocationSecurityGroupCustomizer.1
        public JcloudsLocationSecurityGroupCustomizer load(String str) throws Exception {
            return new JcloudsLocationSecurityGroupCustomizer(str);
        }
    });
    private final Cache<Location, SecurityGroup> sharedGroupCache;
    private final Cache<String, SecurityGroup> uniqueGroupCache;
    private final String applicationId;
    private Supplier<Cidr> sshCidrSupplier;
    private Predicate<Exception> isExceptionRetryable;

    /* loaded from: input_file:org/apache/brooklyn/location/jclouds/networking/JcloudsLocationSecurityGroupCustomizer$AwsExceptionRetryPredicate.class */
    private static class AwsExceptionRetryPredicate implements Predicate<Exception> {
        private static final Set<String> AWS_ERRORS_TO_RETRY = ImmutableSet.of("InvalidGroup.InUse", "DependencyViolation", "RequestLimitExceeded");

        private AwsExceptionRetryPredicate() {
        }

        public boolean apply(Exception exc) {
            AWSResponseException firstThrowableOfType = Exceptions.getFirstThrowableOfType(exc, AWSResponseException.class);
            if (firstThrowableOfType == null) {
                return false;
            }
            return AWS_ERRORS_TO_RETRY.contains(firstThrowableOfType.getError().getCode());
        }
    }

    /* loaded from: input_file:org/apache/brooklyn/location/jclouds/networking/JcloudsLocationSecurityGroupCustomizer$LocalhostExternalIpCidrSupplier.class */
    private static class LocalhostExternalIpCidrSupplier implements Supplier<Cidr> {
        private volatile Cidr cidr;

        private LocalhostExternalIpCidrSupplier() {
        }

        /* renamed from: get, reason: merged with bridge method [inline-methods] */
        public Cidr m24get() {
            Cidr cidr = this.cidr;
            if (cidr == null) {
                synchronized (this) {
                    cidr = this.cidr;
                    if (cidr == null) {
                        Cidr cidr2 = new Cidr(LocalhostExternalIpLoader.getLocalhostIpWithin(Duration.seconds(5)) + "/32");
                        cidr = cidr2;
                        this.cidr = cidr2;
                    }
                }
            }
            return cidr;
        }
    }

    protected JcloudsLocationSecurityGroupCustomizer(String str) {
        this(str, Suppliers.ofInstance(new Cidr("0.0.0.0/0")));
    }

    protected JcloudsLocationSecurityGroupCustomizer(String str, Supplier<Cidr> supplier) {
        this.sharedGroupCache = CacheBuilder.newBuilder().build();
        this.uniqueGroupCache = CacheBuilder.newBuilder().build();
        this.isExceptionRetryable = Predicates.alwaysFalse();
        this.applicationId = str;
        this.sshCidrSupplier = supplier;
    }

    public static JcloudsLocationSecurityGroupCustomizer getInstance(String str) {
        return (JcloudsLocationSecurityGroupCustomizer) CUSTOMISERS.getUnchecked(str);
    }

    public static JcloudsLocationSecurityGroupCustomizer getInstance(Entity entity) {
        return getInstance(entity.getApplicationId());
    }

    public JcloudsLocationSecurityGroupCustomizer setRetryExceptionPredicate(Predicate<Exception> predicate) {
        this.isExceptionRetryable = (Predicate) Preconditions.checkNotNull(predicate, "predicate");
        return this;
    }

    public JcloudsLocationSecurityGroupCustomizer setSshCidrSupplier(Supplier<Cidr> supplier) {
        this.sshCidrSupplier = (Supplier) Preconditions.checkNotNull(supplier, "cidrSupplier");
        return this;
    }

    public JcloudsLocationSecurityGroupCustomizer addPermissionsToLocation(JcloudsMachineLocation jcloudsMachineLocation, IpPermission... ipPermissionArr) {
        addPermissionsToLocation(jcloudsMachineLocation, (Iterable<IpPermission>) ImmutableList.copyOf(ipPermissionArr));
        return this;
    }

    public JcloudsLocationSecurityGroupCustomizer addPermissionsToLocation(JcloudsMachineLocation jcloudsMachineLocation, SecurityGroupDefinition securityGroupDefinition) {
        addPermissionsToLocation(jcloudsMachineLocation, securityGroupDefinition.getPermissions());
        return this;
    }

    private SecurityGroup getSecurityGroup(final String str, final SecurityGroupExtension securityGroupExtension, final String str2) {
        Tasks.setBlockingDetails("Loading unique security group for node: " + str);
        try {
            try {
                SecurityGroup securityGroup = (SecurityGroup) this.uniqueGroupCache.get(str, new Callable<SecurityGroup>() { // from class: org.apache.brooklyn.location.jclouds.networking.JcloudsLocationSecurityGroupCustomizer.2
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.concurrent.Callable
                    public SecurityGroup call() throws Exception {
                        SecurityGroup uniqueSecurityGroupForNodeCachingSharedGroupIfPreviouslyUnknown = JcloudsLocationSecurityGroupCustomizer.this.getUniqueSecurityGroupForNodeCachingSharedGroupIfPreviouslyUnknown(str, str2, securityGroupExtension);
                        if (uniqueSecurityGroupForNodeCachingSharedGroupIfPreviouslyUnknown == null) {
                            throw new IllegalStateException("Failed to find machine-unique group on node: " + str);
                        }
                        return uniqueSecurityGroupForNodeCachingSharedGroupIfPreviouslyUnknown;
                    }
                });
                Tasks.resetBlockingDetails();
                return securityGroup;
            } catch (ExecutionException e) {
                throw Throwables.propagate(new Exception(e.getCause()));
            } catch (UncheckedExecutionException e2) {
                throw Throwables.propagate(new Exception(e2.getCause()));
            }
        } catch (Throwable th) {
            Tasks.resetBlockingDetails();
            throw th;
        }
    }

    public JcloudsLocationSecurityGroupCustomizer addPermissionsToLocation(JcloudsMachineLocation jcloudsMachineLocation, Iterable<IpPermission> iterable) {
        synchronized (JcloudsLocationSecurityGroupCustomizer.class) {
            addPermissionsToLocation(iterable, jcloudsMachineLocation.getNode().getId(), jcloudsMachineLocation.m20getParent().getComputeService());
        }
        return this;
    }

    public void removePermissionsFromLocation(JcloudsMachineLocation jcloudsMachineLocation, Iterable<IpPermission> iterable) {
        synchronized (JcloudsLocationSecurityGroupCustomizer.class) {
            removePermissionsFromLocation(iterable, jcloudsMachineLocation.getNode().getId(), jcloudsMachineLocation.m20getParent().getComputeService());
        }
    }

    @VisibleForTesting
    void removePermissionsFromLocation(Iterable<IpPermission> iterable, String str, ComputeService computeService) {
        if (!computeService.getSecurityGroupExtension().isPresent()) {
            LOG.warn("Security group extension for {} absent; cannot update node {} with {}", new Object[]{computeService, str, iterable});
            return;
        }
        SecurityGroupExtension securityGroupExtension = (SecurityGroupExtension) computeService.getSecurityGroupExtension().get();
        SecurityGroup securityGroup = getSecurityGroup(str, securityGroupExtension, computeService.getContext().unwrap().getId());
        Iterator<IpPermission> it = iterable.iterator();
        while (it.hasNext()) {
            removePermission(it.next(), securityGroup, securityGroupExtension);
        }
    }

    @VisibleForTesting
    void addPermissionsToLocation(Iterable<IpPermission> iterable, String str, ComputeService computeService) {
        if (!computeService.getSecurityGroupExtension().isPresent()) {
            LOG.warn("Security group extension for {} absent; cannot update node {} with {}", new Object[]{computeService, str, iterable});
            return;
        }
        SecurityGroupExtension securityGroupExtension = (SecurityGroupExtension) computeService.getSecurityGroupExtension().get();
        SecurityGroup securityGroup = getSecurityGroup(str, securityGroupExtension, computeService.getContext().unwrap().getId());
        MutableList copyOf = MutableList.copyOf(iterable);
        Iterables.removeAll(copyOf, securityGroup.getIpPermissions());
        Iterator it = copyOf.iterator();
        while (it.hasNext()) {
            addPermission((IpPermission) it.next(), securityGroup, securityGroupExtension);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public SecurityGroup getUniqueSecurityGroupForNodeCachingSharedGroupIfPreviouslyUnknown(String str, String str2, SecurityGroupExtension securityGroupExtension) {
        SecurityGroup securityGroup;
        Set listSecurityGroupsForNode = securityGroupExtension.listSecurityGroupsForNode(str);
        if (listSecurityGroupsForNode == null || listSecurityGroupsForNode.isEmpty()) {
            return null;
        }
        if (str2.equals("aws-ec2")) {
            if (listSecurityGroupsForNode.size() == 2) {
                String nameForSharedSecurityGroup = getNameForSharedSecurityGroup();
                Iterator it = listSecurityGroupsForNode.iterator();
                SecurityGroup securityGroup2 = (SecurityGroup) it.next();
                if (securityGroup2.getName().endsWith(nameForSharedSecurityGroup)) {
                    securityGroup = (SecurityGroup) it.next();
                } else {
                    securityGroup = securityGroup2;
                    securityGroup2 = (SecurityGroup) it.next();
                }
                if (!securityGroup2.getName().endsWith(nameForSharedSecurityGroup)) {
                    LOG.warn("Couldn't determine which security group is shared between instances in app {}. Expected={}, found={}", new Object[]{this.applicationId, nameForSharedSecurityGroup, listSecurityGroupsForNode});
                    return null;
                }
                SecurityGroup securityGroup3 = (SecurityGroup) this.sharedGroupCache.asMap().putIfAbsent(securityGroup2.getLocation(), securityGroup2);
                LOG.info("Loaded unique security group for node {} (in {}): {}", new Object[]{str, this.applicationId, securityGroup});
                if (securityGroup3 == null) {
                    LOG.info("Proactively set shared group for app {} to: {}", this.applicationId, securityGroup2);
                }
                return securityGroup;
            }
            LOG.warn("Expected to find two security groups on node {} in app {} (one shared, one unique). Found {}: {}", new Object[]{str, this.applicationId, Integer.valueOf(listSecurityGroupsForNode.size()), listSecurityGroupsForNode});
        }
        return (SecurityGroup) Iterables.getOnlyElement(listSecurityGroupsForNode);
    }

    @Override // org.apache.brooklyn.location.jclouds.BasicJcloudsLocationCustomizer, org.apache.brooklyn.location.jclouds.JcloudsLocationCustomizer
    public void customize(JcloudsLocation jcloudsLocation, ComputeService computeService, Template template) {
        if (!computeService.getSecurityGroupExtension().isPresent()) {
            LOG.warn("Security group extension for {} absent; cannot configure security groups in context: {}", computeService, this.applicationId);
        } else if (template.getLocation() == null) {
            LOG.warn("No location has been set on {}; cannot configure security groups in context: {}", template, this.applicationId);
        } else {
            LOG.info("Configuring security groups on location {} in context {}", jcloudsLocation, this.applicationId);
            setSecurityGroupOnTemplate(jcloudsLocation, template, (SecurityGroupExtension) computeService.getSecurityGroupExtension().get());
        }
    }

    private void setSecurityGroupOnTemplate(JcloudsLocation jcloudsLocation, final Template template, final SecurityGroupExtension securityGroupExtension) {
        Tasks.setBlockingDetails("Loading security group shared by instances in " + template.getLocation() + " in app " + this.applicationId);
        try {
            try {
                SecurityGroup securityGroup = (SecurityGroup) this.sharedGroupCache.get(template.getLocation(), new Callable<SecurityGroup>() { // from class: org.apache.brooklyn.location.jclouds.networking.JcloudsLocationSecurityGroupCustomizer.3
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.concurrent.Callable
                    public SecurityGroup call() throws Exception {
                        return JcloudsLocationSecurityGroupCustomizer.this.getOrCreateSharedSecurityGroup(template.getLocation(), securityGroupExtension);
                    }
                });
                Tasks.resetBlockingDetails();
                Set groups = template.getOptions().getGroups();
                template.getOptions().securityGroups(new String[]{securityGroup.getName()});
                if (groups.isEmpty()) {
                    LOG.debug("Configured security groups at {} to: {}", jcloudsLocation, template.getOptions().getGroups());
                } else {
                    LOG.info("Replaced configured security groups: configured={}, replaced with={}", groups, template.getOptions().getGroups());
                }
            } catch (ExecutionException e) {
                throw Throwables.propagate(new Exception(e.getCause()));
            }
        } catch (Throwable th) {
            Tasks.resetBlockingDetails();
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public SecurityGroup getOrCreateSharedSecurityGroup(Location location, SecurityGroupExtension securityGroupExtension) {
        final String nameForSharedSecurityGroup = getNameForSharedSecurityGroup();
        Optional tryFind = Iterables.tryFind(securityGroupExtension.listSecurityGroupsInLocation(location), new Predicate<SecurityGroup>() { // from class: org.apache.brooklyn.location.jclouds.networking.JcloudsLocationSecurityGroupCustomizer.4
            public boolean apply(SecurityGroup securityGroup) {
                return securityGroup.getName().endsWith(nameForSharedSecurityGroup);
            }
        });
        if (tryFind.isPresent()) {
            LOG.info("Found existing shared security group in {} for app {}: {}", new Object[]{location, this.applicationId, nameForSharedSecurityGroup});
            return (SecurityGroup) tryFind.get();
        }
        LOG.info("Creating new shared security group in {} for app {}: {}", new Object[]{location, this.applicationId, nameForSharedSecurityGroup});
        return createBaseSecurityGroupInLocation(nameForSharedSecurityGroup, location, securityGroupExtension);
    }

    private SecurityGroup createBaseSecurityGroupInLocation(String str, Location location, SecurityGroupExtension securityGroupExtension) {
        SecurityGroup addSecurityGroupInLocation = addSecurityGroupInLocation(str, location, securityGroupExtension);
        Set<String> jcloudsLocationIds = getJcloudsLocationIds("openstack-nova");
        String providerId = addSecurityGroupInLocation.getProviderId();
        int i = 0;
        if (location.getParent() != null && Iterables.contains(jcloudsLocationIds, location.getParent().getId())) {
            providerId = addSecurityGroupInLocation.getId();
            i = 1;
        }
        IpPermission.Builder port = IpPermission.builder().groupId(providerId).fromPort(i).toPort(65535);
        addPermission(port.ipProtocol(IpProtocol.TCP).build(), addSecurityGroupInLocation, securityGroupExtension);
        addPermission(port.ipProtocol(IpProtocol.UDP).build(), addSecurityGroupInLocation, securityGroupExtension);
        addPermission(port.ipProtocol(IpProtocol.ICMP).fromPort(-1).toPort(-1).build(), addSecurityGroupInLocation, securityGroupExtension);
        addPermission(IpPermission.builder().fromPort(22).toPort(22).ipProtocol(IpProtocol.TCP).cidrBlock(getBrooklynCidrBlock()).build(), addSecurityGroupInLocation, securityGroupExtension);
        return addSecurityGroupInLocation;
    }

    private Set<String> getJcloudsLocationIds(final String str) {
        return new ImmutableSet.Builder().addAll(FluentIterable.from(Providers.all()).filter(new Predicate<ProviderMetadata>() { // from class: org.apache.brooklyn.location.jclouds.networking.JcloudsLocationSecurityGroupCustomizer.6
            public boolean apply(ProviderMetadata providerMetadata) {
                return providerMetadata.getApiMetadata().getId().equals(str);
            }
        }).transform(new Function<ProviderMetadata, String>() { // from class: org.apache.brooklyn.location.jclouds.networking.JcloudsLocationSecurityGroupCustomizer.5
            @Nullable
            public String apply(ProviderMetadata providerMetadata) {
                return providerMetadata.getId();
            }
        }).toSet()).add(str).build();
    }

    protected SecurityGroup addSecurityGroupInLocation(final String str, final Location location, final SecurityGroupExtension securityGroupExtension) {
        LOG.debug("Creating security group {} in {}", str, location);
        return (SecurityGroup) runOperationWithRetry(new Callable<SecurityGroup>() { // from class: org.apache.brooklyn.location.jclouds.networking.JcloudsLocationSecurityGroupCustomizer.7
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public SecurityGroup call() throws Exception {
                return securityGroupExtension.createSecurityGroup(str, location);
            }
        });
    }

    protected SecurityGroup addPermission(final IpPermission ipPermission, final SecurityGroup securityGroup, final SecurityGroupExtension securityGroupExtension) {
        LOG.debug("Adding permission to security group {}: {}", securityGroup.getName(), ipPermission);
        return (SecurityGroup) runOperationWithRetry(new Callable<SecurityGroup>() { // from class: org.apache.brooklyn.location.jclouds.networking.JcloudsLocationSecurityGroupCustomizer.8
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public SecurityGroup call() throws Exception {
                try {
                    return securityGroupExtension.addIpPermission(ipPermission, securityGroup);
                } catch (AWSResponseException e) {
                    if (!"InvalidPermission.Duplicate".equals(e.getError().getCode())) {
                        throw e;
                    }
                    JcloudsLocationSecurityGroupCustomizer.LOG.info("Permission already exists for security group; continuing (logging underlying exception at debug): permission=" + ipPermission + "; group=" + securityGroup);
                    JcloudsLocationSecurityGroupCustomizer.LOG.debug("Permission already exists for security group; continuing: permission=" + ipPermission + "; group=" + securityGroup, e);
                    return null;
                } catch (Exception e2) {
                    Exceptions.propagateIfFatal(e2);
                    if (!e2.toString().contains("InvalidPermission.Duplicate")) {
                        throw Exceptions.propagate(e2);
                    }
                    JcloudsLocationSecurityGroupCustomizer.LOG.info("Permission already exists for security group; continuing (but unexpected exception type): permission=" + ipPermission + "; group=" + securityGroup, e2);
                    return null;
                }
            }
        });
    }

    protected SecurityGroup removePermission(final IpPermission ipPermission, final SecurityGroup securityGroup, final SecurityGroupExtension securityGroupExtension) {
        LOG.debug("Removing permission from security group {}: {}", securityGroup.getName(), ipPermission);
        return (SecurityGroup) runOperationWithRetry(new Callable<SecurityGroup>() { // from class: org.apache.brooklyn.location.jclouds.networking.JcloudsLocationSecurityGroupCustomizer.9
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public SecurityGroup call() throws Exception {
                return securityGroupExtension.removeIpPermission(ipPermission, securityGroup);
            }
        });
    }

    public String getBrooklynCidrBlock() {
        return ((Cidr) this.sshCidrSupplier.get()).toString();
    }

    @VisibleForTesting
    String getNameForSharedSecurityGroup() {
        return "brooklyn-" + this.applicationId.toLowerCase() + "-shared";
    }

    @VisibleForTesting
    void clearSecurityGroupCaches() {
        LOG.info("Clearing security group caches");
        this.sharedGroupCache.invalidateAll();
        this.uniqueGroupCache.invalidateAll();
    }

    protected <T> T runOperationWithRetry(Callable<T> callable) {
        int i = 64;
        Exception exc = null;
        for (int i2 = 0; i2 < 100; i2++) {
            try {
                return callable.call();
            } catch (Exception e) {
                exc = e;
                if (!this.isExceptionRetryable.apply(e)) {
                    break;
                }
                LOG.debug("Attempt #{} failed to add security group: {}", Integer.valueOf(i2 + 1), e.getMessage());
                try {
                    Thread.sleep(i);
                    i <<= 1;
                } catch (InterruptedException e2) {
                    throw Exceptions.propagate(e2);
                }
            }
        }
        throw new RuntimeException("Unable to add security group rule; repeated errors from provider", exc);
    }

    public static Predicate<Exception> newAwsExceptionRetryPredicate() {
        return new AwsExceptionRetryPredicate();
    }
}
