package water.persist.security;

import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
import water.H2O;
import water.MRTask;
import water.Paxos;
import water.persist.PersistHdfs;
import water.util.BinaryFileTransfer;
import water.util.FileUtils;

/* loaded from: input_file:water/persist/security/HdfsDelegationTokenRefresher.class */
public class HdfsDelegationTokenRefresher implements Runnable {
    public static final String H2O_AUTH_USER = "h2o.auth.user";
    public static final String H2O_AUTH_PRINCIPAL = "h2o.auth.principal";
    public static final String H2O_AUTH_KEYTAB = "h2o.auth.keytab";
    public static final String H2O_AUTH_TOKEN_REFRESHER_ENABLED = "h2o.auth.tokenRefresher.enabled";
    public static final String H2O_AUTH_TOKEN_REFRESHER_INTERVAL_RATIO = "h2o.auth.tokenRefresher.intervalRatio";
    public static final String H2O_AUTH_TOKEN_REFRESHER_MAX_ATTEMPTS = "h2o.auth.tokenRefresher.maxAttempts";
    public static final String H2O_AUTH_TOKEN_REFRESHER_RETRY_DELAY_SECS = "h2o.auth.tokenRefresher.retryDelaySecs";
    public static final String H2O_AUTH_TOKEN_REFRESHER_FALLBACK_INTERVAL_SECS = "h2o.auth.tokenRefresher.fallbackIntervalSecs";
    private final ScheduledExecutorService _executor = Executors.newSingleThreadScheduledExecutor(new ThreadFactoryBuilder().setDaemon(true).setNameFormat("hdfs-token-refresher-%d").build());
    private final String _authPrincipal;
    private final String _authKeytabPath;
    private final String _authUser;
    private final double _intervalRatio;
    private final int _maxAttempts;
    private final int _retryDelaySecs;
    private final long _fallbackIntervalSecs;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:water/persist/security/HdfsDelegationTokenRefresher$DistributeCreds.class */
    public static class DistributeCreds extends MRTask<DistributeCreds> {
        private final byte[] _credsSerialized;

        private DistributeCreds(Credentials credentials) throws IOException {
            this._credsSerialized = serializeCreds(credentials);
        }

        protected void setupLocal() {
            try {
                Credentials deserialize = deserialize();
                HdfsDelegationTokenRefresher.log("Updating credentials", null);
                UserGroupInformation.getCurrentUser().addCredentials(deserialize);
            } catch (IOException e) {
                HdfsDelegationTokenRefresher.log("Failed to update credentials", e);
            }
        }

        private Credentials deserialize() throws IOException {
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(this._credsSerialized);
            Credentials credentials = new Credentials();
            credentials.readTokenStorageStream(new DataInputStream(byteArrayInputStream));
            return credentials;
        }

        private static byte[] serializeCreds(Credentials credentials) throws IOException {
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            credentials.writeTokenStorageToStream(new DataOutputStream(byteArrayOutputStream));
            return byteArrayOutputStream.toByteArray();
        }
    }

    public static void setup(Configuration configuration, String str) throws IOException {
        if (!configuration.getBoolean(H2O_AUTH_TOKEN_REFRESHER_ENABLED, false)) {
            log("HDFS Token renewal is not enabled in configuration", null);
            return;
        }
        String str2 = configuration.get(H2O_AUTH_USER);
        String str3 = configuration.get(H2O_AUTH_PRINCIPAL);
        if (str3 == null) {
            log("Principal not provided, HDFS tokens will not be refreshed by H2O and their lifespan will be limited", null);
            return;
        }
        String str4 = configuration.get(H2O_AUTH_KEYTAB);
        if (str4 == null) {
            log("Keytab not provided, HDFS tokens will not be refreshed by H2O and their lifespan will be limited", null);
        } else {
            startRefresher(configuration, str3, writeKeytabToFile(str4, str), str2);
        }
    }

    static void startRefresher(Configuration configuration, String str, String str2, String str3) {
        new HdfsDelegationTokenRefresher(configuration, str, str2, str3).start();
    }

    public static void startRefresher(Configuration configuration, String str, String str2, long j) {
        new HdfsDelegationTokenRefresher(configuration, str, str2, null).start(j);
    }

    private static String writeKeytabToFile(String str, String str2) throws IOException {
        FileUtils.makeSureDirExists(str2);
        File file = new File(str2, "hdfs_auth_keytab");
        BinaryFileTransfer.writeBinaryFile(file.getAbsolutePath(), BinaryFileTransfer.convertStringToByteArr(str));
        return file.getAbsolutePath();
    }

    public HdfsDelegationTokenRefresher(Configuration configuration, String str, String str2, String str3) {
        this._authPrincipal = str;
        this._authKeytabPath = str2;
        this._authUser = str3;
        this._intervalRatio = Double.parseDouble(configuration.get(H2O_AUTH_TOKEN_REFRESHER_INTERVAL_RATIO, "0.4"));
        this._maxAttempts = configuration.getInt(H2O_AUTH_TOKEN_REFRESHER_MAX_ATTEMPTS, 12);
        this._retryDelaySecs = configuration.getInt(H2O_AUTH_TOKEN_REFRESHER_RETRY_DELAY_SECS, 10);
        this._fallbackIntervalSecs = configuration.getInt(H2O_AUTH_TOKEN_REFRESHER_FALLBACK_INTERVAL_SECS, 43200);
    }

    void start() {
        start(autodetectRenewalInterval());
    }

    void start(long j) {
        if (j <= 0) {
            throw new IllegalArgumentException("Renewal interval needs to be a positive number, got " + j);
        }
        this._executor.scheduleAtFixedRate(this, 0L, j, TimeUnit.SECONDS);
    }

    private long autodetectRenewalInterval() {
        long j;
        long j2 = 0;
        try {
            j2 = getTokenRenewalIntervalSecs(loginAuthUser());
        } catch (IOException | InterruptedException e) {
            log("Encountered error while trying to determine token renewal interval.", e);
        }
        if (j2 == 0) {
            j = this._fallbackIntervalSecs;
            log("Token renewal interval was not determined, will use " + this._fallbackIntervalSecs + "s.", null);
        } else {
            j = (long) (j2 * this._intervalRatio);
            log("Determined token renewal interval = " + j2 + "s. Using actual interval = " + j + "s (ratio=" + this._intervalRatio + ").", null);
        }
        return j;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void log(String str, Exception exc) {
        System.out.println("HDFS TOKEN REFRESH: " + str);
        if (exc != null) {
            exc.printStackTrace(System.out);
        }
    }

    @Override // java.lang.Runnable
    public void run() {
        if (Paxos._cloudLocked && H2O.CLOUD.leader() != H2O.SELF) {
            this._executor.shutdown();
            return;
        }
        for (int i = 0; i < this._maxAttempts; i++) {
            try {
                distribute(refreshTokens(loginAuthUser()));
                return;
            } catch (IOException | InterruptedException e) {
                log("Failed to refresh token (attempt " + i + " out of " + this._maxAttempts + "). Will retry in " + this._retryDelaySecs + "s.", e);
                try {
                    Thread.sleep(this._retryDelaySecs * 1000);
                } catch (InterruptedException e2) {
                    Thread.currentThread().interrupt();
                }
            }
        }
    }

    private Credentials refreshTokens(UserGroupInformation userGroupInformation) throws IOException, InterruptedException {
        return (Credentials) userGroupInformation.doAs(() -> {
            Credentials credentials = new Credentials();
            log("Fetched delegation tokens: " + Arrays.toString(fetchDelegationTokens(getRenewer(), credentials)), null);
            return credentials;
        });
    }

    private String getRenewer() {
        return this._authUser != null ? this._authUser : this._authPrincipal;
    }

    private UserGroupInformation loginAuthUser() throws IOException, InterruptedException {
        log("Log in from keytab as " + this._authPrincipal, null);
        UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(this._authPrincipal, this._authKeytabPath);
        if (this._authUser != null) {
            log("Impersonate " + this._authUser, null);
            loginUserFromKeytabAndReturnUGI = UserGroupInformation.createProxyUser(this._authUser, loginUserFromKeytabAndReturnUGI);
        }
        return loginUserFromKeytabAndReturnUGI;
    }

    private long getTokenRenewalIntervalSecs(UserGroupInformation userGroupInformation) throws IOException, InterruptedException {
        Credentials refreshTokens = refreshTokens(userGroupInformation);
        long longValue = ((Long) userGroupInformation.doAs(() -> {
            return (Long) refreshTokens.getAllTokens().stream().map(token -> {
                try {
                    long renew = token.renew(PersistHdfs.CONF);
                    long j = 0;
                    AbstractDelegationTokenIdentifier decodeIdentifier = token.decodeIdentifier();
                    if (decodeIdentifier instanceof AbstractDelegationTokenIdentifier) {
                        j = decodeIdentifier.getIssueDate();
                    }
                    return Long.valueOf(renew - (j > 0 ? j : System.currentTimeMillis()));
                } catch (IOException | InterruptedException e) {
                    log("Failed to determine token expiration for token " + token, e);
                    return Long.MAX_VALUE;
                }
            }).min((v0, v1) -> {
                return v0.compareTo(v1);
            }).orElse(Long.MAX_VALUE);
        })).longValue();
        if (longValue <= 0 || longValue >= Long.MAX_VALUE) {
            return 0L;
        }
        return longValue / 1000;
    }

    private static Token<?>[] fetchDelegationTokens(String str, Credentials credentials) throws IOException {
        return FileSystem.get(PersistHdfs.CONF).addDelegationTokens(str, credentials);
    }

    private void distribute(Credentials credentials) throws IOException {
        DistributeCreds distributeCreds = new DistributeCreds(credentials);
        if (Paxos._cloudLocked) {
            distributeCreds.doAllNodes();
        } else {
            distributeCreds.setupLocal();
        }
    }
}
