package co.cask.cdap.security.store;

import co.cask.cdap.api.security.store.SecureStore;
import co.cask.cdap.api.security.store.SecureStoreData;
import co.cask.cdap.api.security.store.SecureStoreManager;
import co.cask.cdap.api.security.store.SecureStoreMetadata;
import co.cask.cdap.common.NamespaceNotFoundException;
import co.cask.cdap.common.NotFoundException;
import co.cask.cdap.common.namespace.NamespaceQueryAdmin;
import co.cask.cdap.common.security.DelegationTokensUpdater;
import co.cask.cdap.proto.Id;
import co.cask.cdap.proto.id.SecureKeyId;
import com.google.common.base.Charsets;
import com.google.common.base.Strings;
import com.google.inject.Inject;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.ConcurrentModificationException;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension;
import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
import org.apache.hadoop.security.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/store/KMSSecureStore.class */
public class KMSSecureStore implements SecureStore, SecureStoreManager, DelegationTokensUpdater {
    private static final Logger LOG = LoggerFactory.getLogger(KMSSecureStore.class);
    private static final String NAME_SEPARATOR = ":";
    private final KeyProvider provider;
    private final Configuration conf;
    private final NamespaceQueryAdmin namespaceQueryAdmin;

    @Inject
    KMSSecureStore(Configuration configuration, NamespaceQueryAdmin namespaceQueryAdmin) throws IOException, URISyntaxException {
        this.conf = configuration;
        this.namespaceQueryAdmin = namespaceQueryAdmin;
        try {
            String str = configuration.get("hadoop.security.key.provider.path");
            if (Strings.isNullOrEmpty(str)) {
                throw new IllegalArgumentException("Could not find the key provider URI. Please make sure that hadoop.security.key.provider.path is set to the KMS URI in your core-site.xml.");
            }
            this.provider = KMSClientProvider.Factory.get(new URI(str), configuration);
            LOG.debug("KMS backed secure store initialized successfully.");
        } catch (IOException e) {
            throw new IOException("Secure store could not be loaded. KMS KeyProvider failed to initialize", e);
        } catch (URISyntaxException e2) {
            throw new URISyntaxException("Secure store could not be loaded. The value for hadoop.security.key.provider.pathin core-site.xml is not a valid URI.", e2.getReason());
        }
    }

    public void putSecureData(String str, String str2, String str3, String str4, Map<String, String> map) throws Exception {
        checkNamespaceExists(str);
        KeyProvider.Options options = new KeyProvider.Options(this.conf);
        options.setDescription(str4);
        options.setAttributes(map);
        byte[] bytes = str3.getBytes(Charsets.UTF_8);
        options.setBitLength(bytes.length * 8);
        try {
            this.provider.createKey(getKeyName(str, str2), bytes, options);
        } catch (IOException e) {
            throw new IOException("Failed to store the key " + str2 + " under namespace " + str, e);
        }
    }

    public void deleteSecureData(String str, String str2) throws Exception {
        checkNamespaceExists(str);
        try {
            this.provider.deleteKey(getKeyName(str, str2));
        } catch (IOException e) {
            throw new IOException("Failed to delete the key " + str2 + " under namespace " + str, e);
        }
    }

    public Map<String, String> listSecureData(String str) throws Exception {
        checkNamespaceExists(str);
        String str2 = str + NAME_SEPARATOR;
        ArrayList arrayList = new ArrayList();
        try {
            for (String str3 : this.provider.getKeys()) {
                if (str3.startsWith(str2)) {
                    arrayList.add(str3);
                }
            }
            KeyProvider.Metadata[] keysMetadata = this.provider.getKeysMetadata((String[]) arrayList.toArray(new String[arrayList.size()]));
            if (keysMetadata.length != arrayList.size()) {
                throw new ConcurrentModificationException("A key was deleted while listing was in progress. Please try again.");
            }
            HashMap hashMap = new HashMap(keysMetadata.length);
            for (int i = 0; i < keysMetadata.length; i++) {
                hashMap.put(((String) arrayList.get(i)).substring(str2.length()), keysMetadata[i].getDescription());
            }
            return hashMap;
        } catch (IOException e) {
            throw new IOException("Failed to get the list of elements from the secure store.", e);
        }
    }

    public SecureStoreData getSecureData(String str, String str2) throws Exception {
        checkNamespaceExists(str);
        String keyName = getKeyName(str, str2);
        KeyProvider.Metadata metadata = this.provider.getMetadata(keyName);
        if (metadata == null) {
            throw new NotFoundException(new SecureKeyId(str, str2));
        }
        return new SecureStoreData(SecureStoreMetadata.of(str2, metadata.getDescription(), metadata.getAttributes()), this.provider.getCurrentKey(keyName).getMaterial());
    }

    public Credentials addDelegationTokens(String str, Credentials credentials) {
        try {
            KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(this.provider).addDelegationTokens(str, credentials);
        } catch (IOException e) {
            LOG.debug("KMS delegation token not updated.");
        }
        return credentials;
    }

    private void checkNamespaceExists(String str) throws Exception {
        Id.Namespace namespace = new Id.Namespace(str);
        if (!this.namespaceQueryAdmin.exists(namespace)) {
            throw new NamespaceNotFoundException(namespace);
        }
    }

    private static String getKeyName(String str, String str2) {
        return str + NAME_SEPARATOR + str2;
    }
}
