package com.google.cloud.hadoop.fs.gcs.auth;

import com.google.cloud.hadoop.fs.gcs.GoogleHadoopFileSystemBase;
import com.google.cloud.hadoop.fs.gcs.GoogleHadoopFileSystemConfiguration;
import com.google.cloud.hadoop.util.AccessTokenProvider;
import com.google.common.base.Preconditions;
import com.google.common.flogger.GoogleLogger;
import java.io.IOException;
import java.util.Objects;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;

/* loaded from: input_file:com/google/cloud/hadoop/fs/gcs/auth/GcsDelegationTokens.class */
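/**
 * Tracks the delegation-token state of one GCS filesystem instance.
 *
 * <p>{@link #init(Configuration)} instantiates the configured {@link AbstractDelegationTokenBinding},
 * then either binds to a delegation token found in the current user's credentials or falls back to
 * the binding's direct ("unbonded") authentication. Either path must leave a non-null
 * {@link AccessTokenProvider} behind.
 *
 * <p>{@code init} hands {@code fileSystem} and {@code service} to the binding, so
 * {@link #bindToFileSystem} is expected to run first. This class does not check that ordering itself.
 *
 * <p>No synchronization is performed here; the mutable fields are plain fields.
 */
public class GcsDelegationTokens {
    private static final GoogleLogger logger = GoogleLogger.forEnclosingClass();

    // User whose credentials are searched for an existing delegation token; captured at construction.
    private final UserGroupInformation user;

    private GoogleHadoopFileSystemBase fileSystem;
    private Text service;
    private AbstractDelegationTokenBinding tokenBinding;

    // Set exactly once, by deployUnbonded() or bindToDelegationToken(); see validateAccessTokenProvider().
    private AccessTokenProvider accessTokenProvider = null;

    // The delegation token this instance is bound to, or null when using direct authentication.
    private Token<DelegationTokenIdentifier> boundDT = null;

    /**
     * Captures the current Hadoop user.
     *
     * <p>The constructor is declared explicitly because {@code UserGroupInformation.getCurrentUser()}
     * throws a checked {@link IOException}: a field initializer may only throw a checked exception
     * when every (explicit) constructor declares it.
     *
     * @throws IOException if the current user cannot be resolved
     */
    public GcsDelegationTokens() throws IOException {
        this.user = UserGroupInformation.getCurrentUser();
    }

    /**
     * Loads the token binding named in the configuration and binds this instance to a token or to
     * direct authentication.
     *
     * @param configuration configuration holding the binding class name under
     *     {@code DELEGATION_TOKEN_BINDING_CLASS}
     * @throws IllegalStateException if no binding class is configured
     * @throws RuntimeException wrapping any failure while loading, instantiating or binding
     */
    public void init(Configuration configuration) {
        String bindingClassName = configuration.get(GoogleHadoopFileSystemConfiguration.DELEGATION_TOKEN_BINDING_CLASS.getKey());
        Preconditions.checkState(bindingClassName != null, "Delegation Tokens are not configured");
        try {
            // The class name comes from configuration, so the type is verified BEFORE any of its
            // code runs: initialization is deferred (initialize=false) and asSubclass() rejects
            // anything that is not a token binding. Casting only after newInstance() would let the
            // static initializer and constructor of an unrelated class execute first.
            Class<? extends AbstractDelegationTokenBinding> bindingClass =
                    Class.forName(bindingClassName, false, GcsDelegationTokens.class.getClassLoader())
                            .asSubclass(AbstractDelegationTokenBinding.class);
            AbstractDelegationTokenBinding binding = bindingClass.getDeclaredConstructor().newInstance();
            binding.bindToFileSystem(this.fileSystem, getService());
            this.tokenBinding = binding;
            logger.atFine().log("Filesystem %s is using delegation tokens of kind %s", getService(), this.tokenBinding.getKind());
            bindToAnyDelegationToken();
        } catch (Exception e) {
            // Callers see a single unchecked type; the original failure stays attached as the cause.
            throw new RuntimeException(e);
        }
    }

    /** Returns the service name this instance was bound to, or null before {@link #bindToFileSystem}. */
    public Text getService() {
        return this.service;
    }

    /** Returns the provider created by the binding, or null if nothing has been bound or deployed yet. */
    public AccessTokenProvider getAccessTokenProvider() {
        return this.accessTokenProvider;
    }

    /**
     * Switches to the binding's direct authentication, used when no delegation token is present.
     *
     * @return the provider returned by the binding
     * @throws IllegalStateException if a delegation token is already bound
     * @throws IOException if the binding fails to deploy
     */
    public AccessTokenProvider deployUnbonded() throws IOException {
        Preconditions.checkState(!isBoundToDT(), "Already Bound to a delegation token");
        logger.atFine().log("No delegation tokens present: using direct authentication");
        this.accessTokenProvider = this.tokenBinding.deployUnbonded();
        return this.accessTokenProvider;
    }

    /**
     * Binds to the current user's delegation token for this service if one exists, otherwise
     * deploys direct authentication.
     *
     * @throws IllegalStateException if a provider has already been bound or deployed
     * @throws IOException if the token kind does not match, binding fails, or the binding produced
     *     no {@link AccessTokenProvider}
     */
    public void bindToAnyDelegationToken() throws IOException {
        validateAccessTokenProvider();
        Token<DelegationTokenIdentifier> ownerToken = selectTokenFromFsOwner();
        if (ownerToken == null) {
            deployUnbonded();
        } else {
            bindToDelegationToken(ownerToken);
        }
        // Fail closed: a binding that hands back no provider must not leave the filesystem
        // running without credentials.
        if (this.accessTokenProvider == null) {
            throw new DelegationTokenIOException("No AccessTokenProvider created by Delegation Token Binding " + this.tokenBinding.getKind());
        }
    }

    /**
     * Looks in the captured user's credentials for a token issued for this service.
     *
     * @return the matching token, or null if the credentials hold none for this service
     * @throws IOException if a token exists for the service but is of a different kind
     */
    public Token<DelegationTokenIdentifier> selectTokenFromFsOwner() throws IOException {
        return lookupToken(this.user.getCredentials(), this.service, this.tokenBinding.getKind());
    }

    /**
     * Records the filesystem and service name that the binding is later attached to.
     *
     * @param googleHadoopFileSystemBase owning filesystem; must not be null
     * @param text service name used to look tokens up; must not be null
     * @throws NullPointerException if either argument is null
     */
    public void bindToFileSystem(GoogleHadoopFileSystemBase googleHadoopFileSystemBase, Text text) throws IOException {
        this.service = Objects.requireNonNull(text);
        this.fileSystem = Objects.requireNonNull(googleHadoopFileSystemBase);
    }

    /**
     * Binds this instance to the given delegation token and obtains a provider from the binding.
     *
     * <p>The identifier is decoded before any state is touched, and the bound token is rolled back
     * if the binding rejects it, so a failed call does not leave {@link #isBoundToDT()} reporting
     * true while no provider exists.
     *
     * @param token delegation token to bind to; must not be null
     * @throws IllegalStateException if a provider has already been bound or deployed
     * @throws IllegalArgumentException if {@code token} is null
     * @throws IOException if the identifier cannot be decoded or the binding fails
     */
    public void bindToDelegationToken(Token<DelegationTokenIdentifier> token) throws IOException {
        validateAccessTokenProvider();
        DelegationTokenIdentifier identifier = extractIdentifier(token);
        // NOTE(review): this writes the identifier's toString() at INFO level; confirm that no
        // binding's identifier type renders secret material in toString().
        logger.atInfo().log("Using delegation token %s", identifier);

        Token<DelegationTokenIdentifier> previousToken = this.boundDT;
        // boundDT is assigned before the binding call, as it always was, and restored on failure.
        this.boundDT = token;
        try {
            this.accessTokenProvider = this.tokenBinding.bindToTokenIdentifier(identifier);
        } catch (IOException | RuntimeException e) {
            this.boundDT = previousToken;
            throw e;
        }
    }

    /** Returns true once a delegation token has been bound. */
    public boolean isBoundToDT() {
        return this.boundDT != null;
    }

    /** Returns the bound delegation token, or null when none is bound. */
    public Token<DelegationTokenIdentifier> getBoundDT() {
        return this.boundDT;
    }

    /**
     * Returns the bound delegation token, or asks the binding to create a new one.
     *
     * @param str passed unchanged to the binding's {@code createDelegationToken}
     *     (presumably the renewer - TODO confirm against the binding)
     * @return the already-bound token if there is one, otherwise a newly created token
     * @throws IOException if the binding fails to create a token
     */
    public Token<DelegationTokenIdentifier> getBoundOrNewDT(String str) throws IOException {
        logger.atFine().log("Delegation token requested");
        if (isBoundToDT()) {
            logger.atFine().log("Returning current token");
            return getBoundDT();
        }
        return this.tokenBinding.createDelegationToken(str);
    }

    /**
     * Decodes the identifier carried by a token.
     *
     * @param token token to decode; must not be null
     * @return the decoded identifier, never null
     * @throws IllegalArgumentException if {@code token} is null
     * @throws IOException if decoding yields nothing, or fails with a runtime exception that
     *     carries a cause
     */
    public static DelegationTokenIdentifier extractIdentifier(Token<? extends DelegationTokenIdentifier> token) throws IOException {
        Preconditions.checkArgument(token != null, "null token");
        DelegationTokenIdentifier identifier;
        try {
            identifier = token.decodeIdentifier();
        } catch (RuntimeException e) {
            Throwable cause = e.getCause();
            if (cause == null) {
                throw e;
            }
            // Surface the underlying decode failure as an I/O error instead of the runtime wrapper.
            throw new DelegationTokenIOException("Decoding GCS token " + cause, cause);
        }
        if (identifier == null) {
            throw new DelegationTokenIOException("Failed to unmarshall token " + token);
        }
        return identifier;
    }

    /**
     * Finds the token registered for {@code service} and checks that it is of the expected kind.
     *
     * @param credentials credentials to search
     * @param service service name the token was issued for
     * @param kind token kind the active binding understands
     * @return the token, or null if the credentials hold none for the service
     * @throws DelegationTokenIOException if a token exists but its kind differs from {@code kind}
     */
    @SuppressWarnings("unchecked")
    private static Token<DelegationTokenIdentifier> lookupToken(Credentials credentials, Text service, Text kind) throws DelegationTokenIOException {
        logger.atFine().log("Looking for token for service %s in credentials", service);
        Token<?> candidate = credentials.getToken(service);
        if (candidate == null) {
            logger.atFine().log("No token found for %s", service);
            return null;
        }
        Text candidateKind = candidate.getKind();
        logger.atFine().log("Found token of kind %s", candidateKind);
        if (!kind.equals(candidateKind)) {
            // A token for this service exists but belongs to another binding: refuse it rather
            // than handing it to a binding that may misread its identifier.
            throw DelegationTokenIOException.tokenMismatch(service, kind, candidateKind);
        }
        // The kind check above is the only thing that justifies this unchecked cast.
        return (Token<DelegationTokenIdentifier>) candidate;
    }

    /** Guards the bind/deploy paths so that a provider is only ever established once. */
    private void validateAccessTokenProvider() {
        Preconditions.checkState(this.accessTokenProvider == null, "GCP Delegation tokens has already been bound/deployed");
    }
}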
