package org.apache.hadoop.crypto.key.kms;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.lang.reflect.UndeclaredThrowableException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.SocketTimeoutException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLEncoder;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Queue;
import java.util.concurrent.ExecutionException;
import javax.net.ssl.HttpsURLConnection;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.Charsets;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension;
import org.apache.hadoop.crypto.key.KeyProviderFactory;
import org.apache.hadoop.crypto.key.kms.ValueQueue;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.ProviderUtils;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
import org.apache.hadoop.util.HttpExceptionUtils;
import org.apache.http.client.utils.URIBuilder;
import org.codehaus.jackson.map.ObjectMapper;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider.class */
public class KMSClientProvider extends KeyProvider implements KeyProviderCryptoExtension.CryptoExtension, KeyProviderDelegationTokenExtension.DelegationTokenExtension {
    private static final String INVALID_SIGNATURE = "Invalid signature";
    private static final String ANONYMOUS_REQUESTS_DISALLOWED = "Anonymous requests are disallowed";
    public static final String TOKEN_KIND = "kms-dt";
    public static final String SCHEME_NAME = "kms";
    private static final String UTF8 = "UTF-8";
    private static final String CONTENT_TYPE = "Content-Type";
    private static final String APPLICATION_JSON_MIME = "application/json";
    private static final String HTTP_GET = "GET";
    private static final String HTTP_POST = "POST";
    private static final String HTTP_PUT = "PUT";
    private static final String HTTP_DELETE = "DELETE";
    private static final String CONFIG_PREFIX = "hadoop.security.kms.client.";
    public static final String TIMEOUT_ATTR = "hadoop.security.kms.client.timeout";
    public static final int DEFAULT_TIMEOUT = 60;
    public static final String AUTH_RETRY = "hadoop.security.kms.client.authentication.retry-count";
    public static final int DEFAULT_AUTH_RETRY = 1;
    private final ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion> encKeyVersionQueue;
    private String kmsUrl;
    private SSLFactory sslFactory;
    private ConnectionConfigurator configurator;
    private DelegationTokenAuthenticatedURL.Token authToken;
    private final int authRetry;
    private final UserGroupInformation actualUgi;

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$EncryptedQueueRefiller.class */
    private class EncryptedQueueRefiller implements ValueQueue.QueueRefiller<KeyProviderCryptoExtension.EncryptedKeyVersion> {
        private EncryptedQueueRefiller() {
        }

        @Override // org.apache.hadoop.crypto.key.kms.ValueQueue.QueueRefiller
        public void fillQueueForKey(String str, Queue<KeyProviderCryptoExtension.EncryptedKeyVersion> queue, int i) throws IOException {
            KMSClientProvider.checkNotNull(str, "keyName");
            HashMap hashMap = new HashMap();
            hashMap.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_GENERATE);
            hashMap.put(KMSRESTConstants.EEK_NUM_KEYS, "" + i);
            HttpURLConnection createConnection = KMSClientProvider.this.createConnection(KMSClientProvider.this.createURL("key", str, KMSRESTConstants.EEK_SUB_RESOURCE, hashMap), "GET");
            createConnection.setRequestProperty("Content-Type", "application/json");
            queue.addAll(KMSClientProvider.parseJSONEncKeyVersion(str, (List) KMSClientProvider.this.call(createConnection, null, 200, List.class)));
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$Factory.class */
    public static class Factory extends KeyProviderFactory {
        @Override // org.apache.hadoop.crypto.key.KeyProviderFactory
        public KeyProvider createProvider(URI uri, Configuration configuration) throws IOException {
            if (!KMSClientProvider.SCHEME_NAME.equals(uri.getScheme())) {
                return null;
            }
            URL url = new URL(KMSClientProvider.extractKMSPath(uri).toString());
            String authority = url.getAuthority();
            if (Strings.isNullOrEmpty(authority)) {
                throw new IOException("No valid authority in kms uri [" + url + "]");
            }
            int i = -1;
            String str = authority;
            if (authority.contains(":")) {
                String[] split = authority.split(":");
                try {
                    i = Integer.parseInt(split[1]);
                    str = split[0];
                } catch (Exception e) {
                    throw new IOException("Could not parse port in kms uri [" + url + "]");
                }
            }
            return createProvider(uri, configuration, url, i, str);
        }

        private KeyProvider createProvider(URI uri, Configuration configuration, URL url, int i, String str) throws IOException {
            String[] split = str.split(";");
            if (split.length == 1) {
                return new KMSClientProvider(uri, configuration);
            }
            KMSClientProvider[] kMSClientProviderArr = new KMSClientProvider[split.length];
            for (int i2 = 0; i2 < split.length; i2++) {
                try {
                    kMSClientProviderArr[i2] = new KMSClientProvider(new URI(KMSClientProvider.SCHEME_NAME, url.getProtocol(), split[i2], i, url.getPath(), null, null), configuration);
                } catch (URISyntaxException e) {
                    throw new IOException("Could not instantiate KMSProvider..", e);
                }
            }
            return new LoadBalancingKMSClientProvider(kMSClientProviderArr, configuration);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$KMSEncryptedKeyVersion.class */
    public static class KMSEncryptedKeyVersion extends KeyProviderCryptoExtension.EncryptedKeyVersion {
        public KMSEncryptedKeyVersion(String str, String str2, byte[] bArr, String str3, byte[] bArr2) {
            super(str, str2, bArr, new KMSKeyVersion(null, str3, bArr2));
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$KMSKeyVersion.class */
    public static class KMSKeyVersion extends KeyProvider.KeyVersion {
        public KMSKeyVersion(String str, String str2, byte[] bArr) {
            super(str, str2, bArr);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$KMSMetadata.class */
    public static class KMSMetadata extends KeyProvider.Metadata {
        public KMSMetadata(String str, int i, String str2, Map<String, String> map, Date date, int i2) {
            super(str, i, str2, map, date, i2);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$TimeoutConnConfigurator.class */
    private static class TimeoutConnConfigurator implements ConnectionConfigurator {
        private ConnectionConfigurator cc;
        private int timeout;

        public TimeoutConnConfigurator(int i, ConnectionConfigurator connectionConfigurator) {
            this.timeout = i;
            this.cc = connectionConfigurator;
        }

        @Override // org.apache.hadoop.security.authentication.client.ConnectionConfigurator
        public HttpURLConnection configure(HttpURLConnection httpURLConnection) throws IOException {
            if (this.cc != null) {
                httpURLConnection = this.cc.configure(httpURLConnection);
            }
            httpURLConnection.setConnectTimeout(this.timeout * 1000);
            httpURLConnection.setReadTimeout(this.timeout * 1000);
            return httpURLConnection;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static List<KeyProviderCryptoExtension.EncryptedKeyVersion> parseJSONEncKeyVersion(String str, List list) {
        LinkedList linkedList = new LinkedList();
        if (!list.isEmpty()) {
            Iterator it2 = list.iterator();
            while (it2.hasNext()) {
                Map map = (Map) it2.next();
                String str2 = (String) checkNotNull((String) map.get(KMSRESTConstants.VERSION_NAME_FIELD), KMSRESTConstants.VERSION_NAME_FIELD);
                byte[] decodeBase64 = Base64.decodeBase64((String) checkNotNull((String) map.get(KMSRESTConstants.IV_FIELD), KMSRESTConstants.IV_FIELD));
                Map map2 = (Map) checkNotNull((Map) map.get(KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD), KMSRESTConstants.ENCRYPTED_KEY_VERSION_FIELD);
                linkedList.add(new KMSEncryptedKeyVersion(str, str2, decodeBase64, (String) checkNotNull((String) map2.get(KMSRESTConstants.VERSION_NAME_FIELD), KMSRESTConstants.VERSION_NAME_FIELD), Base64.decodeBase64((String) checkNotNull((String) map2.get(KMSRESTConstants.MATERIAL_FIELD), KMSRESTConstants.MATERIAL_FIELD))));
            }
        }
        return linkedList;
    }

    private static KeyProvider.KeyVersion parseJSONKeyVersion(Map map) {
        KMSKeyVersion kMSKeyVersion = null;
        if (!map.isEmpty()) {
            kMSKeyVersion = new KMSKeyVersion((String) map.get("name"), (String) map.get(KMSRESTConstants.VERSION_NAME_FIELD), map.containsKey(KMSRESTConstants.MATERIAL_FIELD) ? Base64.decodeBase64((String) map.get(KMSRESTConstants.MATERIAL_FIELD)) : null);
        }
        return kMSKeyVersion;
    }

    private static KeyProvider.Metadata parseJSONMetadata(Map map) {
        KMSMetadata kMSMetadata = null;
        if (!map.isEmpty()) {
            kMSMetadata = new KMSMetadata((String) map.get(KMSRESTConstants.CIPHER_FIELD), ((Integer) map.get("length")).intValue(), (String) map.get(KMSRESTConstants.DESCRIPTION_FIELD), (Map) map.get(KMSRESTConstants.ATTRIBUTES_FIELD), new Date(((Long) map.get(KMSRESTConstants.CREATED_FIELD)).longValue()), ((Integer) map.get(KMSRESTConstants.VERSIONS_FIELD)).intValue());
        }
        return kMSMetadata;
    }

    private static void writeJson(Map map, OutputStream outputStream) throws IOException {
        new ObjectMapper().writerWithDefaultPrettyPrinter().writeValue(new OutputStreamWriter(outputStream, Charsets.UTF_8), map);
    }

    public static <T> T checkNotNull(T t, String str) throws IllegalArgumentException {
        if (t == null) {
            throw new IllegalArgumentException("Parameter '" + str + "' cannot be null");
        }
        return t;
    }

    public static String checkNotEmpty(String str, String str2) throws IllegalArgumentException {
        checkNotNull(str, str2);
        if (str.isEmpty()) {
            throw new IllegalArgumentException("Parameter '" + str2 + "' cannot be empty");
        }
        return str;
    }

    public String toString() {
        StringBuilder sb = new StringBuilder("KMSClientProvider[");
        sb.append(this.kmsUrl).append("]");
        return sb.toString();
    }

    public KMSClientProvider(URI uri, Configuration configuration) throws IOException {
        super(configuration);
        this.kmsUrl = createServiceURL(extractKMSPath(uri));
        if ("https".equalsIgnoreCase(new URL(this.kmsUrl).getProtocol())) {
            this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, configuration);
            try {
                this.sslFactory.init();
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        }
        int i = configuration.getInt(TIMEOUT_ATTR, 60);
        this.authRetry = configuration.getInt(AUTH_RETRY, 1);
        this.configurator = new TimeoutConnConfigurator(i, this.sslFactory);
        this.encKeyVersionQueue = new ValueQueue<>(configuration.getInt(CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE, 500), configuration.getFloat(CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK, 0.3f), configuration.getInt(CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_MS, CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_DEFAULT), configuration.getInt(CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS, 2), new EncryptedQueueRefiller());
        this.authToken = new DelegationTokenAuthenticatedURL.Token();
        this.actualUgi = UserGroupInformation.getCurrentUser().getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY ? UserGroupInformation.getCurrentUser().getRealUser() : UserGroupInformation.getCurrentUser();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Path extractKMSPath(URI uri) throws MalformedURLException, IOException {
        return ProviderUtils.unnestUri(uri);
    }

    private static String createServiceURL(Path path) throws IOException {
        String externalForm = new URL(path.toString()).toExternalForm();
        if (externalForm.endsWith("/")) {
            externalForm = externalForm.substring(0, externalForm.length() - 1);
        }
        return new URL(externalForm + KMSRESTConstants.SERVICE_VERSION + "/").toExternalForm();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public URL createURL(String str, String str2, String str3, Map<String, ?> map) throws IOException {
        try {
            StringBuilder sb = new StringBuilder();
            sb.append(this.kmsUrl);
            if (str != null) {
                sb.append(str);
                if (str2 != null) {
                    sb.append("/").append(URLEncoder.encode(str2, "UTF-8"));
                    if (str3 != null) {
                        sb.append("/").append(str3);
                    }
                }
            }
            URIBuilder uRIBuilder = new URIBuilder(sb.toString());
            if (map != null) {
                for (Map.Entry<String, ?> entry : map.entrySet()) {
                    Object value = entry.getValue();
                    if (value instanceof String) {
                        uRIBuilder.addParameter(entry.getKey(), (String) value);
                    } else {
                        for (String str4 : (String[]) value) {
                            uRIBuilder.addParameter(entry.getKey(), str4);
                        }
                    }
                }
            }
            return uRIBuilder.build().toURL();
        } catch (URISyntaxException e) {
            throw new IOException(e);
        }
    }

    private HttpURLConnection configureConnection(HttpURLConnection httpURLConnection) throws IOException {
        if (this.sslFactory != null) {
            HttpsURLConnection httpsURLConnection = (HttpsURLConnection) httpURLConnection;
            try {
                httpsURLConnection.setSSLSocketFactory(this.sslFactory.createSSLSocketFactory());
                httpsURLConnection.setHostnameVerifier(this.sslFactory.getHostnameVerifier());
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        }
        return httpURLConnection;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public HttpURLConnection createConnection(final URL url, String str) throws IOException {
        try {
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            final String shortUserName = currentUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY ? currentUser.getShortUserName() : null;
            HttpURLConnection httpURLConnection = (HttpURLConnection) this.actualUgi.doAs(new PrivilegedExceptionAction<HttpURLConnection>() { // from class: org.apache.hadoop.crypto.key.kms.KMSClientProvider.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public HttpURLConnection run() throws Exception {
                    return new DelegationTokenAuthenticatedURL(KMSClientProvider.this.configurator).openConnection(url, KMSClientProvider.this.authToken, shortUserName);
                }
            });
            httpURLConnection.setUseCaches(false);
            httpURLConnection.setRequestMethod(str);
            if (str.equals("POST") || str.equals("PUT")) {
                httpURLConnection.setDoOutput(true);
            }
            return configureConnection(httpURLConnection);
        } catch (IOException e) {
            throw e;
        } catch (UndeclaredThrowableException e2) {
            throw new IOException(e2.getUndeclaredThrowable());
        } catch (Exception e3) {
            throw new IOException(e3);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public <T> T call(HttpURLConnection httpURLConnection, Map map, int i, Class<T> cls) throws IOException {
        return (T) call(httpURLConnection, map, i, cls, this.authRetry);
    }

    /* JADX WARN: Multi-variable type inference failed */
    private <T> T call(HttpURLConnection httpURLConnection, Map map, int i, Class<T> cls, int i2) throws IOException {
        T t = null;
        if (map != null) {
            try {
                writeJson(map, httpURLConnection.getOutputStream());
            } catch (IOException e) {
                httpURLConnection.getInputStream().close();
                throw e;
            }
        }
        if ((httpURLConnection.getResponseCode() == 403 && (httpURLConnection.getResponseMessage().equals(ANONYMOUS_REQUESTS_DISALLOWED) || httpURLConnection.getResponseMessage().contains(INVALID_SIGNATURE))) || httpURLConnection.getResponseCode() == 401) {
            this.authToken = new DelegationTokenAuthenticatedURL.Token();
            if (i2 > 0) {
                String requestProperty = httpURLConnection.getRequestProperty("Content-Type");
                HttpURLConnection createConnection = createConnection(httpURLConnection.getURL(), httpURLConnection.getRequestMethod());
                createConnection.setRequestProperty("Content-Type", requestProperty);
                return (T) call(createConnection, map, i, cls, i2 - 1);
            }
        }
        try {
            AuthenticatedURL.extractToken(httpURLConnection, this.authToken);
        } catch (AuthenticationException e2) {
        }
        HttpExceptionUtils.validateResponse(httpURLConnection, i);
        if ("application/json".equalsIgnoreCase(httpURLConnection.getContentType()) && cls != null) {
            ObjectMapper objectMapper = new ObjectMapper();
            InputStream inputStream = null;
            try {
                try {
                    inputStream = httpURLConnection.getInputStream();
                    t = objectMapper.readValue(inputStream, cls);
                    if (inputStream != null) {
                        inputStream.close();
                    }
                } catch (IOException e3) {
                    if (inputStream != null) {
                        inputStream.close();
                    }
                    throw e3;
                }
            } catch (Throwable th) {
                if (inputStream != null) {
                    inputStream.close();
                }
                throw th;
            }
        }
        return t;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion getKeyVersion(String str) throws IOException {
        checkNotEmpty(str, KMSRESTConstants.VERSION_NAME_FIELD);
        return parseJSONKeyVersion((Map) call(createConnection(createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, str, null, null), "GET"), null, 200, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion getCurrentKey(String str) throws IOException {
        checkNotEmpty(str, "name");
        return parseJSONKeyVersion((Map) call(createConnection(createURL("key", str, KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE, null), "GET"), null, 200, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public List<String> getKeys() throws IOException {
        return (List) call(createConnection(createURL(KMSRESTConstants.KEYS_NAMES_RESOURCE, null, null, null), "GET"), null, 200, List.class);
    }

    private List<String[]> createKeySets(String[] strArr) {
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        int i = 0;
        for (String str : strArr) {
            int length = "key".length() + 1 + str.length();
            i += length;
            if (i > 1500) {
                arrayList.add(arrayList2.toArray(new String[arrayList2.size()]));
                arrayList2 = new ArrayList();
                i = length;
            }
            arrayList2.add(str);
        }
        if (!arrayList2.isEmpty()) {
            arrayList.add(arrayList2.toArray(new String[arrayList2.size()]));
        }
        return arrayList;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.Metadata[] getKeysMetadata(String... strArr) throws IOException {
        ArrayList arrayList = new ArrayList();
        for (String[] strArr2 : createKeySets(strArr)) {
            if (strArr.length > 0) {
                HashMap hashMap = new HashMap();
                hashMap.put("key", strArr2);
                Iterator it2 = ((List) call(createConnection(createURL(KMSRESTConstants.KEYS_METADATA_RESOURCE, null, null, hashMap), "GET"), null, 200, List.class)).iterator();
                while (it2.hasNext()) {
                    arrayList.add(parseJSONMetadata((Map) it2.next()));
                }
            }
        }
        return (KeyProvider.Metadata[]) arrayList.toArray(new KeyProvider.Metadata[arrayList.size()]);
    }

    private KeyProvider.KeyVersion createKeyInternal(String str, byte[] bArr, KeyProvider.Options options) throws NoSuchAlgorithmException, IOException {
        checkNotEmpty(str, "name");
        checkNotNull(options, "options");
        HashMap hashMap = new HashMap();
        hashMap.put("name", str);
        hashMap.put(KMSRESTConstants.CIPHER_FIELD, options.getCipher());
        hashMap.put("length", Integer.valueOf(options.getBitLength()));
        if (bArr != null) {
            hashMap.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(bArr));
        }
        if (options.getDescription() != null) {
            hashMap.put(KMSRESTConstants.DESCRIPTION_FIELD, options.getDescription());
        }
        if (options.getAttributes() != null && !options.getAttributes().isEmpty()) {
            hashMap.put(KMSRESTConstants.ATTRIBUTES_FIELD, options.getAttributes());
        }
        HttpURLConnection createConnection = createConnection(createURL(KMSRESTConstants.KEYS_RESOURCE, null, null, null), "POST");
        createConnection.setRequestProperty("Content-Type", "application/json");
        return parseJSONKeyVersion((Map) call(createConnection, hashMap, 201, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion createKey(String str, KeyProvider.Options options) throws NoSuchAlgorithmException, IOException {
        return createKeyInternal(str, null, options);
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion createKey(String str, byte[] bArr, KeyProvider.Options options) throws IOException {
        checkNotNull(bArr, KMSRESTConstants.MATERIAL_FIELD);
        try {
            return createKeyInternal(str, bArr, options);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("It should not happen", e);
        }
    }

    private KeyProvider.KeyVersion rollNewVersionInternal(String str, byte[] bArr) throws NoSuchAlgorithmException, IOException {
        checkNotEmpty(str, "name");
        HashMap hashMap = new HashMap();
        if (bArr != null) {
            hashMap.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(bArr));
        }
        HttpURLConnection createConnection = createConnection(createURL("key", str, null, null), "POST");
        createConnection.setRequestProperty("Content-Type", "application/json");
        KeyProvider.KeyVersion parseJSONKeyVersion = parseJSONKeyVersion((Map) call(createConnection, hashMap, 200, Map.class));
        this.encKeyVersionQueue.drain(str);
        return parseJSONKeyVersion;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion rollNewVersion(String str) throws NoSuchAlgorithmException, IOException {
        return rollNewVersionInternal(str, null);
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion rollNewVersion(String str, byte[] bArr) throws IOException {
        checkNotNull(bArr, KMSRESTConstants.MATERIAL_FIELD);
        try {
            return rollNewVersionInternal(str, bArr);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("It should not happen", e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String str) throws IOException, GeneralSecurityException {
        try {
            return this.encKeyVersionQueue.getNext(str);
        } catch (ExecutionException e) {
            if (e.getCause() instanceof SocketTimeoutException) {
                throw ((SocketTimeoutException) e.getCause());
            }
            throw new IOException(e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(), KMSRESTConstants.VERSION_NAME_FIELD);
        checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), KMSRESTConstants.IV_FIELD);
        Preconditions.checkArgument(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName().equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName());
        checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
        HashMap hashMap = new HashMap();
        hashMap.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
        HashMap hashMap2 = new HashMap();
        hashMap2.put("name", encryptedKeyVersion.getEncryptionKeyName());
        hashMap2.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(encryptedKeyVersion.getEncryptedKeyIv()));
        hashMap2.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
        HttpURLConnection createConnection = createConnection(createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(), KMSRESTConstants.EEK_SUB_RESOURCE, hashMap), "POST");
        createConnection.setRequestProperty("Content-Type", "application/json");
        return parseJSONKeyVersion((Map) call(createConnection, hashMap2, 200, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public List<KeyProvider.KeyVersion> getKeyVersions(String str) throws IOException {
        checkNotEmpty(str, "name");
        List list = (List) call(createConnection(createURL("key", str, KMSRESTConstants.VERSIONS_SUB_RESOURCE, null), "GET"), null, 200, List.class);
        ArrayList arrayList = null;
        if (!list.isEmpty()) {
            arrayList = new ArrayList();
            Iterator it2 = list.iterator();
            while (it2.hasNext()) {
                arrayList.add(parseJSONKeyVersion((Map) it2.next()));
            }
        }
        return arrayList;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.Metadata getMetadata(String str) throws IOException {
        checkNotEmpty(str, "name");
        return parseJSONMetadata((Map) call(createConnection(createURL("key", str, "_metadata", null), "GET"), null, 200, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public void deleteKey(String str) throws IOException {
        checkNotEmpty(str, "name");
        call(createConnection(createURL("key", str, null, null), "DELETE"), null, 200, null);
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public void flush() throws IOException {
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public void warmUpEncryptedKeys(String... strArr) throws IOException {
        try {
            this.encKeyVersionQueue.initializeQueuesForKeys(strArr);
        } catch (ExecutionException e) {
            throw new IOException(e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public void drain(String str) {
        this.encKeyVersionQueue.drain(str);
    }

    @VisibleForTesting
    public int getEncKeyQueueSize(String str) throws IOException {
        try {
            return this.encKeyVersionQueue.getSize(str);
        } catch (ExecutionException e) {
            throw new IOException(e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.DelegationTokenExtension
    public Token<?>[] addDelegationTokens(final String str, Credentials credentials) throws IOException {
        Token<?>[] tokenArr = null;
        if (credentials.getToken(getDelegationTokenService()) == null) {
            final URL createURL = createURL(null, null, null, null);
            final DelegationTokenAuthenticatedURL delegationTokenAuthenticatedURL = new DelegationTokenAuthenticatedURL(this.configurator);
            try {
                UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
                final String shortUserName = currentUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY ? currentUser.getShortUserName() : null;
                Token<? extends TokenIdentifier> token = (Token) this.actualUgi.doAs(new PrivilegedExceptionAction<Token<?>>() { // from class: org.apache.hadoop.crypto.key.kms.KMSClientProvider.2
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Token<?> run() throws Exception {
                        return delegationTokenAuthenticatedURL.getDelegationToken(createURL, new DelegationTokenAuthenticatedURL.Token(), str, shortUserName);
                    }
                });
                if (token == null) {
                    throw new IOException("Got NULL as delegation token");
                }
                credentials.addToken(token.getService(), token);
                tokenArr = new Token[]{token};
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            } catch (Exception e2) {
                throw new IOException(e2);
            }
        }
        return tokenArr;
    }

    private Text getDelegationTokenService() throws IOException {
        URL url = new URL(this.kmsUrl);
        return SecurityUtil.buildTokenService(new InetSocketAddress(url.getHost(), url.getPort()));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public void close() throws IOException {
        try {
            try {
                this.encKeyVersionQueue.shutdown();
                if (this.sslFactory != null) {
                    this.sslFactory.destroy();
                }
            } catch (Exception e) {
                throw new IOException(e);
            }
        } catch (Throwable th) {
            if (this.sslFactory != null) {
                this.sslFactory.destroy();
            }
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    public String getKMSUrl() {
        return this.kmsUrl;
    }
}
