package org.apache.accumulo.server.security.delegation;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.Maps;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import javax.crypto.SecretKey;
import org.apache.accumulo.core.client.AccumuloException;
import org.apache.accumulo.core.client.admin.DelegationTokenConfig;
import org.apache.accumulo.core.clientImpl.AuthenticationTokenIdentifier;
import org.apache.accumulo.core.data.InstanceId;
import org.apache.accumulo.core.securityImpl.thrift.TAuthenticationTokenIdentifier;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.zookeeper.KeeperException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/accumulo/server/security/delegation/AuthenticationTokenSecretManager.class */
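/**
 * Creates and re-derives the passwords that protect delegation-token identifiers.
 *
 * <p>Signing keys are registered with {@link #addKey(AuthenticationKey)}; the key with the highest
 * key id seen so far is used to sign new tokens, and every registered key stays available for
 * verification until it is removed. Passwords are produced by the inherited
 * {@code SecretManager.createPassword(byte[], SecretKey)} over the serialized identifier.
 *
 * <p>Thread-safety: {@code currentKey} is guarded by this object's monitor; {@code allKeys} is a
 * {@link ConcurrentHashMap} and is read without the monitor in
 * {@link #retrievePassword(AuthenticationTokenIdentifier)}.
 *
 * <p>This listing is decompiler output: several methods that were {@code protected} or
 * package-private in the compiled class appear as {@code public}, and {@code createIdentifier}
 * appears under a decompiler-generated name.
 */
public class AuthenticationTokenSecretManager extends SecretManager<AuthenticationTokenIdentifier> {
    private static final Logger log = LoggerFactory.getLogger(AuthenticationTokenSecretManager.class);
    private final InstanceId instanceID;
    // Upper bound, in milliseconds, on the lifetime of any token issued by this manager.
    private final long tokenMaxLifetime;
    // Every key that may still verify a token, indexed by key id.
    private final ConcurrentHashMap<Integer, AuthenticationKey> allKeys = new ConcurrentHashMap<>();
    // Key used to sign new tokens; guarded by "this".
    private AuthenticationKey currentKey;

    /**
     * @param instanceId the instance this manager issues tokens for; must not be null
     * @param j the maximum token lifetime in milliseconds; must be positive
     * @throws NullPointerException if {@code instanceId} is null
     * @throws IllegalArgumentException if {@code j} is not positive
     */
    public AuthenticationTokenSecretManager(InstanceId instanceId, long j) {
        Objects.requireNonNull(instanceId);
        Preconditions.checkArgument(j > 0, "Max lifetime must be positive");
        this.instanceID = instanceId;
        this.tokenMaxLifetime = j;
    }

    /**
     * Stamps the identifier with an issue date and expiration date, honouring a shorter lifetime
     * requested through the config, and then signs it.
     *
     * <p>A requested lifetime can only shorten the token: a request that would outlive the
     * configured maximum is rejected instead of being silently clamped.
     *
     * @param authenticationTokenIdentifier the identifier to stamp and sign; it is mutated
     * @param delegationTokenConfig optional per-request settings; may be null
     * @return the password for the stamped identifier
     * @throws IllegalStateException if the requested lifetime exceeds the configured maximum, or
     *         if no signing key has been registered
     */
    private byte[] createPassword(AuthenticationTokenIdentifier authenticationTokenIdentifier, DelegationTokenConfig delegationTokenConfig) {
        authenticationTokenIdentifier.setIssueDate(System.currentTimeMillis());
        authenticationTokenIdentifier.setExpirationDate(calculateExpirationDate());
        if (delegationTokenConfig != null) {
            long requestedLifetime = delegationTokenConfig.getTokenLifetime(TimeUnit.MILLISECONDS);
            if (requestedLifetime > 0) {
                long issuedAt = authenticationTokenIdentifier.getIssueDate();
                long requestedExpiration = issuedAt + requestedLifetime;
                if (requestedExpiration < issuedAt) {
                    // The addition wrapped around; saturate so the maximum-lifetime check below
                    // still sees an over-long request.
                    requestedExpiration = Long.MAX_VALUE;
                }
                if (requestedExpiration > authenticationTokenIdentifier.getExpirationDate()) {
                    throw new IllegalStateException("Requested token lifetime exceeds configured maximum");
                }
                log.trace("Overriding token expiration date from {} to {}", authenticationTokenIdentifier.getExpirationDate(), requestedExpiration);
                authenticationTokenIdentifier.setExpirationDate(requestedExpiration);
            }
        }
        return createPassword(authenticationTokenIdentifier);
    }

    /**
     * Returns the current time plus the configured maximum lifetime, saturating at
     * {@link Long#MAX_VALUE} when the sum overflows.
     */
    private long calculateExpirationDate() {
        long now = System.currentTimeMillis();
        long expiration = now + this.tokenMaxLifetime;
        return expiration < now ? Long.MAX_VALUE : expiration;
    }

    /**
     * Binds the identifier to the current signing key and this instance, fills in any missing
     * issue or expiration date, and returns the password for the resulting identifier bytes.
     *
     * <p>Decompiler note: this method was {@code protected} in the compiled class.
     *
     * @param authenticationTokenIdentifier the identifier to sign; it is mutated
     * @return the password computed with the current key
     * @throws IllegalStateException if no signing key has been registered yet
     */
    public byte[] createPassword(AuthenticationTokenIdentifier authenticationTokenIdentifier) {
        AuthenticationKey signingKey;
        synchronized (this) {
            signingKey = this.currentKey;
        }
        if (signingKey == null) {
            // Fail with a diagnosable message instead of a bare NullPointerException when a token
            // is requested before any key was added, or after removeAllKeys().
            throw new IllegalStateException("No current AuthenticationKey is available to sign delegation tokens");
        }
        authenticationTokenIdentifier.setKeyId(signingKey.getKeyId());
        authenticationTokenIdentifier.setInstanceId(this.instanceID);
        if (!authenticationTokenIdentifier.isSetIssueDate()) {
            authenticationTokenIdentifier.setIssueDate(System.currentTimeMillis());
        }
        if (!authenticationTokenIdentifier.isSetExpirationDate()) {
            authenticationTokenIdentifier.setExpirationDate(calculateExpirationDate());
        }
        return createPassword(authenticationTokenIdentifier.getBytes(), signingKey.getKey());
    }

    /**
     * Re-derives the password a presented identifier must carry.
     *
     * <p>The identifier is rejected when it has expired, when its issue date lies in the future,
     * or when its key id is not registered. Only the key's presence in the key map is checked
     * here, not the key's own expiration date, so verification depends on
     * {@link #removeExpiredKeys(ZooAuthenticationKeyDistributor)} being run to retire old keys.
     * This method does not compare the result with the presented password; that comparison is
     * left to the caller.
     *
     * @param authenticationTokenIdentifier the identifier taken from the presented token
     * @return the expected password for the identifier
     * @throws SecretManager.InvalidToken if the identifier is expired, future-dated, or signed
     *         with an unknown key id
     */
    public byte[] retrievePassword(AuthenticationTokenIdentifier authenticationTokenIdentifier) throws SecretManager.InvalidToken {
        long now = System.currentTimeMillis();
        if (authenticationTokenIdentifier.getExpirationDate() < now) {
            throw new SecretManager.InvalidToken("Token has expired");
        }
        if (authenticationTokenIdentifier.getIssueDate() > now) {
            throw new SecretManager.InvalidToken("Token issued in the future");
        }
        AuthenticationKey verificationKey = this.allKeys.get(authenticationTokenIdentifier.getKeyId());
        if (verificationKey == null) {
            throw new SecretManager.InvalidToken("Unknown manager key for token (id=" + authenticationTokenIdentifier.getKeyId() + ")");
        }
        return createPassword(authenticationTokenIdentifier.getBytes(), verificationKey.getKey());
    }

    /**
     * Creates an empty identifier.
     *
     * <p>Decompiler note: the method name is decompiler-generated; the accompanying decompiler
     * comment gives the compiled name as {@code createIdentifier}.
     */
    /* renamed from: createIdentifier, reason: merged with bridge method [inline-methods] */
    public AuthenticationTokenIdentifier m89createIdentifier() {
        return new AuthenticationTokenIdentifier(new TAuthenticationTokenIdentifier());
    }

    /**
     * Issues a delegation token for the given principal.
     *
     * @param str the principal the token is issued to; must not be null
     * @param delegationTokenConfig per-request settings such as a shorter lifetime; must not be
     *        null
     * @return the token paired with the identifier it was built from
     * @throws NullPointerException if either argument is null
     * @throws AccumuloException if the token could not be created, for example because the
     *         requested lifetime exceeds the maximum or no signing key is registered
     */
    public Map.Entry<Token<AuthenticationTokenIdentifier>, AuthenticationTokenIdentifier> generateToken(String str, DelegationTokenConfig delegationTokenConfig) throws AccumuloException {
        Objects.requireNonNull(str);
        Objects.requireNonNull(delegationTokenConfig);
        AuthenticationTokenIdentifier identifier = new AuthenticationTokenIdentifier(new TAuthenticationTokenIdentifier(str));
        StringBuilder serviceName = new StringBuilder("AccumuloDelegationToken");
        // NOTE(review): the instance id is only assigned inside createPassword below, so for a
        // freshly built identifier this branch looks unlikely to be taken; confirm the intent.
        if (identifier.getInstanceId() != null) {
            serviceName.append("-").append(identifier.getInstanceId());
        }
        try {
            // createPassword stamps the key id, instance id and dates onto the identifier, so it
            // must run before the identifier is serialized into the token. Passing getBytes() and
            // createPassword(...) as arguments of one call would serialize first (Java evaluates
            // arguments left to right) and ship bytes that do not match the signed ones.
            byte[] password = createPassword(identifier, delegationTokenConfig);
            Token<AuthenticationTokenIdentifier> token =
                new Token<>(identifier.getBytes(), password, identifier.getKind(), new Text(serviceName.toString()));
            return Maps.immutableEntry(token, identifier);
        } catch (RuntimeException e) {
            // Keep the cause so the original failure stays visible in server-side stack traces.
            throw new AccumuloException(e.getMessage(), e);
        }
    }

    /**
     * Registers a key for verification and promotes it to the signing key when no signing key is
     * set or when its key id is higher than the current one.
     *
     * @param authenticationKey the key to register; must not be null
     * @throws NullPointerException if {@code authenticationKey} is null
     */
    public synchronized void addKey(AuthenticationKey authenticationKey) {
        Objects.requireNonNull(authenticationKey);
        int keyId = authenticationKey.getKeyId();
        log.debug("Adding AuthenticationKey with keyId {}", keyId);
        this.allKeys.put(keyId, authenticationKey);
        if (this.currentKey == null || keyId > this.currentKey.getKeyId()) {
            this.currentKey = authenticationKey;
        }
    }

    /**
     * Removes the key with the given id from the verification map.
     *
     * <p>NOTE(review): {@code currentKey} is left untouched, so removing the id of the current
     * signing key leaves tokens being signed with a key this manager can no longer verify;
     * confirm that callers never remove the current key.
     *
     * <p>Decompiler note: this method was package-private in the compiled class.
     *
     * @param num the key id to remove; must not be null
     * @return {@code true} if a key was registered under that id
     * @throws NullPointerException if {@code num} is null
     */
    public synchronized boolean removeKey(Integer num) {
        Objects.requireNonNull(num);
        log.debug("Removing AuthenticationKey with keyId {}", num);
        return this.allKeys.remove(num) != null;
    }

    /**
     * Returns the key currently used to sign new tokens, or null when none is set.
     *
     * <p>Synchronized so the read observes writes made under the monitor by
     * {@link #addKey(AuthenticationKey)} and {@link #removeAllKeys()}, matching
     * {@link #isCurrentKeySet()}.
     *
     * <p>Decompiler note: this method was package-private in the compiled class.
     */
    @VisibleForTesting
    public synchronized AuthenticationKey getCurrentKey() {
        return this.currentKey;
    }

    /**
     * Returns the live key map, not a copy; changes made through it affect this manager.
     */
    @VisibleForTesting
    Map<Integer, AuthenticationKey> getKeys() {
        return this.allKeys;
    }

    /**
     * Drops every key whose expiration date has passed and asks the distributor to remove each
     * one as well.
     *
     * <p>A key is removed from the local map before the distributor is called, so a distributor
     * failure leaves that key removed locally. {@code currentKey} is not cleared even when the
     * signing key itself is among the expired keys.
     *
     * <p>Decompiler note: this method was package-private in the compiled class.
     *
     * @param zooAuthenticationKeyDistributor receives each expired key for removal
     * @return the number of keys removed from the local map
     * @throws IllegalStateException if the distributor fails or the thread is interrupted
     */
    public synchronized int removeExpiredKeys(ZooAuthenticationKeyDistributor zooAuthenticationKeyDistributor) {
        long now = System.currentTimeMillis();
        int removed = 0;
        Iterator<Map.Entry<Integer, AuthenticationKey>> entries = this.allKeys.entrySet().iterator();
        while (entries.hasNext()) {
            AuthenticationKey key = entries.next().getValue();
            if (key.getExpirationDate() >= now) {
                continue;
            }
            log.debug("Removing expired delegation token key {}", key.getKeyId());
            entries.remove();
            removed++;
            try {
                zooAuthenticationKeyDistributor.remove(key);
            } catch (KeeperException | InterruptedException e) {
                if (e instanceof InterruptedException) {
                    // Restore the interrupt flag so code further up the stack can still see it.
                    Thread.currentThread().interrupt();
                }
                log.error("Failed to remove AuthenticationKey from ZooKeeper. Exiting", e);
                throw new IllegalStateException(e);
            }
        }
        return removed;
    }

    /** Reports whether a signing key is currently set. */
    synchronized boolean isCurrentKeySet() {
        return this.currentKey != null;
    }

    /** Forgets every verification key and the signing key. */
    public synchronized void removeAllKeys() {
        this.allKeys.clear();
        this.currentKey = null;
    }

    /**
     * Delegates to the inherited secret generator.
     *
     * <p>Decompiler note: this method was {@code protected} in the compiled class.
     */
    public SecretKey generateSecret() {
        return super.generateSecret();
    }

    /**
     * Delegates to {@code SecretManager.createSecretKey(byte[])} to wrap raw key bytes.
     *
     * @param bArr the raw key material
     */
    public static SecretKey createSecretKey(byte[] bArr) {
        return SecretManager.createSecretKey(bArr);
    }
}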
