package org.apache.hadoop.yarn.server.nodemanager.security;

import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.security.ContainerTokenIdentifier;
import org.apache.hadoop.yarn.server.api.records.MasterKey;
import org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager;

/* loaded from: input_file:lib/hadoop-yarn-server-nodemanager-0.23.7.jar:org/apache/hadoop/yarn/server/nodemanager/security/NMContainerTokenSecretManager.class */
public class NMContainerTokenSecretManager extends BaseContainerTokenSecretManager {
    private static final Log LOG = LogFactory.getLog(NMContainerTokenSecretManager.class);
    private BaseContainerTokenSecretManager.MasterKeyData previousMasterKey;
    private final Map<ApplicationId, ConcurrentMap<ContainerId, BaseContainerTokenSecretManager.MasterKeyData>> oldMasterKeys;

    public NMContainerTokenSecretManager(Configuration configuration) {
        super(configuration);
        this.oldMasterKeys = new HashMap();
    }

    @InterfaceAudience.Private
    public synchronized void setMasterKey(MasterKey masterKey) {
        LOG.info("Rolling master-key for container-tokens, got key with id " + masterKey.getKeyId());
        if (this.currentMasterKey == null) {
            this.currentMasterKey = new BaseContainerTokenSecretManager.MasterKeyData(masterKey);
        } else if (this.currentMasterKey.getMasterKey().getKeyId() != masterKey.getKeyId()) {
            this.previousMasterKey = this.currentMasterKey;
            this.currentMasterKey = new BaseContainerTokenSecretManager.MasterKeyData(masterKey);
        }
    }

    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.apache.hadoop.yarn.server.security.BaseContainerTokenSecretManager, org.apache.hadoop.security.token.SecretManager
    public synchronized byte[] retrievePassword(ContainerTokenIdentifier containerTokenIdentifier) throws SecretManager.InvalidToken {
        int masterKeyId = containerTokenIdentifier.getMasterKeyId();
        ContainerId containerID = containerTokenIdentifier.getContainerID();
        ApplicationId applicationId = containerID.getApplicationAttemptId().getApplicationId();
        BaseContainerTokenSecretManager.MasterKeyData masterKeyData = null;
        if (this.previousMasterKey != null && masterKeyId == this.previousMasterKey.getMasterKey().getKeyId()) {
            masterKeyData = this.previousMasterKey;
        } else if (masterKeyId == this.currentMasterKey.getMasterKey().getKeyId()) {
            masterKeyData = this.currentMasterKey;
        } else if (this.oldMasterKeys.containsKey(applicationId) && this.oldMasterKeys.get(applicationId).containsKey(containerID)) {
            masterKeyData = this.oldMasterKeys.get(applicationId).get(containerID);
        }
        if (masterKeyData != null) {
            return retrievePasswordInternal(containerTokenIdentifier, masterKeyData);
        }
        throw new SecretManager.InvalidToken("Given Container " + containerTokenIdentifier.getContainerID().toString() + " seems to have an illegally generated token.");
    }

    public synchronized void startContainerSuccessful(ContainerTokenIdentifier containerTokenIdentifier) {
        if (UserGroupInformation.isSecurityEnabled()) {
            int masterKeyId = containerTokenIdentifier.getMasterKeyId();
            if (this.currentMasterKey.getMasterKey().getKeyId() == masterKeyId) {
                addKeyForContainerId(containerTokenIdentifier.getContainerID(), this.currentMasterKey);
            } else {
                if (this.previousMasterKey == null || this.previousMasterKey.getMasterKey().getKeyId() != masterKeyId) {
                    return;
                }
                addKeyForContainerId(containerTokenIdentifier.getContainerID(), this.previousMasterKey);
            }
        }
    }

    public synchronized boolean isValidStartContainerRequest(ContainerTokenIdentifier containerTokenIdentifier) {
        ContainerId containerID = containerTokenIdentifier.getContainerID();
        ApplicationId applicationId = containerID.getApplicationAttemptId().getApplicationId();
        return (this.oldMasterKeys.containsKey(applicationId) && this.oldMasterKeys.get(applicationId).containsKey(containerID)) ? false : true;
    }

    private synchronized void addKeyForContainerId(ContainerId containerId, BaseContainerTokenSecretManager.MasterKeyData masterKeyData) {
        if (containerId == null) {
            LOG.warn("Not adding key for null containerId");
            return;
        }
        ApplicationId applicationId = containerId.getApplicationAttemptId().getApplicationId();
        if (!this.oldMasterKeys.containsKey(applicationId)) {
            this.oldMasterKeys.put(applicationId, new ConcurrentHashMap());
        }
        this.oldMasterKeys.get(applicationId).put(containerId, masterKeyData);
    }

    public synchronized void appFinished(ApplicationId applicationId) {
        this.oldMasterKeys.remove(applicationId);
    }
}
