package org.apache.hadoop.hdfs.protocol.datatransfer;

import com.google.common.base.Charsets;
import com.google.common.collect.Maps;
import com.google.protobuf.ByteString;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos;
import org.apache.hadoop.hdfs.protocolPB.PBHelper;
import org.apache.hadoop.hdfs.security.token.block.BlockPoolTokenSecretManager;
import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;
import org.apache.hadoop.security.SaslInputStream;
import org.apache.hadoop.security.SaslOutputStream;

/* JADX WARN: Classes with same name are omitted:
  input_file:webhdfs.war:WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor.class
  input_file:webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor.class
 */
@InterfaceAudience.Private
/* loaded from: input_file:hadoop-hdfs-httpfs-2.0.3-alpha/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor.class */
public class DataTransferEncryptor {
    public static final Log LOG;
    private static final int ENCRYPTED_TRANSFER_MAGIC_NUMBER = -559038737;
    private static final String NAME_DELIMITER = " ";
    private static final String SERVER_NAME = "0";
    private static final String PROTOCOL = "hdfs";
    private static final String MECHANISM = "DIGEST-MD5";
    private static final Map<String, String> SASL_PROPS;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX WARN: Classes with same name are omitted:
      input_file:webhdfs.war:WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$InvalidMagicNumberException.class
      input_file:webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$InvalidMagicNumberException.class
     */
    @InterfaceAudience.Private
    /* loaded from: input_file:hadoop-hdfs-httpfs-2.0.3-alpha/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$InvalidMagicNumberException.class */
    public static class InvalidMagicNumberException extends IOException {
        private static final long serialVersionUID = 1;

        public InvalidMagicNumberException(int i) {
            super(String.format("Received %x instead of %x from client.", Integer.valueOf(i), Integer.valueOf(DataTransferEncryptor.ENCRYPTED_TRANSFER_MAGIC_NUMBER)));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:webhdfs.war:WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$SaslClientCallbackHandler.class
      input_file:webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$SaslClientCallbackHandler.class
     */
    /* loaded from: input_file:hadoop-hdfs-httpfs-2.0.3-alpha/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$SaslClientCallbackHandler.class */
    public static class SaslClientCallbackHandler implements CallbackHandler {
        private byte[] encryptionKey;
        private String userName;

        public SaslClientCallbackHandler(byte[] bArr, String str) {
            this.encryptionKey = bArr;
            this.userName = str;
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            RealmCallback realmCallback = null;
            for (Callback callback : callbackArr) {
                if (!(callback instanceof RealmChoiceCallback)) {
                    if (callback instanceof NameCallback) {
                        nameCallback = (NameCallback) callback;
                    } else if (callback instanceof PasswordCallback) {
                        passwordCallback = (PasswordCallback) callback;
                    } else {
                        if (!(callback instanceof RealmCallback)) {
                            throw new UnsupportedCallbackException(callback, "Unrecognized SASL client callback");
                        }
                        realmCallback = (RealmCallback) callback;
                    }
                }
            }
            if (nameCallback != null) {
                nameCallback.setName(this.userName);
            }
            if (passwordCallback != null) {
                passwordCallback.setPassword(DataTransferEncryptor.encryptionKeyToPassword(this.encryptionKey));
            }
            if (realmCallback != null) {
                realmCallback.setText(realmCallback.getDefaultText());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:webhdfs.war:WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$SaslParticipant.class
      input_file:webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$SaslParticipant.class
     */
    /* loaded from: input_file:hadoop-hdfs-httpfs-2.0.3-alpha/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$SaslParticipant.class */
    public static class SaslParticipant {
        public SaslServer saslServer;
        public SaslClient saslClient;

        public SaslParticipant(SaslServer saslServer) {
            this.saslServer = saslServer;
        }

        public SaslParticipant(SaslClient saslClient) {
            this.saslClient = saslClient;
        }

        public byte[] evaluateChallengeOrResponse(byte[] bArr) throws SaslException {
            return this.saslClient != null ? this.saslClient.evaluateChallenge(bArr) : this.saslServer.evaluateResponse(bArr);
        }

        public boolean isComplete() {
            return this.saslClient != null ? this.saslClient.isComplete() : this.saslServer.isComplete();
        }

        public boolean supportsConfidentiality() {
            String str = this.saslClient != null ? (String) this.saslClient.getNegotiatedProperty("javax.security.sasl.qop") : (String) this.saslServer.getNegotiatedProperty("javax.security.sasl.qop");
            return str != null && str.equals("auth-conf");
        }

        /* JADX INFO: Access modifiers changed from: private */
        public IOStreamPair createEncryptedStreamPair(DataOutputStream dataOutputStream, DataInputStream dataInputStream) {
            return this.saslClient != null ? new IOStreamPair(new SaslInputStream(dataInputStream, this.saslClient), new SaslOutputStream(dataOutputStream, this.saslClient)) : new IOStreamPair(new SaslInputStream(dataInputStream, this.saslServer), new SaslOutputStream(dataOutputStream, this.saslServer));
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:webhdfs.war:WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$SaslServerCallbackHandler.class
      input_file:webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$SaslServerCallbackHandler.class
     */
    /* loaded from: input_file:hadoop-hdfs-httpfs-2.0.3-alpha/share/hadoop/httpfs/tomcat/webapps/webhdfs/WEB-INF/lib/hadoop-hdfs-2.0.3-alpha.jar:org/apache/hadoop/hdfs/protocol/datatransfer/DataTransferEncryptor$SaslServerCallbackHandler.class */
    private static class SaslServerCallbackHandler implements CallbackHandler {
        private BlockPoolTokenSecretManager blockPoolTokenSecretManager;

        public SaslServerCallbackHandler(BlockPoolTokenSecretManager blockPoolTokenSecretManager) {
            this.blockPoolTokenSecretManager = blockPoolTokenSecretManager;
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            AuthorizeCallback authorizeCallback = null;
            for (Callback callback : callbackArr) {
                if (callback instanceof AuthorizeCallback) {
                    authorizeCallback = (AuthorizeCallback) callback;
                } else if (callback instanceof PasswordCallback) {
                    passwordCallback = (PasswordCallback) callback;
                } else if (callback instanceof NameCallback) {
                    nameCallback = (NameCallback) callback;
                } else if (!(callback instanceof RealmCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL DIGEST-MD5 Callback: " + callback);
                }
            }
            if (passwordCallback != null) {
                passwordCallback.setPassword(DataTransferEncryptor.encryptionKeyToPassword(DataTransferEncryptor.getEncryptionKeyFromUserName(this.blockPoolTokenSecretManager, nameCallback.getDefaultName())));
            }
            if (authorizeCallback != null) {
                authorizeCallback.setAuthorized(true);
                authorizeCallback.setAuthorizedID(authorizeCallback.getAuthorizationID());
            }
        }
    }

    public static IOStreamPair getEncryptedStreams(OutputStream outputStream, InputStream inputStream, BlockPoolTokenSecretManager blockPoolTokenSecretManager, String str) throws IOException {
        DataInputStream dataInputStream = new DataInputStream(inputStream);
        DataOutputStream dataOutputStream = new DataOutputStream(outputStream);
        HashMap newHashMap = Maps.newHashMap(SASL_PROPS);
        newHashMap.put("com.sun.security.sasl.digest.cipher", str);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Server using encryption algorithm " + str);
        }
        SaslParticipant saslParticipant = new SaslParticipant(Sasl.createSaslServer(MECHANISM, "hdfs", "0", newHashMap, new SaslServerCallbackHandler(blockPoolTokenSecretManager)));
        int readInt = dataInputStream.readInt();
        if (readInt != ENCRYPTED_TRANSFER_MAGIC_NUMBER) {
            throw new InvalidMagicNumberException(readInt);
        }
        try {
            performSaslStep1(dataOutputStream, dataInputStream, saslParticipant);
            sendSaslMessage(dataOutputStream, saslParticipant.evaluateChallengeOrResponse(readSaslMessage(dataInputStream)));
            checkSaslComplete(saslParticipant);
            return saslParticipant.createEncryptedStreamPair(dataOutputStream, dataInputStream);
        } catch (IOException e) {
            if ((e instanceof SaslException) && e.getCause() != null && (e.getCause() instanceof InvalidEncryptionKeyException)) {
                sendInvalidKeySaslErrorMessage(dataOutputStream, e.getCause().getMessage());
            } else {
                sendGenericSaslErrorMessage(dataOutputStream, e.getMessage());
            }
            throw e;
        }
    }

    public static IOStreamPair getEncryptedStreams(OutputStream outputStream, InputStream inputStream, DataEncryptionKey dataEncryptionKey) throws IOException {
        HashMap newHashMap = Maps.newHashMap(SASL_PROPS);
        newHashMap.put("com.sun.security.sasl.digest.cipher", dataEncryptionKey.encryptionAlgorithm);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Client using encryption algorithm " + dataEncryptionKey.encryptionAlgorithm);
        }
        DataOutputStream dataOutputStream = new DataOutputStream(outputStream);
        DataInputStream dataInputStream = new DataInputStream(inputStream);
        String userNameFromEncryptionKey = getUserNameFromEncryptionKey(dataEncryptionKey);
        SaslParticipant saslParticipant = new SaslParticipant(Sasl.createSaslClient(new String[]{MECHANISM}, userNameFromEncryptionKey, "hdfs", "0", newHashMap, new SaslClientCallbackHandler(dataEncryptionKey.encryptionKey, userNameFromEncryptionKey)));
        dataOutputStream.writeInt(ENCRYPTED_TRANSFER_MAGIC_NUMBER);
        dataOutputStream.flush();
        try {
            sendSaslMessage(dataOutputStream, new byte[0]);
            performSaslStep1(dataOutputStream, dataInputStream, saslParticipant);
            byte[] evaluateChallengeOrResponse = saslParticipant.evaluateChallengeOrResponse(readSaslMessage(dataInputStream));
            if (!$assertionsDisabled && evaluateChallengeOrResponse != null) {
                throw new AssertionError();
            }
            checkSaslComplete(saslParticipant);
            return saslParticipant.createEncryptedStreamPair(dataOutputStream, dataInputStream);
        } catch (IOException e) {
            sendGenericSaslErrorMessage(dataOutputStream, e.getMessage());
            throw e;
        }
    }

    private static void performSaslStep1(DataOutputStream dataOutputStream, DataInputStream dataInputStream, SaslParticipant saslParticipant) throws IOException {
        sendSaslMessage(dataOutputStream, saslParticipant.evaluateChallengeOrResponse(readSaslMessage(dataInputStream)));
    }

    private static void checkSaslComplete(SaslParticipant saslParticipant) throws IOException {
        if (!saslParticipant.isComplete()) {
            throw new IOException("Failed to complete SASL handshake");
        }
        if (!saslParticipant.supportsConfidentiality()) {
            throw new IOException("SASL handshake completed, but channel does not support encryption");
        }
    }

    private static void sendSaslMessage(DataOutputStream dataOutputStream, byte[] bArr) throws IOException {
        sendSaslMessage(dataOutputStream, DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.SUCCESS, bArr, null);
    }

    private static void sendInvalidKeySaslErrorMessage(DataOutputStream dataOutputStream, String str) throws IOException {
        sendSaslMessage(dataOutputStream, DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY, null, str);
    }

    private static void sendGenericSaslErrorMessage(DataOutputStream dataOutputStream, String str) throws IOException {
        sendSaslMessage(dataOutputStream, DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR, null, str);
    }

    private static void sendSaslMessage(OutputStream outputStream, DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus dataTransferEncryptorStatus, byte[] bArr, String str) throws IOException {
        DataTransferProtos.DataTransferEncryptorMessageProto.Builder newBuilder = DataTransferProtos.DataTransferEncryptorMessageProto.newBuilder();
        newBuilder.setStatus(dataTransferEncryptorStatus);
        if (bArr != null) {
            newBuilder.setPayload(ByteString.copyFrom(bArr));
        }
        if (str != null) {
            newBuilder.setMessage(str);
        }
        newBuilder.build().writeDelimitedTo(outputStream);
        outputStream.flush();
    }

    private static byte[] readSaslMessage(DataInputStream dataInputStream) throws IOException {
        DataTransferProtos.DataTransferEncryptorMessageProto parseFrom = DataTransferProtos.DataTransferEncryptorMessageProto.parseFrom(PBHelper.vintPrefixed(dataInputStream));
        if (parseFrom.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
            throw new InvalidEncryptionKeyException(parseFrom.getMessage());
        }
        if (parseFrom.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR) {
            throw new IOException(parseFrom.getMessage());
        }
        return parseFrom.getPayload().toByteArray();
    }

    private static String getUserNameFromEncryptionKey(DataEncryptionKey dataEncryptionKey) {
        return dataEncryptionKey.keyId + " " + dataEncryptionKey.blockPoolId + " " + new String(Base64.encodeBase64(dataEncryptionKey.nonce, false), Charsets.UTF_8);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static byte[] getEncryptionKeyFromUserName(BlockPoolTokenSecretManager blockPoolTokenSecretManager, String str) throws IOException {
        String[] split = str.split(" ");
        if (split.length != 3) {
            throw new IOException("Provided name '" + str + "' has " + split.length + " components instead of the expected 3.");
        }
        return blockPoolTokenSecretManager.retrieveDataEncryptionKey(Integer.parseInt(split[0]), split[1], Base64.decodeBase64(split[2]));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static char[] encryptionKeyToPassword(byte[] bArr) {
        return new String(Base64.encodeBase64(bArr, false), Charsets.UTF_8).toCharArray();
    }

    static {
        $assertionsDisabled = !DataTransferEncryptor.class.desiredAssertionStatus();
        LOG = LogFactory.getLog(DataTransferEncryptor.class);
        SASL_PROPS = new TreeMap();
        SASL_PROPS.put("javax.security.sasl.qop", "auth-conf");
        SASL_PROPS.put("javax.security.sasl.server.authentication", "true");
    }
}
