package org.apache.hadoop.hdds.security.token;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.security.cert.X509Certificate;
import org.apache.hadoop.hdds.HddsUtils;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.ozone.shaded.com.google.common.base.Strings;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.util.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/token/BlockTokenVerifier.class */
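/**
 * Verifies Ozone block tokens presented to a datanode before a block
 * operation is served.
 *
 * <p>{@link #verify} accepts a token only when every check below passes,
 * evaluated in this order: the token string is present and decodes into an
 * {@link OzoneBlockTokenIdentifier}; a certificate client is configured; the
 * OM certificate named by the token's serial id is known; the signature over
 * the serialized identifier verifies against that certificate; the token has
 * not expired; and the token's block id equals the block being accessed.
 * Each failure surfaces as a {@link BlockTokenException} (or a plain
 * {@link SCMSecurityException} when no certificate client is available).
 * Verification is skipped entirely when block tokens are disabled in the
 * {@link SecurityConfig} or the command type does not require a token.
 */
public class BlockTokenVerifier implements TokenVerifier {
    private final CertificateClient caClient;
    private final SecurityConfig conf;
    /**
     * Test hook exposed through {@link #isTestStub()} / {@link #setTestStub(boolean)};
     * it is not consulted by {@link #verify}. It is a plain (non-volatile) static,
     * so updates are not guaranteed to be visible across threads.
     */
    private static boolean testStub = false;
    private static final Logger LOGGER = LoggerFactory.getLogger(BlockTokenVerifier.class);

    /**
     * @param securityConfig    decides whether block tokens are enforced at all
     * @param certificateClient resolves OM signer certificates and checks
     *                          signatures; may be {@code null}, in which case
     *                          every token that needs verification is rejected
     */
    public BlockTokenVerifier(SecurityConfig securityConfig, CertificateClient certificateClient) {
        this.conf = securityConfig;
        this.caClient = certificateClient;
    }

    /**
     * @param j token expiry as an epoch timestamp in the unit returned by
     *          {@link Time#now()}
     * @return {@code true} if the current time is strictly past {@code j}
     */
    private boolean isExpired(long j) {
        return Time.now() > j;
    }

    /**
     * Verifies that {@code str2} is a well-formed, unexpired block token signed
     * by a known OM certificate and scoped to block {@code str3}.
     *
     * @param str  user name the request was made as; used in diagnostics only
     * @param str2 URL-encoded block token string taken from the request
     * @param type datanode command being executed; only commands for which
     *             {@link HddsUtils#requireBlockToken} is true are checked
     * @param str3 id of the block the command targets
     * @throws BlockTokenException  if the token is missing, cannot be decoded,
     *                              names an unknown signer certificate, fails
     *                              signature verification, is expired, or was
     *                              issued for a different block
     * @throws SCMSecurityException if no certificate client is available
     */
    @Override // org.apache.hadoop.hdds.security.token.TokenVerifier
    public void verify(String str, String str2, ContainerProtos.Type type, String str3) throws SCMSecurityException {
        if (!this.conf.isBlockTokenEnabled() || !HddsUtils.requireBlockToken(type)) {
            return;
        }
        if (Strings.isNullOrEmpty(str2)) {
            throw new BlockTokenException("Fail to find any token (empty or null.)");
        }
        Token<OzoneBlockTokenIdentifier> token = new Token<>();
        OzoneBlockTokenIdentifier tokenId = new OzoneBlockTokenIdentifier();
        try {
            token.decodeFromUrlString(str2);
            if (LOGGER.isDebugEnabled()) {
                // NOTE(review): relies on Token.toString() omitting the password bytes - confirm.
                LOGGER.debug("Verifying token:{} for user:{} ", token, str);
            }
            tokenId.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
            if (this.caClient == null) {
                throw new SCMSecurityException("Certificate client not available to validate token");
            }
            UserGroupInformation user = tokenId.getUser();
            String signerSerialId = tokenId.getOmCertSerialId();
            X509Certificate signerCert = this.caClient.getCertificate(signerSerialId);
            if (signerCert == null) {
                throw new BlockTokenException("Can't find signer certificate (OmCertSerialId: " + signerSerialId + ") of the block token for user: " + user);
            }
            // The token password is the OM signature over the serialized identifier.
            if (!this.caClient.verifySignature(tokenId.getBytes(), token.getPassword(), signerCert)) {
                throw new BlockTokenException("Invalid block token for user: " + user);
            }
            // Expiry and block scope are only meaningful once the signature is known to be genuine.
            if (isExpired(tokenId.getExpiryDate())) {
                throw new BlockTokenException("Expired block token for user: " + user);
            }
            if (!tokenId.getBlockId().equals(str3)) {
                throw new BlockTokenException("Block id mismatch. Token for block ID: " + tokenId.getBlockId() + " can't be used to access block: " + str3 + " by user: " + user);
            }
        } catch (SCMSecurityException e) {
            // Rethrown unchanged: if this type is an IOException subtype, the catch below
            // would otherwise replace the specific diagnosis with a generic decode failure.
            throw e;
        } catch (IOException e) {
            // Do not echo str2: the encoded token carries the password (signature) bytes,
            // and exception messages end up in datanode logs and client responses.
            LOGGER.debug("Failed to decode block token for user {}", str, e);
            throw new BlockTokenException("Failed to decode block token for user: " + str);
        }
    }

    /** @return the current value of the test hook flag */
    public static boolean isTestStub() {
        return testStub;
    }

    /** @param z new value of the test hook flag; intended for tests only */
    public static void setTestStub(boolean z) {
        testStub = z;
    }
}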
