package org.apache.hadoop.hdds.security;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.security.exception.OzoneSecurityException;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateNotification;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.slf4j.Logger;

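/**
 * Base secret manager for Ozone tokens.
 *
 * <p>Token passwords are not HMACs: they are asymmetric signatures over the
 * serialized token identifier, made with the private key of the certificate
 * held by the {@link CertificateClient} passed to {@link #start}. The signing
 * key is wrapped in an {@link OzoneSecretKey} whose expiry is the
 * certificate's {@code notAfter}, and it is rotated whenever the certificate
 * client reports a renewal via {@link #notifyCertificateRenewed}.
 *
 * <p>Thread-safety: {@link #start} and {@link #stop} are synchronized; the
 * key id, sequence number and current key are held in atomics. The
 * certificate client reference itself is set in {@link #start} and read from
 * the renewal callback without further synchronization.
 *
 * @param <T> the token identifier type this manager issues and verifies
 */
@InterfaceStability.Unstable
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hdds/security/OzoneSecretManager.class */
public abstract class OzoneSecretManager<T extends TokenIdentifier> extends SecretManager<T> implements CertificateNotification {
    private final Logger logger;
    private final SecurityConfig securityConfig;
    private final long tokenMaxLifetime;
    private final long tokenRenewInterval;
    private final Text service;
    // Assigned in start() (under the monitor) and read by
    // notifyCertificateRenewed(), which the certificate client invokes.
    // NOTE(review): not volatile; visibility relies on the caller's threading — confirm.
    private CertificateClient certClient;
    private volatile boolean running;
    // Monotonic id handed to each new OzoneSecretKey (see updateCurrentKey).
    private final AtomicInteger currentKeyId = new AtomicInteger();
    // Sequence number for issued delegation tokens; subclasses persist/restore it.
    private final AtomicInteger tokenSequenceNumber = new AtomicInteger();
    // Signing key currently in use; null until start() has run.
    private final AtomicReference<OzoneSecretKey> currentKey = new AtomicReference<>();

    /**
     * Creates a manager that is not yet running; call {@link #start} to bind
     * a certificate client and install the first signing key.
     *
     * @param securityConfig     source of the signature algorithm name
     * @param tokenMaxLifetime   maximum token lifetime, exposed via {@link #getTokenMaxLifetime}
     * @param tokenRenewInterval token renew interval, exposed via {@link #getTokenRenewInterval}
     * @param service            service name stamped into issued tokens
     * @param logger             logger used for all diagnostics of this manager
     */
    public OzoneSecretManager(SecurityConfig securityConfig, long tokenMaxLifetime, long tokenRenewInterval, Text service, Logger logger) {
        this.securityConfig = securityConfig;
        this.tokenMaxLifetime = tokenMaxLifetime;
        this.tokenRenewInterval = tokenRenewInterval;
        this.service = service;
        this.logger = logger;
    }

    /**
     * Signs {@code identifier} with {@code privateKey} using the configured
     * signature algorithm and returns the raw signature as the token password.
     *
     * <p>Despite the wording of the error message and result code, no HMAC is
     * involved; the password is an asymmetric signature.
     *
     * @param identifier serialized token identifier to sign
     * @param privateKey signing key
     * @return the signature bytes
     * @throws OzoneSecurityException with {@code SECRET_MANAGER_HMAC_ERROR} if the
     *         algorithm is unavailable, the key is unusable, or signing fails
     */
    public byte[] createPassword(byte[] identifier, PrivateKey privateKey) throws OzoneSecurityException {
        try {
            Signature signature = Signature.getInstance(getDefaultSignatureAlgorithm());
            signature.initSign(privateKey);
            signature.update(identifier);
            return signature.sign();
        } catch (InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            throw new OzoneSecurityException("Error while creating HMAC hash for token.", e, OzoneSecurityException.ResultCodes.SECRET_MANAGER_HMAC_ERROR);
        }
    }

    /**
     * Creates the password for a token identifier using the current signing key.
     *
     * <p>Best effort: if serialization or signing fails with an
     * {@link IOException}, the failure is logged and {@code null} is returned
     * rather than propagated. Requires {@link #start} to have installed a
     * current key; otherwise the unboxed key lookup throws.
     *
     * @param identifier the token identifier to sign
     * @return the signature bytes, or {@code null} on failure
     */
    public byte[] createPassword(T identifier) {
        OzoneSecretKey key = this.currentKey.get();
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("Creating password for identifier: {}, currentKey: {}", formatTokenId(identifier), Integer.valueOf(key.getKeyId()));
        }
        byte[] password = null;
        try {
            password = createPassword(identifier.getBytes(), key.getPrivateKey());
        } catch (IOException e) {
            // Logged, not rethrown: the SecretManager contract returns a byte[].
            this.logger.error("Could not store token {}!!", formatTokenId(identifier), e);
        }
        return password;
    }

    /**
     * Renews the given token on behalf of {@code renewer}.
     *
     * @param token   token to renew
     * @param renewer identity requesting the renewal
     * @return the new expiry time
     * @throws IOException if the token cannot be renewed
     */
    public abstract long renewToken(Token<T> token, String renewer) throws IOException;

    /**
     * Cancels the given token on behalf of {@code canceller}.
     *
     * @param token     token to cancel
     * @param canceller identity requesting the cancellation
     * @return the identifier of the cancelled token
     * @throws IOException if the token cannot be cancelled
     */
    public abstract T cancelToken(Token<T> token, String canceller) throws IOException;

    /** Advances the key id counter and returns the new value. */
    public int incrementCurrentKeyId() {
        return this.currentKeyId.incrementAndGet();
    }

    /** Returns the current delegation token sequence number. */
    public int getDelegationTokenSeqNum() {
        return this.tokenSequenceNumber.get();
    }

    /** Overwrites the delegation token sequence number (e.g. when restoring state). */
    public void setDelegationTokenSeqNum(int seqNum) {
        this.tokenSequenceNumber.set(seqNum);
    }

    /** Advances the delegation token sequence number and returns the new value. */
    public int incrementDelegationTokenSeqNum() {
        return this.tokenSequenceNumber.incrementAndGet();
    }

    /**
     * Installs a new signing key built from {@code keyPair} and {@code certificate}.
     * The key's expiry is the certificate's {@code notAfter} and its id is the
     * next value of the key id counter.
     *
     * @param keyPair     key pair whose private key signs tokens
     * @param certificate certificate that bounds the key's validity
     * @return the newly installed key
     */
    private OzoneSecretKey updateCurrentKey(KeyPair keyPair, X509Certificate certificate) {
        String certSerialId = certificate.getSerialNumber().toString();
        this.logger.info("Updating current master key for generating tokens. Cert id {}", certSerialId);
        OzoneSecretKey newKey = new OzoneSecretKey(incrementCurrentKeyId(), certificate.getNotAfter().getTime(), keyPair, certSerialId);
        this.currentKey.set(newKey);
        return newKey;
    }

    /**
     * Callback from the certificate client after a renewal: rotates the signing
     * key to the client's current certificate and key pair.
     *
     * <p>The reported old/new serial ids are compared against what this manager
     * and the bound client hold, but a mismatch is only logged — the rotation
     * proceeds regardless. The {@code certificateClient} argument is not used;
     * the client bound in {@link #start} is consulted instead. Note that this
     * runs even after {@link #stop}, since nothing unregisters the receiver.
     *
     * @param certificateClient the client reporting the renewal (unused)
     * @param oldCertId         serial id of the certificate being replaced; may be null
     * @param newCertId         serial id of the renewed certificate; may be null
     */
    public void notifyCertificateRenewed(CertificateClient certificateClient, String oldCertId, String newCertId) {
        // Null-safe: a null id from the caller must not NPE before the rotation.
        if (!Objects.equals(oldCertId, getCertSerialId())) {
            this.logger.info("Old certificate Id doesn't match. Holding {}, oldCertId {}", getCertSerialId(), oldCertId);
        }
        // Read the client's certificate once so the id we check is the one we install.
        X509Certificate clientCert = this.certClient.getCertificate();
        String clientCertId = clientCert.getSerialNumber().toString();
        if (!Objects.equals(newCertId, clientCertId)) {
            this.logger.info("New certificate Id doesn't match. Holding in caClient {}, newCertId {}", newCertId, clientCertId);
        }
        this.logger.info("Certificate is changed from {} to {}", oldCertId, newCertId);
        updateCurrentKey(new KeyPair(this.certClient.getPublicKey(), this.certClient.getPrivateKey()), clientCert);
    }

    /**
     * Renders a token identifier for log messages.
     *
     * @param identifier the identifier to render
     * @return the identifier's {@code toString()} wrapped in parentheses
     */
    public String formatTokenId(T identifier) {
        return "(" + identifier + ")";
    }

    /**
     * Binds the certificate client, installs the first signing key from its
     * current key pair and certificate, and subscribes to renewal notifications.
     *
     * @param certificateClient client providing the signing key and certificate
     * @throws IOException declared for subclasses; not thrown by this implementation
     * @throws IllegalStateException if the manager is already running
     */
    public synchronized void start(CertificateClient certificateClient) throws IOException {
        Preconditions.checkState(!isRunning());
        setCertClient(certificateClient);
        updateCurrentKey(new KeyPair(this.certClient.getPublicKey(), this.certClient.getPrivateKey()), this.certClient.getCertificate());
        certificateClient.registerNotificationReceiver(this);
        setIsRunning(true);
    }

    /**
     * Marks the manager as stopped. The current key and the certificate client
     * binding are retained, and the renewal receiver stays registered.
     *
     * @throws IOException declared for subclasses; not thrown by this implementation
     */
    public synchronized void stop() throws IOException {
        setIsRunning(false);
    }

    /** Returns the signature algorithm name from the security configuration. */
    public String getDefaultSignatureAlgorithm() {
        return this.securityConfig.getSignatureAlgo();
    }

    /** Returns the maximum token lifetime given at construction. */
    public long getTokenMaxLifetime() {
        return this.tokenMaxLifetime;
    }

    /** Returns the token renew interval given at construction. */
    public long getTokenRenewInterval() {
        return this.tokenRenewInterval;
    }

    /** Returns the service name given at construction. */
    public Text getService() {
        return this.service;
    }

    /** Returns whether {@link #start} has completed and {@link #stop} has not been called since. */
    public boolean isRunning() {
        return this.running;
    }

    /** Sets the running flag directly; normally driven by {@link #start}/{@link #stop}. */
    public void setIsRunning(boolean isRunning) {
        this.running = isRunning;
    }

    /** Returns the current signing key, or {@code null} before {@link #start}. */
    public OzoneSecretKey getCurrentKey() {
        return this.currentKey.get();
    }

    /** Returns the live key id counter (not a copy). */
    public AtomicInteger getCurrentKeyId() {
        return this.currentKeyId;
    }

    /**
     * Returns the serial id of the certificate backing the current key.
     *
     * @throws NullPointerException if no key has been installed yet
     */
    public String getCertSerialId() {
        return this.currentKey.get().getCertSerialId();
    }

    /** Returns the live token sequence counter (not a copy). */
    public AtomicInteger getTokenSequenceNumber() {
        return this.tokenSequenceNumber;
    }

    /** Returns the bound certificate client, or {@code null} before {@link #start}. */
    public CertificateClient getCertClient() {
        return this.certClient;
    }

    /** Binds the certificate client; {@link #start} calls this before installing a key. */
    public void setCertClient(CertificateClient certificateClient) {
        this.certClient = certificateClient;
    }
}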
