package org.apache.hadoop.hdds.security.token;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.time.Instant;
import java.util.Objects;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
import org.apache.hadoop.hdds.security.token.ShortLivedTokenIdentifier;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/* loaded from: input_file:org/apache/hadoop/hdds/security/token/ShortLivedTokenVerifier.class */
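/**
 * Base verifier for short-lived tokens that are signed with a symmetric
 * {@link ManagedSecretKey} looked up through a {@link SecretKeyVerifierClient}.
 *
 * <p>Verification order is deliberate: the token's password (signature) is
 * checked before any field of the decoded identifier (expiry, service) is
 * trusted, so unauthenticated bytes only ever influence which key is looked up.
 *
 * <p>Subclasses decide which commands require a token, how the identifier is
 * materialised, and which resource of the request the token must be bound to.
 *
 * @param <T> the concrete identifier type this verifier decodes
 */
public abstract class ShortLivedTokenVerifier<T extends ShortLivedTokenIdentifier> implements TokenVerifier {
    private final SecurityConfig conf;
    private final SecretKeyVerifierClient secretKeyClient;

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @param securityConfig security settings exposed to subclasses via {@link #getConf()}
     * @param secretKeyVerifierClient source of the signing keys, queried by key id
     */
    public ShortLivedTokenVerifier(SecurityConfig securityConfig, SecretKeyVerifierClient secretKeyVerifierClient) {
        this.conf = securityConfig;
        this.secretKeyClient = secretKeyVerifierClient;
    }

    /**
     * Whether a token must be presented and verified for the given command type.
     * When this returns {@code false} the request is not inspected at all.
     */
    protected abstract boolean isTokenRequired(ContainerProtos.Type type);

    /** Fresh, empty identifier that {@code readFields} populates from the token bytes. */
    protected abstract T createTokenIdentifier();

    /**
     * The resource the request targets (e.g. a block or container id). Its
     * {@code String.valueOf} form must equal {@link ShortLivedTokenIdentifier#getService()}.
     */
    protected abstract Object getService(ContainerProtos.ContainerCommandRequestProtoOrBuilder cmd);

    /**
     * Subclass hook for additional checks. Only invoked once the signature,
     * expiry and service checks have all passed, so {@code tokenId} is trusted here.
     */
    protected void verify(T tokenId, ContainerProtos.ContainerCommandRequestProtoOrBuilder cmd) throws SCMSecurityException {
    }

    /**
     * Verifies {@code token} for {@code cmd}: decode, authenticate, then check
     * expiry and service binding, then run the subclass hook.
     *
     * <p>NOTE(review): {@code user} is the caller-supplied name and is used only
     * for diagnostics; it is not compared with the identity embedded in the
     * token. Confirm a caller or subclass enforces that binding if it is required.
     *
     * @throws SCMSecurityException if a required token is missing, undecodable,
     *         unsigned by a known/unexpired key, expired, or bound to another service
     */
    @Override // org.apache.hadoop.hdds.security.token.TokenVerifier
    public void verify(String user, Token<?> token, ContainerProtos.ContainerCommandRequestProtoOrBuilder cmd) throws SCMSecurityException {
        if (!isTokenRequired(cmd.getCmdType())) {
            return;
        }
        // A command that requires a token but got none is an auth failure, not an NPE.
        if (token == null) {
            throw new BlockTokenException("Missing token for user: " + user + " to execute: " + cmd.getCmdType());
        }

        T tokenId = decodeIdentifier(token);

        // Authenticate before trusting anything the identifier claims.
        verifyTokenPassword(tokenId, token.getPassword());

        UserGroupInformation tokenUser = tokenId.getUser();
        if (tokenId.isExpired(Instant.now())) {
            throw new BlockTokenException("Expired token for user: " + tokenUser);
        }

        // The token must be bound to exactly the resource this request touches.
        String requested = String.valueOf(getService(cmd));
        if (!Objects.equals(requested, tokenId.getService())) {
            throw new BlockTokenException("ID mismatch. Token for ID: " + tokenId.getService() + " can't be used to access: " + requested + " by user: " + tokenUser);
        }

        verify(tokenId, cmd);
    }

    /**
     * Parses the raw identifier bytes into a fresh {@code T}.
     *
     * <p>The try block is kept to the decode step only: wrapping the later
     * verification calls would let any {@code IOException}-derived security
     * exception be rewrapped as a misleading "Failed to decode token".
     */
    private T decodeIdentifier(Token<?> token) throws SCMSecurityException {
        T tokenId = createTokenIdentifier();
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(token.getIdentifier()))) {
            tokenId.readFields(in);
        } catch (IOException e) {
            throw new BlockTokenException("Failed to decode token : " + token);
        }
        return tokenId;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Security settings this verifier was constructed with. */
    public SecurityConfig getConf() {
        return this.conf;
    }

    /**
     * Checks {@code password} against the key the identifier names.
     *
     * <p>The key id comes from the not-yet-authenticated identifier, which is
     * unavoidable (it selects the key); a bogus id simply yields "key not found".
     * Keys that have expired are refused even if the signature would match.
     * Whether the underlying comparison is constant-time is up to
     * {@link ManagedSecretKey#isValidSignature} and is not visible here.
     *
     * @throws SCMSecurityException if the key is unknown, expired, or the signature is wrong
     */
    private void verifyTokenPassword(ShortLivedTokenIdentifier tokenId, byte[] password) throws SCMSecurityException {
        ManagedSecretKey signingKey = this.secretKeyClient.getSecretKey(tokenId.getSecretKeyId());
        if (signingKey == null) {
            throw new BlockTokenException("Can't find the signing secret key " + tokenId.getSecretKeyId() + " of the token for user: " + tokenId.getUser());
        }
        if (signingKey.isExpired()) {
            throw new BlockTokenException("Token can't be verified due to expired secret key " + tokenId.getSecretKeyId());
        }
        if (!signingKey.isValidSignature((TokenIdentifier) tokenId, password)) {
            throw new BlockTokenException("Invalid token for user: " + tokenId.getUser());
        }
    }
}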
