package org.apache.hadoop.hdds.scm.server;

import com.google.common.annotations.VisibleForTesting;
import com.google.protobuf.BlockingService;
import java.io.IOException;
import java.math.BigInteger;
import java.net.InetSocketAddress;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
import org.apache.hadoop.hdds.protocol.SecretKeyProtocolScm;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecretKeyProtocolProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolPB;
import org.apache.hadoop.hdds.protocolPB.SecretKeyProtocolDatanodePB;
import org.apache.hadoop.hdds.protocolPB.SecretKeyProtocolOmPB;
import org.apache.hadoop.hdds.protocolPB.SecretKeyProtocolScmPB;
import org.apache.hadoop.hdds.scm.ScmUtils;
import org.apache.hadoop.hdds.scm.exceptions.SCMException;
import org.apache.hadoop.hdds.scm.ha.SequenceIdGenerator;
import org.apache.hadoop.hdds.scm.protocol.SCMSecurityProtocolServerSideTranslatorPB;
import org.apache.hadoop.hdds.scm.protocol.SecretKeyProtocolServerSideTranslatorPB;
import org.apache.hadoop.hdds.scm.update.client.UpdateServiceConfig;
import org.apache.hadoop.hdds.scm.update.server.SCMCRLStore;
import org.apache.hadoop.hdds.scm.update.server.SCMUpdateServiceGrpcServer;
import org.apache.hadoop.hdds.security.exception.SCMSecretKeyException;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyManager;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.crl.CRLInfo;
import org.apache.hadoop.hdds.utils.HddsServerUtil;
import org.apache.hadoop.hdds.utils.ProtocolMessageMetrics;
import org.apache.hadoop.ipc.ProtobufRpcEngine;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.UserGroupInformation;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@KerberosInfo(serverPrincipal = "hdds.scm.kerberos.principal")
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hdds/scm/server/SCMSecurityProtocolServer.class */
public class SCMSecurityProtocolServer implements SCMSecurityProtocol, SecretKeyProtocolScm {
    private static final Logger LOGGER = LoggerFactory.getLogger(SCMSecurityProtocolServer.class);
    private CertificateServer rootCertificateServer;
    private final CertificateServer scmCertificateServer;
    private final RPC.Server rpcServer;
    private final SCMUpdateServiceGrpcServer grpcUpdateServer;
    private final InetSocketAddress rpcAddress;
    private final ProtocolMessageMetrics metrics;
    private final ProtocolMessageMetrics secretKeyMetrics;
    private final StorageContainerManager storageContainerManager;
    private final CertificateClient scmCertificateClient;
    private final OzoneConfiguration config;
    private final SequenceIdGenerator sequenceIdGen;
    private final SecretKeyManager secretKeyManager;

    /* JADX INFO: Access modifiers changed from: package-private */
    public SCMSecurityProtocolServer(OzoneConfiguration ozoneConfiguration, @Nullable CertificateServer certificateServer, CertificateServer certificateServer2, CertificateClient certificateClient, StorageContainerManager storageContainerManager, @Nullable SecretKeyManager secretKeyManager) throws IOException {
        this.storageContainerManager = storageContainerManager;
        this.rootCertificateServer = certificateServer;
        this.scmCertificateServer = certificateServer2;
        this.scmCertificateClient = certificateClient;
        this.config = ozoneConfiguration;
        this.sequenceIdGen = storageContainerManager.getSequenceIdGen();
        this.secretKeyManager = secretKeyManager;
        int i = ozoneConfiguration.getInt("ozone.scm.security.handler.count.key", 2);
        this.rpcAddress = HddsServerUtil.getScmSecurityInetAddress(ozoneConfiguration);
        RPC.setProtocolEngine(ozoneConfiguration, SCMSecurityProtocolPB.class, ProtobufRpcEngine.class);
        this.metrics = new ProtocolMessageMetrics("ScmSecurityProtocol", "SCM Security protocol metrics", SCMSecurityProtocolProtos.Type.values());
        this.secretKeyMetrics = new ProtocolMessageMetrics("ScmSecretKeyProtocol", "SCM SecretKey protocol metrics", SCMSecretKeyProtocolProtos.Type.values());
        BlockingService newReflectiveBlockingService = SCMSecurityProtocolProtos.SCMSecurityProtocolService.newReflectiveBlockingService(new SCMSecurityProtocolServerSideTranslatorPB(this, storageContainerManager, this.metrics));
        BlockingService newReflectiveBlockingService2 = SCMSecretKeyProtocolProtos.SCMSecretKeyProtocolService.newReflectiveBlockingService(new SecretKeyProtocolServerSideTranslatorPB(this, storageContainerManager, this.secretKeyMetrics));
        this.rpcServer = StorageContainerManager.startRpcServer(ozoneConfiguration, this.rpcAddress, SCMSecurityProtocolPB.class, newReflectiveBlockingService, i);
        HddsServerUtil.addPBProtocol(ozoneConfiguration, SecretKeyProtocolDatanodePB.class, newReflectiveBlockingService2, this.rpcServer);
        HddsServerUtil.addPBProtocol(ozoneConfiguration, SecretKeyProtocolOmPB.class, newReflectiveBlockingService2, this.rpcServer);
        HddsServerUtil.addPBProtocol(ozoneConfiguration, SecretKeyProtocolScmPB.class, newReflectiveBlockingService2, this.rpcServer);
        if (ozoneConfiguration.getBoolean("hadoop.security.authorization", false)) {
            this.rpcServer.refreshServiceAcl(ozoneConfiguration, SCMPolicyProvider.getInstance());
        }
        this.grpcUpdateServer = new SCMUpdateServiceGrpcServer((UpdateServiceConfig) ozoneConfiguration.getObject(UpdateServiceConfig.class), new SCMCRLStore(certificateServer2));
    }

    public String getDataNodeCertificate(HddsProtos.DatanodeDetailsProto datanodeDetailsProto, String str) throws IOException {
        LOGGER.info("Processing CSR for dn {}, UUID: {}", datanodeDetailsProto.getHostName(), datanodeDetailsProto.getUuid());
        Objects.requireNonNull(datanodeDetailsProto);
        ScmUtils.checkIfCertSignRequestAllowed(this.storageContainerManager.getRootCARotationManager(), false, this.config, "getDataNodeCertificate");
        return getEncodedCertToString(str, HddsProtos.NodeType.DATANODE);
    }

    public String getCertificate(HddsProtos.NodeDetailsProto nodeDetailsProto, String str) throws IOException {
        LOGGER.info("Processing CSR for {} {}, UUID: {}", new Object[]{nodeDetailsProto.getNodeType(), nodeDetailsProto.getHostName(), nodeDetailsProto.getUuid()});
        Objects.requireNonNull(nodeDetailsProto);
        ScmUtils.checkIfCertSignRequestAllowed(this.storageContainerManager.getRootCARotationManager(), false, this.config, "getCertificate");
        return getEncodedCertToString(str, nodeDetailsProto.getNodeType());
    }

    public ManagedSecretKey getCurrentSecretKey() throws SCMSecretKeyException {
        validateSecretKeyStatus();
        return this.secretKeyManager.getCurrentSecretKey();
    }

    public ManagedSecretKey getSecretKey(UUID uuid) throws SCMSecretKeyException {
        validateSecretKeyStatus();
        return this.secretKeyManager.getSecretKey(uuid);
    }

    public List<ManagedSecretKey> getAllSecretKeys() throws SCMSecretKeyException {
        validateSecretKeyStatus();
        return this.secretKeyManager.getSortedKeys();
    }

    private void validateSecretKeyStatus() throws SCMSecretKeyException {
        if (this.secretKeyManager == null) {
            throw new SCMSecretKeyException("Secret keys are not enabled.", SCMSecretKeyException.ErrorCode.SECRET_KEY_NOT_ENABLED);
        }
        if (!this.secretKeyManager.isInitialized()) {
            throw new SCMSecretKeyException("Secret key initialization is not finished yet.", SCMSecretKeyException.ErrorCode.SECRET_KEY_NOT_INITIALIZED);
        }
    }

    public boolean checkAndRotate(boolean z) throws SCMSecretKeyException {
        validateSecretKeyStatus();
        try {
            return this.secretKeyManager.checkAndRotate(z);
        } catch (SCMException e) {
            LOGGER.error("Error rotating secret keys", e);
            throw new SCMSecretKeyException(e.getMessage(), SCMSecretKeyException.ErrorCode.INTERNAL_ERROR);
        }
    }

    public synchronized List<String> getAllRootCaCertificates() throws IOException {
        ArrayList arrayList = new ArrayList();
        Iterator it = (this.scmCertificateClient.getAllRootCaCerts().size() == 0 ? this.scmCertificateClient.getAllCaCerts() : this.scmCertificateClient.getAllRootCaCerts()).iterator();
        while (it.hasNext()) {
            arrayList.add(CertificateCodec.getPEMEncodedString((X509Certificate) it.next()));
        }
        return arrayList;
    }

    public String getOMCertificate(HddsProtos.OzoneManagerDetailsProto ozoneManagerDetailsProto, String str) throws IOException {
        LOGGER.info("Processing CSR for om {}, UUID: {}", ozoneManagerDetailsProto.getHostName(), ozoneManagerDetailsProto.getUuid());
        Objects.requireNonNull(ozoneManagerDetailsProto);
        ScmUtils.checkIfCertSignRequestAllowed(this.storageContainerManager.getRootCARotationManager(), false, this.config, "getOMCertificate");
        return getEncodedCertToString(str, HddsProtos.NodeType.OM);
    }

    public String getSCMCertificate(HddsProtos.ScmNodeDetailsProto scmNodeDetailsProto, String str) throws IOException {
        return getSCMCertificate(scmNodeDetailsProto, str, false);
    }

    public String getSCMCertificate(HddsProtos.ScmNodeDetailsProto scmNodeDetailsProto, String str, boolean z) throws IOException {
        Objects.requireNonNull(scmNodeDetailsProto);
        if (!this.storageContainerManager.getClusterId().equals(scmNodeDetailsProto.getClusterId())) {
            throw new IOException("SCM ClusterId mismatch. Peer SCM ClusterId " + scmNodeDetailsProto.getClusterId() + ", primary SCM ClusterId " + this.storageContainerManager.getClusterId());
        }
        ScmUtils.checkIfCertSignRequestAllowed(this.storageContainerManager.getRootCARotationManager(), z, this.config, "getSCMCertificate");
        LOGGER.info("Processing CSR for scm {}, nodeId: {}", scmNodeDetailsProto.getHostName(), scmNodeDetailsProto.getScmNodeId());
        return getEncodedCertToString(str, HddsProtos.NodeType.SCM);
    }

    private synchronized String getEncodedCertToString(String str, HddsProtos.NodeType nodeType) throws IOException {
        PKCS10CertificationRequest certificationRequest = CertificateSignRequest.getCertificationRequest(str);
        try {
            return CertificateCodec.getPEMEncodedString((CertPath) ((nodeType != HddsProtos.NodeType.SCM || this.rootCertificateServer == null) ? this.scmCertificateServer.requestCertificate(certificationRequest, CertificateApprover.ApprovalType.KERBEROS_TRUSTED, nodeType, getNextCertificateId()) : this.rootCertificateServer.requestCertificate(certificationRequest, CertificateApprover.ApprovalType.KERBEROS_TRUSTED, nodeType, getNextCertificateId())).get());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw generateException(e, nodeType);
        } catch (ExecutionException e2) {
            if (e2.getCause() == null) {
                throw generateException(e2, nodeType);
            }
            if (e2.getCause() instanceof SCMSecurityException) {
                throw e2.getCause();
            }
            throw generateException(e2, nodeType);
        }
    }

    private SCMSecurityException generateException(Exception exc, HddsProtos.NodeType nodeType) {
        return new SCMSecurityException("generate " + nodeType.toString() + " Certificate operation failed", exc, nodeType == HddsProtos.NodeType.SCM ? SCMSecurityException.ErrorCode.GET_SCM_CERTIFICATE_FAILED : nodeType == HddsProtos.NodeType.OM ? SCMSecurityException.ErrorCode.GET_OM_CERTIFICATE_FAILED : nodeType == HddsProtos.NodeType.DATANODE ? SCMSecurityException.ErrorCode.GET_DN_CERTIFICATE_FAILED : SCMSecurityException.ErrorCode.GET_CERTIFICATE_FAILED);
    }

    public String getCertificate(String str) throws IOException {
        LOGGER.debug("Getting certificate with certificate serial id {}", str);
        try {
            X509Certificate certificate = this.scmCertificateServer.getCertificate(str);
            if (certificate != null) {
                return CertificateCodec.getPEMEncodedString(certificate);
            }
            LOGGER.info("Certificate with serial id {} not found.", str);
            throw new SCMSecurityException("Certificate not found", SCMSecurityException.ErrorCode.CERTIFICATE_NOT_FOUND);
        } catch (CertificateException e) {
            throw new SCMSecurityException("getCertificate operation failed. ", e, SCMSecurityException.ErrorCode.GET_CERTIFICATE_FAILED);
        }
    }

    public String getCACertificate() throws IOException {
        LOGGER.debug("Getting CA certificate.");
        try {
            return CertificateCodec.getPEMEncodedString(this.scmCertificateServer.getCaCertPath());
        } catch (CertificateException e) {
            throw new SCMSecurityException("getRootCertificate operation failed. ", e, SCMSecurityException.ErrorCode.GET_CA_CERT_FAILED);
        }
    }

    public List<String> listCertificate(HddsProtos.NodeType nodeType, long j, int i, boolean z) throws IOException {
        List listCertificate = this.scmCertificateServer.listCertificate(nodeType, j, i, z);
        ArrayList arrayList = new ArrayList(listCertificate.size());
        Iterator it = listCertificate.iterator();
        while (it.hasNext()) {
            try {
                arrayList.add(CertificateCodec.getPEMEncodedString((X509Certificate) it.next()));
            } catch (SCMSecurityException e) {
                throw new SCMSecurityException("listCertificate operation failed.", e, e.getErrorCode());
            }
        }
        return arrayList;
    }

    public List<String> listCACertificate() throws IOException {
        return listCertificate(HddsProtos.NodeType.SCM, 0L, 10, false);
    }

    public synchronized String getRootCACertificate() throws IOException {
        LOGGER.debug("Getting Root CA certificate.");
        if (this.rootCertificateServer == null) {
            return CertificateCodec.getPEMEncodedString(this.scmCertificateClient.getCACertificate());
        }
        try {
            return CertificateCodec.getPEMEncodedString(this.rootCertificateServer.getCACertificate());
        } catch (CertificateException e) {
            LOGGER.error("Failed to get root CA certificate", e);
            throw new IOException("Failed to get root CA certificate", e);
        }
    }

    public List<CRLInfo> getCrls(List<Long> list) throws IOException {
        return this.scmCertificateServer.getCrls(list);
    }

    public long getLatestCrlId() {
        return this.scmCertificateServer.getLatestCrlId();
    }

    public long revokeCertificates(List<String> list, int i, long j) throws IOException {
        this.storageContainerManager.checkAdminAccess(getRpcRemoteUser(), false);
        try {
            Long l = (Long) ((Optional) this.scmCertificateServer.revokeCertificates((List) list.stream().map(str -> {
                return new BigInteger(str);
            }).collect(Collectors.toList()), CRLReason.lookup(i), new Date(j)).get()).get();
            getGrpcUpdateServer().notifyCrlUpdate();
            return l.longValue();
        } catch (InterruptedException | ExecutionException e) {
            Thread.currentThread().interrupt();
            throw new SCMException("Fail to revoke certs", SCMException.ResultCodes.FAILED_TO_REVOKE_CERTIFICATES);
        }
    }

    public List<String> removeExpiredCertificates() throws IOException {
        this.storageContainerManager.checkAdminAccess(getRpcRemoteUser(), false);
        ArrayList arrayList = new ArrayList();
        Iterator it = this.storageContainerManager.getCertificateStore().removeAllExpiredCertificates().iterator();
        while (it.hasNext()) {
            arrayList.add(CertificateCodec.getPEMEncodedString((X509Certificate) it.next()));
        }
        return arrayList;
    }

    private String getNextCertificateId() throws IOException {
        return String.valueOf(this.sequenceIdGen.getNextId(SequenceIdGenerator.CERTIFICATE_ID));
    }

    public SCMUpdateServiceGrpcServer getGrpcUpdateServer() {
        return this.grpcUpdateServer;
    }

    @VisibleForTesting
    public UserGroupInformation getRpcRemoteUser() {
        return Server.getRemoteUser();
    }

    public RPC.Server getRpcServer() {
        return this.rpcServer;
    }

    public InetSocketAddress getRpcAddress() {
        return this.rpcAddress;
    }

    public void start() throws IOException {
        LOGGER.info(StorageContainerManager.buildRpcServerStartMessage("Starting RPC server for SCMSecurityProtocolServer.", getRpcAddress()));
        this.metrics.register();
        getRpcServer().start();
        getGrpcUpdateServer().start();
    }

    public void stop() {
        try {
            LOGGER.info("Stopping the SCMSecurityProtocolServer.");
            this.metrics.unregister();
            getRpcServer().stop();
            getGrpcUpdateServer().stop();
        } catch (Exception e) {
            LOGGER.error("SCMSecurityProtocolServer stop failed.", e);
        }
    }

    public void join() throws InterruptedException {
        LOGGER.info("Join RPC server for SCMSecurityProtocolServer.");
        getRpcServer().join();
        LOGGER.info("Join gRPC server for SCMSecurityProtocolServer.");
        getGrpcUpdateServer().join();
    }

    public synchronized CertificateServer getRootCertificateServer() {
        return this.rootCertificateServer;
    }

    public synchronized void setRootCertificateServer(CertificateServer certificateServer) {
        this.rootCertificateServer = certificateServer;
    }

    public CertificateServer getScmCertificateServer() {
        return this.scmCertificateServer;
    }
}
