package org.apache.hadoop.hdds.scm.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.temporal.TemporalAmount;
import java.util.Calendar;
import java.util.Date;
import java.util.List;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.ha.HASecurityUtils;
import org.apache.hadoop.hdds.scm.ha.SCMContext;
import org.apache.hadoop.hdds.scm.ha.SCMServiceException;
import org.apache.hadoop.hdds.scm.ha.SequenceIdGenerator;
import org.apache.hadoop.hdds.scm.ha.StatefulService;
import org.apache.hadoop.hdds.scm.security.RootCARotationHandlerImpl;
import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.CertInfo;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.DefaultCAProfile;
import org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.ozone.OzoneConsts;
import org.bouncycastle.cert.X509CertificateHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/scm/security/RootCARotationManager.class */
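/**
 * Schedules and drives rotation of the SCM root CA certificate.
 *
 * <p>A periodic {@link MonitorTask} checks the current root CA certificate. Once the certificate is
 * within twice the renewal grace period of its expiry, a {@link RotationTask} is scheduled for the
 * configured time of day. The rotation task creates a new root CA under the
 * {@code "-next-progress"} component, sends a rotation-prepare request through the
 * {@link RootCARotationHandler}, and a {@link WaitSubCARotationPrepareAckTask} commits the rotation
 * once the number of acks equals the number of current Ratis peers. Each SCM reacts to the prepare
 * request by running a {@link SubCARotationPrepareTask}.
 *
 * <p>All tasks run on a single-threaded scheduled executor and additionally take the class-level
 * monitor, so at most one of them makes progress at a time.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Every failure path must end without sending a prepare ack or committing; the tasks below
 *       return right after requesting SCM shutdown so a failed step cannot fall through.</li>
 *   <li>Expiry arithmetic is done on {@link LocalDateTime} values in the system default zone.
 *       NOTE(review): wall-clock comparisons can shift around DST changes; confirm this is
 *       acceptable for the configured grace period.</li>
 * </ul>
 *
 * <p>Several members are {@code public} only because the decompiler widened them; they were
 * {@code private} in the compiled class and should not be treated as API.
 */
public class RootCARotationManager extends StatefulService {
    public static final Logger LOG = LoggerFactory.getLogger(RootCARotationManager.class);
    private static final String SERVICE_NAME = RootCARotationManager.class.getSimpleName();
    private final StorageContainerManager scm;
    private final OzoneConfiguration ozoneConf;
    private final SecurityConfig secConf;
    private final SCMContext scmContext;
    private final ScheduledExecutorService executorService;
    private final Duration checkInterval;
    private final Duration renewalGracePeriod;
    private final Date timeOfDay;
    private final Duration ackTimeout;
    private final Duration rootCertPollInterval;
    private final SCMCertificateClient scmCertClient;
    // True while this SCM is leader and out of safe mode (see notifyStatusChanged).
    private final AtomicBoolean isRunning;
    // True from the moment a rotation is scheduled until it finishes or is cleaned up.
    private final AtomicBoolean isProcessing;
    // System.nanoTime() at rotation start; null when no rotation is in flight.
    private final AtomicReference<Long> processStartTime;
    private final AtomicBoolean isPostProcessing;
    private final String threadName;
    // Component name of the directory holding the not-yet-committed root CA.
    private final String newCAComponent;
    private RootCARotationHandler handler;
    private final SequenceIdGenerator sequenceIdGen;
    private ScheduledFuture<?> rotationTask;
    private ScheduledFuture<?> waitAckTask;
    private ScheduledFuture<?> waitAckTimeoutTask;
    private final RootCARotationMetrics metrics;
    private ScheduledFuture<?> clearPostProcessingTask;

    /**
     * Periodic check that schedules a {@link RotationTask} once the root CA certificate has
     * entered the 2 * renewal grace period window before its expiry.
     */
    public class MonitorTask implements Runnable {
        private SCMCertificateClient certClient;
        private SCMStorageConfig scmStorageConfig;

        public MonitorTask(SCMCertificateClient sCMCertificateClient, SCMStorageConfig sCMStorageConfig) {
            this.certClient = sCMCertificateClient;
            this.scmStorageConfig = sCMStorageConfig;
        }

        @Override
        public void run() {
            Thread.currentThread().setName(threadName + (isRunning() ? "-Active" : "-Inactive"));
            if (!isRunning.get()) {
                return;
            }
            synchronized (RootCARotationManager.class) {
                if (isProcessing.get()) {
                    LOG.info("Root certificate rotation task is already running.");
                    return;
                }
                try {
                    X509Certificate rootCert = this.certClient.getCACertificate();
                    if (!timeBefore2ExpiryGracePeriod(rootCert).isZero()) {
                        return;
                    }
                    LOG.info("Root certificate {} has entered the 2 * expiry grace period({}).", rootCert.getSerialNumber().toString(), renewalGracePeriod);
                    // Next occurrence of the configured time of day: today, or tomorrow if already past.
                    LocalDateTime now = LocalDateTime.now();
                    LocalDateTime rotationTime = LocalDateTime.of(now.getYear(), now.getMonthValue(), now.getDayOfMonth(), timeOfDay.getHours(), timeOfDay.getMinutes(), timeOfDay.getSeconds());
                    if (rotationTime.isBefore(now)) {
                        rotationTime = rotationTime.plusDays(1L);
                    }
                    long delayMs = Duration.between(now, rotationTime).toMillis();
                    // Never wait past the certificate's own expiry.
                    if (rotationTime.isAfter(rootCert.getNotAfter().toInstant().atZone(ZoneId.systemDefault()).toLocalDateTime())) {
                        LOG.info("Configured rotation time {} is after root certificate {} end time {}. Start the rotation immediately.", rotationTime, rootCert.getSerialNumber().toString(), rootCert.getNotAfter());
                        delayMs = 0;
                    }
                    rotationTask = executorService.schedule(new RotationTask(this.certClient, this.scmStorageConfig), delayMs, TimeUnit.MILLISECONDS);
                    isProcessing.set(true);
                    metrics.incrTotalRotationNum();
                    LOG.info("Root certificate {} rotation task is scheduled with {} ms delay", rootCert.getSerialNumber().toString(), delayMs);
                } catch (Throwable th) {
                    LOG.error("Error while scheduling root CA rotation task", th);
                    scm.shutDown("Error while scheduling root CA rotation task");
                }
            }
        }
    }

    /**
     * Creates the new root CA, installs it as the root certificate server and sends the
     * rotation-prepare request, then schedules the ack-wait and ack-timeout tasks.
     */
    public class RotationTask implements Runnable {
        private SCMCertificateClient certClient;
        private SCMStorageConfig scmStorageConfig;

        public RotationTask(SCMCertificateClient sCMCertificateClient, SCMStorageConfig sCMStorageConfig) {
            this.certClient = sCMCertificateClient;
            this.scmStorageConfig = sCMStorageConfig;
        }

        @Override
        public void run() {
            if (!isRunning.get()) {
                isProcessing.set(false);
                processStartTime.set(null);
                return;
            }
            synchronized (RootCARotationManager.class) {
                X509Certificate rootCert = this.certClient.getCACertificate();
                // Re-check the window: the certificate may have changed since the task was scheduled.
                if (!timeBefore2ExpiryGracePeriod(rootCert).isZero()) {
                    LOG.warn("Root certificate {} hasn't entered the 2 * expiry grace period {}. Skip root certificate rotation this time.", rootCert.getSerialNumber().toString(), renewalGracePeriod);
                    isProcessing.set(false);
                    processStartTime.set(null);
                    return;
                }
                LOG.info("Root certificate {} rotation is started.", rootCert.getSerialNumber().toString());
                processStartTime.set(System.nanoTime());
                CertificateServer newRootCaServer = null;
                BigInteger newRootCertId = BigInteger.ONE;
                try {
                    newRootCertId = new BigInteger(String.valueOf(sequenceIdGen.getNextId(SequenceIdGenerator.CERTIFICATE_ID)));
                    newRootCaServer = HASecurityUtils.initializeRootCertificateServer(secConf, scm.getCertificateStore(), this.scmStorageConfig, newRootCertId, new DefaultCAProfile(), newCAComponent);
                } catch (Throwable th) {
                    LOG.error("Error while generating new root CA certificate under {}", newCAComponent, th);
                    String message = "Terminate SCM, encounter exception(" + th.getMessage() + ") when generating new root CA certificate under " + newCAComponent;
                    cleanupAndStop(message);
                    scm.shutDown(message);
                    // NOTE(review): whether shutDown returns is not visible here; stop explicitly so
                    // the prepare phase is never entered without a new root CA.
                    return;
                }
                try {
                    if (newRootCaServer == null) {
                        throw new Exception("New root CA server should not be null");
                    }
                    X509CertificateHolder newRootCertHolder = newRootCaServer.getCACertificate();
                    String fetchedRootCertId = newRootCertHolder.getSerialNumber().toString();
                    // The issued certificate must carry exactly the serial that was requested.
                    Preconditions.checkState(fetchedRootCertId.equals(newRootCertId.toString()), "Root certificate doesn't match, expected:" + newRootCertId + ", fetched:" + fetchedRootCertId);
                    scm.getSecurityProtocolServer().setRootCertificateServer(newRootCaServer);
                    if (!isRunning()) {
                        LOG.info("SCM is not leader anymore. Delete the in-progress root CA directory");
                        cleanupAndStop("SCM is not leader anymore");
                        return;
                    }
                    checkInterruptState();
                    handler.rotationPrepare(fetchedRootCertId);
                    LOG.info("Send out sub CA rotation prepare request for new root certificate {}", fetchedRootCertId);
                    waitAckTask = executorService.scheduleAtFixedRate(new WaitSubCARotationPrepareAckTask(newRootCertHolder), 1L, 1L, TimeUnit.SECONDS);
                    // Abort the rotation if not every peer acks within the configured timeout.
                    waitAckTimeoutTask = executorService.schedule(() -> {
                        waitAckTask.cancel(true);
                        cleanupAndStop("Failed to receive all acks of rotation prepare after " + ackTimeout + ", received " + handler.rotationPrepareAcks() + " acks");
                    }, ackTimeout.toMillis(), TimeUnit.MILLISECONDS);
                } catch (Exception e) {
                    LOG.error("Error while sending rotation prepare request", e);
                    cleanupAndStop("Error while sending rotation prepare request");
                }
            }
        }
    }

    /**
     * Handles a rotation-prepare request on this SCM: generates a new key pair, obtains a new
     * certificate for it, stages both in the {@code "-next"} directory and acks the request.
     */
    public class SubCARotationPrepareTask implements Runnable {
        private String rootCACertId;

        public SubCARotationPrepareTask(String str) {
            this.rootCACertId = str;
        }

        @Override
        public void run() {
            synchronized (RootCARotationManager.class) {
                // The try covers the whole body: shouldSkipRootCert declares IOException, which
                // run() cannot propagate, and any unexpected failure must terminate the SCM.
                try {
                    LOG.info("SubCARotationPrepareTask[rootCertId = {}] - started.", this.rootCACertId);
                    if (shouldSkipRootCert(this.rootCACertId)) {
                        // Already on this root (or a newer one): ack with the current certificate.
                        sendRotationPrepareAck(this.rootCACertId, scmCertClient.getCertificate().getSerialNumber().toString());
                        return;
                    }
                    SecurityConfig securityConfig = scmCertClient.getSecurityConfig();
                    String progressComponent = SCMCertificateClient.COMPONENT_NAME + "-next-progress";
                    String progressPath = securityConfig.getLocation(progressComponent).toString();
                    String nextPath = securityConfig.getLocation(SCMCertificateClient.COMPONENT_NAME + "-next").toString();
                    File progressDir = new File(progressPath);
                    File nextDir = new File(nextPath);
                    try {
                        // Start from a clean slate; leftovers of an earlier attempt are discarded.
                        FileUtils.deleteDirectory(progressDir);
                        FileUtils.deleteDirectory(nextDir);
                        // NOTE(review): created with default permissions; the private key is written
                        // below this directory. Confirm KeyCodec restricts access to the key file.
                        Files.createDirectories(progressDir.toPath());
                    } catch (IOException e) {
                        LOG.error("Failed to delete and create {}, or delete {}", progressDir, nextDir, e);
                        scm.shutDown("Terminate SCM, encounter IO exception(" + e.getMessage() + ") when deleting and create directory");
                        // NOTE(review): shutDown's termination semantics are not visible here; return
                        // so a failed step can never fall through to sending an ack.
                        return;
                    }
                    KeyCodec keyCodec = new KeyCodec(securityConfig, securityConfig.getKeyLocation(progressComponent));
                    KeyPair keyPair;
                    try {
                        keyPair = new HDDSKeyGenerator(securityConfig).generateKey();
                        keyCodec.writePublicKey(keyPair.getPublic());
                        keyCodec.writePrivateKey(keyPair.getPrivate());
                        LOG.info("SubCARotationPrepareTask[rootCertId = {}] - scm key generated.", this.rootCACertId);
                    } catch (Exception e2) {
                        LOG.error("Failed to generate key under {}", progressDir, e2);
                        scm.shutDown("Terminate SCM, encounter exception(" + e2.getMessage() + ") when generating new key under " + progressDir);
                        return;
                    }
                    checkInterruptState();
                    String newSubCaCertId;
                    try {
                        CertificateSignRequest.Builder csrBuilder = scmCertClient.getCSRBuilder();
                        csrBuilder.setKey(keyPair);
                        newSubCaCertId = scmCertClient.signAndStoreCertificate(csrBuilder.build(), Paths.get(progressPath, "certs"), true);
                        LOG.info("SubCARotationPrepareTask[rootCertId = {}] - scm certificate {} signed.", this.rootCACertId, newSubCaCertId);
                    } catch (Exception e3) {
                        LOG.error("Failed to generate certificate under {}", progressDir, e3);
                        scm.shutDown("Terminate SCM, encounter exception(" + e3.getMessage() + ") when generating new certificate " + progressDir);
                        // Without this return an ack carrying an empty certificate id would be sent.
                        return;
                    }
                    try {
                        // Publish key and certificate together: the staged directory appears atomically.
                        Files.move(progressDir.toPath(), nextDir.toPath(), StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
                    } catch (IOException e4) {
                        LOG.error("Failed to move {} to {}", progressPath, nextPath, e4);
                        scm.shutDown("Terminate SCM, encounter exception(" + e4.getMessage() + ") when moving " + progressPath + " to " + nextPath);
                        return;
                    }
                    checkInterruptState();
                    sendRotationPrepareAck(this.rootCACertId, newSubCaCertId);
                } catch (Throwable th) {
                    LOG.error("Unexpected error happen", th);
                    scm.shutDown("Unexpected error happen, " + th.getMessage());
                }
            }
        }
    }

    /**
     * Polls the prepare-ack count and, once it equals the number of current Ratis peers, commits
     * the rotation, persists the new root certificate and enters post-processing.
     */
    public class WaitSubCARotationPrepareAckTask implements Runnable {
        private String rootCACertId;
        private X509CertificateHolder rootCACertHolder;

        public WaitSubCARotationPrepareAckTask(X509CertificateHolder x509CertificateHolder) {
            this.rootCACertHolder = x509CertificateHolder;
            this.rootCACertId = x509CertificateHolder.getSerialNumber().toString();
        }

        @Override
        public void run() {
            checkInterruptState();
            if (!isRunning()) {
                LOG.info("SCM is not leader anymore. Delete the in-progress root CA directory");
                cleanupAndStop("SCM is not leader anymore");
                return;
            }
            synchronized (RootCARotationManager.class) {
                int numFromHaDetails = scm.getSCMHANodeDetails().getPeerNodeDetails().size() + 1;
                int numFromRatisServer = scm.getScmHAManager().getRatisServer().getDivision().getRaftConf().getCurrentPeers().size();
                LOG.info("numFromHADetails {}, numFromRatisServer {}", numFromHaDetails, numFromRatisServer);
                // Only the Ratis peer count gates the commit; the HA-details count is logged only.
                if (handler.rotationPrepareAcks() != numFromRatisServer) {
                    return;
                }
                try {
                    waitAckTimeoutTask.cancel(true);
                    handler.rotationCommit(this.rootCACertId);
                    handler.rotationCommitted(this.rootCACertId);
                    metrics.incrSuccessRotationNum();
                    // A concurrent reset of processStartTime surfaces here as an exception and is
                    // handled by the catch below.
                    long elapsedNs = System.nanoTime() - processStartTime.get();
                    metrics.setSuccessTimeInNs(elapsedNs);
                    processStartTime.set(null);
                    X509Certificate newRootCert = null;
                    try {
                        if (scm.getCertificateStore().getCertificateByID(this.rootCACertHolder.getSerialNumber(), CertificateStore.CertType.VALID_CERTS) == null) {
                            LOG.info("Persist root certificate {} to cert store", this.rootCACertId);
                            newRootCert = CertificateCodec.getX509Certificate(this.rootCACertHolder);
                            scm.getCertificateStore().storeValidCertificate(this.rootCACertHolder.getSerialNumber(), newRootCert, HddsProtos.NodeType.SCM);
                        }
                    } catch (IOException | CertificateException e) {
                        // Keep the cause in the log; it is the only record of why persisting failed.
                        LOG.error("Failed to save root certificate {} to cert store", this.rootCACertId, e);
                        scm.shutDown("Failed to save root certificate to cert store");
                        // NOTE(review): execution continues and reports success below even though
                        // the certificate was not persisted; confirm shutDown does not return.
                    }
                    handler.resetRotationPrepareAcks();
                    cleanupAndStop("Root certificate " + this.rootCACertId + " rotation is finished successfully after " + elapsedNs + " ns");
                    enterPostProcessing(rootCertPollInterval.toMillis());
                    if (newRootCert != null) {
                        RootCARotationManager.this.saveConfiguration(new CertInfo.Builder().setX509Certificate(newRootCert).setTimestamp(newRootCert.getNotBefore().getTime()).build().getProtobuf());
                    }
                } catch (Throwable th) {
                    LOG.error("Execution error", th);
                    handler.resetRotationPrepareAcks();
                    cleanupAndStop("Execution error, " + th.getMessage());
                } finally {
                    // Stop polling whether the commit succeeded or failed.
                    waitAckTask.cancel(true);
                }
            }
        }
    }

    /**
     * Reads the rotation settings from the SCM configuration, creates the single-threaded
     * scheduler and registers this service with the SCM service manager.
     *
     * @param storageContainerManager the SCM this manager belongs to
     */
    public RootCARotationManager(StorageContainerManager storageContainerManager) {
        super(storageContainerManager.getStatefulServiceStateManager());
        this.isRunning = new AtomicBoolean(false);
        this.isProcessing = new AtomicBoolean(false);
        this.processStartTime = new AtomicReference<>();
        this.isPostProcessing = new AtomicBoolean(false);
        this.newCAComponent = OzoneConsts.SCM_ROOT_CA_COMPONENT_NAME + "-next-progress";
        this.scm = storageContainerManager;
        this.ozoneConf = storageContainerManager.getConfiguration();
        this.secConf = new SecurityConfig(this.ozoneConf);
        this.scmContext = storageContainerManager.getScmContext();
        this.checkInterval = this.secConf.getCaCheckInterval();
        this.ackTimeout = this.secConf.getCaAckTimeout();
        this.renewalGracePeriod = this.secConf.getRenewalGracePeriod();
        // Only the hour/minute/second parts of this value are read later (see MonitorTask).
        this.timeOfDay = Date.from(LocalDateTime.parse(this.secConf.getCaRotationTimeOfDay()).atZone(ZoneId.systemDefault()).toInstant());
        this.rootCertPollInterval = this.secConf.getRootCaCertificatePollingInterval();
        this.threadName = storageContainerManager.threadNamePrefix() + SERVICE_NAME;
        this.executorService = Executors.newScheduledThreadPool(1, new ThreadFactoryBuilder().setNameFormat(this.threadName).setDaemon(true).build());
        this.scmCertClient = storageContainerManager.getScmCertificateClient();
        this.sequenceIdGen = storageContainerManager.getSequenceIdGen();
        this.handler = new RootCARotationHandlerImpl.Builder().setRatisServer(storageContainerManager.getScmHAManager().getRatisServer()).setStorageContainerManager(storageContainerManager).setRootCARotationManager(this).build();
        storageContainerManager.getSCMServiceManager().register(this);
        this.metrics = RootCARotationMetrics.create();
    }

    /**
     * Enables the service when this SCM is leader and out of safe mode, and otherwise disables it,
     * cancelling every scheduled rotation task and clearing the in-flight state.
     */
    @Override
    public void notifyStatusChanged() {
        if (this.scmContext.isLeader() && !this.scmContext.isInSafeMode()) {
            if (this.isRunning.compareAndSet(false, true)) {
                LOG.info("notifyStatusChanged: enable monitor task");
                try {
                    checkAndHandlePostProcessing();
                } catch (IOException | CertificateException e) {
                    throw new RuntimeException("Error while checking post-processing state.", e);
                }
            }
            return;
        }
        if (this.isRunning.compareAndSet(true, false)) {
            LOG.info("notifyStatusChanged: disable monitor task.");
            if (this.rotationTask != null) {
                this.rotationTask.cancel(true);
            }
            if (this.waitAckTask != null) {
                this.waitAckTask.cancel(true);
            }
            // Cancel the timeout task itself. Cancelling waitAckTask a second time here would leave
            // the timeout armed, and it would later run cleanupAndStop on a node that is no longer
            // leader.
            if (this.waitAckTimeoutTask != null) {
                this.waitAckTimeoutTask.cancel(true);
            }
            if (this.clearPostProcessingTask != null) {
                this.clearPostProcessingTask.cancel(true);
            }
            this.isProcessing.set(false);
            this.processStartTime.set(null);
            this.isPostProcessing.set(false);
        }
    }

    @Override
    public boolean shouldRun() {
        return true;
    }

    @Override
    public String getServiceName() {
        return SERVICE_NAME;
    }

    /**
     * Schedules the periodic root certificate monitor and the periodic removal of expired
     * certificates.
     */
    @Override
    public void start() throws SCMServiceException {
        this.executorService.scheduleAtFixedRate(new MonitorTask(this.scmCertClient, this.scm.getScmStorageConfig()), 0L, this.checkInterval.toMillis(), TimeUnit.MILLISECONDS);
        LOG.info("Monitor task for root certificate {} is started with interval {}.", this.scmCertClient.getCACertificate().getSerialNumber(), this.checkInterval);
        this.executorService.scheduleAtFixedRate(this::removeExpiredCertTask, 0L, this.secConf.getExpiredCertificateCheckInterval().toMillis(), TimeUnit.MILLISECONDS);
        LOG.info("Scheduling expired certificate removal with interval {}s", this.secConf.getExpiredCertificateCheckInterval().getSeconds());
    }

    /** Removes expired certificates from the store; a failure is logged and retried next period. */
    private void removeExpiredCertTask() {
        if (this.isRunning.get() && this.scm.getCertificateStore() != null) {
            try {
                this.scm.getCertificateStore().removeAllExpiredCertificates();
            } catch (IOException e) {
                LOG.error("Failed to remove some expired certificates", e);
            }
        }
    }

    public boolean isRunning() {
        return this.isRunning.get();
    }

    /**
     * Queues a {@link SubCARotationPrepareTask} for immediate execution.
     *
     * @param str serial number of the new root CA certificate, as a decimal string
     */
    public void scheduleSubCaRotationPrepareTask(String str) {
        this.executorService.schedule(new SubCARotationPrepareTask(str), 0L, TimeUnit.MILLISECONDS);
    }

    public boolean isRotationInProgress() {
        return this.isProcessing.get();
    }

    public boolean isPostRotationInProgress() {
        return this.isPostProcessing.get();
    }

    /**
     * Cleans up the in-progress rotation if the current thread has been interrupted.
     * It does not abort the caller; execution continues after the cleanup.
     * Decompiler note: declared private in the compiled class.
     */
    public void checkInterruptState() {
        if (Thread.currentThread().isInterrupted()) {
            cleanupAndStop(getClass().getSimpleName() + " is interrupted");
        }
    }

    /**
     * Detaches the new root certificate server, deletes the in-progress root CA directory and
     * clears the processing state. The state is cleared even when the deletion fails.
     * Decompiler note: declared private in the compiled class.
     *
     * @param str reason for the cleanup, used in log messages only
     */
    public void cleanupAndStop(String str) {
        try {
            this.scm.getSecurityProtocolServer().setRootCertificateServer(null);
            FileUtils.deleteDirectory(new File(this.scmCertClient.getSecurityConfig().getLocation(this.newCAComponent).toString()));
            LOG.info("In-progress root CA directory {} is deleted for '{}'", this.scmCertClient.getSecurityConfig().getLocation(this.newCAComponent), str);
        } catch (IOException e) {
            LOG.error("Error when deleting in-progress root CA directory {} for {}", this.scmCertClient.getSecurityConfig().getLocation(this.newCAComponent), str, e);
        }
        this.isProcessing.set(false);
        this.processStartTime.set(null);
    }

    /**
     * Returns the time left until the certificate enters the window that starts two renewal grace
     * periods before its expiry.
     *
     * @param x509Certificate certificate whose notAfter date is examined
     * @return {@link Duration#ZERO} if the window has already started, otherwise the remaining time
     */
    public Duration timeBefore2ExpiryGracePeriod(X509Certificate x509Certificate) {
        LocalDateTime windowStart = x509Certificate.getNotAfter().toInstant()
                .minus(this.renewalGracePeriod)
                .minus(this.renewalGracePeriod)
                .atZone(ZoneId.systemDefault())
                .toLocalDateTime();
        LocalDateTime now = LocalDateTime.now();
        return windowStart.isBefore(now) ? Duration.ZERO : Duration.between(now, windowStart);
    }

    /**
     * Records the new sub CA certificate id on the handler and sends the prepare ack; any failure
     * requests SCM shutdown.
     * Decompiler note: declared private in the compiled class.
     *
     * @param str  serial number of the new root CA certificate
     * @param str2 serial number of this SCM's certificate that is being acknowledged
     */
    public void sendRotationPrepareAck(String str, String str2) {
        try {
            this.handler.setSubCACertId(str2);
            this.handler.rotationPrepareAck(str, str2, this.scm.getScmId());
            LOG.info("SubCARotationPrepareTask[rootCertId = {}] - rotation prepare ack sent out, new scm certificate {}", str, str2);
        } catch (Exception e) {
            LOG.error("Failed to send ack to rotationPrepare request", e);
            this.scm.shutDown("Terminate SCM, encounter exception(" + e.getMessage() + ") when sending out rotationPrepare ack");
        }
    }

    /**
     * Marks the manager as post-processing and schedules the task that clears the flag and deletes
     * the stateful configuration after the given delay.
     * Decompiler note: declared private in the compiled class.
     *
     * @param j delay in milliseconds before post-processing ends
     */
    public void enterPostProcessing(long j) {
        this.isPostProcessing.set(true);
        LOG.info("isPostProcessing is true for {} ms", j);
        this.clearPostProcessingTask = this.executorService.schedule(() -> {
            this.isPostProcessing.set(false);
            LOG.info("isPostProcessing is false");
            try {
                deleteConfiguration();
                LOG.info("Stateful configuration is deleted");
            } catch (IOException e) {
                LOG.error("Failed to delete stateful configuration", e);
            }
        }, j, TimeUnit.MILLISECONDS);
    }

    /** Unregisters the metrics and shuts the scheduler down, interrupting running tasks. */
    @Override
    public void stop() {
        if (this.metrics != null) {
            this.metrics.unRegister();
        }
        if (this.executorService != null) {
            this.executorService.shutdownNow();
        }
    }

    @VisibleForTesting
    public void setRootCARotationHandler(RootCARotationHandler rootCARotationHandler) {
        this.handler = rootCARotationHandler;
    }

    /**
     * Tells whether this SCM's trust chain already ends in the given root certificate or a newer one.
     * The decision compares serial numbers numerically, so it is only meaningful if newer root
     * certificates always receive larger serials.
     * NOTE(review): RotationTask draws the serial from the sequence id generator; confirm every
     * root certificate is issued that way.
     *
     * @param str serial number of the new root CA certificate, as a decimal string
     * @return {@code true} if the last certificate of the trust chain has a serial number greater
     *         than or equal to {@code str}
     * @throws IOException declared by the compiled method; the visible body does not throw it itself
     */
    public boolean shouldSkipRootCert(String str) throws IOException {
        List<?> trustChain = this.scmCertClient.getTrustChain();
        // A chain of one element would mean there is no separate root certificate to compare with.
        Preconditions.checkArgument(trustChain.size() > 1);
        X509Certificate currentRoot = (X509Certificate) trustChain.get(trustChain.size() - 1);
        if (currentRoot.getSerialNumber().compareTo(new BigInteger(str)) < 0) {
            return false;
        }
        LOG.info("Sub CA certificate {} is already signed by root certificate {} or a newer root certificate.", ((X509Certificate) trustChain.get(0)).getSerialNumber().toString(), str);
        return true;
    }

    /**
     * On becoming active, reconciles the root certificate saved in stateful storage with the root
     * certificate of the current trust chain: stale state is deleted, matching state resumes or
     * ends post-processing, and state newer than the trust chain is rejected.
     *
     * @throws IOException          if the stateful configuration cannot be read or deleted
     * @throws CertificateException if the stored certificate cannot be decoded
     */
    private void checkAndHandlePostProcessing() throws IOException, CertificateException {
        HddsProtos.CertInfoProto storedInfo = readConfiguration(HddsProtos.CertInfoProto.class);
        if (storedInfo == null) {
            LOG.info("No {} configuration found in stateful storage", getServiceName());
            return;
        }
        X509Certificate storedRoot = CertificateCodec.getX509Certificate(storedInfo.getX509Certificate());
        List<?> trustChain = this.scmCertClient.getTrustChain();
        Preconditions.checkArgument(trustChain.size() > 1);
        X509Certificate currentRoot = (X509Certificate) trustChain.get(trustChain.size() - 1);
        int cmp = currentRoot.getSerialNumber().compareTo(storedRoot.getSerialNumber());
        if (cmp > 0) {
            LOG.warn("Root CA certificate ID {} in stateful storage is smaller than current scm's root certificate ID {}", storedRoot.getSerialNumber(), currentRoot.getSerialNumber());
            deleteConfiguration();
            LOG.warn("Stateful configuration is deleted");
            return;
        }
        if (cmp < 0) {
            throw new RuntimeException("Root CA certificate ID " + storedRoot.getSerialNumber() + " in stateful storage is bigger than current scm's root CA certificate ID " + currentRoot.getSerialNumber());
        }
        // Time since the current root became valid, minus the poll interval: negative means the
        // post-processing window is still open for that many milliseconds.
        Duration overrun = Duration.between(currentRoot.getNotBefore().toInstant(), Calendar.getInstance().getTime().toInstant()).minus(this.rootCertPollInterval);
        if (overrun.isNegative()) {
            enterPostProcessing(-overrun.toMillis());
        } else {
            LOG.info("Root CA certificate ID {} in stateful storage has already come out of post-processing state", storedRoot.getSerialNumber());
            deleteConfiguration();
        }
    }
}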
