package org.apache.hadoop.hdds.scm.ha;

import java.io.IOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.ratis.RatisHelper;
import org.apache.hadoop.hdds.scm.proxy.SCMClientConfig;
import org.apache.hadoop.hdds.scm.proxy.SCMSecurityProtocolFailoverProxyProvider;
import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.ssl.KeyStoresFactory;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.PKIProfile;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ratis.client.RaftClient;
import org.apache.ratis.grpc.GrpcTlsConfig;
import org.apache.ratis.protocol.Message;
import org.apache.ratis.protocol.RaftClientReply;
import org.apache.ratis.protocol.RaftGroup;
import org.apache.ratis.protocol.RaftPeerId;
import org.apache.ratis.retry.RetryPolicies;
import org.apache.ratis.rpc.SupportedRpcType;
import org.apache.ratis.util.TimeDuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/scm/ha/HASecurityUtils.class */
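/**
 * Static helpers used by the SCM HA code path for security setup: bootstrapping the
 * SCM certificate client, standing up the root CA server, building the gRPC TLS
 * configuration for Ratis, submitting requests to the SCM Ratis group, and small
 * X.509 predicates.
 *
 * <p>All methods are static; this class is not instantiable.
 */
public final class HASecurityUtils {
    public static final Logger LOG = LoggerFactory.getLogger(HASecurityUtils.class);

    /** Configuration key for how long to wait for SCM info (read in seconds). */
    private static final String SCM_INFO_WAIT_DURATION_KEY = "ozone.scm.info.wait.duration";
    /** Default wait for {@link #SCM_INFO_WAIT_DURATION_KEY}, in seconds. */
    private static final long SCM_INFO_WAIT_DURATION_DEFAULT_SECONDS = 600L;
    /** Maximum number of Ratis client retries before giving up. */
    private static final int RATIS_MAX_RETRY_COUNT = 120;
    /** Fixed sleep between Ratis client retries. */
    private static final TimeDuration RATIS_RETRY_SLEEP =
            TimeDuration.valueOf(500L, TimeUnit.MILLISECONDS);

    private HASecurityUtils() {
        // utility class
    }

    /**
     * Initializes the secure SCM by creating an {@link SCMCertificateClient} and
     * running its recovery-aware initialization. The client is closed when the
     * initialization completes or fails.
     *
     * <p>When the client obtains a new certificate serial id it is written back to
     * {@code scmStorageConfig}; a failure to persist it is logged and rethrown as a
     * {@link RuntimeException} carrying the original cause.
     *
     * @param scmStorageConfig storage config supplying scm id, cluster id and the
     *                         current cert serial id, and receiving a new serial id
     * @param conf             cluster configuration
     * @param hostname         host name handed to the certificate client
     *                         (assumed from its constructor position — confirm
     *                         against SCMCertificateClient)
     * @param primaryScm       flag handed to the certificate client (assumed to mark
     *                         the primary SCM — confirm against SCMCertificateClient)
     * @throws IOException if the certificate client cannot be built, initialized or closed
     */
    public static void initializeSecurity(SCMStorageConfig scmStorageConfig, OzoneConfiguration conf,
            String hostname, boolean primaryScm) throws IOException {
        LOG.info("Initializing secure StorageContainerManager.");
        SecurityConfig securityConfig = new SecurityConfig(conf);
        try (SCMCertificateClient certClient = new SCMCertificateClient(
                securityConfig,
                getScmSecurityClientWithFixedDuration(conf),
                scmStorageConfig.getScmId(),
                scmStorageConfig.getClusterID(),
                scmStorageConfig.getScmCertSerialId(),
                hostname,
                primaryScm,
                newCertSerialId -> {
                    try {
                        scmStorageConfig.setScmCertSerialId(newCertSerialId);
                    } catch (IOException e) {
                        LOG.error("Failed to set new certificate ID", e);
                        // keep the cause so the failure stays diagnosable from the stack trace
                        throw new RuntimeException("Failed to set new certificate ID", e);
                    }
                })) {
            certClient.initWithRecovery();
        }
    }

    /**
     * Creates and initializes a root CA server for this SCM.
     *
     * @param securityConfig   security configuration used to initialize the server
     * @param certificateStore backing certificate store
     * @param scmStorageConfig supplies the cluster id and scm id of the CA
     * @param rootCertId       serial id used for the root certificate
     * @param pkiProfile       PKI profile the CA enforces
     * @param componentName    component name the CA is initialized under
     * @return the initialized root {@link CertificateServer}
     * @throws IOException if the local host name cannot be resolved or initialization fails
     */
    public static CertificateServer initializeRootCertificateServer(SecurityConfig securityConfig,
            CertificateStore certificateStore, SCMStorageConfig scmStorageConfig, BigInteger rootCertId,
            PKIProfile pkiProfile, String componentName) throws IOException {
        // subject is "scm@<local host name>"
        String subject = "scm@" + InetAddress.getLocalHost().getHostName();
        DefaultCAServer rootCa = new DefaultCAServer(subject, scmStorageConfig.getClusterID(),
                scmStorageConfig.getScmId(), certificateStore, rootCertId, pkiProfile, componentName);
        rootCa.init(securityConfig, CAType.ROOT);
        return rootCa;
    }

    /**
     * Convenience overload of
     * {@link #initializeRootCertificateServer(SecurityConfig, CertificateStore, SCMStorageConfig,
     * BigInteger, PKIProfile, String)} using root cert id {@link BigInteger#ONE} and
     * component name {@link OzoneConsts#SCM_ROOT_CA_COMPONENT_NAME}.
     *
     * @throws IOException if the server cannot be initialized
     */
    public static CertificateServer initializeRootCertificateServer(SecurityConfig securityConfig,
            CertificateStore certificateStore, SCMStorageConfig scmStorageConfig, PKIProfile pkiProfile)
            throws IOException {
        return initializeRootCertificateServer(securityConfig, certificateStore, scmStorageConfig,
                BigInteger.ONE, pkiProfile, OzoneConsts.SCM_ROOT_CA_COMPONENT_NAME);
    }

    /**
     * Builds the gRPC TLS configuration for the SCM Ratis server from the
     * certificate client's server key stores.
     *
     * @param securityConfig    used to decide whether TLS is required at all
     * @param certificateClient supplies the server key/trust managers
     * @return a mutual-TLS {@link GrpcTlsConfig}, or {@code null} when security or gRPC TLS
     *         is disabled in {@code securityConfig}
     * @throws IOException if the key store factory yields no key manager or no trust manager
     */
    public static GrpcTlsConfig createSCMRatisTLSConfig(SecurityConfig securityConfig,
            CertificateClient certificateClient) throws IOException {
        if (!securityConfig.isSecurityEnabled() || !securityConfig.isGrpcTlsEnabled()) {
            return null;
        }
        KeyStoresFactory storesFactory = certificateClient.getServerKeyStoresFactory();
        KeyManager[] keyManagers = storesFactory.getKeyManagers();
        TrustManager[] trustManagers = storesFactory.getTrustManagers();
        // Fail with a clear message instead of an ArrayIndexOutOfBoundsException when the
        // factory has nothing to offer; a TLS config without managers is never usable.
        if (keyManagers.length == 0 || trustManagers.length == 0) {
            throw new IOException("Server key stores yielded no key manager or trust manager for Ratis TLS");
        }
        // Ratis accepts a single manager of each kind; the first one is used.
        return new GrpcTlsConfig(keyManagers[0], trustManagers[0], true);
    }

    /**
     * Sends a request to the SCM Ratis group over gRPC and decodes the reply.
     * A short-lived {@link RaftClient} is created for the call and closed afterwards.
     *
     * @param raftGroup the SCM Ratis group to talk to
     * @param tlsConfig client TLS configuration; passed through to {@link RatisHelper}
     * @param message   the request payload
     * @return the decoded {@link SCMRatisResponse}
     * @throws Exception if the client cannot be built, the call fails, or decoding fails
     */
    public static SCMRatisResponse submitScmRequestToRatis(RaftGroup raftGroup, GrpcTlsConfig tlsConfig,
            Message message) throws Exception {
        SupportedRpcType rpcType = SupportedRpcType.GRPC;
        RaftClient.Builder clientBuilder = RaftClient.newBuilder()
                .setRaftGroup(raftGroup)
                // no leader hint: let the client discover the leader itself
                .setLeaderId((RaftPeerId) null)
                .setProperties(RatisHelper.newRaftProperties(rpcType))
                .setParameters(RatisHelper.setClientTlsConf(rpcType, tlsConfig))
                .setRetryPolicy(RetryPolicies.retryUpToMaximumCountWithFixedSleep(
                        RATIS_MAX_RETRY_COUNT, RATIS_RETRY_SLEEP));
        try (RaftClient raftClient = clientBuilder.build()) {
            RaftClientReply reply = raftClient.async().send(message).get();
            return SCMRatisResponse.decode(reply);
        }
    }

    /**
     * Creates an SCM security protocol client whose retry count is raised, if needed, so
     * that the retries span at least {@code ozone.scm.info.wait.duration}.
     *
     * @param conf configuration; its {@link SCMClientConfig} may be updated in place
     * @return a new {@link SCMSecurityProtocolClientSideTranslatorPB} for the current user
     * @throws IOException if the current user cannot be determined or the client cannot be created
     */
    private static SCMSecurityProtocolClientSideTranslatorPB getScmSecurityClientWithFixedDuration(
            OzoneConfiguration conf) throws IOException {
        long waitSeconds = conf.getTimeDuration(SCM_INFO_WAIT_DURATION_KEY,
                SCM_INFO_WAIT_DURATION_DEFAULT_SECONDS, TimeUnit.SECONDS);
        SCMClientConfig clientConfig = conf.getObject(SCMClientConfig.class);
        // getRetryInterval() is divided by 1000 here, so it is presumably in milliseconds.
        // A sub-second interval would truncate to 0 and make the next division throw
        // ArithmeticException; clamp to one second so the computation always completes.
        long retryIntervalSeconds = Math.max(1L, clientConfig.getRetryInterval() / 1000);
        int requiredRetries = (int) (waitSeconds / retryIntervalSeconds);
        if (requiredRetries > clientConfig.getRetryCount()) {
            clientConfig.setRetryCount(requiredRetries);
            conf.setFromObject(clientConfig);
        }
        return new SCMSecurityProtocolClientSideTranslatorPB(
                new SCMSecurityProtocolFailoverProxyProvider(conf, UserGroupInformation.getCurrentUser()));
    }

    /**
     * Returns whether the certificate's issuer equals its subject, i.e. it is self-signed
     * by name. This does not verify the signature.
     *
     * @param certificate certificate to inspect; must not be {@code null}
     * @return {@code true} if issuer and subject X500 principals are equal
     */
    public static boolean isSelfSignedCertificate(X509Certificate certificate) {
        return certificate.getIssuerX500Principal().equals(certificate.getSubjectX500Principal());
    }

    /**
     * Returns whether the certificate carries a CA basic-constraints extension.
     * {@link X509Certificate#getBasicConstraints()} returns {@code -1} when the
     * certificate is not a CA, so any other value means CA.
     *
     * @param certificate certificate to inspect; must not be {@code null}
     * @return {@code true} if the basic constraints mark the certificate as a CA
     */
    public static boolean isCACertificate(X509Certificate certificate) {
        return certificate.getBasicConstraints() != -1;
    }
}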
