package org.apache.hadoop.hdds.security;

import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Provider;
import java.security.Security;
import java.time.Duration;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.apache.hadoop.hdds.HddsConfigKeys;
import org.apache.hadoop.hdds.conf.ConfigurationSource;
import org.apache.hadoop.ozone.OzoneConfigKeys;
import org.apache.hadoop.ozone.shaded.com.google.common.base.Preconditions;
import org.apache.hadoop.ozone.shaded.org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.apache.ratis.thirdparty.io.netty.handler.ssl.SslProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/SecurityConfig.class */
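/**
 * Immutable view of the HDDS security settings read from a {@link ConfigurationSource}.
 *
 * <p>All values are resolved once in the constructor; durations are parsed from the
 * ISO-8601 form accepted by {@link Duration#parse(CharSequence)}. The constructor also
 * validates the certificate validity/renewal settings and lazily registers the
 * configured JCA {@link Provider} (class-wide, guarded by {@code SecurityConfig.class}).
 *
 * @throws IllegalArgumentException from the constructor when a duration or the CA rotation
 *         time-of-day is inconsistent (see {@link #validateCertificateValidityConfig()}).
 * @throws SecurityException from the constructor when the configured provider is neither
 *         already installed nor one this class knows how to install.
 */
public class SecurityConfig {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityConfig.class);
    // hh:mm:ss shape required for hdds.x509.ca.rotation.time-of-day; shared, Pattern is thread-safe.
    private static final Pattern CA_ROTATION_TIME_OF_DAY_PATTERN = Pattern.compile("\\d{2}:\\d{2}:\\d{2}");
    // Installed JCA provider; shared across instances, written under the class lock.
    private static volatile Provider provider;
    private final int size;
    private final String keyAlgo;
    private final String providerString;
    private final String metadataDir;
    private final String keyDir;
    private final String privateKeyFileName;
    private final String publicKeyFileName;
    private final Duration maxCertDuration;
    private final String x509SignatureAlgo;
    private final boolean blockTokenEnabled;
    private final long blockTokenExpiryDurationMs;
    private final boolean tokenSanityChecksEnabled;
    private final boolean containerTokenEnabled;
    private final String certificateDir;
    private final String certificateFileName;
    private final boolean grpcTlsEnabled;
    private final Duration defaultCertDuration;
    private final Duration renewalGracePeriod;
    private final boolean isSecurityEnabled;
    private final String crlName;
    private final boolean grpcTlsUseTestCert;
    private final String externalRootCaPublicKeyPath;
    private final String externalRootCaPrivateKeyPath;
    private final String externalRootCaCert;
    private final Duration caCheckInterval;
    // Stored as "1970-01-01T<hh:mm:ss>" so callers can parse it as a date-time.
    private final String caRotationTimeOfDay;
    private final Duration caAckTimeout;
    private final SslProvider grpcSSLProvider;
    private final Duration rootCaCertificatePollingInterval;
    private final boolean autoCARotationEnabled;
    private final Duration expiredCertificateCheckInterval;

    /**
     * Reads every security setting from {@code configurationSource}, validates the
     * certificate duration relationships and makes sure the configured JCA provider
     * is installed.
     *
     * @param configurationSource source of configuration values; must not be null
     * @throws NullPointerException if {@code configurationSource} is null
     * @throws IllegalArgumentException if a duration property is zero/negative or
     *         inconsistent with another, or the CA rotation time-of-day is not hh:mm:ss
     * @throws SecurityException if the configured provider cannot be installed
     */
    public SecurityConfig(ConfigurationSource configurationSource) {
        Preconditions.checkNotNull(configurationSource, "Configuration cannot be null");
        this.size = configurationSource.getInt(HddsConfigKeys.HDDS_KEY_LEN, 2048);
        this.keyAlgo = configurationSource.get(HddsConfigKeys.HDDS_KEY_ALGORITHM, HddsConfigKeys.HDDS_DEFAULT_KEY_ALGORITHM);
        this.providerString = configurationSource.get(HddsConfigKeys.HDDS_SECURITY_PROVIDER, "BC");
        // Falls back to the generic ozone metadata dirs when no HDDS-specific dir is set;
        // may still be null, which the get*Location() methods reject.
        this.metadataDir = configurationSource.get(HddsConfigKeys.HDDS_METADATA_DIR_NAME, configurationSource.get("ozone.metadata.dirs"));
        this.keyDir = configurationSource.get(HddsConfigKeys.HDDS_KEY_DIR_NAME, HddsConfigKeys.HDDS_KEY_DIR_NAME_DEFAULT);
        this.privateKeyFileName = configurationSource.get(HddsConfigKeys.HDDS_PRIVATE_KEY_FILE_NAME, "private.pem");
        this.publicKeyFileName = configurationSource.get(HddsConfigKeys.HDDS_PUBLIC_KEY_FILE_NAME, HddsConfigKeys.HDDS_PUBLIC_KEY_FILE_NAME_DEFAULT);
        this.maxCertDuration = Duration.parse(configurationSource.get(HddsConfigKeys.HDDS_X509_MAX_DURATION, HddsConfigKeys.HDDS_X509_MAX_DURATION_DEFAULT));
        this.x509SignatureAlgo = configurationSource.get(HddsConfigKeys.HDDS_X509_SIGNATURE_ALGO, HddsConfigKeys.HDDS_X509_SIGNATURE_ALGO_DEFAULT);
        this.certificateDir = configurationSource.get(HddsConfigKeys.HDDS_X509_DIR_NAME, HddsConfigKeys.HDDS_X509_DIR_NAME_DEFAULT);
        this.certificateFileName = configurationSource.get(HddsConfigKeys.HDDS_X509_FILE_NAME, "certificate.crt");
        this.blockTokenEnabled = configurationSource.getBoolean(HddsConfigKeys.HDDS_BLOCK_TOKEN_ENABLED, false);
        this.blockTokenExpiryDurationMs = configurationSource.getTimeDuration(HddsConfigKeys.HDDS_BLOCK_TOKEN_EXPIRY_TIME, "1d", TimeUnit.MILLISECONDS);
        this.tokenSanityChecksEnabled = configurationSource.getBoolean(HddsConfigKeys.HDDS_X509_GRACE_DURATION_TOKEN_CHECKS_ENABLED, true);
        this.containerTokenEnabled = configurationSource.getBoolean(HddsConfigKeys.HDDS_CONTAINER_TOKEN_ENABLED, false);
        this.grpcTlsEnabled = configurationSource.getBoolean(HddsConfigKeys.HDDS_GRPC_TLS_ENABLED, false);
        // The test-cert switch is only honoured when gRPC TLS is on at all.
        this.grpcTlsUseTestCert = this.grpcTlsEnabled
                && configurationSource.getBoolean(HddsConfigKeys.HDDS_GRPC_TLS_TEST_CERT, false);
        this.isSecurityEnabled = configurationSource.getBoolean(OzoneConfigKeys.OZONE_SECURITY_ENABLED_KEY, false);
        this.defaultCertDuration = Duration.parse(configurationSource.get(HddsConfigKeys.HDDS_X509_DEFAULT_DURATION, HddsConfigKeys.HDDS_X509_DEFAULT_DURATION_DEFAULT));
        this.renewalGracePeriod = Duration.parse(configurationSource.get(HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION, HddsConfigKeys.HDDS_X509_RENEW_GRACE_DURATION_DEFAULT));
        this.caCheckInterval = Duration.parse(configurationSource.get(HddsConfigKeys.HDDS_X509_CA_ROTATION_CHECK_INTERNAL, "P1D"));
        String timeOfDay = configurationSource.get(HddsConfigKeys.HDDS_X509_CA_ROTATION_TIME_OF_DAY, HddsConfigKeys.HDDS_X509_CA_ROTATION_TIME_OF_DAY_DEFAULT);
        if (!CA_ROTATION_TIME_OF_DAY_PATTERN.matcher(timeOfDay).matches()) {
            throw new IllegalArgumentException("Property value of hdds.x509.ca.rotation.time-of-day should follow the hh:mm:ss format.");
        }
        this.caRotationTimeOfDay = "1970-01-01T" + timeOfDay;
        this.caAckTimeout = Duration.parse(configurationSource.get(HddsConfigKeys.HDDS_X509_CA_ROTATION_ACK_TIMEOUT, HddsConfigKeys.HDDS_X509_CA_ROTATION_ACK_TIMEOUT_DEFAULT));
        this.autoCARotationEnabled = configurationSource.getBoolean(HddsConfigKeys.HDDS_X509_CA_ROTATION_ENABLED, false);
        // Needs maxCertDuration, defaultCertDuration, renewalGracePeriod, the CA rotation
        // settings and the block-token expiry to be assigned already.
        validateCertificateValidityConfig();
        this.rootCaCertificatePollingInterval = Duration.parse(configurationSource.get(HddsConfigKeys.HDDS_X509_ROOTCA_CERTIFICATE_POLLING_INTERVAL, HddsConfigKeys.HDDS_X509_ROOTCA_CERTIFICATE_POLLING_INTERVAL_DEFAULT));
        this.expiredCertificateCheckInterval = Duration.parse(configurationSource.get(HddsConfigKeys.HDDS_X509_EXPIRED_CERTIFICATE_CHECK_INTERVAL, "P1D"));
        this.externalRootCaCert = configurationSource.get(HddsConfigKeys.HDDS_X509_ROOTCA_CERTIFICATE_FILE, "");
        this.externalRootCaPublicKeyPath = configurationSource.get(HddsConfigKeys.HDDS_X509_ROOTCA_PUBLIC_KEY_FILE, "");
        this.externalRootCaPrivateKeyPath = configurationSource.get(HddsConfigKeys.HDDS_X509_ROOTCA_PRIVATE_KEY_FILE, "");
        this.crlName = configurationSource.get(HddsConfigKeys.HDDS_X509_CRL_NAME, HddsConfigKeys.HDDS_X509_CRL_NAME_DEFAULT);
        this.grpcSSLProvider = SslProvider.valueOf(configurationSource.get(HddsConfigKeys.HDDS_GRPC_TLS_PROVIDER, HddsConfigKeys.HDDS_GRPC_TLS_PROVIDER_DEFAULT));
        ensureProviderInstalled(this.providerString);
    }

    /**
     * Installs the JCA provider named {@code providerName} once per JVM.
     *
     * <p>Double-checked on the volatile {@link #provider} field so that concurrent
     * constructors neither re-register the provider nor race on the static field.
     *
     * @param providerName JCA provider name, e.g. {@code "BC"}
     * @throws SecurityException if the provider is not installed and is unknown here
     */
    private static void ensureProviderInstalled(String providerName) {
        if (provider != null) {
            return;
        }
        synchronized (SecurityConfig.class) {
            if (provider != null) {
                return;
            }
            Provider installed = Security.getProvider(providerName);
            provider = installed != null ? installed : initSecurityProvider(providerName);
        }
    }

    /**
     * Checks that the certificate durations are positive and ordered
     * (grace period &le; default duration &le; max duration), that the CA rotation
     * intervals fit inside the grace period when auto rotation is enabled, and that
     * block tokens cannot outlive the renewal grace period when sanity checks are on.
     *
     * @throws IllegalArgumentException describing the first violated rule
     */
    private void validateCertificateValidityConfig() {
        requirePositive(this.maxCertDuration, "hdds.x509.max.duration");
        requirePositive(this.defaultCertDuration, "hdds.x509.default.duration");
        requirePositive(this.renewalGracePeriod, "hdds.x509.renew.grace.duration");
        if (this.maxCertDuration.compareTo(this.defaultCertDuration) < 0) {
            LOG.error("Property hdds.x509.default.duration should not be greater than Property hdds.x509.max.duration");
            throw new IllegalArgumentException("Property hdds.x509.default.duration should not be greater than Property hdds.x509.max.duration");
        }
        if (this.defaultCertDuration.compareTo(this.renewalGracePeriod) < 0) {
            LOG.error("Property hdds.x509.renew.grace.duration should not be greater than Property hdds.x509.default.duration");
            throw new IllegalArgumentException("Property hdds.x509.renew.grace.duration should not be greater than Property hdds.x509.default.duration");
        }
        if (this.autoCARotationEnabled) {
            requirePositive(this.caCheckInterval, "hdds.x509.ca.rotation.check.interval");
            if (this.caCheckInterval.compareTo(this.renewalGracePeriod) >= 0) {
                throw new IllegalArgumentException("Property value of hdds.x509.ca.rotation.check.interval should be smaller than hdds.x509.renew.grace.duration");
            }
            requirePositive(this.caAckTimeout, "hdds.x509.ca.rotation.ack.timeout");
            if (this.caAckTimeout.compareTo(this.renewalGracePeriod) >= 0) {
                throw new IllegalArgumentException("Property value of hdds.x509.ca.rotation.ack.timeout should be smaller than hdds.x509.renew.grace.duration");
            }
        }
        // A token must expire before the certificate that signed it can be retired.
        if (this.tokenSanityChecksEnabled && this.blockTokenExpiryDurationMs > this.renewalGracePeriod.toMillis()) {
            throw new IllegalArgumentException(" Certificate grace period hdds.x509.renew.grace.duration should be greater than maximum block/container token lifetime hdds.block.token.expiry.time");
        }
    }

    /**
     * Logs and throws when {@code value} is zero or negative.
     *
     * @param value duration to check
     * @param propertyName configuration key named in the message
     * @throws IllegalArgumentException if {@code value} is not strictly positive
     */
    private static void requirePositive(Duration value, String propertyName) {
        if (value.isNegative() || value.isZero()) {
            String message = "Property " + propertyName + " should not be zero or negative";
            LOG.error(message);
            throw new IllegalArgumentException(message);
        }
    }

    /** @return the configured CRL file name. */
    public String getCrlName() {
        return this.crlName;
    }

    /** @return whether Ozone security is enabled. */
    public boolean isSecurityEnabled() {
        return this.isSecurityEnabled;
    }

    /** @return the default validity of a newly issued certificate. */
    public Duration getDefaultCertDuration() {
        return this.defaultCertDuration;
    }

    /** @return the renewal grace period; never longer than the default duration. */
    public Duration getRenewalGracePeriod() {
        return this.renewalGracePeriod;
    }

    /** @return the certificate file name within the certificate directory. */
    public String getCertificateFileName() {
        return this.certificateFileName;
    }

    /** @return the public key file name within the key directory. */
    public String getPublicKeyFileName() {
        return this.publicKeyFileName;
    }

    /** @return the private key file name within the key directory. */
    public String getPrivateKeyFileName() {
        return this.privateKeyFileName;
    }

    /**
     * Resolves {@code <metadataDir>/<component>/<keyDir>}.
     *
     * @param component subdirectory under the metadata directory
     * @return the key directory for {@code component}
     * @throws NullPointerException if no metadata directory is configured
     */
    public Path getKeyLocation(String component) {
        return getLocation(component).resolve(this.keyDir);
    }

    /**
     * Resolves {@code <metadataDir>/<component>/<certificateDir>}.
     *
     * @param component subdirectory under the metadata directory
     * @return the certificate directory for {@code component}
     * @throws NullPointerException if no metadata directory is configured
     */
    public Path getCertificateLocation(String component) {
        return getLocation(component).resolve(this.certificateDir);
    }

    /**
     * Resolves {@code <metadataDir>/<component>}.
     *
     * @param component subdirectory under the metadata directory
     * @return the base security directory for {@code component}
     * @throws NullPointerException if no metadata directory is configured
     */
    public Path getLocation(String component) {
        Preconditions.checkNotNull(this.metadataDir, "Metadata directory can't be null. Please check configs.");
        return Paths.get(this.metadataDir, component);
    }

    /** @return the configured key size in bits. */
    public int getSize() {
        return this.size;
    }

    /** @return the configured JCA provider name (not the {@link Provider} instance). */
    public String getProvider() {
        return this.providerString;
    }

    /** @return the key-pair generation algorithm name. */
    public String getKeyAlgo() {
        return this.keyAlgo;
    }

    /** @return the X.509 signature algorithm name. */
    public String getSignatureAlgo() {
        return this.x509SignatureAlgo;
    }

    /** @return the upper bound on any certificate's validity. */
    public Duration getMaxCertificateDuration() {
        return this.maxCertDuration;
    }

    /** @return whether block tokens are enabled. */
    public boolean isBlockTokenEnabled() {
        return this.blockTokenEnabled;
    }

    /** @return block token lifetime in milliseconds. */
    public long getBlockTokenExpiryDurationMs() {
        return this.blockTokenExpiryDurationMs;
    }

    /** @return whether container tokens are enabled. */
    public boolean isContainerTokenEnabled() {
        return this.containerTokenEnabled;
    }

    /** @return whether gRPC transport uses TLS. */
    public boolean isGrpcTlsEnabled() {
        return this.grpcTlsEnabled;
    }

    /** @return the Netty SSL provider used for gRPC TLS. */
    public SslProvider getGrpcSslProvider() {
        return this.grpcSSLProvider;
    }

    /** @return path of the external root CA private key, or {@code ""} if none. */
    public String getExternalRootCaPrivateKeyPath() {
        return this.externalRootCaPrivateKeyPath;
    }

    /** @return path of the external root CA public key, or {@code ""} if none. */
    public String getExternalRootCaPublicKeyPath() {
        return this.externalRootCaPublicKeyPath;
    }

    /** @return path of the external root CA certificate file, or {@code ""} if none. */
    public String getExternalRootCaCert() {
        return this.externalRootCaCert;
    }

    /** @return how often CA rotation is checked for. */
    public Duration getCaCheckInterval() {
        return this.caCheckInterval;
    }

    /** @return the CA rotation time of day, formatted as {@code 1970-01-01Thh:mm:ss}. */
    public String getCaRotationTimeOfDay() {
        return this.caRotationTimeOfDay;
    }

    /** @return how long to wait for acknowledgement during CA rotation. */
    public Duration getCaAckTimeout() {
        return this.caAckTimeout;
    }

    /** @return how often the root CA certificate is polled. */
    public Duration getRootCaCertificatePollingInterval() {
        return this.rootCaCertificatePollingInterval;
    }

    /** @return whether automatic CA rotation is enabled. */
    public boolean isAutoCARotationEnabled() {
        return this.autoCARotationEnabled;
    }

    /** @return how often expired certificates are looked for. */
    public Duration getExpiredCertificateCheckInterval() {
        return this.expiredCertificateCheckInterval;
    }

    /** @return whether gRPC TLS uses a test certificate; always false when TLS is off. */
    public boolean useTestCert() {
        return this.grpcTlsUseTestCert;
    }

    /**
     * Registers a provider this class knows how to install and returns it.
     *
     * @param providerName JCA provider name; only {@code "BC"} is supported
     * @return the provider as registered with {@link Security}
     * @throws SecurityException if {@code providerName} is not supported
     */
    private static Provider initSecurityProvider(String providerName) {
        if ("BC".equals(providerName)) {
            Security.addProvider(new BouncyCastleProvider());
            return Security.getProvider(providerName);
        }
        // Report the requested name; the static provider field is still null here.
        LOG.error("Security Provider:{} is unknown", providerName);
        throw new SecurityException("Unknown security provider:" + providerName);
    }

    /** @return whether block or container tokens are enabled. */
    public boolean isTokenEnabled() {
        return this.blockTokenEnabled || this.containerTokenEnabled;
    }
}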
