package org.apache.hadoop.ozone.security;

import com.google.protobuf.ServiceException;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.exceptions.OMLeaderNotReadyException;
import org.apache.hadoop.ozone.om.exceptions.OMNotLeaderException;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.apache.hadoop.ozone.protocolPB.OzoneManagerProtocolServerSideTranslatorPB;
import org.apache.hadoop.security.token.SecretManager;

/**
 * Static helpers that authenticate the S3 credentials carried in an
 * {@code OMRequest} against the Ozone Manager's delegation token manager.
 *
 * <p>The class is a non-instantiable utility; all state comes from the
 * arguments passed to each call.
 */
@InterfaceStability.Evolving
@InterfaceAudience.Private
public final class S3SecurityUtil {
    /** Utility class: not meant to be instantiated. */
    private S3SecurityUtil() {
    }

    /**
     * Authenticates the S3 credentials attached to {@code oMRequest}.
     *
     * <p>When security is disabled on the Ozone Manager this method returns
     * immediately and performs no credential check at all, so nothing
     * downstream may assume the access ID was authenticated in that mode.
     *
     * @param oMRequest    request whose S3 authentication fields are checked
     * @param ozoneManager Ozone Manager supplying the security flag and the
     *                     delegation token manager
     * @throws ServiceException if the token manager rejected the lookup because
     *                          of an {@code OMNotLeaderException} or
     *                          {@code OMLeaderNotReadyException}; the original
     *                          cause is wrapped unchanged
     * @throws OMException      with {@code INVALID_TOKEN} for any other
     *                          {@code InvalidToken} failure
     */
    public static void validateS3Credential(OzoneManagerProtocolProtos.OMRequest oMRequest, OzoneManager ozoneManager) throws ServiceException, OMException {
        if (!ozoneManager.isSecurityEnabled()) {
            return;
        }

        final OzoneTokenIdentifier s3Token = constructS3Token(oMRequest);
        try {
            // Return value is intentionally discarded: only success/failure matters.
            // Presumably this is where the request signature is verified, judging
            // by the failure message below - confirm against the token manager.
            ozoneManager.getDelegationTokenMgr().retrievePassword(s3Token);
        } catch (SecretManager.InvalidToken invalidToken) {
            final Throwable cause = invalidToken.getCause();
            if (isLeaderStateFailure(cause)) {
                // Leadership problems are reported as a ServiceException rather
                // than as an authentication failure, so they are not logged or
                // surfaced as a bad signature.
                throw new ServiceException(cause);
            }
            // NOTE(review): the whole identifier is logged. What that prints depends
            // on OzoneTokenIdentifier.toString(), which is not visible here - confirm
            // it does not emit the signature or string-to-sign. The access ID is
            // client-supplied, so treat it as untrusted when parsing or alerting on
            // these log lines.
            OzoneManagerProtocolServerSideTranslatorPB.getLog().error("signatures do NOT match for S3 identifier:{}", s3Token, invalidToken);
            throw new OMException("User " + s3Token.getAwsAccessId() + " request authorization failure: signatures do NOT match", OMException.ResultCodes.INVALID_TOKEN);
        }
    }

    /**
     * Tells whether {@code cause} is exactly an {@code OMNotLeaderException} or
     * an {@code OMLeaderNotReadyException}.
     *
     * <p>The comparison is on the exact runtime class, so subclasses of either
     * exception do not match.
     *
     * @param cause cause of the token failure, may be {@code null}
     * @return {@code true} only for the two leader-state exception classes
     */
    private static boolean isLeaderStateFailure(Throwable cause) {
        if (cause == null) {
            return false;
        }
        final Class<?> causeType = cause.getClass();
        return causeType == OMNotLeaderException.class || causeType == OMLeaderNotReadyException.class;
    }

    /**
     * Builds an {@code S3AUTHINFO} token identifier from the request's S3
     * authentication fields.
     *
     * <p>Every value copied here originates from the request and is therefore
     * unauthenticated until the caller has validated the identifier.
     *
     * @param oMRequest request to read the S3 authentication message from
     * @return identifier carrying the string-to-sign, signature and access ID,
     *         with the access ID also set as owner
     */
    private static OzoneTokenIdentifier constructS3Token(OzoneManagerProtocolProtos.OMRequest oMRequest) {
        // NOTE(review): nothing here checks that the request actually carries an
        // S3 authentication message; presumably the caller guarantees it - confirm.
        final OzoneManagerProtocolProtos.S3Authentication auth = oMRequest.getS3Authentication();
        final String accessId = auth.getAccessId();

        final OzoneTokenIdentifier identifier = new OzoneTokenIdentifier();
        identifier.setTokenType(OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO);
        identifier.setStrToSign(auth.getStringToSign());
        identifier.setSignature(auth.getSignature());
        identifier.setAwsAccessId(accessId);
        identifier.setOwner(new Text(accessId));
        return identifier;
    }
}
