package org.apache.hadoop.ozone.om.request.s3.tenant;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.nio.file.InvalidPathException;
import java.util.Collections;
import java.util.HashMap;
import java.util.TreeSet;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.hadoop.hdds.utils.db.cache.CacheKey;
import org.apache.hadoop.hdds.utils.db.cache.CacheValue;
import org.apache.hadoop.ozone.OmUtils;
import org.apache.hadoop.ozone.audit.OMAction;
import org.apache.hadoop.ozone.om.OMMetadataManager;
import org.apache.hadoop.ozone.om.OMMetrics;
import org.apache.hadoop.ozone.om.OMMultiTenantManager;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.OmDBAccessIdInfo;
import org.apache.hadoop.ozone.om.helpers.OmDBUserPrincipalInfo;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.apache.hadoop.ozone.om.lock.OzoneManagerLock;
import org.apache.hadoop.ozone.om.request.OMClientRequest;
import org.apache.hadoop.ozone.om.request.util.OmResponseUtil;
import org.apache.hadoop.ozone.om.response.OMClientResponse;
import org.apache.hadoop.ozone.om.response.s3.tenant.OMTenantAssignUserAccessIdResponse;
import org.apache.hadoop.ozone.om.upgrade.BelongsToLayoutVersion;
import org.apache.hadoop.ozone.om.upgrade.DisallowedUntilLayoutVersion;
import org.apache.hadoop.ozone.om.upgrade.OMLayoutFeature;
import org.apache.hadoop.ozone.om.upgrade.OMLayoutFeatureAspect;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.aspectj.lang.JoinPoint;
import org.aspectj.runtime.reflect.Factory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/ozone/om/request/s3/tenant/OMTenantAssignUserAccessIdRequest.class */
/**
 * OM request that assigns a user principal to a tenant under an access ID and
 * registers an S3 secret for that access ID.
 *
 * <p>{@link #preExecute} validates the request, performs the tenant-admin check,
 * takes the authorizer write lock and attaches a generated secret to the request.
 * {@link #validateAndUpdateCache} re-checks table state, adds the cache entries and
 * releases the authorizer lock.
 *
 * <p>NOTE(review): this listing looks like decompiler output of an AspectJ-woven
 * class (synthetic {@code ajc$} members, {@code if (0 != 0)} branches,
 * {@code this != null}). The exception flow shown in
 * {@code validateAndUpdateCache} may not match the original source; confirm
 * against the source file before relying on it.
 */
public class OMTenantAssignUserAccessIdRequest extends OMClientRequest {
    public static final Logger LOG;
    // Static join-point descriptor for preExecute, built in ajc$preClinit().
    private static /* synthetic */ JoinPoint.StaticPart ajc$tjp_0;

    static {
        // The join-point descriptor is initialised before the logger.
        ajc$preClinit();
        LOG = LoggerFactory.getLogger(OMTenantAssignUserAccessIdRequest.class);
    }

    /**
     * Creates the request wrapper by passing the protobuf request to the superclass.
     *
     * @param oMRequest the incoming OM request
     */
    public OMTenantAssignUserAccessIdRequest(OzoneManagerProtocolProtos.OMRequest oMRequest) {
        super(oMRequest);
    }

    /**
     * Validates the assign-user request, authorizes the caller and prepares the
     * request that {@link #validateAndUpdateCache} consumes.
     *
     * <p>Checks, in order: layout feature (via the aspect), tenant-admin check,
     * accessId length below 100, no {@code "$"} in user principal or tenant ID,
     * accessId equal to the derived default access ID, tenant existence.
     *
     * <p>Locking: the authorizer write lock taken here is released in this method
     * only when an {@link Exception} is thrown. On the success path it stays held;
     * the unlock calls visible in this class for that case are in
     * {@link #validateAndUpdateCache}.
     *
     * @param ozoneManager the OzoneManager serving the request
     * @return a copy of the request with an {@code UpdateGetS3SecretRequest}
     *     carrying the access ID and a newly generated secret
     * @throws IOException on any validation or authorization failure
     *     ({@link OMException} is thrown directly for the checks in this method)
     */
    @Override // org.apache.hadoop.ozone.om.request.OMClientRequest
    @DisallowedUntilLayoutVersion(OMLayoutFeature.MULTITENANCY_SCHEMA)
    public OzoneManagerProtocolProtos.OMRequest preExecute(OzoneManager ozoneManager) throws IOException {
        // Woven advice for @DisallowedUntilLayoutVersion: checked before any request handling.
        JoinPoint makeJP = Factory.makeJP(ajc$tjp_0, this, this, ozoneManager);
        OMLayoutFeatureAspect.aspectOf().checkLayoutFeature(makeJP);
        // `this != null` is always true in an instance method; it comes from the woven guard.
        if (this != null && getClass().isAnnotationPresent(BelongsToLayoutVersion.class)) {
            OMLayoutFeatureAspect.aspectOf().beforeRequestApplyTxn(makeJP);
        }
        OzoneManagerProtocolProtos.OMRequest preExecute = super.preExecute(ozoneManager);
        OzoneManagerProtocolProtos.TenantAssignUserAccessIdRequest tenantAssignUserAccessIdRequest = preExecute.getTenantAssignUserAccessIdRequest();
        String tenantId = tenantAssignUserAccessIdRequest.getTenantId();
        OMMultiTenantManager multiTenantManager = ozoneManager.getMultiTenantManager();
        // Authorization gate: this is the only admin check in this class, and it runs
        // before tenantId has been validated below.
        // NOTE(review): the meaning of the `false` argument is not visible here;
        // confirm against OMMultiTenantManager.checkTenantAdmin.
        multiTenantManager.checkTenantAdmin(tenantId, false);
        String userPrincipal = tenantAssignUserAccessIdRequest.getUserPrincipal();
        String accessId = tenantAssignUserAccessIdRequest.getAccessId();
        // Access IDs of 100 characters or more are rejected.
        if (accessId.length() >= 100) {
            throw new OMException("accessId length exceeds the maximum length allowed", OMException.ResultCodes.INVALID_ACCESS_ID);
        }
        // "$" is refused in both names; the error text calls it the delimiter.
        // NOTE(review): presumably the separator getDefaultAccessId uses to join tenant
        // and user, in which case allowing it would make derived access IDs ambiguous.
        // Confirm against OMMultiTenantManager.
        // The rejected value is echoed verbatim in the exception message, and this method
        // applies no length limit to userPrincipal or tenantId themselves.
        if (userPrincipal.contains("$")) {
            throw new OMException("Invalid tenant username '" + userPrincipal + "'. Tenant username shouldn't contain delimiter.", OMException.ResultCodes.INVALID_TENANT_USERNAME);
        }
        if (tenantId.contains("$")) {
            throw new OMException("Invalid tenant name '" + tenantId + "'. Tenant name shouldn't contain delimiter.", OMException.ResultCodes.INVALID_TENANT_ID);
        }
        // Custom access IDs are refused: the caller-supplied value must equal the
        // derived default exactly, so a caller cannot pick an arbitrary identifier.
        String defaultAccessId = OMMultiTenantManager.getDefaultAccessId(tenantId, userPrincipal);
        if (!accessId.equals(defaultAccessId)) {
            throw new OMException("Invalid accessId '" + accessId + "'. Specifying a custom access ID disallowed. Expected accessId to be assigned is '" + defaultAccessId + "'", OMException.ResultCodes.INVALID_ACCESS_ID);
        }
        multiTenantManager.checkTenantExistence(tenantId);
        // Authorizer write lock: taken here, released here only on Exception.
        multiTenantManager.getAuthorizerLock().tryWriteLockInOMRequest();
        try {
            multiTenantManager.getAuthorizerOp().assignUserToTenant(userPrincipal, tenantId, accessId);
            // The secret is generated here and carried inside the request; validateAndUpdateCache
            // reads it back from the request instead of generating its own.
            // NOTE(review): the strength of the secret depends on what OmUtils.getSHADigest()
            // returns, which is not visible here; confirm it draws from a CSPRNG.
            // NOTE(review): the secret is now a clear-text field of the OMRequest; confirm that
            // no path that logs or dumps whole requests prints this field.
            return preExecute.toBuilder().setUpdateGetS3SecretRequest(OzoneManagerProtocolProtos.UpdateGetS3SecretRequest.newBuilder().setKerberosID(accessId).setAwsSecret(DigestUtils.sha256Hex(OmUtils.getSHADigest())).build()).build();
        } catch (Exception e) {
            // Only Exception is caught: an Error thrown in the try block is not unlocked here.
            multiTenantManager.getAuthorizerLock().unlockWriteInOMRequest();
            throw e;
        }
    }

    /**
     * Applies the assignment: re-checks table state under the tenant volume write
     * lock, adds the access-ID, principal and S3-secret cache entries, updates the
     * multi-tenant cache, and builds the response.
     *
     * <p>This method performs no admin check of its own; the only one in this class
     * is in {@link #preExecute}. It calls {@code unlockWriteInOMRequest()} on the
     * authorizer lock on every exit path shown (error response, success, rethrow).
     *
     * <p>The success response returns the S3 secret to the caller in clear text.
     * The audit map and the log lines in this method contain tenant, user and
     * access ID, not the secret.
     *
     * <p>NOTE(review): as listed, the {@code IOException | InvalidPathException}
     * handler falls through into the validation code after the inner try, and the
     * {@code if (0 != 0)} branches are dead. This looks like a decompiler rendering
     * of a single try/catch/finally; confirm against the source.
     *
     * @param ozoneManager the OzoneManager serving the request
     * @param j used as the transaction log index for the secret and the cache entries
     * @return the response for this request (an error response when the handled
     *     exception path is taken)
     */
    @Override // org.apache.hadoop.ozone.om.request.OMClientRequest
    public OMClientResponse validateAndUpdateCache(OzoneManager ozoneManager, long j) {
        OMTenantAssignUserAccessIdResponse oMTenantAssignUserAccessIdResponse;
        String tenantVolumeName;
        boolean isLockAcquired;
        OMMultiTenantManager multiTenantManager = ozoneManager.getMultiTenantManager();
        OMMetrics metrics = ozoneManager.getMetrics();
        metrics.incNumTenantAssignUsers();
        OMClientResponse oMClientResponse = null;
        OzoneManagerProtocolProtos.OMResponse.Builder oMResponseBuilder = OmResponseUtil.getOMResponseBuilder(getOmRequest());
        // Access ID and secret come from the sub-request that preExecute attached.
        OzoneManagerProtocolProtos.UpdateGetS3SecretRequest updateGetS3SecretRequest = getOmRequest().getUpdateGetS3SecretRequest();
        String kerberosID = updateGetS3SecretRequest.getKerberosID();
        String awsSecret = updateGetS3SecretRequest.getAwsSecret();
        // Audit parameters; filled with tenant, user and accessId only.
        HashMap hashMap = new HashMap();
        OMMetadataManager metadataManager = ozoneManager.getMetadataManager();
        OzoneManagerProtocolProtos.TenantAssignUserAccessIdRequest tenantAssignUserAccessIdRequest = getOmRequest().getTenantAssignUserAccessIdRequest();
        String tenantId = tenantAssignUserAccessIdRequest.getTenantId();
        String userPrincipal = tenantAssignUserAccessIdRequest.getUserPrincipal();
        // Consistency check: the secret sub-request must name the same access ID as the
        // tenant sub-request. This runs before the outer try, so a failure here skips
        // every unlock call below.
        Preconditions.checkState(kerberosID.equals(tenantAssignUserAccessIdRequest.getAccessId()));
        Exception exc = null;
        try {
            try {
                tenantVolumeName = ozoneManager.getMultiTenantManager().getTenantVolumeName(tenantId);
                // Write lock on the tenant's volume for the duration of the table updates.
                mergeOmLockDetails(metadataManager.getLock().acquireWriteLock(OzoneManagerLock.Resource.VOLUME_LOCK, new String[]{tenantVolumeName}));
                isLockAcquired = getOmLockDetails().isLockAcquired();
            } catch (IOException | InvalidPathException e) {
                // Handled failure: build an error response and release the authorizer lock.
                exc = e;
                oMResponseBuilder.setTenantAssignUserAccessIdResponse(OzoneManagerProtocolProtos.TenantAssignUserAccessIdResponse.newBuilder().build());
                oMTenantAssignUserAccessIdResponse = new OMTenantAssignUserAccessIdResponse(createErrorOMResponse(oMResponseBuilder, exc));
                // Dead branch (constant-false condition); see the NOTE(review) on the method.
                if (0 != 0) {
                    Preconditions.checkNotNull((Object) null);
                    mergeOmLockDetails(metadataManager.getLock().releaseWriteLock(OzoneManagerLock.Resource.VOLUME_LOCK, new String[]{null}));
                }
                multiTenantManager.getAuthorizerLock().unlockWriteInOMRequest();
                if (oMTenantAssignUserAccessIdResponse != null) {
                    oMTenantAssignUserAccessIdResponse.setOmLockDetails(getOmLockDetails());
                }
            }
            // State re-checks under the volume lock. Each failure is logged and thrown with
            // the caller-supplied identifier embedded in the message.
            if (!metadataManager.getTenantStateTable().isExist(tenantId)) {
                LOG.error("tenant {} doesn't exist", tenantId);
                throw new OMException("tenant '" + tenantId + "' doesn't exist", OMException.ResultCodes.TENANT_NOT_FOUND);
            }
            if (metadataManager.getTenantAccessIdTable().isExist(kerberosID)) {
                LOG.error("accessId {} already exists", kerberosID);
                throw new OMException("accessId '" + kerberosID + "' already exists!", OMException.ResultCodes.TENANT_USER_ACCESS_ID_ALREADY_EXISTS);
            }
            // A principal may hold access IDs in several tenants, but only one per tenant.
            OmDBUserPrincipalInfo omDBUserPrincipalInfo = (OmDBUserPrincipalInfo) metadataManager.getPrincipalToAccessIdsTable().getIfExist(userPrincipal);
            if (omDBUserPrincipalInfo != null) {
                for (String str : omDBUserPrincipalInfo.getAccessIds()) {
                    OmDBAccessIdInfo omDBAccessIdInfo = (OmDBAccessIdInfo) metadataManager.getTenantAccessIdTable().get(str);
                    if (omDBAccessIdInfo == null) {
                        // The log text says "Ignoring." but the request is failed, not ignored.
                        LOG.error("Metadata error: accessIdInfo is null for accessId '{}'. Ignoring.", str);
                        throw new OMException("accessIdInfo is null", OMException.ResultCodes.INVALID_ACCESS_ID);
                    }
                    if (tenantId.equals(omDBAccessIdInfo.getTenantId())) {
                        throw new OMException("The same user is not allowed to be assigned to the same tenant more than once. User '" + userPrincipal + "' is already assigned to tenant '" + tenantId + "' with accessId '" + str + "'.", OMException.ResultCodes.TENANT_USER_ACCESS_ID_ALREADY_EXISTS);
                    }
                }
            }
            S3SecretValue s3SecretValue = new S3SecretValue(kerberosID, awsSecret);
            s3SecretValue.setTransactionLogIndex(j);
            // New assignments are always created without admin or delegated-admin rights.
            OmDBAccessIdInfo build = new OmDBAccessIdInfo.Builder().setTenantId(tenantId).setUserPrincipal(userPrincipal).setIsAdmin(false).setIsDelegatedAdmin(false).build();
            metadataManager.getTenantAccessIdTable().addCacheEntry(new CacheKey(kerberosID), CacheValue.get(j, build));
            if (omDBUserPrincipalInfo == null) {
                omDBUserPrincipalInfo = new OmDBUserPrincipalInfo.Builder().setAccessIds(new TreeSet(Collections.singleton(kerberosID))).build();
            } else {
                omDBUserPrincipalInfo.addAccessId(kerberosID);
            }
            metadataManager.getPrincipalToAccessIdsTable().addCacheEntry(new CacheKey(userPrincipal), CacheValue.get(j, omDBUserPrincipalInfo));
            // NOTE(review): the two cache entries above are added before the S3-secret
            // existence check below; nothing visible in this method undoes them if that
            // check throws. Confirm whether a stale access-ID entry can remain.
            ozoneManager.getS3SecretManager().doUnderLock(kerberosID, s3SecretManager -> {
                // An existing secret for this access ID is never overwritten.
                if (s3SecretManager.hasS3Secret(kerberosID)) {
                    LOG.error("accessId '{}' already exists in S3SecretTable", kerberosID);
                    throw new OMException("accessId '" + kerberosID + "' already exists in S3SecretTable", OMException.ResultCodes.TENANT_USER_ACCESS_ID_ALREADY_EXISTS);
                }
                s3SecretManager.updateCache(kerberosID, s3SecretValue);
                return null;
            });
            multiTenantManager.getCacheOp().assignUserToTenant(userPrincipal, tenantId, kerberosID);
            // The response carries the secret in clear text back to the caller.
            oMResponseBuilder.setTenantAssignUserAccessIdResponse(OzoneManagerProtocolProtos.TenantAssignUserAccessIdResponse.newBuilder().setS3Secret(OzoneManagerProtocolProtos.S3Secret.newBuilder().setAwsSecret(awsSecret).setKerberosID(kerberosID)).build());
            oMTenantAssignUserAccessIdResponse = new OMTenantAssignUserAccessIdResponse(oMResponseBuilder.build(), s3SecretValue, userPrincipal, kerberosID, build, omDBUserPrincipalInfo, ozoneManager.getS3SecretManager());
            // Release the volume lock if it was taken, then the authorizer lock from preExecute.
            if (isLockAcquired) {
                Preconditions.checkNotNull(tenantVolumeName);
                mergeOmLockDetails(metadataManager.getLock().releaseWriteLock(OzoneManagerLock.Resource.VOLUME_LOCK, new String[]{tenantVolumeName}));
            }
            multiTenantManager.getAuthorizerLock().unlockWriteInOMRequest();
            if (oMTenantAssignUserAccessIdResponse != null) {
                oMTenantAssignUserAccessIdResponse.setOmLockDetails(getOmLockDetails());
            }
            // Audit record: tenant, user and access ID. The secret is not added to the map.
            hashMap.put("tenant", tenantId);
            hashMap.put("user", userPrincipal);
            hashMap.put("accessId", kerberosID);
            auditLog(ozoneManager.getAuditLogger(), buildAuditMessage(OMAction.TENANT_ASSIGN_USER_ACCESSID, hashMap, exc, getOmRequest().getUserInfo()));
            if (exc == null) {
                LOG.info("Assigned user '{}' to tenant '{}' with accessId '{}'", new Object[]{userPrincipal, tenantId, kerberosID});
            } else {
                LOG.error("Failed to assign '{}' to tenant '{}' with accessId '{}': {}", new Object[]{userPrincipal, tenantId, kerberosID, exc.getMessage()});
                metrics.incNumTenantAssignUserFails();
            }
            return oMTenantAssignUserAccessIdResponse;
        } catch (Throwable th) {
            // Rethrow path: as listed, only the authorizer lock is released here; both
            // `if (0 != 0)` branches are dead, so the volume lock release is not reached.
            // NOTE(review): likely a decompiler artifact of a finally block; confirm that the
            // source releases VOLUME_LOCK when an exception escapes after it was acquired.
            if (0 != 0) {
                Preconditions.checkNotNull((Object) null);
                mergeOmLockDetails(metadataManager.getLock().releaseWriteLock(OzoneManagerLock.Resource.VOLUME_LOCK, new String[]{null}));
            }
            multiTenantManager.getAuthorizerLock().unlockWriteInOMRequest();
            if (0 != 0) {
                oMClientResponse.setOmLockDetails(getOmLockDetails());
            }
            throw th;
        }
    }

    /**
     * Builds the static join-point descriptor for {@code preExecute} that the woven
     * layout-feature advice receives.
     */
    private static /* synthetic */ void ajc$preClinit() {
        Factory factory = new Factory("OMTenantAssignUserAccessIdRequest.java", OMTenantAssignUserAccessIdRequest.class);
        // NOTE(review): the trailing 110 is presumably the source line of preExecute; confirm.
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("1", "preExecute", "org.apache.hadoop.ozone.om.request.s3.tenant.OMTenantAssignUserAccessIdRequest", "org.apache.hadoop.ozone.om.OzoneManager", "ozoneManager", "java.io.IOException", "org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos$OMRequest"), 110);
    }
}
