package org.apache.hadoop.ozone.security;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.OzoneSecretManager;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.S3SecretManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.exceptions.OMLeaderNotReadyException;
import org.apache.hadoop.ozone.om.exceptions.OMNotLeaderException;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.apache.hadoop.ozone.security.OzoneSecretStore;
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.util.Daemon;
import org.apache.hadoop.util.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceStability.Unstable
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.class */
public class OzoneDelegationTokenSecretManager extends OzoneSecretManager<OzoneTokenIdentifier> {
    private static final Logger LOG = LoggerFactory.getLogger(OzoneDelegationTokenSecretManager.class);
    private final Map<OzoneTokenIdentifier, OzoneTokenIdentifier.TokenInfo> currentTokens;
    private final OzoneSecretStore store;
    private final S3SecretManager s3SecretManager;
    private Thread tokenRemoverThread;
    private final long tokenRemoverScanInterval;
    private final String omServiceId;
    private final OzoneManager ozoneManager;
    private final Object noInterruptsLock;
    private final boolean isRatisEnabled;

    /* loaded from: input_file:org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager$Builder.class */
    public static class Builder {
        private OzoneConfiguration ozoneConf;
        private long tokenMaxLifetime;
        private long tokenRenewInterval;
        private long tokenRemoverScanInterval;
        private Text service;
        private S3SecretManager s3SecretManager;
        private CertificateClient certClient;
        private String omServiceId;
        private OzoneManager ozoneManager;

        public OzoneDelegationTokenSecretManager build() throws IOException {
            return new OzoneDelegationTokenSecretManager(this);
        }

        public Builder setConf(OzoneConfiguration ozoneConfiguration) {
            this.ozoneConf = ozoneConfiguration;
            return this;
        }

        public Builder setTokenMaxLifetime(long j) {
            this.tokenMaxLifetime = j;
            return this;
        }

        public Builder setTokenRenewInterval(long j) {
            this.tokenRenewInterval = j;
            return this;
        }

        public Builder setTokenRemoverScanInterval(long j) {
            this.tokenRemoverScanInterval = j;
            return this;
        }

        public Builder setService(Text text) {
            this.service = text;
            return this;
        }

        public Builder setS3SecretManager(S3SecretManager s3SecretManager) {
            this.s3SecretManager = s3SecretManager;
            return this;
        }

        public Builder setCertificateClient(CertificateClient certificateClient) {
            this.certClient = certificateClient;
            return this;
        }

        public Builder setOmServiceId(String str) {
            this.omServiceId = str;
            return this;
        }

        public Builder setOzoneManager(OzoneManager ozoneManager) {
            this.ozoneManager = ozoneManager;
            return this;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager$ExpiredTokenRemover.class */
    public class ExpiredTokenRemover extends Thread {
        private long lastTokenCacheCleanup;

        private ExpiredTokenRemover() {
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            OzoneDelegationTokenSecretManager.LOG.info("Starting expired delegation token remover thread, tokenRemoverScanInterval={} min(s)", Long.valueOf(OzoneDelegationTokenSecretManager.this.getTokenRemoverScanInterval() / 60000));
            while (OzoneDelegationTokenSecretManager.this.isRunning()) {
                try {
                    long now = Time.now();
                    if (this.lastTokenCacheCleanup + OzoneDelegationTokenSecretManager.this.getTokenRemoverScanInterval() < now) {
                        OzoneDelegationTokenSecretManager.this.removeExpiredToken();
                        this.lastTokenCacheCleanup = now;
                    }
                    Thread.sleep(Math.min(5000L, OzoneDelegationTokenSecretManager.this.getTokenRemoverScanInterval()));
                } catch (InterruptedException e) {
                    OzoneDelegationTokenSecretManager.LOG.info("ExpiredTokenRemover was interrupted.", e);
                    Thread.currentThread().interrupt();
                    return;
                } catch (Exception e2) {
                    OzoneDelegationTokenSecretManager.LOG.error("ExpiredTokenRemover thread received unexpected exception", e2);
                    Runtime.getRuntime().exit(-1);
                    return;
                }
            }
        }

        /* synthetic */ ExpiredTokenRemover(OzoneDelegationTokenSecretManager ozoneDelegationTokenSecretManager, ExpiredTokenRemover expiredTokenRemover) {
            this();
        }
    }

    public OzoneDelegationTokenSecretManager(Builder builder) throws IOException {
        super(new SecurityConfig(builder.ozoneConf), builder.tokenMaxLifetime, builder.tokenRenewInterval, builder.service, LOG);
        this.noInterruptsLock = new Object();
        setCertClient(builder.certClient);
        this.omServiceId = builder.omServiceId;
        this.currentTokens = new ConcurrentHashMap();
        this.tokenRemoverScanInterval = builder.tokenRemoverScanInterval;
        this.s3SecretManager = builder.s3SecretManager;
        this.ozoneManager = builder.ozoneManager;
        this.store = new OzoneSecretStore(builder.ozoneConf, this.ozoneManager.getMetadataManager());
        this.isRatisEnabled = builder.ozoneConf.getBoolean("ozone.om.ratis.enable", true);
        loadTokenSecretState(this.store.loadState());
    }

    /* renamed from: createIdentifier, reason: merged with bridge method [inline-methods] */
    public OzoneTokenIdentifier m217createIdentifier() {
        return OzoneTokenIdentifier.newInstance();
    }

    public OzoneTokenIdentifier createIdentifier(Text text, Text text2, Text text3) {
        return OzoneTokenIdentifier.newInstance(text, text2, text3);
    }

    public Token<OzoneTokenIdentifier> createToken(Text text, Text text2, Text text3) throws IOException {
        OzoneTokenIdentifier createIdentifier = createIdentifier(text, text2, text3);
        updateIdentifierDetails(createIdentifier);
        byte[] createPassword = createPassword(createIdentifier.getBytes(), getCurrentKey().getPrivateKey());
        long issueDate = createIdentifier.getIssueDate() + getTokenRenewInterval();
        if (!this.isRatisEnabled) {
            addToTokenStore(createIdentifier, createPassword, issueDate);
        }
        Token<OzoneTokenIdentifier> token = new Token<>(createIdentifier.getBytes(), createPassword, createIdentifier.getKind(), getService());
        if (LOG.isDebugEnabled()) {
            LOG.debug("Created delegation token: {}", token);
        }
        return token;
    }

    public long updateToken(Token<OzoneTokenIdentifier> token, OzoneTokenIdentifier ozoneTokenIdentifier, long j) {
        long issueDate = ozoneTokenIdentifier.getIssueDate() + j;
        this.currentTokens.put(ozoneTokenIdentifier, new OzoneTokenIdentifier.TokenInfo(issueDate, token.getPassword(), ozoneTokenIdentifier.getTrackingId()));
        return issueDate;
    }

    private void addToTokenStore(OzoneTokenIdentifier ozoneTokenIdentifier, byte[] bArr, long j) throws IOException {
        OzoneTokenIdentifier.TokenInfo tokenInfo = new OzoneTokenIdentifier.TokenInfo(j, bArr, ozoneTokenIdentifier.getTrackingId());
        this.currentTokens.put(ozoneTokenIdentifier, tokenInfo);
        this.store.storeToken(ozoneTokenIdentifier, tokenInfo.getRenewDate());
    }

    private void updateIdentifierDetails(OzoneTokenIdentifier ozoneTokenIdentifier) {
        long now = Time.now();
        int incrementDelegationTokenSeqNum = incrementDelegationTokenSeqNum();
        ozoneTokenIdentifier.setIssueDate(now);
        ozoneTokenIdentifier.setMasterKeyId(getCurrentKey().getKeyId());
        ozoneTokenIdentifier.setSequenceNumber(incrementDelegationTokenSeqNum);
        ozoneTokenIdentifier.setMaxDate(now + getTokenMaxLifetime());
        ozoneTokenIdentifier.setOmCertSerialId(getCertSerialId());
        ozoneTokenIdentifier.setOmServiceId(getOmServiceId());
    }

    private String getOmServiceId() {
        return this.omServiceId;
    }

    public synchronized long renewToken(Token<OzoneTokenIdentifier> token, String str) throws IOException {
        OzoneTokenIdentifier readProtoBuf = OzoneTokenIdentifier.readProtoBuf(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
        if (LOG.isDebugEnabled()) {
            LOG.debug("Token renewal for identifier: {}, total currentTokens: {}", formatTokenId(readProtoBuf), Integer.valueOf(this.currentTokens.size()));
        }
        long now = Time.now();
        if (readProtoBuf.getMaxDate() < now) {
            throw new OMException(String.valueOf(str) + " tried to renew an expired token " + formatTokenId(readProtoBuf) + " max expiration date: " + Time.formatTime(readProtoBuf.getMaxDate()) + " currentTime: " + Time.formatTime(now), OMException.ResultCodes.TOKEN_EXPIRED);
        }
        validateToken(readProtoBuf);
        if (readProtoBuf.getRenewer() == null || readProtoBuf.getRenewer().toString().isEmpty()) {
            throw new AccessControlException(String.valueOf(str) + " tried to renew a token " + formatTokenId(readProtoBuf) + " without a renewer");
        }
        if (!readProtoBuf.getRenewer().toString().equals(str)) {
            throw new AccessControlException(String.valueOf(str) + " tries to renew a token " + formatTokenId(readProtoBuf) + " with non-matching renewer " + readProtoBuf.getRenewer());
        }
        long min = Math.min(readProtoBuf.getMaxDate(), now + getTokenRenewInterval());
        if (!this.isRatisEnabled) {
            try {
                addToTokenStore(readProtoBuf, token.getPassword(), min);
            } catch (IOException e) {
                LOG.error("Unable to update token " + readProtoBuf.getSequenceNumber(), e);
            }
        }
        return min;
    }

    public void updateRenewToken(Token<OzoneTokenIdentifier> token, OzoneTokenIdentifier ozoneTokenIdentifier, long j) {
        this.currentTokens.put(ozoneTokenIdentifier, new OzoneTokenIdentifier.TokenInfo(j, token.getPassword(), ozoneTokenIdentifier.getTrackingId()));
    }

    public OzoneTokenIdentifier cancelToken(Token<OzoneTokenIdentifier> token, String str) throws IOException {
        OzoneTokenIdentifier readProtoBuf = OzoneTokenIdentifier.readProtoBuf(token.getIdentifier());
        if (LOG.isDebugEnabled()) {
            LOG.debug("Token cancellation requested for identifier: {}", formatTokenId(readProtoBuf));
        }
        if (readProtoBuf.getUser() == null) {
            throw new SecretManager.InvalidToken("Token with no owner " + formatTokenId(readProtoBuf));
        }
        String userName = readProtoBuf.getUser().getUserName();
        Text renewer = readProtoBuf.getRenewer();
        String shortName = new HadoopKerberosName(str).getShortName();
        if (!str.equals(userName) && (renewer == null || renewer.toString().isEmpty() || !shortName.equals(renewer.toString()))) {
            throw new AccessControlException(String.valueOf(str) + " is not authorized to cancel the token " + formatTokenId(readProtoBuf));
        }
        if (!this.isRatisEnabled) {
            try {
                this.store.removeToken(readProtoBuf);
            } catch (IOException e) {
                LOG.error("Unable to remove token " + readProtoBuf.getSequenceNumber(), e);
            }
            if (this.currentTokens.remove(readProtoBuf) == null) {
                throw new SecretManager.InvalidToken("Token not found " + formatTokenId(readProtoBuf));
            }
        } else if (this.currentTokens.get(readProtoBuf) == null) {
            throw new SecretManager.InvalidToken("Token not found in-memory map of tokens" + formatTokenId(readProtoBuf));
        }
        return readProtoBuf;
    }

    public void removeToken(OzoneTokenIdentifier ozoneTokenIdentifier) {
        this.currentTokens.remove(ozoneTokenIdentifier);
    }

    public byte[] retrievePassword(OzoneTokenIdentifier ozoneTokenIdentifier) throws SecretManager.InvalidToken {
        try {
            this.ozoneManager.checkLeaderStatus();
            return ozoneTokenIdentifier.getTokenType().equals(OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO) ? validateS3AuthInfo(ozoneTokenIdentifier) : validateToken(ozoneTokenIdentifier).getPassword();
        } catch (OMNotLeaderException | OMLeaderNotReadyException e) {
            SecretManager.InvalidToken invalidToken = new SecretManager.InvalidToken("IOException");
            invalidToken.initCause(e);
            throw invalidToken;
        }
    }

    private OzoneTokenIdentifier.TokenInfo validateToken(OzoneTokenIdentifier ozoneTokenIdentifier) throws SecretManager.InvalidToken {
        OzoneTokenIdentifier.TokenInfo tokenInfo = this.currentTokens.get(ozoneTokenIdentifier);
        if (tokenInfo == null) {
            throw new SecretManager.InvalidToken("token " + formatTokenId(ozoneTokenIdentifier) + " can't be found in cache");
        }
        long now = Time.now();
        if (tokenInfo.getRenewDate() < now) {
            throw new SecretManager.InvalidToken("token " + formatTokenId(ozoneTokenIdentifier) + " is expired, current time: " + Time.formatTime(now) + " expected renewal time: " + Time.formatTime(tokenInfo.getRenewDate()));
        }
        if (verifySignature(ozoneTokenIdentifier, tokenInfo.getPassword())) {
            return tokenInfo;
        }
        throw new SecretManager.InvalidToken("Tampered/Invalid token.");
    }

    public boolean verifySignature(OzoneTokenIdentifier ozoneTokenIdentifier, byte[] bArr) {
        try {
            X509Certificate certificate = getCertClient().getCertificate(ozoneTokenIdentifier.getOmCertSerialId());
            if (certificate == null) {
                return false;
            }
            try {
                certificate.checkValidity();
                try {
                    return getCertClient().verifySignature(ozoneTokenIdentifier.getBytes(), bArr, certificate);
                } catch (CertificateException e) {
                    LOG.error("verifySignature with signerCert {} failed", certificate, e);
                    return false;
                }
            } catch (CertificateExpiredException | CertificateNotYetValidException e2) {
                LOG.error("signerCert {} is invalid", certificate, e2);
                return false;
            }
        } catch (CertificateException unused) {
            return false;
        }
    }

    private byte[] validateS3AuthInfo(OzoneTokenIdentifier ozoneTokenIdentifier) throws SecretManager.InvalidToken {
        LOG.trace("Validating S3AuthInfo for identifier:{}", ozoneTokenIdentifier);
        if (ozoneTokenIdentifier.getOwner() == null) {
            throw new SecretManager.InvalidToken("Owner is missing from the S3 auth token");
        }
        if (!ozoneTokenIdentifier.getOwner().toString().equals(ozoneTokenIdentifier.getAwsAccessId())) {
            LOG.error("Owner and AWSAccessId is different in the S3 token. Possible  security attack: {}", ozoneTokenIdentifier);
            throw new SecretManager.InvalidToken("Invalid S3 identifier: owner=" + ozoneTokenIdentifier.getOwner() + ", awsAccessId=" + ozoneTokenIdentifier.getAwsAccessId());
        }
        try {
            String secretString = this.s3SecretManager.getSecretString(ozoneTokenIdentifier.getAwsAccessId());
            if (secretString == null) {
                throw new SecretManager.InvalidToken("No S3 secret found for S3 identifier:" + ozoneTokenIdentifier);
            }
            if (AWSV4AuthValidator.validateRequest(ozoneTokenIdentifier.getStrToSign(), ozoneTokenIdentifier.getSignature(), secretString)) {
                return ozoneTokenIdentifier.getSignature().getBytes(StandardCharsets.UTF_8);
            }
            throw new SecretManager.InvalidToken("Invalid S3 identifier:" + ozoneTokenIdentifier);
        } catch (IOException e) {
            LOG.error("Error while validating S3 identifier:{}", ozoneTokenIdentifier, e);
            throw new SecretManager.InvalidToken("No S3 secret found for S3 identifier:" + ozoneTokenIdentifier);
        }
    }

    private void loadTokenSecretState(OzoneSecretStore.OzoneManagerSecretState<OzoneTokenIdentifier> ozoneManagerSecretState) throws IOException {
        LOG.info("Loading token state into token manager.");
        for (Map.Entry<OzoneTokenIdentifier, Long> entry : ozoneManagerSecretState.getTokenState().entrySet()) {
            addPersistedDelegationToken(entry.getKey(), entry.getValue().longValue());
        }
    }

    private void addPersistedDelegationToken(OzoneTokenIdentifier ozoneTokenIdentifier, long j) throws IOException {
        if (isRunning()) {
            throw new IOException("Can't add persisted delegation token to a running SecretManager.");
        }
        byte[] createPassword = createPassword(ozoneTokenIdentifier.getBytes(), getCertClient().getPrivateKey());
        if (ozoneTokenIdentifier.getSequenceNumber() > getDelegationTokenSeqNum()) {
            setDelegationTokenSeqNum(ozoneTokenIdentifier.getSequenceNumber());
        }
        if (this.currentTokens.get(ozoneTokenIdentifier) != null) {
            throw new IOException("Same delegation token being added twice: " + formatTokenId(ozoneTokenIdentifier));
        }
        this.currentTokens.put(ozoneTokenIdentifier, new OzoneTokenIdentifier.TokenInfo(j, createPassword, ozoneTokenIdentifier.getTrackingId()));
    }

    public synchronized void start(CertificateClient certificateClient) throws IOException {
        super.start(certificateClient);
        this.tokenRemoverThread = new Daemon(new ExpiredTokenRemover(this, null));
        this.tokenRemoverThread.setName(String.valueOf(this.ozoneManager.getThreadNamePrefix()) + "ExpiredTokenRemover");
        this.tokenRemoverThread.start();
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v10 */
    /* JADX WARN: Type inference failed for: r0v6, types: [java.lang.Object] */
    /* JADX WARN: Type inference failed for: r0v7, types: [java.lang.Throwable] */
    private synchronized void stopThreads() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Stopping expired delegation token remover thread");
        }
        setIsRunning(false);
        if (this.tokenRemoverThread != null) {
            ?? r0 = this.noInterruptsLock;
            synchronized (r0) {
                this.tokenRemoverThread.interrupt();
                r0 = r0;
                try {
                    this.tokenRemoverThread.join();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    throw new RuntimeException("Unable to join on token removal thread", e);
                }
            }
        }
    }

    public void stop() throws IOException {
        super.stop();
        stopThreads();
        if (this.store != null) {
            this.store.close();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v10 */
    /* JADX WARN: Type inference failed for: r0v2, types: [java.lang.Object] */
    /* JADX WARN: Type inference failed for: r0v20, types: [java.util.Iterator] */
    /* JADX WARN: Type inference failed for: r0v25, types: [org.apache.hadoop.ozone.security.OzoneSecretStore] */
    /* JADX WARN: Type inference failed for: r0v3, types: [java.lang.Throwable] */
    public void removeExpiredToken() {
        long now = Time.now();
        ?? r0 = this.noInterruptsLock;
        synchronized (r0) {
            Iterator<Map.Entry<OzoneTokenIdentifier, OzoneTokenIdentifier.TokenInfo>> it = this.currentTokens.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry<OzoneTokenIdentifier, OzoneTokenIdentifier.TokenInfo> next = it.next();
                if (next.getValue().getRenewDate() < now) {
                    r0 = it;
                    r0.remove();
                    try {
                        r0 = this.store;
                        r0.removeToken(next.getKey());
                    } catch (IOException unused) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Failed to remove expired token {}", next.getValue());
                        }
                    }
                }
            }
            r0 = r0;
        }
    }

    public long getTokenRemoverScanInterval() {
        return this.tokenRemoverScanInterval;
    }

    /* renamed from: cancelToken, reason: collision with other method in class */
    public /* bridge */ /* synthetic */ TokenIdentifier m218cancelToken(Token token, String str) throws IOException {
        return cancelToken((Token<OzoneTokenIdentifier>) token, str);
    }
}
