package org.apache.hadoop.crypto.key;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.fs.Path;
import org.apache.log4j.Logger;
import org.apache.ranger.credentialapi.CredentialReader;
import org.apache.ranger.kms.dao.DaoManager;
import org.apache.ranger.plugin.util.JsonUtilsV2;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/crypto/key/RangerKeyStoreProvider.class */
public class RangerKeyStoreProvider extends KeyProvider {
    static final Logger logger = Logger.getLogger(RangerKeyStoreProvider.class);
    public static final String SCHEME_NAME = "dbks";
    public static final String KMS_CONFIG_DIR = "kms.config.dir";
    public static final String DBKS_SITE_XML = "dbks-site.xml";
    public static final String ENCRYPTION_KEY = "ranger.db.encrypt.key.password";
    private static final String KEY_METADATA = "KeyMetadata";
    private static final String CREDENTIAL_PATH = "ranger.ks.jpa.jdbc.credential.provider.path";
    private static final String MK_CREDENTIAL_ALIAS = "ranger.ks.masterkey.credential.alias";
    private static final String DB_CREDENTIAL_ALIAS = "ranger.ks.jpa.jdbc.credential.alias";
    private static final String DB_PASSWORD = "ranger.ks.jpa.jdbc.password";
    private static final String HSM_ENABLED = "ranger.ks.hsm.enabled";
    private static final String HSM_PARTITION_PASSWORD_ALIAS = "ranger.ks.hsm.partition.password.alias";
    private static final String HSM_PARTITION_PASSWORD = "ranger.ks.hsm.partition.password";
    private static final String KEYSECURE_ENABLED = "ranger.kms.keysecure.enabled";
    private static final String KEYSECURE_USERNAME = "ranger.kms.keysecure.login.username";
    private static final String KEYSECURE_PASSWORD_ALIAS = "ranger.kms.keysecure.login.password.alias";
    private static final String KEYSECURE_PASSWORD = "ranger.kms.keysecure.login.password";
    private static final String KEYSECURE_LOGIN = "ranger.kms.keysecure.login";
    private final RangerKeyStore dbStore;
    private char[] masterKey;
    private boolean changed;
    private final Map<String, KeyProvider.Metadata> cache;
    private DaoManager daoManager;
    private Lock readLock;

    /* loaded from: input_file:org/apache/hadoop/crypto/key/RangerKeyStoreProvider$Factory.class */
    public static class Factory extends KeyProviderFactory {
        public KeyProvider createProvider(URI uri, Configuration configuration) throws IOException {
            try {
                if (RangerKeyStoreProvider.SCHEME_NAME.equals(uri.getScheme())) {
                    return new RangerKeyStoreProvider(configuration);
                }
                return null;
            } catch (Throwable th) {
                RangerKeyStoreProvider.logger.error("==> RangerKeyStoreProvider.reloadKeys() error : ", th);
                return null;
            }
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/RangerKeyStoreProvider$KeyMetadata.class */
    public static class KeyMetadata implements Key, Serializable {
        private KeyProvider.Metadata metadata;
        private static final long serialVersionUID = 8405872419967874451L;

        private KeyMetadata(KeyProvider.Metadata metadata) {
            this.metadata = metadata;
        }

        @Override // java.security.Key
        public String getAlgorithm() {
            return this.metadata.getCipher();
        }

        @Override // java.security.Key
        public String getFormat() {
            return RangerKeyStoreProvider.KEY_METADATA;
        }

        @Override // java.security.Key
        public byte[] getEncoded() {
            return new byte[0];
        }

        private void writeObject(ObjectOutputStream objectOutputStream) throws IOException {
            byte[] serialize = this.metadata.serialize();
            objectOutputStream.writeInt(serialize.length);
            objectOutputStream.write(serialize);
        }

        private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
            byte[] bArr = new byte[objectInputStream.readInt()];
            objectInputStream.readFully(bArr);
            this.metadata = new KeyProvider.Metadata(bArr);
        }
    }

    public RangerKeyStoreProvider(Configuration configuration) throws Throwable {
        super(configuration);
        RangerKMSMKI rangerMasterKey;
        this.changed = false;
        this.cache = new HashMap();
        if (logger.isDebugEnabled()) {
            logger.debug("==> RangerKeyStoreProvider.Configuration(conf)");
        }
        Configuration dBKSConf = getDBKSConf();
        getFromJceks(dBKSConf, CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS, "ranger.db.encrypt.key.password");
        getFromJceks(dBKSConf, CREDENTIAL_PATH, DB_CREDENTIAL_ALIAS, DB_PASSWORD);
        getFromJceks(dBKSConf, CREDENTIAL_PATH, HSM_PARTITION_PASSWORD_ALIAS, HSM_PARTITION_PASSWORD);
        this.daoManager = new RangerKMSDB(dBKSConf).getDaoManager();
        String str = dBKSConf.get("ranger.db.encrypt.key.password");
        if (str == null || str.trim().equals("") || str.trim().equals("_") || str.trim().equals("crypted")) {
            throw new IOException("The Ranger MasterKey Password is empty or not a valid Password");
        }
        if (StringUtils.isEmpty(dBKSConf.get(HSM_ENABLED)) || dBKSConf.get(HSM_ENABLED).equalsIgnoreCase("false")) {
            logger.info("Ranger KMS Database is enabled for storing master key.");
            rangerMasterKey = new RangerMasterKey(this.daoManager);
        } else {
            logger.info("Ranger KMS HSM is enabled for storing master key.");
            rangerMasterKey = new RangerHSM(dBKSConf);
            String str2 = dBKSConf.get(HSM_PARTITION_PASSWORD);
            if (str2 == null || str2.trim().equals("") || str2.trim().equals("_") || str2.trim().equals("crypted")) {
                throw new IOException("Partition Password doesn't exists");
            }
        }
        if (dBKSConf != null && StringUtils.isNotEmpty(dBKSConf.get(KEYSECURE_ENABLED)) && dBKSConf.get(KEYSECURE_ENABLED).equalsIgnoreCase("true")) {
            getFromJceks(dBKSConf, CREDENTIAL_PATH, KEYSECURE_PASSWORD_ALIAS, KEYSECURE_PASSWORD);
            dBKSConf.set(KEYSECURE_LOGIN, dBKSConf.get(KEYSECURE_USERNAME).trim() + ":" + dBKSConf.get(KEYSECURE_PASSWORD));
            RangerSafenetKeySecure rangerSafenetKeySecure = new RangerSafenetKeySecure(dBKSConf);
            this.dbStore = new RangerKeyStore(this.daoManager);
            rangerSafenetKeySecure.generateMasterKey(str);
            try {
                this.masterKey = rangerSafenetKeySecure.getMasterKey(str).toCharArray();
            } catch (Exception e) {
                throw new Exception("Error while getting Safenet KeySecure master key " + e);
            }
        } else {
            this.dbStore = new RangerKeyStore(this.daoManager);
            rangerMasterKey.generateMasterKey(str);
            try {
                this.masterKey = rangerMasterKey.getMasterKey(str).toCharArray();
            } catch (Exception e2) {
                throw new Exception("Error while getting Ranger Master key " + e2);
            }
        }
        reloadKeys();
        this.readLock = new ReentrantReadWriteLock(true).readLock();
    }

    public static Configuration getDBKSConf() {
        Configuration configuration = getConfiguration(true, "dbks-site.xml");
        getFromJceks(configuration, CREDENTIAL_PATH, MK_CREDENTIAL_ALIAS, "ranger.db.encrypt.key.password");
        getFromJceks(configuration, CREDENTIAL_PATH, DB_CREDENTIAL_ALIAS, DB_PASSWORD);
        return configuration;
    }

    static Configuration getConfiguration(boolean z, String... strArr) {
        Configuration configuration = new Configuration(z);
        String property = System.getProperty("kms.config.dir");
        if (property != null) {
            try {
                if (!new Path(property).isUriPathAbsolute()) {
                    throw new RuntimeException("System property 'kms.config.dir' must be an absolute path: " + property);
                }
                for (String str : strArr) {
                    configuration.addResource(new URL("file://" + new Path(property, str).toUri()));
                }
            } catch (MalformedURLException e) {
                logger.error("==> RangerKeyStoreProvider.getConfiguration() error : ", e);
                throw new RuntimeException(e);
            }
        } else {
            for (String str2 : strArr) {
                configuration.addResource(str2);
            }
        }
        return configuration;
    }

    private void loadKeys(char[] cArr) throws NoSuchAlgorithmException, CertificateException, IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("==> RangerKeyStoreProvider.loadKeys()");
        }
        this.dbStore.engineLoad(null, cArr);
    }

    public KeyProvider.KeyVersion createKey(String str, byte[] bArr, KeyProvider.Options options) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("==> RangerKeyStoreProvider.createKey()");
        }
        reloadKeys();
        if (this.dbStore.engineContainsAlias(str) || this.cache.containsKey(str)) {
            throw new IOException("Key " + str + " already exists");
        }
        KeyProvider.Metadata metadata = new KeyProvider.Metadata(options.getCipher(), options.getBitLength(), options.getDescription(), options.getAttributes(), new Date(), 1);
        if (options.getBitLength() != 8 * bArr.length) {
            throw new IOException("Wrong key length. Required " + options.getBitLength() + ", but got " + (8 * bArr.length));
        }
        this.cache.put(str, metadata);
        String buildVersionName = buildVersionName(str, 0);
        if (logger.isDebugEnabled()) {
            logger.debug("<== RangerKeyStoreProvider.createKey()");
        }
        return innerSetKeyVersion(str, buildVersionName, bArr, metadata.getCipher(), metadata.getBitLength(), metadata.getDescription(), metadata.getVersions(), metadata.getAttributes());
    }

    KeyProvider.KeyVersion innerSetKeyVersion(String str, String str2, byte[] bArr, String str3, int i, String str4, int i2, Map<String, String> map) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("==> RangerKeyStoreProvider.innerSetKeyVersion()");
            logger.debug("name : " + str + " and versionName : " + str2);
        }
        try {
            this.dbStore.addKeyEntry(str2, new SecretKeySpec(bArr, str3), this.masterKey, str3, i, str4, i2, JsonUtilsV2.mapToJson(map));
            this.changed = true;
            if (logger.isDebugEnabled()) {
                logger.debug("<== RangerKeyStoreProvider.innerSetKeyVersion()");
            }
            return new KeyProvider.KeyVersion(str, str2, bArr);
        } catch (Exception e) {
            throw new IOException("Can't store key " + str2, e);
        }
    }

    public void deleteKey(String str) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("==> RangerKeyStoreProvider.deleteKey(" + str + ")");
        }
        reloadKeys();
        KeyProvider.Metadata metadata = getMetadata(str);
        if (metadata == null) {
            throw new IOException("Key " + str + " does not exist");
        }
        for (int i = 0; i < metadata.getVersions(); i++) {
            String buildVersionName = buildVersionName(str, i);
            try {
                if (this.dbStore.engineContainsAlias(buildVersionName)) {
                    this.dbStore.engineDeleteEntry(buildVersionName);
                }
            } catch (KeyStoreException e) {
                throw new IOException("Problem removing " + buildVersionName, e);
            }
        }
        try {
            if (this.dbStore.engineContainsAlias(str)) {
                this.dbStore.engineDeleteEntry(str);
            }
            this.cache.remove(str);
            this.changed = true;
        } catch (KeyStoreException e2) {
            throw new IOException("Problem removing " + str + " from " + this, e2);
        }
    }

    public void flush() throws IOException {
        try {
            if (this.changed) {
                for (Map.Entry<String, KeyProvider.Metadata> entry : this.cache.entrySet()) {
                    try {
                        KeyProvider.Metadata value = entry.getValue();
                        this.dbStore.addKeyEntry(entry.getKey(), new KeyMetadata(value), this.masterKey, value.getAlgorithm(), value.getBitLength(), value.getDescription(), value.getVersions(), JsonUtilsV2.mapToJson(value.getAttributes()));
                    } catch (Exception e) {
                        throw new IOException("Can't set metadata key " + entry.getKey(), e);
                    }
                }
                try {
                    this.dbStore.engineStore(null, this.masterKey);
                    reloadKeys();
                    this.changed = false;
                } catch (NoSuchAlgorithmException e2) {
                    throw new IOException("No such algorithm storing key", e2);
                } catch (CertificateException e3) {
                    throw new IOException("Certificate exception storing key", e3);
                }
            }
        } catch (IOException e4) {
            this.cache.clear();
            reloadKeys();
            throw e4;
        }
    }

    public KeyProvider.KeyVersion getKeyVersion(String str) throws IOException {
        this.readLock.lock();
        SecretKeySpec secretKeySpec = null;
        try {
            try {
                try {
                    try {
                        if (!this.dbStore.engineContainsAlias(str)) {
                            this.dbStore.engineLoad(null, this.masterKey);
                            if (!this.dbStore.engineContainsAlias(str)) {
                                return null;
                            }
                        }
                        secretKeySpec = (SecretKeySpec) this.dbStore.engineGetKey(str, this.masterKey);
                        if (secretKeySpec == null) {
                            this.readLock.unlock();
                            return null;
                        }
                        KeyProvider.KeyVersion keyVersion = new KeyProvider.KeyVersion(getBaseName(str), str, secretKeySpec.getEncoded());
                        this.readLock.unlock();
                        return keyVersion;
                    } catch (CertificateException e) {
                        throw new IOException("Certificate exception storing key", e);
                    }
                } catch (UnrecoverableKeyException e2) {
                    throw new IOException("Can't recover key " + secretKeySpec, e2);
                }
            } catch (NoSuchAlgorithmException e3) {
                throw new IOException("Can't get algorithm for key " + secretKeySpec, e3);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    public List<KeyProvider.KeyVersion> getKeyVersions(String str) throws IOException {
        ArrayList arrayList = new ArrayList();
        KeyProvider.Metadata metadata = getMetadata(str);
        if (metadata != null) {
            int versions = metadata.getVersions();
            for (int i = 0; i < versions; i++) {
                KeyProvider.KeyVersion keyVersion = getKeyVersion(buildVersionName(str, i));
                if (keyVersion != null) {
                    arrayList.add(keyVersion);
                }
            }
        }
        return arrayList;
    }

    public List<String> getKeys() throws IOException {
        ArrayList arrayList = new ArrayList();
        reloadKeys();
        Enumeration<String> engineAliases = this.dbStore.engineAliases();
        while (engineAliases.hasMoreElements()) {
            String nextElement = engineAliases.nextElement();
            if (!nextElement.contains("@")) {
                arrayList.add(nextElement);
            }
        }
        return arrayList;
    }

    public KeyProvider.Metadata getMetadata(String str) throws IOException {
        try {
            try {
                this.readLock.lock();
                if (this.cache.containsKey(str)) {
                    KeyProvider.Metadata metadata = this.cache.get(str);
                    this.readLock.unlock();
                    return metadata;
                }
                try {
                    if (!this.dbStore.engineContainsAlias(str)) {
                        this.dbStore.engineLoad(null, this.masterKey);
                        if (!this.dbStore.engineContainsAlias(str)) {
                            return null;
                        }
                    }
                    Key engineGetKey = this.dbStore.engineGetKey(str, this.masterKey);
                    if (engineGetKey == null) {
                        this.readLock.unlock();
                        return null;
                    }
                    KeyProvider.Metadata metadata2 = ((KeyMetadata) engineGetKey).metadata;
                    this.cache.put(str, metadata2);
                    this.readLock.unlock();
                    return metadata2;
                } catch (NoSuchAlgorithmException e) {
                    throw new IOException("Can't get algorithm for " + str, e);
                } catch (UnrecoverableKeyException e2) {
                    throw new IOException("Can't recover key for " + str, e2);
                }
            } catch (Exception e3) {
                throw new IOException("Please try again ", e3);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    public KeyProvider.KeyVersion rollNewVersion(String str, byte[] bArr) throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("==> RangerKeyStoreProvider.rollNewVersion()");
        }
        reloadKeys();
        KeyProvider.Metadata metadata = getMetadata(str);
        if (metadata == null) {
            throw new IOException("Key " + str + " not found");
        }
        if (metadata.getBitLength() != 8 * bArr.length) {
            throw new IOException("Wrong key length. Required " + metadata.getBitLength() + ", but got " + (8 * bArr.length));
        }
        return innerSetKeyVersion(str, buildVersionName(str, metadata.addVersion()), bArr, metadata.getCipher(), metadata.getBitLength(), metadata.getDescription(), metadata.getVersions(), metadata.getAttributes());
    }

    private static void getFromJceks(Configuration configuration, String str, String str2, String str3) {
        if (logger.isDebugEnabled()) {
            logger.debug("==> RangerKeyStoreProvider.getFromJceks()");
        }
        if (configuration != null) {
            String str4 = configuration.get(str);
            String str5 = configuration.get(str2);
            if (str4 == null || str5 == null) {
                return;
            }
            String decryptedString = CredentialReader.getDecryptedString(str4.trim(), str5.trim());
            if (decryptedString == null || decryptedString.trim().isEmpty() || decryptedString.trim().equalsIgnoreCase("none")) {
                logger.info("Credential keystore password not applied for KMS; clear text password shall be applicable");
            } else {
                configuration.set(str3, decryptedString);
            }
        }
    }

    private void reloadKeys() throws IOException {
        if (logger.isDebugEnabled()) {
            logger.debug("==> RangerKeyStoreProvider.reloadKeys()");
        }
        try {
            this.cache.clear();
            loadKeys(this.masterKey);
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("Can't load Keys");
        } catch (CertificateException e2) {
            throw new IOException("Can't load Keys");
        }
    }
}
