package org.apache.hadoop.ozone.security;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ozone.om.S3SecretManager;
import org.apache.hadoop.ozone.om.S3SecretManagerImpl;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.apache.hadoop.ozone.security.OzoneSecretStore;
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.util.Daemon;
import org.apache.hadoop.util.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager.class */
public class OzoneDelegationTokenSecretManager extends OzoneSecretManager<OzoneTokenIdentifier> {
    private static final Logger LOG = LoggerFactory.getLogger(OzoneDelegationTokenSecretManager.class);
    private final Map<OzoneTokenIdentifier, OzoneTokenIdentifier.TokenInfo> currentTokens;
    private final OzoneSecretStore store;
    private final S3SecretManagerImpl s3SecretManager;
    private Thread tokenRemoverThread;
    private final long tokenRemoverScanInterval;
    private String omCertificateSerialId;
    private Object noInterruptsLock;

    /* loaded from: input_file:org/apache/hadoop/ozone/security/OzoneDelegationTokenSecretManager$ExpiredTokenRemover.class */
    private class ExpiredTokenRemover extends Thread {
        private long lastTokenCacheCleanup;

        private ExpiredTokenRemover() {
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            OzoneDelegationTokenSecretManager.LOG.info("Starting expired delegation token remover thread, tokenRemoverScanInterval=" + (OzoneDelegationTokenSecretManager.this.getTokenRemoverScanInterval() / 60000) + " min(s)");
            while (OzoneDelegationTokenSecretManager.this.isRunning()) {
                try {
                    long now = Time.now();
                    if (this.lastTokenCacheCleanup + OzoneDelegationTokenSecretManager.this.getTokenRemoverScanInterval() < now) {
                        OzoneDelegationTokenSecretManager.this.removeExpiredToken();
                        this.lastTokenCacheCleanup = now;
                    }
                    try {
                        Thread.sleep(Math.min(5000L, OzoneDelegationTokenSecretManager.this.getTokenRemoverScanInterval()));
                    } catch (InterruptedException e) {
                        OzoneDelegationTokenSecretManager.LOG.error("ExpiredTokenRemover received " + e);
                    }
                } catch (Throwable th) {
                    OzoneDelegationTokenSecretManager.LOG.error("ExpiredTokenRemover thread received unexpected exception", th);
                    Runtime.getRuntime().exit(-1);
                    return;
                }
            }
        }
    }

    public OzoneDelegationTokenSecretManager(OzoneConfiguration ozoneConfiguration, long j, long j2, long j3, Text text, S3SecretManager s3SecretManager) throws IOException {
        super(new SecurityConfig(ozoneConfiguration), j, j2, text, LOG);
        this.noInterruptsLock = new Object();
        this.currentTokens = new ConcurrentHashMap();
        this.tokenRemoverScanInterval = j3;
        this.s3SecretManager = (S3SecretManagerImpl) s3SecretManager;
        this.store = new OzoneSecretStore(ozoneConfiguration, this.s3SecretManager.getOmMetadataManager());
        loadTokenSecretState(this.store.loadState());
    }

    /* renamed from: createIdentifier, reason: merged with bridge method [inline-methods] */
    public OzoneTokenIdentifier m2687createIdentifier() {
        return OzoneTokenIdentifier.newInstance();
    }

    public OzoneTokenIdentifier createIdentifier(Text text, Text text2, Text text3) {
        return OzoneTokenIdentifier.newInstance(text, text2, text3);
    }

    public Token<OzoneTokenIdentifier> createToken(Text text, Text text2, Text text3) throws IOException {
        OzoneTokenIdentifier createIdentifier = createIdentifier(text, text2, text3);
        updateIdentifierDetails(createIdentifier);
        byte[] createPassword = createPassword(createIdentifier.getBytes(), getCurrentKey().getPrivateKey());
        addToTokenStore(createIdentifier, createPassword, createIdentifier.getIssueDate() + getTokenRenewInterval());
        Token<OzoneTokenIdentifier> token = new Token<>(createIdentifier.getBytes(), createPassword, createIdentifier.getKind(), getService());
        if (LOG.isDebugEnabled()) {
            LOG.debug("Created delegation token: {}", token);
        }
        return token;
    }

    private void addToTokenStore(OzoneTokenIdentifier ozoneTokenIdentifier, byte[] bArr, long j) throws IOException {
        OzoneTokenIdentifier.TokenInfo tokenInfo = new OzoneTokenIdentifier.TokenInfo(j, bArr, ozoneTokenIdentifier.getTrackingId());
        this.currentTokens.put(ozoneTokenIdentifier, tokenInfo);
        this.store.storeToken(ozoneTokenIdentifier, tokenInfo.getRenewDate());
    }

    private void updateIdentifierDetails(OzoneTokenIdentifier ozoneTokenIdentifier) {
        long now = Time.now();
        int incrementDelegationTokenSeqNum = incrementDelegationTokenSeqNum();
        ozoneTokenIdentifier.setIssueDate(now);
        ozoneTokenIdentifier.setMasterKeyId(getCurrentKey().getKeyId());
        ozoneTokenIdentifier.setSequenceNumber(incrementDelegationTokenSeqNum);
        ozoneTokenIdentifier.setMaxDate(now + getTokenMaxLifetime());
        ozoneTokenIdentifier.setOmCertSerialId(getOmCertificateSerialId());
    }

    private String getOmCertificateSerialId() {
        if (this.omCertificateSerialId == null) {
            this.omCertificateSerialId = getCertClient().getCertificate().getSerialNumber().toString();
        }
        return this.omCertificateSerialId;
    }

    @Override // org.apache.hadoop.ozone.security.OzoneSecretManager
    public synchronized long renewToken(Token<OzoneTokenIdentifier> token, String str) throws IOException {
        OzoneTokenIdentifier readProtoBuf = OzoneTokenIdentifier.readProtoBuf(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
        if (LOG.isDebugEnabled()) {
            LOG.debug("Token renewal for identifier: {}, total currentTokens: {}", formatTokenId(readProtoBuf), Integer.valueOf(this.currentTokens.size()));
        }
        long now = Time.now();
        if (readProtoBuf.getMaxDate() < now) {
            throw new OMException(str + " tried to renew an expired token " + formatTokenId(readProtoBuf) + " max expiration date: " + Time.formatTime(readProtoBuf.getMaxDate()) + " currentTime: " + Time.formatTime(now), OMException.ResultCodes.TOKEN_EXPIRED);
        }
        validateToken(readProtoBuf);
        if (readProtoBuf.getRenewer() == null || readProtoBuf.getRenewer().toString().isEmpty()) {
            throw new AccessControlException(str + " tried to renew a token " + formatTokenId(readProtoBuf) + " without a renewer");
        }
        if (!readProtoBuf.getRenewer().toString().equals(str)) {
            throw new AccessControlException(str + " tries to renew a token " + formatTokenId(readProtoBuf) + " with non-matching renewer " + readProtoBuf.getRenewer());
        }
        long min = Math.min(readProtoBuf.getMaxDate(), now + getTokenRenewInterval());
        try {
            addToTokenStore(readProtoBuf, token.getPassword(), min);
        } catch (IOException e) {
            LOG.error("Unable to update token " + readProtoBuf.getSequenceNumber(), e);
        }
        return min;
    }

    @Override // org.apache.hadoop.ozone.security.OzoneSecretManager
    public OzoneTokenIdentifier cancelToken(Token<OzoneTokenIdentifier> token, String str) throws IOException {
        OzoneTokenIdentifier readProtoBuf = OzoneTokenIdentifier.readProtoBuf(token.getIdentifier());
        LOG.debug("Token cancellation requested for identifier: {}", formatTokenId(readProtoBuf));
        if (readProtoBuf.getUser() == null) {
            throw new SecretManager.InvalidToken("Token with no owner " + formatTokenId(readProtoBuf));
        }
        String userName = readProtoBuf.getUser().getUserName();
        Text renewer = readProtoBuf.getRenewer();
        String shortName = new HadoopKerberosName(str).getShortName();
        if (!str.equals(userName) && (renewer == null || renewer.toString().isEmpty() || !shortName.equals(renewer.toString()))) {
            throw new AccessControlException(str + " is not authorized to cancel the token " + formatTokenId(readProtoBuf));
        }
        try {
            this.store.removeToken(readProtoBuf);
        } catch (IOException e) {
            LOG.error("Unable to remove token " + readProtoBuf.getSequenceNumber(), e);
        }
        if (this.currentTokens.remove(readProtoBuf) == null) {
            throw new SecretManager.InvalidToken("Token not found " + formatTokenId(readProtoBuf));
        }
        return readProtoBuf;
    }

    public byte[] retrievePassword(OzoneTokenIdentifier ozoneTokenIdentifier) throws SecretManager.InvalidToken {
        return ozoneTokenIdentifier.getTokenType().equals(OzoneManagerProtocolProtos.OMTokenProto.Type.S3TOKEN) ? validateS3Token(ozoneTokenIdentifier) : validateToken(ozoneTokenIdentifier).getPassword();
    }

    private OzoneTokenIdentifier.TokenInfo validateToken(OzoneTokenIdentifier ozoneTokenIdentifier) throws SecretManager.InvalidToken {
        OzoneTokenIdentifier.TokenInfo tokenInfo = this.currentTokens.get(ozoneTokenIdentifier);
        if (tokenInfo == null) {
            throw new SecretManager.InvalidToken("token " + formatTokenId(ozoneTokenIdentifier) + " can't be found in cache");
        }
        long now = Time.now();
        if (tokenInfo.getRenewDate() < now) {
            throw new SecretManager.InvalidToken("token " + formatTokenId(ozoneTokenIdentifier) + " is expired, current time: " + Time.formatTime(now) + " expected renewal time: " + Time.formatTime(tokenInfo.getRenewDate()));
        }
        if (verifySignature(ozoneTokenIdentifier, tokenInfo.getPassword())) {
            return tokenInfo;
        }
        throw new SecretManager.InvalidToken("Tampered/Invalid token.");
    }

    public boolean verifySignature(OzoneTokenIdentifier ozoneTokenIdentifier, byte[] bArr) {
        try {
            return getCertClient().verifySignature(ozoneTokenIdentifier.getBytes(), bArr, getCertClient().getCertificate(ozoneTokenIdentifier.getOmCertSerialId()));
        } catch (CertificateException e) {
            return false;
        }
    }

    private byte[] validateS3Token(OzoneTokenIdentifier ozoneTokenIdentifier) throws SecretManager.InvalidToken {
        LOG.trace("Validating S3Token for identifier:{}", ozoneTokenIdentifier);
        try {
            String s3UserSecretString = this.s3SecretManager.getS3UserSecretString(ozoneTokenIdentifier.getAwsAccessId());
            if (s3UserSecretString == null) {
                throw new SecretManager.InvalidToken("No S3 secret found for S3 identifier:" + ozoneTokenIdentifier);
            }
            if (AWSV4AuthValidator.validateRequest(ozoneTokenIdentifier.getStrToSign(), ozoneTokenIdentifier.getSignature(), s3UserSecretString)) {
                return ozoneTokenIdentifier.getSignature().getBytes(StandardCharsets.UTF_8);
            }
            throw new SecretManager.InvalidToken("Invalid S3 identifier:" + ozoneTokenIdentifier);
        } catch (IOException e) {
            LOG.error("Error while validating S3 identifier:{}", ozoneTokenIdentifier, e);
            throw new SecretManager.InvalidToken("No S3 secret found for S3 identifier:" + ozoneTokenIdentifier);
        }
    }

    private void loadTokenSecretState(OzoneSecretStore.OzoneManagerSecretState<OzoneTokenIdentifier> ozoneManagerSecretState) throws IOException {
        LOG.info("Loading token state into token manager.");
        for (Map.Entry<OzoneTokenIdentifier, Long> entry : ozoneManagerSecretState.getTokenState().entrySet()) {
            addPersistedDelegationToken(entry.getKey(), entry.getValue().longValue());
        }
    }

    private void addPersistedDelegationToken(OzoneTokenIdentifier ozoneTokenIdentifier, long j) throws IOException {
        if (isRunning()) {
            throw new IOException("Can't add persisted delegation token to a running SecretManager.");
        }
        byte[] createPassword = createPassword(ozoneTokenIdentifier.getBytes(), getCertClient().getPrivateKey());
        if (ozoneTokenIdentifier.getSequenceNumber() > getDelegationTokenSeqNum()) {
            setDelegationTokenSeqNum(ozoneTokenIdentifier.getSequenceNumber());
        }
        if (this.currentTokens.get(ozoneTokenIdentifier) != null) {
            throw new IOException("Same delegation token being added twice: " + formatTokenId(ozoneTokenIdentifier));
        }
        this.currentTokens.put(ozoneTokenIdentifier, new OzoneTokenIdentifier.TokenInfo(j, createPassword, ozoneTokenIdentifier.getTrackingId()));
    }

    @Override // org.apache.hadoop.ozone.security.OzoneSecretManager
    public synchronized void start(CertificateClient certificateClient) throws IOException {
        super.start(certificateClient);
        this.tokenRemoverThread = new Daemon(new ExpiredTokenRemover());
        this.tokenRemoverThread.start();
    }

    public void stopThreads() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Stopping expired delegation token remover thread");
        }
        setIsRunning(false);
        if (this.tokenRemoverThread != null) {
            synchronized (this.noInterruptsLock) {
                this.tokenRemoverThread.interrupt();
            }
            try {
                this.tokenRemoverThread.join();
            } catch (InterruptedException e) {
                throw new RuntimeException("Unable to join on token removal thread", e);
            }
        }
    }

    @Override // org.apache.hadoop.ozone.security.OzoneSecretManager
    public void stop() throws IOException {
        super.stop();
        stopThreads();
        if (this.store != null) {
            this.store.close();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void removeExpiredToken() {
        long now = Time.now();
        synchronized (this) {
            Iterator<Map.Entry<OzoneTokenIdentifier, OzoneTokenIdentifier.TokenInfo>> it = this.currentTokens.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry<OzoneTokenIdentifier, OzoneTokenIdentifier.TokenInfo> next = it.next();
                if (next.getValue().getRenewDate() < now) {
                    it.remove();
                    try {
                        this.store.removeToken(next.getKey());
                    } catch (IOException e) {
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Failed to remove expired token {}", next.getValue());
                        }
                    }
                }
            }
        }
    }

    public long getTokenRemoverScanInterval() {
        return this.tokenRemoverScanInterval;
    }
}
