package org.apache.hadoop.yarn.server.resourcemanager.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import io.hops.hadoop.shaded.org.apache.commons.math3.util.Pair;
import io.hops.hadoop.shaded.org.apache.zookeeper.server.quorum.QuorumPeer;
import io.hops.hadoop.shaded.org.bouncycastle.jce.provider.BouncyCastleProvider;
import io.hops.security.AbstractSecurityActions;
import io.hops.security.HopsSecurityActionsFactory;
import java.security.Security;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.util.BackOff;
import org.apache.hadoop.util.ExponentialBackOff;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.event.EventHandler;
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEvent;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEventType;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppSecurityMaterialGeneratedEvent;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.AllocationFileLoaderService;
import org.apache.hadoop.yarn.server.resourcemanager.security.JWTSecurityHandler;
import org.apache.hadoop.yarn.server.resourcemanager.security.X509SecurityHandler;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/RMAppSecurityManager.class */
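/**
 * ResourceManager service that owns per-application security material (X.509 certificates and JWTs).
 *
 * <p>It routes {@link RMAppSecurityManagerEvent}s to the registered {@link RMAppSecurityHandler}s
 * (kept in a map keyed by handler class), reports the outcome to the application state machine
 * through the dispatcher's event handler ({@link RMAppEventType#SECURITY_MATERIAL_GENERATED} on
 * success, {@link RMAppEventType#KILL} on failure) and owns the scheduled executor that handlers
 * obtain via {@link #getRenewalExecutorService()} for material renewal.
 *
 * <p>This listing was recovered from bytecode. Members the decompiler widened from {@code protected}
 * to {@code public} ({@link #parseInterval}, {@link #getRenewalExecutorService},
 * {@link #createBackOffPolicy} and the {@link SecurityManagerMaterial} constructor) stay public so
 * existing callers keep compiling.
 *
 * <p>The handler map is a plain {@link HashMap}; registration is expected to happen before
 * {@link #serviceInit(Configuration)} and event handling on the dispatcher thread
 * (NOTE(review): assumption inferred from the service lifecycle — confirm against callers).
 */
public class RMAppSecurityManager extends AbstractService implements EventHandler<RMAppSecurityManagerEvent> {
    private static final Log LOG = LogFactory.getLog(RMAppSecurityManager.class);

    /** Actor class used when {@code HOPS_RM_SECURITY_ACTOR_KEY} is not configured. */
    private static final String DEFAULT_SECURITY_ACTOR_CLASS =
            "org.apache.hadoop.yarn.server.resourcemanager.security.HopsworksRMAppSecurityActions";
    /** Configuration key that turns on TLS for RPC (read into {@link #isRPCTLSEnabled}). */
    private static final String RPC_TLS_ENABLED_KEY = "ipc.server.ssl.enabled";
    private static final String RENEWER_THREAD_NAME_FORMAT = "RMApp Security Material Renewer #%d";
    private static final int RENEWAL_EXECUTOR_SERVICE_POOL_SIZE = 10;
    /** How long {@link #serviceStop()} waits for renewal tasks before forcing shutdown. */
    private static final long RENEWAL_SHUTDOWN_TIMEOUT_SECONDS = 2L;

    private static final long BACKOFF_INITIAL_INTERVAL_MS = 200L;
    // NOTE(review): the decompiler resolved this literal to a constant-folded match in
    // AllocationFileLoaderService; the back-off has nothing to do with allocation reloads,
    // it is most likely an inlined 5 s value — confirm against upstream and replace with a literal.
    private static final long BACKOFF_MAX_INTERVAL_MS = AllocationFileLoaderService.ALLOC_RELOAD_WAIT_MS;
    private static final double BACKOFF_MULTIPLIER = 1.5d;
    private static final int BACKOFF_MAX_RETRIES = 4;

    /**
     * Upper-cased unit suffixes accepted by {@link #parseInterval}. Insertion-ordered so the
     * "valid values" error message is stable across runs.
     */
    private static final Map<String, ChronoUnit> CHRONOUNITS = new LinkedHashMap<>();
    /** A run of digits followed by a run of letters, e.g. {@code 30s}; checked with {@code matches()}. */
    private static final Pattern CONF_TIME_PATTERN = Pattern.compile("(^[0-9]+)(\\p{Alpha}+)");

    static {
        // The original referenced ZooKeeper's QuorumPeer.FLE_TIME_UNIT, whose value is "MS".
        CHRONOUNITS.put("MS", ChronoUnit.MILLIS);
        CHRONOUNITS.put("S", ChronoUnit.SECONDS);
        CHRONOUNITS.put("M", ChronoUnit.MINUTES);
        CHRONOUNITS.put("H", ChronoUnit.HOURS);
        CHRONOUNITS.put("D", ChronoUnit.DAYS);
    }

    private final RMContext rmContext;
    /** Handlers keyed by the class they were registered under (see {@link #registerRMAppSecurityHandlerWithType}). */
    private final Map<Class<?>, RMAppSecurityHandler> securityHandlersMap;
    private Configuration conf;
    /** Dispatcher event handler; raw because {@code Dispatcher#getEventHandler()} is declared raw. */
    private EventHandler handler;
    private RMAppSecurityActions rmAppCertificateActions;
    private boolean isRPCTLSEnabled;
    private ScheduledExecutorService renewalExecutorService;

    /**
     * Material (or material parameters) tied to one application.
     */
    public static abstract class SecurityManagerMaterial {
        private final ApplicationId applicationId;

        /**
         * @param applicationId the application this material belongs to
         */
        public SecurityManagerMaterial(ApplicationId applicationId) {
            this.applicationId = applicationId;
        }

        public ApplicationId getApplicationId() {
            return this.applicationId;
        }
    }

    /**
     * Creates the service and registers the BouncyCastle JCE provider process-wide.
     *
     * @param rMContext the RM context whose dispatcher receives the resulting application events
     */
    public RMAppSecurityManager(RMContext rMContext) {
        super(RMAppSecurityManager.class.getName());
        // Provider registration is a JVM-global side effect; addProvider is a no-op if already present.
        Security.addProvider(new BouncyCastleProvider());
        this.rmContext = rMContext;
        this.securityHandlersMap = new HashMap<>();
        this.isRPCTLSEnabled = false;
    }

    /**
     * Resolves the security actor, creates the renewal executor and initialises every registered handler.
     *
     * @param configuration the RM configuration
     * @throws Exception propagated from actor resolution or handler initialisation
     */
    @Override
    protected void serviceInit(Configuration configuration) throws Exception {
        LOG.debug("Initializing RMAppSecurityManager");
        this.conf = configuration;
        this.handler = rmContext.getDispatcher().getEventHandler();
        this.rmAppCertificateActions = HopsSecurityActionsFactory.getInstance()
                .getActor(configuration, securityActorClassName(configuration));
        this.isRPCTLSEnabled = configuration.getBoolean(RPC_TLS_ENABLED_KEY, false);
        this.renewalExecutorService = Executors.newScheduledThreadPool(
                RENEWAL_EXECUTOR_SERVICE_POOL_SIZE,
                new ThreadFactoryBuilder().setDaemon(true).setNameFormat(RENEWER_THREAD_NAME_FORMAT).build());
        for (RMAppSecurityHandler securityHandler : securityHandlersMap.values()) {
            securityHandler.init(configuration);
        }
        super.serviceInit(configuration);
    }

    /** Returns the configured security actor class name, or the default when unset. */
    private static String securityActorClassName(Configuration configuration) {
        return configuration.get(YarnConfiguration.HOPS_RM_SECURITY_ACTOR_KEY, DEFAULT_SECURITY_ACTOR_CLASS);
    }

    /**
     * Registers a handler under its own runtime class.
     *
     * @param rMAppSecurityHandler handler to register; ignored when {@code null}
     */
    public void registerRMAppSecurityHandler(RMAppSecurityHandler rMAppSecurityHandler) {
        registerRMAppSecurityHandlerWithType(rMAppSecurityHandler, rMAppSecurityHandler.getClass());
    }

    /**
     * Registers a handler under an explicit key class (lets tests register a mock as
     * {@code X509SecurityHandler.class}). A later registration with the same key replaces the earlier one.
     *
     * @param rMAppSecurityHandler handler to register; ignored when {@code null}
     * @param cls                  key the handler is looked up by
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public void registerRMAppSecurityHandlerWithType(RMAppSecurityHandler rMAppSecurityHandler, Class<?> cls) {
        if (rMAppSecurityHandler == null) {
            return;
        }
        securityHandlersMap.put(cls, rMAppSecurityHandler);
    }

    /**
     * Parses a configured interval such as {@code 30s} or {@code 2H} into an amount and a unit.
     *
     * @param str  the configured value: digits immediately followed by a unit suffix
     *             ({@code MS}, {@code S}, {@code M}, {@code H}, {@code D}, case-insensitive)
     * @param str2 the configuration key the value came from, used only in error messages
     * @return the amount and its {@link TemporalUnit}
     * @throws IllegalArgumentException if the value does not match the pattern, the number does not
     *                                  fit in a {@code long}, or the unit suffix is unknown
     */
    public Pair<Long, TemporalUnit> parseInterval(String str, String str2) {
        Matcher matcher = CONF_TIME_PATTERN.matcher(str);
        if (!matcher.matches()) {
            throw new IllegalArgumentException("Could not parse value " + str + " of " + str2);
        }
        long amount;
        try {
            amount = Long.parseLong(matcher.group(1));
        } catch (NumberFormatException e) {
            // The pattern only guarantees digits, not that they fit in a long.
            throw new IllegalArgumentException("Could not parse value " + str + " of " + str2, e);
        }
        String unitToken = matcher.group(2);
        // Locale.ROOT keeps the lookup independent of the JVM default locale.
        ChronoUnit unit = CHRONOUNITS.get(unitToken.toUpperCase(Locale.ROOT));
        if (unit == null) {
            throw new IllegalArgumentException("Could not parse ChronoUnit: " + unitToken
                    + ". Valid values are " + String.join(", ", CHRONOUNITS.keySet()));
        }
        return new Pair<>(Long.valueOf(amount), unit);
    }

    /**
     * Starts every registered handler.
     *
     * @throws Exception propagated from a handler's {@code start()}
     */
    @Override
    protected void serviceStart() throws Exception {
        LOG.info("Starting RMAppSecurityManager");
        for (RMAppSecurityHandler securityHandler : securityHandlersMap.values()) {
            securityHandler.start();
        }
        super.serviceStart();
    }

    /**
     * Stops the handlers and the renewal executor, then releases the security actor.
     *
     * <p>NOTE(review): the normal path clears the actor from the factory while the interrupted path
     * stops the actor directly; this asymmetry is preserved from the original but looks like a
     * decompilation artefact of a single tear-down sequence — confirm against upstream.
     *
     * @throws Exception propagated from a handler's {@code stop()}
     */
    @Override
    protected void serviceStop() throws Exception {
        LOG.info("Stopping RMAppCertificateManager");
        for (RMAppSecurityHandler securityHandler : securityHandlersMap.values()) {
            securityHandler.stop();
        }
        if (renewalExecutorService != null) {
            try {
                renewalExecutorService.shutdown();
                if (!renewalExecutorService.awaitTermination(RENEWAL_SHUTDOWN_TIMEOUT_SECONDS, TimeUnit.SECONDS)) {
                    renewalExecutorService.shutdownNow();
                }
                clearRMAppSecurityActionsFactory();
            } catch (InterruptedException e) {
                renewalExecutorService.shutdownNow();
                if (rmAppCertificateActions instanceof AbstractSecurityActions) {
                    ((AbstractSecurityActions) rmAppCertificateActions).stop();
                }
                // Restore the flag so the caller's shutdown sequence can observe the interruption.
                Thread.currentThread().interrupt();
            }
        }
        super.serviceStop();
    }

    /**
     * Drops the cached actor for the configured actor class from {@link HopsSecurityActionsFactory}.
     * A no-op when {@link #serviceInit(Configuration)} never ran (no configuration, nothing cached).
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    protected void clearRMAppSecurityActionsFactory() {
        if (conf == null) {
            return;
        }
        HopsSecurityActionsFactory.getInstance().clear(securityActorClassName(conf));
    }

    /**
     * @return the shared executor for renewal tasks; {@code null} before {@link #serviceInit(Configuration)}
     */
    public ScheduledExecutorService getRenewalExecutorService() {
        return this.renewalExecutorService;
    }

    /**
     * Builds the retry policy handlers use for actor calls: 200 ms initial interval, multiplier 1.5,
     * capped at {@link #BACKOFF_MAX_INTERVAL_MS}, at most 4 retries.
     *
     * @return a fresh, unshared {@link BackOff}
     */
    public BackOff createBackOffPolicy() {
        return new ExponentialBackOff.Builder()
                .setInitialIntervalMillis(BACKOFF_INITIAL_INTERVAL_MS)
                .setMaximumIntervalMillis(BACKOFF_MAX_INTERVAL_MS)
                .setMultiplier(BACKOFF_MULTIPLIER)
                .setMaximumRetries(BACKOFF_MAX_RETRIES)
                .build();
    }

    /**
     * Dispatches an event to the matching operation; unknown types are logged and dropped.
     *
     * @param event the event to process
     */
    @Override
    public void handle(RMAppSecurityManagerEvent event) {
        LOG.info("Processing event type: " + event.getType() + " for application: " + event.getApplicationId());
        RMAppSecurityManagerEventType type = (RMAppSecurityManagerEventType) event.getType();
        switch (type) {
            case GENERATE_SECURITY_MATERIAL:
                generateSecurityMaterial(event);
                break;
            case REVOKE_SECURITY_MATERIAL:
                revokeSecurityMaterial(event);
                break;
            case REVOKE_CERTIFICATE_AFTER_ROTATION:
                revokeX509Only(event);
                break;
            case REVOKE_GENERATE_MATERIAL:
                revokeAndGenerateMaterial(event.getSecurityMaterial());
                break;
            default:
                LOG.warn("Unknown event type " + type);
        }
    }

    /**
     * Registers material parameters with the renewer of the matching handler. Parameter types that
     * are neither X.509 nor JWT are ignored.
     *
     * @param p   the material parameters to renew
     * @param <P> parameter type
     * @throws NullPointerException if no handler is registered for the parameter's kind
     */
    public <P extends SecurityManagerMaterial> void registerWithMaterialRenewers(P p) {
        if (p instanceof X509SecurityHandler.X509MaterialParameter) {
            X509SecurityHandler x509Handler = (X509SecurityHandler) securityHandlersMap.get(X509SecurityHandler.class);
            if (x509Handler == null) {
                String message = "Tried to register with X.509 renewer but there is no handler";
                LOG.error(message);
                throw new NullPointerException(message);
            }
            x509Handler.registerRenewer((X509SecurityHandler.X509MaterialParameter) p);
        } else if (p instanceof JWTSecurityHandler.JWTMaterialParameter) {
            JWTSecurityHandler jwtHandler = (JWTSecurityHandler) securityHandlersMap.get(JWTSecurityHandler.class);
            if (jwtHandler == null) {
                String message = "Tried to register with JWT renewer but there is no handler";
                LOG.error(message);
                throw new NullPointerException(message);
            }
            jwtHandler.registerRenewer((JWTSecurityHandler.JWTMaterialParameter) p);
        }
    }

    @VisibleForTesting
    public RMAppSecurityActions getRmAppCertificateActions() {
        return this.rmAppCertificateActions;
    }

    /**
     * @param cls the key a handler was registered under
     * @return the handler, or {@code null} when none is registered for {@code cls}
     */
    @VisibleForTesting
    public RMAppSecurityHandler getSecurityHandler(Class<?> cls) {
        return securityHandlersMap.get(cls);
    }

    @VisibleForTesting
    protected RMContext getRmContext() {
        return this.rmContext;
    }

    /**
     * Generates material with every registered X.509/JWT handler and reports the result to the
     * application. Any failure — including a missing parameter — kills the application with the
     * error message attached.
     */
    private void generateSecurityMaterial(RMAppSecurityManagerEvent event) {
        ApplicationId appId = event.getApplicationId();
        RMAppSecurityMaterial generated = new RMAppSecurityMaterial();
        try {
            for (RMAppSecurityHandler securityHandler : securityHandlersMap.values()) {
                SecurityManagerMaterial material = generateWithHandler(securityHandler, event, appId);
                if (material != null) {
                    generated.addMaterial(material);
                }
            }
            // Kept inside the try so a dispatch failure is also reported as a KILL.
            dispatchMaterialGenerated(appId, generated);
        } catch (Exception e) {
            LOG.error("Error while generating RMApp security material", e);
            handler.handle(new RMAppEvent(appId, RMAppEventType.KILL,
                    "Error while generating application security material for " + appId + " - " + e.getMessage()));
        }
    }

    /**
     * Runs one handler against the parameters carried by the event.
     *
     * @return the generated material, or {@code null} when the handler is of an unknown kind or
     *         produced nothing
     * @throws NullPointerException when the event carries no parameters for this handler's kind
     * @throws Exception            propagated from the handler
     */
    private static SecurityManagerMaterial generateWithHandler(RMAppSecurityHandler securityHandler,
            RMAppSecurityManagerEvent event, ApplicationId appId) throws Exception {
        if (securityHandler instanceof X509SecurityHandler) {
            X509SecurityHandler.X509MaterialParameter x509Param = (X509SecurityHandler.X509MaterialParameter)
                    event.getSecurityMaterial().getMaterial(X509SecurityHandler.X509MaterialParameter.class);
            if (x509Param == null) {
                throw new NullPointerException("Hops TLS is enabled but X.509 parameter is null for " + appId);
            }
            return securityHandler.generateMaterial(x509Param);
        }
        if (securityHandler instanceof JWTSecurityHandler) {
            JWTSecurityHandler.JWTMaterialParameter jwtParam = (JWTSecurityHandler.JWTMaterialParameter)
                    event.getSecurityMaterial().getMaterial(JWTSecurityHandler.JWTMaterialParameter.class);
            if (jwtParam == null) {
                throw new NullPointerException("JWT on Yarn is enabled but JWT parameter is null for " + appId);
            }
            return securityHandler.generateMaterial(jwtParam);
        }
        return null;
    }

    /**
     * Tells the application its material is ready: a plain event when nothing was generated,
     * otherwise an event carrying the material.
     */
    private void dispatchMaterialGenerated(ApplicationId appId, RMAppSecurityMaterial material) {
        if (material.isEmpty()) {
            handler.handle(new RMAppEvent(appId, RMAppEventType.SECURITY_MATERIAL_GENERATED));
        } else {
            handler.handle(new RMAppSecurityMaterialGeneratedEvent(appId, material,
                    RMAppEventType.SECURITY_MATERIAL_GENERATED));
        }
    }

    /**
     * Revokes only the X.509 material (used after a rotation). Without an X.509 handler there is
     * nothing to revoke; that case is an error only when RPC TLS is enabled.
     */
    private void revokeX509Only(RMAppSecurityManagerEvent event) {
        RMAppSecurityHandler x509Handler = securityHandlersMap.get(X509SecurityHandler.class);
        if (x509Handler == null) {
            if (isRPCTLSEnabled()) {
                LOG.error("Hops TLS is enabled but there is no X509SecurityHandler registered");
            }
            // Previously fell through to revokeX509 with a null handler and dereferenced it.
            return;
        }
        revokeX509(event, x509Handler);
    }

    /**
     * Revokes X.509 and JWT material for the event's application with every matching handler.
     *
     * @param rMAppSecurityManagerEvent the event carrying the material parameters
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public void revokeSecurityMaterial(RMAppSecurityManagerEvent rMAppSecurityManagerEvent) {
        for (RMAppSecurityHandler securityHandler : securityHandlersMap.values()) {
            if (securityHandler instanceof X509SecurityHandler) {
                revokeX509(rMAppSecurityManagerEvent, securityHandler);
            } else if (securityHandler instanceof JWTSecurityHandler) {
                revokeJWT(rMAppSecurityManagerEvent, securityHandler);
            }
        }
    }

    /** Asynchronous revocation of the event's X.509 parameters; skipped when the event carries none. */
    private void revokeX509(RMAppSecurityManagerEvent event, RMAppSecurityHandler x509Handler) {
        ApplicationId appId = event.getApplicationId();
        X509SecurityHandler.X509MaterialParameter x509Param = (X509SecurityHandler.X509MaterialParameter)
                event.getSecurityMaterial().getMaterial(X509SecurityHandler.X509MaterialParameter.class);
        if (x509Param == null) {
            return;
        }
        x509Handler.revokeMaterial(x509Param, Boolean.FALSE);
        LOG.debug("Revoked X.509 material for " + appId);
    }

    /** Asynchronous revocation of the event's JWT parameters; skipped when the event carries none. */
    private void revokeJWT(RMAppSecurityManagerEvent event, RMAppSecurityHandler jwtHandler) {
        JWTSecurityHandler.JWTMaterialParameter jwtParam = (JWTSecurityHandler.JWTMaterialParameter)
                event.getSecurityMaterial().getMaterial(JWTSecurityHandler.JWTMaterialParameter.class);
        if (jwtParam == null) {
            return;
        }
        jwtHandler.revokeMaterial(jwtParam, Boolean.FALSE);
        LOG.debug("Revoked JWT material for " + jwtParam.getApplicationId());
    }

    /**
     * Synchronously revokes X.509 material; other parameter kinds are ignored.
     *
     * @param p   the material parameters
     * @param <P> parameter type
     * @throws NullPointerException if no X.509 handler is registered
     */
    public <P extends SecurityManagerMaterial> void revokeSecurityMaterialSync(P p) {
        if (!(p instanceof X509SecurityHandler.X509MaterialParameter)) {
            return;
        }
        X509SecurityHandler x509Handler = (X509SecurityHandler) securityHandlersMap.get(X509SecurityHandler.class);
        if (x509Handler == null) {
            throw new NullPointerException("Tried to revoke X.509 material synchronously but there is no handler");
        }
        x509Handler.revokeMaterial((X509SecurityHandler.X509MaterialParameter) p, Boolean.TRUE);
    }

    /**
     * Rotates an application's material: synchronously revokes the current X.509 material, then
     * generates new X.509 and (if parameters are present) JWT material and reports it. If generation
     * fails, whatever was freshly generated is revoked again and the application is killed.
     *
     * <p>Rotation is driven by the X.509 parameters: when they are absent, or the revocation reports
     * failure, nothing further happens and no event is dispatched (preserved from the original;
     * NOTE(review): confirm the application state machine does not wait for an event in that case).
     *
     * @param rMAppSecurityMaterial the current parameters (X.509 and optionally JWT)
     * @throws NullPointerException if X.509 parameters are present but no X.509 handler is registered
     */
    public void revokeAndGenerateMaterial(RMAppSecurityMaterial rMAppSecurityMaterial) {
        X509SecurityHandler.X509MaterialParameter x509Param = (X509SecurityHandler.X509MaterialParameter)
                rMAppSecurityMaterial.getMaterial(X509SecurityHandler.X509MaterialParameter.class);
        if (x509Param == null) {
            LOG.warn("Asked to revoke and regenerate security material without X.509 parameters; nothing to do");
            return;
        }
        X509SecurityHandler x509Handler = (X509SecurityHandler) securityHandlersMap.get(X509SecurityHandler.class);
        if (x509Handler == null) {
            throw new NullPointerException("Tried to rotate X.509 material but there is no handler");
        }
        JWTSecurityHandler jwtHandler = (JWTSecurityHandler) securityHandlersMap.get(JWTSecurityHandler.class);
        ApplicationId appId = x509Param.getApplicationId();

        if (!x509Handler.revokeMaterial(x509Param, Boolean.TRUE)) {
            LOG.error("Could not revoke X.509 material for " + appId + "; new material will not be generated");
            return;
        }

        RMAppSecurityMaterial newMaterial = new RMAppSecurityMaterial();
        boolean failed = false;
        try {
            X509SecurityHandler.X509SecurityManagerMaterial x509Material = x509Handler.generateMaterial(x509Param);
            if (x509Material != null) {
                newMaterial.addMaterial(x509Material);
            }
        } catch (Exception e) {
            LOG.error("Error when generating X.509 material for " + appId, e);
            failed = true;
        }

        JWTSecurityHandler.JWTMaterialParameter jwtParam = (JWTSecurityHandler.JWTMaterialParameter)
                rMAppSecurityMaterial.getMaterial(JWTSecurityHandler.JWTMaterialParameter.class);
        if (!failed && jwtParam != null) {
            // Guarded like the X.509 step so a JWT failure also triggers the rollback below
            // instead of escaping to the dispatcher.
            try {
                JWTSecurityHandler.JWTSecurityManagerMaterial jwtMaterial = jwtHandler.generateMaterial(jwtParam);
                if (jwtMaterial != null) {
                    newMaterial.addMaterial(jwtMaterial);
                }
            } catch (Exception e) {
                LOG.error("Error when generating JWT material for " + appId, e);
                failed = true;
            }
        }

        if (!failed) {
            dispatchMaterialGenerated(appId, newMaterial);
            return;
        }

        // Rollback: the freshly generated X.509 material carries the next crypto version,
        // which is what must be revoked here; the old version was already revoked above.
        if (newMaterial.getMaterial(X509SecurityHandler.X509SecurityManagerMaterial.class) != null) {
            x509Handler.revokeMaterial(new X509SecurityHandler.X509MaterialParameter(
                    appId, x509Param.getAppUser(),
                    Integer.valueOf(x509Param.getCryptoMaterialVersion().intValue() + 1)), Boolean.FALSE);
        }
        if (newMaterial.getMaterial(JWTSecurityHandler.JWTSecurityManagerMaterial.class) != null) {
            jwtHandler.revokeMaterial(jwtParam, Boolean.FALSE);
        }
        handler.handle(new RMAppEvent(appId, RMAppEventType.KILL,
                "Error while revoking and generating new security material for " + appId));
    }

    /**
     * @return whether RPC TLS was enabled in the configuration given to {@link #serviceInit(Configuration)}
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public boolean isRPCTLSEnabled() {
        return this.isRPCTLSEnabled;
    }
}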
