package io.hops.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.security.UserGroupInformation;

/* loaded from: input_file:io/hops/security/HopsX509Authenticator.class */
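/**
 * Binds an already TLS-authenticated client certificate to the Hadoop user it claims to be.
 *
 * <p>When IPC SSL is enabled (see {@link #isHopsTLS()}), the certificate subject's CN must either
 * equal the UGI user name, or be a host name that resolves to the remote peer address. Successful
 * host-name resolutions are remembered in a bounded cache (500 entries, 30 minutes after write)
 * keyed by CN so that repeated connections from the same host skip the DNS lookup.
 *
 * <p>Review notes for maintainers:
 * <ul>
 *   <li>Certificate chain validation is not performed here; this class only matches the subject
 *       against the user and the peer address. It relies on the TLS layer having already verified
 *       the certificate (not visible in this class - confirm at the call site).</li>
 *   <li>The cache is keyed by CN only. A positive entry is reused for up to 30 minutes even if DNS
 *       for that name changes in the meantime.</li>
 *   <li>{@link InetAddress#getByName(String)} accepts IP literals as well as host names and returns a
 *       single address, so a CN that is an IP literal needs no DNS, and a multi-homed host is only
 *       matched against the one address the resolver returns.</li>
 * </ul>
 */
public class HopsX509Authenticator {
    private static final Log LOG = LogFactory.getLog(HopsX509Authenticator.class);
    /** Subject name format requested from the certificate; HopsUtil parses this form. */
    private static final String SUBJECT_FORMAT = "RFC2253";
    /** Protocol name for which the subject's O attribute is NOT registered as an application id. */
    private static final String WEBHDFS_PROTOCOL = "WebHDFS";
    private final Configuration conf;
    /** CN -> address that was resolved and confirmed to match the peer; bounded and time-limited. */
    private final Cache<String, InetAddress> trustedHostnames = CacheBuilder.newBuilder().maximumSize(500).expireAfterWrite(30, TimeUnit.MINUTES).build();

    /**
     * Creates an authenticator reading its TLS switch from {@code configuration}.
     *
     * @param configuration Hadoop configuration consulted for {@code IPC_SERVER_SSL_ENABLED}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public HopsX509Authenticator(Configuration configuration) {
        this.conf = configuration;
    }

    /**
     * Same as {@link #authenticateConnection(UserGroupInformation, X509Certificate, InetAddress, String)}
     * with no protocol name.
     *
     * @param userGroupInformation the UGI of the connecting user
     * @param x509Certificate      the client's certificate as presented on the TLS connection
     * @param inetAddress          the remote peer address; may be null only if the CN equals the user name
     * @throws HopsX509AuthenticationException if the certificate cannot be tied to the user
     */
    public void authenticateConnection(UserGroupInformation userGroupInformation, X509Certificate x509Certificate, InetAddress inetAddress) throws HopsX509AuthenticationException {
        authenticateConnection(userGroupInformation, x509Certificate, inetAddress, null);
    }

    /**
     * Authenticates a connection by matching the certificate subject against the user and peer.
     *
     * <p>Does nothing when IPC SSL is disabled. Otherwise the subject's CN must equal the UGI user
     * name, or be a host name whose resolved address equals {@code inetAddress}. If the subject
     * carries an O attribute it is added to the UGI as application id (except for WebHDFS); note
     * that this happens before the identity check completes, so a UGI passed in may carry the
     * application id even when this method then throws.
     *
     * @param userGroupInformation the UGI of the connecting user; must not be null
     * @param x509Certificate      the client's certificate; must not be null
     * @param inetAddress          the remote peer address; required unless the CN equals the user name
     * @param str                  protocol name, or null. "WebHDFS" (case-insensitive) suppresses the
     *                             application-id registration; any non-null value is appended to
     *                             the mismatch error message
     * @throws HopsX509AuthenticationException if the user name is missing, the CN cannot be
     *                                         extracted, the CN does not resolve, or the resolved
     *                                         address differs from the peer address
     * @throws NullPointerException            if a required argument is null
     */
    public void authenticateConnection(UserGroupInformation userGroupInformation, X509Certificate x509Certificate, InetAddress inetAddress, String str) throws HopsX509AuthenticationException {
        if (!isHopsTLS()) {
            // Without IPC SSL there is no certificate binding to enforce; this is a deliberate no-op.
            return;
        }
        Preconditions.checkNotNull(userGroupInformation, "UserGroupInformation should not be null");
        Preconditions.checkNotNull(x509Certificate, "Client X.509 certificate should not be null");

        String userName = userGroupInformation.getUserName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Authenticating user: " + userName);
        }
        if (userName == null) {
            throw new HopsX509AuthenticationException("Could not extract username from UGI");
        }

        String subject = x509Certificate.getSubjectX500Principal().getName(SUBJECT_FORMAT);
        String cn = HopsUtil.extractCNFromSubject(subject);
        if (cn == null) {
            throw new HopsX509AuthenticationException("Problematic CN in client certificate: " + subject);
        }

        // The O attribute (when present) becomes the application id, unless this is a WebHDFS
        // connection. Kept in the original position to preserve observable UGI state.
        String organization = HopsUtil.extractOFromSubject(subject);
        if (organization != null && !isWebHdfsProtocol(str)) {
            userGroupInformation.addApplicationId(organization);
        }

        // Fast path: the certificate was issued to the user itself.
        if (userName.equals(cn)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Authenticated user " + userName + " - Username matches CN");
            }
            return;
        }

        // Host path: the CN must be a host name that resolves to the peer address.
        Preconditions.checkNotNull(inetAddress, "Remote address should not be null");
        InetAddress cachedAddress = isTrustedFQDN(cn);
        if (cachedAddress != null && cachedAddress.equals(inetAddress)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("CN " + cn + " is an FQDN and it has already been authenticated");
            }
            return;
        }

        InetAddress resolvedAddress;
        try {
            // NOTE(review): getByName also accepts IP literals (no DNS involved) and yields one
            // address only; see the class comment.
            resolvedAddress = InetAddress.getByName(cn);
        } catch (UnknownHostException e) {
            LOG.error("Could not resolve host " + cn, e);
            throw new HopsX509AuthenticationException("Hostname " + cn + " is not resolvable and could not authenticate user " + userName);
        }

        if (!resolvedAddress.equals(inetAddress)) {
            throw new HopsX509AuthenticationException(mismatchMessage(cn, inetAddress, userName, str));
        }
        // Only confirmed CN -> address pairs enter the cache.
        this.trustedHostnames.put(cn, resolvedAddress);
        if (LOG.isDebugEnabled()) {
            LOG.debug("CN " + cn + " is an FQDN and we managed to resolve it and it matches the remote address");
        }
    }

    /**
     * Returns whether {@code protocol} names WebHDFS (case-insensitive); null and empty are false.
     */
    private static boolean isWebHdfsProtocol(String protocol) {
        return WEBHDFS_PROTOCOL.equalsIgnoreCase(protocol);
    }

    /**
     * Builds the error message for a CN whose resolved address differs from the peer address.
     * The protocol suffix is appended whenever {@code protocol} is non-null (even if empty).
     */
    private static String mismatchMessage(String cn, InetAddress remote, String userName, String protocol) {
        StringBuilder sb = new StringBuilder();
        sb.append("Could not authenticate client with CN ").append(cn).append(" remote IP ").append(remote).append(" and username ").append(userName);
        if (protocol != null) {
            sb.append(" for protocol ").append(protocol);
        }
        return sb.toString();
    }

    /** Whether IPC server SSL is enabled in the configuration; defaults to false. */
    private boolean isHopsTLS() {
        return this.conf.getBoolean(CommonConfigurationKeysPublic.IPC_SERVER_SSL_ENABLED, false);
    }

    /**
     * Looks up a previously confirmed address for {@code str} (a CN) in the cache.
     *
     * @param str the certificate CN
     * @return the cached address, or null if the CN is not cached or the entry has expired
     */
    @VisibleForTesting
    protected InetAddress isTrustedFQDN(String str) {
        return this.trustedHostnames.getIfPresent(str);
    }
}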
