package org.apache.hadoop.yarn.server.resourcemanager.security;

import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.GeneralSecurityException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.math3.random.RandomDataGenerator;
import org.apache.commons.math3.util.Pair;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.util.BackOff;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.event.EventHandler;
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppSecurityMaterialRenewedEvent;
import org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityManager;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/JWTSecurityHandler.class */
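/**
 * ResourceManager-side handler for per-application JSON Web Tokens: it asks the configured
 * {@link RMAppSecurityActions} to generate, renew and invalidate tokens, schedules renewal
 * tasks on the executor owned by {@link RMAppSecurityManager}, and processes invalidation
 * requests on a dedicated thread.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When {@code YarnConfiguration.RM_JWT_ENABLED} is false every operation is a no-op:
 *       {@link #generateMaterial} and {@link #renewInternal} return {@code null} and
 *       {@link #revokeMaterial} reports success without contacting anything.</li>
 *   <li>The token is a bearer credential. The log messages formatted here carry the
 *       application id or signing key name, not the token string; exceptions passed to the
 *       logger come from {@code RMAppSecurityActions} and their content is not visible
 *       here.</li>
 *   <li>Invalidation is asynchronous and best-effort: {@link #revokeMaterial} only enqueues
 *       an event, and a failed {@code invalidateJWT} call is logged and not retried.</li>
 * </ul>
 */
public class JWTSecurityHandler implements RMAppSecurityHandler<JWTSecurityManagerMaterial, JWTMaterialParameter> {
    private static final Log LOG = LogFactory.getLog(JWTSecurityHandler.class);
    private final RMContext rmContext;
    private final RMAppSecurityManager rmAppSecurityManager;
    private final EventHandler eventHandler;
    // Audience list read from configuration in init(); the same array instance is handed to
    // every JWTMaterialParameter by prepareJWTGenerationParameters (no defensive copy).
    private String[] jwtAudience;
    private Configuration config;
    private boolean jwtEnabled;
    // Only assigned in init() when JWT is enabled; stays null otherwise.
    private RMAppSecurityActions rmAppSecurityActions;
    private Pair<Long, TemporalUnit> validityPeriod;
    private ScheduledExecutorService renewalExecutorService;
    // Expiration leeway in whole seconds, derived from RM_JWT_EXPIRATION_LEEWAY in init().
    private Long leeway;
    private Thread invalidationEventsHandler;
    private static final int INVALIDATION_EVENTS_QUEUE_SIZE = 100;
    // Pending renewal task per application. The raw ScheduledFuture type is kept because it is
    // exposed through getRenewalTasks().
    private final Map<ApplicationId, ScheduledFuture> renewalTasks = new ConcurrentHashMap<>();
    // Bounded queue: put() blocks the revoking caller once INVALIDATION_EVENTS_QUEUE_SIZE
    // events are waiting to be processed.
    private final BlockingQueue<JWTInvalidationEvent> invalidationEvents =
            new ArrayBlockingQueue<>(INVALIDATION_EVENTS_QUEUE_SIZE);
    // Used only to jitter the renewal delay in computeScheduledDelay; it is not a source of
    // secret material. NOTE(review): this generator is shared by every thread that calls
    // registerRenewer - confirm that concurrent use is acceptable.
    private final RandomDataGenerator random = new RandomDataGenerator();

    /**
     * Thread that takes invalidation events off the queue one at a time and forwards the
     * signing key name to {@link JWTSecurityHandler#revokeInternal}.
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public class InvalidationEventsHandler extends Thread {
        protected InvalidationEventsHandler() {
        }

        /** Invalidates everything still queued; called once the thread has been interrupted. */
        private void drain() {
            ArrayList<JWTInvalidationEvent> pending =
                    new ArrayList<>(JWTSecurityHandler.this.invalidationEvents.size());
            JWTSecurityHandler.this.invalidationEvents.drainTo(pending);
            for (JWTInvalidationEvent event : pending) {
                JWTSecurityHandler.this.revokeInternal(event.signingKeyName);
            }
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    JWTInvalidationEvent event = JWTSecurityHandler.this.invalidationEvents.take();
                    JWTSecurityHandler.this.revokeInternal(event.signingKeyName);
                } catch (InterruptedException e) {
                    JWTSecurityHandler.LOG.info("JWT InvalidationEventHandler interrupted. Draining queue...");
                    // take() cleared the interrupt flag when it threw, so the remaining
                    // invalidations run with the flag down; it is restored afterwards so
                    // that the loop condition ends the thread.
                    drain();
                    Thread.currentThread().interrupt();
                }
            }
        }
    }

    /** Queue entry naming the signing key whose JWT must be invalidated. */
    public static class JWTInvalidationEvent {
        private final String signingKeyName;

        protected JWTInvalidationEvent(String str) {
            this.signingKeyName = str;
        }

        protected String getSigningKeyName() {
            return this.signingKeyName;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj instanceof JWTInvalidationEvent) {
                return this.signingKeyName.equals(((JWTInvalidationEvent) obj).signingKeyName);
            }
            return false;
        }

        @Override
        public int hashCode() {
            return this.signingKeyName.hashCode();
        }
    }

    /**
     * Input for JWT generation and renewal: the application, its user and the claims that
     * {@link JWTSecurityHandler#prepareJWTGenerationParameters} fills in.
     */
    public static class JWTMaterialParameter extends RMAppSecurityManager.SecurityManagerMaterial {
        private final String appUser;
        // Bearer token being renewed; set by JWTRenewer before renewal.
        private String token;
        private String[] audiences;
        private Instant expirationDate;
        private Instant validNotBefore;
        private boolean renewable;
        private int expLeeway;

        public JWTMaterialParameter(ApplicationId applicationId, String str) {
            super(applicationId);
            this.appUser = str;
        }

        public String getAppUser() {
            return this.appUser;
        }

        /** Returns the stored array itself, not a copy. */
        public String[] getAudiences() {
            return this.audiences;
        }

        /** Stores the given array by reference. */
        public void setAudiences(String[] strArr) {
            this.audiences = strArr;
        }

        public Instant getExpirationDate() {
            return this.expirationDate;
        }

        public void setExpirationDate(Instant instant) {
            this.expirationDate = instant;
        }

        public Instant getValidNotBefore() {
            return this.validNotBefore;
        }

        public void setValidNotBefore(Instant instant) {
            this.validNotBefore = instant;
        }

        public boolean isRenewable() {
            return this.renewable;
        }

        public void setRenewable(boolean z) {
            this.renewable = z;
        }

        public int getExpLeeway() {
            return this.expLeeway;
        }

        public void setExpLeeway(int i) {
            this.expLeeway = i;
        }

        public String getToken() {
            return this.token;
        }

        public void setToken(String str) {
            this.token = str;
        }

        /** Hashes the user and application id, plus the expiration date when one is set. */
        @Override
        public int hashCode() {
            int hashCode = (31 * ((31 * 17) + this.appUser.hashCode())) + getApplicationId().hashCode();
            if (this.expirationDate != null) {
                hashCode = (31 * hashCode) + this.expirationDate.hashCode();
            }
            return hashCode;
        }

        /**
         * Compares user and application id, and additionally the expiration date when THIS
         * object has one.
         *
         * <p>NOTE(review): the comparison is asymmetric. An instance without an expiration
         * date equals one that has a date, but not the other way round, and the two hash
         * differently. Logic is left unchanged because callers may rely on it; avoid using
         * these objects as hash keys.
         */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof JWTMaterialParameter)) {
                return false;
            }
            JWTMaterialParameter other = (JWTMaterialParameter) obj;
            boolean sameOwner = this.appUser.equals(other.appUser)
                    && getApplicationId().equals(other.getApplicationId());
            if (this.expirationDate != null) {
                return sameOwner && this.expirationDate.equals(other.getExpirationDate());
            }
            return sameOwner;
        }
    }

    /**
     * Scheduled task that renews one application's JWT and publishes the new material as an
     * {@link RMAppSecurityMaterialRenewedEvent}. On failure it reschedules itself using the
     * back-off policy obtained from {@link RMAppSecurityManager#createBackOffPolicy()}.
     */
    public class JWTRenewer implements Runnable {
        private final ApplicationId appId;
        private final String appUser;
        private final String token;
        private final BackOff backOff;
        private long backOffTime = 0;

        public JWTRenewer(ApplicationId applicationId, String str, String str2) {
            this.appId = applicationId;
            this.appUser = str;
            this.token = str2;
            this.backOff = JWTSecurityHandler.this.rmAppSecurityManager.createBackOffPolicy();
        }

        @Override // java.lang.Runnable
        public void run() {
            try {
                JWTSecurityHandler.LOG.debug("Renewing JWT for application " + this.appId);
                JWTMaterialParameter parameter = new JWTMaterialParameter(this.appId, this.appUser);
                parameter.setToken(this.token);
                JWTSecurityHandler.this.prepareJWTGenerationParameters(parameter);
                String renewedToken = JWTSecurityHandler.this.renewInternal(parameter);
                JWTSecurityHandler.this.renewalTasks.remove(this.appId);
                JWTSecurityHandler.this.eventHandler.handle(new RMAppSecurityMaterialRenewedEvent(this.appId,
                        new JWTSecurityManagerMaterial(this.appId, renewedToken, parameter.getExpirationDate())));
                JWTSecurityHandler.LOG.debug("Renewed JWT for application " + this.appId);
            } catch (Exception e) {
                // NOTE(review): deregisterFromRenewer cancels with interruption. If that makes
                // an in-flight renewal throw, this branch would reschedule the renewer for an
                // application that was just deregistered - confirm and consider skipping the
                // retry when the thread is interrupted.
                JWTSecurityHandler.this.renewalTasks.remove(this.appId);
                this.backOffTime = this.backOff.getBackOffInMillis();
                // -1 from the back-off policy is treated as "no attempts left".
                if (this.backOffTime == -1) {
                    // NOTE(review): "4 times" is hard-coded in the message; the real limit is
                    // whatever the back-off policy enforces.
                    JWTSecurityHandler.LOG.error("Failed to renew JWT for application " + this.appId + ". Failed more than 4 times, giving up", e);
                    return;
                }
                // Pass the cause along so every failed attempt can be diagnosed, not only the
                // final one.
                JWTSecurityHandler.LOG.warn("Failed to renew JWT for application " + this.appId + ". Retrying in " + this.backOffTime + " ms", e);
                JWTSecurityHandler.this.renewalTasks.put(this.appId,
                        JWTSecurityHandler.this.renewalExecutorService.schedule(this, this.backOffTime, TimeUnit.MILLISECONDS));
            }
        }
    }

    /** Generated or renewed JWT for an application together with its expiration instant. */
    public class JWTSecurityManagerMaterial extends RMAppSecurityManager.SecurityManagerMaterial {
        private final String token;
        private final Instant expirationDate;

        public JWTSecurityManagerMaterial(ApplicationId applicationId, String str, Instant instant) {
            super(applicationId);
            this.token = str;
            this.expirationDate = instant;
        }

        public String getToken() {
            return this.token;
        }

        public Instant getExpirationDate() {
            return this.expirationDate;
        }
    }

    public JWTSecurityHandler(RMContext rMContext, RMAppSecurityManager rMAppSecurityManager) {
        this.rmContext = rMContext;
        this.rmAppSecurityManager = rMAppSecurityManager;
        this.eventHandler = rMContext.getDispatcher().getEventHandler();
    }

    /**
     * Reads the JWT settings (enabled flag, audience, validity period, expiration leeway) and,
     * when JWT is enabled, obtains the {@link RMAppSecurityActions} used to talk to the issuer.
     *
     * @throws IllegalArgumentException if the leeway is expressed in a unit finer than seconds
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityHandler
    public void init(Configuration configuration) throws Exception {
        LOG.info("Initializing JWT Security Handler");
        this.config = configuration;
        this.jwtEnabled = configuration.getBoolean(YarnConfiguration.RM_JWT_ENABLED, YarnConfiguration.DEFAULT_RM_JWT_ENABLED);
        this.jwtAudience = configuration.getTrimmedStrings(YarnConfiguration.RM_JWT_AUDIENCE, new String[]{YarnConfiguration.DEFAULT_RM_JWT_AUDIENCE});
        this.renewalExecutorService = this.rmAppSecurityManager.getRenewalExecutorService();
        this.validityPeriod = this.rmAppSecurityManager.parseInterval(
                configuration.get(YarnConfiguration.RM_JWT_VALIDITY_PERIOD, YarnConfiguration.DEFAULT_RM_JWT_VALIDITY_PERIOD),
                YarnConfiguration.RM_JWT_VALIDITY_PERIOD);
        Pair<Long, TemporalUnit> leewayInterval = this.rmAppSecurityManager.parseInterval(
                configuration.get(YarnConfiguration.RM_JWT_EXPIRATION_LEEWAY, YarnConfiguration.DEFAULT_RM_JWT_EXPIRATION_LEEWAY),
                YarnConfiguration.RM_JWT_EXPIRATION_LEEWAY);
        // ChronoUnit constants are ordered from finest to coarsest, so "less than SECONDS"
        // means a sub-second unit. Only the unit is checked here, not the magnitude.
        if (((ChronoUnit) leewayInterval.getSecond()).compareTo(ChronoUnit.SECONDS) < 0) {
            throw new IllegalArgumentException("Value of " + YarnConfiguration.RM_JWT_EXPIRATION_LEEWAY + " should be at least seconds");
        }
        this.leeway = Duration.of(leewayInterval.getFirst(), leewayInterval.getSecond()).getSeconds();
        if (this.jwtEnabled) {
            this.rmAppSecurityActions = this.rmAppSecurityManager.getRmAppCertificateActions();
        }
    }

    /** Starts the invalidation thread when JWT is enabled. */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityHandler
    public void start() throws Exception {
        LOG.info("Starting JWT Security Handler");
        if (isJWTEnabled()) {
            this.invalidationEventsHandler = createInvalidationEventsHandler();
            // Non-daemon: the JVM will not exit while this thread runs, so stop() must be
            // called to interrupt it.
            this.invalidationEventsHandler.setDaemon(false);
            this.invalidationEventsHandler.setName("JWT-InvalidationEventsHandler");
            this.invalidationEventsHandler.start();
        }
    }

    /**
     * Interrupts the invalidation thread, which then drains its queue and exits. This method
     * does not wait for the drain to finish.
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityHandler
    public void stop() throws Exception {
        LOG.info("Stopping JWT Security Handler");
        if (this.invalidationEventsHandler != null) {
            this.invalidationEventsHandler.interrupt();
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected Thread createInvalidationEventsHandler() {
        return new InvalidationEventsHandler();
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public BlockingQueue<JWTInvalidationEvent> getInvalidationEvents() {
        return this.invalidationEvents;
    }

    /**
     * Generates a JWT for the application named by the parameter.
     *
     * @return the new material, or {@code null} when JWT is disabled
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityHandler
    public JWTSecurityManagerMaterial generateMaterial(JWTMaterialParameter jWTMaterialParameter) throws Exception {
        if (!isJWTEnabled()) {
            return null;
        }
        ApplicationId applicationId = jWTMaterialParameter.getApplicationId();
        LOG.info("Generating JWT for application " + applicationId);
        prepareJWTGenerationParameters(jWTMaterialParameter);
        String token = generateInternal(jWTMaterialParameter);
        return new JWTSecurityManagerMaterial(applicationId, token, jWTMaterialParameter.getExpirationDate());
    }

    /**
     * Fills in the claims for a new token: configured audience, not-before = now,
     * expiration = now + validity period, not renewable, and the leeway in seconds.
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    protected void prepareJWTGenerationParameters(JWTMaterialParameter jWTMaterialParameter) {
        // The handler-wide array is passed by reference; a caller that modifies the array
        // returned by getAudiences() changes it for every later token.
        jWTMaterialParameter.setAudiences(this.jwtAudience);
        Instant now = getNow();
        jWTMaterialParameter.setExpirationDate(now.plus(this.validityPeriod.getFirst(), this.validityPeriod.getSecond()));
        jWTMaterialParameter.setValidNotBefore(now);
        jWTMaterialParameter.setRenewable(false);
        // Long -> int narrowing: a leeway above Integer.MAX_VALUE seconds would be truncated.
        jWTMaterialParameter.setExpLeeway(this.leeway.intValue());
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected String generateInternal(JWTMaterialParameter jWTMaterialParameter) throws URISyntaxException, IOException, GeneralSecurityException {
        return this.rmAppSecurityActions.generateJWT(jWTMaterialParameter);
    }

    /** Clock hook so tests can control the current time. */
    @InterfaceAudience.Private
    @VisibleForTesting
    protected Instant getNow() {
        return Instant.now();
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected Pair<Long, TemporalUnit> getValidityPeriod() {
        return this.validityPeriod;
    }

    @VisibleForTesting
    protected Map<ApplicationId, ScheduledFuture> getRenewalTasks() {
        return this.renewalTasks;
    }

    @VisibleForTesting
    protected Configuration getConfig() {
        return this.config;
    }

    @VisibleForTesting
    protected RMAppSecurityManager getRmAppSecurityManager() {
        return this.rmAppSecurityManager;
    }

    /**
     * Schedules a renewal task for the application unless one is already recorded.
     *
     * <p>NOTE(review): containsKey followed by put is not atomic, so two concurrent calls for
     * the same application could both schedule a task - confirm callers serialise this.
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityHandler
    public void registerRenewer(JWTMaterialParameter jWTMaterialParameter) {
        if (!isJWTEnabled()) {
            return;
        }
        ApplicationId applicationId = jWTMaterialParameter.getApplicationId();
        if (this.renewalTasks.containsKey(applicationId)) {
            return;
        }
        Runnable renewalTask = createJWTRenewalTask(applicationId, jWTMaterialParameter.appUser, jWTMaterialParameter.token);
        long delaySeconds = computeScheduledDelay(jWTMaterialParameter.getExpirationDate());
        this.renewalTasks.put(applicationId, this.renewalExecutorService.schedule(renewalTask, delaySeconds, TimeUnit.SECONDS));
    }

    /**
     * Returns the renewal delay in seconds: the time left until {@code instant} plus a random
     * offset between 3 and {@code max(leeway - 5, 5)} seconds.
     *
     * <p>The offset is added, so renewal is scheduled after the nominal expiration and relies
     * on the expiration leeway. NOTE(review): with a configured leeway below 5 seconds the
     * offset can exceed the leeway; init() does not reject such values - confirm how the
     * issuer treats a renewal request that arrives past the leeway.
     */
    private long computeScheduledDelay(Instant instant) {
        long untilExpiration = Duration.between(getNow(), instant).getSeconds();
        long jitter = this.random.nextLong(3L, Math.max(this.leeway.longValue() - 5, 5L));
        return untilExpiration + jitter;
    }

    /**
     * Cancels the pending renewal task of the application, interrupting it if it is running.
     *
     * <p>NOTE(review): the cancelled future stays in {@code renewalTasks}, so the map grows
     * with every deregistered application and a later registerRenewer for the same id is
     * skipped. Removing the entry would also let a late registration resurrect renewal for a
     * revoked application, so decide deliberately before changing this.
     */
    public void deregisterFromRenewer(ApplicationId applicationId) {
        if (!isJWTEnabled()) {
            return;
        }
        ScheduledFuture scheduledFuture = this.renewalTasks.get(applicationId);
        if (scheduledFuture != null) {
            scheduledFuture.cancel(true);
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected Runnable createJWTRenewalTask(ApplicationId applicationId, String str, String str2) {
        return new JWTRenewer(applicationId, str, str2);
    }

    /**
     * Stops renewal for the application and queues its JWT for invalidation.
     *
     * <p>A {@code true} result means the request was queued, not that the token has been
     * invalidated. The call blocks while the invalidation queue is full. The second parameter
     * is not used by this implementation.
     *
     * @return {@code true} when JWT is disabled or the event was queued; {@code false} when
     *     the calling thread was interrupted while waiting for queue space
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityHandler
    public boolean revokeMaterial(JWTMaterialParameter jWTMaterialParameter, Boolean bool) {
        if (!isJWTEnabled()) {
            return true;
        }
        ApplicationId applicationId = jWTMaterialParameter.getApplicationId();
        try {
            LOG.info("Invalidating JWT for application: " + applicationId);
            deregisterFromRenewer(applicationId);
            putToInvalidationQueue(applicationId);
            return true;
        } catch (InterruptedException e) {
            LOG.warn("Shutting down while putting invalidation event to queue for application " + applicationId);
            // Restore the flag that put() cleared so the caller can still observe the
            // interruption; the token for this application was NOT queued for invalidation.
            Thread.currentThread().interrupt();
            return false;
        }
    }

    /** Enqueues an invalidation event keyed by the application id's string form. */
    private void putToInvalidationQueue(ApplicationId applicationId) throws InterruptedException {
        this.invalidationEvents.put(new JWTInvalidationEvent(applicationId.toString()));
    }

    /**
     * Asks the issuer to invalidate the JWT signed with the given key name. Failures are
     * logged and not retried, so the caller cannot tell whether invalidation succeeded.
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    protected void revokeInternal(String str) {
        if (!isJWTEnabled()) {
            return;
        }
        try {
            this.rmAppSecurityActions.invalidateJWT(str);
        } catch (IOException | URISyntaxException | GeneralSecurityException e) {
            LOG.error("Could not invalidate JWT with signing key " + str, e);
        }
    }

    /**
     * Renews the token carried by the parameter.
     *
     * @return the renewed token, or {@code null} when JWT is disabled
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    protected String renewInternal(JWTMaterialParameter jWTMaterialParameter) throws URISyntaxException, IOException, GeneralSecurityException {
        if (isJWTEnabled()) {
            return this.rmAppSecurityActions.renewJWT(jWTMaterialParameter);
        }
        return null;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected boolean isJWTEnabled() {
        return this.jwtEnabled;
    }
}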
