package org.apache.hadoop.yarn.server.resourcemanager.security;

import io.hops.security.HopsUtil;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.concurrent.TimeUnit;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppSecurityMaterialRenewedEvent;
import org.apache.hadoop.yarn.server.resourcemanager.security.X509SecurityHandler;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.junit.Assert;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/MockX509SecurityHandler.class */
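/**
 * Test double for {@link X509SecurityHandler} that issues real key pairs and CSRs but
 * asserts on every intermediate artefact (CSR subject, signed certificate, key store and
 * trust store) with JUnit {@link Assert}.
 *
 * <p>Security-relevant behaviour of this mock, all visible in this class:
 * <ul>
 *   <li>{@link #isHopsTLSEnabled()} always returns {@code true}.</li>
 *   <li>{@link #loadSystemTrustStore(Configuration)} returns an <em>empty</em> JKS store when
 *       the handler was built with {@code loadTrustStore == false}.</li>
 *   <li>{@link #generateMaterial} and {@link #revokeMaterial} throw {@link AssertionError}
 *       instead of reporting failures to the caller.</li>
 * </ul>
 * It is therefore only suitable for tests and must not be wired into a running ResourceManager.
 *
 * <p>NOTE(review): this listing is decompiler output; local names were reconstructed and the
 * explicit outer-instance argument in the renewer constructors is kept exactly as decompiled.
 */
public class MockX509SecurityHandler extends X509SecurityHandler {
    private static final Logger LOG = LogManager.getLogger(MockX509SecurityHandler.class);
    private final boolean loadTrustStore;
    private final String systemTMP;
    // Written by MockX509Renewer.run() and read through getRenewalException(); volatile because
    // the renewer is a Runnable that presumably runs on the renewer scheduler thread — confirm.
    private volatile boolean renewalException;
    // NOTE(review): only ever written by setOldCertificateExpiration(); nothing in this class
    // reads it (createCertificateRenewerTask passes the constant 1L instead).
    private long oldCertificateExpiration;

    /**
     * Handler whose renewals fail a configurable number of times and whose
     * {@link #generateMaterial} always throws, used to exercise retry/back-off paths.
     */
    public static class MockFailingX509SecurityHandler extends X509SecurityHandler {
        private final Integer succeedAfterRetries;
        // Both fields are updated from MockFailingX509Renewer.run(), which re-schedules itself
        // on getRenewerScheduler(), and are read by the test through the getters below.
        // NOTE(review): the increment is not atomic; that is fine only while a single renewer
        // task updates the counter at a time — confirm.
        private volatile int numberOfRenewalFailures;
        private volatile boolean renewalFailed;

        /**
         * Renewer that fails until the back-off helper reports at least
         * {@code succeedAfterRetries} retries, then "succeeds" without issuing anything.
         */
        public class MockFailingX509Renewer extends X509SecurityHandler.X509Renewer {
            private final Integer succeedAfterRetries;

            /**
             * @param applicationId application the task belongs to
             * @param appUser forwarded unchanged to {@code X509Renewer}; presumably the
             *     application user — confirm against the superclass
             * @param cryptoVersion forwarded unchanged to {@code X509Renewer}; presumably the
             *     current crypto material version — confirm against the superclass
             * @param succeedAfterRetries number of retries after which {@link #run()} stops failing
             */
            public MockFailingX509Renewer(ApplicationId applicationId, String appUser, Integer cryptoVersion, Integer succeedAfterRetries) {
                // NOTE(review): outer instance passed explicitly, as decompiled. If X509Renewer is a
                // non-static inner class the source form is the three-argument super(...) — confirm.
                super(MockFailingX509SecurityHandler.this, applicationId, appUser, cryptoVersion);
                this.succeedAfterRetries = succeedAfterRetries;
            }

            /**
             * Simulates one renewal attempt: throws internally while the retry count is below
             * the threshold, and on failure either re-schedules itself after the back-off delay
             * or, when the back-off helper returns {@code -1}, records a permanent failure.
             */
            @Override
            public void run() {
                final MockFailingX509SecurityHandler handler = MockFailingX509SecurityHandler.this;
                try {
                    if (this.backOff.getNumberOfRetries() < this.succeedAfterRetries.intValue()) {
                        // Deliberate failure; handled by the catch block below.
                        throw new Exception("Ooops something went wrong");
                    }
                    handler.getRenewalTasks().remove(this.appId);
                    MockX509SecurityHandler.LOG.info("Renewed certificate for applicaiton " + this.appId);
                } catch (Exception e) {
                    handler.getRenewalTasks().remove(this.appId);
                    this.backOffTime = this.backOff.getBackOffInMillis();
                    if (this.backOffTime == -1) {
                        // -1 is treated as "no more retries".
                        MockX509SecurityHandler.LOG.error("Failed to renew certificate for application " + this.appId + " Failed more than 4 times, giving up");
                        handler.renewalFailed = true;
                    } else {
                        // Replaces the decompiler's synthetic access$208 accessor.
                        handler.numberOfRenewalFailures++;
                        MockX509SecurityHandler.LOG.warn("Failed to renew certificates for application " + this.appId + ". Retrying in " + this.backOffTime);
                        handler.getRenewalTasks().put(this.appId, handler.getRenewerScheduler().schedule((Runnable) this, this.backOffTime, TimeUnit.MILLISECONDS));
                    }
                }
            }
        }

        /**
         * @param rMContext forwarded to the superclass
         * @param rMAppSecurityManager forwarded to the superclass
         * @param succeedAfterRetries retry count after which created renewers stop failing
         */
        public MockFailingX509SecurityHandler(RMContext rMContext, RMAppSecurityManager rMAppSecurityManager, Integer succeedAfterRetries) {
            super(rMContext, rMAppSecurityManager);
            this.numberOfRenewalFailures = 0;
            this.renewalFailed = false;
            this.succeedAfterRetries = succeedAfterRetries;
        }

        /** Returns how many failed attempts were followed by a re-schedule. */
        public int getNumberOfRenewalFailures() {
            return this.numberOfRenewalFailures;
        }

        /** Returns {@code true} once a renewer gave up because the back-off returned {@code -1}. */
        public boolean hasRenewalFailed() {
            return this.renewalFailed;
        }

        /** Always {@code true} in this mock. */
        public boolean isHopsTLSEnabled() {
            return true;
        }

        /** Creates a {@link MockFailingX509Renewer} carrying this handler's retry threshold. */
        protected Runnable createCertificateRenewerTask(ApplicationId applicationId, String str, Integer num) {
            return new MockFailingX509Renewer(applicationId, str, num, this.succeedAfterRetries);
        }

        /**
         * Always fails.
         *
         * @throws IOException unconditionally, with the message "Exception is intended here"
         */
        public X509SecurityHandler.X509SecurityManagerMaterial generateMaterial(X509SecurityHandler.X509MaterialParameter x509MaterialParameter) throws Exception {
            throw new IOException("Exception is intended here");
        }
    }

    /**
     * Renewer that performs a full renewal (new key pair, CSR, signing, new stores) and records
     * any inconsistency in the enclosing handler's {@code renewalException} flag instead of
     * throwing.
     */
    public class MockX509Renewer extends X509SecurityHandler.X509Renewer {
        private final long oldCertificateExpiration;

        /**
         * @param applicationId application the task belongs to
         * @param appUser forwarded unchanged to {@code X509Renewer}; presumably the application
         *     user — confirm against the superclass
         * @param cryptoVersion forwarded unchanged to {@code X509Renewer}; presumably the current
         *     crypto material version — confirm against the superclass
         * @param oldCertificateExpiration epoch milliseconds the renewed certificate's
         *     {@code notAfter} must exceed
         */
        public MockX509Renewer(ApplicationId applicationId, String appUser, Integer cryptoVersion, long oldCertificateExpiration) {
            // NOTE(review): outer instance passed explicitly, as decompiled. If X509Renewer is a
            // non-static inner class the source form is the three-argument super(...) — confirm.
            super(MockX509SecurityHandler.this, applicationId, appUser, cryptoVersion);
            this.oldCertificateExpiration = oldCertificateExpiration;
        }

        /**
         * Renews the application certificate and dispatches an
         * {@link RMAppSecurityMaterialRenewedEvent} with the new stores.
         *
         * <p>Two sanity checks set {@code renewalException} without aborting the renewal: the
         * OU of the new CSR must equal the previous crypto version plus one, and the new
         * certificate must expire strictly after {@code oldCertificateExpiration}. Any exception
         * is logged and also sets the flag.
         */
        @Override
        public void run() {
            final MockX509SecurityHandler handler = MockX509SecurityHandler.this;
            MockX509SecurityHandler.LOG.info("Renewing certificate for application: " + this.appId);
            try {
                KeyPair keyPair = handler.generateKeyPair();
                int previousVersion = this.currentCryptoVersion.intValue();
                // Bump the version before building the CSR so the CSR carries the new value.
                this.currentCryptoVersion = Integer.valueOf(previousVersion + 1);
                PKCS10CertificationRequest csr = handler.generateCSR(this.appId, this.appUser, keyPair, this.currentCryptoVersion);
                int versionInCsr = Integer.parseInt(HopsUtil.extractOUFromSubject(csr.getSubject().toString()));
                if (previousVersion + 1 != versionInCsr) {
                    MockX509SecurityHandler.LOG.error("Crypto version of new certificate is wrong: " + versionInCsr);
                    handler.renewalException = true;
                }
                X509SecurityHandler.CertificateBundle bundle = handler.sendCSRAndGetSigned(csr);
                long newExpiration = bundle.getCertificate().getNotAfter().getTime();
                if (newExpiration <= this.oldCertificateExpiration) {
                    MockX509SecurityHandler.LOG.error("New certificate expiration is older than old certificate");
                    handler.renewalException = true;
                }
                X509SecurityHandler.KeyStoresWrapper stores = handler.createApplicationStores(bundle, keyPair.getPrivate(), this.appUser, this.appId);
                byte[] rawKeyStore = stores.getRawKeyStore(X509SecurityHandler.TYPE.KEYSTORE);
                byte[] rawTrustStore = stores.getRawKeyStore(X509SecurityHandler.TYPE.TRUSTSTORE);
                handler.getRenewalTasks().remove(this.appId);
                X509SecurityHandler.X509SecurityManagerMaterial material = new X509SecurityHandler.X509SecurityManagerMaterial(
                    this.appId, rawKeyStore, stores.getKeyStorePassword(), rawTrustStore, stores.getTrustStorePassword(), Long.valueOf(newExpiration));
                handler.getRmContext().getDispatcher().getEventHandler().handle(new RMAppSecurityMaterialRenewedEvent(this.appId, material));
                MockX509SecurityHandler.LOG.debug("Renewed certificate for application " + this.appId);
            } catch (Exception e) {
                MockX509SecurityHandler.LOG.error("Exception while renewing certificate. THis should not have happened here :(", e);
                handler.renewalException = true;
            }
        }
    }

    /**
     * @param rMContext forwarded to the superclass
     * @param rMAppSecurityManager forwarded to the superclass
     * @param loadTrustStore when {@code false}, {@link #loadSystemTrustStore(Configuration)}
     *     returns an empty store instead of delegating to the superclass
     */
    public MockX509SecurityHandler(RMContext rMContext, RMAppSecurityManager rMAppSecurityManager, boolean loadTrustStore) {
        super(rMContext, rMAppSecurityManager);
        this.renewalException = false;
        this.loadTrustStore = loadTrustStore;
        this.systemTMP = System.getProperty("java.io.tmpdir");
    }

    /**
     * Returns the superclass trust store, or an empty in-memory JKS store when this mock was
     * built with {@code loadTrustStore == false}.
     *
     * @throws GeneralSecurityException if the JKS store cannot be created or loaded
     * @throws IOException if loading the store fails
     */
    @Override
    public KeyStore loadSystemTrustStore(Configuration configuration) throws GeneralSecurityException, IOException {
        if (this.loadTrustStore) {
            return super.loadSystemTrustStore(configuration);
        }
        KeyStore emptyStore = KeyStore.getInstance("JKS");
        // load(null, null) initialises an empty store: no certificate is trusted.
        emptyStore.load(null, null);
        return emptyStore;
    }

    /**
     * Generates X.509 material for an application and asserts on every step.
     *
     * <p>Checks performed, in order: the CSR subject carries the app user (CN), application id
     * (O) and crypto version (OU); the signed certificate is currently valid, expires in the
     * future and verifies against its issuer (and against the testing CA when the security
     * actions are a {@code TestingRMAppSecurityActions}); the key store and both passwords are
     * non-empty; no {@code _kstore.jks}/{@code _tstore.jks} file for this application exists in
     * the temp directory; the application trust store matches the system trust store; and the
     * certificate stored under the app user's alias carries the same subject fields.
     *
     * @return the material built from the generated stores and the certificate's expiry
     * @throws Exception on any crypto or I/O failure; assertion failures surface as
     *     {@link AssertionError}
     */
    public X509SecurityHandler.X509SecurityManagerMaterial generateMaterial(X509SecurityHandler.X509MaterialParameter x509MaterialParameter) throws Exception {
        ApplicationId applicationId = x509MaterialParameter.getApplicationId();
        String appUser = x509MaterialParameter.getAppUser();
        Integer cryptoMaterialVersion = x509MaterialParameter.getCryptoMaterialVersion();
        KeyPair keyPair = generateKeyPair();
        PKCS10CertificationRequest csr = generateCSR(applicationId, appUser, keyPair, cryptoMaterialVersion);
        String csrSubject = csr.getSubject().toString();
        Assert.assertEquals(appUser, HopsUtil.extractCNFromSubject(csrSubject));
        Assert.assertEquals(applicationId.toString(), HopsUtil.extractOFromSubject(csrSubject));
        Assert.assertEquals(String.valueOf(cryptoMaterialVersion), HopsUtil.extractOUFromSubject(csrSubject));

        X509SecurityHandler.CertificateBundle bundle = sendCSRAndGetSigned(csr);
        bundle.getCertificate().checkValidity();
        long expiration = bundle.getCertificate().getNotAfter().getTime();
        Assert.assertTrue(expiration >= Instant.now().toEpochMilli());
        Assert.assertNotNull(bundle.getIssuer());

        // Held as Object so the instanceof test and the cast are explicit; the decompiled
        // listing declared this local with the already-narrowed type.
        Object securityActions = getRmAppSecurityActions();
        boolean hasTestingCa = securityActions instanceof TestingRMAppSecurityActions;
        // verify(key, "BC") needs the BouncyCastle provider to be registered under that name.
        if (hasTestingCa) {
            bundle.getCertificate().verify(((TestingRMAppSecurityActions) securityActions).getCaCert().getPublicKey(), "BC");
        }
        bundle.getCertificate().verify(bundle.getIssuer().getPublicKey(), "BC");

        X509SecurityHandler.KeyStoresWrapper stores = createApplicationStores(bundle, keyPair.getPrivate(), appUser, applicationId);
        X509Certificate storedCertificate = (X509Certificate) stores.getKeystore().getCertificate(appUser);
        byte[] rawKeyStore = stores.getRawKeyStore(X509SecurityHandler.TYPE.KEYSTORE);
        Assert.assertNotNull(rawKeyStore);
        Assert.assertNotEquals(0L, rawKeyStore.length);
        // The handler must not leave the key store behind in the temp directory.
        Assert.assertFalse(Paths.get(this.systemTMP, appUser + "-" + applicationId.toString() + "_kstore.jks").toFile().exists());
        // Fix: the decompiled listing checked the length of an undefined variable (r0).
        char[] keyStorePassword = stores.getKeyStorePassword();
        Assert.assertNotNull(keyStorePassword);
        Assert.assertNotEquals(0L, keyStorePassword.length);

        byte[] rawTrustStore = stores.getRawKeyStore(X509SecurityHandler.TYPE.TRUSTSTORE);
        Assert.assertFalse(Paths.get(this.systemTMP, appUser + "-" + applicationId.toString() + "_tstore.jks").toFile().exists());
        char[] trustStorePassword = stores.getTrustStorePassword();
        Assert.assertNotNull(trustStorePassword);
        Assert.assertNotEquals(0L, trustStorePassword.length);
        verifyContentOfAppTrustStore(rawTrustStore, trustStorePassword, appUser, applicationId);

        if (hasTestingCa) {
            storedCertificate.verify(((TestingRMAppSecurityActions) securityActions).getCaCert().getPublicKey(), "BC");
        }
        String storedSubject = storedCertificate.getSubjectX500Principal().getName();
        Assert.assertEquals(appUser, HopsUtil.extractCNFromSubject(storedSubject));
        Assert.assertEquals(applicationId.toString(), HopsUtil.extractOFromSubject(storedSubject));
        Assert.assertEquals(String.valueOf(cryptoMaterialVersion), HopsUtil.extractOUFromSubject(storedSubject));
        return new X509SecurityHandler.X509SecurityManagerMaterial(applicationId, rawKeyStore, stores.getKeyStorePassword(), rawTrustStore, stores.getTrustStorePassword(), Long.valueOf(expiration));
    }

    /** Always {@code true} in this mock. */
    public boolean isHopsTLSEnabled() {
        return true;
    }

    /**
     * Queues the application's material for revocation and blocks until the queue drained.
     * Unless the parameter is flagged as coming from a renewal, the application is first
     * deregistered from the certificate renewer.
     *
     * @param bool not used by this mock
     * @return {@code true} on success; an interruption fails the test via {@link Assert#fail}
     */
    public boolean revokeMaterial(X509SecurityHandler.X509MaterialParameter x509MaterialParameter, Boolean bool) {
        ApplicationId applicationId = x509MaterialParameter.getApplicationId();
        String appUser = x509MaterialParameter.getAppUser();
        Integer cryptoMaterialVersion = x509MaterialParameter.getCryptoMaterialVersion();
        try {
            if (!x509MaterialParameter.isFromRenewal()) {
                deregisterFromCertificateRenewer(applicationId);
            }
            putToQueue(applicationId, appUser, cryptoMaterialVersion);
            waitForQueueToDrain();
            return true;
        } catch (InterruptedException e) {
            // Restore the interrupt status before failing the test.
            Thread.currentThread().interrupt();
            LOG.error(e, e);
            Assert.fail("Exception should not be thrown here");
            return false;
        }
    }

    /**
     * Creates a {@link MockX509Renewer} for the application.
     *
     * <p>NOTE(review): the previous expiration is the constant {@code 1L}, so the renewer's
     * "new certificate expires later than the old one" check only trips for a certificate
     * expiring at or before epoch + 1 ms. The value set through
     * {@link #setOldCertificateExpiration(long)} is not used here — confirm that is intended.
     */
    protected Runnable createCertificateRenewerTask(ApplicationId applicationId, String str, Integer num) {
        return new MockX509Renewer(applicationId, str, num, 1L);
    }

    /** Stores the given expiration (epoch milliseconds); see the note on the field. */
    public void setOldCertificateExpiration(long j) {
        this.oldCertificateExpiration = j;
    }

    /** Returns {@code true} if any {@link MockX509Renewer} run detected a problem. */
    public boolean getRenewalException() {
        return this.renewalException;
    }

    /**
     * Asserts that every alias of the system trust store is present in the application trust
     * store with a certificate carrying the same signature bytes.
     *
     * <p>The raw store is written to {@code <tmpdir>/<appUser>-<appId>_tstore.jks}, loaded back
     * with the given password, and the file is deleted whether or not loading succeeds.
     *
     * <p>NOTE(review): the scratch file has a predictable name in the shared temp directory.
     * That is acceptable for an isolated test run; on a shared host, loading from an in-memory
     * stream or using {@code Files.createTempFile} avoids the predictable path.
     *
     * @param rawTrustStore serialized application trust store
     * @param password password protecting {@code rawTrustStore}
     * @param appUser application user, used in the scratch file name
     * @param applicationId application id, used in the scratch file name
     * @throws GeneralSecurityException if a store cannot be created or loaded
     * @throws IOException if the scratch file cannot be written or read
     */
    private void verifyContentOfAppTrustStore(byte[] rawTrustStore, char[] password, String appUser, ApplicationId applicationId) throws GeneralSecurityException, IOException {
        File scratchFile = Paths.get(this.systemTMP, appUser + "-" + applicationId.toString() + "_tstore.jks").toFile();
        boolean mismatch = false;
        try {
            KeyStore systemTrustStore = loadSystemTrustStore(getConfig());
            FileUtils.writeByteArrayToFile(scratchFile, rawTrustStore, false);
            KeyStore appTrustStore = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream(scratchFile)) {
                appTrustStore.load(in, password);
            }
            Enumeration<String> aliases = systemTrustStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                X509Certificate appCertificate = (X509Certificate) appTrustStore.getCertificate(alias);
                if (appCertificate == null) {
                    mismatch = true;
                    break;
                }
                X509Certificate systemCertificate = (X509Certificate) systemTrustStore.getCertificate(alias);
                // Only the signature bytes are compared; comparing getEncoded() would cover the
                // whole certificate.
                if (!Arrays.equals(systemCertificate.getSignature(), appCertificate.getSignature())) {
                    mismatch = true;
                    break;
                }
            }
        } finally {
            // Always remove the scratch copy, also when loading or comparing throws.
            FileUtils.deleteQuietly(scratchFile);
        }
        Assert.assertFalse(mismatch);
    }
}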
