package org.apache.hadoop.yarn.server.resourcemanager.security;

import com.google.common.annotations.VisibleForTesting;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.URISyntaxException;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.math3.util.Pair;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.util.BackOff;
import org.apache.hadoop.util.DateUtils;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.event.EventHandler;
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppImpl;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppSecurityMaterialRenewedEvent;
import org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityManager;
import org.apache.hadoop.yarn.server.security.CertificateLocalizationService;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/X509SecurityHandler.class */
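/**
 * Issues, renews and revokes per-application X.509 material for the ResourceManager.
 *
 * <p>For every application this handler generates an RSA key pair, sends a PKCS#10 CSR to
 * {@link RMAppSecurityActions#sign}, wraps the signed certificate (plus its issuer) in a JKS
 * key store and copies the system trust store into an application trust store. The raw store
 * bytes and their password are handed to the {@link CertificateLocalizationService} and returned
 * as an {@link X509SecurityManagerMaterial}. A renewal task is scheduled a configurable safety
 * period before the certificate's {@code notAfter}, and revocations are queued to a dedicated
 * thread so the caller never blocks on the CA.
 *
 * <p>Everything is a no-op unless Hops TLS ({@value #HOPS_TLS_ENABLED_KEY}) is enabled.
 */
public class X509SecurityHandler implements RMAppSecurityHandler<X509SecurityManagerMaterial, X509MaterialParameter> {
    private static final Log LOG = LogFactory.getLog(X509SecurityHandler.class);
    private static final String SECURITY_PROVIDER = "BC";
    private static final String KEY_ALGORITHM = "RSA";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    // NOTE(review): 1024-bit RSA is below current minimum recommendations (2048+). Left
    // unchanged here because the CA policy that has to accept the CSR is not visible in this file.
    private static final int KEY_SIZE = 1024;
    private static final int REVOCATION_QUEUE_SIZE = 100;
    // Length of the random alphanumeric password protecting the application key/trust stores.
    private static final int PASSWORD_LENGTH = 20;
    private static final String APP_STORE_TYPE = "JKS";
    private static final String HOPS_TLS_ENABLED_KEY = "ipc.server.ssl.enabled";

    private final RMContext rmContext;
    private final RMAppSecurityManager rmAppSecurityManager;
    private final EventHandler eventHandler;
    private final SecureRandom rng = new SecureRandom();
    private final BlockingQueue<CertificateRevocationEvent> revocationEvents =
            new ArrayBlockingQueue<>(REVOCATION_QUEUE_SIZE);
    // The raw ScheduledFuture element type is part of the public getRenewalTasks() signature.
    private final Map<ApplicationId, ScheduledFuture> renewalTasks = new ConcurrentHashMap<>();

    private CertificateLocalizationService certificateLocalizationService;
    private RMAppSecurityActions rmAppSecurityActions;
    private KeyPairGenerator keyPairGenerator;
    private Configuration config;
    private ScheduledExecutorService renewalExecutorService;
    private Thread revocationEventsHandler;
    private Thread revocationMonitor;
    private boolean hopsTLSEnabled = false;
    // Renewal fires this long before the certificate's notAfter. Defaults are replaced in init().
    private long amountOfTimeToSubtractFromExpiration = 2L;
    private TemporalUnit renewalUnitOfTime = ChronoUnit.DAYS;
    // Pause between two passes of the revocation monitor. Defaults are replaced in init().
    private long revocationMonitorInterval = 10L;
    private TemporalUnit revocationUnitOfInterval = ChronoUnit.HOURS;

    /**
     * A signed application certificate together with the certificate of its issuer.
     * (Decompiler note: the original class and constructor were declared {@code protected}.)
     */
    public static class CertificateBundle {
        private final X509Certificate certificate;
        private final X509Certificate issuer;

        /**
         * @param certificate the application's signed certificate
         * @param issuer      the certificate of the CA that signed it
         */
        public CertificateBundle(X509Certificate certificate, X509Certificate issuer) {
            this.certificate = certificate;
            this.issuer = issuer;
        }

        /** @return the application's signed certificate */
        public X509Certificate getCertificate() {
            return certificate;
        }

        /** @return the certificate of the signing CA */
        public X509Certificate getIssuer() {
            return issuer;
        }
    }

    /**
     * Queued request to revoke one certificate. The identifier is the value produced by
     * {@link #getCertificateIdentifier(ApplicationId, String, Integer)}.
     */
    public static class CertificateRevocationEvent {
        private final String identifier;

        private CertificateRevocationEvent(String identifier) {
            this.identifier = identifier;
        }
    }

    /**
     * Daemon thread that periodically scans the running applications and queues a revocation
     * for the previous certificate version of every application that is rotating its material.
     */
    private class CertificateRevocationMonitor extends Thread {
        private final TimeUnit sleepUnit;

        private CertificateRevocationMonitor() {
            Map<ChronoUnit, TimeUnit> chronoToTimeUnit = new HashMap<>();
            chronoToTimeUnit.put(ChronoUnit.MILLIS, TimeUnit.MILLISECONDS);
            chronoToTimeUnit.put(ChronoUnit.SECONDS, TimeUnit.SECONDS);
            chronoToTimeUnit.put(ChronoUnit.MINUTES, TimeUnit.MINUTES);
            chronoToTimeUnit.put(ChronoUnit.HOURS, TimeUnit.HOURS);
            chronoToTimeUnit.put(ChronoUnit.DAYS, TimeUnit.DAYS);
            sleepUnit = chronoToTimeUnit.get(revocationUnitOfInterval);
            if (sleepUnit == null) {
                // Fail while constructing instead of with an NPE on the first sleep().
                throw new IllegalArgumentException(
                        "Unsupported revocation monitor interval unit: " + revocationUnitOfInterval);
            }
        }

        @Override
        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    queueRotatedCertificates(DateUtils.getNow());
                    sleepUnit.sleep(revocationMonitorInterval);
                } catch (InterruptedException e) {
                    LOG.info("Certificate revocation monitor stopping");
                    Thread.currentThread().interrupt();
                }
            }
        }

        /** One monitor pass: queue the previous certificate version of every due application. */
        private void queueRotatedCertificates(LocalDateTime now) throws InterruptedException {
            for (Map.Entry<ApplicationId, RMApp> entry : rmContext.getRMApps().entrySet()) {
                RMApp app = entry.getValue();
                if (!app.isAppRotatingCryptoMaterial() || !isRotationDue(app, now)) {
                    continue;
                }
                Integer previousVersion = app.getCryptoMaterialVersion() - 1;
                LOG.debug("Revoking certificate for app " + entry.getKey() + " with version " + previousVersion);
                putToQueue(app.getApplicationId(), app.getUser(), previousVersion);
                ((RMAppImpl) app).resetCryptoRotationMetrics();
            }
        }

        /**
         * NOTE(review): subtracting the interval makes this true for any rotation that started in
         * the past, so effectively every rotating app is revoked on the next pass. If the intent was
         * to wait a full interval after the rotation started, {@code plus} would be needed — confirm.
         */
        private boolean isRotationDue(RMApp app, LocalDateTime now) {
            LocalDateTime rotationStart = DateUtils.unixEpoch2LocalDateTime(app.getMaterialRotationStartTime());
            return rotationStart.minus(revocationMonitorInterval, revocationUnitOfInterval).isBefore(now);
        }
    }

    /**
     * The application key store (private key + certificate chain) and trust store, each with the
     * password it was created with. (Decompiler note: originally declared {@code protected}.)
     */
    public static class KeyStoresWrapper {
        private final KeyStore keystore;
        private final char[] keyStorePassword;
        private final KeyStore trustStore;
        private final char[] trustStorePassword;

        private KeyStoresWrapper(KeyStore keystore, char[] keyStorePassword,
                KeyStore trustStore, char[] trustStorePassword) {
            this.keystore = keystore;
            this.keyStorePassword = keyStorePassword;
            this.trustStore = trustStore;
            this.trustStorePassword = trustStorePassword;
        }

        protected KeyStore getKeystore() {
            return keystore;
        }

        protected char[] getKeyStorePassword() {
            return keyStorePassword;
        }

        protected KeyStore getTrustStore() {
            return trustStore;
        }

        protected char[] getTrustStorePassword() {
            return trustStorePassword;
        }

        /**
         * Serializes the selected store with its password.
         *
         * <p>The store is written to memory only: the key store holds the application's private
         * key, so it must never be spooled through the shared {@code java.io.tmpdir} under a
         * predictable file name. The bytes are identical to what {@code KeyStore.store} would
         * write to a file.
         *
         * @param type which of the two stores to serialize
         * @return the serialized store
         * @throws GeneralSecurityException if the store cannot be serialized
         * @throws IOException              if serialization fails
         */
        protected byte[] getRawKeyStore(TYPE type) throws GeneralSecurityException, IOException {
            final KeyStore store;
            final char[] password;
            switch (type) {
                case KEYSTORE:
                    store = keystore;
                    password = keyStorePassword;
                    break;
                case TRUSTSTORE:
                    store = trustStore;
                    password = trustStorePassword;
                    break;
                default:
                    throw new IllegalArgumentException("Unknown store type: " + type);
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            store.store(out, password);
            return out.toByteArray();
        }
    }

    /**
     * Non-daemon thread that takes revocation events off {@link #revocationEvents} and forwards
     * them to the CA. On interrupt it drains whatever is still queued before exiting.
     */
    private class RevocationEventsHandler extends Thread {
        @Override
        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    revokeInternal(revocationEvents.take().identifier);
                } catch (InterruptedException e) {
                    LOG.info("RevocationEventsHandler interrupted. Exiting...");
                    drain();
                    Thread.currentThread().interrupt();
                }
            }
        }

        /** Revokes every event still queued, without blocking. */
        private void drain() {
            List<CertificateRevocationEvent> pending = new ArrayList<>(revocationEvents.size());
            revocationEvents.drainTo(pending);
            for (CertificateRevocationEvent event : pending) {
                revokeInternal(event.identifier);
            }
        }
    }

    /** Selects one of the two application stores. */
    public enum TYPE {
        KEYSTORE,
        TRUSTSTORE
    }

    /**
     * Input to {@link #generateMaterial}, {@link #registerRenewer} and {@link #revokeMaterial}:
     * the application, its user and the crypto material version the request refers to.
     * {@code expiration} (epoch millis) is only needed by {@link #registerRenewer}.
     */
    public static class X509MaterialParameter extends RMAppSecurityManager.SecurityManagerMaterial {
        private final String appUser;
        private final Integer cryptoMaterialVersion;
        private final boolean isFromRenewal;
        private Long expiration;

        public X509MaterialParameter(ApplicationId applicationId, String appUser, Integer cryptoMaterialVersion) {
            this(applicationId, appUser, cryptoMaterialVersion, false);
        }

        /**
         * @param applicationId         the application
         * @param appUser               the user the certificate is issued to (its CN)
         * @param cryptoMaterialVersion version of the material (its OU)
         * @param isFromRenewal         true when the request originates from a renewal; a revocation
         *                              then leaves the renewer registration and localized material alone
         */
        public X509MaterialParameter(ApplicationId applicationId, String appUser, Integer cryptoMaterialVersion,
                boolean isFromRenewal) {
            super(applicationId);
            this.appUser = appUser;
            this.cryptoMaterialVersion = cryptoMaterialVersion;
            this.isFromRenewal = isFromRenewal;
        }

        public String getAppUser() {
            return appUser;
        }

        public Integer getCryptoMaterialVersion() {
            return cryptoMaterialVersion;
        }

        public boolean isFromRenewal() {
            return isFromRenewal;
        }

        /** @return certificate expiration as epoch millis, or null if never set */
        public Long getExpiration() {
            return expiration;
        }

        public void setExpiration(Long expiration) {
            this.expiration = expiration;
        }

        /** Equality ignores {@code expiration}; it is derived data, not part of the identity. */
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof X509MaterialParameter)) {
                return false;
            }
            X509MaterialParameter other = (X509MaterialParameter) obj;
            return getApplicationId().equals(other.getApplicationId())
                    && appUser.equals(other.appUser)
                    && cryptoMaterialVersion.equals(other.cryptoMaterialVersion)
                    && isFromRenewal == other.isFromRenewal;
        }

        @Override
        public int hashCode() {
            int result = 17;
            result = 31 * result + getApplicationId().hashCode();
            result = 31 * result + appUser.hashCode();
            result = 31 * result + cryptoMaterialVersion.hashCode();
            result = 31 * result + (isFromRenewal ? 1 : 0);
            return result;
        }
    }

    /**
     * Scheduled task that issues a new certificate version for one application, pushes the new
     * stores to the localization service and raises an {@link RMAppSecurityMaterialRenewedEvent}.
     * Failures are retried with the manager's back-off policy until it reports {@code -1}.
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public class X509Renewer implements Runnable {
        protected final ApplicationId appId;
        protected final String appUser;
        protected final BackOff backOff;
        protected Integer currentCryptoVersion;
        protected long backOffTime = 0;

        public X509Renewer(ApplicationId appId, String appUser, Integer currentCryptoVersion) {
            this.appId = appId;
            this.appUser = appUser;
            this.currentCryptoVersion = currentCryptoVersion;
            this.backOff = rmAppSecurityManager.createBackOffPolicy();
        }

        @Override
        public void run() {
            try {
                LOG.debug("Renewing certificate for application " + appId);
                // NOTE(review): the version is bumped before the CSR is sent, so a failed attempt
                // that is retried requests version+2 relative to the material being renewed — confirm
                // this is intended.
                currentCryptoVersion = currentCryptoVersion + 1;
                X509SecurityManagerMaterial material = issueMaterial(appId, appUser, currentCryptoVersion);
                rmContext.getCertificateLocalizationService().updateX509(appUser, appId.toString(),
                        ByteBuffer.wrap(material.getKeyStore()), String.valueOf(material.getKeyStorePassword()),
                        ByteBuffer.wrap(material.getTrustStore()), String.valueOf(material.getTrustStorePassword()));
                renewalTasks.remove(appId);
                eventHandler.handle(new RMAppSecurityMaterialRenewedEvent(appId, material));
                LOG.debug("Renewed certificate for application " + appId);
            } catch (Exception e) {
                renewalTasks.remove(appId);
                backOffTime = backOff.getBackOffInMillis();
                if (backOffTime == -1) {
                    LOG.error("Failed to renew certificate for application " + appId
                            + ". Failed more than 4 times, giving up", e);
                    return;
                }
                LOG.warn("Failed to renew certificate for application " + appId
                        + ". Retrying in " + backOffTime + " ms");
                renewalTasks.put(appId, renewalExecutorService.schedule(this, backOffTime, TimeUnit.MILLISECONDS));
            }
        }
    }

    /**
     * Result of issuing material for an application: the serialized JKS key and trust stores,
     * their passwords and the certificate's expiration (epoch millis). The getters return the
     * internal arrays without copying.
     */
    public static class X509SecurityManagerMaterial extends RMAppSecurityManager.SecurityManagerMaterial {
        private final byte[] keyStore;
        private final char[] keyStorePassword;
        private final byte[] trustStore;
        private final char[] trustStorePassword;
        private final Long expirationEpoch;
        private Integer cryptoMaterialVersion;

        public X509SecurityManagerMaterial(ApplicationId applicationId, byte[] keyStore, char[] keyStorePassword,
                byte[] trustStore, char[] trustStorePassword, Long expirationEpoch) {
            super(applicationId);
            this.keyStore = keyStore;
            this.keyStorePassword = keyStorePassword;
            this.trustStore = trustStore;
            this.trustStorePassword = trustStorePassword;
            this.expirationEpoch = expirationEpoch;
        }

        public byte[] getKeyStore() {
            return keyStore;
        }

        public char[] getKeyStorePassword() {
            return keyStorePassword;
        }

        public byte[] getTrustStore() {
            return trustStore;
        }

        public char[] getTrustStorePassword() {
            return trustStorePassword;
        }

        /** @return the certificate's notAfter as epoch millis */
        public Long getExpirationEpoch() {
            return expirationEpoch;
        }

        public Integer getCryptoMaterialVersion() {
            return cryptoMaterialVersion;
        }

        public void setCryptoMaterialVersion(Integer cryptoMaterialVersion) {
            this.cryptoMaterialVersion = cryptoMaterialVersion;
        }
    }

    public X509SecurityHandler(RMContext rmContext, RMAppSecurityManager rmAppSecurityManager) {
        this.rmContext = rmContext;
        this.rmAppSecurityManager = rmAppSecurityManager;
        this.eventHandler = rmContext.getDispatcher().getEventHandler();
    }

    @VisibleForTesting
    protected RMContext getRmContext() {
        return rmContext;
    }

    @VisibleForTesting
    protected ScheduledExecutorService getRenewerScheduler() {
        return renewalExecutorService;
    }

    /**
     * Reads the renewal safety period and the revocation monitor interval from the configuration
     * and, if Hops TLS is enabled, wires up the CA actions and the key pair generator.
     *
     * @throws Exception if the BC provider or the RSA generator cannot be obtained
     */
    @Override
    public void init(Configuration configuration) throws Exception {
        LOG.info("Initializing X.509 Security Handler");
        config = configuration;
        hopsTLSEnabled = configuration.getBoolean(HOPS_TLS_ENABLED_KEY, false);
        renewalExecutorService = rmAppSecurityManager.getRenewalExecutorService();
        // NOTE(review): the safety-period key falls back to the *renewer delay* default; confirm
        // that is intended rather than a copy/paste slip.
        Pair<Long, TemporalUnit> safetyPeriod = rmAppSecurityManager.parseInterval(
                configuration.get(YarnConfiguration.RM_APP_CERTIFICATE_EXPIRATION_SAFETY_PERIOD,
                        YarnConfiguration.DEFAULT_RM_APP_CERTIFICATE_RENEWER_DELAY),
                YarnConfiguration.RM_APP_CERTIFICATE_EXPIRATION_SAFETY_PERIOD);
        amountOfTimeToSubtractFromExpiration = safetyPeriod.getFirst();
        renewalUnitOfTime = safetyPeriod.getSecond();
        Pair<Long, TemporalUnit> monitorInterval = rmAppSecurityManager.parseInterval(
                configuration.get(YarnConfiguration.RM_APP_CERTIFICATE_REVOCATION_MONITOR_INTERVAL,
                        YarnConfiguration.DEFAULT_RM_APP_CERTIFICATE_REVOCATION_MONITOR_INTERVAL),
                YarnConfiguration.RM_APP_CERTIFICATE_REVOCATION_MONITOR_INTERVAL);
        revocationMonitorInterval = monitorInterval.getFirst();
        revocationUnitOfInterval = monitorInterval.getSecond();
        if (isHopsTLSEnabled()) {
            certificateLocalizationService = rmContext.getCertificateLocalizationService();
            rmAppSecurityActions = rmAppSecurityManager.getRmAppCertificateActions();
            keyPairGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM, SECURITY_PROVIDER);
            keyPairGenerator.initialize(KEY_SIZE);
        }
    }

    /** Starts the revocation consumer (non-daemon, so queued revocations finish) and the monitor. */
    @Override
    public void start() throws Exception {
        LOG.info("Starting X.509 Security Handler");
        if (!isHopsTLSEnabled()) {
            return;
        }
        revocationEventsHandler = new RevocationEventsHandler();
        revocationEventsHandler.setDaemon(false);
        revocationEventsHandler.setName("X509-RevocationEventsHandler");
        revocationEventsHandler.start();
        revocationMonitor = new CertificateRevocationMonitor();
        revocationMonitor.setDaemon(true);
        revocationMonitor.setName("X.509-RevocationMonitor");
        revocationMonitor.start();
    }

    /** Interrupts both threads; they are not joined. The events handler drains its queue on interrupt. */
    @Override
    public void stop() throws Exception {
        LOG.info("Stopping X.509 Security Handler");
        if (revocationMonitor != null) {
            revocationMonitor.interrupt();
        }
        if (revocationEventsHandler != null) {
            revocationEventsHandler.interrupt();
        }
    }

    @VisibleForTesting
    protected RMAppSecurityActions getRmAppSecurityActions() {
        return rmAppSecurityActions;
    }

    @VisibleForTesting
    protected Configuration getConfig() {
        return config;
    }

    /**
     * Issues a certificate for the application, materializes the stores through the
     * localization service and returns them.
     *
     * @return the new material, or null when Hops TLS is disabled
     * @throws Exception if key generation, signing, store creation or materialization fails
     */
    @Override
    public X509SecurityManagerMaterial generateMaterial(X509MaterialParameter param) throws Exception {
        if (!isHopsTLSEnabled()) {
            return null;
        }
        ApplicationId appId = param.getApplicationId();
        String appUser = param.getAppUser();
        X509SecurityManagerMaterial material = issueMaterial(appId, appUser, param.getCryptoMaterialVersion());
        certificateLocalizationService.materializeCertificates(appUser, appId.toString(), appUser,
                ByteBuffer.wrap(material.getKeyStore()), String.valueOf(material.getKeyStorePassword()),
                ByteBuffer.wrap(material.getTrustStore()), String.valueOf(material.getTrustStorePassword()));
        return material;
    }

    /**
     * Key pair → CSR → signed bundle → JKS stores, for one application and version. Shared by
     * initial issuance and renewal; the localization step differs and stays with the caller.
     */
    private X509SecurityManagerMaterial issueMaterial(ApplicationId appId, String appUser, Integer version)
            throws OperatorCreationException, URISyntaxException, IOException, GeneralSecurityException {
        KeyPair keyPair = generateKeyPair();
        CertificateBundle bundle = sendCSRAndGetSigned(generateCSR(appId, appUser, keyPair, version));
        long expirationEpoch = bundle.getCertificate().getNotAfter().getTime();
        KeyStoresWrapper stores = createApplicationStores(bundle, keyPair.getPrivate(), appUser, appId);
        byte[] rawKeyStore = stores.getRawKeyStore(TYPE.KEYSTORE);
        byte[] rawTrustStore = stores.getRawKeyStore(TYPE.TRUSTSTORE);
        return new X509SecurityManagerMaterial(appId, rawKeyStore, stores.getKeyStorePassword(),
                rawTrustStore, stores.getTrustStorePassword(), expirationEpoch);
    }

    /**
     * Schedules a renewal a safety period before the certificate expires, unless one is already
     * pending for the application.
     *
     * @throws IllegalArgumentException if the parameter carries no expiration
     */
    @Override
    public void registerRenewer(X509MaterialParameter param) {
        if (!isHopsTLSEnabled()) {
            return;
        }
        ApplicationId appId = param.getApplicationId();
        if (renewalTasks.containsKey(appId)) {
            return;
        }
        if (param.getExpiration() == null) {
            throw new IllegalArgumentException(
                    "Cannot schedule certificate renewal for " + appId + " without an expiration time");
        }
        LocalDateTime expiration = DateUtils.unixEpoch2LocalDateTime(param.getExpiration().longValue());
        // A negative delay (already inside the safety period) is treated by the executor as
        // "run as soon as possible".
        long delaySeconds = Duration.between(DateUtils.getNow(), expiration)
                .minus(amountOfTimeToSubtractFromExpiration, renewalUnitOfTime)
                .getSeconds();
        Runnable renewer = createCertificateRenewerTask(appId, param.getAppUser(), param.getCryptoMaterialVersion());
        renewalTasks.put(appId, renewalExecutorService.schedule(renewer, delaySeconds, TimeUnit.SECONDS));
    }

    /** Cancels (interrupting if running) the pending renewal of the application, if any. */
    public void deregisterFromCertificateRenewer(ApplicationId appId) {
        if (!isHopsTLSEnabled()) {
            return;
        }
        ScheduledFuture pending = renewalTasks.remove(appId);
        if (pending != null) {
            pending.cancel(true);
        }
    }

    @VisibleForTesting
    protected Runnable createCertificateRenewerTask(ApplicationId appId, String appUser, Integer cryptoVersion) {
        return new X509Renewer(appId, appUser, cryptoVersion);
    }

    /**
     * Revokes the application's certificate. Unless the request comes from a renewal, the
     * pending renewer is cancelled and the localized material removed first.
     *
     * @param blocking true to call the CA on the calling thread and return its result; false to
     *                 queue the revocation for the events handler
     * @return the CA result when blocking; false when queued (or when the queue put was interrupted);
     *         true when Hops TLS is disabled
     */
    @Override
    public boolean revokeMaterial(X509MaterialParameter param, Boolean blocking) {
        if (!isHopsTLSEnabled()) {
            return true;
        }
        ApplicationId appId = param.getApplicationId();
        String appUser = param.getAppUser();
        Integer version = param.getCryptoMaterialVersion();
        LOG.info("Revoking certificate for application: " + appId + " with version " + version);
        try {
            if (!param.isFromRenewal()) {
                deregisterFromCertificateRenewer(appId);
                if (certificateLocalizationService != null) {
                    certificateLocalizationService.removeX509Material(appUser, appId.toString());
                }
            }
            if (blocking.booleanValue()) {
                return revokeInternal(getCertificateIdentifier(appId, appUser, version));
            }
            putToQueue(appId, appUser, version);
            return false;
        } catch (InterruptedException e) {
            LOG.warn("Shutting down while putting revocation event for user " + appUser
                    + " and application " + appId, e);
            return false;
        }
    }

    /** Blocks while the revocation queue is full. */
    @InterfaceAudience.Private
    @VisibleForTesting
    protected void putToQueue(ApplicationId appId, String appUser, Integer version) throws InterruptedException {
        revocationEvents.put(new CertificateRevocationEvent(getCertificateIdentifier(appId, appUser, version)));
    }

    /** Builds the CA-side identifier {@code user__appId__version}. */
    public static String getCertificateIdentifier(ApplicationId appId, String appUser, Integer version) {
        return appUser + "__" + appId.toString() + "__" + version;
    }

    /** @return a fresh alphanumeric store password drawn from {@link SecureRandom} */
    public char[] generateRandomPassword() {
        return RandomStringUtils.random(PASSWORD_LENGTH, 0, 0, true, true, (char[]) null, rng).toCharArray();
    }

    /**
     * Loads the server-side trust store named in {@code ssl-server.xml} (or whatever
     * {@code hadoop.ssl.server.conf} points to).
     *
     * @throws IOException if the trust store location or password is not configured, or the
     *                     file cannot be read
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public KeyStore loadSystemTrustStore(Configuration configuration) throws GeneralSecurityException, IOException {
        String sslServerConf = configuration.get(SSLFactory.SSL_SERVER_CONF_KEY, SSLFactory.SSL_SERVER_CONF_DEFAULT);
        Configuration sslConf = new Configuration();
        sslConf.addResource(sslServerConf);
        String location = sslConf.get(FileBasedKeyStoresFactory.resolvePropertyName(
                SSLFactory.Mode.SERVER, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY));
        String password = sslConf.get(FileBasedKeyStoresFactory.resolvePropertyName(
                SSLFactory.Mode.SERVER, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_PASSWORD_TPL_KEY));
        String type = sslConf.get(FileBasedKeyStoresFactory.resolvePropertyName(
                SSLFactory.Mode.SERVER, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_TYPE_TPL_KEY),
                FileBasedKeyStoresFactory.DEFAULT_KEYSTORE_TYPE);
        // Explicit errors instead of a bare NPE from new FileInputStream(null) / null.toCharArray().
        if (location == null) {
            throw new IOException("System trust store location is not configured in " + sslServerConf);
        }
        if (password == null) {
            throw new IOException("System trust store password is not configured in " + sslServerConf);
        }
        KeyStore trustStore = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(location)) {
            trustStore.load(in, password.toCharArray());
        }
        return trustStore;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected KeyPair generateKeyPair() {
        return keyPairGenerator.genKeyPair();
    }

    /** Builds a CSR whose subject is CN=user, O=appId, OU=version, signed with the key pair. */
    @InterfaceAudience.Private
    @VisibleForTesting
    protected PKCS10CertificationRequest generateCSR(ApplicationId appId, String appUser, KeyPair keyPair,
            Integer version) throws OperatorCreationException {
        LOG.info("Generating certificate for application: " + appId);
        return createCSR(createX500Subject(appId, appUser, version), keyPair);
    }

    private X500Name createX500Subject(ApplicationId appId, String appUser, Integer version) {
        if (appId == null || appUser == null) {
            throw new IllegalArgumentException("ApplicationID and application user cannot be null");
        }
        X500NameBuilder subject = new X500NameBuilder(BCStyle.INSTANCE);
        subject.addRDN(BCStyle.CN, appUser);
        subject.addRDN(BCStyle.O, appId.toString());
        subject.addRDN(BCStyle.OU, version.toString());
        return subject.build();
    }

    private PKCS10CertificationRequest createCSR(X500Name subject, KeyPair keyPair) throws OperatorCreationException {
        JcaContentSignerBuilder signerBuilder = new JcaContentSignerBuilder(SIGNATURE_ALGORITHM).setProvider(SECURITY_PROVIDER);
        return new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic())
                .build(signerBuilder.build(keyPair.getPrivate()));
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected CertificateBundle sendCSRAndGetSigned(PKCS10CertificationRequest csr)
            throws URISyntaxException, IOException, GeneralSecurityException {
        return rmAppSecurityActions.sign(csr);
    }

    /**
     * Builds the application's JKS key store (private key + [certificate, issuer] chain under the
     * user's alias) and a trust store holding every certificate of the system trust store. One
     * random password protects both stores.
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    protected KeyStoresWrapper createApplicationStores(CertificateBundle bundle, PrivateKey privateKey,
            String appUser, ApplicationId appId) throws GeneralSecurityException, IOException {
        char[] password = generateRandomPassword();
        KeyStore keyStore = KeyStore.getInstance(APP_STORE_TYPE);
        keyStore.load(null, null);
        keyStore.setKeyEntry(appUser, privateKey, password,
                new X509Certificate[]{bundle.getCertificate(), bundle.getIssuer()});
        KeyStore systemTrustStore = loadSystemTrustStore(config);
        KeyStore trustStore = KeyStore.getInstance(APP_STORE_TYPE);
        trustStore.load(null, null);
        Enumeration<String> aliases = systemTrustStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            trustStore.setCertificateEntry(alias, (X509Certificate) systemTrustStore.getCertificate(alias));
        }
        return new KeyStoresWrapper(keyStore, password, trustStore, password);
    }

    /**
     * Asks the CA to revoke the certificate with the given identifier.
     *
     * @return true on success or when Hops TLS is disabled; false (logged) on failure
     */
    public boolean revokeInternal(String identifier) {
        if (!isHopsTLSEnabled()) {
            return true;
        }
        try {
            rmAppSecurityActions.revoke(identifier);
            return true;
        } catch (IOException | URISyntaxException | GeneralSecurityException e) {
            LOG.error("Could not revoke certificate " + identifier, e);
            return false;
        }
    }

    /** Polls until the revocation queue is empty; returns at once if the handler thread is not running. */
    @VisibleForTesting
    protected void waitForQueueToDrain() throws InterruptedException {
        if (revocationEventsHandler == null || !revocationEventsHandler.isAlive()) {
            return;
        }
        while (revocationEvents.peek() != null) {
            TimeUnit.MILLISECONDS.sleep(30L);
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public boolean isHopsTLSEnabled() {
        return hopsTLSEnabled;
    }

    /** @return the live map of pending renewals (not a copy) */
    @VisibleForTesting
    public Map<ApplicationId, ScheduledFuture> getRenewalTasks() {
        return renewalTasks;
    }
}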
