package org.apache.hadoop.yarn.server.resourcemanager.security;

import io.hops.security.AbstractSecurityActions;
import io.hops.security.ServiceJWTManager;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.StringWriter;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.util.DateUtils;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.resourcemanager.security.JWTSecurityHandler;
import org.apache.hadoop.yarn.server.resourcemanager.security.X509SecurityHandler;
import org.apache.http.HttpRequest;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.entity.StringEntity;
import org.apache.http.util.EntityUtils;
import org.bouncycastle.openssl.jcajce.JcaMiscPEMGenerator;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.util.io.pem.PemWriter;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/HopsworksRMAppSecurityActions.class */
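/**
 * ResourceManager-side client for the Hopsworks security endpoints that issue and
 * revoke per-application X.509 certificates and generate/renew/invalidate
 * per-application JWTs.
 *
 * <p>Every remote call goes through {@link #doCall}, which attaches the Hopsworks
 * master service token from {@code serviceJWTManager} as the bearer credential and
 * sends the request with the {@code httpClient}/{@code remoteHost} pair inherited
 * from {@link AbstractSecurityActions}. Transport security (TLS to the Hopsworks
 * host, server authentication) therefore lives in the superclass and is not
 * visible in this file — NOTE(review): confirm the inherited client pins/verifies
 * the Hopsworks endpoint, since the signed certificates returned by
 * {@link #sign} are accepted without any local chain or key-binding verification.
 *
 * <p>X.509 actions are available only when {@code ipc.server.ssl.enabled} is set;
 * JWT actions when either that key or {@link YarnConfiguration#RM_JWT_ENABLED} is
 * set. Calling an action whose material is not configured fails with a
 * {@link GeneralSecurityException}.
 */
public class HopsworksRMAppSecurityActions extends AbstractSecurityActions implements RMAppSecurityActions {
    public static final String REVOKE_CERT_ID_PARAM = "certId";
    protected static final int MAX_CONNECTIONS_PER_ROUTE = 50;
    private static final Log LOG = LogFactory.getLog(HopsworksRMAppSecurityActions.class);
    /** Hadoop key that turns on RPC TLS; it also gates the X.509 part of this service. */
    private static final String IPC_SSL_ENABLED_KEY = "ipc.server.ssl.enabled";
    /**
     * Splits a Hopsworks application user of the form {@code project__user}.
     * Both groups are greedy, so for a value with several "__" separators group 2
     * is the text after the LAST separator; that is what becomes the JWT subject.
     */
    private static final Pattern SUBJECT_USERNAME = Pattern.compile("^(.+)(?>_{2})(.+)$");
    private URI signEndpoint;
    private URI revokePath;
    private CertificateFactory certificateFactory;
    private boolean x509Configured;
    private URI jwtGeneratePath;
    private URI jwtInvalidatePath;
    private URI jwtRenewPath;
    private boolean jwtConfigured;

    /**
     * Wire format of the Hopsworks CA signing endpoint. Field names are the JSON
     * property names used by the remote API and must not be renamed. The request
     * carries only {@code csr}; the reply carries the three certificate fields as
     * PEM text. {@code rootCaCert} is returned by the CA but not consumed here.
     */
    private static final class CSRDTO {
        private String csr;
        private String signedCert;
        private String intermediateCaCert;
        private String rootCaCert;

        private CSRDTO() {
        }
    }

    public HopsworksRMAppSecurityActions() {
        super("HopsworksRMAppSecurityActions");
        this.x509Configured = false;
        this.jwtConfigured = false;
    }

    /**
     * Initialises the endpoints that the configuration enables. With RPC TLS on,
     * both JWT and X.509 are set up; with only {@code RM_JWT_ENABLED}, JWT alone.
     * When neither is enabled the superclass is deliberately left uninitialised
     * (matched by {@link #serviceStart} and {@link #serviceStop}).
     */
    protected void serviceInit(Configuration configuration) throws Exception {
        boolean sslEnabled = configuration.getBoolean(IPC_SSL_ENABLED_KEY, false);
        boolean jwtEnabled = configuration.getBoolean(YarnConfiguration.RM_JWT_ENABLED, false);
        if (sslEnabled) {
            super.serviceInit(configuration);
            initJWT(configuration);
            initX509(configuration);
        } else if (jwtEnabled) {
            super.serviceInit(configuration);
            initJWT(configuration);
        }
    }

    protected void serviceStart() throws Exception {
        if (securityEnabled()) {
            super.serviceStart();
        }
    }

    protected void serviceStop() throws Exception {
        if (securityEnabled()) {
            super.serviceStop();
        }
    }

    /** True when at least one of the two feature switches in the current config is on. */
    private boolean securityEnabled() {
        Configuration conf = getConfig();
        return conf.getBoolean(IPC_SSL_ENABLED_KEY, false)
                || conf.getBoolean(YarnConfiguration.RM_JWT_ENABLED, false);
    }

    /**
     * Reads the CA sign/revoke paths and prepares an X.509 parser.
     * The "BC" provider must already be registered when this runs — presumably by
     * the superclass or RM bootstrap, which is not visible here.
     */
    private void initX509(Configuration configuration) throws URISyntaxException, GeneralSecurityException {
        this.signEndpoint = new URI(configuration.get(YarnConfiguration.HOPS_HOPSWORKS_SIGN_ENDPOINT_KEY, "/hopsworks-ca/v2/certificate/app"));
        this.revokePath = new URI(configuration.get(YarnConfiguration.HOPS_HOPSWORKS_REVOKE_ENDPOINT_KEY, "/hopsworks-ca/v2/certificate/app"));
        this.certificateFactory = CertificateFactory.getInstance("X.509", "BC");
        this.x509Configured = true;
    }

    /**
     * Reads the JWT generate/renew/invalidate paths. The invalidate path is
     * normalised to end with "/" because the signing-key name is appended to it
     * as the final path segment in {@link #invalidateJWT}.
     */
    private void initJWT(Configuration configuration) throws URISyntaxException {
        this.jwtGeneratePath = new URI(configuration.get(YarnConfiguration.RM_JWT_GENERATE_PATH, "/hopsworks-api/api/jwt"));
        String invalidate = configuration.get(YarnConfiguration.RM_JWT_INVALIDATE_PATH, "/hopsworks-api/api/jwt/key");
        if (!invalidate.endsWith("/")) {
            invalidate = invalidate + "/";
        }
        this.jwtInvalidatePath = new URI(invalidate);
        this.jwtRenewPath = new URI(configuration.get(YarnConfiguration.RM_JWT_RENEW_PATH, "/hopsworks-api/api/jwt"));
        this.jwtConfigured = true;
    }

    private void x509NotConfigured(String method) throws GeneralSecurityException {
        notConfigured(method, "X.509");
    }

    private void jwtNotConfigured(String method) throws GeneralSecurityException {
        notConfigured(method, "JWT");
    }

    /** Always throws; reports which action was attempted against unconfigured material. */
    private void notConfigured(String method, String material) throws GeneralSecurityException {
        throw new GeneralSecurityException("Called method " + method + " of " + HopsworksRMAppSecurityActions.class.getSimpleName() + " but " + material + " is not configured");
    }

    /**
     * Submits a CSR to the Hopsworks CA and returns the issued certificate together
     * with the intermediate CA certificate from the reply.
     *
     * <p>NOTE(review): the reply is trusted as-is — there is no check that
     * {@code signedCert} is bound to the CSR's public key or chains to
     * {@code intermediateCaCert}; only the presence of both fields is verified.
     *
     * @param csr the application's certificate signing request
     * @return the signed leaf certificate and its intermediate issuer
     * @throws GeneralSecurityException if X.509 is not configured, the reply lacks a
     *         certificate, or a certificate fails to parse
     * @throws IOException on transport failure or a non-success HTTP status
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public X509SecurityHandler.CertificateBundle sign(PKCS10CertificationRequest csr) throws IOException, GeneralSecurityException {
        if (!this.x509Configured) {
            x509NotConfigured("sign");
        }
        Objects.requireNonNull(csr, "csr");
        CSRDTO request = new CSRDTO();
        request.csr = stringifyCSR(csr);
        HttpPost post = new HttpPost(this.signEndpoint);
        post.setEntity(jsonEntity(request));
        try (CloseableHttpResponse response = doJSONCall(post, "Hopsworks CA could not sign CSR")) {
            CSRDTO reply = (CSRDTO) this.parser.fromJson(readBody(response), CSRDTO.class);
            if (reply == null) {
                throw new GeneralSecurityException("Hopsworks CA returned an empty response to the signing request");
            }
            X509Certificate leaf = parseCertificate(reply.signedCert, "signedCert");
            X509Certificate intermediate = parseCertificate(reply.intermediateCaCert, "intermediateCaCert");
            return new X509SecurityHandler.CertificateBundle(leaf, intermediate);
        }
    }

    /**
     * Asks the Hopsworks CA to revoke a certificate identified by {@code certId}
     * (sent as the {@value #REVOKE_CERT_ID_PARAM} query parameter).
     *
     * @return the HTTP status code of the revoke call; a non-success status has
     *         already been turned into an exception by {@code checkHTTPResponseCode}
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public int revoke(String certId) throws URISyntaxException, IOException, GeneralSecurityException {
        if (!this.x509Configured) {
            x509NotConfigured("revoke");
        }
        Objects.requireNonNull(certId, "certId");
        // URIBuilder percent-encodes the parameter, so the identifier cannot alter the request path.
        URI target = new URIBuilder(this.revokePath).addParameter(REVOKE_CERT_ID_PARAM, certId).build();
        try (CloseableHttpResponse response = doTextPlainCall(new HttpDelete(target), "Hopsworks CA could not revoke certificate " + certId)) {
            return response.getStatusLine().getStatusCode();
        }
    }

    /**
     * Requests a new application JWT from Hopsworks. The JWT subject is the user
     * part of a {@code project__user} application user (the whole value when it
     * does not match that shape); the signing key is named after the application id.
     *
     * @throws GeneralSecurityException if JWT is not configured or the reply carries no token
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public String generateJWT(JWTSecurityHandler.JWTMaterialParameter material) throws IOException, GeneralSecurityException {
        if (!this.jwtConfigured) {
            jwtNotConfigured("generateJWT");
        }
        Objects.requireNonNull(material, "material");
        String appUser = Objects.requireNonNull(material.getAppUser(), "appUser");
        Matcher split = SUBJECT_USERNAME.matcher(appUser);
        String subject = split.matches() ? split.group(2) : appUser;

        ServiceJWTManager.JWTDTO dto = new ServiceJWTManager.JWTDTO();
        dto.setSubject(subject);
        dto.setKeyName(material.getApplicationId().toString());
        dto.setAudiences(String.join(",", material.getAudiences()));
        dto.setExpiresAt(DateUtils.localDateTime2Date(material.getExpirationDate()));
        dto.setNbf(DateUtils.localDateTime2Date(material.getValidNotBefore()));
        dto.setRenewable(Boolean.valueOf(material.isRenewable()));
        dto.setExpLeeway(Integer.valueOf(material.getExpLeeway()));

        HttpPost post = new HttpPost(this.jwtGeneratePath);
        post.setEntity(jsonEntity(dto));
        String failure = "Hopsworks could not generate JWT for " + appUser + "/" + material.getApplicationId().toString();
        try (CloseableHttpResponse response = doJSONCall(post, failure)) {
            return tokenFrom(response, failure);
        }
    }

    /**
     * Renews an existing application JWT with new expiry/not-before times.
     *
     * @throws GeneralSecurityException if JWT is not configured or the reply carries no token
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public String renewJWT(JWTSecurityHandler.JWTMaterialParameter material) throws IOException, GeneralSecurityException {
        if (!this.jwtConfigured) {
            jwtNotConfigured("renewJWT");
        }
        Objects.requireNonNull(material, "material");
        ServiceJWTManager.JWTDTO dto = new ServiceJWTManager.JWTDTO();
        dto.setToken(material.getToken());
        dto.setExpiresAt(DateUtils.localDateTime2Date(material.getExpirationDate()));
        dto.setNbf(DateUtils.localDateTime2Date(material.getValidNotBefore()));

        HttpPut put = new HttpPut(this.jwtRenewPath);
        put.setEntity(jsonEntity(dto));
        String failure = "Could not renew JWT for " + material.getAppUser() + "/" + material.getApplicationId();
        try (CloseableHttpResponse response = doJSONCall(put, failure)) {
            return tokenFrom(response, failure);
        }
    }

    /**
     * Invalidates the JWT signing key {@code keyName} (the application id used in
     * {@link #generateJWT}) by DELETE-ing {@code <invalidatePath>/<keyName>}.
     *
     * @throws IllegalArgumentException if the key name is empty or contains "/",
     *         which would otherwise address a different resource on the server
     */
    @Override // org.apache.hadoop.yarn.server.resourcemanager.security.RMAppSecurityActions
    public void invalidateJWT(String keyName) throws URISyntaxException, IOException, GeneralSecurityException {
        if (!this.jwtConfigured) {
            jwtNotConfigured("invalidateJWT");
        }
        Objects.requireNonNull(keyName, "keyName");
        if (keyName.isEmpty() || keyName.indexOf('/') >= 0) {
            throw new IllegalArgumentException("Invalid JWT signing key name: " + keyName);
        }
        // Build through URIBuilder: characters outside the path alphabet are percent-encoded
        // instead of being re-parsed as query/fragment by new URI(String).
        URI target = new URIBuilder().setPath(this.jwtInvalidatePath.getPath() + keyName).build();
        try (CloseableHttpResponse response = doJSONCall(new HttpDelete(target), "Hopsworks could not invalidate JWT signing key " + keyName)) {
            // Status was already checked by doCall; the body is not used.
        }
    }

    private CloseableHttpResponse doJSONCall(HttpRequest request, String failureMessage) throws IOException {
        addJSONContentType(request);
        return doCall(request, failureMessage);
    }

    private CloseableHttpResponse doTextPlainCall(HttpRequest request, String failureMessage) throws IOException {
        addTextPlainContentType(request);
        return doCall(request, failureMessage);
    }

    /**
     * Executes {@code request} against the Hopsworks host with the master service
     * JWT as bearer credential and validates the status code.
     *
     * <p>The caller owns the returned response and must close it; if the status
     * check fails the response is closed here so the connection is not leaked.
     */
    private CloseableHttpResponse doCall(HttpRequest request, String failureMessage) throws IOException {
        addJWTAuthHeader(request, this.serviceJWTManager.getMasterToken());
        CloseableHttpResponse response = this.httpClient.execute(this.remoteHost, request);
        try {
            checkHTTPResponseCode(response, failureMessage);
        } catch (IOException | RuntimeException e) {
            try {
                response.close();
            } catch (IOException closeFailure) {
                e.addSuppressed(closeFailure);
            }
            throw e;
        }
        return response;
    }

    /** Serialises {@code payload} with the inherited JSON parser as a UTF-8 body (JSON is UTF-8 by default; StringEntity(String) would use ISO-8859-1). */
    private StringEntity jsonEntity(Object payload) {
        return new StringEntity(this.parser.toJson(payload), StandardCharsets.UTF_8);
    }

    /** Reads the response body as text, defaulting to UTF-8 when the server sends no charset. */
    private static String readBody(CloseableHttpResponse response) throws IOException {
        return EntityUtils.toString(response.getEntity(), StandardCharsets.UTF_8);
    }

    /** Extracts the token from a JWTDTO reply, refusing an empty reply instead of returning null. */
    private String tokenFrom(CloseableHttpResponse response, String failureMessage) throws IOException, GeneralSecurityException {
        ServiceJWTManager.JWTDTO reply = (ServiceJWTManager.JWTDTO) this.parser.fromJson(readBody(response), ServiceJWTManager.JWTDTO.class);
        if (reply == null || reply.getToken() == null) {
            throw new GeneralSecurityException(failureMessage + ": response did not contain a token");
        }
        return reply.getToken();
    }

    /**
     * Parses one PEM-encoded certificate from the CA reply.
     *
     * @param pem       the PEM text, may be null/blank when the CA omitted the field
     * @param fieldName reply field name, used only for the error message
     * @throws GeneralSecurityException if the field is missing or not a parseable X.509 certificate
     */
    private X509Certificate parseCertificate(String pem, String fieldName) throws IOException, GeneralSecurityException {
        if (pem == null || pem.trim().isEmpty()) {
            throw new GeneralSecurityException("Hopsworks CA response is missing field " + fieldName);
        }
        // PEM is ASCII; an explicit charset avoids depending on the platform default.
        try (ByteArrayInputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8))) {
            return (X509Certificate) this.certificateFactory.generateCertificate(in);
        }
    }

    /** Renders a CSR as a PEM block ("CERTIFICATE REQUEST") for the JSON payload. */
    private static String stringifyCSR(PKCS10CertificationRequest csr) throws IOException {
        StringWriter out = new StringWriter();
        try (PemWriter pem = new PemWriter(out)) {
            pem.writeObject(new JcaMiscPEMGenerator(csr).generate());
        }
        return out.toString();
    }
}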
