package org.apache.hadoop.hive.llap.security;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.lang.reflect.Field;
import java.security.PrivilegedAction;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.TimeUnit;
import jodd.util.StringPool;
import org.apache.avro.mapred.tether.TetherOutputService;
import org.apache.curator.ensemble.fixed.FixedEnsembleProvider;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.RetryOneTime;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.llap.LlapUtil;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.apache.hadoop.security.token.delegation.DelegationKey;
import org.apache.hadoop.security.token.delegation.HiveDelegationTokenSupport;
import org.apache.hadoop.security.token.delegation.ZKDelegationTokenSecretManager;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/llap/security/SecretManager.class */
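/**
 * ZooKeeper-backed delegation-token secret manager for LLAP.
 *
 * <p>It inherits the ZK storage of master keys and tokens from
 * {@link ZKDelegationTokenSecretManager}, restricts it to SASL-authenticated ZK
 * access, optionally validates the ACLs of the key nodes after start-up, and
 * exposes the current master key for signing through {@link SigningSecretManager}.
 * Instances are normally created via {@link #createSecretManager(Configuration, String)},
 * which logs in with the configured Kerberos keytab and starts the manager as that user.
 */
public class SecretManager extends ZKDelegationTokenSecretManager<LlapTokenIdentifier> implements SigningSecretManager {
    private static final Logger LOG = LoggerFactory.getLogger(SecretManager.class);

    /** Appended to ACL-validation failures so operators know which setting controls the check. */
    private static final String DISABLE_MESSAGE = "Set " + HiveConf.ConfVars.LLAP_VALIDATE_ACLS.varname
            + " to false to disable ACL validation (note that invalid ACLs on secret key paths would mean that security is compromised)";

    /** 10 s, used as the floor for the ZK connection timeout and as the per-retry unit. */
    private static final long ZK_TIMEOUT_UNIT_MS = 10000L;

    /** Configuration keys consumed by the ZK delegation-token secret manager. */
    private static final String ZK_DTSM_ZK_AUTH_TYPE = "zk-dt-secret-manager.zkAuthType";
    private static final String ZK_DTSM_KERBEROS_PRINCIPAL = "zk-dt-secret-manager.kerberos.principal";
    private static final String ZK_DTSM_KERBEROS_KEYTAB = "zk-dt-secret-manager.kerberos.keytab";
    private static final String ZK_DTSM_ZNODE_WORKING_PATH = "zk-dt-secret-manager.znodeWorkingPath";
    private static final String ZK_DTSM_ZK_SESSION_TIMEOUT = "zk-dt-secret-manager.zkSessionTimeout";
    private static final String ZK_DTSM_ZK_CONNECTION_TIMEOUT = "zk-dt-secret-manager.zkConnectionTimeout";
    private static final String ZK_DTSM_ZK_NUM_RETRIES = "zk-dt-secret-manager.zkNumRetries";
    private static final String ZK_DTSM_ZK_CONNECTION_STRING = "zk-dt-secret-manager.zkConnectionString";
    private static final String DT_MAX_LIFETIME_SEC = "delegation-token.max-lifetime.sec";
    private static final String DT_RENEW_INTERVAL_SEC = "delegation-token.renew-interval.sec";

    private final Configuration conf;
    private final String clusterId;

    /** Configuration for the ZK secret manager plus the UGI (keytab login) it must run under. */
    public static final class LlapZkConf {
        public final Configuration zkConf;
        public final UserGroupInformation zkUgi;

        public LlapZkConf(Configuration zkConf, UserGroupInformation zkUgi) {
            this.zkConf = zkConf;
            this.zkUgi = zkUgi;
        }
    }

    /**
     * Creates the manager; the configuration is validated before the superclass
     * constructor sees it (see {@link #validateConfigBeforeCtor(Configuration)}).
     *
     * @param conf      configuration already prepared for the ZK secret manager
     * @param clusterId cluster id embedded into every token identifier this manager creates
     * @throws RuntimeException if ZK authentication is not configured as {@code sasl}
     */
    public SecretManager(Configuration conf, String clusterId) {
        super(validateConfigBeforeCtor(conf));
        this.clusterId = clusterId;
        this.conf = conf;
        checkForZKDTSMBug();
    }

    /**
     * Rejects any ZK authentication type other than {@code sasl}; on a secure cluster the
     * master keys must not be stored through an unauthenticated ZK session.
     *
     * @return {@code conf} unchanged, so it can be passed straight to the super constructor
     */
    private static Configuration validateConfigBeforeCtor(Configuration conf) {
        // Drop any Curator client injected earlier so the superclass builds its own from conf.
        setCurator(null);
        String authType = conf.get(ZK_DTSM_ZK_AUTH_TYPE);
        if (!"sasl".equals(authType)) {
            throw new RuntimeException("Inconsistent configuration: secure cluster, but ZK auth is " + authType + " instead of sasl");
        }
        return conf;
    }

    /**
     * Starts the key-roller and token-remover threads and, when
     * {@code LLAP_VALIDATE_ACLS} is on and security is enabled, verifies that every
     * node under the ZK working path is accessible only to the configured principal.
     *
     * @throws IOException      from the superclass start-up
     * @throws AssertionError   if the ZK working path was never put into the configuration
     * @throws SecurityException if a key node carries an ACL for another identity
     */
    @Override
    public void startThreads() throws IOException {
        String principalUser = LlapUtil.getUserNameFromPrincipal(this.conf.get(ZK_DTSM_KERBEROS_PRINCIPAL));
        LOG.info("Starting ZK threads as user " + UserGroupInformation.getCurrentUser()
                + "; kerberos principal is configured for user (short user name) " + principalUser);
        super.startThreads();
        // The ACL check runs after start-up so that the key nodes exist; it is a
        // post-condition audit, not a gate in front of the first key write.
        if (HiveConf.getBoolVar(this.conf, HiveConf.ConfVars.LLAP_VALIDATE_ACLS) && UserGroupInformation.isSecurityEnabled()) {
            String zkPath = this.conf.get(ZK_DTSM_ZNODE_WORKING_PATH, (String) null);
            if (zkPath == null) {
                throw new AssertionError("Path was not set in config");
            }
            checkRootAcls(this.conf, zkPath, principalUser);
        }
    }

    /**
     * Works around a superclass bug where the renew interval configured in seconds is
     * stored unconverted into the millisecond field {@code tokenRenewInterval}.
     * Failures are logged and otherwise ignored, since this is a best-effort repair.
     */
    private void checkForZKDTSMBug() {
        long renewIntervalSec = this.conf.getLong(DT_RENEW_INTERVAL_SEC, -1L);
        LOG.info("Checking for tokenRenewInterval bug: " + renewIntervalSec);
        if (renewIntervalSec == -1) {
            return;
        }
        try {
            Field intervalField = AbstractDelegationTokenSecretManager.class.getDeclaredField("tokenRenewInterval");
            intervalField.setAccessible(true);
            try {
                long current = intervalField.getLong(this);
                long expectedMs = renewIntervalSec * 1000;
                LOG.info("tokenRenewInterval is: " + current + " (expected " + expectedMs + ")");
                // The field still holding the raw seconds value is the signature of the bug.
                if (current == renewIntervalSec) {
                    intervalField.setLong(this, expectedMs);
                }
            } catch (Exception e) {
                throw new RuntimeException("Failed to address tokenRenewInterval bug", e);
            }
        } catch (Throwable th) {
            // Deliberately swallowed (including the RuntimeException above): the manager
            // keeps running with whatever interval the superclass computed.
            LOG.error("Failed to check for tokenRenewInterval bug, hoping for the best", th);
        }
    }

    /** @return an empty identifier for the superclass to populate when decoding tokens */
    @Override
    public LlapTokenIdentifier createIdentifier() {
        return new LlapTokenIdentifier();
    }

    /**
     * Deserializes the identifier bytes carried by {@code token}.
     *
     * @throws IOException if the identifier bytes are malformed
     */
    @Override
    public LlapTokenIdentifier decodeTokenIdentifier(Token<LlapTokenIdentifier> token) throws IOException {
        LlapTokenIdentifier identifier = new LlapTokenIdentifier();
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(token.getIdentifier()))) {
            identifier.readFields(in);
        }
        return identifier;
    }

    /**
     * Returns the current master key, rolling a new one first if the current key id
     * has no key stored (for example right after start-up).
     *
     * @throws IOException if rolling the master key fails
     */
    @Override // org.apache.hadoop.hive.llap.security.SigningSecretManager
    public synchronized DelegationKey getCurrentKey() throws IOException {
        DelegationKey current = getDelegationKey(getCurrentKeyId());
        if (current != null) {
            return current;
        }
        HiveDelegationTokenSupport.rollMasterKey(this);
        return getDelegationKey(getCurrentKeyId());
    }

    /**
     * Signs {@code data} with the given master key.
     *
     * @return the HMAC produced by the superclass' {@code createPassword}
     */
    @Override // org.apache.hadoop.hive.llap.security.SigningSecretManager
    public byte[] signWithKey(byte[] data, DelegationKey key) {
        return createPassword(data, key.getKey());
    }

    /**
     * Signs {@code data} with the master key identified by {@code keyId}.
     *
     * @throws SecurityException if no key with that id is known to this manager
     */
    @Override // org.apache.hadoop.hive.llap.security.SigningSecretManager
    public byte[] signWithKey(byte[] data, int keyId) throws SecurityException {
        DelegationKey key = getDelegationKey(keyId);
        if (key == null) {
            throw new SecurityException("The key ID " + keyId + " was not found");
        }
        return createPassword(data, key.getKey());
    }

    /**
     * Derives the ZK secret-manager configuration from the LLAP configuration and logs
     * in with the LLAP keytab.
     *
     * @param conf          LLAP configuration (copied, not modified)
     * @param llapPrincipal Kerberos principal pattern of the LLAP daemons ({@code _HOST} is resolved)
     * @param llapKeytab    keytab file for that principal
     * @param clusterId     cluster id; the ZK working path is derived from it
     * @throws RuntimeException wrapping any IOException from principal resolution or login
     */
    private static LlapZkConf createLlapZkConf(Configuration conf, String llapPrincipal, String llapKeytab, String clusterId) {
        Configuration zkConf = new Configuration(conf);
        long tokenLifetimeSec = HiveConf.getTimeVar(conf, HiveConf.ConfVars.LLAP_DELEGATION_TOKEN_LIFETIME, TimeUnit.SECONDS);
        // Tokens are never renewed, so the renew interval equals the maximum lifetime.
        zkConf.setLong(DT_MAX_LIFETIME_SEC, tokenLifetimeSec);
        zkConf.setLong(DT_RENEW_INTERVAL_SEC, tokenLifetimeSec);
        try {
            // "0.0.0.0" makes SecurityUtil substitute the local host name for _HOST.
            zkConf.set(ZK_DTSM_KERBEROS_PRINCIPAL, SecurityUtil.getServerPrincipal(llapPrincipal, "0.0.0.0"));
            zkConf.set(ZK_DTSM_KERBEROS_KEYTAB, llapKeytab);
            String zkPath = "zkdtsm_" + clusterId;
            LOG.info("Using {} as ZK secret manager path", zkPath);
            zkConf.set(ZK_DTSM_ZNODE_WORKING_PATH, zkPath);
            zkConf.set(ZK_DTSM_ZK_AUTH_TYPE, "sasl");
            long sessionTimeoutMs = HiveConf.getTimeVar(zkConf, HiveConf.ConfVars.LLAP_ZKSM_ZK_SESSION_TIMEOUT, TimeUnit.MILLISECONDS);
            // Three retries per 10 s of session timeout; connection timeout is at least 10 s.
            long numRetries = (3 * sessionTimeoutMs) / ZK_TIMEOUT_UNIT_MS;
            long connectionTimeoutMs = Math.max(sessionTimeoutMs, ZK_TIMEOUT_UNIT_MS);
            zkConf.set(ZK_DTSM_ZK_SESSION_TIMEOUT, Long.toString(sessionTimeoutMs));
            zkConf.set(ZK_DTSM_ZK_CONNECTION_TIMEOUT, Long.toString(connectionTimeoutMs));
            zkConf.set(ZK_DTSM_ZK_NUM_RETRIES, Long.toString(numRetries));
            setZkConfIfNotSet(zkConf, ZK_DTSM_ZK_CONNECTION_STRING,
                    HiveConf.getVar(zkConf, HiveConf.ConfVars.LLAP_ZKSM_ZK_CONNECTION_STRING));
            return new LlapZkConf(zkConf, LlapUtil.loginWithKerberos(llapPrincipal, llapKeytab));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates and starts a secret manager using the LLAP principal and keytab from {@code conf}.
     *
     * @see #createSecretManager(Configuration, String, String, String)
     */
    public static SecretManager createSecretManager(Configuration conf, String clusterId) {
        return createSecretManager(conf,
                HiveConf.getVar(conf, HiveConf.ConfVars.LLAP_KERBEROS_PRINCIPAL),
                HiveConf.getVar(conf, HiveConf.ConfVars.LLAP_KERBEROS_KEYTAB_FILE),
                clusterId);
    }

    /**
     * Creates and starts a secret manager as the keytab-authenticated user, so that the
     * ZK nodes it creates are owned by that SASL identity.
     *
     * @throws RuntimeException wrapping any IOException from login or thread start-up
     */
    public static SecretManager createSecretManager(Configuration conf, String llapPrincipal, String llapKeytab, final String clusterId) {
        assert UserGroupInformation.isSecurityEnabled();
        final LlapZkConf zkConf = createLlapZkConf(conf, llapPrincipal, llapKeytab, clusterId);
        return zkConf.zkUgi.doAs(new PrivilegedAction<SecretManager>() {
            @Override
            public SecretManager run() {
                SecretManager secretManager = new SecretManager(zkConf.zkConf, clusterId);
                try {
                    secretManager.startThreads();
                    return secretManager;
                } catch (IOException e) {
                    throw new RuntimeException(e);
                }
            }
        });
    }

    /** Sets {@code key} to {@code value} only if the configuration has no value for it yet. */
    private static void setZkConfIfNotSet(Configuration conf, String key, String value) {
        if (conf.get(key) == null) {
            conf.set(key, value);
        }
    }

    /**
     * Creates a delegation token signed by this manager.
     *
     * @param appId           passed through to the identifier unchanged
     * @param user            token owner; {@code null} means the current UGI user, in which
     *                        case the real user (if proxying) is recorded as well
     * @param signingRequired passed through to the identifier unchanged
     * @throws IOException if the current user cannot be determined
     */
    public Token<LlapTokenIdentifier> createLlapToken(String appId, String user, boolean signingRequired) throws IOException {
        Text realUser = null;
        Text renewer;
        if (user == null) {
            UserGroupInformation ugi = UserGroupInformation.getCurrentUser();
            user = ugi.getUserName();
            if (ugi.getRealUser() != null) {
                realUser = new Text(ugi.getRealUser().getUserName());
            }
            renewer = new Text(ugi.getShortUserName());
        } else {
            renewer = new Text(user);
        }
        Token<LlapTokenIdentifier> token = new Token<>(
                new LlapTokenIdentifier(new Text(user), renewer, realUser, this.clusterId, appId, signingRequired), this);
        if (LOG.isInfoEnabled()) {
            LOG.info("Created LLAP token {}", token);
        }
        return token;
    }

    /** Stops the background threads; the ZK session is released by the superclass. */
    @Override // org.apache.hadoop.hive.llap.security.SigningSecretManager
    public void close() {
        stopThreads();
    }

    /**
     * Opens a separate, short-lived ZK client and checks the ACLs of every child of
     * {@code /<zkPath>/ZKDTSMRoot}. Only the direct children are inspected; the root
     * node itself is not, and an empty root passes trivially.
     *
     * @throws SecurityException if a node is accessible to an identity other than {@code sasl:<user>}
     * @throws RuntimeException  wrapping any ZK/Curator failure
     */
    private static void checkRootAcls(Configuration conf, String zkPath, String user) {
        CuratorFramework zk = CuratorFrameworkFactory.builder()
                .namespace((String) null)
                .retryPolicy(new RetryOneTime(10))
                .sessionTimeoutMs(conf.getInt(ZK_DTSM_ZK_SESSION_TIMEOUT, 10000))
                .connectionTimeoutMs(conf.getInt(ZK_DTSM_ZK_CONNECTION_TIMEOUT, 10000))
                .ensembleProvider(new FixedEnsembleProvider(conf.get(ZK_DTSM_ZK_CONNECTION_STRING)))
                .build();
        String root = "/" + zkPath + "/ZKDTSMRoot";
        Id expectedId = new Id("sasl", user);
        try {
            zk.start();
            for (String child : zk.getChildren().forPath(root)) {
                checkAcls(zk, expectedId, root + "/" + child);
            }
        } catch (SecurityException e) {
            // Let ACL violations surface with their own type and message.
            throw e;
        } catch (Exception e) {
            throw new RuntimeException(e);
        } finally {
            zk.close();
        }
    }

    /**
     * Requires that {@code path} has a non-empty ACL list in which every entry names
     * {@code expectedId}. Only the identity is compared; whatever permissions are
     * granted to that single identity are accepted.
     *
     * @throws SecurityException if the ACL list is empty or names another identity
     * @throws RuntimeException  wrapping a failure to read the ACLs
     */
    private static void checkAcls(CuratorFramework zk, Id expectedId, String path) {
        List<ACL> acls;
        try {
            acls = zk.getACL().forPath(path);
        } catch (Exception e) {
            throw new RuntimeException("Error during the ACL check. " + DISABLE_MESSAGE, e);
        }
        if (acls == null || acls.isEmpty()) {
            throw new SecurityException("No ACLs on " + path + ". " + DISABLE_MESSAGE);
        }
        for (ACL acl : acls) {
            if (!expectedId.equals(acl.getId())) {
                throw new SecurityException("The ACL " + acl + " is unnacceptable for " + path
                        + "; only " + expectedId + " is allowed. " + DISABLE_MESSAGE);
            }
        }
    }

    /**
     * Verifies a serialized token against the stored master keys. On an unsecured
     * cluster this is a no-op: no token is required and none is checked.
     *
     * @param tokenBytes the serialized {@link Token}, or {@code null}
     * @throws SecurityException if security is enabled and the token is missing or undecodable
     * @throws IOException       if the bytes are malformed
     */
    public void verifyToken(byte[] tokenBytes) throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return;
        }
        if (tokenBytes == null) {
            throw new SecurityException("Token required for authentication");
        }
        Token<LlapTokenIdentifier> token = new Token<>();
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(tokenBytes))) {
            token.readFields(in);
        }
        LlapTokenIdentifier identifier = token.decodeIdentifier();
        if (identifier == null) {
            // decodeIdentifier() yields null for a token kind with no registered identifier
            // class; reject explicitly instead of failing with an NPE in the superclass.
            throw new SecurityException("Token identifier could not be decoded (kind " + token.getKind() + ")");
        }
        verifyToken(identifier, token.getPassword());
    }
}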
