package io.hops.hopsworks.common.security;

import io.hops.hopsworks.common.dao.certificates.CertsFacade;
import io.hops.hopsworks.common.dao.certificates.ProjectGenericUserCerts;
import io.hops.hopsworks.common.dao.certificates.UserCerts;
import io.hops.hopsworks.common.dao.project.Project;
import io.hops.hopsworks.common.dao.project.ProjectFacade;
import io.hops.hopsworks.common.dao.user.UserFacade;
import io.hops.hopsworks.common.dao.user.Users;
import io.hops.hopsworks.common.exception.CryptoPasswordNotFoundException;
import io.hops.hopsworks.common.hdfs.DistributedFileSystemOps;
import io.hops.hopsworks.common.hdfs.DistributedFsService;
import io.hops.hopsworks.common.hdfs.HdfsUsersController;
import io.hops.hopsworks.common.security.dao.RemoteMaterialRefID;
import io.hops.hopsworks.common.security.dao.RemoteMaterialReferences;
import io.hops.hopsworks.common.util.HopsUtils;
import io.hops.hopsworks.common.util.Settings;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Comparator;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentSkipListSet;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.annotation.Resource;
import javax.ejb.ConcurrencyManagement;
import javax.ejb.ConcurrencyManagementType;
import javax.ejb.DependsOn;
import javax.ejb.EJB;
import javax.ejb.Singleton;
import javax.enterprise.concurrent.ManagedScheduledExecutorService;
import org.apache.commons.collections.Bag;
import org.apache.commons.collections.MapUtils;
import org.apache.commons.collections.bag.HashBag;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.fs.FSDataOutputStream;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;

@Singleton
@DependsOn({"Settings"})
@ConcurrencyManagement(ConcurrencyManagementType.BEAN)
/* loaded from: input_file:io/hops/hopsworks/common/security/CertificateMaterializer.class */
public class CertificateMaterializer {
    private static final Logger LOG = Logger.getLogger(CertificateMaterializer.class.getName());
    private static final Pattern HDFS_SCHEME = Pattern.compile("^hdfs://.*");
    private static final int MAX_NUMBER_OF_RETRIES = 3;
    private static final long RETRY_WAIT_TIMEOUT = 10;
    private String lock_id;
    private String transientDir;
    private Long DELAY_VALUE;
    private TimeUnit DELAY_TIMEUNIT;

    @EJB
    private Settings settings;

    @EJB
    private CertsFacade certsFacade;

    @EJB
    private ProjectFacade projectFacade;

    @EJB
    private HdfsUsersController hdfsUsersController;

    @EJB
    private UserFacade userFacade;

    @EJB
    private CertificatesMgmService certificatesMgmService;

    @EJB
    private RemoteMaterialReferencesFacade remoteMaterialReferencesFacade;

    @EJB
    private DistributedFsService distributedFsService;

    @Resource
    private ManagedScheduledExecutorService scheduler;
    private final Map<MaterialKey, ReentrantReadWriteLock> materialKeyLocks = new ConcurrentHashMap();
    private final Map<MaterialKey, Bag> materializedCerts = new HashMap();
    private final Map<MaterialKey, CryptoMaterial> materialCache = new HashMap();
    private final Map<MaterialKey, Map<String, LocalFileRemover>> fileRemovers = new HashMap();
    private final Set<Integer> projectsWithOpenInterpreters = new ConcurrentSkipListSet();

    /* loaded from: input_file:io/hops/hopsworks/common/security/CertificateMaterializer$CryptoMaterial.class */
    public class CryptoMaterial {
        private final ByteBuffer keyStore;
        private final ByteBuffer trustStore;
        private final char[] password;

        public CryptoMaterial(ByteBuffer byteBuffer, ByteBuffer byteBuffer2, char[] cArr) {
            this.keyStore = byteBuffer;
            this.trustStore = byteBuffer2;
            this.password = cArr;
        }

        public ByteBuffer getKeyStore() {
            return this.keyStore;
        }

        public ByteBuffer getTrustStore() {
            return this.trustStore;
        }

        public char[] getPassword() {
            return this.password;
        }

        public void wipePassword() {
            for (int i = 0; i < this.password.length; i++) {
                this.password[i] = 0;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/hops/hopsworks/common/security/CertificateMaterializer$LocalFileRemover.class */
    public class LocalFileRemover implements Runnable {
        private final MaterialKey key;
        private final CryptoMaterial cryptoMaterial;
        private final String materializationDirectory;
        private ScheduledFuture scheduledFuture;

        private LocalFileRemover(MaterialKey materialKey, CryptoMaterial cryptoMaterial, String str) {
            this.key = materialKey;
            this.cryptoMaterial = cryptoMaterial;
            this.materializationDirectory = str != null ? str : CertificateMaterializer.this.transientDir;
        }

        @Override // java.lang.Runnable
        public void run() {
            ReentrantReadWriteLock.WriteLock writeLock = null;
            try {
                writeLock = CertificateMaterializer.this.getWriteLockForKey(this.key);
                writeLock.lock();
                CertificateMaterializer.this.deleteMaterialFromLocalFs(this.key, this.materializationDirectory);
                Map map = (Map) CertificateMaterializer.this.fileRemovers.get(this.key);
                if (map != null) {
                    map.remove(this.materializationDirectory);
                    if (map.isEmpty()) {
                        CertificateMaterializer.this.fileRemovers.remove(this.key);
                    }
                    Bag bag = (Bag) CertificateMaterializer.this.materializedCerts.get(this.key);
                    if (bag != null && bag.isEmpty()) {
                        CertificateMaterializer.this.materializedCerts.remove(this.key);
                        CryptoMaterial cryptoMaterial = (CryptoMaterial) CertificateMaterializer.this.materialCache.remove(this.key);
                        if (cryptoMaterial != null) {
                            cryptoMaterial.wipePassword();
                        }
                    }
                    CertificateMaterializer.LOG.log(Level.FINEST, "Deleted crypto material for <" + this.key.getExtendedUsername() + "> from directory " + this.materializationDirectory);
                }
                CertificateMaterializer.this.removeLockForKey(this.key);
                writeLock.unlock();
            } catch (Throwable th) {
                writeLock.unlock();
                throw th;
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/hops/hopsworks/common/security/CertificateMaterializer$MaterialKey.class */
    public class MaterialKey {
        private final String username;
        private final String projectName;
        private final boolean isProjectUser;

        private MaterialKey(String str, String str2) {
            this.username = str;
            if (str == null) {
                this.isProjectUser = true;
            } else {
                this.isProjectUser = false;
            }
            this.projectName = str2;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean isProjectUser() {
            return this.isProjectUser;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public String getExtendedUsername() {
            return this.isProjectUser ? this.projectName + Settings.PROJECT_GENERIC_USER_SUFFIX : this.projectName + "__" + this.username;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj instanceof MaterialKey) {
                return (null == this.username || null == ((MaterialKey) obj).username) ? this.projectName.equals(((MaterialKey) obj).projectName) : this.username.equals(((MaterialKey) obj).username) && this.projectName.equals(((MaterialKey) obj).projectName);
            }
            return false;
        }

        public int hashCode() {
            int i = 17;
            if (null != this.username) {
                i = (31 * 17) + this.username.hashCode();
            }
            return (31 * i) + this.projectName.hashCode();
        }
    }

    /* loaded from: input_file:io/hops/hopsworks/common/security/CertificateMaterializer$MaterializerState.class */
    public class MaterializerState<T, S, R, P> {
        private final T localMaterial;
        private final S remoteMaterial;
        private final R scheduledRemovals;
        private final P materialKeyLocks;

        public MaterializerState(T t, S s, R r, P p) {
            this.localMaterial = t;
            this.remoteMaterial = s;
            this.scheduledRemovals = r;
            this.materialKeyLocks = p;
        }

        public T getLocalMaterial() {
            return this.localMaterial;
        }

        public S getRemoteMaterial() {
            return this.remoteMaterial;
        }

        public R getScheduledRemovals() {
            return this.scheduledRemovals;
        }

        public P getMaterialKeyLocks() {
            return this.materialKeyLocks;
        }
    }

    @PostConstruct
    public void init() {
        PosixFileAttributeView posixFileAttributeView;
        Set<PosixFilePermission> permissions;
        boolean contains;
        boolean contains2;
        boolean contains3;
        boolean contains4;
        boolean contains5;
        boolean contains6;
        boolean contains7;
        boolean contains8;
        boolean contains9;
        File file = new File(this.settings.getHopsworksTmpCertDir());
        if (!file.exists()) {
            throw new IllegalStateException("Transient certificates directory <" + file.getAbsolutePath() + "> does NOT exist!");
        }
        try {
            posixFileAttributeView = (PosixFileAttributeView) Files.getFileAttributeView(file.toPath(), PosixFileAttributeView.class, LinkOption.NOFOLLOW_LINKS);
            permissions = posixFileAttributeView.readAttributes().permissions();
            contains = permissions.contains(PosixFilePermission.OWNER_READ);
            contains2 = permissions.contains(PosixFilePermission.OWNER_WRITE);
            contains3 = permissions.contains(PosixFilePermission.OWNER_EXECUTE);
            contains4 = permissions.contains(PosixFilePermission.GROUP_READ);
            contains5 = permissions.contains(PosixFilePermission.GROUP_WRITE);
            contains6 = permissions.contains(PosixFilePermission.GROUP_EXECUTE);
            contains7 = permissions.contains(PosixFilePermission.OTHERS_READ);
            contains8 = permissions.contains(PosixFilePermission.OTHERS_WRITE);
            contains9 = permissions.contains(PosixFilePermission.OTHERS_EXECUTE);
        } catch (IOException e) {
            throw new IllegalStateException("Error while getting filesystem permissions of " + file.getAbsolutePath(), e);
        } catch (UnsupportedOperationException e2) {
            LOG.log(Level.WARNING, "Associated filesystem is not POSIX compliant. Continue without checking the permissions of " + file.getAbsolutePath() + " This might be a security problem.");
        }
        if (contains && contains2 && contains3 && contains4 && !contains5 && contains6 && !contains7) {
            if ((!contains8) & (!contains9)) {
                LOG.log(Level.INFO, "Passed permissions check for " + file.getAbsolutePath() + ". Owner: " + posixFileAttributeView.readAttributes().owner().getName() + " Group: " + posixFileAttributeView.readAttributes().group().getName() + " permissions: " + PosixFilePermissions.toString(permissions));
                try {
                    FileUtils.cleanDirectory(file);
                } catch (IOException e3) {
                    LOG.log(Level.WARNING, "Could not clean directory " + file.getAbsolutePath() + " during startup, there might be stale certificates", (Throwable) e3);
                }
                this.transientDir = file.getAbsolutePath();
                String certificateMaterializerDelay = this.settings.getCertificateMaterializerDelay();
                this.DELAY_VALUE = this.settings.getConfTimeValue(certificateMaterializerDelay);
                this.DELAY_TIMEUNIT = this.settings.getConfTimeTimeUnit(certificateMaterializerDelay);
                try {
                    String str = InetAddress.getLocalHost().getHostAddress() + "_" + Thread.currentThread().getId();
                    this.lock_id = str.length() <= 30 ? str : str.substring(0, 30);
                    return;
                } catch (UnknownHostException e4) {
                    throw new IllegalStateException(e4);
                }
            }
        }
        throw new IllegalStateException("Wrong permissions for " + file.getAbsolutePath() + ", it should be 0750");
    }

    @PreDestroy
    public void tearDown() {
        try {
            FileUtils.cleanDirectory(new File(this.transientDir));
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "Could not clean directory " + this.transientDir + " Administrator should clean it manually!", (Throwable) e);
        }
    }

    public void materializeCertificatesLocal(String str) throws IOException {
        materializeCertificatesLocal(null, str);
    }

    public void materializeCertificatesLocal(String str, String str2) throws IOException {
        MaterialKey materialKey = new MaterialKey(str, str2);
        ReentrantReadWriteLock.WriteLock writeLock = null;
        try {
            writeLock = getWriteLockForKey(materialKey);
            writeLock.lock();
            materializeLocalInternal(materialKey, this.transientDir);
            writeLock.unlock();
        } catch (Throwable th) {
            writeLock.unlock();
            throw th;
        }
    }

    private ReentrantReadWriteLock.ReadLock getReadLockForKey(MaterialKey materialKey) {
        ReentrantReadWriteLock lockForKey = getLockForKey(materialKey, false);
        if (lockForKey != null) {
            return lockForKey.readLock();
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public ReentrantReadWriteLock.WriteLock getWriteLockForKey(MaterialKey materialKey) {
        return getLockForKey(materialKey, true).writeLock();
    }

    private ReentrantReadWriteLock getLockForKey(MaterialKey materialKey, boolean z) {
        if (z) {
            this.materialKeyLocks.putIfAbsent(materialKey, new ReentrantReadWriteLock(true));
        }
        return this.materialKeyLocks.get(materialKey);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void removeLockForKey(MaterialKey materialKey) {
        this.materialKeyLocks.remove(materialKey);
    }

    public void materializeCertificatesLocalCustomDir(String str, String str2) throws IOException {
        materializeCertificatesLocalCustomDir(null, str, str2);
    }

    public void materializeCertificatesLocalCustomDir(String str, String str2, String str3) throws IOException {
        MaterialKey materialKey = new MaterialKey(str, str2);
        String str4 = str3 != null ? str3 : this.transientDir;
        ReentrantReadWriteLock.WriteLock writeLock = null;
        try {
            writeLock = getWriteLockForKey(materialKey);
            writeLock.lock();
            materializeLocalInternal(materialKey, str4);
            writeLock.unlock();
        } catch (Throwable th) {
            writeLock.unlock();
            throw th;
        }
    }

    public void removeCertificatesLocal(String str) {
        removeCertificatesLocal(null, str);
    }

    public void removeCertificatesLocal(String str, String str2) {
        MaterialKey materialKey = new MaterialKey(str, str2);
        ReentrantReadWriteLock.WriteLock writeLock = null;
        boolean z = false;
        try {
            writeLock = getWriteLockForKey(materialKey);
            writeLock.lock();
            z = removeLocal(materialKey, this.transientDir);
            if (!z) {
                removeLockForKey(materialKey);
            }
            writeLock.unlock();
        } catch (Throwable th) {
            if (!z) {
                removeLockForKey(materialKey);
            }
            writeLock.unlock();
            throw th;
        }
    }

    public void removeCertificatesLocalCustomDir(String str, String str2) {
        removeCertificatesLocalCustomDir(null, str, str2);
    }

    public void removeCertificatesLocalCustomDir(String str, String str2, String str3) {
        MaterialKey materialKey = new MaterialKey(str, str2);
        String str4 = str3 != null ? str3 : this.transientDir;
        ReentrantReadWriteLock.WriteLock writeLock = null;
        boolean z = false;
        try {
            writeLock = getWriteLockForKey(materialKey);
            writeLock.lock();
            z = removeLocal(materialKey, str4);
            if (!z) {
                removeLockForKey(materialKey);
            }
            writeLock.unlock();
        } catch (Throwable th) {
            if (!z) {
                removeLockForKey(materialKey);
            }
            writeLock.unlock();
            throw th;
        }
    }

    public void materializeCertificatesRemote(String str, String str2, String str3, String str4, FsPermission fsPermission, String str5) throws IOException {
        if (str5 == null) {
            throw new IllegalArgumentException("Remote directory should not be null");
        }
        String normalizeURI = normalizeURI(str5);
        MaterialKey materialKey = new MaterialKey(str, str2);
        ReentrantReadWriteLock.WriteLock writeLock = null;
        try {
            writeLock = getWriteLockForKey(materialKey);
            writeLock.lock();
            materializeRemoteInternal(materialKey, str3, str4, fsPermission, normalizeURI);
            writeLock.unlock();
        } catch (Throwable th) {
            writeLock.unlock();
            throw th;
        }
    }

    public void removeCertificatesRemote(String str, String str2, String str3) {
        if (str3 == null) {
            throw new IllegalArgumentException("Remote directory cannot be null");
        }
        String normalizeURI = normalizeURI(str3);
        MaterialKey materialKey = new MaterialKey(str, str2);
        ReentrantReadWriteLock.WriteLock writeLock = null;
        boolean z = false;
        try {
            writeLock = getWriteLockForKey(materialKey);
            writeLock.lock();
            z = removeRemoteInternal(materialKey, normalizeURI, false);
            if (!z) {
                removeLockForKey(materialKey);
            }
            writeLock.unlock();
        } catch (Throwable th) {
            if (!z) {
                removeLockForKey(materialKey);
            }
            writeLock.unlock();
            throw th;
        }
    }

    public void forceRemoveRemoteMaterial(String str, String str2, String str3, boolean z) {
        if (str3 == null) {
            throw new IllegalArgumentException("Remote directory cannot be null");
        }
        String normalizeURI = normalizeURI(str3);
        MaterialKey materialKey = new MaterialKey(str, str2);
        ReentrantReadWriteLock.WriteLock writeLock = null;
        boolean z2 = false;
        try {
            writeLock = getWriteLockForKey(materialKey);
            writeLock.unlock();
            z2 = removeRemoteInternal(materialKey, normalizeURI, true);
            if (z) {
                ReentrantReadWriteLock.WriteLock writeLock2 = null;
                boolean z3 = false;
                materialKey = new MaterialKey(null, str2);
                try {
                    writeLock2 = getWriteLockForKey(materialKey);
                    writeLock2.lock();
                    z3 = removeRemoteInternal(materialKey, normalizeURI, true);
                    if (!z3) {
                        removeLockForKey(materialKey);
                    }
                    writeLock2.unlock();
                } catch (Throwable th) {
                    if (!z3) {
                        removeLockForKey(materialKey);
                    }
                    writeLock2.unlock();
                    throw th;
                }
            }
            if (!z2) {
                removeLockForKey(materialKey);
            }
            writeLock.unlock();
        } catch (Throwable th2) {
            if (!z2) {
                removeLockForKey(materialKey);
            }
            writeLock.unlock();
            throw th2;
        }
    }

    public CryptoMaterial getUserMaterial(String str) throws CryptoPasswordNotFoundException {
        return getUserMaterial(null, str);
    }

    public CryptoMaterial getUserMaterial(String str, String str2) throws CryptoPasswordNotFoundException {
        MaterialKey materialKey = new MaterialKey(str, str2);
        ReentrantReadWriteLock.ReadLock readLock = null;
        try {
            ReentrantReadWriteLock.ReadLock readLockForKey = getReadLockForKey(materialKey);
            if (readLockForKey == null) {
                throw new CryptoPasswordNotFoundException("Could not find a lock associated with this key " + materialKey.getExtendedUsername());
            }
            readLockForKey.lock();
            CryptoMaterial cryptoMaterial = this.materialCache.get(materialKey);
            if (cryptoMaterial == null) {
                throw new CryptoPasswordNotFoundException("Cryptographic material for user <" + materialKey.getExtendedUsername() + " does not exist in the cache!");
            }
            if (readLockForKey != null) {
                readLockForKey.unlock();
            }
            return cryptoMaterial;
        } catch (Throwable th) {
            if (0 != 0) {
                readLock.unlock();
            }
            throw th;
        }
    }

    public void forceRemoveLocalMaterial(String str, String str2, String str3, boolean z) {
        forceRemoveLocalMaterial(str, str2, str3);
        if (z) {
            forceRemoveLocalMaterial(null, str2, str3);
        }
    }

    public boolean existsInLocalStore(String str, String str2, String str3) {
        String str4 = str3 != null ? str3 : this.transientDir;
        MaterialKey materialKey = new MaterialKey(str, str2);
        ReentrantReadWriteLock.ReadLock readLock = null;
        try {
            ReentrantReadWriteLock.ReadLock readLockForKey = getReadLockForKey(materialKey);
            if (readLockForKey == null) {
                LOG.log(Level.WARNING, "Could not find read lock for key " + materialKey.getExtendedUsername());
                if (readLockForKey != null) {
                    readLockForKey.unlock();
                }
                return false;
            }
            readLockForKey.lock();
            Bag bag = this.materializedCerts.get(materialKey);
            if (bag == null) {
                if (readLockForKey != null) {
                    readLockForKey.unlock();
                }
                return false;
            }
            boolean contains = bag.contains(str4);
            if (readLockForKey != null) {
                readLockForKey.unlock();
            }
            return contains;
        } catch (Throwable th) {
            if (0 != 0) {
                readLock.unlock();
            }
            throw th;
        }
    }

    public boolean existsInRemoteStore(String str, String str2, String str3) {
        if (str3 == null) {
            throw new IllegalArgumentException("Remote directory cannot be null");
        }
        return this.remoteMaterialReferencesFacade.findById(new RemoteMaterialRefID(new MaterialKey(str, str2).getExtendedUsername(), str3)) != null;
    }

    public MaterializerState<Map<String, Map<String, Integer>>, Map<String, Map<String, Integer>>, Map<String, Set<String>>, Map<String, Boolean>> getState() {
        MaterializerState<Map<MaterialKey, Bag>, List<RemoteMaterialReferences>, Map<MaterialKey, Map<String, Runnable>>, Map<MaterialKey, ReentrantReadWriteLock>> immutableState = getImmutableState();
        Map<MaterialKey, Bag> localMaterial = immutableState.getLocalMaterial();
        HashMap hashMap = new HashMap(localMaterial.size());
        for (Map.Entry<MaterialKey, Bag> entry : localMaterial.entrySet()) {
            String extendedUsername = entry.getKey().getExtendedUsername();
            HashMap hashMap2 = new HashMap();
            Bag value = entry.getValue();
            for (String str : value.uniqueSet()) {
                hashMap2.put(str, Integer.valueOf(value.getCount(str)));
            }
            hashMap.put(extendedUsername, hashMap2);
        }
        List<RemoteMaterialReferences> remoteMaterial = immutableState.getRemoteMaterial();
        HashMap hashMap3 = new HashMap(remoteMaterial.size());
        for (RemoteMaterialReferences remoteMaterialReferences : remoteMaterial) {
            String username = remoteMaterialReferences.getIdentifier().getUsername();
            Map map = (Map) hashMap3.get(username);
            if (map == null) {
                HashMap hashMap4 = new HashMap();
                hashMap4.put(remoteMaterialReferences.getIdentifier().getPath(), remoteMaterialReferences.getReferences());
                hashMap3.put(username, hashMap4);
            } else {
                map.put(remoteMaterialReferences.getIdentifier().getPath(), remoteMaterialReferences.getReferences());
            }
        }
        Map<MaterialKey, Map<String, Runnable>> scheduledRemovals = immutableState.getScheduledRemovals();
        HashMap hashMap5 = new HashMap();
        for (Map.Entry<MaterialKey, Map<String, Runnable>> entry2 : scheduledRemovals.entrySet()) {
            hashMap5.put(entry2.getKey().getExtendedUsername(), entry2.getValue().keySet());
        }
        Map<MaterialKey, ReentrantReadWriteLock> materialKeyLocks = immutableState.getMaterialKeyLocks();
        HashMap hashMap6 = new HashMap(materialKeyLocks.size());
        for (Map.Entry<MaterialKey, ReentrantReadWriteLock> entry3 : materialKeyLocks.entrySet()) {
            hashMap6.put(entry3.getKey().getExtendedUsername(), Boolean.valueOf(entry3.getValue().isWriteLocked()));
        }
        return new MaterializerState<>(hashMap, hashMap3, hashMap5, hashMap6);
    }

    private MaterializerState<Map<MaterialKey, Bag>, List<RemoteMaterialReferences>, Map<MaterialKey, Map<String, Runnable>>, Map<MaterialKey, ReentrantReadWriteLock>> getImmutableState() {
        TreeSet<ReentrantReadWriteLock> acquireWriteLocks = acquireWriteLocks(null);
        try {
            Map unmodifiableMap = MapUtils.unmodifiableMap(this.materializedCerts);
            Map unmodifiableMap2 = MapUtils.unmodifiableMap(this.fileRemovers);
            Map unmodifiableMap3 = MapUtils.unmodifiableMap((Map) null);
            List<RemoteMaterialReferences> findAll = this.remoteMaterialReferencesFacade.findAll();
            releaseWriteLocks(acquireWriteLocks);
            return new MaterializerState<>(unmodifiableMap, findAll, unmodifiableMap2, unmodifiableMap3);
        } catch (Throwable th) {
            releaseWriteLocks(acquireWriteLocks);
            throw th;
        }
    }

    private TreeSet<ReentrantReadWriteLock> acquireWriteLocks(Map<MaterialKey, ReentrantReadWriteLock> map) {
        TreeSet<ReentrantReadWriteLock> treeSet = new TreeSet<>(new Comparator<ReentrantReadWriteLock>() { // from class: io.hops.hopsworks.common.security.CertificateMaterializer.1
            @Override // java.util.Comparator
            public int compare(ReentrantReadWriteLock reentrantReadWriteLock, ReentrantReadWriteLock reentrantReadWriteLock2) {
                if (reentrantReadWriteLock.hashCode() < reentrantReadWriteLock2.hashCode()) {
                    return -1;
                }
                return reentrantReadWriteLock.hashCode() > reentrantReadWriteLock2.hashCode() ? 1 : 0;
            }
        });
        map.values().stream().forEach(reentrantReadWriteLock -> {
            reentrantReadWriteLock.writeLock().lock();
            treeSet.add(reentrantReadWriteLock);
        });
        return treeSet;
    }

    private void releaseWriteLocks(TreeSet<ReentrantReadWriteLock> treeSet) {
        treeSet.descendingSet().stream().forEach(reentrantReadWriteLock -> {
            reentrantReadWriteLock.writeLock().unlock();
        });
    }

    public boolean openedInterpreter(Integer num) {
        return this.projectsWithOpenInterpreters.add(num);
    }

    public void closedInterpreter(Integer num) {
        this.projectsWithOpenInterpreters.remove(num);
    }

    private void materializeLocalInternal(MaterialKey materialKey, String str) throws IOException {
        Bag bag = this.materializedCerts.get(materialKey);
        if (bag == null) {
            if (checkWithScheduledRemovalsLocal(materialKey, str)) {
                CryptoMaterial materialFromDatabase = getMaterialFromDatabase(materialKey);
                this.materialCache.put(materialKey, materialFromDatabase);
                flushToLocalFileSystem(materialKey, materialFromDatabase, str);
                Bag hashBag = new HashBag();
                hashBag.add(str != null ? str : this.transientDir, 1);
                this.materializedCerts.put(materialKey, hashBag);
                return;
            }
            return;
        }
        if (bag.getCount(str) != 0) {
            bag.add(str, 1);
            return;
        }
        if (checkWithScheduledRemovalsLocal(materialKey, str)) {
            CryptoMaterial cryptoMaterial = this.materialCache.get(materialKey);
            if (cryptoMaterial == null) {
                cryptoMaterial = getMaterialFromDatabase(materialKey);
            }
            flushToLocalFileSystem(materialKey, cryptoMaterial, str);
            bag.add(str, 1);
        }
    }

    private boolean checkWithScheduledRemovalsLocal(MaterialKey materialKey, String str) throws IOException {
        LocalFileRemover localFileRemover;
        Map<String, LocalFileRemover> map = this.fileRemovers.get(materialKey);
        if (map == null || (localFileRemover = map.get(str)) == null) {
            return true;
        }
        if (!localFileRemover.scheduledFuture.cancel(false)) {
            forceRemoveLocalMaterial(materialKey.username, materialKey.projectName, str);
            return true;
        }
        if (!this.materialCache.containsKey(materialKey)) {
            if (localFileRemover.cryptoMaterial != null) {
                this.materialCache.put(materialKey, localFileRemover.cryptoMaterial);
            } else {
                this.materialCache.put(materialKey, getMaterialFromDatabase(materialKey));
            }
        }
        Bag bag = this.materializedCerts.get(materialKey);
        if (bag != null) {
            bag.add(str, 1);
        } else {
            Bag hashBag = new HashBag();
            hashBag.add(str);
            this.materializedCerts.put(materialKey, hashBag);
        }
        map.remove(str);
        if (!map.isEmpty()) {
            return false;
        }
        this.fileRemovers.remove(materialKey);
        return false;
    }

    private void flushToLocalFileSystem(MaterialKey materialKey, CryptoMaterial cryptoMaterial, String str) throws IOException {
        String str2 = str != null ? str : this.transientDir;
        File file = Paths.get(str2, materialKey.getExtendedUsername() + Settings.KEYSTORE_SUFFIX).toFile();
        File file2 = Paths.get(str2, materialKey.getExtendedUsername() + Settings.TRUSTSTORE_SUFFIX).toFile();
        File file3 = Paths.get(str2, materialKey.getExtendedUsername() + Settings.CERT_PASS_SUFFIX).toFile();
        FileUtils.writeByteArrayToFile(file, cryptoMaterial.getKeyStore().array(), false);
        FileUtils.writeByteArrayToFile(file2, cryptoMaterial.getTrustStore().array(), false);
        FileUtils.write(file3, new String(cryptoMaterial.getPassword()), false);
    }

    private boolean removeLocal(MaterialKey materialKey, String str) {
        Bag bag = this.materializedCerts.get(materialKey);
        if (bag == null) {
            return false;
        }
        bag.remove(str, 1);
        if (bag.getCount(str) > 0) {
            return true;
        }
        scheduleFileRemover(materialKey, str);
        return true;
    }

    private void scheduleFileRemover(MaterialKey materialKey, String str) {
        LocalFileRemover localFileRemover = new LocalFileRemover(materialKey, this.materialCache.get(materialKey), str);
        localFileRemover.scheduledFuture = this.scheduler.schedule(localFileRemover, this.DELAY_VALUE.longValue(), this.DELAY_TIMEUNIT);
        Map<String, LocalFileRemover> map = this.fileRemovers.get(materialKey);
        if (map != null) {
            map.put(str, localFileRemover);
        } else {
            HashMap hashMap = new HashMap();
            hashMap.put(str, localFileRemover);
            this.fileRemovers.put(materialKey, hashMap);
        }
        LOG.log(Level.FINEST, "Scheduled local file removal for <" + materialKey.getExtendedUsername() + ">");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void deleteMaterialFromLocalFs(MaterialKey materialKey, String str) {
        File file = Paths.get(str, materialKey.getExtendedUsername() + Settings.KEYSTORE_SUFFIX).toFile();
        File file2 = Paths.get(str, materialKey.getExtendedUsername() + Settings.TRUSTSTORE_SUFFIX).toFile();
        File file3 = Paths.get(str, materialKey.getExtendedUsername() + Settings.CERT_PASS_SUFFIX).toFile();
        FileUtils.deleteQuietly(file);
        FileUtils.deleteQuietly(file2);
        FileUtils.deleteQuietly(file3);
    }

    private void forceRemoveLocalMaterial(String str, String str2, String str3) {
        String str4;
        ReentrantReadWriteLock.WriteLock writeLock = null;
        if (str3 != null) {
            str4 = str3;
        } else {
            try {
                str4 = this.transientDir;
            } catch (Throwable th) {
                writeLock.unlock();
                throw th;
            }
        }
        String str5 = str4;
        MaterialKey materialKey = new MaterialKey(str, str2);
        writeLock = getWriteLockForKey(materialKey);
        writeLock.lock();
        Map<String, LocalFileRemover> map = this.fileRemovers.get(materialKey);
        if (map != null) {
            LocalFileRemover remove = map.remove(str5);
            if (remove != null) {
                remove.scheduledFuture.cancel(true);
            }
            if (map.isEmpty()) {
                this.fileRemovers.remove(materialKey);
            }
        }
        Bag bag = this.materializedCerts.get(materialKey);
        if (bag != null) {
            bag.remove(str5);
            if (bag.isEmpty()) {
                this.materializedCerts.remove(materialKey);
                CryptoMaterial remove2 = this.materialCache.remove(materialKey);
                if (remove2 != null) {
                    remove2.wipePassword();
                }
            }
        }
        deleteMaterialFromLocalFs(materialKey, str5);
        removeLockForKey(materialKey);
        writeLock.unlock();
    }

    private void materializeRemoteInternal(MaterialKey materialKey, String str, String str2, FsPermission fsPermission, String str3) throws IOException {
        RemoteMaterialReferences remoteMaterialReferences = null;
        RemoteMaterialRefID remoteMaterialRefID = new RemoteMaterialRefID(materialKey.getExtendedUsername(), str3);
        int i = 0;
        while (remoteMaterialReferences == null && i < MAX_NUMBER_OF_RETRIES) {
            try {
                try {
                    remoteMaterialReferences = this.remoteMaterialReferencesFacade.acquireLock(remoteMaterialRefID, this.lock_id);
                    if (remoteMaterialReferences == null) {
                        this.remoteMaterialReferencesFacade.createNewMaterialReference(remoteMaterialRefID);
                        remoteMaterialReferences = this.remoteMaterialReferencesFacade.acquireLock(remoteMaterialRefID, this.lock_id);
                        CryptoMaterial cryptoMaterial = this.materialCache.get(materialKey);
                        if (cryptoMaterial == null) {
                            cryptoMaterial = getMaterialFromDatabase(materialKey);
                        }
                        DistributedFileSystemOps dfsOps = this.distributedFsService.getDfsOps();
                        try {
                            Path path = new Path(str3 + "/" + materialKey.getExtendedUsername() + Settings.KEYSTORE_SUFFIX);
                            writeToHDFS(dfsOps, path, cryptoMaterial.getKeyStore().array());
                            dfsOps.setOwner(path, str, str2);
                            dfsOps.setPermission(path, fsPermission);
                            Path path2 = new Path(str3 + "/" + materialKey.getExtendedUsername() + Settings.TRUSTSTORE_SUFFIX);
                            writeToHDFS(dfsOps, path2, cryptoMaterial.getTrustStore().array());
                            dfsOps.setOwner(path2, str, str2);
                            dfsOps.setPermission(path2, fsPermission);
                            Path path3 = new Path(str3 + "/" + materialKey.getExtendedUsername() + Settings.CERT_PASS_SUFFIX);
                            writeToHDFS(dfsOps, path3, new String(cryptoMaterial.getPassword()).getBytes());
                            dfsOps.setOwner(path3, str, str2);
                            dfsOps.setPermission(path3, fsPermission);
                            dfsOps.flushCache(str, str2);
                            if (dfsOps != null) {
                                this.distributedFsService.closeDfsClient(dfsOps);
                            }
                            remoteMaterialReferences.setReferences(1);
                            this.remoteMaterialReferencesFacade.update(remoteMaterialReferences);
                        } catch (Throwable th) {
                            if (dfsOps != null) {
                                this.distributedFsService.closeDfsClient(dfsOps);
                            }
                            throw th;
                            break;
                        }
                    } else {
                        remoteMaterialReferences.incrementReferences();
                        this.remoteMaterialReferencesFacade.update(remoteMaterialReferences);
                    }
                    try {
                        this.remoteMaterialReferencesFacade.releaseLock(remoteMaterialRefID, this.lock_id);
                    } catch (AcquireLockException e) {
                        LOG.log(Level.SEVERE, "Cannot release lock for " + remoteMaterialRefID, (Throwable) e);
                    }
                } catch (Exception e2) {
                    if (!(e2 instanceof AcquireLockException)) {
                        throw new IOException(e2);
                    }
                    LOG.log(Level.WARNING, e2.getMessage(), (Throwable) e2);
                    i++;
                    try {
                        TimeUnit.MILLISECONDS.sleep(RETRY_WAIT_TIMEOUT);
                        try {
                            this.remoteMaterialReferencesFacade.releaseLock(remoteMaterialRefID, this.lock_id);
                        } catch (AcquireLockException e3) {
                            LOG.log(Level.SEVERE, "Cannot release lock for " + remoteMaterialRefID, (Throwable) e3);
                        }
                    } catch (InterruptedException e4) {
                        throw new IOException(e4);
                    }
                }
            } catch (Throwable th2) {
                try {
                    this.remoteMaterialReferencesFacade.releaseLock(remoteMaterialRefID, this.lock_id);
                } catch (AcquireLockException e5) {
                    LOG.log(Level.SEVERE, "Cannot release lock for " + remoteMaterialRefID, (Throwable) e5);
                }
                throw th2;
            }
        }
        if (remoteMaterialReferences == null) {
            throw new IOException("Could not materialize certificates for " + materialKey.getExtendedUsername() + " in remote directory " + str3);
        }
    }

    private void writeToHDFS(DistributedFileSystemOps distributedFileSystemOps, Path path, byte[] bArr) throws IOException {
        if (distributedFileSystemOps == null) {
            throw new IOException("DistributedFilesystemOps is null");
        }
        FSDataOutputStream create = distributedFileSystemOps.getFilesystem().create(path);
        try {
            create.write(bArr);
            create.hflush();
            if (create != null) {
                create.close();
            }
        } catch (Throwable th) {
            if (create != null) {
                create.close();
            }
            throw th;
        }
    }

    private boolean removeRemoteInternal(MaterialKey materialKey, String str, boolean z) {
        RemoteMaterialReferences remoteMaterialReferences = null;
        RemoteMaterialRefID remoteMaterialRefID = new RemoteMaterialRefID(materialKey.getExtendedUsername(), str);
        int i = 0;
        boolean z2 = false;
        while (true) {
            if (remoteMaterialReferences != null || i >= MAX_NUMBER_OF_RETRIES) {
                break;
            }
            if (z) {
                try {
                    try {
                        remoteMaterialReferences = new RemoteMaterialReferences(remoteMaterialRefID);
                    } catch (Exception e) {
                        if (!(e instanceof AcquireLockException)) {
                            throw new RuntimeException(e);
                        }
                        LOG.log(Level.WARNING, e.getMessage(), (Throwable) e);
                        i++;
                        try {
                            TimeUnit.MILLISECONDS.sleep(RETRY_WAIT_TIMEOUT);
                            if (z2) {
                                removeLockForKey(materialKey);
                            } else {
                                try {
                                    this.remoteMaterialReferencesFacade.releaseLock(remoteMaterialRefID, this.lock_id);
                                } catch (AcquireLockException e2) {
                                    LOG.log(Level.SEVERE, "Cannot release lock for " + remoteMaterialRefID, (Throwable) e2);
                                }
                            }
                        } catch (InterruptedException e3) {
                            throw new IllegalStateException(e3);
                        }
                    }
                } finally {
                    try {
                        if (z2) {
                            removeLockForKey(materialKey);
                        } else {
                            this.remoteMaterialReferencesFacade.releaseLock(remoteMaterialRefID, this.lock_id);
                        }
                    } catch (AcquireLockException e4) {
                        LOG.log(Level.SEVERE, "Cannot release lock for " + remoteMaterialRefID, (Throwable) e4);
                    }
                }
            } else {
                remoteMaterialReferences = this.remoteMaterialReferencesFacade.acquireLock(remoteMaterialRefID, this.lock_id);
            }
            if (remoteMaterialReferences != null) {
                remoteMaterialReferences.decrementReferences();
                if (remoteMaterialReferences.getReferences().intValue() <= 0 || z) {
                    try {
                        this.distributedFsService.getDfsOps().rm(new Path(str), true);
                    } catch (IOException e5) {
                        LOG.log(Level.SEVERE, "Crypto material for <" + materialKey.getExtendedUsername() + "> could not be removed from HDFS. You SHOULD clean them manually!");
                    }
                    this.remoteMaterialReferencesFacade.delete(remoteMaterialReferences.getIdentifier());
                    z2 = true;
                } else {
                    remoteMaterialReferences.decrementReferences();
                    this.remoteMaterialReferencesFacade.update(remoteMaterialReferences);
                }
                if (z2) {
                    removeLockForKey(materialKey);
                } else {
                    try {
                        this.remoteMaterialReferencesFacade.releaseLock(remoteMaterialRefID, this.lock_id);
                    } catch (AcquireLockException e6) {
                        LOG.log(Level.SEVERE, "Cannot release lock for " + remoteMaterialRefID, (Throwable) e6);
                    }
                }
            } else {
                LOG.log(Level.WARNING, "Could not find remote crypto material for " + materialKey.getExtendedUsername() + " to remove");
            }
        }
        return z2;
    }

    private String normalizeURI(String str) {
        if (!HDFS_SCHEME.matcher(str).matches()) {
            str = "hdfs://" + str;
        }
        return str;
    }

    private void deleteFromHDFS(DistributedFileSystemOps distributedFileSystemOps, Path path) throws IOException {
        distributedFileSystemOps.rm(path, false);
    }

    private CryptoMaterial getMaterialFromDatabase(MaterialKey materialKey) throws IOException {
        if (!materialKey.isProjectUser()) {
            UserCerts findUserCert = this.certsFacade.findUserCert(materialKey.projectName, materialKey.username);
            return new CryptoMaterial(ByteBuffer.wrap(findUserCert.getUserKey()), ByteBuffer.wrap(findUserCert.getUserCert()), decryptMaterialPassword(materialKey.getExtendedUsername(), findUserCert.getUserKeyPwd(), UserCerts.class));
        }
        ProjectGenericUserCerts findProjectGenericUserCerts = this.certsFacade.findProjectGenericUserCerts(materialKey.getExtendedUsername());
        if (findProjectGenericUserCerts != null) {
            return new CryptoMaterial(ByteBuffer.wrap(findProjectGenericUserCerts.getKey()), ByteBuffer.wrap(findProjectGenericUserCerts.getCert()), decryptMaterialPassword(materialKey.projectName, findProjectGenericUserCerts.getCertificatePassword(), ProjectGenericUserCerts.class));
        }
        String str = "Could not find certificates in the database for user <" + materialKey.getExtendedUsername() + ">";
        LOG.log(Level.SEVERE, str);
        throw new IOException(str);
    }

    private <T> char[] decryptMaterialPassword(String str, String str2, Class<T> cls) throws IOException {
        String password;
        if (ProjectGenericUserCerts.class == cls) {
            Project findByName = this.projectFacade.findByName(str);
            if (findByName == null) {
                String str3 = "Project <" + str + "> could not be found in the system";
                LOG.log(Level.SEVERE, str3);
                throw new IOException(str3);
            }
            password = findByName.getOwner().getPassword();
        } else {
            if (UserCerts.class != cls) {
                String str4 = "Unknown certificate type: " + cls.getName();
                LOG.log(Level.SEVERE, str4);
                throw new IllegalArgumentException(str4);
            }
            Users findByUsername = this.userFacade.findByUsername(this.hdfsUsersController.getUserName(str));
            if (findByUsername == null) {
                String str5 = "Could not find user <" + str + "> in the system";
                LOG.log(Level.SEVERE, str5);
                throw new IOException(str5);
            }
            password = findByUsername.getPassword();
        }
        try {
            return HopsUtils.decrypt(password, str2, this.certificatesMgmService.getMasterEncryptionPassword()).toCharArray();
        } catch (Exception e) {
            LOG.log(Level.SEVERE, "Error while decrypting certificate password for user <" + str + ">");
            throw new IOException(e);
        }
    }
}
