package org.apache.ignite.internal.managers.encryption;

import java.io.Serializable;
import java.lang.invoke.SerializedLambda;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.IgniteClientDisconnectedException;
import org.apache.ignite.IgniteEncryption;
import org.apache.ignite.IgniteException;
import org.apache.ignite.IgniteSystemProperties;
import org.apache.ignite.cluster.ClusterNode;
import org.apache.ignite.configuration.WALMode;
import org.apache.ignite.failure.FailureContext;
import org.apache.ignite.failure.FailureType;
import org.apache.ignite.internal.GridComponent;
import org.apache.ignite.internal.GridKernalContext;
import org.apache.ignite.internal.GridTopic;
import org.apache.ignite.internal.IgniteInternalFuture;
import org.apache.ignite.internal.IgniteKernal;
import org.apache.ignite.internal.managers.GridManagerAdapter;
import org.apache.ignite.internal.managers.communication.GridIoManager;
import org.apache.ignite.internal.managers.communication.GridMessageListener;
import org.apache.ignite.internal.managers.eventstorage.DiscoveryEventListener;
import org.apache.ignite.internal.managers.eventstorage.GridEventStorageManager;
import org.apache.ignite.internal.pagemem.wal.record.MasterKeyChangeRecordV2;
import org.apache.ignite.internal.pagemem.wal.record.ReencryptionStartRecord;
import org.apache.ignite.internal.processors.bulkload.BulkLoadCsvFormat;
import org.apache.ignite.internal.processors.cache.CacheGroupContext;
import org.apache.ignite.internal.processors.cache.CacheGroupDescriptor;
import org.apache.ignite.internal.processors.cache.distributed.dht.preloader.GridDhtPartitionsExchangeFuture;
import org.apache.ignite.internal.processors.cache.distributed.dht.preloader.PartitionsExchangeAware;
import org.apache.ignite.internal.processors.cache.persistence.metastorage.MetastorageLifecycleListener;
import org.apache.ignite.internal.processors.cache.persistence.metastorage.ReadOnlyMetastorage;
import org.apache.ignite.internal.processors.cache.persistence.metastorage.ReadWriteMetastorage;
import org.apache.ignite.internal.processors.cache.persistence.wal.WALPointer;
import org.apache.ignite.internal.processors.cluster.IgniteChangeGlobalStateSupport;
import org.apache.ignite.internal.util.distributed.DistributedProcess;
import org.apache.ignite.internal.util.future.GridFinishedFuture;
import org.apache.ignite.internal.util.future.GridFutureAdapter;
import org.apache.ignite.internal.util.future.IgniteFinishedFutureImpl;
import org.apache.ignite.internal.util.future.IgniteFutureImpl;
import org.apache.ignite.internal.util.typedef.F;
import org.apache.ignite.internal.util.typedef.T2;
import org.apache.ignite.internal.util.typedef.internal.A;
import org.apache.ignite.internal.util.typedef.internal.S;
import org.apache.ignite.internal.util.typedef.internal.U;
import org.apache.ignite.lang.IgniteFuture;
import org.apache.ignite.lang.IgniteFutureCancelledException;
import org.apache.ignite.lang.IgniteProductVersion;
import org.apache.ignite.lang.IgniteUuid;
import org.apache.ignite.spi.IgniteNodeValidationResult;
import org.apache.ignite.spi.IgniteSpiException;
import org.apache.ignite.spi.discovery.DiscoveryDataBag;
import org.apache.ignite.spi.encryption.EncryptionSpi;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:org/apache/ignite/internal/managers/encryption/GridEncryptionManager.class */
public class GridEncryptionManager extends GridManagerAdapter<EncryptionSpi> implements EncryptionCacheKeyProvider, MetastorageLifecycleListener, IgniteChangeGlobalStateSupport, IgniteEncryption, PartitionsExchangeAware {
    private static final IgniteProductVersion CACHE_ENCRYPTION_SINCE;
    public static final String MASTER_KEY_NAME_PREFIX = "encryption-master-key-name";
    public static final String ENCRYPTION_KEYS_PREFIX = "grp-encryption-keys-";
    public static final int INITIAL_KEY_ID = 0;
    private static final String REENCRYPTED_WAL_SEGMENTS = "reencrypted-wal-segments";

    @Deprecated
    private static final String ENCRYPTION_KEY_PREFIX = "grp-encryption-key-";
    private final Object metaStorageMux;
    private final Object opsMux;
    private final ReentrantReadWriteLock masterKeyChangeLock;
    private volatile boolean disconnected;
    private volatile boolean stopped;
    private volatile boolean writeToMetaStoreEnabled;
    private CacheGroupEncryptionKeys grpKeys;
    private ConcurrentMap<IgniteUuid, GenerateEncryptionKeyFuture> genEncKeyFuts;
    private volatile ReadWriteMetastorage metaStorage;
    private GridMessageListener ioLsnr;
    private DiscoveryEventListener discoLsnr;
    private volatile boolean restoredFromWAL;
    private volatile boolean recoveryMasterKeyName;
    private KeyChangeFuture masterKeyChangeFut;
    private volatile MasterKeyChangeRequest masterKeyChangeRequest;
    private volatile byte[] masterKeyDigest;
    private DistributedProcess<MasterKeyChangeRequest, EmptyResult> prepareMKChangeProc;
    private DistributedProcess<MasterKeyChangeRequest, EmptyResult> performMKChangeProc;
    private GroupKeyChangeProcess grpKeyChangeProc;
    private final Map<Integer, long[]> reencryptGroups;
    private final Map<Integer, Integer> reencryptGroupsForced;
    private CacheGroupPageScanner pageScanner;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/ignite/internal/managers/encryption/GridEncryptionManager$EmptyResult.class */
    public static class EmptyResult implements Serializable {
        private static final long serialVersionUID = 0;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/ignite/internal/managers/encryption/GridEncryptionManager$GenerateEncryptionKeyFuture.class */
    public class GenerateEncryptionKeyFuture extends GridFutureAdapter<T2<Collection<byte[]>, byte[]>> {
        private IgniteUuid id;
        private int keyCnt;
        private UUID nodeId;

        private GenerateEncryptionKeyFuture(int i) {
            this.keyCnt = i;
        }

        @Override // org.apache.ignite.internal.util.future.GridFutureAdapter
        public boolean onDone(@Nullable T2<Collection<byte[]>, byte[]> t2, @Nullable Throwable th) {
            GridEncryptionManager.this.genEncKeyFuts.remove(this.id, this);
            return super.onDone((GenerateEncryptionKeyFuture) t2, th);
        }

        public IgniteUuid id() {
            return this.id;
        }

        public void id(IgniteUuid igniteUuid) {
            this.id = igniteUuid;
        }

        public UUID nodeId() {
            return this.nodeId;
        }

        public void nodeId(UUID uuid) {
            this.nodeId = uuid;
        }

        public int keyCount() {
            return this.keyCnt;
        }

        @Override // org.apache.ignite.internal.util.future.GridFutureAdapter
        public String toString() {
            return S.toString((Class<GenerateEncryptionKeyFuture>) GenerateEncryptionKeyFuture.class, this);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/ignite/internal/managers/encryption/GridEncryptionManager$KeyChangeFuture.class */
    public static class KeyChangeFuture extends GridFutureAdapter<Void> {
        private final UUID id;

        /* JADX INFO: Access modifiers changed from: package-private */
        public KeyChangeFuture(UUID uuid) {
            this.id = uuid;
        }

        public UUID id() {
            return this.id;
        }

        @Override // org.apache.ignite.internal.util.future.GridFutureAdapter
        public String toString() {
            return S.toString((Class<KeyChangeFuture>) KeyChangeFuture.class, this);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/ignite/internal/managers/encryption/GridEncryptionManager$MasterKeyChangeRequest.class */
    public static class MasterKeyChangeRequest implements Serializable {
        private static final long serialVersionUID = 0;
        private final UUID reqId;
        private final byte[] encKeyName;
        private final byte[] digest;

        private MasterKeyChangeRequest(UUID uuid, byte[] bArr, byte[] bArr2) {
            this.reqId = uuid;
            this.encKeyName = bArr;
            this.digest = bArr2;
        }

        UUID requestId() {
            return this.reqId;
        }

        byte[] encKeyName() {
            return this.encKeyName;
        }

        byte[] digest() {
            return this.digest;
        }

        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof MasterKeyChangeRequest)) {
                return false;
            }
            MasterKeyChangeRequest masterKeyChangeRequest = (MasterKeyChangeRequest) obj;
            return Arrays.equals(this.encKeyName, masterKeyChangeRequest.encKeyName) && Arrays.equals(this.digest, masterKeyChangeRequest.digest) && Objects.equals(this.reqId, masterKeyChangeRequest.reqId);
        }

        public int hashCode() {
            return (31 * ((31 * Objects.hash(this.reqId)) + Arrays.hashCode(this.encKeyName))) + Arrays.hashCode(this.digest);
        }

        public String toString() {
            return S.toString((Class<MasterKeyChangeRequest>) MasterKeyChangeRequest.class, this);
        }
    }

    /* loaded from: input_file:org/apache/ignite/internal/managers/encryption/GridEncryptionManager$NodeEncryptionKeys.class */
    protected static class NodeEncryptionKeys implements Serializable {
        private static final long serialVersionUID = 0;
        Map<Integer, byte[]> knownKeys;
        Map<Integer, byte[]> newKeys;
        byte[] masterKeyDigest;
        Map<Integer, List<GroupKeyEncrypted>> knownKeysWithIds;

        NodeEncryptionKeys(HashMap<Integer, List<GroupKeyEncrypted>> hashMap, Map<Integer, byte[]> map, byte[] bArr) {
            this.newKeys = map;
            this.masterKeyDigest = bArr;
            if (F.isEmpty(hashMap)) {
                return;
            }
            this.knownKeys = U.newHashMap(hashMap.size());
            for (Map.Entry<Integer, List<GroupKeyEncrypted>> entry : hashMap.entrySet()) {
                this.knownKeys.put(entry.getKey(), entry.getValue().get(0).key());
            }
            this.knownKeysWithIds = hashMap;
        }
    }

    public GridEncryptionManager(GridKernalContext gridKernalContext) {
        super(gridKernalContext, gridKernalContext.config().getEncryptionSpi());
        this.metaStorageMux = new Object();
        this.opsMux = new Object();
        this.masterKeyChangeLock = new ReentrantReadWriteLock();
        this.genEncKeyFuts = new ConcurrentHashMap();
        this.reencryptGroups = new ConcurrentHashMap();
        this.reencryptGroupsForced = new ConcurrentHashMap();
        gridKernalContext.internalSubscriptionProcessor().registerMetastorageListener(this);
    }

    @Override // org.apache.ignite.internal.GridComponent
    public void start() throws IgniteCheckedException {
        startSpi();
        GridEventStorageManager event = this.ctx.event();
        DiscoveryEventListener discoveryEventListener = (discoveryEvent, discoCache) -> {
            UUID id = discoveryEvent.eventNode().id();
            synchronized (this.opsMux) {
                Iterator<Map.Entry<IgniteUuid, GenerateEncryptionKeyFuture>> it = this.genEncKeyFuts.entrySet().iterator();
                while (it.hasNext()) {
                    GenerateEncryptionKeyFuture value = it.next().getValue();
                    if (!F.eq(id, value.nodeId())) {
                        return;
                    }
                    try {
                        it.remove();
                        sendGenerateEncryptionKeyRequest(value);
                        this.genEncKeyFuts.put(value.id(), value);
                    } catch (IgniteCheckedException e) {
                        value.onDone((T2<Collection<byte[]>, byte[]>) null, (Throwable) e);
                    }
                }
            }
        };
        this.discoLsnr = discoveryEventListener;
        event.addDiscoveryEventListener(discoveryEventListener, 11, 12);
        GridIoManager io = this.ctx.io();
        GridTopic gridTopic = GridTopic.TOPIC_GEN_ENC_KEY;
        GridMessageListener gridMessageListener = (uuid, obj, b) -> {
            synchronized (this.opsMux) {
                if (obj instanceof GenerateEncryptionKeyRequest) {
                    GenerateEncryptionKeyRequest generateEncryptionKeyRequest = (GenerateEncryptionKeyRequest) obj;
                    if (!$assertionsDisabled && generateEncryptionKeyRequest.keyCount() == 0) {
                        throw new AssertionError();
                    }
                    ArrayList arrayList = new ArrayList(generateEncryptionKeyRequest.keyCount());
                    try {
                        this.ctx.io().sendToGridTopic(uuid, GridTopic.TOPIC_GEN_ENC_KEY, new GenerateEncryptionKeyResponse(generateEncryptionKeyRequest.id(), arrayList, (byte[]) withMasterKeyChangeReadLock(() -> {
                            for (int i = 0; i < generateEncryptionKeyRequest.keyCount(); i++) {
                                arrayList.add(getSpi().encryptKey(getSpi().create()));
                            }
                            return getSpi().masterKeyDigest();
                        })), (byte) 2);
                    } catch (IgniteCheckedException e) {
                        U.error(this.log, "Unable to send generate key response[nodeId=" + uuid + "]");
                    }
                } else {
                    GenerateEncryptionKeyResponse generateEncryptionKeyResponse = (GenerateEncryptionKeyResponse) obj;
                    GenerateEncryptionKeyFuture generateEncryptionKeyFuture = this.genEncKeyFuts.get(generateEncryptionKeyResponse.requestId());
                    if (generateEncryptionKeyFuture != null) {
                        generateEncryptionKeyFuture.onDone(new T2<>(generateEncryptionKeyResponse.encryptionKeys(), generateEncryptionKeyResponse.masterKeyDigest()), (Throwable) null);
                    } else {
                        U.warn(this.log, "Response received for a unknown request.[reqId=" + generateEncryptionKeyResponse.requestId() + "]");
                    }
                }
            }
        };
        this.ioLsnr = gridMessageListener;
        io.addMessageListener(gridTopic, gridMessageListener);
        this.ctx.internalSubscriptionProcessor().registerGlobalStateListener(this);
        this.prepareMKChangeProc = new DistributedProcess<>(this.ctx, DistributedProcess.DistributedProcessType.MASTER_KEY_CHANGE_PREPARE, this::prepareMasterKeyChange, this::finishPrepareMasterKeyChange);
        this.performMKChangeProc = new DistributedProcess<>(this.ctx, DistributedProcess.DistributedProcessType.MASTER_KEY_CHANGE_FINISH, this::performMasterKeyChange, this::finishPerformMasterKeyChange);
        this.grpKeys = new CacheGroupEncryptionKeys(getSpi());
        this.pageScanner = new CacheGroupPageScanner(this.ctx);
        this.grpKeyChangeProc = new GroupKeyChangeProcess(this.ctx, this.grpKeys);
    }

    @Override // org.apache.ignite.internal.GridComponent
    public void stop(boolean z) throws IgniteCheckedException {
        stopSpi();
        this.pageScanner.stop();
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter
    protected void onKernalStart0() {
        this.ctx.cache().context().exchange().registerExchangeAwareComponent(this);
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter
    protected void onKernalStop0(boolean z) {
        synchronized (this.opsMux) {
            this.stopped = true;
            if (this.ioLsnr != null) {
                this.ctx.io().removeMessageListener(GridTopic.TOPIC_GEN_ENC_KEY, this.ioLsnr);
            }
            if (this.discoLsnr != null) {
                this.ctx.event().removeDiscoveryEventListener(this.discoLsnr, 11, 12);
            }
            cancelFutures("Kernal stopped.");
        }
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter, org.apache.ignite.internal.GridComponent
    public void onDisconnected(IgniteFuture<?> igniteFuture) {
        synchronized (this.opsMux) {
            if (!$assertionsDisabled && this.disconnected) {
                throw new AssertionError();
            }
            this.disconnected = true;
            this.masterKeyChangeRequest = null;
            this.masterKeyDigest = null;
            cancelFutures("Client node was disconnected from topology (operation result is unknown).");
        }
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter, org.apache.ignite.internal.GridComponent
    public IgniteInternalFuture<?> onReconnected(boolean z) {
        synchronized (this.opsMux) {
            if (!$assertionsDisabled && !this.disconnected) {
                throw new AssertionError();
            }
            this.disconnected = false;
        }
        return null;
    }

    public void onLocalJoin() {
        if (U.isLocalNodeCoordinator(this.ctx.discovery())) {
            synchronized (this.metaStorageMux) {
                HashMap<Integer, GroupKeyEncrypted> all = this.grpKeys.getAll();
                HashMap<Integer, byte[]> newEncryptionKeys = newEncryptionKeys(all == null ? Collections.EMPTY_SET : all.keySet());
                if (newEncryptionKeys == null) {
                    return;
                }
                for (Map.Entry<Integer, byte[]> entry : newEncryptionKeys.entrySet()) {
                    addGroupKey(entry.getKey().intValue(), new GroupKeyEncrypted(0, entry.getValue()));
                    U.quietAndInfo(this.log, "Added encryption key on local join [grpId=" + entry.getKey() + "]");
                }
            }
        }
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter, org.apache.ignite.internal.GridComponent
    @Nullable
    public IgniteNodeValidationResult validateNode(ClusterNode clusterNode, DiscoveryDataBag.JoiningNodeDiscoveryData joiningNodeDiscoveryData) {
        List<GroupKeyEncrypted> value;
        IgniteNodeValidationResult validateNode = super.validateNode(clusterNode, joiningNodeDiscoveryData);
        if (validateNode != null) {
            return validateNode;
        }
        if (isMasterKeyChangeInProgress()) {
            return new IgniteNodeValidationResult(this.ctx.localNodeId(), "Master key change is in progress! Node join is rejected. [node=" + clusterNode.id() + "]", "Master key change is in progress! Node join is rejected.");
        }
        if (clusterNode.isClient()) {
            return null;
        }
        IgniteNodeValidationResult validateNode2 = validateNode(clusterNode);
        if (validateNode2 != null) {
            return validateNode2;
        }
        if (this.grpKeyChangeProc.inProgress()) {
            return new IgniteNodeValidationResult(this.ctx.localNodeId(), "Cache group key change is in progress! Node join is rejected. [node=" + clusterNode.id() + "]", "Cache group key change is in progress! Node join is rejected.");
        }
        NodeEncryptionKeys nodeEncryptionKeys = (NodeEncryptionKeys) joiningNodeDiscoveryData.joiningNodeData();
        if (!joiningNodeDiscoveryData.hasJoiningNodeData() || nodeEncryptionKeys == null) {
            return new IgniteNodeValidationResult(this.ctx.localNodeId(), "Joining node doesn't have encryption data [node=" + clusterNode.id() + "]", "Joining node doesn't have encryption data.");
        }
        if (!Arrays.equals(getSpi().masterKeyDigest(), nodeEncryptionKeys.masterKeyDigest)) {
            return new IgniteNodeValidationResult(this.ctx.localNodeId(), "Master key digest differs! Node join is rejected. [node=" + clusterNode.id() + "]", "Master key digest differs! Node join is rejected.");
        }
        if (F.isEmpty(nodeEncryptionKeys.knownKeys)) {
            U.quietAndInfo(this.log, "Joining node doesn't have stored group keys [node=" + clusterNode.id() + "]");
            return null;
        }
        if (!$assertionsDisabled && F.isEmpty(nodeEncryptionKeys.knownKeysWithIds)) {
            throw new AssertionError();
        }
        for (Map.Entry<Integer, List<GroupKeyEncrypted>> entry : nodeEncryptionKeys.knownKeysWithIds.entrySet()) {
            GroupKey activeKey = getActiveKey(entry.getKey().intValue());
            if (activeKey != null && (value = entry.getValue()) != null) {
                GroupKeyEncrypted groupKeyEncrypted = null;
                Iterator<GroupKeyEncrypted> it = value.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    GroupKeyEncrypted next = it.next();
                    if (next.id() == activeKey.unsignedId()) {
                        groupKeyEncrypted = next;
                        break;
                    }
                }
                if (groupKeyEncrypted != null && !F.eq(activeKey.key(), getSpi().decryptKey(groupKeyEncrypted.key()))) {
                    return new IgniteNodeValidationResult(this.ctx.localNodeId(), "Cache key differs! Node join is rejected. [node=" + clusterNode.id() + ", grp=" + entry.getKey() + "]", "Cache key differs! Node join is rejected.");
                }
            }
        }
        return null;
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter, org.apache.ignite.internal.GridComponent
    public void collectJoiningNodeData(DiscoveryDataBag discoveryDataBag) {
        if (this.ctx.clientNode()) {
            return;
        }
        Set<Integer> groupIds = this.grpKeys.groupIds();
        HashMap newHashMap = U.newHashMap(groupIds.size());
        Iterator<Integer> it = groupIds.iterator();
        while (it.hasNext()) {
            int intValue = it.next().intValue();
            newHashMap.put(Integer.valueOf(intValue), this.grpKeys.getAll(intValue));
        }
        HashMap<Integer, byte[]> newEncryptionKeys = newEncryptionKeys(groupIds);
        if (this.log.isInfoEnabled()) {
            String concat = F.isEmpty(newHashMap) ? null : F.concat(newHashMap.keySet(), IgniteKernal.COORDINATOR_PROPERTIES_SEPARATOR);
            if (concat != null) {
                U.quietAndInfo(this.log, "Sending stored group keys to coordinator [grps=" + concat + "]");
            }
            String concat2 = F.isEmpty(newEncryptionKeys) ? null : F.concat(newEncryptionKeys.keySet(), IgniteKernal.COORDINATOR_PROPERTIES_SEPARATOR);
            if (concat2 != null) {
                U.quietAndInfo(this.log, "Sending new group keys to coordinator [grps=" + concat2 + "]");
            }
        }
        discoveryDataBag.addJoiningNodeData(Integer.valueOf(GridComponent.DiscoveryDataExchangeType.ENCRYPTION_MGR.ordinal()), new NodeEncryptionKeys(newHashMap, newEncryptionKeys, getSpi().masterKeyDigest()));
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter, org.apache.ignite.internal.GridComponent
    public void onJoiningNodeDataReceived(DiscoveryDataBag.JoiningNodeDiscoveryData joiningNodeDiscoveryData) {
        NodeEncryptionKeys nodeEncryptionKeys = (NodeEncryptionKeys) joiningNodeDiscoveryData.joiningNodeData();
        if (nodeEncryptionKeys == null || nodeEncryptionKeys.newKeys == null || this.ctx.clientNode()) {
            return;
        }
        for (Map.Entry<Integer, byte[]> entry : nodeEncryptionKeys.newKeys.entrySet()) {
            if (getActiveKey(entry.getKey().intValue()) == null) {
                U.quietAndInfo(this.log, "Store group key received from joining node [node=" + joiningNodeDiscoveryData.joiningNodeId() + ", grp=" + entry.getKey() + "]");
                addGroupKey(entry.getKey().intValue(), new GroupKeyEncrypted(0, entry.getValue()));
            } else {
                U.quietAndInfo(this.log, "Skip group key received from joining node. Already exists. [node=" + joiningNodeDiscoveryData.joiningNodeId() + ", grp=" + entry.getKey() + "]");
            }
        }
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter, org.apache.ignite.internal.GridComponent
    public void collectGridNodeData(DiscoveryDataBag discoveryDataBag) {
        if (discoveryDataBag.isJoiningNodeClient() || discoveryDataBag.commonDataCollectedFor(Integer.valueOf(GridComponent.DiscoveryDataExchangeType.ENCRYPTION_MGR.ordinal()))) {
            return;
        }
        HashMap<Integer, GroupKeyEncrypted> all = this.grpKeys.getAll();
        HashMap<Integer, byte[]> newEncryptionKeys = newEncryptionKeys(all == null ? Collections.EMPTY_SET : all.keySet());
        if (!F.isEmpty(newEncryptionKeys)) {
            if (all == null) {
                all = new HashMap<>();
            }
            for (Map.Entry<Integer, byte[]> entry : newEncryptionKeys.entrySet()) {
                GroupKeyEncrypted putIfAbsent = all.putIfAbsent(entry.getKey(), new GroupKeyEncrypted(0, entry.getValue()));
                if (!$assertionsDisabled && putIfAbsent != null) {
                    throw new AssertionError();
                }
            }
        }
        discoveryDataBag.addGridCommonData(Integer.valueOf(GridComponent.DiscoveryDataExchangeType.ENCRYPTION_MGR.ordinal()), all);
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter, org.apache.ignite.internal.GridComponent
    public void onGridDataReceived(DiscoveryDataBag.GridDiscoveryData gridDiscoveryData) {
        if (this.ctx.clientNode()) {
            return;
        }
        Map map = (Map) gridDiscoveryData.commonData();
        if (F.isEmpty((Map<?, ?>) map)) {
            return;
        }
        for (Map.Entry entry : map.entrySet()) {
            int intValue = ((Integer) entry.getKey()).intValue();
            GroupKeyEncrypted groupKeyEncrypted = entry.getValue() instanceof GroupKeyEncrypted ? (GroupKeyEncrypted) entry.getValue() : new GroupKeyEncrypted(0, (byte[]) entry.getValue());
            GroupKey activeKey = getActiveKey(intValue);
            if (activeKey == null || activeKey.unsignedId() != groupKeyEncrypted.id()) {
                U.quietAndInfo(this.log, "Store group key received from coordinator [grp=" + intValue + ", keyId=" + groupKeyEncrypted.id() + "]");
                this.grpKeys.addKey(intValue, groupKeyEncrypted);
                if (activeKey != null) {
                    GroupKey changeActiveKey = this.grpKeys.changeActiveKey(intValue, groupKeyEncrypted.id());
                    if (this.ctx.config().getDataStorageConfiguration().getWalMode() != WALMode.NONE) {
                        this.grpKeys.reserveWalKey(intValue, changeActiveKey.unsignedId(), this.ctx.cache().context().wal().currentSegment());
                    }
                    this.reencryptGroupsForced.put(Integer.valueOf(intValue), Integer.valueOf(groupKeyEncrypted.id()));
                }
            } else {
                U.quietAndInfo(this.log, "Skip group key received from coordinator. Already exists. [grp=" + intValue + ", keyId=" + groupKeyEncrypted.id() + "]");
            }
        }
    }

    @Override // org.apache.ignite.internal.managers.encryption.EncryptionCacheKeyProvider
    @Nullable
    public GroupKey getActiveKey(int i) {
        return this.grpKeys.getActiveKey(i);
    }

    @Override // org.apache.ignite.internal.managers.encryption.EncryptionCacheKeyProvider
    @Nullable
    public GroupKey groupKey(int i, int i2) {
        return this.grpKeys.getKey(i, i2);
    }

    @Nullable
    public List<Integer> groupKeyIds(int i) {
        return this.grpKeys.keyIds(i);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void addGroupKey(int i, GroupKeyEncrypted groupKeyEncrypted) {
        synchronized (this.metaStorageMux) {
            try {
                this.grpKeys.addKey(i, groupKeyEncrypted);
                writeGroupKeysToMetaStore(i, this.grpKeys.getAll(i));
            } catch (IgniteCheckedException e) {
                throw new IgniteException("Failed to write cache group encryption key [grpId=" + i + "]", e);
            }
        }
    }

    @Override // org.apache.ignite.IgniteEncryption
    public IgniteFuture<Void> changeMasterKey(String str) {
        if (this.ctx.clientNode()) {
            return new IgniteFinishedFutureImpl((Throwable) new UnsupportedOperationException("Client nodes can not perform this operation."));
        }
        if (!this.ctx.state().clusterState().state().active()) {
            return new IgniteFinishedFutureImpl((Throwable) new IgniteException("Master key change was rejected. The cluster is inactive."));
        }
        if (str.equals(getMasterKeyName())) {
            return new IgniteFinishedFutureImpl((Throwable) new IgniteException("Master key change was rejected. New name equal to the current."));
        }
        try {
            MasterKeyChangeRequest masterKeyChangeRequest = new MasterKeyChangeRequest(UUID.randomUUID(), encryptKeyName(str), masterKeyDigest(str));
            synchronized (this.opsMux) {
                if (this.disconnected) {
                    return new IgniteFinishedFutureImpl((Throwable) new IgniteClientDisconnectedException(this.ctx.cluster().clientReconnectFuture(), "Master key change was rejected. Client node disconnected."));
                }
                if (this.stopped) {
                    return new IgniteFinishedFutureImpl((Throwable) new IgniteException("Master key change was rejected. Node is stopping."));
                }
                if (this.masterKeyChangeFut != null && !this.masterKeyChangeFut.isDone()) {
                    return new IgniteFinishedFutureImpl((Throwable) new IgniteException("Master key change was rejected. The previous change was not completed."));
                }
                this.masterKeyChangeFut = new KeyChangeFuture(masterKeyChangeRequest.requestId());
                this.prepareMKChangeProc.start(masterKeyChangeRequest.requestId(), masterKeyChangeRequest);
                return new IgniteFutureImpl(this.masterKeyChangeFut);
            }
        } catch (Exception e) {
            return new IgniteFinishedFutureImpl((Throwable) new IgniteException("Master key change was rejected. Unable to get the master key digest.", e));
        }
    }

    @Override // org.apache.ignite.IgniteEncryption
    public String getMasterKeyName() {
        if (this.ctx.clientNode()) {
            throw new UnsupportedOperationException("Client nodes can not perform this operation.");
        }
        return (String) withMasterKeyChangeReadLock(() -> {
            return getSpi().getMasterKeyName();
        });
    }

    @Override // org.apache.ignite.IgniteEncryption
    public IgniteFuture<Void> changeCacheGroupKey(Collection<String> collection) {
        A.notEmpty(collection, "cacheOrGrpNames");
        synchronized (this.opsMux) {
            if (this.stopped) {
                return new IgniteFinishedFutureImpl((Throwable) new IgniteException("Cache group key change was rejected. Node is stopping."));
            }
            return this.grpKeyChangeProc.start(collection);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void changeCacheGroupKeyLocal(int[] iArr, byte[] bArr, byte[][] bArr2) throws IgniteCheckedException {
        HashMap newHashMap = U.newHashMap(iArr.length);
        for (int i = 0; i < iArr.length; i++) {
            newHashMap.put(Integer.valueOf(iArr[i]), Byte.valueOf(bArr[i]));
        }
        WALPointer log = this.ctx.cache().context().wal().log(new ReencryptionStartRecord(newHashMap));
        if (log != null) {
            this.ctx.cache().context().wal().flush(log, false);
        }
        for (int i2 = 0; i2 < iArr.length; i2++) {
            int i3 = iArr[i2];
            int i4 = bArr[i2] & 255;
            withMasterKeyChangeReadLock(() -> {
                synchronized (this.metaStorageMux) {
                    GroupKey changeActiveKey = this.grpKeys.changeActiveKey(i3, i4);
                    writeGroupKeysToMetaStore(i3, this.grpKeys.getAll(i3));
                    if (log == null) {
                        return null;
                    }
                    this.grpKeys.reserveWalKey(i3, changeActiveKey.unsignedId(), this.ctx.cache().context().wal().currentSegment());
                    writeTrackedWalIdxsToMetaStore();
                    return null;
                }
            });
            CacheGroupContext cacheGroup = this.ctx.cache().cacheGroup(i3);
            if (cacheGroup != null && cacheGroup.affinityNode()) {
                this.reencryptGroups.put(Integer.valueOf(i3), this.pageScanner.pagesCount(cacheGroup));
            }
            if (this.log.isInfoEnabled()) {
                this.log.info("New encryption key for group was added [grpId=" + i3 + ", keyId=" + i4 + "]");
            }
        }
        startReencryption(newHashMap.keySet());
    }

    public IgniteInternalFuture<Void> reencryptionFuture(int i) {
        return this.pageScanner.statusFuture(i);
    }

    public boolean reencryptionInProgress(int i) {
        return this.reencryptGroups.containsKey(Integer.valueOf(i));
    }

    public boolean reencryptionInProgress() {
        return this.grpKeyChangeProc.inProgress() || !this.reencryptGroups.isEmpty();
    }

    public double getReencryptionRate() {
        return this.pageScanner.getRate();
    }

    public void setReencryptionRate(double d) {
        this.pageScanner.setRate(d);
    }

    private void removeGroupKey(int i) {
        synchronized (this.metaStorageMux) {
            this.ctx.cache().context().database().checkpointReadLock();
            try {
                try {
                } catch (IgniteCheckedException e) {
                    U.error(this.log, "Failed to clear meta storage", e);
                    this.ctx.cache().context().database().checkpointReadUnlock();
                }
                if (this.grpKeys.remove(i) == null) {
                    return;
                }
                this.metaStorage.remove("grp-encryption-keys-" + i);
                if (this.log.isDebugEnabled()) {
                    this.log.debug("Key(s) removed. [grp=" + i + "]");
                }
                this.ctx.cache().context().database().checkpointReadUnlock();
            } finally {
                this.ctx.cache().context().database().checkpointReadUnlock();
            }
        }
    }

    public void setInitialGroupKey(int i, @Nullable byte[] bArr, @Nullable Integer num) {
        if (bArr == null || this.ctx.clientNode()) {
            return;
        }
        removeGroupKey(i);
        withMasterKeyChangeReadLock(() -> {
            addGroupKey(i, new GroupKeyEncrypted(num == null ? 0 : num.intValue(), bArr));
            return null;
        });
    }

    public void onCacheGroupStop(int i) {
        try {
            reencryptionFuture(i).cancel();
        } catch (IgniteCheckedException e) {
            this.log.warning("Unable to cancel reencryption [grpId=" + i + "]", e);
        }
        this.reencryptGroups.remove(Integer.valueOf(i));
    }

    public void onCacheGroupDestroyed(int i) {
        if (getActiveKey(i) == null) {
            return;
        }
        removeGroupKey(i);
    }

    public void onDestroyPartitionStore(CacheGroupContext cacheGroupContext, int i) {
        if (this.pageScanner.excludePartition(cacheGroupContext.groupId(), i)) {
            setEncryptionState(cacheGroupContext, i, 0, 0);
        }
    }

    public void onCancelDestroyPartitionStore(CacheGroupContext cacheGroupContext, int i) {
        this.pageScanner.includePartition(cacheGroupContext.groupId(), i);
    }

    public void onWalSegmentRemoved(long j) {
        if (this.grpKeys.isReleaseWalKeysRequired(j)) {
            this.ctx.pools().getSystemExecutorService().submit(() -> {
                releaseWalKeys(j);
            });
        }
    }

    private void releaseWalKeys(long j) {
        withMasterKeyChangeReadLock(() -> {
            synchronized (this.metaStorageMux) {
                Map<Integer, Set<Integer>> releaseWalKeys = this.grpKeys.releaseWalKeys(j);
                if (F.isEmpty(releaseWalKeys)) {
                    return null;
                }
                try {
                    writeTrackedWalIdxsToMetaStore();
                    for (Map.Entry<Integer, Set<Integer>> entry : releaseWalKeys.entrySet()) {
                        Integer key = entry.getKey();
                        if (!this.reencryptGroups.containsKey(key)) {
                            Set<Integer> value = entry.getValue();
                            if (this.grpKeys.removeKeysById(key.intValue(), value)) {
                                writeGroupKeysToMetaStore(key.intValue(), this.grpKeys.getAll(key.intValue()));
                                if (this.log.isInfoEnabled()) {
                                    this.log.info("Previous encryption keys have been removed [grpId=" + key + ", keyIds=" + value + "]");
                                }
                            }
                        }
                    }
                } catch (IgniteCheckedException e) {
                    this.log.error("Unable to remove encryption keys from metastore.", e);
                }
                return null;
            }
        });
    }

    @Override // org.apache.ignite.internal.processors.cache.persistence.metastorage.MetastorageLifecycleListener
    public void onReadyForRead(ReadOnlyMetastorage readOnlyMetastorage) {
        String str;
        try {
            if (!this.restoredFromWAL && (str = (String) readOnlyMetastorage.read(MASTER_KEY_NAME_PREFIX)) != null) {
                if (this.log.isInfoEnabled()) {
                    this.log.info("Master key name loaded from metastrore [masterKeyName=" + str + "]");
                }
                getSpi().setMasterKeyName(str);
            }
            readOnlyMetastorage.iterate(ENCRYPTION_KEYS_PREFIX, (str2, serializable) -> {
                int parseInt = Integer.parseInt(str2.replace(ENCRYPTION_KEYS_PREFIX, BulkLoadCsvFormat.DEFAULT_NULL_STRING));
                if (this.grpKeys.groupIds().contains(Integer.valueOf(parseInt))) {
                    return;
                }
                this.grpKeys.setGroupKeys(parseInt, (List) serializable);
            }, true);
            if (this.grpKeys.groupIds().isEmpty()) {
                readOnlyMetastorage.iterate(ENCRYPTION_KEY_PREFIX, (str3, serializable2) -> {
                    this.grpKeys.setGroupKeys(Integer.parseInt(str3.replace(ENCRYPTION_KEY_PREFIX, BulkLoadCsvFormat.DEFAULT_NULL_STRING)), Collections.singletonList(new GroupKeyEncrypted(0, (byte[]) serializable2)));
                }, true);
            }
            Serializable read = readOnlyMetastorage.read(REENCRYPTED_WAL_SEGMENTS);
            if (read != null) {
                this.grpKeys.trackedWalSegments((Collection) read);
            }
            if (this.grpKeys.groupIds().isEmpty()) {
                U.quietAndInfo(this.log, "Encryption keys loaded from metastore. [grps=" + F.concat(this.grpKeys.groupIds(), IgniteKernal.COORDINATOR_PROPERTIES_SEPARATOR) + ", masterKeyName=" + getSpi().getMasterKeyName() + "]");
            }
            String string = IgniteSystemProperties.getString(IgniteSystemProperties.IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP);
            if (string != null) {
                if (string.equals(getSpi().getMasterKeyName())) {
                    if (this.log.isInfoEnabled()) {
                        this.log.info("Restored master key name equals to name from system property IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP. This system property will be ignored and recommended to remove [masterKeyName=" + string + "]");
                    }
                } else {
                    this.recoveryMasterKeyName = true;
                    if (this.log.isInfoEnabled()) {
                        this.log.info("System property IGNITE_MASTER_KEY_NAME_TO_CHANGE_BEFORE_STARTUP is set. Master key will be changed locally and group keys will be re-encrypted before join to cluster. Result will be saved to MetaStore on activation process. [masterKeyName=" + string + "]");
                    }
                    getSpi().setMasterKeyName(string);
                }
            }
        } catch (IgniteCheckedException e) {
            throw new IgniteException("Failed to read encryption keys state.", e);
        }
    }

    @Override // org.apache.ignite.internal.processors.cache.persistence.metastorage.MetastorageLifecycleListener
    public void onReadyForReadWrite(ReadWriteMetastorage readWriteMetastorage) throws IgniteCheckedException {
        CacheGroupContext cacheGroup;
        withMasterKeyChangeReadLock(() -> {
            synchronized (this.metaStorageMux) {
                this.metaStorage = readWriteMetastorage;
                this.writeToMetaStoreEnabled = true;
                if (this.recoveryMasterKeyName) {
                    writeKeysToWal();
                }
                writeKeysToMetaStore(this.restoredFromWAL || this.recoveryMasterKeyName);
                this.restoredFromWAL = false;
                this.recoveryMasterKeyName = false;
            }
            return null;
        });
        for (Map.Entry<Integer, Integer> entry : this.reencryptGroupsForced.entrySet()) {
            int intValue = entry.getKey().intValue();
            if (!this.reencryptGroups.containsKey(Integer.valueOf(intValue)) && entry.getValue().intValue() == getActiveKey(intValue).unsignedId() && (cacheGroup = this.ctx.cache().cacheGroup(intValue)) != null && cacheGroup.affinityNode()) {
                this.reencryptGroups.put(Integer.valueOf(intValue), this.pageScanner.pagesCount(cacheGroup));
            }
        }
        this.reencryptGroupsForced.clear();
    }

    @Override // org.apache.ignite.internal.processors.cluster.IgniteChangeGlobalStateSupport
    public void onActivate(GridKernalContext gridKernalContext) throws IgniteCheckedException {
        withMasterKeyChangeReadLock(() -> {
            synchronized (this.metaStorageMux) {
                this.writeToMetaStoreEnabled = this.metaStorage != null;
                if (this.writeToMetaStoreEnabled) {
                    writeKeysToMetaStore(false);
                }
            }
            return null;
        });
    }

    @Override // org.apache.ignite.internal.processors.cluster.IgniteChangeGlobalStateSupport
    public void onDeActivate(GridKernalContext gridKernalContext) {
        synchronized (this.metaStorageMux) {
            this.writeToMetaStoreEnabled = false;
        }
    }

    @Override // org.apache.ignite.internal.processors.cache.distributed.dht.preloader.PartitionsExchangeAware
    public void onDoneAfterTopologyUnlock(GridDhtPartitionsExchangeFuture gridDhtPartitionsExchangeFuture) {
        if (gridDhtPartitionsExchangeFuture.activateCluster() || gridDhtPartitionsExchangeFuture.localJoinExchange()) {
            try {
                startReencryption(this.reencryptGroups.keySet());
            } catch (IgniteCheckedException e) {
                this.log.error("Unable to start reencryption", e);
            }
        }
    }

    public void setEncryptionState(CacheGroupContext cacheGroupContext, int i, int i2, int i3) {
        long[] computeIfAbsent = this.reencryptGroups.computeIfAbsent(Integer.valueOf(cacheGroupContext.groupId()), num -> {
            return new long[cacheGroupContext.affinity().partitions() + 1];
        });
        computeIfAbsent[Math.min(i, computeIfAbsent.length - 1)] = ReencryptStateUtils.state(i2, i3);
    }

    public long getEncryptionState(int i, int i2) {
        long[] jArr = this.reencryptGroups.get(Integer.valueOf(i));
        if (jArr == null) {
            return 0L;
        }
        return jArr[Math.min(i2, jArr.length - 1)];
    }

    public long getBytesLeftForReencryption(int i) {
        return this.pageScanner.remainingPagesCount(i) * this.ctx.config().getDataStorageConfiguration().getPageSize();
    }

    public IgniteInternalFuture<T2<Collection<byte[]>, byte[]>> generateKeys(int i) {
        if (i == 0 || !this.ctx.clientNode()) {
            return new GridFinishedFuture(createKeys(i));
        }
        synchronized (this.opsMux) {
            if (this.disconnected || this.stopped) {
                return new GridFinishedFuture((Throwable) new IgniteFutureCancelledException("Node " + (this.stopped ? "stopped" : "disconnected")));
            }
            try {
                GenerateEncryptionKeyFuture generateEncryptionKeyFuture = new GenerateEncryptionKeyFuture(i);
                sendGenerateEncryptionKeyRequest(generateEncryptionKeyFuture);
                this.genEncKeyFuts.put(generateEncryptionKeyFuture.id(), generateEncryptionKeyFuture);
                return generateEncryptionKeyFuture;
            } catch (IgniteCheckedException e) {
                return new GridFinishedFuture((Throwable) e);
            }
        }
    }

    private void sendGenerateEncryptionKeyRequest(GenerateEncryptionKeyFuture generateEncryptionKeyFuture) throws IgniteCheckedException {
        ClusterNode randomServerNode = U.randomServerNode(this.ctx);
        if (randomServerNode == null) {
            throw new IgniteCheckedException("There is no node to send GenerateEncryptionKeyRequest to");
        }
        GenerateEncryptionKeyRequest generateEncryptionKeyRequest = new GenerateEncryptionKeyRequest(generateEncryptionKeyFuture.keyCount());
        generateEncryptionKeyFuture.id(generateEncryptionKeyRequest.id());
        generateEncryptionKeyFuture.nodeId(randomServerNode.id());
        this.ctx.io().sendToGridTopic(randomServerNode.id(), GridTopic.TOPIC_GEN_ENC_KEY, generateEncryptionKeyRequest, (byte) 2);
    }

    public boolean suspendReencryption(int i) throws IgniteCheckedException {
        return reencryptionFuture(i).cancel();
    }

    public boolean resumeReencryption(int i) throws IgniteCheckedException {
        if (!reencryptionFuture(i).isDone()) {
            return false;
        }
        if (!reencryptionInProgress(i)) {
            throw new IgniteCheckedException("Re-encryption completed or not required [grpId=" + i + "]");
        }
        startReencryption(Collections.singleton(Integer.valueOf(i)));
        return true;
    }

    private void startReencryption(Collection<Integer> collection) throws IgniteCheckedException {
        Iterator<Integer> it = collection.iterator();
        while (it.hasNext()) {
            int intValue = it.next().intValue();
            IgniteInternalFuture<Void> schedule = this.pageScanner.schedule(intValue);
            schedule.listen(() -> {
                if (schedule.isCancelled() || schedule.error() != null) {
                    this.log.warning("Reencryption " + (schedule.isCancelled() ? "cancelled" : "failed") + " [grp=" + intValue + "]", schedule.error());
                } else {
                    withMasterKeyChangeReadLock(() -> {
                        synchronized (this.metaStorageMux) {
                            cleanupKeys(intValue);
                            this.reencryptGroups.remove(Integer.valueOf(intValue));
                        }
                        return null;
                    });
                }
            });
        }
    }

    private void cleanupKeys(int i) throws IgniteCheckedException {
        Set<Integer> removeUnusedKeys = this.grpKeys.removeUnusedKeys(i);
        if (removeUnusedKeys.isEmpty()) {
            return;
        }
        writeGroupKeysToMetaStore(i, this.grpKeys.getAll(i));
        if (this.log.isInfoEnabled()) {
            this.log.info("Previous encryption keys were removed [grpId=" + i + ", keyIds=" + removeUnusedKeys + "]");
        }
    }

    private void writeKeysToMetaStore(boolean z) throws IgniteCheckedException {
        if (z) {
            this.metaStorage.write(MASTER_KEY_NAME_PREFIX, getSpi().getMasterKeyName());
        }
        if (!this.reencryptGroupsForced.isEmpty()) {
            writeTrackedWalIdxsToMetaStore();
        }
        for (Integer num : this.grpKeys.groupIds()) {
            if (z || this.reencryptGroupsForced.containsKey(num) || this.metaStorage.read("grp-encryption-keys-" + num) == null) {
                writeGroupKeysToMetaStore(num.intValue(), this.grpKeys.getAll(num.intValue()));
            }
        }
    }

    private void writeGroupKeysToMetaStore(int i, List<GroupKeyEncrypted> list) throws IgniteCheckedException {
        if (!$assertionsDisabled && !Thread.holdsLock(this.metaStorageMux)) {
            throw new AssertionError();
        }
        if (this.metaStorage == null || !this.writeToMetaStoreEnabled || this.stopped) {
            return;
        }
        this.ctx.cache().context().database().checkpointReadLock();
        try {
            this.metaStorage.write("grp-encryption-keys-" + i, (Serializable) list);
        } finally {
            this.ctx.cache().context().database().checkpointReadUnlock();
        }
    }

    private void writeTrackedWalIdxsToMetaStore() throws IgniteCheckedException {
        if (!$assertionsDisabled && !Thread.holdsLock(this.metaStorageMux)) {
            throw new AssertionError();
        }
        if (this.metaStorage == null || !this.writeToMetaStoreEnabled || this.stopped) {
            return;
        }
        this.ctx.cache().context().database().checkpointReadLock();
        try {
            this.metaStorage.write(REENCRYPTED_WAL_SEGMENTS, (Serializable) this.grpKeys.trackedWalSegments());
        } finally {
            this.ctx.cache().context().database().checkpointReadUnlock();
        }
    }

    public void checkEncryptedCacheSupported() throws IgniteCheckedException {
        for (ClusterNode clusterNode : this.ctx.grid().cluster().nodes()) {
            if (CACHE_ENCRYPTION_SINCE.compareTo(clusterNode.version()) > 0) {
                throw new IgniteCheckedException("All nodes in cluster should be 2.7.0 or greater to create encrypted cache! [nodeId=" + clusterNode.id() + "]");
            }
        }
    }

    @Override // org.apache.ignite.internal.managers.GridManagerAdapter, org.apache.ignite.internal.GridComponent
    public GridComponent.DiscoveryDataExchangeType discoveryDataType() {
        return GridComponent.DiscoveryDataExchangeType.ENCRYPTION_MGR;
    }

    @Nullable
    private HashMap<Integer, byte[]> newEncryptionKeys(Set<Integer> set) {
        if (!$assertionsDisabled && isMasterKeyChangeInProgress()) {
            throw new AssertionError();
        }
        HashMap<Integer, byte[]> hashMap = null;
        for (CacheGroupDescriptor cacheGroupDescriptor : this.ctx.cache().cacheGroupDescriptors().values()) {
            if (!set.contains(Integer.valueOf(cacheGroupDescriptor.groupId())) && cacheGroupDescriptor.config().isEncryptionEnabled()) {
                if (hashMap == null) {
                    hashMap = new HashMap<>();
                }
                hashMap.put(Integer.valueOf(cacheGroupDescriptor.groupId()), getSpi().encryptKey(getSpi().create()));
            }
        }
        return hashMap;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public T2<Collection<byte[]>, byte[]> createKeys(int i) {
        return (T2) withMasterKeyChangeReadLock(() -> {
            if (i == 0) {
                return new T2(Collections.emptyList(), getSpi().masterKeyDigest());
            }
            ArrayList arrayList = new ArrayList(i);
            for (int i2 = 0; i2 < i; i2++) {
                arrayList.add(getSpi().encryptKey(getSpi().create()));
            }
            return new T2(arrayList, getSpi().masterKeyDigest());
        });
    }

    private void doChangeMasterKey(String str) {
        if (this.log.isInfoEnabled()) {
            this.log.info("Start master key change [masterKeyName=" + str + "]");
        }
        this.masterKeyChangeLock.writeLock().lock();
        try {
            try {
                getSpi().setMasterKeyName(str);
                synchronized (this.metaStorageMux) {
                    this.ctx.cache().context().database().checkpointReadLock();
                    try {
                        writeKeysToWal();
                        if (!$assertionsDisabled && !this.writeToMetaStoreEnabled) {
                            throw new AssertionError();
                        }
                        writeKeysToMetaStore(true);
                        this.ctx.cache().context().database().checkpointReadUnlock();
                    } catch (Throwable th) {
                        this.ctx.cache().context().database().checkpointReadUnlock();
                        throw th;
                    }
                }
                if (this.log.isInfoEnabled()) {
                    this.log.info("Master key successfully changed [masterKeyName=" + str + "]");
                }
                this.masterKeyChangeLock.writeLock().unlock();
            } catch (Exception e) {
                U.error(this.log, "Unable to change master key locally.", e);
                this.ctx.failure().process(new FailureContext(FailureType.CRITICAL_ERROR, new IgniteException("Unable to change master key locally.", e)));
                this.masterKeyChangeLock.writeLock().unlock();
            }
        } catch (Throwable th2) {
            this.masterKeyChangeLock.writeLock().unlock();
            throw th2;
        }
    }

    private void writeKeysToWal() throws IgniteCheckedException {
        ArrayList arrayList = new ArrayList();
        Iterator<Integer> it = this.grpKeys.groupIds().iterator();
        while (it.hasNext()) {
            int intValue = it.next().intValue();
            Iterator<GroupKeyEncrypted> it2 = this.grpKeys.getAll(intValue).iterator();
            while (it2.hasNext()) {
                arrayList.add(new T2(Integer.valueOf(intValue), it2.next()));
            }
        }
        WALPointer log = this.ctx.cache().context().wal().log(new MasterKeyChangeRecordV2(getSpi().getMasterKeyName(), arrayList));
        if (!$assertionsDisabled && log == null) {
            throw new AssertionError();
        }
    }

    public void applyKeys(MasterKeyChangeRecordV2 masterKeyChangeRecordV2) {
        if (!$assertionsDisabled && (this.writeToMetaStoreEnabled || this.ctx.state().clusterState().active())) {
            throw new AssertionError();
        }
        if (this.log.isInfoEnabled()) {
            this.log.info("Master key name loaded from WAL [masterKeyName=" + masterKeyChangeRecordV2.getMasterKeyName() + "]");
        }
        try {
            getSpi().setMasterKeyName(masterKeyChangeRecordV2.getMasterKeyName());
            HashMap hashMap = new HashMap();
            for (T2<Integer, GroupKeyEncrypted> t2 : masterKeyChangeRecordV2.getGrpKeys()) {
                ((List) hashMap.computeIfAbsent(t2.getKey(), num -> {
                    return new ArrayList();
                })).add(t2.getValue());
            }
            for (Map.Entry entry : hashMap.entrySet()) {
                this.grpKeys.setGroupKeys(((Integer) entry.getKey()).intValue(), (List) entry.getValue());
            }
            this.restoredFromWAL = true;
        } catch (IgniteSpiException e) {
            this.log.warning("Unable to apply group keys from WAL record [masterKeyName=" + masterKeyChangeRecordV2.getMasterKeyName() + "]", e);
        }
    }

    public void applyReencryptionStartRecord(ReencryptionStartRecord reencryptionStartRecord) {
        if (!$assertionsDisabled && this.writeToMetaStoreEnabled) {
            throw new AssertionError();
        }
        for (Map.Entry<Integer, Byte> entry : reencryptionStartRecord.groups().entrySet()) {
            this.reencryptGroupsForced.put(entry.getKey(), Integer.valueOf(entry.getValue().byteValue() & 255));
        }
    }

    private IgniteInternalFuture<EmptyResult> prepareMasterKeyChange(MasterKeyChangeRequest masterKeyChangeRequest) {
        if (this.masterKeyChangeRequest != null) {
            return new GridFinishedFuture((Throwable) new IgniteException("Master key change was rejected. The previous change was not completed."));
        }
        if (this.ctx.cache().context().snapshotMgr().isSnapshotCreating() || this.ctx.cache().context().snapshotMgr().isRestoring()) {
            return new GridFinishedFuture((Throwable) new IgniteException("Master key change was rejected. Snapshot operation is in progress."));
        }
        this.masterKeyChangeRequest = masterKeyChangeRequest;
        if (this.ctx.clientNode()) {
            return new GridFinishedFuture();
        }
        try {
            String decryptKeyName = decryptKeyName(masterKeyChangeRequest.encKeyName());
            if (decryptKeyName.equals(getMasterKeyName())) {
                throw new IgniteException("Master key change was rejected. New name equal to the current.");
            }
            return !Arrays.equals(masterKeyChangeRequest.digest, tryChangeMasterKey(decryptKeyName)) ? new GridFinishedFuture((Throwable) new IgniteException("Master key change was rejected. Master key digest consistency check failed. Make sure that the new master key is the same at all server nodes [nodeId=" + this.ctx.localNodeId() + "]")) : new GridFinishedFuture(new EmptyResult());
        } catch (Exception e) {
            return new GridFinishedFuture((Throwable) new IgniteException("Master key change was rejected [nodeId=" + this.ctx.localNodeId() + "]", e));
        }
    }

    private void finishPrepareMasterKeyChange(UUID uuid, Map<UUID, EmptyResult> map, Map<UUID, Throwable> map2) {
        if (map2.isEmpty()) {
            if (U.isLocalNodeCoordinator(this.ctx.discovery())) {
                this.performMKChangeProc.start(uuid, this.masterKeyChangeRequest);
            }
        } else {
            if (this.masterKeyChangeRequest != null && this.masterKeyChangeRequest.requestId().equals(uuid)) {
                this.masterKeyChangeRequest = null;
            }
            completeMasterKeyChangeFuture(uuid, map2);
        }
    }

    private IgniteInternalFuture<EmptyResult> performMasterKeyChange(MasterKeyChangeRequest masterKeyChangeRequest) {
        if (this.masterKeyChangeRequest == null || !this.masterKeyChangeRequest.equals(masterKeyChangeRequest)) {
            return new GridFinishedFuture((Throwable) new IgniteException("Unknown master key change was rejected."));
        }
        if (!this.ctx.state().clusterState().state().active()) {
            this.masterKeyChangeRequest = null;
            return new GridFinishedFuture((Throwable) new IgniteException("Master key change was rejected. The cluster is inactive."));
        }
        if (!this.ctx.clientNode()) {
            doChangeMasterKey(decryptKeyName(masterKeyChangeRequest.encKeyName()));
        }
        this.masterKeyChangeRequest = null;
        this.masterKeyDigest = masterKeyChangeRequest.digest();
        return new GridFinishedFuture(new EmptyResult());
    }

    private void finishPerformMasterKeyChange(UUID uuid, Map<UUID, EmptyResult> map, Map<UUID, Throwable> map2) {
        completeMasterKeyChangeFuture(uuid, map2);
    }

    private void completeMasterKeyChangeFuture(UUID uuid, Map<UUID, Throwable> map) {
        synchronized (this.opsMux) {
            if (!(this.masterKeyChangeFut != null && this.masterKeyChangeFut.id().equals(uuid)) || this.masterKeyChangeFut.isDone()) {
                return;
            }
            if (F.isEmpty(map)) {
                this.masterKeyChangeFut.onDone();
            } else {
                this.masterKeyChangeFut.onDone(map.values().stream().findFirst().get());
            }
            this.masterKeyChangeFut = null;
        }
    }

    private void cancelFutures(String str) {
        if (!$assertionsDisabled && !Thread.holdsLock(this.opsMux)) {
            throw new AssertionError();
        }
        Iterator<GenerateEncryptionKeyFuture> it = this.genEncKeyFuts.values().iterator();
        while (it.hasNext()) {
            it.next().onDone((Throwable) new IgniteFutureCancelledException(str));
        }
        if (this.masterKeyChangeFut != null && !this.masterKeyChangeFut.isDone()) {
            this.masterKeyChangeFut.onDone((Throwable) new IgniteFutureCancelledException(str));
        }
        if (this.grpKeyChangeProc != null) {
            this.grpKeyChangeProc.cancel(str);
        }
    }

    public boolean isMasterKeyChangeInProgress() {
        return this.masterKeyChangeRequest != null;
    }

    @Nullable
    public byte[] masterKeyDigest() {
        return this.masterKeyDigest;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public <T> T withMasterKeyChangeReadLock(Callable<T> callable) {
        this.masterKeyChangeLock.readLock().lock();
        try {
            try {
                T call = callable.call();
                this.masterKeyChangeLock.readLock().unlock();
                return call;
            } catch (Exception e) {
                throw new IgniteException(e);
            }
        } catch (Throwable th) {
            this.masterKeyChangeLock.readLock().unlock();
            throw th;
        }
    }

    private byte[] masterKeyDigest(String str) {
        return getSpi().masterKeyDigest(str);
    }

    private byte[] tryChangeMasterKey(String str) throws IgniteCheckedException {
        this.masterKeyChangeLock.writeLock().lock();
        try {
            String masterKeyName = getSpi().getMasterKeyName();
            try {
                try {
                    getSpi().setMasterKeyName(str);
                    byte[] masterKeyDigest = getSpi().masterKeyDigest();
                    getSpi().setMasterKeyName(masterKeyName);
                    return masterKeyDigest;
                } catch (Throwable th) {
                    getSpi().setMasterKeyName(masterKeyName);
                    throw th;
                }
            } catch (Exception e) {
                throw new IgniteException("Unable to set master key locally [masterKeyName=" + str + "]", e);
            }
        } finally {
            this.masterKeyChangeLock.writeLock().unlock();
        }
    }

    private byte[] encryptKeyName(String str) {
        return (byte[]) withMasterKeyChangeReadLock(() -> {
            Serializable create = getSpi().create();
            byte[] encryptKey = getSpi().encryptKey(create);
            byte[] bytes = U.toBytes(str);
            ByteBuffer allocate = ByteBuffer.allocate(4 + encryptKey.length + getSpi().encryptedSize(bytes.length));
            allocate.putInt(encryptKey.length);
            allocate.put(encryptKey);
            getSpi().encrypt(ByteBuffer.wrap(bytes), create, allocate);
            return allocate.array();
        });
    }

    private String decryptKeyName(byte[] bArr) {
        return (String) withMasterKeyChangeReadLock(() -> {
            ByteBuffer wrap = ByteBuffer.wrap(bArr);
            byte[] bArr2 = new byte[wrap.getInt()];
            wrap.get(bArr2);
            byte[] bArr3 = new byte[wrap.remaining()];
            wrap.get(bArr3);
            return (String) U.fromBytes(getSpi().decrypt(bArr3, getSpi().decryptKey(bArr2)));
        });
    }

    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case 2000242529:
                if (implMethodName.equals("lambda$startReencryption$fc76bc5c$1")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 7 && serializedLambda.getFunctionalInterfaceClass().equals("org/apache/ignite/lang/IgniteRunnable") && serializedLambda.getFunctionalInterfaceMethodName().equals("run") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()V") && serializedLambda.getImplClass().equals("org/apache/ignite/internal/managers/encryption/GridEncryptionManager") && serializedLambda.getImplMethodSignature().equals("(Lorg/apache/ignite/internal/IgniteInternalFuture;I)V")) {
                    GridEncryptionManager gridEncryptionManager = (GridEncryptionManager) serializedLambda.getCapturedArg(0);
                    IgniteInternalFuture igniteInternalFuture = (IgniteInternalFuture) serializedLambda.getCapturedArg(1);
                    int intValue = ((Integer) serializedLambda.getCapturedArg(2)).intValue();
                    return () -> {
                        if (igniteInternalFuture.isCancelled() || igniteInternalFuture.error() != null) {
                            this.log.warning("Reencryption " + (igniteInternalFuture.isCancelled() ? "cancelled" : "failed") + " [grp=" + intValue + "]", igniteInternalFuture.error());
                        } else {
                            withMasterKeyChangeReadLock(() -> {
                                synchronized (this.metaStorageMux) {
                                    cleanupKeys(intValue);
                                    this.reencryptGroups.remove(Integer.valueOf(intValue));
                                }
                                return null;
                            });
                        }
                    };
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }

    static {
        $assertionsDisabled = !GridEncryptionManager.class.desiredAssertionStatus();
        CACHE_ENCRYPTION_SINCE = IgniteProductVersion.fromString("2.7.0");
    }
}
