package org.apache.hadoop.fs.s3a.auth.delegation;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.net.URI;
import java.util.EnumSet;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
import org.apache.hadoop.fs.s3a.S3AFileSystem;
import org.apache.hadoop.fs.s3a.S3AInstrumentation;
import org.apache.hadoop.fs.s3a.auth.RoleModel;
import org.apache.hadoop.fs.s3a.auth.delegation.AWSPolicyProvider;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.service.ServiceOperations;
import org.apache.hadoop.util.DurationInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens.class */
public class S3ADelegationTokens extends AbstractDTService {

    @VisibleForTesting
    static final String E_ALREADY_DEPLOYED = "S3A Delegation tokens has already been bound/deployed";
    public static final String E_DELEGATION_TOKENS_DISABLED = "Delegation tokens are not enabled";
    private final UserGroupInformation user;
    private final AtomicInteger creationCount;
    private Text service;
    private Optional<Token<AbstractS3ATokenIdentifier>> boundDT;
    private Optional<AbstractS3ATokenIdentifier> decodedIdentifier;
    private AbstractDelegationTokenBinding tokenBinding;
    private Optional<AWSCredentialProviderList> credentialProviders;
    private S3AInstrumentation.DelegationTokenStatistics stats;
    private String tokenBindingName;
    private static final Logger LOG = LoggerFactory.getLogger(S3ADelegationTokens.class);
    protected static final EnumSet<AWSPolicyProvider.AccessLevel> ACCESS_POLICY = EnumSet.of(AWSPolicyProvider.AccessLevel.READ, AWSPolicyProvider.AccessLevel.WRITE);

    /* loaded from: input_file:org/apache/hadoop/fs/s3a/auth/delegation/S3ADelegationTokens$TokenIssuingPolicy.class */
    public enum TokenIssuingPolicy {
        ReturnExistingToken,
        NoTokensAvailable,
        RequestNewToken
    }

    public S3ADelegationTokens() throws IOException {
        super("S3ADelegationTokens");
        this.creationCount = new AtomicInteger(0);
        this.boundDT = Optional.empty();
        this.decodedIdentifier = Optional.empty();
        this.credentialProviders = Optional.empty();
        this.tokenBindingName = "";
        this.user = UserGroupInformation.getCurrentUser();
    }

    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService
    public void bindToFileSystem(URI uri, S3AFileSystem s3AFileSystem) throws IOException {
        super.bindToFileSystem(uri, s3AFileSystem);
        this.service = getTokenService(getCanonicalUri());
        this.stats = s3AFileSystem.getInstrumentation().newDelegationTokenStatistics();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.fs.s3a.auth.delegation.AbstractDTService
    public void serviceInit(Configuration configuration) throws Exception {
        super.serviceInit(configuration);
        Preconditions.checkState(hasDelegationTokenBinding(configuration), E_DELEGATION_TOKENS_DISABLED);
        this.tokenBinding = (AbstractDelegationTokenBinding) configuration.getClass(DelegationConstants.DELEGATION_TOKEN_BINDING, SessionTokenBinding.class, AbstractDelegationTokenBinding.class).newInstance();
        this.tokenBinding.bindToFileSystem(getCanonicalUri(), getFileSystem());
        this.tokenBinding.init(configuration);
        this.tokenBindingName = this.tokenBinding.getKind().toString();
        LOG.debug("Filesystem {} is using delegation tokens of kind {}", getCanonicalUri(), this.tokenBindingName);
    }

    protected void serviceStart() throws Exception {
        super.serviceStart();
        this.tokenBinding.start();
        bindToAnyDelegationToken();
        LOG.debug("S3A Delegation support token {} with {}", identifierToString(), this.tokenBinding.getDescription());
    }

    private String identifierToString() {
        return (String) this.decodedIdentifier.map((v0) -> {
            return Objects.toString(v0);
        }).orElse("(none)");
    }

    protected void serviceStop() throws Exception {
        LOG.debug("Stopping delegation tokens");
        try {
            super.serviceStop();
            ServiceOperations.stopQuietly(LOG, this.tokenBinding);
        } catch (Throwable th) {
            ServiceOperations.stopQuietly(LOG, this.tokenBinding);
            throw th;
        }
    }

    private void deployUnbonded() throws IOException {
        requireServiceStarted();
        Preconditions.checkState(!isBoundToDT(), "Already Bound to a delegation token");
        LOG.debug("No delegation tokens present: using direct authentication");
        this.credentialProviders = Optional.of(this.tokenBinding.deployUnbonded());
    }

    private void bindToAnyDelegationToken() throws IOException {
        Preconditions.checkState(!this.credentialProviders.isPresent(), E_ALREADY_DEPLOYED);
        Token<AbstractS3ATokenIdentifier> selectTokenFromFSOwner = selectTokenFromFSOwner();
        if (selectTokenFromFSOwner != null) {
            bindToDelegationToken(selectTokenFromFSOwner);
        } else {
            deployUnbonded();
        }
        if (this.credentialProviders.get().size() == 0) {
            throw new DelegationTokenIOException("No AWS credential providers created by Delegation Token Binding " + this.tokenBinding.getName());
        }
    }

    @VisibleForTesting
    void resetTokenBindingToDT(Token<AbstractS3ATokenIdentifier> token) throws IOException {
        this.credentialProviders = Optional.empty();
        bindToDelegationToken(token);
    }

    @VisibleForTesting
    public void bindToDelegationToken(Token<AbstractS3ATokenIdentifier> token) throws IOException {
        Preconditions.checkState(!this.credentialProviders.isPresent(), E_ALREADY_DEPLOYED);
        this.boundDT = Optional.of(token);
        AbstractS3ATokenIdentifier extractIdentifier = extractIdentifier(token);
        LOG.info("Using delegation token {}", extractIdentifier);
        this.decodedIdentifier = Optional.of(extractIdentifier);
        DurationInfo durationInfo = new DurationInfo(LOG, true, "Creating Delegation Token", new Object[0]);
        Throwable th = null;
        try {
            try {
                this.credentialProviders = Optional.of(this.tokenBinding.bindToTokenIdentifier(extractIdentifier));
                if (durationInfo != null) {
                    if (0 == 0) {
                        durationInfo.close();
                        return;
                    }
                    try {
                        durationInfo.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (durationInfo != null) {
                if (th != null) {
                    try {
                        durationInfo.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    durationInfo.close();
                }
            }
            throw th4;
        }
    }

    public boolean isBoundToDT() {
        return this.boundDT.isPresent();
    }

    public Optional<Token<AbstractS3ATokenIdentifier>> getBoundDT() {
        return this.boundDT;
    }

    public TokenIssuingPolicy getTokenIssuingPolicy() {
        return isBoundToDT() ? TokenIssuingPolicy.ReturnExistingToken : this.tokenBinding.getTokenIssuingPolicy();
    }

    public Token<AbstractS3ATokenIdentifier> getBoundOrNewDT(EncryptionSecrets encryptionSecrets, Text text) throws IOException {
        LOG.debug("Delegation token requested");
        if (!isBoundToDT()) {
            return createDelegationToken(encryptionSecrets, text);
        }
        LOG.debug("Returning current token");
        return getBoundDT().get();
    }

    public int getCreationCount() {
        return this.creationCount.get();
    }

    @VisibleForTesting
    public Token<AbstractS3ATokenIdentifier> createDelegationToken(EncryptionSecrets encryptionSecrets, Text text) throws IOException {
        requireServiceStarted();
        Preconditions.checkArgument(encryptionSecrets != null, "Null encryption secrets");
        List<RoleModel.Statement> listAWSPolicyRules = getFileSystem().listAWSPolicyRules(ACCESS_POLICY);
        Optional<RoleModel.Policy> empty = listAWSPolicyRules.isEmpty() ? Optional.empty() : Optional.of(new RoleModel.Policy(listAWSPolicyRules));
        DurationInfo durationInfo = new DurationInfo(LOG, true, "Creating New Delegation Token", new Object[]{this.tokenBinding.getKind()});
        Throwable th = null;
        try {
            try {
                Token<AbstractS3ATokenIdentifier> createDelegationToken = this.tokenBinding.createDelegationToken(empty, encryptionSecrets, text);
                if (createDelegationToken != null) {
                    createDelegationToken.setService(this.service);
                    noteTokenCreated(createDelegationToken);
                }
                if (durationInfo != null) {
                    if (0 != 0) {
                        try {
                            durationInfo.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        durationInfo.close();
                    }
                }
                return createDelegationToken;
            } finally {
            }
        } catch (Throwable th3) {
            if (durationInfo != null) {
                if (th != null) {
                    try {
                        durationInfo.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    durationInfo.close();
                }
            }
            throw th3;
        }
    }

    private void noteTokenCreated(Token<AbstractS3ATokenIdentifier> token) {
        LOG.info("Created S3A Delegation Token: {}", token);
        this.creationCount.incrementAndGet();
        this.stats.tokenIssued();
    }

    public AWSCredentialProviderList getCredentialProviders() throws IOException {
        return this.credentialProviders.orElseThrow(() -> {
            return new DelegationTokenIOException("Not yet bonded");
        });
    }

    public Optional<EncryptionSecrets> getEncryptionSecrets() {
        return this.decodedIdentifier.map((v0) -> {
            return v0.getEncryptionSecrets();
        });
    }

    public Optional<AbstractS3ATokenIdentifier> getDecodedIdentifier() {
        return this.decodedIdentifier;
    }

    public Text getService() {
        return this.service;
    }

    public String getCanonicalServiceName() {
        return getCanonicalUri().toString();
    }

    @VisibleForTesting
    public Token<AbstractS3ATokenIdentifier> selectTokenFromFSOwner() throws IOException {
        return lookupToken(this.user.getCredentials(), this.service, this.tokenBinding.getKind());
    }

    private static Text getTokenService(URI uri) {
        return getTokenService(uri.toString());
    }

    public String toString() {
        StringBuilder sb = new StringBuilder("S3ADelegationTokens{");
        sb.append("canonicalServiceURI=").append(getCanonicalUri());
        sb.append("; owner=").append(this.user.getShortUserName());
        sb.append("; isBoundToDT=").append(isBoundToDT());
        sb.append("; token creation count=").append(getCreationCount());
        sb.append("; tokenManager=").append(this.tokenBinding);
        sb.append("; token=").append(identifierToString());
        sb.append('}');
        return sb.toString();
    }

    public Text getTokenKind() {
        return this.tokenBinding.getKind();
    }

    @VisibleForTesting
    static Text getTokenService(String str) {
        return new Text(str);
    }

    public AbstractS3ATokenIdentifier extractIdentifier(Token<? extends AbstractS3ATokenIdentifier> token) throws IOException {
        Preconditions.checkArgument(token != null, "null token");
        try {
            AbstractS3ATokenIdentifier decodeIdentifier = token.decodeIdentifier();
            if (decodeIdentifier == null) {
                throw new DelegationTokenIOException("Failed to unmarshall token for " + getCanonicalUri());
            }
            decodeIdentifier.validate();
            return decodeIdentifier;
        } catch (RuntimeException e) {
            Throwable cause = e.getCause();
            if (cause != null) {
                throw new DelegationTokenIOException("Decoding S3A token " + cause, cause);
            }
            throw e;
        }
    }

    public String getUserAgentField() {
        return this.tokenBinding.getUserAgentField();
    }

    @VisibleForTesting
    public static Token<AbstractS3ATokenIdentifier> lookupToken(Credentials credentials, Text text, Text text2) throws DelegationTokenIOException {
        LOG.debug("Looking for token for service {} in credentials", text);
        Token<AbstractS3ATokenIdentifier> token = credentials.getToken(text);
        if (token == null) {
            LOG.debug("No token for {} found", text);
            return null;
        }
        Text kind = token.getKind();
        LOG.debug("Found token of kind {}", kind);
        if (text2.equals(kind)) {
            return token;
        }
        throw new DelegationTokenIOException("Token mismatch: expected token for " + text + " of type " + text2 + " but got a token of type " + kind);
    }

    public static Token<AbstractS3ATokenIdentifier> lookupToken(Credentials credentials, Text text) {
        return credentials.getToken(text);
    }

    public static Token<AbstractS3ATokenIdentifier> lookupS3ADelegationToken(Credentials credentials, URI uri) {
        return lookupToken(credentials, getTokenService(uri.toString()));
    }

    public static boolean hasDelegationTokenBinding(Configuration configuration) {
        return StringUtils.isNotEmpty(configuration.getTrimmed(DelegationConstants.DELEGATION_TOKEN_BINDING, ""));
    }
}
