package org.apache.hadoop.security.authentication;

import com.amazonaws.services.ecr.AmazonECR;
import com.amazonaws.services.ecr.AmazonECRClientBuilder;
import com.amazonaws.services.ecr.model.AmazonECRException;
import com.amazonaws.services.ecr.model.AuthorizationData;
import com.amazonaws.services.ecr.model.GetAuthorizationTokenRequest;
import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.yarn.security.DockerCredentialTokenIdentifier;
import org.apache.hadoop.yarn.util.DockerClientConfigHandler;
import org.apache.hadoop.yarn.util.DockerClientCredentialProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/security/authentication/EcrDockerClientCredentialProvider.class */
public class EcrDockerClientCredentialProvider implements DockerClientCredentialProvider {
    private static final String NM_DOCKER_ENABLE_ECR_AUTO_AUTHENTICATION = "yarn.nodemanager.runtime.linux.docker.ecr-auto-authentication.enabled";
    private static final boolean DEFAULT_NM_DOCKER_ENABLE_ECR_AUTO_AUTHENTICATION = false;
    private Configuration conf;
    private String clientConfig;
    private Path nmApplicationPrivateDir;
    private String imageName;
    private String applicationId;
    private static final Logger LOG = LoggerFactory.getLogger(EcrDockerClientCredentialProvider.class);
    public static final String ECR_IMAGE_PATTERN = "^[0-9]+\\.dkr\\.ecr\\.[a-zA-Z0-9\\-]+.amazonaws.com([a-z0-9_./-]+)(:[\\w.-]+)?$";
    private static final Pattern ecrImagePattern = Pattern.compile(ECR_IMAGE_PATTERN);

    public void init(Configuration configuration, String str, Path path, String str2, String str3) {
        this.conf = configuration;
        this.clientConfig = str;
        this.nmApplicationPrivateDir = path;
        this.imageName = str2;
        this.applicationId = str3;
    }

    public Credentials getCredential() throws IOException {
        if (this.conf.getBoolean(NM_DOCKER_ENABLE_ECR_AUTO_AUTHENTICATION, false)) {
            try {
                if (checkEcrImageName(this.imageName)) {
                    return getEcrCredential(new File(this.nmApplicationPrivateDir + "/ecr-token-cache"), this.imageName, this.applicationId);
                }
            } catch (IOException e) {
                throw e;
            }
        }
        if (this.clientConfig == null || this.clientConfig.isEmpty()) {
            return null;
        }
        return DockerClientConfigHandler.readCredentialsFromConfigFile(new Path(this.clientConfig), this.conf, this.applicationId);
    }

    private Credentials getEcrCredential(File file, String str, String str2) throws IOException {
        Credentials credentials = new Credentials();
        String str3 = null;
        if (file.exists()) {
            str3 = FileUtils.readFileToString(file, StandardCharsets.UTF_8);
        }
        if (str3 == null || str3.isEmpty()) {
            try {
                str3 = ((AuthorizationData) ((AmazonECR) AmazonECRClientBuilder.standard().build()).getAuthorizationToken(new GetAuthorizationTokenRequest()).getAuthorizationData().get(0)).getAuthorizationToken();
                if (str3 == null || str3.isEmpty()) {
                    throw new IOException("Failed to get ecr authorization token");
                }
                FileUtils.deleteQuietly(file);
                FileUtils.writeStringToFile(file, str3, StandardCharsets.UTF_8);
            } catch (AmazonECRException e) {
                throw new IOException("Failed to get ecr authorization token: " + e.getErrorMessage());
            }
        }
        DockerCredentialTokenIdentifier dockerCredentialTokenIdentifier = new DockerCredentialTokenIdentifier(str, str2);
        credentials.addToken(new Text(str + "-" + str2), new Token(dockerCredentialTokenIdentifier.getBytes(), str3.getBytes(Charset.forName("UTF-8")), dockerCredentialTokenIdentifier.getKind(), new Text(str)));
        LOG.info("Got token from AmazonECR");
        return credentials;
    }

    private boolean checkEcrImageName(String str) {
        return ecrImagePattern.matcher(str).matches();
    }
}
