package org.apache.knox.gateway.cloud.idbroker.common;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.TokenRenewer;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
import org.apache.knox.gateway.cloud.idbroker.IDBConstants;
import org.apache.knox.gateway.shell.BasicResponse;
import org.apache.knox.gateway.shell.ClientContext;
import org.apache.knox.gateway.shell.CloudAccessBrokerSession;
import org.apache.knox.gateway.shell.knox.token.CloudAccessBrokerTokenRenew;
import org.apache.knox.gateway.shell.knox.token.CloudAccessBrokerTokenRevoke;
import org.apache.knox.gateway.shell.knox.token.Renew;
import org.apache.knox.gateway.shell.knox.token.Revoke;
import org.apache.knox.gateway.util.Tokens;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/common/AbstractIDBTokenRenewer.class */
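/**
 * Base {@link TokenRenewer} that renews and cancels the Knox access token carried by a
 * {@link DelegationTokenIdentifier}, by calling the token endpoints built from configuration.
 *
 * <p>Subclasses supply the configuration lookups, extract the access token and its expiration
 * from the identifier, and decide which identifiers are managed.
 *
 * <p>The lazily created {@link RequestExecutor} is guarded by a lock; no other mutable state is
 * held by this class.
 */
public abstract class AbstractIDBTokenRenewer extends TokenRenewer {
    private static final Logger LOG = LoggerFactory.getLogger(AbstractIDBTokenRenewer.class);
    private static final String ERR_INVALID_RENEWER = "The user (%s) does not match the renewer declared for the token: %s";

    // Shared instances: only readValue() is ever called on the mapper, so it is never reconfigured.
    private static final ObjectMapper JSON_MAPPER = new ObjectMapper();
    private static final TypeReference<Map<String, Object>> JSON_MAP_TYPE = new TypeReference<Map<String, Object>>() {
    };

    private final Lock requestExecutorInitLock = new ReentrantLock(true);
    private RequestExecutor requestExecutor;

    /**
     * Reports whether this renewer is responsible for the given token.
     *
     * @param token the token to inspect
     * @return {@code true} when the identifier decodes, its kind is handled by this renewer and
     *         {@link #isManagedToken(DelegationTokenIdentifier)} accepts it
     * @throws IOException if the identifier cannot be decoded
     */
    @Override
    public boolean isManaged(Token<?> token) throws IOException {
        TokenIdentifier identifier = token.decodeIdentifier();
        if (identifier == null) {
            // decodeIdentifier() yields null when no identifier class is registered for the kind;
            // such a token cannot be one of ours.
            return false;
        }
        return handleKind(identifier.getKind()) && isManagedToken((DelegationTokenIdentifier) identifier);
    }

    /**
     * Renews the access token carried by a managed delegation token.
     *
     * @param token         the delegation token to renew
     * @param configuration configuration used to locate the token endpoints
     * @return {@code 0} for a non-managed token; otherwise the expiration reported by the
     *         endpoint when it is non-negative, else the identifier's expiration converted from
     *         seconds to milliseconds
     * @throws IOException if the current user is not the declared renewer or the renewal
     *                     request fails
     * @throws InterruptedException declared by the overridden method
     */
    @Override
    public long renew(Token<?> token, Configuration configuration) throws IOException, InterruptedException {
        TokenIdentifier identifier = token.decodeIdentifier();
        long expiration = 0;
        if (isManaged(token)) {
            DelegationTokenIdentifier delegationTokenIdentifier = (DelegationTokenIdentifier) identifier;
            // NOTE(review): the identifier's toString() is logged at DEBUG and INFO. Confirm that
            // no subclass includes the access token in toString(); the access token itself is
            // only logged through Tokens.getTokenDisplayText() below.
            LOG.debug("Token: {}", delegationTokenIdentifier);
            expiration = TimeUnit.SECONDS.toMillis(getTokenExpiration(delegationTokenIdentifier));
            LOG.info("Renewing {}", identifier);
            String accessToken = getAccessToken(delegationTokenIdentifier);
            if (accessToken == null || accessToken.isEmpty()) {
                // Nothing is sent to the endpoint, so the renewer check below is not reached.
                LOG.info("Skipping Knox Token renewal because it's null or empty");
                return expiration;
            }
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            if (!validateRenewer(currentUser, delegationTokenIdentifier)) {
                throw new IOException("Invalid renewer: " + currentUser.getShortUserName());
            }
            try {
                LOG.info("Renewing access token: {}", Tokens.getTokenDisplayText(accessToken));
                long renewedExpiration = requestRenewal(accessToken, configuration, currentUser);
                if (renewedExpiration >= 0) {
                    expiration = renewedExpiration;
                }
            } catch (Exception e) {
                if (e instanceof InterruptedException) {
                    // The exception is reported as an IOException; keep the interrupt visible.
                    Thread.currentThread().interrupt();
                }
                LOG.error("Error renewing token: {}", e.getMessage());
                throw new IOException("Error renewing token", e);
            }
        } else {
            LOG.info("Skipping renewal of non-managed token: {}", identifier);
        }
        LOG.debug("Updated token expiration: {}", expiration);
        return expiration;
    }

    /**
     * Sends the renewal request as the given user and interprets the response.
     *
     * @return the value of the response's {@code expires} field, or {@code -1} when the response
     *         carries no JSON body or no such field
     * @throws Exception if the request fails, the status is not 200, or the endpoint reports that
     *                   the token was not renewed
     */
    private long requestRenewal(String accessToken, Configuration configuration, UserGroupInformation userGroupInformation) throws Exception {
        RequestExecutor executor = getRequestExecutor(configuration);
        ClientContext clientContext = ClientContext.with(executor.getEndpoint());
        clientContext.kerberos().enable(true);
        Renew.Request renew = org.apache.knox.gateway.shell.knox.token.Token.renew(
                CloudAccessBrokerSession.create(clientContext), accessToken, userGroupInformation.getShortUserName());
        BasicResponse response = (BasicResponse) userGroupInformation.doAs(() -> {
            return (BasicResponse) executor.execute(new CloudAccessBrokerTokenRenew(renew));
        });
        String body = response.getString();
        int statusCode = response.getStatusCode();
        if (statusCode != 200) {
            LOG.error("Failed to renew token: {}", statusCode);
            if (body != null) {
                LOG.error(body);
            }
            throw new IOException("Failed to renew token: " + statusCode);
        }
        long expires = -1;
        // A 200 without a JSON body is accepted; the caller then keeps the identifier's expiration.
        if (response.getContentLength() > 0 && IDBConstants.MIME_TYPE_JSON.equals(response.getContentType())) {
            Map<String, Object> json = parseJSONResponse(body);
            // String.valueOf() accepts both a JSON string ("true") and a JSON boolean (true);
            // a plain (String) cast fails on the latter.
            if (!Boolean.parseBoolean(String.valueOf(json.getOrDefault("renewed", "false")))) {
                LOG.error("Token could not be renewed: {}", json.get("error"));
                throw new IOException("Token could not be renewed: " + json.get("error"));
            }
            LOG.debug("Token renewed.");
            Object expiresValue = json.get("expires");
            String expiresText = expiresValue == null ? "" : expiresValue.toString();
            if (!expiresText.isEmpty()) {
                expires = Long.parseLong(expiresText);
            }
        }
        return expires;
    }

    /**
     * Revokes the access token carried by a managed delegation token.
     *
     * <p>Non-managed tokens and identifiers without an access token are skipped.
     *
     * @param token         the delegation token to cancel
     * @param configuration configuration used to locate the token endpoints
     * @throws IOException if the current user is not the declared renewer or the revocation
     *                     request fails
     * @throws InterruptedException declared by the overridden method
     */
    @Override
    public void cancel(Token<?> token, Configuration configuration) throws IOException, InterruptedException {
        TokenIdentifier identifier = token.decodeIdentifier();
        if (!isManaged(token)) {
            LOG.info("Skipping revocation of non-managed token: {}", identifier);
            return;
        }
        // NOTE(review): the identifier's toString() is logged here; confirm it never contains the
        // access token.
        LOG.info("Canceling {}", identifier);
        DelegationTokenIdentifier delegationTokenIdentifier = (DelegationTokenIdentifier) identifier;
        LOG.debug("Token: {}", delegationTokenIdentifier);
        String accessToken = getAccessToken(delegationTokenIdentifier);
        if (accessToken == null || accessToken.isEmpty()) {
            LOG.info("Skipping Knox Token revocation because it's null or empty");
            return;
        }
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (!validateRenewer(currentUser, delegationTokenIdentifier)) {
            throw new IOException("Invalid renewer: " + currentUser.getShortUserName());
        }
        try {
            LOG.info("Revoking access token: {}", Tokens.getTokenDisplayText(accessToken));
            requestRevocation(accessToken, configuration, currentUser);
        } catch (Exception e) {
            if (e instanceof InterruptedException) {
                // The exception is reported as an IOException; keep the interrupt visible.
                Thread.currentThread().interrupt();
            }
            LOG.error("Error canceling token: {}", e.getMessage());
            throw new IOException("Error canceling token", e);
        }
    }

    /**
     * Sends the revocation request as the given user and interprets the response.
     *
     * @throws Exception if the request fails, the status is not 200 (unless the endpoint's error
     *                   text contains "not configured"), or the endpoint reports that the token
     *                   was not revoked
     */
    private void requestRevocation(String accessToken, Configuration configuration, UserGroupInformation userGroupInformation) throws Exception {
        RequestExecutor executor = getRequestExecutor(configuration);
        ClientContext clientContext = ClientContext.with(executor.getEndpoint());
        clientContext.kerberos().enable(true);
        Revoke.Request revoke = org.apache.knox.gateway.shell.knox.token.Token.revoke(
                CloudAccessBrokerSession.create(clientContext), accessToken, userGroupInformation.getShortUserName());
        BasicResponse response = (BasicResponse) userGroupInformation.doAs(() -> {
            return (BasicResponse) executor.execute(new CloudAccessBrokerTokenRevoke(revoke));
        });
        String body = null;
        try {
            body = response.getString();
        } catch (Exception e) {
            // Best effort: the status code below still decides the outcome without a body.
            LOG.debug("Could not read the revocation response body: {}", e.getMessage());
        }
        int statusCode = response.getStatusCode();
        if (statusCode != 200) {
            LOG.error("Failed to cancel token: {}", statusCode);
            if (body != null) {
                LOG.error(body);
                if (isRevocationNotConfigured(body)) {
                    // Fail-open by design of the original code: the cancel call succeeds although
                    // the endpoint did not revoke anything. Make that visible to operators.
                    LOG.warn("Treating cancel as a no-op (status {}); the access token has NOT been revoked by the endpoint", statusCode);
                    return;
                }
            }
            throw new IOException("Failed to cancel token: " + statusCode);
        }
        // A 200 without a JSON body is accepted as success; there is no "revoked" flag to check.
        if (body == null || response.getContentLength() <= 0 || !IDBConstants.MIME_TYPE_JSON.equals(response.getContentType())) {
            return;
        }
        Map<String, Object> json = parseJSONResponse(body);
        if (Boolean.parseBoolean(String.valueOf(json.getOrDefault("revoked", "false")))) {
            LOG.info("Token canceled.");
        } else {
            LOG.error("Token could not be canceled: {}", json.get("error"));
            throw new IOException("Token could not be canceled: " + json.get("error"));
        }
    }

    /**
     * Checks whether an error body's {@code error} field contains "not configured".
     *
     * <p>A body that is not JSON, or has no {@code error} field, is not a match; the caller then
     * reports the failed status code instead of a parse error or NullPointerException.
     */
    private static boolean isRevocationNotConfigured(String body) {
        try {
            Object error = parseJSONResponse(body).get("error");
            return error != null && error.toString().contains("not configured");
        } catch (IOException e) {
            LOG.debug("Could not parse the error response as JSON: {}", e.getMessage());
            return false;
        }
    }

    protected abstract List<String> getGatewayAddressConfigProperty(Configuration configuration);

    protected abstract String getDelegationTokenPathConfigProperty(Configuration configuration);

    protected abstract String getAccessToken(DelegationTokenIdentifier delegationTokenIdentifier);

    protected abstract long getTokenExpiration(DelegationTokenIdentifier delegationTokenIdentifier);

    protected abstract RequestErrorHandlingAttributes getRequestErrorHandlingAttributes(Configuration configuration);

    protected abstract boolean isManagedToken(DelegationTokenIdentifier delegationTokenIdentifier);

    /**
     * Builds one endpoint URL per configured gateway address by appending the token path.
     *
     * <p>NOTE(review): the addresses are used as configured and the access token is sent to
     * them; confirm that deployment configuration restricts them to TLS endpoints.
     */
    private List<String> getTokenEndpoints(Configuration configuration) {
        List<String> endpoints = new ArrayList<>();
        String tokenPath = getDelegationTokenPathConfigProperty(configuration);
        for (String address : getGatewayAddressConfigProperty(configuration)) {
            endpoints.add(address + (address.endsWith("/") ? "" : "/") + tokenPath);
        }
        return endpoints;
    }

    /**
     * Returns the shared request executor, creating it on first use.
     *
     * <p>The executor is built from the configuration of the first call; later calls return the
     * cached instance and do not consult their {@code configuration} argument.
     */
    protected RequestExecutor getRequestExecutor(Configuration configuration) {
        this.requestExecutorInitLock.lock();
        try {
            if (this.requestExecutor == null) {
                this.requestExecutor = new DefaultRequestExecutor(getTokenEndpoints(configuration), getRequestErrorHandlingAttributes(configuration));
            }
            return this.requestExecutor;
        } finally {
            this.requestExecutorInitLock.unlock();
        }
    }

    /**
     * Checks that the user is the renewer named in the identifier.
     *
     * <p>The comparison uses the user's short name; the log message shows the full user name.
     * NOTE(review): this is a local check on the identifier's contents; confirm that the endpoint
     * enforces the renewer as well.
     *
     * @return {@code true} only when a non-empty renewer is declared and equals the short name
     */
    private static boolean validateRenewer(UserGroupInformation userGroupInformation, DelegationTokenIdentifier delegationTokenIdentifier) {
        Text renewer = delegationTokenIdentifier.getRenewer();
        if (renewer == null || renewer.getLength() <= 0) {
            LOG.error("Operation not permitted. No renewer is specified in the identifier.");
            return false;
        }
        if (!renewer.toString().equals(userGroupInformation.getShortUserName())) {
            LOG.error(String.format(Locale.ROOT, ERR_INVALID_RENEWER, userGroupInformation.getUserName(), renewer));
            return false;
        }
        return true;
    }

    /**
     * Parses a response body as a JSON object.
     *
     * @throws IOException if the body is not valid JSON or is the JSON literal {@code null}
     */
    private static Map<String, Object> parseJSONResponse(String str) throws IOException {
        Map<String, Object> parsed = JSON_MAPPER.readValue(str, JSON_MAP_TYPE);
        if (parsed == null) {
            throw new IOException("Response body is not a JSON object");
        }
        return parsed;
    }
}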
