package org.apache.hadoop.security.token.delegation;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import javax.crypto.SecretKey;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
import org.apache.hadoop.util.Daemon;
import org.apache.hadoop.util.Time;
import org.spark-project.guava.base.Preconditions;

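/**
 * Server-side secret manager for delegation tokens.
 *
 * <p>Keeps two in-memory tables: {@link #allKeys} (master keys by key id) and
 * {@link #currentTokens} (issued tokens with their renew date and password).
 * A token password is produced by the inherited {@code createPassword(byte[], SecretKey)}
 * from the identifier bytes and a master key, so possession of the password is what
 * authenticates a token holder. A background thread rolls the master key and purges
 * expired tokens. The no-op {@code store*}/{@code remove*}/{@code log*} hooks let
 * subclasses persist that state.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Token passwords are compared with {@link MessageDigest#isEqual(byte[], byte[])}
 *       so that the comparison time does not depend on how many leading bytes of a
 *       guessed password are correct.</li>
 *   <li>Log statements in this class print token identifiers, never passwords or key
 *       material. Keep it that way when adding diagnostics.</li>
 *   <li>The caller names passed to {@link #renewToken} and {@link #cancelToken} are
 *       trusted as given; they must come from an authenticated context.</li>
 * </ul>
 *
 * <p>Most state-changing methods synchronize on {@code this}. This listing is decompiler
 * output: a few members are marked "access modifiers changed" and are wider than in the
 * original class.
 */
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
/* loaded from: input_file:org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager.class */
public abstract class AbstractDelegationTokenSecretManager<TokenIdent extends AbstractDelegationTokenIdentifier> extends SecretManager<TokenIdent> {
    private static final Log LOG = LogFactory.getLog(AbstractDelegationTokenSecretManager.class);
    // Master key currently used to generate passwords for newly issued tokens.
    private DelegationKey currentKey;
    // All four intervals are set once by the constructor and compared against Time.now().
    private long keyUpdateInterval;
    private long tokenMaxLifetime;
    private long tokenRemoverScanInterval;
    private long tokenRenewInterval;
    private Thread tokenRemoverThread;
    // Read by the remover thread without holding the monitor, hence volatile.
    protected volatile boolean running;
    // Issued tokens that are still valid; guarded by synchronized (this).
    protected final Map<TokenIdent, DelegationTokenInformation> currentTokens = new HashMap<TokenIdent, DelegationTokenInformation>();
    protected int delegationTokenSequenceNumber = 0;
    // Master keys by key id; old keys stay here until they expire so existing tokens can be renewed.
    protected final Map<Integer, DelegationKey> allKeys = new HashMap<Integer, DelegationKey>();
    protected int currentId = 0;
    protected Object noInterruptsLock = new Object();
    protected boolean storeTokenTrackingId = false;

    /**
     * Per-token record held in {@code currentTokens}: renew date, password and an
     * optional tracking id.
     */
    @InterfaceStability.Evolving
    /* loaded from: input_file:org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager$DelegationTokenInformation.class */
    public static class DelegationTokenInformation {
        long renewDate;
        // Secret: the token password. Stored by reference, not copied.
        byte[] password;
        String trackingId;

        /**
         * Creates a record without a tracking id.
         *
         * @param j    renew date
         * @param bArr token password
         */
        public DelegationTokenInformation(long j, byte[] bArr) {
            this(j, bArr, null);
        }

        /**
         * @param j    renew date
         * @param bArr token password (the array is kept as-is, no defensive copy)
         * @param str  tracking id, may be {@code null}
         */
        public DelegationTokenInformation(long j, byte[] bArr, String str) {
            this.renewDate = j;
            this.password = bArr;
            this.trackingId = str;
        }

        /** @return the date after which the token is treated as expired unless renewed */
        public long getRenewDate() {
            return this.renewDate;
        }

        /**
         * Package-private on purpose: the password is secret material.
         *
         * @return the internal password array (not a copy)
         */
        byte[] getPassword() {
            return this.password;
        }

        /** @return the tracking id, or {@code null} if none was stored */
        public String getTrackingId() {
            return this.trackingId;
        }
    }

    /**
     * Background worker that rolls the master key and purges expired tokens while
     * {@code running} is true.
     */
    /* loaded from: input_file:org/apache/hadoop/security/token/delegation/AbstractDelegationTokenSecretManager$ExpiredTokenRemover.class */
    private class ExpiredTokenRemover extends Thread {
        // Both timestamps start at 0, so the first pass normally performs both actions.
        private long lastMasterKeyUpdate;
        private long lastTokenCacheCleanup;

        private ExpiredTokenRemover() {
        }

        /**
         * Each pass: roll the master key if {@code keyUpdateInterval} has elapsed, purge
         * expired tokens if {@code tokenRemoverScanInterval} has elapsed, then sleep for
         * at most five seconds. An unexpected {@code Throwable} terminates the JVM.
         */
        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            AbstractDelegationTokenSecretManager.LOG.info("Starting expired delegation token remover thread, tokenRemoverScanInterval=" + (AbstractDelegationTokenSecretManager.this.tokenRemoverScanInterval / 60000) + " min(s)");
            while (AbstractDelegationTokenSecretManager.this.running) {
                try {
                    long now = Time.now();
                    if (this.lastMasterKeyUpdate + AbstractDelegationTokenSecretManager.this.keyUpdateInterval < now) {
                        try {
                            AbstractDelegationTokenSecretManager.this.rollMasterKey();
                            this.lastMasterKeyUpdate = now;
                        } catch (IOException e) {
                            // A failed roll is retried on the next pass because lastMasterKeyUpdate is unchanged.
                            AbstractDelegationTokenSecretManager.LOG.error("Master key updating failed: ", e);
                        }
                    }
                    if (this.lastTokenCacheCleanup + AbstractDelegationTokenSecretManager.this.tokenRemoverScanInterval < now) {
                        AbstractDelegationTokenSecretManager.this.removeExpiredToken();
                        this.lastTokenCacheCleanup = now;
                    }
                    try {
                        Thread.sleep(Math.min(5000L, AbstractDelegationTokenSecretManager.this.keyUpdateInterval));
                    } catch (InterruptedException e2) {
                        // stopThreads() clears `running` before interrupting, so the loop condition ends the thread.
                        AbstractDelegationTokenSecretManager.LOG.error("InterruptedExcpetion recieved for ExpiredTokenRemover thread " + e2);
                    }
                } catch (Throwable th) {
                    // Fail-stop: a manager that can no longer expire keys or tokens takes the process down.
                    AbstractDelegationTokenSecretManager.LOG.error("ExpiredTokenRemover thread received unexpected exception. " + th);
                    Runtime.getRuntime().exit(-1);
                    return;
                }
            }
        }
    }

    /**
     * @param j  master key update interval
     * @param j2 maximum lifetime of a token
     * @param j3 token renew interval
     * @param j4 interval between scans for expired tokens
     */
    public AbstractDelegationTokenSecretManager(long j, long j2, long j3, long j4) {
        this.keyUpdateInterval = j;
        this.tokenMaxLifetime = j2;
        this.tokenRenewInterval = j3;
        this.tokenRemoverScanInterval = j4;
    }

    /**
     * Generates a fresh master key and starts the expired-token remover as a daemon thread.
     *
     * @throws IOException           if the new master key cannot be logged or stored
     * @throws IllegalStateException presumably, via {@code Preconditions.checkState}, if already running
     */
    public void startThreads() throws IOException {
        Preconditions.checkState(!this.running);
        updateCurrentKey();
        synchronized (this) {
            this.running = true;
            this.tokenRemoverThread = new Daemon(new ExpiredTokenRemover());
            this.tokenRemoverThread.start();
        }
    }

    /** Drops all keys and tokens held in memory and resets both counters to 0. */
    public synchronized void reset() {
        this.currentId = 0;
        this.allKeys.clear();
        this.delegationTokenSequenceNumber = 0;
        this.currentTokens.clear();
    }

    /**
     * Adds a previously persisted master key. Only allowed while the manager is stopped.
     *
     * @param delegationKey key to add; raises {@code currentId} if its id is larger
     * @throws IOException if the manager is running
     */
    public synchronized void addKey(DelegationKey delegationKey) throws IOException {
        if (this.running) {
            throw new IOException("Can't add delegation key to a running SecretManager.");
        }
        if (delegationKey.getKeyId() > this.currentId) {
            this.currentId = delegationKey.getKeyId();
        }
        this.allKeys.put(Integer.valueOf(delegationKey.getKeyId()), delegationKey);
    }

    /**
     * @return a snapshot array of every master key currently held. The elements are the
     *         live key objects, so callers receive secret key material.
     */
    public synchronized DelegationKey[] getAllKeys() {
        return (DelegationKey[]) this.allKeys.values().toArray(new DelegationKey[0]);
    }

    /** Persistence hook, no-op here: called with a newly generated master key. */
    protected void logUpdateMasterKey(DelegationKey delegationKey) throws IOException {
    }

    /** Persistence hook, no-op here: called for each token removed because it expired. */
    protected void logExpireToken(TokenIdent tokenident) throws IOException {
    }

    /** Persistence hook, no-op here: called with a newly generated master key. */
    protected void storeNewMasterKey(DelegationKey delegationKey) throws IOException {
    }

    /** Persistence hook, no-op here: called when an expired master key is dropped. */
    protected void removeStoredMasterKey(DelegationKey delegationKey) {
    }

    /** Persistence hook, no-op here: called with a newly issued token and its renew date. */
    protected void storeNewToken(TokenIdent tokenident, long j) {
    }

    /** Persistence hook, no-op here: called when a token is cancelled or has expired. */
    protected void removeStoredToken(TokenIdent tokenident) throws IOException {
    }

    /** Persistence hook, no-op here: called with a renewed token and its new renew date. */
    protected void updateStoredToken(TokenIdent tokenident, long j) {
    }

    /**
     * Re-registers a persisted token while the manager is stopped. The password is
     * recomputed from the identifier and its master key rather than read from storage.
     *
     * @param tokenident persisted identifier
     * @param j          renew date to record
     * @throws IOException if the manager is running or the token is already registered
     */
    public synchronized void addPersistedDelegationToken(TokenIdent tokenident, long j) throws IOException {
        if (this.running) {
            throw new IOException("Can't add persisted delegation token to a running SecretManager.");
        }
        DelegationKey delegationKey = this.allKeys.get(Integer.valueOf(tokenident.getMasterKeyId()));
        if (delegationKey == null) {
            // Without the master key the password cannot be rebuilt, so the token is skipped.
            LOG.warn("No KEY found for persisted identifier " + tokenident.toString());
            return;
        }
        byte[] createPassword = createPassword(tokenident.getBytes(), delegationKey.getKey());
        if (tokenident.getSequenceNumber() > this.delegationTokenSequenceNumber) {
            this.delegationTokenSequenceNumber = tokenident.getSequenceNumber();
        }
        if (this.currentTokens.get(tokenident) != null) {
            throw new IOException("Same delegation token being added twice.");
        }
        this.currentTokens.put(tokenident, new DelegationTokenInformation(j, createPassword, getTrackingIdIfEnabled(tokenident)));
    }

    /**
     * Generates a new master key with id {@code currentId + 1}, hands it to the persistence
     * hooks, then makes it the current key.
     *
     * @throws IOException if a persistence hook fails; the in-memory state is then unchanged
     */
    private void updateCurrentKey() throws IOException {
        int i;
        LOG.info("Updating the current master key for generating delegation tokens");
        synchronized (this) {
            i = this.currentId + 1;
        }
        // NOTE(review): this reads System.currentTimeMillis() while the rest of the class uses
        // Time.now(); confirm both are the same clock.
        DelegationKey delegationKey = new DelegationKey(i, System.currentTimeMillis() + this.keyUpdateInterval + this.tokenMaxLifetime, generateSecret());
        // Hooks run outside the monitor; the key becomes visible only after they succeed.
        logUpdateMasterKey(delegationKey);
        storeNewMasterKey(delegationKey);
        synchronized (this) {
            this.currentId = delegationKey.getKeyId();
            this.currentKey = delegationKey;
            this.allKeys.put(Integer.valueOf(this.currentKey.getKeyId()), this.currentKey);
        }
    }

    /**
     * Drops expired keys, shortens the outgoing key's expiry to {@code now + tokenMaxLifetime}
     * (long enough for tokens already issued under it), then installs a new current key.
     *
     * @throws IOException if the new key cannot be logged or stored
     */
    void rollMasterKey() throws IOException {
        synchronized (this) {
            removeExpiredKeys();
            this.currentKey.setExpiryDate(Time.now() + this.tokenMaxLifetime);
            this.allKeys.put(Integer.valueOf(this.currentKey.getKeyId()), this.currentKey);
        }
        updateCurrentKey();
    }

    /** Removes every master key whose expiry date has passed from {@code allKeys}. */
    private synchronized void removeExpiredKeys() {
        long now = Time.now();
        Iterator<Map.Entry<Integer, DelegationKey>> it = this.allKeys.entrySet().iterator();
        while (it.hasNext()) {
            Map.Entry<Integer, DelegationKey> next = it.next();
            if (next.getValue().getExpiryDate() < now) {
                it.remove();
                // The stored copy of the current key is left alone even when it is dropped from memory.
                if (!next.getValue().equals(this.currentKey)) {
                    removeStoredMasterKey(next.getValue());
                }
            }
        }
    }

    /**
     * Issues a token: stamps the identifier with issue date, max date, current master key id
     * and the next sequence number, then derives and registers its password.
     *
     * @param tokenident identifier to stamp; it is mutated
     * @return the password for the new token
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.security.token.SecretManager
    public synchronized byte[] createPassword(TokenIdent tokenident) {
        long now = Time.now();
        int i = this.delegationTokenSequenceNumber + 1;
        this.delegationTokenSequenceNumber = i;
        tokenident.setIssueDate(now);
        tokenident.setMaxDate(now + this.tokenMaxLifetime);
        tokenident.setMasterKeyId(this.currentId);
        tokenident.setSequenceNumber(i);
        // Only the identifier is logged; the password must never appear in logs.
        LOG.info("Creating password for identifier: " + tokenident);
        byte[] createPassword = createPassword(tokenident.getBytes(), this.currentKey.getKey());
        storeNewToken(tokenident, now + this.tokenRenewInterval);
        this.currentTokens.put(tokenident, new DelegationTokenInformation(now + this.tokenRenewInterval, createPassword, getTrackingIdIfEnabled(tokenident)));
        return createPassword;
    }

    /**
     * Looks up the password of a registered, unexpired token.
     *
     * @param tokenident identifier to look up
     * @return the stored password array (not a copy)
     * @throws SecretManager.InvalidToken if the token is unknown or its renew date has passed
     */
    @Override // org.apache.hadoop.security.token.SecretManager
    public synchronized byte[] retrievePassword(TokenIdent tokenident) throws SecretManager.InvalidToken {
        DelegationTokenInformation delegationTokenInformation = this.currentTokens.get(tokenident);
        if (delegationTokenInformation == null) {
            throw new SecretManager.InvalidToken("token (" + tokenident.toString() + ") can't be found in cache");
        }
        if (delegationTokenInformation.getRenewDate() < Time.now()) {
            throw new SecretManager.InvalidToken("token (" + tokenident.toString() + ") is expired");
        }
        return delegationTokenInformation.getPassword();
    }

    /**
     * @param tokenident identifier to read the tracking id from
     * @return the identifier's tracking id when {@code storeTokenTrackingId} is set, else {@code null}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getTrackingIdIfEnabled(TokenIdent tokenident) {
        if (this.storeTokenTrackingId) {
            return tokenident.getTrackingId();
        }
        return null;
    }

    /**
     * @param tokenident identifier of a registered token
     * @return the tracking id recorded for it, or {@code null} if the token is unknown
     */
    public synchronized String getTokenTrackingId(TokenIdent tokenident) {
        DelegationTokenInformation delegationTokenInformation = this.currentTokens.get(tokenident);
        if (delegationTokenInformation == null) {
            return null;
        }
        return delegationTokenInformation.getTrackingId();
    }

    /**
     * Checks that {@code bArr} is the password registered for {@code tokenident}.
     *
     * @param tokenident identifier presented by the client
     * @param bArr       password presented by the client
     * @throws SecretManager.InvalidToken if the token is unknown, expired, or the password differs
     */
    public synchronized void verifyToken(TokenIdent tokenident, byte[] bArr) throws SecretManager.InvalidToken {
        byte[] expected = retrievePassword(tokenident);
        // Fail closed on a missing password, and compare in constant time: Arrays.equals returns at
        // the first differing byte, which leaks how much of a guessed password is correct.
        if (bArr == null || expected == null || !MessageDigest.isEqual(expected, bArr)) {
            throw new SecretManager.InvalidToken("token (" + tokenident + ") is invalid, password doesn't match");
        }
    }

    /**
     * Renews a token on behalf of {@code str}.
     *
     * <p>Checks, in order: the token's max date has not passed, the identifier names a
     * non-empty renewer equal to {@code str}, its master key is still held, the presented
     * password matches the one recomputed from the identifier and that key, and the token is
     * still registered. {@code str} is trusted as the authenticated caller name.
     *
     * @param token token to renew (identifier bytes plus password)
     * @param str   name of the caller requesting renewal
     * @return the new renew date, capped at the token's max date
     * @throws SecretManager.InvalidToken if the token is past its max date, its master key is
     *                                    gone, or it is not registered
     * @throws IOException                if the identifier cannot be read; the code also throws
     *                                    {@code AccessControlException} for a renewer or password mismatch
     */
    /* JADX WARN: Multi-variable type inference failed */
    public synchronized long renewToken(Token<TokenIdent> token, String str) throws SecretManager.InvalidToken, IOException {
        long now = Time.now();
        DataInputStream dataInputStream = new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
        // Typed as TokenIdent so the currentTokens lookups and the persistence hook type-check.
        TokenIdent id = (TokenIdent) createIdentifier();
        id.readFields(dataInputStream);
        LOG.info("Token renewal requested for identifier: " + id);
        if (id.getMaxDate() < now) {
            throw new SecretManager.InvalidToken("User " + str + " tried to renew an expired token");
        }
        if (id.getRenewer() == null || id.getRenewer().toString().isEmpty()) {
            throw new AccessControlException("User " + str + " tried to renew a token without a renewer");
        }
        if (!id.getRenewer().toString().equals(str)) {
            throw new AccessControlException("Client " + str + " tries to renew a token with renewer specified as " + id.getRenewer());
        }
        DelegationKey delegationKey = this.allKeys.get(Integer.valueOf(id.getMasterKeyId()));
        if (delegationKey == null) {
            throw new SecretManager.InvalidToken("Unable to find master key for keyId=" + id.getMasterKeyId() + " from cache. Failed to renew an unexpired token with sequenceNumber=" + id.getSequenceNumber());
        }
        // Recompute the password from the presented identifier bytes. Only a password generated
        // under this master key for exactly these bytes passes the comparison below.
        byte[] createPassword = createPassword(token.getIdentifier(), delegationKey.getKey());
        byte[] presented = token.getPassword();
        // Constant-time comparison of secret material; a missing password is rejected.
        if (presented == null || !MessageDigest.isEqual(createPassword, presented)) {
            throw new AccessControlException("Client " + str + " is trying to renew a token with wrong password");
        }
        long min = Math.min(id.getMaxDate(), now + this.tokenRenewInterval);
        DelegationTokenInformation delegationTokenInformation = new DelegationTokenInformation(min, createPassword, getTrackingIdIfEnabled(id));
        // A cancelled or purged token must not be resurrected by a renewal.
        if (this.currentTokens.get(id) == null) {
            throw new SecretManager.InvalidToken("Renewal request for unknown token");
        }
        this.currentTokens.put(id, delegationTokenInformation);
        updateStoredToken(id, min);
        return min;
    }

    /**
     * Cancels a token on behalf of {@code str}, who must be the token owner or its renewer.
     *
     * <p>NOTE(review): unlike {@link #renewToken}, the token password is not checked here.
     * Authorization rests only on {@code str} and the presented identifier bytes, so
     * {@code str} must come from an authenticated caller context.
     *
     * @param token token to cancel
     * @param str   name of the caller requesting cancellation
     * @return the identifier of the cancelled token
     * @throws IOException if the identifier cannot be read or the stored token cannot be removed;
     *                     the code also throws {@code InvalidToken} (no owner, not registered)
     *                     and {@code AccessControlException} (caller is neither owner nor renewer)
     */
    public synchronized TokenIdent cancelToken(Token<TokenIdent> token, String str) throws IOException {
        DataInputStream dataInputStream = new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
        TokenIdent tokenident = (TokenIdent) createIdentifier();
        tokenident.readFields(dataInputStream);
        LOG.info("Token cancelation requested for identifier: " + tokenident);
        if (tokenident.getUser() == null) {
            throw new SecretManager.InvalidToken("Token with no owner");
        }
        String userName = tokenident.getUser().getUserName();
        Text renewer = tokenident.getRenewer();
        // The owner is matched on the full caller name, the renewer on the Kerberos short name.
        String shortName = new HadoopKerberosName(str).getShortName();
        if (!str.equals(userName) && (renewer == null || renewer.toString().isEmpty() || !shortName.equals(renewer.toString()))) {
            throw new AccessControlException(str + " is not authorized to cancel the token");
        }
        if (this.currentTokens.remove(tokenident) == null) {
            throw new SecretManager.InvalidToken("Token not found");
        }
        removeStoredToken(tokenident);
        return tokenident;
    }

    /**
     * Delegates to {@code SecretManager.createSecretKey}.
     *
     * @param bArr raw key bytes
     * @return the secret key built from {@code bArr}
     */
    public static SecretKey createSecretKey(byte[] bArr) {
        return SecretManager.createSecretKey(bArr);
    }

    /**
     * Removes every token whose renew date has passed, then reports each one to the
     * persistence hooks outside the monitor.
     *
     * @throws IOException if a persistence hook fails
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Multi-variable type inference failed */
    public void removeExpiredToken() throws IOException {
        long now = Time.now();
        HashSet<TokenIdent> expired = new HashSet<TokenIdent>();
        synchronized (this) {
            Iterator<Map.Entry<TokenIdent, DelegationTokenInformation>> it = this.currentTokens.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry<TokenIdent, DelegationTokenInformation> next = it.next();
                if (next.getValue().getRenewDate() < now) {
                    expired.add(next.getKey());
                    it.remove();
                }
            }
        }
        // Hooks may do I/O, so they run after the monitor is released.
        for (TokenIdent ident : expired) {
            logExpireToken(ident);
            removeStoredToken(ident);
        }
    }

    /**
     * Signals the remover thread to stop, interrupts it and waits for it to finish.
     *
     * @throws RuntimeException if the calling thread is interrupted while waiting; the
     *                          interrupt status is restored before the exception is thrown
     */
    public void stopThreads() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Stopping expired delegation token remover thread");
        }
        // Clear the flag first so the interrupted remover sees it and leaves its loop.
        this.running = false;
        if (this.tokenRemoverThread != null) {
            synchronized (this.noInterruptsLock) {
                this.tokenRemoverThread.interrupt();
            }
            try {
                this.tokenRemoverThread.join();
            } catch (InterruptedException e) {
                // Restore the interrupt status so callers further up can still observe it.
                Thread.currentThread().interrupt();
                throw new RuntimeException("Unable to join on token removal thread", e);
            }
        }
    }

    /** @return whether the manager has been started and not yet stopped */
    public synchronized boolean isRunning() {
        return this.running;
    }
}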
