package org.apache.hadoop.security.authentication.util;

import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Random;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.servlet.ServletContext;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.framework.api.BackgroundPathAndBytesable;
import org.apache.curator.framework.api.WatchPathable;
import org.apache.curator.framework.imps.DefaultACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

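/**
 * A rollover {@code SignerSecretProvider} that keeps every server of a cluster in
 * agreement by storing the "next", current and previous signing secrets (plus the
 * shared next-rollover time) in a single ZooKeeper znode.
 *
 * <p>On {@link #init} the provider either seeds the znode with fresh random secrets
 * or, if another server already created it, pulls that server's secrets. On every
 * rollover it optimistically writes a new "next" secret using the znode version it
 * last read; if another server wrote first the write fails with
 * {@code BadVersionException} and the provider simply re-reads the znode, so all
 * servers converge on the same secret.
 *
 * <p>Secrets are drawn from {@link SecureRandom} unless the seeded, test-only
 * constructor is used. Mutating methods are {@code synchronized}; {@code nextSecret}
 * is {@code volatile} so {@link #generateNewSecret()} can read it without the lock.
 */
@InterfaceAudience.Private
@InterfaceStability.Unstable
public class ZKSignerSecretProvider extends RolloverSignerSecretProvider {
    private static final String CONFIG_PREFIX = "signer.secret.provider.zookeeper.";
    /** ZooKeeper connection string; defaults to {@code localhost:2181}. */
    public static final String ZOOKEEPER_CONNECTION_STRING = CONFIG_PREFIX + "connection.string";
    /** Path of the secret znode. Mandatory. */
    public static final String ZOOKEEPER_PATH = CONFIG_PREFIX + "path";
    /** {@code sasl} enables Kerberos authentication and owner-only ACLs; anything else means unauthenticated. */
    public static final String ZOOKEEPER_AUTH_TYPE = CONFIG_PREFIX + "auth.type";
    /** Keytab used for the SASL login. Mandatory when auth type is {@code sasl}. */
    public static final String ZOOKEEPER_KERBEROS_KEYTAB = CONFIG_PREFIX + "kerberos.keytab";
    /** Principal used for the SASL login. Mandatory when auth type is {@code sasl}. */
    public static final String ZOOKEEPER_KERBEROS_PRINCIPAL = CONFIG_PREFIX + "kerberos.principal";
    /** Whether {@link #destroy()} closes the Curator client; defaults to {@code true}. */
    public static final String DISCONNECT_FROM_ZOOKEEPER_ON_SHUTDOWN = CONFIG_PREFIX + "disconnect.on.shutdown";
    /** Servlet-context attribute under which one Curator client is shared per web application. */
    public static final String ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE = CONFIG_PREFIX + "curator.client";
    private static final String JAAS_LOGIN_ENTRY_NAME = "ZKSignerSecretProviderClient";

    private static final Logger LOG = LoggerFactory.getLogger(ZKSignerSecretProvider.class);
    private static final int INT_BYTES = 4;
    private static final int LONG_BYTES = 8;
    /** Layout version written at the start of the znode payload; newer versions are refused on read. */
    private static final int DATA_VERSION = 0;
    /** Length of every generated secret. */
    private static final int SECRET_LENGTH_BYTES = 32;
    /** Equivalent to ZooKeeper's {@code ZooDefs.Perms.ALL} (READ|WRITE|CREATE|DELETE|ADMIN). */
    private static final int ZK_PERMS_ALL = 31;

    private String path;
    private volatile byte[] nextSecret;
    private final Random rand;
    private int zkVersion;
    private long nextRolloverDate;
    private long tokenValidity;
    private CuratorFramework client;
    private boolean shouldDisconnect;

    /**
     * A JAAS {@link Configuration} that serves one keytab-based Kerberos login entry
     * under a fixed name and delegates every other entry name to the configuration
     * that was installed before it.
     */
    @InterfaceAudience.Private
    public static class JaasConfiguration extends Configuration {
        private final Configuration baseConfig = Configuration.getConfiguration();
        // Per instance (the listing had this static, so a second instance silently
        // replaced the first one's entry).
        private final AppConfigurationEntry[] entry;
        private final String entryName;

        /**
         * @param entryName name under which the Kerberos entry is served
         * @param principal Kerberos principal to log in as
         * @param keytab    path of the keytab holding that principal's key
         */
        public JaasConfiguration(String entryName, String principal, String keytab) {
            this.entryName = entryName;
            Map<String, String> options = new HashMap<>();
            options.put("keyTab", keytab);
            options.put("principal", principal);
            options.put("useKeyTab", "true");
            options.put("storeKey", "true");
            options.put("useTicketCache", "false");
            options.put("refreshKrb5Config", "true");
            // Login-module tracing is opt-in through the environment.
            if ("true".equalsIgnoreCase(System.getenv("HADOOP_JAAS_DEBUG"))) {
                options.put("debug", "true");
            }
            this.entry = new AppConfigurationEntry[] {
                new AppConfigurationEntry(getKrb5LoginModuleName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
            };
        }

        /**
         * Returns the Kerberos entry for {@code name} when it matches this
         * configuration's entry name; otherwise falls through to the base
         * configuration, or {@code null} when there is none.
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (this.entryName.equals(name)) {
                return this.entry;
            }
            return this.baseConfig != null ? this.baseConfig.getAppConfigurationEntry(name) : null;
        }

        /** IBM JDKs ship the Kerberos login module under a different class name. */
        private static String getKrb5LoginModuleName() {
            return System.getProperty("java.vendor", "").contains("IBM")
                ? "com.ibm.security.auth.module.Krb5LoginModule"
                : "com.sun.security.auth.module.Krb5LoginModule";
        }
    }

    /**
     * Grants full permissions on every znode this provider creates to exactly one
     * SASL identity (the login principal's primary component) and nothing to anyone
     * else. The decompiler note indicates the original source declared this class
     * {@code private}; its constructor is private either way.
     */
    public static class SASLOwnerACLProvider implements ACLProvider {
        private final List<ACL> saslACL;

        private SASLOwnerACLProvider(String principalName) {
            this.saslACL = Collections.singletonList(
                new ACL(ZK_PERMS_ALL, new Id("sasl", principalName)));
        }

        @Override
        public List<ACL> getDefaultAcl() {
            return this.saslACL;
        }

        @Override
        public List<ACL> getAclForPath(String path) {
            return this.saslACL;
        }
    }

    /** Production constructor: secrets come from {@link SecureRandom}. */
    public ZKSignerSecretProvider() {
        this.rand = new SecureRandom();
    }

    /**
     * Test-only constructor: a seeded, non-cryptographic {@link Random} makes the
     * generated secrets reproducible. Not for production use.
     *
     * @param seed seed for the pseudo-random source
     */
    @VisibleForTesting
    public ZKSignerSecretProvider(long seed) {
        this.rand = new Random(seed);
    }

    /**
     * Connects to ZooKeeper (reusing a client another provider left in the servlet
     * context, if any), creates or joins the secret znode, loads the secrets and
     * schedules rollovers aligned to the cluster-wide rollover time.
     *
     * @param properties     provider configuration; {@link #ZOOKEEPER_PATH} is mandatory
     * @param servletContext context used to share one Curator client per web application
     * @param tokenValidity  rollover period in milliseconds; must be positive
     * @throws IllegalArgumentException if the znode path is missing or the period is not positive
     * @throws Exception on ZooKeeper failures other than the znode already existing
     */
    @Override
    public void init(Properties properties, ServletContext servletContext, long tokenValidity) throws Exception {
        // A non-positive period would make the catch-up loop below never terminate.
        if (tokenValidity < 1L) {
            throw new IllegalArgumentException("tokenValidity must be positive, got " + tokenValidity);
        }
        Object shared = servletContext.getAttribute(ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE);
        if (shared instanceof CuratorFramework) {
            this.client = (CuratorFramework) shared;
        } else {
            this.client = createCuratorClient(properties);
            servletContext.setAttribute(ZOOKEEPER_SIGNER_SECRET_PROVIDER_CURATOR_CLIENT_ATTRIBUTE, this.client);
        }
        this.tokenValidity = tokenValidity;
        this.shouldDisconnect = Boolean.parseBoolean(
            properties.getProperty(DISCONNECT_FROM_ZOOKEEPER_ON_SHUTDOWN, "true"));
        this.path = properties.getProperty(ZOOKEEPER_PATH);
        if (this.path == null) {
            throw new IllegalArgumentException(ZOOKEEPER_PATH + " must be specified");
        }
        try {
            // The first server up seeds the znode; anyone losing that race lands in
            // the NodeExists branch and adopts the winner's secrets below.
            this.nextRolloverDate = System.currentTimeMillis() + tokenValidity;
            this.client.create().creatingParentsIfNeeded().forPath(this.path,
                generateZKData(generateRandomSecret(), generateRandomSecret(), null));
            this.zkVersion = 0;
            LOG.info("Creating secret znode");
        } catch (KeeperException.NodeExistsException e) {
            LOG.info("The secret znode already exists, retrieving data");
        }
        pullFromZK(true);
        super.startScheduler(computeInitialDelay(tokenValidity), tokenValidity);
    }

    /**
     * Delay until the next rollover boundary, derived from the shared
     * {@code nextRolloverDate}. If that date is already in the past (this server
     * joined late), steps forward whole periods until the boundary is in the future.
     */
    private long computeInitialDelay(long period) {
        long delay = this.nextRolloverDate - System.currentTimeMillis();
        // NOTE(review): nextRolloverDate itself is not advanced here, so a late
        // joiner's subsequent rollSecret() increments keep trailing wall-clock time.
        // Preserved as-is; changing it alters the date other servers read from ZK.
        for (int skipped = 1; delay < 1L; skipped++) {
            delay = this.nextRolloverDate + period * skipped - System.currentTimeMillis();
        }
        return delay;
    }

    /**
     * Closes the Curator client when configured to do so, then stops the scheduler.
     * Note that a client picked up from the servlet context is closed too, which
     * affects any other provider sharing it.
     */
    @Override
    public void destroy() {
        if (this.shouldDisconnect && this.client != null) {
            this.client.close();
        }
        super.destroy();
    }

    /**
     * Rolls locally, publishes a freshly generated "next" secret together with the
     * two secrets {@code getAllSecrets()} now reports, and re-reads the znode so
     * every server ends up with the same "next" secret regardless of who won the
     * write. The decompiler note indicates the original source declared this
     * {@code protected}.
     */
    @Override
    public synchronized void rollSecret() {
        super.rollSecret();
        this.nextRolloverDate += this.tokenValidity;
        byte[][] secrets = super.getAllSecrets();
        pushToZK(generateRandomSecret(), secrets[0], secrets[1]);
        pullFromZK(false);
    }

    /** The secret adopted at rollover is whatever the znode said is next, never a local draw. */
    @Override
    protected byte[] generateNewSecret() {
        return this.nextSecret;
    }

    /**
     * Writes the three secrets and the rollover date to the znode, but only if the
     * znode still carries the version this server last read. Losing that race is
     * normal (another server rolled first) and logged at debug; any other failure is
     * logged as an error and otherwise ignored, since the caller re-reads the znode
     * either way.
     */
    private synchronized void pushToZK(byte[] newNextSecret, byte[] currentSecret, byte[] previousSecret) {
        try {
            this.client.setData().withVersion(this.zkVersion)
                .forPath(this.path, generateZKData(newNextSecret, currentSecret, previousSecret));
        } catch (KeeperException.BadVersionException e) {
            // The specific catch must come first; a generic Exception catch ahead of
            // it makes this clause unreachable and is a compile error.
            LOG.debug("Unable to push to znode; another server already did it");
        } catch (Exception e) {
            LOG.error("An unexpected exception occurred pushing data to ZooKeeper", e);
        }
    }

    /**
     * Serialises the znode payload as big-endian
     * {@code version:int, len:int, next, len:int, current, len:int, [previous], nextRolloverDate:long}.
     * {@code previous} may be {@code null} (very first write) and is then encoded as length 0.
     */
    private synchronized byte[] generateZKData(byte[] next, byte[] current, byte[] previous) {
        int prevLen = previous == null ? 0 : previous.length;
        ByteBuffer buf = ByteBuffer.allocate(
            INT_BYTES                       // DATA_VERSION
            + INT_BYTES + next.length
            + INT_BYTES + current.length
            + INT_BYTES + prevLen
            + LONG_BYTES);                  // nextRolloverDate
        buf.putInt(DATA_VERSION);
        buf.putInt(next.length);
        buf.put(next);
        buf.putInt(current.length);
        buf.put(current);
        buf.putInt(prevLen);
        if (prevLen > 0) {
            buf.put(previous);
        }
        buf.putLong(this.nextRolloverDate);
        return buf.array();
    }

    /**
     * Reads the znode and records its version and the "next" secret. When
     * {@code isInit} is set (first load) it also installs the current/previous
     * secrets and adopts the shared rollover date. Failures are logged rather than
     * thrown; a read that fails during init leaves the provider without secrets.
     */
    private synchronized void pullFromZK(boolean isInit) {
        try {
            Stat stat = new Stat();
            byte[] raw = this.client.getData().storingStatIn(stat).forPath(this.path);
            ByteBuffer buf = ByteBuffer.wrap(raw);
            if (buf.getInt() > DATA_VERSION) {
                throw new IllegalStateException("Cannot load data from ZooKeeper; it was written with a newer version");
            }
            this.nextSecret = readLengthPrefixed(buf);
            this.zkVersion = stat.getVersion();
            if (isInit) {
                byte[] current = readLengthPrefixed(buf);
                byte[] previous = readLengthPrefixed(buf);
                // Length 0 means "no previous secret yet" (see generateZKData).
                super.initSecrets(current, previous.length > 0 ? previous : null);
                this.nextRolloverDate = buf.getLong();
            }
        } catch (Exception e) {
            LOG.error("An unexpected exception occurred while pulling data from ZooKeeper", e);
        }
    }

    /**
     * Reads an {@code int} length followed by that many bytes. A length that is
     * negative or exceeds what is left in the buffer means a corrupt or foreign
     * payload and is rejected with a clear message instead of surfacing as an
     * allocation or buffer-underflow error.
     */
    private static byte[] readLengthPrefixed(ByteBuffer buf) {
        int len = buf.getInt();
        if (len < 0 || len > buf.remaining()) {
            throw new IllegalStateException("Corrupt secret data in ZooKeeper: field length " + len
                + " with " + buf.remaining() + " bytes remaining");
        }
        byte[] out = new byte[len];
        buf.get(out);
        return out;
    }

    /** Draws {@value #SECRET_LENGTH_BYTES} bytes from this provider's random source. */
    @VisibleForTesting
    protected byte[] generateRandomSecret() {
        byte[] secret = new byte[SECRET_LENGTH_BYTES];
        this.rand.nextBytes(secret);
        return secret;
    }

    /**
     * Builds and starts a Curator client per the configuration. With
     * {@code auth.type=sasl} the JAAS login is installed first and every znode gets
     * an ACL restricted to the login principal; otherwise Curator's default ACL
     * provider is used and the znode is not protected by authentication.
     *
     * @throws Exception if the SASL configuration is invalid or the client cannot be built
     */
    protected CuratorFramework createCuratorClient(Properties properties) throws Exception {
        String connectionString = properties.getProperty(ZOOKEEPER_CONNECTION_STRING, "localhost:2181");
        ExponentialBackoffRetry retryPolicy = new ExponentialBackoffRetry(1000, 3);
        // Declared as the interface: the listing typed this as SASLOwnerACLProvider,
        // which cannot hold the DefaultACLProvider assigned in the else branch.
        ACLProvider aclProvider;
        if ("sasl".equals(properties.getProperty(ZOOKEEPER_AUTH_TYPE, "none"))) {
            LOG.info("Connecting to ZooKeeper with SASL/Kerberos and using 'sasl' ACLs");
            String principalName = setJaasConfiguration(properties);
            System.setProperty("zookeeper.sasl.clientconfig", JAAS_LOGIN_ENTRY_NAME);
            System.setProperty("zookeeper.authProvider.1", "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
            aclProvider = new SASLOwnerACLProvider(principalName);
        } else {
            LOG.info("Connecting to ZooKeeper without authentication");
            aclProvider = new DefaultACLProvider();
        }
        CuratorFramework curator = CuratorFrameworkFactory.builder()
            .connectString(connectionString)
            .retryPolicy(retryPolicy)
            .aclProvider(aclProvider)
            .build();
        curator.start();
        return curator;
    }

    /**
     * Installs a process-wide JAAS configuration for the keytab login and returns
     * the principal's primary component (the part before {@code /} or {@code @}),
     * which is the identity the SASL ACLs are keyed on.
     *
     * @throws IllegalArgumentException if the keytab or principal property is missing or blank
     */
    private String setJaasConfiguration(Properties properties) throws Exception {
        String keytab = requireNonBlank(properties, ZOOKEEPER_KERBEROS_KEYTAB);
        String principal = requireNonBlank(properties, ZOOKEEPER_KERBEROS_PRINCIPAL);
        Configuration.setConfiguration(new JaasConfiguration(JAAS_LOGIN_ENTRY_NAME, principal, keytab));
        return principal.split("[/@]")[0];
    }

    /**
     * Returns the trimmed value of {@code key}, or throws if it is absent or blank.
     * The null check runs before {@code trim()}; the listing trimmed first, so an
     * unset property surfaced as a NullPointerException instead of this message.
     */
    private static String requireNonBlank(Properties properties, String key) {
        String value = properties.getProperty(key);
        if (value == null || value.trim().isEmpty()) {
            throw new IllegalArgumentException(key + " must be specified");
        }
        return value.trim();
    }
}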
