package org.apache.ranger.authentication;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.ranger.credentialapi.CredentialReader;
import org.apache.ranger.plugin.util.XMLUtils;
import org.apache.ranger.unixusersync.config.UserGroupSyncConfig;
import org.apache.ranger.unixusersync.ha.UserSyncHAInitializerImpl;
import org.apache.ranger.usergroupsync.UserGroupSync;
import org.apache.ranger.usergroupsync.UserSyncMetricsProducer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authentication/UnixAuthenticationService.class */
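/**
 * Entry point of the Ranger user-sync process.
 *
 * <p>It always starts the {@link UserGroupSync} worker thread (and, when enabled in
 * configuration, the {@link UserSyncMetricsProducer} thread). When launched with
 * {@code -enableUnixAuth} it additionally reads the ugsync configuration, optionally
 * loads a key store / trust store, and opens a listening socket; every accepted
 * connection is handed to a new {@link PasswordValidator} thread.
 *
 * <p>The listener is TLS-protected only when {@code ranger.usersync.ssl} is {@code true};
 * otherwise a plain {@link ServerSocket} is opened on the configured port.
 *
 * <p>Not thread-safe: the instance is driven by the main thread only.
 */
public class UnixAuthenticationService {
    private static final String serviceName = "UnixAuthenticationService";
    private static final String SSL_ALGORITHM = "TLSv1.2";
    private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM = "ranger.usersync.port";
    private static final String SSL_KEYSTORE_PATH_PARAM = "ranger.usersync.keystore.file";
    private static final String SSL_TRUSTSTORE_PATH_PARAM = "ranger.usersync.truststore.file";
    private static final String SSL_KEYSTORE_FILE_TYPE_PARAM = "ranger.keystore.file.type";
    private static final String SSL_TRUSTSTORE_FILE_TYPE_PARAM = "ranger.truststore.file.type";
    private static final String SSL_KEYSTORE_PATH_PASSWORD_ALIAS = "usersync.ssl.key.password";
    private static final String SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS = "usersync.ssl.truststore.password";
    private static final String CRED_VALIDATOR_PROG = "ranger.usersync.passwordvalidator.path";
    private static final String ADMIN_USER_LIST_PARAM = "admin.users";
    private static final String ADMIN_ROLE_LIST_PARAM = "admin.roleNames";
    private static final String SSL_ENABLED_PARAM = "ranger.usersync.ssl";
    private static final String CREDSTORE_FILENAME_PARAM = "ranger.usersync.credstore.filename";
    private static final String SSL_ENABLED_PROTOCOLS_PARAM = "ranger.usersync.https.ssl.enabled.protocols";
    private static final String SSL_ENABLED_CIPHER_SUITES_PARAM = "ranger.usersync.https.ssl.enabled.cipher.suites";
    /** Fixed pause between starting the sync thread and bringing up the auth listener. */
    private static final long SYNC_STARTUP_DELAY_MS = 5000L;
    /** Configuration files read by {@link #init()}, in override order. */
    private static final String[] UGSYNC_CONFIG_XML_FILES = {"ranger-ugsync-default.xml", "ranger-ugsync-site.xml"};
    private static final Logger LOG = LoggerFactory.getLogger(UnixAuthenticationService.class);
    /** Set from the command line in {@link #main(String[])}; read once in {@link #run()}. */
    private static boolean enableUnixAuth = false;

    private String keyStorePath;
    private String keyStoreType;
    // Secret material; never include in log output.
    private String keyStorePathPassword;
    private String trustStorePath;
    private String trustStoreType;
    // Secret material; never include in log output.
    private String trustStorePathPassword;
    // Upper-cased names from configuration, matched against what the JSSE socket offers.
    private List<String> enabledProtocolsList;
    private List<String> enabledCipherSuiteList;
    private String adminRoleNames;
    private int portNum;
    private final List<String> adminUserList = new ArrayList<>();
    private UserSyncHAInitializerImpl userSyncHAInitializerImpl = null;
    private boolean sslEnabled = false;

    /**
     * Process entry point.
     *
     * @param args command-line arguments; {@code -enableUnixAuth} (case-insensitive) turns
     *             on the authentication listener, all other arguments are ignored
     */
    public static void main(String[] args) {
        for (String arg : args) {
            if ("-enableUnixAuth".equalsIgnoreCase(arg)) {
                enableUnixAuth = true;
                break;
            }
        }
        UnixAuthenticationService service = new UnixAuthenticationService();
        service.userSyncHAInitializerImpl = UserSyncHAInitializerImpl.getInstance(UserGroupSyncConfig.getInstance().getUserGroupConfig());
        service.run();
    }

    /**
     * Runs the service on the calling thread until the listener stops or fails.
     *
     * <p>Any failure is logged rather than propagated; the HA leader latch (when present)
     * is stopped on every exit path.
     */
    public void run() {
        try {
            LOG.info("Starting User Sync Service!");
            startUnixUserGroupSyncProcess();
            Thread.sleep(SYNC_STARTUP_DELAY_MS);
            if (enableUnixAuth) {
                LOG.info("Enabling Unix Auth Service!");
                init();
                startService();
            } else {
                LOG.info("Unix Auth Service Disabled!");
            }
        } catch (InterruptedException ie) {
            // Preserve the interrupt for whoever owns this thread, then fall through to shutdown.
            Thread.currentThread().interrupt();
            LOG.error("ERROR: Service: UnixAuthenticationService", ie);
        } catch (Throwable th) {
            LOG.error("ERROR: Service: UnixAuthenticationService", th);
        } finally {
            LOG.info("Service: UnixAuthenticationService - STOPPED.");
            stopHAInitializer();
        }
    }

    /** Stops the curator leader latch if one was attached in {@link #main(String[])}. */
    private void stopHAInitializer() {
        if (this.userSyncHAInitializerImpl != null) {
            LOG.info("Stopping curator leader latch service as main thread is closing");
            this.userSyncHAInitializerImpl.stop();
        }
    }

    /**
     * Starts the user-group sync worker and, when metrics are enabled in configuration,
     * the metrics producer worker. Both are non-daemon threads.
     */
    private void startUnixUserGroupSyncProcess() {
        LOG.info("Start : startUnixUserGroupSyncProcess ");
        startWorkerThread((Runnable) new UserGroupSync(), "UnixUserSyncThread");
        LOG.info("UnixUserSyncThread started");
        LOG.info("creating UserSyncMetricsProducer thread with default metrics location : {}", System.getProperty("logdir"));
        if (!UserGroupSyncConfig.getInstance().isUserSyncMetricsEnabled()) {
            LOG.info(" Ranger userSync metrics is not enabled");
            return;
        }
        startWorkerThread((Runnable) new UserSyncMetricsProducer(), "UserSyncMetricsProducerThread");
        LOG.info("UserSyncMetricsProducer started");
    }

    /**
     * Starts {@code task} on a named, non-daemon thread.
     *
     * @param task the work to run
     * @param name the thread name shown in logs and thread dumps
     */
    private static void startWorkerThread(Runnable task, String name) {
        Thread worker = new Thread(task);
        worker.setName(name);
        worker.setDaemon(false);
        worker.start();
    }

    /**
     * Reads the ugsync configuration files and populates the listener settings.
     *
     * <p>Store passwords are resolved through {@link CredentialReader} from the credential
     * store named by {@code ranger.usersync.credstore.filename}.
     *
     * @throws RuntimeException if the credential store or the listener port is not configured
     *                          or the credential store is not a readable file
     * @throws Throwable        anything raised while loading the configuration files
     */
    private void init() throws Throwable {
        Properties props = new Properties();
        for (String configFile : UGSYNC_CONFIG_XML_FILES) {
            XMLUtils.loadConfig(configFile, props);
        }
        String credStoreFile = props.getProperty(CREDSTORE_FILENAME_PARAM);
        this.keyStorePath = props.getProperty(SSL_KEYSTORE_PATH_PARAM);
        this.keyStoreType = props.getProperty(SSL_KEYSTORE_FILE_TYPE_PARAM, KeyStore.getDefaultType());
        this.trustStoreType = props.getProperty(SSL_TRUSTSTORE_FILE_TYPE_PARAM, KeyStore.getDefaultType());
        if (credStoreFile == null) {
            throw new RuntimeException("Credential file is not defined. param = [ranger.usersync.credstore.filename]");
        }
        File credFile = new File(credStoreFile);
        if (!credFile.exists()) {
            throw new RuntimeException("Credential file [" + credStoreFile + "]: does not exists.");
        }
        if (!credFile.canRead()) {
            throw new RuntimeException("Credential file [" + credStoreFile + "]: can not be read.");
        }
        // BCFKS stores are addressed through a URI rather than a bare path.
        String credStoreUri = credStoreFile;
        if ("bcfks".equalsIgnoreCase(this.keyStoreType)) {
            credStoreUri = "bcfks://file" + credStoreFile;
        }
        this.keyStorePathPassword = CredentialReader.getDecryptedString(credStoreUri, SSL_KEYSTORE_PATH_PASSWORD_ALIAS, this.keyStoreType);
        this.trustStorePathPassword = CredentialReader.getDecryptedString(credStoreUri, SSL_TRUSTSTORE_PATH_PASSWORD_ALIAS, this.trustStoreType);
        this.trustStorePath = props.getProperty(SSL_TRUSTSTORE_PATH_PARAM);
        this.portNum = parsePort(props.getProperty(REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM));

        String validatorProgram = props.getProperty(CRED_VALIDATOR_PROG);
        if (validatorProgram != null) {
            PasswordValidator.setValidatorProgram(validatorProgram);
        }

        String adminUsers = props.getProperty(ADMIN_USER_LIST_PARAM);
        if (adminUsers != null && !adminUsers.trim().isEmpty()) {
            for (String user : adminUsers.split(",")) {
                String trimmed = user.trim();
                if (trimmed.isEmpty()) {
                    // "a,,b" or ",a" would otherwise register a blank admin user name.
                    continue;
                }
                LOG.info("Adding Admin User:{}", trimmed);
                this.adminUserList.add(trimmed);
            }
            PasswordValidator.setAdminUserList(this.adminUserList);
        }

        this.adminRoleNames = props.getProperty(ADMIN_ROLE_LIST_PARAM);
        if (this.adminRoleNames != null) {
            LOG.info("Adding Admin Group:{}", this.adminRoleNames);
            PasswordValidator.setAdminRoleNames(this.adminRoleNames);
        }

        String sslFlag = props.getProperty(SSL_ENABLED_PARAM);
        this.sslEnabled = sslFlag != null && sslFlag.equalsIgnoreCase("true");
        this.enabledProtocolsList = splitCsvUpperCase(props.getProperty(SSL_ENABLED_PROTOCOLS_PARAM, SSL_ALGORITHM));
        this.enabledCipherSuiteList = splitCsvUpperCase(props.getProperty(SSL_ENABLED_CIPHER_SUITES_PARAM, ""));
    }

    /**
     * Parses the listener port from configuration.
     *
     * @param value raw property value, may be {@code null}
     * @return the port number
     * @throws RuntimeException      if the value is missing/blank or outside 0..65535
     * @throws NumberFormatException if the value is not an integer
     */
    private static int parsePort(String value) {
        if (value == null || value.trim().isEmpty()) {
            throw new RuntimeException("Listener port is not defined. param = [" + REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM + "]");
        }
        int port = Integer.parseInt(value.trim());
        if (port < 0 || port > 65535) {
            throw new RuntimeException("Invalid listener port [" + value + "]. param = [" + REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM + "]");
        }
        return port;
    }

    /**
     * Splits a comma-separated property into upper-cased, trimmed entries.
     *
     * <p>An empty input yields a single empty entry, which never matches a real
     * protocol or cipher-suite name and so leaves the JVM defaults untouched.
     *
     * @param value non-null property value
     * @return mutable list of upper-cased entries
     */
    private static List<String> splitCsvUpperCase(String value) {
        return new ArrayList<>(Arrays.asList(value.toUpperCase(Locale.ROOT).trim().split("\\s*,\\s*")));
    }

    /**
     * Builds the TLS context, opens the listener and serves connections until
     * {@code accept()} fails.
     *
     * <p>Each accepted {@link Socket} is handed to a new {@link PasswordValidator}
     * thread. The server socket is closed on every exit path.
     *
     * @throws Throwable store loading, context initialisation or socket errors
     */
    public void startService() throws Throwable {
        SSLContext sslContext = SSLContext.getInstance(SSL_ALGORITHM);
        sslContext.init(loadKeyManagers(), loadTrustManagers(), new SecureRandom());

        try (ServerSocket serverSocket = createListener(sslContext)) {
            while (true) {
                // accept() blocks and either returns a connected socket or throws.
                Socket client = serverSocket.accept();
                new Thread(new PasswordValidator(client)).start();
            }
        }
    }

    /**
     * Loads the server identity from {@code ranger.usersync.keystore.file}.
     *
     * @return key managers for the configured key store, or {@code null} when no key store
     *         path is configured (JSSE then picks its default key manager, which for a
     *         server typically means no usable identity)
     * @throws GeneralSecurityException if the store type or its contents are rejected
     * @throws IOException              if the store cannot be found or read
     */
    private KeyManager[] loadKeyManagers() throws GeneralSecurityException, IOException {
        if (this.keyStorePath == null || this.keyStorePath.isEmpty()) {
            return null;
        }
        KeyStore keyStore = loadStore(this.keyStorePath, this.keyStoreType, this.keyStorePathPassword);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, passwordChars(this.keyStorePathPassword));
        return kmf.getKeyManagers();
    }

    /**
     * Loads the trust anchors from {@code ranger.usersync.truststore.file}.
     *
     * @return trust managers for the configured trust store, or for the JSSE default
     *         trust store when no path is configured
     * @throws GeneralSecurityException if the store type or its contents are rejected
     * @throws IOException              if the store cannot be found or read
     */
    private TrustManager[] loadTrustManagers() throws GeneralSecurityException, IOException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore trustStore = null;
        if (this.trustStorePath != null && !this.trustStorePath.isEmpty()) {
            trustStore = loadStore(this.trustStorePath, this.trustStoreType, this.trustStorePathPassword);
        }
        // A null store makes the factory fall back to the JVM's default trust store.
        tmf.init(trustStore);
        return tmf.getTrustManagers();
    }

    /**
     * Opens and reads a key/trust store, closing the stream on every path.
     *
     * @param path     file-system path or classpath resource name
     * @param type     {@link KeyStore} type
     * @param password store password; {@code null} is treated as empty
     * @return the loaded store
     * @throws FileNotFoundException    if neither a file nor a resource exists at {@code path};
     *                                  {@code KeyStore.load(null, ...)} would otherwise silently
     *                                  yield an empty store
     * @throws GeneralSecurityException if the store type or its contents are rejected
     * @throws IOException              on read or integrity failures
     */
    private KeyStore loadStore(String path, String type, String password) throws GeneralSecurityException, IOException {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = getFileInputStream(path)) {
            if (in == null) {
                throw new FileNotFoundException("Key/trust store [" + path + "] was not found as a file or classpath resource");
            }
            store.load(in, passwordChars(password));
        }
        return store;
    }

    /**
     * Converts a store password to the {@code char[]} form the JSSE APIs take.
     *
     * @param password may be {@code null}
     * @return the password characters, empty when {@code password} is {@code null}
     */
    private static char[] passwordChars(String password) {
        return password == null ? "".toCharArray() : password.toCharArray();
    }

    /**
     * Creates the listening socket on {@code ranger.usersync.port}.
     *
     * <p>With {@code ranger.usersync.ssl=true} this is an {@link SSLServerSocket} restricted
     * to the configured protocols and cipher suites; otherwise it is a plain
     * {@link ServerSocket}, so nothing exchanged with the validator is protected in transit.
     * Both bind to the wildcard address.
     *
     * @param sslContext initialised context used for the TLS listener
     * @return the bound server socket
     * @throws IOException if the socket cannot be created or bound
     */
    private ServerSocket createListener(SSLContext sslContext) throws IOException {
        if (!this.sslEnabled) {
            LOG.warn("{} is not enabled; Unix Auth Service is listening without TLS on port {}", SSL_ENABLED_PARAM, this.portNum);
            return new ServerSocket(this.portNum);
        }
        SSLServerSocket sslSocket = (SSLServerSocket) sslContext.getServerSocketFactory().createServerSocket(this.portNum);
        restrictProtocolsAndCipherSuites(sslSocket);
        return sslSocket;
    }

    /**
     * Narrows the socket's enabled protocols and cipher suites to those listed in
     * configuration. A list that matches nothing leaves the JVM defaults in place.
     *
     * @param sslSocket the freshly created TLS server socket
     */
    private void restrictProtocolsAndCipherSuites(SSLServerSocket sslSocket) {
        Set<String> protocols = new HashSet<>();
        for (String protocol : sslSocket.getEnabledProtocols()) {
            if (this.enabledProtocolsList.contains(protocol.toUpperCase(Locale.ROOT))) {
                LOG.info("Enabling Protocol: [{}]", protocol);
                protocols.add(protocol);
            } else {
                LOG.info("Disabling Protocol: [{}]", protocol);
            }
        }
        if (protocols.isEmpty()) {
            // Silent fallback to the JVM defaults is easy to miss, so say so explicitly.
            LOG.warn("None of the configured protocols {} is enabled on the socket; keeping JVM defaults {}",
                    this.enabledProtocolsList, Arrays.asList(sslSocket.getEnabledProtocols()));
        } else {
            sslSocket.setEnabledProtocols(protocols.toArray(new String[0]));
        }

        Set<String> suites = new HashSet<>();
        for (String suite : sslSocket.getEnabledCipherSuites()) {
            if (this.enabledCipherSuiteList.contains(suite.toUpperCase(Locale.ROOT))) {
                LOG.debug("Enabling CipherSuite : [{}]", suite);
                suites.add(suite);
            } else {
                LOG.debug("Disabling CipherSuite : [{}]", suite);
            }
        }
        // Empty configured list (the default) means "no restriction".
        if (!suites.isEmpty()) {
            sslSocket.setEnabledCipherSuites(suites.toArray(new String[0]));
        }
    }

    /**
     * Opens {@code name} as a file if it exists, otherwise as a classpath resource
     * (with and without a leading {@link File#separator}).
     *
     * @param name file path or resource name
     * @return an open stream, or {@code null} if neither a file nor a resource was found
     * @throws FileNotFoundException if the file exists but cannot be opened
     */
    private InputStream getFileInputStream(String name) throws FileNotFoundException {
        File file = new File(name);
        if (file.exists()) {
            return new FileInputStream(file);
        }
        InputStream resource = getClass().getResourceAsStream(name);
        if (resource == null) {
            resource = getClass().getResourceAsStream(File.separator + name);
        }
        return resource;
    }
}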
