package org.apache.hadoop.crypto.key;

import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.net.URI;
import java.net.URL;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.io.IOUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.fs.FSDataInputStream;
import org.apache.hadoop.fs.FSDataOutputStream;
import org.apache.hadoop.fs.FileStatus;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.security.ProviderUtils;
import org.apache.hadoop.util.StringUtils;
import org.p001sparkproject.guava.annotations.VisibleForTesting;
import org.p001sparkproject.guava.base.Preconditions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/crypto/key/JavaKeyStoreProvider.class */
public class JavaKeyStoreProvider extends KeyProvider {
    private static final String KEY_METADATA = "KeyMetadata";
    public static final String SCHEME_NAME = "jceks";
    public static final String KEYSTORE_PASSWORD_FILE_KEY = "hadoop.security.keystore.java-keystore-provider.password-file";
    public static final String KEYSTORE_PASSWORD_ENV_VAR = "HADOOP_KEYSTORE_PASSWORD";
    private final URI uri;
    private final Path path;
    private final FileSystem fs;
    private final FsPermission permissions;
    private final KeyStore keyStore;
    private char[] password;
    private boolean changed;
    private Lock readLock;
    private Lock writeLock;
    private final Map<String, KeyProvider.Metadata> cache;
    private static Logger LOG = LoggerFactory.getLogger((Class<?>) JavaKeyStoreProvider.class);
    public static final char[] KEYSTORE_PASSWORD_DEFAULT = "none".toCharArray();

    /* loaded from: input_file:org/apache/hadoop/crypto/key/JavaKeyStoreProvider$Factory.class */
    public static class Factory extends KeyProviderFactory {
        @Override // org.apache.hadoop.crypto.key.KeyProviderFactory
        public KeyProvider createProvider(URI uri, Configuration configuration) throws IOException {
            if ("jceks".equals(uri.getScheme())) {
                return new JavaKeyStoreProvider(uri, configuration);
            }
            return null;
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/JavaKeyStoreProvider$KeyMetadata.class */
    public static class KeyMetadata implements Key, Serializable {
        private KeyProvider.Metadata metadata;
        private static final long serialVersionUID = 8405872419967874451L;

        private KeyMetadata(KeyProvider.Metadata metadata) {
            this.metadata = metadata;
        }

        @Override // java.security.Key
        public String getAlgorithm() {
            return this.metadata.getCipher();
        }

        @Override // java.security.Key
        public String getFormat() {
            return JavaKeyStoreProvider.KEY_METADATA;
        }

        @Override // java.security.Key
        public byte[] getEncoded() {
            return new byte[0];
        }

        private void writeObject(ObjectOutputStream objectOutputStream) throws IOException {
            byte[] serialize = this.metadata.serialize();
            objectOutputStream.writeInt(serialize.length);
            objectOutputStream.write(serialize);
        }

        private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
            byte[] bArr = new byte[objectInputStream.readInt()];
            objectInputStream.readFully(bArr);
            this.metadata = new KeyProvider.Metadata(bArr);
        }
    }

    @VisibleForTesting
    JavaKeyStoreProvider(JavaKeyStoreProvider javaKeyStoreProvider) {
        super(new Configuration());
        this.changed = false;
        this.cache = new HashMap();
        this.uri = javaKeyStoreProvider.uri;
        this.path = javaKeyStoreProvider.path;
        this.fs = javaKeyStoreProvider.fs;
        this.permissions = javaKeyStoreProvider.permissions;
        this.keyStore = javaKeyStoreProvider.keyStore;
        this.password = javaKeyStoreProvider.password;
        this.changed = javaKeyStoreProvider.changed;
        this.readLock = javaKeyStoreProvider.readLock;
        this.writeLock = javaKeyStoreProvider.writeLock;
    }

    private JavaKeyStoreProvider(URI uri, Configuration configuration) throws IOException {
        super(configuration);
        FsPermission tryLoadIncompleteFlush;
        String str;
        this.changed = false;
        this.cache = new HashMap();
        this.uri = uri;
        this.path = ProviderUtils.unnestUri(uri);
        this.fs = this.path.getFileSystem(configuration);
        if (System.getenv().containsKey(KEYSTORE_PASSWORD_ENV_VAR)) {
            this.password = System.getenv(KEYSTORE_PASSWORD_ENV_VAR).toCharArray();
        }
        if (this.password == null && (str = configuration.get(KEYSTORE_PASSWORD_FILE_KEY)) != null) {
            URL resource = Thread.currentThread().getContextClassLoader().getResource(str);
            if (resource == null) {
                throw new IOException("Password file does not exists");
            }
            InputStream openStream = resource.openStream();
            Throwable th = null;
            try {
                this.password = IOUtils.toString(openStream).trim().toCharArray();
                if (openStream != null) {
                    if (0 != 0) {
                        try {
                            openStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        openStream.close();
                    }
                }
            } catch (Throwable th3) {
                if (openStream != null) {
                    if (0 != 0) {
                        try {
                            openStream.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        openStream.close();
                    }
                }
                throw th3;
            }
        }
        if (this.password == null) {
            this.password = KEYSTORE_PASSWORD_DEFAULT;
        }
        try {
            Path constructOldPath = constructOldPath(this.path);
            Path constructNewPath = constructNewPath(this.path);
            this.keyStore = KeyStore.getInstance("jceks");
            if (!this.fs.exists(this.path)) {
                tryLoadIncompleteFlush = tryLoadIncompleteFlush(constructOldPath, constructNewPath);
            } else {
                if (this.fs.exists(constructNewPath)) {
                    throw new IOException(String.format("Keystore not loaded due to some inconsistency ('%s' and '%s' should not exist together)!!", this.path, constructNewPath));
                }
                tryLoadIncompleteFlush = tryLoadFromPath(this.path, constructOldPath);
            }
            this.permissions = tryLoadIncompleteFlush;
            ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock(true);
            this.readLock = reentrantReadWriteLock.readLock();
            this.writeLock = reentrantReadWriteLock.writeLock();
        } catch (KeyStoreException e) {
            throw new IOException("Can't create keystore", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new IOException("Can't load keystore " + this.path, e2);
        } catch (CertificateException e3) {
            throw new IOException("Can't load keystore " + this.path, e3);
        }
    }

    private FsPermission tryLoadFromPath(Path path, Path path2) throws NoSuchAlgorithmException, CertificateException, IOException {
        FsPermission loadFromPath;
        try {
            loadFromPath = loadFromPath(path, this.password);
            if (this.fs.exists(path2)) {
                this.fs.delete(path2, true);
            }
            LOG.debug("KeyStore loaded successfully !!");
        } catch (IOException e) {
            if (isBadorWrongPassword(e)) {
                throw e;
            }
            loadFromPath = loadFromPath(path2, this.password);
            renameOrFail(path, new Path(path.toString() + "_CORRUPTED_" + System.currentTimeMillis()));
            renameOrFail(path2, path);
            LOG.debug(String.format("KeyStore loaded successfully from '%s' since '%s'was corrupted !!", path2, path));
        }
        return loadFromPath;
    }

    private FsPermission tryLoadIncompleteFlush(Path path, Path path2) throws IOException, NoSuchAlgorithmException, CertificateException {
        FsPermission fsPermission = null;
        if (this.fs.exists(path2)) {
            fsPermission = loadAndReturnPerm(path2, path);
        }
        if (fsPermission == null && this.fs.exists(path)) {
            fsPermission = loadAndReturnPerm(path, path2);
        }
        if (fsPermission == null) {
            this.keyStore.load(null, this.password);
            LOG.debug("KeyStore initialized anew successfully !!");
            fsPermission = new FsPermission(DFSConfigKeys.DFS_DATANODE_DATA_DIR_PERMISSION_DEFAULT);
        }
        return fsPermission;
    }

    private FsPermission loadAndReturnPerm(Path path, Path path2) throws NoSuchAlgorithmException, CertificateException, IOException {
        FsPermission fsPermission = null;
        try {
            fsPermission = loadFromPath(path, this.password);
            renameOrFail(path, this.path);
            LOG.debug(String.format("KeyStore loaded successfully from '%s'!!", path));
            if (this.fs.exists(path2)) {
                this.fs.delete(path2, true);
            }
        } catch (IOException e) {
            if (isBadorWrongPassword(e)) {
                throw e;
            }
        }
        return fsPermission;
    }

    private boolean isBadorWrongPassword(IOException iOException) {
        if (iOException.getCause() instanceof UnrecoverableKeyException) {
            return true;
        }
        if (iOException.getCause() != null || iOException.getMessage() == null) {
            return false;
        }
        return iOException.getMessage().contains("Keystore was tampered") || iOException.getMessage().contains("password was incorrect");
    }

    private FsPermission loadFromPath(Path path, char[] cArr) throws IOException, NoSuchAlgorithmException, CertificateException {
        FSDataInputStream open = this.fs.open(path);
        Throwable th = null;
        try {
            FileStatus fileStatus = this.fs.getFileStatus(path);
            this.keyStore.load(open, cArr);
            FsPermission permission = fileStatus.getPermission();
            if (open != null) {
                if (0 != 0) {
                    try {
                        open.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    open.close();
                }
            }
            return permission;
        } catch (Throwable th3) {
            if (open != null) {
                if (0 != 0) {
                    try {
                        open.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    open.close();
                }
            }
            throw th3;
        }
    }

    private Path constructNewPath(Path path) {
        return new Path(path.toString() + "_NEW");
    }

    private Path constructOldPath(Path path) {
        return new Path(path.toString() + "_OLD");
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion getKeyVersion(String str) throws IOException {
        this.readLock.lock();
        SecretKeySpec secretKeySpec = null;
        try {
            try {
                try {
                    if (!this.keyStore.containsAlias(str)) {
                        return null;
                    }
                    secretKeySpec = (SecretKeySpec) this.keyStore.getKey(str, this.password);
                    KeyProvider.KeyVersion keyVersion = new KeyProvider.KeyVersion(getBaseName(str), str, secretKeySpec.getEncoded());
                    this.readLock.unlock();
                    return keyVersion;
                } catch (KeyStoreException e) {
                    throw new IOException("Can't get key " + str + " from " + this.path, e);
                }
            } catch (NoSuchAlgorithmException e2) {
                throw new IOException("Can't get algorithm for key " + secretKeySpec + " from " + this.path, e2);
            } catch (UnrecoverableKeyException e3) {
                throw new IOException("Can't recover key " + secretKeySpec + " from " + this.path, e3);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public List<String> getKeys() throws IOException {
        this.readLock.lock();
        try {
            ArrayList arrayList = new ArrayList();
            String str = null;
            try {
                Enumeration<String> aliases = this.keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    str = aliases.nextElement();
                    if (!str.contains("@")) {
                        arrayList.add(str);
                    }
                }
                return arrayList;
            } catch (KeyStoreException e) {
                throw new IOException("Can't get key " + str + " from " + this.path, e);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public List<KeyProvider.KeyVersion> getKeyVersions(String str) throws IOException {
        this.readLock.lock();
        try {
            ArrayList arrayList = new ArrayList();
            KeyProvider.Metadata metadata = getMetadata(str);
            if (metadata != null) {
                int versions = metadata.getVersions();
                for (int i = 0; i < versions; i++) {
                    KeyProvider.KeyVersion keyVersion = getKeyVersion(buildVersionName(str, i));
                    if (keyVersion != null) {
                        arrayList.add(keyVersion);
                    }
                }
            }
            return arrayList;
        } finally {
            this.readLock.unlock();
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.Metadata getMetadata(String str) throws IOException {
        this.readLock.lock();
        try {
            if (this.cache.containsKey(str)) {
                KeyProvider.Metadata metadata = this.cache.get(str);
                this.readLock.unlock();
                return metadata;
            }
            try {
                try {
                    if (!this.keyStore.containsAlias(str)) {
                        return null;
                    }
                    KeyProvider.Metadata metadata2 = ((KeyMetadata) this.keyStore.getKey(str, this.password)).metadata;
                    this.cache.put(str, metadata2);
                    this.readLock.unlock();
                    return metadata2;
                } catch (ClassCastException e) {
                    throw new IOException("Can't cast key for " + str + " in keystore " + this.path + " to a KeyMetadata. Key may have been added using  keytool or some other non-Hadoop method.", e);
                } catch (NoSuchAlgorithmException e2) {
                    throw new IOException("Can't get algorithm for " + str + " from keystore " + this.path, e2);
                }
            } catch (KeyStoreException e3) {
                throw new IOException("Can't get metadata for " + str + " from keystore " + this.path, e3);
            } catch (UnrecoverableKeyException e4) {
                throw new IOException("Can't recover key for " + str + " from keystore " + this.path, e4);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion createKey(String str, byte[] bArr, KeyProvider.Options options) throws IOException {
        Preconditions.checkArgument(str.equals(StringUtils.toLowerCase(str)), "Uppercase key names are unsupported: %s", str);
        this.writeLock.lock();
        try {
            try {
                if (this.keyStore.containsAlias(str) || this.cache.containsKey(str)) {
                    throw new IOException("Key " + str + " already exists in " + this);
                }
                KeyProvider.Metadata metadata = new KeyProvider.Metadata(options.getCipher(), options.getBitLength(), options.getDescription(), options.getAttributes(), new Date(), 1);
                if (options.getBitLength() != 8 * bArr.length) {
                    throw new IOException("Wrong key length. Required " + options.getBitLength() + ", but got " + (8 * bArr.length));
                }
                this.cache.put(str, metadata);
                KeyProvider.KeyVersion innerSetKeyVersion = innerSetKeyVersion(str, buildVersionName(str, 0), bArr, metadata.getCipher());
                this.writeLock.unlock();
                return innerSetKeyVersion;
            } catch (KeyStoreException e) {
                throw new IOException("Problem looking up key " + str + " in " + this, e);
            }
        } catch (Throwable th) {
            this.writeLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public void deleteKey(String str) throws IOException {
        this.writeLock.lock();
        try {
            KeyProvider.Metadata metadata = getMetadata(str);
            if (metadata == null) {
                throw new IOException("Key " + str + " does not exist in " + this);
            }
            for (int i = 0; i < metadata.getVersions(); i++) {
                String buildVersionName = buildVersionName(str, i);
                try {
                    if (this.keyStore.containsAlias(buildVersionName)) {
                        this.keyStore.deleteEntry(buildVersionName);
                    }
                } catch (KeyStoreException e) {
                    throw new IOException("Problem removing " + buildVersionName + " from " + this, e);
                }
            }
            try {
                if (this.keyStore.containsAlias(str)) {
                    this.keyStore.deleteEntry(str);
                }
                this.cache.remove(str);
                this.changed = true;
                this.writeLock.unlock();
            } catch (KeyStoreException e2) {
                throw new IOException("Problem removing " + str + " from " + this, e2);
            }
        } catch (Throwable th) {
            this.writeLock.unlock();
            throw th;
        }
    }

    KeyProvider.KeyVersion innerSetKeyVersion(String str, String str2, byte[] bArr, String str3) throws IOException {
        try {
            this.keyStore.setKeyEntry(str2, new SecretKeySpec(bArr, str3), this.password, null);
            this.changed = true;
            return new KeyProvider.KeyVersion(str, str2, bArr);
        } catch (KeyStoreException e) {
            throw new IOException("Can't store key " + str2 + " in " + this, e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion rollNewVersion(String str, byte[] bArr) throws IOException {
        this.writeLock.lock();
        try {
            KeyProvider.Metadata metadata = getMetadata(str);
            if (metadata == null) {
                throw new IOException("Key " + str + " not found");
            }
            if (metadata.getBitLength() != 8 * bArr.length) {
                throw new IOException("Wrong key length. Required " + metadata.getBitLength() + ", but got " + (8 * bArr.length));
            }
            KeyProvider.KeyVersion innerSetKeyVersion = innerSetKeyVersion(str, buildVersionName(str, metadata.addVersion()), bArr, metadata.getCipher());
            this.writeLock.unlock();
            return innerSetKeyVersion;
        } catch (Throwable th) {
            this.writeLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public void flush() throws IOException {
        Path constructNewPath = constructNewPath(this.path);
        Path constructOldPath = constructOldPath(this.path);
        Path path = this.path;
        this.writeLock.lock();
        try {
            try {
                if (this.changed) {
                    if (this.fs.exists(constructNewPath)) {
                        renameOrFail(constructNewPath, new Path(constructNewPath.toString() + "_ORPHANED_" + System.currentTimeMillis()));
                    }
                    if (this.fs.exists(constructOldPath)) {
                        renameOrFail(constructOldPath, new Path(constructOldPath.toString() + "_ORPHANED_" + System.currentTimeMillis()));
                    }
                    for (Map.Entry<String, KeyProvider.Metadata> entry : this.cache.entrySet()) {
                        try {
                            this.keyStore.setKeyEntry(entry.getKey(), new KeyMetadata(entry.getValue()), this.password, null);
                        } catch (KeyStoreException e) {
                            throw new IOException("Can't set metadata key " + entry.getKey(), e);
                        }
                    }
                    boolean backupToOld = backupToOld(constructOldPath);
                    if (backupToOld) {
                    }
                    try {
                        writeToNew(constructNewPath);
                        cleanupNewAndOld(constructNewPath, constructOldPath);
                        this.changed = false;
                        this.writeLock.unlock();
                    } catch (IOException e2) {
                        revertFromOld(constructOldPath, backupToOld);
                        Path path2 = this.path;
                        throw e2;
                    }
                }
            } catch (IOException e3) {
                resetKeyStoreState(path);
                throw e3;
            }
        } finally {
            this.writeLock.unlock();
        }
    }

    private void resetKeyStoreState(Path path) {
        LOG.debug("Could not flush Keystore..attempting to reset to previous state !!");
        this.cache.clear();
        try {
            loadFromPath(path, this.password);
            LOG.debug("KeyStore resetting to previously flushed state !!");
        } catch (Exception e) {
            LOG.debug("Could not reset Keystore to previous state", (Throwable) e);
        }
    }

    private void cleanupNewAndOld(Path path, Path path2) throws IOException {
        renameOrFail(path, this.path);
        if (this.fs.exists(path2)) {
            this.fs.delete(path2, true);
        }
    }

    protected void writeToNew(Path path) throws IOException {
        try {
            FSDataOutputStream create = FileSystem.create(this.fs, path, this.permissions);
            Throwable th = null;
            try {
                try {
                    this.keyStore.store(create, this.password);
                    if (create != null) {
                        if (0 != 0) {
                            try {
                                create.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            create.close();
                        }
                    }
                } finally {
                }
            } catch (Throwable th3) {
                if (create != null) {
                    if (th != null) {
                        try {
                            create.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        create.close();
                    }
                }
                throw th3;
            }
        } catch (KeyStoreException e) {
            throw new IOException("Can't store keystore " + this, e);
        } catch (NoSuchAlgorithmException e2) {
            throw new IOException("No such algorithm storing keystore " + this, e2);
        } catch (CertificateException e3) {
            throw new IOException("Certificate exception storing keystore " + this, e3);
        }
    }

    protected boolean backupToOld(Path path) throws IOException {
        boolean z = false;
        if (this.fs.exists(this.path)) {
            renameOrFail(this.path, path);
            z = true;
        }
        return z;
    }

    private void revertFromOld(Path path, boolean z) throws IOException {
        if (z) {
            renameOrFail(path, this.path);
        }
    }

    private void renameOrFail(Path path, Path path2) throws IOException {
        if (!this.fs.rename(path, path2)) {
            throw new IOException("Rename unsuccessful : " + String.format("'%s' to '%s'", path, path2));
        }
    }

    public String toString() {
        return this.uri.toString();
    }
}
