package org.apache.hadoop.crypto.key;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import okhttp3.Response;
import org.apache.commons.codec.binary.Base64;
import org.apache.curator.shaded.com.google.common.collect.Lists;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.CryptoCodec;
import org.apache.hadoop.crypto.Decryptor;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.util.KMSUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/crypto/key/KeyProxyProvider.class */
public class KeyProxyProvider extends KeyProvider implements KeyProviderCryptoExtension.CryptoExtension {
    public static final String SCHEME_NAME = "kmsproxy";
    public static final long ENCRYPTED_KEY_CACHE_TIME_MS = 5000;
    public static final long KEY_VERSION_CACHE_TIME_MS = 600000;
    public static final long KEY_METADATA_CACHE_TIME_MS = 600000;
    private static final Logger LOG = LoggerFactory.getLogger(KeyProxyProvider.class);
    private final Configuration conf;
    private final int generateEekNum;
    private final boolean useLocalDecryptor;
    private final ThreadLocal<Cache<String, CacheKeys>> encryptedKeyCache;
    private final ThreadLocal<Map<String, Object>> localMap;
    private final LoadingCache<String, KeyProvider.KeyVersion> keyVersionCache;
    private final LoadingCache<String, KeyProvider.Metadata> keyMetaCache;
    private final Map<String, CryptoCodec> cryptoCodecMap;

    /* loaded from: input_file:org/apache/hadoop/crypto/key/KeyProxyProvider$CacheKeys.class */
    private class CacheKeys {
        private final List<Map> keys;
        private final int size;
        private volatile int index = 0;

        CacheKeys(List<Map> list) {
            this.keys = list;
            this.size = list.size();
        }

        Map next() {
            if (this.index >= this.size) {
                return null;
            }
            List<Map> list = this.keys;
            int i = this.index;
            this.index = i + 1;
            return list.get(i);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/KeyProxyProvider$Factory.class */
    public static class Factory extends KeyProviderFactory {
        public KeyProvider createProvider(URI uri, Configuration configuration) throws IOException {
            if (KeyProxyProvider.SCHEME_NAME.equals(uri.getScheme())) {
                return new KeyProxyProvider(uri, configuration);
            }
            return null;
        }
    }

    public KeyProxyProvider(URI uri, Configuration configuration) {
        super(configuration);
        this.encryptedKeyCache = ThreadLocal.withInitial(() -> {
            return CacheBuilder.newBuilder().expireAfterWrite(ENCRYPTED_KEY_CACHE_TIME_MS, TimeUnit.MILLISECONDS).build();
        });
        this.localMap = new ThreadLocal<Map<String, Object>>() { // from class: org.apache.hadoop.crypto.key.KeyProxyProvider.1
            /* JADX INFO: Access modifiers changed from: protected */
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.lang.ThreadLocal
            public Map<String, Object> initialValue() {
                return new HashMap();
            }
        };
        this.keyVersionCache = CacheBuilder.newBuilder().expireAfterAccess(600000L, TimeUnit.MILLISECONDS).build(new CacheLoader<String, KeyProvider.KeyVersion>() { // from class: org.apache.hadoop.crypto.key.KeyProxyProvider.2
            public KeyProvider.KeyVersion load(String str) throws IOException {
                return KeyProxyProvider.this.getKeyVersion(str);
            }
        });
        this.keyMetaCache = CacheBuilder.newBuilder().expireAfterAccess(600000L, TimeUnit.MILLISECONDS).build(new CacheLoader<String, KeyProvider.Metadata>() { // from class: org.apache.hadoop.crypto.key.KeyProxyProvider.3
            public KeyProvider.Metadata load(String str) throws IOException {
                return KeyProxyProvider.this.getMetadata(str);
            }
        });
        this.cryptoCodecMap = new ConcurrentHashMap();
        try {
            HttpUtils.initHttpClient(uri, configuration);
        } catch (MalformedURLException | KeyManagementException | NoSuchAlgorithmException e) {
            LOG.error("Failed to init HttpClient. ", e);
            Throwables.propagate(e);
        }
        this.conf = configuration;
        this.useLocalDecryptor = configuration.getBoolean(KMSProxyConfigKeys.HADOOP_KMS_PROXY_USE_LOCAL_DECRYPTOR_KEY, true);
        this.generateEekNum = (int) (configuration.getInt(KMSProxyConfigKeys.KMS_KEY_CACHE_SIZE, 100) * configuration.getFloat(KMSProxyConfigKeys.KMS_KEY_CACHE_LOW_WATERMARK, 0.3f));
    }

    private Map<String, Object> initMap() {
        Map<String, Object> map = this.localMap.get();
        map.clear();
        return map;
    }

    private <K, V> void putMap(Map<K, V> map, K k, V v) {
        if (v == null) {
            return;
        }
        map.put(k, v);
    }

    private void putMap(Map<String, Object> map, String str, byte[] bArr) {
        if (bArr == null) {
            return;
        }
        map.put(str, Base64.encodeBase64String(bArr));
    }

    private CryptoCodec getCryptoCodec(String str) {
        CryptoCodec cryptoCodec = this.cryptoCodecMap.get(str);
        if (cryptoCodec != null) {
            return cryptoCodec;
        }
        Configuration configuration = new Configuration(this.conf);
        configuration.set("hadoop.security.crypto.cipher.suite", str);
        CryptoCodec cryptoCodec2 = CryptoCodec.getInstance(configuration);
        this.cryptoCodecMap.put(str, cryptoCodec2);
        return cryptoCodec2;
    }

    public KeyProvider.KeyVersion getKeyVersion(String str) throws IOException {
        return KMSUtil.parseJSONKeyVersion(HttpUtils.fromResponseJson(HttpUtils.httpGet("keyversion/" + str)));
    }

    public List<String> getKeys() throws IOException {
        Response httpGet = HttpUtils.httpGet("keys/names");
        HttpUtils.checkResponse(httpGet);
        return (List) HttpUtils.fromResponseJson(httpGet, List.class);
    }

    public List<KeyProvider.KeyVersion> getKeyVersions(String str) throws IOException {
        Response httpGet = HttpUtils.httpGet("key/" + str + "/_versions");
        HttpUtils.checkResponse(httpGet);
        List list = (List) HttpUtils.fromResponseJson(httpGet, List.class);
        ArrayList newArrayListWithCapacity = Lists.newArrayListWithCapacity(list.size());
        Iterator it = list.iterator();
        while (it.hasNext()) {
            newArrayListWithCapacity.add(KMSUtil.parseJSONKeyVersion((Map) it.next()));
        }
        return newArrayListWithCapacity;
    }

    public KeyProvider.Metadata getMetadata(String str) throws IOException {
        return KMSUtil.parseJSONMetadata(HttpUtils.fromResponseJson(HttpUtils.httpGet("key/" + str + "/_metadata")));
    }

    public KeyProvider.KeyVersion createKey(String str, KeyProvider.Options options) throws IOException {
        return createKey(str, null, options);
    }

    public KeyProvider.KeyVersion createKey(String str, byte[] bArr, KeyProvider.Options options) throws IOException {
        Map<String, Object> initMap = initMap();
        putMap((Map<Map<String, Object>, String>) initMap, (Map<String, Object>) "name", str);
        putMap((Map<Map<String, Object>, String>) initMap, (Map<String, Object>) "cipher", options.getCipher());
        putMap((Map<Map<String, Object>, String>) initMap, (Map<String, Object>) "length", (String) Integer.valueOf(options.getBitLength()));
        putMap(initMap, "material", bArr);
        putMap((Map<Map<String, Object>, String>) initMap, (Map<String, Object>) "description", options.getDescription());
        Map attributes = options.getAttributes();
        if (attributes != null && !attributes.isEmpty()) {
            putMap((Map<Map<String, Object>, String>) initMap, (Map<String, Object>) "attributes", (String) attributes);
        }
        return KMSUtil.parseJSONKeyVersion(HttpUtils.fromResponseJson(HttpUtils.httpPost("keys", HttpUtils.toJson(initMap)), Constants.HTTP_CREATED));
    }

    public void deleteKey(String str) throws IOException {
        HttpUtils.checkResponse(HttpUtils.httpDelete("key/" + str));
    }

    public KeyProvider.KeyVersion rollNewVersion(String str) throws IOException {
        return rollNewVersion(str, null);
    }

    public KeyProvider.KeyVersion rollNewVersion(String str, byte[] bArr) throws IOException {
        Map<String, Object> initMap = initMap();
        putMap(initMap, "material", bArr);
        return KMSUtil.parseJSONKeyVersion(HttpUtils.fromResponseJson(HttpUtils.httpPost("key/" + str, HttpUtils.toJson(initMap))));
    }

    public void flush() throws IOException {
    }

    public void warmUpEncryptedKeys(String... strArr) throws IOException {
    }

    public void drain(String str) {
    }

    public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String str) throws IOException, GeneralSecurityException {
        Map next;
        Cache<String, CacheKeys> cache = this.encryptedKeyCache.get();
        CacheKeys cacheKeys = (CacheKeys) cache.getIfPresent(str);
        if (cacheKeys != null && (next = cacheKeys.next()) != null) {
            return KMSUtil.parseJSONEncKeyVersion(str, next);
        }
        Response httpGet = HttpUtils.httpGet("key/" + str + "/_eek?eek_op=generate&num_keys=" + this.generateEekNum);
        HttpUtils.checkResponse(httpGet);
        List list = (List) HttpUtils.fromResponseJson(httpGet, List.class);
        cache.put(str, new CacheKeys(list));
        return KMSUtil.parseJSONEncKeyVersion(str, (Map) list.get(0));
    }

    private KeyProvider.KeyVersion decryptEncryptedKey(Decryptor decryptor, KeyProvider.KeyVersion keyVersion, KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        decryptor.init(keyVersion.getMaterial(), KeyProviderCryptoExtension.EncryptedKeyVersion.deriveIV(encryptedKeyVersion.getEncryptedKeyIv()));
        KeyProvider.KeyVersion encryptedKeyVersion2 = encryptedKeyVersion.getEncryptedKeyVersion();
        int length = encryptedKeyVersion2.getMaterial().length;
        ByteBuffer allocateDirect = ByteBuffer.allocateDirect(length);
        ByteBuffer allocateDirect2 = ByteBuffer.allocateDirect(length);
        allocateDirect.put(encryptedKeyVersion2.getMaterial());
        allocateDirect.flip();
        decryptor.decrypt(allocateDirect, allocateDirect2);
        allocateDirect2.flip();
        byte[] bArr = new byte[length];
        allocateDirect2.get(bArr);
        return new KeyProvider.KeyVersion(keyVersion.getName(), "EK", bArr);
    }

    private KeyProvider.KeyVersion localDecryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        String versionName = encryptedKeyVersion.getEncryptedKeyVersion().getVersionName();
        Preconditions.checkArgument(versionName.equals("EEK"), "encryptedKey version name must be '%s', but found '%s'", "EEK", versionName);
        try {
            String encryptionKeyVersionName = encryptedKeyVersion.getEncryptionKeyVersionName();
            KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) this.keyVersionCache.get(encryptionKeyVersionName);
            Preconditions.checkNotNull(keyVersion, "KeyVersion name '%s' does not exist", encryptionKeyVersionName);
            String encryptionKeyName = encryptedKeyVersion.getEncryptionKeyName();
            KeyProvider.Metadata metadata = (KeyProvider.Metadata) this.keyMetaCache.get(encryptionKeyName);
            Preconditions.checkNotNull(metadata, "Metadata of Key '%s' does not exist", encryptionKeyName);
            return decryptEncryptedKey(getCryptoCodec(metadata.getCipher()).createDecryptor(), keyVersion, encryptedKeyVersion);
        } catch (ExecutionException e) {
            throw new IOException(e);
        }
    }

    private byte[] getEncryptedKeyVersionJson(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws JsonProcessingException {
        Map<String, Object> initMap = initMap();
        putMap((Map<Map<String, Object>, String>) initMap, (Map<String, Object>) "name", encryptedKeyVersion.getEncryptionKeyName());
        putMap(initMap, "iv", encryptedKeyVersion.getEncryptedKeyIv());
        putMap(initMap, "material", encryptedKeyVersion.getEncryptedKeyVersion().getMaterial());
        return HttpUtils.toJson(initMap);
    }

    private KeyProvider.KeyVersion remoteDecryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        return KMSUtil.parseJSONKeyVersion(HttpUtils.fromResponseJson(HttpUtils.httpPost("keyversion/" + encryptedKeyVersion.getEncryptionKeyVersionName() + "/_eek?eek_op=decrypt", getEncryptedKeyVersionJson(encryptedKeyVersion))));
    }

    public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        return this.useLocalDecryptor ? localDecryptEncryptedKey(encryptedKeyVersion) : remoteDecryptEncryptedKey(encryptedKeyVersion);
    }

    public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        return KMSUtil.parseJSONEncKeyVersion(encryptedKeyVersion.getEncryptionKeyName(), HttpUtils.fromResponseJson(HttpUtils.httpPost("keyversion/" + encryptedKeyVersion.getEncryptionKeyVersionName() + "/_eek?eek_op=reencrypt", getEncryptedKeyVersionJson(encryptedKeyVersion))));
    }

    public void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> list) throws IOException, GeneralSecurityException {
        String encryptionKeyName = list.get(0).getEncryptionKeyName();
        ArrayList arrayList = new ArrayList(list.size());
        Iterator<KeyProviderCryptoExtension.EncryptedKeyVersion> it = list.iterator();
        while (it.hasNext()) {
            arrayList.add(KMSUtil.toJSON(it.next()));
        }
        HttpUtils.checkResponse(HttpUtils.httpPost("key/" + encryptionKeyName + "/_reencryptbatch", HttpUtils.toJson(arrayList)));
    }

    public void close() throws IOException {
        HttpUtils.closeHttpClient();
    }
}
