package org.apache.hadoop.security.alias;

import com.google.common.base.Charsets;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.crypto.spec.SecretKeySpec;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.ProviderUtils;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

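/**
 * Base class for credential providers that keep aliases and their secrets in a
 * Java keystore of type {@code jceks}.
 *
 * <p>Subclasses supply the storage hooks (existence check, input/output streams,
 * permission handling); this class owns the in-memory {@link KeyStore}, the
 * keystore password and a fair read/write lock pair guarding keystore access.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>One password ({@link #password}) is used both to load/store the keystore
 *       and to protect every individual entry, so the confidentiality of all
 *       stored credentials rests on that single value.</li>
 *   <li>The keystore type is hard-coded to {@code jceks}. Changing it would make
 *       existing stores unreadable, so it is left as is.</li>
 *   <li>Secrets are converted between {@code char[]} and {@code byte[]} through
 *       an intermediate {@link String}, which cannot be wiped after use.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; members marked "Access modifiers changed
 * from: protected" were {@code protected} in the compiled class.
 */
@InterfaceAudience.Private
public abstract class AbstractJavaKeyStoreProvider extends CredentialProvider {
    public static final Logger LOG = LoggerFactory.getLogger(AbstractJavaKeyStoreProvider.class);

    /** Environment-variable name handed to {@code ProviderUtils.locatePassword}. */
    public static final String CREDENTIAL_PASSWORD_ENV_VAR = "HADOOP_CREDSTORE_PASSWORD";

    /** Configuration key whose value is handed to {@code ProviderUtils.locatePassword}. */
    public static final String CREDENTIAL_PASSWORD_FILE_KEY = "hadoop.security.credstore.java-keystore-provider.password-file";

    private Path path;
    private final URI uri;
    private KeyStore keyStore;
    // Keystore and per-entry password; held as char[] for the provider's lifetime.
    private char[] password = null;
    // True when the in-memory keystore has modifications that flush() has not yet written.
    private boolean changed = false;
    private Lock readLock;
    private Lock writeLock;
    private final Configuration conf;

    /**
     * Resolves the backing path, loads (or initialises) the keystore and creates
     * the lock pair.
     *
     * <p>NOTE(review): this constructor invokes overridable and abstract methods
     * ({@link #initFileSystem}, and via {@code locateKeystore()} the storage
     * hooks) before any subclass constructor body has run, so subclass
     * implementations must not depend on their own constructor-initialised state.
     *
     * @param uri provider URI; the backing path is derived from it
     * @param configuration configuration consulted for the password-file setting
     * @throws IOException if the keystore cannot be created or loaded
     * @throws IllegalArgumentException if no keystore password can be located
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractJavaKeyStoreProvider(URI uri, Configuration configuration) throws IOException {
        this.uri = uri;
        this.conf = configuration;
        initFileSystem(uri);
        locateKeystore();
        // "true" selects the fair ordering policy of ReentrantReadWriteLock.
        ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock(true);
        this.readLock = reentrantReadWriteLock.readLock();
        this.writeLock = reentrantReadWriteLock.writeLock();
    }

    /** Returns the configuration passed to the constructor. */
    /* JADX INFO: Access modifiers changed from: protected */
    public Configuration getConf() {
        return this.conf;
    }

    /** Returns the path of the backing keystore. */
    public Path getPath() {
        return this.path;
    }

    /** Replaces the path of the backing keystore. */
    public void setPath(Path path) {
        this.path = path;
    }

    /**
     * Returns the keystore password.
     *
     * <p>The internal array itself is returned, not a copy: a caller that
     * modifies or zeroes it changes the password this provider uses for every
     * later load, store and entry access.
     */
    public char[] getPassword() {
        return this.password;
    }

    /**
     * Replaces the keystore password. The array is stored by reference, so the
     * caller must not wipe it while the provider is still in use.
     */
    public void setPassword(char[] cArr) {
        this.password = cArr;
    }

    /** Returns whether there are modifications not yet written by {@link #flush()}. */
    public boolean isChanged() {
        return this.changed;
    }

    /** Sets the "unflushed modifications" flag; performed without taking a lock. */
    public void setChanged(boolean z) {
        this.changed = z;
    }

    /** Returns the lock taken by the read operations of this provider. */
    public Lock getReadLock() {
        return this.readLock;
    }

    /**
     * Replaces the read lock. NOTE(review): the read and write locks only
     * exclude each other when they come from the same read/write lock.
     */
    public void setReadLock(Lock lock) {
        this.readLock = lock;
    }

    /** Returns the lock taken by the mutating operations of this provider. */
    public Lock getWriteLock() {
        return this.writeLock;
    }

    /**
     * Replaces the write lock. NOTE(review): the read and write locks only
     * exclude each other when they come from the same read/write lock.
     */
    public void setWriteLock(Lock lock) {
        this.writeLock = lock;
    }

    /** Returns the provider URI given to the constructor. */
    public URI getUri() {
        return this.uri;
    }

    /**
     * Returns the live in-memory keystore. Access through this reference is not
     * covered by the provider's locks.
     */
    public KeyStore getKeyStore() {
        return this.keyStore;
    }

    /** Returns {@link #getPath()} as a string, for use in error messages. */
    protected final String getPathAsString() {
        return getPath().toString();
    }

    protected abstract String getSchemeName();

    /** Opens the stream that {@link #flush()} writes the keystore to. */
    protected abstract OutputStream getOutputStreamForKeystore() throws IOException;

    /** Reports whether a keystore already exists at the backing location. */
    protected abstract boolean keystoreExists() throws IOException;

    /** Opens the stream an existing keystore is loaded from. */
    protected abstract InputStream getInputStreamForFile() throws IOException;

    /**
     * Called with {@code "600"} when no keystore exists yet; how the string is
     * applied is up to the subclass.
     */
    protected abstract void createPermissions(String str) throws IOException;

    /** Called before an existing keystore is loaded. */
    protected abstract void stashOriginalFilePermissions() throws IOException;

    /**
     * Derives the backing keystore path from the provider URI.
     *
     * @param uri provider URI to unnest
     * @throws IOException declared for subclasses; not thrown by this implementation's visible code
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void initFileSystem(URI uri) throws IOException {
        this.path = ProviderUtils.unnestUri(uri);
        LOG.debug("backing jks path initialized to {}", this.path);
    }

    /**
     * Looks up the credential stored under an alias.
     *
     * @param str alias to look up
     * @return the entry, or {@code null} when the alias is not in the keystore
     * @throws IOException if the entry cannot be read or recovered, or is not a
     *         secret-key entry
     */
    @Override
    public CredentialProvider.CredentialEntry getCredentialEntry(String str) throws IOException {
        this.readLock.lock();
        try {
            if (!this.keyStore.containsAlias(str)) {
                return null;
            }
            java.security.Key key = this.keyStore.getKey(str, this.password);
            // A keystore file can hold entries this provider did not write (or none
            // that is a key); report that as an I/O failure instead of a
            // ClassCastException / NullPointerException.
            if (!(key instanceof SecretKeySpec)) {
                throw new IOException("Entry " + str + " in " + getPathAsString() + " is not a secret-key credential");
            }
            byte[] encoded = key.getEncoded();
            try {
                return new CredentialProvider.CredentialEntry(str, bytesToChars(encoded));
            } finally {
                // Wipe our copy of the raw secret; the String created inside
                // bytesToChars still lingers until garbage-collected.
                java.util.Arrays.fill(encoded, (byte) 0);
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("Can't get algorithm for credential " + str + " from " + getPathAsString(), e);
        } catch (KeyStoreException e) {
            throw new IOException("Can't get credential " + str + " from " + getPathAsString(), e);
        } catch (UnrecoverableKeyException e) {
            throw new IOException("Can't recover credential " + str + " from " + getPathAsString(), e);
        } finally {
            // Single release point: the lock is released exactly once on every path.
            this.readLock.unlock();
        }
    }

    /**
     * Decodes UTF-8 bytes into characters.
     *
     * <p>The conversion goes through an immutable {@link String}, so a copy of
     * the decoded secret stays on the heap until it is garbage-collected.
     *
     * @param bArr UTF-8 encoded bytes
     * @return the decoded characters
     * @throws IOException declared for compatibility; not thrown by this implementation
     */
    public static char[] bytesToChars(byte[] bArr) throws IOException {
        return new String(bArr, Charsets.UTF_8).toCharArray();
    }

    /**
     * Lists every alias currently in the keystore.
     *
     * @return the aliases, in the keystore's enumeration order
     * @throws IOException if the keystore cannot enumerate its aliases
     */
    @Override
    public List<String> getAliases() throws IOException {
        this.readLock.lock();
        try {
            List<String> found = new ArrayList<>();
            // Tracks the last alias read so a failure message can name it.
            String current = null;
            try {
                Enumeration<String> aliases = this.keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    current = aliases.nextElement();
                    found.add(current);
                }
                return found;
            } catch (KeyStoreException e) {
                throw new IOException("Can't get alias " + current + " from " + getPathAsString(), e);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Stores a new credential; an existing alias is never overwritten.
     *
     * @param str alias for the new credential
     * @param cArr the secret
     * @return the entry that was stored
     * @throws IOException if the alias already exists or the keystore rejects the entry
     */
    @Override
    public CredentialProvider.CredentialEntry createCredentialEntry(String str, char[] cArr) throws IOException {
        this.writeLock.lock();
        try {
            // The existence check and the insert happen under the same write lock,
            // so two concurrent creators cannot both pass the check.
            if (this.keyStore.containsAlias(str)) {
                throw new IOException("Credential " + str + " already exists in " + this);
            }
            return innerSetCredential(str, cArr);
        } catch (KeyStoreException e) {
            throw new IOException("Problem looking up credential " + str + " in " + this, e);
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Removes a credential from the in-memory keystore; the change reaches
     * storage on the next {@link #flush()}.
     *
     * @param str alias to remove
     * @throws IOException if the alias does not exist or cannot be removed
     */
    @Override
    public void deleteCredentialEntry(String str) throws IOException {
        this.writeLock.lock();
        try {
            if (!this.keyStore.containsAlias(str)) {
                throw new IOException("Credential " + str + " does not exist in " + this);
            }
            this.keyStore.deleteEntry(str);
            this.changed = true;
        } catch (KeyStoreException e) {
            throw new IOException("Problem removing " + str + " from " + this, e);
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Writes (or overwrites) a credential in the in-memory keystore and marks
     * the store as changed.
     *
     * <p>The secret is stored as the UTF-8 bytes of {@code cArr} wrapped in a
     * {@link SecretKeySpec}; the {@code "AES"} algorithm name is only a label on
     * the entry, the bytes are the credential itself, not an AES key.
     *
     * @param str alias to store under
     * @param cArr the secret; an empty array is rejected by {@link SecretKeySpec}
     *        with an {@link IllegalArgumentException}
     * @return an entry holding the alias and the caller's array
     * @throws IOException if the keystore rejects the entry
     */
    CredentialProvider.CredentialEntry innerSetCredential(String str, char[] cArr) throws IOException {
        this.writeLock.lock();
        try {
            byte[] material = new String(cArr).getBytes(Charsets.UTF_8);
            try {
                // SecretKeySpec copies the bytes, so the local array can be wiped afterwards.
                this.keyStore.setKeyEntry(str, new SecretKeySpec(material, "AES"), this.password, null);
            } finally {
                java.util.Arrays.fill(material, (byte) 0);
            }
            // Set while still holding the write lock, which is where flush() reads it.
            this.changed = true;
        } catch (KeyStoreException e) {
            throw new IOException("Can't store credential " + str + " in " + this, e);
        } finally {
            this.writeLock.unlock();
        }
        return new CredentialProvider.CredentialEntry(str, cArr);
    }

    /**
     * Writes the keystore to the subclass-provided output stream when there are
     * unflushed modifications; otherwise does nothing.
     *
     * @throws IOException if the keystore cannot be written or the stream cannot be closed
     */
    @Override
    public void flush() throws IOException {
        this.writeLock.lock();
        try {
            if (!this.changed) {
                LOG.debug("Keystore hasn't changed, returning.");
                return;
            }
            LOG.debug("Writing out keystore.");
            // try-with-resources closes the stream on every path and records a
            // close() failure as suppressed instead of masking the store() failure.
            try (OutputStream out = getOutputStreamForKeystore()) {
                this.keyStore.store(out, this.password);
            } catch (KeyStoreException e) {
                throw new IOException("Can't store keystore " + this, e);
            } catch (NoSuchAlgorithmException e) {
                throw new IOException("No such algorithm storing keystore " + this, e);
            } catch (CertificateException e) {
                throw new IOException("Certificate exception storing keystore " + this, e);
            }
            // Only cleared once the stream has been written and closed successfully.
            this.changed = false;
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Resolves the keystore password and loads the keystore, or initialises an
     * empty one when none exists yet.
     *
     * @throws IOException if the keystore cannot be created or loaded
     * @throws IllegalArgumentException if no password can be located
     */
    private void locateKeystore() throws IOException {
        try {
            this.password = ProviderUtils.locatePassword(CREDENTIAL_PASSWORD_ENV_VAR, this.conf.get(CREDENTIAL_PASSWORD_FILE_KEY));
            // No fallback password: refuse to open or create a store without one.
            if (this.password == null) {
                throw new IllegalArgumentException(noPasswordError());
            }
            KeyStore loaded = KeyStore.getInstance("jceks");
            if (keystoreExists()) {
                stashOriginalFilePermissions();
                try (InputStream in = getInputStreamForFile()) {
                    loaded.load(in, this.password);
                }
            } else {
                // Owner read/write only is requested for a store that does not exist yet.
                createPermissions("600");
                loaded.load(null, this.password);
            }
            // Published only after a successful load, so a failure leaves the field unset.
            this.keyStore = loaded;
        } catch (KeyStoreException e) {
            throw new IOException("Can't create keystore", e);
        } catch (GeneralSecurityException e) {
            throw new IOException("Can't load keystore " + getPathAsString(), e);
        }
    }

    /**
     * Reports whether a password still has to be supplied.
     *
     * @return {@code true} when {@code ProviderUtils.locatePassword} finds none
     * @throws IOException if the password lookup fails
     */
    @Override
    public boolean needsPassword() throws IOException {
        return null == ProviderUtils.locatePassword(CREDENTIAL_PASSWORD_ENV_VAR, this.conf.get(CREDENTIAL_PASSWORD_FILE_KEY));
    }

    /** Returns the warning text from {@code ProviderUtils} for a missing password. */
    @Override
    public String noPasswordWarning() {
        return ProviderUtils.noPasswordWarning(CREDENTIAL_PASSWORD_ENV_VAR, CREDENTIAL_PASSWORD_FILE_KEY);
    }

    /** Returns the error text from {@code ProviderUtils} for a missing password. */
    @Override
    public String noPasswordError() {
        return ProviderUtils.noPasswordError(CREDENTIAL_PASSWORD_ENV_VAR, CREDENTIAL_PASSWORD_FILE_KEY);
    }

    /** Returns the provider URI; used in error messages, so it never includes the password. */
    @Override
    public String toString() {
        return this.uri.toString();
    }
}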
