package org.apache.hadoop.crypto.key.kms;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectWriter;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.lang.reflect.UndeclaredThrowableException;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.SocketTimeoutException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Queue;
import java.util.concurrent.ExecutionException;
import javax.net.ssl.HttpsURLConnection;
import org.apache.commons.codec.binary.Base64;
import org.apache.flink.hadoop.shaded.com.google.common.annotations.VisibleForTesting;
import org.apache.flink.hadoop.shaded.com.google.common.base.Preconditions;
import org.apache.flink.hadoop.shaded.com.google.common.base.Strings;
import org.apache.flink.hadoop.shaded.org.apache.http.HttpStatus;
import org.apache.flink.hadoop.shaded.org.apache.http.client.utils.URIBuilder;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension;
import org.apache.hadoop.crypto.key.KeyProviderFactory;
import org.apache.hadoop.crypto.key.kms.ValueQueue;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.ProviderUtils;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.ConnectionConfigurator;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.TokenRenewer;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticatedURL;
import org.apache.hadoop.util.HttpExceptionUtils;
import org.apache.hadoop.util.KMSUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider.class */
public class KMSClientProvider extends KeyProvider implements KeyProviderCryptoExtension.CryptoExtension, KeyProviderDelegationTokenExtension.DelegationTokenExtension {
    private static final String INVALID_SIGNATURE = "Invalid signature";
    private static final String ANONYMOUS_REQUESTS_DISALLOWED = "Anonymous requests are disallowed";
    public static final String TOKEN_KIND_STR = "kms-dt";
    public static final String SCHEME_NAME = "kms";
    private static final String UTF8 = "UTF-8";
    private static final String CONTENT_TYPE = "Content-Type";
    private static final String APPLICATION_JSON_MIME = "application/json";
    private static final String HTTP_GET = "GET";
    private static final String HTTP_POST = "POST";
    private static final String HTTP_PUT = "PUT";
    private static final String HTTP_DELETE = "DELETE";
    private static final String CONFIG_PREFIX = "hadoop.security.kms.client.";
    public static final String AUTH_RETRY = "hadoop.security.kms.client.authentication.retry-count";
    public static final int DEFAULT_AUTH_RETRY = 1;
    private final ValueQueue<KeyProviderCryptoExtension.EncryptedKeyVersion> encKeyVersionQueue;
    private final Text dtService;
    private URL kmsUrl;
    private SSLFactory sslFactory;
    private ConnectionConfigurator configurator;
    private DelegationTokenAuthenticatedURL.Token authToken;
    private final int authRetry;
    private static final Logger LOG = LoggerFactory.getLogger(KMSClientProvider.class);
    public static final Text TOKEN_KIND = KMSDelegationToken.TOKEN_KIND;
    private static final ObjectWriter WRITER = new ObjectMapper().writerWithDefaultPrettyPrinter();

    @VisibleForTesting
    public static volatile boolean fallbackDefaultPortForTesting = false;

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$EncryptedQueueRefiller.class */
    private class EncryptedQueueRefiller implements ValueQueue.QueueRefiller<KeyProviderCryptoExtension.EncryptedKeyVersion> {
        private EncryptedQueueRefiller() {
        }

        @Override // org.apache.hadoop.crypto.key.kms.ValueQueue.QueueRefiller
        public void fillQueueForKey(String str, Queue<KeyProviderCryptoExtension.EncryptedKeyVersion> queue, int i) throws IOException {
            KMSUtil.checkNotNull(str, "keyName");
            HashMap hashMap = new HashMap();
            hashMap.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_GENERATE);
            hashMap.put(KMSRESTConstants.EEK_NUM_KEYS, "" + i);
            HttpURLConnection createConnection = KMSClientProvider.this.createConnection(KMSClientProvider.this.createURL("key", str, KMSRESTConstants.EEK_SUB_RESOURCE, hashMap), "GET");
            createConnection.setRequestProperty("Content-Type", "application/json");
            queue.addAll(KMSUtil.parseJSONEncKeyVersions(str, (List) KMSClientProvider.this.call(createConnection, null, 200, List.class)));
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$Factory.class */
    public static class Factory extends KeyProviderFactory {
        @Override // org.apache.hadoop.crypto.key.KeyProviderFactory
        public KeyProvider createProvider(URI uri, Configuration configuration) throws IOException {
            if (!KMSClientProvider.SCHEME_NAME.equals(uri.getScheme())) {
                return null;
            }
            URL url = new URL(KMSClientProvider.extractKMSPath(uri).toString());
            String authority = url.getAuthority();
            if (Strings.isNullOrEmpty(authority)) {
                throw new IOException("No valid authority in kms uri [" + url + "]");
            }
            int i = -1;
            String str = authority;
            if (authority.contains(":")) {
                String[] split = authority.split(":");
                try {
                    i = Integer.parseInt(split[1]);
                    str = split[0];
                } catch (Exception e) {
                    throw new IOException("Could not parse port in kms uri [" + url + "]");
                }
            }
            return createProvider(configuration, url, i, str);
        }

        private KeyProvider createProvider(Configuration configuration, URL url, int i, String str) throws IOException {
            String[] split = str.split(CommonConfigurationKeys.NFS_EXPORTS_ALLOWED_HOSTS_SEPARATOR);
            KMSClientProvider[] kMSClientProviderArr = new KMSClientProvider[split.length];
            for (int i2 = 0; i2 < split.length; i2++) {
                try {
                    kMSClientProviderArr[i2] = new KMSClientProvider(new URI(KMSClientProvider.SCHEME_NAME, url.getProtocol(), split[i2], i, url.getPath(), null, null), configuration);
                } catch (URISyntaxException e) {
                    throw new IOException("Could not instantiate KMSProvider.", e);
                }
            }
            return new LoadBalancingKMSClientProvider(kMSClientProviderArr, configuration);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$KMSEncryptedKeyVersion.class */
    public static class KMSEncryptedKeyVersion extends KeyProviderCryptoExtension.EncryptedKeyVersion {
        public KMSEncryptedKeyVersion(String str, String str2, byte[] bArr, String str3, byte[] bArr2) {
            super(str, str2, bArr, new KMSKeyVersion(null, str3, bArr2));
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$KMSKeyVersion.class */
    public static class KMSKeyVersion extends KeyProvider.KeyVersion {
        public KMSKeyVersion(String str, String str2, byte[] bArr) {
            super(str, str2, bArr);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$KMSMetadata.class */
    public static class KMSMetadata extends KeyProvider.Metadata {
        public KMSMetadata(String str, int i, String str2, Map<String, String> map, Date date, int i2) {
            super(str, i, str2, map, date, i2);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$KMSTokenRenewer.class */
    public static class KMSTokenRenewer extends TokenRenewer {
        private static final Logger LOG = LoggerFactory.getLogger(KMSTokenRenewer.class);

        @Override // org.apache.hadoop.security.token.TokenRenewer
        public boolean handleKind(Text text) {
            return text.equals(KMSClientProvider.TOKEN_KIND);
        }

        @Override // org.apache.hadoop.security.token.TokenRenewer
        public boolean isManaged(Token<?> token) throws IOException {
            return true;
        }

        /* JADX WARN: Multi-variable type inference failed */
        @Override // org.apache.hadoop.security.token.TokenRenewer
        public long renew(Token<?> token, Configuration configuration) throws IOException {
            LOG.debug("Renewing delegation token {}", token);
            KeyProvider createKeyProvider = KMSUtil.createKeyProvider(configuration, "hadoop.security.key.provider.path");
            try {
                if (createKeyProvider instanceof KeyProviderDelegationTokenExtension.DelegationTokenExtension) {
                    long renewDelegationToken = ((KeyProviderDelegationTokenExtension.DelegationTokenExtension) createKeyProvider).renewDelegationToken(token);
                    if (createKeyProvider != 0) {
                        createKeyProvider.close();
                    }
                    return renewDelegationToken;
                }
                Object[] objArr = new Object[2];
                objArr[0] = createKeyProvider == 0 ? "null" : createKeyProvider.getClass();
                objArr[1] = token;
                throw new IOException(String.format("keyProvider %s cannot renew token [%s]", objArr));
            } catch (Throwable th) {
                if (createKeyProvider != 0) {
                    createKeyProvider.close();
                }
                throw th;
            }
        }

        /* JADX WARN: Multi-variable type inference failed */
        @Override // org.apache.hadoop.security.token.TokenRenewer
        public void cancel(Token<?> token, Configuration configuration) throws IOException {
            LOG.debug("Canceling delegation token {}", token);
            KeyProvider createKeyProvider = KMSUtil.createKeyProvider(configuration, "hadoop.security.key.provider.path");
            try {
                if (!(createKeyProvider instanceof KeyProviderDelegationTokenExtension.DelegationTokenExtension)) {
                    Object[] objArr = new Object[2];
                    objArr[0] = createKeyProvider == 0 ? "null" : createKeyProvider.getClass();
                    objArr[1] = token;
                    throw new IOException(String.format("keyProvider %s cannot cancel token [%s]", objArr));
                }
                ((KeyProviderDelegationTokenExtension.DelegationTokenExtension) createKeyProvider).cancelDelegationToken(token);
                if (createKeyProvider != 0) {
                    createKeyProvider.close();
                }
            } catch (Throwable th) {
                if (createKeyProvider != 0) {
                    createKeyProvider.close();
                }
                throw th;
            }
        }
    }

    /* loaded from: input_file:org/apache/hadoop/crypto/key/kms/KMSClientProvider$TimeoutConnConfigurator.class */
    private static class TimeoutConnConfigurator implements ConnectionConfigurator {
        private ConnectionConfigurator cc;
        private int timeout;

        public TimeoutConnConfigurator(int i, ConnectionConfigurator connectionConfigurator) {
            this.timeout = i;
            this.cc = connectionConfigurator;
        }

        @Override // org.apache.hadoop.security.authentication.client.ConnectionConfigurator
        public HttpURLConnection configure(HttpURLConnection httpURLConnection) throws IOException {
            if (this.cc != null) {
                httpURLConnection = this.cc.configure(httpURLConnection);
            }
            httpURLConnection.setConnectTimeout(this.timeout * 1000);
            httpURLConnection.setReadTimeout(this.timeout * 1000);
            return httpURLConnection;
        }
    }

    private static void writeJson(Object obj, OutputStream outputStream) throws IOException {
        WRITER.writeValue(new OutputStreamWriter(outputStream, StandardCharsets.UTF_8), obj);
    }

    public String toString() {
        StringBuilder sb = new StringBuilder("KMSClientProvider[");
        sb.append(this.kmsUrl).append("]");
        return sb.toString();
    }

    public KMSClientProvider(URI uri, Configuration configuration) throws IOException {
        super(configuration);
        this.kmsUrl = createServiceURL(extractKMSPath(uri));
        int port = this.kmsUrl.getPort();
        if (port == -1 && fallbackDefaultPortForTesting) {
            port = 9600;
        }
        this.dtService = SecurityUtil.buildTokenService(new InetSocketAddress(this.kmsUrl.getHost(), port));
        if ("https".equalsIgnoreCase(this.kmsUrl.getProtocol())) {
            this.sslFactory = new SSLFactory(SSLFactory.Mode.CLIENT, configuration);
            try {
                this.sslFactory.init();
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        }
        int i = configuration.getInt(CommonConfigurationKeysPublic.KMS_CLIENT_TIMEOUT_SECONDS, 60);
        this.authRetry = configuration.getInt(AUTH_RETRY, 1);
        this.configurator = new TimeoutConnConfigurator(i, this.sslFactory);
        this.encKeyVersionQueue = new ValueQueue<>(configuration.getInt(CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_SIZE, 500), configuration.getFloat(CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_LOW_WATERMARK, 0.3f), configuration.getInt(CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_MS, CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_EXPIRY_DEFAULT), configuration.getInt(CommonConfigurationKeysPublic.KMS_CLIENT_ENC_KEY_CACHE_NUM_REFILL_THREADS, 2), new EncryptedQueueRefiller());
        this.authToken = new DelegationTokenAuthenticatedURL.Token();
        LOG.debug("KMSClientProvider for KMS url: {} delegation token service: {} created.", this.kmsUrl, this.dtService);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Path extractKMSPath(URI uri) throws MalformedURLException, IOException {
        return ProviderUtils.unnestUri(uri);
    }

    private static URL createServiceURL(Path path) throws IOException {
        String externalForm = new URL(path.toString()).toExternalForm();
        if (externalForm.endsWith("/")) {
            externalForm = externalForm.substring(0, externalForm.length() - 1);
        }
        return new URL(externalForm + KMSRESTConstants.SERVICE_VERSION + "/");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public URL createURL(String str, String str2, String str3, Map<String, ?> map) throws IOException {
        try {
            StringBuilder sb = new StringBuilder();
            sb.append(this.kmsUrl);
            if (str != null) {
                sb.append(str);
                if (str2 != null) {
                    sb.append("/").append(URLEncoder.encode(str2, "UTF-8"));
                    if (str3 != null) {
                        sb.append("/").append(str3);
                    }
                }
            }
            URIBuilder uRIBuilder = new URIBuilder(sb.toString());
            if (map != null) {
                for (Map.Entry<String, ?> entry : map.entrySet()) {
                    Object value = entry.getValue();
                    if (value instanceof String) {
                        uRIBuilder.addParameter(entry.getKey(), (String) value);
                    } else {
                        for (String str4 : (String[]) value) {
                            uRIBuilder.addParameter(entry.getKey(), str4);
                        }
                    }
                }
            }
            return uRIBuilder.build().toURL();
        } catch (URISyntaxException e) {
            throw new IOException(e);
        }
    }

    private HttpURLConnection configureConnection(HttpURLConnection httpURLConnection) throws IOException {
        if (this.sslFactory != null) {
            HttpsURLConnection httpsURLConnection = (HttpsURLConnection) httpURLConnection;
            try {
                httpsURLConnection.setSSLSocketFactory(this.sslFactory.createSSLSocketFactory());
                httpsURLConnection.setHostnameVerifier(this.sslFactory.getHostnameVerifier());
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        }
        return httpURLConnection;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public HttpURLConnection createConnection(final URL url, String str) throws IOException {
        try {
            final String doAsUser = getDoAsUser();
            HttpURLConnection httpURLConnection = (HttpURLConnection) getActualUgi().doAs(new PrivilegedExceptionAction<HttpURLConnection>() { // from class: org.apache.hadoop.crypto.key.kms.KMSClientProvider.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public HttpURLConnection run() throws Exception {
                    return new DelegationTokenAuthenticatedURL(KMSClientProvider.this.configurator).openConnection(url, KMSClientProvider.this.authToken, doAsUser);
                }
            });
            httpURLConnection.setUseCaches(false);
            httpURLConnection.setRequestMethod(str);
            if (str.equals("POST") || str.equals("PUT")) {
                httpURLConnection.setDoOutput(true);
            }
            return configureConnection(httpURLConnection);
        } catch (IOException e) {
            if (e instanceof SocketTimeoutException) {
                LOG.warn("Failed to connect to {}:{}", url.getHost(), Integer.valueOf(url.getPort()));
            }
            throw e;
        } catch (UndeclaredThrowableException e2) {
            throw new IOException(e2.getUndeclaredThrowable());
        } catch (Exception e3) {
            throw new IOException(e3);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public <T> T call(HttpURLConnection httpURLConnection, Object obj, int i, Class<T> cls) throws IOException {
        return (T) call(httpURLConnection, obj, i, cls, this.authRetry);
    }

    /* JADX WARN: Multi-variable type inference failed */
    private <T> T call(HttpURLConnection httpURLConnection, Object obj, int i, Class<T> cls, int i2) throws IOException {
        T t = null;
        OutputStream outputStream = null;
        if (obj != null) {
            try {
                outputStream = httpURLConnection.getOutputStream();
                writeJson(obj, outputStream);
            } catch (IOException e) {
                if (outputStream == null) {
                    httpURLConnection.disconnect();
                } else {
                    IOUtils.closeStream(httpURLConnection.getInputStream());
                }
                throw e;
            }
        }
        if ((httpURLConnection.getResponseCode() == 403 && (httpURLConnection.getResponseMessage().equals(ANONYMOUS_REQUESTS_DISALLOWED) || httpURLConnection.getResponseMessage().contains(INVALID_SIGNATURE))) || httpURLConnection.getResponseCode() == 401) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Response={}({}), resetting authToken", Integer.valueOf(httpURLConnection.getResponseCode()), httpURLConnection.getResponseMessage());
            }
            this.authToken = new DelegationTokenAuthenticatedURL.Token();
            if (i2 > 0) {
                String requestProperty = httpURLConnection.getRequestProperty("Content-Type");
                HttpURLConnection createConnection = createConnection(httpURLConnection.getURL(), httpURLConnection.getRequestMethod());
                if (requestProperty != null && !requestProperty.isEmpty()) {
                    createConnection.setRequestProperty("Content-Type", requestProperty);
                }
                return (T) call(createConnection, obj, i, cls, i2 - 1);
            }
        }
        HttpExceptionUtils.validateResponse(httpURLConnection, i);
        if (httpURLConnection.getContentType() != null && httpURLConnection.getContentType().trim().toLowerCase().startsWith("application/json") && cls != null) {
            ObjectMapper objectMapper = new ObjectMapper();
            InputStream inputStream = null;
            try {
                inputStream = httpURLConnection.getInputStream();
                t = objectMapper.readValue(inputStream, cls);
                IOUtils.closeStream(inputStream);
            } catch (Throwable th) {
                IOUtils.closeStream(inputStream);
                throw th;
            }
        }
        return t;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion getKeyVersion(String str) throws IOException {
        KMSUtil.checkNotEmpty(str, KMSRESTConstants.VERSION_NAME_FIELD);
        return KMSUtil.parseJSONKeyVersion((Map) call(createConnection(createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, str, null, null), "GET"), null, 200, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion getCurrentKey(String str) throws IOException {
        KMSUtil.checkNotEmpty(str, "name");
        return KMSUtil.parseJSONKeyVersion((Map) call(createConnection(createURL("key", str, KMSRESTConstants.CURRENT_VERSION_SUB_RESOURCE, null), "GET"), null, 200, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public List<String> getKeys() throws IOException {
        return (List) call(createConnection(createURL(KMSRESTConstants.KEYS_NAMES_RESOURCE, null, null, null), "GET"), null, 200, List.class);
    }

    private List<String[]> createKeySets(String[] strArr) {
        ArrayList arrayList = new ArrayList();
        ArrayList arrayList2 = new ArrayList();
        int i = 0;
        for (String str : strArr) {
            int length = "key".length() + 1 + str.length();
            i += length;
            if (i > 1500) {
                arrayList.add(arrayList2.toArray(new String[arrayList2.size()]));
                arrayList2 = new ArrayList();
                i = length;
            }
            arrayList2.add(str);
        }
        if (!arrayList2.isEmpty()) {
            arrayList.add(arrayList2.toArray(new String[arrayList2.size()]));
        }
        return arrayList;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.Metadata[] getKeysMetadata(String... strArr) throws IOException {
        ArrayList arrayList = new ArrayList();
        for (String[] strArr2 : createKeySets(strArr)) {
            if (strArr.length > 0) {
                HashMap hashMap = new HashMap();
                hashMap.put("key", strArr2);
                Iterator it = ((List) call(createConnection(createURL(KMSRESTConstants.KEYS_METADATA_RESOURCE, null, null, hashMap), "GET"), null, 200, List.class)).iterator();
                while (it.hasNext()) {
                    arrayList.add(KMSUtil.parseJSONMetadata((Map) it.next()));
                }
            }
        }
        return (KeyProvider.Metadata[]) arrayList.toArray(new KeyProvider.Metadata[arrayList.size()]);
    }

    private KeyProvider.KeyVersion createKeyInternal(String str, byte[] bArr, KeyProvider.Options options) throws NoSuchAlgorithmException, IOException {
        KMSUtil.checkNotEmpty(str, "name");
        KMSUtil.checkNotNull(options, "options");
        HashMap hashMap = new HashMap();
        hashMap.put("name", str);
        hashMap.put(KMSRESTConstants.CIPHER_FIELD, options.getCipher());
        hashMap.put("length", Integer.valueOf(options.getBitLength()));
        if (bArr != null) {
            hashMap.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(bArr));
        }
        if (options.getDescription() != null) {
            hashMap.put(KMSRESTConstants.DESCRIPTION_FIELD, options.getDescription());
        }
        if (options.getAttributes() != null && !options.getAttributes().isEmpty()) {
            hashMap.put(KMSRESTConstants.ATTRIBUTES_FIELD, options.getAttributes());
        }
        HttpURLConnection createConnection = createConnection(createURL(KMSRESTConstants.KEYS_RESOURCE, null, null, null), "POST");
        createConnection.setRequestProperty("Content-Type", "application/json");
        return KMSUtil.parseJSONKeyVersion((Map) call(createConnection, hashMap, HttpStatus.SC_CREATED, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion createKey(String str, KeyProvider.Options options) throws NoSuchAlgorithmException, IOException {
        return createKeyInternal(str, null, options);
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion createKey(String str, byte[] bArr, KeyProvider.Options options) throws IOException {
        KMSUtil.checkNotNull(bArr, KMSRESTConstants.MATERIAL_FIELD);
        try {
            return createKeyInternal(str, bArr, options);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("It should not happen", e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public void invalidateCache(String str) throws IOException {
        KMSUtil.checkNotEmpty(str, "name");
        call(createConnection(createURL("key", str, KMSRESTConstants.INVALIDATECACHE_RESOURCE, null), "POST"), null, 200, null);
        drain(str);
    }

    private KeyProvider.KeyVersion rollNewVersionInternal(String str, byte[] bArr) throws NoSuchAlgorithmException, IOException {
        KMSUtil.checkNotEmpty(str, "name");
        HashMap hashMap = new HashMap();
        if (bArr != null) {
            hashMap.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(bArr));
        }
        HttpURLConnection createConnection = createConnection(createURL("key", str, null, null), "POST");
        createConnection.setRequestProperty("Content-Type", "application/json");
        KeyProvider.KeyVersion parseJSONKeyVersion = KMSUtil.parseJSONKeyVersion((Map) call(createConnection, hashMap, 200, Map.class));
        invalidateCache(str);
        return parseJSONKeyVersion;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion rollNewVersion(String str) throws NoSuchAlgorithmException, IOException {
        return rollNewVersionInternal(str, null);
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion rollNewVersion(String str, byte[] bArr) throws IOException {
        KMSUtil.checkNotNull(bArr, KMSRESTConstants.MATERIAL_FIELD);
        try {
            return rollNewVersionInternal(str, bArr);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("It should not happen", e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String str) throws IOException, GeneralSecurityException {
        try {
            return this.encKeyVersionQueue.getNext(str);
        } catch (ExecutionException e) {
            if (e.getCause() instanceof SocketTimeoutException) {
                throw ((SocketTimeoutException) e.getCause());
            }
            throw new IOException(e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(), KMSRESTConstants.VERSION_NAME_FIELD);
        KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), KMSRESTConstants.IV_FIELD);
        Preconditions.checkArgument(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName().equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName());
        KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
        Map<String, ?> hashMap = new HashMap<>();
        hashMap.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_DECRYPT);
        HashMap hashMap2 = new HashMap();
        hashMap2.put("name", encryptedKeyVersion.getEncryptionKeyName());
        hashMap2.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(encryptedKeyVersion.getEncryptedKeyIv()));
        hashMap2.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
        HttpURLConnection createConnection = createConnection(createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(), KMSRESTConstants.EEK_SUB_RESOURCE, hashMap), "POST");
        createConnection.setRequestProperty("Content-Type", "application/json");
        return KMSUtil.parseJSONKeyVersion((Map) call(createConnection, hashMap2, 200, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public KeyProviderCryptoExtension.EncryptedKeyVersion reencryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(), KMSRESTConstants.VERSION_NAME_FIELD);
        KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), KMSRESTConstants.IV_FIELD);
        KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
        Preconditions.checkArgument(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName().equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName());
        Map<String, ?> hashMap = new HashMap<>();
        hashMap.put(KMSRESTConstants.EEK_OP, KMSRESTConstants.EEK_REENCRYPT);
        HashMap hashMap2 = new HashMap();
        hashMap2.put("name", encryptedKeyVersion.getEncryptionKeyName());
        hashMap2.put(KMSRESTConstants.IV_FIELD, Base64.encodeBase64String(encryptedKeyVersion.getEncryptedKeyIv()));
        hashMap2.put(KMSRESTConstants.MATERIAL_FIELD, Base64.encodeBase64String(encryptedKeyVersion.getEncryptedKeyVersion().getMaterial()));
        HttpURLConnection createConnection = createConnection(createURL(KMSRESTConstants.KEY_VERSION_RESOURCE, encryptedKeyVersion.getEncryptionKeyVersionName(), KMSRESTConstants.EEK_SUB_RESOURCE, hashMap), "POST");
        createConnection.setRequestProperty("Content-Type", "application/json");
        return KMSUtil.parseJSONEncKeyVersion(encryptedKeyVersion.getEncryptionKeyName(), (Map) call(createConnection, hashMap2, 200, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public void reencryptEncryptedKeys(List<KeyProviderCryptoExtension.EncryptedKeyVersion> list) throws IOException, GeneralSecurityException {
        KMSUtil.checkNotNull(list, "ekvs");
        if (list.isEmpty()) {
            return;
        }
        ArrayList arrayList = new ArrayList();
        String str = null;
        for (KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion : list) {
            KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptionKeyName(), "keyName");
            KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptionKeyVersionName(), KMSRESTConstants.VERSION_NAME_FIELD);
            KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptedKeyIv(), KMSRESTConstants.IV_FIELD);
            KMSUtil.checkNotNull(encryptedKeyVersion.getEncryptedKeyVersion(), "encryptedKey");
            Preconditions.checkArgument(encryptedKeyVersion.getEncryptedKeyVersion().getVersionName().equals(KeyProviderCryptoExtension.EEK), "encryptedKey version name must be '%s', is '%s'", KeyProviderCryptoExtension.EEK, encryptedKeyVersion.getEncryptedKeyVersion().getVersionName());
            if (str == null) {
                str = encryptedKeyVersion.getEncryptionKeyName();
            } else {
                Preconditions.checkArgument(str.equals(encryptedKeyVersion.getEncryptionKeyName()), "All EncryptedKey must have the same key name.");
            }
            arrayList.add(KMSUtil.toJSON(encryptedKeyVersion));
        }
        HttpURLConnection createConnection = createConnection(createURL("key", str, KMSRESTConstants.REENCRYPT_BATCH_SUB_RESOURCE, null), "POST");
        createConnection.setRequestProperty("Content-Type", "application/json");
        List list2 = (List) call(createConnection, arrayList, 200, List.class);
        Preconditions.checkArgument(list2.size() == list.size(), "Response size is different than input size.");
        for (int i = 0; i < list2.size(); i++) {
            list.set(i, KMSUtil.parseJSONEncKeyVersion(str, (Map) list2.get(i)));
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public List<KeyProvider.KeyVersion> getKeyVersions(String str) throws IOException {
        KMSUtil.checkNotEmpty(str, "name");
        List list = (List) call(createConnection(createURL("key", str, KMSRESTConstants.VERSIONS_SUB_RESOURCE, null), "GET"), null, 200, List.class);
        ArrayList arrayList = null;
        if (!list.isEmpty()) {
            arrayList = new ArrayList();
            Iterator it = list.iterator();
            while (it.hasNext()) {
                arrayList.add(KMSUtil.parseJSONKeyVersion((Map) it.next()));
            }
        }
        return arrayList;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.Metadata getMetadata(String str) throws IOException {
        KMSUtil.checkNotEmpty(str, "name");
        return KMSUtil.parseJSONMetadata((Map) call(createConnection(createURL("key", str, KMSRESTConstants.METADATA_SUB_RESOURCE, null), "GET"), null, 200, Map.class));
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public void deleteKey(String str) throws IOException {
        KMSUtil.checkNotEmpty(str, "name");
        call(createConnection(createURL("key", str, null, null), "DELETE"), null, 200, null);
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public void flush() throws IOException {
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public void warmUpEncryptedKeys(String... strArr) throws IOException {
        try {
            this.encKeyVersionQueue.initializeQueuesForKeys(strArr);
        } catch (ExecutionException e) {
            throw new IOException(e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension.CryptoExtension
    public void drain(String str) {
        this.encKeyVersionQueue.drain(str);
    }

    @VisibleForTesting
    public int getEncKeyQueueSize(String str) {
        return this.encKeyVersionQueue.getSize(str);
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.DelegationTokenExtension
    public long renewDelegationToken(Token<?> token) throws IOException {
        try {
            final String doAsUser = getDoAsUser();
            final DelegationTokenAuthenticatedURL.Token generateDelegationToken = generateDelegationToken(token);
            final URL createURL = createURL(null, null, null, null);
            LOG.debug("Renewing delegation token {} with url:{}, as:{}", new Object[]{generateDelegationToken, createURL, doAsUser});
            final DelegationTokenAuthenticatedURL delegationTokenAuthenticatedURL = new DelegationTokenAuthenticatedURL(this.configurator);
            return ((Long) getActualUgi().doAs(new PrivilegedExceptionAction<Long>() { // from class: org.apache.hadoop.crypto.key.kms.KMSClientProvider.2
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Long run() throws Exception {
                    return Long.valueOf(delegationTokenAuthenticatedURL.renewDelegationToken(createURL, generateDelegationToken, doAsUser));
                }
            })).longValue();
        } catch (Exception e) {
            if (e instanceof IOException) {
                throw ((IOException) e);
            }
            throw new IOException(e);
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.DelegationTokenExtension
    public Void cancelDelegationToken(final Token<?> token) throws IOException {
        try {
            final String doAsUser = getDoAsUser();
            final DelegationTokenAuthenticatedURL.Token generateDelegationToken = generateDelegationToken(token);
            return (Void) getActualUgi().doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.KMSClientProvider.3
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws Exception {
                    URL createURL = KMSClientProvider.this.createURL(null, null, null, null);
                    KMSClientProvider.LOG.debug("Cancelling delegation token {} with url:{}, as:{}", new Object[]{token, createURL, doAsUser});
                    new DelegationTokenAuthenticatedURL(KMSClientProvider.this.configurator).cancelDelegationToken(createURL, generateDelegationToken, doAsUser);
                    return null;
                }
            });
        } catch (Exception e) {
            if (e instanceof IOException) {
                throw ((IOException) e);
            }
            throw new IOException(e);
        }
    }

    private String getDoAsUser() throws IOException {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (currentUser.getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.PROXY) {
            return currentUser.getShortUserName();
        }
        return null;
    }

    private DelegationTokenAuthenticatedURL.Token generateDelegationToken(Token<?> token) {
        DelegationTokenAuthenticatedURL.Token token2 = new DelegationTokenAuthenticatedURL.Token();
        token2.setDelegationToken(new Token<>(token.getIdentifier(), token.getPassword(), token.getKind(), token.getService()));
        return token2;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension.DelegationTokenExtension
    public Token<?>[] addDelegationTokens(final String str, Credentials credentials) throws IOException {
        Token<?>[] tokenArr = null;
        if (credentials.getToken(this.dtService) == null) {
            final URL createURL = createURL(null, null, null, null);
            final DelegationTokenAuthenticatedURL delegationTokenAuthenticatedURL = new DelegationTokenAuthenticatedURL(this.configurator);
            try {
                final String doAsUser = getDoAsUser();
                Token<? extends TokenIdentifier> token = (Token) getActualUgi().doAs(new PrivilegedExceptionAction<Token<?>>() { // from class: org.apache.hadoop.crypto.key.kms.KMSClientProvider.4
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Token<?> run() throws Exception {
                        KMSClientProvider.LOG.debug("Getting new token from {}, renewer:{}", createURL, str);
                        return delegationTokenAuthenticatedURL.getDelegationToken(createURL, new DelegationTokenAuthenticatedURL.Token(), str, doAsUser);
                    }
                });
                if (token == null) {
                    throw new IOException("Got NULL as delegation token");
                }
                LOG.debug("New token received: ({})", token);
                credentials.addToken(token.getService(), token);
                tokenArr = new Token[]{token};
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            } catch (Exception e2) {
                if (e2 instanceof IOException) {
                    throw ((IOException) e2);
                }
                throw new IOException(e2);
            }
        }
        return tokenArr;
    }

    private boolean containsKmsDt(UserGroupInformation userGroupInformation) throws IOException {
        Credentials credentials = userGroupInformation.getCredentials();
        if (credentials.getAllTokens().isEmpty()) {
            return false;
        }
        LOG.debug("Searching for token that matches service: {}", this.dtService);
        return credentials.getToken(this.dtService) != null;
    }

    private UserGroupInformation getActualUgi() throws IOException {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        UserGroupInformation.logAllUserInfo(LOG, currentUser);
        UserGroupInformation userGroupInformation = currentUser;
        if (currentUser.getRealUser() != null) {
            userGroupInformation = currentUser.getRealUser();
        }
        if (UserGroupInformation.isSecurityEnabled() && !containsKmsDt(userGroupInformation) && !userGroupInformation.shouldRelogin()) {
            LOG.debug("Using loginUser when Kerberos is enabled but the actual user does not have either KMS Delegation Token or Kerberos Credentials");
            userGroupInformation = UserGroupInformation.getLoginUser();
        }
        return userGroupInformation;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProvider
    public void close() throws IOException {
        try {
            try {
                this.encKeyVersionQueue.shutdown();
                if (this.sslFactory != null) {
                    this.sslFactory.destroy();
                    this.sslFactory = null;
                }
            } catch (Exception e) {
                throw new IOException(e);
            }
        } catch (Throwable th) {
            if (this.sslFactory != null) {
                this.sslFactory.destroy();
                this.sslFactory = null;
            }
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    public String getKMSUrl() {
        return this.kmsUrl.toString();
    }
}
