package org.apache.hadoop.hdfs.server.federation.router.security;

import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.DFSUtil;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.federation.router.FederationUtil;
import org.apache.hadoop.hdfs.server.federation.router.Router;
import org.apache.hadoop.hdfs.server.federation.router.RouterRpcServer;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdfs/server/federation/router/security/RouterSecurityManager.class */
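public class RouterSecurityManager {
    private static final Logger LOG = LoggerFactory.getLogger(RouterSecurityManager.class);

    /**
     * Secret manager used to sign, renew, cancel and verify delegation tokens.
     * It is only created when the configured authentication method is Kerberos;
     * otherwise it stays {@code null} and every token operation is refused.
     */
    private final AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> dtSecretManager;

    /**
     * Creates the router security manager.
     *
     * @param configuration router configuration; the authentication method is
     *        taken from {@link SecurityUtil#getAuthenticationMethod(Configuration)}
     * @throws IOException if Kerberos is configured but no running secret
     *         manager could be created
     */
    public RouterSecurityManager(Configuration configuration) throws IOException {
        if (SecurityUtil.getAuthenticationMethod(configuration)
                == UserGroupInformation.AuthenticationMethod.KERBEROS) {
            this.dtSecretManager = FederationUtil.newSecretManager(configuration);
            if (this.dtSecretManager == null || !this.dtSecretManager.isRunning()) {
                throw new IOException("Failed to create SecretManager");
            }
        } else {
            // Without Kerberos there is nothing to sign tokens with.
            this.dtSecretManager = null;
        }
    }

    /**
     * @return the delegation token secret manager, or {@code null} when the
     *         router is not running with Kerberos authentication
     */
    public AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> getSecretManager() {
        return this.dtSecretManager;
    }

    /** Stops the secret manager's background threads, if one was created. */
    public void stop() {
        LOG.info("Stopping security manager");
        if (this.dtSecretManager != null) {
            this.dtSecretManager.stopThreads();
        }
    }

    /**
     * Returns a running secret manager or fails with a descriptive error, so
     * that token operations on a non-Kerberos router do not surface as a
     * NullPointerException.
     *
     * @param operationName operation being attempted, used in the log and
     *        error message
     * @throws IOException if no secret manager exists or it is not running
     */
    private AbstractDelegationTokenSecretManager<DelegationTokenIdentifier> requireSecretManager(
            String operationName) throws IOException {
        if (this.dtSecretManager == null || !this.dtSecretManager.isRunning()) {
            LOG.warn("trying to {} with no secret manager running", operationName);
            throw new IOException(
                    "Delegation token operation " + operationName + " requires a running secret manager");
        }
        return this.dtSecretManager;
    }

    /** @return the caller of the current RPC, as seen by the router RPC server. */
    private static UserGroupInformation getRemoteUser() throws IOException {
        return RouterRpcServer.getRemoteUser();
    }

    /**
     * Authentication method of the current connection. For proxy users the
     * real (proxying) user's method is what counts, since that is the identity
     * that actually authenticated to the router.
     */
    private UserGroupInformation.AuthenticationMethod getConnectionAuthenticationMethod() throws IOException {
        UserGroupInformation caller = getRemoteUser();
        UserGroupInformation.AuthenticationMethod method = caller.getAuthenticationMethod();
        if (method == UserGroupInformation.AuthenticationMethod.PROXY) {
            method = caller.getRealUser().getAuthenticationMethod();
        }
        return method;
    }

    /**
     * Whether the current connection may issue or renew delegation tokens.
     * Always true when security is disabled; with security enabled only
     * Kerberos, Kerberos-over-SSL and certificate authenticated connections
     * qualify, so a caller that authenticated with an existing delegation token
     * cannot use it to obtain further tokens.
     */
    private boolean isAllowedDelegationTokenOp() throws IOException {
        // Evaluated before the security check so the remote user lookup still
        // happens (and can fail) in insecure mode, as it always has.
        UserGroupInformation.AuthenticationMethod method = getConnectionAuthenticationMethod();
        if (!UserGroupInformation.isSecurityEnabled()) {
            return true;
        }
        switch (method) {
            case KERBEROS:
            case KERBEROS_SSL:
            case CERTIFICATE:
                return true;
            default:
                return false;
        }
    }

    /**
     * Issues a delegation token for the calling user.
     *
     * @param renewer user allowed to renew the token
     * @return the new token, or {@code null} when no secret manager is running
     *         (kept as a null return rather than an exception because
     *         {@link #createCredentials} relies on it)
     * @throws IOException if the connection is not allowed to request tokens
     *         or the remote user cannot be determined
     */
    public Token<DelegationTokenIdentifier> getDelegationToken(Text renewer) throws IOException {
        LOG.debug("Generate delegation token with renewer {}", renewer);
        final String operationName = "getDelegationToken";
        boolean success = false;
        String tokenId = "";
        try {
            if (!isAllowedDelegationTokenOp()) {
                throw new IOException("Delegation Token can be issued only with kerberos or web authentication");
            }
            if (this.dtSecretManager == null || !this.dtSecretManager.isRunning()) {
                LOG.warn("trying to get DT with no secret manager running");
                return null;
            }
            UserGroupInformation caller = getRemoteUser();
            Text owner = new Text(caller.getUserName());
            Text realUser = null;
            if (caller.getRealUser() != null) {
                realUser = new Text(caller.getRealUser().getUserName());
            }
            DelegationTokenIdentifier identifier = new DelegationTokenIdentifier(owner, renewer, realUser);
            // Constructing the Token asks the secret manager to sign (and
            // register) the identifier, which also assigns its sequence number.
            Token<DelegationTokenIdentifier> token = new Token<>(identifier, this.dtSecretManager);
            tokenId = identifier.toStringStable();
            success = true;
            return token;
        } finally {
            // Exactly one audit line per call, for both success and failure.
            logAuditEvent(success, operationName, tokenId);
        }
    }

    /**
     * Renews a delegation token on behalf of the calling user.
     *
     * @param token token to renew
     * @return the new expiry time, as reported by the secret manager
     * @throws SecretManager.InvalidToken if the token is not valid
     * @throws IOException if the connection may not renew tokens, no secret
     *         manager is running, or the caller is not a permitted renewer
     */
    public long renewDelegationToken(Token<DelegationTokenIdentifier> token) throws SecretManager.InvalidToken, IOException {
        LOG.debug("Renew delegation token");
        final String operationName = "renewDelegationToken";
        boolean success = false;
        String tokenId = "";
        try {
            if (!isAllowedDelegationTokenOp()) {
                throw new IOException("Delegation Token can be renewed only with kerberos or web authentication");
            }
            String renewer = getRemoteUser().getShortUserName();
            long expiryTime = requireSecretManager(operationName).renewToken(token, renewer);
            tokenId = DFSUtil.decodeDelegationToken(token).toStringStable();
            success = true;
            return expiryTime;
        } catch (AccessControlException ace) {
            // Refused renewals must still name the token in the audit line;
            // the id is recovered from the token itself.
            tokenId = DFSUtil.decodeDelegationToken(token).toStringStable();
            throw ace;
        } finally {
            logAuditEvent(success, operationName, tokenId);
        }
    }

    /**
     * Cancels a delegation token on behalf of the calling user.
     *
     * @param token token to cancel
     * @throws IOException if no secret manager is running, the token is not
     *         valid, or the caller is not allowed to cancel it
     */
    public void cancelDelegationToken(Token<DelegationTokenIdentifier> token) throws IOException {
        LOG.debug("Cancel delegation token");
        final String operationName = "cancelDelegationToken";
        boolean success = false;
        String tokenId = "";
        try {
            String canceller = getRemoteUser().getUserName();
            LOG.info("Cancel request by {}", canceller);
            DelegationTokenIdentifier identifier =
                    requireSecretManager(operationName).cancelToken(token, canceller);
            tokenId = identifier.toStringStable();
            success = true;
        } catch (AccessControlException ace) {
            // Refused cancellations are audited with the token id as well.
            tokenId = DFSUtil.decodeDelegationToken(token).toStringStable();
            throw ace;
        } finally {
            logAuditEvent(success, operationName, tokenId);
        }
    }

    /**
     * Verifies that {@code password} is the secret manager's signature over
     * {@code identifier}.
     *
     * @param identifier token identifier to check
     * @param password password (signature) presented with the token
     * @throws SecretManager.InvalidToken if the token does not verify, or if
     *         no secret manager exists (no token can be valid then; this method
     *         may only throw {@code InvalidToken}, so it fails closed with it)
     */
    public void verifyToken(DelegationTokenIdentifier identifier, byte[] password) throws SecretManager.InvalidToken {
        if (this.dtSecretManager == null) {
            throw new SecretManager.InvalidToken(
                    "Delegation token verification requires a running secret manager");
        }
        this.dtSecretManager.verifyToken(identifier, password);
    }

    /**
     * Obtains a delegation token through the router RPC server and wraps it in
     * a {@link Credentials} object keyed by the user's short name.
     *
     * @param router router whose RPC server issues the token
     * @param ugi user the credentials are created for
     * @param renewer user allowed to renew the token
     * @return the credentials, or {@code null} if no token could be issued
     * @throws IOException if token creation fails
     */
    public static Credentials createCredentials(Router router, UserGroupInformation ugi, String renewer) throws IOException {
        Token<DelegationTokenIdentifier> token = router.getRpcServer().getDelegationToken(new Text(renewer));
        if (token == null) {
            return null;
        }
        // Stamp the token with the router address so clients send it back here.
        SecurityUtil.setTokenService(token, router.getRpcServerAddress());
        Credentials credentials = new Credentials();
        credentials.addToken(new Text(ugi.getShortUserName()), token);
        return credentials;
    }

    /**
     * Records the outcome of a delegation token operation. Note that this goes
     * to the class logger at DEBUG level, so it is not visible at the default
     * INFO level; a deployment that wants an audit trail of token operations
     * must enable DEBUG for this logger.
     *
     * @param succeeded whether the operation completed
     * @param cmd operation name
     * @param tokenId stable string form of the token id, or empty if unknown
     */
    void logAuditEvent(boolean succeeded, String cmd, String tokenId) throws IOException {
        LOG.debug("Operation:{} Status:{} TokenId:{}", cmd, succeeded, tokenId);
    }
}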
