package org.apache.hadoop.hbase.io.asyncfs;

import java.io.IOException;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.CipherOption;
import org.apache.hadoop.crypto.CipherSuite;
import org.apache.hadoop.crypto.CryptoCodec;
import org.apache.hadoop.crypto.Decryptor;
import org.apache.hadoop.crypto.Encryptor;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.fs.FileEncryptionInfo;
import org.apache.hadoop.hbase.shaded.com.google.protobuf.ByteString;
import org.apache.hadoop.hbase.shaded.com.google.protobuf.CodedOutputStream;
import org.apache.hadoop.hbase.shaded.org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.hbase.shaded.org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hdfs.DFSClient;
import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
import org.apache.hadoop.hdfs.protocol.HdfsFileStatus;
import org.apache.hadoop.hdfs.protocol.datatransfer.InvalidEncryptionKeyException;
import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;
import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferClient;
import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos;
import org.apache.hadoop.hdfs.protocolPB.PBHelperClient;
import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;
import org.apache.hadoop.security.SaslPropertiesResolver;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hbase.thirdparty.com.google.common.base.Charsets;
import org.apache.hbase.thirdparty.com.google.common.base.Throwables;
import org.apache.hbase.thirdparty.com.google.common.collect.ImmutableSet;
import org.apache.hbase.thirdparty.com.google.common.collect.Maps;
import org.apache.hbase.thirdparty.io.netty.buffer.ByteBuf;
import org.apache.hbase.thirdparty.io.netty.buffer.ByteBufOutputStream;
import org.apache.hbase.thirdparty.io.netty.buffer.CompositeByteBuf;
import org.apache.hbase.thirdparty.io.netty.buffer.Unpooled;
import org.apache.hbase.thirdparty.io.netty.channel.Channel;
import org.apache.hbase.thirdparty.io.netty.channel.ChannelDuplexHandler;
import org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerContext;
import org.apache.hbase.thirdparty.io.netty.channel.ChannelOutboundHandlerAdapter;
import org.apache.hbase.thirdparty.io.netty.channel.ChannelPipeline;
import org.apache.hbase.thirdparty.io.netty.channel.ChannelPromise;
import org.apache.hbase.thirdparty.io.netty.channel.SimpleChannelInboundHandler;
import org.apache.hbase.thirdparty.io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import org.apache.hbase.thirdparty.io.netty.handler.codec.MessageToByteEncoder;
import org.apache.hbase.thirdparty.io.netty.handler.codec.protobuf.ProtobufVarint32FrameDecoder;
import org.apache.hbase.thirdparty.io.netty.handler.timeout.IdleState;
import org.apache.hbase.thirdparty.io.netty.handler.timeout.IdleStateEvent;
import org.apache.hbase.thirdparty.io.netty.handler.timeout.IdleStateHandler;
import org.apache.hbase.thirdparty.io.netty.util.concurrent.Promise;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper.class */
public final class FanOutOneBlockAsyncDFSOutputSaslHelper {
    private static final Logger LOG = LoggerFactory.getLogger(FanOutOneBlockAsyncDFSOutputSaslHelper.class);
    private static final String SERVER_NAME = "0";
    private static final String PROTOCOL = "hdfs";
    private static final String MECHANISM = "DIGEST-MD5";
    private static final int SASL_TRANSFER_MAGIC_NUMBER = -559038737;
    private static final String NAME_DELIMITER = " ";
    private static final SaslAdaptor SASL_ADAPTOR;
    private static final TransparentCryptoHelper TRANSPARENT_CRYPTO_HELPER;

    /* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper$DecryptHandler.class */
    private static final class DecryptHandler extends SimpleChannelInboundHandler<ByteBuf> {
        private final Decryptor decryptor;

        public DecryptHandler(CryptoCodec cryptoCodec, byte[] bArr, byte[] bArr2) throws GeneralSecurityException, IOException {
            this.decryptor = cryptoCodec.createDecryptor();
            this.decryptor.init(bArr, Arrays.copyOf(bArr2, bArr2.length));
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.apache.hbase.thirdparty.io.netty.channel.SimpleChannelInboundHandler
        public void channelRead0(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws Exception {
            ByteBuf directBuffer;
            boolean z = false;
            if (byteBuf.nioBufferCount() == 1) {
                directBuffer = byteBuf;
            } else {
                directBuffer = channelHandlerContext.alloc().directBuffer(byteBuf.readableBytes());
                byteBuf.readBytes(directBuffer);
                z = true;
            }
            ByteBuffer nioBuffer = directBuffer.nioBuffer();
            ByteBuf directBuffer2 = channelHandlerContext.alloc().directBuffer(directBuffer.readableBytes());
            this.decryptor.decrypt(nioBuffer, directBuffer2.nioBuffer(0, directBuffer.readableBytes()));
            directBuffer2.writerIndex(directBuffer.readableBytes());
            if (z) {
                directBuffer.release();
            }
            channelHandlerContext.fireChannelRead((Object) directBuffer2);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper$EncryptHandler.class */
    private static final class EncryptHandler extends MessageToByteEncoder<ByteBuf> {
        private final Encryptor encryptor;

        public EncryptHandler(CryptoCodec cryptoCodec, byte[] bArr, byte[] bArr2) throws GeneralSecurityException, IOException {
            this.encryptor = cryptoCodec.createEncryptor();
            this.encryptor.init(bArr, Arrays.copyOf(bArr2, bArr2.length));
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.apache.hbase.thirdparty.io.netty.handler.codec.MessageToByteEncoder
        public ByteBuf allocateBuffer(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, boolean z) throws Exception {
            return z ? channelHandlerContext.alloc().directBuffer(byteBuf.readableBytes()) : channelHandlerContext.alloc().buffer(byteBuf.readableBytes());
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.apache.hbase.thirdparty.io.netty.handler.codec.MessageToByteEncoder
        public void encode(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf, ByteBuf byteBuf2) throws Exception {
            ByteBuf directBuffer;
            boolean z = false;
            if (byteBuf.nioBufferCount() == 1) {
                directBuffer = byteBuf;
            } else {
                directBuffer = channelHandlerContext.alloc().directBuffer(byteBuf.readableBytes());
                byteBuf.readBytes(directBuffer);
                z = true;
            }
            this.encryptor.encrypt(directBuffer.nioBuffer(), byteBuf2.nioBuffer(0, directBuffer.readableBytes()));
            byteBuf2.writerIndex(directBuffer.readableBytes());
            if (z) {
                directBuffer.release();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper$SaslAdaptor.class */
    public interface SaslAdaptor {
        TrustedChannelResolver getTrustedChannelResolver(SaslDataTransferClient saslDataTransferClient);

        SaslPropertiesResolver getSaslPropsResolver(SaslDataTransferClient saslDataTransferClient);

        AtomicBoolean getFallbackToSimpleAuth(SaslDataTransferClient saslDataTransferClient);
    }

    /* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper$SaslClientCallbackHandler.class */
    private static final class SaslClientCallbackHandler implements CallbackHandler {
        private final char[] password;
        private final String userName;

        public SaslClientCallbackHandler(String str, char[] cArr) {
            this.password = cArr;
            this.userName = str;
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            RealmCallback realmCallback = null;
            for (Callback callback : callbackArr) {
                if (!(callback instanceof RealmChoiceCallback)) {
                    if (callback instanceof NameCallback) {
                        nameCallback = (NameCallback) callback;
                    } else if (callback instanceof PasswordCallback) {
                        passwordCallback = (PasswordCallback) callback;
                    } else {
                        if (!(callback instanceof RealmCallback)) {
                            throw new UnsupportedCallbackException(callback, "Unrecognized SASL client callback");
                        }
                        realmCallback = (RealmCallback) callback;
                    }
                }
            }
            if (nameCallback != null) {
                nameCallback.setName(this.userName);
            }
            if (passwordCallback != null) {
                passwordCallback.setPassword(this.password);
            }
            if (realmCallback != null) {
                realmCallback.setText(realmCallback.getDefaultText());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper$SaslNegotiateHandler.class */
    public static final class SaslNegotiateHandler extends ChannelDuplexHandler {
        private final Configuration conf;
        private final Map<String, String> saslProps;
        private final SaslClient saslClient;
        private final int timeoutMs;
        private final Promise<Void> promise;
        private final DFSClient dfsClient;
        private int step = 0;
        static final /* synthetic */ boolean $assertionsDisabled;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper$SaslNegotiateHandler$BuilderPayloadSetter.class */
        public static class BuilderPayloadSetter {
            private static Method setPayloadMethod;
            private static Constructor<?> constructor;

            private BuilderPayloadSetter() {
            }

            static void wrapAndSetPayload(DataTransferProtos.DataTransferEncryptorMessageProto.Builder builder, byte[] bArr) throws IOException {
                try {
                    setPayloadMethod.invoke(builder, constructor.getDeclaringClass().cast(constructor.newInstance(bArr)));
                } catch (IllegalAccessException | InstantiationException e) {
                    throw new RuntimeException(e);
                } catch (InvocationTargetException e2) {
                    Throwables.propagateIfPossible(e2.getTargetException(), IOException.class);
                    throw new RuntimeException(e2.getTargetException());
                }
            }

            static {
                Class<?> cls;
                Class<?> cls2 = ByteString.class;
                try {
                    cls2 = Class.forName("org.apache.hadoop.thirdparty.protobuf.ByteString");
                    FanOutOneBlockAsyncDFSOutputSaslHelper.LOG.debug("Found relocated ByteString class from hadoop-thirdparty. Assuming this is Hadoop 3.3.0+.");
                } catch (ClassNotFoundException e) {
                    FanOutOneBlockAsyncDFSOutputSaslHelper.LOG.debug("Did not find relocated ByteString class from hadoop-thirdparty. Assuming this is below Hadoop 3.3.0", e);
                }
                try {
                    cls = Class.forName("org.apache.hadoop.thirdparty.protobuf.ByteString$LiteralByteString");
                    FanOutOneBlockAsyncDFSOutputSaslHelper.LOG.debug("Shaded LiteralByteString from hadoop-thirdparty is found.");
                } catch (ClassNotFoundException e2) {
                    try {
                        cls = Class.forName("org.apache.hadoop.hbase.shaded.com.google.protobuf.LiteralByteString");
                        FanOutOneBlockAsyncDFSOutputSaslHelper.LOG.debug("org.apache.hadoop.hbase.shaded.com.google.protobuf.LiteralByteString found.");
                    } catch (ClassNotFoundException e3) {
                        throw new RuntimeException(e3);
                    }
                }
                try {
                    constructor = cls.getDeclaredConstructor(byte[].class);
                    constructor.setAccessible(true);
                    try {
                        setPayloadMethod = DataTransferProtos.DataTransferEncryptorMessageProto.Builder.class.getMethod("setPayload", cls2);
                    } catch (NoSuchMethodException e4) {
                        throw new RuntimeException(e4);
                    }
                } catch (NoSuchMethodException e5) {
                    throw new RuntimeException(e5);
                }
            }
        }

        public SaslNegotiateHandler(Configuration configuration, String str, char[] cArr, Map<String, String> map, int i, Promise<Void> promise, DFSClient dFSClient) throws SaslException {
            this.conf = configuration;
            this.saslProps = map;
            this.saslClient = Sasl.createSaslClient(new String[]{FanOutOneBlockAsyncDFSOutputSaslHelper.MECHANISM}, str, FanOutOneBlockAsyncDFSOutputSaslHelper.PROTOCOL, "0", map, new SaslClientCallbackHandler(str, cArr));
            this.timeoutMs = i;
            this.promise = promise;
            this.dfsClient = dFSClient;
        }

        private void sendSaslMessage(ChannelHandlerContext channelHandlerContext, byte[] bArr) throws IOException {
            sendSaslMessage(channelHandlerContext, bArr, null);
        }

        private List<CipherOption> getCipherOptions() throws IOException {
            String str = this.conf.get("dfs.encrypt.data.transfer.cipher.suites");
            if (StringUtils.isBlank(str)) {
                return null;
            }
            if (str.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
                return Collections.singletonList(new CipherOption(CipherSuite.AES_CTR_NOPADDING));
            }
            throw new IOException(String.format("Invalid cipher suite, %s=%s", "dfs.encrypt.data.transfer.cipher.suites", str));
        }

        private void sendSaslMessage(ChannelHandlerContext channelHandlerContext, byte[] bArr, List<CipherOption> list) throws IOException {
            DataTransferProtos.DataTransferEncryptorMessageProto.Builder newBuilder = DataTransferProtos.DataTransferEncryptorMessageProto.newBuilder();
            newBuilder.setStatus(DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.SUCCESS);
            if (bArr != null) {
                BuilderPayloadSetter.wrapAndSetPayload(newBuilder, bArr);
            }
            if (list != null) {
                newBuilder.addAllCipherOption(PBHelperClient.convertCipherOptions(list));
            }
            DataTransferProtos.DataTransferEncryptorMessageProto build = newBuilder.build();
            int serializedSize = build.getSerializedSize();
            ByteBuf buffer = channelHandlerContext.alloc().buffer(serializedSize + CodedOutputStream.computeRawVarint32Size(serializedSize));
            build.writeDelimitedTo(new ByteBufOutputStream(buffer));
            channelHandlerContext.write(buffer);
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelHandler
        public void handlerAdded(ChannelHandlerContext channelHandlerContext) throws Exception {
            channelHandlerContext.write(channelHandlerContext.alloc().buffer(4).writeInt(FanOutOneBlockAsyncDFSOutputSaslHelper.SASL_TRANSFER_MAGIC_NUMBER));
            sendSaslMessage(channelHandlerContext, new byte[0]);
            channelHandlerContext.flush();
            this.step++;
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandler
        public void channelInactive(ChannelHandlerContext channelHandlerContext) throws Exception {
            this.saslClient.dispose();
        }

        private void check(DataTransferProtos.DataTransferEncryptorMessageProto dataTransferEncryptorMessageProto) throws IOException {
            if (dataTransferEncryptorMessageProto.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
                this.dfsClient.clearDataEncryptionKey();
                throw new InvalidEncryptionKeyException(dataTransferEncryptorMessageProto.getMessage());
            }
            if (dataTransferEncryptorMessageProto.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR) {
                throw new IOException(dataTransferEncryptorMessageProto.getMessage());
            }
        }

        private String getNegotiatedQop() {
            return (String) this.saslClient.getNegotiatedProperty("javax.security.sasl.qop");
        }

        private boolean isNegotiatedQopPrivacy() {
            String negotiatedQop = getNegotiatedQop();
            return negotiatedQop != null && "auth-conf".equalsIgnoreCase(negotiatedQop);
        }

        private boolean requestedQopContainsPrivacy() {
            return ImmutableSet.copyOf((Collection) Arrays.asList(this.saslProps.get("javax.security.sasl.qop").split(","))).contains("auth-conf");
        }

        private void checkSaslComplete() throws IOException {
            if (!this.saslClient.isComplete()) {
                throw new IOException("Failed to complete SASL handshake");
            }
            ImmutableSet copyOf = ImmutableSet.copyOf((Collection) Arrays.asList(this.saslProps.get("javax.security.sasl.qop").split(",")));
            String negotiatedQop = getNegotiatedQop();
            FanOutOneBlockAsyncDFSOutputSaslHelper.LOG.debug("Verifying QOP, requested QOP = " + copyOf + ", negotiated QOP = " + negotiatedQop);
            if (!copyOf.contains(negotiatedQop)) {
                throw new IOException(String.format("SASL handshake completed, but channel does not have acceptable quality of protection, requested = %s, negotiated = %s", copyOf, negotiatedQop));
            }
        }

        private boolean useWrap() {
            String str = (String) this.saslClient.getNegotiatedProperty("javax.security.sasl.qop");
            return (str == null || "auth".equalsIgnoreCase(str)) ? false : true;
        }

        private CipherOption unwrap(CipherOption cipherOption, SaslClient saslClient) throws IOException {
            byte[] inKey = cipherOption.getInKey();
            if (inKey != null) {
                inKey = saslClient.unwrap(inKey, 0, inKey.length);
            }
            byte[] outKey = cipherOption.getOutKey();
            if (outKey != null) {
                outKey = saslClient.unwrap(outKey, 0, outKey.length);
            }
            return new CipherOption(cipherOption.getCipherSuite(), inKey, cipherOption.getInIv(), outKey, cipherOption.getOutIv());
        }

        private CipherOption getCipherOption(DataTransferProtos.DataTransferEncryptorMessageProto dataTransferEncryptorMessageProto, boolean z, SaslClient saslClient) throws IOException {
            List convertCipherOptionProtos = PBHelperClient.convertCipherOptionProtos(dataTransferEncryptorMessageProto.getCipherOptionList());
            if (convertCipherOptionProtos == null || convertCipherOptionProtos.isEmpty()) {
                return null;
            }
            CipherOption cipherOption = (CipherOption) convertCipherOptionProtos.get(0);
            return z ? unwrap(cipherOption, saslClient) : cipherOption;
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandler
        public void channelRead(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
            if (!(obj instanceof DataTransferProtos.DataTransferEncryptorMessageProto)) {
                channelHandlerContext.fireChannelRead(obj);
                return;
            }
            DataTransferProtos.DataTransferEncryptorMessageProto dataTransferEncryptorMessageProto = (DataTransferProtos.DataTransferEncryptorMessageProto) obj;
            check(dataTransferEncryptorMessageProto);
            byte[] evaluateChallenge = this.saslClient.evaluateChallenge(dataTransferEncryptorMessageProto.getPayload().toByteArray());
            switch (this.step) {
                case 1:
                    List<CipherOption> list = null;
                    if (requestedQopContainsPrivacy()) {
                        list = getCipherOptions();
                    }
                    sendSaslMessage(channelHandlerContext, evaluateChallenge, list);
                    channelHandlerContext.flush();
                    this.step++;
                    return;
                case 2:
                    if (!$assertionsDisabled && evaluateChallenge != null) {
                        throw new AssertionError();
                    }
                    checkSaslComplete();
                    CipherOption cipherOption = getCipherOption(dataTransferEncryptorMessageProto, isNegotiatedQopPrivacy(), this.saslClient);
                    ChannelPipeline pipeline = channelHandlerContext.pipeline();
                    while (pipeline.first() != null) {
                        pipeline.removeFirst();
                    }
                    if (cipherOption != null) {
                        CryptoCodec cryptoCodec = CryptoCodec.getInstance(this.conf, cipherOption.getCipherSuite());
                        pipeline.addLast(new EncryptHandler(cryptoCodec, cipherOption.getInKey(), cipherOption.getInIv()), new DecryptHandler(cryptoCodec, cipherOption.getOutKey(), cipherOption.getOutIv()));
                    } else if (useWrap()) {
                        pipeline.addLast(new SaslWrapHandler(this.saslClient), new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4), new SaslUnwrapHandler(this.saslClient));
                    }
                    this.promise.trySuccess(null);
                    return;
                default:
                    throw new IllegalArgumentException("Unrecognized negotiation step: " + this.step);
            }
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelHandler, org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandler
        public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
            this.promise.tryFailure(th);
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandler
        public void userEventTriggered(ChannelHandlerContext channelHandlerContext, Object obj) throws Exception {
            if ((obj instanceof IdleStateEvent) && ((IdleStateEvent) obj).state() == IdleState.READER_IDLE) {
                this.promise.tryFailure(new IOException("Timeout(" + this.timeoutMs + "ms) waiting for response"));
            } else {
                super.userEventTriggered(channelHandlerContext, obj);
            }
        }

        static {
            $assertionsDisabled = !FanOutOneBlockAsyncDFSOutputSaslHelper.class.desiredAssertionStatus();
        }
    }

    /* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper$SaslUnwrapHandler.class */
    private static final class SaslUnwrapHandler extends SimpleChannelInboundHandler<ByteBuf> {
        private final SaslClient saslClient;

        public SaslUnwrapHandler(SaslClient saslClient) {
            this.saslClient = saslClient;
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandler
        public void channelInactive(ChannelHandlerContext channelHandlerContext) throws Exception {
            this.saslClient.dispose();
        }

        /* JADX INFO: Access modifiers changed from: protected */
        @Override // org.apache.hbase.thirdparty.io.netty.channel.SimpleChannelInboundHandler
        public void channelRead0(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws Exception {
            byteBuf.skipBytes(4);
            byte[] bArr = new byte[byteBuf.readableBytes()];
            byteBuf.readBytes(bArr);
            channelHandlerContext.fireChannelRead((Object) Unpooled.wrappedBuffer(this.saslClient.unwrap(bArr, 0, bArr.length)));
        }
    }

    /* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper$SaslWrapHandler.class */
    private static final class SaslWrapHandler extends ChannelOutboundHandlerAdapter {
        private final SaslClient saslClient;
        private CompositeByteBuf cBuf;

        public SaslWrapHandler(SaslClient saslClient) {
            this.saslClient = saslClient;
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelHandler
        public void handlerAdded(ChannelHandlerContext channelHandlerContext) throws Exception {
            this.cBuf = new CompositeByteBuf(channelHandlerContext.alloc(), false, Integer.MAX_VALUE);
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelOutboundHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelOutboundHandler
        public void write(ChannelHandlerContext channelHandlerContext, Object obj, ChannelPromise channelPromise) throws Exception {
            if (!(obj instanceof ByteBuf)) {
                channelHandlerContext.write(obj);
                return;
            }
            ByteBuf byteBuf = (ByteBuf) obj;
            this.cBuf.addComponent(byteBuf);
            this.cBuf.writerIndex(this.cBuf.writerIndex() + byteBuf.readableBytes());
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelOutboundHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelOutboundHandler
        public void flush(ChannelHandlerContext channelHandlerContext) throws Exception {
            if (this.cBuf.isReadable()) {
                byte[] bArr = new byte[this.cBuf.readableBytes()];
                this.cBuf.readBytes(bArr);
                this.cBuf.discardReadComponents();
                byte[] wrap = this.saslClient.wrap(bArr, 0, bArr.length);
                ByteBuf ioBuffer = channelHandlerContext.alloc().ioBuffer(4 + wrap.length);
                ioBuffer.writeInt(wrap.length);
                ioBuffer.writeBytes(wrap);
                channelHandlerContext.write(ioBuffer);
            }
            channelHandlerContext.flush();
        }

        @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelHandler
        public void handlerRemoved(ChannelHandlerContext channelHandlerContext) throws Exception {
            this.cBuf.release();
            this.cBuf = null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hbase/io/asyncfs/FanOutOneBlockAsyncDFSOutputSaslHelper$TransparentCryptoHelper.class */
    public interface TransparentCryptoHelper {
        Encryptor createEncryptor(Configuration configuration, FileEncryptionInfo fileEncryptionInfo, DFSClient dFSClient) throws IOException;
    }

    private FanOutOneBlockAsyncDFSOutputSaslHelper() {
    }

    private static SaslAdaptor createSaslAdaptor() throws NoSuchFieldException, NoSuchMethodException {
        final Field declaredField = SaslDataTransferClient.class.getDeclaredField("saslPropsResolver");
        declaredField.setAccessible(true);
        final Field declaredField2 = SaslDataTransferClient.class.getDeclaredField("trustedChannelResolver");
        declaredField2.setAccessible(true);
        final Field declaredField3 = SaslDataTransferClient.class.getDeclaredField("fallbackToSimpleAuth");
        declaredField3.setAccessible(true);
        return new SaslAdaptor() { // from class: org.apache.hadoop.hbase.io.asyncfs.FanOutOneBlockAsyncDFSOutputSaslHelper.1
            @Override // org.apache.hadoop.hbase.io.asyncfs.FanOutOneBlockAsyncDFSOutputSaslHelper.SaslAdaptor
            public TrustedChannelResolver getTrustedChannelResolver(SaslDataTransferClient saslDataTransferClient) {
                try {
                    return (TrustedChannelResolver) declaredField2.get(saslDataTransferClient);
                } catch (IllegalAccessException e) {
                    throw new RuntimeException(e);
                }
            }

            @Override // org.apache.hadoop.hbase.io.asyncfs.FanOutOneBlockAsyncDFSOutputSaslHelper.SaslAdaptor
            public SaslPropertiesResolver getSaslPropsResolver(SaslDataTransferClient saslDataTransferClient) {
                try {
                    return (SaslPropertiesResolver) declaredField.get(saslDataTransferClient);
                } catch (IllegalAccessException e) {
                    throw new RuntimeException(e);
                }
            }

            @Override // org.apache.hadoop.hbase.io.asyncfs.FanOutOneBlockAsyncDFSOutputSaslHelper.SaslAdaptor
            public AtomicBoolean getFallbackToSimpleAuth(SaslDataTransferClient saslDataTransferClient) {
                try {
                    return (AtomicBoolean) declaredField3.get(saslDataTransferClient);
                } catch (IllegalAccessException e) {
                    throw new RuntimeException(e);
                }
            }
        };
    }

    private static TransparentCryptoHelper createTransparentCryptoHelperWithoutHDFS12396() throws NoSuchMethodException {
        final Method declaredMethod = DFSClient.class.getDeclaredMethod("decryptEncryptedDataEncryptionKey", FileEncryptionInfo.class);
        declaredMethod.setAccessible(true);
        return new TransparentCryptoHelper() { // from class: org.apache.hadoop.hbase.io.asyncfs.FanOutOneBlockAsyncDFSOutputSaslHelper.2
            @Override // org.apache.hadoop.hbase.io.asyncfs.FanOutOneBlockAsyncDFSOutputSaslHelper.TransparentCryptoHelper
            public Encryptor createEncryptor(Configuration configuration, FileEncryptionInfo fileEncryptionInfo, DFSClient dFSClient) throws IOException {
                try {
                    KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) declaredMethod.invoke(dFSClient, fileEncryptionInfo);
                    Encryptor createEncryptor = CryptoCodec.getInstance(configuration, fileEncryptionInfo.getCipherSuite()).createEncryptor();
                    createEncryptor.init(keyVersion.getMaterial(), fileEncryptionInfo.getIV());
                    return createEncryptor;
                } catch (IllegalAccessException e) {
                    throw new RuntimeException(e);
                } catch (InvocationTargetException e2) {
                    Throwables.propagateIfPossible(e2.getTargetException(), IOException.class);
                    throw new RuntimeException(e2.getTargetException());
                } catch (GeneralSecurityException e3) {
                    throw new IOException(e3);
                }
            }
        };
    }

    private static TransparentCryptoHelper createTransparentCryptoHelperWithHDFS12396() throws ClassNotFoundException, NoSuchMethodException {
        final Method declaredMethod = Class.forName("org.apache.hadoop.hdfs.HdfsKMSUtil").getDeclaredMethod("decryptEncryptedDataEncryptionKey", FileEncryptionInfo.class, KeyProvider.class);
        declaredMethod.setAccessible(true);
        return new TransparentCryptoHelper() { // from class: org.apache.hadoop.hbase.io.asyncfs.FanOutOneBlockAsyncDFSOutputSaslHelper.3
            @Override // org.apache.hadoop.hbase.io.asyncfs.FanOutOneBlockAsyncDFSOutputSaslHelper.TransparentCryptoHelper
            public Encryptor createEncryptor(Configuration configuration, FileEncryptionInfo fileEncryptionInfo, DFSClient dFSClient) throws IOException {
                try {
                    KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) declaredMethod.invoke(null, fileEncryptionInfo, dFSClient.getKeyProvider());
                    Encryptor createEncryptor = CryptoCodec.getInstance(configuration, fileEncryptionInfo.getCipherSuite()).createEncryptor();
                    createEncryptor.init(keyVersion.getMaterial(), fileEncryptionInfo.getIV());
                    return createEncryptor;
                } catch (IllegalAccessException e) {
                    throw new RuntimeException(e);
                } catch (InvocationTargetException e2) {
                    Throwables.propagateIfPossible(e2.getTargetException(), IOException.class);
                    throw new RuntimeException(e2.getTargetException());
                } catch (GeneralSecurityException e3) {
                    throw new IOException(e3);
                }
            }
        };
    }

    private static TransparentCryptoHelper createTransparentCryptoHelper() throws NoSuchMethodException, ClassNotFoundException {
        try {
            return createTransparentCryptoHelperWithoutHDFS12396();
        } catch (NoSuchMethodException e) {
            LOG.debug("No decryptEncryptedDataEncryptionKey method in DFSClient, should be hadoop version with HDFS-12396", e);
            return createTransparentCryptoHelperWithHDFS12396();
        }
    }

    private static String getUserNameFromEncryptionKey(DataEncryptionKey dataEncryptionKey) {
        return dataEncryptionKey.keyId + " " + dataEncryptionKey.blockPoolId + " " + new String(Base64.encodeBase64(dataEncryptionKey.nonce, false), Charsets.UTF_8);
    }

    private static char[] encryptionKeyToPassword(byte[] bArr) {
        return new String(Base64.encodeBase64(bArr, false), Charsets.UTF_8).toCharArray();
    }

    private static String buildUsername(Token<BlockTokenIdentifier> token) {
        return new String(Base64.encodeBase64(token.getIdentifier(), false), Charsets.UTF_8);
    }

    private static char[] buildClientPassword(Token<BlockTokenIdentifier> token) {
        return new String(Base64.encodeBase64(token.getPassword(), false), Charsets.UTF_8).toCharArray();
    }

    private static Map<String, String> createSaslPropertiesForEncryption(String str) {
        HashMap newHashMapWithExpectedSize = Maps.newHashMapWithExpectedSize(3);
        newHashMapWithExpectedSize.put("javax.security.sasl.qop", SaslRpcServer.QualityOfProtection.PRIVACY.getSaslQop());
        newHashMapWithExpectedSize.put("javax.security.sasl.server.authentication", "true");
        newHashMapWithExpectedSize.put("com.sun.security.sasl.digest.cipher", str);
        return newHashMapWithExpectedSize;
    }

    private static void doSaslNegotiation(Configuration configuration, Channel channel, int i, String str, char[] cArr, Map<String, String> map, Promise<Void> promise, DFSClient dFSClient) {
        try {
            channel.pipeline().addLast(new IdleStateHandler(i, 0L, 0L, TimeUnit.MILLISECONDS), new ProtobufVarint32FrameDecoder(), new ProtobufDecoder(DataTransferProtos.DataTransferEncryptorMessageProto.getDefaultInstance()), new SaslNegotiateHandler(configuration, str, cArr, map, i, promise, dFSClient));
        } catch (SaslException e) {
            promise.tryFailure(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static void trySaslNegotiate(Configuration configuration, Channel channel, DatanodeInfo datanodeInfo, int i, DFSClient dFSClient, Token<BlockTokenIdentifier> token, Promise<Void> promise) throws IOException {
        SaslDataTransferClient saslDataTransferClient = dFSClient.getSaslDataTransferClient();
        SaslPropertiesResolver saslPropsResolver = SASL_ADAPTOR.getSaslPropsResolver(saslDataTransferClient);
        TrustedChannelResolver trustedChannelResolver = SASL_ADAPTOR.getTrustedChannelResolver(saslDataTransferClient);
        AtomicBoolean fallbackToSimpleAuth = SASL_ADAPTOR.getFallbackToSimpleAuth(saslDataTransferClient);
        InetAddress address = ((InetSocketAddress) channel.remoteAddress()).getAddress();
        if (trustedChannelResolver.isTrusted() || trustedChannelResolver.isTrusted(address)) {
            promise.trySuccess(null);
            return;
        }
        DataEncryptionKey newDataEncryptionKey = dFSClient.newDataEncryptionKey();
        if (newDataEncryptionKey != null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SASL client doing encrypted handshake for addr = " + address + ", datanodeId = " + datanodeInfo);
            }
            doSaslNegotiation(configuration, channel, i, getUserNameFromEncryptionKey(newDataEncryptionKey), encryptionKeyToPassword(newDataEncryptionKey.encryptionKey), createSaslPropertiesForEncryption(newDataEncryptionKey.encryptionAlgorithm), promise, dFSClient);
            return;
        }
        if (!UserGroupInformation.isSecurityEnabled()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SASL client skipping handshake in unsecured configuration for addr = " + address + ", datanodeId = " + datanodeInfo);
            }
            promise.trySuccess(null);
            return;
        }
        if (datanodeInfo.getXferPort() < 1024) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SASL client skipping handshake in secured configuration with privileged port for addr = " + address + ", datanodeId = " + datanodeInfo);
            }
            promise.trySuccess(null);
        } else if (fallbackToSimpleAuth != null && fallbackToSimpleAuth.get()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SASL client skipping handshake in secured configuration with unsecured cluster for addr = " + address + ", datanodeId = " + datanodeInfo);
            }
            promise.trySuccess(null);
        } else if (saslPropsResolver != null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SASL client doing general handshake for addr = " + address + ", datanodeId = " + datanodeInfo);
            }
            doSaslNegotiation(configuration, channel, i, buildUsername(token), buildClientPassword(token), saslPropsResolver.getClientProperties(address), promise, dFSClient);
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("SASL client skipping handshake in secured configuration with no SASL protection configured for addr = " + address + ", datanodeId = " + datanodeInfo);
            }
            promise.trySuccess(null);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Encryptor createEncryptor(Configuration configuration, HdfsFileStatus hdfsFileStatus, DFSClient dFSClient) throws IOException {
        FileEncryptionInfo fileEncryptionInfo = hdfsFileStatus.getFileEncryptionInfo();
        if (fileEncryptionInfo == null) {
            return null;
        }
        return TRANSPARENT_CRYPTO_HELPER.createEncryptor(configuration, fileEncryptionInfo, dFSClient);
    }

    static {
        try {
            SASL_ADAPTOR = createSaslAdaptor();
            TRANSPARENT_CRYPTO_HELPER = createTransparentCryptoHelper();
        } catch (Exception e) {
            LOG.error("Couldn't properly initialize access to HDFS internals. Please update your WAL Provider to not make use of the 'asyncfs' provider. See HBASE-16110 for more information.", e);
            throw new Error("Couldn't properly initialize access to HDFS internals. Please update your WAL Provider to not make use of the 'asyncfs' provider. See HBASE-16110 for more information.", e);
        }
    }
}
