package org.apache.hadoop.hdfs.security.token.block;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.hdfs.protocol.ExtendedBlock;
import org.apache.hadoop.io.WritableUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;

/* JADX WARN: Classes with same name are omitted:
  input_file:classes/org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.class
  input_file:hadoop-hdfs-0.23.4/share/hadoop/hdfs/hadoop-hdfs-0.23.4.jar:org/apache/hadoop/hdfs/security/token/block/BlockTokenSecretManager.class
 */
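/**
 * Issues and verifies block access tokens, and maintains the rolling set of
 * {@link BlockKey}s used to compute token passwords.
 *
 * <p>An instance runs in one of two modes, fixed at construction time:
 * <ul>
 *   <li><b>master</b>: generates keys locally ({@link #generateKeys()},
 *       {@link #updateKeys()}) and hands them out via {@link #exportKeys()};</li>
 *   <li><b>non-master</b>: never generates keys and only accepts them through
 *       {@link #setKeys(ExportedBlockKeys)}.</li>
 * </ul>
 *
 * <p>Access to {@code currentKey}, {@code nextKey}, {@code serialNo} and
 * {@code allKeys} is guarded by the instance monitor.
 *
 * <p>This listing is decompiler output (JADX) of the class shipped in
 * hadoop-hdfs-0.23.4.jar; parameter names and some access modifiers are the
 * decompiler's, not the original author's.
 */
@InterfaceAudience.Private
public class BlockTokenSecretManager extends SecretManager<BlockTokenIdentifier> {
    public static final Log LOG = LogFactory.getLog(BlockTokenSecretManager.class);
    public static final Token<BlockTokenIdentifier> DUMMY_TOKEN = new Token<>();
    private final boolean isMaster;
    private final long keyUpdateInterval;
    private volatile long tokenLifetime;
    private BlockKey currentKey;
    private BlockKey nextKey;
    // Key ids start from a random point and are incremented for every new key.
    private int serialNo = new SecureRandom().nextInt();
    // Every key that may still be needed to verify an outstanding token, by key id.
    private final Map<Integer, BlockKey> allKeys = new HashMap<>();

    /** Operations a block token can authorise. */
    public enum AccessMode {
        READ,
        WRITE,
        COPY,
        REPLACE
    }

    /**
     * Creates a secret manager and, in master mode, generates the first two keys.
     *
     * @param z  {@code true} for master mode (keys are generated locally)
     * @param j  key update interval, in milliseconds
     * @param j2 token lifetime, in milliseconds
     * @throws IOException declared by the signature; nothing in this body throws it
     */
    public BlockTokenSecretManager(boolean z, long j, long j2) throws IOException {
        this.isMaster = z;
        this.keyUpdateInterval = j;
        this.tokenLifetime = j2;
        generateKeys();
    }

    /**
     * Creates the initial current and next keys. Does nothing on a non-master.
     *
     * <p>Key expiry is padded with the token lifetime so that a key stays
     * available for as long as a token signed with it can still be valid.
     */
    private synchronized void generateKeys() {
        if (!this.isMaster) {
            return;
        }
        this.serialNo++;
        this.currentKey = new BlockKey(this.serialNo, System.currentTimeMillis() + (2 * this.keyUpdateInterval) + this.tokenLifetime, generateSecret());
        this.serialNo++;
        this.nextKey = new BlockKey(this.serialNo, System.currentTimeMillis() + (3 * this.keyUpdateInterval) + this.tokenLifetime, generateSecret());
        this.allKeys.put(this.currentKey.getKeyId(), this.currentKey);
        this.allKeys.put(this.nextKey.getKeyId(), this.nextKey);
    }

    /**
     * Packages the current key set for distribution.
     *
     * <p>The returned object carries the key material itself, so it must only
     * travel over channels and to peers that are trusted with it.
     *
     * @return the exported keys, or {@code null} when this instance is not the master
     */
    public synchronized ExportedBlockKeys exportKeys() {
        if (!this.isMaster) {
            return null;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Exporting access keys");
        }
        return new ExportedBlockKeys(true, this.keyUpdateInterval, this.tokenLifetime, this.currentKey, this.allKeys.values().toArray(new BlockKey[0]));
    }

    /** Drops every key whose expiry date lies before the current time. */
    private synchronized void removeExpiredKeys() {
        long currentTimeMillis = System.currentTimeMillis();
        Iterator<Map.Entry<Integer, BlockKey>> it = this.allKeys.entrySet().iterator();
        while (it.hasNext()) {
            if (it.next().getValue().getExpiryDate() < currentTimeMillis) {
                it.remove();
            }
        }
    }

    /**
     * Installs keys received from elsewhere. Ignored on the master and for a
     * {@code null} argument.
     *
     * <p>The keys are accepted as given: nothing here authenticates their
     * origin, so that has to be guaranteed by the caller.
     *
     * @param exportedBlockKeys keys to install; {@code null} entries in its key array are skipped
     * @throws IOException declared by the signature; nothing in this body throws it
     */
    public synchronized void setKeys(ExportedBlockKeys exportedBlockKeys) throws IOException {
        if (this.isMaster || exportedBlockKeys == null) {
            return;
        }
        LOG.info("Setting block keys");
        removeExpiredKeys();
        this.currentKey = exportedBlockKeys.getCurrentKey();
        for (BlockKey receivedKey : exportedBlockKeys.getAllKeys()) {
            if (receivedKey != null) {
                this.allKeys.put(receivedKey.getKeyId(), receivedKey);
            }
        }
    }

    /**
     * Rolls the keys if more than one update interval has elapsed.
     *
     * @param j time elapsed since the last update, in milliseconds
     * @return {@code true} if the keys were rolled
     * @throws IOException propagated from {@link #updateKeys()}
     */
    public boolean updateKeys(long j) throws IOException {
        if (j > this.keyUpdateInterval) {
            return updateKeys();
        }
        return false;
    }

    /**
     * Rolls the keys: the current key is kept for verification only, the next
     * key becomes current, and a fresh next key is generated. No-op on a
     * non-master.
     *
     * <p>The decompiler reports the original access as package-private.
     *
     * @return {@code true} if the keys were rolled, {@code false} on a non-master
     * @throws IOException declared by the signature; nothing in this body throws it
     */
    public synchronized boolean updateKeys() throws IOException {
        if (!this.isMaster) {
            return false;
        }
        LOG.info("Updating block keys");
        removeExpiredKeys();
        // Re-register the outgoing key under the same id with a shortened expiry.
        this.allKeys.put(this.currentKey.getKeyId(), new BlockKey(this.currentKey.getKeyId(), System.currentTimeMillis() + this.keyUpdateInterval + this.tokenLifetime, this.currentKey.getKey()));
        // Promote the pre-announced next key to current.
        this.currentKey = new BlockKey(this.nextKey.getKeyId(), System.currentTimeMillis() + (2 * this.keyUpdateInterval) + this.tokenLifetime, this.nextKey.getKey());
        this.allKeys.put(this.currentKey.getKeyId(), this.currentKey);
        // Generate the key that will become current at the following roll.
        this.serialNo++;
        this.nextKey = new BlockKey(this.serialNo, System.currentTimeMillis() + (3 * this.keyUpdateInterval) + this.tokenLifetime, generateSecret());
        this.allKeys.put(this.nextKey.getKeyId(), this.nextKey);
        return true;
    }

    /**
     * Generates a token for the current user, or for a {@code null} user id
     * when no current user is available.
     *
     * @param extendedBlock block the token applies to
     * @param enumSet       access modes granted by the token
     * @return the new token
     * @throws IOException if the current user cannot be determined
     */
    public Token<BlockTokenIdentifier> generateToken(ExtendedBlock extendedBlock, EnumSet<AccessMode> enumSet) throws IOException {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        String userId = currentUser == null ? null : currentUser.getShortUserName();
        return generateToken(userId, extendedBlock, enumSet);
    }

    /**
     * Generates a token for the given user, block and access modes.
     *
     * @param str           user id recorded in the token; may be {@code null}
     * @param extendedBlock block the token applies to
     * @param enumSet       access modes granted by the token
     * @return the new token
     * @throws IOException declared by the signature
     */
    public Token<BlockTokenIdentifier> generateToken(String str, ExtendedBlock extendedBlock, EnumSet<AccessMode> enumSet) throws IOException {
        return new Token<>(new BlockTokenIdentifier(str, extendedBlock.getBlockPoolId(), extendedBlock.getBlockId(), enumSet), this);
    }

    /**
     * Checks that an identifier authorises the requested access.
     *
     * <p>This overload inspects the identifier's fields only and does not
     * verify any password, so on its own it proves nothing about who produced
     * the identifier. Use the {@link Token} overload for tokens received from
     * a peer.
     *
     * @param blockTokenIdentifier identifier to check
     * @param str                  expected user id; the user check is skipped when {@code null}
     * @param extendedBlock        block being accessed
     * @param accessMode           access mode being requested
     * @throws SecretManager.InvalidToken if the user, block pool, block id, expiry or access mode does not match
     */
    public void checkAccess(BlockTokenIdentifier blockTokenIdentifier, String str, ExtendedBlock extendedBlock, AccessMode accessMode) throws SecretManager.InvalidToken {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Checking access for user=" + str + ", block=" + extendedBlock + ", access mode=" + accessMode + " using " + blockTokenIdentifier.toString());
        }
        if (str != null && !str.equals(blockTokenIdentifier.getUserId())) {
            throw new SecretManager.InvalidToken("Block token with " + blockTokenIdentifier.toString() + " doesn't belong to user " + str);
        }
        if (!blockTokenIdentifier.getBlockPoolId().equals(extendedBlock.getBlockPoolId())) {
            throw new SecretManager.InvalidToken("Block token with " + blockTokenIdentifier.toString() + " doesn't apply to block " + extendedBlock);
        }
        if (blockTokenIdentifier.getBlockId() != extendedBlock.getBlockId()) {
            throw new SecretManager.InvalidToken("Block token with " + blockTokenIdentifier.toString() + " doesn't apply to block " + extendedBlock);
        }
        if (isExpired(blockTokenIdentifier.getExpiryDate())) {
            throw new SecretManager.InvalidToken("Block token with " + blockTokenIdentifier.toString() + " is expired.");
        }
        if (!blockTokenIdentifier.getAccessModes().contains(accessMode)) {
            throw new SecretManager.InvalidToken("Block token with " + blockTokenIdentifier.toString() + " doesn't have " + accessMode + " permission");
        }
    }

    /**
     * Checks that a token authorises the requested access and carries the
     * password this manager computes for its identifier.
     *
     * @param token         token presented by the caller
     * @param str           expected user id; the user check is skipped when {@code null}
     * @param extendedBlock block being accessed
     * @param accessMode    access mode being requested
     * @throws SecretManager.InvalidToken if the identifier cannot be parsed, fails a field check,
     *         or the password does not match
     */
    public void checkAccess(Token<BlockTokenIdentifier> token, String str, ExtendedBlock extendedBlock, AccessMode accessMode) throws SecretManager.InvalidToken {
        BlockTokenIdentifier blockTokenIdentifier = new BlockTokenIdentifier();
        // Only parsing sits inside the try: InvalidToken is an IOException in
        // Hadoop's SecretManager, so a catch spanning the checks below would
        // replace their specific rejection reason with the de-serialization message.
        try {
            blockTokenIdentifier.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
        } catch (IOException e) {
            SecretManager.InvalidToken invalid = new SecretManager.InvalidToken("Unable to de-serialize block token identifier for user=" + str + ", block=" + extendedBlock + ", access mode=" + accessMode);
            invalid.initCause(e);
            throw invalid;
        }
        // NOTE(review): the field checks run before the password is verified, so
        // the rejection message may be built from fields nobody has authenticated yet.
        checkAccess(blockTokenIdentifier, str, extendedBlock, accessMode);
        // Constant-time comparison: the time taken must not depend on how many
        // leading bytes of the presented password are correct.
        if (!MessageDigest.isEqual(retrievePassword(blockTokenIdentifier), token.getPassword())) {
            throw new SecretManager.InvalidToken("Block token with " + blockTokenIdentifier.toString() + " doesn't have the correct token password");
        }
    }

    /** Returns {@code true} when the given expiry time (epoch milliseconds) is in the past. */
    private static boolean isExpired(long j) {
        return System.currentTimeMillis() > j;
    }

    /**
     * Reports whether a token's embedded expiry date has passed, reading only
     * the leading variable-length long of the identifier bytes.
     *
     * <p>The password is not verified here, so the answer is only as
     * trustworthy as the token it was read from. The decompiler reports the
     * original access as package-private.
     *
     * @param token token to inspect
     * @return {@code true} if the embedded expiry date is in the past
     * @throws IOException if the identifier bytes cannot be read
     */
    public static boolean isTokenExpired(Token<BlockTokenIdentifier> token) throws IOException {
        DataInputStream identifierStream = new DataInputStream(new ByteArrayInputStream(token.getIdentifier()));
        return isExpired(WritableUtils.readVLong(identifierStream));
    }

    /**
     * Sets the lifetime applied to tokens created from now on.
     *
     * @param j token lifetime, in milliseconds
     */
    public void setTokenLifetime(long j) {
        this.tokenLifetime = j;
    }

    /**
     * Returns an empty identifier.
     *
     * <p>The method name is the decompiler's: per its note the original is
     * {@code createIdentifier}, merged with its bridge method.
     */
    public BlockTokenIdentifier m269createIdentifier() {
        return new BlockTokenIdentifier();
    }

    /**
     * Stamps the identifier with an expiry date and the current key id, then
     * computes its password with the current key.
     *
     * <p>The decompiler reports the original access as protected.
     *
     * @param blockTokenIdentifier identifier to sign; its expiry date and key id are overwritten
     * @return the password for the identifier
     * @throws IllegalStateException if no current key has been set yet
     */
    public byte[] createPassword(BlockTokenIdentifier blockTokenIdentifier) {
        BlockKey blockKey;
        // Take a snapshot of the current key; the rest runs outside the monitor.
        synchronized (this) {
            blockKey = this.currentKey;
        }
        if (blockKey == null) {
            throw new IllegalStateException("currentKey hasn't been initialized.");
        }
        blockTokenIdentifier.setExpiryDate(System.currentTimeMillis() + this.tokenLifetime);
        blockTokenIdentifier.setKeyId(blockKey.getKeyId());
        if (LOG.isDebugEnabled()) {
            LOG.debug("Generating block token for " + blockTokenIdentifier.toString());
        }
        return createPassword(blockTokenIdentifier.getBytes(), blockKey.getKey());
    }

    /**
     * Recomputes the password for an identifier using the key it names.
     *
     * @param blockTokenIdentifier identifier whose password is wanted
     * @return the password for the identifier
     * @throws SecretManager.InvalidToken if the identifier is expired or names a key this manager does not hold
     */
    public byte[] retrievePassword(BlockTokenIdentifier blockTokenIdentifier) throws SecretManager.InvalidToken {
        BlockKey blockKey;
        if (isExpired(blockTokenIdentifier.getExpiryDate())) {
            throw new SecretManager.InvalidToken("Block token with " + blockTokenIdentifier.toString() + " is expired.");
        }
        synchronized (this) {
            blockKey = this.allKeys.get(blockTokenIdentifier.getKeyId());
        }
        if (blockKey == null) {
            throw new SecretManager.InvalidToken("Can't re-compute password for " + blockTokenIdentifier.toString() + ", since the required block key (keyID=" + blockTokenIdentifier.getKeyId() + ") doesn't exist.");
        }
        return createPassword(blockTokenIdentifier.getBytes(), blockKey.getKey());
    }
}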
