package org.apache.hadoop.hbase.security.token;

import java.io.IOException;
import java.util.Collections;
import org.apache.hadoop.hbase.CoprocessorEnvironment;
import org.apache.hadoop.hbase.coprocessor.CoreCoprocessor;
import org.apache.hadoop.hbase.coprocessor.HasRegionServerServices;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessor;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.ipc.CoprocessorRpcUtils;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.shaded.protobuf.generated.AuthenticationProtos;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hbase.thirdparty.com.google.protobuf.RpcCallback;
import org.apache.hbase.thirdparty.com.google.protobuf.RpcController;
import org.apache.hbase.thirdparty.com.google.protobuf.Service;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

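/**
 * Region coprocessor endpoint that exposes the {@code AuthenticationService} RPCs: issuing
 * authentication tokens to strongly authenticated callers and reporting the caller's identity.
 *
 * <p>Token issuance is gated on the caller's authentication method (see
 * {@link #isAllowedDelegationTokenOp(UserGroupInformation)}). Every failure is reported to the
 * client through the {@link RpcController}; no exception leaves the RPC method.
 */
@InterfaceAudience.Private
@CoreCoprocessor
/* loaded from: input_file:org/apache/hadoop/hbase/security/token/TokenProvider.class */
public class TokenProvider implements AuthenticationProtos.AuthenticationService.Interface, RegionCoprocessor {
    private static final Logger LOG = LoggerFactory.getLogger(TokenProvider.class);

    // Stays null unless start() finds an AuthenticationTokenSecretManager on the RPC server;
    // getAuthenticationToken() refuses to issue tokens while it is null.
    private AuthenticationTokenSecretManager secretManager;

    /**
     * Captures the RPC server's secret manager when this coprocessor is loaded on a region.
     *
     * @param coprocessorEnvironment the environment this coprocessor was loaded into; anything
     *     other than a {@link RegionCoprocessorEnvironment} is ignored
     */
    @Override
    public void start(CoprocessorEnvironment coprocessorEnvironment) {
        if (!(coprocessorEnvironment instanceof RegionCoprocessorEnvironment)) {
            return;
        }
        // NOTE(review): these casts assume the region environment also implements
        // HasRegionServerServices and that the server is an RpcServer - confirm for every
        // deployment mode, otherwise this throws ClassCastException at load time.
        HasRegionServerServices regionEnv =
            (HasRegionServerServices) ((RegionCoprocessorEnvironment) coprocessorEnvironment);
        RpcServer rpcServer = (RpcServer) regionEnv.getRegionServerServices().getRpcServer();
        SecretManager<? extends TokenIdentifier> rpcSecretManager = rpcServer.getSecretManager();
        if (rpcSecretManager instanceof AuthenticationTokenSecretManager) {
            this.secretManager = (AuthenticationTokenSecretManager) rpcSecretManager;
        }
    }

    /**
     * No-op; this coprocessor holds no resources of its own.
     *
     * @param coprocessorEnvironment the environment being shut down (unused)
     */
    @Override
    public void stop(CoprocessorEnvironment coprocessorEnvironment) throws IOException {
    }

    /**
     * Decides whether the caller authenticated strongly enough to be issued a token.
     *
     * <p>Only {@code KERBEROS}, {@code KERBEROS_SSL} and {@code CERTIFICATE} are accepted. Every
     * other method is rejected, so a caller that itself authenticated with a token cannot use
     * that token to obtain a fresh one. For a {@code PROXY} caller the decision is made on the
     * real (impersonating) user's method.
     *
     * @param userGroupInformation the caller's UGI
     * @return {@code true} if token generation is permitted for this caller
     */
    private boolean isAllowedDelegationTokenOp(UserGroupInformation userGroupInformation) throws IOException {
        UserGroupInformation.AuthenticationMethod authenticationMethod = userGroupInformation.getAuthenticationMethod();
        if (authenticationMethod == UserGroupInformation.AuthenticationMethod.PROXY) {
            UserGroupInformation realUser = userGroupInformation.getRealUser();
            if (realUser == null) {
                // Fail closed: a proxy UGI with no real user gives nothing to base the decision on.
                return false;
            }
            authenticationMethod = realUser.getAuthenticationMethod();
        }
        return authenticationMethod == UserGroupInformation.AuthenticationMethod.KERBEROS
            || authenticationMethod == UserGroupInformation.AuthenticationMethod.KERBEROS_SSL
            || authenticationMethod == UserGroupInformation.AuthenticationMethod.CERTIFICATE;
    }

    /**
     * @return the single reflective {@code AuthenticationService} backed by this instance
     */
    @Override
    public Iterable<Service> getServices() {
        return Collections.singleton(AuthenticationProtos.AuthenticationService.newReflectiveService(this));
    }

    /**
     * Issues an authentication token for the user making the current RPC.
     *
     * <p>The callback is always invoked. On failure (no secret manager, no authenticated user, or
     * a disallowed authentication method) the response carries no token and the exception is
     * attached to {@code rpcController}.
     *
     * @param rpcController receives the failure, if any
     * @param getAuthenticationTokenRequest the request message (not read here)
     * @param rpcCallback receives the response
     */
    @Override
    public void getAuthenticationToken(RpcController rpcController, AuthenticationProtos.GetAuthenticationTokenRequest getAuthenticationTokenRequest, RpcCallback<AuthenticationProtos.GetAuthenticationTokenResponse> rpcCallback) {
        AuthenticationProtos.GetAuthenticationTokenResponse.Builder response = AuthenticationProtos.GetAuthenticationTokenResponse.newBuilder();
        // All checks live inside the try so that each IOException (AccessDeniedException is
        // caught by the same handler) is handed to the controller instead of escaping a
        // method that declares no checked exceptions.
        try {
            if (this.secretManager == null) {
                throw new IOException("No secret manager configured for token authentication");
            }
            User requestUser = RpcServer.getRequestUser()
                .orElseThrow(() -> new AccessDeniedException("No authenticated user for request!"));
            UserGroupInformation ugi = requestUser.getUGI();
            if (!isAllowedDelegationTokenOp(ugi)) {
                // Denials are logged with identity and auth method so they can be audited.
                LOG.warn("Token generation denied for user={}, authMethod={}", requestUser.getName(), ugi.getAuthenticationMethod());
                throw new AccessDeniedException("Token generation only allowed for Kerberos authenticated clients");
            }
            // The token is bound to the authenticated caller's name, never to request content.
            response.setToken(ClientTokenUtil.toToken(this.secretManager.generateToken(requestUser.getName())));
        } catch (IOException e) {
            CoprocessorRpcUtils.setControllerException(rpcController, e);
        }
        rpcCallback.run(response.build());
    }

    /**
     * Reports the short user name and authentication method of the current RPC caller.
     *
     * <p>When the request has no user the response is returned with neither field set.
     *
     * @param rpcController unused
     * @param whoAmIRequest the request message (not read here)
     * @param rpcCallback receives the response
     */
    @Override
    public void whoAmI(RpcController rpcController, AuthenticationProtos.WhoAmIRequest whoAmIRequest, RpcCallback<AuthenticationProtos.WhoAmIResponse> rpcCallback) {
        AuthenticationProtos.WhoAmIResponse.Builder response = AuthenticationProtos.WhoAmIResponse.newBuilder();
        RpcServer.getRequestUser().ifPresent(user -> {
            response.setUsername(user.getShortName());
            UserGroupInformation.AuthenticationMethod authenticationMethod = user.getUGI().getAuthenticationMethod();
            if (authenticationMethod != null) {
                response.setAuthMethod(authenticationMethod.name());
            }
        });
        rpcCallback.run(response.build());
    }
}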
