package io.hops.security;

import com.google.common.base.Strings;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Locale;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.net.HopsSSLSocketFactory;
import org.apache.hadoop.net.hopssslchecks.HopsSSLCryptoMaterial;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
import org.apache.hadoop.security.ssl.KeyStoresFactory;
import org.apache.hadoop.security.ssl.ReloadingX509KeyManager;
import org.apache.hadoop.security.ssl.ReloadingX509TrustManager;
import org.apache.hadoop.security.ssl.SSLFactory;

/* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.8-RC0.jar:io/hops/security/HopsFileBasedKeyStoresFactory.class */
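/**
 * {@link KeyStoresFactory} that builds the TLS key and trust managers from Hops
 * cryptographic material.
 *
 * <p>Material is first resolved through {@link HopsSSLSocketFactory} using the system
 * configuration given to {@link #setSystemConf(Configuration)}. If that fails for any
 * reason, the factory falls back to the keystore/truststore properties of the SSL
 * configuration given to {@link #setConf(Configuration)} (the warning it logs refers to
 * that configuration as {@code ssl-{client,server}.xml}).
 *
 * <p>Both configurations must be set before {@link #init(SSLFactory.Mode)} is called.
 * The class does no synchronization of its own.
 */
public class HopsFileBasedKeyStoresFactory implements KeyStoresFactory {
    private static final Log LOG = LogFactory.getLog(HopsFileBasedKeyStoresFactory.class);

    /** Store type used when the SSL configuration does not name one. */
    private static final String DEFAULT_STORE_TYPE = "jks";

    /** Reload interval used when the SSL configuration does not set one. */
    private static final long DEFAULT_RELOAD_INTERVAL = 10000L;

    private Configuration sslConf;
    private Configuration systemConf;
    private ReloadingX509KeyManager keyManager;
    private KeyManager[] keyManagers;
    private ReloadingX509TrustManager trustManager;
    private TrustManager[] trustManagers;

    /**
     * Resolves the cryptographic material for {@code mode} and builds the key managers
     * and then the trust managers from it.
     *
     * @param mode whether the factory is used for the client or the server side
     * @throws IOException if no usable material could be determined
     * @throws GeneralSecurityException if a store location or password is missing, or a
     *     manager could not be initialized
     */
    @Override
    public void init(SSLFactory.Mode mode) throws IOException, GeneralSecurityException {
        HopsSSLCryptoMaterial material = loadCryptoMaterial(mode);
        createKeyManagers(mode, material);
        createTrustManagers(mode, material);
    }

    /**
     * Locates the keystore, truststore and passwords to use for {@code mode}.
     *
     * <p>The primary path asks {@link HopsSSLSocketFactory#configureCryptoMaterial} with
     * the certificate localization service and proxy superusers held by
     * {@link CertificateLocalizationCtx}. Any exception on that path triggers the
     * fallback to the SSL configuration; the triggering exception is logged and, if the
     * fallback also fails, attached as the cause of the thrown {@link IOException}.
     *
     * @param mode selects which mode-specific property names are read in the fallback
     * @return the resolved material
     * @throws IOException if the fallback properties are incomplete, or the current user
     *     cannot be determined
     */
    public HopsSSLCryptoMaterial loadCryptoMaterial(SSLFactory.Mode mode) throws IOException {
        try {
            CertificateLocalizationCtx localizationCtx = CertificateLocalizationCtx.getInstance();
            localizationCtx.setProxySuperusers(this.systemConf);

            // Only the super-material directory is handed to the socket factory; the rest
            // of the system configuration is deliberately not copied.
            Configuration materialConf = new Configuration(false);
            materialConf.set(
                CommonConfigurationKeysPublic.HOPS_TLS_SUPER_MATERIAL_DIRECTORY,
                this.systemConf.get(CommonConfigurationKeysPublic.HOPS_TLS_SUPER_MATERIAL_DIRECTORY, ""));

            HopsSSLSocketFactory socketFactory = new HopsSSLSocketFactory();
            socketFactory.setConf(materialConf);
            return socketFactory.configureCryptoMaterial(
                localizationCtx.getCertificateLocalization(), localizationCtx.getProxySuperusers());
        } catch (Exception e) {
            // The catch is intentionally broad: whatever went wrong above (including an
            // unset system configuration) ends in the same fallback. Log the cause so the
            // switch to the fallback material can be diagnosed and audited.
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            LOG.warn("Could not locate cryptographic material for <" + currentUser.getUserName() + "> Falling back to ssl-{client,server}.xml", e);

            String keyStoreLocation = this.sslConf.get(
                FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_KEYSTORE_LOCATION_TPL_KEY));
            String keyStorePassword = this.sslConf.get(
                FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_KEYSTORE_PASSWORD_TPL_KEY));
            // The key password defaults to the keystore password when not configured.
            String keyPassword = this.sslConf.get(
                FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_KEYSTORE_KEYPASSWORD_TPL_KEY),
                keyStorePassword);
            String trustStoreLocation = this.sslConf.get(
                FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_LOCATION_TPL_KEY));
            String passwordFileLocation = this.sslConf.get(
                FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_PASSWORDFILE_LOCATION_TPL_KEY),
                null);

            if (Strings.isNullOrEmpty(keyStoreLocation)
                    || Strings.isNullOrEmpty(trustStoreLocation)
                    || Strings.isNullOrEmpty(keyStorePassword)
                    || Strings.isNullOrEmpty(keyPassword)) {
                throw new IOException("Failed to determine cryptographic material for user <" + currentUser.getUserName() + ">. Exhausted all methods!", e);
            }

            // NOTE(review): the keystore password is passed twice; the second occurrence
            // presumably fills the truststore-password slot, since no separate truststore
            // password property is read here. Confirm against the HopsSSLCryptoMaterial
            // constructor, and confirm the meaning of the trailing 'true'.
            return new HopsSSLCryptoMaterial(
                keyStoreLocation, keyStorePassword, keyPassword, trustStoreLocation, keyStorePassword, passwordFileLocation, true);
        }
    }

    /**
     * Releases the reloading trust and key managers, if any were created, and clears the
     * corresponding arrays.
     *
     * <p>Note that {@code keyManagers} is only cleared when a reloading key manager
     * exists; the managers built from the empty keystore in
     * {@link #createKeyManagers} stay referenced after this call.
     */
    @Override
    public void destroy() {
        if (this.trustManager != null) {
            this.trustManager.destroy();
            this.trustManager = null;
            this.trustManagers = null;
        }
        if (this.keyManager != null) {
            this.keyManager.stop();
            this.keyManager = null;
            this.keyManagers = null;
        }
    }

    /**
     * Returns the key managers built by the last {@link #init(SSLFactory.Mode)}.
     *
     * @return the internal array (not a copy), or {@code null} if none has been built
     */
    @Override
    public KeyManager[] getKeyManagers() {
        return this.keyManagers;
    }

    /**
     * Returns the trust managers built by the last {@link #init(SSLFactory.Mode)}.
     *
     * @return the internal array (not a copy), or {@code null} if none has been built
     */
    @Override
    public TrustManager[] getTrustManagers() {
        return this.trustManagers;
    }

    /**
     * Sets the SSL configuration that supplies store types, reload settings and the
     * fallback keystore/truststore properties.
     *
     * @param configuration the SSL configuration
     */
    @Override
    public void setConf(Configuration configuration) {
        this.sslConf = configuration;
    }

    /**
     * Returns the SSL configuration set through {@link #setConf(Configuration)}.
     *
     * @return the SSL configuration, or {@code null} if none was set
     */
    @Override
    public Configuration getConf() {
        return this.sslConf;
    }

    /**
     * Sets the system configuration used to resolve Hops cryptographic material.
     *
     * @param configuration the system configuration
     */
    public void setSystemConf(Configuration configuration) {
        this.systemConf = configuration;
    }

    /**
     * Returns the system configuration set through {@link #setSystemConf(Configuration)}.
     *
     * @return the system configuration, or {@code null} if none was set
     */
    public Configuration getSystemConf() {
        return this.systemConf;
    }

    /**
     * Builds the key managers for {@code mode}.
     *
     * <p>When client certificates are not required and the mode is not
     * {@link SSLFactory.Mode#SERVER}, the key managers come from an empty in-memory
     * keystore, so no private key is presented. Otherwise a reloading key manager is
     * created over the keystore named by the material.
     *
     * @throws GeneralSecurityException if the keystore location, keystore password or key
     *     password is missing from the material
     */
    private void createKeyManagers(SSLFactory.Mode mode, HopsSSLCryptoMaterial hopsSSLCryptoMaterial) throws IOException, GeneralSecurityException {
        boolean requireClientCert = this.sslConf.getBoolean(SSLFactory.SSL_REQUIRE_CLIENT_CERT_KEY, false);
        String keyStoreType = this.sslConf.get(
            FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_KEYSTORE_TYPE_TPL_KEY),
            DEFAULT_STORE_TYPE);

        if (!requireClientCert && mode != SSLFactory.Mode.SERVER) {
            KeyStore emptyKeyStore = KeyStore.getInstance(keyStoreType);
            emptyKeyStore.load(null, null);
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(SSLFactory.SSLCERTIFICATE);
            keyManagerFactory.init(emptyKeyStore, null);
            this.keyManagers = keyManagerFactory.getKeyManagers();
            return;
        }

        String keyStoreLocation = hopsSSLCryptoMaterial.getKeyStoreLocation();
        if (Strings.isNullOrEmpty(keyStoreLocation)) {
            throw new GeneralSecurityException("Could not identify correct keystore");
        }
        String keyStorePassword = hopsSSLCryptoMaterial.getKeyStorePassword();
        if (Strings.isNullOrEmpty(keyStorePassword)) {
            throw new GeneralSecurityException("Could not load keystore password");
        }
        String keyPassword = hopsSSLCryptoMaterial.getKeyPassword();
        if (Strings.isNullOrEmpty(keyPassword)) {
            throw new GeneralSecurityException("Could not load key password");
        }

        long reloadInterval = this.sslConf.getLong(
            FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_KEYSTORE_RELOAD_INTERVAL_TPL_KEY),
            DEFAULT_RELOAD_INTERVAL);
        // Locale.ROOT keeps the enum lookup independent of the JVM default locale; a
        // locale-sensitive upper-casing can produce a name TimeUnit.valueOf rejects.
        TimeUnit reloadTimeUnit = TimeUnit.valueOf(
            this.sslConf.get(
                FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_KEYSTORE_RELOAD_TIMEUNIT_TPL_KEY),
                FileBasedKeyStoresFactory.DEFAULT_SSL_KEYSTORE_RELOAD_TIMEUNIT).toUpperCase(Locale.ROOT));

        this.keyManager = new ReloadingX509KeyManager(
            keyStoreType,
            keyStoreLocation,
            keyStorePassword,
            hopsSSLCryptoMaterial.getPasswordFileLocation(),
            keyPassword,
            reloadInterval,
            reloadTimeUnit);
        this.keyManager.init();
        // Only the store location is logged, never a password.
        if (LOG.isDebugEnabled()) {
            LOG.debug(mode.toString() + " Loaded KeyStore: " + keyStoreLocation);
        }
        this.keyManagers = new KeyManager[]{this.keyManager};
    }

    /**
     * Builds a reloading trust manager over the truststore named by the material.
     *
     * @throws GeneralSecurityException if the truststore location or password is missing
     *     from the material
     */
    private void createTrustManagers(SSLFactory.Mode mode, HopsSSLCryptoMaterial hopsSSLCryptoMaterial) throws IOException, GeneralSecurityException {
        String trustStoreType = this.sslConf.get(
            FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_TYPE_TPL_KEY),
            DEFAULT_STORE_TYPE);

        String trustStoreLocation = hopsSSLCryptoMaterial.getTrustStoreLocation();
        if (Strings.isNullOrEmpty(trustStoreLocation)) {
            throw new GeneralSecurityException("Could not identify correct truststore");
        }
        String trustStorePassword = hopsSSLCryptoMaterial.getTrustStorePassword();
        if (Strings.isNullOrEmpty(trustStorePassword)) {
            throw new GeneralSecurityException("Could not load truststore password");
        }
        String passwordFileLocation = hopsSSLCryptoMaterial.getPasswordFileLocation();
        long reloadInterval = this.sslConf.getLong(
            FileBasedKeyStoresFactory.resolvePropertyName(mode, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_RELOAD_INTERVAL_TPL_KEY),
            DEFAULT_RELOAD_INTERVAL);

        // Only the store location is logged, never a password.
        if (LOG.isDebugEnabled()) {
            LOG.debug(mode.toString() + " TrustStore: " + trustStoreLocation);
        }
        this.trustManager = new ReloadingX509TrustManager(
            trustStoreType, trustStoreLocation, trustStorePassword, passwordFileLocation, reloadInterval);
        this.trustManager.init();
        if (LOG.isDebugEnabled()) {
            LOG.debug(mode.toString() + " Loaded TrustStore: " + trustStoreLocation);
        }
        this.trustManagers = new TrustManager[]{this.trustManager};
    }
}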
