package io.hops.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.UnmodifiableIterator;
import io.hops.hadoop.shaded.org.apache.commons.io.FileUtils;
import io.hops.hadoop.shaded.org.eclipse.jetty.util.ajax.JSON;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.locks.ReentrantLock;
import javax.management.ObjectName;
import javax.management.StandardMBean;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.metrics2.util.MBeans;
import org.apache.hadoop.net.HopsSSLSocketFactory;
import org.apache.hadoop.security.ssl.JWTSecurityMaterial;
import org.apache.hadoop.security.ssl.SecurityMaterial;
import org.apache.hadoop.security.ssl.X509SecurityMaterial;
import org.apache.hadoop.service.AbstractService;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.eclipse.persistence.internal.xr.Util;
import org.eclipse.persistence.jpa.jpql.parser.Expression;
import org.eclipse.persistence.jpa.jpql.parser.UnknownExpressionFactory;

@InterfaceAudience.LimitedPrivate({"Hive"})
/* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService.class */
public class CertificateLocalizationService extends AbstractService implements CertificateLocalization, CertificateLocalizationMBean {
    private final Logger LOG;
    private final String SYSTEM_TMP;
    private final String LOCALIZATION_DIR_NAME = "certLoc";
    private Path materializeDir;
    private final Map<StorageKey, SecurityMaterial> materialLocation;
    private ObjectName mbeanObjectName;
    private final ServiceType service;
    public static final String JMX_MATERIALIZED_KEY = "materialized";
    public static final String JMX_FORCE_REMOVE_OP = "forceRemoveMaterial";
    private final ReentrantLock lock;
    private final BlockingQueue<LocalizationEvent> localizationEventsQ;
    private Thread localizationEventsHandler;
    private X509SecurityMaterial superuserMaterial;
    private char[] keystoresPassword;

    /* JADX INFO: Access modifiers changed from: protected */
    @InterfaceAudience.Private
    @VisibleForTesting
    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$LocalizationEvent.class */
    public interface LocalizationEvent {
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$LocalizationEventsHandler.class */
    public class LocalizationEventsHandler extends Thread {
        private LocalizationEventsHandler() {
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    LocalizationEvent localizationEvent = (LocalizationEvent) CertificateLocalizationService.this.localizationEventsQ.take();
                    if (localizationEvent instanceof MaterializeEvent) {
                        CertificateLocalizationService.this.materializeInternal((MaterializeEvent) localizationEvent);
                    } else if (localizationEvent instanceof RemoveEvent) {
                        CertificateLocalizationService.this.removeInternal((RemoveEvent) localizationEvent);
                    } else if (localizationEvent instanceof UpdateEvent) {
                        CertificateLocalizationService.this.updateInternal((UpdateEvent) localizationEvent);
                    } else {
                        CertificateLocalizationService.this.LOG.warn("Unknown event type");
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            }
            CertificateLocalizationService.this.LOG.info("Stopping localization events handler thread");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$MaterialNotFoundException.class */
    public class MaterialNotFoundException extends Exception {
        private static final long serialVersionUID = 1;

        public MaterialNotFoundException(String str) {
            super(str);
        }

        public MaterialNotFoundException(String str, Throwable th) {
            super(str, th);
        }

        public MaterialNotFoundException(Throwable th) {
            super(th);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @InterfaceAudience.Private
    @VisibleForTesting
    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$MaterializeEvent.class */
    public class MaterializeEvent implements LocalizationEvent {
        private final StorageKey key;
        private final SecurityMaterial cryptoMaterial;

        private MaterializeEvent(StorageKey storageKey, SecurityMaterial securityMaterial) {
            this.key = storageKey;
            this.cryptoMaterial = securityMaterial;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @InterfaceAudience.Private
    @VisibleForTesting
    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$RemoveEvent.class */
    public class RemoveEvent implements LocalizationEvent {
        private final SecurityMaterial cryptoMaterial;

        private RemoveEvent(SecurityMaterial securityMaterial) {
            this.cryptoMaterial = securityMaterial;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$ReturnState.class */
    private class ReturnState<S, T> extends HashMap<S, T> {
        private static final long serialVersionUID = 1;

        private ReturnState() {
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$STORAGE_KEY_TYPE.class */
    public enum STORAGE_KEY_TYPE {
        X509,
        JWT
    }

    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$ServiceType.class */
    public enum ServiceType {
        RM("RM"),
        NM("NM"),
        HS2("HS2"),
        HM("HM"),
        LLAP("LLAP"),
        DN("DN"),
        LIVY("LIVY");

        private final String service;

        ServiceType(String str) {
            this.service = str;
        }

        @Override // java.lang.Enum
        public String toString() {
            return this.service;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$StorageKey.class */
    public static class StorageKey {
        private final String username;
        private final String applicationId;
        private final STORAGE_KEY_TYPE type;

        /* JADX INFO: Access modifiers changed from: private */
        public static StorageKey newX509Instance(String str, String str2) {
            return new StorageKey(str, str2, STORAGE_KEY_TYPE.X509);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public static StorageKey newJWTInstance(String str, String str2) {
            return new StorageKey(str, str2, STORAGE_KEY_TYPE.JWT);
        }

        public StorageKey(String str, String str2, STORAGE_KEY_TYPE storage_key_type) {
            this.username = str;
            this.applicationId = str2;
            this.type = storage_key_type;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (obj instanceof StorageKey) {
                return this.applicationId != null ? this.username.equals(((StorageKey) obj).username) && this.applicationId.equals(((StorageKey) obj).applicationId) && this.type.equals(((StorageKey) obj).type) : this.username.equals(((StorageKey) obj).username);
            }
            return false;
        }

        public int hashCode() {
            int hashCode = (31 * 17) + this.username.hashCode();
            if (this.applicationId != null) {
                hashCode = (31 * hashCode) + this.applicationId.hashCode();
            }
            return (31 * hashCode) + this.type.ordinal();
        }

        public String toString() {
            return "CryptoKey <" + this.username + ", " + (this.applicationId != null ? this.applicationId : UnknownExpressionFactory.ID) + ", " + this.type + Expression.GREATER_THAN;
        }

        public String compactToString() {
            return this.username + "/" + (this.applicationId != null ? this.applicationId : UnknownExpressionFactory.ID) + "/" + this.type;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.6-EE-SNAPSHOT.jar:io/hops/security/CertificateLocalizationService$UpdateEvent.class */
    public class UpdateEvent implements LocalizationEvent {
        private final StorageKey key;
        private final SecurityMaterial cryptoMaterial;

        private UpdateEvent(StorageKey storageKey, SecurityMaterial securityMaterial) {
            this.key = storageKey;
            this.cryptoMaterial = securityMaterial;
        }
    }

    public CertificateLocalizationService(ServiceType serviceType) {
        super(CertificateLocalizationService.class.getName());
        this.LOG = LogManager.getLogger(CertificateLocalizationService.class);
        this.SYSTEM_TMP = System.getProperty("java.io.tmpdir", "/tmp");
        this.LOCALIZATION_DIR_NAME = "certLoc";
        this.materialLocation = new ConcurrentHashMap();
        this.lock = new ReentrantLock(true);
        this.service = serviceType;
        this.localizationEventsQ = new ArrayBlockingQueue(100);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceInit(Configuration configuration) throws Exception {
        this.superuserMaterial = loadSuperuserMaterialInternal(configuration);
        this.keystoresPassword = readSupersuperPassword();
        this.materializeDir = Paths.get(this.SYSTEM_TMP, this.service.toString() + Util.UNDERSCORE_STR + "certLoc");
        File file = this.materializeDir.toFile();
        if (!file.exists()) {
            file.mkdir();
            Files.setPosixFilePermissions(this.materializeDir, this.service == ServiceType.NM ? EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE, PosixFilePermission.GROUP_EXECUTE, PosixFilePermission.OTHERS_EXECUTE) : EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE));
        }
        this.LOG.debug("Initialized at dir: " + this.materializeDir.toString());
        super.serviceInit(configuration);
    }

    private X509SecurityMaterial loadSuperuserMaterialInternal(Configuration configuration) throws IOException {
        return new SuperuserKeystoresLoader(configuration).loadSuperUserMaterial();
    }

    public char[] readSupersuperPassword() throws IOException {
        return FileUtils.readFileToString(this.superuserMaterial.getPasswdLocation().toFile()).toCharArray();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceStart() throws Exception {
        this.localizationEventsHandler = createLocalizationEventsHandler();
        this.localizationEventsHandler.setDaemon(true);
        this.localizationEventsHandler.setName("CertificateLocalizationEvents handler");
        this.localizationEventsHandler.start();
        this.mbeanObjectName = MBeans.register(this.service.toString(), "CertificateLocalizer", new StandardMBean(this, CertificateLocalizationMBean.class));
        super.serviceStart();
    }

    @Override // io.hops.security.CertificateLocalization
    public String getSuperKeystoreLocation() {
        return this.superuserMaterial.getKeyStoreLocation().toString();
    }

    @Override // io.hops.security.CertificateLocalization
    public String getSuperKeystorePass() {
        return String.valueOf(this.keystoresPassword);
    }

    @Override // io.hops.security.CertificateLocalization
    public String getSuperKeyPassword() {
        return String.valueOf(this.keystoresPassword);
    }

    @Override // io.hops.security.CertificateLocalization
    public String getSuperTruststoreLocation() {
        return this.superuserMaterial.getTrustStoreLocation().toString();
    }

    @Override // io.hops.security.CertificateLocalization
    public String getSuperTruststorePass() {
        return String.valueOf(this.keystoresPassword);
    }

    @Override // io.hops.security.CertificateLocalization
    public String getSuperMaterialPasswordFile() {
        return this.superuserMaterial.getPasswdLocation().toString();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.service.AbstractService
    public void serviceStop() throws Exception {
        if (this.mbeanObjectName != null) {
            MBeans.unregister(this.mbeanObjectName);
        }
        if (this.localizationEventsHandler != null) {
            this.localizationEventsHandler.interrupt();
        }
        if (null != this.materializeDir) {
            FileUtils.deleteQuietly(this.materializeDir.toFile());
        }
        for (int i = 0; i < this.keystoresPassword.length; i++) {
            this.keystoresPassword[i] = 'x';
        }
        this.LOG.debug("Stopped CertificateLocalization service");
        super.serviceStop();
    }

    @VisibleForTesting
    public Path getMaterializeDirectory() {
        return this.materializeDir;
    }

    @Override // io.hops.security.CertificateLocalization
    public void materializeCertificates(String str, String str2, ByteBuffer byteBuffer, String str3, ByteBuffer byteBuffer2, String str4) throws InterruptedException {
        materializeCertificates(str, null, str2, byteBuffer, str3, byteBuffer2, str4);
    }

    @Override // io.hops.security.CertificateLocalization
    public void materializeCertificates(String str, String str2, String str3, ByteBuffer byteBuffer, String str4, ByteBuffer byteBuffer2, String str5) throws InterruptedException {
        StorageKey newX509Instance = StorageKey.newX509Instance(str, str2);
        try {
            this.lock.lock();
            SecurityMaterial securityMaterial = this.materialLocation.get(newX509Instance);
            if (securityMaterial != null) {
                securityMaterial.incrementRequestedApplications();
                this.LOG.debug("Incrementing requested application to " + securityMaterial.getRequestedApplications() + " for key " + newX509Instance);
            } else {
                Path path = str2 != null ? Paths.get(this.materializeDir.toString(), str3, str2) : Paths.get(this.materializeDir.toString(), str3);
                X509SecurityMaterial x509SecurityMaterial = new X509SecurityMaterial(path, Paths.get(path.toFile().getAbsolutePath(), str + HopsSSLSocketFactory.KEYSTORE_SUFFIX), Paths.get(path.toFile().getAbsolutePath(), str + HopsSSLSocketFactory.TRUSTSTORE_SUFFIX), Paths.get(path.toFile().getAbsolutePath(), str + HopsSSLSocketFactory.PASSWD_FILE_SUFFIX), byteBuffer, str4, byteBuffer2, str5);
                this.materialLocation.put(newX509Instance, x509SecurityMaterial);
                dispatchEvent(new MaterializeEvent(newX509Instance, x509SecurityMaterial));
                this.LOG.debug("Dispatch materialize event for key " + newX509Instance);
            }
        } finally {
            this.lock.unlock();
        }
    }

    private SecurityMaterial prepareMaterialForChange(StorageKey storageKey) throws MaterialNotFoundException, InterruptedException {
        try {
            this.lock.lock();
            SecurityMaterial securityMaterial = this.materialLocation.get(storageKey);
            if (securityMaterial == null) {
                throw new MaterialNotFoundException("Material for key " + storageKey + " is missing");
            }
            synchronized (securityMaterial) {
                while (!securityMaterial.getState().equals(SecurityMaterial.STATE.FINISHED)) {
                    securityMaterial.wait();
                }
                securityMaterial.changeState(SecurityMaterial.STATE.ONGOING);
            }
            return securityMaterial;
        } finally {
            this.lock.unlock();
        }
    }

    @Override // io.hops.security.CertificateLocalization
    public void updateX509(String str, String str2, ByteBuffer byteBuffer, String str3, ByteBuffer byteBuffer2, String str4) throws InterruptedException {
        StorageKey newX509Instance = StorageKey.newX509Instance(str, str2);
        try {
            X509SecurityMaterial x509SecurityMaterial = (X509SecurityMaterial) prepareMaterialForChange(newX509Instance);
            x509SecurityMaterial.updateKeyStoreMem(byteBuffer);
            x509SecurityMaterial.updateKeyStorePass(str3);
            x509SecurityMaterial.updateTrustStoreMem(byteBuffer2);
            x509SecurityMaterial.updateTrustStorePass(str4);
            dispatchEvent(new UpdateEvent(newX509Instance, x509SecurityMaterial));
            this.LOG.debug("Dispatched update event for key " + newX509Instance);
        } catch (MaterialNotFoundException e) {
            this.LOG.warn("Requested X.509 update but got an exception", e);
        }
    }

    @Override // io.hops.security.CertificateLocalization
    public void updateJWT(String str, String str2, String str3) throws InterruptedException {
        StorageKey newJWTInstance = StorageKey.newJWTInstance(str, str2);
        try {
            JWTSecurityMaterial jWTSecurityMaterial = (JWTSecurityMaterial) prepareMaterialForChange(newJWTInstance);
            jWTSecurityMaterial.updateToken(str3);
            dispatchEvent(new UpdateEvent(newJWTInstance, jWTSecurityMaterial));
            this.LOG.debug("Dispatched JWT update event for key " + newJWTInstance);
        } catch (MaterialNotFoundException e) {
            this.LOG.warn("Requested JWT update but got an exception", e);
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void updateInternal(UpdateEvent updateEvent) {
        try {
            try {
                if (this.materialLocation.get(updateEvent.key) == null) {
                    this.LOG.warn("Requested X.509 update for key " + updateEvent.key + " but material is missing or has been removed");
                    if (updateEvent.cryptoMaterial != null) {
                        synchronized (updateEvent.cryptoMaterial) {
                            updateEvent.cryptoMaterial.changeState(SecurityMaterial.STATE.FINISHED);
                            updateEvent.cryptoMaterial.notifyAll();
                        }
                        return;
                    }
                    return;
                }
                if (updateEvent.cryptoMaterial instanceof X509SecurityMaterial) {
                    String str = "Could not update X.509 security material for key " + updateEvent.key;
                    updateInternalX509((X509SecurityMaterial) updateEvent.cryptoMaterial);
                } else if (updateEvent.cryptoMaterial instanceof JWTSecurityMaterial) {
                    String str2 = "Could not update JWT security material for key " + updateEvent.key;
                    updateInternalJWT((JWTSecurityMaterial) updateEvent.cryptoMaterial);
                } else {
                    String str3 = "Unknown security material type " + updateEvent.cryptoMaterial.getClass().getCanonicalName();
                }
                if (updateEvent.cryptoMaterial != null) {
                    synchronized (updateEvent.cryptoMaterial) {
                        updateEvent.cryptoMaterial.changeState(SecurityMaterial.STATE.FINISHED);
                        updateEvent.cryptoMaterial.notifyAll();
                    }
                }
            } catch (IOException e) {
                this.LOG.error("Error updating security material: ", e);
                if (updateEvent.cryptoMaterial != null) {
                    synchronized (updateEvent.cryptoMaterial) {
                        updateEvent.cryptoMaterial.changeState(SecurityMaterial.STATE.FINISHED);
                        updateEvent.cryptoMaterial.notifyAll();
                    }
                }
            }
        } catch (Throwable th) {
            if (updateEvent.cryptoMaterial != null) {
                synchronized (updateEvent.cryptoMaterial) {
                    updateEvent.cryptoMaterial.changeState(SecurityMaterial.STATE.FINISHED);
                    updateEvent.cryptoMaterial.notifyAll();
                }
            }
            throw th;
        }
    }

    private void updateInternalX509(X509SecurityMaterial x509SecurityMaterial) throws IOException {
        writeX509ToLocalFS(x509SecurityMaterial.getKeyStoreMem(), x509SecurityMaterial.getKeyStoreLocation().toFile(), x509SecurityMaterial.getTrustStoreMem(), x509SecurityMaterial.getTrustStoreLocation().toFile(), x509SecurityMaterial.getKeyStorePass(), x509SecurityMaterial.getPasswdLocation().toFile());
    }

    private void updateInternalJWT(JWTSecurityMaterial jWTSecurityMaterial) throws IOException {
        FileUtils.writeStringToFile(jWTSecurityMaterial.getTokenLocation().toFile(), jWTSecurityMaterial.getToken());
    }

    @Override // io.hops.security.CertificateLocalization
    public void materializeJWT(String str, String str2, String str3, String str4) throws InterruptedException {
        StorageKey newJWTInstance = StorageKey.newJWTInstance(str, str2);
        try {
            this.lock.lock();
            SecurityMaterial securityMaterial = this.materialLocation.get(newJWTInstance);
            if (securityMaterial != null) {
                securityMaterial.incrementRequestedApplications();
                this.LOG.debug("Incrementing requested application to " + securityMaterial.getRequestedApplications() + " for key " + newJWTInstance);
            } else {
                Path path = str2 != null ? Paths.get(this.materializeDir.toString(), str3, str2) : Paths.get(this.materializeDir.toString(), str3);
                JWTSecurityMaterial jWTSecurityMaterial = new JWTSecurityMaterial(path, Paths.get(path.toFile().getAbsolutePath(), str + JWTSecurityMaterial.JWT_FILE_SUFFIX), str4);
                this.materialLocation.put(newJWTInstance, jWTSecurityMaterial);
                dispatchEvent(new MaterializeEvent(newJWTInstance, jWTSecurityMaterial));
                this.LOG.debug("Dispatch materialize event for key " + newJWTInstance);
            }
        } finally {
            this.lock.unlock();
        }
    }

    private void writeX509ToLocalFS(ByteBuffer byteBuffer, File file, ByteBuffer byteBuffer2, File file2, String str, File file3) throws IOException {
        FileChannel channel = new FileOutputStream(file, false).getChannel();
        channel.write(byteBuffer);
        channel.close();
        FileChannel channel2 = new FileOutputStream(file2, false).getChannel();
        channel2.write(byteBuffer2);
        channel2.close();
        FileUtils.writeStringToFile(file3, str);
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected boolean materializeInternal(MaterializeEvent materializeEvent) {
        synchronized (materializeEvent.cryptoMaterial) {
            if (materializeEvent.cryptoMaterial.hasBeenCanceled()) {
                this.LOG.debug("Tried to materialize " + materializeEvent.key + " but it has already been canceled, ignoring...");
                materializeEvent.cryptoMaterial.changeState(SecurityMaterial.STATE.FINISHED);
                materializeEvent.cryptoMaterial.notifyAll();
                return false;
            }
            materializeEvent.cryptoMaterial.changeState(SecurityMaterial.STATE.ONGOING);
            this.LOG.debug("Materializing internal for " + materializeEvent.key);
            File file = materializeEvent.cryptoMaterial.getCertFolder().toFile();
            if (!file.exists()) {
                file.mkdirs();
            }
            try {
                if (materializeEvent.cryptoMaterial instanceof X509SecurityMaterial) {
                    materializeInternalX509((X509SecurityMaterial) materializeEvent.cryptoMaterial);
                } else if (materializeEvent.cryptoMaterial instanceof JWTSecurityMaterial) {
                    materializeInternalJWT((JWTSecurityMaterial) materializeEvent.cryptoMaterial);
                }
                synchronized (materializeEvent.cryptoMaterial) {
                    materializeEvent.cryptoMaterial.changeState(SecurityMaterial.STATE.FINISHED);
                    materializeEvent.cryptoMaterial.notifyAll();
                }
                this.LOG.debug("Finished materialization for " + materializeEvent.key);
                return true;
            } catch (IOException e) {
                this.LOG.error(e, e);
                try {
                    this.lock.lock();
                    this.materialLocation.remove(materializeEvent.key);
                    FileUtils.deleteQuietly(materializeEvent.cryptoMaterial.getCertFolder().toFile());
                    synchronized (materializeEvent.cryptoMaterial) {
                        materializeEvent.cryptoMaterial.changeState(SecurityMaterial.STATE.FINISHED);
                        materializeEvent.cryptoMaterial.notifyAll();
                        return false;
                    }
                } finally {
                    this.lock.unlock();
                }
            }
        }
    }

    private void materializeInternalX509(X509SecurityMaterial x509SecurityMaterial) throws IOException {
        writeX509ToLocalFS(x509SecurityMaterial.getKeyStoreMem(), x509SecurityMaterial.getKeyStoreLocation().toFile(), x509SecurityMaterial.getTrustStoreMem(), x509SecurityMaterial.getTrustStoreLocation().toFile(), x509SecurityMaterial.getKeyStorePass(), x509SecurityMaterial.getPasswdLocation().toFile());
        if (this.service == ServiceType.NM) {
            EnumSet of = EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE, PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_EXECUTE);
            Files.setPosixFilePermissions(x509SecurityMaterial.getCertFolder(), of);
            Files.setPosixFilePermissions(x509SecurityMaterial.getKeyStoreLocation(), of);
            Files.setPosixFilePermissions(x509SecurityMaterial.getTrustStoreLocation(), of);
            Files.setPosixFilePermissions(x509SecurityMaterial.getPasswdLocation(), of);
        }
    }

    private void materializeInternalJWT(JWTSecurityMaterial jWTSecurityMaterial) throws IOException {
        FileUtils.writeStringToFile(jWTSecurityMaterial.getTokenLocation().toFile(), jWTSecurityMaterial.getToken());
        if (this.service == ServiceType.NM) {
            EnumSet of = EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE, PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_EXECUTE);
            Files.setPosixFilePermissions(jWTSecurityMaterial.getCertFolder(), of);
            Files.setPosixFilePermissions(jWTSecurityMaterial.getTokenLocation(), of);
        }
    }

    private void dispatchEvent(LocalizationEvent localizationEvent) throws InterruptedException {
        this.localizationEventsQ.put(localizationEvent);
    }

    @Override // io.hops.security.CertificateLocalization
    public void removeX509Material(String str) throws InterruptedException {
        removeX509Material(str, null);
    }

    @Override // io.hops.security.CertificateLocalization
    public void removeX509Material(String str, String str2) throws InterruptedException {
        checkAndRemoveAsync(StorageKey.newX509Instance(str, str2));
    }

    @Override // io.hops.security.CertificateLocalization
    public void removeJWTMaterial(String str, String str2) throws InterruptedException {
        checkAndRemoveAsync(StorageKey.newJWTInstance(str, str2));
    }

    private void checkAndRemoveAsync(StorageKey storageKey) throws InterruptedException {
        try {
            this.lock.lock();
            SecurityMaterial securityMaterial = this.materialLocation.get(storageKey);
            if (securityMaterial != null) {
                securityMaterial.decrementRequestedApplications();
                this.LOG.debug("Decrementing requested applications to " + securityMaterial.getRequestedApplications() + " for key " + storageKey);
                if (securityMaterial.isSafeToRemove()) {
                    securityMaterial.changeState(SecurityMaterial.STATE.ONGOING);
                    RemoveEvent removeEvent = new RemoveEvent(securityMaterial);
                    this.materialLocation.remove(storageKey);
                    dispatchEvent(removeEvent);
                    this.LOG.debug("Dispatching remove event for key " + storageKey);
                }
            }
        } finally {
            this.lock.unlock();
        }
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected void removeInternal(RemoveEvent removeEvent) {
        if (removeEvent.cryptoMaterial instanceof X509SecurityMaterial) {
            removeInternalX509((X509SecurityMaterial) removeEvent.cryptoMaterial);
        } else if (removeEvent.cryptoMaterial instanceof JWTSecurityMaterial) {
            removeInternalJWT((JWTSecurityMaterial) removeEvent.cryptoMaterial);
        }
    }

    private void removeInternalX509(X509SecurityMaterial x509SecurityMaterial) {
        FileUtils.deleteQuietly(x509SecurityMaterial.getKeyStoreLocation().toFile());
        this.LOG.debug("Deleted " + x509SecurityMaterial.getKeyStoreLocation());
        FileUtils.deleteQuietly(x509SecurityMaterial.getTrustStoreLocation().toFile());
        this.LOG.debug("Deleted " + x509SecurityMaterial.getTrustStoreLocation());
        FileUtils.deleteQuietly(x509SecurityMaterial.getPasswdLocation().toFile());
        this.LOG.debug("Deleted " + x509SecurityMaterial.getPasswdLocation());
        deleteAppDirectoryIfEmpty(x509SecurityMaterial.getCertFolder().toFile());
    }

    private void removeInternalJWT(JWTSecurityMaterial jWTSecurityMaterial) {
        FileUtils.deleteQuietly(jWTSecurityMaterial.getTokenLocation().toFile());
        this.LOG.debug("Deleted " + jWTSecurityMaterial.getTokenLocation());
        deleteAppDirectoryIfEmpty(jWTSecurityMaterial.getCertFolder().toFile());
    }

    private void deleteAppDirectoryIfEmpty(File file) {
        String[] list = file.list();
        if (list == null || list.length != 0) {
            return;
        }
        FileUtils.deleteQuietly(file);
        this.LOG.debug("Deleted app directory " + file);
    }

    @Override // io.hops.security.CertificateLocalization
    public X509SecurityMaterial getX509MaterialLocation(String str) throws FileNotFoundException, InterruptedException {
        return getX509MaterialLocation(str, null);
    }

    @Override // io.hops.security.CertificateLocalization
    public X509SecurityMaterial getX509MaterialLocation(String str, String str2) throws FileNotFoundException, InterruptedException {
        return (X509SecurityMaterial) getSecurityMaterialInternal(StorageKey.newX509Instance(str, str2));
    }

    @Override // io.hops.security.CertificateLocalization
    public JWTSecurityMaterial getJWTMaterialLocation(String str, String str2) throws FileNotFoundException, InterruptedException {
        return (JWTSecurityMaterial) getSecurityMaterialInternal(StorageKey.newJWTInstance(str, str2));
    }

    private SecurityMaterial getSecurityMaterialInternal(StorageKey storageKey) throws FileNotFoundException, InterruptedException {
        SecurityMaterial securityMaterial;
        SecurityMaterial securityMaterial2 = this.materialLocation.get(storageKey);
        this.LOG.debug("Trying to get material for key " + storageKey);
        if (securityMaterial2 == null) {
            throw new FileNotFoundException("Materialized crypto material could not be found for user " + storageKey);
        }
        synchronized (securityMaterial2) {
            while (!securityMaterial2.getState().equals(SecurityMaterial.STATE.FINISHED)) {
                this.LOG.debug("Waiting to get notified for key " + storageKey);
                securityMaterial2.wait();
            }
            this.LOG.debug("Notified for key " + storageKey);
            securityMaterial = this.materialLocation.get(storageKey);
            if (securityMaterial == null) {
                throw new FileNotFoundException("Materializer could not materialize certificate for " + storageKey);
            }
        }
        return securityMaterial;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected LocalizationEvent dequeue() throws InterruptedException {
        return this.localizationEventsQ.take();
    }

    @Override // io.hops.security.CertificateLocalizationMBean
    public String getState() {
        try {
            this.lock.lock();
            ImmutableMap copyOf = ImmutableMap.copyOf((Map) this.materialLocation);
            ReturnState returnState = new ReturnState();
            ReturnState returnState2 = new ReturnState();
            UnmodifiableIterator it = copyOf.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                returnState2.put(((StorageKey) entry.getKey()).compactToString(), Integer.valueOf(((SecurityMaterial) entry.getValue()).getRequestedApplications()));
            }
            returnState.put(JMX_MATERIALIZED_KEY, JSON.toString(returnState2));
            return JSON.toString(returnState);
        } finally {
            this.lock.unlock();
        }
    }

    @Override // io.hops.security.CertificateLocalizationMBean
    public boolean forceRemoveMaterial(String str) throws InterruptedException, ExecutionException {
        return forceRemoveMaterial(str, null);
    }

    @Override // io.hops.security.CertificateLocalizationMBean
    public boolean forceRemoveMaterial(String str, String str2) throws InterruptedException, ExecutionException {
        boolean tryToCancel;
        SecurityMaterial remove = this.materialLocation.remove(StorageKey.newX509Instance(str, str2));
        if (remove == null) {
            return false;
        }
        synchronized (remove) {
            tryToCancel = remove.tryToCancel();
        }
        if (tryToCancel) {
            FileUtils.deleteQuietly(remove.getCertFolder().toFile());
            return true;
        }
        synchronized (remove) {
            while (!remove.getState().equals(SecurityMaterial.STATE.FINISHED)) {
                remove.wait();
            }
            FileUtils.deleteQuietly(remove.getCertFolder().toFile());
        }
        return true;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    protected Thread createLocalizationEventsHandler() {
        return new LocalizationEventsHandler();
    }
}
