package org.apache.hadoop.hdfs.server.datanode.web.webhdfs;

import com.google.common.base.Preconditions;
import io.hops.common.security.FsSecurityActions;
import io.hops.common.security.HopsworksFsSecurityActions;
import io.hops.hadoop.shaded.io.netty.channel.ChannelHandlerContext;
import io.hops.hadoop.shaded.io.netty.handler.codec.http.HttpRequest;
import io.hops.hadoop.shaded.io.netty.handler.ssl.SslHandler;
import io.hops.hadoop.shaded.org.apache.commons.net.util.Base64;
import io.hops.security.CertificateLocalizationCtx;
import io.hops.security.HopsSecurityActionsFactory;
import io.hops.security.HopsX509AuthenticationException;
import io.hops.security.HopsX509Authenticator;
import io.hops.security.HopsX509AuthenticatorFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URISyntaxException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.DFSConfigKeys;

/* loaded from: input_file:WEB-INF/lib/hadoop-client-api-3.2.0.12-EE-RC0.jar:org/apache/hadoop/hdfs/server/datanode/web/webhdfs/HopsWebHdfsHandler.class */
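/**
 * WebHDFS request handler that authenticates the caller with the X.509 client certificate
 * presented on the TLS connection before the request is served.
 *
 * <p>For each request the handler builds the caller's UGI, asks the configured
 * {@link HopsX509Authenticator} to authenticate the connection using the UGI, the peer
 * certificate, and the remote address, and only then fetches and localizes that user's
 * keystore and truststore. The helpers {@code extractParams}, {@code buildUGI},
 * {@code injectToken}, {@code doHandle} and the {@code ugi} field are inherited and not shown here.
 *
 * <p>NOTE(review): in this class the localized material is removed only from
 * {@link #exceptionCaught}. Whether it is also released after a successful request is not
 * visible here. Confirm against the superclass and the certificate localization service.
 */
public class HopsWebHdfsHandler extends WebHdfsHandler {
    private final HopsX509Authenticator authenticator;
    private final FsSecurityActions fsSecurityActions;

    /**
     * Creates the handler and resolves the authenticator and the security-actions actor.
     *
     * @param configuration configuration used to look up the authenticator and the actor named
     *     by {@code DFSConfigKeys.FS_SECURITY_ACTIONS_ACTOR_KEY}
     * @param configuration2 second configuration, passed to the superclass unchanged
     * @throws Exception if the superclass constructor or either factory lookup fails
     */
    public HopsWebHdfsHandler(Configuration configuration, Configuration configuration2) throws Exception {
        super(configuration, configuration2);
        this.authenticator = HopsX509AuthenticatorFactory.getInstance(configuration).getAuthenticator();
        this.fsSecurityActions = (FsSecurityActions) HopsSecurityActionsFactory.getInstance().getActor(configuration, configuration.get(DFSConfigKeys.FS_SECURITY_ACTIONS_ACTOR_KEY, DFSConfigKeys.DEFAULT_FS_SECURITY_ACTIONS_ACTOR));
    }

    /**
     * Authenticates the connection and then dispatches the WebHDFS request.
     *
     * @param channelHandlerContext Netty context of the connection carrying the request
     * @param httpRequest request whose URI must start with {@code /webhdfs/v1}
     * @throws Exception if the URI is rejected, authentication fails, or the user's X.509
     *     material cannot be localized
     */
    @Override // org.apache.hadoop.hdfs.server.datanode.web.webhdfs.WebHdfsHandler
    public void channelRead0(ChannelHandlerContext channelHandlerContext, HttpRequest httpRequest) throws Exception {
        Preconditions.checkArgument(httpRequest.getUri().startsWith("/webhdfs/v1"));
        extractParams(httpRequest);
        buildUGI();
        injectToken();
        InetAddress address = ((InetSocketAddress) channelHandlerContext.channel().remoteAddress()).getAddress();
        // Authenticate first: the user's keystore and password are fetched below by user name,
        // so that lookup must never run for a caller whose certificate has not been accepted.
        this.authenticator.authenticateConnection(this.ugi, extractUserX509(channelHandlerContext), address, "WebHDFS");
        localizeUserX509Material();
        doHandle(channelHandlerContext, httpRequest);
    }

    /**
     * Delegates to the superclass and then removes the X.509 material localized for the user.
     *
     * @param channelHandlerContext Netty context of the failing connection
     * @param th the failure being reported
     */
    @Override // org.apache.hadoop.hdfs.server.datanode.web.webhdfs.WebHdfsHandler
    public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) {
        super.exceptionCaught(channelHandlerContext, th);
        // channelRead0 can fail before buildUGI() has run (rejected URI, bad parameters).
        // In that case there is no user and nothing was localized, so dereferencing ugi
        // here would only raise a NullPointerException from inside the error handler.
        if (this.ugi == null) {
            return;
        }
        try {
            CertificateLocalizationCtx.getInstance().getCertificateLocalization().removeX509Material(this.ugi.getUserName());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Fetches the authenticated user's keystore and truststore and hands them to the
     * certificate localization service.
     *
     * <p>Only the {@code jks} format is accepted. The same password is passed for both stores.
     * The password is held as a {@code String} and must not be logged.
     *
     * @throws IOException if the credentials are not in {@code jks} format
     */
    private void localizeUserX509Material() throws URISyntaxException, GeneralSecurityException, IOException, InterruptedException {
        String userName = this.ugi.getUserName();
        HopsworksFsSecurityActions.X509CredentialsDTO x509Credentials = this.fsSecurityActions.getX509Credentials(userName);
        if (!"jks".equals(x509Credentials.getFileExtension())) {
            throw new IOException("Unknown X.509 format: " + x509Credentials.getFileExtension());
        }
        ByteBuffer keyStore = ByteBuffer.wrap(Base64.decodeBase64(x509Credentials.getkStore()));
        ByteBuffer trustStore = ByteBuffer.wrap(Base64.decodeBase64(x509Credentials.gettStore()));
        String password = x509Credentials.getPassword();
        // The user name is passed for both leading arguments, as in the original call.
        CertificateLocalizationCtx.getInstance().getCertificateLocalization().materializeCertificates(userName, userName, keyStore, password, trustStore, password);
    }

    /**
     * Returns the first certificate of the peer chain from the connection's TLS session.
     *
     * @param channelHandlerContext Netty context whose pipeline should contain an {@link SslHandler}
     * @return the first certificate in the chain the peer presented
     * @throws HopsX509AuthenticationException if the pipeline has no {@link SslHandler}, the peer
     *     is unverified, or the first certificate is missing or not an X.509 certificate
     */
    private X509Certificate extractUserX509(ChannelHandlerContext channelHandlerContext) throws HopsX509AuthenticationException {
        SslHandler sslHandler = channelHandlerContext.pipeline().get(SslHandler.class);
        if (sslHandler == null) {
            // No TLS on this pipeline means there is no client certificate to authenticate with.
            throw new HopsX509AuthenticationException("Could not get SSLHandler from pipeline");
        }
        java.security.cert.Certificate[] chain;
        try {
            chain = sslHandler.engine().getSession().getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new HopsX509AuthenticationException(e);
        }
        // Fail as an authentication error rather than with a ClassCastException or an
        // ArrayIndexOutOfBoundsException, so callers see one failure type for bad peer identity.
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new HopsX509AuthenticationException("Peer did not present an X.509 certificate");
        }
        return (X509Certificate) chain[0];
    }
}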
