package io.hops.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.security.UserGroupInformation;

/* loaded from: input_file:io/hops/security/HopsX509Authenticator.class */
public class HopsX509Authenticator {
    private static final Log LOG = LogFactory.getLog(HopsX509Authenticator.class);
    private final Configuration conf;
    private final Cache<String, Set<InetAddress>> trustedHostnames = CacheBuilder.newBuilder().maximumSize(500).expireAfterWrite(30, TimeUnit.MINUTES).build();

    /* loaded from: input_file:io/hops/security/HopsX509Authenticator$AUTH_MODE.class */
    public enum AUTH_MODE {
        SIMPLE,
        STRICT,
        NONE
    }

    public HopsX509Authenticator(Configuration configuration) {
        this.conf = configuration;
    }

    public void authenticateConnection(UserGroupInformation userGroupInformation, X509Certificate x509Certificate, InetAddress inetAddress) throws HopsX509AuthenticationException {
        authenticateConnection(userGroupInformation, x509Certificate, inetAddress, null);
    }

    public void authenticateConnection(UserGroupInformation userGroupInformation, X509Certificate x509Certificate, InetAddress inetAddress, String str) throws HopsX509AuthenticationException {
        if (isHopsTLS()) {
            Preconditions.checkNotNull(userGroupInformation, "UserGroupInformation should not be null");
            Preconditions.checkNotNull(x509Certificate, "Client X.509 certificate should not be null");
            LOG.debug("Authenticating user: " + userGroupInformation.getUserName());
            String userName = userGroupInformation.getUserName();
            if (userName == null) {
                throw new HopsX509AuthenticationException("Could not extract username from UGI");
            }
            String name = x509Certificate.getSubjectX500Principal().getName("RFC2253");
            String extractCNFromSubject = HopsUtil.extractCNFromSubject(name);
            if (extractCNFromSubject == null) {
                throw new HopsX509AuthenticationException("Problematic CN in client certificate: " + name);
            }
            String extractOFromSubject = HopsUtil.extractOFromSubject(name);
            if (extractOFromSubject != null && (Strings.isNullOrEmpty(str) || !str.equalsIgnoreCase("WebHDFS"))) {
                userGroupInformation.addApplicationId(extractOFromSubject);
            }
            if (userName.equals(extractCNFromSubject)) {
                LOG.debug("Authenticated user " + userName + " - Username matches CN");
                return;
            }
            Preconditions.checkNotNull(inetAddress, "Remote address should not be null");
            String extractLFromSubject = HopsUtil.extractLFromSubject(name);
            if (extractLFromSubject == null) {
                throw new HopsX509AuthenticationException("Incoming RPC claims to be a from a system user but the Locality (L) field of its X.509 is null or cannot be parsed");
            }
            if (getAuthenticationMode().equals(AUTH_MODE.NONE)) {
                LOG.debug("Authentication mode is NONE so we will skip CN verification");
            } else {
                if (isTrustedConnection(inetAddress, extractCNFromSubject, userName, extractLFromSubject)) {
                    return;
                }
                StringBuilder sb = new StringBuilder();
                sb.append("Could not authenticate client with CN ").append(extractCNFromSubject).append(" remote IP ").append(inetAddress).append(" and username ").append(userName);
                if (str != null) {
                    sb.append(" for protocol ").append(str);
                }
                throw new HopsX509AuthenticationException(sb.toString());
            }
        }
    }

    public boolean isTrustedConnection(InetAddress inetAddress, String str) throws HopsX509AuthenticationException {
        return isTrustedConnection(inetAddress, str, null, null);
    }

    public boolean isTrustedConnection(InetAddress inetAddress, String str, String str2, String str3) throws HopsX509AuthenticationException {
        Set<InetAddress> isTrustedFQDN = isTrustedFQDN(str);
        if (isTrustedFQDN != null && isTrustedConnectionInternal(inetAddress, isTrustedFQDN, str2, str3)) {
            LOG.debug("CN " + str + " is an FQDN and it has already been authenticated");
            return true;
        }
        try {
            Set<InetAddress> allInetAddressesAsSet = getAllInetAddressesAsSet(str);
            if (!isTrustedConnectionInternal(inetAddress, allInetAddressesAsSet, str2, str3)) {
                return false;
            }
            this.trustedHostnames.put(str, allInetAddressesAsSet);
            LOG.debug("CN " + str + " is an FQDN and we managed to resolve it and it matches the remote address");
            return true;
        } catch (UnknownHostException e) {
            LOG.error("Could not resolve host " + str, e);
            throw new HopsX509AuthenticationException("Hostname " + str + " is not resolvable and could not authenticate user " + str2);
        }
    }

    @VisibleForTesting
    protected Set<InetAddress> getAllInetAddressesAsSet(String str) throws UnknownHostException {
        InetAddress[] allByName = InetAddress.getAllByName(str);
        HashSet hashSet = new HashSet(allByName.length);
        hashSet.addAll(Arrays.asList(allByName));
        return hashSet;
    }

    private boolean isHopsTLS() {
        return this.conf.getBoolean(CommonConfigurationKeysPublic.IPC_SERVER_SSL_ENABLED, false);
    }

    private boolean isTrustedConnectionInternal(InetAddress inetAddress, Set<InetAddress> set, String str, String str2) {
        if (getAuthenticationMode().equals(AUTH_MODE.SIMPLE)) {
            return true;
        }
        return (str == null && str2 == null) ? doesAddressMatch(set, inetAddress) : doesAddressMatch(set, inetAddress) && doesUsernameMatch(str, str2);
    }

    private boolean doesAddressMatch(Set<InetAddress> set, InetAddress inetAddress) {
        if (isAnyLoopback(set) && inetAddress.isLoopbackAddress()) {
            return true;
        }
        return set.contains(inetAddress);
    }

    private boolean isAnyLoopback(Set<InetAddress> set) {
        Iterator<InetAddress> it = set.iterator();
        while (it.hasNext()) {
            if (it.next().isLoopbackAddress()) {
                return true;
            }
        }
        return false;
    }

    private AUTH_MODE getAuthenticationMode() {
        return (AUTH_MODE) this.conf.getEnum(CommonConfigurationKeysPublic.HOPS_RPC_AUTH_MODE, AUTH_MODE.STRICT);
    }

    private boolean doesUsernameMatch(String str, String str2) {
        return str.equals(str2);
    }

    @VisibleForTesting
    protected Set<InetAddress> isTrustedFQDN(String str) {
        return (Set) this.trustedHostnames.getIfPresent(str);
    }
}
