package org.apache.hadoop.net;

import io.hops.security.CertificateLocalization;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.TimeUnit;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.net.hopssslchecks.EnvVariableHopsSSLCheck;
import org.apache.hadoop.net.hopssslchecks.HopsSSLCheck;
import org.apache.hadoop.net.hopssslchecks.HopsSSLCryptoMaterial;
import org.apache.hadoop.net.hopssslchecks.LocalResourceHopsSSLCheck;
import org.apache.hadoop.net.hopssslchecks.NormalUserCertLocServiceHopsSSLCheck;
import org.apache.hadoop.net.hopssslchecks.NormalUserMaterilizeDirSSLCheck;
import org.apache.hadoop.net.hopssslchecks.SuperUserHopsSSLCheck;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
import org.apache.hadoop.security.ssl.ReloadingX509KeyManager;
import org.apache.hadoop.security.ssl.ReloadingX509TrustManager;
import org.apache.hadoop.security.ssl.SSLFactory;

/* loaded from: input_file:WEB-INF/lib/hadoop-common-2.8.2.9.jar:org/apache/hadoop/net/HopsSSLSocketFactory.class */
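/**
 * {@link SocketFactory} that produces TLS client sockets for Hadoop RPC.
 *
 * <p>The keystore/truststore material is resolved for the current user by a fixed
 * chain of {@link HopsSSLCheck}s in {@link #configureCryptoMaterial}; the first check that
 * returns non-null material wins. Every {@code createSocket} overload then builds a fresh
 * {@link SSLContext} from that material ({@link #initializeSSLContext}).
 *
 * <p>Security notes, all visible in this file:
 * <ul>
 *   <li>{@link #PASSPHRASE} is a hard-coded credential. The two-argument
 *       {@link #configureTlsClient(String, String, Configuration)} path uses it as the
 *       keystore, key and truststore password, so material configured that way is
 *       protected only by filesystem permissions on the store files.</li>
 *   <li>Store passwords travel as {@link String}s inside a {@link Configuration}; they
 *       cannot be zeroed after use and appear in any dump of that configuration.</li>
 *   <li>The TLS protocol is read from {@link CryptoKeys#SOCKET_ENABLED_PROTOCOL}
 *       (default {@code TLSv1.2}). Nothing here enables endpoint identification on the
 *       created sockets — NOTE(review): confirm the RPC layer performs host verification.</li>
 * </ul>
 *
 * <p>Not thread-safe: {@link #configureCryptoMaterial} and the {@code createSocket}
 * path write instance fields without synchronization.
 */
public class HopsSSLSocketFactory extends SocketFactory implements Configurable {
    /** Config key: when {@code true}, {@link #createSocket()} re-runs {@link #setConf} first. */
    public static final String FORCE_CONFIGURE = "client.rpc.ssl.force.configure";
    public static final boolean DEFAULT_FORCE_CONFIGURE = false;
    private static final String KEY_STORE_FILEPATH_DEFAULT = "client.keystore.jks";
    private static final String KEY_STORE_PASSWORD_DEFAULT = "";
    private static final String KEY_PASSWORD_DEFAULT = "";
    private static final String TRUST_STORE_FILEPATH_DEFAULT = "client.truststore.jks";
    private static final String TRUST_STORE_PASSWORD_DEFAULT = "";
    private static final String SOCKET_ENABLED_PROTOCOL_DEFAULT = "TLSv1.2";
    /** File-name suffixes appended to a per-user prefix by {@link #configureTlsClient(String, String, Configuration)}. */
    public static final String PASSWD_FILE_SUFFIX = "__cert.key";
    public static final String KEYSTORE_SUFFIX = "__kstore.jks";
    public static final String TRUSTSTORE_SUFFIX = "__tstore.jks";
    public static final String CRYPTO_MATERIAL_ENV_VAR = "MATERIAL_DIRECTORY";
    /**
     * Hard-coded passphrase applied to keystore, key and truststore by the private
     * three-argument {@link #setTlsConfiguration(String, String, Configuration)}.
     * A password compiled into the class provides no confidentiality; it is kept here
     * only because existing callers of the convenience overload depend on it.
     */
    private static final String PASSPHRASE = "adminpw";
    private static final String SERVICE_CERTS_DIR_DEFAULT = "/srv/hops/kagent-certs/keystores";
    private static final String CLIENT_MATERIALIZE_DIR_DEFAULT = "/srv/hops/domains/domain1/kafkacerts";
    public static final String USERNAME_PATTERN = "\\w*__\\w*";

    private static final String SOCKET_FACTORY_NAME = HopsSSLSocketFactory.class.getCanonicalName();
    private static final Log LOG = LogFactory.getLog(HopsSSLSocketFactory.class);
    /** Deprecation message per key; empty in this build, so {@link CryptoKeys#getValue()} never warns. */
    private static final Map<CryptoKeys, String> DEPRECATED_CRYPTO_KEYS = new HashMap<>();
    private static final HopsSSLCheck ENV_VARIABLE_CHECK = new EnvVariableHopsSSLCheck();
    private static final HopsSSLCheck LOCAL_RESOURCE = new LocalResourceHopsSSLCheck();
    private static final HopsSSLCheck NORMAL_USER_MATERIALIZE_DIR = new NormalUserMaterilizeDirSSLCheck();
    private static final HopsSSLCheck NORMAL_USER_CERTIFICATE_LOCALIZATION = new NormalUserCertLocServiceHopsSSLCheck();
    private static final HopsSSLCheck SUPER_USER = new SuperUserHopsSSLCheck();
    /** Checks consulted by {@link #configureCryptoMaterial}; a {@link TreeSet}, so iteration follows the checks' own ordering, not insertion order. */
    private static final Set<HopsSSLCheck> HOPS_SSL_CHECKS = new TreeSet<>();

    static {
        HOPS_SSL_CHECKS.add(ENV_VARIABLE_CHECK);
        HOPS_SSL_CHECKS.add(NORMAL_USER_CERTIFICATE_LOCALIZATION);
        HOPS_SSL_CHECKS.add(LOCAL_RESOURCE);
        HOPS_SSL_CHECKS.add(NORMAL_USER_MATERIALIZE_DIR);
        HOPS_SSL_CHECKS.add(SUPER_USER);
    }

    /** Material selected by the last successful {@link #configureCryptoMaterial}; {@code null} until then. */
    private HopsSSLCryptoMaterial configuredCryptoMaterial = null;
    /** Managers built by the most recent {@link #initializeSSLContext}; see {@link #stopReloadingKeyManagers}. */
    private ReloadingX509KeyManager reloadingKeyManager = null;
    private ReloadingX509TrustManager reloadingTrustManager = null;
    private Configuration conf;
    /** Contents of ssl-client.xml (or the file named by {@link SSLFactory#SSL_CLIENT_CONF_KEY}); may be empty. */
    private Configuration sslClientConf;
    /** Keystore path recorded by {@link #configureCryptoMaterial}; also the identity used by {@link #equals}. */
    private String keyStoreFilePath;

    /* loaded from: input_file:WEB-INF/lib/hadoop-common-2.8.2.9.jar:org/apache/hadoop/net/HopsSSLSocketFactory$CryptoKeys.class */
    /** Configuration keys this factory reads, with their defaults and value kind. */
    public enum CryptoKeys {
        KEY_STORE_FILEPATH_KEY("client.rpc.ssl.keystore.filepath", HopsSSLSocketFactory.KEY_STORE_FILEPATH_DEFAULT, PropType.FILEPATH),
        KEY_STORE_PASSWORD_KEY("client.rpc.ssl.keystore.password", HopsSSLSocketFactory.KEY_STORE_PASSWORD_DEFAULT, PropType.LITERAL),
        KEY_PASSWORD_KEY("client.rpc.ssl.keypassword", HopsSSLSocketFactory.KEY_PASSWORD_DEFAULT, PropType.LITERAL),
        TRUST_STORE_FILEPATH_KEY("client.rpc.ssl.truststore.filepath", HopsSSLSocketFactory.TRUST_STORE_FILEPATH_DEFAULT, PropType.FILEPATH),
        TRUST_STORE_PASSWORD_KEY("client.rpc.ssl.truststore.password", HopsSSLSocketFactory.TRUST_STORE_PASSWORD_DEFAULT, PropType.LITERAL),
        SOCKET_ENABLED_PROTOCOL("client.rpc.ssl.enabled.protocol", HopsSSLSocketFactory.SOCKET_ENABLED_PROTOCOL_DEFAULT, PropType.LITERAL),
        CLIENT_MATERIALIZE_DIR("client.materialize.directory", HopsSSLSocketFactory.CLIENT_MATERIALIZE_DIR_DEFAULT, PropType.LITERAL);

        private final String value;
        private final String defaultValue;
        private final PropType type;

        CryptoKeys(String value, String defaultValue, PropType type) {
            this.value = value;
            this.defaultValue = defaultValue;
            this.type = type;
        }

        /**
         * Returns the configuration property name, logging a deprecation warning first
         * if one is registered for this key.
         */
        public String getValue() {
            handleDeprecation();
            return this.value;
        }

        /** Returns the default used when the property is absent. */
        public String getDefaultValue() {
            return this.defaultValue;
        }

        /** Returns whether the property holds a file path or a literal value. */
        public PropType getType() {
            return this.type;
        }

        private void handleDeprecation() {
            String warning = HopsSSLSocketFactory.DEPRECATED_CRYPTO_KEYS.get(this);
            if (warning != null) {
                HopsSSLSocketFactory.LOG.warn(warning);
            }
        }
    }

    /* loaded from: input_file:WEB-INF/lib/hadoop-common-2.8.2.9.jar:org/apache/hadoop/net/HopsSSLSocketFactory$PropType.class */
    /** Kind of value stored under a {@link CryptoKeys} entry. */
    public enum PropType {
        FILEPATH,
        LITERAL
    }

    /**
     * Takes a private copy of {@code configuration} and loads the client SSL resource
     * named by {@link SSLFactory#SSL_CLIENT_CONF_KEY} (default {@code ssl-client.xml}).
     *
     * @throws NullPointerException if {@code configuration} is null
     */
    @Override // org.apache.hadoop.conf.Configurable
    public void setConf(Configuration configuration) {
        this.conf = new Configuration(configuration);
        // loadDefaults=false: only the named resource contributes, not core-default/core-site.
        this.sslClientConf = new Configuration(false);
        this.sslClientConf.addResource(configuration.get(SSLFactory.SSL_CLIENT_CONF_KEY, "ssl-client.xml"));
    }

    /**
     * Resolves the crypto material for the current UGI user and writes its locations and
     * passwords into this factory's configuration.
     *
     * <p>Checks are consulted in {@link #HOPS_SSL_CHECKS} order and the first non-null
     * result is used. On success {@link #FORCE_CONFIGURE} is cleared and
     * {@link #getKeyStoreFilePath()} becomes non-null.
     *
     * @param certificateLocalization passed through to each check
     * @param set passed through to each check; opaque to this class
     * @throws SSLCertificateException if no check yields material, or on an
     *         {@link IOException} from the UGI/check path (cause preserved)
     */
    public void configureCryptoMaterial(CertificateLocalization certificateLocalization, Set<String> set) throws SSLCertificateException {
        // Kept outside the try so the error log can name the user once it is known.
        UserGroupInformation currentUser = null;
        try {
            currentUser = UserGroupInformation.getCurrentUser();
            for (HopsSSLCheck check : HOPS_SSL_CHECKS) {
                this.configuredCryptoMaterial = check.check(currentUser, set, this.conf, certificateLocalization);
                if (this.configuredCryptoMaterial != null) {
                    break;
                }
            }
            if (this.configuredCryptoMaterial == null) {
                String message = "> HopsSSLSocketFactory could not determine cryptographic material for user <" + currentUser.getUserName() + ">. Check your configuration!";
                SSLCertificateException failure = new SSLCertificateException(message);
                LOG.error(message, failure);
                throw failure;
            }
            setTlsConfiguration(this.configuredCryptoMaterial.getKeyStoreLocation(),
                    this.configuredCryptoMaterial.getKeyStorePassword(),
                    this.configuredCryptoMaterial.getKeyPassword(),
                    this.configuredCryptoMaterial.getTrustStoreLocation(),
                    this.configuredCryptoMaterial.getTrustStorePassword(),
                    this.conf);
            this.keyStoreFilePath = this.conf.get(CryptoKeys.KEY_STORE_FILEPATH_KEY.getValue(), KEY_STORE_FILEPATH_DEFAULT);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Finally, the keystore that is used is: " + this.keyStoreFilePath);
            }
            this.conf.setBoolean(FORCE_CONFIGURE, false);
        } catch (IOException e) {
            String user = currentUser != null ? currentUser.getUserName() : "Could not find user from UGI";
            LOG.error("Error while configuring SocketFactory for user <" + user + "> " + e.getMessage(), e);
            throw new SSLCertificateException(e);
        }
    }

    /**
     * Points {@code configuration} at {@code <directory>/<prefix>__kstore.jks} and
     * {@code <directory>/<prefix>__tstore.jks}, using {@link #PASSPHRASE} for all three
     * passwords, and selects this class as the RPC socket factory.
     *
     * @param directory directory holding the material
     * @param prefix file-name prefix the {@link #KEYSTORE_SUFFIX}/{@link #TRUSTSTORE_SUFFIX} are appended to
     * @param configuration configuration to mutate
     */
    public static void configureTlsClient(String directory, String prefix, Configuration configuration) {
        String base = Paths.get(directory, prefix).toString();
        setTlsConfiguration(base + KEYSTORE_SUFFIX, base + TRUSTSTORE_SUFFIX, configuration);
    }

    /**
     * Same contract as {@link #setTlsConfiguration(String, String, String, String, String, Configuration)}.
     */
    public static void configureTlsClient(String keyStorePath, String keyStorePassword, String keyPassword,
            String trustStorePath, String trustStorePassword, Configuration configuration) {
        setTlsConfiguration(keyStorePath, keyStorePassword, keyPassword, trustStorePath, trustStorePassword, configuration);
    }

    /** Convenience overload that applies the hard-coded {@link #PASSPHRASE} to every password slot. */
    private static void setTlsConfiguration(String keyStorePath, String trustStorePath, Configuration configuration) {
        setTlsConfiguration(keyStorePath, PASSPHRASE, PASSPHRASE, trustStorePath, PASSPHRASE, configuration);
    }

    /** Overload that reuses {@code keyStorePassword} as the key password. */
    public static void setTlsConfiguration(String keyStorePath, String keyStorePassword, String trustStorePath,
            String trustStorePassword, Configuration configuration) {
        setTlsConfiguration(keyStorePath, keyStorePassword, keyStorePassword, trustStorePath, trustStorePassword, configuration);
    }

    /**
     * Writes the keystore/truststore locations and passwords under the {@link CryptoKeys}
     * properties and sets {@link CommonConfigurationKeysPublic#HADOOP_RPC_SOCKET_FACTORY_CLASS_DEFAULT_KEY}
     * to this class.
     *
     * @param keyStorePath keystore file path
     * @param keyStorePassword keystore password (stored in clear in {@code configuration})
     * @param keyPassword private-key password (stored in clear in {@code configuration})
     * @param trustStorePath truststore file path
     * @param trustStorePassword truststore password (stored in clear in {@code configuration})
     * @param configuration configuration to mutate
     */
    public static void setTlsConfiguration(String keyStorePath, String keyStorePassword, String keyPassword,
            String trustStorePath, String trustStorePassword, Configuration configuration) {
        configuration.set(CryptoKeys.KEY_STORE_FILEPATH_KEY.getValue(), keyStorePath);
        configuration.set(CryptoKeys.KEY_STORE_PASSWORD_KEY.getValue(), keyStorePassword);
        configuration.set(CryptoKeys.KEY_PASSWORD_KEY.getValue(), keyPassword);
        configuration.set(CryptoKeys.TRUST_STORE_FILEPATH_KEY.getValue(), trustStorePath);
        configuration.set(CryptoKeys.TRUST_STORE_PASSWORD_KEY.getValue(), trustStorePassword);
        configuration.set(CommonConfigurationKeysPublic.HADOOP_RPC_SOCKET_FACTORY_CLASS_DEFAULT_KEY, SOCKET_FACTORY_NAME);
    }

    /** Returns the private copy made by {@link #setConf}; {@code null} before it is called. */
    @Override // org.apache.hadoop.conf.Configurable
    public Configuration getConf() {
        return this.conf;
    }

    /**
     * Stops the key manager and destroys the trust manager created by the most recent
     * socket creation. Safe to call before any socket was created.
     */
    public void stopReloadingKeyManagers() {
        if (this.reloadingKeyManager != null) {
            this.reloadingKeyManager.stop();
        }
        if (this.reloadingTrustManager != null) {
            this.reloadingTrustManager.destroy();
        }
    }

    /**
     * Creates an unconnected TLS socket from a freshly initialised {@link SSLContext}.
     *
     * <p>If {@link #FORCE_CONFIGURE} is set, {@link #setConf} is re-run on the current
     * configuration first, which re-reads ssl-client.xml.
     *
     * @throws IOException if the context cannot be initialised (see {@link #initializeSSLContext})
     * @throws NullPointerException if {@link #configureCryptoMaterial} has not populated the material
     */
    @Override // javax.net.SocketFactory
    public Socket createSocket() throws IOException, UnknownHostException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Creating SSL client socket");
        }
        if (this.conf.getBoolean(FORCE_CONFIGURE, DEFAULT_FORCE_CONFIGURE)) {
            setConf(this.conf);
        }
        return initializeSSLContext().getSocketFactory().createSocket();
    }

    /**
     * Builds an {@link SSLContext} for the configured protocol with reloading key and
     * trust managers.
     *
     * <p>Reload interval and unit come from ssl-client.xml when readable; otherwise the
     * literal defaults below apply. A value of the time-unit property that is not a
     * {@link TimeUnit} name raises {@link IllegalArgumentException} from
     * {@code TimeUnit.valueOf} and is not converted to an {@link IOException} here.
     *
     * <p>NOTE(review): each call replaces {@link #reloadingKeyManager} and
     * {@link #reloadingTrustManager} without stopping the previous instances; if
     * {@code init()} starts a reload thread, repeated {@link #createSocket()} calls leak
     * them — confirm against the reloading manager implementations.
     *
     * @throws IOException wrapping any {@link GeneralSecurityException}
     */
    private SSLContext initializeSSLContext() throws IOException {
        try {
            SSLContext sslContext = SSLContext.getInstance(this.conf.get(CryptoKeys.SOCKET_ENABLED_PROTOCOL.getValue(),
                    CryptoKeys.SOCKET_ENABLED_PROTOCOL.getDefaultValue()));
            // Fallbacks used when ssl-client.xml is absent or unreadable.
            long keyStoreReloadInterval = 10000;
            String reloadTimeUnit = FileBasedKeyStoresFactory.DEFAULT_SSL_KEYSTORE_RELOAD_TIMEUNIT;
            long trustStoreReloadInterval = 10000;
            if (this.sslClientConf != null) {
                try {
                    // Read in this order on purpose: a failure part-way keeps the values already read.
                    keyStoreReloadInterval = this.sslClientConf.getLong(
                            FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.CLIENT, FileBasedKeyStoresFactory.SSL_KEYSTORE_RELOAD_INTERVAL_TPL_KEY),
                            FileBasedKeyStoresFactory.DEFAULT_SSL_KEYSTORE_RELOAD_INTERVAL);
                    reloadTimeUnit = this.sslClientConf.get(
                            FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.CLIENT, FileBasedKeyStoresFactory.SSL_KEYSTORE_RELOAD_TIMEUNIT_TPL_KEY),
                            FileBasedKeyStoresFactory.DEFAULT_SSL_KEYSTORE_RELOAD_TIMEUNIT);
                    trustStoreReloadInterval = this.sslClientConf.getLong(
                            FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.CLIENT, FileBasedKeyStoresFactory.SSL_TRUSTSTORE_RELOAD_INTERVAL_TPL_KEY),
                            FileBasedKeyStoresFactory.DEFAULT_SSL_KEYSTORE_RELOAD_INTERVAL);
                } catch (RuntimeException ignored) {
                    // Deliberate best-effort: a malformed ssl-client.xml must not block socket creation.
                    LOG.warn("ssl-client.xml exists but we can't read it, falling back to default configuration");
                }
            }
            // null SecureRandom: the provider's default source is used.
            sslContext.init(createKeyManagers(keyStoreReloadInterval, TimeUnit.valueOf(reloadTimeUnit)),
                    createTrustManagers(trustStoreReloadInterval), null);
            return sslContext;
        } catch (GeneralSecurityException e) {
            LOG.error("Could not initialize SSLContext with keystore " + this.conf.get(CryptoKeys.KEY_STORE_FILEPATH_KEY.getValue()), e);
            throw new IOException("Error initializing SSLContext", e);
        }
    }

    /**
     * Creates a JKS-backed reloading key manager from the configured material and keeps a
     * reference for {@link #stopReloadingKeyManagers}.
     *
     * <p>NOTE(review): the keystore password is passed twice (store password and the last
     * password argument) although the material also exposes {@code getKeyPassword()}, which
     * {@link #configureCryptoMaterial} uses for the key-password property — confirm against
     * {@link ReloadingX509KeyManager}'s constructor.
     *
     * @param reloadInterval reload interval, in {@code timeUnit}
     * @param timeUnit unit of {@code reloadInterval}
     */
    private KeyManager[] createKeyManagers(long reloadInterval, TimeUnit timeUnit) throws GeneralSecurityException, IOException {
        this.reloadingKeyManager = new ReloadingX509KeyManager("JKS",
                this.configuredCryptoMaterial.getKeyStoreLocation(),
                this.configuredCryptoMaterial.getKeyStorePassword(),
                this.configuredCryptoMaterial.getPasswordFileLocation(),
                this.configuredCryptoMaterial.getKeyStorePassword(),
                reloadInterval, timeUnit);
        if (this.configuredCryptoMaterial.needsReloading()) {
            this.reloadingKeyManager.init();
        }
        return new KeyManager[]{this.reloadingKeyManager};
    }

    /**
     * Creates a JKS-backed reloading trust manager from the configured material and keeps a
     * reference for {@link #stopReloadingKeyManagers}.
     *
     * @param reloadInterval reload interval; the unit is whatever {@link ReloadingX509TrustManager} assumes
     */
    private TrustManager[] createTrustManagers(long reloadInterval) throws GeneralSecurityException, IOException {
        this.reloadingTrustManager = new ReloadingX509TrustManager("JKS",
                this.configuredCryptoMaterial.getTrustStoreLocation(),
                this.configuredCryptoMaterial.getTrustStorePassword(),
                this.configuredCryptoMaterial.getPasswordFileLocation(),
                reloadInterval);
        if (this.configuredCryptoMaterial.needsReloading()) {
            this.reloadingTrustManager.init();
        }
        return new TrustManager[]{this.reloadingTrustManager};
    }

    /** Creates a TLS socket and connects it to {@code host:port} (host is resolved here). */
    @Override // javax.net.SocketFactory
    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        Socket socket = createSocket();
        socket.connect(new InetSocketAddress(host, port));
        return socket;
    }

    /** Creates a TLS socket bound to {@code localAddress:localPort} and connects it to {@code host:port}. */
    @Override // javax.net.SocketFactory
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException, UnknownHostException {
        Socket socket = createSocket();
        socket.bind(new InetSocketAddress(localAddress, localPort));
        socket.connect(new InetSocketAddress(host, port));
        return socket;
    }

    /** Creates a TLS socket and connects it to {@code address:port}. */
    @Override // javax.net.SocketFactory
    public Socket createSocket(InetAddress address, int port) throws IOException {
        Socket socket = createSocket();
        socket.connect(new InetSocketAddress(address, port));
        return socket;
    }

    /** Creates a TLS socket bound to {@code localAddress:localPort} and connects it to {@code address:port}. */
    @Override // javax.net.SocketFactory
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        Socket socket = createSocket();
        socket.bind(new InetSocketAddress(localAddress, localPort));
        socket.connect(new InetSocketAddress(address, port));
        return socket;
    }

    /** Returns the keystore path recorded by {@link #configureCryptoMaterial}, or {@code null} before it ran. */
    public String getKeyStoreFilePath() {
        return this.keyStoreFilePath;
    }

    /**
     * Two factories are equal when their keystore paths are equal (both {@code null}
     * included). Null-safe, unlike a direct {@code String.equals} on an unconfigured factory.
     *
     * <p>NOTE(review): this accepts any subclass via {@code instanceof} while
     * {@link #hashCode()} mixes in {@code getClass()}, so equal instances of different
     * subclasses would hash differently; unchanged here to avoid altering subclass behaviour.
     */
    @Override
    public boolean equals(Object obj) {
        if (!(obj instanceof HopsSSLSocketFactory)) {
            return false;
        }
        HopsSSLSocketFactory other = (HopsSSLSocketFactory) obj;
        return this == other || Objects.equals(other.getKeyStoreFilePath(), getKeyStoreFilePath());
    }

    /** Same value as before for a configured factory; {@code 0} is used for a {@code null} keystore path instead of throwing. */
    @Override
    public int hashCode() {
        return (37 * ((37 * 3) + getClass().hashCode())) + Objects.hashCode(this.keyStoreFilePath);
    }
}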
