package com.datastax.bdp.cassandra.crypto;

import com.datastax.bdp.system.DseSystemKeyspace;
import com.datastax.bdp.util.Addresses;
import com.datastax.bdp.util.CassandraProxyClient;
import com.datastax.dse.byos.shade.com.google.common.collect.Maps;
import com.datastax.dse.byos.shade.org.stringtemplate.v4.STGroup;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.apache.cassandra.config.CFMetaData;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.cql3.QueryProcessor;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.db.KeyspaceNotDefinedException;
import org.apache.cassandra.db.ReadCommand;
import org.apache.cassandra.db.ReadResponse;
import org.apache.cassandra.db.SinglePartitionReadCommand;
import org.apache.cassandra.db.Slices;
import org.apache.cassandra.db.SystemKeyspace;
import org.apache.cassandra.db.filter.ClusteringIndexSliceFilter;
import org.apache.cassandra.db.filter.ColumnFilter;
import org.apache.cassandra.db.marshal.UTF8Type;
import org.apache.cassandra.db.marshal.UUIDType;
import org.apache.cassandra.db.partitions.UnfilteredPartitionIterator;
import org.apache.cassandra.db.partitions.UnfilteredPartitionIterators;
import org.apache.cassandra.exceptions.InvalidRequestException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.exceptions.UnavailableException;
import org.apache.cassandra.net.IAsyncCallback;
import org.apache.cassandra.net.MessageIn;
import org.apache.cassandra.net.MessageOut;
import org.apache.cassandra.net.MessagingService;
import org.apache.cassandra.service.StorageService;
import org.apache.cassandra.thrift.Column;
import org.apache.cassandra.thrift.Compression;
import org.apache.cassandra.thrift.CqlRow;
import org.apache.cassandra.utils.ByteBufferUtil;
import org.apache.cassandra.utils.FBUtilities;
import org.apache.cassandra.utils.Pair;
import org.apache.cassandra.utils.UUIDGen;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.digest.MessageDigestAlgorithms;
import org.apache.commons.lang.ArrayUtils;
import org.apache.thrift.protocol.TMultiplexedProtocol;

/* loaded from: input_file:com/datastax/bdp/cassandra/crypto/ReplicatedKeyProvider.class */
public class ReplicatedKeyProvider implements IMultiKeyProvider {
    private static final int HEADER_VERSION_SIZE = 1;
    private static final int UUID_HASH_SIZE = 16;
    private static final int UUID_SIZE = 16;
    private static final SecureRandom random;
    private final SystemKey systemKey;
    private final LocalFileSystemKeyProvider localKeyProvider;
    private final ThreadLocal<Cipher> systemReadCipher = new ThreadLocal<>();
    private final ThreadLocal<Cipher> systemWriteCipher = new ThreadLocal<>();
    private final ConcurrentMap<String, Pair<UUID, SecretKey>> writeKeys = Maps.newConcurrentMap();
    private final ConcurrentMap<String, SecretKey> readKeys = Maps.newConcurrentMap();
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/crypto/ReplicatedKeyProvider$RemoteReadCallback.class */
    public class RemoteReadCallback implements IAsyncCallback<ReadResponse> {
        final ReadCommand command;
        volatile UnfilteredPartitionIterator results = null;
        CountDownLatch latch = new CountDownLatch(1);

        RemoteReadCallback(ReadCommand readCommand) {
            this.command = readCommand;
        }

        @Override // org.apache.cassandra.net.IAsyncCallback
        public void response(MessageIn<ReadResponse> messageIn) {
            this.results = messageIn.payload.makeIterator(this.command);
            this.latch.countDown();
        }

        @Override // org.apache.cassandra.net.IAsyncCallback
        public boolean isLatencyForSnitch() {
            return false;
        }

        public UnfilteredPartitionIterator getResults() {
            try {
                this.latch.await(DatabaseDescriptor.getReadRpcTimeout(), TimeUnit.MILLISECONDS);
                return this.results;
            } catch (InterruptedException e) {
                throw new AssertionError(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/crypto/ReplicatedKeyProvider$ResultSetRowWrapper.class */
    public static class ResultSetRowWrapper implements RowWrapper {
        private final UntypedResultSet.Row row;

        private ResultSetRowWrapper(UntypedResultSet.Row row) {
            this.row = row;
        }

        @Override // com.datastax.bdp.cassandra.crypto.ReplicatedKeyProvider.RowWrapper
        public UUID getUUID(String str) {
            return this.row.getUUID(str);
        }

        @Override // com.datastax.bdp.cassandra.crypto.ReplicatedKeyProvider.RowWrapper
        public String getString(String str) {
            return this.row.getString(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/crypto/ReplicatedKeyProvider$RowWrapper.class */
    public interface RowWrapper {
        UUID getUUID(String str);

        String getString(String str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/crypto/ReplicatedKeyProvider$ThriftRowWrapper.class */
    public static class ThriftRowWrapper implements RowWrapper {
        private final CqlRow row;

        private ThriftRowWrapper(CqlRow cqlRow) {
            this.row = cqlRow;
        }

        private ByteBuffer getFieldBuffer(String str) {
            for (Column column : this.row.getColumns()) {
                if (str.equals(new String(column.getName()))) {
                    return column.bufferForValue();
                }
            }
            throw new IllegalArgumentException("Row does not include the column: " + str);
        }

        @Override // com.datastax.bdp.cassandra.crypto.ReplicatedKeyProvider.RowWrapper
        public UUID getUUID(String str) {
            return UUIDType.instance.compose(getFieldBuffer(str));
        }

        @Override // com.datastax.bdp.cassandra.crypto.ReplicatedKeyProvider.RowWrapper
        public String getString(String str) {
            return UTF8Type.instance.compose(getFieldBuffer(str));
        }
    }

    public ReplicatedKeyProvider(SystemKey systemKey, File file) throws IOException {
        LocalFileSystemKeyProvider localFileSystemKeyProvider;
        if (!$assertionsDisabled && systemKey == null) {
            throw new AssertionError();
        }
        this.systemKey = systemKey;
        try {
            localFileSystemKeyProvider = new LocalFileSystemKeyProvider(file);
        } catch (IOException e) {
            localFileSystemKeyProvider = null;
        }
        this.localKeyProvider = localFileSystemKeyProvider;
    }

    private void fetchRemoteKeys() {
        CFMetaData cFMetaData = DseSystemKeyspace.EncryptedKeys;
        SinglePartitionReadCommand create = SinglePartitionReadCommand.create(cFMetaData, FBUtilities.nowInSeconds(), cFMetaData.decorateKey(ByteBufferUtil.bytes(this.systemKey.getName())), ColumnFilter.all(cFMetaData), new ClusteringIndexSliceFilter(Slices.ALL, false));
        MessageOut messageOut = new MessageOut(MessagingService.Verb.READ, create, ReadCommand.serializer);
        for (InetAddress inetAddress : SystemKeyspace.loadHostIds().keySet()) {
            if (!Addresses.Internode.isLocalEndpoint(inetAddress)) {
                RemoteReadCallback remoteReadCallback = new RemoteReadCallback(create);
                MessagingService.instance().sendRR(messageOut, inetAddress, remoteReadCallback);
                UnfilteredPartitionIterator results = remoteReadCallback.getResults();
                if (results != null) {
                    Iterator<UntypedResultSet.Row> it = QueryProcessor.resultify(String.format("SELECT * FROM %s.%s", "dse_system", DseSystemKeyspace.ENCRYPTED_KEYS), UnfilteredPartitionIterators.filter(results, FBUtilities.nowInSeconds())).iterator();
                    while (it.hasNext()) {
                        UntypedResultSet.Row next = it.next();
                        String mapKey = getMapKey(next.getString("cipher"), next.getInt("strength"), next.getUUID("key_id"));
                        String mapKey2 = getMapKey(next.getString("cipher"), next.getInt("strength"));
                        try {
                            SecretKey decodeKey = decodeKey(next.getString(STGroup.DICT_KEY), next.getString("cipher"));
                            this.readKeys.put(mapKey, decodeKey);
                            this.writeKeys.putIfAbsent(mapKey2, Pair.create(next.getUUID("key_id"), decodeKey));
                        } catch (IOException e) {
                            throw new AssertionError(e);
                        }
                    }
                    return;
                }
            }
        }
    }

    private static RowWrapper querySingleRow(String str, boolean z) throws KeyAccessException {
        if (!Boolean.getBoolean("dse.replicatedkeyprovider.usethrift")) {
            try {
                UntypedResultSet executeOnceInternal = z ? QueryProcessor.executeOnceInternal(str, new Object[0]) : QueryProcessor.process(str, ConsistencyLevel.ONE);
                if (executeOnceInternal == null || executeOnceInternal.size() <= 0) {
                    return null;
                }
                return new ResultSetRowWrapper(executeOnceInternal.one());
            } catch (RequestValidationException e) {
                throw new KeyAccessException(e);
            }
        }
        if (!$assertionsDisabled && z) {
            throw new AssertionError();
        }
        try {
            List<CqlRow> rows = new CassandraProxyClient.Builder().setFromSystemProperties().newProxyConnection().execute_cql3_query(ByteBuffer.wrap(str.getBytes()), Compression.NONE, org.apache.cassandra.thrift.ConsistencyLevel.ONE).getRows();
            if (rows == null || rows.size() <= 0) {
                return null;
            }
            return new ThriftRowWrapper(rows.get(0));
        } catch (Exception e2) {
            throw new KeyAccessException(e2);
        }
    }

    private static RowWrapper querySingleRow(String str) throws KeyAccessException {
        return querySingleRow(str, false);
    }

    private static RowWrapper querySingleRowWithLocalRetry(String str) throws KeyAccessException {
        if (StorageService.instance.isStarting() && !Boolean.getBoolean("dse.replicatedkeyprovider.usethrift")) {
            return querySingleRow(str, true);
        }
        try {
            return querySingleRow(str, false);
        } catch (UnavailableException e) {
            return querySingleRow(str, true);
        }
    }

    @Override // com.datastax.bdp.cassandra.crypto.IKeyProvider
    public SecretKey getSecretKey(String str, int i) throws KeyAccessException, KeyGenerationException {
        try {
            return getWriteKey(getKeyType(str), i).right;
        } catch (Throwable th) {
            if (((th.getCause() instanceof KeyspaceNotDefinedException) || (th.getCause() instanceof InvalidRequestException)) && this.localKeyProvider != null) {
                return this.localKeyProvider.getSecretKey(str, i);
            }
            throw th;
        }
    }

    private SecretKey generateNewKey(String str, int i) throws IOException, NoSuchAlgorithmException {
        KeyGenerator keyGenerator = KeyGenerator.getInstance(getKeyType(str));
        keyGenerator.init(i, random);
        return keyGenerator.generateKey();
    }

    private String getMapKey(String str, int i) {
        return str + TMultiplexedProtocol.SEPARATOR + i;
    }

    private String getMapKey(String str, int i, UUID uuid) {
        return getMapKey(str, i) + TMultiplexedProtocol.SEPARATOR + uuid;
    }

    private static String getKeyType(String str) {
        return str.replaceAll("/.*", "");
    }

    private String encodeKey(SecretKey secretKey) throws IOException {
        return Base64.encodeBase64String(this.systemKey.encrypt(secretKey.getEncoded()));
    }

    private SecretKey decodeKey(String str, String str2) throws IOException {
        return new SecretKeySpec(this.systemKey.decrypt(Base64.decodeBase64(str)), getKeyType(str2));
    }

    private Pair<UUID, SecretKey> getWriteKey(String str, int i) throws KeyGenerationException, KeyAccessException {
        String mapKey = getMapKey(str, i);
        Pair<UUID, SecretKey> pair = this.writeKeys.get(mapKey);
        if (pair == null && StorageService.instance.isBootstrapMode()) {
            fetchRemoteKeys();
            pair = this.writeKeys.get(mapKey);
        }
        if (pair == null) {
            RowWrapper querySingleRowWithLocalRetry = querySingleRowWithLocalRetry(String.format("SELECT * FROM %s.%s WHERE key_file='%s' AND cipher='%s' AND strength=%s LIMIT 1;", "dse_system", DseSystemKeyspace.ENCRYPTED_KEYS, this.systemKey.getName(), str, Integer.valueOf(i)));
            if (querySingleRowWithLocalRetry != null) {
                UUID uuid = querySingleRowWithLocalRetry.getUUID("key_id");
                try {
                    SecretKey decodeKey = decodeKey(querySingleRowWithLocalRetry.getString(STGroup.DICT_KEY), str);
                    pair = Pair.create(uuid, decodeKey);
                    Pair<UUID, SecretKey> putIfAbsent = this.writeKeys.putIfAbsent(mapKey, pair);
                    this.readKeys.put(getMapKey(str, i, uuid), decodeKey);
                    if (putIfAbsent != null) {
                        pair = putIfAbsent;
                    }
                } catch (IOException e) {
                    throw new KeyAccessException(e);
                }
            } else {
                UUID timeUUID = UUIDGen.getTimeUUID();
                try {
                    SecretKey generateNewKey = generateNewKey(str, i);
                    try {
                        querySingleRow(String.format("INSERT INTO %s.%s (key_file, cipher, strength, key_id, key) VALUES ('%s', '%s', %s, %s, '%s')", "dse_system", DseSystemKeyspace.ENCRYPTED_KEYS, this.systemKey.getName(), str, Integer.valueOf(i), timeUUID.toString(), encodeKey(generateNewKey)));
                        pair = Pair.create(timeUUID, generateNewKey);
                        this.writeKeys.put(mapKey, pair);
                        this.readKeys.put(getMapKey(str, i, timeUUID), generateNewKey);
                    } catch (IOException e2) {
                        throw new KeyGenerationException(e2);
                    }
                } catch (IOException | NoSuchAlgorithmException e3) {
                    throw new KeyGenerationException(e3);
                }
            }
        }
        return pair;
    }

    private SecretKey getReadKey(String str, int i, UUID uuid) throws KeyAccessException {
        String mapKey = getMapKey(str, i, uuid);
        SecretKey secretKey = this.readKeys.get(mapKey);
        if (secretKey == null && StorageService.instance.isBootstrapMode()) {
            fetchRemoteKeys();
            secretKey = this.readKeys.get(mapKey);
        }
        if (secretKey == null) {
            RowWrapper querySingleRowWithLocalRetry = querySingleRowWithLocalRetry(String.format("SELECT * FROM %s.%s WHERE key_file='%s' AND cipher='%s' AND strength=%s AND key_id=%s;", "dse_system", DseSystemKeyspace.ENCRYPTED_KEYS, this.systemKey.getName(), str, Integer.valueOf(i), uuid));
            if (querySingleRowWithLocalRetry == null) {
                throw new KeyAccessException(String.format("Unable to find key for cipher=%s strength=%s id=%s", str, Integer.valueOf(i), uuid));
            }
            try {
                secretKey = decodeKey(querySingleRowWithLocalRetry.getString(STGroup.DICT_KEY), str);
                this.readKeys.put(mapKey, secretKey);
            } catch (IOException e) {
                throw new KeyAccessException(e);
            }
        }
        return secretKey;
    }

    @Override // com.datastax.bdp.cassandra.crypto.IMultiKeyProvider
    public SecretKey writeHeader(String str, int i, ByteBuffer byteBuffer) throws KeyGenerationException, KeyAccessException {
        try {
            Pair<UUID, SecretKey> writeKey = getWriteKey(getKeyType(str), i);
            ByteBuffer allocate = ByteBuffer.allocate(16);
            allocate.putLong(writeKey.left.getMostSignificantBits());
            allocate.putLong(writeKey.left.getLeastSignificantBits());
            try {
                byte[] digest = MessageDigest.getInstance(MessageDigestAlgorithms.MD5).digest(allocate.array());
                byteBuffer.put((byte) 0);
                byteBuffer.put(allocate.array());
                byteBuffer.put(digest);
                return writeKey.right;
            } catch (NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            }
        } catch (Throwable th) {
            if (((th.getCause() instanceof KeyspaceNotDefinedException) || (th.getCause() instanceof InvalidRequestException)) && this.localKeyProvider != null) {
                return this.localKeyProvider.getSecretKey(str, i);
            }
            throw th;
        }
    }

    @Override // com.datastax.bdp.cassandra.crypto.IMultiKeyProvider
    public SecretKey readHeader(String str, int i, ByteBuffer byteBuffer) throws KeyAccessException, KeyGenerationException {
        SecretKey secretKey = null;
        ByteBuffer duplicate = byteBuffer.duplicate();
        if (duplicate.get() == 0 && duplicate.limit() >= 32) {
            byte[] bArr = new byte[16];
            duplicate.get(bArr);
            byte[] bArr2 = new byte[16];
            duplicate.get(bArr2);
            try {
                if (ArrayUtils.isEquals(bArr2, MessageDigest.getInstance(MessageDigestAlgorithms.MD5).digest(bArr))) {
                    ByteBuffer wrap = ByteBuffer.wrap(bArr);
                    secretKey = getReadKey(getKeyType(str), i, new UUID(wrap.getLong(), wrap.getLong()));
                    byteBuffer.position(duplicate.position());
                }
            } catch (NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            }
        }
        if (secretKey == null) {
            if (this.localKeyProvider == null) {
                throw new KeyAccessException(String.format("Unable to find key for cipher=%s strength=%s", str, Integer.valueOf(i)));
            }
            secretKey = this.localKeyProvider.getSecretKey(str, i);
        }
        return secretKey;
    }

    @Override // com.datastax.bdp.cassandra.crypto.IMultiKeyProvider
    public int headerLength() {
        return 33;
    }

    static {
        $assertionsDisabled = !ReplicatedKeyProvider.class.desiredAssertionStatus();
        random = new SecureRandom();
    }
}
