package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.gms.VersionBarrier;
import com.datastax.bdp.system.TimeSource;
import com.datastax.bdp.transport.server.KerberosServerUtils;
import com.datastax.dse.byos.shade.com.google.common.base.Preconditions;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOError;
import java.io.IOException;
import java.time.Duration;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;
import java.util.Random;
import java.util.UUID;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.exceptions.RequestValidationException;
import org.apache.cassandra.utils.Pair;
import org.apache.cassandra.utils.UUIDGen;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.apache.hadoop.security.token.delegation.DelegationKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  
 */
/* loaded from: input_file:com/datastax/bdp/cassandra/auth/CassandraDelegationTokenSecretManager.class */
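/**
 * Delegation-token secret manager that keeps token secrets in a {@link DigestTokensManager}
 * store instead of the in-memory state of {@link AbstractDelegationTokenSecretManager}.
 *
 * <p>The token "password" is the 16 bytes of a random (type 4) {@link UUID}; the identifier's
 * master-key id and sequence number are filled from a plain {@link Random} and must be treated
 * as identifiers only, never as secrets.
 *
 * <p>All store reads and writes use {@code LOCAL_QUORUM}. Methods that touch the store are
 * {@code synchronized} on this instance.
 *
 * <p>NOTE(review): this listing is decompiler output; {@code $assertionsDisabled} and the
 * {@code m418}/{@code m419} method names are decompiler artifacts and are kept unchanged.
 */
public class CassandraDelegationTokenSecretManager extends AbstractDelegationTokenSecretManager<CassandraDelegationTokenIdentifier> {
    private static final Logger logger;
    // Not a CSPRNG: only used for masterKeyId / sequenceNumber, which are identifiers, not secrets.
    private static final Random randomGen;
    final long tokenMaxLifetime;
    final long tokenRenewInterval;
    private ConsistencyLevel consistencyLevelRead;
    private ConsistencyLevel consistencyLevelWrite;
    private DigestTokensManager digestTokensManager;
    private TimeSource clock;
    static final /* synthetic */ boolean $assertionsDisabled;

    /**
     * Creates the manager.
     *
     * @param j maximum token lifetime in milliseconds; must be at least one second
     * @param j2 token renew interval in milliseconds; must be at least one second
     * @param digestTokensManager store used to create, read, update and delete tokens
     * @param timeSource clock used for issue dates and expiry checks
     * @throws IllegalArgumentException if either duration is shorter than one second
     */
    public CassandraDelegationTokenSecretManager(long j, long j2, DigestTokensManager digestTokensManager, TimeSource timeSource) {
        // First superclass argument is 0 and the last is one hour; the superclass threads are
        // never started here (startThreads() is a no-op).
        super(0L, j, j2, Duration.ofHours(1L).toMillis());
        this.consistencyLevelRead = ConsistencyLevel.LOCAL_QUORUM;
        this.consistencyLevelWrite = ConsistencyLevel.LOCAL_QUORUM;
        Preconditions.checkArgument(toSeconds(j) >= 1, "Delegation token max life time must be at least 1000 ms (1 second)");
        Preconditions.checkArgument(toSeconds(j2) >= 1, "Delegation token renew interval must be at least 1000 ms (1 second)");
        this.digestTokensManager = digestTokensManager;
        this.tokenMaxLifetime = j;
        this.tokenRenewInterval = j2;
        this.clock = timeSource;
        logger.info("Created CassandraDelegationTokenSecretManager with token max-life: {} and renewal interval: {}", ch.qos.logback.core.util.Duration.buildByMilliseconds(j), ch.qos.logback.core.util.Duration.buildByMilliseconds(j2));
    }

    /**
     * Returns a new, empty token identifier.
     */
    /* renamed from: createIdentifier, reason: merged with bridge method [inline-methods] */
    public CassandraDelegationTokenIdentifier m419createIdentifier() {
        return new CassandraDelegationTokenIdentifier();
    }

    /**
     * Does nothing: this implementation never stores delegation keys.
     */
    public void addKey(DelegationKey delegationKey) throws IOException {
    }

    /**
     * Decodes the identifier carried by {@code token} and cancels it on behalf of {@code str}.
     *
     * @throws IOException if the identifier cannot be decoded, the caller is not authorized
     *     or the store rejects the delete
     */
    public CassandraDelegationTokenIdentifier cancelToken(Token<CassandraDelegationTokenIdentifier> token, String str) throws IOException {
        return cancelToken(getIdentifier(token), str);
    }

    /**
     * Cancels a token if {@code str} is the token's user, or if the token has a renewer and the
     * service name derived from {@code str} equals it.
     *
     * @param cassandraDelegationTokenIdentifier identifier of the token to cancel
     * @param str name of the principal requesting the cancellation
     * @return the cancelled identifier
     * @throws AccessControlException if {@code str} is neither owner nor renewer
     * @throws IOException if the store rejects the delete
     */
    public CassandraDelegationTokenIdentifier cancelToken(CassandraDelegationTokenIdentifier cassandraDelegationTokenIdentifier, String str) throws IOException {
        logger.info("User {} requested removal of token: {}", str, CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
        String cancellerService = (String) Optional.ofNullable(str).map(KerberosServerUtils::getOrExtractServiceName).orElse(null);
        // NOTE(review): a null canceller compares equal to a null user name here (Objects.equals),
        // and getUser() is dereferenced unchecked. Confirm that callers never pass null and that
        // identifiers always carry an owner.
        boolean isOwner = Objects.equals(str, cassandraDelegationTokenIdentifier.getUser().getUserName());
        boolean isRenewer = cassandraDelegationTokenIdentifier.hasRenewer()
                && Objects.equals(cancellerService, cassandraDelegationTokenIdentifier.getRenewer().toString());
        if (isOwner || isRenewer) {
            return cancelToken(cassandraDelegationTokenIdentifier);
        }
        throw new AccessControlException(String.format("%s is not authorized to cancel the token %s", str, CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier)));
    }

    /**
     * Deletes the token from the store without any authorization check; callers must have
     * authorized the request already.
     *
     * @return the identifier that was passed in
     * @throws IOException wrapping the store failure
     */
    public synchronized CassandraDelegationTokenIdentifier cancelToken(CassandraDelegationTokenIdentifier cassandraDelegationTokenIdentifier) throws IOException {
        try {
            this.digestTokensManager.deleteTokenById(cassandraDelegationTokenIdentifier.getBytes(), this.consistencyLevelWrite);
            logger.info("Removed token: {}", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
            return cassandraDelegationTokenIdentifier;
        } catch (VersionBarrier.UpgradingException | RequestExecutionException | RequestValidationException e) {
            throw new IOException(String.format("Failed to remove token: %s", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier)), e);
        }
    }

    /**
     * Stamps the identifier (issue date, max date, master-key id, sequence number), generates a
     * fresh secret and persists both in the store.
     *
     * @param cassandraDelegationTokenIdentifier identifier to stamp; mutated by this call
     * @return the 16-byte secret for the new token
     * @throws IOError if the store rejects the write
     */
    public synchronized byte[] createPassword(CassandraDelegationTokenIdentifier cassandraDelegationTokenIdentifier) {
        try {
            long now = this.clock.currentTimeMillis();
            cassandraDelegationTokenIdentifier.setIssueDate(now);
            cassandraDelegationTokenIdentifier.setMaxDate(now + this.tokenMaxLifetime);
            // Identifiers only: java.util.Random output is predictable and must not be relied on
            // for secrecy or unguessability of the token.
            cassandraDelegationTokenIdentifier.setMasterKeyId(randomGen.nextInt());
            cassandraDelegationTokenIdentifier.setSequenceNumber(randomGen.nextInt());
            byte[] idBytes = cassandraDelegationTokenIdentifier.getBytes();
            // The secret itself: UUID.randomUUID() draws from a cryptographically strong PRNG and
            // yields 122 random bits.
            byte[] secret = UUIDGen.decompose(UUID.randomUUID());
            // presumably the Duration is the row TTL that enforces the max lifetime — confirm in DigestTokensManager
            this.digestTokensManager.createToken(idBytes, secret, Duration.ofMillis(this.tokenMaxLifetime), this.consistencyLevelWrite, now);
            logger.info("Created token: {}", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
            return secret;
        } catch (VersionBarrier.UpgradingException | RequestExecutionException | RequestValidationException e) {
            throw new IOError(e);
        }
    }

    /**
     * Always reports the manager as running; there are no background threads to start.
     */
    public boolean isRunning() {
        return true;
    }

    /**
     * Decodes the identifier carried by {@code token} and renews it on behalf of {@code str}.
     *
     * @return the new expiry time in milliseconds
     * @throws IOException if the identifier cannot be decoded, the caller is not authorized,
     *     the token is unknown or the store rejects the update
     */
    public long renewToken(Token<CassandraDelegationTokenIdentifier> token, String str) throws IOException {
        return renewToken(getIdentifier(token), str);
    }

    /**
     * Renews a token if it has a renewer and the service name derived from {@code str} equals it.
     * Unlike cancellation, the token's owner is not allowed to renew.
     *
     * @param cassandraDelegationTokenIdentifier identifier of the token to renew
     * @param str name of the principal requesting the renewal
     * @return the new expiry time in milliseconds
     * @throws AccessControlException if the caller is not the token's renewer
     * @throws IOException if the token is unknown or the store rejects the update
     */
    public long renewToken(CassandraDelegationTokenIdentifier cassandraDelegationTokenIdentifier, String str) throws IOException {
        logger.info("User {} requested renewal of token: {}", str, CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
        String renewerService = (String) Optional.ofNullable(str).map(KerberosServerUtils::getOrExtractServiceName).orElse(null);
        if (cassandraDelegationTokenIdentifier.hasRenewer() && Objects.equals(cassandraDelegationTokenIdentifier.getRenewer().toString(), renewerService)) {
            return renewToken(cassandraDelegationTokenIdentifier);
        }
        throw new AccessControlException(String.format("User %s is not authorized to renew a token: %s", renewerService, CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier)));
    }

    /**
     * Rewrites the stored token with the time remaining until its max date, without any
     * authorization check; callers must have authorized the request already.
     *
     * @return current time plus the renew interval, in milliseconds
     * @throws SecretManager.InvalidToken if the token is not in the store or has less than one
     *     second left before its max date
     * @throws IOException wrapping the store failure
     */
    public synchronized long renewToken(CassandraDelegationTokenIdentifier cassandraDelegationTokenIdentifier) throws IOException {
        try {
            long now = this.clock.currentTimeMillis();
            Optional<Pair<byte[], Long>> stored = this.digestTokensManager.getPasswordById(cassandraDelegationTokenIdentifier.getBytes(), this.consistencyLevelRead);
            int remainingSeconds = toSeconds(cassandraDelegationTokenIdentifier.getMaxDate() - now);
            if (!stored.isPresent() || remainingSeconds < 1) {
                throw new SecretManager.InvalidToken(String.format("Failed to renew token: Token not found: %s", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier)));
            }
            // The existing secret is kept; only the remaining lifetime and the renewal timestamp change.
            this.digestTokensManager.updateToken(cassandraDelegationTokenIdentifier.getBytes(), stored.get().left, Duration.ofSeconds(remainingSeconds), this.consistencyLevelWrite, now);
            logger.info("Renewed token: {}", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
            // NOTE(review): the returned value is not capped at the token's max date — confirm callers treat it as advisory.
            return now + this.tokenRenewInterval;
        } catch (VersionBarrier.UpgradingException | RequestExecutionException | RequestValidationException e) {
            throw new IOException(String.format("Failed to renew token: %s", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier)), e);
        }
    }

    /**
     * Returns the stored secret for a token whose last renewal is still within the renew interval.
     *
     * @throws SecretManager.InvalidToken if the token is not in the store or its renew interval
     *     has elapsed
     */
    public synchronized byte[] retrievePassword(CassandraDelegationTokenIdentifier cassandraDelegationTokenIdentifier) throws SecretManager.InvalidToken {
        logger.debug("Requested password of token: {}", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
        long now = this.clock.currentTimeMillis();
        Optional<Pair<byte[], Long>> stored = this.digestTokensManager.getPasswordById(cassandraDelegationTokenIdentifier.getBytes(), this.consistencyLevelRead);
        if (stored.isPresent()) {
            long lastRenewal = stored.get().right.longValue();
            byte[] secret = stored.get().left;
            if (lastRenewal + this.tokenRenewInterval > now) {
                return secret;
            }
            logger.info("Attempted to retrieve an expired token: {}", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
        } else {
            // Log "invalid identifier" only for a genuinely unknown token, so an expired token does
            // not produce two contradictory audit lines.
            logger.info("Attempted to retrieve a token with invalid identifier: {}", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
        }
        throw new SecretManager.InvalidToken(CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
    }

    /**
     * Returns the renewal timestamp stored with the token, or empty if the token is unknown.
     */
    public synchronized Optional<Long> getLastRenewalTime(CassandraDelegationTokenIdentifier cassandraDelegationTokenIdentifier) {
        return this.digestTokensManager.getPasswordById(cassandraDelegationTokenIdentifier.getBytes(), this.consistencyLevelRead).map(pair -> (Long) pair.right);
    }

    /**
     * Deserializes the identifier bytes carried by {@code token}. The bytes come from the client
     * and are not authenticated at this point.
     *
     * @throws IOException if the bytes cannot be parsed
     */
    public CassandraDelegationTokenIdentifier getIdentifier(Token<?> token) throws IOException {
        CassandraDelegationTokenIdentifier identifier = new CassandraDelegationTokenIdentifier();
        identifier.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
        return identifier;
    }

    /**
     * Does nothing: this implementation runs no background threads.
     */
    public void startThreads() throws IOException {
    }

    /**
     * Does nothing: this implementation runs no background threads.
     */
    public void stopThreads() {
    }

    /**
     * Checks a presented secret against the stored one.
     *
     * @param cassandraDelegationTokenIdentifier identifier of the token being verified
     * @param bArr secret presented by the client
     * @throws SecretManager.InvalidToken if the token is unknown or expired, the stored secret is
     *     missing or empty, or the presented secret does not match
     */
    public synchronized void verifyToken(CassandraDelegationTokenIdentifier cassandraDelegationTokenIdentifier, byte[] bArr) throws SecretManager.InvalidToken {
        byte[] storedSecret = retrievePassword(cassandraDelegationTokenIdentifier);
        if (!$assertionsDisabled && (storedSecret == null || storedSecret.length <= 0)) {
            throw new AssertionError();
        }
        // Fail closed when assertions are off: a null or empty stored secret would otherwise
        // compare equal to a null or empty presented secret and authenticate the caller.
        if (storedSecret == null || storedSecret.length == 0) {
            logger.info("Attempted to verify a token: {} with an invalid password", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
            throw new SecretManager.InvalidToken(CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
        }
        // MessageDigest.isEqual does not return early on the first differing byte, unlike
        // Arrays.equals, so the comparison time does not reveal how much of the secret matched.
        if (java.security.MessageDigest.isEqual(bArr, storedSecret)) {
            logger.debug("Successfully verified a token: {}", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
        } else {
            logger.info("Attempted to verify a token: {} with an invalid password", CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
            throw new SecretManager.InvalidToken(CassandraDelegationTokenIdentifier.toStringFromId((TokenIdentifier) cassandraDelegationTokenIdentifier));
        }
    }

    /**
     * Converts milliseconds to whole seconds, saturating at the {@code int} range so that a very
     * large duration cannot wrap to a negative or small value and pass for an expired token.
     */
    private static int toSeconds(long j) {
        long seconds = Duration.ofMillis(j).getSeconds();
        return (int) Math.max(Integer.MIN_VALUE, Math.min(Integer.MAX_VALUE, seconds));
    }

    /* renamed from: cancelToken, reason: collision with other method in class */
    public /* bridge */ /* synthetic */ AbstractDelegationTokenIdentifier m418cancelToken(Token token, String str) throws IOException {
        return cancelToken((Token<CassandraDelegationTokenIdentifier>) token, str);
    }

    static {
        $assertionsDisabled = !CassandraDelegationTokenSecretManager.class.desiredAssertionStatus();
        logger = LoggerFactory.getLogger(CassandraDelegationTokenSecretManager.class);
        // Seeded from a random UUID; still a linear congruential generator, so outputs are
        // predictable once a few values are observed.
        randomGen = new Random(UUID.randomUUID().getLeastSignificantBits());
    }
}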
