package com.mapr.data.gateway;

import com.mapr.baseutils.cldbutils.CLDBRpcCommonUtils;
import com.mapr.security.JNISecurity;
import com.mapr.security.Security;
import com.mapr.web.security.SslConfig;
import com.mapr.web.security.WebSecurityConfig;
import com.mapr.web.security.WebSecurityManager;
import io.grpc.netty.shaded.io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContext;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslContextBuilder;
import io.grpc.netty.shaded.io.netty.handler.ssl.SslProvider;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Locale;
import javax.net.ssl.KeyManagerFactory;
import org.apache.commons.lang.StringUtils;
import org.ojai.Document;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/mapr/data/gateway/SecurityProvider.class */
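/**
 * Static holder for the gateway's security bootstrap: loads the cluster ticket on a secured
 * cluster, resolves the SSL keystore passphrase, and builds the server-side {@link SslContext}
 * used by the gRPC service.
 *
 * <p>Security-relevant properties visible in this class:
 * <ul>
 *   <li>The keystore passphrase is kept for the life of the process in the package-private
 *       static {@link #keyStorePassphrase}; any class in this package can read or replace it.</li>
 *   <li>A configured passphrase may be plain text or carry the {@code OBF:} prefix. The
 *       {@code OBF:} form is decoded without any key (see {@link #deobfuscate(String)}), so it
 *       only hides the value from casual viewing; the configuration file still has to be
 *       protected by file permissions.</li>
 *   <li>Only the protocols listed in {@link #TLS_PROTOCOLS} are enabled on the server context.</li>
 * </ul>
 *
 * <p>{@link #init(Document)} is not synchronized: the {@code initialized} flag is volatile, but
 * two threads that call it concurrently before the flag is set can both run the initialization.
 */
public final class SecurityProvider {
    private static final String SSL_OPTION_CLUSTER = "cluster";
    private static final String SSL_PROVIDER_JDK = "jdk";
    private static final String SSL_PROVIDER_OPENSSL = "openssl";
    private static final String KS_TYPE_PKCS12 = "pkcs12";
    private static final String ALGO_SUN_X509 = "SunX509";
    private static final String KS_TYPE_JKS = "jks";
    private static final String ALGO_PKIX = "PKIX";
    // Prefix marking a passphrase value that must be run through deobfuscate().
    private static final String OBFUSCATE_MAGIC = "OBF:";
    // Keystore passphrase resolved by init(); null until SSL initialization has succeeded.
    static char[] keyStorePassphrase;
    private static volatile boolean initialized;
    private static final Logger log = LoggerFactory.getLogger(SecurityProvider.class);
    private static final String MAPR_IMPERSONATION_ENABLED = System.getenv("MAPR_IMPERSONATION_ENABLED");
    // The only protocol versions offered by the server context; TLSv1.3 is not in the list.
    private static final String[] TLS_PROTOCOLS = {"TLSv1.2"};
    private static final String DEFAULT_CLUSTER_NAME = CLDBRpcCommonUtils.getInstance().getCurrentClusterName();
    private static final boolean IS_CLUSTER_SECURED = JNISecurity.IsSecurityEnabled(DEFAULT_CLUSTER_NAME);
    private static final String MAPR_CONF_DIR = WebSecurityConfig.CONFIG.getMaprHome() + "/conf/";

    static {
        log.info("Default cluster: {}, secured: {}", DEFAULT_CLUSTER_NAME, IS_CLUSTER_SECURED);
    }

    private SecurityProvider() {
    }

    /**
     * Returns the cluster name captured from {@code CLDBRpcCommonUtils} when this class was loaded.
     *
     * @return the current cluster name as of class initialization
     */
    public static String getDefaultClusterName() {
        return DEFAULT_CLUSTER_NAME;
    }

    /**
     * Reports whether security was enabled for the default cluster when this class was loaded.
     *
     * @return {@code true} if {@code JNISecurity.IsSecurityEnabled} returned true for the default cluster
     */
    public static boolean isClusterSecured() {
        return IS_CLUSTER_SECURED;
    }

    /**
     * Performs one-time security initialization; later calls return immediately.
     *
     * <p>On a secured cluster the ticket/key file is registered and the cluster ticket is adopted
     * as the server ticket. If SSL is enabled, the keystore passphrase is taken from the gateway
     * configuration when present, otherwise from {@code WebSecurityManager}'s {@code SslConfig}.
     *
     * @param document gateway configuration
     * @throws RuntimeException if SSL is enabled and no keystore passphrase could be resolved
     * @throws IllegalArgumentException if the SSL option or an {@code OBF:} passphrase is malformed
     */
    public static void init(Document document) {
        if (initialized) {
            return;
        }
        if (IS_CLUSTER_SECURED) {
            File ticketFile = new File(JNISecurity.GetUserTicketAndKeyFileLocation());
            if (ticketFile.exists()) {
                int errno = Security.SetTicketAndKeyFile(ticketFile.toString());
                if (errno == 0) {
                    JNISecurity.UseClusterTicketAsServerTicketInternal();
                } else {
                    // NOTE(review): initialization continues and is marked complete even though
                    // the ticket was not accepted; confirm that failing open here is intended.
                    log.error("SetTicketAndKeyFile returned Errno: {}", errno);
                }
            } else {
                // Previously silent: make the skipped ticket setup visible to operators.
                log.warn("Ticket and key file '{}' not found; skipping SetTicketAndKeyFile.", ticketFile);
            }
            if (StringUtils.isBlank(MAPR_IMPERSONATION_ENABLED)) {
                log.warn("Environment variable MAPR_IMPERSONATION_ENABLED is not set. Impersonation will not be supported.");
            }
        }
        if (isSslEnabled(document)) {
            String configured = Configs.getString(document, Configs.MAPR_DAG_SSL_KEYSTORE_PASSPHRASE, null);
            if (configured != null) {
                keyStorePassphrase = deobfuscate(configured).toCharArray();
            } else {
                // NOTE(review): the array returned by getServerKeystorePassword() is retained after
                // the SslConfig is closed; confirm close() does not clear it.
                try (SslConfig sslConfig = WebSecurityManager.getSslConfig()) {
                    keyStorePassphrase = sslConfig.getServerKeystorePassword();
                    log.info("Using SslConfig from WebSecurityManager.");
                }
            }
            if (keyStorePassphrase == null) {
                throw new RuntimeException("An SSL keystore passphrase is not configured!");
            }
        }
        initialized = true;
    }

    /**
     * Resolves the SSL option from configuration. The accepted values are {@code true},
     * {@code false} and {@code cluster} (case-insensitive); {@code cluster}, the default,
     * follows {@link #isClusterSecured()}. An explicit {@code false} turns SSL off regardless
     * of whether the cluster is secured.
     *
     * @param document gateway configuration
     * @return whether the gRPC service should use SSL
     * @throws IllegalArgumentException if the configured value is not one of the accepted values
     */
    public static boolean isSslEnabled(Document document) {
        String value = Configs.getString(document, Configs.MAPR_DAG_SSL_ENABLED, SSL_OPTION_CLUSTER);
        // Locale.ROOT keeps the match independent of the JVM's default locale.
        switch (value.toLowerCase(Locale.ROOT)) {
            case "true":
            case "false":
                return Boolean.parseBoolean(value);
            case SSL_OPTION_CLUSTER:
                return isClusterSecured();
            default:
                throw new IllegalArgumentException("Unrecognized value '" + value + "' for SSL option 'grpc.service.ssl.enabled'. Valid values are 'cluster|true|false'.");
        }
    }

    /**
     * Builds the server {@link SslContext} for the gRPC service, restricted to
     * {@link #TLS_PROTOCOLS}. The {@code jdk} provider loads a JKS keystore and the
     * {@code openssl} provider (the default) loads a PKCS#12 keystore, unless the keystore
     * settings are overridden in configuration.
     *
     * @param document gateway configuration
     * @return the configured server-side SSL context
     * @throws IllegalArgumentException if the configured provider is neither {@code jdk} nor {@code openssl}
     * @throws Exception if the keystore cannot be found, loaded or used to build the context
     */
    public static SslContext getSslContext(Document document) throws Exception {
        String providerName = Configs.getString(document, Configs.MAPR_DAG_SSL_PROVIDER, SslProvider.OPENSSL.name());
        log.info("Creating SslContext with {} as the SSL Provider and TLS protocols {}", providerName, TLS_PROTOCOLS);
        SslProvider sslProvider;
        SslContextBuilder builder;
        switch (providerName.toLowerCase(Locale.ROOT)) {
            case SSL_PROVIDER_JDK:
                sslProvider = SslProvider.JDK;
                builder = SslContextBuilder.forServer(getJKSKeyManagerFactory(document));
                break;
            case SSL_PROVIDER_OPENSSL:
                sslProvider = SslProvider.OPENSSL;
                builder = SslContextBuilder.forServer(getPKCS12KeyManagerFactory(document));
                break;
            default:
                throw new IllegalArgumentException("Unrecognized SSL provider '" + providerName + "'. Valid values are 'jdk|openssl'.");
        }
        return GrpcSslContexts.configure(builder.sslProvider(sslProvider), sslProvider).protocols(TLS_PROTOCOLS).build();
    }

    /** Key manager factory over the default PKCS#12 keystore ({@code ssl_keystore.p12}, SunX509). */
    private static KeyManagerFactory getPKCS12KeyManagerFactory(Document document) throws Exception {
        return getKeyManagerFactory(document, "ssl_keystore.p12", KS_TYPE_PKCS12, ALGO_SUN_X509);
    }

    /** Key manager factory over the default JKS keystore ({@code ssl_keystore}, PKIX). */
    private static KeyManagerFactory getJKSKeyManagerFactory(Document document) throws Exception {
        return getKeyManagerFactory(document, "ssl_keystore", KS_TYPE_JKS, ALGO_PKIX);
    }

    /**
     * Loads the keystore and initializes a {@link KeyManagerFactory} from it. The same
     * passphrase ({@link #keyStorePassphrase}) is used to open the store and to unlock its keys.
     *
     * @param document gateway configuration; may override the keystore path, type and algorithm
     * @param defaultFileName keystore file name under the MapR conf directory when no path is configured
     * @param defaultType keystore type used when none is configured
     * @param defaultAlgorithm key manager algorithm used when none is configured
     * @return an initialized key manager factory
     * @throws FileNotFoundException if the keystore file does not exist
     * @throws Exception if the keystore cannot be read or the factory cannot be initialized
     */
    private static KeyManagerFactory getKeyManagerFactory(Document document, String defaultFileName, String defaultType, String defaultAlgorithm) throws Exception {
        File keyStoreFile = new File(Configs.getString(document, Configs.MAPR_DAG_SSL_KEYSTORE, MAPR_CONF_DIR + "/" + defaultFileName));
        if (!keyStoreFile.exists()) {
            throw new FileNotFoundException("Unable to find the keystore file: " + keyStoreFile);
        }
        String type = Configs.getString(document, Configs.MAPR_DAG_SSL_KEYSTORE_TYPE, defaultType);
        String algorithm = Configs.getString(document, Configs.MAPR_DAG_SSL_KEYSTORE_ALGO, defaultAlgorithm);
        log.info("Initializing Java KeyManagerFactory with keystore '{}', type '{}', algorithm '{}'.", keyStoreFile, type, algorithm);
        KeyStore keyStore = KeyStore.getInstance(type);
        // Close the stream even when load() fails (wrong passphrase, corrupt store); the
        // previous code left the file descriptor open on every call.
        try (FileInputStream in = new FileInputStream(keyStoreFile)) {
            keyStore.load(in, keyStorePassphrase);
        }
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(algorithm);
        keyManagerFactory.init(keyStore, keyStorePassphrase);
        return keyManagerFactory;
    }

    /**
     * Decodes a passphrase carrying the {@code OBF:} prefix; any other value is returned as is.
     *
     * <p>The encoding is a fixed, keyless transformation of base-36 groups, so anyone who can
     * read the configured value can recover the passphrase. Malformed input is rejected with a
     * message that does not echo any part of the value, so fragments of the secret do not end
     * up in logs or stack traces.
     *
     * @param str configured passphrase, plain or {@code OBF:}-prefixed
     * @return the decoded passphrase
     * @throws IllegalArgumentException if an {@code OBF:} value is truncated or not valid base 36
     */
    private static String deobfuscate(String str) {
        if (!str.startsWith(OBFUSCATE_MAGIC)) {
            return str;
        }
        String encoded = str.substring(OBFUSCATE_MAGIC.length());
        // Every output byte consumes at least four characters, so length / 2 is always enough.
        byte[] decoded = new byte[encoded.length() / 2];
        int count = 0;
        int pos = 0;
        while (pos < encoded.length()) {
            boolean wide = encoded.charAt(pos) == 'U';
            if (wide) {
                pos++;
            }
            if (pos + 4 > encoded.length()) {
                throw new IllegalArgumentException("Malformed obfuscated keystore passphrase.");
            }
            int value;
            try {
                value = Integer.parseInt(encoded.substring(pos, pos + 4), 36);
            } catch (NumberFormatException e) {
                // The cause is dropped on purpose: its message quotes the offending fragment.
                throw new IllegalArgumentException("Malformed obfuscated keystore passphrase.");
            }
            if (wide) {
                decoded[count++] = (byte) (value >> 8);
            } else {
                decoded[count++] = (byte) ((((value / 256) + (value % 256)) - 254) / 2);
            }
            pos += 4;
        }
        return new String(decoded, 0, count, StandardCharsets.UTF_8);
    }
}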
