package com.mapr.security.client;

import com.google.common.io.BaseEncoding;
import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException;
import com.mapr.baseutils.audit.AuditConstants;
import com.mapr.fs.jni.MapRConstants;
import com.mapr.fs.proto.Security;
import com.mapr.security.maprsasl.MaprSecurityLoginModule;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.concurrent.ThreadLocalRandom;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/mapr/security/client/ClientSecurity.class */
public class ClientSecurity {
    public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    public static final String AUTHORIZATION = "Authorization";
    public static final String WWW_ERR_AUTHENTICATE = "WWW-MAPR-Err-Authenticate";
    public static final String NEGOTIATE = "MAPR-Negotiate";
    public static final String CLUSTER_CONFIG_LOCATION = "/conf/mapr-clusters.conf";
    public static final String DEFAULT_INSTALL_LOCATION = "/opt/mapr";
    private String currentClusterName;
    private long randomSecret;
    private Security.Key userKey;
    private String userTicketFile;
    private boolean isClusterSecure;
    private boolean isClusterValid;
    private String[] cldbs;
    private static final Logger LOG = LoggerFactory.getLogger(ClientSecurity.class);
    private static int KEY_SIZE_IN_BYTES = 32;
    private static int TAG_SIZE_IN_BYTES = 16;
    private static int IV_SIZE_IN_BYTES = 16;

    public ClientSecurity() {
        this(null);
    }

    public ClientSecurity(String str) {
        this.userTicketFile = null;
        this.isClusterSecure = false;
        this.randomSecret = 0L;
        this.isClusterValid = false;
        this.currentClusterName = str;
        parseMaprClustersConf();
    }

    public boolean isSecurityEnabled() {
        return this.isClusterSecure;
    }

    public boolean isClusterNameValid() {
        return this.isClusterValid;
    }

    public String getUserTicketAndKeyFileLocation() throws MapRClientSecurityException {
        String str;
        String executeCommandAndReturnOutput;
        String str2 = System.getenv(MaprSecurityLoginModule.USER_TICKET_FILE_LOCATION);
        if (str2 != null && !str2.isEmpty()) {
            return str2;
        }
        if (System.getProperty("os.name").equalsIgnoreCase("Windows")) {
            str = System.getenv("TEMP");
            executeCommandAndReturnOutput = System.getProperty("user.name");
        } else {
            str = "/tmp";
            String property = System.getProperty("user.name");
            ArrayList<String> arrayList = new ArrayList<>();
            arrayList.add("id");
            arrayList.add("-u");
            arrayList.add(property);
            try {
                executeCommandAndReturnOutput = executeCommandAndReturnOutput(arrayList);
            } catch (IOException e) {
                LOG.error("Unable to obtain effective UID for user " + property + ":" + e.getMessage());
                throw new MapRClientSecurityException("Unable to obtain effective UID for user " + property + ":" + e.getMessage());
            } catch (InterruptedException e2) {
                LOG.error("Error executing command id -u " + property + ": " + e2.getMessage());
                throw new MapRClientSecurityException("Error execuring command id -u " + property + ": " + e2.getMessage());
            }
        }
        return str + File.separator + "maprticket_" + executeCommandAndReturnOutput;
    }

    public String generateChallenge() throws MapRClientSecurityException {
        try {
            LOG.debug("Generating challenge for cluster " + this.currentClusterName);
            Security.TicketAndKey authenticateIfNeeded = authenticateIfNeeded();
            if (authenticateIfNeeded == null) {
                LOG.error("No good client ticket found for cluster " + this.currentClusterName);
                throw new MapRClientSecurityException("No good client ticket found for cluster " + this.currentClusterName);
            }
            this.userKey = authenticateIfNeeded.getUserKey();
            this.randomSecret = generateRandomNumber();
            byte[] bArr = {(byte) (this.randomSecret >>> 56), (byte) (this.randomSecret >>> 48), (byte) (this.randomSecret >>> 40), (byte) (this.randomSecret >>> 32), (byte) (this.randomSecret >>> 24), (byte) (this.randomSecret >>> 16), (byte) (this.randomSecret >>> 8), (byte) (this.randomSecret >>> 0)};
            Security.AuthenticationReqFull.Builder newBuilder = Security.AuthenticationReqFull.newBuilder();
            try {
                try {
                    try {
                        try {
                            newBuilder.setEncryptedRandomSecret(ByteString.copyFrom(aesEncrypt(this.userKey.getKey().toByteArray(), bArr)));
                            newBuilder.setEncryptedTicket(authenticateIfNeeded.getEncryptedTicket());
                            for (String str : this.cldbs) {
                                newBuilder.addCldb(str);
                            }
                            try {
                                String encode = BaseEncoding.base64().encode(newBuilder.m84905build().toByteArray());
                                LOG.debug("Successfully obtained challenge");
                                return encode;
                            } catch (Exception e) {
                                throw new MapRClientSecurityException("Unable to encode challenge: " + e.getMessage());
                            }
                        } catch (NoSuchAlgorithmException e2) {
                            LOG.error("AES-256 GCM not supported: " + e2.getMessage());
                            throw new MapRClientSecurityException("AES-256 GCM not supported: " + e2.getMessage());
                        }
                    } catch (NoSuchPaddingException e3) {
                        LOG.error("AES-256 GCM with no padding not supported: " + e3.getMessage());
                        throw new MapRClientSecurityException("AES-256 GCM with no padding not supported: " + e3.getMessage());
                    }
                } catch (InvalidKeyException e4) {
                    LOG.error("Invalid AES-256 GCM user key: " + e4.getMessage());
                    throw new MapRClientSecurityException("Invalid AES-256 GCM user key: " + e4.getMessage());
                } catch (IllegalBlockSizeException e5) {
                    LOG.error("Illegal AES-256 GCM block size: " + e5.getMessage());
                    throw new MapRClientSecurityException("Illegal AES-256 GCM block size: " + e5.getMessage());
                }
            } catch (InvalidAlgorithmParameterException e6) {
                LOG.error("Invalid parameters for AES-256 GCM: " + e6.getMessage());
                throw new MapRClientSecurityException("Invalid parameters for AES-256 GCM: " + e6.getMessage());
            } catch (BadPaddingException e7) {
                LOG.error("Bad padding for AES-256 GCM: " + e7.getMessage());
                throw new MapRClientSecurityException("Bad padding for AES-256 GCM: " + e7.getMessage());
            }
        } catch (MapRClientSecurityException e8) {
            LOG.error("Exception while processing ticket data: " + e8.getMessage());
            throw new MapRClientSecurityException("Exception while processing ticket data", e8);
        }
    }

    public boolean hasValidTicket() throws MapRClientSecurityException {
        return authenticateIfNeeded() != null;
    }

    public String getClusterName() {
        return this.currentClusterName;
    }

    public boolean validateServerResponseToChallenge(String str) throws MapRClientSecurityException {
        try {
            try {
                Security.AuthenticationResp parseFrom = Security.AuthenticationResp.parseFrom(aesDecrypt(this.userKey.getKey().toByteArray(), BaseEncoding.base64().decode(str)));
                if (parseFrom == null) {
                    throw new MapRClientSecurityException("Response is null");
                }
                if (!parseFrom.hasChallengeResponse()) {
                    throw new MapRClientSecurityException("No response secret");
                }
                LOG.debug("Response to challenge found");
                if (parseFrom.getChallengeResponse() != this.randomSecret + 1) {
                    throw new MapRClientSecurityException("Incorrect challenge response");
                }
                LOG.debug("Successfully validated server response");
                return true;
            } catch (Exception e) {
                throw new MapRClientSecurityException("Error while decrypting response " + e.getMessage());
            }
        } catch (Exception e2) {
            throw new MapRClientSecurityException("Unable to decode Base64-encoded server challenge: " + e2.getMessage());
        }
    }

    private byte[] aesEncrypt(byte[] bArr, byte[] bArr2) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        SecureRandom instanceStrong = SecureRandom.getInstanceStrong();
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, 0, bArr.length, "AES");
        byte[] bArr3 = new byte[IV_SIZE_IN_BYTES];
        instanceStrong.nextBytes(bArr3);
        cipher.init(1, secretKeySpec, new GCMParameterSpec(TAG_SIZE_IN_BYTES * 8, bArr3));
        byte[] doFinal = cipher.doFinal(bArr2);
        byte[] copyOf = Arrays.copyOf(bArr3, bArr3.length + doFinal.length);
        System.arraycopy(doFinal, 0, copyOf, bArr3.length, doFinal.length);
        return copyOf;
    }

    private byte[] aesDecrypt(byte[] bArr, byte[] bArr2) throws NoSuchAlgorithmException, NoSuchPaddingException, InvalidKeyException, InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, 0, bArr.length, "AES");
        byte[] bArr3 = new byte[IV_SIZE_IN_BYTES];
        for (int i = 0; i < IV_SIZE_IN_BYTES; i++) {
            bArr3[i] = bArr2[i];
        }
        cipher.init(2, secretKeySpec, new GCMParameterSpec(TAG_SIZE_IN_BYTES * 8, bArr3));
        return cipher.doFinal(Arrays.copyOfRange(bArr2, IV_SIZE_IN_BYTES, bArr2.length));
    }

    private String executeCommandAndReturnOutput(ArrayList<String> arrayList) throws IOException, InterruptedException {
        ProcessBuilder processBuilder = new ProcessBuilder(arrayList);
        processBuilder.redirectErrorStream(true);
        Process start = processBuilder.start();
        StringBuilder sb = new StringBuilder();
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(start.getInputStream()));
        while (true) {
            try {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    start.waitFor();
                    bufferedReader.close();
                    return sb.toString().trim();
                }
                sb.append(readLine + System.lineSeparator());
            } catch (Throwable th) {
                try {
                    bufferedReader.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }
    }

    private boolean isTicketAndKeyUsable(Security.TicketAndKey ticketAndKey) {
        return System.currentTimeMillis() / 1000 < ticketAndKey.getExpiryTime();
    }

    private byte[] decodeDataFromKeyFile(String str) {
        try {
            try {
                return aesDecrypt(getKeyForKeyFile(), BaseEncoding.base64().decode(str));
            } catch (Exception e) {
                LOG.error("Unable to decrypt data: " + e.getMessage());
                return null;
            }
        } catch (Exception e2) {
            LOG.error("Unable to decode Base-64 encoded ticket: " + e2.getMessage());
            return null;
        }
    }

    private byte[] getKeyForKeyFile() {
        byte[] bArr = new byte[KEY_SIZE_IN_BYTES];
        for (int i = 0; i < KEY_SIZE_IN_BYTES; i++) {
            bArr[i] = 65;
        }
        return bArr;
    }

    private void parseMaprClustersConf() {
        String str = System.getenv(MapRConstants.MAPR_ENV_VAR);
        try {
            BufferedReader bufferedReader = new BufferedReader(new FileReader(new File((str != null ? !str.isEmpty() ? str : DEFAULT_INSTALL_LOCATION : DEFAULT_INSTALL_LOCATION) + "/conf/mapr-clusters.conf")));
            boolean z = true;
            while (true) {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    bufferedReader.close();
                    return;
                }
                String[] split = readLine.split(AuditConstants.SPACE);
                String str2 = split[0];
                if (z) {
                    if (this.currentClusterName == null) {
                        this.currentClusterName = str2;
                    }
                    z = false;
                }
                if (this.currentClusterName.equals(str2)) {
                    this.isClusterValid = true;
                    int i = 1;
                    int i2 = 1;
                    while (true) {
                        if (i2 >= split.length) {
                            break;
                        }
                        if (split[i2].startsWith("secure=")) {
                            String[] split2 = split[i2].split("=");
                            this.isClusterSecure = false;
                            if (split2[1].equalsIgnoreCase("true")) {
                                this.isClusterSecure = true;
                            }
                            i = i2 + 1;
                        } else {
                            i2++;
                        }
                    }
                    this.cldbs = new String[split.length - i];
                    for (int i3 = i; i3 < split.length; i3++) {
                        this.cldbs[i3 - i] = split[i3].split(";")[0];
                    }
                }
            }
        } catch (IOException e) {
            LOG.error("Failed to parse mapr-clusters.conf: " + e.getMessage());
        }
    }

    private long generateRandomNumber() {
        return ThreadLocalRandom.current().nextLong(1L, Long.MAX_VALUE);
    }

    private Security.TicketAndKey authenticateIfNeeded() throws MapRClientSecurityException {
        if (!isSecurityEnabled()) {
            LOG.debug("security appears to be off");
            return null;
        }
        try {
            Security.TicketAndKey ticketAndKeyForCluster = getTicketAndKeyForCluster();
            if (!isTicketAndKeyUsable(ticketAndKeyForCluster)) {
                return null;
            }
            LOG.debug("Already have good ticket, done");
            return ticketAndKeyForCluster;
        } catch (MapRClientSecurityException e) {
            LOG.info("Unable to obtain user ticket for cluster " + this.currentClusterName);
            throw new MapRClientSecurityException(e);
        }
    }

    private Security.TicketAndKey getTicketAndKeyForCluster() throws MapRClientSecurityException {
        Security.TicketAndKey ticketAndKey = null;
        String str = null;
        try {
            this.userTicketFile = getUserTicketAndKeyFileLocation();
            File file = new File(this.userTicketFile);
            if (!file.exists()) {
                throw new MapRClientSecurityException("Ticket file " + this.userTicketFile + " does not exist");
            }
            BufferedReader bufferedReader = new BufferedReader(new FileReader(file));
            boolean z = false;
            while (true) {
                String readLine = bufferedReader.readLine();
                if (readLine == null) {
                    break;
                }
                String[] split = readLine.split(AuditConstants.SPACE);
                if (split[0].equals(this.currentClusterName)) {
                    str = split[1];
                    z = true;
                    break;
                }
            }
            bufferedReader.close();
            if (!z) {
                throw new MapRClientSecurityException("No user ticket found for cluster " + this.currentClusterName + " in " + this.userTicketFile);
            }
            if (str == null) {
                throw new MapRClientSecurityException("Unable to obtain encrypted user ticket");
            }
            try {
                ticketAndKey = Security.TicketAndKey.parseFrom(decodeDataFromKeyFile(str));
            } catch (InvalidProtocolBufferException e) {
                LOG.error("Failed to parse decrypted user ticket byte stream");
                e.printStackTrace();
            }
            return ticketAndKey;
        } catch (IOException e2) {
            LOG.error("IO Exception: " + e2.getMessage());
            throw new MapRClientSecurityException("I/O Exception: " + e2.getMessage());
        }
    }
}
