package org.apache.hadoop.yarn.server.resourcemanager.security;

import java.io.IOException;
import java.security.SecureRandom;
import java.util.HashSet;
import java.util.Set;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReadWriteLock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
import org.apache.hadoop.yarn.server.api.records.MasterKey;
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
import org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore;
import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.AMRMTokenSecretManagerState;
import org.apache.hadoop.yarn.server.security.MasterKeyData;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager.class */
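/**
 * Secret manager for AMRM tokens, as decompiled from the ResourceManager.
 *
 * <p>The manager holds a current master key and, while a rollover is in progress, a next master
 * key. New tokens are minted with the key returned by {@link #getMasterKey()} (the next key when
 * one exists), and {@link #retrievePassword(AMRMTokenIdentifier)} accepts identifiers whose key
 * id matches either held key. A key id that matches neither is rejected with
 * {@code InvalidToken}, so a token minted under a retired key stops validating once that key is
 * replaced.
 *
 * <p>Key state and the set of known application attempts are guarded by a
 * {@link ReentrantReadWriteLock}; rollover and activation run on a single {@link Timer}.
 */
public class AMRMTokenSecretManager extends SecretManager<AMRMTokenIdentifier> {
    private static final Logger LOG = LoggerFactory.getLogger(AMRMTokenSecretManager.class);
    private static final String ROLLING_INTERVAL_SECS_KEY = "yarn.resourcemanager.am-rm-tokens.master-key-rolling-interval-secs";
    private static final String AM_EXPIRY_INTERVAL_MS_KEY = "yarn.am.liveness-monitor.expiry-interval-ms";

    // Key staged by rollMasterKey(); null when no rollover is in progress.
    private MasterKeyData nextMasterKey;
    private MasterKeyData currentMasterKey;
    // Milliseconds between two rollovers.
    private final long rollingInterval;
    // Milliseconds between staging a next key and promoting it to current.
    private final long activationDelay;
    private RMContext rmContext;
    // Id handed to the next master key; the starting value is drawn from SecureRandom.
    private int serialNo = new SecureRandom().nextInt();
    private final ReadWriteLock readWriteLock = new ReentrantReadWriteLock();
    private final Lock readLock = this.readWriteLock.readLock();
    private final Lock writeLock = this.readWriteLock.writeLock();
    // Attempts whose tokens retrievePassword() will accept; any other attempt is rejected.
    private final Set<ApplicationAttemptId> appAttemptSet = new HashSet<>();
    // One timer thread runs both MasterKeyRoller and NextKeyActivator tasks.
    private final Timer timer = new Timer();

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager$MasterKeyRoller.class */
    /** Periodic task that stages a new master key. */
    private class MasterKeyRoller extends TimerTask {
        private MasterKeyRoller() {
        }

        @Override // java.util.TimerTask, java.lang.Runnable
        public void run() {
            AMRMTokenSecretManager.this.rollMasterKey();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/AMRMTokenSecretManager$NextKeyActivator.class */
    /** One-shot task that promotes the staged key to current. */
    public class NextKeyActivator extends TimerTask {
        private NextKeyActivator() {
        }

        @Override // java.util.TimerTask, java.lang.Runnable
        public void run() {
            AMRMTokenSecretManager.this.activateNextMasterKey();
        }
    }

    /**
     * Reads the rollover timing from configuration and validates it.
     *
     * <p>The activation delay is 1.5 times the AM liveness expiry interval. The rolling interval
     * must be strictly greater than twice the activation delay, i.e. more than three expiry
     * intervals, so that a staged key is activated well before the next rollover fires.
     *
     * @param configuration source of the two timing settings
     * @param rMContext context used to reach the state store
     * @throws IllegalArgumentException if the rolling interval is too short
     */
    public AMRMTokenSecretManager(Configuration configuration, RMContext rMContext) {
        this.rmContext = rMContext;
        this.rollingInterval = configuration.getLong(ROLLING_INTERVAL_SECS_KEY, 86400L) * 1000;
        this.activationDelay = (long) (configuration.getLong(AM_EXPIRY_INTERVAL_MS_KEY, 600000L) * 1.5d);
        LOG.info("AMRMTokenKeyRollingInterval: {}ms and AMRMTokenKeyActivationDelay: {} ms", this.rollingInterval, this.activationDelay);
        if (this.rollingInterval <= this.activationDelay * 2) {
            throw new IllegalArgumentException(ROLLING_INTERVAL_SECS_KEY + " should be more than 3 X " + AM_EXPIRY_INTERVAL_MS_KEY);
        }
    }

    /**
     * Creates and persists an initial master key when none is set, then schedules periodic
     * rollover.
     */
    public void start() {
        if (this.currentMasterKey == null) {
            this.currentMasterKey = createNewMasterKey();
            // NOTE(review): the boolean differs from the rollover paths (false here, true there);
            // presumably it distinguishes a first store from an update - confirm against RMStateStore.
            this.rmContext.getStateStore().storeOrUpdateAMRMTokenSecretManager(AMRMTokenSecretManagerState.newInstance(this.currentMasterKey.getMasterKey(), null), false);
        }
        this.timer.scheduleAtFixedRate(new MasterKeyRoller(), this.rollingInterval, this.rollingInterval);
    }

    /** Cancels the timer, so no further rollover or activation task runs. */
    public void stop() {
        this.timer.cancel();
    }

    /**
     * Forgets a finished attempt; its token is rejected by {@link #retrievePassword} afterwards.
     *
     * @param applicationAttemptId the attempt to remove
     */
    public void applicationMasterFinished(ApplicationAttemptId applicationAttemptId) {
        this.writeLock.lock();
        try {
            LOG.info("Application finished, removing password for {}", applicationAttemptId);
            this.appAttemptSet.remove(applicationAttemptId);
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Stages a new next master key, persists the current/next pair, and schedules activation of
     * the staged key after the activation delay.
     */
    @InterfaceAudience.Private
    void rollMasterKey() {
        this.writeLock.lock();
        try {
            LOG.info("Rolling master-key for amrm-tokens");
            this.nextMasterKey = createNewMasterKey();
            this.rmContext.getStateStore().storeOrUpdateAMRMTokenSecretManager(AMRMTokenSecretManagerState.newInstance(this.currentMasterKey.getMasterKey(), this.nextMasterKey.getMasterKey()), true);
            this.timer.schedule(new NextKeyActivator(), this.activationDelay);
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Promotes the staged key to current, clears the staged slot, and persists the new state.
     * From this point tokens carrying the previous key id no longer validate.
     *
     * <p>Does nothing except log a warning when no key is staged.
     */
    public void activateNextMasterKey() {
        this.writeLock.lock();
        try {
            if (this.nextMasterKey == null) {
                // Dereferencing a missing staged key would throw on the timer thread. An
                // unchecked exception escaping a TimerTask terminates its Timer, which here would
                // silently stop all further key rollover.
                LOG.warn("No next master key to activate; keeping the current master key");
                return;
            }
            LOG.info("Activating next master key with id: {}", this.nextMasterKey.getMasterKey().getKeyId());
            this.currentMasterKey = this.nextMasterKey;
            this.nextMasterKey = null;
            this.rmContext.getStateStore().storeOrUpdateAMRMTokenSecretManager(AMRMTokenSecretManagerState.newInstance(this.currentMasterKey.getMasterKey(), null), true);
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Builds a master key with the next serial number and a freshly generated secret.
     * {@code generateSecret()} is not defined in this file; presumably inherited from
     * {@code SecretManager}.
     *
     * @return the new key; it is not installed as current or next by this method
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public MasterKeyData createNewMasterKey() {
        this.writeLock.lock();
        try {
            int keyId = this.serialNo;
            this.serialNo = keyId + 1;
            return new MasterKeyData(keyId, generateSecret());
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Mints a token for the attempt under the key returned by {@link #getMasterKey()} and
     * registers the attempt so the token can later be validated.
     *
     * @param applicationAttemptId the attempt the token is issued to
     * @return the new token
     */
    public Token<AMRMTokenIdentifier> createAndGetAMRMToken(ApplicationAttemptId applicationAttemptId) {
        this.writeLock.lock();
        try {
            LOG.info("Create AMRMToken for ApplicationAttempt: {}", applicationAttemptId);
            AMRMTokenIdentifier identifier = new AMRMTokenIdentifier(applicationAttemptId, getMasterKey().getMasterKey().getKeyId());
            byte[] password = createPassword(identifier);
            this.appAttemptSet.add(applicationAttemptId);
            return new Token<>(identifier.getBytes(), password, identifier.getKind(), new Text());
        } finally {
            // Released on the normal and the exceptional path alike.
            this.writeLock.unlock();
        }
    }

    /**
     * Returns the key used for minting: the staged key while a rollover is in progress,
     * otherwise the current key.
     *
     * @return the minting key
     */
    @VisibleForTesting
    public MasterKeyData getMasterKey() {
        this.readLock.lock();
        try {
            return this.nextMasterKey == null ? this.currentMasterKey : this.nextMasterKey;
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Re-registers the attempt named in a previously issued token. Only the attempt id is
     * recorded; the token's password is not stored or checked here.
     *
     * @param token a token whose identifier names the attempt
     * @throws IOException if the identifier cannot be decoded
     */
    public void addPersistedPassword(Token<AMRMTokenIdentifier> token) throws IOException {
        this.writeLock.lock();
        try {
            AMRMTokenIdentifier identifier = token.decodeIdentifier();
            LOG.debug("Adding password for {}", identifier.getApplicationAttemptId());
            this.appAttemptSet.add(identifier.getApplicationAttemptId());
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Recomputes the password for an identifier from the master key it names.
     *
     * <p>The attempt must be registered and the key id must match the current or the staged
     * key. This method does not compare the result with a presented password; that comparison
     * is left to the caller.
     *
     * @param aMRMTokenIdentifier the identifier presented with the token
     * @return the password derived from the matching master key
     * @throws SecretManager.InvalidToken if the attempt is unknown or the key id matches no held key
     */
    public byte[] retrievePassword(AMRMTokenIdentifier aMRMTokenIdentifier) throws SecretManager.InvalidToken {
        this.readLock.lock();
        try {
            ApplicationAttemptId attemptId = aMRMTokenIdentifier.getApplicationAttemptId();
            LOG.debug("Trying to retrieve password for {}", attemptId);
            if (!this.appAttemptSet.contains(attemptId)) {
                throw new SecretManager.InvalidToken(attemptId + " not found in AMRMTokenSecretManager.");
            }
            if (aMRMTokenIdentifier.getKeyId() == this.currentMasterKey.getMasterKey().getKeyId()) {
                return createPassword(aMRMTokenIdentifier.getBytes(), this.currentMasterKey.getSecretKey());
            }
            if (this.nextMasterKey != null && aMRMTokenIdentifier.getKeyId() == this.nextMasterKey.getMasterKey().getKeyId()) {
                return createPassword(aMRMTokenIdentifier.getBytes(), this.nextMasterKey.getSecretKey());
            }
            // Key id matches neither held key, e.g. a token minted under a retired key.
            throw new SecretManager.InvalidToken("Invalid AMRMToken from " + attemptId);
        } finally {
            this.readLock.unlock();
        }
    }

    /* renamed from: createIdentifier, reason: merged with bridge method [inline-methods] */
    /**
     * Returns an empty identifier.
     *
     * <p>NOTE(review): the name is the decompiler's replacement for {@code createIdentifier};
     * under this name the method presumably no longer overrides the {@code SecretManager}
     * method - confirm before recompiling.
     *
     * @return a new, unpopulated identifier
     */
    public AMRMTokenIdentifier m16193createIdentifier() {
        return new AMRMTokenIdentifier();
    }

    /**
     * Returns the current master key. The misspelling in the method name is part of the
     * existing interface.
     *
     * @return the current key, or null if none has been set
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public MasterKeyData getCurrnetMasterKeyData() {
        this.readLock.lock();
        try {
            return this.currentMasterKey;
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Returns the staged master key.
     *
     * @return the staged key, or null when no rollover is in progress
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public MasterKeyData getNextMasterKeyData() {
        this.readLock.lock();
        try {
            return this.nextMasterKey;
        } finally {
            this.readLock.unlock();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Derives the password for an identifier from the key returned by {@link #getMasterKey()}.
     * Only the attempt id is logged, never the password or key material.
     *
     * @param aMRMTokenIdentifier the identifier to derive a password for
     * @return the derived password
     */
    @InterfaceAudience.Private
    public byte[] createPassword(AMRMTokenIdentifier aMRMTokenIdentifier) {
        this.readLock.lock();
        try {
            LOG.info("Creating password for {}", aMRMTokenIdentifier.getApplicationAttemptId());
            return createPassword(aMRMTokenIdentifier.getBytes(), getMasterKey().getSecretKey());
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Restores the current key, and the staged key if one was persisted, from recovered state.
     * A restored staged key gets a fresh activation task with the full activation delay.
     *
     * <p>NOTE(review): the key fields are written here without taking {@code writeLock};
     * presumably this runs before {@link #start()} and before any token traffic - confirm
     * against the caller.
     *
     * @param rMState recovered ResourceManager state
     */
    public void recover(RMStateStore.RMState rMState) {
        if (rMState.getAMRMTokenSecretManagerState() != null) {
            MasterKey recoveredCurrent = rMState.getAMRMTokenSecretManagerState().getCurrentMasterKey();
            this.currentMasterKey = new MasterKeyData(recoveredCurrent, createSecretKey(recoveredCurrent.getBytes().array()));
            MasterKey recoveredNext = rMState.getAMRMTokenSecretManagerState().getNextMasterKey();
            if (recoveredNext != null) {
                this.nextMasterKey = new MasterKeyData(recoveredNext, createSecretKey(recoveredNext.getBytes().array()));
                this.timer.schedule(new NextKeyActivator(), this.activationDelay);
            }
        }
    }
}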
