package org.apache.hadoop.crypto.key.kms.server;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AuthorizationException;

/* loaded from: input_file:WEB-INF/lib/hadoop-kms-2.7.0-mapr-1710.jar:org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider.class */
public class KeyAuthorizationKeyProvider extends KeyProviderCryptoExtension {
    public static final String KEY_ACL = "key.acl.";
    private static final String KEY_ACL_NAME = "key.acl.name";
    private final KeyProviderCryptoExtension provider;
    private final KeyACLs acls;
    private Lock readLock;
    private Lock writeLock;

    /* loaded from: input_file:WEB-INF/lib/hadoop-kms-2.7.0-mapr-1710.jar:org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider$KeyACLs.class */
    public interface KeyACLs {
        boolean hasAccessToKey(String str, UserGroupInformation userGroupInformation, KeyOpType keyOpType);

        boolean isACLPresent(String str, KeyOpType keyOpType);
    }

    /* loaded from: input_file:WEB-INF/lib/hadoop-kms-2.7.0-mapr-1710.jar:org/apache/hadoop/crypto/key/kms/server/KeyAuthorizationKeyProvider$KeyOpType.class */
    public enum KeyOpType {
        ALL,
        READ,
        MANAGEMENT,
        GENERATE_EEK,
        DECRYPT_EEK
    }

    public KeyAuthorizationKeyProvider(KeyProviderCryptoExtension keyProviderCryptoExtension, KeyACLs keyACLs) {
        super(keyProviderCryptoExtension, null);
        this.provider = keyProviderCryptoExtension;
        this.acls = keyACLs;
        ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock(true);
        this.readLock = reentrantReadWriteLock.readLock();
        this.writeLock = reentrantReadWriteLock.writeLock();
    }

    private void authorizeCreateKey(String str, KeyProvider.Options options, UserGroupInformation userGroupInformation) throws IOException {
        boolean z;
        Preconditions.checkNotNull(userGroupInformation, "UserGroupInformation cannot be null");
        Map<String, String> attributes = options.getAttributes();
        String str2 = attributes.get(KEY_ACL_NAME);
        if (!Strings.isNullOrEmpty(str2)) {
            z = this.acls.isACLPresent(str2, KeyOpType.MANAGEMENT) && (this.acls.hasAccessToKey(str2, userGroupInformation, KeyOpType.MANAGEMENT) || this.acls.hasAccessToKey(str2, userGroupInformation, KeyOpType.ALL));
        } else if (this.acls.isACLPresent(str, KeyOpType.MANAGEMENT)) {
            options.setAttributes(ImmutableMap.builder().putAll(attributes).put(KEY_ACL_NAME, str).build());
            z = this.acls.hasAccessToKey(str, userGroupInformation, KeyOpType.MANAGEMENT) || this.acls.hasAccessToKey(str, userGroupInformation, KeyOpType.ALL);
        } else {
            z = false;
        }
        if (!z) {
            throw new AuthorizationException(String.format("User [%s] is not authorized to create key !!", userGroupInformation.getShortUserName()));
        }
    }

    private void checkAccess(String str, UserGroupInformation userGroupInformation, KeyOpType keyOpType) throws AuthorizationException {
        Preconditions.checkNotNull(str, "Key ACL name cannot be null");
        Preconditions.checkNotNull(userGroupInformation, "UserGroupInformation cannot be null");
        if (!this.acls.isACLPresent(str, keyOpType) || (!this.acls.hasAccessToKey(str, userGroupInformation, keyOpType) && !this.acls.hasAccessToKey(str, userGroupInformation, KeyOpType.ALL))) {
            throw new AuthorizationException(String.format("User [%s] is not authorized to perform [%s] on key with ACL name [%s]!!", userGroupInformation.getShortUserName(), keyOpType, str));
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion createKey(String str, KeyProvider.Options options) throws NoSuchAlgorithmException, IOException {
        this.writeLock.lock();
        try {
            authorizeCreateKey(str, options, getUser());
            KeyProvider.KeyVersion createKey = this.provider.createKey(str, options);
            this.writeLock.unlock();
            return createKey;
        } catch (Throwable th) {
            this.writeLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion createKey(String str, byte[] bArr, KeyProvider.Options options) throws IOException {
        this.writeLock.lock();
        try {
            authorizeCreateKey(str, options, getUser());
            KeyProvider.KeyVersion createKey = this.provider.createKey(str, bArr, options);
            this.writeLock.unlock();
            return createKey;
        } catch (Throwable th) {
            this.writeLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion rollNewVersion(String str) throws NoSuchAlgorithmException, IOException {
        this.writeLock.lock();
        try {
            doAccessCheck(str, KeyOpType.MANAGEMENT);
            KeyProvider.KeyVersion rollNewVersion = this.provider.rollNewVersion(str);
            this.writeLock.unlock();
            return rollNewVersion;
        } catch (Throwable th) {
            this.writeLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public void deleteKey(String str) throws IOException {
        this.writeLock.lock();
        try {
            doAccessCheck(str, KeyOpType.MANAGEMENT);
            this.provider.deleteKey(str);
            this.writeLock.unlock();
        } catch (Throwable th) {
            this.writeLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion rollNewVersion(String str, byte[] bArr) throws IOException {
        this.writeLock.lock();
        try {
            doAccessCheck(str, KeyOpType.MANAGEMENT);
            KeyProvider.KeyVersion rollNewVersion = this.provider.rollNewVersion(str, bArr);
            this.writeLock.unlock();
            return rollNewVersion;
        } catch (Throwable th) {
            this.writeLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension
    public void warmUpEncryptedKeys(String... strArr) throws IOException {
        this.readLock.lock();
        try {
            for (String str : strArr) {
                doAccessCheck(str, KeyOpType.GENERATE_EEK);
            }
            this.provider.warmUpEncryptedKeys(strArr);
            this.readLock.unlock();
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension
    public KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey(String str) throws IOException, GeneralSecurityException {
        this.readLock.lock();
        try {
            doAccessCheck(str, KeyOpType.GENERATE_EEK);
            KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey = this.provider.generateEncryptedKey(str);
            this.readLock.unlock();
            return generateEncryptedKey;
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    private void verifyKeyVersionBelongsToKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException {
        String encryptionKeyName = encryptedKeyVersion.getEncryptionKeyName();
        String encryptionKeyVersionName = encryptedKeyVersion.getEncryptionKeyVersionName();
        KeyProvider.KeyVersion keyVersion = this.provider.getKeyVersion(encryptionKeyVersionName);
        if (keyVersion == null) {
            throw new IllegalArgumentException(String.format("'%s' not found", encryptionKeyVersionName));
        }
        if (!keyVersion.getName().equals(encryptionKeyName)) {
            throw new IllegalArgumentException(String.format("KeyVersion '%s' does not belong to the key '%s'", encryptionKeyVersionName, encryptionKeyName));
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderCryptoExtension
    public KeyProvider.KeyVersion decryptEncryptedKey(KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion) throws IOException, GeneralSecurityException {
        this.readLock.lock();
        try {
            verifyKeyVersionBelongsToKey(encryptedKeyVersion);
            doAccessCheck(encryptedKeyVersion.getEncryptionKeyName(), KeyOpType.DECRYPT_EEK);
            KeyProvider.KeyVersion decryptEncryptedKey = this.provider.decryptEncryptedKey(encryptedKeyVersion);
            this.readLock.unlock();
            return decryptEncryptedKey;
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion getKeyVersion(String str) throws IOException {
        this.readLock.lock();
        try {
            KeyProvider.KeyVersion keyVersion = this.provider.getKeyVersion(str);
            if (keyVersion != null) {
                doAccessCheck(keyVersion.getName(), KeyOpType.READ);
            }
            return keyVersion;
        } finally {
            this.readLock.unlock();
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public List<String> getKeys() throws IOException {
        return this.provider.getKeys();
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public List<KeyProvider.KeyVersion> getKeyVersions(String str) throws IOException {
        this.readLock.lock();
        try {
            doAccessCheck(str, KeyOpType.READ);
            List<KeyProvider.KeyVersion> keyVersions = this.provider.getKeyVersions(str);
            this.readLock.unlock();
            return keyVersions;
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.Metadata getMetadata(String str) throws IOException {
        this.readLock.lock();
        try {
            doAccessCheck(str, KeyOpType.READ);
            KeyProvider.Metadata metadata = this.provider.getMetadata(str);
            this.readLock.unlock();
            return metadata;
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.Metadata[] getKeysMetadata(String... strArr) throws IOException {
        this.readLock.lock();
        try {
            for (String str : strArr) {
                doAccessCheck(str, KeyOpType.READ);
            }
            KeyProvider.Metadata[] keysMetadata = this.provider.getKeysMetadata(strArr);
            this.readLock.unlock();
            return keysMetadata;
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public KeyProvider.KeyVersion getCurrentKey(String str) throws IOException {
        this.readLock.lock();
        try {
            doAccessCheck(str, KeyOpType.READ);
            KeyProvider.KeyVersion currentKey = this.provider.getCurrentKey(str);
            this.readLock.unlock();
            return currentKey;
        } catch (Throwable th) {
            this.readLock.unlock();
            throw th;
        }
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public void flush() throws IOException {
        this.provider.flush();
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension, org.apache.hadoop.crypto.key.KeyProvider
    public boolean isTransient() {
        return this.provider.isTransient();
    }

    private void doAccessCheck(String str, KeyOpType keyOpType) throws IOException {
        KeyProvider.Metadata metadata = this.provider.getMetadata(str);
        if (metadata != null) {
            String str2 = metadata.getAttributes().get(KEY_ACL_NAME);
            checkAccess(str2 == null ? str : str2, getUser(), keyOpType);
        }
    }

    private UserGroupInformation getUser() throws IOException {
        return UserGroupInformation.getCurrentUser();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension
    public KeyProvider getKeyProvider() {
        return this;
    }

    @Override // org.apache.hadoop.crypto.key.KeyProviderExtension
    public String toString() {
        return this.provider.toString();
    }
}
