package org.apache.hadoop.yarn.server.nodemanager.security;

import com.google.common.annotations.VisibleForTesting;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.security.NMTokenIdentifier;
import org.apache.hadoop.yarn.server.api.records.MasterKey;
import org.apache.hadoop.yarn.server.security.BaseNMTokenSecretManager;
import org.apache.hadoop.yarn.server.security.MasterKeyData;

/* loaded from: input_file:lib/hadoop-yarn-server-nodemanager-2.3.0-mapr-4.0.0-FCS.jar:org/apache/hadoop/yarn/server/nodemanager/security/NMTokenSecretManagerInNM.class */
public class NMTokenSecretManagerInNM extends BaseNMTokenSecretManager {
    private static final Log LOG = LogFactory.getLog(NMTokenSecretManagerInNM.class);
    private MasterKeyData previousMasterKey;
    private final Map<ApplicationAttemptId, MasterKeyData> oldMasterKeys = new HashMap();
    private final Map<ApplicationId, List<ApplicationAttemptId>> appToAppAttemptMap = new HashMap();
    private NodeId nodeId;

    @InterfaceAudience.Private
    public synchronized void setMasterKey(MasterKey masterKey) {
        LOG.info("Rolling master-key for nm-tokens, got key with id :" + masterKey.getKeyId());
        if (this.currentMasterKey == null) {
            this.currentMasterKey = new MasterKeyData(masterKey, createSecretKey(masterKey.getBytes().array()));
        } else if (this.currentMasterKey.getMasterKey().getKeyId() != masterKey.getKeyId()) {
            this.previousMasterKey = this.currentMasterKey;
            this.currentMasterKey = new MasterKeyData(masterKey, createSecretKey(masterKey.getBytes().array()));
        }
    }

    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.apache.hadoop.yarn.server.security.BaseNMTokenSecretManager, org.apache.hadoop.security.token.SecretManager
    public synchronized byte[] retrievePassword(NMTokenIdentifier nMTokenIdentifier) throws SecretManager.InvalidToken {
        int keyId = nMTokenIdentifier.getKeyId();
        ApplicationAttemptId applicationAttemptId = nMTokenIdentifier.getApplicationAttemptId();
        MasterKeyData masterKeyData = this.oldMasterKeys.get(applicationAttemptId);
        if (this.previousMasterKey != null && keyId == this.previousMasterKey.getMasterKey().getKeyId()) {
            masterKeyData = this.previousMasterKey;
        } else if (keyId == this.currentMasterKey.getMasterKey().getKeyId()) {
            masterKeyData = this.currentMasterKey;
        }
        if (this.nodeId != null && !nMTokenIdentifier.getNodeId().equals(this.nodeId)) {
            throw new SecretManager.InvalidToken("Given NMToken for application : " + applicationAttemptId.toString() + " is not valid for current node manager.expected : " + this.nodeId.toString() + " found : " + nMTokenIdentifier.getNodeId().toString());
        }
        if (masterKeyData == null) {
            throw new SecretManager.InvalidToken("Given NMToken for application : " + applicationAttemptId.toString() + " seems to have been generated illegally.");
        }
        byte[] retrivePasswordInternal = retrivePasswordInternal(nMTokenIdentifier, masterKeyData);
        LOG.debug("NMToken password retrieved successfully!!");
        return retrivePasswordInternal;
    }

    public synchronized void appFinished(ApplicationId applicationId) {
        List<ApplicationAttemptId> list = this.appToAppAttemptMap.get(applicationId);
        if (list == null) {
            LOG.error("No application Attempt for application : " + applicationId + " started on this NM.");
            return;
        }
        LOG.debug("Removing application attempts NMToken keys for application " + applicationId);
        Iterator<ApplicationAttemptId> it = list.iterator();
        while (it.hasNext()) {
            this.oldMasterKeys.remove(it.next());
        }
        this.appToAppAttemptMap.remove(applicationId);
    }

    public synchronized void appAttemptStartContainer(NMTokenIdentifier nMTokenIdentifier) throws SecretManager.InvalidToken {
        ApplicationAttemptId applicationAttemptId = nMTokenIdentifier.getApplicationAttemptId();
        if (!this.appToAppAttemptMap.containsKey(applicationAttemptId.getApplicationId())) {
            this.appToAppAttemptMap.put(applicationAttemptId.getApplicationId(), new ArrayList());
        }
        MasterKeyData masterKeyData = this.oldMasterKeys.get(applicationAttemptId);
        if (masterKeyData == null) {
            this.appToAppAttemptMap.get(applicationAttemptId.getApplicationId()).add(applicationAttemptId);
        }
        if (masterKeyData == null || masterKeyData.getMasterKey().getKeyId() != nMTokenIdentifier.getKeyId()) {
            LOG.debug("NMToken key updated for application attempt : " + nMTokenIdentifier.getApplicationAttemptId().toString());
            if (nMTokenIdentifier.getKeyId() == this.currentMasterKey.getMasterKey().getKeyId()) {
                this.oldMasterKeys.put(applicationAttemptId, this.currentMasterKey);
            } else {
                if (this.previousMasterKey == null || nMTokenIdentifier.getKeyId() != this.previousMasterKey.getMasterKey().getKeyId()) {
                    throw new SecretManager.InvalidToken("Older NMToken should not be used while starting the container.");
                }
                this.oldMasterKeys.put(applicationAttemptId, this.previousMasterKey);
            }
        }
    }

    public synchronized void setNodeId(NodeId nodeId) {
        LOG.debug("updating nodeId : " + nodeId);
        this.nodeId = nodeId;
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public synchronized boolean isAppAttemptNMTokenKeyPresent(ApplicationAttemptId applicationAttemptId) {
        return this.oldMasterKeys.containsKey(applicationAttemptId);
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public synchronized NodeId getNodeId() {
        return this.nodeId;
    }
}
