package org.apache.hadoop.hbase.ipc;

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutput;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.SocketTimeoutException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
import javax.net.SocketFactory;
import javax.security.sasl.SaslException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.client.UserProvider;
import org.apache.hadoop.hbase.ipc.HBaseClient;
import org.apache.hadoop.hbase.security.HBaseSaslRpcClient;
import org.apache.hadoop.hbase.security.HBaseSaslRpcServer;
import org.apache.hadoop.hbase.security.KerberosInfo;
import org.apache.hadoop.hbase.security.TokenInfo;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenIdentifier;
import org.apache.hadoop.hbase.security.token.AuthenticationTokenSelector;
import org.apache.hadoop.hbase.thrift.TBoundedThreadPoolServer;
import org.apache.hadoop.io.DataOutputBuffer;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.io.Writable;
import org.apache.hadoop.io.WritableUtils;
import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.TokenSelector;
import org.apache.hadoop.util.ReflectionUtils;

/* loaded from: input_file:org/apache/hadoop/hbase/ipc/SecureClient.class */
public class SecureClient extends HBaseClient {
    public static final String IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY = "hbase.ipc.client.fallback-to-simple-auth-allowed";
    public static final boolean IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_DEFAULT = false;
    private final boolean fallbackAllowed;
    private UserProvider userProvider;
    private static final Log LOG = LogFactory.getLog("org.apache.hadoop.ipc.SecureClient");
    protected static Map<String, TokenSelector<? extends TokenIdentifier>> tokenHandlers = new HashMap();

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/hadoop/hbase/ipc/SecureClient$SecureConnection.class */
    public class SecureConnection extends HBaseClient.Connection {
        private InetSocketAddress server;
        private String serverPrincipal;
        private SecureConnectionHeader header;
        private HBaseSaslRpcServer.AuthMethod authMethod;
        private boolean useSasl;
        private Token<? extends TokenIdentifier> token;
        private HBaseSaslRpcClient saslRpcClient;
        private int reloginMaxBackoff;

        public SecureConnection(HBaseClient.ConnectionId connectionId) throws IOException {
            super(connectionId);
            this.server = connectionId.getAddress();
            User ticket = connectionId.getTicket();
            Class<? extends VersionedProtocol> protocol = connectionId.getProtocol();
            this.useSasl = SecureClient.this.userProvider.isHBaseSecurityEnabled();
            if (this.useSasl && protocol != null) {
                TokenInfo tokenInfo = (TokenInfo) protocol.getAnnotation(TokenInfo.class);
                if (tokenInfo != null) {
                    TokenSelector<? extends TokenIdentifier> tokenSelector = SecureClient.tokenHandlers.get(tokenInfo.value());
                    if (tokenSelector != null) {
                        this.token = tokenSelector.selectToken(new Text(SecureClient.this.clusterId), ticket.getUGI().getTokens());
                    } else if (SecureClient.LOG.isDebugEnabled()) {
                        SecureClient.LOG.debug("No token selector found for type " + tokenInfo.value());
                    }
                }
                KerberosInfo kerberosInfo = (KerberosInfo) protocol.getAnnotation(KerberosInfo.class);
                if (kerberosInfo != null) {
                    String serverPrincipal = kerberosInfo.serverPrincipal();
                    if (serverPrincipal == null) {
                        throw new IOException("Can't obtain server Kerberos config key from KerberosInfo");
                    }
                    this.serverPrincipal = SecurityUtil.getServerPrincipal(SecureClient.this.conf.get(serverPrincipal), this.server.getAddress().getCanonicalHostName().toLowerCase());
                    if (SecureClient.LOG.isDebugEnabled()) {
                        SecureClient.LOG.debug("RPC Server Kerberos principal name for protocol=" + protocol.getCanonicalName() + " is " + this.serverPrincipal);
                    }
                }
            }
            if (!this.useSasl) {
                this.authMethod = HBaseSaslRpcServer.AuthMethod.SIMPLE;
            } else if (this.token != null) {
                this.authMethod = HBaseSaslRpcServer.AuthMethod.DIGEST;
            } else {
                this.authMethod = HBaseSaslRpcServer.AuthMethod.KERBEROS;
            }
            this.header = new SecureConnectionHeader(protocol == null ? null : protocol.getName(), ticket, this.authMethod);
            if (SecureClient.LOG.isDebugEnabled()) {
                SecureClient.LOG.debug("Use " + this.authMethod + " authentication for protocol " + protocol.getSimpleName());
            }
            this.reloginMaxBackoff = SecureClient.this.conf.getInt("hbase.security.relogin.maxbackoff", TBoundedThreadPoolServer.TIME_TO_WAIT_AFTER_SHUTDOWN_MS);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public synchronized void disposeSasl() {
            if (this.saslRpcClient != null) {
                try {
                    this.saslRpcClient.dispose();
                    this.saslRpcClient = null;
                } catch (IOException e) {
                    SecureClient.LOG.info("Error disposing of SASL client", e);
                }
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public synchronized boolean shouldAuthenticateOverKrb() throws IOException {
            UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            return this.authMethod == HBaseSaslRpcServer.AuthMethod.KERBEROS && loginUser != null && loginUser.hasKerberosCredentials() && (loginUser.equals(currentUser) || loginUser.equals(currentUser.getRealUser()));
        }

        /* JADX INFO: Access modifiers changed from: private */
        public synchronized boolean setupSaslConnection(InputStream inputStream, OutputStream outputStream) throws IOException {
            this.saslRpcClient = new HBaseSaslRpcClient(this.authMethod, this.token, this.serverPrincipal, SecureClient.this.fallbackAllowed);
            return this.saslRpcClient.saslConnect(inputStream, outputStream);
        }

        private synchronized void handleSaslConnectionFailure(final int i, final int i2, final Exception exc, final Random random, User user) throws IOException, InterruptedException {
            user.runAs(new PrivilegedExceptionAction<Object>() { // from class: org.apache.hadoop.hbase.ipc.SecureClient.SecureConnection.1
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws IOException, InterruptedException {
                    SecureConnection.this.closeConnection();
                    if (!SecureConnection.this.shouldAuthenticateOverKrb()) {
                        SecureClient.LOG.warn("Exception encountered while connecting to the server : " + exc);
                        if (exc instanceof RemoteException) {
                            throw exc;
                        }
                        if (!(exc instanceof SaslException)) {
                            throw new IOException(exc);
                        }
                        SecureClient.LOG.fatal("SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.", exc);
                        throw new RuntimeException("SASL authentication failed. The most likely cause is missing or invalid credentials. Consider 'kinit'.", exc);
                    }
                    if (i >= i2) {
                        String str = "Couldn't setup connection for " + UserGroupInformation.getLoginUser().getUserName() + " to " + SecureConnection.this.serverPrincipal;
                        SecureClient.LOG.warn(str);
                        throw ((IOException) new IOException(str).initCause(exc));
                    }
                    SecureClient.LOG.debug("Exception encountered while connecting to the server : " + exc);
                    if (UserGroupInformation.isLoginKeytabBased()) {
                        UserGroupInformation.getLoginUser().reloginFromKeytab();
                    } else {
                        UserGroupInformation.getLoginUser().reloginFromTicketCache();
                    }
                    SecureConnection.this.disposeSasl();
                    Thread.sleep(random.nextInt(SecureConnection.this.reloginMaxBackoff) + 1);
                    return null;
                }
            });
        }

        @Override // org.apache.hadoop.hbase.ipc.HBaseClient.Connection
        protected synchronized void setupIOstreams() throws IOException, InterruptedException {
            final InputStream inputStream;
            final OutputStream outputStream;
            UserGroupInformation ugi;
            if (this.socket != null || this.shouldCloseConnection.get()) {
                return;
            }
            try {
                if (SecureClient.LOG.isDebugEnabled()) {
                    SecureClient.LOG.debug("Connecting to " + this.server);
                }
                short s = 0;
                Random random = null;
                while (true) {
                    setupConnection();
                    inputStream = NetUtils.getInputStream(this.socket);
                    outputStream = NetUtils.getOutputStream(this.socket, SecureClient.this.pingInterval);
                    writeRpcHeader(outputStream);
                    if (!this.useSasl) {
                        break;
                    }
                    User ticket = this.remoteId.getTicket();
                    if (this.authMethod == HBaseSaslRpcServer.AuthMethod.KERBEROS && (ugi = ticket.getUGI()) != null && ugi.getRealUser() != null) {
                        ticket = SecureClient.this.userProvider.create(ugi.getRealUser());
                    }
                    try {
                        if (((Boolean) ticket.runAs(new PrivilegedExceptionAction<Boolean>() { // from class: org.apache.hadoop.hbase.ipc.SecureClient.SecureConnection.2
                            /* JADX WARN: Can't rename method to resolve collision */
                            @Override // java.security.PrivilegedExceptionAction
                            public Boolean run() throws IOException {
                                return Boolean.valueOf(SecureConnection.this.setupSaslConnection(inputStream, outputStream));
                            }
                        })).booleanValue()) {
                            inputStream = this.saslRpcClient.getInputStream(inputStream);
                            outputStream = this.saslRpcClient.getOutputStream(outputStream);
                        } else {
                            this.authMethod = HBaseSaslRpcServer.AuthMethod.SIMPLE;
                            this.header = new SecureConnectionHeader(this.header.getProtocol(), this.header.getUser(), this.authMethod);
                            this.useSasl = false;
                        }
                    } catch (Exception e) {
                        SecureServer.checkJCEKeyStrength();
                        if (random == null) {
                            random = new Random();
                        }
                        try {
                            short s2 = s;
                            s = (short) (s + 1);
                            handleSaslConnectionFailure(s2, 5, e, random, ticket);
                        } catch (InterruptedException e2) {
                            throw new IOException(e2);
                        }
                    }
                }
                this.in = new DataInputStream(new BufferedInputStream(new HBaseClient.Connection.PingInputStream(inputStream)));
                this.out = new DataOutputStream(new BufferedOutputStream(outputStream));
                writeHeader();
                touch();
                start();
            } catch (IOException e3) {
                markClosed(e3);
                close();
                throw e3;
            }
        }

        private void writeRpcHeader(OutputStream outputStream) throws IOException {
            DataOutputStream dataOutputStream = new DataOutputStream(new BufferedOutputStream(outputStream));
            dataOutputStream.write(SecureServer.HEADER.array());
            dataOutputStream.write(4);
            this.authMethod.write(dataOutputStream);
            dataOutputStream.flush();
        }

        private void writeHeader() throws IOException {
            DataOutput dataOutputBuffer = new DataOutputBuffer();
            this.header.write(dataOutputBuffer);
            int length = dataOutputBuffer.getLength();
            this.out.writeInt(length);
            this.out.write(dataOutputBuffer.getData(), 0, length);
        }

        @Override // org.apache.hadoop.hbase.ipc.HBaseClient.Connection
        protected void receiveResponse() {
            if (this.shouldCloseConnection.get()) {
                return;
            }
            touch();
            try {
                try {
                    int readInt = this.in.readInt();
                    if (SecureClient.LOG.isDebugEnabled()) {
                        SecureClient.LOG.debug(getName() + " got value #" + readInt);
                    }
                    HBaseClient.Call call = this.calls.get(Integer.valueOf(readInt));
                    int readInt2 = this.in.readInt();
                    if (SecureClient.LOG.isDebugEnabled()) {
                        SecureClient.LOG.debug("call #" + readInt + " state is " + readInt2);
                    }
                    if (readInt2 == Status.SUCCESS.state) {
                        Writable writable = (Writable) ReflectionUtils.newInstance(SecureClient.this.valueClass, SecureClient.this.conf);
                        writable.readFields(this.in);
                        if (SecureClient.LOG.isDebugEnabled()) {
                            SecureClient.LOG.debug("call #" + readInt + ", response is:\n" + writable.toString());
                        }
                        if (call != null) {
                            call.setValue(writable);
                        }
                    } else if (readInt2 == Status.ERROR.state) {
                        if (call != null) {
                            call.setException(new RemoteException(WritableUtils.readString(this.in), WritableUtils.readString(this.in)));
                        }
                    } else if (readInt2 == Status.FATAL.state) {
                        RemoteException remoteException = new RemoteException(WritableUtils.readString(this.in), WritableUtils.readString(this.in));
                        if (call != null) {
                            call.setException(remoteException);
                        }
                        markClosed(remoteException);
                    }
                    this.calls.remove(Integer.valueOf(readInt));
                    if (this.remoteId.rpcTimeout > 0) {
                        cleanupCalls(this.remoteId.rpcTimeout);
                    }
                } catch (IOException e) {
                    if (!(e instanceof SocketTimeoutException) || this.remoteId.rpcTimeout <= 0) {
                        markClosed(e);
                    } else {
                        this.closeException = e;
                    }
                    if (this.remoteId.rpcTimeout > 0) {
                        cleanupCalls(this.remoteId.rpcTimeout);
                    }
                }
            } catch (Throwable th) {
                if (this.remoteId.rpcTimeout > 0) {
                    cleanupCalls(this.remoteId.rpcTimeout);
                }
                throw th;
            }
        }

        @Override // org.apache.hadoop.hbase.ipc.HBaseClient.Connection
        protected synchronized void close() {
            if (!this.shouldCloseConnection.get()) {
                SecureClient.LOG.error("The connection is not in the closed state");
                return;
            }
            synchronized (SecureClient.this.connections) {
                SecureClient.this.connections.remove(this.remoteId, this);
            }
            IOUtils.closeStream(this.out);
            IOUtils.closeStream(this.in);
            disposeSasl();
            if (this.closeException != null) {
                if (SecureClient.LOG.isDebugEnabled()) {
                    SecureClient.LOG.debug("closing ipc connection to " + this.server + ": " + this.closeException.getMessage(), this.closeException);
                }
                cleanupCalls();
            } else if (!this.calls.isEmpty()) {
                SecureClient.LOG.warn("A connection is closed for no cause and calls are not empty");
                this.closeException = new IOException("Unexpected closed connection");
                cleanupCalls();
            }
            if (SecureClient.LOG.isDebugEnabled()) {
                SecureClient.LOG.debug(getName() + ": closed");
            }
        }
    }

    public SecureClient(Class<? extends Writable> cls, Configuration configuration, SocketFactory socketFactory, UserProvider userProvider) {
        super(cls, configuration, socketFactory);
        this.fallbackAllowed = configuration.getBoolean(IPC_CLIENT_FALLBACK_TO_SIMPLE_AUTH_ALLOWED_KEY, false);
        if (LOG.isDebugEnabled()) {
            LOG.debug("fallbackAllowed=" + this.fallbackAllowed);
        }
        this.userProvider = userProvider;
    }

    public SecureClient(Class<? extends Writable> cls, Configuration configuration, UserProvider userProvider) {
        this(cls, configuration, NetUtils.getDefaultSocketFactory(configuration), userProvider);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hadoop.hbase.ipc.HBaseClient
    public SecureConnection createConnection(HBaseClient.ConnectionId connectionId) throws IOException {
        return new SecureConnection(connectionId);
    }

    static {
        tokenHandlers.put(AuthenticationTokenIdentifier.AUTH_TOKEN_TYPE.toString(), new AuthenticationTokenSelector());
    }
}
