package org.apache.hadoop.hbase.security.token;

import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.crypto.SecretKey;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.Stoppable;
import org.apache.hadoop.hbase.classification.InterfaceAudience;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
import org.apache.hadoop.hbase.zookeeper.ZKClusterId;
import org.apache.hadoop.hbase.zookeeper.ZKLeaderManager;
import org.apache.hadoop.hbase.zookeeper.ZKUtil;
import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hive.org.apache.commons.logging.Log;
import org.apache.hive.org.apache.commons.logging.LogFactory;
import org.apache.hive.org.apache.zookeeper.KeeperException;

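/**
 * Manages the secret keys used to sign and verify HBase authentication tokens.
 *
 * <p>Keys live in {@code allKeys}, indexed by key id. A single instance is elected "key master"
 * through {@link LeaderElector}; only that instance rolls and expires keys and writes the changes
 * out through {@link ZKSecretWatcher}. Every other instance has keys handed to it through
 * {@link #addKey} and {@link #removeKey} (presumably by the watcher, which receives {@code this}
 * in the constructor; confirm against {@code ZKSecretWatcher}).
 *
 * <p>Thread-safety: key mutations are {@code synchronized}. {@code currentKey} and the elector's
 * flags are {@code volatile} because they are also read without the lock
 * ({@link #createPassword}, {@link #getCurrentKey}, the elector loop).
 */
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/security/token/AuthenticationTokenSecretManager.class */
public class AuthenticationTokenSecretManager extends SecretManager<AuthenticationTokenIdentifier> {
    static final String NAME_PREFIX = "SecretManager-";
    private static final Log LOG = LogFactory.getLog(AuthenticationTokenSecretManager.class);

    // Time of the last key roll; written by rollCurrentKey(), read by the elector loop.
    private volatile long lastKeyUpdate;
    // How long a key stays current before the master rolls a new one (same clock as above).
    private final long keyUpdateInterval;
    // Lifetime given to every issued token; also the grace period a retired key is kept for.
    private final long tokenMaxLifetime;
    private final ZKSecretWatcher zkWatcher;
    private final LeaderElector leaderElector;
    private final ZKClusterId clusterId;
    // Key used to sign new tokens. Volatile: read outside the monitor by createPassword().
    private volatile AuthenticationKey currentKey;
    // Highest key id seen so far; guarded by the instance monitor.
    private int idSeq;
    private final String name;
    private final Map<Integer, AuthenticationKey> allKeys = new ConcurrentHashMap<>();
    private final AtomicLong tokenSeq = new AtomicLong();

    /**
     * Daemon thread that competes for the "keymaster" znode and, once elected, periodically
     * expires old keys and rolls the current key.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hbase/security/token/AuthenticationTokenSecretManager$LeaderElector.class */
    public class LeaderElector extends Thread implements Stoppable {
        // Both flags are written by stop() on the caller's thread and read by run() and by the
        // synchronized key methods of the outer class, so they need cross-thread visibility.
        private volatile boolean stopped = false;
        private volatile boolean isMaster = false;
        private final ZKLeaderManager zkLeader;

        /**
         * @param zooKeeperWatcher ZooKeeper connection used for the election
         * @param str server name, stored as the leader znode's payload
         */
        public LeaderElector(ZooKeeperWatcher zooKeeperWatcher, String str) {
            setDaemon(true);
            setName("ZKSecretWatcher-leaderElector");
            String leaderZNode =
                    ZKUtil.joinZNode(AuthenticationTokenSecretManager.this.zkWatcher.getRootKeyZNode(), "keymaster");
            this.zkLeader = new ZKLeaderManager(zooKeeperWatcher, leaderZNode, Bytes.toBytes(str), this);
        }

        /** Returns whether this instance currently owns key rolling and expiry. */
        public boolean isMaster() {
            return this.isMaster;
        }

        @Override // org.apache.hadoop.hbase.Stoppable
        public boolean isStopped() {
            return this.stopped;
        }

        /**
         * Stops the election loop; gives up leadership first if this instance holds it.
         * Calling it again after the first stop is a no-op.
         *
         * @param str reason, written to the log
         */
        @Override // org.apache.hadoop.hbase.Stoppable
        public void stop(String str) {
            if (this.stopped) {
                return;
            }
            this.stopped = true;
            if (this.isMaster) {
                this.zkLeader.stepDownAsLeader();
            }
            this.isMaster = false;
            AuthenticationTokenSecretManager.LOG.info("Stopping leader election, because: " + str);
            // Wake the loop out of its sleep so it sees the stopped flag promptly.
            interrupt();
        }

        /**
         * Waits to be elected, then loops: expire old keys, roll the current key once it is
         * older than the update interval, sleep.
         */
        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            this.zkLeader.start();
            this.zkLeader.waitToBecomeLeader();
            if (this.stopped) {
                // stop() leaves isMaster false; do not overwrite that if the stop request
                // arrived while we were still waiting for leadership.
                return;
            }
            this.isMaster = true;
            while (!this.stopped) {
                long now = EnvironmentEdgeManager.currentTime();
                AuthenticationTokenSecretManager.this.removeExpiredKeys();
                long nextRollDue = AuthenticationTokenSecretManager.this.lastKeyUpdate
                        + AuthenticationTokenSecretManager.this.keyUpdateInterval;
                if (nextRollDue < now) {
                    AuthenticationTokenSecretManager.this.rollCurrentKey();
                }
                try {
                    // NOTE(review): the constant's name refers to region server metrics; the
                    // decompiler may have substituted a same-valued constant. Confirm.
                    Thread.sleep(HConstants.DEFAULT_REGIONSERVER_METRICS_PERIOD);
                } catch (InterruptedException e) {
                    // Deliberately not re-interrupting: the loop condition decides whether to
                    // exit, and a set interrupt flag would make every later sleep fail at once.
                    if (AuthenticationTokenSecretManager.LOG.isDebugEnabled()) {
                        AuthenticationTokenSecretManager.LOG.debug("Interrupted waiting for next update", e);
                    }
                }
            }
        }
    }

    /**
     * @param configuration passed to the {@link ZKSecretWatcher}
     * @param zooKeeperWatcher ZooKeeper connection shared by the watcher, elector and cluster id
     * @param str server name; used for the elector payload and as the suffix of {@link #getName()}
     * @param j key update interval
     * @param j2 maximum token lifetime
     */
    public AuthenticationTokenSecretManager(Configuration configuration, ZooKeeperWatcher zooKeeperWatcher, String str, long j, long j2) {
        // zkWatcher must be assigned before the elector is built: its constructor reads it.
        this.zkWatcher = new ZKSecretWatcher(configuration, zooKeeperWatcher, this);
        this.keyUpdateInterval = j;
        this.tokenMaxLifetime = j2;
        this.leaderElector = new LeaderElector(zooKeeperWatcher, str);
        this.name = NAME_PREFIX + str;
        this.clusterId = new ZKClusterId(zooKeeperWatcher, zooKeeperWatcher);
    }

    /**
     * Starts the ZooKeeper key watcher and then the leader election thread.
     *
     * <p>A {@code KeeperException} is only logged. If the watcher fails to start, the elector is
     * never started either and the caller gets no signal, so check {@link #isCurrentKeyRolled()}
     * before relying on token issuance.
     */
    public void start() {
        try {
            this.zkWatcher.start();
            this.leaderElector.start();
        } catch (KeeperException e) {
            LOG.error("Zookeeper initialization failed", e);
        }
    }

    /** Stops the leader election thread. */
    public void stop() {
        this.leaderElector.stop("SecretManager stopping");
    }

    /** Returns whether this instance is the elected key master. */
    public boolean isMaster() {
        return this.leaderElector.isMaster();
    }

    /** Returns {@code NAME_PREFIX} followed by the server name given to the constructor. */
    public String getName() {
        return this.name;
    }

    /**
     * Stamps the identifier with the current key id, issue and expiration dates and a sequence
     * number, then returns the password computed over the identifier bytes with the current key
     * by {@code SecretManager.createPassword(byte[], SecretKey)}.
     *
     * @param authenticationTokenIdentifier identifier to fill in and sign; modified in place
     * @return the token password
     * @throws IllegalStateException if no key has been rolled or received yet
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public byte[] createPassword(AuthenticationTokenIdentifier authenticationTokenIdentifier) {
        long now = EnvironmentEdgeManager.currentTime();
        // Read the volatile field once so the key id and the secret come from the same key.
        AuthenticationKey signingKey = this.currentKey;
        if (signingKey == null) {
            // Fail with a clear message instead of a NullPointerException on the next line.
            throw new IllegalStateException("No current authentication key is available; cannot create token password");
        }
        authenticationTokenIdentifier.setKeyId(signingKey.getKeyId());
        authenticationTokenIdentifier.setIssueDate(now);
        authenticationTokenIdentifier.setExpirationDate(now + this.tokenMaxLifetime);
        authenticationTokenIdentifier.setSequenceNumber(this.tokenSeq.getAndIncrement());
        return createPassword(authenticationTokenIdentifier.getBytes(), signingKey.getKey());
    }

    /**
     * Recomputes the password for a presented identifier using the key named by its key id.
     *
     * <p>The expiration date and key id are read from the presented identifier itself. They are
     * only trustworthy once the caller has matched the returned password against the one sent
     * with the token; that comparison happens outside this class and should be constant-time
     * (for example {@code MessageDigest.isEqual}).
     *
     * @param authenticationTokenIdentifier identifier taken from the presented token
     * @return the password the token must carry to be valid
     * @throws SecretManager.InvalidToken if the identifier is expired or names an unknown key
     */
    public byte[] retrievePassword(AuthenticationTokenIdentifier authenticationTokenIdentifier) throws SecretManager.InvalidToken {
        long now = EnvironmentEdgeManager.currentTime();
        if (authenticationTokenIdentifier.getExpirationDate() < now) {
            throw new SecretManager.InvalidToken("Token has expired");
        }
        int keyId = authenticationTokenIdentifier.getKeyId();
        AuthenticationKey verificationKey = this.allKeys.get(Integer.valueOf(keyId));
        if (verificationKey == null) {
            throw new SecretManager.InvalidToken("Unknown master key for token (id=" + authenticationTokenIdentifier.getKeyId() + ")");
        }
        return createPassword(authenticationTokenIdentifier.getBytes(), verificationKey.getKey());
    }

    /** Returns a new, empty identifier. The method name was mangled by the decompiler (see below). */
    /* renamed from: createIdentifier, reason: merged with bridge method [inline-methods] */
    public AuthenticationTokenIdentifier m14884createIdentifier() {
        return new AuthenticationTokenIdentifier();
    }

    /**
     * Issues a token for the given user. The {@code Token} constructor obtains the password from
     * this manager, so this fails if no current key exists yet.
     *
     * @param str user name placed in the identifier
     * @return the token, with its service set to the cluster id when one is known
     */
    public Token<AuthenticationTokenIdentifier> generateToken(String str) {
        Token<AuthenticationTokenIdentifier> issued = new Token<>(new AuthenticationTokenIdentifier(str), this);
        if (this.clusterId.hasId()) {
            issued.setService(new Text(this.clusterId.getId()));
        }
        return issued;
    }

    /**
     * Records a key received from elsewhere. Ignored on the key master, which creates its own
     * keys. The key becomes the current key if its id is higher than the current one.
     *
     * @param authenticationKey key to add
     * @throws IOException declared by the original signature; not thrown by this body
     */
    public synchronized void addKey(AuthenticationKey authenticationKey) throws IOException {
        if (this.leaderElector.isMaster()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Running as master, ignoring new key " + authenticationKey.getKeyId());
            }
            return;
        }
        // Only key ids are logged, never key material.
        if (LOG.isDebugEnabled()) {
            LOG.debug("Adding key " + authenticationKey.getKeyId());
        }
        int keyId = authenticationKey.getKeyId();
        this.allKeys.put(Integer.valueOf(keyId), authenticationKey);
        AuthenticationKey active = this.currentKey;
        if (active == null || keyId > active.getKeyId()) {
            this.currentKey = authenticationKey;
        }
        if (keyId > this.idSeq) {
            this.idSeq = keyId;
        }
    }

    /**
     * Forgets a key removed elsewhere. Ignored on the key master.
     *
     * @param num id of the key to drop
     * @return {@code true} if the removal was applied, {@code false} if ignored as master
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public synchronized boolean removeKey(Integer num) {
        if (this.leaderElector.isMaster()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Running as master, ignoring removed key " + num);
            }
            return false;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Removing key " + num);
        }
        this.allKeys.remove(num);
        return true;
    }

    /** Returns the key used to sign new tokens, or {@code null} if none is set yet. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthenticationKey getCurrentKey() {
        return this.currentKey;
    }

    /** Returns the key with the given id, or {@code null} if it is not known. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthenticationKey getKey(int i) {
        return this.allKeys.get(Integer.valueOf(i));
    }

    /**
     * Master only: drops every key whose expiration has passed, locally and in ZooKeeper.
     * The current key is created with expiration {@code Long.MAX_VALUE}, so it is never removed
     * here until it has been rolled.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public synchronized void removeExpiredKeys() {
        if (!this.leaderElector.isMaster()) {
            LOG.info("Skipping removeExpiredKeys() because not running as master.");
            return;
        }
        long now = EnvironmentEdgeManager.currentTime();
        // Explicit iterator so the entry can be removed while walking the map's values.
        Iterator<AuthenticationKey> keys = this.allKeys.values().iterator();
        while (keys.hasNext()) {
            AuthenticationKey candidate = keys.next();
            if (candidate.getExpiration() < now) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Removing expired key " + candidate.getKeyId());
                }
                keys.remove();
                this.zkWatcher.removeKeyFromZK(candidate);
            }
        }
    }

    /** Returns whether a current key exists, i.e. whether tokens can be issued. */
    synchronized boolean isCurrentKeyRolled() {
        return this.currentKey != null;
    }

    /**
     * Master only: generates a new current key and retires the previous one.
     *
     * <p>The retired key stays valid for one token lifetime so that tokens already signed with
     * it can still be verified until they expire.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public synchronized void rollCurrentKey() {
        if (!this.leaderElector.isMaster()) {
            LOG.info("Skipping rollCurrentKey() because not running as master.");
            return;
        }
        long now = EnvironmentEdgeManager.currentTime();
        AuthenticationKey retired = this.currentKey;
        int nextId = this.idSeq + 1;
        this.idSeq = nextId;
        // Long.MAX_VALUE: the current key does not expire until it is rolled.
        AuthenticationKey fresh = new AuthenticationKey(nextId, Long.MAX_VALUE, generateSecret());
        this.allKeys.put(Integer.valueOf(fresh.getKeyId()), fresh);
        // NOTE(review): the key becomes current locally before it is written to ZooKeeper;
        // confirm that other servers cannot be asked to verify a token before they see the key.
        this.currentKey = fresh;
        this.zkWatcher.addKeyToZK(fresh);
        this.lastKeyUpdate = now;
        if (retired != null) {
            retired.setExpiration(now + this.tokenMaxLifetime);
            this.allKeys.put(Integer.valueOf(retired.getKeyId()), retired);
            this.zkWatcher.updateKeyInZK(retired);
        }
    }

    /** Exposes {@code SecretManager.createSecretKey} to callers outside the class hierarchy. */
    public static SecretKey createSecretKey(byte[] bArr) {
        return SecretManager.createSecretKey(bArr);
    }
}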
