package com.cloudera.keytrustee;

import com.cloudera.keytrustee.ClouderaKeyStore;
import com.cloudera.keytrustee.dao.DaoManager;
import com.cloudera.keytrustee.dao.DaoUtil;
import com.cloudera.keytrustee.util.Environment;
import com.cloudera.keytrustee.util.HSMKeyProviderConfiguration;
import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.io.OutputStream;
import java.net.URI;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.crypto.spec.SecretKeySpec;
import javax.jdo.JDOHelper;
import javax.jdo.PersistenceManagerFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderFactory;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.security.ProviderUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:com/cloudera/keytrustee/ClouderaKeyStoreProvider.class */
public class ClouderaKeyStoreProvider extends KeyProvider {
    private static final String KEY_METADATA = "ClouderaKeyMetadata";
    public static final String SCHEME_NAME = "ccse";
    public static final String KEYSTORE_PASSWORD_FILE_KEY = "hadoop.security.keystore.java-keystore-provider.password-file";
    public static final String KEYSTORE_PASSWORD_ENV_VAR = "HADOOP_KEYSTORE_PASSWORD";
    private final URI uri;
    private final Path path;
    private final FileSystem fs;
    private FsPermission permissions;
    private ClouderaKeyStore keyStore;
    private char[] masterKey;
    private String password;
    private boolean changed;
    private Lock readLock;
    private Lock writeLock;
    private final Map<String, KeyProvider.Metadata> cache;
    public static Properties dbConnectionProperties = new Properties();
    private static final Logger LOG = LoggerFactory.getLogger(ClouderaKeyStoreProvider.class);
    public static final char[] KEYSTORE_PASSWORD_DEFAULT = "none".toCharArray();

    /* loaded from: input_file:com/cloudera/keytrustee/ClouderaKeyStoreProvider$ClouderaKeyMetadata.class */
    public static class ClouderaKeyMetadata extends KeyProvider.Metadata {
        public ClouderaKeyMetadata(String str, int i, String str2, Map<String, String> map, Date date, int i2) {
            super(str, i, str2, map, date, i2);
        }

        public ClouderaKeyMetadata(ClouderaKeyStore.MetadataKeyEntry metadataKeyEntry) {
            super(metadataKeyEntry.getCipher_field(), metadataKeyEntry.getBit_length(), metadataKeyEntry.getDescription(), metadataKeyEntry.getAttributes(), metadataKeyEntry.getDate(), metadataKeyEntry.getVersion_number());
        }

        public static ClouderaKeyStore.MetadataKeyEntry toKeyMetadata(KeyProvider.Metadata metadata) {
            return new ClouderaKeyStore.MetadataKeyEntry(metadata.getCipher(), metadata.getBitLength(), metadata.getDescription(), metadata.getAttributes(), metadata.getCreated(), metadata.getVersions() + HSMKeyProviderConfiguration.DB_PASSWORD_DEFAULT, 1);
        }
    }

    /* loaded from: input_file:com/cloudera/keytrustee/ClouderaKeyStoreProvider$ClouderaKeyVersion.class */
    public static class ClouderaKeyVersion extends KeyProvider.KeyVersion {
        public ClouderaKeyVersion(String str, String str2, byte[] bArr) {
            super(str, str2, bArr);
        }
    }

    /* loaded from: input_file:com/cloudera/keytrustee/ClouderaKeyStoreProvider$Factory.class */
    public static class Factory extends KeyProviderFactory {
        public KeyProvider createProvider(URI uri, Configuration configuration) throws IOException {
            if (ClouderaKeyStoreProvider.SCHEME_NAME.equals(uri.getScheme())) {
                return new ClouderaKeyStoreProvider(uri, configuration);
            }
            return null;
        }
    }

    public static void setProperties(Properties properties) {
        properties.put("javax.jdo.option.ConnectionURL", "jdbc:h2:mem:ckms");
        properties.put("javax.jdo.option.ConnectionDriverName", "org.h2.Driver");
        properties.put("javax.jdo.option.ConnectionUserName", "postgres");
        properties.put("javax.jdo.option.ConnectionPassword", HSMKeyProviderConfiguration.DB_PASSWORD_DEFAULT);
        properties.put("javax.jdo.option.Mapping", "h2");
    }

    @VisibleForTesting
    ClouderaKeyStoreProvider(ClouderaKeyStoreProvider clouderaKeyStoreProvider) {
        super(new Configuration());
        this.password = "password";
        this.changed = false;
        this.cache = new HashMap();
        this.uri = clouderaKeyStoreProvider.uri;
        this.path = clouderaKeyStoreProvider.path;
        this.fs = clouderaKeyStoreProvider.fs;
        this.permissions = clouderaKeyStoreProvider.permissions;
        this.keyStore = clouderaKeyStoreProvider.keyStore;
        this.password = clouderaKeyStoreProvider.password;
        this.changed = clouderaKeyStoreProvider.changed;
        this.readLock = clouderaKeyStoreProvider.readLock;
        this.writeLock = clouderaKeyStoreProvider.writeLock;
    }

    public ClouderaKeyStoreProvider(URI uri, Configuration configuration) throws IOException {
        this(null, uri, configuration);
    }

    public ClouderaKeyStoreProvider(Environment environment, URI uri, Configuration configuration) throws IOException {
        super(configuration);
        this.password = "password";
        this.changed = false;
        this.cache = new HashMap();
        this.uri = uri;
        this.path = ProviderUtils.unnestUri(uri);
        this.fs = this.path.getFileSystem(configuration);
        setProperties(dbConnectionProperties);
        PersistenceManagerFactory persistenceManagerFactory = JDOHelper.getPersistenceManagerFactory(dbConnectionProperties, "ckms");
        if (LOG.isInfoEnabled()) {
            LOG.info("Connection to database [" + persistenceManagerFactory.getConnectionURL() + "] using [" + persistenceManagerFactory.getConnectionDriverName() + "] driver.");
        }
        DaoManager daoManager = new DaoManager();
        daoManager.setPersistenceManagerFactory(persistenceManagerFactory);
        this.keyStore = new ClouderaKeyStore(daoManager);
        ClouderaMasterKey clouderaMasterKey = new ClouderaMasterKey(daoManager);
        clouderaMasterKey.generateKey(this.password);
        try {
            this.masterKey = clouderaMasterKey.getMasterKey(this.password).toCharArray();
            ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock(true);
            this.readLock = reentrantReadWriteLock.readLock();
            this.writeLock = reentrantReadWriteLock.writeLock();
        } catch (Throwable th) {
            throw new IOException("Could not retrieve master key: " + th.getMessage());
        }
    }

    public boolean needsPassword() throws IOException {
        return null == ProviderUtils.locatePassword("HADOOP_KEYSTORE_PASSWORD", getConf().get("hadoop.security.keystore.java-keystore-provider.password-file"));
    }

    public String noPasswordWarning() {
        return ProviderUtils.noPasswordWarning("HADOOP_KEYSTORE_PASSWORD", "hadoop.security.keystore.java-keystore-provider.password-file");
    }

    public String noPasswordError() {
        return ProviderUtils.noPasswordError("HADOOP_KEYSTORE_PASSWORD", "hadoop.security.keystore.java-keystore-provider.password-file");
    }

    public KeyProvider.KeyVersion getCurrentKey(String str) throws IOException {
        KeyProvider.Metadata metadata = getMetadata(str);
        String latestVersion = this.keyStore.getLatestVersion(str);
        if (metadata == null) {
            return null;
        }
        return getKeyVersion(str, latestVersion);
    }

    public KeyProvider.KeyVersion getKeyVersion(String str) throws IOException {
        this.readLock.lock();
        SecretKeySpec secretKeySpec = null;
        try {
            try {
                try {
                    try {
                        if (!this.keyStore.engineContainsAlias(str)) {
                            this.keyStore.engineLoad(null, this.masterKey);
                            if (!this.keyStore.engineContainsAlias(str)) {
                                return null;
                            }
                        }
                        secretKeySpec = (SecretKeySpec) this.keyStore.engineGetKey(str, this.masterKey);
                        if (secretKeySpec == null) {
                            this.readLock.unlock();
                            return null;
                        }
                        ClouderaKeyVersion clouderaKeyVersion = new ClouderaKeyVersion(getBaseName(str), str, secretKeySpec.getEncoded());
                        this.readLock.unlock();
                        return clouderaKeyVersion;
                    } catch (CertificateException e) {
                        throw new IOException("Certificate exception storing key", e);
                    }
                } catch (UnrecoverableKeyException e2) {
                    throw new IOException("Can't recover key " + secretKeySpec, e2);
                }
            } catch (NoSuchAlgorithmException e3) {
                throw new IOException("Can't get algorithm for key " + secretKeySpec, e3);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    public KeyProvider.KeyVersion getKeyVersion(String str, String str2) throws IOException {
        this.readLock.lock();
        SecretKeySpec secretKeySpec = null;
        try {
            try {
                try {
                    if (!this.keyStore.engineContainsAlias(str)) {
                        this.keyStore.engineLoad(null, this.masterKey);
                        if (!this.keyStore.engineContainsAlias(str)) {
                            return null;
                        }
                    }
                    secretKeySpec = (SecretKeySpec) this.keyStore.engineGetKey(str2, this.masterKey);
                    if (secretKeySpec == null) {
                        this.readLock.unlock();
                        return null;
                    }
                    ClouderaKeyVersion clouderaKeyVersion = new ClouderaKeyVersion(str, str2, secretKeySpec.getEncoded());
                    this.readLock.unlock();
                    return clouderaKeyVersion;
                } catch (NoSuchAlgorithmException e) {
                    throw new IOException("Can't get algorithm for key " + secretKeySpec, e);
                }
            } catch (UnrecoverableKeyException e2) {
                throw new IOException("Can't recover key " + secretKeySpec, e2);
            } catch (CertificateException e3) {
                throw new IOException("Certificate exception storing key", e3);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    public List<String> getKeys() throws IOException {
        new ArrayList();
        HashSet hashSet = new HashSet();
        reloadKeys();
        Enumeration<String> engineAliases = this.keyStore.engineAliases();
        while (engineAliases.hasMoreElements()) {
            String nextElement = engineAliases.nextElement();
            hashSet.add(nextElement.substring(0, nextElement.indexOf("@")));
        }
        return new ArrayList(hashSet);
    }

    public List<KeyProvider.KeyVersion> getKeyVersions(String str) throws IOException {
        this.readLock.lock();
        try {
            ArrayList arrayList = new ArrayList();
            if (getMetadata(str) != null) {
                Iterator<String> it = this.keyStore.getVersions(str).iterator();
                while (it.hasNext()) {
                    KeyProvider.KeyVersion keyVersion = getKeyVersion(str, it.next());
                    if (keyVersion != null) {
                        arrayList.add(keyVersion);
                    }
                }
            }
            return arrayList;
        } finally {
            this.readLock.unlock();
        }
    }

    public KeyProvider.Metadata getMetadata(String str) throws IOException {
        try {
            try {
                this.readLock.lock();
                if (this.cache.containsKey(str)) {
                    KeyProvider.Metadata metadata = this.cache.get(str);
                    this.readLock.unlock();
                    return metadata;
                }
                try {
                    if (!this.keyStore.engineContainsAlias(str)) {
                        this.keyStore.engineLoad(null, this.masterKey);
                        if (!this.keyStore.engineContainsAlias(str)) {
                            return null;
                        }
                    }
                    ClouderaKeyStore.MetadataKeyEntry engineGetMetadata = this.keyStore.engineGetMetadata(str, this.masterKey);
                    if (engineGetMetadata == null) {
                        this.readLock.unlock();
                        return null;
                    }
                    ClouderaKeyMetadata clouderaKeyMetadata = new ClouderaKeyMetadata(engineGetMetadata);
                    this.cache.put(str, clouderaKeyMetadata);
                    this.readLock.unlock();
                    return clouderaKeyMetadata;
                } catch (NoSuchAlgorithmException e) {
                    throw new IOException("Can't get algorithm for " + str, e);
                }
            } catch (Exception e2) {
                throw new IOException("Please try again ", e2);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    public KeyProvider.KeyVersion createKey(String str, byte[] bArr, KeyProvider.Options options) throws IOException {
        reloadKeys();
        if (this.keyStore.engineContainsAlias(str) || this.cache.containsKey(str)) {
            throw new IOException("Key " + str + " already exists");
        }
        ClouderaKeyMetadata clouderaKeyMetadata = new ClouderaKeyMetadata(options.getCipher(), options.getBitLength(), options.getDescription(), options.getAttributes(), new Date(), 1);
        if (options.getBitLength() != 8 * bArr.length) {
            throw new IOException("Wrong key length. Required " + options.getBitLength() + ", but got " + (8 * bArr.length));
        }
        this.cache.put(str, clouderaKeyMetadata);
        return innerSetKeyVersion(str, bArr, clouderaKeyMetadata.getCipher(), clouderaKeyMetadata.getBitLength(), clouderaKeyMetadata.getDescription(), DaoUtil.genUuid(), clouderaKeyMetadata.getAttributes());
    }

    KeyProvider.KeyVersion innerSetKeyVersion(String str, byte[] bArr, String str2, int i, String str3, String str4, Map<String, String> map) throws IOException {
        try {
            this.keyStore.addKeyEntry(str, new SecretKeySpec(bArr, str2), this.masterKey, str2, i, str3, str4, map);
            this.changed = true;
            return new ClouderaKeyVersion(str, str4, bArr);
        } catch (KeyStoreException e) {
            throw new IOException("Can't store key " + str, e);
        }
    }

    public void deleteKey(String str) throws IOException {
        reloadKeys();
        KeyProvider.Metadata metadata = getMetadata(str);
        if (metadata == null) {
            throw new IOException("Key " + str + " does not exist");
        }
        for (int i = 0; i < metadata.getVersions(); i++) {
            String buildVersionName = buildVersionName(str, i);
            try {
                if (this.keyStore.engineContainsAlias(buildVersionName)) {
                    this.keyStore.engineDeleteEntry(buildVersionName);
                }
            } catch (KeyStoreException e) {
                throw new IOException("Problem removing " + buildVersionName, e);
            }
        }
        try {
            if (this.keyStore.engineContainsAlias(str)) {
                this.keyStore.engineDeleteEntry(str);
            }
            this.cache.remove(str);
            this.changed = true;
        } catch (KeyStoreException e2) {
            throw new IOException("Problem removing " + str + " from " + this, e2);
        }
    }

    public KeyProvider.KeyVersion rollNewVersion(String str, byte[] bArr) throws IOException {
        reloadKeys();
        KeyProvider.Metadata metadata = getMetadata(str);
        if (metadata == null) {
            throw new IOException("Key " + str + " not found");
        }
        if (metadata.getBitLength() != 8 * bArr.length) {
            throw new IOException("Wrong key length. Required " + metadata.getBitLength() + ", but got " + (8 * bArr.length));
        }
        return innerSetKeyVersion(str, bArr, metadata.getCipher(), metadata.getBitLength(), metadata.getDescription(), DaoUtil.genUuid(), metadata.getAttributes());
    }

    public void flush() throws IOException {
        try {
            if (this.changed) {
                for (Map.Entry<String, KeyProvider.Metadata> entry : this.cache.entrySet()) {
                }
                try {
                    this.keyStore.engineStore((OutputStream) null, this.masterKey);
                    reloadKeys();
                    this.changed = false;
                } catch (NoSuchAlgorithmException e) {
                    throw new IOException("No such algorithm storing key", e);
                } catch (CertificateException e2) {
                    throw new IOException("Certificate exception storing key", e2);
                }
            }
        } catch (IOException e3) {
            reloadKeys();
            throw e3;
        }
    }

    private void loadKeys(char[] cArr) throws NoSuchAlgorithmException, CertificateException, IOException {
        this.keyStore.engineLoad(null, cArr);
    }

    private void reloadKeys() throws IOException {
        try {
            this.cache.clear();
            loadKeys(this.masterKey);
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("Can't load Keys");
        } catch (CertificateException e2) {
            throw new IOException("Can't load Keys");
        }
    }

    public String toString() {
        return this.uri.toString();
    }
}
