package com.cloudera.cmf.security.components;

import com.cloudera.api.internal.KerberosCredentials;
import com.cloudera.cmf.CommandRunner;
import com.cloudera.cmf.Constants;
import com.cloudera.cmf.Environment;
import com.cloudera.cmf.cdhclient.util.SecurityUtil;
import com.cloudera.cmf.model.DbCluster;
import com.cloudera.cmf.model.DbCredential;
import com.cloudera.cmf.model.DbRole;
import com.cloudera.cmf.persist.CmfEntityManager;
import com.cloudera.cmf.service.ClusterHandler;
import com.cloudera.cmf.service.ConditionalErrorParamSpecValidator;
import com.cloudera.cmf.service.ReplicationUtils;
import com.cloudera.cmf.service.SecurityParams;
import com.cloudera.cmf.service.ServiceDataProvider;
import com.cloudera.cmf.service.ServiceHandler;
import com.cloudera.cmf.service.Validator;
import com.cloudera.cmf.service.config.BooleanParamSpec;
import com.cloudera.cmf.service.config.CMURLEvaluator;
import com.cloudera.cmf.service.config.ConditionalEvaluator;
import com.cloudera.cmf.service.config.ConfigGenException;
import com.cloudera.cmf.service.scm.ScmParams;
import com.cloudera.enterprise.config.ZipUtil;
import com.cloudera.server.common.KerberosAuthentication;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import com.google.common.io.Files;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.UnknownHostException;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Scope;
import org.springframework.stereotype.Component;

@Scope("singleton")
@Component
/* loaded from: input_file:com/cloudera/cmf/security/components/SecurityUtils.class */
public class SecurityUtils {

    @VisibleForTesting
    public static final String TGTGEN_FILE_NAME = "gen_tgt.sh";
    public static final String KRB5_CONF_ENV = "KRB5_CONFIG";
    public static final String KRB5_CONF_JVM = "java.security.krb5.conf";
    public static final String KRB5_CONF_DEFAULT = "/etc/krb5.conf";
    public static final String HADOOP_HOST_WILDCARD = "_HOST";
    private static final Logger LOG = LoggerFactory.getLogger(SecurityUtils.class);
    private static final String SCM_KEYTAB_FILENAME = Environment.getConfDir() + "/scm.keytab";

    /* loaded from: input_file:com/cloudera/cmf/security/components/SecurityUtils$RunnableWithKrb5Conf.class */
    public interface RunnableWithKrb5Conf<T> {
        T run(String str) throws Exception;
    }

    private static String getKrb5ConfFromEnv() {
        return System.getenv(KRB5_CONF_ENV) != null ? System.getenv(KRB5_CONF_ENV) : System.getProperty(KRB5_CONF_JVM, KRB5_CONF_DEFAULT);
    }

    public String getRolePrincipal(ServiceDataProvider serviceDataProvider, CmfEntityManager cmfEntityManager, DbRole dbRole) {
        ServiceHandler serviceHandler = serviceDataProvider.getServiceHandlerRegistry().get(dbRole.getService());
        if (serviceHandler.requiresCredentials(cmfEntityManager, dbRole.getService())) {
            return (String) Preconditions.checkNotNull(serviceHandler.getRoleHandler(dbRole.getRoleType()).getRequiredPrincipals(dbRole, null).get(KerberosAuthentication.KERBEROS_ROLE_PRINCIPAL));
        }
        return null;
    }

    public String getRealmFromPrincipal(String str) {
        int lastIndexOf = str.lastIndexOf(64);
        if (lastIndexOf == -1 || lastIndexOf == str.length() - 1) {
            throw new IllegalArgumentException(String.format("Principal '%s' does not specify a realm", str));
        }
        return str.substring(lastIndexOf + 1);
    }

    public String getUserFromPrincipal(String str) {
        int indexOf = str.indexOf(47);
        if (indexOf <= 0) {
            throw new IllegalArgumentException(String.format("Malformed principal '%s'", str));
        }
        return str.substring(0, indexOf);
    }

    public KerberosCredentials getCredentialsForRole(ServiceDataProvider serviceDataProvider, CmfEntityManager cmfEntityManager, DbRole dbRole) {
        String rolePrincipal = getRolePrincipal(serviceDataProvider, cmfEntityManager, dbRole);
        if (rolePrincipal == null) {
            throw new IllegalArgumentException(String.format("Could not find a principal for role %s in service %s.", dbRole.getName(), dbRole.getService().getName()));
        }
        if (dbRole.getMergedKeytab() == null) {
            throw new IllegalArgumentException(String.format("Could not find the keytab for role %s in service %s.", dbRole.getName(), dbRole.getService().getName()));
        }
        try {
            return new KerberosCredentials(rolePrincipal, generateTgt(rolePrincipal, dbRole.getMergedKeytab()));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public KerberosCredentials getCredentialsFromReplicationConfig(ServiceDataProvider serviceDataProvider) {
        KerberosCredentials kerberosCredentials = new KerberosCredentials();
        String customPrincipalName = ReplicationUtils.getCustomPrincipalName(serviceDataProvider.getScmParamTrackerStore());
        if (customPrincipalName == null) {
            LOG.debug("getCredentialsFromReplicationConfig failed: Custom principal name not defined in ScmParams");
            return null;
        }
        kerberosCredentials.setPrincipal(customPrincipalName);
        try {
            byte[] customKerberosKeytab = ReplicationUtils.getCustomKerberosKeytab(serviceDataProvider.getScmParamTrackerStore());
            if (customKerberosKeytab == null) {
                LOG.debug("getCredentialsFromReplicationConfig failed: Custom kerberos keytab not defined in ScmParams");
                return null;
            }
            kerberosCredentials.setTgt(generateTgt(customPrincipalName, customKerberosKeytab));
            return kerberosCredentials;
        } catch (IOException e) {
            LOG.error("Failed to generate keytab from ScmParams", e);
            return null;
        } catch (InterruptedException e2) {
            LOG.error("Failed to generate keytab from ScmParams", e2);
            return null;
        }
    }

    @VisibleForTesting
    String getRunKeytabDir() {
        return Environment.getRunKeytabDir();
    }

    private byte[] generateTgt(String str, byte[] bArr) throws IOException, InterruptedException {
        try {
            File createTempDir = SecurityUtil.createTempDir(getRunKeytabDir());
            setOwnerOnlyReadWrite(createTempDir);
            File file = new File(createTempDir, "input.keytab");
            Preconditions.checkState(file.createNewFile(), "Cannot create new file at " + file.getAbsolutePath());
            setOwnerOnlyReadWrite(file);
            FileUtils.writeByteArrayToFile(file, bArr);
            File file2 = new File(createTempDir, "output.tgt");
            ArrayList arrayList = new ArrayList();
            arrayList.add(((File) Preconditions.checkNotNull(getScriptFile(TGTGEN_FILE_NAME), "Tgt generation script not found!")).getAbsolutePath());
            arrayList.add(file2.getAbsolutePath());
            arrayList.add(str);
            arrayList.add(file.getAbsolutePath());
            CommandRunner.CommandResult runCommand = runCommand(arrayList);
            if (runCommand.retcode != 0) {
                throw new IOException(String.format("Tgt generation for principal '%s' failed with exit code '%d' and output of <<\n%s\n>>", str, Integer.valueOf(runCommand.retcode), runCommand.stderr));
            }
            if (!file2.exists() || !file2.canRead()) {
                throw new IOException("Cannot access generated tgt file " + file2.getAbsolutePath());
            }
            byte[] byteArray = Files.toByteArray(file2);
            if (createTempDir != null) {
                FileUtils.deleteDirectory(createTempDir);
            }
            return byteArray;
        } catch (Throwable th) {
            if (0 != 0) {
                FileUtils.deleteDirectory((File) null);
            }
            throw th;
        }
    }

    @VisibleForTesting
    public CommandRunner.CommandResult runCommand(List<String> list) throws IOException {
        return CommandRunner.run(list);
    }

    public File getScriptFile(String str) throws IOException {
        File file = new File(new File(new File(Environment.getHomeDir()), "bin"), str);
        if (file.canExecute()) {
            return file;
        }
        File createTempFile = createTempFile("cmf_script_", str);
        createTempFile.deleteOnExit();
        copyScriptFromResource(createTempFile, str);
        return createTempFile;
    }

    private void copyScriptFromResource(File file, String str) throws IOException {
        InputStream resourceAsStream = SecurityUtils.class.getResourceAsStream("/com/cloudera/cmf/security/" + str);
        if (resourceAsStream == null) {
            throw new IOException("Could not open script file: " + str);
        }
        FileUtils.copyInputStreamToFile(resourceAsStream, file);
        file.setExecutable(true, true);
    }

    public File createTempFile(String str, String str2) throws IOException {
        try {
            return File.createTempFile(str, str2, new File(Environment.getRunDir()));
        } catch (IOException e) {
            return File.createTempFile(str, str2);
        }
    }

    public void setOwnerOnlyReadWrite(File file) {
        if (!file.setReadable(false, false) || !file.setReadable(true) || !file.setWritable(false, false) || !file.setWritable(true) || !file.setExecutable(false, false) || (file.isDirectory() && !file.setExecutable(true))) {
            throw new IllegalArgumentException("Cannot change permissions for " + file.getAbsolutePath());
        }
    }

    public <T> T runWithGenerateKrb5Conf(ServiceDataProvider serviceDataProvider, RunnableWithKrb5Conf<T> runnableWithKrb5Conf) throws Exception {
        String krb5ConfFromEnv;
        boolean booleanValue = ((Boolean) serviceDataProvider.getScmParamTrackerStore().get(ScmParams.KRB_MANAGE_KRB5_CONF)).booleanValue();
        File file = null;
        if (booleanValue) {
            ClusterHandler clusterHandlerByVersion = serviceDataProvider.getServiceHandlerRegistry().getClusterHandlerByVersion(5L);
            CmfEntityManager cmfEntityManager = new CmfEntityManager(serviceDataProvider.getEntityManagerFactory());
            try {
                try {
                    cmfEntityManager.beginForRollbackAndReadonly();
                    byte[] bArr = (byte[]) Iterables.getOnlyElement(ZipUtil.unzipToBytes(clusterHandlerByVersion.getClientConfigHandler().buildClientConfig(new DbCluster("unused", 5L))).values());
                    file = createTempFile("krb5", ".conf");
                    krb5ConfFromEnv = file.getAbsolutePath();
                    FileOutputStream fileOutputStream = new FileOutputStream(file);
                    fileOutputStream.write(bArr);
                    fileOutputStream.flush();
                    fileOutputStream.close();
                    cmfEntityManager.close();
                } catch (ConfigGenException e) {
                    throw new RuntimeException(e);
                }
            } catch (Throwable th) {
                cmfEntityManager.close();
                throw th;
            }
        } else {
            krb5ConfFromEnv = getKrb5ConfFromEnv();
        }
        try {
            T run = runnableWithKrb5Conf.run(krb5ConfFromEnv);
            if (booleanValue) {
                FileUtils.deleteQuietly(file);
            }
            return run;
        } catch (Throwable th2) {
            if (booleanValue) {
                FileUtils.deleteQuietly(file);
            }
            throw th2;
        }
    }

    public static Validator getSecureWebUIValidator(ServiceDataProvider serviceDataProvider) {
        return getSecureWebUIValidator(serviceDataProvider, SecurityParams.SECURE_WEB_UI);
    }

    public static Validator getSecureWebUIValidator(ServiceDataProvider serviceDataProvider, BooleanParamSpec booleanParamSpec) {
        return ConditionalErrorParamSpecValidator.builder(serviceDataProvider, booleanParamSpec, booleanParamSpec.getTemplateName(), SecurityParams.SECURE_WEB_UI_NOT_ENABLED).condition(ConditionalEvaluator.and(ConditionalEvaluator.kerberos(), ConditionalEvaluator.paramEvaluatesToValue(booleanParamSpec, false))).warnOnly().build();
    }

    public static String getScmHttpPrincipal(ServiceDataProvider serviceDataProvider) throws UnknownHostException {
        String canonicalHostName;
        URL cmUrl;
        if (Constants.SCM_HA_MODE) {
            CmfEntityManager currentCmfEntityManager = CmfEntityManager.currentCmfEntityManager();
            if (currentCmfEntityManager == null) {
                try {
                    CmfEntityManager cmfEntityManager = new CmfEntityManager(serviceDataProvider.getEntityManagerFactory());
                    Throwable th = null;
                    try {
                        try {
                            cmfEntityManager.beginForRollbackAndReadonly();
                            cmUrl = CMURLEvaluator.getCmUrl(cmfEntityManager);
                            if (cmfEntityManager != null) {
                                if (0 != 0) {
                                    try {
                                        cmfEntityManager.close();
                                    } catch (Throwable th2) {
                                        th.addSuppressed(th2);
                                    }
                                } else {
                                    cmfEntityManager.close();
                                }
                            }
                        } finally {
                        }
                    } finally {
                    }
                } catch (MalformedURLException e) {
                    throw new UnknownHostException(e.getMessage());
                }
            } else {
                try {
                    cmUrl = CMURLEvaluator.getCmUrl(currentCmfEntityManager);
                } catch (MalformedURLException e2) {
                    throw new UnknownHostException(e2.getMessage());
                }
            }
            canonicalHostName = cmUrl.getHost();
        } else {
            canonicalHostName = InetAddress.getLocalHost().getCanonicalHostName();
        }
        return String.format("HTTP/%s@%s", canonicalHostName, (String) serviceDataProvider.getScmParamTrackerStore().get(ScmParams.SECURITY_REALM));
    }

    public static String getScmHttpKeytabFile(ServiceDataProvider serviceDataProvider) {
        String str = (String) serviceDataProvider.getScmParamTrackerStore().get(ScmParams.KRB_AUTH_KEYTAB);
        return StringUtils.isEmpty(str) ? SCM_KEYTAB_FILENAME : str;
    }

    public static void writeScmHttpKeytab(CmfEntityManager cmfEntityManager, ServiceDataProvider serviceDataProvider) {
        DbCredential dbCredential = null;
        try {
            dbCredential = cmfEntityManager.findCredentialByPrincipal(getScmHttpPrincipal(serviceDataProvider));
        } catch (UnknownHostException e) {
            LOG.warn("Failed to generate SCM HTTP principal: ", e);
        }
        if (dbCredential == null) {
            throw new IllegalStateException("Could not retrieve SCM HTTP principal");
        }
        try {
            Path path = new File(SCM_KEYTAB_FILENAME).toPath();
            java.nio.file.Files.deleteIfExists(path);
            Path createFile = java.nio.file.Files.createFile(path, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
            java.nio.file.Files.write(createFile, dbCredential.getKeytab(), new OpenOption[0]);
            LOG.info("Wrote SCM HTTP keytab to: " + createFile);
        } catch (IOException e2) {
            throw new IllegalStateException("Failed to write SCM HTTP keytab:", e2);
        }
    }

    public static Set<String> getScmPrincipals(ServiceDataProvider serviceDataProvider) {
        HashSet newHashSet = Sets.newHashSet();
        boolean booleanValue = ((Boolean) serviceDataProvider.getScmParamTrackerStore().get(ScmParams.KRB_AUTH_ENABLE)).booleanValue();
        String str = (String) serviceDataProvider.getScmParamTrackerStore().get(ScmParams.KRB_AUTH_PRINCIPAL);
        String str2 = (String) serviceDataProvider.getScmParamTrackerStore().get(ScmParams.KRB_AUTH_KEYTAB);
        if (booleanValue && StringUtils.isEmpty(str) && StringUtils.isEmpty(str2)) {
            try {
                String scmHttpPrincipal = getScmHttpPrincipal(serviceDataProvider);
                LOG.debug("Determined HTTP principal for CM host to be: " + scmHttpPrincipal);
                newHashSet.add(scmHttpPrincipal);
            } catch (UnknownHostException e) {
                LOG.warn("Failed to generate CM HTTP principal:", e);
            }
        }
        return newHashSet;
    }

    public static String getIpaAdminuser(ServiceDataProvider serviceDataProvider) {
        return "cmadmin-" + serviceDataProvider.getCMGuid().substring(0, 8);
    }
}
