package com.cloudera.cmf.security;

import com.beust.jcommander.internal.Sets;
import com.cloudera.api.DeleteCredentialsMode;
import com.cloudera.cmf.CommandRunner;
import com.cloudera.cmf.Environment;
import com.cloudera.cmf.command.CommandHelpers;
import com.cloudera.cmf.command.DeleteCredentialsCmdArgs;
import com.cloudera.cmf.event.CommandEventCode;
import com.cloudera.cmf.model.DbCommand;
import com.cloudera.cmf.model.DbCredential;
import com.cloudera.cmf.model.DbNull;
import com.cloudera.cmf.model.DbRole;
import com.cloudera.cmf.model.DbService;
import com.cloudera.cmf.model.Enums;
import com.cloudera.cmf.model.RoleState;
import com.cloudera.cmf.persist.CmfEntityManager;
import com.cloudera.cmf.security.components.SecurityUtils;
import com.cloudera.cmf.service.AbstractGatewayRoleHandler;
import com.cloudera.cmf.service.CommandException;
import com.cloudera.cmf.service.CommandUtils;
import com.cloudera.cmf.service.RoleHandler;
import com.cloudera.cmf.service.ServiceDataProvider;
import com.cloudera.cmf.service.ServiceHandler;
import com.cloudera.cmf.service.ServiceHandlerRegistry;
import com.cloudera.cmf.service.config.ParamSpecUtils;
import com.cloudera.cmf.service.mgmt.MgmtServiceHandler;
import com.cloudera.cmf.service.scm.ScmParams;
import com.cloudera.server.web.common.I18n;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.Future;
import org.apache.commons.io.FileUtils;
import org.apache.cxf.common.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/cloudera/cmf/security/DeleteCredentialsCommand.class */
public class DeleteCredentialsCommand extends AbstractCredentialsCommand<DeleteCredentialsCmdArgs> {
    public static final String COMMAND_NAME = "DeleteCredentials";
    static final String MSG_PREFIX = "message.command.deleteCredentials";
    static final String KDC_TYPE = "KDC_TYPE";
    private static final String DELCREDS_FILE_NAME = "delete_credentials.sh";
    private static final String DELCREDS_AD_FILE_NAME = "delete_credentials_ad.sh";
    private static final String DELCREDS_IPA_FILE_NAME = "delete_credentials_ipa.sh";
    private File DELCREDS_FILE;
    private final ConcurrentMap<Long, Future<CredentialsToDelete>> runningCommands;

    @VisibleForTesting
    static final CommandHelpers.AsynchronousCommandResultProcessor<CredentialsToDelete> RESULT_PROCESSOR = new CommandHelpers.AsynchronousCommandResultProcessor<CredentialsToDelete>() { // from class: com.cloudera.cmf.security.DeleteCredentialsCommand.1
        @Override // com.cloudera.cmf.command.CommandHelpers.AsynchronousCommandResultProcessor
        public void processResult(CmfEntityManager cmfEntityManager, CredentialsToDelete credentialsToDelete) {
            cmfEntityManager.flush();
            if (credentialsToDelete.deleteAllGlobal) {
                DeleteCredentialsCommand.LOG.info("Deleted from Credentials " + cmfEntityManager.deleteAllCredentials() + " items.");
                DeleteCredentialsCommand.LOG.info("Cleared " + cmfEntityManager.clearRoleKeytabs() + " keytabs of roles.");
                return;
            }
            cmfEntityManager.deleteCredentialsList(credentialsToDelete.existingPrincipals);
            DeleteCredentialsCommand.LOG.info("Deleted from credentials " + credentialsToDelete.existingPrincipals.size() + "items.");
            if (credentialsToDelete.clusterName != null) {
                DeleteCredentialsCommand.LOG.info("Cleared " + cmfEntityManager.clearRoleKeytabsByCluster(cmfEntityManager.findClusterByName(credentialsToDelete.clusterName)) + " keytabs of roles.");
            }
        }
    };
    private static Logger LOG = LoggerFactory.getLogger(DeleteCredentialsCommand.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/cloudera/cmf/security/DeleteCredentialsCommand$CredentialsToDelete.class */
    public static class CredentialsToDelete {
        public List<String> existingPrincipals = Lists.newArrayList();
        public boolean deleteAllGlobal = false;
        public String clusterName = null;

        CredentialsToDelete() {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void setupScripts(Map<String, String> map) throws IOException {
        if (ScmParams.AD_KDC.equals(map.get("KDC_TYPE"))) {
            this.DELCREDS_FILE = getUtils().getScriptFile(DELCREDS_AD_FILE_NAME);
        } else if (ScmParams.MIT_KDC.equals(map.get("KDC_TYPE"))) {
            this.DELCREDS_FILE = getUtils().getScriptFile(DELCREDS_FILE_NAME);
        } else if (ScmParams.IPA_KDC.equals(map.get("KDC_TYPE"))) {
            this.DELCREDS_FILE = getUtils().getScriptFile(DELCREDS_IPA_FILE_NAME);
        }
    }

    private List<Long> checkRoleState(CmfEntityManager cmfEntityManager, DbCommand dbCommand, List<DbRole> list) {
        ArrayList newArrayList = Lists.newArrayList();
        for (DbRole dbRole : list) {
            if (dbRole.getMergedKeytab() != null && dbRole.getConfiguredStatusEnum() != RoleState.STOPPED && dbRole.getConfiguredStatusEnum() != RoleState.NA) {
                LOG.error("DeleteCredentialsCommand failed because affected roles are not stopped");
                CommandHelpers.failCmd(dbCommand, I18n.t("message.deleteCredentials.badRoleState", dbRole.getDisplayName()));
                return null;
            }
            if (dbRole.getMergedKeytab() != null) {
                newArrayList.add(dbRole.getId());
            }
        }
        return newArrayList;
    }

    private CredentialsToDelete findCredentials(CmfEntityManager cmfEntityManager, DbCommand dbCommand) throws IllegalStateException {
        CredentialsToDelete credentialsToDelete = new CredentialsToDelete();
        credentialsToDelete.deleteAllGlobal = true;
        List<Long> checkRoleState = checkRoleState(cmfEntityManager, dbCommand, cmfEntityManager.findAllRoles());
        if (checkRoleState == null) {
            return credentialsToDelete;
        }
        Iterator it = cmfEntityManager.findAllCredentials().iterator();
        while (it.hasNext()) {
            credentialsToDelete.existingPrincipals.add(((DbCredential) it.next()).getPrincipal());
        }
        if (credentialsToDelete.existingPrincipals.isEmpty() && checkRoleState.isEmpty()) {
            dbCommand.finish(Enums.CommandState.FINISHED, true, I18n.t("message.command.deleteCredentials.noop"));
        }
        return credentialsToDelete;
    }

    private CredentialsToDelete findAllCredentialsByCluster(CmfEntityManager cmfEntityManager, DbCommand dbCommand) throws IllegalStateException {
        DeleteCredentialsCmdArgs deleteCredentialsCmdArgs = (DeleteCredentialsCmdArgs) CommandUtils.getCmdArguments(dbCommand);
        List<DbService> findServicesInCluster = cmfEntityManager.findServicesInCluster(cmfEntityManager.findClusterByName(deleteCredentialsCmdArgs.getClusterName()));
        CredentialsToDelete credentialsToDelete = new CredentialsToDelete();
        List<Long> checkRoleState = checkRoleState(cmfEntityManager, dbCommand, cmfEntityManager.findRolesInCluster(cmfEntityManager.findClusterByName(deleteCredentialsCmdArgs.getClusterName())));
        if (checkRoleState == null) {
            return credentialsToDelete;
        }
        credentialsToDelete.existingPrincipals.addAll(getUsedCredentials(cmfEntityManager, findServicesInCluster));
        credentialsToDelete.existingPrincipals.removeAll(getUsedCredentials(cmfEntityManager, cmfEntityManager.findServicesByType(MgmtServiceHandler.SERVICE_TYPE)));
        credentialsToDelete.clusterName = deleteCredentialsCmdArgs.getClusterName();
        if (credentialsToDelete.existingPrincipals.isEmpty() && checkRoleState.isEmpty()) {
            dbCommand.finish(Enums.CommandState.FINISHED, true, I18n.t("message.command.deleteCredentials.noop"));
        }
        return credentialsToDelete;
    }

    private List<String> getUsedCredentials(CmfEntityManager cmfEntityManager, List<DbService> list) {
        ArrayList newArrayList = Lists.newArrayList();
        ServiceHandlerRegistry serviceHandlerRegistry = this.sdp.getServiceHandlerRegistry();
        for (DbService dbService : list) {
            ServiceHandler serviceHandler = serviceHandlerRegistry.get(dbService);
            if (serviceHandler.requiresCredentials(cmfEntityManager, dbService)) {
                Set newHashSet = Sets.newHashSet();
                for (RoleHandler roleHandler : serviceHandler.getRoleHandlers()) {
                    for (DbRole dbRole : dbService.getRolesWithType(roleHandler.getRoleName())) {
                        if (requiresKeytab(cmfEntityManager, roleHandler, dbRole)) {
                            newHashSet.addAll(roleHandler.getRequiredPrincipals(dbRole, null).values());
                        }
                    }
                }
                Iterator it = cmfEntityManager.findCredentialsByPrincipals(Lists.newArrayList(newHashSet)).iterator();
                while (it.hasNext()) {
                    newArrayList.add(((DbCredential) it.next()).getPrincipal());
                }
            }
        }
        return newArrayList;
    }

    private CredentialsToDelete findUnusedCredentials(CmfEntityManager cmfEntityManager, DbCommand dbCommand) throws IllegalStateException {
        ArrayList newArrayList = Lists.newArrayList();
        Iterator it = cmfEntityManager.findAllCredentials().iterator();
        while (it.hasNext()) {
            newArrayList.add(((DbCredential) it.next()).getPrincipal());
        }
        CredentialsToDelete credentialsToDelete = new CredentialsToDelete();
        newArrayList.removeAll(getUsedCredentials(cmfEntityManager, cmfEntityManager.findAllServices()));
        credentialsToDelete.existingPrincipals = newArrayList;
        if (credentialsToDelete.existingPrincipals.isEmpty()) {
            dbCommand.finish(Enums.CommandState.FINISHED, true, I18n.t("message.command.deleteCredentials.noop"));
        }
        credentialsToDelete.deleteAllGlobal = false;
        return credentialsToDelete;
    }

    public static boolean requiresKeytab(CmfEntityManager cmfEntityManager, RoleHandler roleHandler, DbRole dbRole) {
        return !(roleHandler instanceof AbstractGatewayRoleHandler) && roleHandler.requiresCredentials(cmfEntityManager, dbRole);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public CredentialsToDelete deleteExistingCreds(ServiceHandlerRegistry serviceHandlerRegistry, Map<String, String> map, CredentialsToDelete credentialsToDelete) throws Exception {
        LOG.info("Deleting credentials");
        if (!StringUtils.isEmpty((String) this.sdp.getScmParamTrackerStore().get(ScmParams.GEN_KEYTAB_SCRIPT))) {
            LOG.info("Using custom script to maintain credentials. It's enough to clear credentials from CM.");
            return credentialsToDelete;
        }
        Iterator<String> it = credentialsToDelete.existingPrincipals.iterator();
        while (it.hasNext()) {
            deleteCred(it.next(), map);
        }
        return credentialsToDelete;
    }

    private void deleteCred(String str, Map<String, String> map) throws IOException, InterruptedException {
        if (Environment.getDevMode()) {
            return;
        }
        ArrayList arrayList = new ArrayList();
        arrayList.add(this.DELCREDS_FILE.getAbsolutePath());
        arrayList.add(str);
        CommandRunner.CommandResult run = CommandRunner.run(arrayList, (InputStream) null, map);
        int i = run.retcode;
        if (i != 0) {
            String str2 = run.stderr;
            if (map.containsKey("SIMPLE_AUTH_PASSWORD_KEY")) {
                str2 = str2.replace(map.get("SIMPLE_AUTH_PASSWORD_KEY"), ParamSpecUtils.REDACTED);
            }
            throw new IOException(this.DELCREDS_FILE + " failed with exit code " + i + " and output of <<\n" + str2 + "\n>>");
        }
    }

    public DeleteCredentialsCommand(ServiceDataProvider serviceDataProvider) {
        super(serviceDataProvider);
        this.DELCREDS_FILE = null;
        this.runningCommands = Maps.newConcurrentMap();
    }

    @VisibleForTesting
    DeleteCredentialsCommand(ServiceDataProvider serviceDataProvider, KerberosCredentialsReader kerberosCredentialsReader) {
        super(serviceDataProvider, kerberosCredentialsReader);
        this.DELCREDS_FILE = null;
        this.runningCommands = Maps.newConcurrentMap();
    }

    @VisibleForTesting
    protected Callable<CredentialsToDelete> createCallable(final CredentialsToDelete credentialsToDelete) {
        return new Callable<CredentialsToDelete>() { // from class: com.cloudera.cmf.security.DeleteCredentialsCommand.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public CredentialsToDelete call() throws Exception {
                return (CredentialsToDelete) AbstractCredentialsCommand.getUtils().runWithGenerateKrb5Conf(DeleteCredentialsCommand.this.sdp, new SecurityUtils.RunnableWithKrb5Conf<CredentialsToDelete>() { // from class: com.cloudera.cmf.security.DeleteCredentialsCommand.2.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // com.cloudera.cmf.security.components.SecurityUtils.RunnableWithKrb5Conf
                    public CredentialsToDelete run(String str) throws Exception {
                        Map<String, String> map = null;
                        try {
                            map = DeleteCredentialsCommand.this.setupEnv();
                            DeleteCredentialsCommand.this.setupScripts(map);
                            map.put(SecurityUtils.KRB5_CONF_ENV, str);
                            CredentialsToDelete deleteExistingCreds = DeleteCredentialsCommand.this.deleteExistingCreds(DeleteCredentialsCommand.this.sdp.getServiceHandlerRegistry(), map, credentialsToDelete);
                            if (map != null && Boolean.TRUE.toString().equals(map.get(KerberosCredentialsReader.DELETE_ADMIN_KEYTAB_AT_END))) {
                                FileUtils.deleteQuietly(new File(map.get(KerberosCredentialsReader.CMF_KEYTAB_FILE_KEY)));
                            }
                            return deleteExistingCreds;
                        } catch (Throwable th) {
                            if (map != null && Boolean.TRUE.toString().equals(map.get(KerberosCredentialsReader.DELETE_ADMIN_KEYTAB_AT_END))) {
                                FileUtils.deleteQuietly(new File(map.get(KerberosCredentialsReader.CMF_KEYTAB_FILE_KEY)));
                            }
                            throw th;
                        }
                    }
                });
            }
        };
    }

    @Override // com.cloudera.cmf.command.CommandHandler
    public void abort(DbCommand dbCommand) throws CommandException {
        synchronized (this) {
            CommandHelpers.abortAsynchronousCommand(dbCommand, this.runningCommands, MSG_PREFIX);
        }
    }

    @Override // com.cloudera.cmf.command.CommandHandler
    public void update(CmfEntityManager cmfEntityManager, DbCommand dbCommand) {
        if (this.runningCommands.isEmpty() || this.runningCommands.containsKey(dbCommand.getId())) {
            if (!this.runningCommands.containsKey(dbCommand.getId())) {
                DeleteCredentialsCmdArgs deleteCredentialsCmdArgs = (DeleteCredentialsCmdArgs) CommandUtils.getCmdArguments(dbCommand);
                CredentialsToDelete findCredentials = deleteCredentialsCmdArgs.getClusterName() == null ? deleteCredentialsCmdArgs.getMode() == DeleteCredentialsMode.ALL ? findCredentials(cmfEntityManager, dbCommand) : findUnusedCredentials(cmfEntityManager, dbCommand) : findAllCredentialsByCluster(cmfEntityManager, dbCommand);
                if (!dbCommand.isActive()) {
                    return;
                } else {
                    this.runningCommands.put(dbCommand.getId(), this.execService.submit(createCallable(findCredentials)));
                }
            }
            synchronized (this) {
                CommandHelpers.updateAsynchronousCommand(dbCommand, this.runningCommands, MSG_PREFIX, RESULT_PROCESSOR);
            }
        }
    }

    @Override // com.cloudera.cmf.service.AbstractCommandHandler, com.cloudera.cmf.command.BasicCommandHandler
    public boolean isAvailable(DbNull dbNull) {
        Iterator it = CmfEntityManager.currentCmfEntityManager().findCommandsByName(getName()).iterator();
        while (it.hasNext()) {
            if (!this.runningCommands.containsKey(((DbCommand) it.next()).getId())) {
                return false;
            }
        }
        return true;
    }

    @VisibleForTesting
    ConcurrentMap<Long, Future<CredentialsToDelete>> getRunningCommands() {
        return this.runningCommands;
    }

    @Override // com.cloudera.cmf.command.CommandHandler
    public String getName() {
        return COMMAND_NAME;
    }

    @Override // com.cloudera.cmf.command.CommandHandler
    public CommandEventCode getCommandEventCode() {
        return CommandEventCode.EV_DELETE_CREDENTIALS;
    }

    @Override // com.cloudera.cmf.command.CommandHandler
    public String getDisplayName() {
        return I18n.t("message.command.deleteCredentials.name");
    }

    @Override // com.cloudera.cmf.command.CommandHandler
    public String getHelp() {
        return I18n.t("message.command.deleteCredentials.help");
    }

    @Override // com.cloudera.cmf.command.BasicCommandHandler
    public DbCommand execute(DbNull dbNull, DeleteCredentialsCmdArgs deleteCredentialsCmdArgs, DbCommand dbCommand) {
        DbCommand createCommand = CommandUtils.createCommand(getName());
        CommandUtils.storeCmdArguments(createCommand, deleteCredentialsCmdArgs);
        CmfEntityManager.currentCmfEntityManager().persistCommand(createCommand);
        createCommand.setParent(dbCommand);
        return createCommand;
    }
}
