package com.cloudera.cmf.service.config.transform;

import com.cloudera.cmf.Constants;
import com.cloudera.cmf.model.Enums;
import com.cloudera.cmf.service.CommandUtils;
import com.cloudera.cmf.service.ConfigFilesTransform;
import com.cloudera.cmf.service.config.ConfigEvaluationContext;
import com.cloudera.cmf.service.config.ConfigEvaluator;
import com.cloudera.cmf.service.config.ConfigFile;
import com.cloudera.cmf.service.config.ConfigFileGenerator;
import com.cloudera.cmf.service.config.ConfigGenException;
import com.cloudera.cmf.service.config.ConfigSection;
import com.cloudera.cmf.service.config.EvaluatedConfig;
import com.cloudera.cmf.service.config.GenericKeyStoreConfigFileGenerator;
import com.cloudera.cmf.service.config.PasswordScriptConfigFileGenerator;
import com.cloudera.cmf.service.config.SimpleConfigFile;
import com.cloudera.cmf.service.config.SimpleConfigSection;
import com.cloudera.parcel.ParcelIdentity;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.ListIterator;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/cloudera/cmf/service/config/transform/CredentialProviderConfigTransform.class */
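/**
 * Config-file transform that moves sensitive values out of generated configuration files.
 *
 * <p>Two kinds of entry are rewritten, as decided by the {@link EvaluatedConfig} itself:
 * <ul>
 *   <li>Entries for which {@code usesCredentialProvider()} is true have their value replaced
 *       in the file by {@link #MASKED_VALUE}; the real name/value pair is collected for the
 *       keystore file, and the file gains a {@link #CREDENTIAL_PROVIDER} entry pointing at
 *       {@link #keyStoreURI}.</li>
 *   <li>Entries with a non-null alternate script name are replaced by an entry named after the
 *       alternate script whose value is the {@code altscript.sh} command line followed by a
 *       unique alias; the real value is collected for the keystore under that alias.</li>
 * </ul>
 * Entries reporting {@code isConcealed()} are never touched.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>When the JVM system property {@code com.cloudera.cmf.secure.sensitive.disable} parses as
 *       {@code true}, {@link #transform} returns immediately and values stay in the config files
 *       exactly as they were evaluated. Treat that property as a security-relevant setting.</li>
 *   <li>The debug logging in this class emits parameter names, aliases and file paths only,
 *       never the values being protected.</li>
 *   <li>The keystore password is handed to {@link GenericKeyStoreConfigFileGenerator} as given;
 *       how it is chosen and stored is outside this class, and the protection of the keystore
 *       presumably depends on it.</li>
 * </ul>
 */
public class CredentialProviderConfigTransform implements ConfigFilesTransform {
    private static final Logger LOG = LoggerFactory.getLogger(CredentialProviderConfigTransform.class);

    /** JVM system property that, when {@code true}, turns this transform into a no-op. */
    private static final String SYSTEM_DISABLE_KEY = "com.cloudera.cmf.secure.sensitive.disable";

    // NOTE(review): these four fields are public and non-final, so any caller can change the
    // keystore type/location after construction. They are kept as-is because callers outside
    // this file may read or assign them; confirm before tightening.
    public String keyStoreType;
    public String keyStoreFileName;
    public String keyStoreURI;
    public String hadoopSchemeName;

    /** Name of the config entry that points consumers at the generated keystore. */
    public static final String CREDENTIAL_PROVIDER = "hadoop.security.credential.provider.path";

    /** Placeholder written into config files in place of a value moved to the keystore. */
    public static final String MASKED_VALUE = "********";

    @VisibleForTesting
    static final String ALTSCRIPT_SHORT = "altscript.sh";

    @VisibleForTesting
    static final String ALTSCRIPT_FULL = "{{CMF_CONF_DIR}}/altscript.sh";

    private final boolean disabled;
    private final String password;

    /**
     * Creates a transform that uses the default keystore type.
     *
     * @param str password passed on to the keystore file generator
     */
    public CredentialProviderConfigTransform(String str) {
        this(str, null);
    }

    /**
     * Creates a transform for the given keystore password and type.
     *
     * @param str password passed on to the keystore file generator
     * @param str2 keystore type to use as given, or {@code null} to pick the default
     *     ({@code jceks}, or in FIPS-compliant mode {@code bcfks} unless
     *     {@code Constants.ALT_FIPS_KEYSTORE_TYPE} is non-empty)
     */
    public CredentialProviderConfigTransform(String str, String str2) {
        // Read once at construction; later changes to the property do not affect this instance.
        this.disabled = Boolean.getBoolean(SYSTEM_DISABLE_KEY);
        this.password = str;
        this.keyStoreType = (str2 != null) ? str2 : defaultKeyStoreType();
        // Locale.ROOT: the type ends up in a URI scheme and a file name, so its case mapping
        // must not depend on the JVM's default locale.
        this.hadoopSchemeName = "local" + this.keyStoreType.toLowerCase(Locale.ROOT);
        this.keyStoreFileName = "creds." + this.hadoopSchemeName;
        this.keyStoreURI = this.hadoopSchemeName + "://file/{{CMF_CONF_DIR}}/" + this.keyStoreFileName;
        LOG.debug("keystore type set to {}", this.keyStoreType.toUpperCase(Locale.ROOT));
    }

    /** Picks the keystore type used when the caller does not supply one. */
    private static String defaultKeyStoreType() {
        if (!Constants.FIPS_COMPLIANT_MODE) {
            return "jceks";
        }
        String fipsOverride = Constants.ALT_FIPS_KEYSTORE_TYPE;
        return StringUtils.isEmpty(fipsOverride) ? "bcfks" : fipsOverride.toLowerCase(Locale.ROOT);
    }

    /**
     * Builds the keystore alias for an alternate-script entry.
     *
     * @param str original config name
     * @param i index of the section the config came from (0 is the file's top level)
     * @return {@code "sec-" + i + ParcelIdentity.SEP + str}
     */
    @VisibleForTesting
    static String uniqueifyConfigName(String str, int i) {
        return "sec-" + i + ParcelIdentity.SEP + str;
    }

    /** Returns true when a config is one this transform would rewrite and has a non-empty value. */
    private static boolean isTransformable(EvaluatedConfig config) {
        return !config.isConcealed()
                && (config.usesCredentialProvider() || config.getAlternateScriptName() != null)
                && !config.getValue().isEmpty();
    }

    /** Fails fast when a config that is about to be rewritten lacks a name or a value. */
    private static void checkNameAndValue(EvaluatedConfig config) {
        // NOTE(review): the failure messages embed config.toString(). EvaluatedConfig.toString()
        // is not visible from this file; confirm it does not render the value, otherwise a
        // failed check would carry the sensitive value into the exception message.
        Preconditions.checkNotNull(config.getName(), "Null name for %s", config);
        Preconditions.checkNotNull(config.getValue(), "Null value for %s", config);
        Preconditions.checkState(!config.getName().isEmpty(), "Empty name for %s", config);
    }

    /**
     * Rewrites the config the cursor is about to return, if it is a sensitive one.
     *
     * @param file file being transformed (used for log context only)
     * @param sectionIndex 0 for the file's top-level configs, 1.. for its sections
     * @param cursor iterator positioned before the config to examine; its current element may be
     *     replaced or removed
     * @param keyStoreEntries receives the name/value pairs destined for the keystore
     * @param scriptEntries receives the aliases destined for the password script file
     * @return true only when a credential-provider entry was masked, which means the file needs
     *     a {@link #CREDENTIAL_PROVIDER} entry
     */
    private boolean transformOneConfig(SimpleConfigFile file, int sectionIndex, ListIterator<EvaluatedConfig> cursor, Set<EvaluatedConfig> keyStoreEntries, Set<EvaluatedConfig> scriptEntries) {
        EvaluatedConfig config = cursor.next();
        if (config.isConcealed()) {
            return false;
        }

        if (config.usesCredentialProvider()) {
            checkNameAndValue(config);
            if (config.getValue().isEmpty()) {
                // Nothing to protect; the empty entry stays in the file unchanged.
                return false;
            }
            // The keystore alias is the bare config name, so this path is only valid for the
            // file's top-level configs. The message names the config, never its value.
            Preconditions.checkState(sectionIndex == 0,
                    "Credential-provider config %s found in section %s; only top-level configs are supported",
                    config.getName(), sectionIndex);
            cursor.set(config.newEncryptedConfig(MASKED_VALUE));
            keyStoreEntries.add(new EvaluatedConfig(config.getName(), config.getValue()));
            LOG.debug("CredentialProvider in use for parameter {} in file {}.", config.getName(), file.getPath());
            return true;
        }

        String scriptConfigName = config.getAlternateScriptName();
        if (scriptConfigName == null) {
            return false;
        }
        checkNameAndValue(config);
        if (config.getValue().isEmpty()) {
            // Unlike the credential-provider path, an empty alternate-script entry is dropped.
            cursor.remove();
            return false;
        }
        String alias = uniqueifyConfigName(config.getName(), sectionIndex);
        keyStoreEntries.add(new EvaluatedConfig(alias, config.getValue()));
        scriptEntries.add(new EvaluatedConfig(alias, CommandUtils.CONFIG_TOP_LEVEL_DIR));
        cursor.set(new EvaluatedConfig(scriptConfigName, ALTSCRIPT_FULL + " " + alias));
        LOG.debug("CredentialProvider holding {} for use in password script for {}", alias, file.getPath());
        return false;
    }

    /**
     * Rewrites every sensitive config in one file, top level first and then each section, and
     * adds the {@link #CREDENTIAL_PROVIDER} entry when at least one value was masked.
     */
    private void transformOneFile(SimpleConfigFile file, Set<EvaluatedConfig> keyStoreEntries, Set<EvaluatedConfig> scriptEntries) {
        boolean needsProviderPath = false;

        ListIterator<EvaluatedConfig> topLevel = file.getMutableConfigs().listIterator();
        while (topLevel.hasNext()) {
            needsProviderPath |= transformOneConfig(file, 0, topLevel, keyStoreEntries, scriptEntries);
        }

        // Sections are numbered from 1 so their aliases cannot collide with top-level ones.
        int sectionIndex = 1;
        Iterator<SimpleConfigSection> sections = file.getSimpleSections().iterator();
        while (sections.hasNext()) {
            ListIterator<EvaluatedConfig> cursor = sections.next().getMutableConfigs().listIterator();
            while (cursor.hasNext()) {
                needsProviderPath |= transformOneConfig(file, sectionIndex, cursor, keyStoreEntries, scriptEntries);
            }
            sectionIndex++;
        }

        if (needsProviderPath) {
            file.addConfig(new EvaluatedConfig(CREDENTIAL_PROVIDER, this.keyStoreURI));
        }
    }

    /** Returns true when the file or any of its sections holds a config this transform rewrites. */
    private boolean hasTransformableConfigs(ConfigFile configFile) {
        // The file itself is iterated as the first section. The element type of getSections()
        // is not visible from this file, so the cast of the original code is kept.
        for (Object section : Iterables.concat(ImmutableList.of(configFile), configFile.getSections())) {
            for (EvaluatedConfig config : ((ConfigSection) section).getConfigs()) {
                if (isTransformable(config)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Replaces every file that holds sensitive configs by a rewritten {@link SimpleConfigFile}
     * copy, keeping the generator that was registered for the original file.
     */
    private void transformAllFiles(Map<ConfigFile, ConfigFileGenerator> map, Set<EvaluatedConfig> keyStoreEntries, Set<EvaluatedConfig> scriptEntries) {
        // Replacements are staged and added after the loop; inserting into the map while its
        // entry set is being iterated is not allowed.
        Map<ConfigFile, ConfigFileGenerator> replacements = new HashMap<>();
        Iterator<Map.Entry<ConfigFile, ConfigFileGenerator>> entries = map.entrySet().iterator();
        while (entries.hasNext()) {
            Map.Entry<ConfigFile, ConfigFileGenerator> entry = entries.next();
            ConfigFile original = entry.getKey();
            if (!hasTransformableConfigs(original)) {
                continue;
            }
            entries.remove();
            SimpleConfigFile rewritten = new SimpleConfigFile(original);
            replacements.put(rewritten, entry.getValue());
            transformOneFile(rewritten, keyStoreEntries, scriptEntries);
        }
        map.putAll(replacements);
    }

    /**
     * Rewrites the sensitive entries of all files in {@code map} and registers the generated
     * keystore file and, when needed, the password script file.
     *
     * <p>Does nothing when the transform was disabled through the system property read at
     * construction time; in that case values remain in the config files as evaluated.
     *
     * @param configEvaluationContext evaluation context; may be {@code null}, in which case no
     *     additional credentials are collected
     * @param map files to generate, keyed by file; modified in place
     * @throws ConfigGenException propagated from collecting the additional credentials
     */
    @Override // com.cloudera.cmf.service.ConfigFilesTransform
    public void transform(ConfigEvaluationContext configEvaluationContext, Map<ConfigFile, ConfigFileGenerator> map) throws ConfigGenException {
        if (this.disabled) {
            return;
        }
        Set<EvaluatedConfig> keyStoreEntries = new HashSet<>();
        Set<EvaluatedConfig> scriptEntries = new HashSet<>();
        transformAllFiles(map, keyStoreEntries, scriptEntries);
        generateAdditionalCredentials(configEvaluationContext, keyStoreEntries);

        if (!keyStoreEntries.isEmpty()) {
            ConfigFileGenerator keyStoreGenerator = new GenericKeyStoreConfigFileGenerator(this.keyStoreFileName, this.password, this.keyStoreType);
            SimpleConfigFile keyStoreFile = new SimpleConfigFile(this.keyStoreFileName);
            keyStoreFile.addAll(Lists.newArrayList(keyStoreEntries));
            map.put(keyStoreFile, keyStoreGenerator);
        }

        if (scriptEntries.isEmpty()) {
            return;
        }
        // The script generator receives the keystore file name and type, not the password.
        ConfigFileGenerator scriptGenerator = new PasswordScriptConfigFileGenerator(ALTSCRIPT_SHORT, this.keyStoreFileName, this.keyStoreType);
        SimpleConfigFile scriptFile = new SimpleConfigFile(ALTSCRIPT_SHORT);
        scriptFile.addAll(Lists.newArrayList(scriptEntries));
        map.put(scriptFile, scriptGenerator);
    }

    /**
     * Adds to the keystore set the sensitive configs produced by the explicit credential-provider
     * evaluators of the context. Only runs for a non-null context whose scope is
     * {@code ROLE}.
     *
     * @throws ConfigGenException propagated from the evaluators
     */
    private void generateAdditionalCredentials(ConfigEvaluationContext configEvaluationContext, Set<EvaluatedConfig> keyStoreEntries) throws ConfigGenException {
        if (configEvaluationContext == null || configEvaluationContext.getScope() != Enums.ConfigScope.ROLE) {
            return;
        }
        Iterator<ConfigEvaluator> evaluators = configEvaluationContext.getRh().getExplicitCredProvEvaluators(configEvaluationContext).iterator();
        while (evaluators.hasNext()) {
            for (EvaluatedConfig config : evaluators.next().evaluateConfig(configEvaluationContext)) {
                if (isTransformable(config)) {
                    keyStoreEntries.add(config);
                }
            }
        }
    }
}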
