package com.cloudera.enterprise.distcp.util;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.InetSocketAddress;
import java.net.URL;
import java.security.AccessController;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;

/* loaded from: input_file:com/cloudera/enterprise/distcp/util/SecurityUtils.class */
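/**
 * Static helpers that move Hadoop delegation tokens and the credential-store
 * password between a job's {@link Credentials} and the current user or thread.
 *
 * <p>Everything handled here is secret material: serialized delegation tokens
 * and the credential-store password. None of the log statements in this class
 * print token contents or the password; keep it that way when editing.
 */
public class SecurityUtils {
    private static final Log LOG = LogFactory.getLog(SecurityUtils.class);
    public static final Text HADOOP_CREDSTORE_PASSWORD = new Text("HADOOP_CREDSTORE_PASSWORD");
    private static final Text REMOTE_CLUSTER_TOKENS_KEY = new Text("distcp.remote.cluster.tokens.key");

    /** Service-name prefix of the HA delegation tokens this class knows how to split. */
    private static final String HA_HDFS_SERVICE_PREFIX = "ha-hdfs:";

    /**
     * Replaces every HA nameservice token in {@code collection} with one copy per
     * namenode of that nameservice; all other tokens are passed through unchanged.
     *
     * @param collection tokens to process
     * @param configuration configuration used to look up the namenode RPC addresses
     * @return a new list holding the per-namenode copies and the untouched tokens
     * @throws IOException declared for callers; nothing in this body throws it directly
     */
    public static Collection<Token<?>> replaceHATokensWithNNTokens(Collection<Token<?>> collection, Configuration configuration) throws IOException {
        List<Token<?>> result = new ArrayList<Token<?>>();
        for (Token<?> token : collection) {
            List<Token<?>> perNameNode = getNNTokensForHAToken(token, configuration);
            if (perNameNode != null) {
                result.addAll(perNameNode);
            } else {
                result.add(token);
            }
        }
        return result;
    }

    /**
     * Expands one HA nameservice token into per-namenode copies.
     *
     * <p>The nameservice name is the part of the token's service string after the
     * {@code "ha-hdfs:"} prefix. Tokens with any other service string, including
     * other {@code "ha-"} prefixed ones, are reported as "not an HA token" because
     * stripping a fixed {@code "ha-hdfs:"} length from them would yield a wrong
     * nameservice name.
     *
     * @param token the token to inspect
     * @param configuration configuration used to look up the namenode RPC addresses
     * @return one copy of {@code token} per namenode address, or {@code null} when the
     *         token is not an {@code ha-hdfs:} token or no namenode addresses are
     *         known for its nameservice (callers then keep the original token)
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    public static List<Token<?>> getNNTokensForHAToken(Token<?> token, Configuration configuration) {
        String service = token.getService().toString();
        if (!service.startsWith(HA_HDFS_SERVICE_PREFIX)) {
            return null;
        }
        Map<String, Map<String, InetSocketAddress>> haNnRpcAddresses = VersionChecker.isContextCdhPre60()
                ? Cdh52Utils.getInstance().getHaNnRpcAddresses(configuration)
                : Cdh60Utils.getInstance().getHaNnRpcAddresses(configuration);
        String nameservice = service.substring(HA_HDFS_SERVICE_PREFIX.length());
        Map<String, InetSocketAddress> nameNodes = haNnRpcAddresses == null ? null : haNnRpcAddresses.get(nameservice);
        if (nameNodes == null || nameNodes.isEmpty()) {
            // Returning null keeps the original token in place. Returning an empty list
            // would make the callers drop the HA token without any replacement.
            LOG.warn("No namenode RPC addresses found for HA nameservice " + nameservice + "; leaving its delegation token unchanged");
            return null;
        }
        List<Token<?>> result = new ArrayList<Token<?>>();
        for (InetSocketAddress address : nameNodes.values()) {
            // Copy first so the caller's token keeps its logical (nameservice) service name.
            Token copy = new Token(token);
            SecurityUtil.setTokenService(copy, address);
            result.add(copy);
            LOG.info("Mapped delegation token for HA nameservice " + nameservice + " to namenode " + address);
        }
        return result;
    }

    /**
     * Serializes {@code credentials2} (the remote cluster's credentials) and stores
     * the bytes as a secret key inside {@code credentials} (the job's credentials).
     *
     * <p>The stored bytes are the full token storage of {@code credentials2}, so
     * whoever can read the job's secret keys can read those tokens as well.
     *
     * @param credentials job credentials that receive the serialized blob
     * @param credentials2 remote-cluster credentials to serialize
     * @throws IllegalStateException if the job already carries remote-cluster tokens
     * @throws IOException if serialization fails
     */
    public static void storeRemoteClusterCredsInJob(Credentials credentials, Credentials credentials2) throws IOException {
        if (credentials.getSecretKey(REMOTE_CLUSTER_TOKENS_KEY) != null) {
            throw new IllegalStateException("Job already contains tokens for a remote cluster!");
        }
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(buffer);
        credentials2.writeTokenStorageToStream(out);
        out.flush();
        credentials.addSecretKey(REMOTE_CLUSTER_TOKENS_KEY, buffer.toByteArray());
    }

    /**
     * Reads the remote-cluster tokens stored by {@link #storeRemoteClusterCredsInJob}
     * and adds them, expanded per namenode, to the current user.
     *
     * <p>Does nothing beyond logging when the job carries no remote-cluster tokens.
     * Otherwise the current user's own HA tokens are split first using
     * {@code configuration2}, then the remote tokens are expanded using
     * {@code configuration}.
     *
     * @param credentials job credentials that may hold the serialized remote tokens
     * @param configuration configuration used to expand the remote cluster's HA tokens
     * @param configuration2 configuration used to split the current user's HA tokens
     * @throws IOException if the stored blob cannot be deserialized or the current
     *         user cannot be determined
     */
    public static void loadRemoteClusterCredsFromJob(Credentials credentials, Configuration configuration, Configuration configuration2) throws IOException {
        LOG.info("Loading remote cluster tokens");
        byte[] serialized = credentials.getSecretKey(REMOTE_CLUSTER_TOKENS_KEY);
        if (serialized == null) {
            return;
        }
        splitHATokensForCurrentUser(configuration2);
        Credentials remote = new Credentials();
        remote.readTokenStorageStream(new DataInputStream(new ByteArrayInputStream(serialized)));
        Collection<Token<?>> expanded = replaceHATokensWithNNTokens(remote.getAllTokens(), configuration);
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        for (Token<?> token : expanded) {
            currentUser.addToken(token);
        }
    }

    /**
     * Replaces the HA nameservice tokens held by the current JAAS subject with
     * per-namenode copies. Where the tokens live depends on the CDH version
     * reported by {@code VersionChecker}: directly in the subject's private
     * credentials (pre-4.2), or inside a {@link Credentials} object stored there.
     *
     * @param configuration configuration used to look up the namenode RPC addresses
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private static void splitHATokensForCurrentUser(Configuration configuration) {
        LOG.info("Splitting HA tokens");
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            // Subject.getSubject returns null when the context has no subject attached.
            LOG.warn("No JAAS subject is associated with the current context; no HA tokens to split");
            return;
        }
        if (VersionChecker.isContextCdhPre42()) {
            // getPrivateCredentials() is the subject's live set, while
            // getPrivateCredentials(Class) returns a fresh copy, so the live set can be
            // modified safely while the copy is being iterated.
            Set<Object> privateCredentials = subject.getPrivateCredentials();
            for (Token<?> token : subject.getPrivateCredentials(Token.class)) {
                List<Token<?>> perNameNode = getNNTokensForHAToken(token, configuration);
                if (perNameNode != null) {
                    LOG.info(String.format("Replacing nameservice token for %s with namenode tokens", token.getService()));
                    privateCredentials.remove(token);
                    privateCredentials.addAll(perNameNode);
                }
            }
            return;
        }
        Set<Credentials> credentialSets = subject.getPrivateCredentials(Credentials.class);
        if (credentialSets.isEmpty()) {
            return;
        }
        // Only the first Credentials object is processed, as before.
        Credentials credentials = credentialSets.iterator().next();
        // The HA token is dropped through Iterator.remove(), which presumably works on a
        // live view of the credentials' tokens (confirm against the Hadoop version in
        // use). Replacements are collected and added after the loop so the collection is
        // not modified behind the iterator's back.
        Iterator tokens = credentials.getAllTokens().iterator();
        List<Token<?>> replacements = new ArrayList<Token<?>>();
        while (tokens.hasNext()) {
            Token<?> token = (Token<?>) tokens.next();
            List<Token<?>> perNameNode = getNNTokensForHAToken(token, configuration);
            if (perNameNode != null) {
                LOG.info(String.format("Replacing nameservice token for %s with namenode tokens", token.getService()));
                tokens.remove();
                replacements.addAll(perNameNode);
            }
        }
        for (Token<?> replacement : replacements) {
            credentials.addToken(replacement.getService(), replacement);
        }
    }

    /**
     * Writes the credential-store password carried in {@code credentials} to a
     * temporary file, adds the file's directory to the {@code CredentialClassLoader},
     * makes that loader the thread's context class loader, and points
     * {@code hadoop.security.credstore.java-keystore-provider.password-file} at the
     * file name. Does nothing when no password is present.
     *
     * <p>NOTE(review): the file is created by {@code File.createTempFile} in the
     * default temporary directory with default permissions and only then restricted
     * to its owner. On a host with other local users there is a short window between
     * creation and restriction, and the directory added to the class loader is the
     * shared temporary directory itself. A private, owner-only directory created for
     * this purpose would close both gaps; that needs an API newer than the ones this
     * file uses, so it is left as a follow-up.
     *
     * <p>NOTE(review): the password bytes are decoded and re-encoded with the
     * platform default charset, as before. Confirm that this matches how the secret
     * was stored.
     *
     * @param credentials job credentials that may hold the password under
     *        {@link #HADOOP_CREDSTORE_PASSWORD}
     * @param configuration configuration that receives the password-file setting
     * @throws IOException if any step fails; the underlying failure is attached as the cause
     */
    public static void setCredPassword(Credentials credentials, Configuration configuration) throws IOException {
        byte[] secretKey = credentials.getSecretKey(HADOOP_CREDSTORE_PASSWORD);
        if (secretKey == null) {
            return;
        }
        CredentialClassLoader credentialClassLoader = CredentialClassLoader.getInstance();
        File passwordFile = null;
        try {
            Method addUrl = CredentialClassLoader.class.getDeclaredMethod("addURL", URL.class);
            addUrl.setAccessible(true);
            passwordFile = File.createTempFile("pass", ".txt");
            passwordFile.deleteOnExit();
            // Tighten permissions before the file is opened or holds any secret.
            restrictToOwner(passwordFile);
            FileWriter writer = new FileWriter(passwordFile);
            try {
                writer.write(new String(secretKey));
            } finally {
                // Close on failure too, so the handle never outlives this call.
                writer.close();
            }
            // The provider setting below is the bare file name, so the file's directory is
            // added to the loader; presumably the name is then resolved as a resource
            // through the context class loader (confirm).
            addUrl.invoke(credentialClassLoader, passwordFile.getParentFile().toURI().toURL());
            Thread.currentThread().setContextClassLoader(credentialClassLoader);
            configuration.set("hadoop.security.credstore.java-keystore-provider.password-file", passwordFile.getName());
        } catch (Throwable th) {
            // Throwable is still caught, as before, so every failure reaches callers as an
            // IOException. The cause is now attached, and a file that may already hold the
            // password is removed at once rather than at JVM exit.
            if (passwordFile != null && !passwordFile.delete()) {
                LOG.warn("Could not delete the temporary credential store password file after a failure");
            }
            throw new IOException("Error, could not add URL to system classloader", th);
        }
    }

    /**
     * Removes read and write access for everyone, then grants both back to the owner
     * only. Logs a warning when the platform refuses any of the changes.
     */
    private static void restrictToOwner(File file) {
        boolean readCleared = file.setReadable(false, false);
        boolean writeCleared = file.setWritable(false, false);
        boolean ownerRead = file.setReadable(true, true);
        boolean ownerWrite = file.setWritable(true, true);
        if (!(readCleared && writeCleared && ownerRead && ownerWrite)) {
            LOG.warn("Could not fully restrict the temporary credential store password file to its owner");
        }
    }
}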
