package com.cloudera.enterprise.distcp;

import com.cloudera.enterprise.distcp.util.Cdh41Utils;
import com.cloudera.enterprise.distcp.util.VersionChecker;
import com.google.common.annotations.VisibleForTesting;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.security.PrivilegedExceptionAction;
import java.util.Collection;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicBoolean;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.mapreduce.security.TokenCache;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import sun.security.krb5.KrbException;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.RealmException;

/* loaded from: input_file:com/cloudera/enterprise/distcp/DelegationTokenRenewer.class */
public class DelegationTokenRenewer {
    private static final Log LOG = LogFactory.getLog(DelegationTokenRenewer.class);
    public static final Text HDFS_DELEGATION_KIND = new Text("HDFS_DELEGATION_TOKEN");
    public static final String SCHEME = "hdfs";
    private volatile UserGroupInformation ugi;
    private String ticketCache;
    private String principal;
    private String proxyUser;
    private boolean useWebHdfs;

    @VisibleForTesting
    TicketRenewalTimerTask ticketRenewaltask;

    @VisibleForTesting
    ConcurrentMap<Token<?>, DelegationTokenToRenew> allTokens = new ConcurrentHashMap();

    @VisibleForTesting
    Timer renewalTimer = new Timer(true);

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/cloudera/enterprise/distcp/DelegationTokenRenewer$DelegationTokenToRenew.class */
    public static class DelegationTokenToRenew {
        public final Token<?> token;
        public final Configuration conf;
        public long expirationDate;
        public TokenRenewalTimerTask timerTask = null;

        public DelegationTokenToRenew(Token<?> token, Configuration configuration, long j) {
            this.token = token;
            this.conf = configuration;
            this.expirationDate = j;
        }

        public void setTimerTask(TokenRenewalTimerTask tokenRenewalTimerTask) {
            this.timerTask = tokenRenewalTimerTask;
        }

        @VisibleForTesting
        public void cancelTimer() {
            if (this.timerTask != null) {
                this.timerTask.cancel();
            }
        }

        @VisibleForTesting
        public boolean isTimerCancelled() {
            return this.timerTask != null && this.timerTask.cancelled.get();
        }

        public String toString() {
            return this.token + ";exp=" + this.expirationDate;
        }

        public boolean equals(Object obj) {
            return obj != null && (obj instanceof DelegationTokenToRenew) && this.token.equals(((DelegationTokenToRenew) obj).token);
        }

        public int hashCode() {
            return this.token.hashCode();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/cloudera/enterprise/distcp/DelegationTokenRenewer$TicketRenewalTimerTask.class */
    public class TicketRenewalTimerTask extends TimerTask {

        @VisibleForTesting
        AtomicBoolean cancelled = new AtomicBoolean(false);

        TicketRenewalTimerTask() {
        }

        @Override // java.util.TimerTask, java.lang.Runnable
        public void run() {
            if (this.cancelled.get()) {
                return;
            }
            try {
                DelegationTokenRenewer.this.renewTicketCache();
                DelegationTokenRenewer.this.setTimerForTicketRenewal();
            } catch (Exception e) {
                DelegationTokenRenewer.LOG.error("Exception renewing ticket cache for user " + DelegationTokenRenewer.this.principal + ". Not rescheduled", e);
                cancel();
            }
        }

        @Override // java.util.TimerTask
        public boolean cancel() {
            this.cancelled.set(true);
            return super.cancel();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    /* loaded from: input_file:com/cloudera/enterprise/distcp/DelegationTokenRenewer$TokenRenewalTimerTask.class */
    public class TokenRenewalTimerTask extends TimerTask {
        private DelegationTokenToRenew dttr;
        private AtomicBoolean cancelled = new AtomicBoolean(false);

        TokenRenewalTimerTask(DelegationTokenToRenew delegationTokenToRenew) {
            this.dttr = delegationTokenToRenew;
        }

        @Override // java.util.TimerTask, java.lang.Runnable
        public void run() {
            if (this.cancelled.get()) {
                return;
            }
            try {
                if (this.dttr.isTimerCancelled()) {
                    DelegationTokenRenewer.LOG.info("The token was removed already. Token = [" + this.dttr + "]");
                } else {
                    DelegationTokenRenewer.this.renewToken(this.dttr);
                    DelegationTokenRenewer.this.setTimerForTokenRenewal(this.dttr);
                }
            } catch (Exception e) {
                DelegationTokenRenewer.LOG.error("Exception renewing token" + this.dttr + ". Not rescheduled", e);
                DelegationTokenRenewer.this.removeFailedDelegationToken(this.dttr);
            }
        }

        @Override // java.util.TimerTask
        public boolean cancel() {
            this.cancelled.set(true);
            return super.cancel();
        }
    }

    public void stop() {
        if (this.renewalTimer != null) {
            this.renewalTimer.cancel();
        }
        this.allTokens.clear();
    }

    @VisibleForTesting
    void submitTokensForRenewal(Configuration configuration, UserGroupInformation userGroupInformation, Credentials credentials) throws IOException, InterruptedException {
        if (credentials == null) {
            return;
        }
        Collection<Token> allTokens = credentials.getAllTokens();
        long currentTimeMillis = System.currentTimeMillis();
        HashSet<DelegationTokenToRenew> hashSet = new HashSet();
        for (Token token : allTokens) {
            if (token.isManaged()) {
                DelegationTokenToRenew delegationTokenToRenew = this.allTokens.get(token);
                if (delegationTokenToRenew == null) {
                    delegationTokenToRenew = new DelegationTokenToRenew(token, configuration, currentTimeMillis);
                    try {
                        renewToken(delegationTokenToRenew);
                    } catch (IOException e) {
                        throw new IOException("Failed to renew token: " + delegationTokenToRenew.token, e);
                    }
                }
                hashSet.add(delegationTokenToRenew);
            } else {
                LOG.info("Not scheduling token [" + token + "] for renewal as it is not managed");
            }
        }
        if (hashSet.isEmpty()) {
            return;
        }
        for (DelegationTokenToRenew delegationTokenToRenew2 : hashSet) {
            if (this.allTokens.putIfAbsent(delegationTokenToRenew2.token, delegationTokenToRenew2) == null) {
                setTimerForTokenRenewal(delegationTokenToRenew2);
            }
        }
    }

    @VisibleForTesting
    void setTimerForTokenRenewal(DelegationTokenToRenew delegationTokenToRenew) throws IOException {
        long renewTime = getRenewTime(delegationTokenToRenew.expirationDate);
        delegationTokenToRenew.setTimerTask(new TokenRenewalTimerTask(delegationTokenToRenew));
        this.renewalTimer.schedule(delegationTokenToRenew.timerTask, new Date(renewTime));
        LOG.info("Renew " + delegationTokenToRenew + " at " + renewTime + " ms");
    }

    @VisibleForTesting
    boolean renewToken(final DelegationTokenToRenew delegationTokenToRenew) throws IOException {
        try {
            delegationTokenToRenew.expirationDate = ((Long) this.ugi.doAs(new PrivilegedExceptionAction<Long>() { // from class: com.cloudera.enterprise.distcp.DelegationTokenRenewer.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Long run() throws Exception {
                    return Long.valueOf(delegationTokenToRenew.token.renew(delegationTokenToRenew.conf));
                }
            })).longValue();
            LOG.info("Renewed delegation-token= [" + delegationTokenToRenew + "]");
            return true;
        } catch (InterruptedException e) {
            LOG.error(e.getMessage(), e);
            throw new IOException(e);
        }
    }

    @VisibleForTesting
    void setTimerForTicketRenewal() {
        if (sourceClusterNotKerberized()) {
            LOG.info("Not setting up timer for ticket renewal as either ticketCache is null or Kerberos security is not enabled");
            return;
        }
        try {
            sun.security.krb5.Credentials credentialsFromCache = getCredentialsFromCache();
            Date endTime = credentialsFromCache.getEndTime();
            if (endTime == null) {
                LOG.info("Not setting up timer for ticket renewal as ticket does not have end time");
                return;
            }
            long renewTime = getRenewTime(endTime.getTime());
            Date renewTill = credentialsFromCache.getRenewTill();
            if (renewTill != null && renewTill.getTime() < endTime.getTime()) {
                LOG.warn("Not setting up timer for ticket renewal as ticket renewable time left is less than its expiration time");
                LOG.warn("Replication will fail if it does not complete before " + (endTime.getTime() - System.currentTimeMillis()) + "ms. If it fails, you can either restart the replication or increase peer cluster's ticket renewable lifetime in order for replication to succeed");
            } else {
                TicketRenewalTimerTask ticketRenewalTimerTask = new TicketRenewalTimerTask();
                this.ticketRenewaltask = ticketRenewalTimerTask;
                this.renewalTimer.schedule(ticketRenewalTimerTask, new Date(renewTime));
                LOG.info("Renew kerberos ticket for user " + this.principal + " at " + renewTime + " ms");
            }
        } catch (Exception e) {
            LOG.error("Setting up timer for ticket renewal for user " + this.principal + " failed", e);
        }
    }

    private long getRenewTime(long j) {
        return j - ((j - System.currentTimeMillis()) / 10);
    }

    @VisibleForTesting
    boolean sourceClusterNotKerberized() {
        return (this.ticketCache != null && UserGroupInformation.isSecurityEnabled() && (this.ugi.getRealUser() != null ? this.ugi.getRealUser() : this.ugi).getAuthenticationMethod() == UserGroupInformation.AuthenticationMethod.KERBEROS) ? false : true;
    }

    @VisibleForTesting
    sun.security.krb5.Credentials getCredentialsFromCache() throws RealmException, KrbException, IOException {
        return sun.security.krb5.Credentials.acquireTGTFromCache(new PrincipalName(this.principal, 1), this.ticketCache);
    }

    @VisibleForTesting
    boolean renewTicketCache() {
        if (StringUtils.isEmpty(this.ticketCache)) {
            return false;
        }
        LOG.info("Renewing kerberos ticket for user " + this.principal);
        Process process = null;
        try {
            try {
                try {
                    ProcessBuilder processBuilder = new ProcessBuilder("kinit", "-R", "-c", this.ticketCache);
                    processBuilder.inheritIO();
                    Process start = processBuilder.start();
                    if (start.waitFor() != 0) {
                        BufferedReader bufferedReader = null;
                        LOG.error("Ticket Cache renewal failed: ");
                        try {
                            bufferedReader = new BufferedReader(new InputStreamReader(start.getErrorStream()));
                            while (true) {
                                String readLine = bufferedReader.readLine();
                                if (readLine == null) {
                                    break;
                                }
                                LOG.error(readLine);
                            }
                            if (bufferedReader != null) {
                                bufferedReader.close();
                            }
                        } catch (Throwable th) {
                            if (bufferedReader != null) {
                                bufferedReader.close();
                            }
                            throw th;
                        }
                    } else {
                        this.ugi = getSourceUser(this.ticketCache, this.principal, this.proxyUser, this.useWebHdfs);
                    }
                    if (start == null) {
                        return true;
                    }
                    start.destroy();
                    return true;
                } catch (IOException e) {
                    LOG.error("Ticket Cache renewal failed", e);
                    if (0 != 0) {
                        process.destroy();
                    }
                    return false;
                }
            } catch (InterruptedException e2) {
                LOG.error("Ticket Cache renewal failed", e2);
                if (0 != 0) {
                    process.destroy();
                }
                return false;
            }
        } catch (Throwable th2) {
            if (0 != 0) {
                process.destroy();
            }
            throw th2;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void removeFailedDelegationToken(DelegationTokenToRenew delegationTokenToRenew) {
        this.allTokens.remove(delegationTokenToRenew.token);
        delegationTokenToRenew.cancelTimer();
    }

    public void createDelegationTokens(Configuration configuration, UserGroupInformation userGroupInformation, List<Path> list, Credentials credentials, String str, String str2, String str3, boolean z) throws IOException, InterruptedException {
        this.ticketCache = str;
        this.principal = str2;
        this.proxyUser = str3;
        this.useWebHdfs = z;
        this.ugi = userGroupInformation;
        obtainDelegationTokens(configuration, userGroupInformation, credentials, list);
        try {
            submitTokensForRenewal(configuration, userGroupInformation, credentials);
            setTimerForTicketRenewal();
        } catch (Exception e) {
            LOG.error("Unable to schedule tokens for renewal: ", e);
        }
    }

    private void obtainDelegationTokens(final Configuration configuration, UserGroupInformation userGroupInformation, final Credentials credentials, List<Path> list) throws IOException, InterruptedException {
        final Path[] pathArr = (Path[]) list.toArray(new Path[list.size()]);
        userGroupInformation.doAs(new PrivilegedExceptionAction<Object>() { // from class: com.cloudera.enterprise.distcp.DelegationTokenRenewer.2
            @Override // java.security.PrivilegedExceptionAction
            public Object run() throws Exception {
                TokenCache.obtainTokensForNamenodes(credentials, pathArr, configuration);
                return null;
            }
        });
    }

    public static UserGroupInformation getSourceUser(String str, String str2, String str3, boolean z) throws IOException {
        UserGroupInformation currentUser;
        boolean z2 = z && VersionChecker.isContextCdhPre50();
        if (str != null) {
            currentUser = Cdh41Utils.getUGIFromTicketCache(str, str2);
            if (!z2 && str3 != null) {
                currentUser = UserGroupInformation.createProxyUser(str3, currentUser);
            }
        } else {
            currentUser = UserGroupInformation.getCurrentUser();
            if (z2 && currentUser.getRealUser() != null) {
                currentUser = currentUser.getRealUser();
            }
        }
        return currentUser;
    }
}
