package org.apache.hadoop.has.client;

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.text.CharacterPredicates;
import org.apache.commons.text.RandomStringGenerator;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.has.common.HasConfig;
import org.apache.hadoop.has.common.HasConfigKey;
import org.apache.hadoop.has.common.HasException;
import org.apache.hadoop.has.common.util.HasUtil;
import org.apache.hadoop.metrics2.sink.ganglia.AbstractGangliaSink;
import org.apache.hadoop.yarn.webapp.util.WebAppUtils;
import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.KrbError;
import org.apache.kerby.kerberos.kerb.type.base.KrbMessage;
import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcRep;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.apache.kerby.util.IOUtil;
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/has/client/HasClient.class */
public class HasClient {
    public static final Logger LOG = LoggerFactory.getLogger((Class<?>) HasClient.class);
    public static final String JAVA_SECURITY_KRB5_CONF = "java.security.krb5.conf";
    public static final String HAS_HTTP_PORT_DEFAULT = "9870";
    public static final String HAS_CONFIG_DEFAULT = "/etc/has/has-client.conf";
    public static final String CA_ROOT_DEFAULT = "/etc/has/ca-root.pem";
    private String hadoopSecurityHas;
    private String type;
    private File clientConfigFolder;
    public static final String HAS_CONFIG = "/etc/has/";

    public HasClient() {
        this.hadoopSecurityHas = null;
    }

    public HasClient(String str) {
        this.hadoopSecurityHas = null;
        this.hadoopSecurityHas = str;
    }

    public TgtTicket requestTgt() throws HasException {
        HasConfig hasConfig = null;
        if (this.hadoopSecurityHas == null) {
            String str = System.getenv("HAS_CONF_DIR");
            if (str == null || str.isEmpty()) {
                str = HAS_CONFIG;
            }
            String str2 = str + "/has-client.conf";
            LOG.debug("has-client conf path: " + str2);
            try {
                hasConfig = HasUtil.getHasConfig(new File(str2));
            } catch (HasException e) {
                LOG.error("Fail to get plugin config: " + e.getMessage());
            }
        } else {
            hasConfig = new HasConfig();
            String str3 = "";
            int i = 0;
            try {
                for (String str4 : this.hadoopSecurityHas.split(CommonConfigurationKeys.NFS_EXPORTS_ALLOWED_HOSTS_SEPARATOR)) {
                    URI uri = new URI(str4.trim());
                    str3 = str3 + uri.getHost() + ",";
                    if (i == 0) {
                        i = uri.getPort();
                    } else if (i != uri.getPort()) {
                        throw new HasException("Invalid port: not even.");
                    }
                    this.type = System.getenv("auth_type");
                    if (this.type == null) {
                        String[] split = uri.getQuery().split(AbstractGangliaSink.EQUAL);
                        if (split[0].equals("auth_type")) {
                            this.type = split[1];
                        } else {
                            LOG.warn("No auth type in conf.");
                        }
                    }
                }
                if (str3 == null || i == 0) {
                    throw new HasException("host is null.");
                }
                hasConfig.setString(HasConfigKey.HTTPS_HOST, str3.substring(0, str3.length() - 1));
                hasConfig.setInt(HasConfigKey.HTTPS_PORT, Integer.valueOf(i));
                hasConfig.setString(HasConfigKey.AUTH_TYPE, this.type);
            } catch (URISyntaxException e2) {
                LOG.error("Errors occurred when getting web url. " + e2.getMessage());
                throw new HasException("Errors occurred when getting web url. " + e2.getMessage());
            }
        }
        if (hasConfig == null) {
            throw new HasException("Failed to get HAS client config.");
        }
        try {
            HasClientPlugin clientTokenPlugin = getClientTokenPlugin(hasConfig);
            try {
                AuthToken login = clientTokenPlugin.login(hasConfig);
                this.type = clientTokenPlugin.getLoginType();
                LOG.info("The plugin type is: " + this.type);
                return requestTgt(login, this.type, hasConfig);
            } catch (HasLoginException e3) {
                LOG.error("Plugin login failed: " + e3.getMessage());
                throw new HasException("Plugin login failed: " + e3.getMessage());
            }
        } catch (HasException e4) {
            LOG.error("Failed to get client token plugin from config: " + e4.getMessage());
            throw new HasException("Failed to get client token plugin from config: " + e4.getMessage());
        }
    }

    private void createKrb5Conf(HasConfig hasConfig) throws HasException {
        HasAdminClient hasAdminClient = new HasAdminClient(hasConfig);
        File file = new File(this.clientConfigFolder + "/krb5.conf");
        if (!file.exists()) {
            String krb5conf = hasAdminClient.getKrb5conf();
            if (krb5conf == null) {
                LOG.error("Failed to get krb5.conf.");
                throw new HasException("Failed to get krb5.conf.");
            }
            try {
                new PrintStream(new FileOutputStream(file)).println(krb5conf);
                LOG.info("krb5.conf has saved in : " + file.getAbsolutePath());
            } catch (FileNotFoundException e) {
                LOG.error(e.getMessage());
                throw new HasException(e);
            }
        }
        System.setProperty("java.security.krb5.conf", file.getAbsolutePath());
    }

    private HasClientPlugin getClientTokenPlugin(HasConfig hasConfig) throws HasException {
        String pluginName = hasConfig.getPluginName();
        LOG.info("The plugin name getting from config is: " + pluginName);
        if (pluginName == null) {
            throw new HasException("Please set the plugin name in has client conf");
        }
        HasClientPlugin createPlugin = HasClientPluginRegistry.createPlugin(pluginName);
        if (createPlugin == null) {
            throw new HasException("Failed to create client plugin: " + pluginName);
        }
        LOG.info("The plugin class is: " + createPlugin);
        return createPlugin;
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:22:0x01a1. Please report as an issue. */
    /* JADX WARN: Removed duplicated region for block: B:39:0x025f  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket requestTgt(org.apache.kerby.kerberos.kerb.type.base.AuthToken r7, java.lang.String r8, org.apache.hadoop.has.common.HasConfig r9) throws org.apache.hadoop.has.common.HasException {
        /*
            Method dump skipped, instructions count: 1008
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.apache.hadoop.has.client.HasClient.requestTgt(org.apache.kerby.kerberos.kerb.type.base.AuthToken, java.lang.String, org.apache.hadoop.has.common.HasConfig):org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket");
    }

    private File loadSslClientConf(HasConfig hasConfig, String str) throws HasException {
        File file = new File(str);
        if (!file.exists()) {
            String httpHost = hasConfig.getHttpHost();
            String httpPort = hasConfig.getHttpPort();
            if (httpHost == null) {
                LOG.info("Can't find the http host in config, the https host will be used.");
                httpHost = hasConfig.getHttpsHost();
            }
            if (httpPort == null) {
                LOG.info("Can't find the http port in config, the default http port will be used.");
                httpPort = HAS_HTTP_PORT_DEFAULT;
            }
            X509Certificate certificate = getCertificate(httpHost, httpPort);
            if (!verifyCertificate(certificate)) {
                throw new HasException("The certificate from HAS server is invalid.");
            }
            createClientSSLConfig(createTrustStore(hasConfig.getHttpsHost(), certificate));
        }
        return file;
    }

    public KrbMessage getKrbMessage(JSONObject jSONObject) throws HasException {
        LOG.debug("Starting to get the message from has server.");
        try {
            if (!jSONObject.getBoolean("success")) {
                throw new HasException("Failed: " + jSONObject.getString("krbMessage"));
            }
            try {
                String string = jSONObject.getString("type");
                if (string == null || !string.equals(this.type)) {
                    throw new HasException("Can't get the right message from server.");
                }
                LOG.debug("The message type is " + this.type);
                String str = null;
                try {
                    str = jSONObject.getString("krbMessage");
                } catch (JSONException e) {
                    LOG.debug("Failed to get the krbMessage. " + e);
                }
                try {
                    return KrbCodec.decodeMessage(ByteBuffer.wrap(new Base64(0).decode(str)));
                } catch (IOException e2) {
                    throw new HasException("Krb decoding message failed", e2);
                }
            } catch (JSONException e3) {
                LOG.debug("Failed to get message." + e3);
                throw new HasException("Failed to get message." + e3);
            }
        } catch (JSONException e4) {
            LOG.debug("Failed to get message." + e4);
            throw new HasException("Failed to get message." + e4);
        }
    }

    public TgtTicket handleResponse(JSONObject jSONObject, String str) throws HasException {
        KrbMessage krbMessage = getKrbMessage(jSONObject);
        KrbMessageType msgType = krbMessage.getMsgType();
        if (msgType == KrbMessageType.AS_REP) {
            return processResponse((KdcRep) krbMessage, str);
        }
        if (msgType != KrbMessageType.KRB_ERROR) {
            return null;
        }
        KrbError krbError = (KrbError) krbMessage;
        LOG.error("KDC server response with message: " + krbError.getErrorCode().getMessage());
        throw new HasException(krbError.getEtext());
    }

    public TgtTicket processResponse(KdcRep kdcRep, String str) throws HasException {
        PrincipalName cname = kdcRep.getCname();
        cname.setRealm(kdcRep.getCrealm());
        try {
            byte[] decryptWithClientKey = decryptWithClientKey(kdcRep.getEncryptedEncPart(), KeyUsage.AS_REP_ENCPART, HasUtil.getClientKey(cname.getName(), str, kdcRep.getEncryptedEncPart().getEType()));
            if ((decryptWithClientKey[0] & 31) == 26) {
                decryptWithClientKey[0] = (byte) (decryptWithClientKey[0] - 1);
            }
            EncAsRepPart encAsRepPart = new EncAsRepPart();
            try {
                encAsRepPart.decode(decryptWithClientKey);
                kdcRep.setEncPart(encAsRepPart);
                TgtTicket ticket = getTicket(kdcRep);
                LOG.info("Ticket expire time: " + ticket.getEncKdcRepPart().getEndTime());
                return ticket;
            } catch (IOException e) {
                throw new HasException("Failed to decode EncAsRepPart", e);
            }
        } catch (KrbException e2) {
            throw new HasException("Could not generate key. " + e2.getMessage());
        }
    }

    protected byte[] decryptWithClientKey(EncryptedData encryptedData, KeyUsage keyUsage, EncryptionKey encryptionKey) throws HasException {
        if (encryptionKey == null) {
            throw new HasException("Client key isn't available");
        }
        try {
            return EncryptionHandler.decrypt(encryptedData, encryptionKey, keyUsage);
        } catch (KrbException e) {
            throw new HasException("Errors occurred when decrypting the data." + e.getMessage());
        }
    }

    public TgtTicket getTicket(KdcRep kdcRep) {
        return new TgtTicket(kdcRep.getTicket(), (EncAsRepPart) kdcRep.getEncPart(), kdcRep.getCname());
    }

    private X509Certificate getCertificate(String str, String str2) throws HasException {
        ClientResponse clientResponse = (ClientResponse) Client.create().resource(WebAppUtils.HTTP_PREFIX + str + ":" + str2 + "/has/v1/getcert").get(ClientResponse.class);
        if (clientResponse.getStatus() != 200) {
            throw new HasException((String) clientResponse.getEntity(String.class));
        }
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(clientResponse.getEntityInputStream());
        } catch (CertificateException e) {
            throw new HasException("Failed to get certificate from HAS server", e);
        }
    }

    private boolean verifyCertificate(X509Certificate x509Certificate) throws HasException {
        try {
            x509Certificate.checkValidity(new Date());
            try {
                String str = System.getenv("CA_ROOT");
                if (str == null) {
                    str = CA_ROOT_DEFAULT;
                }
                if (str == null) {
                    throw new HasException("Please set the CA_ROOT.");
                }
                File file = new File(str);
                if (!file.exists()) {
                    throw new HasException("CA_ROOT: " + str + " not exist.");
                }
                try {
                    x509Certificate.verify(((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new FileInputStream(file))).getPublicKey());
                    return true;
                } catch (GeneralSecurityException e) {
                    return false;
                }
            } catch (FileNotFoundException | CertificateException e2) {
                throw new HasException("Failed to get certificate from ca root file", e2);
            }
        } catch (GeneralSecurityException e3) {
            return false;
        }
    }

    private String createTrustStore(String str, X509Certificate x509Certificate) throws HasException {
        String generate = new RandomStringGenerator.Builder().withinRange(97, 122).filteredBy(CharacterPredicates.LETTERS, CharacterPredicates.DIGITS).build().generate(15);
        File file = new File(this.clientConfigFolder + "/truststore.jks");
        try {
            KeyStore keyStore = KeyStore.getInstance("jks");
            keyStore.load(null, null);
            keyStore.setCertificateEntry(str, x509Certificate);
            FileOutputStream fileOutputStream = new FileOutputStream(file);
            keyStore.store(fileOutputStream, generate.toCharArray());
            fileOutputStream.close();
            return generate;
        } catch (IOException | GeneralSecurityException e) {
            throw new HasException("Failed to create and save truststore file", e);
        }
    }

    private void createClientSSLConfig(String str) throws HasException {
        try {
            IOUtil.writeFile(IOUtil.readInput(getClass().getResourceAsStream("/ssl-client.conf.template")).replaceAll("_location_", this.clientConfigFolder.getAbsolutePath() + "/truststore.jks").replaceAll("_password_", str), new File(this.clientConfigFolder + "/ssl-client.conf"));
        } catch (IOException e) {
            throw new HasException("Failed to create client ssl configuration file", e);
        }
    }
}
