package org.apache.ranger.raz.hook.abfs;

import java.io.IOException;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.azurebfs.AzureBlobFileSystem;
import org.apache.hadoop.fs.azurebfs.extensions.SASTokenProvider;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
import org.apache.ranger.raz.intg.RangerRazErrorCode;
import org.apache.ranger.raz.intg.RangerRazException;
import org.apache.ranger.raz.intg.client.RangerRazClient;
import org.apache.ranger.raz.intg.client.RangerRazClientLogger;
import org.apache.ranger.raz.model.RangerRazRequest;
import org.apache.ranger.raz.model.RangerRazRequestBase;
import org.apache.ranger.raz.model.RangerRazResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/raz/hook/abfs/RangerRazTokenProvider.class */
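/**
 * ABFS {@link SASTokenProvider} that obtains SAS tokens from Ranger RAZ.
 *
 * <p>For every storage operation the provider builds a {@link RangerRazRequest} describing the
 * storage account, container, relative path and requested action, submits it through
 * {@link RangerRazClient#checkPrivilege}, and returns the value stored under
 * {@link #ADDL_INFO_KET_ADLS_DSAS} in the result's additional-info map.
 *
 * <p>Security notes: both the RAZ delegation token and the returned SAS token are bearer
 * credentials. This class only logs the delegation token after passing it through
 * {@link RangerRazClient#maskParam}; keep it that way when adding diagnostics.
 */
public class RangerRazTokenProvider implements SASTokenProvider {
    private static final Logger LOG = LoggerFactory.getLogger(RangerRazTokenProvider.class);
    public static final String ADLS_RESOURCE_STORAGE_ACCOUNT = "storageaccount";
    public static final String ADLS_RESOURCE_CONTAINER = "container";
    public static final String ADLS_RESOURCE_RELATIVE_PATH = "relativepath";
    public static final String CONF_DELEGATION_TOKEN_KIND = "delegation-token.token-kind";
    public static final String CONF_ADLS_SERVICE_TYPE = "adls.service.type";
    public static final String DELEGATION_TOKEN_KIND_DEFAULT = "raz-dt";
    public static final String ADLS_SERVICE_TYPE_DEFAULT = "adls";
    public static final String ADLS_CONFIG_PREFIX = "fs.azure.ext.raz.prefix";
    public static final String ADLS_CONFIG_PREFIX_DEFAULT = "fs.azure.ext.raz.";
    public static final String CONF_CLUSTER_NAME = ".access.cluster.name";
    public static final String CONF_CLUSTER_TYPE = ".access.cluster.type";
    public static final String ADDL_INFO_KET_ADLS_DSAS = "ADLS_DSAS";
    public static final String CANONICAL_SERVICE_NAME_STRATEGY = "canonical-service-name-strategy";
    public static final String CANONICAL_SERVICE_NAME_STRATEGY_ACCOUNT_ONLY = "ACCOUNT_ONLY";
    public static final String CANONICAL_SERVICE_NAME_STRATEGY_ACCOUNT_AND_CONTAINER = "ACCOUNT_AND_CONTAINER";
    public static final String CANONICAL_SERVICE_NAME_STRATEGY_DEFAULT = "ACCOUNT_ONLY";
    private String serviceType = ADLS_SERVICE_TYPE_DEFAULT;
    private String clusterName;
    private String clusterType;
    private String userName;
    // Written under the monitor in updateDelegationToken() but read without it in getSASToken();
    // volatile makes a refreshed token visible to the unsynchronized readers.
    private volatile String delegationToken;
    private String tokenKindStr;
    private String canonicalServiceNameStrategy;
    private RangerRazClient razClient;

    /**
     * Reads the RAZ settings from the configuration and captures the current user's identity and
     * delegation token.
     *
     * <p>Side effect: the resolved configuration prefix is written back into
     * {@code configuration} under {@code ranger.raz.client.prefix}.
     *
     * @param configuration Hadoop configuration holding the {@code fs.azure.ext.raz.*} settings
     * @param str storage account name (only used for debug logging here)
     * @throws IOException if no user is logged in or the user's short name cannot be determined
     */
    public void initialize(Configuration configuration, String str) throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerRazTokenProvider.initialize(accountName={})", str);
        }
        final UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (currentUser == null) {
            RangerRazClientLogger.error(LOG, "RangerRazTokenProvider(): {}", "no user is logged in");
            throw new IOException("RangerRazTokenProvider initialization failed: no user is logged in");
        }
        final String prefix = configuration.get(ADLS_CONFIG_PREFIX, ADLS_CONFIG_PREFIX_DEFAULT);
        configuration.set("ranger.raz.client.prefix", prefix);
        this.tokenKindStr = configuration.get(prefix + CONF_DELEGATION_TOKEN_KIND, DELEGATION_TOKEN_KIND_DEFAULT);
        this.serviceType = configuration.get(prefix + CONF_ADLS_SERVICE_TYPE, ADLS_SERVICE_TYPE_DEFAULT);
        // Cluster name/type keys are namespaced by the service type resolved just above.
        this.clusterName = configuration.get(prefix + this.serviceType + CONF_CLUSTER_NAME, "");
        this.clusterType = configuration.get(prefix + this.serviceType + CONF_CLUSTER_TYPE, "");
        this.canonicalServiceNameStrategy =
                configuration.get(prefix + CANONICAL_SERVICE_NAME_STRATEGY, CANONICAL_SERVICE_NAME_STRATEGY_DEFAULT);
        this.userName = getUserNameFromUGI(currentUser);
        // May be null when the user holds no token of the configured kind.
        this.delegationToken = getDelegationTokenFromUGI(currentUser, this.tokenKindStr);
        this.razClient = RangerRazClient.getInstance(configuration, currentUser);
        if (LOG.isDebugEnabled()) {
            LOG.debug("RangerRazTokenProvider.initialize(): configPrefix={}", prefix);
            LOG.debug("RangerRazTokenProvider.initialize(): {}={}", CONF_DELEGATION_TOKEN_KIND, this.tokenKindStr);
            LOG.debug("RangerRazTokenProvider.initialize(): {}={}", CONF_ADLS_SERVICE_TYPE, this.serviceType);
            LOG.debug("RangerRazTokenProvider.initialize(): {}={}", this.serviceType + CONF_CLUSTER_NAME, this.clusterName);
            LOG.debug("RangerRazTokenProvider.initialize(): {}={}", this.serviceType + CONF_CLUSTER_TYPE, this.clusterType);
            LOG.debug("<== RangerRazTokenProvider.initialize(accountName={})", str);
        }
    }

    /**
     * Asks RAZ to authorize one action on one path and returns the SAS token from the result.
     *
     * <p>If RAZ denies the request with a message containing {@code InvalidToken}, the delegation
     * token is re-read from the current user's credentials and the request is retried once.
     *
     * @param str storage account name
     * @param str2 container name
     * @param str3 path inside the container; a leading {@code /} is added when missing
     * @param str4 action being requested
     * @return the SAS token, or {@code null} when the result carries none
     * @throws AccessControlException if RAZ rejects the request or the call fails
     * @throws IOException declared by the {@link SASTokenProvider} contract
     */
    public String getSASToken(String str, String str2, String str3, String str4) throws IOException, AccessControlException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerRazTokenProvider.getSASToken({}, {}, {}, {})", new Object[]{str, str2, str3, str4});
            AzureBlobFileSystem.printStatistics();
        }
        final Map<String, String> resource = createRazResource(str, str2, str3);
        final HashSet<String> actions = new HashSet<>();
        actions.add(str4);
        final RangerRazRequest request = new RangerRazRequest(
                this.serviceType, new RangerRazRequestBase.ResourceAccess(resource, str, str4, actions), this.userName);
        request.setClusterName(this.clusterName);
        request.setClusterType(this.clusterType);

        // Snapshot the token once so the refresh below is compared against the token that was
        // actually rejected, even if another thread replaces the field in the meantime.
        final String currentToken = this.delegationToken;
        try {
            return getDSASTokenFromResult(this.razClient.checkPrivilege(request, currentToken));
        } catch (RangerRazException e) {
            if (e.getErrorCode() != RangerRazErrorCode.RAZ_CLIENT_ACCESS_DENIED) {
                throw new AccessControlException(e);
            }
            // getMessage() may be null; treat that as an ordinary denial instead of failing with
            // a NullPointerException that would mask the authorization outcome.
            final String message = e.getMessage();
            if (message == null || !message.contains("InvalidToken")) {
                // The cause is logged here; the exception handed to the caller carries no detail.
                RangerRazClientLogger.error(LOG, "Failed to get DSAS token from Raz", e);
                throw new AccessControlException();
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("InvalidToken delegationToken error, trying to update delegationToken from UGI and retry");
            }
            // NOTE(review): maybeRefreshRazToken returns null when the UGI holds no different
            // token, so the retry is then sent with a null delegation token. How checkPrivilege
            // treats a null token is not visible from this class - confirm this is intended.
            final String refreshedToken =
                    maybeRefreshRazToken(getCanonicalServiceName(str), this.tokenKindStr, currentToken);
            try {
                return getDSASTokenFromResult(this.razClient.checkPrivilege(request, refreshedToken));
            } catch (RangerRazException retryFailure) {
                LOG.error("Exception while checking privilege new delegationToken, RazRequestID: {}",
                        request.getRequestId(), retryFailure);
                throw new AccessControlException(retryFailure);
            }
        }
    }

    /**
     * Extracts the SAS token from a RAZ result.
     *
     * @param rangerRazResult result of a privilege check; may be {@code null}
     * @return the value stored under {@link #ADDL_INFO_KET_ADLS_DSAS}, or {@code null} when the
     *         result, its operation result or its additional-info map is missing
     */
    private String getDSASTokenFromResult(RangerRazResult rangerRazResult) {
        if (rangerRazResult == null || rangerRazResult.getOperResult() == null) {
            return null;
        }
        if (LOG.isDebugEnabled()) {
            // NOTE(review): if RangerRazResult.toString() renders the additional-info map, this
            // line writes the SAS token (a bearer credential) to the debug log - verify, and
            // mask or drop the value if so.
            LOG.debug("RangerRazTokenProvider.getSASToken(): result={}", rangerRazResult);
        }
        final Map<?, ?> additionalInfo = rangerRazResult.getOperResult().getAdditionalInfo();
        return additionalInfo != null ? (String) additionalInfo.get(ADDL_INFO_KET_ADLS_DSAS) : null;
    }

    /**
     * Builds the resource map sent to RAZ.
     *
     * @param account storage account name
     * @param container container name
     * @param relativePath path inside the container; normalized to start with {@code /}
     * @return a new mutable map keyed by the {@code ADLS_RESOURCE_*} constants
     */
    private static Map<String, String> createRazResource(String account, String container, String relativePath) {
        final Map<String, String> resource = new HashMap<>();
        final String normalizedPath = relativePath.startsWith("/") ? relativePath : "/" + relativePath;
        resource.put(ADLS_RESOURCE_STORAGE_ACCOUNT, account);
        resource.put(ADLS_RESOURCE_CONTAINER, container);
        resource.put(ADLS_RESOURCE_RELATIVE_PATH, normalizedPath);
        return resource;
    }

    /**
     * Returns the short user name of the given user.
     *
     * @param userGroupInformation user to inspect; may be {@code null}
     * @return the short user name, never {@code null}
     * @throws AccessControlException if the user or its short name is {@code null}
     */
    private static String getUserNameFromUGI(UserGroupInformation userGroupInformation) throws AccessControlException {
        final String shortUserName = userGroupInformation != null ? userGroupInformation.getShortUserName() : null;
        if (shortUserName == null) {
            RangerRazClientLogger.error(LOG, "Failed to obtain currently logged in user");
            throw new AccessControlException("Failed to obtain currently logged in user");
        }
        return shortUserName;
    }

    /**
     * Finds the first token of the requested kind among the user's tokens and returns it in
     * URL-safe encoded form.
     *
     * <p>Reconstructed from the decompiler's instruction dump, which previously left this method
     * throwing {@link UnsupportedOperationException}. The token is only ever logged after
     * {@link RangerRazClient#maskParam}; an {@link IOException} raised while encoding is logged
     * and results in {@code null}.
     *
     * @param r4 user whose tokens are scanned; must not be {@code null}
     * @param r5 token kind to look for, compared case-insensitively; must not be {@code null}
     * @return the encoded token, or {@code null} when none matches or encoding fails
     */
    public static String getDelegationTokenFromUGI(UserGroupInformation r4, String r5) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> RangerRazTokenProvider.getDelegationTokenFromUGI()");
        }
        String encodedToken = null;
        // Only populated when debug logging is on; it exists solely for the log lines below.
        String maskedToken = null;
        try {
            for (Token<?> token : r4.getTokens()) {
                final String tokenKind =
                        token != null && token.getKind() != null ? token.getKind().toString() : null;
                if (LOG.isDebugEnabled()) {
                    LOG.debug("RangerRazTokenProvider.getDelegationTokenFromUGI(): tokenKind={}", tokenKind);
                }
                if (r5.equalsIgnoreCase(tokenKind)) {
                    encodedToken = token.encodeToUrlString();
                    if (LOG.isDebugEnabled()) {
                        maskedToken = RangerRazClient.maskParam(encodedToken);
                        LOG.debug("RangerRazTokenProvider.getDelegationTokenFromUGI(): found DT=[{}]", maskedToken);
                    }
                    break;
                }
            }
        } catch (IOException e) {
            RangerRazClientLogger.error(LOG, "RangerRazTokenProvider.getDelegationTokenFromUGI(): failed", e);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== RangerRazTokenProvider.getDelegationTokenFromUGI(): ret={}", maskedToken);
        }
        return encodedToken;
    }

    /**
     * Re-reads the RAZ delegation token from the current user's credentials and stores it when it
     * differs from the token currently in use.
     *
     * @param str credentials alias (canonical service name) of the token
     * @param str2 expected token kind
     * @param str3 token currently in use; may be {@code null}
     * @return the newly stored token, or {@code null} when no different token was found
     */
    public String maybeRefreshRazToken(String str, String str2, String str3) {
        final String fetchedToken = fetchUpdatedTokenFromUGI(str, str2);
        // Compare from the non-null side: the current token is null when initialize() found none.
        if (fetchedToken == null || fetchedToken.equals(str3)) {
            return null;
        }
        updateDelegationToken(fetchedToken);
        LOG.info("Updated new raz delegationToken from UGI...");
        return fetchedToken;
    }

    /** Replaces the delegation token used for subsequent RAZ requests. */
    private synchronized void updateDelegationToken(String str) {
        this.delegationToken = str;
    }

    /**
     * Looks up the delegation token for the given alias in the current user's credentials.
     *
     * @param serviceName credentials alias of the token
     * @param tokenKind expected token kind
     * @return the URL-safe encoded token, or {@code null} when none is found or the lookup fails
     *         with an {@link IOException} (including a token-kind mismatch)
     */
    private String fetchUpdatedTokenFromUGI(String serviceName, String tokenKind) {
        final Text service = new Text(serviceName);
        final Text kind = new Text(tokenKind);
        try {
            UserGroupInformation.logAllUserInfo(LOG, UserGroupInformation.getCurrentUser());
            final Token<? extends DelegationTokenIdentifier> token =
                    lookupToken(UserGroupInformation.getCurrentUser().getCredentials(), service, kind);
            if (token == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("No ABFS delegationToken found in UGI");
                }
                return null;
            }
            return token.encodeToUrlString();
        } catch (IOException e) {
            // Best effort: the caller keeps using the older token when the refresh fails.
            if (LOG.isDebugEnabled()) {
                LOG.debug("Exception while fetching updated ABFS delegationToken from UGI, will keep using older token", e);
            }
            return null;
        }
    }

    /**
     * Fetches the token stored under {@code service} and checks that it is of the expected kind.
     *
     * @param credentials credentials to search
     * @param service alias of the token
     * @param expectedKind kind the token must have; must not be {@code null}
     * @return the token, or {@code null} when the credentials hold none for {@code service}
     * @throws IllegalArgumentException if {@code expectedKind} is {@code null}
     * @throws IOException if a token is found but its kind differs from {@code expectedKind}
     */
    private static <T extends DelegationTokenIdentifier> Token<T> lookupToken(Credentials credentials, Text service, Text expectedKind) throws IOException {
        if (expectedKind == null) {
            throw new IllegalArgumentException("expected TokenKind is null");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Looking for token for service {} in credentials", service);
        }
        // The identifier type is not checked at runtime; the kind comparison below is what
        // rejects a token of the wrong type.
        @SuppressWarnings("unchecked")
        final Token<T> token = (Token<T>) credentials.getToken(service);
        if (token == null) {
            return null;
        }
        final Text actualKind = token.getKind();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Found token of kind {}", actualKind);
        }
        if (!expectedKind.equals(actualKind)) {
            throw new IOException("Token mismatch: expected token for " + service + " of type " + expectedKind + " but got a token of type " + actualKind);
        }
        return token;
    }

    /**
     * Builds the credentials alias used to look up a refreshed delegation token.
     *
     * <p>The result is {@code <str>.dfs.core.windows.net/}, prefixed with {@code abfs://} unless
     * the configured strategy is {@link #CANONICAL_SERVICE_NAME_STRATEGY_ACCOUNT_AND_CONTAINER}.
     * NOTE(review): no container component is added here for either strategy - confirm that the
     * alias matches the one under which the token is stored.
     *
     * @param str storage account name
     * @return the alias to look up in the user's credentials
     */
    private String getCanonicalServiceName(String str) {
        final String hostAndSlash = str + ".dfs.core.windows.net" + "/";
        if (CANONICAL_SERVICE_NAME_STRATEGY_ACCOUNT_AND_CONTAINER.equalsIgnoreCase(this.canonicalServiceNameStrategy)) {
            return hostAndSlash;
        }
        return "abfs://" + hostAndSlash;
    }
}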
