package org.apache.ranger.raz.hook.s3;

import java.io.IOException;
import java.util.Objects;
import java.util.Optional;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
import org.apache.hadoop.fs.s3a.auth.RoleModel;
import org.apache.hadoop.fs.s3a.auth.delegation.AbstractDelegationTokenBinding;
import org.apache.hadoop.fs.s3a.auth.delegation.AbstractS3ATokenIdentifier;
import org.apache.hadoop.fs.s3a.auth.delegation.EncryptionSecrets;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
import org.apache.hadoop.service.ServiceStateException;
import org.apache.ranger.raz.hook.s3.utils.TokenUtils;
import org.apache.ranger.raz.intg.RangerRazException;
import org.apache.ranger.raz.intg.client.RangerRazClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/raz/hook/s3/RazDelegationTokenBinding.class */
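/**
 * S3A delegation token binding backed by Ranger RAZ.
 *
 * <p>Rather than issuing AWS credentials, this binding asks the RAZ server for a RAZ delegation
 * token ({@link #requestRazAccessToken(String)}) and wraps it in a {@link RazS3ATokenIdentifier}.
 * The credential provider list it deploys carries the RAZ client so that S3 requests can be
 * authorized through RAZ. The RAZ client is created in {@link #serviceStart()} and released in
 * {@link #serviceStop()}; every method that needs it first calls
 * {@link #checkRazClientInitialized()}.
 *
 * <p>The raw token string returned by the RAZ server is a bearer secret and is never logged here;
 * only owner/bucket metadata is written to the log.
 */
public class RazDelegationTokenBinding extends AbstractDelegationTokenBinding {
    private static final String NAME = "RazDelegationToken";
    public static final String RAZ_S3_CONFIG_PREFIX_NAME = "fs.s3a.ext.raz.prefix";
    public static final String RAZ_S3_CONFIG_PREFIX_DEFAULT = "fs.s3a.ext.raz.";
    /** Configuration key the RAZ client reads its property prefix from; written by {@link #createRazClient}. */
    private static final String RAZ_CLIENT_PREFIX_KEY = "ranger.raz.client.prefix";
    private static final Logger LOG = LoggerFactory.getLogger(RazDelegationTokenBinding.class);
    // Token currently in use. Null after deployUnbonded() and before any bind.
    private RazToken razToken;
    private AWSCredentialProviderList credentialProviders;
    // Set in serviceStart(), cleared in serviceStop(); package-private as in the original.
    RangerRazClient razClient;

    /**
     * Creates a binding with an explicit service name and token kind.
     *
     * @param name binding/service name
     * @param kind token kind this binding produces and accepts
     */
    protected RazDelegationTokenBinding(String name, Text kind) {
        super(name, kind);
    }

    /** Creates the default binding for {@link RazS3ATokenIdentifier#RAZ_TOKEN_KIND}. */
    public RazDelegationTokenBinding() {
        this(NAME, RazS3ATokenIdentifier.RAZ_TOKEN_KIND);
    }

    /**
     * Creates a new token identifier by requesting a fresh RAZ delegation token from the server.
     *
     * @param policy role policy; unused by this binding
     * @param encryptionSecrets encryption secrets to embed in the identifier
     * @param renewer renewer principal forwarded to the RAZ server
     * @return the populated identifier
     * @throws IOException if the RAZ client is unavailable or the server request fails
     */
    @Override
    public AbstractS3ATokenIdentifier createTokenIdentifier(Optional<RoleModel.Policy> policy, EncryptionSecrets encryptionSecrets, Text renewer) throws IOException {
        LOG.debug("Creating token identifier.");
        checkRazClientInitialized();
        String origin = "Created from " + this.razClient.getDelegationTokenServiceName();
        RazToken freshToken = requestRazAccessToken(renewer.toString());
        RazS3ATokenIdentifier identifier = new RazS3ATokenIdentifier(RazS3ATokenIdentifier.RAZ_TOKEN_KIND, getOwnerText(), renewer, getCanonicalUri(), origin, encryptionSecrets, freshToken);
        // Only metadata is logged; the token itself is a secret.
        LOG.debug("Created token identifier. Owner: {}; Bucket: {}", identifier.getOwner(), identifier.getBucket());
        return identifier;
    }

    /**
     * Deploys the binding without a delegation token: the RAZ token is cleared and the
     * RAZ-backed credential provider is installed.
     *
     * @return the credential provider list for this binding
     * @throws IOException declared by the superclass contract
     */
    @Override
    public AWSCredentialProviderList deployUnbonded() throws IOException {
        LOG.debug("Deploy Unbonded.");
        this.razToken = null;
        return getAwsCredentialProviderList();
    }

    /** @return an empty identifier of this binding's kind, for deserialization */
    @Override
    public AbstractS3ATokenIdentifier createEmptyIdentifier() {
        return new RazS3ATokenIdentifier();
    }

    /**
     * Binds to a delegation token retrieved from the caller's credentials.
     *
     * @param retrievedIdentifier identifier decoded from the token; must be a {@link RazS3ATokenIdentifier}
     * @return the credential provider list for this binding
     * @throws IOException if the identifier is of the wrong class or fails validation
     */
    @Override
    public AWSCredentialProviderList bindToTokenIdentifier(AbstractS3ATokenIdentifier retrievedIdentifier) throws IOException {
        // SLF4J renders the argument lazily, so no isDebugEnabled() guard is needed.
        // NOTE(review): this assumes RazS3ATokenIdentifier.toString() does not include the
        // embedded access token — confirm before enabling debug logging in production.
        LOG.debug("Binding to retrieved token: {}", retrievedIdentifier);
        RazS3ATokenIdentifier identifier = (RazS3ATokenIdentifier) convertTokenIdentifier(retrievedIdentifier, RazS3ATokenIdentifier.class);
        identifier.validate();
        this.razToken = identifier.getRazToken();
        return getAwsCredentialProviderList();
    }

    /**
     * Builds a provider list containing a single {@link RazAnonymousAWSCredentialsProvider}
     * wired to this binding and its RAZ client.
     */
    private AWSCredentialProviderList getAwsCredentialProviderList() {
        AWSCredentialProviderList providers = new AWSCredentialProviderList();
        String owner = getFileSystem().createStoreContext().getOwner();
        providers.add(new RazAnonymousAWSCredentialsProvider(this, owner, getConfig(), this.razClient));
        this.credentialProviders = providers;
        return providers;
    }

    /**
     * Stops the binding and releases the RAZ client reference.
     *
     * @throws Exception propagated from the superclass
     */
    @Override
    protected void serviceStop() throws Exception {
        try {
            super.serviceStop();
        } finally {
            // Drop the client even if the superclass stop fails, so a stopped binding
            // cannot keep using it (checkRazClientInitialized() then rejects calls).
            this.razClient = null;
        }
    }

    /**
     * Starts the binding and creates the RAZ client for the binding's owner.
     *
     * @throws Exception propagated from the superclass or client creation
     */
    @Override
    protected void serviceStart() throws Exception {
        super.serviceStart();
        this.razClient = createRazClient(getConfig(), getOwner());
    }

    /**
     * Requests a RAZ delegation token from the server and decodes its issue and max dates.
     *
     * @param renewer renewer principal sent to the RAZ server
     * @return the RAZ token holding the encoded token string and its validity window
     * @throws IOException if the client is not initialized, the server call fails, or the
     *         returned token cannot be decoded
     */
    private RazToken requestRazAccessToken(String renewer) throws IOException {
        LOG.debug("Requesting initial Raz delegation token");
        checkRazClientInitialized();
        String encodedToken;
        try {
            encodedToken = this.razClient.getDelegationToken(renewer);
        } catch (RangerRazException e) {
            throw new IOException("Error while getting token from raz server.", e);
        }
        // Defensive: decoding a null/empty string would fail with an NPE deep in Token.
        if (encodedToken == null || encodedToken.isEmpty()) {
            throw new IOException("Raz server returned an empty delegation token.");
        }
        Token<DelegationTokenIdentifier> token = new Token<>();
        token.decodeFromUrlString(encodedToken);
        DelegationTokenIdentifier identifier = token.decodeIdentifier();
        // Token.decodeIdentifier() yields null when no identifier class is registered for the kind.
        if (identifier == null) {
            throw new IOException("Unable to decode identifier of delegation token of kind " + token.getKind() + " from raz server.");
        }
        LOG.debug("Got token from raz server via client.");
        return new RazToken(identifier.getIssueDate(), identifier.getMaxDate(), encodedToken);
    }

    /**
     * Fails fast when the RAZ client has not been created yet.
     *
     * @throws ServiceStateException if {@link #serviceStart()} has not run (or {@link #serviceStop()} has)
     */
    private void checkRazClientInitialized() {
        if (this.razClient == null) {
            throw new ServiceStateException("Raz client is not initialized. The service should be started with " + getClass().getSimpleName() + ".start() so the raz client will be initialized properly.");
        }
    }

    /**
     * Creates a RAZ client for the given user.
     *
     * <p>Side effect: the passed {@code configuration} is mutated — {@code ranger.raz.client.prefix}
     * is set to the value of {@link #RAZ_S3_CONFIG_PREFIX_NAME} (default
     * {@link #RAZ_S3_CONFIG_PREFIX_DEFAULT}) so the client reads its settings under that prefix.
     * (Declared {@code protected} in the original source per the decompiler; kept public here.)
     *
     * @param configuration configuration the client reads from; modified in place
     * @param userGroupInformation user the client acts as
     * @return the client instance
     * @throws IOException if client creation fails
     */
    public static RangerRazClient createRazClient(Configuration configuration, UserGroupInformation userGroupInformation) throws IOException {
        String prefix = configuration.get(RAZ_S3_CONFIG_PREFIX_NAME, RAZ_S3_CONFIG_PREFIX_DEFAULT);
        configuration.set(RAZ_CLIENT_PREFIX_KEY, prefix);
        return RangerRazClient.getInstance(configuration, userGroupInformation);
    }

    /** @return the RAZ token in use, or null when unbonded */
    public RazToken getRazToken() {
        return this.razToken;
    }

    /**
     * Replaces the current RAZ token with the one found in the current user's credentials when
     * that token differs from the one in use. Nothing changes when the UGI has no usable token or
     * when its access token matches the current one.
     *
     * <p>A null current token (unbonded binding) is treated as "differs", so a token that appears
     * in the UGI later is picked up instead of causing an NPE.
     */
    public void maybeRefreshRazToken() {
        RazS3ATokenIdentifier updated = fetchUpdatedTokenFromUGI();
        if (updated == null || updated.getRazToken() == null) {
            return;
        }
        RazToken candidate = updated.getRazToken();
        boolean unchanged = this.razToken != null
                && Objects.equals(this.razToken.getAccessToken(), candidate.getAccessToken());
        if (unchanged) {
            return;
        }
        this.razToken = candidate;
        LOG.info("Updated raz token from UGI in DT binding.");
    }

    /**
     * Looks up a RAZ token for this binding's canonical URI in the current user's credentials.
     *
     * @return the decoded identifier, or null if none is present, it cannot be decoded as a
     *         {@link RazS3ATokenIdentifier}, or the lookup fails
     */
    private RazS3ATokenIdentifier fetchUpdatedTokenFromUGI() {
        try {
            Text service = new Text(getCanonicalUri().toString());
            Token<?> found = TokenUtils.lookupToken(UserGroupInformation.getCurrentUser().getCredentials(), service, RazS3ATokenIdentifier.RAZ_TOKEN_KIND);
            if (found == null) {
                LOG.debug("No raz token found in UGI");
                return null;
            }
            TokenIdentifier decoded = found.decodeIdentifier();
            if (decoded instanceof RazS3ATokenIdentifier) {
                return (RazS3ATokenIdentifier) decoded;
            }
            // Either no identifier class is registered for the kind (null) or it is a different class.
            LOG.debug("Raz token in UGI did not decode to a RazS3ATokenIdentifier, ignoring it");
            return null;
        } catch (IOException e) {
            LOG.debug("Exception while fetching updated raz token from UGI, will keep using older token", e);
            return null;
        }
    }
}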
