package org.apache.ranger.raz.hook.s3;

import com.amazonaws.AmazonServiceException;
import com.amazonaws.HandlerContextAware;
import com.amazonaws.Request;
import com.amazonaws.SignableRequest;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.CanHandleNullCredentials;
import com.amazonaws.auth.EndpointPrefixAwareSigner;
import com.amazonaws.auth.ServiceAwareSigner;
import com.amazonaws.auth.Signer;
import com.amazonaws.services.signer.model.AccessDeniedException;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.s3a.CredentialInitializationException;
import org.apache.hadoop.fs.s3a.audit.AWSAuditEventCallbacks;
import org.apache.hadoop.fs.s3a.audit.AuditIntegration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ranger.raz.hook.s3.RazAnonymousAWSCredentialsProvider;
import org.apache.ranger.raz.hook.s3.cache.SignerCache;
import org.apache.ranger.raz.hook.s3.utils.S3Utils;
import org.apache.ranger.raz.intg.RangerRazErrorCode;
import org.apache.ranger.raz.intg.RangerRazException;
import org.apache.ranger.raz.intg.client.RangerRazClient;
import org.apache.ranger.raz.model.RangerRazRequest;
import org.apache.ranger.raz.model.RangerRazRequestBase;
import org.apache.ranger.raz.model.RangerRazResult;
import org.apache.ranger.raz.model.RangerRazResultBase;
import org.apache.ranger.raz.s3.lib.HttpMethod;
import org.apache.ranger.raz.s3.lib.aws.exceptions.RCSAWSException;
import org.apache.ranger.raz.s3.lib.aws.fsrequests.AwsRequest;
import org.apache.ranger.raz.s3.lib.aws.fsrequests.AwsRequestCacheKey;
import org.apache.ranger.raz.s3.lib.aws.parsers.AwsRequestParser;
import org.apache.ranger.raz.s3.lib.signer.SignResponse;
import org.apache.ranger.raz.s3.lib.signer.impl.SignRequestImpl;
import org.apache.ranger.raz.s3.lib.signer.util.ProtoConverters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/raz/hook/s3/RazS3SignerPlugin.class */
public class RazS3SignerPlugin implements Signer, ServiceAwareSigner, EndpointPrefixAwareSigner, CanHandleNullCredentials {
    private static final Logger LOG = LoggerFactory.getLogger(RazS3SignerPlugin.class);
    private static final Set<String> listOfSignerHeadersToLogWhenReplaced = new HashSet(Arrays.asList("Host", "X-Amz-Date", "x-amz-content-sha256", "Authorization"));
    private String endpointPrefix;
    private String serviceName;
    static final String DEFAULT_SERVICE_TYPE = "s3";
    static final String DEFAULT_SERVICE_NAME = "cm_s3";
    static final String SERVICE_TYPE_CONFIG_KEY = "s3a.service.type";
    static final String SERVICE_NAME_CONFIG_KEY = "s3a.service.name";
    static final String CLUSTER_NAME_CONFIG_KEY = ".access.cluster.name";
    static final String ACCESS_DENIED_EXCEPTION = "AccessDeniedException";
    static final String PREFIX_TO_TRUNCATE = "op_";

    /* renamed from: org.apache.ranger.raz.hook.s3.RazS3SignerPlugin$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/ranger/raz/hook/s3/RazS3SignerPlugin$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$ranger$raz$model$RangerRazResultBase$AccessResult = new int[RangerRazResultBase.AccessResult.values().length];

        static {
            try {
                $SwitchMap$org$apache$ranger$raz$model$RangerRazResultBase$AccessResult[RangerRazResultBase.AccessResult.ALLOWED.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$ranger$raz$model$RangerRazResultBase$AccessResult[RangerRazResultBase.AccessResult.DENIED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$ranger$raz$model$RangerRazResultBase$AccessResult[RangerRazResultBase.AccessResult.NOT_DETERMINED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    public RazS3SignerPlugin() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> Raz S3 Signer client constructor");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== Raz S3 Signer client constructor");
        }
    }

    public void sign(SignableRequest<?> signableRequest, AWSCredentials aWSCredentials) {
        RangerRazResult checkPrivilege;
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> Sign request: {}, AWSCredentials: {}", signableRequest, aWSCredentials);
        }
        if (aWSCredentials.getAWSSecretKey() == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Secret key is null from credentials. Returning from the signer without signing the request.");
                return;
            }
            return;
        }
        String str = null;
        String retrieveOperationName = retrieveOperationName(signableRequest);
        if (!(aWSCredentials instanceof RazAnonymousAWSCredentialsProvider.RazAnonymousAWSCredentials)) {
            throw new CredentialInitializationException(String.format("Credentials are not an instance of %s, classname: %s, toString: %s", RazAnonymousAWSCredentialsProvider.class.getName(), aWSCredentials.getClass().getName(), aWSCredentials.toString()));
        }
        RazAnonymousAWSCredentialsProvider.RazAnonymousAWSCredentials razAnonymousAWSCredentials = (RazAnonymousAWSCredentialsProvider.RazAnonymousAWSCredentials) aWSCredentials;
        RazDelegationTokenBinding razDelegationTokenBinding = razAnonymousAWSCredentials.getRazDelegationTokenBinding();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Getting raz delegation token from the filesystem.");
        }
        if (razDelegationTokenBinding.getRazToken() != null) {
            str = razDelegationTokenBinding.getRazToken().getAccessToken();
        }
        UserGroupInformation owner = razAnonymousAWSCredentials.getOwner();
        String userName = owner.getUserName();
        RangerRazClient razClient = razAnonymousAWSCredentials.getRazClient();
        SignerCache<AwsRequestCacheKey, Map<String, String>> signerCache = razAnonymousAWSCredentials.getSignerCache();
        if (razClient == null) {
            throw new RuntimeException("Raz client from DT binding is null.");
        }
        Configuration config = razAnonymousAWSCredentials.getConfig();
        if (LOG.isDebugEnabled()) {
            if (StringUtils.isEmpty(str)) {
                LOG.debug("No razToken found, owner: {}, userName: {}", owner, userName);
            } else {
                LOG.debug("razToken: {}, owner: {}, userName: {}", new Object[]{str.substring(0, 6), owner, userName});
            }
        }
        String bucketNameFromHost = S3Utils.getBucketNameFromHost(signableRequest.getEndpoint().getHost());
        Objects.requireNonNull(bucketNameFromHost, "Unable to look up bucketname from hostname=[" + signableRequest.getEndpoint().getHost() + "]");
        String lookupRegionFromCache = S3Utils.lookupRegionFromCache(bucketNameFromHost);
        AwsRequestParser awsRequestParser = new AwsRequestParser();
        byte[] bArr = null;
        if (awsRequestParser.isContentSigningRequired((Request) signableRequest)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Content signing required for Request: {}", signableRequest);
            }
            try {
                bArr = awsRequestParser.getRequestContents((Request) signableRequest);
            } catch (IOException e) {
                throw new RCSAWSException(RCSAWSException.StatusCode.OTHER, "Unable to extract request contents for request: [" + signableRequest + "]", e);
            }
        }
        AwsRequest parseAwsRequest = awsRequestParser.parseAwsRequest((Request) signableRequest);
        AwsRequestCacheKey awsRequestCacheKey = new AwsRequestCacheKey(parseAwsRequest, userName);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Incoming request: {} Cache key generated: {} ", parseAwsRequest, awsRequestCacheKey);
        }
        Map<String, String> map = signerCache.get(awsRequestCacheKey);
        if (map != null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Reusing aws request key from cache : {}", awsRequestCacheKey);
            }
            addSignedHeadersToRequest(signableRequest, map);
            return;
        }
        SignRequestImpl signRequestImpl = new SignRequestImpl(signableRequest.getEndpoint(), HttpMethod.valueOf(signableRequest.getHttpMethod().name()), signableRequest.getHeaders(), signableRequest.getParameters(), signableRequest.getResourcePath(), bArr, signableRequest.getTimeOffset(), this.endpointPrefix, this.serviceName);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Sign request: {}", signRequestImpl);
        }
        HashMap hashMap = new HashMap();
        try {
            hashMap.put("S3_SIGN_REQUEST", ProtoConverters.toBase64(signRequestImpl));
            RangerRazRequest rangerRazRequestWithSetup = getRangerRazRequestWithSetup(config, hashMap, userName, retrieveOperationName);
            try {
                checkPrivilege = razClient.checkPrivilege(rangerRazRequestWithSetup, str);
            } catch (RangerRazException e2) {
                LOG.debug("Got exception from RAZ server, checking if this is InvalidToken error");
                if (!e2.getErrorCode().equals(RangerRazErrorCode.RAZ_CLIENT_ACCESS_DENIED) || !e2.getMessage().contains("InvalidToken")) {
                    rangerRazExceptionToASEAndThrow(e2, rangerRazRequestWithSetup.getRequestId());
                    LOG.error("Exception while checking privilege, RazRequestID: " + rangerRazRequestWithSetup.getRequestId(), e2);
                    throw new RazS3ClientCredentialsException(e2.getMessage(), e2);
                }
                LOG.debug("InvalidToken error, trying to update token from UGI and retry");
                razDelegationTokenBinding.maybeRefreshRazToken();
                try {
                    checkPrivilege = razClient.checkPrivilege(rangerRazRequestWithSetup, razDelegationTokenBinding.getRazToken().getAccessToken());
                } catch (RangerRazException e3) {
                    LOG.error("Exception while checking privilege, RazRequestID: " + rangerRazRequestWithSetup.getRequestId(), e2);
                    throw new RazS3ClientCredentialsException(e2.getMessage(), e2);
                }
            }
            if (checkPrivilege == null) {
                if (!isKerberosAuthenticated()) {
                    throw new RuntimeException("User: " + userName + " doesn't have Kerberos Authentication.");
                }
                throw new RuntimeException("User: " + userName + " have kinited but RAZ server may be down. Please verify if RAZ server is up or not.");
            }
            RangerRazResultBase.AccessResult result = checkPrivilege.getOperResult().getResult();
            switch (AnonymousClass1.$SwitchMap$org$apache$ranger$raz$model$RangerRazResultBase$AccessResult[result.ordinal()]) {
                case 1:
                    try {
                        SignResponse respFromBase64 = ProtoConverters.respFromBase64((String) checkPrivilege.getOperResult().getAdditionalInfo().get("S3_SIGN_RESPONSE"));
                        maybeUpdateRegionNameInCache(bucketNameFromHost, lookupRegionFromCache, respFromBase64);
                        Map<String, String> signerGeneratedHeaders = respFromBase64.getSignerGeneratedHeaders();
                        if (parseAwsRequest.isSignatureCachingAllowed()) {
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Caching aws request key : {}", awsRequestCacheKey);
                            }
                            signerCache.put(awsRequestCacheKey, signerGeneratedHeaders);
                        }
                        addSignedHeadersToRequest(signableRequest, signerGeneratedHeaders);
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("<== Sign request end. Request: {}, Credentials: {}, Result: {}", new Object[]{signableRequest, aWSCredentials, checkPrivilege});
                            return;
                        }
                        return;
                    } catch (IOException e4) {
                        throw new UncheckedIOException("RAZ result cannot be read. request id: " + rangerRazRequestWithSetup.getRequestId() + " exception message: " + e4.toString(), e4);
                    }
                case 2:
                case 3:
                    throw constructAccessDeniedException(checkPrivilege, userName);
                default:
                    throw new UnsupportedOperationException("Unknown operation result from RAZ: " + result);
            }
        } catch (IOException e5) {
            throw new RuntimeException("Can't convert sign request to protobuffed base64.", e5);
        }
    }

    private String retrieveOperationName(SignableRequest<?> signableRequest) {
        AWSAuditEventCallbacks retrieveAttachedSpan;
        if ((signableRequest instanceof HandlerContextAware) && (retrieveAttachedSpan = AuditIntegration.retrieveAttachedSpan((HandlerContextAware) signableRequest)) != null) {
            return getOpNameWithoutPrefix(retrieveAttachedSpan.getOperationName());
        }
        LOG.debug("Unable to figure out operation name from incoming request.So setting to {}", "UNKNOWN_AWS_OPERATION");
        return "UNKNOWN_AWS_OPERATION";
    }

    @VisibleForTesting
    public String getOpNameWithoutPrefix(String str) {
        return str.startsWith(PREFIX_TO_TRUNCATE) ? str.substring(PREFIX_TO_TRUNCATE.length()) : str;
    }

    private void rangerRazExceptionToASEAndThrow(RangerRazException rangerRazException, String str) {
        Map rangerRazExceptionHeadersMap = rangerRazException.getRangerRazExceptionHeadersMap();
        if (rangerRazExceptionHeadersMap == null || !rangerRazExceptionHeadersMap.containsKey("x-ranger-amz-status-code")) {
            return;
        }
        AmazonServiceException amazonServiceException = new AmazonServiceException(rangerRazException.getMessage() + ", RazRequestID: " + str);
        amazonServiceException.setServiceName("Amazon S3");
        if (rangerRazExceptionHeadersMap.containsKey("x-ranger-amz-error-code")) {
            amazonServiceException.setErrorCode((String) rangerRazExceptionHeadersMap.get("x-ranger-amz-error-code"));
        }
        if (rangerRazExceptionHeadersMap.containsKey("x-ranger-amz-status-code")) {
            String str2 = (String) rangerRazExceptionHeadersMap.get("x-ranger-amz-status-code");
            try {
                amazonServiceException.setStatusCode(Integer.parseInt(str2));
            } catch (NumberFormatException e) {
                LOG.error("String: " + str2 + " can't be parsed into an Integer.");
                amazonServiceException.setStatusCode(400);
            }
        }
        if (rangerRazExceptionHeadersMap.containsKey("x-ranger-amz-request-id")) {
            amazonServiceException.setRequestId((String) rangerRazExceptionHeadersMap.get("x-ranger-amz-request-id"));
        }
        if (rangerRazExceptionHeadersMap.containsKey("x-ranger-amz-id-2")) {
            HashMap hashMap = new HashMap();
            hashMap.put("x-amz-id-2", rangerRazExceptionHeadersMap.get("x-ranger-amz-id-2"));
            amazonServiceException.setHttpHeaders(hashMap);
        }
        throw amazonServiceException;
    }

    private boolean isKerberosAuthenticated() {
        try {
            UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
            boolean isSecurityEnabled = UserGroupInformation.isSecurityEnabled();
            boolean hasKerberosCredentials = loginUser.hasKerberosCredentials();
            UserGroupInformation.AuthenticationMethod authenticationMethod = loginUser.getAuthenticationMethod();
            if (isSecurityEnabled && hasKerberosCredentials) {
                if (authenticationMethod.equals(UserGroupInformation.AuthenticationMethod.KERBEROS)) {
                    return true;
                }
            }
            return false;
        } catch (IOException e) {
            throw new RuntimeException("Failed to get authentication details, Exception: " + e.toString());
        }
    }

    public void setEndpointPrefix(String str) {
        this.endpointPrefix = str;
    }

    public void setServiceName(String str) {
        this.serviceName = str;
    }

    private AccessDeniedException constructAccessDeniedException(RangerRazResult rangerRazResult, String str) {
        AccessDeniedException accessDeniedException = new AccessDeniedException(String.format("Ranger result: %s, Audit: %s, Username: %s", rangerRazResult.getOperResult().getResult(), rangerRazResult.getOperResult().getAuditLogs(), str));
        accessDeniedException.setStatusCode(RCSAWSException.StatusCode.ACCESS_DENIED.getCode());
        accessDeniedException.setErrorCode(ACCESS_DENIED_EXCEPTION);
        accessDeniedException.setRequestId(rangerRazResult.getRequestId());
        if (LOG.isDebugEnabled()) {
            LOG.debug("Constructing AccessDeniedException for RangerRazResult (for raz, not for signer).");
        }
        return accessDeniedException;
    }

    private void maybeUpdateRegionNameInCache(String str, String str2, SignResponse signResponse) {
        if (signResponse.getRegion() != null) {
            if (str2 != null) {
                Preconditions.checkState(str2.equalsIgnoreCase(signResponse.getRegion()), "region and region from signedResponse must match");
                return;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Updating region in cache for bucket=[{}], from sign response to [{}] ", str, signResponse.getRegion());
            }
            S3Utils.updateBucketToRegionCache(str, signResponse.getRegion());
        }
    }

    private void addSignedHeaderToRequest(SignableRequest<?> signableRequest, String str, String str2) {
        if (listOfSignerHeadersToLogWhenReplaced.contains(str) && signableRequest.getHeaders().containsKey(str)) {
            LOG.warn("Original request already contains the header: {}. Replacing...", str);
        }
        signableRequest.addHeader(str, str2);
    }

    private void addSignedHeadersToRequest(SignableRequest<?> signableRequest, Map<String, String> map) {
        for (Map.Entry<String, String> entry : map.entrySet()) {
            addSignedHeaderToRequest(signableRequest, entry.getKey(), entry.getValue());
        }
    }

    public static RangerRazRequest getRangerRazRequestWithSetup(Configuration configuration, Map<String, String> map, String str, String str2) {
        RangerRazRequest rangerRazRequest = new RangerRazRequest();
        rangerRazRequest.setContext(map);
        String str3 = configuration.get(RazDelegationTokenBinding.RAZ_S3_CONFIG_PREFIX_NAME, RazDelegationTokenBinding.RAZ_S3_CONFIG_PREFIX_DEFAULT);
        String str4 = configuration.get(str3 + SERVICE_TYPE_CONFIG_KEY, DEFAULT_SERVICE_TYPE);
        rangerRazRequest.setServiceType(str4);
        rangerRazRequest.setServiceName(configuration.get(str3 + SERVICE_NAME_CONFIG_KEY, DEFAULT_SERVICE_NAME));
        rangerRazRequest.setUser(str);
        rangerRazRequest.setKeysToRedact(RangerRazClient.RAZ_CLIENT_KEYS_TO_REDACT);
        rangerRazRequest.setOperation(new RangerRazRequestBase.ResourceAccess(new HashMap(), str2));
        rangerRazRequest.setClusterName(configuration.get(str3 + str4 + CLUSTER_NAME_CONFIG_KEY, ""));
        rangerRazRequest.setRequestId(String.valueOf(UUID.randomUUID()));
        return rangerRazRequest;
    }

    @VisibleForTesting
    public void translateToASEAndThrow(RangerRazException rangerRazException, String str) {
        rangerRazExceptionToASEAndThrow(rangerRazException, str);
    }
}
