package org.apache.ranger.raz.hook.s3;

import java.io.IOException;
import java.util.Locale;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.TokenRenewer;
import org.apache.hadoop.security.token.delegation.web.DelegationTokenIdentifier;
import org.apache.ranger.raz.intg.RangerRazException;
import org.apache.ranger.raz.intg.client.RangerRazClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/raz/hook/s3/RazS3ATokenRenewer.class */
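/**
 * {@link TokenRenewer} for RAZ S3A delegation tokens.
 *
 * <p>Renewal and cancellation are forwarded to the RAZ server through a
 * {@link RangerRazClient}, using the access token carried in the decoded
 * {@link RazS3ATokenIdentifier}. Before any call is made, the current user's short name
 * is compared with the renewer recorded in the identifier.
 *
 * <p>NOTE(review): the renewer comparison runs in the caller's process against fields of
 * the identifier the caller presents; nothing in this class verifies the identifier bytes.
 * Treat it as a precondition only and confirm that the RAZ server authorizes renew/cancel
 * requests on its own.
 */
public class RazS3ATokenRenewer extends TokenRenewer {
    private static final Logger LOG = LoggerFactory.getLogger(RazS3ATokenRenewer.class);
    private static final String ERR_INVALID_RENEWER = "The user (%s) does not match the renewer declared for the token: %s";

    /**
     * Reports whether this renewer handles the given token kind.
     *
     * @param text the token kind to test
     * @return {@code true} when the kind equals {@code RazS3ATokenIdentifier.RAZ_TOKEN_KIND}
     */
    @Override
    public boolean handleKind(Text text) {
        return RazS3ATokenIdentifier.RAZ_TOKEN_KIND.equals(text);
    }

    /**
     * Reports whether the token is managed, which here is the same test as {@link #handleKind(Text)}.
     *
     * @param token the token to test
     * @return {@code true} when the token's kind is handled by this renewer
     * @throws IOException declared by the overridden method; not thrown by this implementation
     */
    @Override
    public boolean isManaged(Token<?> token) throws IOException {
        return handleKind(token.getKind());
    }

    /**
     * Renews a RAZ delegation token on the RAZ server.
     *
     * @param token the token to renew
     * @param configuration configuration used to create the RAZ client
     * @return the value returned by the RAZ server for the renewal, or {@code 0} when the decoded
     *     identifier's kind is not handled by this renewer (an error is logged in that case)
     * @throws IOException if the identifier cannot be decoded or is not a RAZ S3A identifier, if the
     *     current user is not the declared renewer, if the server answers {@code -1}, or if the RAZ
     *     client call fails
     * @throws InterruptedException declared by the overridden method
     */
    @Override
    public long renew(Token<?> token, Configuration configuration) throws IOException, InterruptedException {
        TokenIdentifier decoded = decodeIdentifier(token);
        if (!handleKind(decoded.getKind())) {
            // Kept as log-and-return: callers of the original saw 0 here, not an exception.
            LOG.error("Token kind {} can not be handled ", decoded.getKind());
            return 0;
        }
        RazS3ATokenIdentifier identifier = asRazIdentifier(decoded);
        // NOTE(review): the identifier is logged through its toString(); confirm that rendering
        // leaves out the RAZ access token that is sent to the server below.
        LOG.info("Renewing {}", identifier);
        LOG.debug("Token: {}", identifier);

        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (!validateRenewer(currentUser, identifier)) {
            throwInvalidRenewerException(currentUser.getShortUserName(), identifier.getKind());
        }

        long renewedUntil;
        try {
            renewedUntil = getRazClient(currentUser, configuration)
                    .renewDelegationToken(identifier.getRazToken().getAccessToken()).longValue();
        } catch (RangerRazException e) {
            throw new IOException("Error during DT renewal from RAZ server: " + e, e);
        }
        // -1 is the value this code treats as "renewal refused".
        if (renewedUntil == -1) {
            LOG.error("Token {} could not be renewed.", identifier.getKind());
            throw new IOException(String.format("Token {%s} could not be renewed", identifier.getKind()));
        }
        return renewedUntil;
    }

    /**
     * Cancels a RAZ delegation token on the RAZ server.
     *
     * <p>When the decoded identifier's kind is not handled by this renewer, an error is logged and
     * the method returns without contacting the server.
     *
     * @param token the token to cancel
     * @param configuration configuration used to create the RAZ client
     * @throws IOException if the identifier cannot be decoded or is not a RAZ S3A identifier, if the
     *     current user is not the declared renewer, if the server reports that the token was not
     *     cancelled, or if the RAZ client call fails
     */
    @Override
    public void cancel(Token<?> token, Configuration configuration) throws IOException {
        TokenIdentifier decoded = decodeIdentifier(token);
        if (!handleKind(decoded.getKind())) {
            LOG.error("Token kind {} can not be handled", decoded.getKind());
            return;
        }
        RazS3ATokenIdentifier identifier = asRazIdentifier(decoded);
        // NOTE(review): same logging caveat as in renew(); confirm toString() omits the access token.
        LOG.info("Cancelling {}", identifier);
        LOG.debug("Token: {}", identifier);

        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (!validateRenewer(currentUser, identifier)) {
            throwInvalidRenewerException(currentUser.getShortUserName(), identifier.getKind());
        }

        boolean cancelled;
        try {
            cancelled = getRazClient(currentUser, configuration)
                    .cancelDelegationToken(identifier.getRazToken().getAccessToken()).booleanValue();
        } catch (RangerRazException e) {
            // The message previously said "renewal", which misattributed cancel failures in logs.
            throw new IOException("Error during DT cancellation from RAZ server: " + e, e);
        }
        if (!cancelled) {
            throw new IOException(String.format("Token kind %s could not be cancelled.", identifier.getKind()));
        }
    }

    /** Decodes the token's identifier, failing with an IOException instead of a later NullPointerException. */
    private static TokenIdentifier decodeIdentifier(Token<?> token) throws IOException {
        TokenIdentifier decoded = token.decodeIdentifier();
        if (decoded == null) {
            throw new IOException(String.format("Unable to decode the identifier of a token of kind %s", token.getKind()));
        }
        return decoded;
    }

    /** Narrows a decoded identifier to the RAZ type, failing with an IOException instead of a ClassCastException. */
    private static RazS3ATokenIdentifier asRazIdentifier(TokenIdentifier decoded) throws IOException {
        if (!(decoded instanceof RazS3ATokenIdentifier)) {
            throw new IOException(String.format("Token of kind %s did not decode to a RAZ S3A identifier", decoded.getKind()));
        }
        return (RazS3ATokenIdentifier) decoded;
    }

    /** Always throws the "invalid renewer" IOException for the given user and token kind. */
    private void throwInvalidRenewerException(String str, Text text) throws IOException {
        throw new IOException(String.format(ERR_INVALID_RENEWER, str, text));
    }

    /** Creates the RAZ client for the given user via {@code RazDelegationTokenBinding.createRazClient}. */
    private RangerRazClient getRazClient(UserGroupInformation userGroupInformation, Configuration configuration) throws IOException {
        return RazDelegationTokenBinding.createRazClient(configuration, userGroupInformation);
    }

    /**
     * Checks that the identifier names a renewer and that it equals the user's short name.
     *
     * @return {@code false} (after logging the reason) when the renewer is missing, empty or different
     */
    private static boolean validateRenewer(UserGroupInformation userGroupInformation, DelegationTokenIdentifier delegationTokenIdentifier) {
        Text renewer = delegationTokenIdentifier.getRenewer();
        if (renewer == null || renewer.getLength() <= 0) {
            LOG.error("Operation not permitted. No renewer is specified in the identifier.");
            return false;
        }
        if (!renewer.toString().equals(userGroupInformation.getShortUserName())) {
            // The comparison uses the short name while the log line shows the full user name.
            LOG.error(String.format(Locale.getDefault(), ERR_INVALID_RENEWER, userGroupInformation.getUserName(), renewer));
            return false;
        }
        return true;
    }
}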
