package org.apache.hadoop.security.alias;

import com.google.common.base.Charsets;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URI;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.io.IOUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.security.ProviderUtils;
import org.apache.hadoop.security.alias.CredentialProvider;

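/**
 * Base class for credential providers that keep their secrets in a JCEKS
 * {@link KeyStore}.
 *
 * <p>Subclasses supply the storage back end (existence check, input/output
 * streams, permission handling); this class handles password resolution,
 * loading, lookup, mutation and flushing of the keystore.
 *
 * <p>The keystore password is resolved in the constructor, in this order:
 * <ol>
 *   <li>the {@value #CREDENTIAL_PASSWORD_NAME} environment variable;</li>
 *   <li>the contents (trimmed) of the classpath resource named by the
 *       {@value #KEYSTORE_PASSWORD_FILE_KEY} configuration key;</li>
 *   <li>the fixed default {@value #KEYSTORE_PASSWORD_DEFAULT}.</li>
 * </ol>
 * When the default is used the password is a constant visible in this class, so
 * it adds no secrecy of its own; protection of the stored credentials then rests
 * on the access controls applied to the keystore file by the subclass.
 *
 * <p>Keystore access in the methods below is guarded by a fair
 * {@link ReentrantReadWriteLock}. The accessors that hand out the password
 * array, the cache map, the keystore and the locks return the live internal
 * objects, so callers that use them bypass that locking.
 */
@InterfaceAudience.Private
/* loaded from: input_file:lib/hadoop-common-2.7.7.jar:org/apache/hadoop/security/alias/AbstractJavaKeyStoreProvider.class */
public abstract class AbstractJavaKeyStoreProvider extends CredentialProvider {
    /** Environment variable consulted first for the keystore password. */
    public static final String CREDENTIAL_PASSWORD_NAME = "HADOOP_CREDSTORE_PASSWORD";
    /** Configuration key naming a classpath resource that holds the keystore password. */
    public static final String KEYSTORE_PASSWORD_FILE_KEY = "hadoop.security.credstore.java-keystore-provider.password-file";
    /** Password used when neither the environment variable nor the password file yields one. */
    public static final String KEYSTORE_PASSWORD_DEFAULT = "none";
    private Path path;
    private final URI uri;
    private final KeyStore keyStore;
    // Keystore password; also used as the per-entry key password in getKey/setKeyEntry.
    private char[] password;
    private Lock readLock;
    private Lock writeLock;
    // True when the in-memory keystore differs from what flush() last wrote.
    private boolean changed = false;
    // Consulted by getCredentialEntry and createCredentialEntry and pruned by
    // deleteCredentialEntry; nothing in this class adds entries to it.
    private final Map<String, CredentialProvider.CredentialEntry> cache = new HashMap<>();

    /**
     * Resolves the keystore password, then loads the keystore if it exists or
     * initialises an empty one otherwise.
     *
     * @param uri provider URI; passed to {@link #initFileSystem} to derive the keystore path
     * @param configuration source of the optional password-file setting
     * @throws IOException if the password resource or keystore cannot be read, or the
     *     keystore cannot be created or loaded (for example on a wrong password)
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractJavaKeyStoreProvider(URI uri, Configuration configuration) throws IOException {
        this.password = null;
        this.uri = uri;
        initFileSystem(uri, configuration);

        // 1. Environment variable takes precedence over every other source.
        String envPassword = System.getenv(CREDENTIAL_PASSWORD_NAME);
        if (envPassword != null) {
            this.password = envPassword.toCharArray();
        }

        // 2. Password file, resolved as a classpath resource (not a filesystem path).
        //    If the key is set but the resource is not found, this silently falls
        //    through to the default below rather than failing.
        if (this.password == null) {
            String passwordResource = configuration.get(KEYSTORE_PASSWORD_FILE_KEY);
            if (passwordResource != null) {
                URL resource = Thread.currentThread().getContextClassLoader().getResource(passwordResource);
                if (resource != null) {
                    try (InputStream in = resource.openStream()) {
                        // NOTE(review): this IOUtils overload takes no charset; presumably it
                        // decodes with the platform default - confirm for non-ASCII passwords.
                        this.password = IOUtils.toString(in).trim().toCharArray();
                    }
                }
            }
        }

        // 3. Fixed default. It is a constant in this class, so the keystore's
        //    confidentiality then depends on file permissions alone.
        if (this.password == null) {
            this.password = KEYSTORE_PASSWORD_DEFAULT.toCharArray();
        }

        try {
            this.keyStore = KeyStore.getInstance("jceks");
            if (keystoreExists()) {
                stashOriginalFilePermissions();
                try (InputStream in = getInputStreamForFile()) {
                    this.keyStore.load(in, this.password);
                }
            } else {
                // NOTE(review): a DataNode data-dir constant is an odd source for a
                // credential-store permission; this looks like a decompiler substitution
                // for a literal permission string - confirm the value is owner-only.
                createPermissions(DFSConfigKeys.DFS_DATANODE_DATA_DIR_PERMISSION_DEFAULT);
                // A null stream initialises an empty keystore.
                this.keyStore.load(null, this.password);
            }
            // Fair mode: waiting threads acquire in arrival order.
            ReentrantReadWriteLock lock = new ReentrantReadWriteLock(true);
            this.readLock = lock.readLock();
            this.writeLock = lock.writeLock();
        } catch (KeyStoreException e) {
            throw new IOException("Can't create keystore", e);
        } catch (NoSuchAlgorithmException | CertificateException e) {
            throw new IOException("Can't load keystore " + getPathAsString(), e);
        }
    }

    /** Returns the keystore path set by {@link #initFileSystem} or {@link #setPath}. */
    public Path getPath() {
        return this.path;
    }

    /** Replaces the keystore path. */
    public void setPath(Path path) {
        this.path = path;
    }

    /**
     * Returns the keystore password.
     *
     * <p>This is the live internal array, not a copy: a caller that overwrites or
     * clears it changes the password this provider uses for later operations.
     */
    public char[] getPassword() {
        return this.password;
    }

    /** Replaces the keystore password; the supplied array is stored by reference. */
    public void setPassword(char[] cArr) {
        this.password = cArr;
    }

    /** Returns whether the keystore has modifications that {@link #flush()} has not written. */
    public boolean isChanged() {
        return this.changed;
    }

    /** Sets the pending-modification flag checked by {@link #flush()}. */
    public void setChanged(boolean z) {
        this.changed = z;
    }

    /** Returns the lock taken by the read operations of this class. */
    public Lock getReadLock() {
        return this.readLock;
    }

    /** Replaces the read lock; no check is made that it pairs with the write lock. */
    public void setReadLock(Lock lock) {
        this.readLock = lock;
    }

    /** Returns the lock taken by the mutating operations of this class. */
    public Lock getWriteLock() {
        return this.writeLock;
    }

    /** Replaces the write lock; no check is made that it pairs with the read lock. */
    public void setWriteLock(Lock lock) {
        this.writeLock = lock;
    }

    /** Returns the provider URI passed to the constructor. */
    public URI getUri() {
        return this.uri;
    }

    /** Returns the underlying keystore; access through it is not guarded by this class's locks. */
    public KeyStore getKeyStore() {
        return this.keyStore;
    }

    /**
     * Returns the live internal cache map (a plain {@link HashMap}); callers that
     * read or modify it do so outside this class's locks.
     */
    public Map<String, CredentialProvider.CredentialEntry> getCache() {
        return this.cache;
    }

    /** Returns the keystore path as a string, for use in error messages. */
    protected final String getPathAsString() {
        return getPath().toString();
    }

    protected abstract String getSchemeName();

    protected abstract OutputStream getOutputStreamForKeystore() throws IOException;

    protected abstract boolean keystoreExists() throws IOException;

    protected abstract InputStream getInputStreamForFile() throws IOException;

    protected abstract void createPermissions(String str) throws IOException;

    protected abstract void stashOriginalFilePermissions() throws IOException;

    /**
     * Derives the keystore path from the provider URI. Called from the
     * constructor before any field other than {@code uri} is set, so overrides
     * must not rely on subclass state.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void initFileSystem(URI uri, Configuration configuration) throws IOException {
        this.path = ProviderUtils.unnestUri(uri);
    }

    /**
     * Looks up a credential by alias.
     *
     * @param str the credential alias
     * @return the cached entry if one is present, otherwise an entry built from the
     *     keystore, or {@code null} if the keystore has no such alias
     * @throws IOException if the keystore cannot be queried or the key cannot be recovered
     */
    @Override // org.apache.hadoop.security.alias.CredentialProvider
    public CredentialProvider.CredentialEntry getCredentialEntry(String str) throws IOException {
        this.readLock.lock();
        try {
            if (this.cache.containsKey(str)) {
                return this.cache.get(str);
            }
            if (!this.keyStore.containsAlias(str)) {
                return null;
            }
            SecretKeySpec key = (SecretKeySpec) this.keyStore.getKey(str, this.password);
            return new CredentialProvider.CredentialEntry(str, bytesToChars(key.getEncoded()));
        } catch (KeyStoreException e) {
            throw new IOException("Can't get credential " + str + " from " + getPathAsString(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new IOException("Can't get algorithm for credential " + str + " from " + getPathAsString(), e);
        } catch (UnrecoverableKeyException e) {
            throw new IOException("Can't recover credential " + str + " from " + getPathAsString(), e);
        } finally {
            // Single release point: unlocking again on the return paths would throw
            // IllegalMonitorStateException from the read lock.
            this.readLock.unlock();
        }
    }

    /** Decodes UTF-8 bytes into a char array. */
    public static char[] bytesToChars(byte[] bArr) throws IOException {
        // The intermediate String is an immutable copy of the secret that cannot be
        // zeroed afterwards.
        return new String(bArr, Charsets.UTF_8).toCharArray();
    }

    /**
     * Lists every alias in the keystore.
     *
     * @return a new list of aliases
     * @throws IOException if the keystore has not been initialised
     */
    @Override // org.apache.hadoop.security.alias.CredentialProvider
    public List<String> getAliases() throws IOException {
        this.readLock.lock();
        try {
            List<String> result = new ArrayList<>();
            // Tracks the last alias read so the error message can name it.
            String last = null;
            try {
                Enumeration<String> aliases = this.keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    last = aliases.nextElement();
                    result.add(last);
                }
                return result;
            } catch (KeyStoreException e) {
                throw new IOException("Can't get alias " + last + " from " + getPathAsString(), e);
            }
        } finally {
            this.readLock.unlock();
        }
    }

    /**
     * Stores a new credential; fails if the alias already exists in the keystore
     * or the cache. The change is held in memory until {@link #flush()}.
     *
     * @param str the credential alias
     * @param cArr the credential material
     * @return the entry that was stored
     * @throws IOException if the alias already exists or the keystore rejects the entry
     */
    @Override // org.apache.hadoop.security.alias.CredentialProvider
    public CredentialProvider.CredentialEntry createCredentialEntry(String str, char[] cArr) throws IOException {
        this.writeLock.lock();
        try {
            if (this.keyStore.containsAlias(str) || this.cache.containsKey(str)) {
                throw new IOException("Credential " + str + " already exists in " + this);
            }
            return innerSetCredential(str, cArr);
        } catch (KeyStoreException e) {
            throw new IOException("Problem looking up credential " + str + " in " + this, e);
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Removes a credential from the keystore and the cache. The change is held in
     * memory until {@link #flush()}.
     *
     * @param str the credential alias
     * @throws IOException if the alias does not exist or the keystore cannot remove it
     */
    @Override // org.apache.hadoop.security.alias.CredentialProvider
    public void deleteCredentialEntry(String str) throws IOException {
        this.writeLock.lock();
        try {
            if (!this.keyStore.containsAlias(str)) {
                throw new IOException("Credential " + str + " does not exist in " + this);
            }
            this.keyStore.deleteEntry(str);
            this.cache.remove(str);
            this.changed = true;
        } catch (KeyStoreException e) {
            throw new IOException("Problem removing " + str + " from " + this, e);
        } finally {
            this.writeLock.unlock();
        }
    }

    /**
     * Writes a credential into the keystore, overwriting any existing entry for
     * the alias, and marks the provider as changed.
     *
     * @param str the credential alias
     * @param cArr the credential material
     * @return an entry wrapping the alias and the caller's material array
     * @throws IOException if the keystore rejects the entry
     */
    CredentialProvider.CredentialEntry innerSetCredential(String str, char[] cArr) throws IOException {
        this.writeLock.lock();
        try {
            // The credential is wrapped as a SecretKeySpec labelled "AES" so it can be
            // stored as a key entry. new String(cArr) leaves an immutable copy of the
            // secret on the heap that cannot be zeroed afterwards.
            this.keyStore.setKeyEntry(str, new SecretKeySpec(new String(cArr).getBytes(Charsets.UTF_8), "AES"), this.password, null);
            // Set while still holding the write lock so flush() observes it consistently.
            this.changed = true;
        } catch (KeyStoreException e) {
            throw new IOException("Can't store credential " + str + " in " + this, e);
        } finally {
            this.writeLock.unlock();
        }
        return new CredentialProvider.CredentialEntry(str, cArr);
    }

    /**
     * Writes the keystore to the subclass-provided output stream if it has
     * pending changes; does nothing otherwise.
     *
     * @throws IOException if the keystore cannot be written
     */
    @Override // org.apache.hadoop.security.alias.CredentialProvider
    public void flush() throws IOException {
        this.writeLock.lock();
        try {
            if (!this.changed) {
                return;
            }
            try (OutputStream out = getOutputStreamForKeystore()) {
                this.keyStore.store(out, this.password);
            } catch (KeyStoreException e) {
                throw new IOException("Can't store keystore " + this, e);
            } catch (NoSuchAlgorithmException e) {
                throw new IOException("No such algorithm storing keystore " + this, e);
            } catch (CertificateException e) {
                throw new IOException("Certificate exception storing keystore " + this, e);
            }
            // Cleared only after the stream has been written and closed without error.
            this.changed = false;
        } finally {
            // Single release point: a second unlock on the success path would throw
            // IllegalMonitorStateException from the write lock.
            this.writeLock.unlock();
        }
    }

    /** Returns the provider URI as a string. */
    @Override
    public String toString() {
        return this.uri.toString();
    }
}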
