package org.apache.hadoop.crypto.key.kms.server;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.RemovalListener;
import com.google.common.cache.RemovalNotification;
import com.google.common.collect.Sets;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.server.KMS;
import org.apache.hadoop.crypto.key.kms.server.KMSAuditLogger;
import org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.util.ReflectionUtils;
import org.apache.hadoop.util.Time;
import org.mortbay.jetty.HttpStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hadoop-kms-2.10.2.jar:org/apache/hadoop/crypto/key/kms/server/KMSAudit.class */
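/**
 * Audit front end of the KMS server: fans every audit record out to the configured
 * {@link KMSAuditLogger} implementations and aggregates repeated successful calls of the
 * operations in {@link #AGGREGATE_OPS_WHITELIST} over a configurable time window.
 *
 * <p>Records that are unauthorized, unauthenticated, errors, or lack a user, resource name or
 * operation are never aggregated. They go to the loggers immediately.
 */
public class KMSAudit {
    // Aggregation window: one entry per (user, resource, operation), see createCacheKey().
    private Cache<String, KMSAuditLogger.AuditEvent> cache;
    // Single daemon thread that periodically triggers cache maintenance.
    private ScheduledExecutorService executor;
    public static final String KMS_LOGGER_NAME = "kms-audit";
    private final List<KMSAuditLogger> auditLoggers = new LinkedList<>();

    // Only these operations are aggregated; everything else is logged per call.
    @VisibleForTesting
    static final Set<KMS.KMSOp> AGGREGATE_OPS_WHITELIST = Sets.newHashSet(KMS.KMSOp.GET_KEY_VERSION, KMS.KMSOp.GET_CURRENT_KEY, KMS.KMSOp.DECRYPT_EEK, KMS.KMSOp.GENERATE_EEK);
    private static final Logger LOG = LoggerFactory.getLogger(KMSAudit.class);

    /**
     * Builds the aggregation cache, starts the periodic clean-up task and instantiates the
     * configured audit loggers.
     *
     * @param configuration source of the aggregation window (milliseconds) and of the audit
     *                      logger class list
     * @throws RuntimeException if an audit logger class cannot be loaded or initialized
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public KMSAudit(Configuration configuration) {
        long j = configuration.getLong(KMSConfiguration.KMS_AUDIT_AGGREGATION_WINDOW, KMSConfiguration.KMS_AUDIT_AGGREGATION_WINDOW_DEFAULT);
        this.cache = CacheBuilder.newBuilder().expireAfterWrite(j, TimeUnit.MILLISECONDS).removalListener(new RemovalListener<String, KMSAuditLogger.AuditEvent>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMSAudit.1
            @Override // com.google.common.cache.RemovalListener
            public void onRemoval(RemovalNotification<String, KMSAuditLogger.AuditEvent> removalNotification) {
                KMSAuditLogger.AuditEvent value = removalNotification.getValue();
                // Flush the count gathered during the window, then re-insert the entry with a
                // zeroed counter so later accesses keep aggregating. Entries that saw no
                // access are simply dropped.
                if (value.getAccessCount().get() > 0) {
                    KMSAudit.this.logEvent(KMSAuditLogger.OpStatus.OK, value);
                    value.getAccessCount().set(0L);
                    KMSAudit.this.cache.put(removalNotification.getKey(), value);
                }
            }
        }).build();
        this.executor = Executors.newScheduledThreadPool(1, new ThreadFactoryBuilder().setDaemon(true).setNameFormat("kms-audit_thread").build());
        // scheduleAtFixedRate rejects a period <= 0, which a window below 10 ms would produce
        // through the integer division; clamp so a small window cannot abort start-up.
        long cleanupPeriodMs = Math.max(1L, j / 10);
        this.executor.scheduleAtFixedRate(new Runnable() { // from class: org.apache.hadoop.crypto.key.kms.server.KMSAudit.2
            @Override // java.lang.Runnable
            public void run() {
                KMSAudit.this.cache.cleanUp();
            }
        }, cleanupPeriodMs, cleanupPeriodMs, TimeUnit.MILLISECONDS);
        initializeAuditLoggers(configuration);
    }

    /**
     * Resolves the audit logger classes named under
     * {@code KMSConfiguration.KMS_AUDIT_LOGGER_KEY}, falling back to
     * {@code SimpleKMSAuditLogger} when none is configured.
     *
     * <p>NOTE(review): the class names come straight from configuration and are loaded and
     * instantiated reflectively, so write access to that configuration amounts to code
     * execution inside the KMS process. Protect the file accordingly.
     *
     * @throws RuntimeException if a configured class cannot be found
     */
    private Set<Class<? extends KMSAuditLogger>> getAuditLoggerClasses(Configuration configuration) {
        Set<Class<? extends KMSAuditLogger>> loggerClasses = new HashSet<>();
        Collection<String> configuredNames = configuration.getTrimmedStringCollection(KMSConfiguration.KMS_AUDIT_LOGGER_KEY);
        if (configuredNames.isEmpty()) {
            LOG.info("No audit logger configured, using default.");
            loggerClasses.add(SimpleKMSAuditLogger.class);
            return loggerClasses;
        }
        for (String className : configuredNames) {
            try {
                // asSubclass rejects anything that is not a KMSAuditLogger.
                loggerClasses.add(configuration.getClassByName(className).asSubclass(KMSAuditLogger.class));
            } catch (ClassNotFoundException e) {
                throw new RuntimeException("Failed to load " + className + ", please check configuration " + KMSConfiguration.KMS_AUDIT_LOGGER_KEY, e);
            }
        }
        return loggerClasses;
    }

    /**
     * Instantiates every configured audit logger and then initializes each one.
     *
     * @throws RuntimeException if any logger fails to initialize (fail closed: no audit sink,
     *                          no KMSAudit instance)
     */
    private void initializeAuditLoggers(Configuration configuration) {
        Set<Class<? extends KMSAuditLogger>> auditLoggerClasses = getAuditLoggerClasses(configuration);
        Preconditions.checkState(!auditLoggerClasses.isEmpty(), "Should have at least 1 audit logger.");
        for (Class<? extends KMSAuditLogger> loggerClass : auditLoggerClasses) {
            this.auditLoggers.add(ReflectionUtils.newInstance(loggerClass, configuration));
        }
        for (KMSAuditLogger kMSAuditLogger : this.auditLoggers) {
            try {
                LOG.info("Initializing audit logger {}", kMSAuditLogger.getClass());
                kMSAuditLogger.initialize(configuration);
            } catch (Exception e) {
                throw new RuntimeException("Failed to initialize " + kMSAuditLogger.getClass().getName(), e);
            }
        }
    }

    /**
     * Stamps the event with the current time as its end time and hands it to every logger.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void logEvent(KMSAuditLogger.OpStatus opStatus, KMSAuditLogger.AuditEvent auditEvent) {
        auditEvent.setEndTime(Time.now());
        for (KMSAuditLogger auditLogger : this.auditLoggers) {
            auditLogger.logAuditEvent(opStatus, auditEvent);
        }
    }

    /**
     * Central dispatch for all audit records.
     *
     * @param opStatus   outcome being recorded
     * @param op         operation; {@code null} for error / unauthenticated records
     * @param user       caller, may be {@code null}
     * @param key        resource name used for aggregation (presumably the key name; confirm
     *                   against {@code AuditEvent})
     * @param remoteHost remote host, or the "unknown" placeholder supplied by the callers
     * @param extraMsg   free-form detail text
     */
    private void op(KMSAuditLogger.OpStatus opStatus, final Object op, final UserGroupInformation user, final String key, final String remoteHost, final String extraMsg) {
        String shortUserName = user == null ? null : user.getShortUserName();
        // Anything that cannot be keyed, or is not whitelisted, is logged individually.
        if (Strings.isNullOrEmpty(shortUserName) || Strings.isNullOrEmpty(key) || op == null || !AGGREGATE_OPS_WHITELIST.contains(op)) {
            logEvent(opStatus, new KMSAuditLogger.AuditEvent(op, user, key, remoteHost, extraMsg));
            return;
        }
        String cacheKey = createCacheKey(shortUserName, key, op);
        if (opStatus == KMSAuditLogger.OpStatus.UNAUTHORIZED) {
            // A denial is never aggregated: drop the pending entry (the removal listener
            // emits its count) and record the denial on its own.
            this.cache.invalidate(cacheKey);
            logEvent(opStatus, new KMSAuditLogger.AuditEvent(op, user, key, remoteHost, extraMsg));
            return;
        }
        try {
            KMSAuditLogger.AuditEvent auditEvent = this.cache.get(cacheKey, new Callable<KMSAuditLogger.AuditEvent>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMSAudit.3
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public KMSAuditLogger.AuditEvent call() throws Exception {
                    return new KMSAuditLogger.AuditEvent(op, user, key, remoteHost, extraMsg);
                }
            });
            // A result of 0 means the counter was -1 before this call; presumably a new
            // AuditEvent starts at -1, making this the first access (confirm in AuditEvent).
            // The first access is logged immediately rather than waiting for the window.
            // NOTE(review): the counter is left at 1 here, so the removal listener will emit
            // this entry again when it is evicted. Confirm that is intended.
            if (auditEvent.getAccessCount().incrementAndGet() == 0) {
                auditEvent.getAccessCount().incrementAndGet();
                logEvent(opStatus, auditEvent);
            }
        } catch (ExecutionException e) {
            throw new RuntimeException(e);
        }
    }

    /** Records a successful operation on the named resource. */
    public void ok(UserGroupInformation userGroupInformation, KMS.KMSOp kMSOp, String str, String str2) {
        op(KMSAuditLogger.OpStatus.OK, kMSOp, userGroupInformation, str, HttpStatus.Unknown, str2);
    }

    /** Records a successful operation that has no resource name; never aggregated. */
    public void ok(UserGroupInformation userGroupInformation, KMS.KMSOp kMSOp, String str) {
        op(KMSAuditLogger.OpStatus.OK, kMSOp, userGroupInformation, null, HttpStatus.Unknown, str);
    }

    /** Records a denied KMS operation on the named resource. */
    public void unauthorized(UserGroupInformation userGroupInformation, KMS.KMSOp kMSOp, String str) {
        op(KMSAuditLogger.OpStatus.UNAUTHORIZED, kMSOp, userGroupInformation, str, HttpStatus.Unknown, "");
    }

    /** Records a denied key-provider operation on the named resource. */
    public void unauthorized(UserGroupInformation userGroupInformation, KeyAuthorizationKeyProvider.KeyOpType keyOpType, String str) {
        op(KMSAuditLogger.OpStatus.UNAUTHORIZED, keyOpType, userGroupInformation, str, HttpStatus.Unknown, "");
    }

    /**
     * Records a failed request. {@code str} is the method and {@code str3} the exception text;
     * {@code str2} is accepted but not used in the record.
     *
     * <p>NOTE(review): both values are concatenated verbatim into the audit message. If they
     * can carry request-controlled text, the logger implementations must neutralize CR/LF so
     * a caller cannot forge additional audit lines.
     */
    public void error(UserGroupInformation userGroupInformation, String str, String str2, String str3) {
        op(KMSAuditLogger.OpStatus.ERROR, null, userGroupInformation, null, HttpStatus.Unknown, "Method:'" + str + "' Exception:'" + str3 + "'");
    }

    /**
     * Records a request that failed authentication. {@code str} is the remote host,
     * {@code str2} the method, {@code str3} the URL and {@code str4} the error message.
     *
     * <p>NOTE(review): these values describe an unauthenticated request and are written
     * verbatim, with the URL and method unquoted. Line breaks or a crafted " ErrorMsg:"
     * substring in the URL would let a remote client forge or confuse audit fields, so
     * escape or reject control characters in the logger or before this call.
     */
    public void unauthenticated(String str, String str2, String str3, String str4) {
        op(KMSAuditLogger.OpStatus.UNAUTHENTICATED, null, null, null, str, "RemoteHost:" + str + " Method:" + str2 + " URL:" + str3 + " ErrorMsg:'" + str4 + "'");
    }

    /**
     * Builds the aggregation key for a (user, resource, operation) triple.
     *
     * <p>Each variable-length part is length-prefixed. A plain {@code user#key#op} join is
     * ambiguous as soon as a user or resource name contains {@code '#'}: ("a#b", "c") and
     * ("a", "b#c") would share one cache entry, and accesses by one principal would be
     * counted and logged under another. The key is internal to the cache and never logged.
     */
    private static String createCacheKey(String str, String str2, Object obj) {
        return str.length() + "#" + str + "#" + str2.length() + "#" + str2 + "#" + obj;
    }

    /**
     * Stops the clean-up task and lets every logger release its resources. A failing logger
     * is reported and does not prevent the remaining loggers from being cleaned up.
     *
     * <p>NOTE(review): counts still held in the aggregation cache are not flushed here, so
     * accesses from the current window are missing from the audit trail after shutdown.
     */
    public void shutdown() {
        this.executor.shutdownNow();
        for (KMSAuditLogger kMSAuditLogger : this.auditLoggers) {
            try {
                kMSAuditLogger.cleanup();
            } catch (Exception e) {
                LOG.error("Failed to cleanup logger {}", kMSAuditLogger.getClass(), e);
            }
        }
    }

    /** Invalidates every cache entry; the removal listener emits the pending counts. */
    @VisibleForTesting
    void evictCacheForTesting() {
        this.cache.invalidateAll();
    }
}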
