package org.apache.hadoop.crypto.key.kms.server;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.Consumes;
import javax.ws.rs.DELETE;
import javax.ws.rs.DefaultValue;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
import org.apache.hadoop.crypto.key.kms.KMSRESTConstants;
import org.apache.hadoop.crypto.key.kms.server.KMSACLs;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.delegation.web.HttpUserGroupInformation;

/**
 * JAX-RS resource exposing the key-management REST endpoints, rooted at
 * {@link KMSRESTConstants#SERVICE_VERSION}.
 *
 * <p>Every endpoint in this class follows the same sequence, and the order matters:
 * <ol>
 *   <li>resolve the caller with {@code HttpUserGroupInformation.get()};</li>
 *   <li>authorize with {@code KMSWebApp.getACLs().assertAccess(...)};</li>
 *   <li>run the provider call inside {@code UserGroupInformation.doAs(...)};</li>
 *   <li>record a success entry with {@code kmsAudit.ok(...)};</li>
 *   <li>serialize the result with {@code KMSServerJSONUtils.toJSON(...)}.</li>
 * </ol>
 *
 * <p>Only the success path is audited here; no failure or "unauthorized" audit call is visible in
 * this class. NOTE(review): presumably denied and failed requests are recorded elsewhere (for
 * example in an exception mapper) - confirm before relying on the audit log for detection.
 *
 * <p>This listing is decompiler output (see the "loaded from" markers), so local variable names
 * are synthetic.
 */
@InterfaceAudience.Private
@Path(KMSRESTConstants.SERVICE_VERSION)
/* loaded from: input_file:WEB-INF/lib/hadoop-kms-2.6.1.jar:org/apache/hadoop/crypto/key/kms/server/KMS.class */
public class KMS {
    // Backing key provider, obtained once from the web application when the resource is created.
    private KeyProviderCryptoExtension provider = KMSWebApp.getKeyProvider();
    // Audit sink; this class only ever calls ok(...) on it.
    private KMSAudit kmsAudit = KMSWebApp.getKMSAudit();

    /**
     * Operation identifiers passed to the ACL checks and to the audit log by the endpoints below.
     */
    /* loaded from: input_file:WEB-INF/lib/hadoop-kms-2.6.1.jar:org/apache/hadoop/crypto/key/kms/server/KMS$KMSOp.class */
    public enum KMSOp {
        CREATE_KEY,
        DELETE_KEY,
        ROLL_NEW_VERSION,
        GET_KEYS,
        GET_KEYS_METADATA,
        GET_KEY_VERSIONS,
        GET_METADATA,
        GET_KEY_VERSION,
        GET_CURRENT_KEY,
        GENERATE_EEK,
        DECRYPT_EEK
    }

    /**
     * Authorizes an operation that is not tied to a single key: delegates to the ACLs with a
     * {@code null} key name.
     *
     * <p>NOTE(review): callers of this overload (getKeysMetadata, getKeyNames, getKeyVersion) get a
     * check that carries no key name, so any per-key restriction cannot be evaluated from here -
     * confirm how {@code KMSACLs.assertAccess} treats a null key.
     *
     * @throws AccessControlException propagated from the ACL check
     */
    private void assertAccess(KMSACLs.Type type, UserGroupInformation userGroupInformation, KMSOp kMSOp) throws AccessControlException {
        KMSWebApp.getACLs().assertAccess(type, userGroupInformation, kMSOp, null);
    }

    /**
     * Authorizes an operation against a named key by delegating to the ACLs.
     *
     * @param str key name forwarded to the ACL check; this method does not validate it
     * @throws AccessControlException propagated from the ACL check
     */
    private void assertAccess(KMSACLs.Type type, UserGroupInformation userGroupInformation, KMSOp kMSOp, String str) throws AccessControlException {
        KMSWebApp.getACLs().assertAccess(type, userGroupInformation, kMSOp, str);
    }

    /**
     * Returns a copy of the key version that keeps the key name and version name but carries
     * {@code null} material, so the response can be sent to a caller without GET access.
     */
    private static KeyProvider.KeyVersion removeKeyMaterial(KeyProvider.KeyVersion keyVersion) {
        return new KMSClientProvider.KMSKeyVersion(keyVersion.getName(), keyVersion.getVersionName(), null);
    }

    /**
     * Builds the relative URI of a key for the 201 response.
     *
     * <p>The name is concatenated without encoding, so a name containing characters that are not
     * legal in a URI makes the constructor throw.
     *
     * @throws URISyntaxException if the resulting string is not a valid URI
     */
    private static URI getKeyURI(String str) throws URISyntaxException {
        return new URI("/v1/key/" + str);
    }

    /**
     * Creates a key, either from caller-supplied material or with provider-generated material.
     *
     * <p>Authorization: CREATE on the key name, plus SET_KEY_MATERIAL when the request carries
     * material. The returned key version includes material only if the caller passes the
     * {@code hasAccess(GET, user)} check, which is made without a key name.
     *
     * @param map JSON request body; fields are read with unchecked casts (see inline notes)
     * @return 201 Created with the key version as JSON and a Location header
     */
    @Path(KMSRESTConstants.KEYS_RESOURCE)
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    public Response createKey(Map map) throws Exception {
        KMSWebApp.getAdminCallsMeter().mark();
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        final String str = (String) map.get("name");
        KMSClientProvider.checkNotEmpty(str, "name");
        assertAccess(KMSACLs.Type.CREATE, userGroupInformation, KMSOp.CREATE_KEY, str);
        String str2 = (String) map.get(KMSRESTConstants.CIPHER_FIELD);
        final String str3 = (String) map.get(KMSRESTConstants.MATERIAL_FIELD);
        // Unchecked cast on a client-controlled field: a non-integer JSON value raises
        // ClassCastException, and a present-but-null value raises NullPointerException on unboxing.
        int intValue = map.containsKey(KMSRESTConstants.LENGTH_FIELD) ? ((Integer) map.get(KMSRESTConstants.LENGTH_FIELD)).intValue() : 0;
        String str4 = (String) map.get(KMSRESTConstants.DESCRIPTION_FIELD);
        Map<String, String> map2 = (Map) map.get(KMSRESTConstants.ATTRIBUTES_FIELD);
        // Importing caller-chosen key bytes is a separate privilege from creating a key.
        if (str3 != null) {
            assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, userGroupInformation, KMSOp.CREATE_KEY, str);
        }
        final KeyProvider.Options options = new KeyProvider.Options(KMSWebApp.getConfiguration());
        // Cipher and bit length override the configured defaults only when the request sets them.
        if (str2 != null) {
            options.setCipher(str2);
        }
        if (intValue != 0) {
            options.setBitLength(intValue);
        }
        options.setDescription(str4);
        options.setAttributes(map2);
        KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) userGroupInformation.doAs(new PrivilegedExceptionAction<KeyProvider.KeyVersion>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public KeyProvider.KeyVersion run() throws Exception {
                // NOTE(review): the decoded material is not length-checked here against the
                // requested bit length; presumably the provider validates it - confirm.
                KeyProvider.KeyVersion createKey = str3 != null ? KMS.this.provider.createKey(str, Base64.decodeBase64(str3), options) : KMS.this.provider.createKey(str, options);
                KMS.this.provider.flush();
                return createKey;
            }
        });
        // The caller-supplied description is concatenated into the audit detail string as-is.
        // NOTE(review): confirm the audit sink neutralises line breaks so that a description cannot
        // be mistaken for extra audit records.
        this.kmsAudit.ok(userGroupInformation, KMSOp.CREATE_KEY, str, "UserProvidedMaterial:" + (str3 != null) + " Description:" + str4);
        // Callers allowed to create but not to read keys get the version back without material.
        if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, userGroupInformation)) {
            keyVersion = removeKeyMaterial(keyVersion);
        }
        Map json = KMSServerJSONUtils.toJSON(keyVersion);
        String url = KMSMDCFilter.getURL();
        // The key is already created and flushed at this point: if the request URL did not contain
        // KEYS_RESOURCE, lastIndexOf would return -1 and substring would throw after the side effect.
        return Response.created(getKeyURI(str)).type("application/json").header("Location", url.substring(0, url.lastIndexOf(KMSRESTConstants.KEYS_RESOURCE)) + "key/" + str).entity(json).build();
    }

    /**
     * Deletes a key and flushes the provider.
     *
     * <p>Authorization: DELETE on the key name. The ACL check runs before the non-empty check on
     * the name, unlike createKey and the GET endpoints, which validate first. The path template
     * uses the pattern ".*", so the name is whatever follows "key/" in the request path.
     *
     * @param str key name taken from the request path
     * @return 200 OK with no entity
     */
    @Path("key/{name:.*}")
    @DELETE
    public Response deleteKey(@PathParam("name") final String str) throws Exception {
        KMSWebApp.getAdminCallsMeter().mark();
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        assertAccess(KMSACLs.Type.DELETE, userGroupInformation, KMSOp.DELETE_KEY, str);
        KMSClientProvider.checkNotEmpty(str, "name");
        userGroupInformation.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                KMS.this.provider.deleteKey(str);
                KMS.this.provider.flush();
                return null;
            }
        });
        this.kmsAudit.ok(userGroupInformation, KMSOp.DELETE_KEY, str, "");
        return Response.ok().build();
    }

    /**
     * Rolls a key to a new version, using caller-supplied material when the body provides it.
     *
     * <p>Authorization: ROLLOVER on the key name (checked before the non-empty check on the name),
     * plus SET_KEY_MATERIAL when material is supplied. As in createKey, the new version's material
     * is returned only if the caller passes the GET check made without a key name.
     *
     * @param str key name taken from the request path
     * @param map JSON request body; only the material field is read
     * @return 200 OK with the new key version as JSON
     */
    @Path("key/{name:.*}")
    @Consumes({"application/json"})
    @POST
    @Produces({"application/json"})
    public Response rolloverKey(@PathParam("name") final String str, Map map) throws Exception {
        KMSWebApp.getAdminCallsMeter().mark();
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        assertAccess(KMSACLs.Type.ROLLOVER, userGroupInformation, KMSOp.ROLL_NEW_VERSION, str);
        KMSClientProvider.checkNotEmpty(str, "name");
        final String str2 = (String) map.get(KMSRESTConstants.MATERIAL_FIELD);
        if (str2 != null) {
            assertAccess(KMSACLs.Type.SET_KEY_MATERIAL, userGroupInformation, KMSOp.ROLL_NEW_VERSION, str);
        }
        KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) userGroupInformation.doAs(new PrivilegedExceptionAction<KeyProvider.KeyVersion>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public KeyProvider.KeyVersion run() throws Exception {
                KeyProvider.KeyVersion rollNewVersion = str2 != null ? KMS.this.provider.rollNewVersion(str, Base64.decodeBase64(str2)) : KMS.this.provider.rollNewVersion(str);
                KMS.this.provider.flush();
                return rollNewVersion;
            }
        });
        this.kmsAudit.ok(userGroupInformation, KMSOp.ROLL_NEW_VERSION, str, "UserProvidedMaterial:" + (str2 != null) + " NewVersion:" + keyVersion.getVersionName());
        // Strip the material for callers that may roll keys but not read them.
        if (!KMSWebApp.getACLs().hasAccess(KMSACLs.Type.GET, userGroupInformation)) {
            keyVersion = removeKeyMaterial(keyVersion);
        }
        return Response.ok().type("application/json").entity(KMSServerJSONUtils.toJSON(keyVersion)).build();
    }

    /**
     * Returns metadata for the keys named in the repeated "key" query parameter.
     *
     * <p>Authorization: GET_METADATA checked once, without a key name, although the caller chooses
     * which keys are looked up. The audit entry records the operation but none of the requested
     * key names.
     *
     * @param list key names from the query string
     * @return 200 OK with a JSON list of metadata entries
     */
    @GET
    @Produces({"application/json"})
    @Path(KMSRESTConstants.KEYS_METADATA_RESOURCE)
    public Response getKeysMetadata(@QueryParam("key") List<String> list) throws Exception {
        KMSWebApp.getAdminCallsMeter().mark();
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        final String[] strArr = (String[]) list.toArray(new String[list.size()]);
        assertAccess(KMSACLs.Type.GET_METADATA, userGroupInformation, KMSOp.GET_KEYS_METADATA);
        List json = KMSServerJSONUtils.toJSON(strArr, (KeyProvider.Metadata[]) userGroupInformation.doAs(new PrivilegedExceptionAction<KeyProvider.Metadata[]>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public KeyProvider.Metadata[] run() throws Exception {
                return KMS.this.provider.getKeysMetadata(strArr);
            }
        }));
        this.kmsAudit.ok(userGroupInformation, KMSOp.GET_KEYS_METADATA, "");
        return Response.ok().type("application/json").entity(json).build();
    }

    /**
     * Lists the names of all keys held by the provider.
     *
     * <p>Authorization: GET_KEYS, checked without a key name.
     *
     * @return 200 OK with a JSON list of key names
     */
    @GET
    @Produces({"application/json"})
    @Path(KMSRESTConstants.KEYS_NAMES_RESOURCE)
    public Response getKeyNames() throws Exception {
        KMSWebApp.getAdminCallsMeter().mark();
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        assertAccess(KMSACLs.Type.GET_KEYS, userGroupInformation, KMSOp.GET_KEYS);
        List list = (List) userGroupInformation.doAs(new PrivilegedExceptionAction<List<String>>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.5
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public List<String> run() throws Exception {
                return KMS.this.provider.getKeys();
            }
        });
        this.kmsAudit.ok(userGroupInformation, KMSOp.GET_KEYS, "");
        return Response.ok().type("application/json").entity(list).build();
    }

    /**
     * Alias for {@link #getMetadata(String)}: a plain GET on a key returns its metadata, not its
     * material, and is authorized and audited as GET_METADATA.
     */
    @GET
    @Path("key/{name:.*}")
    public Response getKey(@PathParam("name") String str) throws Exception {
        return getMetadata(str);
    }

    /**
     * Returns the metadata of one key.
     *
     * <p>Authorization: GET_METADATA on the key name, after the name is checked to be non-empty.
     *
     * @param str key name taken from the request path
     * @return 200 OK with the metadata as JSON
     */
    @GET
    @Produces({"application/json"})
    @Path("key/{name:.*}/_metadata")
    public Response getMetadata(@PathParam("name") final String str) throws Exception {
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        KMSClientProvider.checkNotEmpty(str, "name");
        KMSWebApp.getAdminCallsMeter().mark();
        assertAccess(KMSACLs.Type.GET_METADATA, userGroupInformation, KMSOp.GET_METADATA, str);
        Map json = KMSServerJSONUtils.toJSON(str, (KeyProvider.Metadata) userGroupInformation.doAs(new PrivilegedExceptionAction<KeyProvider.Metadata>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.6
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public KeyProvider.Metadata run() throws Exception {
                return KMS.this.provider.getMetadata(str);
            }
        }));
        this.kmsAudit.ok(userGroupInformation, KMSOp.GET_METADATA, str, "");
        return Response.ok().type("application/json").entity(json).build();
    }

    /**
     * Returns the current version of a key.
     *
     * <p>Authorization: GET on the key name. The provider's key version is serialized without
     * passing through removeKeyMaterial, so the response presumably carries the key material.
     *
     * @param str key name taken from the request path
     * @return 200 OK with the current key version as JSON
     */
    @GET
    @Produces({"application/json"})
    @Path("key/{name:.*}/_currentversion")
    public Response getCurrentVersion(@PathParam("name") final String str) throws Exception {
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        KMSClientProvider.checkNotEmpty(str, "name");
        KMSWebApp.getKeyCallsMeter().mark();
        assertAccess(KMSACLs.Type.GET, userGroupInformation, KMSOp.GET_CURRENT_KEY, str);
        Map json = KMSServerJSONUtils.toJSON((KeyProvider.KeyVersion) userGroupInformation.doAs(new PrivilegedExceptionAction<KeyProvider.KeyVersion>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.7
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public KeyProvider.KeyVersion run() throws Exception {
                return KMS.this.provider.getCurrentKey(str);
            }
        }));
        this.kmsAudit.ok(userGroupInformation, KMSOp.GET_CURRENT_KEY, str, "");
        return Response.ok().type("application/json").entity(json).build();
    }

    /**
     * Returns a specific key version, looked up by version name.
     *
     * <p>Authorization: GET checked without a key name, because only the version name is known
     * before the lookup. The key name becomes available from the result but is used here only for
     * the audit entry, not for a second, key-scoped check.
     * NOTE(review): confirm that per-key restrictions are enforced for this path elsewhere (for
     * example in the provider wrapper).
     *
     * @param str version name taken from the request path
     * @return 200 OK with the key version as JSON; a missing version is passed to the JSON helper
     *     as {@code null} and is not audited
     */
    @GET
    @Produces({"application/json"})
    @Path("keyversion/{versionName:.*}")
    public Response getKeyVersion(@PathParam("versionName") final String str) throws Exception {
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        KMSClientProvider.checkNotEmpty(str, KMSRESTConstants.VERSION_NAME_FIELD);
        KMSWebApp.getKeyCallsMeter().mark();
        assertAccess(KMSACLs.Type.GET, userGroupInformation, KMSOp.GET_KEY_VERSION);
        KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) userGroupInformation.doAs(new PrivilegedExceptionAction<KeyProvider.KeyVersion>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.8
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public KeyProvider.KeyVersion run() throws Exception {
                return KMS.this.provider.getKeyVersion(str);
            }
        });
        if (keyVersion != null) {
            this.kmsAudit.ok(userGroupInformation, KMSOp.GET_KEY_VERSION, keyVersion.getName(), "");
        }
        return Response.ok().type("application/json").entity(KMSServerJSONUtils.toJSON(keyVersion)).build();
    }

    /**
     * Generates one or more encrypted keys under the named key.
     *
     * <p>Authorization: GENERATE_EEK on the key name. Only the generate value of eek_op is accepted
     * here, although the error text mentions both generate and decrypt.
     *
     * <p>The num_keys value is used directly as the loop bound: this method applies no upper limit,
     * and a value of zero or less yields an empty list. NOTE(review): each iteration is a provider
     * call, so an authorized caller controls how much work a single request does; consider a
     * server-side cap if none exists upstream of this method.
     *
     * @param str key name taken from the request path
     * @param str2 value of the eek_op query parameter
     * @param i number of encrypted keys to generate (defaults to 1)
     * @return 200 OK with a JSON list of encrypted key versions
     * @throws IOException wrapping any exception raised while generating, auditing or serializing
     */
    @GET
    @Produces({"application/json"})
    @Path("key/{name:.*}/_eek")
    public Response generateEncryptedKeys(@PathParam("name") final String str, @QueryParam("eek_op") String str2, @QueryParam("num_keys") @DefaultValue("1") final int i) throws Exception {
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        KMSClientProvider.checkNotEmpty(str, "name");
        KMSClientProvider.checkNotNull(str2, "eekOp");
        if (!str2.equals(KMSRESTConstants.EEK_GENERATE)) {
            throw new IllegalArgumentException("Wrong eek_op value, it must be generate or decrypt");
        }
        assertAccess(KMSACLs.Type.GENERATE_EEK, userGroupInformation, KMSOp.GENERATE_EEK, str);
        final LinkedList linkedList = new LinkedList();
        try {
            userGroupInformation.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.9
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws Exception {
                    for (int i2 = 0; i2 < i; i2++) {
                        linkedList.add(KMS.this.provider.generateEncryptedKey(str));
                    }
                    return null;
                }
            });
            // One audit entry per request, regardless of how many keys were generated.
            this.kmsAudit.ok(userGroupInformation, KMSOp.GENERATE_EEK, str, "");
            ArrayList arrayList = new ArrayList();
            Iterator it = linkedList.iterator();
            while (it.hasNext()) {
                arrayList.add(KMSServerJSONUtils.toJSON((KeyProviderCryptoExtension.EncryptedKeyVersion) it.next()));
            }
            // The meter is marked only after generation and serialization succeeded.
            KMSWebApp.getGenerateEEKCallsMeter().mark();
            return Response.ok().type("application/json").entity(arrayList).build();
        } catch (Exception e) {
            // Every failure in the block above, whatever its type, reaches the caller as IOException.
            throw new IOException(e);
        }
    }

    /**
     * Decrypts an encrypted key and returns the resulting key version.
     *
     * <p>Authorization: DECRYPT_EEK checked against the key name read from the request body, while
     * the key version actually used comes from the request path. The body's name is not checked
     * for null or empty before the ACL check, and this method does not itself verify that the path
     * version belongs to the named key.
     * NOTE(review): presumably the provider rejects a version that does not belong to the key -
     * confirm, since otherwise the ACL decision and the decryption could refer to different keys.
     *
     * <p>Unlike the other endpoints that take a JSON body, this one declares no {@code @Consumes}.
     *
     * @param str encryption key version name taken from the request path
     * @param str2 value of the eek_op query parameter; only the decrypt value is accepted
     * @param map JSON request body supplying the key name, IV and encrypted material
     * @return 200 OK with the decrypted key version as JSON
     */
    @POST
    @Produces({"application/json"})
    @Path("keyversion/{versionName:.*}/_eek")
    public Response decryptEncryptedKey(@PathParam("versionName") final String str, @QueryParam("eek_op") String str2, Map map) throws Exception {
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        KMSClientProvider.checkNotEmpty(str, KMSRESTConstants.VERSION_NAME_FIELD);
        KMSClientProvider.checkNotNull(str2, "eekOp");
        final String str3 = (String) map.get("name");
        String str4 = (String) map.get(KMSRESTConstants.IV_FIELD);
        String str5 = (String) map.get(KMSRESTConstants.MATERIAL_FIELD);
        if (!str2.equals(KMSRESTConstants.EEK_DECRYPT)) {
            throw new IllegalArgumentException("Wrong eek_op value, it must be generate or decrypt");
        }
        // The key name being authorized is the one the client put in the body.
        assertAccess(KMSACLs.Type.DECRYPT_EEK, userGroupInformation, KMSOp.DECRYPT_EEK, str3);
        // IV and material are validated only after the ACL check has passed.
        KMSClientProvider.checkNotNull(str4, KMSRESTConstants.IV_FIELD);
        final byte[] decodeBase64 = Base64.decodeBase64(str4);
        KMSClientProvider.checkNotNull(str5, KMSRESTConstants.MATERIAL_FIELD);
        final byte[] decodeBase642 = Base64.decodeBase64(str5);
        Map json = KMSServerJSONUtils.toJSON((KeyProvider.KeyVersion) userGroupInformation.doAs(new PrivilegedExceptionAction<KeyProvider.KeyVersion>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.10
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public KeyProvider.KeyVersion run() throws Exception {
                return KMS.this.provider.decryptEncryptedKey(new KMSClientProvider.KMSEncryptedKeyVersion(str3, str, decodeBase64, KeyProviderCryptoExtension.EEK, decodeBase642));
            }
        }));
        this.kmsAudit.ok(userGroupInformation, KMSOp.DECRYPT_EEK, str3, "");
        KMSWebApp.getDecryptEEKCallsMeter().mark();
        return Response.ok().type("application/json").entity(json).build();
    }

    /**
     * Returns every version of a key.
     *
     * <p>Authorization: GET on the key name. The versions are serialized as returned by the
     * provider, without passing through removeKeyMaterial.
     *
     * @param str key name taken from the request path
     * @return 200 OK with a JSON list of key versions
     */
    @GET
    @Produces({"application/json"})
    @Path("key/{name:.*}/_versions")
    public Response getKeyVersions(@PathParam("name") final String str) throws Exception {
        UserGroupInformation userGroupInformation = HttpUserGroupInformation.get();
        KMSClientProvider.checkNotEmpty(str, "name");
        KMSWebApp.getKeyCallsMeter().mark();
        assertAccess(KMSACLs.Type.GET, userGroupInformation, KMSOp.GET_KEY_VERSIONS, str);
        List json = KMSServerJSONUtils.toJSON((List<KeyProvider.KeyVersion>) userGroupInformation.doAs(new PrivilegedExceptionAction<List<KeyProvider.KeyVersion>>() { // from class: org.apache.hadoop.crypto.key.kms.server.KMS.11
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public List<KeyProvider.KeyVersion> run() throws Exception {
                return KMS.this.provider.getKeyVersions(str);
            }
        }));
        this.kmsAudit.ok(userGroupInformation, KMSOp.GET_KEY_VERSIONS, str, "");
        return Response.ok().type("application/json").entity(json).build();
    }
}
