package org.apache.hadoop.ozone.security;

import java.io.IOException;
import java.time.Instant;
import java.util.EnumSet;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.annotation.InterfaceStability;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.util.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

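/**
 * Secret manager that issues Ozone block tokens.
 *
 * <p>Every identifier it creates carries the owner, the block id, the granted
 * access modes, an expiry derived from the renew interval, the maximum length
 * and {@link #omCertSerialId}. The serial id is embedded so a verifier can tell
 * which OM certificate signed the token — presumably resolved on the
 * data-node side; confirm against the block-token verifier.
 *
 * <p>Note: {@link #verifySignature} is intentionally unsupported in this
 * class, so {@link #validateToken} and {@link #retrievePassword} cannot
 * complete successfully here; signature verification of block tokens has to
 * be performed by a separate component (TODO confirm which one).
 *
 * <p>Renewal and cancellation are not supported for block tokens; expiry is
 * the only lifecycle control, and it is evaluated against {@code Time.now()},
 * so issuer/verifier clock skew directly affects acceptance.
 */
@InterfaceStability.Unstable
@InterfaceAudience.Private
public class OzoneBlockTokenSecretManager extends OzoneSecretManager<OzoneBlockTokenIdentifier> {
    private static final Logger LOG = LoggerFactory.getLogger(OzoneBlockTokenSecretManager.class);
    /** Service name under which block tokens are registered. */
    static final Text SERVICE = new Text("HDDS_SERVICE");
    /** Serial id of the OM certificate, embedded in every issued identifier. */
    private final String omCertSerialId;

    /**
     * Creates a block token secret manager.
     *
     * @param securityConfig security configuration passed to the base manager
     * @param tokenLifetime lifetime in milliseconds; used for both the token
     *     max lifetime and the renew interval (the base constructor receives
     *     it twice)
     * @param omCertSerialId serial id of the OM certificate to embed in tokens
     */
    public OzoneBlockTokenSecretManager(SecurityConfig securityConfig, long tokenLifetime, String omCertSerialId) {
        super(securityConfig, tokenLifetime, tokenLifetime, SERVICE, LOG);
        this.omCertSerialId = omCertSerialId;
    }

    /**
     * Unsupported: a block token identifier needs owner and access-mode
     * information, so the no-argument factory always fails.
     *
     * <p>The method name is a decompiler artifact of the bridge method for the
     * base class' {@code createIdentifier()}; it is kept as found.
     *
     * @throws SecurityException always
     */
    public OzoneBlockTokenIdentifier m107createIdentifier() {
        throw new SecurityException("Ozone block token can't be created without owner and access mode information.");
    }

    /**
     * Builds a block token identifier whose expiry is {@code now + renew interval}.
     *
     * @param owner user the token is issued to
     * @param blockId block the token grants access to
     * @param modes access modes granted by the token
     * @param maxLength maximum length carried in the identifier
     * @return the unsigned identifier (no password/signature attached yet)
     */
    public OzoneBlockTokenIdentifier createIdentifier(String owner, String blockId,
            EnumSet<HddsProtos.BlockTokenSecretProto.AccessModeProto> modes, long maxLength) {
        return new OzoneBlockTokenIdentifier(owner, blockId, modes, getTokenExpiryTime(), this.omCertSerialId, maxLength);
    }

    /**
     * Issues a signed block token for the given owner.
     *
     * <p>The token's service field is set to the block id, not to
     * {@link #SERVICE}.
     *
     * @param owner user the token is issued to
     * @param blockId block the token grants access to
     * @param modes access modes granted by the token
     * @param maxLength maximum length carried in the identifier
     * @return a token whose password is {@code createPassword(identifier)}
     */
    public Token<OzoneBlockTokenIdentifier> generateToken(String owner, String blockId,
            EnumSet<HddsProtos.BlockTokenSecretProto.AccessModeProto> modes, long maxLength) {
        OzoneBlockTokenIdentifier identifier = createIdentifier(owner, blockId, modes, maxLength);
        if (LOG.isDebugEnabled()) {
            // Level now matches the guard; the original logged at INFO behind an
            // isDebugEnabled() check, so the line only appeared with DEBUG on.
            // Only the identifier is logged, never the password/signature.
            LOG.debug("Issued delegation token -> expiryTime:{}, tokenId:{}",
                    Instant.ofEpochMilli(identifier.getExpiryDate()), identifier);
        }
        return new Token<>(identifier.getBytes(), createPassword(identifier), identifier.getKind(), new Text(blockId));
    }

    /**
     * Issues a signed block token for the current UGI user.
     *
     * @param blockId block the token grants access to
     * @param modes access modes granted by the token
     * @param maxLength maximum length carried in the identifier
     * @return the signed token; the owner is the current user's short name,
     *     or {@code null} when there is no current user
     * @throws IOException if the current user cannot be determined
     */
    public Token<OzoneBlockTokenIdentifier> generateToken(String blockId,
            EnumSet<HddsProtos.BlockTokenSecretProto.AccessModeProto> modes, long maxLength) throws IOException {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        String owner = currentUser == null ? null : currentUser.getShortUserName();
        return generateToken(owner, blockId, modes, maxLength);
    }

    /**
     * Validates the identifier and recomputes its password.
     *
     * <p>Because {@link #validateToken} relies on the unsupported
     * {@link #verifySignature}, this method cannot currently return.
     *
     * @param identifier identifier to validate
     * @return the password for the identifier
     * @throws SecretManager.InvalidToken if the token is expired or invalid
     */
    public byte[] retrievePassword(OzoneBlockTokenIdentifier identifier) throws SecretManager.InvalidToken {
        validateToken(identifier);
        return createPassword(identifier);
    }

    /**
     * Block tokens cannot be renewed.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // org.apache.hadoop.ozone.security.OzoneSecretManager
    public long renewToken(Token<OzoneBlockTokenIdentifier> token, String renewer) throws IOException {
        throw new UnsupportedOperationException("Renew token operation is not supported for ozone block tokens.");
    }

    /**
     * Block tokens cannot be cancelled.
     *
     * @throws UnsupportedOperationException always
     */
    @Override // org.apache.hadoop.ozone.security.OzoneSecretManager
    public OzoneBlockTokenIdentifier cancelToken(Token<OzoneBlockTokenIdentifier> token, String canceller) throws IOException {
        throw new UnsupportedOperationException("Cancel token operation is not supported for ozone block tokens.");
    }

    /**
     * Checks expiry first, then the signature.
     *
     * <p>A token whose expiry equals the current time is still accepted
     * (strict {@code <} comparison). The signature step delegates to
     * {@link #verifySignature}, which is unsupported in this class, so a
     * non-expired token currently ends in {@link UnsupportedOperationException}
     * rather than {@code true}.
     *
     * @param identifier identifier to validate
     * @return {@code true} if the token is valid
     * @throws SecretManager.InvalidToken if the token is expired or its
     *     signature does not verify
     */
    public boolean validateToken(OzoneBlockTokenIdentifier identifier) throws SecretManager.InvalidToken {
        long now = Time.now();
        if (identifier.getExpiryDate() < now) {
            throw new SecretManager.InvalidToken("token " + formatTokenId(identifier) + " is expired, current time: " + Time.formatTime(now) + " expiry time: " + identifier.getExpiryDate());
        }
        if (!verifySignature(identifier, createPassword(identifier))) {
            throw new SecretManager.InvalidToken("Tampered/Invalid token.");
        }
        return true;
    }

    /**
     * Signature verification is not performed by this manager.
     *
     * @throws UnsupportedOperationException always
     */
    public boolean verifySignature(OzoneBlockTokenIdentifier identifier, byte[] password) {
        throw new UnsupportedOperationException("This operation is not supported for block tokens.");
    }

    /** Starts the base manager with the given certificate client. */
    @Override // org.apache.hadoop.ozone.security.OzoneSecretManager
    public synchronized void start(CertificateClient certificateClient) throws IOException {
        super.start(certificateClient);
    }

    /** Expiry for a newly issued token: current time plus the renew interval. */
    private long getTokenExpiryTime() {
        return Time.now() + getTokenRenewInterval();
    }

    /** Stops the base manager. */
    @Override // org.apache.hadoop.ozone.security.OzoneSecretManager
    public synchronized void stop() throws IOException {
        super.stop();
    }
}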
