package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;

import java.io.FilePermission;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.AllPermission;
import java.util.Formatter;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.security.Groups;
import org.apache.hadoop.yarn.api.ApplicationConstants;
import org.apache.hadoop.yarn.server.nodemanager.Context;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
@InterfaceStability.Unstable
/* loaded from: input_file:org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/JavaSandboxLinuxContainerRuntime.class */
public class JavaSandboxLinuxContainerRuntime extends DefaultLinuxContainerRuntime {
    private Configuration configuration;
    private SandboxMode sandboxMode;
    public static final String POLICY_FILE_DIR = "nm-sandbox-policies";
    private static Path policyFileDir;
    private Map<String, Path> containerPolicies;
    private static final Logger LOG = LoggerFactory.getLogger(DefaultLinuxContainerRuntime.class);
    private static final FileAttribute<Set<PosixFilePermission>> POLICY_ATTR = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwxr-xr-x"));

    /* loaded from: input_file:org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/JavaSandboxLinuxContainerRuntime$NMContainerPolicyUtils.class */
    static final class NMContainerPolicyUtils {
        static final String POLICY_FILE = "java.policy";
        static final String SECURITY_DEBUG = " -Djava.security.debug=all";
        static final String SECURITY_FLAG = "-Djava.security.manager";
        static final String POLICY_APPEND_FLAG = "-Djava.security.policy=";
        static final String POLICY_FLAG = "-Djava.security.policy==";
        static final String JVM_SECURITY_CMD = "/bin/java -Djava.security.manager -Djava.security.policy==";
        static final String STRIP_POLICY_FLAG = "-Djava.security.policy=[^ ]+";
        static final String MULTI_COMMAND_REGEX = "(?s).*((&[^>]|&&)|(\\|{1,2})|(\\|&)|(`[^`]+`)|(\\$\\([^)]+\\))|(;)).*";
        static final String CLEAN_CMD_REGEX = "(-Djava.security.manager)|(-Djava.security.policy=[^ ]+)";
        static final String JAVA_CMD = "/bin/java ";
        static final String CONTAINS_JAVA_CMD = "\\$" + ApplicationConstants.Environment.JAVA_HOME + JAVA_CMD + ".*";
        static final String FILE_PERMISSION_FORMAT = "   permission " + FilePermission.class.getCanonicalName() + " \"%1$s/-\", \"%2$s\";%n";
        static final String HADOOP_HOME_PERMISSION = "%ngrant codeBase \"file:" + Paths.get(System.getProperty("hadoop.home.dir"), new String[0]) + "/-\" {%n  permission " + AllPermission.class.getCanonicalName() + ";%n};%n";
        static final Logger LOG = LoggerFactory.getLogger(NMContainerPolicyUtils.class);

        NMContainerPolicyUtils() {
        }

        static void generatePolicyFile(OutputStream outputStream, List<String> list, List<String> list2, Map<org.apache.hadoop.fs.Path, List<String>> map, Configuration configuration) throws IOException {
            String str = configuration.get("yarn.nodemanager.runtime.linux.sandbox-mode.policy");
            String str2 = configuration.get("yarn.nodemanager.runtime.linux.sandbox-mode.local-dirs.permissions", "read");
            HashSet hashSet = new HashSet();
            Iterator<org.apache.hadoop.fs.Path> it = map.keySet().iterator();
            while (it.hasNext()) {
                hashSet.add(it.next().getParent().toString());
            }
            if (list2 != null) {
                Iterator<String> it2 = list2.iterator();
                while (it2.hasNext()) {
                    Files.copy(Paths.get(it2.next(), new String[0]), outputStream);
                }
            } else if (str == null) {
                IOUtils.copyBytes(NMContainerPolicyUtils.class.getResourceAsStream("/java.policy"), outputStream, configuration, false);
            } else {
                Files.copy(Paths.get(str, new String[0]), outputStream);
            }
            Formatter formatter = new Formatter(outputStream, StandardCharsets.UTF_8.name());
            formatter.format(HADOOP_HOME_PERMISSION, new Object[0]);
            formatter.format("grant {%n", new Object[0]);
            Iterator<String> it3 = list.iterator();
            while (it3.hasNext()) {
                formatter.format(FILE_PERMISSION_FORMAT, it3.next(), str2);
            }
            Iterator it4 = hashSet.iterator();
            while (it4.hasNext()) {
                formatter.format(FILE_PERMISSION_FORMAT, (String) it4.next(), str2);
            }
            formatter.format("};%n", new Object[0]);
            formatter.flush();
        }

        static void appendSecurityFlags(List<String> list, Map<String, String> map, Path path, SandboxMode sandboxMode) throws ContainerExecutionException {
            for (int i = 0; i < list.size(); i++) {
                String str = list.get(i);
                if (validateJavaHome(map.get(ApplicationConstants.Environment.JAVA_HOME.name())) && str.matches(CONTAINS_JAVA_CMD) && !str.matches(MULTI_COMMAND_REGEX)) {
                    String replaceAll = str.replaceAll(CLEAN_CMD_REGEX, "");
                    String str2 = JVM_SECURITY_CMD + path + " ";
                    if (LOG.isDebugEnabled()) {
                        str2 = str2 + SECURITY_DEBUG;
                    }
                    list.set(i, replaceAll.replaceFirst(JAVA_CMD, str2));
                } else {
                    if (sandboxMode == SandboxMode.enforcing) {
                        throw new ContainerExecutionException("Only JVM containers permitted in YARN sandbox mode (enforcing). The following command can not be executed securely: " + str);
                    }
                    if (sandboxMode == SandboxMode.permissive) {
                        LOG.warn("The container will run without the java security manager due to an unsupported container command.  The command will be permitted to run in Sandbox permissive mode: " + str);
                    }
                }
            }
        }

        private static boolean validateJavaHome(String str) throws ContainerExecutionException {
            if (System.getenv(ApplicationConstants.Environment.JAVA_HOME.name()) == null) {
                throw new ContainerExecutionException("JAVA_HOME is not set for NodeManager");
            }
            if (str == null) {
                throw new ContainerExecutionException("JAVA_HOME is not set for container");
            }
            return System.getenv(ApplicationConstants.Environment.JAVA_HOME.name()).equals(str);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/JavaSandboxLinuxContainerRuntime$SandboxMode.class */
    public enum SandboxMode {
        enforcing("enforcing"),
        permissive("permissive"),
        disabled("disabled");

        private final String mode;

        SandboxMode(String str) {
            this.mode = str;
        }

        public static SandboxMode get(String str) {
            return enforcing.mode.equals(str) ? enforcing : permissive.mode.equals(str) ? permissive : disabled;
        }

        @Override // java.lang.Enum
        public String toString() {
            return this.mode;
        }
    }

    public JavaSandboxLinuxContainerRuntime(PrivilegedOperationExecutor privilegedOperationExecutor) {
        super(privilegedOperationExecutor);
        this.containerPolicies = new HashMap();
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.DefaultLinuxContainerRuntime, org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.LinuxContainerRuntime
    public void initialize(Configuration configuration, Context context) throws ContainerExecutionException {
        this.configuration = configuration;
        this.sandboxMode = SandboxMode.get(this.configuration.get("yarn.nodemanager.runtime.linux.sandbox-mode", "disabled"));
        super.initialize(configuration, context);
    }

    /* JADX WARN: Finally extract failed */
    private void initializePolicyDir() throws ContainerExecutionException {
        String str = this.configuration.get("hadoop.tmp.dir");
        if (str == null) {
            throw new ContainerExecutionException("hadoop.tmp.dir not set!");
        }
        policyFileDir = Paths.get(str, POLICY_FILE_DIR);
        if (!Files.exists(policyFileDir, new LinkOption[0])) {
            try {
                policyFileDir = Files.createDirectories(Paths.get(str, POLICY_FILE_DIR), POLICY_ATTR);
                return;
            } catch (IOException e) {
                throw new ContainerExecutionException("Unable to create policy file directory: " + e);
            }
        }
        try {
            DirectoryStream<Path> newDirectoryStream = Files.newDirectoryStream(policyFileDir);
            Throwable th = null;
            try {
                Iterator<Path> it = newDirectoryStream.iterator();
                while (it.hasNext()) {
                    Files.delete(it.next());
                }
                if (newDirectoryStream != null) {
                    if (0 != 0) {
                        try {
                            newDirectoryStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        newDirectoryStream.close();
                    }
                }
            } catch (Throwable th3) {
                if (newDirectoryStream != null) {
                    if (0 != 0) {
                        try {
                            newDirectoryStream.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        newDirectoryStream.close();
                    }
                }
                throw th3;
            }
        } catch (IOException e2) {
            throw new ContainerExecutionException("Unable to initialize policy directory: " + e2);
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.DefaultLinuxContainerRuntime, org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void prepareContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        List list = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_LOCAL_DIRS);
        Map map = (Map) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.LOCALIZED_RESOURCES);
        List<String> list2 = (List) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_RUN_CMDS);
        Map environment = containerRuntimeContext.getContainer().getLaunchContext().getEnvironment();
        if (isSandboxContainerWhitelisted((String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER), list2)) {
            return;
        }
        if (this.configuration.get("hadoop.tmp.dir") == null) {
            throw new ContainerExecutionException("hadoop.tmp.dir not set!");
        }
        try {
            String str = (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_ID_STR);
            initializePolicyDir();
            List<String> groupPolicyFiles = getGroupPolicyFiles(this.configuration, (String) containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.USER));
            Path createFile = Files.createFile(Paths.get(policyFileDir.toString(), str + "-java.policy"), POLICY_ATTR);
            OutputStream newOutputStream = Files.newOutputStream(createFile, new OpenOption[0]);
            Throwable th = null;
            try {
                try {
                    this.containerPolicies.put(str, createFile);
                    NMContainerPolicyUtils.generatePolicyFile(newOutputStream, list, groupPolicyFiles, map, this.configuration);
                    NMContainerPolicyUtils.appendSecurityFlags(list2, environment, createFile, this.sandboxMode);
                    if (newOutputStream != null) {
                        if (0 != 0) {
                            try {
                                newOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            newOutputStream.close();
                        }
                    }
                } catch (Throwable th3) {
                    th = th3;
                    throw th3;
                }
            } finally {
            }
        } catch (IOException e) {
            throw new ContainerExecutionException(e);
        }
    }

    @Override // org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime.DefaultLinuxContainerRuntime, org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntime
    public void launchContainer(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        try {
            super.launchContainer(containerRuntimeContext);
        } finally {
            deletePolicyFiles(containerRuntimeContext);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean isSandboxContainerRequested() {
        return this.sandboxMode != SandboxMode.disabled;
    }

    private static List<String> getGroupPolicyFiles(Configuration configuration, String str) throws ContainerExecutionException {
        try {
            return (List) Groups.getUserToGroupsMappingService(configuration).getGroups(str).stream().map(str2 -> {
                return configuration.get("yarn.nodemanager.runtime.linux.sandbox-mode.policy.group." + str2);
            }).filter(str3 -> {
                return str3 != null;
            }).collect(Collectors.toList());
        } catch (IOException e) {
            throw new ContainerExecutionException("Container user does not exist");
        }
    }

    private boolean isSandboxContainerWhitelisted(String str, List<String> list) throws ContainerExecutionException {
        String str2 = this.configuration.get("yarn.nodemanager.runtime.linux.sandbox-mode.whitelist-group");
        boolean z = false;
        try {
            List groups = Groups.getUserToGroupsMappingService(this.configuration).getGroups(str);
            if (str2 != null && groups.contains(str2)) {
                Iterator<String> it = list.iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    if (it.next().contains("-Djava.security.manager")) {
                        z = false;
                        break;
                    }
                    z = true;
                }
            }
            return z;
        } catch (IOException e) {
            throw new ContainerExecutionException("Container user does not exist");
        }
    }

    private void deletePolicyFiles(ContainerRuntimeContext containerRuntimeContext) throws ContainerExecutionException {
        try {
            Files.delete(this.containerPolicies.remove(containerRuntimeContext.getExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_ID_STR)));
        } catch (IOException e) {
            throw new ContainerExecutionException("Unable to delete policy file: " + e);
        }
    }
}
