package org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.hdfs.protocol.datatransfer.sasl;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.flink.fs.s3hadoop.shaded.com.google.common.base.Charsets;
import org.apache.flink.fs.s3hadoop.shaded.com.google.common.collect.ImmutableSet;
import org.apache.flink.fs.s3hadoop.shaded.com.google.common.collect.Maps;
import org.apache.flink.fs.s3hadoop.shaded.com.google.common.net.InetAddresses;
import org.apache.flink.fs.s3hadoop.shaded.com.google.protobuf.ByteString;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.commons.codec.binary.Base64;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.classification.InterfaceAudience;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.conf.Configuration;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.crypto.CipherOption;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.crypto.CipherSuite;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.crypto.CryptoCodec;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.crypto.CryptoInputStream;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.crypto.CryptoOutputStream;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.hdfs.net.Peer;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.hdfs.protocol.datatransfer.InvalidEncryptionKeyException;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.hdfs.protocol.proto.HdfsProtos;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.hdfs.protocolPB.PBHelperClient;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.hdfs.web.resources.CreateParentParam;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.security.SaslPropertiesResolver;
import org.apache.flink.fs.s3hadoop.shaded.org.apache.hadoop.security.SaslRpcServer;
import org.apache.flink.fs.s3hadoop.shaded.org.slf4j.Logger;
import org.apache.flink.fs.s3hadoop.shaded.org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/flink/fs/s3hadoop/shaded/org/apache/hadoop/hdfs/protocol/datatransfer/sasl/DataTransferSaslUtil.class */
public final class DataTransferSaslUtil {
    private static final Logger LOG;
    public static final String NAME_DELIMITER = " ";
    public static final int SASL_TRANSFER_MAGIC_NUMBER = -559038737;
    static final /* synthetic */ boolean $assertionsDisabled;

    public static void checkSaslComplete(SaslParticipant saslParticipant, Map<String, String> map) throws IOException {
        if (!saslParticipant.isComplete()) {
            throw new IOException("Failed to complete SASL handshake");
        }
        ImmutableSet copyOf = ImmutableSet.copyOf((Collection) Arrays.asList(map.get("javax.security.sasl.qop").split(",")));
        String negotiatedQop = saslParticipant.getNegotiatedQop();
        LOG.debug("Verifying QOP, requested QOP = {}, negotiated QOP = {}", copyOf, negotiatedQop);
        if (!copyOf.contains(negotiatedQop)) {
            throw new IOException(String.format("SASL handshake completed, but channel does not have acceptable quality of protection, requested = %s, negotiated = %s", copyOf, negotiatedQop));
        }
    }

    public static boolean requestedQopContainsPrivacy(Map<String, String> map) {
        return ImmutableSet.copyOf((Collection) Arrays.asList(map.get("javax.security.sasl.qop").split(","))).contains("auth-conf");
    }

    public static Map<String, String> createSaslPropertiesForEncryption(String str) {
        HashMap newHashMapWithExpectedSize = Maps.newHashMapWithExpectedSize(3);
        newHashMapWithExpectedSize.put("javax.security.sasl.qop", SaslRpcServer.QualityOfProtection.PRIVACY.getSaslQop());
        newHashMapWithExpectedSize.put("javax.security.sasl.server.authentication", CreateParentParam.DEFAULT);
        newHashMapWithExpectedSize.put("org.apache.flink.fs.s3hadoop.shaded.com.sun.security.sasl.digest.cipher", str);
        return newHashMapWithExpectedSize;
    }

    public static char[] encryptionKeyToPassword(byte[] bArr) {
        return new String(Base64.encodeBase64(bArr, false), Charsets.UTF_8).toCharArray();
    }

    public static InetAddress getPeerAddress(Peer peer) {
        String str = peer.getRemoteAddressString().split(":")[0];
        int indexOf = str.indexOf(47);
        return InetAddresses.forString(indexOf != -1 ? str.substring(indexOf + 1, str.length()) : str);
    }

    public static SaslPropertiesResolver getSaslPropertiesResolver(Configuration configuration) {
        String str = configuration.get("dfs.data.transfer.protection");
        if (str == null || str.isEmpty()) {
            LOG.debug("DataTransferProtocol not using SaslPropertiesResolver, no QOP found in configuration for {}", "dfs.data.transfer.protection");
            return null;
        }
        Configuration configuration2 = new Configuration(configuration);
        configuration2.set(CommonConfigurationKeysPublic.HADOOP_RPC_PROTECTION, str);
        Class<?> cls = configuration.getClass("dfs.data.transfer.saslproperties.resolver.class", configuration.getClass(CommonConfigurationKeysPublic.HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS, SaslPropertiesResolver.class, SaslPropertiesResolver.class), SaslPropertiesResolver.class);
        configuration2.setClass(CommonConfigurationKeysPublic.HADOOP_SECURITY_SASL_PROPS_RESOLVER_CLASS, cls, SaslPropertiesResolver.class);
        SaslPropertiesResolver saslPropertiesResolver = SaslPropertiesResolver.getInstance(configuration2);
        LOG.debug("DataTransferProtocol using SaslPropertiesResolver, configured QOP {} = {}, configured class {} = {}", new Object[]{"dfs.data.transfer.protection", str, "dfs.data.transfer.saslproperties.resolver.class", cls});
        return saslPropertiesResolver;
    }

    public static byte[] readSaslMessage(InputStream inputStream) throws IOException {
        DataTransferProtos.DataTransferEncryptorMessageProto parseFrom = DataTransferProtos.DataTransferEncryptorMessageProto.parseFrom(PBHelperClient.vintPrefixed(inputStream));
        if (parseFrom.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
            throw new InvalidEncryptionKeyException(parseFrom.getMessage());
        }
        if (parseFrom.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR) {
            throw new IOException(parseFrom.getMessage());
        }
        return parseFrom.getPayload().toByteArray();
    }

    public static byte[] readSaslMessageAndNegotiationCipherOptions(InputStream inputStream, List<CipherOption> list) throws IOException {
        DataTransferProtos.DataTransferEncryptorMessageProto parseFrom = DataTransferProtos.DataTransferEncryptorMessageProto.parseFrom(PBHelperClient.vintPrefixed(inputStream));
        if (parseFrom.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
            throw new InvalidEncryptionKeyException(parseFrom.getMessage());
        }
        if (parseFrom.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR) {
            throw new IOException(parseFrom.getMessage());
        }
        List<HdfsProtos.CipherOptionProto> cipherOptionList = parseFrom.getCipherOptionList();
        if (cipherOptionList != null) {
            Iterator<HdfsProtos.CipherOptionProto> it = cipherOptionList.iterator();
            while (it.hasNext()) {
                list.add(PBHelperClient.convert(it.next()));
            }
        }
        return parseFrom.getPayload().toByteArray();
    }

    public static CipherOption negotiateCipherOption(Configuration configuration, List<CipherOption> list) throws IOException {
        String str = configuration.get("dfs.encrypt.data.transfer.cipher.suites");
        if (str == null || str.isEmpty()) {
            return null;
        }
        if (!str.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
            throw new IOException(String.format("Invalid cipher suite, %s=%s", "dfs.encrypt.data.transfer.cipher.suites", str));
        }
        if (list == null) {
            return null;
        }
        Iterator<CipherOption> it = list.iterator();
        while (it.hasNext()) {
            CipherSuite cipherSuite = it.next().getCipherSuite();
            if (cipherSuite == CipherSuite.AES_CTR_NOPADDING) {
                int i = configuration.getInt("dfs.encrypt.data.transfer.cipher.key.bitlength", 128) / 8;
                CryptoCodec cryptoCodec = CryptoCodec.getInstance(configuration, cipherSuite);
                byte[] bArr = new byte[i];
                byte[] bArr2 = new byte[cipherSuite.getAlgorithmBlockSize()];
                byte[] bArr3 = new byte[i];
                byte[] bArr4 = new byte[cipherSuite.getAlgorithmBlockSize()];
                if (!$assertionsDisabled && cryptoCodec == null) {
                    throw new AssertionError();
                }
                cryptoCodec.generateSecureRandom(bArr);
                cryptoCodec.generateSecureRandom(bArr2);
                cryptoCodec.generateSecureRandom(bArr3);
                cryptoCodec.generateSecureRandom(bArr4);
                return new CipherOption(cipherSuite, bArr, bArr2, bArr3, bArr4);
            }
        }
        return null;
    }

    public static void sendSaslMessageAndNegotiatedCipherOption(OutputStream outputStream, byte[] bArr, CipherOption cipherOption) throws IOException {
        DataTransferProtos.DataTransferEncryptorMessageProto.Builder newBuilder = DataTransferProtos.DataTransferEncryptorMessageProto.newBuilder();
        newBuilder.setStatus(DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.SUCCESS);
        if (bArr != null) {
            newBuilder.setPayload(ByteString.copyFrom(bArr));
        }
        if (cipherOption != null) {
            newBuilder.addCipherOption(PBHelperClient.convert(cipherOption));
        }
        newBuilder.build().writeDelimitedTo(outputStream);
        outputStream.flush();
    }

    public static IOStreamPair createStreamPair(Configuration configuration, CipherOption cipherOption, OutputStream outputStream, InputStream inputStream, boolean z) throws IOException {
        LOG.debug("Creating IOStreamPair of CryptoInputStream and CryptoOutputStream.");
        CryptoCodec cryptoCodec = CryptoCodec.getInstance(configuration, cipherOption.getCipherSuite());
        byte[] inKey = cipherOption.getInKey();
        byte[] inIv = cipherOption.getInIv();
        byte[] outKey = cipherOption.getOutKey();
        byte[] outIv = cipherOption.getOutIv();
        return new IOStreamPair(new CryptoInputStream(inputStream, cryptoCodec, z ? inKey : outKey, z ? inIv : outIv), new CryptoOutputStream(outputStream, cryptoCodec, z ? outKey : inKey, z ? outIv : inIv));
    }

    public static void sendGenericSaslErrorMessage(OutputStream outputStream, String str) throws IOException {
        sendSaslMessage(outputStream, DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR, null, str);
    }

    public static void sendSaslMessage(OutputStream outputStream, byte[] bArr) throws IOException {
        sendSaslMessage(outputStream, DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.SUCCESS, bArr, null);
    }

    public static void sendSaslMessageAndNegotiationCipherOptions(OutputStream outputStream, byte[] bArr, List<CipherOption> list) throws IOException {
        DataTransferProtos.DataTransferEncryptorMessageProto.Builder newBuilder = DataTransferProtos.DataTransferEncryptorMessageProto.newBuilder();
        newBuilder.setStatus(DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.SUCCESS);
        if (bArr != null) {
            newBuilder.setPayload(ByteString.copyFrom(bArr));
        }
        if (list != null) {
            newBuilder.addAllCipherOption(PBHelperClient.convertCipherOptions(list));
        }
        newBuilder.build().writeDelimitedTo(outputStream);
        outputStream.flush();
    }

    public static SaslResponseWithNegotiatedCipherOption readSaslMessageAndNegotiatedCipherOption(InputStream inputStream) throws IOException {
        DataTransferProtos.DataTransferEncryptorMessageProto parseFrom = DataTransferProtos.DataTransferEncryptorMessageProto.parseFrom(PBHelperClient.vintPrefixed(inputStream));
        if (parseFrom.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY) {
            throw new InvalidEncryptionKeyException(parseFrom.getMessage());
        }
        if (parseFrom.getStatus() == DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR) {
            throw new IOException(parseFrom.getMessage());
        }
        byte[] byteArray = parseFrom.getPayload().toByteArray();
        List<CipherOption> convertCipherOptionProtos = PBHelperClient.convertCipherOptionProtos(parseFrom.getCipherOptionList());
        CipherOption cipherOption = null;
        if (convertCipherOptionProtos != null && !convertCipherOptionProtos.isEmpty()) {
            cipherOption = convertCipherOptionProtos.get(0);
        }
        return new SaslResponseWithNegotiatedCipherOption(byteArray, cipherOption);
    }

    public static CipherOption wrap(CipherOption cipherOption, SaslParticipant saslParticipant) throws IOException {
        if (cipherOption == null) {
            return null;
        }
        byte[] inKey = cipherOption.getInKey();
        if (inKey != null) {
            inKey = saslParticipant.wrap(inKey, 0, inKey.length);
        }
        byte[] outKey = cipherOption.getOutKey();
        if (outKey != null) {
            outKey = saslParticipant.wrap(outKey, 0, outKey.length);
        }
        return new CipherOption(cipherOption.getCipherSuite(), inKey, cipherOption.getInIv(), outKey, cipherOption.getOutIv());
    }

    public static CipherOption unwrap(CipherOption cipherOption, SaslParticipant saslParticipant) throws IOException {
        if (cipherOption == null) {
            return null;
        }
        byte[] inKey = cipherOption.getInKey();
        if (inKey != null) {
            inKey = saslParticipant.unwrap(inKey, 0, inKey.length);
        }
        byte[] outKey = cipherOption.getOutKey();
        if (outKey != null) {
            outKey = saslParticipant.unwrap(outKey, 0, outKey.length);
        }
        return new CipherOption(cipherOption.getCipherSuite(), inKey, cipherOption.getInIv(), outKey, cipherOption.getOutIv());
    }

    public static void sendSaslMessage(OutputStream outputStream, DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus dataTransferEncryptorStatus, byte[] bArr, String str) throws IOException {
        DataTransferProtos.DataTransferEncryptorMessageProto.Builder newBuilder = DataTransferProtos.DataTransferEncryptorMessageProto.newBuilder();
        newBuilder.setStatus(dataTransferEncryptorStatus);
        if (bArr != null) {
            newBuilder.setPayload(ByteString.copyFrom(bArr));
        }
        if (str != null) {
            newBuilder.setMessage(str);
        }
        newBuilder.build().writeDelimitedTo(outputStream);
        outputStream.flush();
    }

    private DataTransferSaslUtil() {
    }

    static {
        $assertionsDisabled = !DataTransferSaslUtil.class.desiredAssertionStatus();
        LOG = LoggerFactory.getLogger(DataTransferSaslUtil.class);
    }
}
