package org.apache.storm.security.auth.workertoken;

import java.io.Closeable;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.crypto.spec.SecretKeySpec;
import org.apache.storm.cluster.ClusterStateContext;
import org.apache.storm.cluster.ClusterUtils;
import org.apache.storm.cluster.DaemonType;
import org.apache.storm.cluster.IStormClusterState;
import org.apache.storm.generated.PrivateWorkerKey;
import org.apache.storm.generated.WorkerTokenInfo;
import org.apache.storm.generated.WorkerTokenServiceType;
import org.apache.storm.kafka.spout.internal.CommonKafkaSpoutConfig;
import org.apache.storm.security.auth.ClientAuthUtils;
import org.apache.storm.security.auth.ThriftConnectionType;
import org.apache.storm.security.auth.sasl.PasswordProvider;
import org.apache.storm.shade.com.google.common.annotations.VisibleForTesting;
import org.apache.storm.shade.com.google.common.cache.CacheBuilder;
import org.apache.storm.shade.com.google.common.cache.CacheLoader;
import org.apache.storm.shade.com.google.common.cache.LoadingCache;
import org.apache.storm.utils.Time;
import org.apache.storm.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/workertoken/WorkerTokenAuthorizer.class */
public class WorkerTokenAuthorizer implements PasswordProvider, Closeable {
    private static final Logger LOG;
    private final LoadingCache<WorkerTokenInfo, PrivateWorkerKey> keyCache;
    private final IStormClusterState state;
    static final /* synthetic */ boolean $assertionsDisabled;

    public WorkerTokenAuthorizer(Map<String, Object> map, ThriftConnectionType thriftConnectionType) {
        this(thriftConnectionType.getWtType(), buildStateIfNeeded(map, thriftConnectionType));
    }

    @VisibleForTesting
    WorkerTokenAuthorizer(final WorkerTokenServiceType workerTokenServiceType, final IStormClusterState iStormClusterState) {
        this.keyCache = iStormClusterState != null ? CacheBuilder.newBuilder().maximumSize(CommonKafkaSpoutConfig.DEFAULT_PARTITION_REFRESH_PERIOD_MS).expireAfterWrite(2L, TimeUnit.HOURS).build(new CacheLoader<WorkerTokenInfo, PrivateWorkerKey>() { // from class: org.apache.storm.security.auth.workertoken.WorkerTokenAuthorizer.1
            @Override // org.apache.storm.shade.com.google.common.cache.CacheLoader
            public PrivateWorkerKey load(WorkerTokenInfo workerTokenInfo) {
                return iStormClusterState.getPrivateWorkerKey(workerTokenServiceType, workerTokenInfo.get_topologyId(), workerTokenInfo.get_secretVersion());
            }
        }) : null;
        this.state = iStormClusterState;
    }

    private static IStormClusterState buildStateIfNeeded(Map<String, Object> map, ThriftConnectionType thriftConnectionType) {
        IStormClusterState iStormClusterState = null;
        if (ClientAuthUtils.areWorkerTokensEnabledServer(thriftConnectionType, map)) {
            try {
                iStormClusterState = ClusterUtils.mkStormClusterState(map, new ClusterStateContext(DaemonType.UNKNOWN, map));
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        return iStormClusterState;
    }

    @VisibleForTesting
    byte[] getSignedPasswordFor(byte[] bArr, WorkerTokenInfo workerTokenInfo) {
        if (!$assertionsDisabled && this.keyCache == null) {
            throw new AssertionError();
        }
        if (workerTokenInfo.is_set_expirationTimeMillis() && workerTokenInfo.get_expirationTimeMillis() <= Time.currentTimeMillis()) {
            throw new IllegalArgumentException("Token is not valid, token has expired.");
        }
        try {
            PrivateWorkerKey unchecked = this.keyCache.getUnchecked(workerTokenInfo);
            if (!unchecked.is_set_expirationTimeMillis() || unchecked.get_expirationTimeMillis() > Time.currentTimeMillis()) {
                return WorkerTokenSigner.createPassword(bArr, new SecretKeySpec(unchecked.get_key(), "HmacSHA256"));
            }
            throw new IllegalArgumentException("Token is not valid, key has expired.");
        } catch (CacheLoader.InvalidCacheLoadException e) {
            throw new IllegalArgumentException("Token is not valid, private key not found.", e);
        }
    }

    @Override // org.apache.storm.security.auth.sasl.PasswordProvider
    public Optional<char[]> getPasswordFor(String str) {
        if (this.keyCache == null) {
            return Optional.empty();
        }
        try {
            byte[] decode = Base64.getDecoder().decode(str);
            WorkerTokenInfo workerTokenInfo = (WorkerTokenInfo) Utils.deserialize(decode, WorkerTokenInfo.class);
            try {
                return Optional.of(Base64.getEncoder().encodeToString(getSignedPasswordFor(decode, workerTokenInfo)).toCharArray());
            } catch (Exception e) {
                LOG.error("Could not get password for token {}/{}", workerTokenInfo.get_userName(), workerTokenInfo.get_topologyId(), e);
                return Optional.empty();
            }
        } catch (Exception e2) {
            LOG.info("Could not decode {}, might just be a plain digest request...", str, e2);
            return Optional.empty();
        }
    }

    @Override // org.apache.storm.security.auth.sasl.PasswordProvider
    public String userName(String str) {
        return ((WorkerTokenInfo) Utils.deserialize(Base64.getDecoder().decode(str), WorkerTokenInfo.class)).get_userName();
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        if (this.state != null) {
            this.state.disconnect();
        }
    }

    static {
        $assertionsDisabled = !WorkerTokenAuthorizer.class.desiredAssertionStatus();
        LOG = LoggerFactory.getLogger((Class<?>) WorkerTokenAuthorizer.class);
    }
}
