package org.apache.accumulo.server.security.handler;

import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.Set;
import java.util.TreeSet;
import org.apache.accumulo.core.client.AccumuloException;
import org.apache.accumulo.core.client.AccumuloSecurityException;
import org.apache.accumulo.core.client.security.tokens.AuthenticationToken;
import org.apache.accumulo.core.client.security.tokens.PasswordToken;
import org.apache.accumulo.core.clientImpl.thrift.SecurityErrorCode;
import org.apache.accumulo.core.fate.zookeeper.ZooCache;
import org.apache.accumulo.core.fate.zookeeper.ZooReaderWriter;
import org.apache.accumulo.core.fate.zookeeper.ZooUtil;
import org.apache.accumulo.server.ServerContext;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/accumulo/server/security/handler/ZKAuthenticator.class */
public final class ZKAuthenticator implements Authenticator {
    private static final Logger log = LoggerFactory.getLogger(ZKAuthenticator.class);
    private ServerContext context;
    private String ZKUserPath;
    private ZooCache zooCache;

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public void initialize(ServerContext serverContext) {
        this.context = serverContext;
        this.zooCache = new ZooCache(serverContext.getZooReader(), (Watcher) null);
        this.ZKUserPath = "/accumulo/" + serverContext.getInstanceID() + "/users";
    }

    public boolean hasOutdatedHashes() {
        LinkedList linkedList = new LinkedList();
        try {
            listUsers().forEach(str -> {
                if (ZKSecurityTool.isOutdatedPass(this.zooCache.get(this.ZKUserPath + "/" + str))) {
                    linkedList.add(str);
                }
            });
        } catch (NullPointerException e) {
            log.debug("initializeSecurity was not called yet, there could be no outdated passwords stored");
        }
        if (linkedList.isEmpty()) {
            return false;
        }
        log.warn("Found {} user(s) with outdated password hash. These will be re-hashed on successful authentication. The user(s) : {}", Integer.valueOf(linkedList.size()), String.join(", ", linkedList));
        return true;
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public void initializeSecurity(String str, byte[] bArr) {
        try {
            ZooReaderWriter zooReaderWriter = this.context.getZooReaderWriter();
            synchronized (this.zooCache) {
                this.zooCache.clear();
                if (zooReaderWriter.exists(this.ZKUserPath)) {
                    zooReaderWriter.recursiveDelete(this.ZKUserPath, ZooUtil.NodeMissingPolicy.SKIP);
                    log.info("Removed {}/ from zookeeper", this.ZKUserPath);
                }
                zooReaderWriter.putPersistentData(this.ZKUserPath, str.getBytes(StandardCharsets.UTF_8), ZooUtil.NodeExistsPolicy.FAIL);
                constructUser(str, ZKSecurityTool.createPass(bArr));
            }
        } catch (KeeperException | AccumuloException | InterruptedException e) {
            log.error("{}", e.getMessage(), e);
            throw new RuntimeException((Throwable) e);
        }
    }

    private void constructUser(String str, byte[] bArr) throws KeeperException, InterruptedException {
        synchronized (this.zooCache) {
            this.zooCache.clear();
            this.context.getZooReaderWriter().putPrivatePersistentData(this.ZKUserPath + "/" + str, bArr, ZooUtil.NodeExistsPolicy.FAIL);
        }
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public Set<String> listUsers() {
        return new TreeSet(this.zooCache.getChildren(this.ZKUserPath));
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public void createUser(String str, AuthenticationToken authenticationToken) throws AccumuloSecurityException {
        try {
            if (!(authenticationToken instanceof PasswordToken)) {
                throw new AccumuloSecurityException(str, SecurityErrorCode.INVALID_TOKEN);
            }
            constructUser(str, ZKSecurityTool.createPass(((PasswordToken) authenticationToken).getPassword()));
        } catch (AccumuloException e) {
            log.error("{}", e.getMessage(), e);
            throw new AccumuloSecurityException(str, SecurityErrorCode.DEFAULT_SECURITY_ERROR, e);
        } catch (InterruptedException e2) {
            log.error("{}", e2.getMessage(), e2);
            throw new RuntimeException(e2);
        } catch (KeeperException e3) {
            if (!e3.code().equals(KeeperException.Code.NODEEXISTS)) {
                throw new AccumuloSecurityException(str, SecurityErrorCode.CONNECTION_ERROR, e3);
            }
            throw new AccumuloSecurityException(str, SecurityErrorCode.USER_EXISTS, e3);
        }
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public void dropUser(String str) throws AccumuloSecurityException {
        try {
            synchronized (this.zooCache) {
                this.zooCache.clear();
                this.context.getZooReaderWriter().recursiveDelete(this.ZKUserPath + "/" + str, ZooUtil.NodeMissingPolicy.FAIL);
            }
        } catch (KeeperException e) {
            if (e.code().equals(KeeperException.Code.NONODE)) {
                throw new AccumuloSecurityException(str, SecurityErrorCode.USER_DOESNT_EXIST, e);
            }
            log.error("{}", e.getMessage(), e);
            throw new AccumuloSecurityException(str, SecurityErrorCode.CONNECTION_ERROR, e);
        } catch (InterruptedException e2) {
            log.error("{}", e2.getMessage(), e2);
            throw new RuntimeException(e2);
        }
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public void changePassword(String str, AuthenticationToken authenticationToken) throws AccumuloSecurityException {
        if (!(authenticationToken instanceof PasswordToken)) {
            throw new AccumuloSecurityException(str, SecurityErrorCode.INVALID_TOKEN);
        }
        PasswordToken passwordToken = (PasswordToken) authenticationToken;
        if (!userExists(str)) {
            throw new AccumuloSecurityException(str, SecurityErrorCode.USER_DOESNT_EXIST);
        }
        try {
            synchronized (this.zooCache) {
                this.zooCache.clear(this.ZKUserPath + "/" + str);
                this.context.getZooReaderWriter().putPrivatePersistentData(this.ZKUserPath + "/" + str, ZKSecurityTool.createPass(passwordToken.getPassword()), ZooUtil.NodeExistsPolicy.OVERWRITE);
            }
        } catch (AccumuloException e) {
            log.error("{}", e.getMessage(), e);
            throw new AccumuloSecurityException(str, SecurityErrorCode.DEFAULT_SECURITY_ERROR, e);
        } catch (KeeperException e2) {
            log.error("{}", e2.getMessage(), e2);
            throw new AccumuloSecurityException(str, SecurityErrorCode.CONNECTION_ERROR, e2);
        } catch (InterruptedException e3) {
            log.error("{}", e3.getMessage(), e3);
            throw new RuntimeException(e3);
        }
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public boolean userExists(String str) {
        return this.zooCache.get(this.ZKUserPath + "/" + str) != null;
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public boolean validSecurityHandlers() {
        return true;
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public boolean authenticateUser(String str, AuthenticationToken authenticationToken) throws AccumuloSecurityException {
        if (!(authenticationToken instanceof PasswordToken)) {
            throw new AccumuloSecurityException(str, SecurityErrorCode.INVALID_TOKEN);
        }
        PasswordToken passwordToken = (PasswordToken) authenticationToken;
        String str2 = this.ZKUserPath + "/" + str;
        boolean authenticateUser = authenticateUser(str, passwordToken, this.zooCache.get(str2));
        if (!authenticateUser) {
            this.zooCache.clear(str2);
            authenticateUser = authenticateUser(str, passwordToken, this.zooCache.get(str2));
        }
        return authenticateUser;
    }

    private boolean authenticateUser(String str, PasswordToken passwordToken, byte[] bArr) {
        if (bArr == null) {
            return false;
        }
        if (!ZKSecurityTool.isOutdatedPass(bArr)) {
            return ZKSecurityTool.checkCryptPass(passwordToken.getPassword(), bArr);
        }
        if (!ZKSecurityTool.checkPass(passwordToken.getPassword(), bArr)) {
            return false;
        }
        try {
            log.debug("Upgrading hashed password for {} to new format", str);
            changePassword(str, passwordToken);
            return true;
        } catch (AccumuloSecurityException e) {
            log.error("Failed to upgrade hashed password for {} to new format", str, e);
            return false;
        }
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public Set<Class<? extends AuthenticationToken>> getSupportedTokenTypes() {
        HashSet hashSet = new HashSet();
        hashSet.add(PasswordToken.class);
        return hashSet;
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public boolean validTokenClass(String str) {
        return str.equals(PasswordToken.class.getName());
    }
}
