package org.apache.knox.gateway.cloud.idbroker.s3a;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URI;
import java.nio.file.AccessDeniedException;
import java.util.Arrays;
import java.util.Locale;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.s3a.S3AFileSystem;
import org.apache.hadoop.fs.s3a.S3AUtils;
import org.apache.hadoop.fs.s3a.auth.MarshalledCredentials;
import org.apache.hadoop.fs.s3a.auth.delegation.DelegationTokenIOException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.knox.gateway.cloud.idbroker.AbstractIDBClient;
import org.apache.knox.gateway.cloud.idbroker.common.DefaultEndpointManager;
import org.apache.knox.gateway.cloud.idbroker.common.DefaultRequestExecutor;
import org.apache.knox.gateway.cloud.idbroker.s3a.AuthResponseAWSMessage;
import org.apache.knox.gateway.shell.BasicResponse;
import org.apache.knox.gateway.shell.ErrorResponse;
import org.apache.knox.gateway.shell.KnoxShellException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/knox/gateway/cloud/idbroker/s3a/S3AIDBClient.class */
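/**
 * IDBroker client for the S3A connector: resolves the S3A-specific IDBroker
 * settings from a Hadoop {@link Configuration} and converts the broker's AWS
 * response into {@link MarshalledCredentials}.
 *
 * <p>Several methods here handle secrets (IDBroker password, truststore
 * password, AWS session credentials). None of them logs a secret value and
 * callers should keep it that way.
 */
public class S3AIDBClient extends AbstractIDBClient<MarshalledCredentials> {
    private static final Logger LOG = LoggerFactory.getLogger(S3AIDBClient.class);

    /** Bucket used for per-bucket secret lookups; {@code null} when the client is not bound to a bucket. */
    private final String bucket;

    /**
     * Creates a full client bound to the bucket of the given filesystem.
     *
     * @throws IOException if the client cannot be constructed
     */
    public static S3AIDBClient createFullIDBClient(Configuration configuration, UserGroupInformation userGroupInformation, S3AFileSystem s3AFileSystem) throws IOException {
        return createFullIDBClient(configuration, userGroupInformation, s3AFileSystem.getBucket());
    }

    /**
     * Creates a full client that is not bound to any bucket (the bucket is {@code null}).
     *
     * @throws IOException if the client cannot be constructed
     */
    public static S3AIDBClient createFullIDBClient(Configuration configuration, UserGroupInformation userGroupInformation) throws IOException {
        return new S3AIDBClient(configuration, userGroupInformation, null);
    }

    /**
     * Creates a full client bound to the named bucket.
     *
     * @param str bucket name, may be {@code null}
     * @throws IOException if the client cannot be constructed
     */
    public static S3AIDBClient createFullIDBClient(Configuration configuration, UserGroupInformation userGroupInformation, String str) throws IOException {
        return new S3AIDBClient(configuration, userGroupInformation, str);
    }

    /**
     * Creates a client for the filesystem's owner and bucket, then replaces its
     * request executor with a {@link DefaultRequestExecutor} over the configured
     * gateway address.
     *
     * @throws IOException if the client cannot be constructed
     */
    public static S3AIDBClient createLightIDBClient(Configuration configuration, S3AFileSystem s3AFileSystem) throws IOException {
        S3AIDBClient client = new S3AIDBClient(configuration, s3AFileSystem.getOwner(), s3AFileSystem.getBucket());
        // NOTE(review): Configuration.get() returns the raw property value, so a
        // comma-separated gateway list becomes a single endpoint entry here, whereas
        // getGatewayAddress(Configuration) splits it with getStrings(). Confirm that
        // this difference is intended.
        String gateway = configuration.get(
                S3AIDBProperty.IDBROKER_GATEWAY.getPropertyName(),
                S3AIDBProperty.IDBROKER_GATEWAY.getDefaultValue());
        client.requestExecutor = new DefaultRequestExecutor(new DefaultEndpointManager(Arrays.asList(gateway)));
        return client;
    }

    /**
     * @param str bucket name used for per-bucket secret lookups, may be {@code null}
     * @throws IOException if the superclass constructor fails
     */
    S3AIDBClient(Configuration configuration, UserGroupInformation userGroupInformation, String str) throws IOException {
        super(configuration, userGroupInformation);
        this.bucket = str;
    }

    /** Returns the boolean value of the {@code IDBROKER_ONLY_USER_METHOD} property. */
    @Override
    protected boolean getOnlyUser(Configuration configuration) {
        return getPropertyValueAsBoolean(configuration, S3AIDBProperty.IDBROKER_ONLY_USER_METHOD);
    }

    /** Returns the boolean value of the {@code IDBROKER_ONLY_GROUPS_METHOD} property. */
    @Override
    protected boolean getOnlyGroups(Configuration configuration) {
        return getPropertyValueAsBoolean(configuration, S3AIDBProperty.IDBROKER_ONLY_GROUPS_METHOD);
    }

    /** Returns the value of the {@code IDBROKER_SPECIFIC_ROLE_METHOD} property. */
    @Override
    protected String getSpecificRole(Configuration configuration) {
        return getPropertyValue(configuration, S3AIDBProperty.IDBROKER_SPECIFIC_ROLE_METHOD);
    }

    /** Returns the value of the {@code IDBROKER_SPECIFIC_GROUP_METHOD} property. */
    @Override
    protected String getSpecificGroup(Configuration configuration) {
        return getPropertyValue(configuration, S3AIDBProperty.IDBROKER_SPECIFIC_GROUP_METHOD);
    }

    /** Returns the value of the {@code IDBROKER_TRUSTSTORE_LOCATION} property. */
    @Override
    protected String getTruststorePath(Configuration configuration) {
        return getPropertyValue(configuration, S3AIDBProperty.IDBROKER_TRUSTSTORE_LOCATION);
    }

    /** Returns the boolean value of the {@code IDBROKER_USE_DT_CERT} property. */
    @Override
    protected boolean getUseCertificateFromDT(Configuration configuration) {
        return getPropertyValueAsBoolean(configuration, S3AIDBProperty.IDBROKER_USE_DT_CERT);
    }

    /**
     * Looks up the truststore password through {@link Configuration#getPassword},
     * first under the {@code IDBROKER_TRUSTSTORE_PASS} property name and then,
     * if that yields nothing, under {@code IDBROKER_TRUSTSTORE_PASSWORD}.
     *
     * @return the password characters, or {@code null} if neither name resolves;
     *     the array holds a secret and must not be logged
     * @throws IOException if the password lookup fails
     */
    @Override
    protected char[] getTruststorePassword(Configuration configuration) throws IOException {
        char[] secret = configuration.getPassword(S3AIDBProperty.IDBROKER_TRUSTSTORE_PASS.getPropertyName());
        if (secret != null) {
            return secret;
        }
        return configuration.getPassword(S3AIDBProperty.IDBROKER_TRUSTSTORE_PASSWORD.getPropertyName());
    }

    /** Builds the delegation-token URL from the gateway address and the {@code IDBROKER_DT_PATH} property. */
    @Override
    protected String getDelegationTokensURL(Configuration configuration) {
        return buildUrl(getGatewayAddress(), getPropertyValue(configuration, S3AIDBProperty.IDBROKER_DT_PATH));
    }

    /** Builds the credentials URL from the gateway address and the {@code IDBROKER_PATH} property. */
    @Override
    protected String getCredentialsURL(Configuration configuration) {
        return buildUrl(getGatewayAddress(), getPropertyValue(configuration, S3AIDBProperty.IDBROKER_PATH));
    }

    /** Returns the value of the {@code IDBROKER_CREDENTIALS_TYPE} property. */
    @Override
    protected String getCredentialsType(Configuration configuration) {
        return getPropertyValue(configuration, S3AIDBProperty.IDBROKER_CREDENTIALS_TYPE);
    }

    /**
     * Returns the configured gateway addresses, or a one-element array holding
     * the property's default value when the property is unset.
     */
    @Override
    protected String[] getGatewayAddress(Configuration configuration) {
        String[] fallback = {S3AIDBProperty.IDBROKER_GATEWAY.getDefaultValue()};
        return configuration.getStrings(S3AIDBProperty.IDBROKER_GATEWAY.getPropertyName(), fallback);
    }

    /**
     * Resolves the IDBroker username with {@code S3AUtils.lookupPassword} for this
     * client's bucket; if that lookup throws, logs a warning and falls back to the
     * plain configuration property.
     */
    @Override
    protected String getUsername(Configuration configuration) {
        try {
            return S3AUtils.lookupPassword(this.bucket, configuration, S3AIDBProperty.IDBROKER_USERNAME.getPropertyName());
        } catch (IOException e) {
            // Deliberate best effort: a failed lookup is logged and the plain property is used.
            LOG.warn("Failed to get the username from S3A, falling back to the configuration", e);
            return getPropertyValue(configuration, S3AIDBProperty.IDBROKER_USERNAME);
        }
    }

    /** Returns the name of the property that holds the IDBroker username. */
    @Override
    protected String getUsernamePropertyName() {
        return S3AIDBProperty.IDBROKER_USERNAME.getPropertyName();
    }

    /**
     * Resolves the IDBroker password with {@code S3AUtils.lookupPassword} for this
     * client's bucket; if that lookup throws, logs a warning and falls back to the
     * plain configuration property.
     *
     * <p>The secret is returned as a {@link String}, so it cannot be wiped after
     * use. Only the lookup failure is logged here, never the value.
     */
    @Override
    protected String getPassword(Configuration configuration) {
        try {
            return S3AUtils.lookupPassword(this.bucket, configuration, S3AIDBProperty.IDBROKER_PASSWORD.getPropertyName());
        } catch (IOException e) {
            // Deliberate best effort: a failed lookup is logged and the plain property is used.
            LOG.warn("Failed to get the password from S3A, falling back to the configuration", e);
            return getPropertyValue(configuration, S3AIDBProperty.IDBROKER_PASSWORD);
        }
    }

    /** Returns the name of the property that holds the IDBroker password. */
    @Override
    protected String getPasswordPropertyName() {
        return S3AIDBProperty.IDBROKER_PASSWORD.getPropertyName();
    }

    /**
     * Parses the broker response as an {@link AuthResponseAWSMessage} and converts
     * it to {@link MarshalledCredentials}.
     *
     * @throws IOException if the response cannot be processed or the credentials are invalid
     */
    @Override
    public MarshalledCredentials extractCloudCredentialsFromResponse(BasicResponse basicResponse) throws IOException {
        AuthResponseAWSMessage parsed = (AuthResponseAWSMessage) processGet(AuthResponseAWSMessage.class, null, basicResponse);
        return responseToMarshalledCredentials(parsed);
    }

    /**
     * Maps a Knox shell failure to an {@link IOException} subtype.
     *
     * <p>When the cause is an {@link ErrorResponse}, HTTP 401/403 becomes
     * {@link AccessDeniedException}, 404/410 becomes {@link FileNotFoundException},
     * and every other status becomes {@link DelegationTokenIOException}. Any other
     * failure becomes a {@link DelegationTokenIOException} carrying the exception
     * text. The original exception is always preserved as the cause.
     *
     * <p>The request URI and {@code str} are embedded in the exception message, which
     * may end up in logs; NOTE(review): confirm that callers never pass a URI that
     * carries credentials.
     *
     * @param uri request URI, included in the message
     * @param str extra text appended to the message; {@code null} or empty adds nothing
     * @param knoxShellException failure to translate
     * @return the translated exception (returned, not thrown)
     */
    @Override
    protected IOException translateException(URI uri, String str, KnoxShellException knoxShellException) {
        String target = uri.toString();
        // A null extra text is treated like an empty one instead of raising an NPE
        // while an error is already being reported.
        String extra = (str == null || str.isEmpty()) ? "" : " " + str;
        // getCause() is declared as Throwable; test the type first and cast explicitly.
        Throwable cause = knoxShellException.getCause();
        if (!(cause instanceof ErrorResponse)) {
            String detail = knoxShellException.toString();
            if (detail.contains("Unable to obtain Principal Name for authentication")) {
                detail = detail + " - Trying to request full IDBroker session but not logged in with Kerberos.";
            }
            return new DelegationTokenIOException("From " + target + " " + detail + extra, knoxShellException);
        }

        int statusCode = ((ErrorResponse) cause).getResponse().getStatusLine().getStatusCode();
        String message = String.format(Locale.ROOT, "Error %03d from %s", statusCode, target) + extra;
        switch (statusCode) {
            case 401:
            case 403: {
                IOException denied = new AccessDeniedException(target, null, message);
                denied.initCause(knoxShellException);
                return denied;
            }
            case 404:
            case 410: {
                IOException missing = new FileNotFoundException(message);
                missing.initCause(knoxShellException);
                return missing;
            }
            default:
                return new DelegationTokenIOException(message + "  " + knoxShellException, knoxShellException);
        }
    }

    /**
     * Converts a parsed broker response into validated session credentials.
     *
     * <p>The response comes from a remote service, so a missing credentials or
     * assumed-role section is reported as a {@link DelegationTokenIOException}
     * rather than surfacing as a {@link NullPointerException}. The error messages
     * name only the missing section and never include credential values.
     *
     * <p>The decompiler reports that this method was package-private in the
     * original class; it is kept {@code public} here, as in the listing.
     *
     * @param authResponseAWSMessage parsed response from the broker
     * @return credentials validated as session credentials
     * @throws IOException if the response is incomplete or validation fails
     */
    public MarshalledCredentials responseToMarshalledCredentials(AuthResponseAWSMessage authResponseAWSMessage) throws IOException {
        if (authResponseAWSMessage == null || authResponseAWSMessage.Credentials == null) {
            throw new DelegationTokenIOException(getGatewayAddress() + " returned a response with no AWS credentials");
        }
        if (authResponseAWSMessage.AssumedRoleUser == null) {
            throw new DelegationTokenIOException(getGatewayAddress() + " returned a response with no assumed role user");
        }
        AuthResponseAWSMessage.CredentialsStruct aws = authResponseAWSMessage.Credentials;
        MarshalledCredentials result = new MarshalledCredentials(aws.AccessKeyId, aws.SecretAccessKey, aws.SessionToken);
        result.setExpiration(aws.Expiration);
        result.setRoleARN(authResponseAWSMessage.AssumedRoleUser.Arn);
        // Reject anything that is not a complete set of session credentials.
        result.validate(getGatewayAddress() + " ", MarshalledCredentials.CredentialTypeRequired.SessionOnly);
        return result;
    }
}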
