package org.apache.kafka.controller;

import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.common.message.CreateDelegationTokenRequestData;
import org.apache.kafka.common.message.CreateDelegationTokenResponseData;
import org.apache.kafka.common.message.ExpireDelegationTokenRequestData;
import org.apache.kafka.common.message.ExpireDelegationTokenResponseData;
import org.apache.kafka.common.message.RenewDelegationTokenRequestData;
import org.apache.kafka.common.message.RenewDelegationTokenResponseData;
import org.apache.kafka.common.metadata.DelegationTokenRecord;
import org.apache.kafka.common.metadata.RemoveDelegationTokenRecord;
import org.apache.kafka.common.protocol.Errors;
import org.apache.kafka.common.requests.ApiError;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.token.delegation.TokenInformation;
import org.apache.kafka.common.security.token.delegation.internals.DelegationTokenCache;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.metadata.DelegationTokenData;
import org.apache.kafka.server.common.ApiMessageAndVersion;
import org.apache.kafka.server.common.MetadataVersion;
import org.jose4j.mac.MacUtil;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/kafka/controller/DelegationTokenControlManager.class */
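public class DelegationTokenControlManager {
    /**
     * JCA algorithm name of the MAC that derives a token's HMAC from its token id.
     * A plain literal is used so this class does not depend on a third-party
     * constant for a standard JCE algorithm name.
     */
    private static final String HMAC_ALGORITHM = "HmacSHA512";

    /** Clock used for issue and expiry timestamps; the constructor pins it to {@link Time#SYSTEM}. */
    private final Time time;
    private final Logger log;
    /** Lookup of known tokens; this class only reads it (by HMAC and by iteration). */
    private final DelegationTokenCache tokenCache;
    /** Secret used as the HMAC key (UTF-8 bytes); {@code null} means delegation tokens are disabled. */
    private final String tokenSecretKeyString;
    /** Upper bound (ms) on the max lifetime a newly created token may request. */
    private final long tokenDefaultMaxLifetimeMs;
    /** Default renewal period (ms) applied on creation and on renewal. */
    private final long tokenDefaultRenewLifetimeMs;

    /** Builder for {@link DelegationTokenControlManager}; its constructor is private, so this is the only entry. */
    static class Builder {
        private LogContext logContext = null;
        private DelegationTokenCache tokenCache = null;
        private String tokenSecretKeyString = null;
        private long tokenDefaultMaxLifetimeMs = 0;
        private long tokenDefaultRenewLifetimeMs = 0;

        public Builder setLogContext(LogContext logContext) {
            this.logContext = logContext;
            return this;
        }

        public Builder setTokenCache(DelegationTokenCache delegationTokenCache) {
            this.tokenCache = delegationTokenCache;
            return this;
        }

        /** Sets the HMAC secret; leaving it unset ({@code null}) disables the feature (see {@link #isEnabled()}). */
        public Builder setDelegationTokenSecretKey(String str) {
            this.tokenSecretKeyString = str;
            return this;
        }

        public Builder setDelegationTokenMaxLifeMs(long j) {
            this.tokenDefaultMaxLifetimeMs = j;
            return this;
        }

        public Builder setDelegationTokenExpiryTimeMs(long j) {
            this.tokenDefaultRenewLifetimeMs = j;
            return this;
        }

        /**
         * Builds the manager, defaulting the log context when none was supplied.
         * The default is stored back into the builder so a second {@code build()} reuses it.
         */
        public DelegationTokenControlManager build() {
            if (this.logContext == null) {
                this.logContext = new LogContext();
            }
            return new DelegationTokenControlManager(
                this.logContext,
                this.tokenCache,
                this.tokenSecretKeyString,
                this.tokenDefaultMaxLifetimeMs,
                this.tokenDefaultRenewLifetimeMs);
        }
    }

    private DelegationTokenControlManager(
            LogContext logContext,
            DelegationTokenCache tokenCache,
            String tokenSecretKeyString,
            long tokenDefaultMaxLifetimeMs,
            long tokenDefaultRenewLifetimeMs) {
        this.time = Time.SYSTEM;
        this.log = logContext.logger(DelegationTokenControlManager.class);
        this.tokenCache = tokenCache;
        this.tokenSecretKeyString = tokenSecretKeyString;
        this.tokenDefaultMaxLifetimeMs = tokenDefaultMaxLifetimeMs;
        this.tokenDefaultRenewLifetimeMs = tokenDefaultRenewLifetimeMs;
    }

    /** Encodes {@code str} as UTF-8; used for both the key material and the MAC input. */
    private static byte[] toBytes(String str) {
        return str.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Computes the token HMAC: {@code HmacSHA512(key = secret, data = tokenId)}.
     *
     * @param tokenId the token id that is MACed
     * @return the raw MAC bytes
     * @throws Exception if the algorithm is unavailable or the key is rejected (callers map this to an error code)
     */
    private byte[] createHmac(String tokenId) throws Exception {
        Mac mac = Mac.getInstance(HMAC_ALGORITHM);
        mac.init(new SecretKeySpec(toBytes(this.tokenSecretKeyString), mac.getAlgorithm()));
        return mac.doFinal(toBytes(tokenId));
    }

    /**
     * Looks up a token by the HMAC presented by the client, base64-encoded as the cache keys it.
     * Matching the client-supplied bytes against stored ones is done entirely by the cache.
     *
     * @return the token, or {@code null} when the cache has no token for that HMAC
     */
    private TokenInformation getToken(byte[] hmac) {
        return this.tokenCache.tokenForHmac(Base64.getEncoder().encodeToString(hmac));
    }

    /** A principal may renew or expire a token when it is the owner or one of the registered renewers. */
    private boolean allowedToRenew(TokenInformation token, KafkaPrincipal principal) {
        return token.owner().equals(principal) || token.renewers().contains(principal);
    }

    /** True when {@code now} is past either the token's hard max lifetime or its current expiry. */
    private static boolean isExpired(TokenInformation token, long now) {
        return token.maxTimestamp() < now || token.expiryTimestamp() < now;
    }

    /** Delegation tokens are enabled only when a secret key was configured. */
    public boolean isEnabled() {
        return this.tokenSecretKeyString != null;
    }

    /**
     * Creates a new delegation token.
     *
     * <p>The owner defaults to the requesting principal and may be overridden by the request's
     * owner fields (authorization of that override is not performed here). Renewers must all be
     * of {@link KafkaPrincipal#USER_TYPE}. The max lifetime is the configured default, capped by
     * the request when it asks for a positive value; the initial expiry is the earlier of the max
     * timestamp and {@code now + tokenDefaultRenewLifetimeMs}.
     *
     * @return on success, one {@code DelegationTokenRecord} plus a response carrying the id, HMAC and
     *         timestamps; otherwise no records and a response with the error code set
     */
    public ControllerResult<CreateDelegationTokenResponseData> createDelegationToken(
            ControllerRequestContext controllerRequestContext,
            CreateDelegationTokenRequestData createDelegationTokenRequestData,
            MetadataVersion metadataVersion) {
        long now = this.time.milliseconds();
        KafkaPrincipal requester = controllerRequestContext.principal();

        // Owner may be overridden by the request; an empty name means "requester is the owner".
        KafkaPrincipal owner = requester;
        String ownerName = createDelegationTokenRequestData.ownerPrincipalName();
        if (ownerName != null && !ownerName.isEmpty()) {
            owner = new KafkaPrincipal(createDelegationTokenRequestData.ownerPrincipalType(), ownerName);
        }

        CreateDelegationTokenResponseData response = new CreateDelegationTokenResponseData()
            .setPrincipalName(owner.getName())
            .setPrincipalType(owner.getPrincipalType())
            .setTokenRequesterPrincipalName(requester.getName())
            .setTokenRequesterPrincipalType(requester.getPrincipalType());
        List<ApiMessageAndVersion> records = new ArrayList<>();

        if (!isEnabled()) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.DELEGATION_TOKEN_AUTH_DISABLED.code()));
        }
        if (!metadataVersion.isDelegationTokenSupported()) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.UNSUPPORTED_VERSION.code()));
        }

        // A positive requested lifetime can only shorten the configured default, never extend it.
        long maxLifetimeMs = this.tokenDefaultMaxLifetimeMs;
        if (createDelegationTokenRequestData.maxLifetimeMs() > 0) {
            maxLifetimeMs = Math.min(maxLifetimeMs, createDelegationTokenRequestData.maxLifetimeMs());
        }
        long maxTimestamp = now + maxLifetimeMs;
        long expiryTimestamp = Math.min(maxTimestamp, now + this.tokenDefaultRenewLifetimeMs);

        String tokenId = Uuid.randomUuid().toString();

        List<KafkaPrincipal> renewers = new ArrayList<>();
        for (CreateDelegationTokenRequestData.CreatableRenewers renewer : createDelegationTokenRequestData.renewers()) {
            if (!renewer.principalType().equals(KafkaPrincipal.USER_TYPE)) {
                return ControllerResult.atomicOf(records, response.setErrorCode(Errors.INVALID_PRINCIPAL_TYPE.code()));
            }
            renewers.add(new KafkaPrincipal(renewer.principalType(), renewer.principalName()));
        }

        try {
            byte[] hmac = createHmac(tokenId);
            TokenInformation tokenInfo = new TokenInformation(
                tokenId, owner, requester, renewers, now, maxTimestamp, expiryTimestamp);
            DelegationTokenData tokenData = new DelegationTokenData(tokenInfo);
            response.setErrorCode(Errors.NONE.code())
                .setIssueTimestampMs(now)
                .setExpiryTimestampMs(expiryTimestamp)
                .setMaxTimestampMs(maxTimestamp)
                .setTokenId(tokenId)
                .setHmac(hmac);
            records.add(new ApiMessageAndVersion(tokenData.toRecord(), (short) 0));
            return ControllerResult.atomicOf(records, response);
        } catch (Throwable th) {
            // Deliberately broad: any failure while computing the MAC is reported to the
            // client as an error code rather than propagated out of the controller.
            return ControllerResult.atomicOf(records, response.setErrorCode(ApiError.fromThrowable(th).error().code()));
        }
    }

    /**
     * Renews an existing token, identified by the HMAC the client presents.
     *
     * <p>Fails with NOT_FOUND for an unknown HMAC, EXPIRED when the token is past either timestamp,
     * and OWNER_MISMATCH when the caller is neither owner nor renewer. The new expiry is
     * {@code now + renewPeriod} (request value, if positive, capped by the configured default),
     * never later than the token's max timestamp.
     *
     * @return on success, one updated {@code DelegationTokenRecord}; otherwise no records
     */
    public ControllerResult<RenewDelegationTokenResponseData> renewDelegationToken(
            ControllerRequestContext controllerRequestContext,
            RenewDelegationTokenRequestData renewDelegationTokenRequestData,
            MetadataVersion metadataVersion) {
        long now = this.time.milliseconds();
        List<ApiMessageAndVersion> records = new ArrayList<>();
        RenewDelegationTokenResponseData response = new RenewDelegationTokenResponseData();

        if (!isEnabled()) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.DELEGATION_TOKEN_AUTH_DISABLED.code()));
        }
        if (!metadataVersion.isDelegationTokenSupported()) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.UNSUPPORTED_VERSION.code()));
        }

        TokenInformation token = getToken(renewDelegationTokenRequestData.hmac());
        if (token == null) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.DELEGATION_TOKEN_NOT_FOUND.code()));
        }
        if (isExpired(token, now)) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.DELEGATION_TOKEN_EXPIRED.code()));
        }
        if (!allowedToRenew(token, controllerRequestContext.principal())) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.DELEGATION_TOKEN_OWNER_MISMATCH.code()));
        }

        long renewPeriodMs = this.tokenDefaultRenewLifetimeMs;
        if (renewDelegationTokenRequestData.renewPeriodMs() > 0) {
            renewPeriodMs = Math.min(renewPeriodMs, renewDelegationTokenRequestData.renewPeriodMs());
        }
        // Renewal can never push the expiry beyond the token's hard max lifetime.
        long newExpiry = Math.min(token.maxTimestamp(), now + renewPeriodMs);

        response.setErrorCode(Errors.NONE.code()).setExpiryTimestampMs(newExpiry);
        records.add(new ApiMessageAndVersion(
            new DelegationTokenData(token).toRecord().setExpirationTimestamp(newExpiry), (short) 0));
        return ControllerResult.atomicOf(records, response);
    }

    /**
     * Expires a token early or removes it outright.
     *
     * <p>A negative {@code expiryTimePeriodMs} removes the token immediately (emitting a
     * {@code RemoveDelegationTokenRecord}) without checking whether it is already expired.
     * Otherwise an already-expired token is rejected with EXPIRED, and a live token's expiry is
     * moved to {@code now + expiryTimePeriodMs}, capped at its max timestamp. The owner/renewer
     * check is applied before the expiry check.
     */
    public ControllerResult<ExpireDelegationTokenResponseData> expireDelegationToken(
            ControllerRequestContext controllerRequestContext,
            ExpireDelegationTokenRequestData expireDelegationTokenRequestData,
            MetadataVersion metadataVersion) {
        long now = this.time.milliseconds();
        List<ApiMessageAndVersion> records = new ArrayList<>();
        ExpireDelegationTokenResponseData response = new ExpireDelegationTokenResponseData();

        if (!isEnabled()) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.DELEGATION_TOKEN_AUTH_DISABLED.code()));
        }
        if (!metadataVersion.isDelegationTokenSupported()) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.UNSUPPORTED_VERSION.code()));
        }

        TokenInformation token = getToken(expireDelegationTokenRequestData.hmac());
        if (token == null) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.DELEGATION_TOKEN_NOT_FOUND.code()));
        }
        if (!allowedToRenew(token, controllerRequestContext.principal())) {
            return ControllerResult.atomicOf(records, response.setErrorCode(Errors.DELEGATION_TOKEN_OWNER_MISMATCH.code()));
        }

        long expiryPeriodMs = expireDelegationTokenRequestData.expiryTimePeriodMs();
        if (expiryPeriodMs < 0) {
            // Negative period: drop the token now, regardless of its current timestamps.
            response.setErrorCode(Errors.NONE.code()).setExpiryTimestampMs(now);
            records.add(new ApiMessageAndVersion(
                new RemoveDelegationTokenRecord().setTokenId(token.tokenId()), (short) 0));
        } else if (isExpired(token, now)) {
            response.setErrorCode(Errors.DELEGATION_TOKEN_EXPIRED.code());
        } else {
            long newExpiry = Math.min(token.maxTimestamp(), now + expiryPeriodMs);
            response.setErrorCode(Errors.NONE.code()).setExpiryTimestampMs(newExpiry);
            records.add(new ApiMessageAndVersion(
                new DelegationTokenData(token).toRecord().setExpirationTimestamp(newExpiry), (short) 0));
        }
        return ControllerResult.atomicOf(records, response);
    }

    /**
     * Produces a {@code RemoveDelegationTokenRecord} for every cached token that is past its
     * max or expiry timestamp, logging each one. Returns an empty list when nothing has expired.
     */
    public List<ApiMessageAndVersion> sweepExpiredDelegationTokens() {
        long now = this.time.milliseconds();
        List<ApiMessageAndVersion> records = new ArrayList<>();
        for (TokenInformation token : this.tokenCache.tokens()) {
            if (isExpired(token, now)) {
                this.log.info("Delegation token expired for token: {} for owner: {}", token.tokenId(), token.ownerAsString());
                records.add(new ApiMessageAndVersion(
                    new RemoveDelegationTokenRecord().setTokenId(token.tokenId()), (short) 0));
            }
        }
        return records;
    }

    /** Replay hook for a {@code DelegationTokenRecord}; this manager only logs it (the cache is updated elsewhere). */
    public void replay(DelegationTokenRecord delegationTokenRecord) {
        this.log.info("Replayed DelegationTokenRecord for {}.", delegationTokenRecord.tokenId());
    }

    /** Replay hook for a {@code RemoveDelegationTokenRecord}; this manager only logs it. */
    public void replay(RemoveDelegationTokenRecord removeDelegationTokenRecord) {
        this.log.info("Replayed RemoveDelegationTokenRecord for {}.", removeDelegationTokenRecord.tokenId());
    }
}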
