package org.apache.hadoop.security.authentication.util;

import java.util.Collections;
import java.util.List;
import javax.security.auth.login.Configuration;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.hadoop.hdfs.web.resources.CreateParentParam;
import org.apache.hadoop.shaded.org.apache.curator.RetryPolicy;
import org.apache.hadoop.shaded.org.apache.curator.framework.CuratorFramework;
import org.apache.hadoop.shaded.org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.hadoop.shaded.org.apache.curator.framework.api.ACLProvider;
import org.apache.hadoop.shaded.org.apache.curator.framework.imps.DefaultACLProvider;
import org.apache.hadoop.shaded.org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.hadoop.shaded.org.apache.curator.utils.ConfigurableZookeeperFactory;
import org.apache.hadoop.shaded.org.apache.curator.utils.ZookeeperFactory;
import org.apache.hadoop.shaded.org.apache.zookeeper.client.ZKClientConfig;
import org.apache.hadoop.shaded.org.apache.zookeeper.common.ClientX509Util;
import org.apache.hadoop.shaded.org.apache.zookeeper.data.ACL;
import org.apache.hadoop.shaded.org.apache.zookeeper.data.Id;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/security/authentication/util/ZookeeperClient.class */
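/**
 * Fluent builder that assembles a Curator {@link CuratorFramework} client for ZooKeeper.
 *
 * <p>Typical use: {@code ZookeeperClient.configure().withConnectionString(...)....create()}.
 * Two security-relevant choices are made here:
 * <ul>
 *   <li>authentication type {@code "sasl"} (Kerberos via JAAS) or {@code "none"} (the default),
 *       which also selects the ACLs placed on znodes created through the client;</li>
 *   <li>optional TLS transport, configured from a keystore and a truststore.</li>
 * </ul>
 *
 * <p>Instances are mutable and carry no synchronization. With {@code "sasl"},
 * {@link #create()} also changes JVM-wide state (the JAAS {@link Configuration} and two
 * system properties), so it affects every other JAAS/ZooKeeper user in the same process.
 *
 * <p>The keystore and truststore passwords are kept in {@code String} fields for the
 * lifetime of this object; they are passed to the ZooKeeper client config and never logged.
 */
public class ZookeeperClient {
    private static final Logger LOG = LoggerFactory.getLogger(ZookeeperClient.class);
    private String connectionString;
    private String namespace;
    private String keytab;
    private String principal;
    private String jaasLoginEntryName;
    private boolean isSSLEnabled;
    private String keystoreLocation;
    private String keystorePassword;
    private String truststoreLocation;
    private String truststorePassword;
    // Unauthenticated unless the caller opts in to "sasl" via withAuthType().
    private String authenticationType = "none";
    // Timeouts in milliseconds; overridable through the named system properties.
    private int sessionTimeout = Integer.getInteger("curator-default-session-timeout", 60000);
    private int connectionTimeout = Integer.getInteger("curator-default-connection-timeout", 15000);
    // Exponential backoff: 1000 ms base sleep, at most 3 retries.
    private RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
    private ZookeeperFactory zkFactory = new ConfigurableZookeeperFactory();

    /**
     * ACL provider that grants every permission to a single SASL identity and nothing to
     * anyone else, for the default ACL and for every path alike.
     *
     * <p>NOTE(review): the decompiler reports that this class was package-private in the
     * original bytecode and widened it to {@code public}; the visibility is kept as found.
     */
    @VisibleForTesting
    public static final class SASLOwnerACLProvider implements ACLProvider {
        private final List<ACL> saslACL;

        /**
         * @param str the SASL identity (principal short name) that will own created znodes
         */
        private SASLOwnerACLProvider(String str) {
            // 31 == READ | WRITE | CREATE | DELETE | ADMIN, i.e. all ZooKeeper permissions.
            this.saslACL = Collections.singletonList(new ACL(31, new Id("sasl", str)));
        }

        /** @return the single-entry owner-only ACL list */
        @Override
        public List<ACL> getDefaultAcl() {
            return this.saslACL;
        }

        /**
         * @param str the znode path; ignored, every path gets the same ACL
         * @return the single-entry owner-only ACL list
         */
        @Override
        public List<ACL> getAclForPath(String str) {
            return this.saslACL;
        }
    }

    /** @return a new builder with default settings (no authentication, no TLS) */
    public static ZookeeperClient configure() {
        return new ZookeeperClient();
    }

    /**
     * @param str the ZooKeeper connection string; must be non-null by the time
     *            {@link #create()} is called
     * @return this builder
     */
    public ZookeeperClient withConnectionString(String str) {
        this.connectionString = str;
        return this;
    }

    /**
     * @param str the Curator namespace passed to the framework builder
     * @return this builder
     */
    public ZookeeperClient withNamespace(String str) {
        this.namespace = str;
        return this;
    }

    /**
     * @param str the authentication type; {@link #create()} accepts only {@code "sasl"}
     *            or {@code "none"}
     * @return this builder
     */
    public ZookeeperClient withAuthType(String str) {
        this.authenticationType = str;
        return this;
    }

    /**
     * @param str the Kerberos keytab handed to the JAAS configuration; required for {@code "sasl"}
     * @return this builder
     */
    public ZookeeperClient withKeytab(String str) {
        this.keytab = str;
        return this;
    }

    /**
     * @param str the Kerberos principal; required for {@code "sasl"}. The part before the
     *            first {@code '/'} or {@code '@'} becomes the owner of created znodes.
     * @return this builder
     */
    public ZookeeperClient withPrincipal(String str) {
        this.principal = str;
        return this;
    }

    /**
     * @param str the JAAS login entry name; required for {@code "sasl"}
     * @return this builder
     */
    public ZookeeperClient withJaasLoginEntryName(String str) {
        this.jaasLoginEntryName = str;
        return this;
    }

    /**
     * @param i the session timeout in milliseconds
     * @return this builder
     */
    public ZookeeperClient withSessionTimeout(int i) {
        this.sessionTimeout = i;
        return this;
    }

    /**
     * @param i the connection timeout in milliseconds
     * @return this builder
     */
    public ZookeeperClient withConnectionTimeout(int i) {
        this.connectionTimeout = i;
        return this;
    }

    /**
     * @param retryPolicy the Curator retry policy; must be non-null by the time
     *                    {@link #create()} is called
     * @return this builder
     */
    public ZookeeperClient withRetryPolicy(RetryPolicy retryPolicy) {
        this.retryPolicy = retryPolicy;
        return this;
    }

    /**
     * @param zookeeperFactory the factory Curator uses to create the ZooKeeper handle
     * @return this builder
     */
    public ZookeeperClient withZookeeperFactory(ZookeeperFactory zookeeperFactory) {
        this.zkFactory = zookeeperFactory;
        return this;
    }

    /**
     * @param z {@code true} to configure a TLS connection; keystore and truststore
     *          locations then become mandatory
     * @return this builder
     */
    public ZookeeperClient enableSSL(boolean z) {
        this.isSSLEnabled = z;
        return this;
    }

    /**
     * @param str the keystore location used when TLS is enabled
     * @return this builder
     */
    public ZookeeperClient withKeystore(String str) {
        this.keystoreLocation = str;
        return this;
    }

    /**
     * @param str the keystore password; not validated and never logged by this class
     * @return this builder
     */
    public ZookeeperClient withKeystorePassword(String str) {
        this.keystorePassword = str;
        return this;
    }

    /**
     * @param str the truststore location used when TLS is enabled
     * @return this builder
     */
    public ZookeeperClient withTruststore(String str) {
        this.truststoreLocation = str;
        return this;
    }

    /**
     * @param str the truststore password; not validated and never logged by this class
     * @return this builder
     */
    public ZookeeperClient withTruststorePassword(String str) {
        this.truststorePassword = str;
        return this;
    }

    /**
     * Validates the collected settings and builds the Curator client.
     *
     * @return the built (not yet started by this method) {@link CuratorFramework}
     * @throws NullPointerException if the connection string, retry policy or auth type is null
     * @throws IllegalArgumentException if the auth type is unknown, a required SASL setting
     *         is missing, or TLS is enabled without keystore/truststore locations
     */
    public CuratorFramework create() {
        checkNotNull(this.connectionString, "Zookeeper connection string cannot be null!");
        checkNotNull(this.retryPolicy, "Zookeeper connection retry policy cannot be null!");
        // aclProvider() runs before zkClientConfig(); with "sasl" it mutates JVM-wide state.
        return createFrameworkFactoryBuilder()
                .connectString(this.connectionString)
                .zookeeperFactory(this.zkFactory)
                .namespace(this.namespace)
                .sessionTimeoutMs(this.sessionTimeout)
                .connectionTimeoutMs(this.connectionTimeout)
                .retryPolicy(this.retryPolicy)
                .aclProvider(aclProvider())
                .zkClientConfig(zkClientConfig())
                .build();
    }

    /** @return a fresh Curator builder; a seam that tests can override */
    @VisibleForTesting
    CuratorFrameworkFactory.Builder createFrameworkFactoryBuilder() {
        return CuratorFrameworkFactory.builder();
    }

    /**
     * Chooses the ACL provider that matches the configured authentication type.
     *
     * <p>{@code "none"} returns Curator's {@link DefaultACLProvider}, which applies
     * ZooKeeper's open (world/anyone, all permissions) ACL to created znodes. Use it only
     * where the ensemble is otherwise protected.
     *
     * <p>{@code "sasl"} installs a JVM-wide JAAS configuration and sets two system
     * properties before returning an owner-only provider. Both side effects replace
     * whatever another component in the same process had installed.
     *
     * @return the ACL provider for the Curator builder
     */
    private ACLProvider aclProvider() {
        checkNotNull(this.authenticationType, "Zookeeper authType cannot be null!");
        boolean useSasl = this.authenticationType.equals("sasl");
        checkArgument(useSasl || this.authenticationType.equals("none"), "Zookeeper authType must be one of [none, sasl]!");
        if (!useSasl) {
            LOG.info("Connecting to ZooKeeper without authentication.");
            return new DefaultACLProvider();
        }
        LOG.info("Connecting to ZooKeeper with SASL/Kerberos and using 'sasl' ACLs.");
        checkArgument(!isEmpty(this.keytab), "Zookeeper client's Kerberos Keytab must be specified!");
        checkArgument(!isEmpty(this.principal), "Zookeeper client's Kerberos Principal must be specified!");
        checkArgument(!isEmpty(this.jaasLoginEntryName), "JAAS Login Entry name must be specified!");
        // Derive the ACL owner before touching global state. A principal made only of
        // separators splits to an empty array, and one starting with '/' or '@' yields
        // an empty short name; neither may become the owning identity.
        String[] principalParts = this.principal.split("[/@]");
        checkArgument(principalParts.length > 0 && !isEmpty(principalParts[0]), "Zookeeper client's Kerberos Principal must have a non-empty primary component!");
        Configuration.setConfiguration(new JaasConfiguration(this.jaasLoginEntryName, this.principal, this.keytab));
        System.setProperty("zookeeper.sasl.clientconfig", this.jaasLoginEntryName);
        System.setProperty("zookeeper.authProvider.1", "org.apache.hadoop.shaded.org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
        return new SASLOwnerACLProvider(principalParts[0]);
    }

    /**
     * Builds the ZooKeeper client config, adding TLS settings when SSL is enabled.
     *
     * @return an empty config for plain connections, or one carrying the secure-client
     *         flag, the Netty socket class and the key/trust store settings
     * @throws IllegalArgumentException if SSL is enabled and a store location is empty
     */
    private ZKClientConfig zkClientConfig() {
        ZKClientConfig zKClientConfig = new ZKClientConfig();
        if (!this.isSSLEnabled) {
            LOG.info("Zookeeper client will use Plain connection.");
            return zKClientConfig;
        }
        // Only the store locations are logged; the passwords must stay out of the log.
        LOG.info("Zookeeper client will use SSL connection. (keystore = {}; truststore = {};)", this.keystoreLocation, this.truststoreLocation);
        checkArgument(!isEmpty(this.keystoreLocation), "The keystore location parameter is empty for the ZooKeeper client connection.");
        checkArgument(!isEmpty(this.truststoreLocation), "The truststore location parameter is empty for the ZooKeeper client connection.");
        // ClientX509Util is used only to look up property names; try-with-resources
        // closes it exactly once on both the normal and the exceptional path.
        try (ClientX509Util clientX509Util = new ClientX509Util()) {
            // NOTE(review): the decompiler substituted an unrelated HDFS constant here;
            // presumably the original literal was "true". Confirm the value, because
            // TLS is only switched on if this property is "true".
            zKClientConfig.setProperty("zookeeper.client.secure", CreateParentParam.DEFAULT);
            zKClientConfig.setProperty("zookeeper.clientCnxnSocket", "org.apache.hadoop.shaded.org.apache.zookeeper.ClientCnxnSocketNetty");
            zKClientConfig.setProperty(clientX509Util.getSslKeystoreLocationProperty(), this.keystoreLocation);
            zKClientConfig.setProperty(clientX509Util.getSslKeystorePasswdProperty(), this.keystorePassword);
            zKClientConfig.setProperty(clientX509Util.getSslTruststoreLocationProperty(), this.truststoreLocation);
            zKClientConfig.setProperty(clientX509Util.getSslTruststorePasswdProperty(), this.truststorePassword);
        }
        return zKClientConfig;
    }

    /**
     * @param str the string to test
     * @return {@code true} if {@code str} is null or has length zero
     */
    private boolean isEmpty(String str) {
        return str == null || str.length() == 0;
    }

    /**
     * @param obj the reference to check
     * @param str the exception message
     * @throws NullPointerException if {@code obj} is null
     */
    private void checkNotNull(Object obj, String str) {
        if (obj == null) {
            throw new NullPointerException(str);
        }
    }

    /**
     * @param z the condition that must hold
     * @param str the exception message
     * @throws IllegalArgumentException if {@code z} is false
     */
    private void checkArgument(boolean z, String str) {
        if (!z) {
            throw new IllegalArgumentException(str);
        }
    }
}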
