package org.apache.storm.zookeeper;

import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import org.apache.storm.blobstore.BlobStore;
import org.apache.storm.callback.DefaultWatcherCallBack;
import org.apache.storm.cluster.ClusterUtils;
import org.apache.storm.cluster.DaemonType;
import org.apache.storm.generated.KeyNotFoundException;
import org.apache.storm.generated.WorkerTokenServiceType;
import org.apache.storm.nimbus.NimbusInfo;
import org.apache.storm.security.auth.NimbusPrincipal;
import org.apache.storm.shade.org.apache.curator.framework.CuratorFramework;
import org.apache.storm.shade.org.apache.curator.framework.api.BackgroundPathAndBytesable;
import org.apache.storm.shade.org.apache.curator.framework.api.BackgroundPathable;
import org.apache.storm.shade.org.apache.zookeeper.KeeperException;
import org.apache.storm.shade.org.apache.zookeeper.data.ACL;
import org.apache.storm.shade.org.apache.zookeeper.data.Id;
import org.apache.storm.shade.org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.apache.storm.utils.ConfigUtils;
import org.apache.storm.utils.ObjectReader;
import org.apache.storm.utils.ServerUtils;
import org.apache.storm.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/zookeeper/AclEnforcement.class */
public class AclEnforcement {
    private static final Logger LOG = LoggerFactory.getLogger(AclEnforcement.class);

    /* JADX WARN: Finally extract failed */
    public static void verifyAcls(Map<String, Object> map, boolean z) throws Exception {
        if (!Utils.isZkAuthenticationConfiguredStormServer(map)) {
            LOG.info("SECURITY IS DISABLED NO FURTHER CHECKS...");
            return;
        }
        ACL superUserAcl = Utils.getSuperUserAcl(map);
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(superUserAcl);
        ArrayList arrayList2 = new ArrayList(2);
        arrayList2.add(superUserAcl);
        String str = (String) map.get("storm.zookeeper.drpcACL");
        if (str != null) {
            arrayList2.add(new ACL(1, Utils.parseZkId(str, "storm.zookeeper.drpcACL")));
        }
        List list = (List) map.get("storm.zookeeper.servers");
        int intValue = ObjectReader.getInt(map.get("storm.zookeeper.port")).intValue();
        String str2 = (String) map.get("storm.zookeeper.root");
        CuratorFramework mkClient = ClientZookeeper.mkClient(map, list, Integer.valueOf(intValue), "", new DefaultWatcherCallBack(), map, DaemonType.NIMBUS);
        try {
            if (mkClient.checkExists().forPath(str2) == null) {
                LOG.warn("{} does not exist no need to check any more...", str2);
                if (mkClient != null) {
                    mkClient.close();
                    return;
                }
                return;
            }
            verifyAclStrict(mkClient, arrayList, str2, z);
            if (mkClient != null) {
                mkClient.close();
            }
            mkClient = ClientZookeeper.mkClient(map, list, Integer.valueOf(intValue), str2, new DefaultWatcherCallBack(), map, DaemonType.NIMBUS);
            try {
                if (mkClient.checkExists().forPath("/blobstore") != null) {
                    verifyAclStrictRecursive(mkClient, arrayList, "/blobstore", z);
                }
                if (mkClient.checkExists().forPath("/blobstoremaxkeysequencenumber") != null) {
                    verifyAclStrict(mkClient, arrayList, "/blobstoremaxkeysequencenumber", z);
                }
                HashSet<String> hashSet = new HashSet();
                if (mkClient.checkExists().forPath("/storms") != null) {
                    hashSet.addAll((Collection) mkClient.getChildren().forPath("/storms"));
                }
                HashMap hashMap = new HashMap();
                BlobStore nimbusBlobStore = ServerUtils.getNimbusBlobStore(map, NimbusInfo.fromConf(map), null);
                try {
                    Subject subject = new Subject();
                    subject.getPrincipals().add(new NimbusPrincipal());
                    for (String str3 : hashSet) {
                        try {
                            try {
                                hashMap.put(str3, new Id("digest", DigestAuthenticationProvider.generateDigest((String) Utils.fromCompressedJsonConf(nimbusBlobStore.readBlob(str3 + "-stormconf.ser", subject)).get("storm.zookeeper.topology.auth.payload"))));
                            } catch (NoSuchAlgorithmException e) {
                                throw new RuntimeException(e);
                                break;
                            }
                        } catch (KeyNotFoundException e2) {
                            LOG.debug("topo removed {}", str3, e2);
                        }
                    }
                    if (nimbusBlobStore != null) {
                        nimbusBlobStore.shutdown();
                    }
                    verifyParentWithReadOnlyTopoChildren(mkClient, superUserAcl, "/storms", hashMap, z);
                    verifyParentWithReadOnlyTopoChildren(mkClient, superUserAcl, "/assignments", hashMap, z);
                    verifyParentWithReadOnlyTopoChildrenDeleteDead(mkClient, superUserAcl, "/credentials", hashMap, z);
                    verifyParentWithReadOnlyTopoChildrenDeleteDead(mkClient, superUserAcl, "/logconfigs", hashMap, z);
                    verifyParentWithReadWriteTopoChildrenDeleteDead(mkClient, superUserAcl, "/backpressure", hashMap, z);
                    if (mkClient.checkExists().forPath("/errors") != null) {
                        for (String str4 : hashMap.keySet()) {
                            String errorStormRoot = ClusterUtils.errorStormRoot(str4);
                            if (mkClient.checkExists().forPath(errorStormRoot) == null) {
                                LOG.warn("Creating missing errors location {}", errorStormRoot);
                                ((BackgroundPathAndBytesable) mkClient.create().withACL(getTopoReadWrite(errorStormRoot, str4, hashMap, superUserAcl, z))).forPath(errorStormRoot);
                            }
                        }
                    }
                    verifyParentWithReadWriteTopoChildrenDeleteDead(mkClient, superUserAcl, "/errors", hashMap, z);
                    if (mkClient.checkExists().forPath("/secretkeys") != null) {
                        verifyAclStrict(mkClient, arrayList, "/secretkeys", z);
                        verifyAclStrictRecursive(mkClient, arrayList, ClusterUtils.secretKeysPath(WorkerTokenServiceType.NIMBUS), z);
                        verifyAclStrictRecursive(mkClient, arrayList2, ClusterUtils.secretKeysPath(WorkerTokenServiceType.DRPC), z);
                    }
                    if (mkClient.checkExists().forPath("/nimbuses") != null) {
                        verifyAclStrictRecursive(mkClient, arrayList, "/nimbuses", z);
                    }
                    if (mkClient.checkExists().forPath("/leader-lock") != null) {
                        verifyAclStrictRecursive(mkClient, arrayList, "/leader-lock", z);
                    }
                    if (mkClient.checkExists().forPath("/profilerconfigs") != null) {
                        verifyAclStrictRecursive(mkClient, arrayList, "/profilerconfigs", z);
                    }
                    if (mkClient.checkExists().forPath("/supervisors") != null) {
                        verifyAclStrictRecursive(mkClient, arrayList, "/supervisors", z);
                    }
                    verifyParentWithReadWriteTopoChildrenDeleteDead(mkClient, superUserAcl, "/workerbeats", hashMap, z);
                    if (mkClient != null) {
                        mkClient.close();
                    }
                } catch (Throwable th) {
                    if (nimbusBlobStore != null) {
                        nimbusBlobStore.shutdown();
                    }
                    throw th;
                }
            } finally {
            }
        } finally {
        }
    }

    private static List<ACL> getTopoAcl(String str, String str2, Map<String, Id> map, ACL acl, boolean z, int i) {
        Id id = map.get(str2);
        if (id == null) {
            String str3 = "Could not find credentials for topology " + str2 + " at path " + str + ".";
            if (z) {
                str3 = str3 + " Don't know how to fix this automatically. Please add needed ACLs, or delete the path.";
            }
            throw new IllegalStateException(str3);
        }
        ArrayList arrayList = new ArrayList(2);
        arrayList.add(acl);
        arrayList.add(new ACL(i, id));
        return arrayList;
    }

    private static List<ACL> getTopoReadWrite(String str, String str2, Map<String, Id> map, ACL acl, boolean z) {
        return getTopoAcl(str, str2, map, acl, z, 31);
    }

    private static void verifyParentWithTopoChildrenDeleteDead(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z, int i) throws Exception {
        if (curatorFramework.checkExists().forPath(str) != null) {
            verifyAclStrict(curatorFramework, Arrays.asList(acl), str, z);
            HashSet hashSet = new HashSet();
            for (String str2 : (List) curatorFramework.getChildren().forPath(str)) {
                String str3 = str + "/" + str2;
                if (map.containsKey(str2)) {
                    verifyAclStrictRecursive(curatorFramework, getTopoAcl(str, str2, map, acl, z, i), str3, z);
                } else {
                    hashSet.add(str2);
                }
            }
            if (hashSet.isEmpty()) {
                return;
            }
            hashSet.removeAll((Collection) curatorFramework.getChildren().forPath("/storms"));
            Iterator it = hashSet.iterator();
            while (it.hasNext()) {
                curatorFramework.delete().deletingChildrenIfNeeded().forPath(str + "/" + ((String) it.next()));
            }
        }
    }

    private static void verifyParentWithReadOnlyTopoChildrenDeleteDead(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z) throws Exception {
        verifyParentWithTopoChildrenDeleteDead(curatorFramework, acl, str, map, z, 1);
    }

    private static void verifyParentWithReadWriteTopoChildrenDeleteDead(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z) throws Exception {
        verifyParentWithTopoChildrenDeleteDead(curatorFramework, acl, str, map, z, 31);
    }

    private static void verifyParentWithTopoChildren(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z, int i) throws Exception {
        if (curatorFramework.checkExists().forPath(str) != null) {
            verifyAclStrict(curatorFramework, Arrays.asList(acl), str, z);
            for (String str2 : (List) curatorFramework.getChildren().forPath(str)) {
                verifyAclStrictRecursive(curatorFramework, getTopoAcl(str, str2, map, acl, z, i), str + "/" + str2, z);
            }
        }
    }

    private static void verifyParentWithReadOnlyTopoChildren(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z) throws Exception {
        verifyParentWithTopoChildren(curatorFramework, acl, str, map, z, 1);
    }

    private static void verifyParentWithReadWriteTopoChildren(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z) throws Exception {
        verifyParentWithTopoChildren(curatorFramework, acl, str, map, z, 31);
    }

    private static void verifyAclStrictRecursive(CuratorFramework curatorFramework, List<ACL> list, String str, boolean z) throws Exception {
        verifyAclStrict(curatorFramework, list, str, z);
        Iterator it = ((List) curatorFramework.getChildren().forPath(str)).iterator();
        while (it.hasNext()) {
            verifyAclStrictRecursive(curatorFramework, list, str + "/" + ((String) it.next()), z);
        }
    }

    private static void verifyAclStrict(CuratorFramework curatorFramework, List<ACL> list, String str, boolean z) throws Exception {
        try {
            List list2 = (List) curatorFramework.getACL().forPath(str);
            if (!equivalent(list2, list)) {
                if (!z) {
                    throw new IllegalStateException(str + " did not have the correct ACL found " + list2 + " expected " + list);
                }
                LOG.warn("{} expected to have ACL {}, but has {}.  Fixing...", new Object[]{str, list, list2});
                ((BackgroundPathable) curatorFramework.setACL().withACL(list)).forPath(str);
            }
        } catch (KeeperException.NoNodeException e) {
            LOG.debug("{} removed in the middle of checking it", e);
        }
    }

    private static boolean equivalent(List<ACL> list, List<ACL> list2) {
        if (list.size() != list2.size()) {
            return false;
        }
        Iterator<ACL> it = list.iterator();
        while (it.hasNext()) {
            if (!list2.contains(it.next())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] strArr) throws Exception {
        Map readStormConfig = ConfigUtils.readStormConfig();
        boolean z = false;
        for (String str : strArr) {
            String lowerCase = str.toLowerCase();
            if (!"-f".equals(lowerCase) && !"--fixup".equals(lowerCase)) {
                throw new IllegalArgumentException("Unsupported argument " + str + " only -f or --fixup is supported.");
            }
            z = true;
        }
        verifyAcls(readStormConfig, z);
    }
}
