package org.apache.storm.zookeeper;

import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import org.apache.storm.Config;
import org.apache.storm.blobstore.BlobStore;
import org.apache.storm.callback.DefaultWatcherCallBack;
import org.apache.storm.cluster.ClusterUtils;
import org.apache.storm.generated.KeyNotFoundException;
import org.apache.storm.nimbus.NimbusInfo;
import org.apache.storm.security.auth.NimbusPrincipal;
import org.apache.storm.shade.org.apache.curator.framework.CuratorFramework;
import org.apache.storm.shade.org.apache.zookeeper.KeeperException;
import org.apache.storm.shade.org.apache.zookeeper.data.ACL;
import org.apache.storm.shade.org.apache.zookeeper.data.Id;
import org.apache.storm.shade.org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.apache.storm.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/zookeeper/AclEnforcement.class */
public class AclEnforcement {
    private static final Logger LOG = LoggerFactory.getLogger(AclEnforcement.class);

    /* JADX WARN: Finally extract failed */
    public static void verifyAcls(Map<String, Object> map, boolean z) throws Exception {
        if (!Utils.isZkAuthenticationConfiguredStormServer(map)) {
            LOG.info("SECURITY IS DISABLED NO FURTHER CHECKS...");
            return;
        }
        ACL superUserAcl = Utils.getSuperUserAcl(map);
        ArrayList arrayList = new ArrayList(1);
        arrayList.add(superUserAcl);
        List list = (List) map.get(Config.STORM_ZOOKEEPER_SERVERS);
        int intValue = Utils.getInt(map.get(Config.STORM_ZOOKEEPER_PORT)).intValue();
        String str = (String) map.get(Config.STORM_ZOOKEEPER_ROOT);
        CuratorFramework mkClient = Zookeeper.mkClient(map, list, Integer.valueOf(intValue), "", new DefaultWatcherCallBack(), map, arrayList);
        Throwable th = null;
        try {
            if (mkClient.checkExists().forPath(str) == null) {
                LOG.warn("{} does not exist no need to check any more...", str);
                if (mkClient != null) {
                    if (0 == 0) {
                        mkClient.close();
                        return;
                    }
                    try {
                        mkClient.close();
                        return;
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                        return;
                    }
                }
                return;
            }
            verifyAclStrict(mkClient, arrayList, str, z);
            CuratorFramework mkClient2 = Zookeeper.mkClient(map, list, Integer.valueOf(intValue), str, new DefaultWatcherCallBack(), map, arrayList);
            Throwable th3 = null;
            try {
                if (mkClient2.checkExists().forPath(ClusterUtils.BLOBSTORE_SUBTREE) != null) {
                    verifyAclStrictRecursive(mkClient2, arrayList, ClusterUtils.BLOBSTORE_SUBTREE, z);
                }
                if (mkClient2.checkExists().forPath(ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE) != null) {
                    verifyAclStrict(mkClient2, arrayList, ClusterUtils.BLOBSTORE_MAX_KEY_SEQUENCE_NUMBER_SUBTREE, z);
                }
                HashSet<String> hashSet = new HashSet();
                if (mkClient2.checkExists().forPath(ClusterUtils.STORMS_SUBTREE) != null) {
                    hashSet.addAll(mkClient2.getChildren().forPath(ClusterUtils.STORMS_SUBTREE));
                }
                HashMap hashMap = new HashMap();
                BlobStore nimbusBlobStore = Utils.getNimbusBlobStore(map, NimbusInfo.fromConf(map));
                try {
                    Subject subject = new Subject();
                    subject.getPrincipals().add(new NimbusPrincipal());
                    for (String str2 : hashSet) {
                        try {
                            try {
                                hashMap.put(str2, new Id("digest", DigestAuthenticationProvider.generateDigest((String) Utils.fromCompressedJsonConf(nimbusBlobStore.readBlob(str2 + "-stormconf.ser", subject)).get(Config.STORM_ZOOKEEPER_TOPOLOGY_AUTH_PAYLOAD))));
                            } catch (NoSuchAlgorithmException e) {
                                throw new RuntimeException(e);
                                break;
                            }
                        } catch (KeyNotFoundException e2) {
                            LOG.debug("topo removed {}", str2, e2);
                        }
                    }
                    if (nimbusBlobStore != null) {
                        nimbusBlobStore.shutdown();
                    }
                    verifyParentWithReadOnlyTopoChildren(mkClient2, superUserAcl, ClusterUtils.STORMS_SUBTREE, hashMap, z);
                    verifyParentWithReadOnlyTopoChildren(mkClient2, superUserAcl, ClusterUtils.ASSIGNMENTS_SUBTREE, hashMap, z);
                    verifyParentWithReadOnlyTopoChildrenDeleteDead(mkClient2, superUserAcl, ClusterUtils.CREDENTIALS_SUBTREE, hashMap, z);
                    verifyParentWithReadOnlyTopoChildrenDeleteDead(mkClient2, superUserAcl, ClusterUtils.LOGCONFIG_SUBTREE, hashMap, z);
                    verifyParentWithReadWriteTopoChildrenDeleteDead(mkClient2, superUserAcl, ClusterUtils.BACKPRESSURE_SUBTREE, hashMap, z);
                    if (mkClient2.checkExists().forPath(ClusterUtils.ERRORS_SUBTREE) != null) {
                        for (String str3 : hashMap.keySet()) {
                            String errorStormRoot = ClusterUtils.errorStormRoot(str3);
                            if (mkClient2.checkExists().forPath(errorStormRoot) == null) {
                                LOG.warn("Creating missing errors location {}", errorStormRoot);
                                mkClient2.create().withACL(getTopoReadWrite(errorStormRoot, str3, hashMap, superUserAcl, z)).forPath(errorStormRoot);
                            }
                        }
                    }
                    verifyParentWithReadWriteTopoChildrenDeleteDead(mkClient2, superUserAcl, ClusterUtils.ERRORS_SUBTREE, hashMap, z);
                    if (mkClient2.checkExists().forPath(ClusterUtils.NIMBUSES_SUBTREE) != null) {
                        verifyAclStrictRecursive(mkClient2, arrayList, ClusterUtils.NIMBUSES_SUBTREE, z);
                    }
                    if (mkClient2.checkExists().forPath("/leader-lock") != null) {
                        verifyAclStrictRecursive(mkClient2, arrayList, "/leader-lock", z);
                    }
                    if (mkClient2.checkExists().forPath(ClusterUtils.PROFILERCONFIG_SUBTREE) != null) {
                        verifyAclStrictRecursive(mkClient2, arrayList, ClusterUtils.PROFILERCONFIG_SUBTREE, z);
                    }
                    if (mkClient2.checkExists().forPath(ClusterUtils.SUPERVISORS_SUBTREE) != null) {
                        verifyAclStrictRecursive(mkClient2, arrayList, ClusterUtils.SUPERVISORS_SUBTREE, z);
                    }
                    verifyParentWithReadWriteTopoChildrenDeleteDead(mkClient2, superUserAcl, ClusterUtils.WORKERBEATS_SUBTREE, hashMap, z);
                    if (mkClient2 != null) {
                        if (0 == 0) {
                            mkClient2.close();
                            return;
                        }
                        try {
                            mkClient2.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                } catch (Throwable th5) {
                    if (nimbusBlobStore != null) {
                        nimbusBlobStore.shutdown();
                    }
                    throw th5;
                }
            } catch (Throwable th6) {
                if (mkClient2 != null) {
                    if (0 != 0) {
                        try {
                            mkClient2.close();
                        } catch (Throwable th7) {
                            th3.addSuppressed(th7);
                        }
                    } else {
                        mkClient2.close();
                    }
                }
                throw th6;
            }
        } finally {
            if (mkClient != null) {
                if (0 != 0) {
                    try {
                        mkClient.close();
                    } catch (Throwable th8) {
                        th.addSuppressed(th8);
                    }
                } else {
                    mkClient.close();
                }
            }
        }
    }

    private static List<ACL> getTopoAcl(String str, String str2, Map<String, Id> map, ACL acl, boolean z, int i) {
        Id id = map.get(str2);
        if (id == null) {
            String str3 = "Could not find credentials for topology " + str2 + " at path " + str + ".";
            if (z) {
                str3 = str3 + " Don't know how to fix this automatically. Please add needed ACLs, or delete the path.";
            }
            throw new IllegalStateException(str3);
        }
        ArrayList arrayList = new ArrayList(2);
        arrayList.add(acl);
        arrayList.add(new ACL(i, id));
        return arrayList;
    }

    private static List<ACL> getTopoReadWrite(String str, String str2, Map<String, Id> map, ACL acl, boolean z) {
        return getTopoAcl(str, str2, map, acl, z, 31);
    }

    private static void verifyParentWithTopoChildrenDeleteDead(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z, int i) throws Exception {
        if (curatorFramework.checkExists().forPath(str) != null) {
            verifyAclStrict(curatorFramework, Arrays.asList(acl), str, z);
            HashSet hashSet = new HashSet();
            for (String str2 : curatorFramework.getChildren().forPath(str)) {
                String str3 = str + "/" + str2;
                if (map.containsKey(str2)) {
                    verifyAclStrictRecursive(curatorFramework, getTopoAcl(str, str2, map, acl, z, i), str3, z);
                } else {
                    hashSet.add(str2);
                }
            }
            if (hashSet.isEmpty()) {
                return;
            }
            hashSet.removeAll(curatorFramework.getChildren().forPath(ClusterUtils.STORMS_SUBTREE));
            Iterator it = hashSet.iterator();
            while (it.hasNext()) {
                curatorFramework.delete().deletingChildrenIfNeeded().forPath(str + "/" + ((String) it.next()));
            }
        }
    }

    private static void verifyParentWithReadOnlyTopoChildrenDeleteDead(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z) throws Exception {
        verifyParentWithTopoChildrenDeleteDead(curatorFramework, acl, str, map, z, 1);
    }

    private static void verifyParentWithReadWriteTopoChildrenDeleteDead(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z) throws Exception {
        verifyParentWithTopoChildrenDeleteDead(curatorFramework, acl, str, map, z, 31);
    }

    private static void verifyParentWithTopoChildren(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z, int i) throws Exception {
        if (curatorFramework.checkExists().forPath(str) != null) {
            verifyAclStrict(curatorFramework, Arrays.asList(acl), str, z);
            for (String str2 : curatorFramework.getChildren().forPath(str)) {
                verifyAclStrictRecursive(curatorFramework, getTopoAcl(str, str2, map, acl, z, i), str + "/" + str2, z);
            }
        }
    }

    private static void verifyParentWithReadOnlyTopoChildren(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z) throws Exception {
        verifyParentWithTopoChildren(curatorFramework, acl, str, map, z, 1);
    }

    private static void verifyParentWithReadWriteTopoChildren(CuratorFramework curatorFramework, ACL acl, String str, Map<String, Id> map, boolean z) throws Exception {
        verifyParentWithTopoChildren(curatorFramework, acl, str, map, z, 31);
    }

    private static void verifyAclStrictRecursive(CuratorFramework curatorFramework, List<ACL> list, String str, boolean z) throws Exception {
        verifyAclStrict(curatorFramework, list, str, z);
        Iterator<String> it = curatorFramework.getChildren().forPath(str).iterator();
        while (it.hasNext()) {
            verifyAclStrictRecursive(curatorFramework, list, str + "/" + it.next(), z);
        }
    }

    private static void verifyAclStrict(CuratorFramework curatorFramework, List<ACL> list, String str, boolean z) throws Exception {
        try {
            List<ACL> forPath = curatorFramework.getACL().forPath(str);
            if (!equivalent(forPath, list)) {
                if (!z) {
                    throw new IllegalStateException(str + " did not have the correct ACL found " + forPath + " expected " + list);
                }
                LOG.warn("{} expected to have ACL {}, but has {}.  Fixing...", new Object[]{str, list, forPath});
                curatorFramework.setACL().withACL(list).forPath(str);
            }
        } catch (KeeperException.NoNodeException e) {
            LOG.debug("{} removed in the middle of checking it", e);
        }
    }

    private static boolean equivalent(List<ACL> list, List<ACL> list2) {
        if (list.size() != list2.size()) {
            return false;
        }
        Iterator<ACL> it = list.iterator();
        while (it.hasNext()) {
            if (!list2.contains(it.next())) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] strArr) throws Exception {
        Map<String, Object> readStormConfig = Utils.readStormConfig();
        boolean z = false;
        for (String str : strArr) {
            String lowerCase = str.toLowerCase();
            if (!"-f".equals(lowerCase) && !"--fixup".equals(lowerCase)) {
                throw new IllegalArgumentException("Unsupported argument " + str + " only -f or --fixup is supported.");
            }
            z = true;
        }
        verifyAcls(readStormConfig, z);
    }
}
