package org.apache.nifi.security.krb;

import com.bazaarvoice.jolt.modifier.TemplatrSpecBuilder;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.lang3.Validate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/nifi-security-utils-1.8.0.jar:org/apache/nifi/security/krb/StandardKeytabUser.class */
public class StandardKeytabUser implements KeytabUser {
    private static final Logger LOGGER = LoggerFactory.getLogger(StandardKeytabUser.class);
    static final String DATE_FORMAT = "yyyy-MM-dd'T'HH:mm:ss'Z'";
    static final float TICKET_RENEW_WINDOW = 0.8f;
    private final String principal;
    private final String keytabFile;
    private final AtomicBoolean loggedIn = new AtomicBoolean(false);
    private Subject subject;
    private LoginContext loginContext;

    public StandardKeytabUser(String str, String str2) {
        this.principal = str;
        this.keytabFile = str2;
        Validate.notBlank(str);
        Validate.notBlank(str2);
    }

    @Override // org.apache.nifi.security.krb.KeytabUser
    public synchronized void login() throws LoginException {
        if (isLoggedIn()) {
            return;
        }
        try {
            if (this.loginContext == null) {
                LOGGER.debug("Initializing new login context...");
                this.subject = new Subject();
                this.loginContext = new LoginContext("KeytabConf", this.subject, (CallbackHandler) null, new KeytabConfiguration(this.principal, this.keytabFile));
            }
            this.loginContext.login();
            this.loggedIn.set(true);
            LOGGER.debug("Successful login for {}", new Object[]{this.principal});
        } catch (LoginException e) {
            throw new LoginException("Unable to login with " + this.principal + " and " + this.keytabFile + " due to: " + e.getMessage());
        }
    }

    @Override // org.apache.nifi.security.krb.KeytabUser
    public synchronized void logout() throws LoginException {
        if (isLoggedIn()) {
            try {
                this.loginContext.logout();
                this.loggedIn.set(false);
                LOGGER.debug("Successful logout for {}", new Object[]{this.principal});
                this.subject = null;
                this.loginContext = null;
            } catch (LoginException e) {
                throw new LoginException("Logout failed due to: " + e.getMessage());
            }
        }
    }

    @Override // org.apache.nifi.security.krb.KeytabUser
    public <T> T doAs(PrivilegedAction<T> privilegedAction) throws IllegalStateException {
        if (isLoggedIn()) {
            return (T) Subject.doAs(this.subject, privilegedAction);
        }
        throw new IllegalStateException("Must login before executing actions");
    }

    @Override // org.apache.nifi.security.krb.KeytabUser
    public <T> T doAs(PrivilegedExceptionAction<T> privilegedExceptionAction) throws IllegalStateException, PrivilegedActionException {
        if (isLoggedIn()) {
            return (T) Subject.doAs(this.subject, privilegedExceptionAction);
        }
        throw new IllegalStateException("Must login before executing actions");
    }

    @Override // org.apache.nifi.security.krb.KeytabUser
    public synchronized boolean checkTGTAndRelogin() throws LoginException {
        KerberosTicket tgt = getTGT();
        if (tgt == null) {
            LOGGER.debug("TGT was not found");
        }
        if (tgt != null && System.currentTimeMillis() < getRefreshTime(tgt)) {
            LOGGER.debug("TGT was found, but has not reached expiration window");
            return false;
        }
        LOGGER.debug("Performing relogin for {}", new Object[]{this.principal});
        logout();
        login();
        return true;
    }

    private synchronized KerberosTicket getTGT() {
        for (KerberosTicket kerberosTicket : this.subject.getPrivateCredentials(KerberosTicket.class)) {
            if (isTGSPrincipal(kerberosTicket.getServer())) {
                return kerberosTicket;
            }
        }
        return null;
    }

    private boolean isTGSPrincipal(KerberosPrincipal kerberosPrincipal) {
        if (kerberosPrincipal == null || !kerberosPrincipal.getName().equals("krbtgt/" + kerberosPrincipal.getRealm() + TemplatrSpecBuilder.AT + kerberosPrincipal.getRealm())) {
            return false;
        }
        if (!LOGGER.isTraceEnabled()) {
            return true;
        }
        LOGGER.trace("Found TGT principal: " + kerberosPrincipal.getName());
        return true;
    }

    private long getRefreshTime(KerberosTicket kerberosTicket) {
        long time = kerberosTicket.getStartTime().getTime();
        long time2 = kerberosTicket.getEndTime().getTime();
        if (LOGGER.isTraceEnabled()) {
            SimpleDateFormat simpleDateFormat = new SimpleDateFormat(DATE_FORMAT);
            String format = simpleDateFormat.format(new Date(time));
            String format2 = simpleDateFormat.format(new Date(time2));
            LOGGER.trace("TGT valid starting at: " + format);
            LOGGER.trace("TGT expires at: " + format2);
        }
        return time + (((float) (time2 - time)) * TICKET_RENEW_WINDOW);
    }

    @Override // org.apache.nifi.security.krb.KeytabUser
    public boolean isLoggedIn() {
        return this.loggedIn.get();
    }

    @Override // org.apache.nifi.security.krb.KeytabUser
    public String getPrincipal() {
        return this.principal;
    }

    @Override // org.apache.nifi.security.krb.KeytabUser
    public String getKeytabFile() {
        return this.keytabFile;
    }

    Subject getSubject() {
        return this.subject;
    }
}
