package org.apache.sentry.core.common.transport;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import com.google.common.net.HostAndPort;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.PrivilegedExceptionAction;
import javax.annotation.concurrent.ThreadSafe;
import javax.security.auth.callback.CallbackHandler;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.service.common.ServiceConstants;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

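/**
 * Creates and opens Thrift client transports to a Sentry server.
 *
 * <p>With Kerberos enabled, each connection is a {@link TSocket} wrapped in a SASL
 * client transport using the Kerberos mechanism and the properties in
 * {@link #SASL_PROPERTIES}. With Kerberos disabled, the bare {@link TSocket} is
 * returned: that connection carries no authentication, integrity protection or
 * encryption, so it should only be used where the network path is otherwise trusted.
 *
 * <p>All instance state is final and assigned in the constructor.
 */
@ThreadSafe
public final class SentryTransportFactory implements TransportFactory {
    private static final Logger LOGGER = LoggerFactory.getLogger(SentryTransportFactory.class);

    /**
     * SASL negotiation properties applied to every Kerberos connection: the server
     * must authenticate itself to the client, and the quality of protection is
     * "auth-conf" (authentication plus integrity and confidentiality).
     *
     * <p>The server-authentication value is the literal "true" rather than a
     * reference to the unrelated schema-verification default constant, so a change
     * to that default can never alter the SASL settings.
     * NOTE(review): the constant reference looked like a decompiler substitution
     * for the same string; confirm against the original source.
     */
    private static final ImmutableMap<String, String> SASL_PROPERTIES = ImmutableMap.of(
            "javax.security.sasl.server.authentication", "true",
            "javax.security.sasl.qop", "auth-conf");

    private final boolean useUgi;
    private final String serverPrincipal;
    private final int connectionTimeout;
    private final boolean isKerberosEnabled;

    /**
     * SASL client transport that can perform the handshake as the Hadoop login user.
     *
     * <p>When a {@link UserGroupInformation} is attached, {@link #open()} runs the
     * SASL negotiation inside {@code ugi.doAs(...)}; otherwise the negotiation runs
     * with whatever security context the calling thread already has.
     */
    public static class UgiSaslClientTransport extends TSaslClientTransport {
        /** Login user to open the transport as, or {@code null} to open it directly. */
        private final UserGroupInformation ugi;

        /**
         * @param str SASL mechanism name
         * @param str2 protocol (service) part of the server's Kerberos principal
         * @param str3 server-name (host) part of the server's Kerberos principal
         * @param tTransport underlying transport to wrap
         * @param z whether to open the transport as the current login user
         * @throws IOException if the login user cannot be obtained
         */
        UgiSaslClientTransport(String str, String str2, String str3, TTransport tTransport, boolean z) throws IOException {
            // No authorization id and no callback handler are supplied.
            super(str, (String) null, str2, str3, SentryTransportFactory.SASL_PROPERTIES, (CallbackHandler) null, tTransport);
            this.ugi = z ? UserGroupInformation.getLoginUser() : null;
        }

        /**
         * Opens the transport, as the login user when one is attached.
         *
         * @throws TTransportException if the transport cannot be opened, including
         *     when the privileged action fails or the thread is interrupted
         */
        @Override
        public void open() throws TTransportException {
            if (this.ugi == null) {
                baseOpen();
                return;
            }
            try {
                // Keytab logins may have an expired ticket; give UGI the chance to
                // re-login before the handshake needs credentials.
                if (this.ugi.isFromKeytab()) {
                    this.ugi.checkTGTAndReloginFromKeytab();
                }
                this.ugi.doAs(new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws TTransportException {
                        UgiSaslClientTransport.this.baseOpen();
                        return null;
                    }
                });
            } catch (IOException e) {
                throw new TTransportException("Failed to open SASL transport: " + e.getMessage(), e);
            } catch (InterruptedException e2) {
                // Restore the interrupt flag so callers further up can still observe it.
                Thread.currentThread().interrupt();
                throw new TTransportException("Interrupted while opening underlying transport: " + e2.getMessage(), e2);
            }
        }

        /**
         * Invokes the superclass {@code open()}; exists so the privileged action in
         * {@link #open()} can reach it.
         *
         * @throws TTransportException if the superclass fails to open the transport
         */
        public void baseOpen() throws TTransportException {
            super.open();
        }
    }

    /**
     * Reads the connection settings once from the given configuration.
     *
     * @param configuration configuration to read settings from; must not be null
     * @param sentryClientTransportConfigInterface accessor that extracts the transport
     *     settings from {@code configuration}; must not be null
     * @throws NullPointerException if either argument is null
     */
    public SentryTransportFactory(Configuration configuration, SentryClientTransportConfigInterface sentryClientTransportConfigInterface) {
        Preconditions.checkNotNull(configuration, "Configuration object cannot be null");
        Preconditions.checkNotNull(sentryClientTransportConfigInterface, "Transport configuration cannot be null");
        this.connectionTimeout = sentryClientTransportConfigInterface.getServerRpcConnTimeoutInMs(configuration);
        this.isKerberosEnabled = sentryClientTransportConfigInterface.isKerberosEnabled(configuration);
        if (this.isKerberosEnabled) {
            this.useUgi = sentryClientTransportConfigInterface.useUserGroupInformation(configuration);
            this.serverPrincipal = sentryClientTransportConfigInterface.getSentryPrincipal(configuration);
        } else {
            // Kerberos-only settings are left unset so they cannot be used by accident.
            this.serverPrincipal = null;
            this.useUgi = false;
        }
    }

    /**
     * Opens a transport to the given server and pairs it with its address.
     *
     * @param hostAndPort server host and port to connect to
     * @return wrapper holding the opened transport and {@code hostAndPort}
     * @throws Exception if the transport cannot be created or opened
     */
    @Override
    public TTransportWrapper getTransport(HostAndPort hostAndPort) throws Exception {
        InetSocketAddress serverAddress = new InetSocketAddress(hostAndPort.getHostText(), hostAndPort.getPort());
        return new TTransportWrapper(connectToServer(serverAddress), hostAndPort);
    }

    /**
     * Creates a transport for the address and opens it.
     *
     * <p>If opening fails, the transport is closed before the failure is rethrown so
     * that a half-open socket is not left behind by a failed connect or handshake.
     */
    private TTransport connectToServer(InetSocketAddress serverAddress) throws Exception {
        TTransport transport = createTransport(serverAddress);
        try {
            transport.open();
        } catch (Exception e) {
            try {
                transport.close();
            } catch (RuntimeException closeFailure) {
                // Keep the original failure as the primary error.
                e.addSuppressed(closeFailure);
            }
            throw e;
        }
        LOGGER.debug("Successfully opened transport {} to {}", transport, serverAddress);
        return transport;
    }

    /**
     * Builds an unopened transport for the address: a plain socket when Kerberos is
     * disabled, otherwise a SASL transport wrapping that socket.
     *
     * @throws IOException if the resolved server principal does not split into
     *     three parts, or the login user cannot be obtained
     */
    private TTransport createTransport(InetSocketAddress serverAddress) throws IOException {
        String hostName = serverAddress.getHostName();
        int port = serverAddress.getPort();
        TSocket socket = new TSocket(hostName, port, this.connectionTimeout);
        if (!this.isKerberosEnabled) {
            // No SASL layer: the peer is not authenticated and traffic is not encrypted.
            LOGGER.debug("created unprotected connection to {}:{} ", hostName, port);
            return socket;
        }
        // The configured principal is resolved against the server's address, so name
        // resolution is part of what decides which service identity is expected.
        String resolvedPrincipal = SecurityUtil.getServerPrincipal(this.serverPrincipal, serverAddress.getAddress());
        String[] principalParts = SaslRpcServer.splitKerberosName(resolvedPrincipal);
        if (principalParts.length != 3) {
            throw new IOException("Kerberos principal should have 3 parts: " + resolvedPrincipal);
        }
        UgiSaslClientTransport saslTransport = new UgiSaslClientTransport(
                SaslRpcServer.AuthMethod.KERBEROS.getMechanismName(),
                principalParts[0],
                principalParts[1],
                socket,
                this.useUgi);
        LOGGER.debug("creating secured connection to {}:{} ", hostName, port);
        return saslTransport;
    }
}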
