package org.hbase.async.auth;

import java.util.Date;
import java.util.Random;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.zookeeper.Shell;
import org.hbase.async.Config;
import org.jboss.netty.util.HashedWheelTimer;
import org.jboss.netty.util.Timeout;
import org.jboss.netty.util.TimerTask;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/hbase/async/auth/Login.class */
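/**
 * Holds the process-wide JAAS login used for SASL authentication and, when the
 * logged-in subject carries Kerberos tickets, keeps re-scheduling a renewal
 * task on the supplied {@link HashedWheelTimer}.
 *
 * <p>This listing is decompiler output. Several members carry a marker saying
 * their access modifier was widened from the original; the modifiers are kept
 * as shown so existing callers still compile.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The Kerberos ticket object is never passed to the logger. On many JDK
 *       releases {@code KerberosTicket.toString()} dumps the encoded ticket and
 *       the session key, so logging it would copy credential material into
 *       log files.</li>
 *   <li>The {@code kinit} binary path is read from configuration and executed
 *       as given. Whoever can edit that configuration chooses which program
 *       runs with this process's privileges.</li>
 * </ul>
 */
public class Login {
    /** Fraction of the ticket lifetime after which a renewal is attempted. */
    private static final float TICKET_RENEW_WINDOW = 0.8f;
    /** Upper bound of the random fraction added to the renewal window. */
    private static final float TICKET_RENEW_JITTER = 0.05f;
    /** Minimum delay, in milliseconds, between two login attempts. */
    static final long MIN_TIME_BEFORE_RELOGIN = 60000;
    /** Configuration key naming the JAAS section to log in with. */
    public static final String LOGIN_CONTEXT_NAME_KEY = "hbase.sasl.clientconfig";
    private static Login current_login;
    private final Config config;
    private final HashedWheelTimer timer;
    private final CallbackHandler callback_handler;
    private final String login_context_name;
    private final Subject subject;
    private final boolean is_kerberos_ticket;
    private LoginContext login_context;
    private boolean using_ticket_cache;
    private String principal;
    private static final Logger LOG = LoggerFactory.getLogger(Login.class);
    // Only used to spread renewal times; it is not a source of secrets.
    private static Random random = new Random(System.currentTimeMillis());

    /**
     * Timer task that renews the ticket and then re-arms itself, whether or
     * not the renewal succeeded.
     */
    class TicketRenewalTask implements TimerTask {
        TicketRenewalTask() {
        }

        /**
         * Refreshes the ticket cache (when one is in use), logs in again and
         * schedules the next run.
         *
         * @param timeout handle supplied by the timer; not used
         */
        public void run(Timeout timeout) {
            // Fallback delay used when the renewal fails before a real delay
            // could be computed.
            long delay = MIN_TIME_BEFORE_RELOGIN;
            try {
                if (Login.this.using_ticket_cache) {
                    Login.this.refreshTicketCache();
                }
                Login.this.reLogin();
                delay = Login.this.getRefreshDelay(Login.this.getTGT());
            } catch (Exception e) {
                // Covers LoginException too: a failed renewal must not stop
                // the renewal cycle.
                Login.LOG.error("Failed to renew ticket", e);
            } finally {
                // Runs on every path, including an escaping Error, so the
                // task is always re-armed.
                Login.LOG.debug("Scheduling next next login attempt in " + delay + " ms");
                Login.this.timer.newTimeout(this, delay, TimeUnit.MILLISECONDS);
            }
        }
    }

    /**
     * Creates the shared login on first use; later calls only log that a
     * login already exists and ignore their arguments.
     *
     * @param config client configuration, read later for the kinit path
     * @param hashedWheelTimer timer on which ticket renewal is scheduled
     * @param str JAAS login context name (section header of the JAAS file)
     * @param callbackHandler handler passed to the JAAS login context
     * @throws LoginException if the context name is null/empty or the login fails
     */
    public static synchronized void initUserIfNeeded(Config config, HashedWheelTimer hashedWheelTimer, String str, CallbackHandler callbackHandler) throws LoginException {
        if (current_login != null) {
            LOG.debug("Already logged in");
            return;
        }
        current_login = new Login(config, hashedWheelTimer, str, callbackHandler);
        LOG.info("Initialized kerberos login context");
    }

    /**
     * Returns the shared login, or {@code null} when
     * {@link #initUserIfNeeded} has not created one yet.
     * Decompiler note: originally package-private.
     */
    public static Login getCurrentLogin() {
        return current_login;
    }

    /**
     * Logs in through JAAS, reads the ticket-cache and principal options from
     * the first JAAS configuration entry, and schedules the first renewal when
     * the subject holds Kerberos tickets.
     *
     * @param config client configuration
     * @param hashedWheelTimer timer on which ticket renewal is scheduled
     * @param str JAAS login context name
     * @param callbackHandler handler passed to the JAAS login context
     * @throws LoginException if the context name is null/empty or the login fails
     */
    Login(Config config, HashedWheelTimer hashedWheelTimer, String str, CallbackHandler callbackHandler) throws LoginException {
        this.config = config;
        this.timer = hashedWheelTimer;
        this.login_context_name = str;
        this.callback_handler = callbackHandler;
        this.login_context = login(str);
        this.subject = this.login_context.getSubject();
        this.is_kerberos_ticket = !this.subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
        final AppConfigurationEntry[] entries = Configuration.getConfiguration().getAppConfigurationEntry(str);
        // getAppConfigurationEntry may return null when no entry matches.
        if (entries != null && entries.length > 0) {
            // Only the first entry of the JAAS section is consulted.
            final AppConfigurationEntry first = entries[0];
            final Object useTicketCache = first.getOptions().get("useTicketCache");
            if (useTicketCache != null && "true".equalsIgnoreCase((String) useTicketCache)) {
                this.using_ticket_cache = true;
            }
            final Object configuredPrincipal = first.getOptions().get("principal");
            if (configuredPrincipal != null) {
                this.principal = (String) configuredPrincipal;
            }
        }
        if (this.is_kerberos_ticket) {
            final long refreshDelay = getRefreshDelay(getTGT());
            hashedWheelTimer.newTimeout(new TicketRenewalTask(), refreshDelay, TimeUnit.MILLISECONDS);
            LOG.info("Scheduled ticket renewal in " + refreshDelay + " ms");
        }
    }

    /**
     * Returns the JAAS subject obtained at login. This is the live object
     * whose private credentials hold the tickets, not a copy.
     */
    public Subject getSubject() {
        return this.subject;
    }

    /**
     * Performs the initial JAAS login for the given context name.
     *
     * @param str JAAS login context name
     * @return the logged-in context
     * @throws LoginException if {@code str} is null or empty, or the login fails
     */
    private synchronized LoginContext login(String str) throws LoginException {
        if (str == null || str.isEmpty()) {
            throw new LoginException("Login context name (JAAS file section header) was null or empty. Please check your java.security.login.auth.config (=" + System.getProperty("java.security.auth.login.config") + ") and your " + LOGIN_CONTEXT_NAME_KEY + "(=" + str + ")");
        }
        LOG.debug("Constructing login context with context: " + str);
        final LoginContext loginContext = new LoginContext(str, this.callback_handler);
        loginContext.login();
        LOG.info("Successfully logged in.");
        return loginContext;
    }

    /**
     * Computes how long to wait before the next renewal attempt.
     * Decompiler note: originally private.
     *
     * @param kerberosTicket the current TGT, or {@code null} when none was found
     * @return delay in milliseconds; {@code 0} means renew immediately
     */
    public long getRefreshDelay(KerberosTicket kerberosTicket) {
        final long now = System.currentTimeMillis();
        if (kerberosTicket == null) {
            // Report the wall-clock time of the retry, not the raw interval.
            LOG.warn("No TGT found: will try again at " + new Date(now + MIN_TIME_BEFORE_RELOGIN));
            return MIN_TIME_BEFORE_RELOGIN;
        }
        final long start = kerberosTicket.getStartTime().getTime();
        final long expiry = kerberosTicket.getEndTime().getTime();
        LOG.info("TGT valid starting at:        " + kerberosTicket.getStartTime().toString());
        LOG.info("TGT expires:                  " + kerberosTicket.getEndTime().toString());
        // Renew after 80% of the lifetime plus up to 5% random jitter.
        final long proposed = (long) ((expiry - start) * (TICKET_RENEW_WINDOW + (TICKET_RENEW_JITTER * random.nextDouble())));
        if (this.using_ticket_cache && kerberosTicket.getEndTime().equals(kerberosTicket.getRenewTill())) {
            // The message says the refresh thread exits, but the visible code
            // only returns the minimum delay; the task keeps re-arming itself.
            LOG.error("The TGT cannot be renewed beyond the next expiration date: " + new Date(expiry) + ". This process will not be able to authenticate new SASL connections after that time. Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife " + this.principal + "' within kadmin, or instead, to generate a keytab for " + this.principal + ". Because the TGT's expiration cannot be further extended by refreshing, exiting refresh thread now.");
            return MIN_TIME_BEFORE_RELOGIN;
        }
        long delay;
        if (now + proposed > expiry || now + MIN_TIME_BEFORE_RELOGIN > expiry) {
            LOG.info("Refreshing now because expiration " + new Date(expiry) + " is before next scheduled refresh time " + new Date(now + proposed) + " or we are within " + MIN_TIME_BEFORE_RELOGIN + "ms of expiring.");
            delay = 0;
        } else {
            if (proposed < MIN_TIME_BEFORE_RELOGIN) {
                LOG.warn("TGT refresh thread time adjusted from : " + new Date(now + proposed) + " to : " + new Date(now + MIN_TIME_BEFORE_RELOGIN) + " since the former is sooner than the minimum refresh interval (60 seconds) from now.");
            }
            delay = Math.max(proposed, MIN_TIME_BEFORE_RELOGIN);
        }
        if (now + delay > expiry) {
            LOG.error("Next refresh: " + new Date(now + delay) + " is later than expiration " + new Date(expiry) + ". This may indicate a clock skew problem. Check that this host and the KDC's hosts' clocks are in sync.");
            delay = MIN_TIME_BEFORE_RELOGIN;
        }
        return delay;
    }

    /**
     * Looks for the ticket-granting ticket among the subject's private
     * credentials: the ticket whose server principal is
     * {@code krbtgt/REALM@REALM}.
     * Decompiler note: originally private.
     *
     * @return the TGT, or {@code null} when the subject holds none
     */
    public synchronized KerberosTicket getTGT() {
        for (KerberosTicket kerberosTicket : this.subject.getPrivateCredentials(KerberosTicket.class)) {
            final KerberosPrincipal server = kerberosTicket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                // Log identifying metadata only. KerberosTicket.toString() can
                // include the encoded ticket and session key on many JDKs.
                LOG.debug("Found tgt for " + server.getName() + ", expires " + kerberosTicket.getEndTime() + ".");
                return kerberosTicket;
            }
        }
        return null;
    }

    /**
     * Runs {@code kinit -R} to renew the ticket in the ticket cache.
     * Decompiler note: originally private.
     *
     * <p>The binary comes from the {@code asynchbase.security.auth.kinit}
     * property and defaults to {@code /usr/bin/kinit}. It is passed as an
     * argument array, so the value is not split or interpreted as a command
     * line, but it is executed as configured.
     *
     * @throws RuntimeException wrapping any failure to run the command
     */
    public void refreshTicketCache() {
        final String kinit = this.config.hasProperty("asynchbase.security.auth.kinit") ? this.config.getString("asynchbase.security.auth.kinit") : "/usr/bin/kinit";
        try {
            LOG.info("Executing kinit command: " + kinit + " -R");
            Shell.execCommand(new String[]{kinit, "-R"});
        } catch (Exception e) {
            throw new RuntimeException("Could not renew TGT due to problem running shell command: '" + kinit + " -R';", e);
        }
    }

    /**
     * Logs out and logs in again with the same subject. Does nothing when the
     * subject held no Kerberos ticket at construction time.
     * Decompiler note: originally private.
     *
     * @throws LoginException if no login context exists, or logout/login fails
     */
    public void reLogin() throws LoginException {
        if (!this.is_kerberos_ticket) {
            return;
        }
        if (this.login_context == null) {
            throw new LoginException("Login must be done first");
        }
        LOG.info("Initiating logout for " + this.principal);
        // Class-wide lock: logout and login are performed as one step with
        // respect to other code that locks on Login.class.
        synchronized (Login.class) {
            this.login_context.logout();
            // The new context reuses the existing subject and is created
            // without the callback handler used for the first login.
            this.login_context = new LoginContext(this.login_context_name, this.subject);
            LOG.info("Initiating re-login for " + this.principal);
            this.login_context.login();
            LOG.info("Relogin was successful for " + this.principal);
        }
    }
}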
