package org.trustedanalytics.hadoop.kerberos;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.jaas.memory.InMemoryConfiguration;
import sun.security.krb5.KrbAsReqBuilder;
import sun.security.krb5.KrbException;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.KDCOptions;
import sun.security.krb5.internal.ccache.Credentials;
import sun.security.krb5.internal.ccache.CredentialsCache;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/trustedanalytics/hadoop/kerberos/HadoopKrbLoginManager.class */
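/**
 * Kerberos login manager backed by the JDK {@code Krb5LoginModule} and Hadoop's
 * {@link UserGroupInformation}.
 *
 * <p>Constructing an instance has process-wide side effects: the KDC address and the
 * default realm are written to JVM system properties (see {@link #initKerberos}), and
 * every login replaces the JVM-global JAAS configuration (see
 * {@link #setKerbConfigFromOpts}). Two instances configured for different KDCs or
 * realms in the same JVM would therefore overwrite each other's settings.
 *
 * <p>Ticket caches are written as {@code FILE:} credential caches directly under
 * {@link #KRB5_CREDENTIALS_CACHE_DIR}. The file name is derived from the principal
 * name and is validated by {@link #cacheFileFor} so that it cannot leave that
 * directory.
 */
public final class HadoopKrbLoginManager implements KrbLoginManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(HadoopKrbLoginManager.class);
    /** System property holding the KDC address; written by {@link #initKerberos}. */
    static final String KRB5_KDC = "java.security.krb5.kdc";
    /** System property holding the default realm; written by {@link #initKerberos}. */
    static final String KRB5_REALM = "java.security.krb5.realm";
    /** Hadoop property naming the command used for ticket renewal; set in {@link #loginInHadoop}. */
    static final String KRB5_KINIT_CMD_PROP_NAME = "hadoop.kerberos.kinit.command";
    /** JGSS property; set to {@code false} so credentials outside the Subject (the ticket cache) may be used. */
    static final String KRB5_USE_SUBJECT_CREDS_LIMITATION = "javax.security.auth.useSubjectCredsOnly";
    /** System property for the krb5.conf location. Declared for callers; not read by this class. */
    static final String KRB5_CONF = "java.security.krb5.conf";
    /** Service part of the ticket-granting service principal ({@code krbtgt/REALM}). */
    static final String KRB5_TGT_PRINCIPAL_NAME = "krbtgt";
    private static final String KERB_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    /**
     * Directory that receives the per-principal credential caches.
     * NOTE(review): this is a shared, world-writable location with predictable file names;
     * a pre-existing file at the computed path is opened and reused rather than replaced.
     * A private, permission-restricted directory would be the safer choice.
     */
    private static final String KRB5_CREDENTIALS_CACHE_DIR = "/tmp/";
    private final FactoryHelper helper;

    /**
     * Indirection over the JAAS {@link LoginContext} and the JDK-internal Kerberos AS-REQ
     * machinery ({@code sun.security.krb5.*}), presumably kept separate so that tests can
     * substitute it through the package-private constructor.
     *
     * <p>Uses non-exported JDK internals; on JDK 9+ this may require {@code --add-exports}
     * flags at compile and run time.
     */
    static class FactoryHelper {
        FactoryHelper() {
        }

        /**
         * Creates a {@link LoginContext} that answers module callbacks with {@code handler}.
         *
         * @param name    the JAAS application entry name
         * @param handler callback handler supplying the password
         * @throws LoginException if the context cannot be created
         */
        LoginContext getLoginContext(String name, CallbackHandler handler) throws LoginException {
            return new LoginContext(name, handler);
        }

        /**
         * Creates a {@link LoginContext} without a callback handler (keytab-based logins).
         *
         * @param name the JAAS application entry name
         * @throws LoginException if the context cannot be created
         */
        LoginContext getLoginContext(String name) throws LoginException {
            return new LoginContext(name);
        }

        /**
         * Obtains a TGT for {@code principal} with the given password and stores it in the
         * on-disk credentials cache for that principal.
         *
         * <p>Synchronized on this helper so concurrent logins do not write the same cache
         * file at the same time.
         *
         * @param principal client principal name, with or without {@code @REALM}
         * @param password  the principal's password; this method does not clear it
         * @throws LoginException wrapping any {@link KrbException} or {@link IOException}
         */
        synchronized void cacheKrbCredentials(String principal, char[] password) throws LoginException {
            try {
                PrincipalName client = new PrincipalName(principal, PrincipalName.KRB_NT_PRINCIPAL);
                getTgt(client, prepareTgtReq(client, password));
            } catch (KrbException | IOException e) {
                throw asLoginException(e);
            }
        }

        /**
         * Obtains a TGT for {@code principal} using the key stored in {@code keyTabPath} and
         * stores it in the on-disk credentials cache for that principal.
         *
         * @param principal  client principal name, with or without {@code @REALM}
         * @param keyTabPath path of the keytab file holding the principal's key
         * @throws LoginException wrapping any {@link KrbException} or {@link IOException}
         */
        synchronized void cacheKrbCredentials(String principal, String keyTabPath) throws LoginException {
            try {
                PrincipalName client = new PrincipalName(principal, PrincipalName.KRB_NT_PRINCIPAL);
                getTgt(client, prepareTgtReq(client, keyTabPath));
            } catch (KrbException | IOException e) {
                throw asLoginException(e);
            }
        }

        /** Wraps a Kerberos or I/O failure in a {@link LoginException}, preserving the cause. */
        private static LoginException asLoginException(Exception cause) {
            LoginException loginException = new LoginException(cause.getMessage());
            loginException.initCause(cause);
            return loginException;
        }

        /** Builds an AS-REQ for {@code client} authenticated with a password. */
        private KrbAsReqBuilder prepareTgtReq(PrincipalName client, char[] password) throws KrbException {
            return new KrbAsReqBuilder(client, password);
        }

        /** Builds an AS-REQ for {@code client} authenticated with a key from the given keytab file. */
        private KrbAsReqBuilder prepareTgtReq(PrincipalName client, String keyTabPath) throws KrbException {
            return new KrbAsReqBuilder(client, KeyTab.getInstance(new File(keyTabPath)));
        }

        /**
         * Runs the AS exchange for {@code client} and persists the resulting TGT into the
         * {@code FILE:} credentials cache for that principal.
         *
         * @param client  the client principal; its full name selects the cache file
         * @param request a builder already bound to the client's password or keytab
         * @throws KrbException if the exchange with the KDC fails
         * @throws IOException  if the credentials cache cannot be read or written
         */
        private void getTgt(PrincipalName client, KrbAsReqBuilder request) throws KrbException, IOException {
            // Ticket-granting service of the realm initKerberos() put on the JVM.
            PrincipalName tgs = new PrincipalName(
                    KRB5_TGT_PRINCIPAL_NAME + "/" + System.getProperty(KRB5_REALM),
                    PrincipalName.KRB_NT_SRV_INST);
            // Same directory and naming scheme as the JAAS 'ticketCache' option and
            // loginInHadoop(), so the login module and Hadoop find what is written here.
            String cacheFile = "FILE:" + cacheFileFor(client.getName());

            KDCOptions options = new KDCOptions();
            options.set(KDCOptions.FORWARDABLE, true);
            options.set(KDCOptions.PROXIABLE, true);
            options.set(KDCOptions.RENEWABLE, true);

            Credentials tgt;
            try {
                request.setOptions(options);
                request.setTarget(tgs);
                request.action();
                tgt = request.getCCreds();
            } finally {
                // Release the builder's copy of the password/key even when the exchange fails;
                // previously destroy() was skipped on any exception from action().
                request.destroy();
            }

            CredentialsCache cache = CredentialsCache.getInstance(client, cacheFile);
            if (cache == null) {
                LOGGER.debug("Creating new credentials cache file: {}", cacheFile);
                cache = CredentialsCache.create(client, cacheFile);
            }
            cache.update(tgt);
            cache.save();
        }
    }

    /**
     * {@link CallbackHandler} that answers every {@link PasswordCallback} with one fixed
     * password and rejects any other callback type.
     *
     * <p>The password array is held by reference, not copied; the caller keeps ownership
     * and is responsible for clearing it once the login has completed.
     */
    static final class FixedPasswordHandler implements CallbackHandler {
        private final char[] password;

        /** @param password the password to hand to every {@link PasswordCallback} */
        public FixedPasswordHandler(char[] password) {
            this.password = password;
        }

        /**
         * Sets the fixed password on each {@link PasswordCallback}.
         *
         * @throws UnsupportedCallbackException on the first callback that is not a
         *                                      {@link PasswordCallback}
         */
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(callback);
                }
            }
        }
    }

    /**
     * Creates a manager for the given KDC and realm with a custom {@link FactoryHelper}.
     *
     * <p>Writes the KDC and realm into JVM-wide system properties as a side effect.
     *
     * @param kdcAddress    KDC host (and optional port); must not be empty
     * @param defaultRealm  default Kerberos realm; must not be empty
     * @param factoryHelper helper used to build login contexts and fetch TGTs
     * @throws IllegalArgumentException if {@code kdcAddress} or {@code defaultRealm} is empty
     * @throws NullPointerException     if {@code factoryHelper} is {@code null}
     */
    HadoopKrbLoginManager(String kdcAddress, String defaultRealm, FactoryHelper factoryHelper) {
        validateParams(kdcAddress, defaultRealm);
        initKerberos(kdcAddress, defaultRealm);
        this.helper = Preconditions.checkNotNull(factoryHelper, "FactoryHelper can't be null!");
    }

    /**
     * Creates a manager for the given KDC and realm using the default {@link FactoryHelper}.
     *
     * @param kdcAddress   KDC host (and optional port); must not be empty
     * @param defaultRealm default Kerberos realm; must not be empty
     * @throws IllegalArgumentException if either argument is empty
     */
    public HadoopKrbLoginManager(String kdcAddress, String defaultRealm) {
        this(kdcAddress, defaultRealm, new FactoryHelper());
    }

    /**
     * Rejects empty KDC address or realm.
     *
     * @throws IllegalArgumentException if either value is {@code null} or empty
     */
    static void validateParams(String kdcAddress, String defaultRealm) {
        Preconditions.checkArgument(!Strings.isNullOrEmpty(kdcAddress), "KDC address cannot be empty");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(defaultRealm), "Default realm cannot be empty");
    }

    /**
     * JWT-based login is not implemented by this manager.
     *
     * <p>Returning {@code null} here would let a caller continue as if authentication had
     * succeeded (for example, {@code Subject.doAs(null, ...)} runs without any principal),
     * so the method fails explicitly instead.
     *
     * @throws LoginException always
     */
    @Override
    public Subject loginWithJWTtoken(String jwtToken) throws LoginException {
        throw new LoginException("Login with JWT token is not supported by " + getClass().getSimpleName());
    }

    /**
     * Logs {@code principal} in with a password: installs a JAAS configuration for the
     * principal, fetches a TGT into the on-disk cache, then runs the JAAS login.
     *
     * @param principal client principal name
     * @param password  the principal's password; not cleared by this method
     * @return the authenticated {@link Subject}
     * @throws LoginException if the TGT request or the JAAS login fails
     */
    @Override
    public Subject loginWithCredentials(String principal, char[] password) throws LoginException {
        setKerbConfigFromOpts(getDefaultOptionsForPrincipal(principal));
        LoginContext context = helper.getLoginContext(KERB_MODULE, new FixedPasswordHandler(password));
        // Fill the ticket cache before the JAAS login, presumably so the module's
        // 'useTicketCache' option and Hadoop's UGI can pick the TGT up from disk.
        helper.cacheKrbCredentials(principal, password);
        return login(context);
    }

    /**
     * Logs {@code principal} in with a keytab: installs a keytab-based JAAS configuration,
     * fetches a TGT into the on-disk cache, then runs the JAAS login.
     *
     * @param principal  client principal name
     * @param keyTabPath path of the keytab holding the principal's key
     * @return the authenticated {@link Subject}
     * @throws LoginException if the TGT request or the JAAS login fails
     */
    @Override
    public Subject loginWithKeyTab(String principal, String keyTabPath) throws LoginException {
        setKerbConfigFromOpts(getKeyTabOptionsForPrincipal(principal, keyTabPath));
        LoginContext context = helper.getLoginContext(KERB_MODULE);
        helper.cacheKrbCredentials(principal, keyTabPath);
        return login(context);
    }

    /**
     * Points the Hadoop configuration at the subject's ticket cache and installs it as the
     * JVM-wide {@link UserGroupInformation} configuration.
     *
     * @param subject       an authenticated subject with at least one principal
     * @param configuration Hadoop configuration to update and install
     * @throws IOException          if a UGI cannot be built from the ticket cache
     * @throws NullPointerException if either argument is {@code null}
     */
    @Override
    public void loginInHadoop(Subject subject, Configuration configuration) throws IOException {
        Preconditions.checkNotNull(subject, "Subject can't be null!");
        Preconditions.checkNotNull(configuration, "Hadoop configuration can't be null!");
        String ticketCache = ticketCacheLocation(subject);
        configuration.set("hadoop.security.kerberos.ticket.cache.path", ticketCache);
        // NOTE(review): the principal name taken from the Subject ends up in a command
        // string that Hadoop may run for ticket renewal; ticketCacheLocation() rejects
        // names that would leave the cache directory, but the name is otherwise used as-is.
        configuration.set(KRB5_KINIT_CMD_PROP_NAME, "kinit -c " + ticketCache);
        // Result discarded: presumably called for its side effect of verifying that a UGI
        // can be built from the cache before the configuration is made global.
        getUGI(subject);
        UserGroupInformation.setConfiguration(configuration);
    }

    /**
     * Builds a {@link UserGroupInformation} from the subject's ticket cache and user name.
     *
     * @param subject an authenticated subject with at least one principal
     * @throws IOException          if Hadoop cannot build the UGI
     * @throws NullPointerException if {@code subject} is {@code null}
     */
    @Override
    public UserGroupInformation getUGI(Subject subject) throws IOException {
        Preconditions.checkNotNull(subject, "Subject can't be null!");
        return UserGroupInformation.getBestUGI(ticketCacheLocation(subject), getUserName(subject));
    }

    /**
     * Returns the name of the subject's first principal (iteration order of
     * {@link Subject#getPrincipals()}).
     *
     * @throws NullPointerException     if {@code subject} is {@code null}
     * @throws IllegalArgumentException if the subject carries no principal
     */
    String getUserName(Subject subject) {
        Preconditions.checkNotNull(subject, "Subject can't be null!");
        Preconditions.checkArgument(!subject.getPrincipals().isEmpty(), "Can't find any principal in given Subject!");
        return subject.getPrincipals().iterator().next().getName();
    }

    /** Path of the on-disk ticket cache for the subject's first principal. */
    private String ticketCacheLocation(Subject subject) {
        return cacheFileFor(getUserName(subject));
    }

    /**
     * Builds the credentials-cache file path for a principal and checks that it stays
     * inside {@link #KRB5_CREDENTIALS_CACHE_DIR}.
     *
     * <p>The principal name comes from caller input or from the authenticated Subject and
     * is used verbatim as a file name; {@code ..} segments or an absolute name would
     * otherwise redirect the cache (and the kinit command built on it) elsewhere.
     * Names containing {@code /} (service principals) are accepted as long as they
     * resolve below the cache directory.
     *
     * @param principalWithRealm file-name component, e.g. {@code user@REALM}
     * @return {@code KRB5_CREDENTIALS_CACHE_DIR + principalWithRealm}, unchanged
     * @throws IllegalArgumentException if the name is empty or the normalized path escapes
     *                                  the cache directory
     */
    static String cacheFileFor(String principalWithRealm) {
        Preconditions.checkArgument(!Strings.isNullOrEmpty(principalWithRealm), "Principal name cannot be empty");
        Path baseDir = Paths.get(KRB5_CREDENTIALS_CACHE_DIR);
        Path resolved = baseDir.resolve(principalWithRealm).normalize();
        Preconditions.checkArgument(resolved.startsWith(baseDir) && !resolved.equals(baseDir),
                "Ticket cache path for principal '%s' escapes %s", principalWithRealm, KRB5_CREDENTIALS_CACHE_DIR);
        return KRB5_CREDENTIALS_CACHE_DIR + principalWithRealm;
    }

    /**
     * Publishes KDC and realm to JVM-wide system properties and allows JGSS to use
     * credentials from outside the Subject. Global: affects every Kerberos user in the JVM.
     */
    private void initKerberos(String kdcAddress, String defaultRealm) {
        System.setProperty(KRB5_KDC, kdcAddress);
        System.setProperty(KRB5_REALM, defaultRealm);
        System.setProperty(KRB5_USE_SUBJECT_CREDS_LIMITATION, "false");
    }

    /** Default Krb5LoginModule options plus {@code useKeyTab=true} and the keytab path. */
    private static Map<String, String> getKeyTabOptionsForPrincipal(String principal, String keyTabPath) {
        Map<String, String> options = getDefaultOptionsForPrincipal(principal);
        options.put("keyTab", keyTabPath);
        options.put("useKeyTab", "true");
        return options;
    }

    /** Runs the JAAS login and returns the resulting subject. */
    private Subject login(LoginContext loginContext) throws LoginException {
        loginContext.login();
        return loginContext.getSubject();
    }

    /**
     * Replaces the JVM-global JAAS configuration with a single REQUIRED
     * {@code Krb5LoginModule} entry using the given options.
     *
     * <p>Global side effect: any other JAAS configuration previously installed in this JVM
     * is discarded.
     *
     * @param options Krb5LoginModule options, see {@link #getDefaultOptionsForPrincipal}
     */
    public void setKerbConfigFromOpts(Map<String, String> options) {
        AppConfigurationEntry entry = new AppConfigurationEntry(
                KERB_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
        javax.security.auth.login.Configuration.setConfiguration(
                new InMemoryConfiguration(new AppConfigurationEntry[]{entry}));
    }

    /**
     * Krb5LoginModule options for a password-based login of {@code principal}.
     *
     * <p>The {@code ticketCache} option is {@code principal + "@" + realm} under the cache
     * directory. NOTE(review): if callers already pass {@code user@REALM} this yields a
     * doubled realm suffix, which would not match the file FactoryHelper.getTgt() writes
     * (derived from {@code PrincipalName.getName()}); confirm the expected input form.
     * NOTE(review): {@code debug=true} makes the module print ticket details to stdout;
     * consider making it configurable for production use.
     *
     * @return a mutable map that {@link #getKeyTabOptionsForPrincipal} extends
     */
    private static Map<String, String> getDefaultOptionsForPrincipal(String principal) {
        Map<String, String> options = new HashMap<>();
        LOGGER.debug("Using principal name : {}", principal);
        options.put("principal", principal);
        options.put("storeKey", "false");
        options.put("doNotPrompt", "false");
        options.put("useTicketCache", "true");
        options.put("renewTGT", "true");
        options.put("refreshKrb5Config", "true");
        options.put("isInitiator", "true");
        options.put("clearPass", "false");
        options.put("ticketCache", cacheFileFor(principal + "@" + System.getProperty(KRB5_REALM)));
        options.put("debug", "true");
        return options;
    }
}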
