package org.trustedanalytics.hadoop.kerberos;

import com.google.common.base.Preconditions;
import com.google.common.collect.Maps;
import com.sun.security.auth.module.Krb5LoginModule;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Stream;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.trustedanalytics.hadoop.config.client.oauth.JwtToken;
import org.trustedanalytics.hadoop.config.client.oauth.TapOauthToken;

/* loaded from: input_file:org/trustedanalytics/hadoop/kerberos/Oauth2KrbLoginModule.class */
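/**
 * JAAS {@link LoginModule} that wraps {@link Krb5LoginModule}.
 *
 * <p>When the {@code useToken} option is {@code true}, {@link #initialize} obtains an OAuth2 JWT
 * through the supplied {@link CallbackHandler}, runs an external {@code ktinit} command that is
 * expected to write a Kerberos credential cache for the token's user, and then hands the
 * delegate a set of options pointing at that cache. When {@code useToken} is absent or false,
 * every call is passed straight through to the delegate.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The raw bearer token is passed to {@code ktinit} as a command-line argument (see
 *       {@link #prepareKrbCCache}). Command lines are commonly readable by other local
 *       processes while the child runs, so the host should be treated as single-tenant.</li>
 *   <li>The only post-condition checked after {@code ktinit} is that the cache path exists.</li>
 * </ul>
 */
public final class Oauth2KrbLoginModule implements LoginModule {
    private static final Logger LOGGER = LoggerFactory.getLogger(Oauth2KrbLoginModule.class);
    private LoginModule delegate = new Krb5LoginModule();
    private String ticketCache;
    private String ktinit;

    /** JAAS option keys understood by this module, with typed accessors over the options map. */
    public enum ConfigOptions {
        USE_TOKEN("useToken"),
        TOKEN_CACHE("tokenCache"),
        TICKET_CACHE("ticketCache"),
        KTINIT_COMMAND("ktinitCommand");

        private final String name;

        ConfigOptions(String str) {
            this.name = str;
        }

        /**
         * Looks this option up in {@code map}.
         *
         * @param map JAAS options; the value stored under this key must be a {@code String}
         * @return the configured value, or empty when the key is absent or mapped to null
         * @throws ClassCastException if the stored value is not a {@code String}
         */
        public Optional<String> asString(Map<String, ?> map) {
            return Optional.ofNullable((String) map.get(this.name));
        }

        /**
         * Reads this option as a boolean.
         *
         * @param map JAAS options
         * @return {@code true} only when the value equals "true" ignoring case; a missing key
         *     yields {@code false}
         */
        public boolean asBoolean(Map<String, ?> map) {
            return Boolean.parseBoolean((String) map.get(this.name));
        }

        /** Returns the option key as it appears in the JAAS configuration. */
        public String getName() {
            return this.name;
        }
    }

    /**
     * Prepares the ticket cache (token mode only) and initializes the delegate module.
     *
     * @param subject the subject to authenticate, passed through to the delegate
     * @param callbackHandler used to obtain the OAuth2 token in token mode
     * @param sharedState shared state, passed through to the delegate untouched
     * @param options module options; replaced by the result of
     *     {@link #prepareOptionsForDelegation} in token mode
     * @throws IllegalStateException if token retrieval or the ktinit run fails
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        Map<String, ?> delegateOptions = options;
        if (ConfigOptions.USE_TOKEN.asBoolean(options)) {
            try {
                JwtToken token = retrieveToken(callbackHandler, options);
                // An explicitly configured cache path wins; otherwise derive one from the principal.
                this.ticketCache = ConfigOptions.TICKET_CACHE.asString(options)
                        .orElseGet(() -> HadoopKrbLoginManager.ticketCacheLocation(getPrincipalName(token)));
                // NOTE(review): the default resolves ktinit relative to the process working
                // directory, so whoever controls user.dir controls which binary receives the
                // token. Prefer an absolute ktinitCommand in the JAAS configuration.
                this.ktinit = ConfigOptions.KTINIT_COMMAND.asString(options)
                        .orElse(System.getProperty("user.dir") + "/krb5jwt/bin/ktinit");
                prepareKrbCCache(token);
                delegateOptions = prepareOptionsForDelegation(token, options);
            } catch (IOException | UnsupportedCallbackException | LoginException e) {
                throw new IllegalStateException("Can't initialize " + Oauth2KrbLoginModule.class.getName() + "!", e);
            }
        }
        this.delegate.initialize(subject, callbackHandler, sharedState, delegateOptions);
    }

    /** Delegates to the wrapped module. */
    @Override
    public boolean login() throws LoginException {
        return this.delegate.login();
    }

    /** Delegates to the wrapped module. */
    @Override
    public boolean commit() throws LoginException {
        return this.delegate.commit();
    }

    /** Delegates to the wrapped module. */
    @Override
    public boolean abort() throws LoginException {
        return this.delegate.abort();
    }

    /** Delegates to the wrapped module. */
    @Override
    public boolean logout() throws LoginException {
        return this.delegate.logout();
    }

    /**
     * Runs {@code ktinit -t <token> -c <ticketCache> -P <principal>} and verifies that the
     * ticket cache path exists afterwards. Standard output of the child is logged at INFO.
     *
     * @param jwtToken token whose raw form and user id are handed to ktinit
     * @throws LoginException if ktinit cannot be started, exits non-zero (the message then
     *     carries its standard error), the calling thread is interrupted, or the cache path
     *     does not exist afterwards
     * @throws NullPointerException if the ticket cache location or ktinit command is not set
     */
    synchronized void prepareKrbCCache(JwtToken jwtToken) throws LoginException {
        Preconditions.checkNotNull(this.ticketCache, "Ticket cache location not set!");
        Preconditions.checkNotNull(this.ktinit, "ktinit command not set!");

        // Only the configured command prefix is split on whitespace, which keeps a setting such
        // as "ktinit --flag" working. Token, cache path and principal are passed as discrete
        // argv entries so whitespace inside any of them cannot add or shift arguments, which a
        // single formatted command string handed to Runtime.exec(String) would allow.
        String[] ktinitCommand = this.ktinit.trim().split("\\s+");
        String[] command = new String[ktinitCommand.length + 6];
        System.arraycopy(ktinitCommand, 0, command, 0, ktinitCommand.length);
        int next = ktinitCommand.length;
        command[next++] = "-t";
        // NOTE(review): the bearer token is still exposed in the child's argument list for the
        // lifetime of the process. If ktinit can read the token from stdin or a 0600 file,
        // switch to that.
        command[next++] = jwtToken.getRawToken();
        command[next++] = "-c";
        command[next++] = this.ticketCache;
        command[next++] = "-P";
        command[next] = getPrincipalName(jwtToken);

        try {
            Process process = new ProcessBuilder(command).start();
            // Drain stdout before waiting: waiting first can hang once the child fills the
            // pipe buffer. stderr is still read only after exit, so a very chatty stderr can
            // stall the child.
            try (BufferedReader stdout = new BufferedReader(new InputStreamReader(process.getInputStream()))) {
                stdout.lines().forEach(LOGGER::info);
            }
            int exitCode = process.waitFor();
            if (exitCode != 0) {
                StringBuilder message = new StringBuilder("ktinit execution failed: \n");
                try (BufferedReader stderr = new BufferedReader(new InputStreamReader(process.getErrorStream()))) {
                    stderr.lines().forEach(line -> message.append(line).append("\n"));
                }
                throw new LoginException(message.toString());
            }
            // NOTE(review): existence only. This does not show that ktinit created the file in
            // this run, nor check its owner or permissions; a file already present at the path
            // passes.
            if (!Files.exists(Paths.get(this.ticketCache))) {
                throw new LoginException("Failed to create krb credential cache in location: " + this.ticketCache);
            }
        } catch (InterruptedException e) {
            // Restore the flag so callers further up can observe the interruption.
            Thread.currentThread().interrupt();
            throw asLoginException(e);
        } catch (IOException e) {
            throw asLoginException(e);
        }
    }

    /** Wraps {@code cause} in a {@link LoginException} that reuses its message. */
    private static LoginException asLoginException(Exception cause) {
        LoginException loginException = new LoginException(cause.getMessage());
        loginException.initCause(cause);
        return loginException;
    }

    /**
     * Builds the option map handed to the delegate in token mode.
     *
     * <p>{@code principal} is always overwritten with the token's user id. Every other key is
     * only defaulted, so values from the JAAS configuration take precedence, including a
     * caller-supplied {@code ticketCache}.
     *
     * @param jwtToken token providing the user id
     * @param map original module options; not modified
     * @return a new map containing the original options plus the defaults above
     */
    @SuppressWarnings({"unchecked", "rawtypes"}) // parameter kept raw so existing callers still compile
    Map<String, ?> prepareOptionsForDelegation(JwtToken jwtToken, Map map) {
        HashMap<String, Object> delegateOptions = Maps.newHashMap(map);
        delegateOptions.put("principal", jwtToken.getUserId());
        delegateOptions.putIfAbsent("storeKey", "false");
        delegateOptions.putIfAbsent("doNotPrompt", "true");
        delegateOptions.putIfAbsent("useTicketCache", "true");
        delegateOptions.putIfAbsent("renewTGT", "true");
        delegateOptions.putIfAbsent("refreshKrb5Config", "true");
        delegateOptions.putIfAbsent("isInitiator", "true");
        delegateOptions.putIfAbsent("clearPass", "false");
        delegateOptions.putIfAbsent("ticketCache", this.ticketCache);
        return delegateOptions;
    }

    /**
     * Returns {@code <userId>@<realm>}, with the realm read from the
     * {@code java.security.krb5.realm} system property.
     *
     * @param jwtToken token providing the user id
     * @throws NullPointerException if {@code jwtToken} is null
     */
    String getPrincipalName(JwtToken jwtToken) {
        Preconditions.checkNotNull(jwtToken);
        // NOTE(review): if the realm property is unset this yields "<userId>@null"; confirm
        // the deployment always sets it.
        return jwtToken.getUserId() + "@" + System.getProperty("java.security.krb5.realm");
    }

    /**
     * Obtains the OAuth2 token by passing an {@code Oauth2TokenCallback} to the handler.
     *
     * @param callbackHandler handler invoked with the single token callback
     * @param map module options; {@code tokenCache} selects the file the token is read from
     * @return the token wrapped as a {@link TapOauthToken}
     * @throws IOException if the handler or the token retriever fails with an I/O error
     * @throws UnsupportedCallbackException if the handler rejects the callback
     * @throws NullPointerException if an argument is null, or no callback is available
     *     because the {@code tokenCache} option is missing
     */
    JwtToken retrieveToken(CallbackHandler callbackHandler, Map<String, ?> map) throws IOException, UnsupportedCallbackException {
        Preconditions.checkNotNull(callbackHandler, "CallbackHandler must be set in LoginContext! Try to set auth.login.defaultCallbackHandler security property.");
        Preconditions.checkNotNull(map);
        Callback[] callbacks = new Callback[1];
        ConfigOptions.TOKEN_CACHE.asString(map).ifPresent(tokenCachePath -> {
            callbacks[0] = new Oauth2TokenCallback(new FromFileTokenRetriver(tokenCachePath));
        });
        callbackHandler.handle(callbacks);
        // Without the tokenCache option the slot stays null unless the handler filled it;
        // fail with a message that names the missing option instead of a bare NPE on the cast.
        Preconditions.checkNotNull(callbacks[0], "No token callback available; is the '" + ConfigOptions.TOKEN_CACHE.getName() + "' option set?");
        return new TapOauthToken(((Oauth2TokenCallback) callbacks[0]).tokenRetriever().get());
    }
}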
