package org.apache.hadoop.hive.om.utils;

import java.io.IOException;
import java.net.InetAddress;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.Authenticator;
import org.apache.hadoop.security.authentication.client.PseudoAuthenticator;
import org.apache.hadoop.security.authentication.util.AuthToken;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpOptions;
import org.apache.http.util.EntityUtils;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/om/utils/WebHCatAuthenticator.class */
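/**
 * Client-side authenticator for a WebHCat endpoint: it probes the URL with an HTTP
 * {@code OPTIONS} request and, when the server answers with a {@code Negotiate}
 * challenge, runs a SPNEGO/Kerberos exchange to obtain a {@code hadoop.auth} cookie.
 *
 * <p>Thread-safety: the target URL and the latest HTTP response are kept in instance
 * fields while an exchange is running, so one instance must not be used by concurrent
 * {@link #authenticate(URL)} calls.
 *
 * <p>NOTE(review): nothing in this class checks the URL scheme. The Negotiate token and the
 * resulting {@code hadoop.auth} cookie travel over whatever transport the caller's URL
 * and {@link HttpClient} provide; confirm that callers only pass {@code https} URLs.
 */
public class WebHCatAuthenticator {
    private static final Logger LOG = LoggerFactory.getLogger(WebHCatAuthenticator.class);
    public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    public static final String AUTHORIZATION = "Authorization";
    public static final String NEGOTIATE = "Negotiate";
    private static final String HADOOP_LOGIN_MODULE = "hive-keytab-kerberos";
    private static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
    private static final String AUTH_COOKIE_PREFIX = "hadoop.auth=";

    private final HttpClient httpClient;
    // Line length 0 disables chunking, so encoded tokens never contain line breaks.
    // Created eagerly so sendToken/readToken cannot hit a null codec.
    private final Base64 base64 = new Base64(0);
    // Per-exchange state, written by authenticate() and sendToken().
    private URL url;
    private HttpResponse response;

    /**
     * JAAS configuration that describes a single keytab-based Kerberos login under the
     * application name {@code hive-keytab-kerberos}.
     *
     * <p>The keytab path and principal are read from the system properties
     * {@code java.security.krb5.keytab} and {@code java.security.krb5.principal} each time
     * the entry is requested.
     */
    public static class HadoopConfiguration extends Configuration {

        private HadoopConfiguration() {
        }

        /**
         * Returns the Kerberos login entry for {@code hive-keytab-kerberos}, or an empty
         * array for any other application name.
         *
         * @param str the JAAS application name being looked up
         * @return one REQUIRED Krb5 login module entry, or an empty array
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            if (!HADOOP_LOGIN_MODULE.equals(str)) {
                return new AppConfigurationEntry[0];
            }
            // Built per call so the entry always reflects the current system properties
            // and no option map is shared between entries.
            Map<String, String> options = new HashMap<>();
            options.put("debug", "false");
            options.put("doNotPrompt", "true");
            options.put("useKeyTab", "true");
            options.put("storeKey", "true");
            options.put("refreshKrb5Config", "true");
            // Either property may be unset, in which case null is passed through to the
            // login module exactly as before.
            // NOTE(review): the keytab holds long-term keys; confirm the file named by
            // java.security.krb5.keytab is readable only by the service account.
            options.put("keyTab", System.getProperty("java.security.krb5.keytab"));
            options.put("principal", System.getProperty("java.security.krb5.principal"));
            AppConfigurationEntry entry = new AppConfigurationEntry(
                    KerberosUtil.getKrb5LoginModuleName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    options);
            return new AppConfigurationEntry[]{entry};
        }
    }

    /**
     * Creates an authenticator that sends its requests through the given client.
     *
     * @param httpClient client used for the probe and for every SPNEGO leg; when it is
     *     {@code null}, {@link #authenticate(URL)} returns {@code null}
     */
    public WebHCatAuthenticator(HttpClient httpClient) {
        this.httpClient = httpClient;
    }

    /**
     * Authenticates against {@code url} and returns the resulting authentication token.
     *
     * <p>A {@code 200} probe response that already carries a Kerberos token is returned
     * as is. A {@code 200} response carrying a non-Kerberos token is handed to the
     * fallback authenticator. A {@code 401} response with a {@code Negotiate} challenge
     * starts the SPNEGO exchange. Every other response yields {@code null}, because no
     * token exists to pass to the fallback authenticator.
     *
     * @param url the endpoint to authenticate against
     * @return the token, or {@code null} when {@code url} or the client is {@code null},
     *     the URL is not a valid URI, the client returns no response, or no token could
     *     be obtained
     * @throws IOException if an HTTP request fails
     * @throws AuthenticationException if the token cannot be parsed or the SPNEGO
     *     exchange fails
     */
    public AuthenticatedURL.Token authenticate(URL url) throws IOException, AuthenticationException {
        if (url == null) {
            return null;
        }
        this.url = url;
        HttpOptions probe;
        try {
            probe = new HttpOptions(url.toURI());
        } catch (URISyntaxException e) {
            // Pass the exception as the last argument so the stack trace is kept.
            LOG.error("httpClient execute url failed.", e);
            return null;
        }
        if (this.httpClient == null) {
            return null;
        }
        HttpResponse initial = this.httpClient.execute(probe);
        if (initial == null) {
            return null;
        }
        try {
            AuthenticatedURL.Token token = null;
            boolean useFallback = false;
            if (initial.getStatusLine().getStatusCode() == 200) {
                LOG.debug("JDK performed authentication on our behalf.");
                token = extractToken(initial);
                if (token == null) {
                    return null;
                }
                if (isTokenKerberos(token)) {
                    return token;
                }
                useFallback = true;
            }
            if (useFallback || !isNegotiate(initial)) {
                LOG.debug("Using fallback authenticator sequence.");
                Authenticator fallBackAuthenticator = getFallBackAuthenticator();
                if (token == null) {
                    return null;
                }
                // NOTE(review): the default fallback is PseudoAuthenticator, so a server
                // that answers 200 with a non-Kerberos token moves this client off
                // Kerberos without any error. Confirm that downgrade is acceptable for
                // the deployments that use this class.
                fallBackAuthenticator.authenticate(url, token);
                return token;
            }
            LOG.debug("Performing our own SPNEGO sequence.");
            return doSpnegoSequence();
        } finally {
            // Release the probe response on every exit path; the early returns above
            // used to leave its entity unconsumed.
            EntityUtils.consume(initial.getEntity());
        }
    }

    /**
     * Reads the {@code hadoop.auth} cookie from the response's {@code Set-Cookie} headers.
     *
     * @param httpResponse response to inspect; may be {@code null}
     * @return a token built from the last non-empty {@code hadoop.auth} cookie value, or
     *     {@code null} when there is none
     */
    private AuthenticatedURL.Token extractToken(HttpResponse httpResponse) {
        if (httpResponse == null) {
            return null;
        }
        AuthenticatedURL.Token token = null;
        for (Header header : httpResponse.getHeaders("Set-Cookie")) {
            String value = header.getValue();
            if (value == null || !value.startsWith(AUTH_COOKIE_PREFIX)) {
                continue;
            }
            String cookie = value.substring(AUTH_COOKIE_PREFIX.length());
            // Drop cookie attributes (Path, Expires, ...) that follow the value.
            int attributesStart = cookie.indexOf(';');
            if (attributesStart > -1) {
                cookie = cookie.substring(0, attributesStart);
            }
            if (!cookie.isEmpty()) {
                token = new AuthenticatedURL.Token(cookie);
            }
        }
        return token;
    }

    /**
     * Supplies the authenticator used when the server did not issue a Kerberos token.
     * Subclasses may override this to substitute a different fallback.
     *
     * @return a new {@link PseudoAuthenticator}
     */
    protected Authenticator getFallBackAuthenticator() {
        return new PseudoAuthenticator();
    }

    /**
     * Tells whether the token was issued for Kerberos authentication.
     *
     * @param token token taken from the server's cookie
     * @return {@code true} when the token is set and its type is {@code kerberos} or
     *     {@code kerberos-dt}
     * @throws AuthenticationException if the token string cannot be parsed
     */
    private boolean isTokenKerberos(AuthenticatedURL.Token token) throws AuthenticationException {
        if (!token.isSet()) {
            return false;
        }
        String type = AuthToken.parse(token.toString()).getType();
        // Literal-first comparison stays safe if the parsed token has no type.
        return "kerberos".equals(type) || "kerberos-dt".equals(type);
    }

    /**
     * Tells whether the response is a {@code 401} whose first {@code WWW-Authenticate}
     * header starts with {@code Negotiate}.
     *
     * @param httpResponse response to the probe request
     * @return {@code true} only for a 401 response with a Negotiate challenge
     * @throws IOException declared for interface compatibility
     */
    private boolean isNegotiate(HttpResponse httpResponse) throws IOException {
        if (httpResponse.getStatusLine().getStatusCode() != 401) {
            return false;
        }
        // A 401 without any WWW-Authenticate header used to raise a
        // NullPointerException here; treat it as "no Negotiate challenge" instead.
        Header challenge = httpResponse.getFirstHeader(WWW_AUTHENTICATE);
        if (challenge == null) {
            return false;
        }
        String value = challenge.getValue();
        return value != null && value.trim().startsWith(NEGOTIATE);
    }

    /**
     * Runs the SPNEGO exchange with the server and returns the token from its last reply.
     *
     * <p>When the calling thread has no {@link Subject} with Kerberos keys or tickets, a
     * keytab login is performed first through {@link HadoopConfiguration}.
     *
     * @return the token from the final response, or {@code null} when that response
     *     carries no {@code hadoop.auth} cookie
     * @throws IOException if consuming the final response fails
     * @throws AuthenticationException if the login or the GSS exchange fails, or if no
     *     response was received
     */
    private AuthenticatedURL.Token doSpnegoSequence() throws IOException, AuthenticationException {
        // Forget any response left over from an earlier exchange so it cannot be read
        // as if it belonged to this one.
        this.response = null;
        try {
            Subject subject = Subject.getSubject(AccessController.getContext());
            if (subject == null
                    || (subject.getPrivateCredentials(KerberosKey.class).isEmpty()
                            && subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) {
                org.apache.hadoop.conf.Configuration configuration = new org.apache.hadoop.conf.Configuration();
                configuration.set(HADOOP_SECURITY_AUTHENTICATION, "kerberos");
                subject = new Subject();
                new LoginContext(HADOOP_LOGIN_MODULE, subject, (CallbackHandler) null, new HadoopConfiguration()).login();
                HadoopKerberosName.setConfiguration(configuration);
            }
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    GSSContext gssContext = null;
                    try {
                        GSSManager gssManager = GSSManager.getInstance();
                        // NOTE(review): the service principal is built from a name
                        // returned by the resolver, not from the URL text alone; confirm
                        // name resolution is trusted where this runs.
                        String host = InetAddress.getByName(WebHCatAuthenticator.this.url.getHost()).getHostName();
                        String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP", host);
                        gssContext = gssManager.createContext(
                                gssManager.createName(servicePrincipal, KerberosUtil.getOidInstance("NT_GSS_KRB5_PRINCIPAL")),
                                KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID"),
                                (GSSCredential) null,
                                0);
                        // NOTE(review): delegation lets the service act with this
                        // principal's credentials when the ticket permits forwarding.
                        // Confirm WebHCat needs it; otherwise request false.
                        gssContext.requestCredDeleg(true);
                        gssContext.requestMutualAuth(true);
                        byte[] inToken = new byte[0];
                        while (true) {
                            byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
                            if (outToken != null) {
                                WebHCatAuthenticator.this.sendToken(outToken);
                            }
                            if (gssContext.isEstablished()) {
                                break;
                            }
                            inToken = WebHCatAuthenticator.this.readToken();
                        }
                        return null;
                    } finally {
                        if (gssContext != null) {
                            try {
                                gssContext.dispose();
                            } catch (GSSException ignored) {
                                // Disposal is best effort; the outcome of the exchange
                                // is already decided at this point.
                                LOG.debug("Ignoring failure while disposing the GSS context.", ignored);
                            }
                        }
                    }
                }
            });
            HttpResponse last = this.response;
            if (last == null) {
                // No token was ever sent, so there is no reply to read a cookie from.
                throw new AuthenticationException("Invalid SPNEGO sequence, no response received");
            }
            try {
                return extractToken(last);
            } finally {
                EntityUtils.consume(last.getEntity());
            }
        } catch (PrivilegedActionException e) {
            throw new AuthenticationException(e.getException());
        } catch (LoginException e2) {
            throw new AuthenticationException(e2);
        }
    }

    /**
     * Sends one GSS token to the server in an {@code Authorization: Negotiate} header and
     * stores the reply for {@link #readToken()}.
     *
     * <p>Declared public in this listing; the decompiler notes that it widened the
     * method from private so the anonymous action can call it.
     *
     * @param bArr raw GSS token to send
     * @throws IOException if the request fails or the stored URL is not a valid URI
     */
    public void sendToken(byte[] bArr) throws IOException {
        String encoded = this.base64.encodeToString(bArr);
        HttpOptions request;
        try {
            request = new HttpOptions(this.url.toURI());
        } catch (URISyntaxException e) {
            // Logging and carrying on would leave the previous response in place for
            // readToken(), so fail the exchange instead.
            throw new IOException("Cannot build the URI for the SPNEGO request", e);
        }
        request.setHeader(AUTHORIZATION, "Negotiate " + encoded);
        // Release the previous leg's response before issuing the next request so its
        // connection is not left allocated.
        HttpResponse previous = this.response;
        if (previous != null) {
            EntityUtils.consume(previous.getEntity());
        }
        this.response = this.httpClient.execute(request);
    }

    /**
     * Reads the server's GSS token from the {@code WWW-Authenticate} header of the latest
     * response.
     *
     * <p>Declared public in this listing; the decompiler notes that it widened the
     * method from private so the anonymous action can call it.
     *
     * @return the decoded token bytes
     * @throws IOException declared for interface compatibility
     * @throws AuthenticationException if there is no response, the status is neither 200
     *     nor 401, or the header is missing, is not a Negotiate challenge, or carries no
     *     token
     */
    public byte[] readToken() throws IOException, AuthenticationException {
        HttpResponse current = this.response;
        if (current == null) {
            throw new AuthenticationException("Invalid SPNEGO sequence, no response received");
        }
        int statusCode = current.getStatusLine().getStatusCode();
        if (statusCode != 200 && statusCode != 401) {
            throw new AuthenticationException("Invalid SPNEGO sequence, status code: " + statusCode);
        }
        // A reply without the header used to raise a NullPointerException, and a bare
        // "Negotiate" value a StringIndexOutOfBoundsException; both are protocol errors
        // and are reported as such.
        Header challenge = current.getFirstHeader(WWW_AUTHENTICATE);
        String value = challenge == null ? null : challenge.getValue();
        String trimmed = value == null ? "" : value.trim();
        if (!trimmed.startsWith(NEGOTIATE)) {
            throw new AuthenticationException("Invalid SPNEGO sequence, 'WWW-Authenticate' header incorrect: " + value);
        }
        String encoded = trimmed.substring(NEGOTIATE.length()).trim();
        if (encoded.isEmpty()) {
            throw new AuthenticationException("Invalid SPNEGO sequence, 'WWW-Authenticate' header incorrect: " + value);
        }
        return this.base64.decode(encoded);
    }
}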
