package com.huawei.fusioninsight.elasticsearch.transport.common;

import com.huawei.fusioninsight.elasticsearch.transport.client.ClientFactory;
import com.huawei.fusioninsight.elasticsearch.transport.client.PreBuiltHWTransportClient;
import com.sun.security.auth.login.ConfigFile;
import com.sun.security.auth.module.Krb5LoginModule;
import java.io.File;
import java.security.PrivilegedAction;
import java.util.Date;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/huawei/fusioninsight/elasticsearch/transport/common/KerberosAuthentication.class */
public class KerberosAuthentication {
    private static Subject subject;
    private static final String KERBEROS_V5_PRINCIPAL_NAME = "1.2.840.113554.1.2.2.1";
    private static final String JAVA_SECURITY_AUTH_CONFIG = "java.security.auth.login.config";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    private static final String NEGOTIATE = "Negotiate";
    private static final long MIN_TIME_BEFORE_RELOGIN = 60000;
    private static final float TICKET_RENEW_WINDOW = 0.8f;
    private static final int TEN_SECONDS = 10000;
    private static final int RETRY_NUMBER = 3;
    private static String esJaasConfFile;
    private static final Logger LOG = LogManager.getLogger(KerberosAuthentication.class);
    private static final Map<String, String> KERBEROS_OPTIONS = new HashMap(6);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/huawei/fusioninsight/elasticsearch/transport/common/KerberosAuthentication$RefreshTgtSingleton.class */
    public static class RefreshTgtSingleton {
        private static volatile ExecutorService esService;

        private RefreshTgtSingleton() {
        }

        public static void startRefreshThread() {
            if (esService == null) {
                synchronized (RefreshTgtSingleton.class) {
                    if (esService == null) {
                        esService = Executors.newFixedThreadPool(1, runnable -> {
                            Thread newThread = Executors.defaultThreadFactory().newThread(runnable);
                            newThread.setName("RefreshTGTThread");
                            newThread.setDaemon(true);
                            return newThread;
                        });
                    }
                    esService.submit(new RefreshTgtThread());
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/huawei/fusioninsight/elasticsearch/transport/common/KerberosAuthentication$RefreshTgtThread.class */
    public static class RefreshTgtThread implements Runnable {
        RefreshTgtThread() {
        }

        @Override // java.lang.Runnable
        public void run() {
            KerberosAuthentication.LOG.info("TGT refresh thread statrted");
            while (true) {
                try {
                    long currentTimeMillis = System.currentTimeMillis();
                    long nextRefreshTime = KerberosAuthentication.getNextRefreshTime(currentTimeMillis, KerberosAuthentication.subject);
                    if (currentTimeMillis <= nextRefreshTime) {
                        KerberosAuthentication.LOG.info("TGT refresh sleeping until: {}.", new Date(nextRefreshTime).toString());
                        Thread.sleep(nextRefreshTime - currentTimeMillis);
                    } else {
                        KerberosAuthentication.LOG.warn("nextRefresh:{} is in the past: exiting refresh thread. Check clock sync between this host and KDC - (KDC's clock is likely ahead of this host). Manual intervention will be required for this client to successfully authenticate. In case of TGT being expiring, try to refresh TGT right now.", new Date(nextRefreshTime));
                    }
                    KerberosAuthentication.getTgtwithRetry();
                } catch (Exception e) {
                    KerberosAuthentication.LOG.error("Failed to refresh TGT: refresh thread exiting now.", e);
                }
            }
        }
    }

    private static synchronized void getTGT() {
        try {
            if (KERBEROS_OPTIONS.isEmpty()) {
                initKerberosOptions();
                if (KERBEROS_OPTIONS.isEmpty()) {
                    LOG.error("Please confirm that keytab and principal in jass.conf are correct.");
                    throw new IllegalArgumentException("Please confirm that keytab and principal in jass.conf are correct.");
                }
            }
            Subject subject2 = new Subject();
            Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
            krb5LoginModule.initialize(subject2, (CallbackHandler) null, (Map) null, KERBEROS_OPTIONS);
            krb5LoginModule.login();
            krb5LoginModule.commit();
            subject = subject2;
            LOG.info("Get kerberos TGT successfully.");
        } catch (LoginException e) {
            LOG.error("LoginException : {}.", e.getMessage());
            LOG.error("Please confirm that keytab and principal in jass.conf are correct.");
        }
    }

    private static void initKerberosOptions() {
        KERBEROS_OPTIONS.clear();
        AppConfigurationEntry[] appConfigurationEntry = getAppConfigurationEntry();
        if (appConfigurationEntry == null || appConfigurationEntry.length <= 0) {
            LOG.error("Can not get ES app configuration entry from jaas conf file.");
            throw new IllegalArgumentException("Can not get ES app configuration entry from jaas conf file.");
        }
        for (AppConfigurationEntry appConfigurationEntry2 : appConfigurationEntry) {
            KERBEROS_OPTIONS.putAll(appConfigurationEntry2.getOptions());
        }
    }

    private static AppConfigurationEntry[] getAppConfigurationEntry() {
        String property = System.getProperty("elasticsearch.kerberos.jaas.appname", "EsClient");
        LOG.info(String.format(Locale.ENGLISH, "Get application configuration entry use by application name %s from jaas conf file.", property));
        return readAppConfigurationEntryByAppName(property);
    }

    private static AppConfigurationEntry[] readAppConfigurationEntryByAppName(String str) {
        LOG.info(String.format(Locale.ENGLISH, "Try to read the jaas configuration entry again, app name is %s.", str));
        AppConfigurationEntry[] appConfigurationEntryArr = null;
        LOG.info("Read application configuration entry from Es jaas conf file.");
        if (esJaasConfFile == null || esJaasConfFile.isEmpty()) {
            LOG.warn("Fail to get application configuration entry from from Es jaas conf file, because Es jaas conf file path is empty.");
        } else {
            appConfigurationEntryArr = readAppConfigurationEntryFromFile(esJaasConfFile, str);
            LOG.info(String.format(Locale.ENGLISH, " Complete to read from Es jaas conf file, app name is %s.", str));
        }
        if (appConfigurationEntryArr == null || appConfigurationEntryArr.length <= 0) {
            LOG.warn("Fail to get application configuration entry from esJaasConfFile.");
            LOG.info(String.format(Locale.ENGLISH, "Get application configuration entry use by application name %s from memory.", str));
            appConfigurationEntryArr = javax.security.auth.login.Configuration.getConfiguration().getAppConfigurationEntry(str);
        }
        String property = System.getProperty(JAVA_SECURITY_AUTH_CONFIG);
        if ((appConfigurationEntryArr == null || appConfigurationEntryArr.length <= 0) && property != null && !property.isEmpty()) {
            LOG.info(String.format(Locale.ENGLISH, "Get application configuration entry from %s.", JAVA_SECURITY_AUTH_CONFIG));
            appConfigurationEntryArr = readAppConfigurationEntryFromFile(property, str);
        }
        if (appConfigurationEntryArr == null || appConfigurationEntryArr.length <= 0) {
            LOG.error(String.format(Locale.ENGLISH, "Failed to read the jaas configuration entry user by application name %s.", str));
        }
        return appConfigurationEntryArr;
    }

    private static AppConfigurationEntry[] readAppConfigurationEntryFromFile(String str, String str2) {
        AppConfigurationEntry[] appConfigurationEntryArr = null;
        File file = new File(str);
        if (file.exists() && file.isFile()) {
            ConfigFile configFile = new ConfigFile(file.toURI());
            LOG.info(String.format(Locale.ENGLISH, "Get application configuration entry use by application name %s.", str2));
            appConfigurationEntryArr = configFile.getAppConfigurationEntry(str2);
        }
        return appConfigurationEntryArr;
    }

    private static byte[] initiateSecurityContext(Subject subject2, final String str) {
        return (byte[]) Subject.doAs(subject2, new PrivilegedAction<byte[]>() { // from class: com.huawei.fusioninsight.elasticsearch.transport.common.KerberosAuthentication.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public byte[] run() {
                GSSContext gSSContext = null;
                try {
                    try {
                        gSSContext = KerberosAuthentication.getGssContext(str);
                        gSSContext.requestMutualAuth(true);
                        gSSContext.requestCredDeleg(true);
                        byte[] bArr = new byte[0];
                        byte[] initSecContext = gSSContext.initSecContext(bArr, 0, bArr.length);
                        if (gSSContext != null) {
                            try {
                                gSSContext.dispose();
                            } catch (GSSException e) {
                                KerberosAuthentication.LOG.error("GSSException :" + e.getMessage());
                            }
                        }
                        return initSecContext;
                    } catch (Throwable th) {
                        if (gSSContext != null) {
                            try {
                                gSSContext.dispose();
                            } catch (GSSException e2) {
                                KerberosAuthentication.LOG.error("GSSException :" + e2.getMessage());
                            }
                        }
                        throw th;
                    }
                } catch (GSSException e3) {
                    KerberosAuthentication.LOG.error("GSSException :" + e3.getMessage());
                    if (gSSContext != null) {
                        try {
                            gSSContext.dispose();
                        } catch (GSSException e4) {
                            KerberosAuthentication.LOG.error("GSSException :" + e4.getMessage());
                        }
                    }
                    return null;
                }
            }
        });
    }

    private static byte[] initiateSecurityContextWithRetry(Subject subject2, String str) {
        byte[] initiateSecurityContext = initiateSecurityContext(subject2, str);
        for (int i = 0; null == initiateSecurityContext && i < 3; i++) {
            initiateSecurityContext(subject2, str);
        }
        return initiateSecurityContext;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static GSSContext getGssContext(String str) throws GSSException {
        GSSManager gSSManager = GSSManager.getInstance();
        GSSName createName = gSSManager.createName(str, new Oid(KERBEROS_V5_PRINCIPAL_NAME));
        Oid oid = new Oid(SPNEGO_OID);
        return gSSManager.createContext(createName.canonicalize(oid), oid, (GSSCredential) null, 0);
    }

    private String getServerTicket() {
        if (isSubjectWillExpire(subject)) {
            getTGT();
        }
        byte[] initiateSecurityContextWithRetry = initiateSecurityContextWithRetry(subject, ClientFactory.getServerRealm());
        if (null != initiateSecurityContextWithRetry) {
            return "Negotiate " + new Base64(0).encodeToString(initiateSecurityContextWithRetry);
        }
        throw new IllegalArgumentException("Get security token failed.");
    }

    private static long getTgtValidityPeriod(KerberosTicket kerberosTicket) {
        Date endTime = kerberosTicket.getEndTime();
        Date startTime = kerberosTicket.getStartTime();
        if (null == endTime || null == startTime) {
            return -1L;
        }
        return endTime.getTime() - startTime.getTime();
    }

    private static KerberosTicket getKerberosTicket(Subject subject2) {
        Set<Object> privateCredentials;
        KerberosTicket kerberosTicket = null;
        if (null == subject2 || null == (privateCredentials = subject2.getPrivateCredentials())) {
            return null;
        }
        for (Object obj : privateCredentials) {
            if (obj instanceof KerberosTicket) {
                kerberosTicket = (KerberosTicket) obj;
            }
        }
        return kerberosTicket;
    }

    public static void getNewToken(PreBuiltHWTransportClient preBuiltHWTransportClient) {
        String serverTicket = new KerberosAuthentication().getServerTicket();
        ThreadContext.StoredContext stashContext = preBuiltHWTransportClient.threadPool().getThreadContext().stashContext();
        try {
            preBuiltHWTransportClient.threadPool().getThreadContext().putHeader(SecurityConstant.CUSTOMISED_MODE, SecurityConstant.CLIENT);
            preBuiltHWTransportClient.threadPool().getThreadContext().putHeader(SecurityConstant.CUSTOMISED_AUTHORIZATION, serverTicket);
            preBuiltHWTransportClient.prepareAuthenticate().execute().actionGet();
            if (stashContext != null) {
                stashContext.close();
            }
        } catch (Throwable th) {
            if (stashContext != null) {
                try {
                    stashContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static boolean isSubjectWillExpire(Subject subject2) {
        if (null == subject2 || null == subject2.getPrincipals() || null == subject2.getPrivateCredentials()) {
            LOG.debug("The subject is invalid.");
            return true;
        }
        KerberosTicket kerberosTicket = getKerberosTicket(subject2);
        if (null == kerberosTicket) {
            return true;
        }
        long time = kerberosTicket.getEndTime() == null ? -1L : kerberosTicket.getEndTime().getTime();
        long tgtValidityPeriod = getTgtValidityPeriod(kerberosTicket);
        if (time <= 0 || time <= System.currentTimeMillis() || tgtValidityPeriod <= 0) {
            return true;
        }
        boolean z = ((double) (time - System.currentTimeMillis())) < ((double) tgtValidityPeriod) * 0.25d;
        if (z) {
            LOG.debug("TGT will expire!");
        }
        return z;
    }

    public static boolean isTokenExpire() {
        if (PreBuiltHWTransportClient.getTokenValidityPeriod() < 0) {
            return true;
        }
        long tokenWillExpireAt = PreBuiltHWTransportClient.getTokenWillExpireAt();
        return tokenWillExpireAt < 0 || tokenWillExpireAt < System.currentTimeMillis() || ((double) (tokenWillExpireAt - System.currentTimeMillis())) < ((double) PreBuiltHWTransportClient.getTokenValidityPeriod()) * 0.25d;
    }

    public static long tokenWillExpireAt(String str) {
        long j = -1;
        if (str == null) {
            LOG.warn("cookie is null.");
            return -1L;
        }
        String[] split = str.split("&e=");
        if (split.length < 2) {
            LOG.warn("cookie format is wrong.");
            return -1L;
        }
        try {
            j = Long.parseLong(split[1].split("&s")[0]);
        } catch (NumberFormatException e) {
            LOG.warn("cookie format is wrong," + e.getMessage());
        }
        return j;
    }

    public static synchronized void setEsJaasConfFile(String str) {
        esJaasConfFile = str;
        initKerberosOptions();
    }

    public static void startDaemonThread() {
        RefreshTgtSingleton.startRefreshThread();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void getTgtwithRetry() throws InterruptedException {
        int i = 1;
        while (i <= 3) {
            try {
                getTGT();
                LOG.info("TGT refresh at: {}", new Date(System.currentTimeMillis()));
                return;
            } catch (Exception e) {
                if (i < 3) {
                    i++;
                    Thread.sleep(10000L);
                } else {
                    LOG.error("Could not refresh TGT ", e);
                }
            }
        }
    }

    public static long getNextRefreshTime(long j, Subject subject2) {
        KerberosTicket kerberosTicket = getKerberosTicket(subject2);
        if (kerberosTicket == null) {
            LOG.warn("No TGT found: will try again at {}", new Date(j));
            return j;
        }
        long refreshTime = getRefreshTime(kerberosTicket);
        long time = kerberosTicket.getEndTime().getTime();
        Date date = new Date(time);
        if (kerberosTicket.getEndTime().equals(kerberosTicket.getRenewTill())) {
            LOG.error("The TGT cannot be renewed beyond the next expiry date: {}.This process will not be able to authenticate new SASL connections after that time (for example, it will not be authenticate a new connection with a Zookeeper Quorum member).  Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife username within kadmin, or instead, to generate a keytab for username. Because the TGT's expiry cannot be further extended by refreshing", date);
            throw new IllegalArgumentException(String.format(Locale.ENGLISH, "The TGT cannot be renewed beyond the next expiry date: %s.", date));
        }
        if (refreshTime < j + MIN_TIME_BEFORE_RELOGIN) {
            Date date2 = new Date(refreshTime);
            Date date3 = new Date(j + MIN_TIME_BEFORE_RELOGIN);
            refreshTime = j + MIN_TIME_BEFORE_RELOGIN;
            LOG.warn("TGT refresh thread time adjusted from : {} to : {} since the former is sooner than the minimum refresh interval ({} seconds) from now.", date2, date3, 60L);
        }
        if (refreshTime <= time) {
            return refreshTime;
        }
        LOG.info("refreshing now because expiry is before next scheduled refresh time.");
        return j;
    }

    private static long getRefreshTime(KerberosTicket kerberosTicket) {
        long time = kerberosTicket.getStartTime().getTime();
        long time2 = kerberosTicket.getEndTime().getTime();
        LOG.info("TGT valid starting at:        {}", kerberosTicket.getStartTime().toString());
        LOG.info("TGT expires:                  {}", kerberosTicket.getEndTime().toString());
        long j = time + (((float) (time2 - time)) * TICKET_RENEW_WINDOW);
        return j > time2 ? System.currentTimeMillis() : j;
    }
}
