package io.hetu.core.security.authentication.kerberos;

import com.hazelcast.logging.ILogger;
import com.hazelcast.logging.Logger;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:io/hetu/core/security/authentication/kerberos/KerberosAuthenticator.class */
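/**
 * Kerberos (GSS-API) authenticator for Hazelcast cluster members.
 *
 * <p>{@link #login()} performs a JAAS login under the configured login context, takes the
 * first principal of the resulting subject and acquires a GSS credential for it. That
 * credential is then used to accept peer tokens ({@link #doAuthenticateFilter}) and to
 * build tokens for the configured service principal ({@link #generateServiceToken}).
 * Both calls transparently re-login when the credential is about to expire.
 *
 * <p>NOTE(review): no synchronization is used; a relogin replaces the subject and
 * credential fields while other threads may still be using them. Presumably Hazelcast
 * calls this from a single thread — confirm with the caller.
 */
public class KerberosAuthenticator {
    private static final ILogger LOGGER = Logger.getLogger(KerberosAuthenticator.class);
    private static final String KRB5_CONFIG_FILE = "java.security.krb5.conf";
    private static final String JAAS_CONFIG_FILE = "java.security.auth.login.config";
    /** Remaining credential lifetime (seconds) at or below which a relogin is forced. */
    private static final int DEFAULT_CREDENTIAL_REFRESH_TIME_SEC = 60;
    private LoginContext loginContext;
    private Subject subject;
    private Principal principal;
    private GSSCredential currentCredential;
    private String servicePrincipalName;
    private GSSManager gssManager = GSSManager.getInstance();
    private String loginContextName = KerberosConfig.getLoginContextName();

    /**
     * Validates that everything a Kerberos login needs has been configured.
     *
     * @throws KerberosException if the login context name, the service principal name,
     *         the {@code java.security.krb5.conf} system property or the
     *         {@code java.security.auth.login.config} system property is missing or empty
     */
    public KerberosAuthenticator() {
        requireConfigured(this.loginContextName,
                "Enable hazelcast authentication, login context name should be set.");
        this.servicePrincipalName = KerberosConfig.getServicePrincipalName();
        requireConfigured(this.servicePrincipalName,
                "Enable hazelcast authentication, service principal name should be set.");
        requireConfigured(System.getProperty(KRB5_CONFIG_FILE),
                "Enable hazelcast authentication, krb5 config file should be set.");
        requireConfigured(System.getProperty(JAAS_CONFIG_FILE),
                "Enable hazelcast authentication, jaas config file should be set.");
    }

    /** Throws {@link KerberosException} with {@code message} when {@code value} is null or empty. */
    private static void requireConfigured(String value, String message) {
        if (value == null || value.isEmpty()) {
            throw new KerberosException(message);
        }
    }

    /**
     * Performs the JAAS login and acquires the GSS credential of the logged-in principal.
     *
     * <p>All state is computed into locals first and only published once every step has
     * succeeded, so a failed relogin leaves the previous (possibly still valid) subject,
     * principal and credential in place instead of a half-initialised object.
     *
     * @throws LoginException if the JAAS login fails or yields a subject without principals
     * @throws GSSException if the credential cannot be acquired
     */
    public void login() throws LoginException, GSSException {
        LoginContext freshContext = new LoginContext(this.loginContextName);
        freshContext.login();
        Subject freshSubject = freshContext.getSubject();
        if (freshSubject == null) {
            throw new LoginException("Login produced no subject");
        }
        if (freshSubject.getPrincipals().isEmpty()) {
            throw new LoginException("Empty principals in login subject");
        }
        // The subject may carry several principals; the first one is taken as "ours".
        Principal freshPrincipal = freshSubject.getPrincipals().iterator().next();
        GSSName ownName = this.gssManager.createName(shortName(freshPrincipal.getName()), GSSName.NT_USER_NAME);
        Oid[] mechs = {kerberosOid()};
        // Run under the fresh subject (not the published one) so the credential comes from the new login.
        GSSCredential freshCredential = runAs(freshSubject, () -> this.gssManager.createCredential(
                ownName, GSSCredential.INDEFINITE_LIFETIME, mechs, GSSCredential.INITIATE_AND_ACCEPT));
        // Publish only after everything succeeded. The previous context/credential are not
        // logged out or disposed here because in-flight GSS operations may still use them.
        this.loginContext = freshContext;
        this.subject = freshSubject;
        this.principal = freshPrincipal;
        this.currentCredential = freshCredential;
        LOGGER.info("Hazelcast kerberos login success.");
    }

    /**
     * Returns the full name of the logged-in principal (e.g. {@code user@REALM}).
     *
     * @return the principal name, or {@code null} if {@link #login()} has not succeeded yet
     */
    public String getPrincipalFullName() {
        return this.principal == null ? null : this.principal.getName();
    }

    /**
     * Returns the logged-in principal name without its realm part.
     *
     * @return the name up to the first {@code @}, or {@code null} if {@link #login()} has not succeeded yet
     */
    public String getPrincipalShortName() {
        return this.principal == null ? null : shortName(this.principal.getName());
    }

    /** Strips the realm: everything from the first {@code @} on. A name without {@code @} is returned unchanged. */
    private static String shortName(String principalName) {
        return principalName.split("@")[0];
    }

    /** Builds the Kerberos mechanism OID; {@link Oid}'s constructor is checked, so this cannot be a constant. */
    private static Oid kerberosOid() throws GSSException {
        return new Oid(KerberosConstant.KERBEROS_OID);
    }

    /**
     * Accepts a peer's Kerberos token and returns the authenticated peer principal.
     *
     * <p>The acceptor context is always disposed, whether or not the token was accepted.
     *
     * @param kerberosTokenCredentials credentials carrying the Base64-encoded GSS token
     * @return the peer principal if the security context was established, {@code null} otherwise
     * @throws GSSException if the context cannot be created or the token is rejected
     * @throws IllegalArgumentException if the credentials are null or the token is not valid Base64
     * @throws IllegalStateException if {@link #login()} has not been called
     */
    public Principal doAuthenticateFilter(KerberosTokenCredentials kerberosTokenCredentials) throws GSSException {
        if (kerberosTokenCredentials == null) {
            throw new IllegalArgumentException("kerberosTokenCredentials must not be null");
        }
        checkCredentialAndRelogin();
        GSSContext acceptor = doAs(() -> this.gssManager.createContext(this.currentCredential));
        try {
            byte[] token = Base64.getDecoder().decode(kerberosTokenCredentials.getToken());
            acceptor.acceptSecContext(token, 0, token.length);
            if (!acceptor.isEstablished()) {
                return null;
            }
            return new KerberosPrincipal(acceptor.getSrcName().toString());
        } finally {
            // Single dispose point; the original also disposed on the non-established path, disposing twice.
            acceptor.dispose();
        }
    }

    /**
     * Produces the initial GSS token towards the configured service principal.
     *
     * <p>Only the first leg of the handshake is generated; the initiator context is disposed
     * right after the token is produced, as no reply is ever fed back into it.
     *
     * @return credentials carrying the Base64-encoded token
     * @throws GSSException if the context cannot be created or produces no token
     * @throws IllegalStateException if {@link #login()} has not been called
     */
    public KerberosTokenCredentials generateServiceToken() throws GSSException {
        checkCredentialAndRelogin();
        GSSContext initiator = doAs(() -> this.gssManager.createContext(
                this.gssManager.createName(this.servicePrincipalName, GSSName.NT_USER_NAME),
                kerberosOid(),
                this.currentCredential,
                GSSContext.INDEFINITE_LIFETIME));
        try {
            byte[] noInput = new byte[0];
            byte[] token = initiator.initSecContext(noInput, 0, noInput.length);
            if (token == null) {
                // Would otherwise surface as an NPE inside the Base64 encoder.
                throw new GSSException(GSSException.FAILURE, 0, "initSecContext produced no token");
            }
            return new KerberosTokenCredentials(Base64.getEncoder().encode(token));
        } finally {
            initiator.dispose();
        }
    }

    /**
     * Re-logs in when the current credential has at most
     * {@link #DEFAULT_CREDENTIAL_REFRESH_TIME_SEC} seconds of lifetime left.
     *
     * <p>A failed relogin is logged and otherwise ignored on purpose: the existing credential
     * is kept and the following GSS call reports the problem to the caller.
     *
     * @throws IllegalStateException if {@link #login()} has never succeeded
     */
    private void checkCredentialAndRelogin() {
        if (this.currentCredential == null) {
            throw new IllegalStateException("login() must be called before the authenticator is used");
        }
        try {
            if (this.currentCredential.getRemainingLifetime() <= DEFAULT_CREDENTIAL_REFRESH_TIME_SEC) {
                LOGGER.info("Hazelcast kerberos relogin ...");
                login();
            }
        } catch (LoginException | GSSException e) {
            LOGGER.severe("Hazelcast kerberos relogin failed.", e);
        }
    }

    /**
     * Runs {@code privilegedExceptionAction} as the logged-in subject.
     *
     * @throws IllegalStateException if {@link #login()} has not been called
     * @throws KerberosException wrapping whatever the action threw
     */
    private <T> T doAs(PrivilegedExceptionAction<T> privilegedExceptionAction) {
        if (this.subject == null) {
            throw new IllegalStateException("login() must be called before running privileged actions");
        }
        return runAs(this.subject, privilegedExceptionAction);
    }

    /**
     * Runs {@code action} as {@code subject}, converting a failure into {@link KerberosException}.
     *
     * <p>{@link PrivilegedActionException} itself carries no message, so the wrapped
     * exception is used for the message and the chain is preserved via {@code initCause}.
     */
    private static <T> T runAs(Subject subject, PrivilegedExceptionAction<T> action) {
        try {
            return Subject.doAs(subject, action);
        } catch (PrivilegedActionException e) {
            LOGGER.severe("Failed to do as action.", e);
            Exception actual = e.getException();
            KerberosException wrapped =
                    new KerberosException("Failed to do as action: " + (actual == null ? e : actual));
            wrapped.initCause(e);
            throw wrapped;
        }
    }
}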
