package com.huawei.airlift.http.client.spnego;

import com.huawei.hetu.highavailability.zookeeper.AuthConstant;
import com.sun.security.auth.module.Krb5LoginModule;
import io.prestosql.jdbc.$internal.airlift.http.client.KerberosNameType;
import io.prestosql.jdbc.$internal.airlift.log.Logger;
import io.prestosql.jdbc.$internal.airlift.units.Duration;
import io.prestosql.jdbc.$internal.guava.cache.Cache;
import io.prestosql.jdbc.$internal.guava.cache.CacheBuilder;
import io.prestosql.jdbc.$internal.guava.collect.ImmutableMap;
import io.prestosql.jdbc.$internal.javax.annotation.concurrent.GuardedBy;
import java.io.File;
import java.io.UncheckedIOException;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.security.Principal;
import java.util.Locale;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/huawei/airlift/http/client/spnego/SPNEGOTokenHandler.class */
public class SPNEGOTokenHandler {
    private static final int CACHE_SIZE = 1000;
    private static final int CONCURRENCY_LEVEL = 16;
    private static final long MAX_LIFETIME = 300000;
    private static final Oid SPNEGO_OID;
    private static final Oid KERBEROS_OID;
    private final File keytab;
    private final File credentialCache;
    private final String servicePrincipalPattern;
    private final String principal;
    private final String remoteServiceName;
    private final boolean useCanonicalHostname;
    private final Oid nameType;
    private final boolean tokenCacheEnabled;
    private final Cache<URI, byte[]> tokenCache;

    @GuardedBy("this")
    private Session clientSession;
    private static final Logger LOG = Logger.get((Class<?>) SPNEGOTokenHandler.class);
    private static final Duration MIN_CREDENTIAL_LIFE_TIME = new Duration(60.0d, TimeUnit.SECONDS);
    private static final GSSManager GSS_MANAGER = GSSManager.getInstance();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/huawei/airlift/http/client/spnego/SPNEGOTokenHandler$GssSupplier.class */
    public interface GssSupplier<T> {
        T get() throws GSSException;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/huawei/airlift/http/client/spnego/SPNEGOTokenHandler$Session.class */
    public static class Session {
        private final LoginContext loginContext;
        private final GSSCredential clientCredential;

        Session(LoginContext loginContext, GSSCredential gSSCredential) {
            Objects.requireNonNull(loginContext, "loginContext is null");
            Objects.requireNonNull(gSSCredential, "gssCredential is null");
            this.loginContext = loginContext;
            this.clientCredential = gSSCredential;
        }

        LoginContext getLoginContext() {
            return this.loginContext;
        }

        GSSCredential getClientCredential() {
            return this.clientCredential;
        }
    }

    public SPNEGOTokenHandler(File file, File file2, File file3, String str, String str2, String str3, KerberosNameType kerberosNameType, boolean z, long j) {
        Objects.requireNonNull(file2, "Kerberos config path is null");
        Objects.requireNonNull(str3, "Kerberos remote service name is null");
        Objects.requireNonNull(kerberosNameType, "GSS name type is null");
        this.keytab = file;
        this.credentialCache = file3;
        this.servicePrincipalPattern = str;
        this.principal = str2;
        this.remoteServiceName = str3;
        this.nameType = kerberosNameType.getOid();
        this.useCanonicalHostname = z;
        this.tokenCacheEnabled = j > 0;
        this.tokenCache = CacheBuilder.newBuilder().concurrencyLevel(16).maximumSize(1000L).expireAfterWrite(Math.min(j, MAX_LIFETIME), TimeUnit.MILLISECONDS).build();
        System.setProperty("java.security.krb5.conf", file2.getAbsolutePath());
    }

    public byte[] getToken(URI uri, byte[] bArr) {
        Objects.requireNonNull(uri, "normalizedUri is null");
        Objects.requireNonNull(bArr, "input is null");
        if (this.tokenCacheEnabled) {
            try {
                LOG.debug(String.format("Try to obtain token from cache for %s", uri));
                if (bArr.length > 0) {
                    this.tokenCache.invalidate(uri);
                    LOG.debug(String.format("Discard cached value for %s", uri));
                }
                return this.tokenCache.get(uri, () -> {
                    return generateToken(uri, bArr);
                });
            } catch (ExecutionException e) {
                LOG.debug(e.getCause(), "Failed to obtain token from cache, and fall back to default handle");
            }
        }
        return generateToken(uri, bArr);
    }

    private byte[] generateToken(URI uri, byte[] bArr) {
        GSSContext gSSContext = null;
        try {
            try {
                try {
                    String makeServicePrincipal = makeServicePrincipal(this.servicePrincipalPattern, this.remoteServiceName, uri.getHost(), this.useCanonicalHostname);
                    Session session = getSession();
                    GSSContext gSSContext2 = (GSSContext) doAs(session.getLoginContext().getSubject(), () -> {
                        GSSContext createContext = GSS_MANAGER.createContext(GSS_MANAGER.createName(makeServicePrincipal, this.nameType), SPNEGO_OID, session.getClientCredential(), Integer.MAX_VALUE);
                        createContext.requestMutualAuth(true);
                        createContext.requestConf(true);
                        createContext.requestInteg(true);
                        createContext.requestCredDeleg(false);
                        return createContext;
                    });
                    byte[] initSecContext = gSSContext2.initSecContext(bArr, 0, bArr.length);
                    if (initSecContext == null) {
                        throw new RuntimeException(String.format("No token generated from GSS context for %s", uri));
                    }
                    Logger logger = LOG;
                    Object[] objArr = new Object[2];
                    objArr[0] = gSSContext2.isEstablished() ? "Initialized" : "Initializing";
                    objArr[1] = gSSContext2;
                    logger.debug(String.format("%s %s", objArr));
                    if (gSSContext2 != null) {
                        try {
                            gSSContext2.dispose();
                        } catch (GSSException e) {
                        }
                    }
                    return initSecContext;
                } catch (GSSException e2) {
                    throw new RuntimeException(String.format("Failed to establish GSSContext for %s", uri), e2);
                }
            } catch (LoginException e3) {
                throw new RuntimeException(String.format("Failed to establish LoginContext for %s", uri), e3);
            }
        } catch (Throwable th) {
            if (0 != 0) {
                try {
                    gSSContext.dispose();
                } catch (GSSException e4) {
                    throw th;
                }
            }
            throw th;
        }
    }

    private synchronized Session getSession() throws LoginException, GSSException {
        if (this.clientSession == null || this.clientSession.getClientCredential().getRemainingLifetime() < MIN_CREDENTIAL_LIFE_TIME.getValue(TimeUnit.SECONDS)) {
            LoginContext loginContext = new LoginContext("", (Subject) null, (CallbackHandler) null, new Configuration() { // from class: com.huawei.airlift.http.client.spnego.SPNEGOTokenHandler.1
                public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
                    ImmutableMap.Builder builder = ImmutableMap.builder();
                    builder.put("refreshKrb5Config", "true");
                    builder.put("doNotPrompt", "true");
                    builder.put(AuthConstant.USE_KEYTAB_KEY, "true");
                    if (SPNEGOTokenHandler.LOG.isDebugEnabled()) {
                        builder.put("debug", "true");
                    }
                    if (SPNEGOTokenHandler.this.keytab != null) {
                        builder.put("keyTab", SPNEGOTokenHandler.this.keytab.getAbsolutePath());
                    }
                    if (SPNEGOTokenHandler.this.credentialCache != null) {
                        builder.put("ticketCache", SPNEGOTokenHandler.this.credentialCache.getAbsolutePath());
                        builder.put("useTicketCache", "true");
                        builder.put("renewTGT", "true");
                    }
                    if (SPNEGOTokenHandler.this.principal != null) {
                        builder.put("principal", SPNEGOTokenHandler.this.principal);
                    }
                    return new AppConfigurationEntry[]{new AppConfigurationEntry(Krb5LoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, builder.build())};
                }
            });
            loginContext.login();
            Subject subject = loginContext.getSubject();
            Principal next = subject.getPrincipals().iterator().next();
            this.clientSession = new Session(loginContext, (GSSCredential) doAs(subject, () -> {
                return GSS_MANAGER.createCredential(GSS_MANAGER.createName(next.getName(), GSSName.NT_USER_NAME), 0, KERBEROS_OID, 1);
            }));
        }
        return this.clientSession;
    }

    private static String makeServicePrincipal(String str, String str2, String str3, boolean z) {
        String str4 = str3;
        if (z) {
            str4 = canonicalizeServiceHostname(str3);
        }
        return str.replaceAll("\\$\\{SERVICE}", str2).replaceAll("\\$\\{HOST}", str4.toLowerCase(Locale.US));
    }

    private static String canonicalizeServiceHostname(String str) {
        try {
            InetAddress byName = InetAddress.getByName(str);
            return "localhost".equalsIgnoreCase(byName.getHostName()) ? InetAddress.getLocalHost().getCanonicalHostName() : byName.getCanonicalHostName();
        } catch (UnknownHostException e) {
            throw new UncheckedIOException(e);
        }
    }

    private static <T> T doAs(Subject subject, GssSupplier<T> gssSupplier) {
        return (T) Subject.doAs(subject, () -> {
            try {
                return gssSupplier.get();
            } catch (GSSException e) {
                throw new RuntimeException((Throwable) e);
            }
        });
    }

    static {
        try {
            SPNEGO_OID = new Oid("1.3.6.1.5.5.2");
            KERBEROS_OID = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new AssertionError(e);
        }
    }
}
