package com.huawei.hetu.elasticsearch;

import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.net.ssl.SSLContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.KerberosCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.client.RestClientBuilder;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/huawei/hetu/elasticsearch/SpnegoHttpClientConfigCallbackHandler.class */
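/**
 * {@link RestClientBuilder.HttpClientConfigCallback} that configures the Elasticsearch
 * low-level REST client for SPNEGO (Kerberos) authentication using a keytab.
 *
 * <p>On {@link #customizeHttpClient(HttpAsyncClientBuilder)} it performs a JAAS login with
 * {@code Krb5LoginModule} (principal + keytab, no prompting), acquires an initiate-only GSS
 * credential under the SPNEGO mechanism, and registers a {@code Negotiate} auth scheme plus a
 * credentials provider that hands that credential to the HTTP client. Optionally it also installs
 * a caller-supplied {@link SSLContext}.
 *
 * <p>Security note: when {@code isVerifyHostnames} is {@code false} the handler installs
 * {@link NoopHostnameVerifier}, which accepts any server certificate name. That disables a core
 * TLS protection and should only be used for testing. The JAAS login is performed once and cached
 * for the lifetime of this handler; the keytab path is passed through to the JVM login module
 * as-is.
 */
public class SpnegoHttpClientConfigCallbackHandler implements RestClientBuilder.HttpClientConfigCallback {
    private static final String SUN_KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String CRED_CONF_NAME = "ESClientLoginConf";
    private static final String DEFAULT_SPNEGOID = "1.3.6.1.5.5.2";
    /** SPNEGO mechanism OID (1.3.6.1.5.5.2). */
    private static final Oid SPNEGO_OID = getSpnegoOid();
    private static final String NEGOTIATE_SCHEME = "Negotiate";

    private final String userPrincipalName;
    private final String keytabPath;
    private final boolean enableDebugLogs;
    private final Optional<SSLContext> sslContext;
    private final boolean isVerifyHostnames;
    /** Lazily created, guarded by {@code synchronized} on {@link #login()}. */
    private LoginContext loginContext;

    /**
     * JAAS {@link Configuration} producing a single REQUIRED {@code Krb5LoginModule} entry for the
     * configured principal. Subclasses contribute additional module options via {@link #addOptions}.
     */
    private static abstract class AbstractJaasConf extends Configuration {
        private final String userPrincipalName;
        private final boolean enableDebugLogs;

        AbstractJaasConf(String userPrincipalName, boolean enableDebugLogs) {
            this.userPrincipalName = userPrincipalName;
            this.enableDebugLogs = enableDebugLogs;
        }

        /**
         * Returns the same single Krb5 entry regardless of the requested application name.
         * {@code storeKey=true} keeps the key in the Subject so a GSS credential can later be
         * derived from it; {@code debug} is passed straight to the login module (it prints
         * Kerberos details to stdout when enabled, so avoid it in production).
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<>();
            options.put("principal", this.userPrincipalName);
            options.put("isInitiator", Boolean.TRUE.toString());
            options.put("storeKey", Boolean.TRUE.toString());
            options.put("debug", Boolean.toString(this.enableDebugLogs));
            addOptions(options);
            AppConfigurationEntry entry = new AppConfigurationEntry(
                    SpnegoHttpClientConfigCallbackHandler.SUN_KRB5_LOGIN_MODULE,
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.unmodifiableMap(options));
            return new AppConfigurationEntry[] {entry};
        }

        /** Adds subclass-specific Krb5LoginModule options to {@code options}. */
        abstract void addOptions(Map<String, String> options);
    }

    /**
     * Minimal {@link CredentialsProvider} holding exactly one credential, restricted to the
     * {@code Negotiate} scheme. Not thread-safe; it is populated once during client setup.
     */
    public static class KerberosCredentialsProvider implements CredentialsProvider {
        private AuthScope authScope;
        private Credentials credentials;

        private KerberosCredentialsProvider() {
        }

        /**
         * Stores the credential for {@code authScope}.
         *
         * @throws IllegalArgumentException if the scope's scheme is not {@code Negotiate}
         *         (compared case-insensitively)
         */
        @Override
        public void setCredentials(AuthScope authScope, Credentials credentials) {
            String scheme = authScope.getScheme();
            boolean isNegotiate = scheme != null
                    && scheme.regionMatches(true, 0, NEGOTIATE_SCHEME, 0, NEGOTIATE_SCHEME.length());
            if (!isNegotiate) {
                throw new IllegalArgumentException("Only Negotiate auth scheme is supported in AuthScope");
            }
            this.authScope = authScope;
            this.credentials = credentials;
        }

        /**
         * Returns the stored credential when {@code authScope} matches the stored scope, else
         * {@code null}. Also returns {@code null} before {@link #setCredentials} or after
         * {@link #clear()} (the original would NPE in {@code AuthScope.match} there).
         */
        @Override
        public Credentials getCredentials(AuthScope authScope) {
            if (this.authScope == null || authScope == null) {
                return null;
            }
            return authScope.match(this.authScope) > -1 ? this.credentials : null;
        }

        @Override
        public void clear() {
            this.authScope = null;
            this.credentials = null;
        }
    }

    /** JAAS configuration that authenticates non-interactively from a keytab file. */
    private static class KeytabJaasConf extends AbstractJaasConf {
        private final String keytabFilePath;

        KeytabJaasConf(String userPrincipalName, String keytabFilePath, boolean enableDebugLogs) {
            super(userPrincipalName, enableDebugLogs);
            this.keytabFilePath = keytabFilePath;
        }

        /** useKeyTab/keyTab select the keytab; doNotPrompt prevents any fallback to password prompts. */
        @Override
        void addOptions(Map<String, String> options) {
            options.put("useKeyTab", Boolean.TRUE.toString());
            options.put("keyTab", this.keytabFilePath);
            options.put("doNotPrompt", Boolean.TRUE.toString());
        }
    }

    /** Parses the SPNEGO OID; a failure here is a programming error, so it is rethrown unchecked. */
    private static Oid getSpnegoOid() {
        try {
            return new Oid(DEFAULT_SPNEGOID);
        } catch (GSSException e) {
            throw ExceptionsHelper.convertToRuntime(e);
        }
    }

    /**
     * @param userPrincipalName Kerberos principal to authenticate as (e.g. {@code user@REALM})
     * @param keytabPath path to the keytab holding that principal's key
     * @param enableDebugLogs passes {@code debug=true} to Krb5LoginModule
     * @param sslContext TLS context to install on the HTTP client, if present
     * @param isVerifyHostnames when {@code false}, TLS hostname verification is DISABLED
     *        (insecure; test use only). Only applied when {@code sslContext} is present.
     */
    public SpnegoHttpClientConfigCallbackHandler(String userPrincipalName, String keytabPath, boolean enableDebugLogs,
            Optional<SSLContext> sslContext, boolean isVerifyHostnames) {
        this.userPrincipalName = userPrincipalName;
        this.keytabPath = keytabPath;
        this.enableDebugLogs = enableDebugLogs;
        this.sslContext = sslContext;
        this.isVerifyHostnames = isVerifyHostnames;
    }

    /**
     * Wires SPNEGO support and (optionally) TLS into the builder.
     *
     * <p>Hostname verification is only relaxed when it was explicitly turned off: the original
     * code installed {@link NoopHostnameVerifier} when {@code isVerifyHostnames} was {@code true},
     * i.e. it disabled verification exactly when the caller asked for it, and left the default
     * strict verifier in place when verification was supposedly off. With
     * {@code isVerifyHostnames == true} the HTTP client's default (strict) verifier is kept.
     */
    @Override
    public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpAsyncClientBuilder) {
        setupSpnegoAuthSchemeSupport(httpAsyncClientBuilder);
        this.sslContext.ifPresent(ctx -> {
            httpAsyncClientBuilder.setSSLContext(ctx);
            if (!this.isVerifyHostnames) {
                // Insecure: accepts any certificate subject/SAN. Intended for test environments only.
                httpAsyncClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
            }
        });
        return httpAsyncClientBuilder;
    }

    /**
     * Logs in via JAAS, obtains an initiate-only SPNEGO credential for the principal, and registers
     * it with the builder for the {@code Negotiate} scheme on any host/port/realm.
     *
     * <p>The credential is scoped to {@link AuthScope#ANY_HOST}, so the client will attempt SPNEGO
     * against any endpoint that issues a {@code Negotiate} challenge; restrict the scope if the
     * client may talk to untrusted hosts.
     *
     * @throws RuntimeException wrapping the {@link GSSException} or the privileged action's cause
     */
    private void setupSpnegoAuthSchemeSupport(HttpAsyncClientBuilder httpAsyncClientBuilder) {
        // Raw Registry: the typed form would need AuthSchemeProvider, which this file does not import.
        Registry authSchemeRegistry = RegistryBuilder.create()
                .register(NEGOTIATE_SCHEME, new SPNegoSchemeFactory())
                .build();
        GSSManager gssManager = GSSManager.getInstance();
        try {
            GSSName principal = gssManager.createName(this.userPrincipalName, GSSName.NT_USER_NAME);
            // Use the LoginContext returned by login() rather than re-reading the field outside the lock.
            Subject subject = login().getSubject();
            GSSCredential credential = doAsPrivilegedWrapper(subject,
                    () -> gssManager.createCredential(principal, GSSCredential.DEFAULT_LIFETIME, SPNEGO_OID,
                            GSSCredential.INITIATE_ONLY),
                    AccessController.getContext());

            KerberosCredentialsProvider provider = new KerberosCredentialsProvider();
            provider.setCredentials(
                    new AuthScope(AuthScope.ANY_HOST, -1, AuthScope.ANY_REALM, NEGOTIATE_SCHEME),
                    new KerberosCredentials(credential));
            httpAsyncClientBuilder.setDefaultCredentialsProvider(provider);
            httpAsyncClientBuilder.setDefaultAuthSchemeRegistry(authSchemeRegistry);
        } catch (GSSException e) {
            throw new RuntimeException("Failed to obtain SPNEGO credential for " + this.userPrincipalName, e);
        } catch (PrivilegedActionException e) {
            throw new RuntimeException("SPNEGO credential acquisition failed for " + this.userPrincipalName,
                    e.getCause());
        }
    }

    /**
     * Performs the keytab JAAS login once and caches the resulting {@link LoginContext}.
     *
     * <p>The field is assigned only after {@code login()} succeeds; the original stored the context
     * before logging in, so a failed first attempt left a never-authenticated context cached and
     * every later call silently reused it.
     *
     * @return the logged-in context (never {@code null})
     * @throws PrivilegedActionException wrapping the {@code LoginException} on failure
     */
    public synchronized LoginContext login() throws PrivilegedActionException {
        if (this.loginContext == null) {
            this.loginContext = AccessController.doPrivileged((PrivilegedExceptionAction<LoginContext>) () -> {
                Subject subject = new Subject(false,
                        Collections.singleton(new KerberosPrincipal(this.userPrincipalName)),
                        Collections.emptySet(), Collections.emptySet());
                LoginContext ctx = new LoginContext(CRED_CONF_NAME, subject, (CallbackHandler) null,
                        new KeytabJaasConf(this.userPrincipalName, this.keytabPath, this.enableDebugLogs));
                ctx.login();
                return ctx;
            });
        }
        return this.loginContext;
    }

    /**
     * Runs {@code action} as {@code subject} inside a privileged block.
     *
     * <p>{@code Subject.doAsPrivileged} wraps a failing action in a {@link PrivilegedActionException},
     * and the outer {@code doPrivileged} wraps that again; the inner one is unwrapped so callers see
     * the action's own exception as the cause.
     */
    static <T> T doAsPrivilegedWrapper(Subject subject, PrivilegedExceptionAction<T> action,
            AccessControlContext accessControlContext) throws PrivilegedActionException {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () ->
                    Subject.doAsPrivileged(subject, action, accessControlContext));
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof PrivilegedActionException) {
                throw (PrivilegedActionException) cause;
            }
            throw e;
        }
    }
}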
