package io.prestosql.server.security;

import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.huawei.hetu.security.LoginManager;
import io.airlift.log.Logger;
import io.prestosql.server.security.Authenticator;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import javax.inject.Inject;
import javax.security.auth.login.LoginContext;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:io/prestosql/server/security/HetuPassWordAuthenticator.class */
public class HetuPassWordAuthenticator implements Authenticator {
    private static final Logger LOG = Logger.get(HetuPassWordAuthenticator.class);
    private LoginManager loginManager;

    @Inject
    public HetuPassWordAuthenticator(LoginManager loginManager) {
        this.loginManager = loginManager;
    }

    @Override // io.prestosql.server.security.Authenticator
    public Authenticator.AuthenticatedPrincipal authenticate(HttpServletRequest httpServletRequest) throws AuthenticationException {
        String nullToEmpty = Strings.nullToEmpty(httpServletRequest.getHeader("Authorization"));
        int indexOf = nullToEmpty.indexOf(32);
        if (indexOf < 0 || !nullToEmpty.substring(0, indexOf).equalsIgnoreCase("basic")) {
            throw needAuthentication(null);
        }
        List splitToList = Splitter.on(':').limit(2).splitToList(decodeCredentials(nullToEmpty.substring(indexOf + 1).trim()));
        if (splitToList.size() != 2 || splitToList.stream().anyMatch((v0) -> {
            return v0.isEmpty();
        })) {
            throw new AuthenticationException("Malformed decoded credentials");
        }
        String str = (String) splitToList.get(0);
        String str2 = (String) splitToList.get(1);
        if (this.loginManager.isUserLockUp(str)) {
            throw new AuthenticationException("user has been lockup due to too many failed");
        }
        try {
            Optional<Principal> principalIfPresent = this.loginManager.getPrincipalIfPresent(str, str2);
            Principal kdcLogin = principalIfPresent.isPresent() ? principalIfPresent.get() : toKdcLogin(str, str2);
            LOG.debug("principal " + kdcLogin.toString() + " login successfully.");
            this.loginManager.addUserToCacheQuietly(str, str2, kdcLogin);
            return new Authenticator.AuthenticatedPrincipal(str, kdcLogin);
        } catch (AuthenticationException e) {
            this.loginManager.recordFailQuietly(str);
            throw needAuthentication(e.getMessage());
        }
    }

    private static String decodeCredentials(String str) throws AuthenticationException {
        try {
            return new String(Base64.getDecoder().decode(str), StandardCharsets.ISO_8859_1);
        } catch (IllegalArgumentException e) {
            throw new AuthenticationException("Invalid base64 encoded credentials");
        }
    }

    private static AuthenticationException needAuthentication(String str) {
        return new AuthenticationException(str, "Basic realm=\"Presto\"");
    }

    private Principal toKdcLogin(String str, String str2) throws AuthenticationException {
        LoginContext loginFromPwd = KerberosLoginUtil.loginFromPwd(str, str2);
        if (loginFromPwd == null) {
            throw new AuthenticationException("login Failed, user or password incorrect.");
        }
        return loginFromPwd.getSubject().getPrincipals().iterator().next();
    }
}
