package org.apache.flink.streaming.connectors.kafka.security;

import java.util.Locale;
import java.util.Properties;
import java.util.UUID;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.flink.annotation.VisibleForTesting;
import org.apache.flink.table.connector.security.ConnectorSecurityUtils;
import org.apache.flink.util.StringUtils;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.krb5.Config;
import sun.security.krb5.KrbException;

/* loaded from: input_file:org/apache/flink/streaming/connectors/kafka/security/KafkaSecurityModule.class */
public class KafkaSecurityModule {
    private static final Logger LOG = LoggerFactory.getLogger(KafkaSecurityModule.class);
    public static final String KAFKA_GSSAPI = "GSSAPI";
    public static final String KAFKA_LOGIN_CONTEXT_NAME = "KafkaClient";
    public static final String KAFKA_KERBEROS_DOMAIN_NAME = "kerberos.domain.name";
    public static final String PRINCIPAL = "principal";

    public static void resolveSecurityConfig(Properties properties) {
        if (!"true".equalsIgnoreCase(properties.getProperty("connector.auth.open"))) {
            LOG.info("Skip authenticating connector by self.");
            return;
        }
        LOG.info("Resolving kafka security config.");
        String uuid = UUID.randomUUID().toString();
        SecurityProtocol forName = SecurityProtocol.forName(properties.getProperty("security.protocol"));
        try {
            synchronized (ConnectorSecurityUtils.AUTH_LOCK) {
                if (forName == SecurityProtocol.SASL_SSL || forName == SecurityProtocol.SSL) {
                    String property = properties.getProperty("ssl.truststore.location");
                    if (!StringUtils.isNullOrWhitespaceOnly(property)) {
                        properties.put("ssl.truststore.location", ConnectorSecurityUtils.copyToLocal(uuid, property));
                    }
                    String property2 = properties.getProperty("ssl.keystore.location");
                    if (!StringUtils.isNullOrWhitespaceOnly(property2)) {
                        properties.put("ssl.keystore.location", ConnectorSecurityUtils.copyToLocal(uuid, property2));
                    }
                }
                if (KAFKA_GSSAPI.equalsIgnoreCase(properties.getProperty("sasl.mechanism")) && (forName == SecurityProtocol.SASL_PLAINTEXT || forName == SecurityProtocol.SASL_SSL)) {
                    String property3 = properties.getProperty("connector.kerberos.principal");
                    if (ifPrincipalExists(KAFKA_LOGIN_CONTEXT_NAME, property3)) {
                        LOG.info("The jaasConfig of principal [{}] already exists.", property3);
                        setKafkaKerberosDomainName(properties);
                        return;
                    }
                    String property4 = properties.getProperty("connector.kerberos.krb5");
                    String property5 = properties.getProperty("connector.kerberos.keytab");
                    String copyToLocal = ConnectorSecurityUtils.copyToLocal(uuid, property4);
                    String copyToLocal2 = ConnectorSecurityUtils.copyToLocal(uuid, property5);
                    ConnectorSecurityUtils.setKRB5Path(copyToLocal);
                    setKafkaKerberosDomainName(properties);
                    ConnectorSecurityUtils.resolveJaasConfig(KAFKA_LOGIN_CONTEXT_NAME, copyToLocal, copyToLocal2, property3);
                }
            }
        } catch (Exception e) {
            LOG.error("Exception while resolving security config.", e);
            throw new RuntimeException("Resolve security config error.", e);
        }
    }

    @VisibleForTesting
    public static boolean ifPrincipalExists(String str, String str2) {
        AppConfigurationEntry[] appConfigurationEntry = Configuration.getConfiguration().getAppConfigurationEntry(str);
        if (appConfigurationEntry == null) {
            return false;
        }
        for (AppConfigurationEntry appConfigurationEntry2 : appConfigurationEntry) {
            if (str2.equalsIgnoreCase((String) appConfigurationEntry2.getOptions().get(PRINCIPAL))) {
                return true;
            }
        }
        return false;
    }

    private static void setKafkaKerberosDomainName(Properties properties) throws KrbException {
        properties.setProperty(KAFKA_KERBEROS_DOMAIN_NAME, String.format("hadoop.%s", Config.getInstance().getDefaultRealm().toLowerCase(Locale.US)));
    }
}
