package com.facebook.presto.hive.authentication;

import com.facebook.presto.hive.ForHiveMetastore;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import java.util.Objects;
import javax.inject.Inject;
import org.apache.hadoop.fs.s3a.s3guard.S3GuardTool;
import org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;

/* loaded from: input_file:com/facebook/presto/hive/authentication/KerberosHiveMetastoreAuthentication.class */
/**
 * Wraps a Thrift transport to the Hive metastore in a SASL client transport
 * that uses the Kerberos mechanism, opened under the identity supplied by the
 * injected {@link HadoopAuthentication}.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Mutual authentication is requested
 *       ({@code javax.security.sasl.server.authentication=true}).</li>
 *   <li>The SASL quality-of-protection value is taken from
 *       {@code S3GuardTool.BucketInfo.AUTH_FLAG}, a constant that has nothing
 *       to do with SASL. NOTE(review): this looks like a decompiler
 *       substitution for an inlined {@code "auth"} literal; confirm against
 *       the original source. If so, only authentication is negotiated and
 *       metastore traffic after the handshake has neither integrity nor
 *       confidentiality protection from SASL.</li>
 * </ul>
 */
public class KerberosHiveMetastoreAuthentication implements HiveMetastoreAuthentication {
    /** Configured metastore service principal; may contain a host placeholder resolved per connection. */
    private final String hiveMetastoreServicePrincipal;

    /** Source of the UserGroupInformation under which the SASL transport is used. */
    private final HadoopAuthentication authentication;

    /**
     * Injection constructor: reads the service principal from the Kerberos
     * metastore configuration and delegates to the two-argument constructor.
     *
     * @param metastoreKerberosConfig configuration holding the metastore service principal
     * @param hadoopAuthentication authentication bound with {@code @ForHiveMetastore}
     */
    @Inject
    public KerberosHiveMetastoreAuthentication(MetastoreKerberosConfig metastoreKerberosConfig, @ForHiveMetastore HadoopAuthentication hadoopAuthentication) {
        this(metastoreKerberosConfig.getHiveMetastoreServicePrincipal(), hadoopAuthentication);
    }

    /**
     * @param str the Hive metastore service principal; must not be null
     * @param hadoopAuthentication provider of the client identity; must not be null
     * @throws NullPointerException if either argument is null
     */
    public KerberosHiveMetastoreAuthentication(String str, HadoopAuthentication hadoopAuthentication) {
        // Same check order and messages as before: principal first, then authentication.
        Objects.requireNonNull(str, "hiveMetastoreServicePrincipal is null");
        Objects.requireNonNull(hadoopAuthentication, "authentication is null");
        this.hiveMetastoreServicePrincipal = str;
        this.authentication = hadoopAuthentication;
    }

    /**
     * Builds the Kerberos SASL client transport around {@code tTransport}.
     *
     * @param tTransport the raw transport to the metastore
     * @param str the metastore host name, passed to
     *     {@code SecurityUtil.getServerPrincipal} together with the configured principal
     * @return the SASL transport wrapped in a {@code TUGIAssumingTransport}
     * @throws TTransportException declared by the interface
     * @throws IllegalStateException if the resolved principal does not split into three parts
     * @throws RuntimeException wrapping any {@link IOException}; callers that only catch
     *     {@code TTransportException} will not see these failures
     */
    @Override
    public TTransport authenticate(TTransport tTransport, String str) throws TTransportException {
        try {
            String resolvedPrincipal = SecurityUtil.getServerPrincipal(this.hiveMetastoreServicePrincipal, str);
            String[] principalParts = SaslRpcServer.splitKerberosName(resolvedPrincipal);

            // Fail closed when the principal lacks a host component: the parts at
            // index 0 and 1 are handed to the SASL client as protocol and server name.
            Preconditions.checkState(principalParts.length == 3, "Kerberos principal name does NOT have the expected hostname part: %s", resolvedPrincipal);

            // NOTE(review): AUTH_FLAG comes from S3Guard, not SASL; presumably it stands in
            // for the QOP value "auth" (authentication only). Verify before relying on
            // SASL for integrity or encryption of metastore traffic.
            ImmutableMap<String, String> saslProperties = ImmutableMap.of(
                    "javax.security.sasl.qop", S3GuardTool.BucketInfo.AUTH_FLAG,
                    "javax.security.sasl.server.authentication", "true");

            TTransport saslTransport = new TSaslClientTransport(
                    SaslRpcServer.AuthMethod.KERBEROS.getMechanismName(),
                    null,
                    principalParts[0],
                    principalParts[1],
                    saslProperties,
                    null,
                    tTransport);

            return new TUGIAssumingTransport(saslTransport, this.authentication.getUserGroupInformation());
        } catch (IOException e) {
            throw Throwables.propagate(e);
        }
    }
}
