package org.apache.flink.table.connector.security;

import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import org.apache.flink.annotation.VisibleForTesting;
import org.apache.flink.configuration.Configuration;
import org.apache.flink.configuration.SecurityOptions;
import org.apache.flink.core.fs.Path;
import org.apache.flink.runtime.security.KerberosUtils;
import org.apache.flink.runtime.security.SecurityConfiguration;
import org.apache.flink.runtime.security.SecurityUtils;
import org.apache.flink.runtime.security.modules.JaasModule;
import org.apache.flink.runtime.security.modules.SecurityModule;
import org.apache.flink.util.FileUtils;
import org.apache.flink.util.Preconditions;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.krb5.Config;
import sun.security.krb5.KrbException;

/* loaded from: input_file:org/apache/flink/table/connector/security/ConnectorSecurityUtils.class */
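/**
 * Static helpers that stage Kerberos material (krb5.conf, keytab) for a connector and wire it
 * into the JVM-wide Kerberos and JAAS configuration.
 *
 * <p>Everything configured here is process-global: {@link #setKRB5Path(String)} sets a system
 * property and {@link #resolveJaasConfig} changes the installed JAAS configuration, so all
 * connectors running in the same JVM share the result.
 */
public class ConnectorSecurityUtils {
    /** Directory name, below the chosen base path, that holds downloaded auth files. */
    public static final String BASE_DIR = "auth-file";
    /** JVM system property that points the JDK Kerberos implementation at a krb5.conf file. */
    public static final String JAVA_SECURITY_KRB5_CONF = "java.security.krb5.conf";
    // The four keys below are not read in this class; presumably connector option names
    // consumed by callers -- confirm against the connector factories.
    public static final String CONNECTOR_AUTH_OPEN = "connector.auth.open";
    public static final String CONNECTOR_KERBEROS_PRINCIPAL = "connector.kerberos.principal";
    public static final String CONNECTOR_KERBEROS_KEYTAB = "connector.kerberos.keytab";
    public static final String CONNECTOR_KERBEROS_KRB5 = "connector.kerberos.krb5";
    private static final Logger LOG = LoggerFactory.getLogger(ConnectorSecurityUtils.class);
    /** Monitor used by {@link #setKRB5Path(String)} to serialise changes to the krb5 setting. */
    public static final Object AUTH_LOCK = new Object();

    /**
     * Makes an auth file available on the local file system and returns its local path.
     *
     * <p>A source that is already local is returned as a canonical path without copying; any
     * other source is copied to {@code genDestPath(str, <file name>)}.
     *
     * <p>NOTE(review): nothing in this class restricts the permissions of the copied file or
     * deletes it afterwards. Because the payload is credential material (for example a keytab),
     * the destination directory should be readable only by the OS user running the job and be
     * cleaned up when the job ends -- verify where that is enforced.
     *
     * @param str parent directory name placed between {@link #BASE_DIR} and the file name
     * @param str2 source location: a plain path, a {@code file:} URI, or a URI of another scheme
     * @return local path of the usable file
     * @throws RuntimeException if the copy fails with an {@link IOException}
     * @throws Exception if the source string cannot be parsed or canonicalised
     */
    public static String copyToLocal(String str, String str2) throws Exception {
        Preconditions.checkNotNull(str, "Parent directory must not be null.");
        Preconditions.checkNotNull(str2, "Source path must not be null");
        Path source = new Path(str2);
        if (isLocalFile(str2)) {
            LOG.info("Source file [{}] is local file and don't need to download.", source.getName());
            // Fix: new File("file:///x") treats the whole URI text as a relative file name and
            // canonicalises it under the working directory. Use the URI's path component instead.
            return new File(localPathOf(str2)).getCanonicalPath();
        }
        // Only the last path segment of the source is used as the destination file name.
        Path destination = new Path(genDestPath(str, source.getName()));
        LOG.info("Starting download auth file parentDir={}, srcFile={}.", str, source.getName());
        try {
            FileUtils.copy(source, destination, false);
            LOG.info("Finish download auth file parentDir={}, destFile={}.", str, destination.getName());
            return destination.getPath();
        } catch (IOException e) {
            String message = String.format("Download auth file [%s] error.", source.getName());
            LOG.error(message, e);
            throw new RuntimeException(message, e);
        }
    }

    /**
     * Builds the local destination path {@code <base>/auth-file/<str>/<str2>}.
     *
     * <p>The base is the path of the context class loader's root resource, unless that path ends
     * with {@link File#separator} or cannot be determined, in which case {@code java.io.tmpdir}
     * is used.
     *
     * <p>NOTE(review): {@code str} and {@code str2} are joined as given, without normalisation,
     * so a value containing {@code ..} segments resolves outside {@code <base>/auth-file}. If
     * either value can be influenced by job or table options, validate it before calling.
     *
     * @param str parent directory name
     * @param str2 file name
     * @return the joined destination path
     */
    @VisibleForTesting
    public static String genDestPath(String str, String str2) {
        // Fix: getResource("") returns null when the class loader has no directory root (for
        // example a jar-only classpath), and the context class loader itself may be null. The
        // original dereferenced both unconditionally and failed with a NullPointerException.
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        java.net.URL root = loader == null ? null : loader.getResource("");
        String base = root == null ? null : root.getPath();
        if (base == null || base.endsWith(File.separator)) {
            base = System.getProperty("java.io.tmpdir");
        }
        return String.join(File.separator, base, BASE_DIR, str, str2);
    }

    /** Returns true when {@code str} has no scheme or uses the {@code file} scheme. */
    private static boolean isLocalFile(String str) throws URISyntaxException, IOException {
        return "file".equalsIgnoreCase(resolveURI(str).getScheme());
    }

    /** Parses {@code str} as a URI; a scheme-less value becomes the URI of its canonical file. */
    private static URI resolveURI(String str) throws URISyntaxException, IOException {
        URI uri = new URI(str);
        return uri.getScheme() != null ? uri : new File(str).getCanonicalFile().toURI();
    }

    /**
     * Returns the file-system path for a source that {@link #isLocalFile(String)} accepted:
     * the URI path when a scheme is present, otherwise the string unchanged.
     */
    private static String localPathOf(String str) throws URISyntaxException {
        URI uri = new URI(str);
        // An opaque URI such as "file:name" has no path component; keep the raw text then.
        return uri.getScheme() != null && uri.getPath() != null ? uri.getPath() : str;
    }

    /**
     * Points the JVM at the given krb5.conf and reloads the JDK Kerberos configuration.
     *
     * <p>The system property is JVM-wide, so the last caller wins for every Kerberos client in
     * the process.
     *
     * @param str path of the krb5.conf file
     * @throws IOException if the path does not name an existing regular file
     * @throws KrbException if the Kerberos configuration cannot be reloaded
     */
    public static void setKRB5Path(String str) throws IOException, KrbException {
        Preconditions.checkNotNull(str, "Krb5 path must not be null");
        File krb5File = new File(str);
        synchronized (AUTH_LOCK) {
            // isFile() is false for a missing path as well as for a directory.
            if (!krb5File.isFile()) {
                throw new IOException(String.format("The krb5 path [%s] doesn't exist or it's a directory.", str));
            }
            System.setProperty(JAVA_SECURITY_KRB5_CONF, krb5File.getCanonicalPath());
            Config.refresh();
        }
    }

    /**
     * Builds a {@link SecurityConfiguration} for a keytab-based Kerberos login.
     *
     * @param str login context name(s), stored under {@code KERBEROS_LOGIN_CONTEXTS}; not
     *     null-checked here
     * @param str2 krb5.conf path
     * @param str3 keytab path
     * @param str4 Kerberos principal
     * @param z whether the ticket cache may be used
     * @return the security configuration wrapping these options
     */
    public static SecurityConfiguration genSecurityConfiguration(String str, String str2, String str3, String str4, boolean z) {
        Preconditions.checkNotNull(str2, "Krb5 path must not be null");
        Preconditions.checkNotNull(str3, "Keytab path must not be null");
        Preconditions.checkNotNull(str4, "Principal must not be null");
        Configuration options = new Configuration();
        options.set(SecurityOptions.KERBEROS_LOGIN_CONTEXTS, str);
        options.set(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL, str4);
        options.set(SecurityOptions.KERBEROS_KRB5_PATH, str2);
        options.set(SecurityOptions.KERBEROS_LOGIN_KEYTAB, str3);
        options.set(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE, Boolean.valueOf(z));
        return new SecurityConfiguration(options);
    }

    /**
     * Registers a keytab login entry named {@code str} in the JAAS configuration, always with
     * the ticket cache disabled.
     *
     * <p>If a {@link JaasModule} is already installed, its configuration entry for {@code str}
     * is overwritten; otherwise a new module is installed and recorded.
     *
     * <p>NOTE(review): this method changes process-wide JAAS state but does not take
     * {@link #AUTH_LOCK}; presumably callers serialise on it -- verify.
     *
     * @param str JAAS application entry name, also used as the login context
     * @param str2 krb5.conf path
     * @param str3 keytab path
     * @param str4 Kerberos principal
     * @throws SecurityModule.SecurityInstallException if installing a new module fails
     */
    public static void resolveJaasConfig(String str, String str2, String str3, String str4) throws SecurityModule.SecurityInstallException {
        SecurityConfiguration securityConfig = genSecurityConfiguration(str, str2, str3, str4, false);
        boolean jaasInstalled = SecurityUtils.getInstalledModules().stream().anyMatch(JaasModule.class::isInstance);
        if (jaasInstalled) {
            LOG.info("Reuse JaasModule for authentication.");
            // NOTE(review): javax.security.auth.login.Configuration declares no
            // overwriteAppConfigurationEntry; the decompiler appears to have dropped a cast to
            // the concrete configuration class installed by JaasModule -- confirm against the
            // original source before recompiling.
            javax.security.auth.login.Configuration.getConfiguration().overwriteAppConfigurationEntry(str, KerberosUtils.keytabEntry(securityConfig.getKeytab(), securityConfig.getPrincipal()));
        } else {
            LOG.info("Create new JaasModule for authentication.");
            JaasModule jaasModule = new JaasModule(securityConfig);
            jaasModule.install();
            SecurityUtils.addInstalledModule(jaasModule);
        }
    }
}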
