package org.apache.iotdb.db.security;

import java.security.Principal;
import java.util.Base64;
import java.util.Optional;
import javax.annotation.PreDestroy;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.iotdb.db.auth.AuthException;
import org.apache.iotdb.db.conf.IoTDBConfig;
import org.apache.iotdb.db.conf.IoTDBDescriptor;
import org.apache.iotdb.rpc.sasl.KerberosLogin;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/iotdb/db/security/KerberosAuthenticator.class */
public class KerberosAuthenticator implements Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthenticator.class);
    private static final IoTDBConfig config = IoTDBDescriptor.getInstance().getConfig();
    private final LoginContext loginContext;
    private final GSSCredential serverCredential;
    private final GSSManager gssManager = GSSManager.getInstance();
    private final String principal = config.getServerKerberosPrincipal();
    private final String keytab = config.getServerKerberosKeytab();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/iotdb/db/security/KerberosAuthenticator$GssSupplier.class */
    public interface GssSupplier<T> {
        T get() throws GSSException;
    }

    public KerberosAuthenticator() throws AuthException {
        try {
            this.loginContext = KerberosLogin.loginFromKeytab(this.principal, this.keytab);
            LOG.info("Login context for kerberos authenticator successfully.");
            String[] splitKerberosName = KerberosLogin.splitKerberosName(this.principal);
            GSSName gSSName = KerberosNameType.HOSTBASED_SERVICE.getGSSName(this.gssManager, splitKerberosName[0], splitKerberosName[1]);
            this.serverCredential = (GSSCredential) doAs(this.loginContext.getSubject(), () -> {
                return this.gssManager.createCredential(gSSName, Integer.MAX_VALUE, new Oid[]{new Oid("1.2.840.113554.1.2.2"), new Oid("1.3.6.1.5.5.2")}, 2);
            });
            LOG.info("Obtaining an authentication credential successfully.");
        } catch (LoginException e) {
            throw new AuthException(e);
        }
    }

    @PreDestroy
    public void shutdown() {
        try {
            this.loginContext.logout();
        } catch (LoginException e) {
            throw new RuntimeException(e);
        }
    }

    @Override // org.apache.iotdb.db.security.Authenticator
    public boolean authenticate(String str, String str2) throws AuthException {
        Optional<Principal> authenticate = authenticate(str2);
        if (!authenticate.isPresent()) {
            return false;
        }
        if (str.equals(KerberosLogin.splitKerberosName(authenticate.get().getName())[0])) {
            return true;
        }
        LOG.error("The user name is inconsistent with the principal, username is {}", str);
        return false;
    }

    private Optional<Principal> authenticate(String str) throws AuthException {
        GSSContext gSSContext = (GSSContext) doAs(this.loginContext.getSubject(), () -> {
            return this.gssManager.createContext(this.serverCredential);
        });
        try {
            try {
                byte[] decode = Base64.getDecoder().decode(str);
                gSSContext.acceptSecContext(decode, 0, decode.length);
                if (gSSContext.isEstablished()) {
                    LOG.debug("Successfully establish GSS context for token.");
                    return Optional.of(new KerberosPrincipal(gSSContext.getSrcName().toString()));
                }
                LOG.debug("Failed to establish GSS context for token invaild.");
                try {
                    gSSContext.dispose();
                } catch (GSSException e) {
                    LOG.warn("Failed to dispose context", e);
                }
                return Optional.empty();
            } finally {
                try {
                    gSSContext.dispose();
                } catch (GSSException e2) {
                    LOG.warn("Failed to dispose context", e2);
                }
            }
        } catch (GSSException e3) {
            LOG.error("Authentication failed for token invaild.", e3);
            throw new AuthException((Throwable) e3);
        }
    }

    private static <T> T doAs(Subject subject, GssSupplier<T> gssSupplier) {
        return (T) Subject.doAs(subject, () -> {
            try {
                return gssSupplier.get();
            } catch (GSSException e) {
                throw new RuntimeException((Throwable) e);
            }
        });
    }
}
