package org.apache.sqoop.security.authentication;

import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.log4j.Logger;

/* loaded from: input_file:org/apache/sqoop/security/authentication/LoginUtil.class */
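/**
 * Kerberos login helpers: keytab login through Hadoop's {@link UserGroupInformation} and
 * installation of a JAAS {@link Configuration} for a named login context.
 *
 * <p>Most of the public methods change JVM-wide state (system properties, the process-wide JAAS
 * configuration, the UGI login user). Every principal, path and property name passed in should
 * therefore come from trusted deployment configuration, not from request or user input.
 *
 * <p>The keytab holds the principal's long-term key. This class checks that the file exists but
 * does not inspect its permissions, so restricting it to the service account is left to deployment.
 * Principals and canonical file paths are written to the log and into exception messages.
 */
public class LoginUtil {
    private static final Logger LOG = Logger.getLogger(LoginUtil.class);
    private static final String JAVA_SECURITY_KRB5_CONF_KEY = "java.security.krb5.conf";
    private static final String LOGIN_FAILED_CAUSE_PASSWORD_WRONG = "(wrong password) keytab file and user not match, you can kinit -k -t keytab user in client server to check";
    private static final String LOGIN_FAILED_CAUSE_TIME_WRONG = "(clock skew) time of local server and remote server not match, please check ntp to remote server";
    private static final String LOGIN_FAILED_CAUSE_AES256_WRONG = "(aes256 not support) aes256 not support by default jdk/jre, need copy local_policy.jar and US_export_policy.jar from remote server in path /opt/huawei/Bigdata/jdk/jre/lib/security";
    private static final String LOGIN_FAILED_CAUSE_PRINCIPAL_WRONG = "(no rule) principal format not support by default, need add property hadoop.security.auth_to_local(in core-site.xml) value RULE:[1:$1] RULE:[2:$1]";
    private static final String LOGIN_FAILED_CAUSE_TIME_OUT = "(time out) can not connect to kdc server or there is fire wall in the network";

    /** True when the {@code java.vendor} system property contains "IBM"; selects the IBM login-module option names. */
    private static final boolean IS_IBM_JDK = System.getProperty("java.vendor", "").contains("IBM");

    /**
     * JAAS configuration that answers for exactly one login context with a Kerberos login-module
     * entry and delegates every other context name to the configuration that was installed before.
     *
     * <p>Each instance owns its options map and entry. Keeping them in shared static state would
     * let a later instance overwrite the principal and keytab of a context registered earlier,
     * because earlier instances stay reachable through the {@code baseConfig} chain.
     */
    private static class JaasConfiguration extends Configuration {
        /** Options common to every instance; only read after class initialisation. */
        private static final Map<String, String> DEFAULT_KERBEROS_OPTIONS = new HashMap<>();

        static {
            if (LoginUtil.IS_IBM_JDK) {
                DEFAULT_KERBEROS_OPTIONS.put("credsType", "both");
            } else {
                DEFAULT_KERBEROS_OPTIONS.put("useKeyTab", "true");
                DEFAULT_KERBEROS_OPTIONS.put("useTicketCache", "false");
                DEFAULT_KERBEROS_OPTIONS.put("doNotPrompt", "true");
                DEFAULT_KERBEROS_OPTIONS.put("storeKey", "true");
            }
            // Login-module debug output is opt-in through the environment. It is diagnostic
            // output about the authentication exchange, so it should stay off outside troubleshooting.
            if ("true".equalsIgnoreCase(System.getenv("HBASE_JAAS_DEBUG"))) {
                DEFAULT_KERBEROS_OPTIONS.put("debug", "true");
            }
        }

        private final Configuration baseConfig;
        private final String loginContextName;
        private final boolean useTicketCache;
        private final String keytabFile;
        private final String principal;
        private final AppConfigurationEntry[] kerberosConf;

        /**
         * @param loginContextName JAAS context name this configuration answers for
         * @param principal Kerberos principal to log in as
         * @param keytabFile keytab path; a null or empty value selects ticket-cache mode
         */
        public JaasConfiguration(String loginContextName, String principal, String keytabFile) {
            this(loginContextName, principal, keytabFile, keytabFile == null || keytabFile.length() == 0);
        }

        private JaasConfiguration(String loginContextName, String principal, String keytabFile, boolean useTicketCache) {
            Configuration previous;
            try {
                previous = Configuration.getConfiguration();
            } catch (SecurityException e) {
                // No readable prior configuration: unknown context names then resolve to null.
                previous = null;
            }
            this.baseConfig = previous;
            this.loginContextName = loginContextName;
            this.useTicketCache = useTicketCache;
            this.keytabFile = keytabFile;
            this.principal = principal;
            this.kerberosConf = new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                        KerberosUtil.getKrb5LoginModuleName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        buildKerberosOptions())
            };
            LoginUtil.LOG.info("JaasConfiguration loginContextName=" + loginContextName + " principal=" + principal + " useTicketCache=" + useTicketCache + " keytabFile=" + keytabFile);
        }

        /**
         * Builds this instance's login-module options from the shared defaults.
         *
         * <p>NOTE(review): in ticket-cache mode nothing overrides the defaults, so on a non-IBM JDK
         * the entry still says useKeyTab=true / useTicketCache=false. setJaasConf always supplies a
         * keytab, so that mode is not reached from this file; confirm before relying on it.
         */
        private Map<String, String> buildKerberosOptions() {
            Map<String, String> options = new HashMap<>(DEFAULT_KERBEROS_OPTIONS);
            if (!this.useTicketCache) {
                if (LoginUtil.IS_IBM_JDK) {
                    options.put("useKeytab", this.keytabFile);
                } else {
                    options.put("keyTab", this.keytabFile);
                    options.put("useKeyTab", "true");
                    options.put("useTicketCache", "false");
                }
            }
            options.put("principal", this.principal);
            return options;
        }

        /**
         * Returns the Kerberos entry for this instance's context name, otherwise whatever the
         * previously installed configuration returns, or null when there is none.
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (this.loginContextName.equals(name)) {
                // Hand out a copy so callers cannot swap the entry held by this instance.
                return this.kerberosConf.clone();
            }
            if (this.baseConfig != null) {
                return this.baseConfig.getAppConfigurationEntry(name);
            }
            return null;
        }
    }

    /**
     * Logs the process in to Hadoop from a keytab.
     *
     * <p>After validating the arguments and checking that both files exist and are regular files,
     * this points {@code java.security.krb5.conf} at the krb5 file, passes {@code configuration}
     * to {@link UserGroupInformation#setConfiguration} and calls
     * {@link UserGroupInformation#loginUserFromKeytab}. All three steps affect the whole JVM.
     *
     * @param str user principal
     * @param str2 path of the user's keytab file
     * @param str3 path of the krb5 configuration file
     * @param configuration Hadoop configuration to hand to UserGroupInformation
     * @throws IOException if an argument is null or empty, a file is missing or not a regular
     *     file, the system property cannot be verified, or the keytab login fails
     */
    public static synchronized void login(String str, String str2, String str3, org.apache.hadoop.conf.Configuration configuration) throws IOException {
        requireNonEmpty(str, "userPrincipal");
        requireNonEmpty(str2, "userKeytabPath");
        requireNonEmpty(str3, "krb5ConfPath");
        if (configuration == null) {
            throw logged("input conf is invalid.");
        }
        String keytabPath = requireRegularFile(new File(str2), "userKeytabFile");
        String krb5ConfPath = requireRegularFile(new File(str3), "krb5ConfFile");
        setKrb5Config(krb5ConfPath);
        setConfiguration(configuration);
        loginHadoop(str, keytabPath);
        LOG.info("Login success!!!!!!!!!!!!!!");
    }

    /** Logs {@code message} at error level and returns an IOException carrying the same text. */
    private static IOException logged(String message) {
        LOG.error(message);
        return new IOException(message);
    }

    /** Rejects a null or empty argument with the message "input NAME is invalid.". */
    private static void requireNonEmpty(String value, String name) throws IOException {
        if (value == null || value.length() <= 0) {
            throw logged("input " + name + " is invalid.");
        }
    }

    /** Checks that {@code file} exists and is a regular file; returns its canonical path. */
    private static String requireRegularFile(File file, String label) throws IOException {
        String canonicalPath = file.getCanonicalPath();
        if (!file.exists()) {
            throw logged(label + "(" + canonicalPath + ") does not exsit.");
        }
        if (!file.isFile()) {
            throw logged(label + "(" + canonicalPath + ") is not a file.");
        }
        return canonicalPath;
    }

    /** Sets a system property and reads it back, failing if the stored value differs. */
    private static void setAndVerifySystemProperty(String key, String value) throws IOException {
        System.setProperty(key, value);
        String stored = System.getProperty(key);
        if (stored == null) {
            throw logged(key + " is null.");
        }
        if (!stored.equals(value)) {
            throw logged(key + " is " + stored + " is not " + value + ".");
        }
    }

    /** Hands the Hadoop configuration to UserGroupInformation (process-wide). */
    private static void setConfiguration(org.apache.hadoop.conf.Configuration configuration) throws IOException {
        UserGroupInformation.setConfiguration(configuration);
    }

    /**
     * Decides whether a keytab login is still needed for {@code principal}.
     * Not called by {@link #login} in this version of the class.
     *
     * @return true when there is no current user or it has no Kerberos credentials; false when
     *     the current user matches {@code principal} and was logged in from a keytab
     * @throws IOException if security is disabled, a different user is already logged in, or the
     *     current user did not come from a keytab
     */
    private static boolean checkNeedLogin(String principal) throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            throw logged("UserGroupInformation is not SecurityEnabled, please check if core-site.xml exists in classpath.");
        }
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (currentUser == null || !currentUser.hasKerberosCredentials()) {
            return true;
        }
        if (!checkCurrentUserCorrect(principal)) {
            // Log text and exception text differ in the original, so they are kept separate.
            LOG.error("current user is " + currentUser + "has logined. please check your enviroment , especially when it used IBM JDK or kerberos for OS count login!!");
            throw new IOException("current user is " + currentUser + " has logined. And please check your enviroment!!");
        }
        LOG.info("current user is " + currentUser + "has logined.");
        if (!currentUser.isFromKeytab()) {
            throw logged("current user is not from keytab.");
        }
        return false;
    }

    /** Points {@code java.security.krb5.conf} at {@code krb5ConfPath} and verifies the value took effect. */
    private static void setKrb5Config(String krb5ConfPath) throws IOException {
        setAndVerifySystemProperty(JAVA_SECURITY_KRB5_CONF_KEY, krb5ConfPath);
    }

    /**
     * Installs a process-wide JAAS configuration that serves a Kerberos keytab entry for the
     * given login context, then verifies that the installed entry carries the expected principal
     * and keytab.
     *
     * <p>The keytab is stored and verified by its canonical path, so a relative or symlinked
     * {@code str3} is accepted. The method replaces the JVM's JAAS configuration and is not
     * synchronized; callers that configure several contexts should do so from one thread.
     *
     * @param str login context name
     * @param str2 Kerberos principal
     * @param str3 path of the keytab file
     * @throws IOException if an argument is null or empty, the keytab is missing or not a regular
     *     file, or the installed configuration does not match what was requested
     */
    public static void setJaasConf(String str, String str2, String str3) throws IOException {
        requireNonEmpty(str, "loginContextName");
        requireNonEmpty(str2, "principal");
        requireNonEmpty(str3, "keytabFile");
        String keytabPath = requireRegularFile(new File(str3), "userKeytabFile");

        Configuration.setConfiguration(new JaasConfiguration(str, str2, keytabPath));
        Configuration installed = Configuration.getConfiguration();
        if (!(installed instanceof JaasConfiguration)) {
            throw logged("javax.security.auth.login.Configuration is not JaasConfiguration.");
        }
        AppConfigurationEntry[] entries = installed.getAppConfigurationEntry(str);
        if (entries == null) {
            throw logged("javax.security.auth.login.Configuration has no AppConfigurationEntry named " + str + ".");
        }

        String keytabOption = IS_IBM_JDK ? "useKeytab" : "keyTab";
        boolean principalMatches = false;
        boolean keytabMatches = false;
        for (AppConfigurationEntry entry : entries) {
            Map<String, ?> options = entry.getOptions();
            // Known-non-null value as receiver: an entry without the option is a mismatch, not an NPE.
            if (str2.equals(options.get("principal"))) {
                principalMatches = true;
            }
            // Compare with the canonical path, which is what was handed to JaasConfiguration.
            if (keytabPath.equals(options.get(keytabOption))) {
                keytabMatches = true;
            }
        }
        if (!principalMatches) {
            throw logged("AppConfigurationEntry named " + str + " does not have principal value of " + str2 + ".");
        }
        if (!keytabMatches) {
            throw logged("AppConfigurationEntry named " + str + " does not have keyTab value of " + keytabPath + ".");
        }
    }

    /**
     * Sets the system property {@code str} to {@code str2} and verifies it by reading it back.
     *
     * <p>Despite the name, this writes whichever system property the caller names, so the key
     * must be a fixed, trusted constant.
     *
     * @param str system property name
     * @param str2 value to store
     * @throws IOException if the property reads back as null or as a different value
     */
    public static void setZookeeperServerPrincipal(String str, String str2) throws IOException {
        setAndVerifySystemProperty(str, str2);
    }

    /**
     * Performs the keytab login and, on failure, logs the usual causes before rethrowing the
     * original exception unchanged.
     */
    private static void loginHadoop(String principal, String keytabPath) throws IOException {
        try {
            UserGroupInformation.loginUserFromKeytab(principal, keytabPath);
        } catch (IOException e) {
            LOG.error("login failed with " + principal + " and " + keytabPath + ".");
            LOG.error("perhaps cause 1 is " + LOGIN_FAILED_CAUSE_PASSWORD_WRONG + ".");
            LOG.error("perhaps cause 2 is " + LOGIN_FAILED_CAUSE_TIME_WRONG + ".");
            LOG.error("perhaps cause 3 is " + LOGIN_FAILED_CAUSE_AES256_WRONG + ".");
            LOG.error("perhaps cause 4 is " + LOGIN_FAILED_CAUSE_PRINCIPAL_WRONG + ".");
            LOG.error("perhaps cause 5 is " + LOGIN_FAILED_CAUSE_TIME_OUT + ".");
            throw e;
        }
    }

    /**
     * Verifies that the login user equals the current user, holds Kerberos credentials and was
     * logged in from a keytab. Not called by {@link #login} in this version of the class.
     *
     * @throws IOException if any of those conditions does not hold
     */
    private static void checkAuthenticateOverKrb() throws IOException {
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (loginUser == null) {
            throw logged("current user is " + currentUser + ", but loginUser is null.");
        }
        if (!loginUser.equals(currentUser)) {
            throw logged("current user is " + currentUser + ", but loginUser is " + loginUser + ".");
        }
        if (!loginUser.hasKerberosCredentials()) {
            throw logged("current user is " + currentUser + " has no Kerberos Credentials.");
        }
        if (!UserGroupInformation.isLoginKeytabBased()) {
            throw logged("current user is " + currentUser + " is not Login Keytab Based.");
        }
    }

    /**
     * Tells whether the current UGI user name equals {@code principal}, after appending
     * {@code @DEFAULT_REALM} to {@code principal} when it does not already end with it.
     *
     * @throws IOException if there is no current user, or if resolving the default realm or the
     *     comparison itself fails (the failure is attached as the cause)
     */
    private static boolean checkCurrentUserCorrect(String principal) throws IOException {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (currentUser == null) {
            throw logged("current user still null.");
        }
        try {
            String expected = principal;
            String defaultRealm = KerberosUtil.getDefaultRealm();
            if (defaultRealm != null && defaultRealm.length() > 0) {
                String realmSuffix = "@" + defaultRealm;
                if (!expected.endsWith(realmSuffix)) {
                    expected = expected + realmSuffix;
                }
            }
            return expected.equals(currentUser.getUserName());
        } catch (Exception e) {
            // Broad catch kept from the original; the cause travels with both the log entry and the exception.
            LOG.warn("getDefaultRealm failed.", e);
            throw new IOException(e);
        }
    }
}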
