package org.elasticsearch.client;

import com.sun.security.auth.login.ConfigFile;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Lookup;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.sniff.ShadeElasticsearchNodesSniffer;
import org.elasticsearch.client.sniff.ShadeSniffOnFailureListener;
import org.elasticsearch.client.sniff.ShadeSniffer;
import org.elasticsearch.hwclient.HwRestClient;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/elasticsearch/client/RestClientBuilder.class */
public final class RestClientBuilder {
    public static final int DEFAULT_CONNECT_TIMEOUT_MILLIS = 1000;
    public static final int DEFAULT_SOCKET_TIMEOUT_MILLIS = 30000;
    public static final int DEFAULT_MAX_CONN_PER_ROUTE = 10;
    public static final int DEFAULT_MAX_CONN_TOTAL = 30;
    private final List<Node> nodes;
    private RestClient.FailureListener failureListener;
    private HttpClientConfigCallback httpClientConfigCallback;
    private RequestConfigCallback requestConfigCallback;
    private String pathPrefix;
    private static boolean systemSecConfig;
    private boolean isSecureMode;
    private static String esJaasConfFile;
    private static final Map<String, String> KERBEROS_OPTIONS;
    private static final String AUTH_USE_SUBJECT_CREDS_ONLY = "javax.security.auth.useSubjectCredsOnly";
    private static final String JAVA_SECURITY_AUTH_CONFIG = "java.security.auth.login.config";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    private static final String KERBEROS_V5_PRINCIPAL_NAME = "1.2.840.113554.1.2.2.1";
    private static final String JAAS_APP_NAME_VERSION_BEFORE_6 = "Client";
    private static String schemeHttps;
    private static final String ELASTICSEARCH_SERVERREALM_PATH;
    private static final String SERVER_REALM_PREFIX = "elasticsearch/hadoop.";
    private static final String REALM_SEP = "@";
    private static final Lookup<AuthSchemeProvider> AUTH_SCHEME_REGISTRY;
    private static final BasicCredentialsProvider CREDENTIALS_PROVIDER;
    private static final SSLContext SSL_CONTEXT;
    private static Subject subj;
    private static final Object SUBJECT_LOCK;
    private static final HostnameVerifier HOSTNAME_VERIFIER;
    public static final int RETRY_TIMES = 3;
    public static final double EXPIRE_LEFT_PERCENT = 0.25d;
    private static final long MIN_TIME_BEFORE_RELOGIN = 60000;
    private static final float TICKET_RENEW_WINDOW = 0.8f;
    private static final int TEN_SECONDS = 10000;
    private static final int RETRY_NUMBER = 3;
    private static GSSCredential credentials;
    private static final Log LOG = LogFactory.getLog(RestClientBuilder.class);
    private static final Header[] EMPTY_HEADERS = new Header[0];
    private static boolean esSecConfig = true;
    private Header[] defaultHeaders = EMPTY_HEADERS;
    private NodeSelector nodeSelector = NodeSelector.ANY;
    private boolean strictDeprecationMode = false;
    private boolean compressionEnabled = false;
    private SSLContext customSSLContext = null;
    private boolean sslEnabled = true;
    private String serverRealm = null;

    /* loaded from: input_file:org/elasticsearch/client/RestClientBuilder$HttpClientConfigCallback.class */
    public interface HttpClientConfigCallback {
        HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpAsyncClientBuilder);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/client/RestClientBuilder$RefreshTGTSingleton.class */
    public static class RefreshTGTSingleton {
        private static volatile ExecutorService esService;

        private RefreshTGTSingleton() {
        }

        public static void startRefreshThread() {
            if (esService == null) {
                synchronized (RefreshTGTSingleton.class) {
                    if (esService == null) {
                        esService = Executors.newFixedThreadPool(1, new ThreadFactory() { // from class: org.elasticsearch.client.RestClientBuilder.RefreshTGTSingleton.1
                            @Override // java.util.concurrent.ThreadFactory
                            public Thread newThread(Runnable runnable) {
                                Thread newThread = Executors.defaultThreadFactory().newThread(runnable);
                                newThread.setDaemon(true);
                                newThread.setName("RefreshTGTThread");
                                return newThread;
                            }
                        });
                    }
                    esService.submit(new RefreshTgtThread());
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/elasticsearch/client/RestClientBuilder$RefreshTgtThread.class */
    public static class RefreshTgtThread implements Runnable {
        RefreshTgtThread() {
        }

        @Override // java.lang.Runnable
        public void run() {
            RestClientBuilder.LOG.info("TGT refresh thread started");
            while (true) {
                try {
                    long currentTimeMillis = System.currentTimeMillis();
                    long nextRefreshTime = RestClientBuilder.getNextRefreshTime(currentTimeMillis, RestClientBuilder.subj);
                    if (currentTimeMillis <= nextRefreshTime) {
                        RestClientBuilder.LOG.info("TGT refresh sleeping until: " + new Date(nextRefreshTime).toString());
                        Thread.sleep(nextRefreshTime - currentTimeMillis);
                    } else {
                        RestClientBuilder.LOG.warn("nextRefresh:" + new Date(nextRefreshTime) + " is in the past: exiting refresh thread. Check clock sync between this host and KDC - (KDC's clock is likely ahead of this host). Manual intervention will be required for this client to successfully authenticate. In case of TGT being expiring, try to refresh TGT right now.");
                    }
                    RestClientBuilder.getTGTwithRetry();
                } catch (Exception e) {
                    RestClientBuilder.LOG.error("Failed to refresh TGT: refresh thread exiting now.", e);
                }
            }
        }
    }

    /* loaded from: input_file:org/elasticsearch/client/RestClientBuilder$RequestConfigCallback.class */
    public interface RequestConfigCallback {
        RequestConfig.Builder customizeRequestConfig(RequestConfig.Builder builder);
    }

    public static void setCredentials(GSSCredential gSSCredential) {
        credentials = gSSCredential;
    }

    private static void refreshSecureMode() {
        if (System.getProperty("es.security.indication") != null) {
            esSecConfig = Boolean.parseBoolean(System.getProperty("es.security.indication"));
        }
        systemSecConfig = System.getProperty("java.security.krb5.conf") != null;
        LOG.info("esSecConfig is " + esSecConfig);
        LOG.info("systemSecConfig is " + systemSecConfig);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public RestClientBuilder(List<Node> list) {
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("nodes must not be null or empty");
        }
        Iterator<Node> it = list.iterator();
        while (it.hasNext()) {
            if (it.next() == null) {
                throw new IllegalArgumentException("node cannot be null");
            }
        }
        this.nodes = list;
        if (this.nodes.size() > 0) {
            schemeHttps = this.nodes.get(0).getHost().getSchemeName() + "://";
        }
        refreshSecureMode();
        this.isSecureMode = esSecConfig && systemSecConfig;
        LOG.info("isSecureMode is " + this.isSecureMode);
        if (this.isSecureMode) {
            System.setProperty(AUTH_USE_SUBJECT_CREDS_ONLY, System.getProperty(AUTH_USE_SUBJECT_CREDS_ONLY, "false"));
        }
    }

    public boolean isSecureMode() {
        return this.isSecureMode;
    }

    public void setSslEnabled(boolean z) {
        this.sslEnabled = z;
    }

    public boolean getSslEnabled() {
        return this.sslEnabled;
    }

    public String getServerRealm() {
        return this.serverRealm;
    }

    public static Subject getSubj() {
        return subj;
    }

    public static synchronized void setEsJaasConfFile(String str) {
        esJaasConfFile = str;
        initKerberosOptions();
    }

    public RestClientBuilder setDefaultHeaders(Header[] headerArr) {
        Objects.requireNonNull(headerArr, "defaultHeaders must not be null");
        for (Header header : headerArr) {
            Objects.requireNonNull(header, "default header must not be null");
        }
        this.defaultHeaders = headerArr;
        return this;
    }

    public RestClientBuilder setMaxConnTotal(int i) {
        if (i <= 0) {
            throw new IllegalArgumentException("maxConnPerToTal must be greater than 0");
        }
        return this;
    }

    public RestClientBuilder setMaxConnPerRoute(int i) {
        if (i <= 0) {
            throw new IllegalArgumentException("maxConnPerRoute must be greater than 0");
        }
        return this;
    }

    public RestClientBuilder setFailureListener(RestClient.FailureListener failureListener) {
        Objects.requireNonNull(failureListener, "failureListener must not be null");
        this.failureListener = failureListener;
        return this;
    }

    @Deprecated
    public RestClientBuilder setMaxRetryTimeoutMillis(int i) {
        return this;
    }

    public RestClientBuilder setHttpClientConfigCallback(HttpClientConfigCallback httpClientConfigCallback) {
        Objects.requireNonNull(httpClientConfigCallback, "httpClientConfigCallback must not be null");
        this.httpClientConfigCallback = httpClientConfigCallback;
        return this;
    }

    public RestClientBuilder setRequestConfigCallback(RequestConfigCallback requestConfigCallback) {
        Objects.requireNonNull(requestConfigCallback, "requestConfigCallback must not be null");
        this.requestConfigCallback = requestConfigCallback;
        return this;
    }

    public RestClientBuilder setPathPrefix(String str) {
        this.pathPrefix = cleanPathPrefix(str);
        return this;
    }

    public RestClientBuilder setSSLContext(SSLContext sSLContext) {
        this.customSSLContext = sSLContext;
        return this;
    }

    public static String cleanPathPrefix(String str) {
        Objects.requireNonNull(str, "pathPrefix must not be null");
        if (str.isEmpty()) {
            throw new IllegalArgumentException("pathPrefix must not be empty");
        }
        String str2 = str;
        if (!str2.startsWith("/")) {
            str2 = "/" + str2;
        }
        if (str2.endsWith("/") && str2.length() > 1) {
            str2 = str2.substring(0, str2.length() - 1);
            if (str2.endsWith("/")) {
                throw new IllegalArgumentException("pathPrefix is malformed. too many trailing slashes: [" + str + "]");
            }
        }
        return str2;
    }

    public RestClientBuilder setNodeSelector(NodeSelector nodeSelector) {
        Objects.requireNonNull(nodeSelector, "nodeSelector must not be null");
        this.nodeSelector = nodeSelector;
        return this;
    }

    public RestClientBuilder setStrictDeprecationMode(boolean z) {
        this.strictDeprecationMode = z;
        return this;
    }

    public RestClientBuilder setCompressionEnabled(boolean z) {
        this.compressionEnabled = z;
        return this;
    }

    public RestClient build() {
        refreshSecureMode();
        ShadeSniffOnFailureListener addSnifferListener = addSnifferListener();
        if (this.failureListener == null) {
            this.failureListener = new RestClient.FailureListener();
        }
        CloseableHttpAsyncClient closeableHttpAsyncClient = (CloseableHttpAsyncClient) AccessController.doPrivileged(this::createHttpClient);
        RestClient restClient = new RestClient(closeableHttpAsyncClient, this.defaultHeaders, this.nodes, this.pathPrefix, this.failureListener, this.nodeSelector, this.strictDeprecationMode, this.compressionEnabled, this);
        try {
            closeableHttpAsyncClient.start();
            if (this.isSecureMode) {
                authenticate(restClient);
            }
            setSnifferToRestClient(restClient, addSnifferListener);
            return restClient;
        } catch (Exception e) {
            LOG.error("Authenticate restClient failed.", e);
            try {
                restClient.close();
            } catch (IOException e2) {
                LOG.error("Close restClient failed while authenticate restClient.", e2);
            }
            throw new RuntimeException(e);
        }
    }

    private void setSnifferToRestClient(RestClient restClient, ShadeSniffOnFailureListener shadeSniffOnFailureListener) {
        if (null == restClient || null == shadeSniffOnFailureListener) {
            return;
        }
        ShadeElasticsearchNodesSniffer.Scheme scheme = (this.isSecureMode && this.sslEnabled) ? ShadeElasticsearchNodesSniffer.Scheme.HTTPS : ShadeElasticsearchNodesSniffer.Scheme.HTTP;
        if (HwRestClient.snifferEnable) {
            ShadeSniffer build = ShadeSniffer.builder(restClient).setSniffAfterFailureDelayMillis(DEFAULT_SOCKET_TIMEOUT_MILLIS).setNodesSniffer(new ShadeElasticsearchNodesSniffer(restClient, ShadeElasticsearchNodesSniffer.DEFAULT_SNIFF_REQUEST_TIMEOUT, scheme)).build();
            shadeSniffOnFailureListener.setSniffer(build);
            restClient.setSniffer(build);
        }
    }

    private ShadeSniffOnFailureListener addSnifferListener() {
        ShadeSniffOnFailureListener shadeSniffOnFailureListener = null;
        if (HwRestClient.snifferEnable) {
            shadeSniffOnFailureListener = new ShadeSniffOnFailureListener();
            setFailureListener(shadeSniffOnFailureListener);
        }
        return shadeSniffOnFailureListener;
    }

    private CloseableHttpAsyncClient createHttpClient() {
        RequestConfig.Builder socketTimeout = RequestConfig.custom().setConnectTimeout(DEFAULT_CONNECT_TIMEOUT_MILLIS).setSocketTimeout(DEFAULT_SOCKET_TIMEOUT_MILLIS);
        if (this.requestConfigCallback != null) {
            socketTimeout = this.requestConfigCallback.customizeRequestConfig(socketTimeout);
        }
        try {
            HttpAsyncClientBuilder targetAuthenticationStrategy = HttpAsyncClientBuilder.create().setDefaultRequestConfig(socketTimeout.build()).setMaxConnPerRoute(10).setMaxConnTotal(30).setSSLContext(SSLContext.getDefault()).setTargetAuthenticationStrategy(new PersistentCredentialsAuthenticationStrategy());
            if (this.httpClientConfigCallback != null) {
                targetAuthenticationStrategy = this.httpClientConfigCallback.customizeHttpClient(targetAuthenticationStrategy);
            }
            if (this.isSecureMode) {
                wrapSecureHttpAsyncClientBuilder(targetAuthenticationStrategy);
            }
            HttpAsyncClientBuilder httpAsyncClientBuilder = targetAuthenticationStrategy;
            Objects.requireNonNull(httpAsyncClientBuilder);
            return (CloseableHttpAsyncClient) AccessController.doPrivileged(httpAsyncClientBuilder::build);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("could not create the default ssl context", e);
        }
    }

    public static synchronized void getTGT() {
        String str;
        try {
            if (KERBEROS_OPTIONS.isEmpty()) {
                initKerberosOptions();
                if (KERBEROS_OPTIONS.isEmpty()) {
                    LOG.error("Please generate EsClient loginContext in jaas.conf file for ES to get TGT.");
                    throw new IllegalArgumentException("EsClient loginContext is not configured properly in jaas.conf file,please set the correct content.");
                }
            }
            Subject subject = new Subject();
            if (System.getProperty("java.vendor").contains("IBM")) {
                str = "com.ibm.security.auth.module.Krb5LoginModule";
                LOG.info("JDK version is IBM");
            } else {
                str = "com.sun.security.auth.module.Krb5LoginModule";
                LOG.info("JDK version is SUN");
            }
            Class<?> cls = Class.forName(str);
            Method declaredMethod = cls.getDeclaredMethod("initialize", Subject.class, CallbackHandler.class, Map.class, Map.class);
            Method declaredMethod2 = cls.getDeclaredMethod("login", new Class[0]);
            Method declaredMethod3 = cls.getDeclaredMethod("commit", new Class[0]);
            Object newInstance = cls.newInstance();
            declaredMethod.invoke(newInstance, subject, null, null, KERBEROS_OPTIONS);
            declaredMethod2.invoke(newInstance, new Object[0]);
            declaredMethod3.invoke(newInstance, new Object[0]);
            subj = subject;
            LOG.info("Get kerberos TGT successfully.");
        } catch (ClassNotFoundException | IllegalAccessException | InstantiationException | NoSuchMethodException | InvocationTargetException e) {
            LOG.error("Get kerberos TGT failed." + e);
            throw new RuntimeException(e);
        }
    }

    private static void initKerberosOptions() {
        KERBEROS_OPTIONS.clear();
        AppConfigurationEntry[] appConfigurationEntry = getAppConfigurationEntry();
        if (appConfigurationEntry == null || appConfigurationEntry.length <= 0) {
            LOG.error("Can not get ES app configuration entry from jaas conf file.");
            throw new IllegalArgumentException("Can not get ES app configuration entry from jaas conf file.");
        }
        for (AppConfigurationEntry appConfigurationEntry2 : appConfigurationEntry) {
            KERBEROS_OPTIONS.putAll(appConfigurationEntry2.getOptions());
        }
    }

    private static AppConfigurationEntry[] getAppConfigurationEntry() {
        String property = System.getProperty("elasticsearch.kerberos.jaas.appname", "EsClient");
        LOG.info(String.format(Locale.ENGLISH, "Get application configuration entry use by application name %s.", property));
        AppConfigurationEntry[] readAppConfigurationEntryByAppName = readAppConfigurationEntryByAppName(property);
        if (readAppConfigurationEntryByAppName == null || readAppConfigurationEntryByAppName.length <= 0) {
            readAppConfigurationEntryByAppName = readAppConfigurationEntryByAppName(JAAS_APP_NAME_VERSION_BEFORE_6);
        }
        return readAppConfigurationEntryByAppName;
    }

    private static AppConfigurationEntry[] readAppConfigurationEntryByAppName(String str) {
        LOG.info(String.format(Locale.ENGLISH, "Try to read the jaas configuration entry again, app name is %s.", str));
        AppConfigurationEntry[] appConfigurationEntryArr = null;
        LOG.info("Read application configuration entry from Es jaas conf file.");
        if (esJaasConfFile == null || esJaasConfFile.isEmpty()) {
            LOG.warn("Fail to get application configuration entry from from Es jaas conf file, because Es jaas conf file path is empty.");
        } else {
            appConfigurationEntryArr = readAppConfigurationEntryFromFile(esJaasConfFile, str);
            LOG.info(String.format(Locale.ENGLISH, " Complete to read from Es jaas conf file, app name is %s.", str));
        }
        if (appConfigurationEntryArr == null || appConfigurationEntryArr.length <= 0) {
            LOG.warn("Fail to get application configuration entry from esJaasConfFile.");
            LOG.info(String.format(Locale.ENGLISH, "Get application configuration entry use by application name %s from memory.", str));
            appConfigurationEntryArr = Configuration.getConfiguration().getAppConfigurationEntry(str);
        }
        String property = System.getProperty("java.security.auth.login.config");
        if ((appConfigurationEntryArr == null || appConfigurationEntryArr.length <= 0) && property != null && !property.isEmpty()) {
            LOG.info(String.format(Locale.ENGLISH, "Get application configuration entry from %s.", "java.security.auth.login.config"));
            appConfigurationEntryArr = readAppConfigurationEntryFromFile(property, str);
        }
        if (appConfigurationEntryArr == null || appConfigurationEntryArr.length <= 0) {
            LOG.error(String.format(Locale.ENGLISH, "Failed to read the jaas configuration entry user by application name %s.", str));
        }
        return appConfigurationEntryArr;
    }

    private static AppConfigurationEntry[] readAppConfigurationEntryFromFile(String str, String str2) {
        AppConfigurationEntry[] appConfigurationEntryArr = null;
        File file = new File(str);
        if (file.exists() && file.isFile()) {
            ConfigFile configFile = new ConfigFile(file.toURI());
            LOG.info(String.format(Locale.ENGLISH, "Get application configuration entry use by application name %s.", str2));
            appConfigurationEntryArr = configFile.getAppConfigurationEntry(str2);
            if (appConfigurationEntryArr == null || appConfigurationEntryArr.length <= 0) {
                LOG.info(String.format(Locale.ENGLISH, "Get application configuration entry use by application name %s.", JAAS_APP_NAME_VERSION_BEFORE_6));
            }
        }
        return appConfigurationEntryArr;
    }

    private static long getTgtValidityPeriod(KerberosTicket kerberosTicket) {
        Date endTime = kerberosTicket.getEndTime();
        Date startTime = kerberosTicket.getStartTime();
        if (null == endTime || null == startTime) {
            return -1L;
        }
        return endTime.getTime() - startTime.getTime();
    }

    private static synchronized KerberosTicket getKerberosTicket(Subject subject) {
        if (null == subject) {
            LOG.debug("The subject is invalid.");
            return null;
        }
        Set<Object> privateCredentials = subject.getPrivateCredentials();
        if (null == privateCredentials) {
            LOG.debug("The privateCredentials is null.");
            return null;
        }
        for (Object obj : privateCredentials) {
            if (obj instanceof KerberosTicket) {
                return (KerberosTicket) obj;
            }
        }
        return null;
    }

    public static synchronized boolean subjectWillExpire(Subject subject) {
        if (null == subject || null == subject.getPrincipals() || null == subject.getPrivateCredentials()) {
            LOG.debug("The subject is invalid.");
            return true;
        }
        KerberosTicket kerberosTicket = getKerberosTicket(subject);
        if (null == kerberosTicket) {
            LOG.debug("The kerberosTicket is null.");
            return true;
        }
        long time = null == kerberosTicket.getEndTime() ? -1L : kerberosTicket.getEndTime().getTime();
        long tgtValidityPeriod = getTgtValidityPeriod(kerberosTicket);
        if (time <= 0 || time < System.currentTimeMillis() || tgtValidityPeriod <= 0) {
            LOG.debug("TgtWillExpireTime is invalid.");
            return true;
        }
        boolean z = ((double) (time - System.currentTimeMillis())) < ((double) tgtValidityPeriod) * 0.25d;
        if (z) {
            LOG.debug("TGT will expire!");
        }
        return z;
    }

    private static long getRefreshTime(KerberosTicket kerberosTicket) {
        long time = kerberosTicket.getStartTime().getTime();
        long time2 = kerberosTicket.getEndTime().getTime();
        LOG.info("TGT valid starting at:        " + kerberosTicket.getStartTime().toString());
        LOG.info("TGT expires:                  " + kerberosTicket.getEndTime().toString());
        long j = time + (((float) (time2 - time)) * TICKET_RENEW_WINDOW);
        return j > time2 ? System.currentTimeMillis() : j;
    }

    private void authenticate(RestClient restClient) {
        synchronized (SUBJECT_LOCK) {
            for (int i = 0; subjectWillExpire(subj) && i < 3; i++) {
                LOG.debug("Subject is not ok ,retry get new TGT.");
                getTGT();
            }
        }
        RefreshTGTSingleton.startRefreshThread();
        int i2 = 0;
        String str = null;
        for (int i3 = 0; null == str && i3 < 3; i3++) {
            str = getRealm(this.nodes.get(i2).getHost().toHostString());
            i2 = i2 < this.nodes.size() - 1 ? i2 + 1 : 0;
        }
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Get ServerRealm failed.");
        }
        if (str.toLowerCase(Locale.ENGLISH).startsWith(SERVER_REALM_PREFIX)) {
            this.serverRealm = str;
        } else {
            this.serverRealm = SERVER_REALM_PREFIX + str.toLowerCase(Locale.ENGLISH) + REALM_SEP + str.toUpperCase(Locale.ENGLISH);
        }
        LOG.info("Initialize the client successfully.");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void getTGTwithRetry() throws InterruptedException {
        int i = 1;
        while (i <= 3) {
            try {
                getTGT();
                LOG.info("TGT refresh at: " + new Date(System.currentTimeMillis()));
                return;
            } catch (Exception e) {
                if (i < 3) {
                    i++;
                    Thread.sleep(10000L);
                } else {
                    LOG.error("Could not refresh TGT ", e);
                }
            }
        }
    }

    public static long getNextRefreshTime(long j, Subject subject) throws Exception {
        KerberosTicket kerberosTicket = getKerberosTicket(subject);
        if (kerberosTicket == null) {
            LOG.warn("No TGT found: will try again at {}" + new Date(j));
            return j;
        }
        long refreshTime = getRefreshTime(kerberosTicket);
        long time = kerberosTicket.getEndTime().getTime();
        Date date = new Date(time);
        if (kerberosTicket.getEndTime().equals(kerberosTicket.getRenewTill())) {
            LOG.error("The TGT cannot be renewed beyond the next expiry date: " + date + ".This process will not be able to authenticate new SASL connections after that time (for example, it will not be authenticate a new connection with a Zookeeper Quorum member).  Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife username within kadmin, or instead, to generate a keytab for username. Because the TGT's expiry cannot be further extended by refreshing");
            throw new Exception("The TGT cannot be renewed beyond the next expiry date: " + date);
        }
        if (refreshTime < j + MIN_TIME_BEFORE_RELOGIN) {
            Date date2 = new Date(refreshTime);
            Date date3 = new Date(j + MIN_TIME_BEFORE_RELOGIN);
            refreshTime = j + MIN_TIME_BEFORE_RELOGIN;
            LOG.warn("TGT refresh thread time adjusted from : " + date2 + " to : " + date3 + " since the former is sooner than the minimum refresh interval (60 seconds) from now.");
        }
        if (refreshTime <= time) {
            return refreshTime;
        }
        LOG.info("refreshing now because expiry is before next scheduled refresh time.");
        return j;
    }

    public static synchronized byte[] initiateSecurityContext(Subject subject, final String str) {
        return (byte[]) Subject.doAs(subject, new PrivilegedAction<byte[]>() { // from class: org.elasticsearch.client.RestClientBuilder.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public byte[] run() {
                GSSContext gSSContext = null;
                try {
                    try {
                        gSSContext = RestClientBuilder.getGssContext(str);
                        gSSContext.requestMutualAuth(true);
                        gSSContext.requestCredDeleg(true);
                        byte[] bArr = new byte[0];
                        byte[] initSecContext = gSSContext.initSecContext(bArr, 0, bArr.length);
                        if (gSSContext != null) {
                            try {
                                gSSContext.dispose();
                            } catch (GSSException e) {
                                RestClientBuilder.LOG.error("Dispose secure context failed.", e);
                            }
                        }
                        return initSecContext;
                    } catch (GSSException e2) {
                        RestClientBuilder.LOG.error("Init secure context failed.", e2);
                        if (gSSContext != null) {
                            try {
                                gSSContext.dispose();
                            } catch (GSSException e3) {
                                RestClientBuilder.LOG.error("Dispose secure context failed.", e3);
                            }
                        }
                        return null;
                    }
                } catch (Throwable th) {
                    if (gSSContext != null) {
                        try {
                            gSSContext.dispose();
                        } catch (GSSException e4) {
                            RestClientBuilder.LOG.error("Dispose secure context failed.", e4);
                        }
                    }
                    throw th;
                }
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static GSSContext getGssContext(String str) throws GSSException {
        GSSManager gSSManager = GSSManager.getInstance();
        GSSName createName = gSSManager.createName(str, new Oid(KERBEROS_V5_PRINCIPAL_NAME));
        Oid oid = new Oid(SPNEGO_OID);
        return gSSManager.createContext(createName.canonicalize(oid), oid, credentials, 0);
    }

    private String getRealm(String str) {
        String str2 = null;
        InputStream inputStream = null;
        try {
            try {
                HttpClientBuilder create = HttpClientBuilder.create();
                create.setSSLHostnameVerifier(HOSTNAME_VERIFIER);
                if (this.customSSLContext != null) {
                    create.setSSLContext(this.customSSLContext);
                } else {
                    create.setSSLContext(SSL_CONTEXT);
                }
                HttpResponse execute = create.build().execute(new HttpGet(schemeHttps + str + ELASTICSEARCH_SERVERREALM_PATH));
                if (200 == execute.getStatusLine().getStatusCode()) {
                    inputStream = execute.getEntity().getContent();
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                    byte[] bArr = new byte[64];
                    while (true) {
                        int read = inputStream.read(bArr);
                        if (-1 == read) {
                            break;
                        }
                        byteArrayOutputStream.write(bArr, 0, read);
                    }
                    str2 = byteArrayOutputStream.toString(StandardCharsets.UTF_8.displayName());
                    LOG.info("Success to get the service realm " + str2);
                } else {
                    LOG.error("Cannot get server realm at  " + str);
                }
                if (inputStream != null) {
                    try {
                        inputStream.close();
                    } catch (IOException e) {
                        LOG.error("Close http response input stream failed.", e);
                    }
                }
            } catch (Throwable th) {
                if (0 != 0) {
                    try {
                        inputStream.close();
                    } catch (IOException e2) {
                        LOG.error("Close http response input stream failed.", e2);
                    }
                }
                throw th;
            }
        } catch (Throwable th2) {
            LOG.error("Get server realm failed.", th2);
            if (0 != 0) {
                try {
                    inputStream.close();
                } catch (IOException e3) {
                    LOG.error("Close http response input stream failed.", e3);
                }
            }
        }
        return str2;
    }

    private void wrapSecureHttpAsyncClientBuilder(HttpAsyncClientBuilder httpAsyncClientBuilder) {
        if (this.customSSLContext != null) {
            httpAsyncClientBuilder.setSSLContext(this.customSSLContext);
        } else {
            httpAsyncClientBuilder.setSSLContext(SSL_CONTEXT);
        }
        httpAsyncClientBuilder.setDefaultAuthSchemeRegistry(AUTH_SCHEME_REGISTRY);
        httpAsyncClientBuilder.setDefaultCredentialsProvider(CREDENTIALS_PROVIDER);
        httpAsyncClientBuilder.setSSLHostnameVerifier(HOSTNAME_VERIFIER);
    }

    static {
        systemSecConfig = System.getProperty("java.security.krb5.conf") != null;
        KERBEROS_OPTIONS = new HashMap(6);
        schemeHttps = "https://";
        ELASTICSEARCH_SERVERREALM_PATH = System.getProperty("elasticsearch.server.realm.path", "/elasticsearch/serverrealm");
        AUTH_SCHEME_REGISTRY = RegistryBuilder.create().register("Negotiate", new SPNegoSchemeFactory(true)).build();
        subj = null;
        SUBJECT_LOCK = new Object();
        HOSTNAME_VERIFIER = new NoopHostnameVerifier();
        credentials = null;
        CREDENTIALS_PROVIDER = new BasicCredentialsProvider();
        CREDENTIALS_PROVIDER.setCredentials(AuthScope.ANY, new Credentials() { // from class: org.elasticsearch.client.RestClientBuilder.1
            @Override // org.apache.http.auth.Credentials
            public Principal getUserPrincipal() {
                return null;
            }

            @Override // org.apache.http.auth.Credentials
            public String getPassword() {
                return null;
            }
        });
        try {
            SSL_CONTEXT = new SSLContextBuilder().loadTrustMaterial((KeyStore) null, new TrustStrategy() { // from class: org.elasticsearch.client.RestClientBuilder.2
                public boolean isTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
                    return true;
                }
            }).build();
            refreshSecureMode();
        } catch (KeyManagementException | KeyStoreException | NoSuchAlgorithmException e) {
            LOG.error("Init ssl context failed.", e);
            throw new RuntimeException(e);
        }
    }
}
