package com.huawei.jredis.client.auth;

import com.huawei.jredis.client.KerberosUtil;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import org.apache.commons.io.FilenameUtils;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import redis.clients.jedis.exceptions.JedisConnectionException;
import redis.clients.jedis.exceptions.JedisException;

/* loaded from: input_file:com/huawei/jredis/client/auth/JedisAuth.class */
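/**
 * Kerberos (SASL/GSSAPI) authentication helper for a Jedis client connection.
 *
 * <p>An instance performs a JAAS login, creates a GSSAPI {@link SaslClient} under the
 * resulting {@link Subject}, and produces the tokens exchanged with the server
 * ({@link #initAuth()} for the first token, {@link #calculateResponse(byte[])} for the
 * following ones).
 *
 * <p>Security-relevant properties of this class that a maintainer should keep in mind:
 * <ul>
 *   <li>The service host name used for the SASL service principal is held in a
 *       process-wide static field that every constructor overwrites. Instances created
 *       for different realms in the same JVM therefore affect each other.</li>
 *   <li>When login caching is enabled, {@link LoginContext} objects are shared between
 *       instances through static maps; logging one out affects every instance holding it.</li>
 *   <li>The SASL client is created without properties, so the JDK defaults for quality of
 *       protection and server authentication apply (see {@code createSaslClient}).</li>
 * </ul>
 *
 * <p>Instances are not documented as thread-safe; only the static login cache is guarded
 * (by the class monitor).
 */
public class JedisAuth {
    /** Service name handed to the SASL client. */
    private static final String AUTH_SERVICE_NAME = "redis";
    /** Age in milliseconds (36,000,000 ms = 10 hours) after which a cached login is replaced. */
    private static final long updateLoginCacheTime = 36000000;
    /** Process-wide service host name; written by {@link #setUserRealm(String)}. */
    private static String auth_host_name;
    /** Mechanism OID passed to GSS credential creation (the Kerberos V5 mechanism). */
    private static final String OID = "1.2.840.113554.1.2.2";
    /** Most recently created cached login; only reassigned while holding the class monitor. */
    private static LoginContext loginCache;
    private SaslClient saslClient;
    private LoginContext login;
    private String krb5Conf;
    private String clientPrincipalName;
    private String serviceName;
    private String serviceHostname;
    private boolean cacheLogin;
    private FileConfiguration fileConfiguration;
    private AuthConfiguration authConfig;
    private Configuration configuration;
    private final String serverRealm;
    private final String localRealm;
    protected static final Logger LOGGER = LoggerFactory.getLogger(JedisAuth.class.getName());
    private static final String HOST_PREFIX = "hadoop.";
    private static final int HOST_PREFIX_LEN = HOST_PREFIX.length();
    /** Cached logins, keyed by {@code principal@<directory of krb5.conf>}. */
    private static Map<String, LoginContext> loginContextMap = new ConcurrentHashMap<>();
    /** Login timestamps (epoch milliseconds) for the entries of {@link #loginContextMap}. */
    private static Map<String, Long> loginTimeMap = new ConcurrentHashMap<>();

    /** Creates an instance from a {@link FileConfiguration} built with an empty argument. */
    public JedisAuth() {
        this("");
    }

    /**
     * Creates an instance whose settings come from a {@link FileConfiguration}.
     *
     * @param str argument forwarded to the {@code FileConfiguration} constructor
     */
    public JedisAuth(String str) {
        this.fileConfiguration = new FileConfiguration(str);
        // Side effect on process-wide state: overwrites the service host for all instances.
        setUserRealm(this.fileConfiguration.getServerRealm());
        this.serverRealm = this.fileConfiguration.getServerRealm();
        this.localRealm = this.fileConfiguration.getLocalRealm();
        this.krb5Conf = this.fileConfiguration.getKrbFilePath();
        this.cacheLogin = Boolean.parseBoolean(this.fileConfiguration.getCacheLogin());
    }

    /**
     * Creates an instance whose settings come from a programmatic configuration.
     *
     * @param authConfiguration source of realms, krb5.conf path, cache flag and user name
     */
    public JedisAuth(AuthConfiguration authConfiguration) {
        this.authConfig = authConfiguration;
        // Side effect on process-wide state: overwrites the service host for all instances.
        setUserRealm(authConfiguration.getServerRealm());
        this.serverRealm = authConfiguration.getServerRealm();
        this.localRealm = authConfiguration.getLocalRealm();
        this.krb5Conf = authConfiguration.getKrb5Conf();
        this.cacheLogin = authConfiguration.getCacheLogin();
    }

    /** Recomputes the process-wide service host name without an explicit realm. */
    public static void setUserRealm() {
        setUserRealm(null);
    }

    /**
     * Sets the process-wide service host name to {@code "hadoop." + realm} in lower case.
     *
     * <p>The realm is taken from the first non-empty source: the argument, the
     * {@code SERVER_REALM} system property, then {@code KerberosUtil.getKrb5DomainRealm()}.
     * If none yields a value the host name is the bare string {@code "hadoop"}.
     *
     * <p>NOTE(review): the field is static and unsynchronized, and it is read later by
     * {@code initAuth()}. A JVM that talks to servers in more than one realm can end up
     * building the SASL service principal for the wrong realm; confirm single-realm use.
     *
     * @param str realm name, or {@code null}/empty to fall back to the other sources
     */
    public static void setUserRealm(String str) {
        String realm = str;
        if (realm == null || "".equals(realm)) {
            realm = System.getProperty("SERVER_REALM");
        }
        if (realm == null || "".equals(realm)) {
            realm = KerberosUtil.getKrb5DomainRealm();
        }
        if (realm == null || "".equals(realm)) {
            auth_host_name = "hadoop";
            return;
        }
        // Locale.ROOT keeps the derived host name independent of the JVM default locale
        // (a Turkish default locale, for example, lower-cases 'I' to a dotless character).
        auth_host_name = HOST_PREFIX + realm.toLowerCase(Locale.ROOT);
    }

    /** @return the server realm captured at construction time */
    public String getServerRealm() {
        return this.serverRealm;
    }

    /** @return the local realm captured at construction time */
    public String getLocalRealm() {
        return this.localRealm;
    }

    /** @return whether this instance shares its JAAS login through the static cache */
    public boolean getCacheLogin() {
        return this.cacheLogin;
    }

    /**
     * Builds the key under which this instance's login is cached.
     *
     * <p>NOTE(review): the key contains only the principal name and the directory of the
     * krb5.conf file. The JAAS {@link Configuration} is not part of it, so two instances
     * that agree on those two values share one login even if their configurations differ.
     */
    private String cacheKey() {
        return this.clientPrincipalName + "@" + FilenameUtils.getFullPath(this.krb5Conf);
    }

    /**
     * Resolves the JAAS configuration and principal, performs (or reuses) the login and
     * creates the SASL client.
     *
     * @throws JedisConnectionException if the login yields no subject
     * @throws Exception if the login itself fails
     */
    private void initJedisAuth() throws Exception {
        if (this.authConfig != null) {
            this.configuration = this.authConfig;
            this.clientPrincipalName = this.authConfig.getUserName();
        } else {
            this.configuration = this.fileConfiguration.genConfiguration();
            this.clientPrincipalName = this.fileConfiguration.getUserName();
        }
        this.serviceName = AUTH_SERVICE_NAME;
        // Snapshot of the process-wide value at the time of the handshake.
        this.serviceHostname = auth_host_name;
        final CallbackHandler handler = getUsernamePasswordHandler(this.clientPrincipalName, "");
        if (this.cacheLogin) {
            String key = cacheKey();
            loginCache(key, this.krb5Conf, handler, this.configuration);
            this.login = loginContextMap.get(key);
        } else {
            Krb5CallBackUtil.call(this.krb5Conf, loginCache, new Krb5CallbackService<Object>() {
                @Override
                public void call() throws Exception {
                    JedisAuth.this.login = new LoginContext("", (Subject) null, handler, JedisAuth.this.configuration);
                    JedisAuth.this.login.login();
                }
            });
        }
        if (this.login.getSubject() == null) {
            throw new JedisConnectionException("login error : subject is null.");
        }
        createSaslClient();
    }

    /**
     * Creates the GSSAPI {@link SaslClient} while running as the logged-in subject.
     *
     * <p>When the {@code sun.security.jgss.native} system property is {@code true}, a GSS
     * credential for the Kerberos mechanism is first added to the subject's private
     * credentials.
     *
     * <p>NOTE(review): the SASL client is created with {@code null} properties, so the JDK
     * defaults apply: {@link Sasl#QOP} defaults to {@code "auth"} (authentication only, no
     * integrity or confidentiality layer) and {@link Sasl#SERVER_AUTH} defaults to
     * {@code "false"} (the client does not require the server to authenticate itself).
     * Confirm that transport protection and server identity are enforced elsewhere, or pass
     * explicit properties here.
     *
     * @throws JedisException wrapping any failure
     */
    private void createSaslClient() {
        if (Boolean.getBoolean("sun.security.jgss.native")) {
            try {
                // Arguments: default name, lifetime 0, Kerberos mechanism OID, usage 1.
                this.login.getSubject().getPrivateCredentials().add(GSSManager.getInstance().createCredential((GSSName) null, 0, new Oid(OID), 1));
                LOGGER.debug("Added private credential, principal name:{}", this.clientPrincipalName);
            } catch (GSSException e) {
                throw new JedisException((Throwable) e);
            }
        }
        try {
            this.saslClient = (SaslClient) Krb5CallBackUtil.callBack(this.krb5Conf, this.login, new Krb5CallbackService<SaslClient>() {
                @Override
                public SaslClient callback() throws PrivilegedActionException {
                    // The cast selects the PrivilegedExceptionAction overload of Subject.doAs;
                    // a bare lambda is ambiguous between the two overloads.
                    return Subject.doAs(JedisAuth.this.login.getSubject(), (PrivilegedExceptionAction<SaslClient>) () ->
                            Sasl.createSaslClient(new String[]{"GSSAPI"}, JedisAuth.this.clientPrincipalName, JedisAuth.this.serviceName, JedisAuth.this.serviceHostname, (Map<String, ?>) null, new SaslClientCallbackHandler(null)));
                }
            });
        } catch (Exception e2) {
            throw new JedisException(e2);
        }
    }

    /**
     * Performs a fresh JAAS login and stores the context in the static {@code loginCache}
     * field. Must be called while holding the class monitor.
     */
    private static void loginIntoCache(String krb5ConfPath, final CallbackHandler callbackHandler, final Configuration configuration) throws Exception {
        Krb5CallBackUtil.call(krb5ConfPath, loginCache, new Krb5CallbackService<Object>() {
            @Override
            public void call() throws Exception {
                JedisAuth.loginCache = new LoginContext("", (Subject) null, callbackHandler, configuration);
                JedisAuth.loginCache.login();
            }
        });
    }

    /**
     * Ensures that a login not older than {@code updateLoginCacheTime} is cached under
     * {@code str}.
     *
     * <p>A missing entry triggers a login. An entry that has reached the maximum age is
     * logged out, removed and replaced by a new login. A younger entry is left untouched.
     *
     * <p>NOTE(review): replacing an entry logs out a {@link LoginContext} that other
     * instances may still hold in their {@code login} field.
     *
     * @param str cache key
     * @param str2 path of the krb5.conf file, forwarded to {@code Krb5CallBackUtil}
     * @param callbackHandler JAAS callback handler for the login
     * @param configuration JAAS configuration for the login
     * @throws Exception if the login fails; the cache then holds no entry for {@code str}
     */
    private static synchronized void loginCache(String str, String str2, final CallbackHandler callbackHandler, final Configuration configuration) throws Exception {
        long now = System.currentTimeMillis();
        Long lastLogin = loginTimeMap.get(str);
        if (lastLogin == null) {
            loginIntoCache(str2, callbackHandler, configuration);
            loginTimeMap.put(str, Long.valueOf(now));
            loginContextMap.put(str, loginCache);
            return;
        }
        if (now - lastLogin.longValue() < updateLoginCacheTime) {
            return;
        }
        loginCache = loginContextMap.get(str);
        try {
            loginCache.logout();
        } catch (Exception e) {
            // Best effort: the stale login is discarded either way, but keep the cause.
            LOGGER.warn("login logout failed", e);
        }
        loginTimeMap.remove(str);
        loginContextMap.remove(str);
        loginIntoCache(str2, callbackHandler, configuration);
        loginTimeMap.put(str, Long.valueOf(now));
        loginContextMap.put(str, loginCache);
        LOGGER.info("update Login Cache");
    }

    /**
     * Evaluates a server challenge and returns the client's response token.
     *
     * <p>The first four bytes of {@code bArr} are dropped before the rest is passed to the
     * SASL client; presumably they are a framing prefix (confirm against the wire format).
     * A {@code null} message or one of at most four bytes is treated as an empty challenge.
     *
     * @param bArr message received from the server, may be {@code null}
     * @return the SASL response produced by the client
     * @throws JedisConnectionException if {@link #initAuth()} has not completed successfully
     * @throws Exception if challenge evaluation fails
     */
    public byte[] calculateResponse(byte[] bArr) throws Exception {
        if (this.login == null || this.saslClient == null) {
            // Fail with a clear message instead of a NullPointerException further down.
            throw new JedisConnectionException("login error, initAuth has not completed.");
        }
        final byte[] challenge;
        if (bArr == null || bArr.length <= 4) {
            challenge = new byte[0];
        } else {
            challenge = new byte[bArr.length - 4];
            System.arraycopy(bArr, 4, challenge, 0, bArr.length - 4);
        }
        final Subject subject = this.login.getSubject();
        return (byte[]) Krb5CallBackUtil.callBack(this.krb5Conf, this.login, new Krb5CallbackService<byte[]>() {
            @Override
            public byte[] callback() throws Exception {
                return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () ->
                        JedisAuth.this.saslClient.evaluateChallenge(challenge));
            }
        });
    }

    /**
     * Logs in, creates the SASL client and returns the initial client token.
     *
     * <p>If producing the token fails and login caching is enabled, the cached login is
     * removed and logged out so that the next attempt performs a fresh login.
     *
     * @return the token obtained by evaluating an empty challenge
     * @throws JedisConnectionException if no subject or SASL client is available
     * @throws JedisException wrapping a failure to produce the initial token
     * @throws Exception if the login fails
     */
    public byte[] initAuth() throws Exception {
        initJedisAuth();
        final Subject subject = this.login.getSubject();
        if (subject == null || this.saslClient == null) {
            throw new JedisConnectionException("login error, cannot get subject.");
        }
        try {
            return (byte[]) Krb5CallBackUtil.callBack(this.krb5Conf, this.login, new Krb5CallbackService<byte[]>() {
                @Override
                public byte[] callback() throws Exception {
                    return Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () ->
                            JedisAuth.this.saslClient.evaluateChallenge(new byte[0]));
                }
            });
        } catch (Exception e) {
            if (this.cacheLogin) {
                removeLoginCache(cacheKey(), this.login);
            }
            throw new JedisException(e);
        }
    }

    /**
     * Drops the cache entry for {@code str} and logs the given context out.
     *
     * @param str cache key
     * @param loginContext context to log out; {@code null} only removes the cache entry
     */
    private static synchronized void removeLoginCache(String str, LoginContext loginContext) {
        loginTimeMap.remove(str);
        loginContextMap.remove(str);
        if (loginContext == null) {
            // Nothing was ever logged in on this instance; avoid a misleading error log.
            return;
        }
        try {
            loginContext.logout();
        } catch (Exception e) {
            LOGGER.error("logout Exception:", e);
        }
    }

    /**
     * Returns a JAAS callback handler that answers {@link NameCallback} with the principal.
     *
     * <p>Every other callback type is left unanswered and the second argument is unused, so
     * no password is ever supplied here; presumably the credentials come from a keytab or
     * ticket cache named in the JAAS configuration (confirm against the configuration classes).
     */
    private CallbackHandler getUsernamePasswordHandler(String principal, String unusedPassword) {
        return callbacks -> {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(principal);
                }
            }
        };
    }

    /** Removes this instance's entry from the login cache and logs its login out. */
    public void clearLogin() {
        removeLoginCache(cacheKey(), this.login);
    }

    /**
     * Releases the SASL client and logs out this instance's login. Failures are logged and
     * do not propagate.
     *
     * <p>NOTE(review): with login caching enabled, {@code login} is the shared cached
     * context and its cache entry is not removed here, so other instances can be handed a
     * logged-out context until their next {@code initAuth()} fails and evicts it. Confirm
     * whether callers are expected to use {@link #clearLogin()} in that mode.
     */
    public void close() {
        if (this.saslClient != null) {
            try {
                // Frees resources and security-sensitive state held by the SASL mechanism.
                this.saslClient.dispose();
            } catch (Exception e) {
                LOGGER.warn("sasl client dispose failed", e);
            }
            this.saslClient = null;
        }
        if (this.login == null) {
            return;
        }
        try {
            this.login.logout();
        } catch (Exception e) {
            // Best effort, but no longer silent: a failed logout can leave credentials
            // in the subject.
            LOGGER.warn("logout Exception:", e);
        }
    }
}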
