package org.apache.flink.runtime.security.token;

import java.io.IOException;
import java.time.Clock;
import java.time.Duration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import javax.annotation.concurrent.GuardedBy;
import org.apache.flink.annotation.VisibleForTesting;
import org.apache.flink.configuration.Configuration;
import org.apache.flink.configuration.SecurityOptions;
import org.apache.flink.runtime.security.SecurityConfiguration;
import org.apache.flink.util.Preconditions;
import org.apache.flink.util.concurrent.ScheduledExecutor;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/flink/runtime/security/token/KerberosDelegationTokenManager.class */
public class KerberosDelegationTokenManager implements DelegationTokenManager {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosDelegationTokenManager.class);
    private final Configuration configuration;
    private final double tokensRenewalTimeRatio;
    private final long renewalRetryBackoffPeriod;
    private final KerberosLoginProvider kerberosLoginProvider;

    @VisibleForTesting
    final Map<String, DelegationTokenProvider> delegationTokenProviders;

    @Nullable
    private final ScheduledExecutor scheduledExecutor;

    @Nullable
    private final ExecutorService ioExecutor;

    @Nullable
    private ScheduledFuture<?> tgtRenewalFuture;
    private final Object tokensUpdateFutureLock;

    @GuardedBy("tokensUpdateFutureLock")
    @Nullable
    private ScheduledFuture<?> tokensUpdateFuture;

    public KerberosDelegationTokenManager(Configuration configuration, @Nullable ScheduledExecutor scheduledExecutor, @Nullable ExecutorService executorService) {
        this(configuration, scheduledExecutor, executorService, new KerberosLoginProvider(configuration));
    }

    public KerberosDelegationTokenManager(Configuration configuration, @Nullable ScheduledExecutor scheduledExecutor, @Nullable ExecutorService executorService, KerberosLoginProvider kerberosLoginProvider) {
        this.tokensUpdateFutureLock = new Object();
        this.configuration = (Configuration) Preconditions.checkNotNull(configuration, "Flink configuration must not be null");
        new SecurityConfiguration(configuration);
        this.tokensRenewalTimeRatio = ((Double) configuration.get(SecurityOptions.KERBEROS_TOKENS_RENEWAL_TIME_RATIO)).doubleValue();
        this.renewalRetryBackoffPeriod = ((Duration) configuration.get(SecurityOptions.KERBEROS_TOKENS_RENEWAL_RETRY_BACKOFF)).toMillis();
        this.kerberosLoginProvider = kerberosLoginProvider;
        this.delegationTokenProviders = loadProviders();
        this.scheduledExecutor = scheduledExecutor;
        this.ioExecutor = executorService;
    }

    private Map<String, DelegationTokenProvider> loadProviders() {
        LOG.info("Loading delegation token providers");
        ServiceLoader load = ServiceLoader.load(DelegationTokenProvider.class);
        HashMap hashMap = new HashMap();
        Iterator it = load.iterator();
        while (it.hasNext()) {
            DelegationTokenProvider delegationTokenProvider = (DelegationTokenProvider) it.next();
            try {
                if (isProviderEnabled(delegationTokenProvider.serviceName())) {
                    delegationTokenProvider.init(this.configuration);
                    LOG.info("Delegation token provider {} loaded and initialized", delegationTokenProvider.serviceName());
                    hashMap.put(delegationTokenProvider.serviceName(), delegationTokenProvider);
                } else {
                    LOG.info("Delegation token provider {} is disabled so not loaded", delegationTokenProvider.serviceName());
                }
            } catch (Exception e) {
                LOG.error("Failed to initialize delegation token provider {}.", delegationTokenProvider.serviceName(), e);
                throw e;
            }
        }
        LOG.info("Delegation token providers loaded successfully");
        return hashMap;
    }

    @VisibleForTesting
    boolean isProviderEnabled(String str) {
        return this.configuration.getBoolean(String.format("security.kerberos.token.provider.%s.enabled", str), true);
    }

    @VisibleForTesting
    boolean isProviderLoaded(String str) {
        return this.delegationTokenProviders.containsKey(str);
    }

    @Override // org.apache.flink.runtime.security.token.DelegationTokenManager
    public void obtainDelegationTokens(Credentials credentials) throws Exception {
        LOG.info("Obtaining delegation tokens");
        if (!this.kerberosLoginProvider.isLoginPossible()) {
            LOG.info("Real user has no kerberos credentials so no tokens obtained");
        } else {
            this.kerberosLoginProvider.doLogin().doAs(() -> {
                obtainDelegationTokensAndGetNextRenewal(credentials);
                return null;
            });
            LOG.info("Delegation tokens obtained successfully");
        }
    }

    protected Optional<Long> obtainDelegationTokensAndGetNextRenewal(Credentials credentials) {
        Optional<Long> min = this.delegationTokenProviders.values().stream().map(delegationTokenProvider -> {
            Optional<Long> empty = Optional.empty();
            if (delegationTokenProvider.delegationTokensRequired()) {
                LOG.debug("Obtaining delegation token for service {}", delegationTokenProvider.serviceName());
                empty = delegationTokenProvider.obtainDelegationTokens(credentials);
                LOG.debug("Obtained delegation token for service {} successfully", delegationTokenProvider.serviceName());
            } else {
                LOG.debug("Service {} does not need to obtain delegation token", delegationTokenProvider.serviceName());
            }
            return empty;
        }).flatMap(optional -> {
            return (Stream) optional.map((v0) -> {
                return Stream.of(v0);
            }).orElseGet(Stream::empty);
        }).min((v0, v1) -> {
            return Long.compare(v0, v1);
        });
        credentials.getAllTokens().forEach(token -> {
            LOG.debug("Token Service:{} Identifier:{}", token.getService(), token.getIdentifier());
        });
        return min;
    }

    @Override // org.apache.flink.runtime.security.token.DelegationTokenManager
    public void start() throws Exception {
        Preconditions.checkNotNull(this.scheduledExecutor, "Scheduled executor must not be null");
        Preconditions.checkNotNull(this.ioExecutor, "IO executor must not be null");
        synchronized (this.tokensUpdateFutureLock) {
            Preconditions.checkState(this.tgtRenewalFuture == null && this.tokensUpdateFuture == null, "Manager is already started");
        }
        if (!this.kerberosLoginProvider.isLoginPossible()) {
            LOG.info("Renewal is NOT possible, skipping to start renewal task");
        } else {
            startTGTRenewal();
            startTokensUpdate();
        }
    }

    @VisibleForTesting
    void startTGTRenewal() throws IOException {
        LOG.info("Starting TGT renewal task");
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (!currentUser.isFromKeytab()) {
            LOG.info("TGT renewal task not started");
            return;
        }
        long millis = ((Duration) this.configuration.get(SecurityOptions.KERBEROS_RELOGIN_PERIOD)).toMillis();
        this.tgtRenewalFuture = this.scheduledExecutor.scheduleAtFixedRate(() -> {
            this.ioExecutor.execute(() -> {
                try {
                    LOG.debug("Renewing TGT");
                    currentUser.checkTGTAndReloginFromKeytab();
                    LOG.debug("TGT renewed successfully");
                } catch (Exception e) {
                    LOG.warn("Error while renewing TGT", e);
                }
            });
        }, 0L, millis, TimeUnit.MILLISECONDS);
        LOG.info("TGT renewal task started and reoccur in {} ms", Long.valueOf(millis));
    }

    @VisibleForTesting
    void stopTGTRenewal() {
        if (this.tgtRenewalFuture != null) {
            this.tgtRenewalFuture.cancel(true);
            this.tgtRenewalFuture = null;
        }
    }

    @VisibleForTesting
    void startTokensUpdate() {
        try {
            LOG.info("Starting tokens update task");
            Credentials credentials = new Credentials();
            Optional optional = (Optional) this.kerberosLoginProvider.doLogin().doAs(() -> {
                return obtainDelegationTokensAndGetNextRenewal(credentials);
            });
            if (optional.isPresent()) {
                long calculateRenewalDelay = calculateRenewalDelay(Clock.systemDefaultZone(), ((Long) optional.get()).longValue());
                synchronized (this.tokensUpdateFutureLock) {
                    this.tokensUpdateFuture = this.scheduledExecutor.schedule(() -> {
                        this.ioExecutor.execute(this::startTokensUpdate);
                    }, calculateRenewalDelay, TimeUnit.MILLISECONDS);
                }
                LOG.info("Tokens update task started with {} ms delay", Long.valueOf(calculateRenewalDelay));
            } else {
                LOG.warn("Tokens update task not started because either no tokens obtained or none of the tokens specified its renewal date");
            }
        } catch (InterruptedException e) {
            LOG.debug("Interrupted", e);
        } catch (Exception e2) {
            synchronized (this.tokensUpdateFutureLock) {
                this.tokensUpdateFuture = this.scheduledExecutor.schedule(() -> {
                    this.ioExecutor.execute(this::startTokensUpdate);
                }, this.renewalRetryBackoffPeriod, TimeUnit.MILLISECONDS);
                LOG.warn("Failed to update tokens, will try again in {} ms", Long.valueOf(this.renewalRetryBackoffPeriod), e2);
            }
        }
    }

    @VisibleForTesting
    void stopTokensUpdate() {
        synchronized (this.tokensUpdateFutureLock) {
            if (this.tokensUpdateFuture != null) {
                this.tokensUpdateFuture.cancel(true);
                this.tokensUpdateFuture = null;
            }
        }
    }

    @VisibleForTesting
    long calculateRenewalDelay(Clock clock, long j) {
        long millis = clock.millis();
        long round = Math.round(this.tokensRenewalTimeRatio * (j - millis));
        LOG.debug("Calculated delay on renewal is {}, based on next renewal {} and the ratio {}, and current time {}", new Object[]{Long.valueOf(round), Long.valueOf(j), Double.valueOf(this.tokensRenewalTimeRatio), Long.valueOf(millis)});
        return round;
    }

    @Override // org.apache.flink.runtime.security.token.DelegationTokenManager
    public void stop() {
        LOG.info("Stopping credential renewal");
        stopTokensUpdate();
        stopTGTRenewal();
        LOG.info("Stopped credential renewal");
    }
}
