package org.apache.hadoop.security;

import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.ServiceLoader;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.net.DNS;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenInfo;
import org.apache.hadoop.util.StopWatch;
import org.apache.hadoop.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.net.dns.ResolverConfiguration;
import sun.net.util.IPAddressUtil;

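/**
 * Static helpers used by Hadoop security code: Kerberos principal {@code _HOST}
 * substitution, keytab login, delegation-token service naming, host resolution and
 * running actions as the login or current user.
 *
 * <p>Provenance: this listing was decompiled by JADX from
 * {@code org/apache/hadoop/security/SecurityUtil.class}. Where JADX reported that it
 * widened an access modifier, the member's documentation says so; the widened
 * modifier is kept here so the listing matches what the decompiler produced.
 *
 * <p>Security-relevant behaviour to keep in mind when reviewing callers:
 * <ul>
 *   <li>Principal names and token service names are derived from host names, so their
 *       integrity depends on the name resolution the JVM is configured to use.</li>
 *   <li>{@link #login(Configuration, String, String, String)} does nothing when
 *       security is disabled.</li>
 *   <li>{@link #doAsLoginUserOrFatal(PrivilegedAction)} terminates the JVM on failure.</li>
 * </ul>
 */
@InterfaceAudience.Public
@InterfaceStability.Evolving
public final class SecurityUtil {
    public static final Logger LOG = LoggerFactory.getLogger(SecurityUtil.class);

    /** Placeholder in the host component of a principal that is replaced by a host name. */
    public static final String HOSTNAME_PATTERN = "_HOST";
    public static final String FAILED_TO_GET_UGI_MSG_HEADER = "Failed to obtain user group information:";

    // true: token service names are "ip:port"; false: "hostname:port" (see buildTokenService).
    @VisibleForTesting
    static boolean useIpForTokenService;

    // Resolver used by getByName(String); chosen in setTokenServiceUseIp(boolean).
    @VisibleForTesting
    static HostResolver hostResolver;
    private static boolean logSlowLookups;
    private static int slowLookupThresholdMs;
    // Iterated only while holding its own monitor (see getKerberosInfo / getTokenInfo).
    private static ServiceLoader<SecurityInfo> securityInfoProviders;
    // Providers consulted before the ServiceLoader ones; replaced by setSecurityInfoProviders.
    private static SecurityInfo[] testProviders;

    /**
     * Strategy for turning a host name into an {@link InetAddress}.
     *
     * <p>Decompiler note: JADX reports this type was package-private in the class file.
     */
    public interface HostResolver {
        InetAddress getByName(String str) throws UnknownHostException;
    }

    /**
     * Resolver that tries to qualify a host name itself (exact name, then the resolver's
     * search domains) and returns an address that keeps the caller-supplied name as its
     * host name. Installed when token services are keyed by host name rather than IP.
     *
     * <p>Decompiler note: JADX reports this type was protected in the class file.
     *
     * <p>NOTE(review): depends on the JDK-internal {@code sun.net.dns.ResolverConfiguration}
     * and {@code sun.net.util.IPAddressUtil}; these may not be accessible on JDKs that
     * enforce strong encapsulation. Verify against the target runtime.
     */
    public static class QualifiedHostResolver implements HostResolver {
        // Search list read once, when the resolver is constructed.
        private List<String> searchDomains = ResolverConfiguration.open().searchlist();

        protected QualifiedHostResolver() {
        }

        /**
         * Resolves {@code str} according to its form:
         * <ol>
         *   <li>IPv4 / IPv6 literal: converted directly, no lookup.</li>
         *   <li>Ends with {@code "."}: looked up as an exact (rooted) name only.</li>
         *   <li>Contains a {@code "."}: exact name first, then the search domains.</li>
         *   <li>No dot: matched against the loopback host name, otherwise the search
         *       domains first and the exact name last.</li>
         * </ol>
         *
         * @param str host name or IP literal to resolve
         * @return an address whose host name is the text passed in
         * @throws UnknownHostException if no candidate resolves
         */
        @Override // org.apache.hadoop.security.SecurityUtil.HostResolver
        public InetAddress getByName(String str) throws UnknownHostException {
            InetAddress resolved;
            if (IPAddressUtil.isIPv4LiteralAddress(str)) {
                resolved = InetAddress.getByAddress(str, IPAddressUtil.textToNumericFormatV4(str));
            } else if (IPAddressUtil.isIPv6LiteralAddress(str)) {
                resolved = InetAddress.getByAddress(str, IPAddressUtil.textToNumericFormatV6(str));
            } else if (str.endsWith(".")) {
                resolved = getByExactName(str);
            } else if (str.contains(".")) {
                resolved = getByExactName(str);
                if (resolved == null) {
                    resolved = getByNameWithSearch(str);
                }
            } else {
                // InetAddress.getByName(null) yields a loopback address.
                InetAddress loopback = InetAddress.getByName(null);
                if (str.equalsIgnoreCase(loopback.getHostName())) {
                    resolved = InetAddress.getByAddress(str, loopback.getAddress());
                } else {
                    resolved = getByNameWithSearch(str);
                    if (resolved == null) {
                        resolved = getByExactName(str);
                    }
                }
            }
            if (resolved == null) {
                throw new UnknownHostException(str);
            }
            return resolved;
        }

        /**
         * Looks up {@code str} as a rooted name (a trailing dot is appended if missing).
         *
         * @param str host name to look up
         * @return the address, carrying {@code str} as its host name, or {@code null}
         *         if the lookup fails
         */
        InetAddress getByExactName(String str) {
            String rootedName = str.endsWith(".") ? str : str + ".";
            try {
                return InetAddress.getByAddress(str, getInetAddressByName(rootedName).getAddress());
            } catch (UnknownHostException ignored) {
                // Deliberate: callers treat null as "not found" and move on to the next candidate.
                return null;
            }
        }

        /**
         * Tries {@code str} under each configured search domain, in order.
         *
         * @param str host name; if it already ends with {@code "."} it is looked up
         *            exactly and the search domains are not used
         * @return the first address that resolves, or {@code null} if none does
         */
        InetAddress getByNameWithSearch(String str) {
            if (str.endsWith(".")) {
                return getByExactName(str);
            }
            for (String domain : this.searchDomains) {
                String separator = domain.startsWith(".") ? "" : ".";
                InetAddress candidate = getByExactName(str + separator + domain);
                if (candidate != null) {
                    return candidate;
                }
            }
            return null;
        }

        /** Performs the actual lookup; a separate method so the lookup can be overridden. */
        InetAddress getInetAddressByName(String str) throws UnknownHostException {
            return InetAddress.getByName(str);
        }

        /** Replaces the search-domain list read at construction time. */
        void setSearchDomains(String... strArr) {
            this.searchDomains = Arrays.asList(strArr);
        }
    }

    /**
     * Resolver that delegates straight to {@link InetAddress#getByName(String)}.
     *
     * <p>Decompiler note: JADX reports this type was package-private in the class file.
     */
    public static class StandardHostResolver implements HostResolver {
        StandardHostResolver() {
        }

        @Override // org.apache.hadoop.security.SecurityUtil.HostResolver
        public InetAddress getByName(String str) throws UnknownHostException {
            return InetAddress.getByName(str);
        }
    }

    // Utility class: not instantiable.
    private SecurityUtil() {
    }

    /**
     * Re-reads the token-service and DNS-logging settings from {@code configuration}.
     * This replaces process-wide static state, including the installed host resolver.
     *
     * @param configuration configuration to read the settings from
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static void setConfiguration(Configuration configuration) {
        LOG.info("Updating Configuration");
        setConfigurationInternal(configuration);
    }

    // Shared by setConfiguration and the static initialiser (which must not log "Updating").
    private static void setConfigurationInternal(Configuration configuration) {
        setTokenServiceUseIp(configuration.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_TOKEN_SERVICE_USE_IP, true));
        logSlowLookups = configuration.getBoolean(CommonConfigurationKeys.HADOOP_SECURITY_DNS_LOG_SLOW_LOOKUPS_ENABLED_KEY, false);
        slowLookupThresholdMs = configuration.getInt(CommonConfigurationKeys.HADOOP_SECURITY_DNS_LOG_SLOW_LOOKUPS_THRESHOLD_MS_KEY, 1000);
    }

    /**
     * Selects whether token service names use IP addresses or host names, and installs
     * the matching resolver: {@link StandardHostResolver} for IP mode,
     * {@link QualifiedHostResolver} for host-name mode.
     *
     * @param z {@code true} to key token services by IP address
     */
    @InterfaceAudience.Private
    @VisibleForTesting
    public static void setTokenServiceUseIp(boolean z) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Setting hadoop.security.token.service.use_ip to " + z);
        }
        useIpForTokenService = z;
        hostResolver = useIpForTokenService ? new StandardHostResolver() : new QualifiedHostResolver();
    }

    /**
     * Tells whether a principal is the ticket-granting service of its own realm,
     * i.e. its name is exactly {@code krbtgt/REALM@REALM}.
     *
     * @param kerberosPrincipal principal to test; {@code null} yields {@code false}
     */
    static boolean isTGSPrincipal(KerberosPrincipal kerberosPrincipal) {
        if (kerberosPrincipal == null) {
            return false;
        }
        String realm = kerberosPrincipal.getRealm();
        return kerberosPrincipal.getName().equals("krbtgt/" + realm + "@" + realm);
    }

    /**
     * Tells whether a ticket's server principal is the TGS of its own realm.
     *
     * <p>Decompiler note: JADX reports this method was protected in the class file.
     *
     * @param kerberosTicket ticket to inspect; must not be {@code null} (no null check is made)
     */
    public static boolean isOriginalTGT(KerberosTicket kerberosTicket) {
        return isTGSPrincipal(kerberosTicket.getServer());
    }

    /**
     * Substitutes {@code _HOST} in a {@code primary/_HOST@REALM} principal with the
     * given host name.
     *
     * @param str  configured principal; returned unchanged (possibly {@code null}) if it
     *             does not have exactly three components with {@code _HOST} in the middle
     * @param str2 host name to substitute; {@code null}, empty or {@code "0.0.0.0"} falls
     *             back to the local host name
     * @return the principal with a lower-cased host component
     * @throws IOException if the local host name is needed and cannot be determined
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static String getServerPrincipal(String str, String str2) throws IOException {
        String[] components = getComponents(str);
        return hasHostPattern(components) ? replacePattern(components, str2) : str;
    }

    /**
     * Substitutes {@code _HOST} in a {@code primary/_HOST@REALM} principal with the
     * canonical host name of {@code inetAddress}.
     *
     * <p>Security note: the substituted name comes from
     * {@link InetAddress#getCanonicalHostName()}, so the resulting principal is only as
     * trustworthy as the name service answering that lookup. NOTE(review): when the
     * lookup does not produce a name the JDK is expected to return the textual IP
     * instead, which would yield a principal keyed by IP. Confirm callers tolerate that.
     *
     * @param str         configured principal; returned unchanged if it carries no
     *                    {@code _HOST} component
     * @param inetAddress address whose canonical host name is substituted
     * @throws IOException if substitution is required and {@code inetAddress} is {@code null}
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static String getServerPrincipal(String str, InetAddress inetAddress) throws IOException {
        String[] components = getComponents(str);
        if (!hasHostPattern(components)) {
            return str;
        }
        if (inetAddress == null) {
            throw new IOException("Can't replace _HOST pattern since client address is null");
        }
        return replacePattern(components, inetAddress.getCanonicalHostName());
    }

    // True only for a three-part principal whose middle part is the _HOST placeholder.
    private static boolean hasHostPattern(String[] components) {
        return components != null && components.length == 3 && components[1].equals(HOSTNAME_PATTERN);
    }

    // Splits a principal on '/' and '@'; null in, null out.
    private static String[] getComponents(String str) {
        if (str == null) {
            return null;
        }
        return str.split("[/@]");
    }

    // Rebuilds "primary/host@REALM" with a lower-cased host. A missing or wildcard
    // ("0.0.0.0") host is replaced by this machine's own host name.
    private static String replacePattern(String[] strArr, String str) throws IOException {
        String host = str;
        if (host == null || host.isEmpty() || host.equals("0.0.0.0")) {
            host = getLocalHostName(null);
        }
        return strArr[0] + "/" + StringUtils.toLowerCase(host) + "@" + strArr[2];
    }

    /**
     * Determines the host name used for this machine in principals.
     *
     * <p>With a configuration that names a DNS interface, the name is obtained from
     * {@code DNS.getDefaultHost} for that interface and the optional name server.
     * Otherwise the canonical name of {@link InetAddress#getLocalHost()} is used.
     *
     * @param configuration configuration to consult, or {@code null} to skip it
     * @throws IllegalArgumentException if a name server is configured without an interface
     * @throws UnknownHostException     if the host name cannot be determined
     */
    static String getLocalHostName(@Nullable Configuration configuration) throws UnknownHostException {
        if (configuration != null) {
            String dnsInterface = configuration.get(CommonConfigurationKeysPublic.HADOOP_SECURITY_DNS_INTERFACE_KEY);
            String nameServer = configuration.get(CommonConfigurationKeysPublic.HADOOP_SECURITY_DNS_NAMESERVER_KEY);
            if (dnsInterface != null) {
                return DNS.getDefaultHost(dnsInterface, nameServer, true);
            }
            if (nameServer != null) {
                // Fixed message: the original ran "your" and "configuration" together.
                throw new IllegalArgumentException("hadoop.security.dns.nameserver requires hadoop.security.dns.interface. Check your configuration.");
            }
        }
        return InetAddress.getLocalHost().getCanonicalHostName();
    }

    /**
     * Logs in from a keytab, substituting {@code _HOST} with the local host name.
     *
     * @param configuration configuration holding the keytab and principal settings
     * @param str           configuration key whose value is the keytab file
     * @param str2          configuration key whose value is the principal
     * @throws IOException if the login fails or the local host name cannot be determined
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static void login(Configuration configuration, String str, String str2) throws IOException {
        login(configuration, str, str2, getLocalHostName(configuration));
    }

    /**
     * Logs in from a keytab when security is enabled; otherwise does nothing.
     *
     * <p>The principal is read from {@code str2} and defaults to the {@code user.name}
     * system property when that key is unset.
     *
     * @param configuration configuration holding the keytab and principal settings
     * @param str           configuration key whose value is the keytab file
     * @param str2          configuration key whose value is the principal
     * @param str3          host name substituted for {@code _HOST} in the principal
     * @throws IOException if security is enabled and no keytab is configured, or the login fails
     */
    @InterfaceAudience.Public
    @InterfaceStability.Evolving
    public static void login(Configuration configuration, String str, String str2, String str3) throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return;
        }
        String keytabFile = configuration.get(str);
        if (keytabFile == null || keytabFile.isEmpty()) {
            throw new IOException("Running in secure mode, but config doesn't have a keytab");
        }
        String configuredPrincipal = configuration.get(str2, System.getProperty("user.name"));
        UserGroupInformation.loginUserFromKeytab(getServerPrincipal(configuredPrincipal, str3), keytabFile);
    }

    /**
     * Builds the delegation-token service name for a URI.
     *
     * @param uri URI whose authority names the service
     * @param i   port used when the authority does not specify one (passed to
     *            {@code NetUtils.createSocketAddr})
     * @return the service name, or {@code null} if the URI has no authority
     */
    public static String buildDTServiceName(URI uri, int i) {
        String authority = uri.getAuthority();
        if (authority == null) {
            return null;
        }
        return buildTokenService(NetUtils.createSocketAddr(authority, i)).toString();
    }

    /** Returns the host component of a Kerberos principal, as parsed by {@code HadoopKerberosName}. */
    public static String getHostFromPrincipal(String str) {
        return new HadoopKerberosName(str).getHostName();
    }

    /**
     * Replaces the providers that are consulted before the ServiceLoader-discovered ones.
     * The array is stored as passed, without copying.
     */
    @InterfaceAudience.Private
    public static void setSecurityInfoProviders(SecurityInfo... securityInfoArr) {
        testProviders = securityInfoArr;
    }

    /**
     * Finds the Kerberos metadata for a protocol class.
     *
     * @param cls           protocol class to look up
     * @param configuration configuration handed to each provider
     * @return the first non-null answer, trying the explicitly set providers before the
     *         ServiceLoader ones, or {@code null} if no provider knows the class
     */
    public static KerberosInfo getKerberosInfo(Class<?> cls, Configuration configuration) {
        for (SecurityInfo provider : testProviders) {
            KerberosInfo info = provider.getKerberosInfo(cls, configuration);
            if (info != null) {
                return info;
            }
        }
        // ServiceLoader iteration is lazy and not safe for concurrent use, hence the lock.
        synchronized (securityInfoProviders) {
            for (SecurityInfo provider : securityInfoProviders) {
                KerberosInfo info = provider.getKerberosInfo(cls, configuration);
                if (info != null) {
                    return info;
                }
            }
        }
        return null;
    }

    /**
     * Finds the token metadata for a protocol class.
     *
     * @param cls           protocol class to look up
     * @param configuration configuration handed to each provider
     * @return the first non-null answer, trying the explicitly set providers before the
     *         ServiceLoader ones, or {@code null} if no provider knows the class
     */
    public static TokenInfo getTokenInfo(Class<?> cls, Configuration configuration) {
        for (SecurityInfo provider : testProviders) {
            TokenInfo info = provider.getTokenInfo(cls, configuration);
            if (info != null) {
                return info;
            }
        }
        // ServiceLoader iteration is lazy and not safe for concurrent use, hence the lock.
        synchronized (securityInfoProviders) {
            for (SecurityInfo provider : securityInfoProviders) {
                TokenInfo info = provider.getTokenInfo(cls, configuration);
                if (info != null) {
                    return info;
                }
            }
        }
        return null;
    }

    /** Parses a token's service field back into a socket address. */
    public static InetSocketAddress getTokenServiceAddr(Token<?> token) {
        return NetUtils.createSocketAddr(token.getService().toString());
    }

    /**
     * Stamps a token with the service name derived from {@code inetSocketAddress}.
     * A {@code null} token is logged as a failure and otherwise ignored.
     *
     * <p>NOTE(review): at debug level the token's {@code toString()} is written to the
     * log; confirm that representation carries no secret material.
     */
    public static void setTokenService(Token<?> token, InetSocketAddress inetSocketAddress) {
        // Built before the null check so the warning below can name the service.
        Text service = buildTokenService(inetSocketAddress);
        if (token == null) {
            LOG.warn("Failed to get token for service " + service);
            return;
        }
        token.setService(service);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Acquired token " + token);
        }
    }

    /**
     * Builds the {@code host:port} service name for an address.
     *
     * <p>In IP mode the host part is the resolved IP address, and an unresolved address
     * is rejected. In host-name mode it is the lower-cased host name.
     *
     * @param inetSocketAddress address of the service
     * @throws IllegalArgumentException in IP mode, if the address is unresolved (the
     *                                  cause is an {@link UnknownHostException})
     */
    public static Text buildTokenService(InetSocketAddress inetSocketAddress) {
        String host;
        if (useIpForTokenService) {
            if (inetSocketAddress.isUnresolved()) {
                throw new IllegalArgumentException(new UnknownHostException(inetSocketAddress.getHostName()));
            }
            host = inetSocketAddress.getAddress().getHostAddress();
        } else {
            host = StringUtils.toLowerCase(inetSocketAddress.getHostName());
        }
        return new Text(host + ":" + inetSocketAddress.getPort());
    }

    /** Builds the service name for the authority part of a URI. */
    public static Text buildTokenService(URI uri) {
        return buildTokenService(NetUtils.createSocketAddr(uri.getAuthority()));
    }

    /**
     * Runs an action as the login user, or directly when security is disabled.
     *
     * <p>If the login user cannot be obtained the failure is logged, the stack trace is
     * printed, and the JVM is terminated with exit status -1; the method does not return
     * to the caller in that case.
     *
     * @param privilegedAction action to run
     * @return the action's result
     */
    public static <T> T doAsLoginUserOrFatal(PrivilegedAction<T> privilegedAction) {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return privilegedAction.run();
        }
        UserGroupInformation loginUser = null;
        try {
            loginUser = UserGroupInformation.getLoginUser();
        } catch (IOException e) {
            LOG.error("Exception while getting login user", e);
            // Kept in addition to the log call: the process exits on the next line.
            e.printStackTrace();
            Runtime.getRuntime().exit(-1);
        }
        return loginUser.doAs(privilegedAction);
    }

    /**
     * Runs an action as the login user.
     *
     * @throws IOException if the login user cannot be obtained, the action fails with
     *                     one, or the action is interrupted
     */
    public static <T> T doAsLoginUser(PrivilegedExceptionAction<T> privilegedExceptionAction) throws IOException {
        return doAsUser(UserGroupInformation.getLoginUser(), privilegedExceptionAction);
    }

    /**
     * Runs an action as the current user.
     *
     * @throws IOException if the current user cannot be obtained, the action fails with
     *                     one, or the action is interrupted
     */
    public static <T> T doAsCurrentUser(PrivilegedExceptionAction<T> privilegedExceptionAction) throws IOException {
        return doAsUser(UserGroupInformation.getCurrentUser(), privilegedExceptionAction);
    }

    // Converts interruption into IOException so callers see a single checked type.
    // NOTE(review): the thread's interrupt status is not restored here; confirm whether
    // callers rely on that before adding Thread.currentThread().interrupt().
    private static <T> T doAsUser(UserGroupInformation userGroupInformation, PrivilegedExceptionAction<T> privilegedExceptionAction) throws IOException {
        try {
            return userGroupInformation.doAs(privilegedExceptionAction);
        } catch (InterruptedException e) {
            throw new IOException(e);
        }
    }

    /**
     * Resolves a host name through the installed {@link HostResolver}.
     *
     * <p>The lookup is timed only when slow-lookup logging or trace logging is on. A
     * timed lookup at or above the threshold is logged at WARN, a faster one at TRACE.
     * Both messages include the name that was queried.
     *
     * @param str host name to resolve
     * @throws UnknownHostException if the resolver cannot resolve the name
     */
    @InterfaceAudience.Private
    public static InetAddress getByName(String str) throws UnknownHostException {
        if (!logSlowLookups && !LOG.isTraceEnabled()) {
            return hostResolver.getByName(str);
        }
        StopWatch timer = new StopWatch().start();
        InetAddress resolved = hostResolver.getByName(str);
        long elapsedMs = timer.stop().now(TimeUnit.MILLISECONDS);
        if (elapsedMs >= slowLookupThresholdMs) {
            LOG.warn("Slow name lookup for " + str + ". Took " + elapsedMs + " ms.");
        } else if (LOG.isTraceEnabled()) {
            LOG.trace("Name lookup for " + str + " took " + elapsedMs + " ms.");
        }
        return resolved;
    }

    /**
     * Reads the configured authentication method, defaulting to {@code "simple"} when
     * the key is unset.
     *
     * @param configuration configuration to read
     * @throws IllegalArgumentException if the configured value names no authentication
     *                                  method; the original lookup failure is attached
     *                                  as the cause
     */
    public static UserGroupInformation.AuthenticationMethod getAuthenticationMethod(Configuration configuration) {
        String configured = configuration.get(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "simple");
        try {
            return Enum.valueOf(UserGroupInformation.AuthenticationMethod.class, StringUtils.toUpperCase(configured));
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Invalid attribute value for hadoop.security.authentication of " + configured, e);
        }
    }

    /**
     * Writes the authentication method into the configuration, lower-cased.
     *
     * <p>Security note: a {@code null} method is stored as SIMPLE, so a caller that
     * passes {@code null} by mistake ends up selecting simple authentication.
     *
     * @param authenticationMethod method to store, or {@code null} for SIMPLE
     * @param configuration        configuration to update
     */
    public static void setAuthenticationMethod(UserGroupInformation.AuthenticationMethod authenticationMethod, Configuration configuration) {
        if (authenticationMethod == null) {
            authenticationMethod = UserGroupInformation.AuthenticationMethod.SIMPLE;
        }
        configuration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, StringUtils.toLowerCase(authenticationMethod.toString()));
    }

    /**
     * Tells whether a port number is below 1024.
     *
     * <p>No range validation is done: zero and negative values also return {@code true},
     * so validate the port before relying on this as a privilege check.
     *
     * @param i port number
     */
    public static boolean isPrivilegedPort(int i) {
        return i < 1024;
    }

    // Runs after LOG is initialised (declared first), because setTokenServiceUseIp logs.
    static {
        setConfigurationInternal(new Configuration());
        securityInfoProviders = ServiceLoader.load(SecurityInfo.class);
        testProviders = new SecurityInfo[0];
    }
}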
