package org.apache.storm.security.auth.kerberos;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.Set;
import java.util.SortedMap;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginException;
import org.apache.storm.generated.WorkerToken;
import org.apache.storm.messaging.netty.Login;
import org.apache.storm.security.auth.ClientAuthUtils;
import org.apache.storm.security.auth.sasl.SaslTransportPlugin;
import org.apache.storm.security.auth.sasl.SimpleSaslServerCallbackHandler;
import org.apache.storm.security.auth.workertoken.WorkerTokenAuthorizer;
import org.apache.storm.security.auth.workertoken.WorkerTokenClientCallbackHandler;
import org.apache.storm.shade.org.apache.commons.lang.StringUtils;
import org.apache.storm.shade.org.apache.zookeeper.server.auth.KerberosName;
import org.apache.storm.thrift.transport.TSaslClientTransport;
import org.apache.storm.thrift.transport.TSaslServerTransport;
import org.apache.storm.thrift.transport.TTransport;
import org.apache.storm.thrift.transport.TTransportException;
import org.apache.storm.thrift.transport.TTransportFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin.class */
public class KerberosSaslTransportPlugin extends SaslTransportPlugin {
    public static final String KERBEROS = "GSSAPI";
    private static final String DIGEST = "DIGEST-MD5";
    private static final String DISABLE_LOGIN_CACHE = "disableLoginCache";
    private WorkerTokenAuthorizer workerTokenAuthorizer;
    private static final Logger LOG = LoggerFactory.getLogger(KerberosSaslTransportPlugin.class);
    private static Map<LoginCacheKey, Login> loginCache = new ConcurrentHashMap();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin$LoginCacheKey.class */
    public class LoginCacheKey {
        private String keyString;

        LoginCacheKey(SortedMap<String, ?> sortedMap) throws IOException {
            this.keyString = null;
            if (sortedMap == null) {
                throw new IllegalArgumentException("Configuration should not be null");
            }
            StringBuilder sb = new StringBuilder();
            for (String str : sortedMap.keySet()) {
                if (!str.equals(KerberosSaslTransportPlugin.DISABLE_LOGIN_CACHE)) {
                    String str2 = (String) sortedMap.get(str);
                    sb.append(str);
                    sb.append(str2);
                }
            }
            this.keyString = sb.toString();
        }

        public int hashCode() {
            return this.keyString.hashCode();
        }

        public boolean equals(Object obj) {
            return (obj instanceof LoginCacheKey) && this.keyString.equals(((LoginCacheKey) obj).keyString);
        }

        public String toString() {
            return this.keyString;
        }
    }

    /* loaded from: input_file:org/apache/storm/security/auth/kerberos/KerberosSaslTransportPlugin$TUGIAssumingTransportFactory.class */
    static class TUGIAssumingTransportFactory extends TTransportFactory {
        private final Subject subject;
        private final TTransportFactory wrapped;

        TUGIAssumingTransportFactory(TTransportFactory tTransportFactory, Subject subject) {
            this.wrapped = tTransportFactory;
            this.subject = subject;
            Set<Principal> principals = subject.getPrincipals();
            if (principals.size() > 0) {
                KerberosSaslTransportPlugin.LOG.info("Service principal:" + ((Principal) principals.toArray()[0]).getName());
            }
        }

        public TTransport getTransport(TTransport tTransport) {
            try {
                return (TTransport) Subject.doAs(this.subject, () -> {
                    try {
                        return this.wrapped.getTransport(tTransport);
                    } catch (Exception e) {
                        KerberosSaslTransportPlugin.LOG.debug("Storm server failed to open transport to interact with a client during session initiation: " + e, e);
                        return new NoOpTTrasport(null);
                    }
                });
            } catch (PrivilegedActionException e) {
                KerberosSaslTransportPlugin.LOG.error("Storm server experienced a PrivilegedActionException exception while creating a transport using a JAAS principal context:" + e, e);
                return null;
            }
        }
    }

    @Override // org.apache.storm.security.auth.sasl.SaslTransportPlugin
    public TTransportFactory getServerTransportFactory(boolean z) throws IOException {
        if (this.workerTokenAuthorizer == null) {
            this.workerTokenAuthorizer = new WorkerTokenAuthorizer(this.conf, this.type);
        }
        ServerCallbackHandler serverCallbackHandler = new ServerCallbackHandler(this.conf, z);
        String jaasConf = ClientAuthUtils.getJaasConf(this.conf);
        try {
            Login login = new Login(ClientAuthUtils.LOGIN_CONTEXT_SERVER, serverCallbackHandler, jaasConf);
            Subject subject = login.getSubject();
            login.startThreadIfNeeded();
            if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
                throw new RuntimeException("Fail to verify user principal with section \"StormServer\" in login configuration file " + jaasConf);
            }
            String str = ClientAuthUtils.get(this.conf, ClientAuthUtils.LOGIN_CONTEXT_SERVER, "principal");
            LOG.debug("principal:" + str);
            KerberosName kerberosName = new KerberosName(str);
            String serviceName = kerberosName.getServiceName();
            String hostName = kerberosName.getHostName();
            TreeMap treeMap = new TreeMap();
            treeMap.put("javax.security.sasl.qop", "auth");
            treeMap.put("javax.security.sasl.server.authentication", "false");
            TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
            factory.addServerDefinition("GSSAPI", serviceName, hostName, treeMap, serverCallbackHandler);
            factory.addServerDefinition("DIGEST-MD5", ClientAuthUtils.SERVICE, hostName, (Map) null, new SimpleSaslServerCallbackHandler(z, this.workerTokenAuthorizer));
            TUGIAssumingTransportFactory tUGIAssumingTransportFactory = new TUGIAssumingTransportFactory(factory, subject);
            LOG.info("SASL GSSAPI transport factory will be used");
            return tUGIAssumingTransportFactory;
        } catch (LoginException e) {
            LOG.error("Server failed to login in principal:" + e, e);
            throw new RuntimeException(e);
        }
    }

    private Login mkLogin() throws IOException {
        try {
            Login login = new Login(ClientAuthUtils.LOGIN_CONTEXT_CLIENT, new ClientCallbackHandler(this.conf), ClientAuthUtils.getJaasConf(this.conf));
            login.startThreadIfNeeded();
            return login;
        } catch (LoginException e) {
            LOG.error("Server failed to login in principal:" + e, e);
            throw new RuntimeException(e);
        }
    }

    @Override // org.apache.storm.security.auth.ITransportPlugin
    public TTransport connect(TTransport tTransport, String str, String str2) throws IOException, TTransportException {
        WorkerToken findWorkerTokenInSubject = WorkerTokenClientCallbackHandler.findWorkerTokenInSubject(this.type);
        if (findWorkerTokenInSubject == null) {
            return kerberosConnect(tTransport, str, str2);
        }
        TSaslClientTransport tSaslClientTransport = new TSaslClientTransport("DIGEST-MD5", (String) null, ClientAuthUtils.SERVICE, str, (Map) null, new WorkerTokenClientCallbackHandler(findWorkerTokenInSubject), tTransport);
        tSaslClientTransport.open();
        LOG.debug("SASL DIGEST-MD5 WorkerToken client transport has been established");
        return tSaslClientTransport;
    }

    private TTransport kerberosConnect(TTransport tTransport, String str, String str2) throws IOException {
        Login login;
        SortedMap<String, ?> pullConfig = ClientAuthUtils.pullConfig(this.conf, ClientAuthUtils.LOGIN_CONTEXT_CLIENT);
        if (pullConfig == null) {
            throw new RuntimeException("Error in parsing the kerberos login Configuration, returned null");
        }
        boolean z = false;
        if (pullConfig.containsKey(DISABLE_LOGIN_CACHE)) {
            z = Boolean.valueOf((String) pullConfig.get(DISABLE_LOGIN_CACHE)).booleanValue();
        }
        LoginCacheKey loginCacheKey = new LoginCacheKey(pullConfig);
        if (z) {
            LOG.debug("Kerberos Login Cache is disabled, attempting to contact the Kerberos Server");
            login = mkLogin();
            loginCache.remove(loginCacheKey);
        } else {
            LOG.debug("Trying to get the Kerberos Login from the Login Cache");
            login = loginCache.get(loginCacheKey);
            if (login == null) {
                synchronized (loginCache) {
                    login = loginCache.get(loginCacheKey);
                    if (login == null) {
                        LOG.debug("Kerberos Login was not found in the Login Cache, attempting to contact the Kerberos Server");
                        login = mkLogin();
                        loginCache.put(loginCacheKey, login);
                    }
                }
            }
        }
        Subject subject = login.getSubject();
        if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
            throw new RuntimeException("Fail to verify user principal with section \"StormClient\" in login configuration file " + ClientAuthUtils.getJaasConf(this.conf));
        }
        final String principal = StringUtils.isBlank(str2) ? getPrincipal(subject) : str2;
        String str3 = ClientAuthUtils.get(this.conf, ClientAuthUtils.LOGIN_CONTEXT_CLIENT, "serviceName");
        if (str3 == null) {
            str3 = ClientAuthUtils.SERVICE;
        }
        TreeMap treeMap = new TreeMap();
        treeMap.put("javax.security.sasl.qop", "auth");
        treeMap.put("javax.security.sasl.server.authentication", "false");
        LOG.debug("SASL GSSAPI client transport is being established");
        final TSaslClientTransport tSaslClientTransport = new TSaslClientTransport("GSSAPI", principal, str3, str, treeMap, (CallbackHandler) null, tTransport);
        try {
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() { // from class: org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() {
                    try {
                        KerberosSaslTransportPlugin.LOG.debug("do as:" + principal);
                        tSaslClientTransport.open();
                        return null;
                    } catch (Exception e) {
                        KerberosSaslTransportPlugin.LOG.error("Client failed to open SaslClientTransport to interact with a server during session initiation: " + e, e);
                        return null;
                    }
                }
            });
            return tSaslClientTransport;
        } catch (PrivilegedActionException e) {
            throw new RuntimeException(e);
        }
    }

    private String getPrincipal(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        if (principals != null && principals.size() >= 1) {
            return ((Principal) principals.toArray()[0]).getName();
        }
        LOG.info("No principal found in login subject");
        return null;
    }

    @Override // org.apache.storm.security.auth.ITransportPlugin
    public boolean areWorkerTokensSupported() {
        return true;
    }

    @Override // org.apache.storm.security.auth.sasl.SaslTransportPlugin, java.io.Closeable, java.lang.AutoCloseable
    public void close() {
        this.workerTokenAuthorizer.close();
    }
}
