package org.apache.kyuubi.jdbc.hive.auth;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.InetAddress;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.lang3.StringUtils;
import org.apache.kyuubi.jdbc.hive.JdbcConnectionParams;
import org.apache.kyuubi.jdbc.hive.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kyuubi/jdbc/hive/auth/KerberosAuthentication.class */
/**
 * Builds an in-memory JAAS {@link Configuration} for {@code Krb5LoginModule} and performs
 * Kerberos logins with it, either from a ticket cache or from a principal/keytab pair.
 *
 * <p>Security-relevant points for readers of this class:
 * <ul>
 *   <li>Every login is non-interactive ({@code doNotPrompt}), so a login can only succeed from
 *       the ticket cache or the keytab configured here.</li>
 *   <li>The keytab path is validated once, at construction; the login itself happens later in
 *       {@link #getSubject()} / {@link #attemptLogin(Subject)}.</li>
 *   <li>The login module's {@code debug} option follows this class's logger level, see
 *       {@code createConfiguration}.</li>
 * </ul>
 *
 * <p>NOTE(review): this is decompiled code. {@code Utils.HIVE_SERVER2_RETRY_TRUE} is used as the
 * value of every boolean JAAS option and {@code JdbcConnectionParams.AUTH_PRINCIPAL} as an option
 * key; presumably the decompiler folded the literals {@code "true"} and {@code "principal"} into
 * unrelated constants with the same value. Confirm against those classes.
 */
public class KerberosAuthentication {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthentication.class);
    private static final String KERBEROS_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /** Client principal for keytab logins; {@code null} when logging in from a ticket cache. */
    private final KerberosPrincipal principal;

    /** JAAS configuration handed to every {@link LoginContext} created by this instance. */
    private final Configuration configuration;

    /**
     * Creates an authenticator that logs in from an existing Kerberos ticket cache.
     *
     * <p>Decompiler note: JADX reports this constructor as package-private in the compiled class
     * and widened it to {@code public}.
     *
     * @param str ticket cache location; when blank, the {@code KRB5CCNAME} environment variable
     *     is consulted instead, and when that is blank too no {@code ticketCache} option is set
     */
    public KerberosAuthentication(String str) {
        this.principal = null;
        this.configuration = createLoginFromTgtCacheConfiguration(str);
    }

    /**
     * Creates an authenticator that logs in with a principal and a keytab file.
     *
     * <p>Decompiler note: JADX reports this constructor as package-private in the compiled class
     * and widened it to {@code public}.
     *
     * @param str client principal name; canonicalised against the local host name
     * @param str2 path of the keytab file
     * @throws NullPointerException if either argument is {@code null}
     * @throws IllegalArgumentException if the keytab does not exist or is not readable
     * @throws UncheckedIOException if the principal cannot be canonicalised
     */
    public KerberosAuthentication(String str, String str2) {
        String principalName = Objects.requireNonNull(str, "principal is null");
        String keytabLocation = Objects.requireNonNull(str2, "keytabLocation is null");

        // Fail fast on an unusable keytab. This is a construction-time check only: the path is
        // passed on as a string and nothing here re-validates it when a login is performed.
        Path keytab = Paths.get(keytabLocation);
        Preconditions.checkArgument(Files.exists(keytab), "keytab does not exist: %s", keytabLocation);
        Preconditions.checkArgument(Files.isReadable(keytab), "keytab is not readable: %s", keytabLocation);

        this.principal = createKerberosPrincipal(principalName);
        this.configuration = createLoginFromKeytabConfiguration(this.principal.getName(), keytabLocation);
    }

    /**
     * Performs a fresh JAAS login and returns the resulting subject.
     *
     * <p>For keytab logins the login starts from a modifiable subject that already carries the
     * configured principal; for ticket-cache logins no subject is supplied to the login context.
     *
     * @return the subject held by the login context after {@code login()} succeeded
     * @throws RuntimeException wrapping the {@link LoginException} if the login fails
     */
    public Subject getSubject() {
        Subject seed = null;
        if (this.principal != null) {
            seed = new Subject(false, ImmutableSet.of(this.principal), Collections.emptySet(), Collections.emptySet());
        }
        return loginWith(seed).getSubject();
    }

    /**
     * Runs a JAAS login against the supplied subject using this instance's configuration.
     *
     * @param subject the subject to log in
     * @throws RuntimeException wrapping the {@link LoginException} if the login fails
     */
    public void attemptLogin(Subject subject) {
        loginWith(subject);
    }

    /** Creates a login context for {@code subject}, logs in, and returns the context. */
    private LoginContext loginWith(Subject subject) {
        try {
            // No callback handler: the configuration sets doNotPrompt, so nothing is asked for.
            LoginContext context = new LoginContext("", subject, (CallbackHandler) null, this.configuration);
            context.login();
            return context;
        } catch (LoginException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Canonicalises {@code principalName} against this machine's canonical host name.
     *
     * <p>NOTE(review): the host name comes from a local name-service lookup, so the resulting
     * principal depends on how the resolver is configured; the exact substitution is done by
     * {@code KerberosUtils.canonicalClientPrincipal}, which is not visible here.
     */
    private static KerberosPrincipal createKerberosPrincipal(String principalName) {
        try {
            String localHost = InetAddress.getLocalHost().getCanonicalHostName();
            String canonical = KerberosUtils.canonicalClientPrincipal(principalName, localHost);
            return new KerberosPrincipal(canonical);
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /** Builds the login options for a ticket-cache login (useTicketCache, renewTGT). */
    private static Configuration createLoginFromTgtCacheConfiguration(String ticketCache) {
        ImmutableMap.Builder<String, String> options =
                ImmutableMap.<String, String>builder()
                        .put("useTicketCache", Utils.HIVE_SERVER2_RETRY_TRUE)
                        .put("renewTGT", Utils.HIVE_SERVER2_RETRY_TRUE);

        // An explicit location wins; otherwise fall back to the process environment.
        String effectiveCache = StringUtils.isBlank(ticketCache) ? System.getenv("KRB5CCNAME") : ticketCache;
        if (StringUtils.isNotBlank(effectiveCache)) {
            options.put("ticketCache", effectiveCache);
        }
        return createConfiguration(options);
    }

    /**
     * Builds the login options for a keytab login.
     *
     * <p>{@code storeKey} is set, which per the Krb5LoginModule documentation keeps the
     * principal's key in the subject's private credentials; treat subjects produced from this
     * configuration as holding long-term key material.
     */
    private static Configuration createLoginFromKeytabConfiguration(String principalName, String keytabLocation) {
        ImmutableMap.Builder<String, String> options =
                ImmutableMap.<String, String>builder()
                        .put("useKeyTab", Utils.HIVE_SERVER2_RETRY_TRUE)
                        .put("storeKey", Utils.HIVE_SERVER2_RETRY_TRUE)
                        .put("refreshKrb5Config", Utils.HIVE_SERVER2_RETRY_TRUE)
                        .put(JdbcConnectionParams.AUTH_PRINCIPAL, principalName)
                        .put("keyTab", keytabLocation);
        return createConfiguration(options);
    }

    /**
     * Finishes the option map and wraps it in a single-entry JAAS configuration.
     *
     * <p>The login module's {@code debug} option is added whenever this class's logger is at
     * DEBUG. NOTE(review): Krb5LoginModule writes its debug output itself rather than through
     * SLF4J, so enabling DEBUG here may expose principal, cache and keytab details outside the
     * normal log pipeline; confirm this is acceptable where DEBUG is turned on.
     */
    private static Configuration createConfiguration(ImmutableMap.Builder<String, String> builder) {
        if (LOG.isDebugEnabled()) {
            builder.put("debug", Utils.HIVE_SERVER2_RETRY_TRUE);
        }
        builder.put("doNotPrompt", Utils.HIVE_SERVER2_RETRY_TRUE);
        final ImmutableMap<String, String> options = builder.build();

        return new Configuration() {
            /** Returns the same Krb5LoginModule entry for every application name. */
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                AppConfigurationEntry entry =
                        new AppConfigurationEntry(
                                KERBEROS_LOGIN_MODULE,
                                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                                options);
                return new AppConfigurationEntry[] {entry};
            }
        };
    }
}
