package co.cask.cdap.common.kerberos;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.conf.Constants;
import co.cask.cdap.proto.id.KerberosPrincipalId;
import co.cask.cdap.proto.id.NamespacedEntityId;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Preconditions;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Objects;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nullable;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.twill.common.Threads;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/common/kerberos/SecurityUtil.class */
public final class SecurityUtil {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityUtil.class);

    private SecurityUtil() {
    }

    public static void enableKerberosLogin(CConfiguration cConfiguration) throws IOException {
        if (System.getProperty(Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG) != null) {
            LOG.warn("Environment variable '{}' was already set to {}. Not generating JAAS configuration.", Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG, System.getProperty(Constants.External.JavaSecurity.ENV_AUTH_LOGIN_CONFIG));
            return;
        }
        if (!isKerberosEnabled(cConfiguration)) {
            LOG.info("Kerberos login is not enabled. To enable Kerberos login, enable {} and configure {} and {}", new Object[]{Constants.Security.KERBEROS_ENABLED, Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL, Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH});
            return;
        }
        Preconditions.checkArgument(cConfiguration.get(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL) != null, "Kerberos authentication is enabled, but cdap.master.kerberos.principal is not configured");
        String expandPrincipal = expandPrincipal(cConfiguration.get(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL));
        Preconditions.checkArgument(cConfiguration.get(Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH) != null, "Kerberos authentication is enabled, but cdap.master.kerberos.keytab is not configured");
        File file = new File(cConfiguration.get(Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH));
        Preconditions.checkArgument(Files.isReadable(file.toPath()), "Keytab file is not a readable file: %s", new Object[]{file});
        LOG.info("Using Kerberos principal {} and keytab {}", expandPrincipal, file.getAbsolutePath());
        System.setProperty(Constants.External.Zookeeper.ENV_AUTH_PROVIDER_1, "org.apache.zookeeper.server.auth.SASLAuthenticationProvider");
        System.setProperty(Constants.External.Zookeeper.ENV_ALLOW_SASL_FAILED_CLIENTS, "true");
        System.setProperty("zookeeper.sasl.clientconfig", "Client");
        HashMap hashMap = new HashMap();
        hashMap.put("doNotPrompt", "true");
        hashMap.put("useKeyTab", "true");
        hashMap.put("useTicketCache", "false");
        hashMap.put(Constants.Security.PRINCIPAL, expandPrincipal);
        hashMap.put("keyTab", file.getAbsolutePath());
        final AppConfigurationEntry appConfigurationEntry = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, hashMap);
        Configuration.setConfiguration(new Configuration() { // from class: co.cask.cdap.common.kerberos.SecurityUtil.1
            public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
                return new AppConfigurationEntry[]{appConfigurationEntry};
            }
        });
    }

    @Nullable
    public static String expandPrincipal(@Nullable String str) throws UnknownHostException {
        if (str == null) {
            return str;
        }
        return str.replace("/_HOST@", "/" + InetAddress.getLocalHost().getCanonicalHostName() + "@");
    }

    public static boolean isKerberosEnabled(CConfiguration cConfiguration) {
        return cConfiguration.getBoolean(Constants.Security.KERBEROS_ENABLED, cConfiguration.getBoolean(Constants.Security.ENABLED));
    }

    public static String getMasterPrincipal(CConfiguration cConfiguration) {
        return cConfiguration.get(Constants.Security.CFG_CDAP_MASTER_KRB_PRINCIPAL);
    }

    public static String getMasterKeytabURI(CConfiguration cConfiguration) {
        return cConfiguration.get(Constants.Security.CFG_CDAP_MASTER_KRB_KEYTAB_PATH);
    }

    public static void loginForMasterService(CConfiguration cConfiguration) throws IOException, LoginException {
        String masterPrincipal = getMasterPrincipal(cConfiguration);
        String masterKeytabURI = getMasterKeytabURI(cConfiguration);
        if (UserGroupInformation.isSecurityEnabled()) {
            Path path = Paths.get(masterKeytabURI, new String[0]);
            Preconditions.checkArgument(Files.isReadable(path), "Keytab file is not a readable file: %s", new Object[]{path});
            String expandPrincipal = expandPrincipal(masterPrincipal);
            LOG.info("Logging in as: principal={}, keytab={}", masterPrincipal, masterKeytabURI);
            UserGroupInformation.loginUserFromKeytab(expandPrincipal, masterKeytabURI);
            long j = cConfiguration.getLong(Constants.Security.KERBEROS_KEYTAB_RELOGIN_INTERVAL);
            Executors.newSingleThreadScheduledExecutor(Threads.createDaemonThreadFactory("Kerberos keytab renewal")).scheduleWithFixedDelay(new Runnable() { // from class: co.cask.cdap.common.kerberos.SecurityUtil.2
                @Override // java.lang.Runnable
                public void run() {
                    try {
                        UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
                    } catch (IOException e) {
                        SecurityUtil.LOG.error("Failed to relogin from keytab", e);
                    }
                }
            }, j, j, TimeUnit.SECONDS);
        }
    }

    public static KerberosName getKerberosName(KerberosPrincipalId kerberosPrincipalId) {
        return new KerberosName(kerberosPrincipalId.getPrincipal());
    }

    public static void validateKerberosPrincipal(KerberosPrincipalId kerberosPrincipalId) {
        getKerberosName(kerberosPrincipalId);
    }

    public static void validateKerberosPrincipal(String str) {
        validateKerberosPrincipal(new KerberosPrincipalId(str));
    }

    static String getKeytabURIforPrincipal(String str, CConfiguration cConfiguration) throws IOException {
        String raw = cConfiguration.getRaw(Constants.Security.KEYTAB_PATH);
        Preconditions.checkNotNull(raw, String.format("Failed to get a valid keytab path. Please ensure that you have specified %s in cdap-site.xml", Constants.Security.KEYTAB_PATH));
        return raw.replace(Constants.USER_NAME_SPECIFIER, new KerberosName(str).getShortName());
    }

    public static ImpersonationInfo createImpersonationInfo(OwnerAdmin ownerAdmin, CConfiguration cConfiguration, NamespacedEntityId namespacedEntityId) throws IOException {
        ImpersonationInfo impersonationInfo = ownerAdmin.getImpersonationInfo(namespacedEntityId);
        return impersonationInfo == null ? new ImpersonationInfo(getMasterPrincipal(cConfiguration), getMasterKeytabURI(cConfiguration)) : impersonationInfo;
    }

    public static void verifyOwnerPrincipal(NamespacedEntityId namespacedEntityId, @Nullable String str, OwnerAdmin ownerAdmin) throws IOException, UnauthorizedException {
        if ((str != null || ownerAdmin.getOwnerPrincipal(namespacedEntityId) != null) && !Objects.equals(str, ownerAdmin.getImpersonationPrincipal(namespacedEntityId))) {
            throw new UnauthorizedException(String.format("%s '%s' already exists and the specified %s '%s' is not the same as the existing one. The %s of an entity cannot be changed.", namespacedEntityId.getEntityType(), namespacedEntityId.getEntityName(), Constants.Security.PRINCIPAL, str, Constants.Security.PRINCIPAL));
        }
    }
}
