package co.cask.cdap.security.impersonation;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.NamespacedEntityId;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Throwables;
import com.google.inject.Inject;
import java.io.IOException;
import java.util.concurrent.Callable;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/impersonation/DefaultImpersonator.class */
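/**
 * Default {@link Impersonator} that runs a {@link Callable} as the user configured for a
 * namespaced entity.
 *
 * <p>No impersonation happens when Kerberos is disabled or when the entity belongs to the system
 * namespace; the current user's UGI is used in both cases. Otherwise the UGI is obtained from the
 * {@link UGIProvider}, and is handed out only if the calling user is either the configured master
 * user or already the user being impersonated.
 */
public class DefaultImpersonator implements Impersonator {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultImpersonator.class);
    private final UGIProvider ugiProvider;
    private final boolean kerberosEnabled;
    // Short name of the master principal, or null when no master principal is configured.
    // Final because it is part of the impersonation authorization check in getUGI and must not
    // change after construction.
    private final String masterShortUsername;

    /**
     * Creates the impersonator from configuration.
     *
     * @param cConfiguration configuration read for the Kerberos-enabled flag and the master principal
     * @param uGIProvider provider of the UGI to impersonate for a given request
     * @throws RuntimeException wrapping the {@link IOException} raised when the master principal
     *     cannot be converted to a short name
     */
    @VisibleForTesting
    @Inject
    public DefaultImpersonator(CConfiguration cConfiguration, UGIProvider uGIProvider) {
        this.ugiProvider = uGIProvider;
        this.kerberosEnabled = SecurityUtil.isKerberosEnabled(cConfiguration);
        String masterPrincipal = SecurityUtil.getMasterPrincipal(cConfiguration);
        this.masterShortUsername = masterPrincipal == null ? null : toShortName(masterPrincipal);
    }

    /** Converts a Kerberos principal to its short name, rethrowing any failure unchecked. */
    private static String toShortName(String principal) {
        try {
            return new KerberosName(principal).getShortName();
        } catch (IOException e) {
            // Fail construction explicitly: a silently missing master short name would change the
            // outcome of the authorization check in getUGI.
            throw Throwables.propagate(e);
        }
    }

    /**
     * Runs {@code callable} as the user configured for the entity, using
     * {@link ImpersonatedOpType#OTHER} as the operation type.
     *
     * @throws Exception whatever the three-argument overload throws
     */
    @Override
    public <T> T doAs(NamespacedEntityId namespacedEntityId, Callable<T> callable) throws Exception {
        return doAs(namespacedEntityId, callable, ImpersonatedOpType.OTHER);
    }

    /**
     * Runs {@code callable} as the user configured for the entity and operation type.
     *
     * @throws IllegalStateException if the current user is not allowed to impersonate the
     *     configured user (see {@link #getUGI(NamespacedEntityId, ImpersonatedOpType)})
     * @throws Exception anything raised while resolving the UGI or by the delegated call
     */
    @Override
    @SuppressWarnings("unchecked")
    public <T> T doAs(NamespacedEntityId namespacedEntityId, Callable<T> callable, ImpersonatedOpType impersonatedOpType) throws Exception {
        UserGroupInformation ugi = getUGI(namespacedEntityId, impersonatedOpType);
        // Only log when the call actually switches identity.
        if (!UserGroupInformation.getCurrentUser().equals(ugi)) {
            LOG.debug("Performing doAs with UGI {} for entity {} and impersonation operation type {}", new Object[]{ugi, namespacedEntityId, impersonatedOpType});
        }
        // Cast kept from the original: the declared return type of ImpersonationUtils.doAs is not
        // visible in this file.
        return (T) ImpersonationUtils.doAs(ugi, callable);
    }

    /**
     * Returns the UGI to use for the entity, with {@link ImpersonatedOpType#OTHER} as the
     * operation type.
     *
     * @throws IOException if the current user or the configured UGI cannot be resolved
     * @throws IllegalStateException if the current user may not impersonate the configured user
     */
    @Override
    public UserGroupInformation getUGI(NamespacedEntityId namespacedEntityId) throws IOException {
        return getUGI(namespacedEntityId, ImpersonatedOpType.OTHER);
    }

    /**
     * Resolves the UGI for the entity and enforces who may obtain it.
     *
     * <p>The check compares short user names: the caller must be the master user or must already
     * be the user that would be impersonated. When no master principal is configured the master
     * name is null, so only the second condition can match.
     */
    private UserGroupInformation getUGI(NamespacedEntityId namespacedEntityId, ImpersonatedOpType impersonatedOpType) throws IOException {
        if (!this.kerberosEnabled || NamespaceId.SYSTEM.equals(namespacedEntityId.getNamespaceId())) {
            return UserGroupInformation.getCurrentUser();
        }
        UserGroupInformation ugi = this.ugiProvider.getConfiguredUGI(new ImpersonationRequest(namespacedEntityId, impersonatedOpType)).getUGI();
        // Resolve the caller once so the identity that is checked is the one that is reported.
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        String currentShortName = currentUser.getShortUserName();
        if (currentShortName.equals(this.masterShortUsername) || currentShortName.equals(ugi.getShortUserName())) {
            return ugi;
        }
        throw new IllegalStateException(String.format("Invalid impersonation request made by the system. User %s is not allowed to impersonate user %s.", currentUser, ugi));
    }
}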
