package co.cask.cdap.security.impersonation;

import co.cask.cdap.common.FeatureDisabledException;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.kerberos.ImpersonatedOpType;
import co.cask.cdap.common.kerberos.ImpersonationInfo;
import co.cask.cdap.common.kerberos.ImpersonationRequest;
import co.cask.cdap.common.kerberos.OwnerAdmin;
import co.cask.cdap.common.kerberos.SecurityUtil;
import co.cask.cdap.common.kerberos.UGIWithPrincipal;
import co.cask.cdap.common.namespace.NamespaceQueryAdmin;
import co.cask.cdap.common.utils.DirUtils;
import co.cask.cdap.common.utils.FileUtils;
import co.cask.cdap.proto.NamespaceConfig;
import co.cask.cdap.proto.element.EntityType;
import com.google.inject.Inject;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.twill.filesystem.Location;
import org.apache.twill.filesystem.LocationFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/impersonation/DefaultUGIProvider.class */
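/**
 * Creates {@link UserGroupInformation} instances for impersonation by logging in from a Kerberos
 * keytab. A keytab referenced by a non-local URI is first copied ("localized") into a temporary
 * directory and removed again once the login attempt has finished.
 *
 * <p>A keytab is long-lived credential material: anyone who can read it can authenticate as the
 * principal it belongs to. The localized copy is therefore created with the
 * {@code FileUtils.OWNER_ONLY_RW} attributes and is deleted on both the success and the failure
 * path, so copies do not accumulate on local disk.
 */
public class DefaultUGIProvider extends AbstractCachedUGIProvider {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultUGIProvider.class);
    private final LocationFactory locationFactory;
    private final File tempDir;
    private final OwnerAdmin ownerAdmin;
    private final NamespaceQueryAdmin namespaceQueryAdmin;

    /**
     * Wires the collaborators and resolves the directory used for localized keytabs from the
     * {@code local.data.dir} and {@code app.temp.dir} configuration entries.
     */
    @Inject
    DefaultUGIProvider(CConfiguration cConfiguration, LocationFactory locationFactory, OwnerAdmin ownerAdmin, NamespaceQueryAdmin namespaceQueryAdmin) {
        super(cConfiguration);
        this.locationFactory = locationFactory;
        this.tempDir = new File(cConfiguration.get("local.data.dir"), cConfiguration.get("app.temp.dir")).getAbsoluteFile();
        this.ownerAdmin = ownerAdmin;
        this.namespaceQueryAdmin = namespaceQueryAdmin;
    }

    /**
     * Builds the UGI for the entity named in the request.
     *
     * <p>For an EXPLORE operation on a namespace, the namespace configuration must have
     * explore-as-principal enabled; otherwise a {@link FeatureDisabledException} is raised and,
     * like every other non-I/O failure of that lookup, surfaces wrapped in an {@link IOException}.
     * If the current user's short name already matches the target principal, the current UGI is
     * returned and no keytab is touched.
     *
     * @param impersonationRequest the entity and operation type to impersonate for
     * @return the principal together with a UGI logged in as that principal
     * @throws IOException if the namespace lookup fails, the keytab cannot be localized or read,
     *     or the keytab login fails
     */
    @Override
    protected UGIWithPrincipal createUGI(ImpersonationRequest impersonationRequest) throws IOException {
        boolean exploreOnNamespace = impersonationRequest.getEntityId().getEntityType().equals(EntityType.NAMESPACE)
            && impersonationRequest.getImpersonatedOpType().equals(ImpersonatedOpType.EXPLORE);
        if (exploreOnNamespace) {
            try {
                boolean exploreAsPrincipal = this.namespaceQueryAdmin
                    .get(impersonationRequest.getEntityId().getNamespaceId())
                    .getConfig()
                    .isExploreAsPrincipal();
                if (!exploreAsPrincipal) {
                    throw new FeatureDisabledException(FeatureDisabledException.Feature.EXPLORE, NamespaceConfig.class.getSimpleName() + " of " + impersonationRequest.getEntityId(), "explore.as.principal", String.valueOf(true));
                }
            } catch (IOException e) {
                throw e;
            } catch (Exception e) {
                // Includes the FeatureDisabledException above: callers only see IOException.
                throw new IOException(e);
            }
        }

        ImpersonationInfo info = SecurityUtil.createImpersonationInfo(this.ownerAdmin, this.cConf, impersonationRequest.getEntityId());
        LOG.debug("Obtained impersonation info: {} for entity {}", info, impersonationRequest.getEntityId());

        // Already running as the target principal: reuse the current UGI, no keytab login needed.
        String targetShortName = new KerberosName(info.getPrincipal()).getShortName();
        if (UserGroupInformation.getCurrentUser().getShortUserName().equals(targetShortName)) {
            return new UGIWithPrincipal(info.getPrincipal(), UserGroupInformation.getCurrentUser());
        }

        URI keytabUri = URI.create(info.getKeytabURI());
        boolean isLocalKeytab = keytabUri.getScheme() == null || "file".equals(keytabUri.getScheme());
        File keytabFile = isLocalKeytab
            ? new File(keytabUri.getPath())
            : localizeKeytab(this.locationFactory.create(keytabUri));
        try {
            String expandedPrincipal = SecurityUtil.expandPrincipal(info.getPrincipal());
            // Only the principal and the keytab path are logged, never keytab contents.
            LOG.debug("Logging in as: principal={}, keytab={}", expandedPrincipal, keytabFile);
            if (!Files.isReadable(keytabFile.toPath())) {
                throw new IOException(String.format("Keytab file is not a readable file: %s", keytabFile));
            }
            UserGroupInformation loggedIn = UserGroupInformation.loginUserFromKeytabAndReturnUGI(expandedPrincipal, keytabFile.getAbsolutePath());
            return new UGIWithPrincipal(info.getPrincipal(), loggedIn);
        } finally {
            // Remove only the copy this class made; a keytab referenced in place is left alone.
            if (!isLocalKeytab && !keytabFile.delete()) {
                LOG.warn("Failed to delete file: {}", keytabFile);
            }
        }
    }

    /**
     * Copies the keytab at {@code location} into a fresh temporary file under {@link #tempDir}.
     *
     * <p>The temporary file is created with the {@code FileUtils.OWNER_ONLY_RW} attributes before
     * any data is written to it. If opening or copying the source fails, the temporary file is
     * deleted again so that an empty or partially written keytab copy is not left behind.
     *
     * @param location the remote keytab to copy
     * @return the local copy; the caller is responsible for deleting it after use
     * @throws IOException if the temporary directory or file cannot be created, or the copy fails
     */
    private File localizeKeytab(Location location) throws IOException {
        if (!DirUtils.mkdirs(this.tempDir)) {
            throw new IOException(String.format("Could not create temporary directory at %s, while localizing keytab", this.tempDir));
        }
        Path localized = Files.createTempFile(this.tempDir.toPath(), null, "keytab.localized", FileUtils.OWNER_ONLY_RW);
        LOG.debug("Copying keytab file from {} to {}", location, localized);
        try (InputStream keytabStream = location.getInputStream()) {
            Files.copy(keytabStream, localized, StandardCopyOption.REPLACE_EXISTING);
            return localized.toFile();
        } catch (IOException | RuntimeException e) {
            // The caller never receives this path on failure, so clean up here.
            try {
                Files.deleteIfExists(localized);
            } catch (IOException cleanupFailure) {
                e.addSuppressed(cleanupFailure);
                LOG.warn("Failed to delete file: {}", localized);
            }
            throw e;
        }
    }
}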
