package co.cask.cdap.security.impersonation;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.http.DefaultHttpRequestConfig;
import co.cask.cdap.common.internal.remote.RemoteClient;
import co.cask.cdap.proto.codec.EntityIdTypeAdapter;
import co.cask.cdap.proto.element.EntityType;
import co.cask.cdap.proto.id.NamespacedEntityId;
import co.cask.common.http.HttpMethod;
import co.cask.common.http.HttpRequest;
import co.cask.common.http.HttpResponse;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import com.google.inject.Inject;
import java.io.BufferedInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.twill.discovery.DiscoveryServiceClient;
import org.apache.twill.filesystem.Location;
import org.apache.twill.filesystem.LocationFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/impersonation/RemoteUGIProvider.class */
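/**
 * A UGI provider that obtains impersonation credentials from the "appfabric" service.
 *
 * <p>For each request it POSTs to {@code impersonation/credentials}, reads the Hadoop token
 * storage file at the location named in the response, attaches those credentials to a
 * remote-user {@link UserGroupInformation}, and finally deletes the credentials file.
 */
public class RemoteUGIProvider extends AbstractCachedUGIProvider {
    private static final Logger LOG = LoggerFactory.getLogger(RemoteUGIProvider.class);
    private static final Gson GSON = new GsonBuilder()
        .registerTypeAdapter(NamespacedEntityId.class, new EntityIdTypeAdapter())
        .create();
    private final RemoteClient remoteClient;
    private final LocationFactory locationFactory;

    @Inject
    RemoteUGIProvider(CConfiguration cConfiguration, DiscoveryServiceClient discoveryServiceClient, LocationFactory locationFactory, OwnerAdmin ownerAdmin) {
        super(cConfiguration, ownerAdmin);
        // NOTE(review): the `false` argument looks like it turns off TLS certificate verification
        // for calls to appfabric; confirm against DefaultHttpRequestConfig that this is intended,
        // since the response carries the path to a credentials file.
        this.remoteClient = new RemoteClient(discoveryServiceClient, "appfabric", new DefaultHttpRequestConfig(false), "/v1/");
        this.locationFactory = locationFactory;
    }

    /**
     * Builds a UGI for the requested principal from credentials issued by the remote service.
     *
     * @param impersonationRequest the entity, operation type and principal to impersonate
     * @return the remote-user UGI paired with the principal reported by the service
     * @throws IOException if the remote call fails, the response has no body, or the credentials
     *     file cannot be read
     */
    @Override
    protected UGIWithPrincipal createUGI(ImpersonationRequest impersonationRequest) throws IOException {
        // Only entity id, operation type and principal are forwarded; any other fields of the
        // incoming request are not sent to the remote service.
        ImpersonationRequest forwarded = new ImpersonationRequest(
            impersonationRequest.getEntityId(),
            impersonationRequest.getImpersonatedOpType(),
            impersonationRequest.getPrincipal());
        String responseBody = executeRequest(forwarded).getResponseBodyAsString();
        PrincipalCredentials principalCredentials = GSON.fromJson(responseBody, PrincipalCredentials.class);
        if (principalCredentials == null) {
            // Gson yields null for an empty or literal-null body; fail with a clear I/O error
            // instead of a NullPointerException further down.
            throw new IOException("Impersonation credentials response from AppFabric Service had no body.");
        }
        // NOTE(review): this logs PrincipalCredentials.toString(); check that it exposes nothing
        // more sensitive than the principal and the credentials path.
        LOG.debug("Received response: {}", principalCredentials);

        // The location is taken from the response as-is, so this code trusts the remote service
        // to name the file it wrote for this request.
        Location credentialsLocation = this.locationFactory.create(URI.create(principalCredentials.getCredentialsPath()));
        try {
            String principal = principalCredentials.getPrincipal();
            if (impersonationRequest.getImpersonatedOpType() == ImpersonatedOpType.EXPLORE) {
                // Explore operations use the Kerberos short name rather than the full principal.
                principal = new KerberosName(principal).getShortName();
            }
            UserGroupInformation ugi = UserGroupInformation.createRemoteUser(principal);
            ugi.addCredentials(readCredentials(credentialsLocation));
            return new UGIWithPrincipal(principalCredentials.getPrincipal(), ugi);
        } finally {
            // The credentials file is single-use: remove it whether or not it could be read.
            // A failed delete is only logged, so the token file can remain on the file system;
            // repeated warnings here are worth alerting on.
            try {
                if (!credentialsLocation.delete()) {
                    LOG.warn("Failed to delete location: {}", credentialsLocation);
                }
            } catch (IOException e) {
                LOG.warn("Exception raised when deleting location {}", credentialsLocation, e);
            }
        }
    }

    /**
     * Decides whether the UGI for this request may be cached.
     *
     * @return {@code false} only for an EXPLORE operation on a NAMESPACE entity, {@code true}
     *     otherwise
     */
    @Override
    protected boolean checkExploreAndDetermineCache(ImpersonationRequest impersonationRequest) throws IOException {
        boolean isNamespace = impersonationRequest.getEntityId().getEntityType().equals(EntityType.NAMESPACE);
        boolean isExplore = impersonationRequest.getImpersonatedOpType().equals(ImpersonatedOpType.EXPLORE);
        return !(isNamespace && isExplore);
    }

    /**
     * POSTs the request as JSON to {@code impersonation/credentials}.
     *
     * @return the response when its status code is 200
     * @throws IOException on any other status code, or if the call itself fails
     */
    private HttpResponse executeRequest(ImpersonationRequest impersonationRequest) throws IOException {
        HttpRequest request = this.remoteClient.requestBuilder(HttpMethod.POST, "impersonation/credentials")
            .withBody(GSON.toJson(impersonationRequest))
            .build();
        HttpResponse response = this.remoteClient.execute(request);
        if (response.getResponseCode() != 200) {
            throw new IOException(String.format("%s Response: %s.", createErrorMessage(request.getURL()), response));
        }
        return response;
    }

    /** Formats the common prefix for errors raised while calling the remote service. */
    private static String createErrorMessage(URL url) {
        return String.format("Error making request to AppFabric Service at %s.", url);
    }

    /**
     * Reads a Hadoop token storage file from the given location.
     *
     * @param location where the credentials file was written
     * @return the credentials parsed from the file
     * @throws IOException if the file cannot be opened or parsed
     */
    private static Credentials readCredentials(Location location) throws IOException {
        Credentials credentials = new Credentials();
        // try-with-resources closes the stream on every path and records a failing close() as a
        // suppressed exception instead of letting it replace the original read error.
        try (DataInputStream in = new DataInputStream(new BufferedInputStream(location.getInputStream()))) {
            credentials.readTokenStorageStream(in);
        }
        LOG.debug("Read credentials from {}", location);
        return credentials;
    }
}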
