package com.twitter.finagle.http;

import com.twitter.util.Future;
import com.twitter.util.FuturePool;
import com.twitter.util.FuturePool$;
import com.twitter.util.Time$;
import java.security.PrivilegedAction;
import java.util.concurrent.locks.StampedLock;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Some;
import scala.collection.IterableOnceOps;
import scala.collection.JavaConverters$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.runtime.ScalaRunTime$;

/* compiled from: SpnegoAuthenticator.scala */
/* loaded from: input_file:com/twitter/finagle/http/SpnegoAuthenticator$Credentials$JAAS.class */
public interface SpnegoAuthenticator$Credentials$JAAS {
    void com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$_setter_$com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock_$eq(StampedLock stampedLock);

    void com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$_setter_$com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$createContextAction_$eq(PrivilegedAction<GSSContext> privilegedAction);

    Option<LoginContext> com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption();

    void com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption_$eq(Option<LoginContext> option);

    StampedLock com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock();

    String loginContext();

    default Future<GSSContext> load() {
        return pool().apply(() -> {
            SpnegoAuthenticator$.MODULE$.com$twitter$finagle$http$SpnegoAuthenticator$$log().debug("Getting context: %s", ScalaRunTime$.MODULE$.genericWrapArray(new Object[]{this.loginContext()}));
            long readLock = this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock().readLock();
            boolean z = false;
            while (!z) {
                try {
                    try {
                        if (this.isLoginValid(this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption())) {
                            break;
                        }
                        long tryConvertToWriteLock = this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock().tryConvertToWriteLock(readLock);
                        if (tryConvertToWriteLock != 0) {
                            readLock = tryConvertToWriteLock;
                            this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption().foreach(loginContext -> {
                                loginContext.logout();
                                return BoxedUnit.UNIT;
                            });
                            this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption_$eq(new Some(new LoginContext(this.loginContext())));
                            ((LoginContext) this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption().get()).login();
                            z = true;
                        } else {
                            this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock().unlockRead(readLock);
                            readLock = this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock().writeLock();
                        }
                    } catch (LoginException e) {
                        SpnegoAuthenticator$.MODULE$.com$twitter$finagle$http$SpnegoAuthenticator$$log().debug(e, "Could not create LoginContext in JAAS.load().", ScalaRunTime$.MODULE$.genericWrapArray(new Object[0]));
                        throw e;
                    }
                } catch (Throwable th) {
                    this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock().unlock(readLock);
                    throw th;
                }
            }
            this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock().unlock(readLock);
            return (GSSContext) this.subjectDoAction(this.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$createContextAction());
        });
    }

    PrivilegedAction<GSSContext> com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$createContextAction();

    default <T> T subjectDoAction(PrivilegedAction<T> privilegedAction) {
        long readLock = com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock().readLock();
        try {
            return (T) Subject.doAs(getSubject(), privilegedAction);
        } finally {
            com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock().unlockRead(readLock);
        }
    }

    default boolean isLoginValid(Option<LoginContext> option) {
        return option.exists(loginContext -> {
            return BoxesRunTime.boxToBoolean($anonfun$isLoginValid$1(this, loginContext));
        });
    }

    private default Option<KerberosTicket> getTicketGrantingTicket(LoginContext loginContext) {
        return Option$.MODULE$.apply(loginContext.getSubject()).flatMap(subject -> {
            return ((IterableOnceOps) JavaConverters$.MODULE$.asScalaSetConverter(subject.getPrivateCredentials(KerberosTicket.class)).asScala()).toSet().find(kerberosTicket -> {
                return BoxesRunTime.boxToBoolean($anonfun$getTicketGrantingTicket$2(kerberosTicket));
            });
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    default boolean withinValidTimeWindow(KerberosTicket kerberosTicket) {
        return Time$.MODULE$.now().$plus(SpnegoAuthenticator$Credentials$JAAS$.MODULE$.PortalLoginExpirationBuffer()).$less(Time$.MODULE$.apply(kerberosTicket.getEndTime()));
    }

    private default Subject getSubject() {
        Some com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption = com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption();
        if (com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption instanceof Some) {
            return ((LoginContext) com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption.value()).getSubject();
        }
        if (None$.MODULE$.equals(com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption)) {
            throw new RuntimeException("Must call 'load' before 'getSubject'");
        }
        throw new MatchError(com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption);
    }

    GSSContext createGSSContext();

    default Option<GSSName> selfPrincipal() {
        return None$.MODULE$;
    }

    default int lifetime() {
        return 0;
    }

    default Oid mechanism() {
        return SpnegoAuthenticator$Credentials$JAAS$.MODULE$.Krb5Mechanism();
    }

    default GSSManager manager() {
        return GSSManager.getInstance();
    }

    default FuturePool pool() {
        return FuturePool$.MODULE$.unboundedPool();
    }

    static /* synthetic */ boolean $anonfun$isLoginValid$1(SpnegoAuthenticator$Credentials$JAAS spnegoAuthenticator$Credentials$JAAS, LoginContext loginContext) {
        return spnegoAuthenticator$Credentials$JAAS.getTicketGrantingTicket(loginContext).exists(kerberosTicket -> {
            return BoxesRunTime.boxToBoolean(spnegoAuthenticator$Credentials$JAAS.withinValidTimeWindow(kerberosTicket));
        });
    }

    static /* synthetic */ boolean $anonfun$getTicketGrantingTicket$2(KerberosTicket kerberosTicket) {
        return kerberosTicket.getServer().getName().startsWith("krbtgt/");
    }

    static void $init$(final SpnegoAuthenticator$Credentials$JAAS spnegoAuthenticator$Credentials$JAAS) {
        spnegoAuthenticator$Credentials$JAAS.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$portalOption_$eq(None$.MODULE$);
        spnegoAuthenticator$Credentials$JAAS.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$_setter_$com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$lock_$eq(new StampedLock());
        spnegoAuthenticator$Credentials$JAAS.com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$_setter_$com$twitter$finagle$http$SpnegoAuthenticator$Credentials$JAAS$$createContextAction_$eq(new PrivilegedAction<GSSContext>(spnegoAuthenticator$Credentials$JAAS) { // from class: com.twitter.finagle.http.SpnegoAuthenticator$Credentials$JAAS$$anon$1
            private final /* synthetic */ SpnegoAuthenticator$Credentials$JAAS $outer;

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public GSSContext run() {
                return this.$outer.createGSSContext();
            }

            {
                if (spnegoAuthenticator$Credentials$JAAS == null) {
                    throw null;
                }
                this.$outer = spnegoAuthenticator$Credentials$JAAS;
            }
        });
    }
}
