package org.apache.kafka.common.security.kerberos;

import io.axual.client.proxy.header.serde.HeaderSerializerConfig;
import java.util.Arrays;
import java.util.Date;
import java.util.Map;
import java.util.Random;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.JaasUtils;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.authenticator.AbstractLogin;
import org.apache.kafka.common.utils.KafkaThread;
import org.apache.kafka.common.utils.Shell;
import org.apache.kafka.common.utils.Time;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kafka/common/security/kerberos/KerberosLogin.class */
public class KerberosLogin extends AbstractLogin {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) KerberosLogin.class);
    private static final Random RNG = new Random();
    private final Time time = Time.SYSTEM;
    private Thread t;
    private boolean isKrbTicket;
    private boolean isUsingTicketCache;
    private String principal;
    private double ticketRenewWindowFactor;
    private double ticketRenewJitter;
    private long minTimeBeforeRelogin;
    private String kinitCmd;
    private volatile Subject subject;
    private LoginContext loginContext;
    private String serviceName;
    private long lastLogin;

    @Override // org.apache.kafka.common.security.authenticator.AbstractLogin, org.apache.kafka.common.security.auth.Login
    public void configure(Map<String, ?> map, String str, Configuration configuration, AuthenticateCallbackHandler authenticateCallbackHandler) {
        super.configure(map, str, configuration, authenticateCallbackHandler);
        this.ticketRenewWindowFactor = ((Double) map.get(SaslConfigs.SASL_KERBEROS_TICKET_RENEW_WINDOW_FACTOR)).doubleValue();
        this.ticketRenewJitter = ((Double) map.get(SaslConfigs.SASL_KERBEROS_TICKET_RENEW_JITTER)).doubleValue();
        this.minTimeBeforeRelogin = ((Long) map.get(SaslConfigs.SASL_KERBEROS_MIN_TIME_BEFORE_RELOGIN)).longValue();
        this.kinitCmd = (String) map.get(SaslConfigs.SASL_KERBEROS_KINIT_CMD);
        this.serviceName = getServiceName(map, str, configuration);
    }

    @Override // org.apache.kafka.common.security.authenticator.AbstractLogin, org.apache.kafka.common.security.auth.Login
    public LoginContext login() throws LoginException {
        this.lastLogin = currentElapsedTime();
        this.loginContext = super.login();
        this.subject = this.loginContext.getSubject();
        this.isKrbTicket = !this.subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
        AppConfigurationEntry[] appConfigurationEntry = configuration().getAppConfigurationEntry(contextName());
        if (appConfigurationEntry.length == 0) {
            this.isUsingTicketCache = false;
            this.principal = null;
        } else {
            AppConfigurationEntry appConfigurationEntry2 = appConfigurationEntry[0];
            if (appConfigurationEntry2.getOptions().get("useTicketCache") != null) {
                this.isUsingTicketCache = ((String) appConfigurationEntry2.getOptions().get("useTicketCache")).equals(HeaderSerializerConfig.ENABLE_VALUE_HEADERS_TRUE);
            } else {
                this.isUsingTicketCache = false;
            }
            if (appConfigurationEntry2.getOptions().get("principal") != null) {
                this.principal = (String) appConfigurationEntry2.getOptions().get("principal");
            } else {
                this.principal = null;
            }
        }
        if (!this.isKrbTicket) {
            log.debug("[Principal={}]: It is not a Kerberos ticket", this.principal);
            this.t = null;
            return this.loginContext;
        }
        log.debug("[Principal={}]: It is a Kerberos ticket", this.principal);
        this.t = KafkaThread.daemon(String.format("kafka-kerberos-refresh-thread-%s", this.principal), () -> {
            long j;
            Date date;
            log.info("[Principal={}]: TGT refresh thread started.", this.principal);
            while (true) {
                KerberosTicket tgt = getTGT();
                long currentWallTime = currentWallTime();
                if (tgt == null) {
                    j = currentWallTime + this.minTimeBeforeRelogin;
                    date = new Date(j);
                    log.warn("[Principal={}]: No TGT found: will try again at {}", this.principal, date);
                } else {
                    long refreshTime = getRefreshTime(tgt);
                    long time = tgt.getEndTime().getTime();
                    Date date2 = new Date(time);
                    if (this.isUsingTicketCache && tgt.getRenewTill() != null && tgt.getRenewTill().getTime() < time) {
                        log.warn("The TGT cannot be renewed beyond the next expiry date: {}.This process will not be able to authenticate new SASL connections after that time (for example, it will not be able to authenticate a new connection with a Kafka Broker).  Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife {} ' within kadmin, or instead, to generate a keytab for {}. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now.", date2, this.principal, this.principal);
                        return;
                    }
                    if (refreshTime > time || currentWallTime + this.minTimeBeforeRelogin > time) {
                        log.info("[Principal={}]: Refreshing now because expiry is before next scheduled refresh time.", this.principal);
                        j = currentWallTime;
                    } else {
                        if (refreshTime < currentWallTime + this.minTimeBeforeRelogin) {
                            log.warn("[Principal={}]: TGT refresh thread time adjusted from {} to {} since the former is sooner than the minimum refresh interval ({} seconds) from now.", this.principal, new Date(refreshTime), new Date(currentWallTime + this.minTimeBeforeRelogin), Long.valueOf(this.minTimeBeforeRelogin / 1000));
                        }
                        j = Math.max(refreshTime, currentWallTime + this.minTimeBeforeRelogin);
                    }
                    date = new Date(j);
                    if (j > time) {
                        log.error("[Principal={}]: Next refresh: {} is later than expiry {}. This may indicate a clock skew problem.Check that this host and the KDC hosts' clocks are in sync. Exiting refresh thread.", this.principal, date, date2);
                        return;
                    }
                }
                if (currentWallTime >= j) {
                    log.error("[Principal={}]: NextRefresh: {} is in the past: exiting refresh thread. Check clock sync between this host and KDC - (KDC's clock is likely ahead of this host). Manual intervention will be required for this client to successfully authenticate. Exiting refresh thread.", this.principal, date);
                    return;
                }
                log.info("[Principal={}]: TGT refresh sleeping until: {}", this.principal, new Date(j));
                try {
                    Thread.sleep(j - currentWallTime);
                    if (this.isUsingTicketCache) {
                        int i = 1;
                        while (i >= 0) {
                            try {
                                log.debug("[Principal={}]: Running ticket cache refresh command: {} {}", this.principal, this.kinitCmd, "-R");
                                Shell.execCommand(this.kinitCmd, "-R");
                                break;
                            } catch (Exception e) {
                                if (i <= 0) {
                                    log.warn("[Principal={}]: Could not renew TGT due to problem running shell command: '{} {}'. Exiting refresh thread.", this.principal, this.kinitCmd, "-R", e);
                                    return;
                                }
                                log.warn("[Principal={}]: Error when trying to renew with TicketCache, but will retry ", this.principal, e);
                                i--;
                                try {
                                    Thread.sleep(10000L);
                                } catch (InterruptedException e2) {
                                    log.error("[Principal={}]: Interrupted while renewing TGT, exiting Login thread", this.principal);
                                    return;
                                }
                            }
                        }
                    }
                    int i2 = 1;
                    while (i2 >= 0) {
                        try {
                            try {
                                reLogin();
                                break;
                            } catch (LoginException e3) {
                                if (i2 > 0) {
                                    log.warn("[Principal={}]: Error when trying to re-Login, but will retry ", this.principal, e3);
                                    i2--;
                                    try {
                                        Thread.sleep(10000L);
                                    } catch (InterruptedException e4) {
                                        log.error("[Principal={}]: Interrupted during login retry after LoginException:", this.principal, e3);
                                        throw e3;
                                    }
                                } else {
                                    log.error("[Principal={}]: Could not refresh TGT.", this.principal, e3);
                                }
                            }
                        } catch (LoginException e5) {
                            log.error("[Principal={}]: Failed to refresh TGT: refresh thread exiting now.", this.principal, e5);
                            return;
                        }
                    }
                } catch (InterruptedException e6) {
                    log.warn("[Principal={}]: TGT renewal thread has been interrupted and will exit.", this.principal);
                    return;
                }
            }
        });
        this.t.start();
        return this.loginContext;
    }

    @Override // org.apache.kafka.common.security.auth.Login
    public void close() {
        if (this.t == null || !this.t.isAlive()) {
            return;
        }
        this.t.interrupt();
        try {
            this.t.join();
        } catch (InterruptedException e) {
            log.warn("[Principal={}]: Error while waiting for Login thread to shutdown.", this.principal, e);
            Thread.currentThread().interrupt();
        }
    }

    @Override // org.apache.kafka.common.security.authenticator.AbstractLogin, org.apache.kafka.common.security.auth.Login
    public Subject subject() {
        return this.subject;
    }

    @Override // org.apache.kafka.common.security.auth.Login
    public String serviceName() {
        return this.serviceName;
    }

    private static String getServiceName(Map<String, ?> map, String str, Configuration configuration) {
        String configEntryOption = JaasContext.configEntryOption(Arrays.asList(configuration.getAppConfigurationEntry(str)), JaasUtils.SERVICE_NAME, null);
        String str2 = (String) map.get(SaslConfigs.SASL_KERBEROS_SERVICE_NAME);
        if (configEntryOption != null && str2 != null && !configEntryOption.equals(str2)) {
            throw new IllegalArgumentException(String.format("Conflicting serviceName values found in JAAS and Kafka configs value in JAAS file %s, value in Kafka config %s", configEntryOption, str2));
        }
        if (configEntryOption != null) {
            return configEntryOption;
        }
        if (str2 != null) {
            return str2;
        }
        throw new IllegalArgumentException("No serviceName defined in either JAAS or Kafka config");
    }

    private long getRefreshTime(KerberosTicket kerberosTicket) {
        long time = kerberosTicket.getStartTime().getTime();
        long time2 = kerberosTicket.getEndTime().getTime();
        log.info("[Principal={}]: TGT valid starting at: {}", this.principal, kerberosTicket.getStartTime());
        log.info("[Principal={}]: TGT expires: {}", this.principal, kerberosTicket.getEndTime());
        long nextDouble = time + ((long) ((time2 - time) * (this.ticketRenewWindowFactor + (this.ticketRenewJitter * RNG.nextDouble()))));
        return nextDouble > time2 ? currentWallTime() : nextDouble;
    }

    private KerberosTicket getTGT() {
        for (KerberosTicket kerberosTicket : this.subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = kerberosTicket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                log.debug("Found TGT with client principal '{}' and server principal '{}'.", kerberosTicket.getClient().getName(), kerberosTicket.getServer().getName());
                return kerberosTicket;
            }
        }
        return null;
    }

    private boolean hasSufficientTimeElapsed() {
        if (currentElapsedTime() - this.lastLogin >= this.minTimeBeforeRelogin) {
            return true;
        }
        log.warn("[Principal={}]: Not attempting to re-login since the last re-login was attempted less than {} seconds before.", this.principal, Long.valueOf(this.minTimeBeforeRelogin / 1000));
        return false;
    }

    private void reLogin() throws LoginException {
        if (this.isKrbTicket) {
            if (this.loginContext == null) {
                throw new LoginException("Login must be done first");
            }
            if (hasSufficientTimeElapsed()) {
                synchronized (KerberosLogin.class) {
                    log.info("Initiating logout for {}", this.principal);
                    this.lastLogin = currentElapsedTime();
                    this.loginContext.logout();
                    this.loginContext = new LoginContext(contextName(), this.subject, (CallbackHandler) null, configuration());
                    log.info("Initiating re-login for {}", this.principal);
                    this.loginContext.login();
                }
            }
        }
    }

    private long currentElapsedTime() {
        return this.time.hiResClockMs();
    }

    private long currentWallTime() {
        return this.time.milliseconds();
    }
}
