package org.apache.accumulo.server.security.handler;

import com.google.common.collect.Sets;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.accumulo.core.client.AccumuloSecurityException;
import org.apache.accumulo.core.client.impl.DelegationTokenImpl;
import org.apache.accumulo.core.client.impl.thrift.SecurityErrorCode;
import org.apache.accumulo.core.client.impl.thrift.ThriftSecurityException;
import org.apache.accumulo.core.client.security.tokens.AuthenticationToken;
import org.apache.accumulo.core.client.security.tokens.KerberosToken;
import org.apache.accumulo.core.conf.AccumuloConfiguration;
import org.apache.accumulo.core.conf.SiteConfiguration;
import org.apache.accumulo.core.security.thrift.TCredentials;
import org.apache.accumulo.core.util.Base64;
import org.apache.accumulo.fate.zookeeper.ZooUtil;
import org.apache.accumulo.server.rpc.UGIAssumingProcessor;
import org.apache.accumulo.server.security.SystemCredentials;
import org.apache.accumulo.server.security.UserImpersonation;
import org.apache.accumulo.server.zookeeper.ZooCache;
import org.apache.accumulo.server.zookeeper.ZooReaderWriter;
import org.apache.zookeeper.KeeperException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/accumulo/server/security/handler/KerberosAuthenticator.class */
public class KerberosAuthenticator implements Authenticator {
    private static final Logger log = LoggerFactory.getLogger(KerberosAuthenticator.class);
    private static final Set<Class<? extends AuthenticationToken>> SUPPORTED_TOKENS = Sets.newHashSet(Arrays.asList(KerberosToken.class, SystemCredentials.SystemToken.class));
    private static final Set<String> SUPPORTED_TOKEN_NAMES = Sets.newHashSet(new String[]{KerberosToken.class.getName(), SystemCredentials.SystemToken.class.getName()});
    private final ZKAuthenticator zkAuthenticator;
    private String zkUserPath;
    private final ZooCache zooCache;
    private final UserImpersonation impersonation;

    public KerberosAuthenticator() {
        this(new ZooCache(), SiteConfiguration.getInstance());
    }

    public KerberosAuthenticator(ZooCache zooCache, AccumuloConfiguration accumuloConfiguration) {
        this.zkAuthenticator = new ZKAuthenticator();
        this.zooCache = zooCache;
        this.impersonation = new UserImpersonation(accumuloConfiguration);
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public void initialize(String str, boolean z) {
        this.zkAuthenticator.initialize(str, z);
        this.zkUserPath = "/accumulo/" + str + "/users";
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public boolean validSecurityHandlers(Authorizor authorizor, PermissionHandler permissionHandler) {
        return true;
    }

    private void createUserNodeInZk(String str) throws KeeperException, InterruptedException {
        synchronized (this.zooCache) {
            this.zooCache.clear();
            ZooReaderWriter.getInstance().putPrivatePersistentData(this.zkUserPath + "/" + str, new byte[0], ZooUtil.NodeExistsPolicy.FAIL);
        }
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public void initializeSecurity(TCredentials tCredentials, String str, byte[] bArr) throws AccumuloSecurityException, ThriftSecurityException {
        try {
            ZooReaderWriter zooReaderWriter = ZooReaderWriter.getInstance();
            synchronized (this.zooCache) {
                this.zooCache.clear();
                if (zooReaderWriter.exists(this.zkUserPath)) {
                    zooReaderWriter.recursiveDelete(this.zkUserPath, ZooUtil.NodeMissingPolicy.SKIP);
                    log.info("Removed " + this.zkUserPath + "/ from zookeeper");
                }
                byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
                zooReaderWriter.putPersistentData(this.zkUserPath, bytes, ZooUtil.NodeExistsPolicy.FAIL);
                createUserNodeInZk(Base64.encodeBase64String(bytes));
            }
        } catch (KeeperException | InterruptedException e) {
            log.error("Failed to initialize security", e);
            throw new RuntimeException((Throwable) e);
        }
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public boolean authenticateUser(String str, AuthenticationToken authenticationToken) throws AccumuloSecurityException {
        String rpcPrincipal = UGIAssumingProcessor.rpcPrincipal();
        if (!rpcPrincipal.equals(str)) {
            UserImpersonation.UsersWithHosts usersWithHosts = this.impersonation.get(rpcPrincipal);
            if (null == usersWithHosts) {
                throw new AccumuloSecurityException(str, SecurityErrorCode.AUTHENTICATOR_FAILED);
            }
            if (!usersWithHosts.getUsers().contains(str)) {
                throw new AccumuloSecurityException(str, SecurityErrorCode.AUTHENTICATOR_FAILED);
            }
            log.debug("Allowing impersonation of {} by {}", str, rpcPrincipal);
        }
        return (authenticationToken instanceof KerberosToken) || (authenticationToken instanceof DelegationTokenImpl);
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public Set<String> listUsers() throws AccumuloSecurityException {
        Set<String> listUsers = this.zkAuthenticator.listUsers();
        HashSet hashSet = new HashSet();
        Iterator<String> it = listUsers.iterator();
        while (it.hasNext()) {
            hashSet.add(new String(Base64.decodeBase64(it.next()), StandardCharsets.UTF_8));
        }
        return hashSet;
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public synchronized void createUser(String str, AuthenticationToken authenticationToken) throws AccumuloSecurityException {
        if (!(authenticationToken instanceof KerberosToken)) {
            throw new UnsupportedOperationException("Expected a KerberosToken but got a " + authenticationToken.getClass().getSimpleName());
        }
        try {
            createUserNodeInZk(Base64.encodeBase64String(str.getBytes(StandardCharsets.UTF_8)));
        } catch (InterruptedException e) {
            log.error("Interrupted trying to create node for user", e);
            throw new RuntimeException(e);
        } catch (KeeperException e2) {
            if (e2.code().equals(KeeperException.Code.NODEEXISTS)) {
                throw new AccumuloSecurityException(str, SecurityErrorCode.USER_EXISTS, e2);
            }
            log.error("Failed to create user in ZooKeeper", e2);
            throw new AccumuloSecurityException(str, SecurityErrorCode.CONNECTION_ERROR, e2);
        }
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public synchronized void dropUser(String str) throws AccumuloSecurityException {
        try {
            this.zkAuthenticator.dropUser(Base64.encodeBase64String(str.getBytes(StandardCharsets.UTF_8)));
        } catch (AccumuloSecurityException e) {
            throw new AccumuloSecurityException(str, e.asThriftException().getCode(), e.getCause());
        }
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public void changePassword(String str, AuthenticationToken authenticationToken) throws AccumuloSecurityException {
        throw new UnsupportedOperationException("Cannot change password with Kerberos authenticaton");
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public synchronized boolean userExists(String str) throws AccumuloSecurityException {
        return this.zkAuthenticator.userExists(Base64.encodeBase64String(str.getBytes(StandardCharsets.UTF_8)));
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public Set<Class<? extends AuthenticationToken>> getSupportedTokenTypes() {
        return SUPPORTED_TOKENS;
    }

    @Override // org.apache.accumulo.server.security.handler.Authenticator
    public boolean validTokenClass(String str) {
        return SUPPORTED_TOKEN_NAMES.contains(str);
    }
}
