package org.apache.druid.security.kerberos;

import com.google.common.base.Strings;
import java.io.IOException;
import java.net.CookieStore;
import java.net.HttpCookie;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.druid.java.util.common.ISE;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/apache/druid/security/kerberos/DruidKerberosUtil.class */
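/**
 * Static helpers for the client side of Kerberos authentication: building the initial
 * GSS-API token for a service, logging in from a keytab, and locating the authentication
 * cookie in a {@link CookieStore}.
 */
public class DruidKerberosUtil {
    private static final Logger log = new Logger(DruidKerberosUtil.class);

    /** Name of the cookie that this class treats as the authentication cookie. */
    private static final String AUTH_COOKIE_NAME = "hadoop.auth";

    /** Fair lock that serializes GSS context establishment across threads. */
    private static final ReentrantLock kerberosLock = new ReentrantLock(true);

    /**
     * Creates the initial Kerberos v5 GSS-API token for the host-based service
     * {@code HTTP@<str>} and returns it Base64-encoded.
     *
     * <p>The context is created with a {@code null} credential, so the default initiator
     * credentials are used. Mutual authentication and credential delegation are both
     * requested.
     *
     * <p>NOTE(review): {@code str} becomes the host part of the service principal name.
     * It should be the host the caller is actually connecting to and should come from
     * trusted configuration, not from data a remote party controls.
     *
     * @param str host name of the target service
     * @return the Base64-encoded initial token, as an ASCII string
     * @throws AuthenticationException if the mechanism OID cannot be resolved or GSS-API
     *     fails to establish the context
     */
    public static String kerberosChallenge(String str) throws AuthenticationException {
        kerberosLock.lock();
        try {
            Oid mechanism = KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID");
            GSSManager manager = GSSManager.getInstance();
            GSSName serviceName = manager.createName("HTTP@" + str, GSSName.NT_HOSTBASED_SERVICE);
            GSSContext context = manager.createContext(
                    serviceName.canonicalize(mechanism),
                    mechanism,
                    (GSSCredential) null,
                    GSSContext.DEFAULT_LIFETIME);

            byte[] token;
            try {
                context.requestMutualAuth(true);
                // NOTE(review): delegation is requested for every target. Where the KDC
                // allows it, the service receives credentials it can use on behalf of this
                // principal, so every host passed in must be trusted to that degree.
                // Consider making this configurable if some targets do not need it.
                context.requestCredDeleg(true);
                byte[] noInput = new byte[0];
                token = context.initSecContext(noInput, 0, noInput.length);
            } catch (GSSException | RuntimeException e) {
                // Release the context on the failure path too; otherwise it is never disposed.
                disposeAfterFailure(context, e);
                throw e;
            }
            context.dispose();
            return new String(StringUtils.encodeBase64(token), StandardCharsets.US_ASCII);
        } catch (GSSException | ClassNotFoundException | IllegalAccessException | NoSuchFieldException e) {
            throw new AuthenticationException(e);
        } finally {
            kerberosLock.unlock();
        }
    }

    /**
     * Disposes {@code context} after {@code failure} occurred, recording a disposal error as
     * a suppressed exception so that the original failure stays the one reported.
     */
    private static void disposeAfterFailure(GSSContext context, Throwable failure) {
        try {
            context.dispose();
        } catch (GSSException disposeFailure) {
            failure.addSuppressed(disposeFailure);
        }
    }

    /**
     * Logs in, or refreshes the login of, the given principal.
     *
     * <p>If the current user has no Kerberos credentials or is a different user, a keytab
     * login is performed. Otherwise the existing login is refreshed from the keytab or the
     * ticket cache, depending on how it was obtained.
     *
     * <p>The method returns without doing anything when either argument is null or empty.
     * A missing principal or keytab setting therefore skips authentication silently rather
     * than failing.
     *
     * <p>The principal name and the keytab path (not its contents) are written to the log
     * at info level.
     *
     * @param str the principal to authenticate
     * @param str2 path of the keytab file for that principal
     * @throws ISE if the login or re-login fails with an {@link IOException}
     */
    public static void authenticateIfRequired(String str, String str2) {
        if (Strings.isNullOrEmpty(str) || Strings.isNullOrEmpty(str2)) {
            return;
        }
        Configuration hadoopConf = new Configuration();
        hadoopConf.setClassLoader(DruidKerberosModule.class.getClassLoader());
        hadoopConf.set("hadoop.security.authentication", "kerberos");
        // NOTE(review): setConfiguration is a static call made without holding kerberosLock;
        // confirm that concurrent callers cannot interleave here.
        UserGroupInformation.setConfiguration(hadoopConf);
        try {
            UserGroupInformation current = UserGroupInformation.getCurrentUser();
            boolean loggedInAsPrincipal = current.hasKerberosCredentials()
                    && UserGroupInformation.getCurrentUser().getUserName().equals(str);
            if (!loggedInAsPrincipal) {
                log.info("trying to authenticate user [%s] with keytab [%s]", str, str2);
                UserGroupInformation.loginUserFromKeytab(str, str2);
            } else if (UserGroupInformation.isLoginKeytabBased()) {
                log.info("Re-Login from key tab [%s] with principal [%s]", str2, str);
                UserGroupInformation.getLoginUser().checkTGTAndReloginFromKeytab();
            } else if (UserGroupInformation.isLoginTicketBased()) {
                log.info("Re-Login from Ticket cache");
                UserGroupInformation.getLoginUser().reloginFromTicketCache();
            }
        } catch (IOException e) {
            throw new ISE(e, "Failed to authenticate user principal [%s] with keytab [%s]", str, str2);
        }
    }

    /**
     * Reports whether credentials must be sent, which is the case when no usable
     * authentication cookie exists for {@code uri}.
     *
     * @param cookieStore the store to search; may be null
     * @param uri the request URI
     * @return {@code true} if {@link #getAuthCookie} finds no cookie
     */
    public static boolean needToSendCredentials(CookieStore cookieStore, URI uri) {
        return getAuthCookie(cookieStore, uri) == null;
    }

    /**
     * Finds the authentication cookie that may be sent to {@code uri}.
     *
     * <p>A cookie flagged {@code Secure} is only returned for an {@code https} URI, so it is
     * never selected for a plain-text request. A cookie without the flag is returned for any
     * scheme.
     *
     * @param cookieStore the store to search; may be null
     * @param uri the request URI
     * @return the matching cookie, or {@code null} if the store is null or holds no match
     */
    public static HttpCookie getAuthCookie(CookieStore cookieStore, URI uri) {
        if (cookieStore == null) {
            return null;
        }
        // URI schemes are case-insensitive, so "HTTPS" must count as a secure channel too.
        boolean secureChannel = "https".equalsIgnoreCase(uri.getScheme());
        for (HttpCookie candidate : cookieStore.get(uri)) {
            if (candidate.getSecure() && !secureChannel) {
                continue;
            }
            if (AUTH_COOKIE_NAME.equals(candidate.getName())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Removes the authentication cookie for {@code uri} from the store, if one is found.
     *
     * @param cookieStore the store to modify; may be null
     * @param uri the request URI
     */
    public static void removeAuthCookie(CookieStore cookieStore, URI uri) {
        HttpCookie existing = getAuthCookie(cookieStore, uri);
        if (existing != null) {
            cookieStore.remove(uri, existing);
        }
    }
}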
