package org.apache.flink.table.security.token;

import java.io.IOException;
import java.time.Clock;
import java.util.Optional;
import org.apache.flink.annotation.Internal;
import org.apache.flink.annotation.VisibleForTesting;
import org.apache.flink.core.security.token.DelegationTokenProvider;
import org.apache.flink.hive.shaded.util.HadoopUtils;
import org.apache.flink.runtime.hadoop.HadoopUserUtils;
import org.apache.flink.runtime.security.token.hadoop.HadoopDelegationTokenConverter;
import org.apache.flink.runtime.security.token.hadoop.KerberosLoginProvider;
import org.apache.flink.util.FlinkRuntimeException;
import org.apache.flink.util.Preconditions;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.ql.metadata.Hive;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Internal
/* loaded from: input_file:org/apache/flink/table/security/token/HiveServer2DelegationTokenProvider.class */
public class HiveServer2DelegationTokenProvider implements DelegationTokenProvider {
    private static final Logger LOG = LoggerFactory.getLogger(HiveServer2DelegationTokenProvider.class);
    Configuration hiveConf;
    private KerberosLoginProvider kerberosLoginProvider;
    private Long tokenRenewalInterval;

    public String serviceName() {
        return "HiveServer2";
    }

    public void init(org.apache.flink.configuration.Configuration configuration) throws Exception {
        this.hiveConf = getHiveConfiguration(configuration);
        this.kerberosLoginProvider = new KerberosLoginProvider(configuration);
    }

    private Configuration getHiveConfiguration(org.apache.flink.configuration.Configuration configuration) {
        try {
            this.hiveConf = new HiveConf(HadoopUtils.getHadoopConfiguration(configuration), HiveConf.class);
        } catch (Exception | NoClassDefFoundError e) {
            LOG.warn("Fail to create HiveServer2 Configuration", e);
        }
        return this.hiveConf;
    }

    public boolean delegationTokensRequired() throws Exception {
        if (this.hiveConf == null) {
            LOG.debug("HiveServer2 is not available (not packaged with this application), hence no hiveServer2 tokens will be acquired.");
            return false;
        }
        try {
            if (!HadoopUtils.isKerberosSecurityEnabled(UserGroupInformation.getCurrentUser())) {
                LOG.debug("Hadoop Kerberos is not enabled,hence no hiveServer2 tokens will be acquired.");
                return false;
            }
            if (this.hiveConf.getTrimmed("hive.metastore.uris", "").isEmpty()) {
                LOG.debug("The hive.metastore.uris item is empty,hence no hiveServer2 tokens will be acquired.");
                return false;
            }
            if (this.kerberosLoginProvider.isLoginPossible(false)) {
                return true;
            }
            LOG.debug("Login is NOT possible,hence no hiveServer2 tokens will be acquired.");
            return false;
        } catch (IOException e) {
            LOG.debug("Hadoop Kerberos is not enabled,hence no hiveServer2 tokens will be acquired.", e);
            return false;
        }
    }

    public DelegationTokenProvider.ObtainedDelegationTokens obtainDelegationTokens() throws Exception {
        return (DelegationTokenProvider.ObtainedDelegationTokens) this.kerberosLoginProvider.doLoginAndReturnUGI().doAs(() -> {
            Preconditions.checkNotNull(this.hiveConf);
            Hive hive = Hive.get((HiveConf) this.hiveConf);
            Clock systemDefaultZone = Clock.systemDefaultZone();
            try {
                try {
                    LOG.info("Obtaining Kerberos security token for HiveServer2");
                    String userName = UserGroupInformation.getCurrentUser().getUserName();
                    String delegationToken = hive.getDelegationToken(userName, userName);
                    Token token = new Token();
                    token.decodeFromUrlString(delegationToken);
                    Credentials credentials = new Credentials();
                    credentials.addToken(token.getKind(), token);
                    HiveServer2DelegationTokenIdentifier hiveServer2DelegationTokenIdentifier = (HiveServer2DelegationTokenIdentifier) token.decodeIdentifier();
                    if (this.tokenRenewalInterval == null) {
                        this.tokenRenewalInterval = getTokenRenewalInterval(systemDefaultZone, hiveServer2DelegationTokenIdentifier, hive, delegationToken);
                    }
                    DelegationTokenProvider.ObtainedDelegationTokens obtainedDelegationTokens = new DelegationTokenProvider.ObtainedDelegationTokens(HadoopDelegationTokenConverter.serialize(credentials), getTokenRenewalDate(systemDefaultZone, hiveServer2DelegationTokenIdentifier, this.tokenRenewalInterval));
                    Hive.closeCurrent();
                    return obtainedDelegationTokens;
                } catch (Exception e) {
                    LOG.error("Failed to obtain delegation token for {}", serviceName(), e);
                    throw new FlinkRuntimeException(e);
                }
            } catch (Throwable th) {
                Hive.closeCurrent();
                throw th;
            }
        });
    }

    @VisibleForTesting
    Long getTokenRenewalInterval(Clock clock, HiveServer2DelegationTokenIdentifier hiveServer2DelegationTokenIdentifier, Hive hive, String str) {
        LOG.debug("Got Delegation token is {} ", hiveServer2DelegationTokenIdentifier);
        long newExpiration = getNewExpiration(hive, str);
        String text = hiveServer2DelegationTokenIdentifier.getKind().toString();
        Long valueOf = Long.valueOf(newExpiration - HadoopUserUtils.getIssueDate(clock, text, hiveServer2DelegationTokenIdentifier));
        LOG.info("Renewal interval is {} for token {}", valueOf, text);
        return valueOf;
    }

    @VisibleForTesting
    long getNewExpiration(Hive hive, String str) {
        try {
            return hive.getMSC().renewDelegationToken(str);
        } catch (Exception e) {
            LOG.error("renew Delegation Token failed", e);
            throw new FlinkRuntimeException(e);
        }
    }

    @VisibleForTesting
    Optional<Long> getTokenRenewalDate(Clock clock, HiveServer2DelegationTokenIdentifier hiveServer2DelegationTokenIdentifier, Long l) {
        if (l.longValue() < 0) {
            LOG.debug("Negative renewal interval so no renewal date is calculated");
            return Optional.empty();
        }
        try {
            String text = hiveServer2DelegationTokenIdentifier.getKind().toString();
            long issueDate = HadoopUserUtils.getIssueDate(clock, text, hiveServer2DelegationTokenIdentifier) + l.longValue();
            LOG.debug("Renewal date is {} for token {}", Long.valueOf(issueDate), text);
            return Optional.of(Long.valueOf(issueDate));
        } catch (Exception e) {
            throw new FlinkRuntimeException(e);
        }
    }
}
