package org.apache.kylin.tool.kerberos;

import com.sun.jna.platform.win32.LMErr;
import java.io.IOException;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.security.InvalidParameterException;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenIdentifier;
import org.apache.hadoop.util.Shell;
import org.apache.kylin.common.KapConfig;
import org.apache.kylin.common.util.Unsafe;
import org.apache.kylin.engine.spark.utils.ThreadUtils;
import org.apache.kylin.guava30.shaded.common.base.Preconditions;
import org.apache.kylin.guava30.shaded.common.collect.Maps;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.xml.BeanDefinitionParserDelegate;
import org.springframework.util.ReflectionUtils;

/* loaded from: input_file:org/apache/kylin/tool/kerberos/DelegationTokenManager.class */
public class DelegationTokenManager {
    private String principal;
    private String keytab;
    private ScheduledExecutorService renewalExecutor;
    private final KapConfig kapConf;
    private static final String CONTEXT_NAME = "Client";
    private static final Configuration CONFIGURATION = new Configuration();
    private static final Logger logger = LoggerFactory.getLogger(DelegationTokenManager.class);

    public DelegationTokenManager() {
        this(KapConfig.getInstanceFromEnv());
    }

    public DelegationTokenManager(KapConfig kapConfig) {
        this.kapConf = kapConfig;
    }

    public void start() {
        if (Boolean.FALSE.equals(Boolean.valueOf(this.kapConf.isKerberosEnabled()))) {
            logger.info("Kerberos is not enabled.");
            return;
        }
        this.principal = this.kapConf.getKerberosPrincipal();
        this.keytab = this.kapConf.getKerberosKeytabPath();
        preCheck();
        this.renewalExecutor = ThreadUtils.newDaemonSingleThreadScheduledExecutor("Kylin Credential Renewal Thread");
        Runtime.getRuntime().addShutdownHook(new Thread(this::stop));
        tryLogin();
        scheduleTGTRenewal();
        scheduleTGTCacheRenewal();
    }

    private void tryLogin() {
        try {
            doLogin();
        } catch (IOException e) {
            long longValue = this.kapConf.getKerberosTGTRetryInterval().longValue();
            logger.error("Failed to login kerberos from principal: {}, keytab: {}, will try again in {} minutes. If this happens too often tasks will fail.", new Object[]{this.principal, this.keytab, Long.valueOf(longValue), e});
            this.renewalExecutor.schedule(this::tryLogin, Math.max(0L, longValue), TimeUnit.MINUTES);
        }
    }

    private void scheduleTGTRenewal() {
        Runnable runnable = () -> {
            try {
                updateCredentials();
            } catch (Exception e) {
                logger.error("Failed to update UGI credentials.", e);
            }
        };
        long longValue = this.kapConf.getKerberosTGTRenewalInterval().longValue();
        this.renewalExecutor.scheduleWithFixedDelay(runnable, longValue, longValue, TimeUnit.MINUTES);
    }

    private void scheduleTGTCacheRenewal() {
        Runnable runnable = () -> {
            try {
                doRenewTGTCache();
            } catch (IOException e) {
                logger.error("Failed to renew kerberos tgt cache at KRB5CCNAME.", e);
            }
        };
        long longValue = this.kapConf.getKerberosTicketRefreshInterval().longValue();
        this.renewalExecutor.scheduleWithFixedDelay(runnable, longValue, longValue, TimeUnit.MINUTES);
    }

    private void updateCredentials() throws IOException, NoSuchFieldException {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        currentUser.checkTGTAndReloginFromKeytab();
        Object fileSystemCache = getFileSystemCache();
        if (Objects.isNull(fileSystemCache)) {
            return;
        }
        Collection<Object> cacheKeys = getCacheKeys(fileSystemCache);
        Credentials credentials = currentUser.getCredentials();
        Collection<Token<? extends TokenIdentifier>> tokens = getTokens(credentials);
        Iterator<Object> it2 = cacheKeys.iterator();
        while (it2.hasNext()) {
            UserGroupInformation ugi = getUGI(it2.next());
            if (updatable(ugi, currentUser)) {
                try {
                    updateTokens(ugi, tokens);
                } catch (Exception e) {
                    logger.debug("Failed to update private tokens, hadoop version not supported.", e);
                }
                ugi.addCredentials(credentials);
            }
        }
    }

    private Collection<Token<? extends TokenIdentifier>> getTokens(Credentials credentials) {
        return (Collection) credentials.getAllTokens().stream().filter(token -> {
            return Objects.nonNull(token.getKind()) && Objects.nonNull(token.getService());
        }).collect(Collectors.collectingAndThen(Collectors.toList(), (v0) -> {
            return Collections.unmodifiableCollection(v0);
        }));
    }

    private Object getFileSystemCache() throws NoSuchFieldException {
        Field declaredField = FileSystem.class.getDeclaredField("CACHE");
        ReflectionUtils.makeAccessible(declaredField);
        return ReflectionUtils.getField(declaredField, null);
    }

    private Collection<Object> getCacheKeys(Object obj) throws NoSuchFieldException {
        Field declaredField = obj.getClass().getDeclaredField(BeanDefinitionParserDelegate.MAP_ELEMENT);
        ReflectionUtils.makeAccessible(declaredField);
        Map map = (Map) ReflectionUtils.getField(declaredField, obj);
        return (Objects.isNull(map) || map.isEmpty()) ? Collections.emptyList() : Collections.unmodifiableSet(map.keySet());
    }

    private UserGroupInformation getUGI(Object obj) throws NoSuchFieldException {
        Field declaredField = obj.getClass().getDeclaredField("ugi");
        ReflectionUtils.makeAccessible(declaredField);
        return (UserGroupInformation) ReflectionUtils.getField(declaredField, obj);
    }

    private boolean updatable(UserGroupInformation userGroupInformation, UserGroupInformation userGroupInformation2) {
        if (Objects.isNull(userGroupInformation) || Objects.equals(userGroupInformation, userGroupInformation2) || !Objects.equals(userGroupInformation.getUserName(), userGroupInformation2.getUserName())) {
            return false;
        }
        return getTokens(userGroupInformation2.getCredentials()).stream().anyMatch(token -> {
            return getDelegationTokenIdentifier(token).map((v0) -> {
                return v0.getSequenceNumber();
            }).filter(num -> {
                return getTokens(userGroupInformation.getCredentials()).stream().filter(token -> {
                    return Objects.equals(token.getKind(), token.getKind()) && Objects.equals(token.getService(), token.getService());
                }).anyMatch(token2 -> {
                    return getDelegationTokenIdentifier(token2).map((v0) -> {
                        return v0.getSequenceNumber();
                    }).filter(num -> {
                        return num.intValue() < num.intValue();
                    }).isPresent();
                });
            }).isPresent();
        });
    }

    private Optional<AbstractDelegationTokenIdentifier> getDelegationTokenIdentifier(Token<? extends TokenIdentifier> token) {
        try {
            AbstractDelegationTokenIdentifier decodeIdentifier = token.decodeIdentifier();
            if (decodeIdentifier instanceof AbstractDelegationTokenIdentifier) {
                return Optional.of(decodeIdentifier);
            }
        } catch (IOException e) {
            logger.debug("Failed to decode token {}", token, e);
        }
        return Optional.empty();
    }

    private void updateTokens(UserGroupInformation userGroupInformation, Collection<Token<? extends TokenIdentifier>> collection) throws NoSuchMethodException, NoSuchFieldException {
        Credentials credentialsInternal = getCredentialsInternal(userGroupInformation);
        if (Objects.isNull(credentialsInternal)) {
            return;
        }
        Map<Text, Token<? extends TokenIdentifier>> tokenMapInternal = getTokenMapInternal(credentialsInternal);
        collection.forEach(token -> {
            updateTokensInternal(token, userGroupInformation, tokenMapInternal);
        });
    }

    private void updateTokensInternal(Token<? extends TokenIdentifier> token, UserGroupInformation userGroupInformation, Map<Text, Token<? extends TokenIdentifier>> map) {
        getDelegationTokenIdentifier(token).map((v0) -> {
            return v0.getSequenceNumber();
        }).ifPresent(num -> {
            map.forEach((text, token2) -> {
                if (Objects.equals(token.getKind(), token2.getKind())) {
                    getDelegationTokenIdentifier(token2).map((v0) -> {
                        return v0.getSequenceNumber();
                    }).ifPresent(num -> {
                        if (num.intValue() >= num.intValue() || !isPrivateCloneOf(token2, token.getService())) {
                            return;
                        }
                        privateClone(token, token2.getService()).ifPresent(token2 -> {
                            userGroupInformation.addToken(text, token2);
                        });
                    });
                }
            });
        });
    }

    private boolean isPrivateCloneOf(Token<? extends TokenIdentifier> token, Text text) {
        try {
            Method declaredMethod = token.getClass().getDeclaredMethod("isPrivateCloneOf", new Class[0]);
            ReflectionUtils.makeAccessible(declaredMethod);
            Object invokeMethod = ReflectionUtils.invokeMethod(declaredMethod, token, text);
            if (Objects.isNull(invokeMethod)) {
                return false;
            }
            return ((Boolean) invokeMethod).booleanValue();
        } catch (NoSuchMethodException e) {
            logger.debug("Failed to get method 'isPrivateCloneOf', hadoop version not supported (since 2.8.2).");
            return false;
        }
    }

    private Optional<Token<? extends TokenIdentifier>> privateClone(Token<? extends TokenIdentifier> token, Text text) {
        try {
            Method declaredMethod = token.getClass().getDeclaredMethod("privateClone", new Class[0]);
            ReflectionUtils.makeAccessible(declaredMethod);
            Object invokeMethod = ReflectionUtils.invokeMethod(declaredMethod, token, text);
            return Objects.isNull(invokeMethod) ? Optional.empty() : Optional.of((Token) invokeMethod);
        } catch (NoSuchMethodException e) {
            logger.debug("Failed to get method 'privateClone', hadoop version not supported (since 2.8.2).");
            return Optional.empty();
        }
    }

    private Credentials getCredentialsInternal(UserGroupInformation userGroupInformation) throws NoSuchMethodException {
        Method declaredMethod = UserGroupInformation.class.getDeclaredMethod("getCredentialsInternal", new Class[0]);
        ReflectionUtils.makeAccessible(declaredMethod);
        return (Credentials) ReflectionUtils.invokeMethod(declaredMethod, userGroupInformation);
    }

    private Map<Text, Token<? extends TokenIdentifier>> getTokenMapInternal(Credentials credentials) throws NoSuchFieldException {
        Field declaredField = Credentials.class.getDeclaredField("tokenMap");
        ReflectionUtils.makeAccessible(declaredField);
        Map map = (Map) ReflectionUtils.getField(declaredField, credentials);
        return Objects.isNull(map) ? Collections.emptyMap() : Collections.unmodifiableMap(Maps.newHashMap(map));
    }

    private void doRenewTGTCache() throws IOException {
        logger.info("Prepare credential cache by 'kinit -kt {} {}' at KRB5CCNAME: {}", new Object[]{this.keytab, this.principal, System.getenv("KRB5CCNAME")});
        Shell.execCommand(new String[]{"kinit", "-kt", this.keytab, this.principal});
    }

    private void doLogin() throws IOException {
        doRenewTGTCache();
        logger.info("Login kerberos from principal: {}, keytab: {}.", this.principal, this.keytab);
        String kerberosPlatform = this.kapConf.getKerberosPlatform();
        boolean z = -1;
        switch (kerberosPlatform.hashCode()) {
            case LMErr.NERR_PasswordCantChange /* 2243 */:
                if (kerberosPlatform.equals(KapConfig.FI_PLATFORM)) {
                    z = true;
                    break;
                }
                break;
            case 82904:
                if (kerberosPlatform.equals(KapConfig.TDH_PLATFORM)) {
                    z = 2;
                    break;
                }
                break;
            case 1377272541:
                if (kerberosPlatform.equals("Standard")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                loginStandardPlatform();
                return;
            case true:
            case true:
                loginNonStandardPlatform();
                return;
            default:
                throw new InvalidParameterException("Unknown platform: " + kerberosPlatform + ", please check 'kylin.kerberos.platform'.");
        }
    }

    private void loginNonStandardPlatform() throws IOException {
        Unsafe.setProperty("zookeeper.sasl.client", "true");
        Unsafe.setProperty("java.security.auth.login.config", this.kapConf.getKerberosJaasConfPath());
        Unsafe.setProperty("java.security.krb5.conf", this.kapConf.getKerberosKrb5ConfPath());
        KerberosLoginUtil.setJaasConf("Client", this.principal, this.keytab);
        KerberosLoginUtil.setZookeeperServerPrincipal(this.kapConf.getKerberosZKPrincipal());
        KerberosLoginUtil.login(this.principal, this.keytab, this.kapConf.getKerberosKrb5ConfPath(), CONFIGURATION);
    }

    private void loginStandardPlatform() throws IOException {
        UserGroupInformation.loginUserFromKeytab(this.principal, this.keytab);
        logger.info("Login kerberos success.");
    }

    private void preCheck() {
        Preconditions.checkState(KerberosLoginUtil.checkKeyTabIsExist(this.keytab), "The key tab is not exist : %s", this.keytab);
        Preconditions.checkState(KerberosLoginUtil.checkKeyTabIsValid(this.keytab), "The key tab is invalid : %s", this.keytab);
    }

    private void stop() {
        if (this.renewalExecutor != null) {
            this.renewalExecutor.shutdownNow();
        }
    }
}
