package org.apache.kylin.rest.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import java.io.File;
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.kylin.common.KapConfig;
import org.apache.kylin.common.KylinConfig;
import org.apache.kylin.common.Singletons;
import org.apache.kylin.common.exception.KylinException;
import org.apache.kylin.common.exception.ServerErrorCode;
import org.apache.kylin.common.msg.MsgPicker;
import org.apache.kylin.common.util.FileUtils;
import org.apache.kylin.metadata.model.NTableMetadataManager;
import org.apache.kylin.metadata.project.NProjectManager;
import org.apache.kylin.metadata.project.ProjectInstance;
import org.apache.kylin.source.SourceFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kylin/rest/security/KerberosLoginManager.class */
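/**
 * Resolves the Hadoop {@link UserGroupInformation} a project runs as and validates
 * project-level Kerberos credentials (principal + keytab).
 *
 * <p>Keytabs are long-lived credentials. This class materialises them as files under the
 * directory returned by {@link KapConfig#getKylinConfDirAtBestEffort()}, named after the
 * principal, so that directory and the principal values both matter for credential exposure.
 */
public class KerberosLoginManager {
    /** Suffix of the on-disk keytab written for a project principal. */
    public static final String KEYTAB_SUFFIX = ".keytab";
    /** Suffix of the temporary keytab that is validated before a project's Kerberos info is accepted. */
    public static final String TMP_KEYTAB_SUFFIX = "_tmp.keytab";
    private static final Logger logger = LoggerFactory.getLogger(KerberosLoginManager.class);

    /**
     * Returns the instance managed by {@link Singletons} for this class.
     *
     * @return the shared {@code KerberosLoginManager}
     */
    public static KerberosLoginManager getInstance() {
        return (KerberosLoginManager) Singletons.getInstance(KerberosLoginManager.class);
    }

    /**
     * Returns the UGI to use for the given project.
     *
     * <p>When the project has Kerberos enabled, a keytab login is attempted with the project's
     * principal. If anything in that path fails, the method falls back to the process login
     * user. That fallback changes the identity the project's work runs as, so the failure is
     * logged before falling back rather than discarded.
     *
     * @param str project name
     * @return the project's keytab-based UGI, or the process login user
     * @throws KylinException with {@link ServerErrorCode#INVALID_KERBEROS_FILE} when the
     *     fallback lookup of the login user fails as well; the cause is the first failure
     */
    public UserGroupInformation getProjectUGI(String str) {
        ProjectInstance project = NProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(str);
        String principal = project.getPrincipal();
        try {
            if (project.isProjectKerberosEnabled()) {
                return UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, wrapAndDownloadKeytab(str));
            }
            return UserGroupInformation.getLoginUser();
        } catch (Exception e) {
            // Make the identity fallback auditable: without this entry a Kerberos-enabled project
            // that cannot log in would run as the process login user with no trace in the logs.
            logger.warn("Resolve project UGI failed, fall back to the process login user. project {}, principal {}",
                    str, principal, e);
            try {
                return UserGroupInformation.getLoginUser();
            } catch (Exception e2) {
                logger.error("Fetch login user error. project {}, principal {}", new Object[]{str, principal, e2});
                throw new KylinException(ServerErrorCode.INVALID_KERBEROS_FILE, MsgPicker.getMsg().getKerberosInfoError(), e);
            }
        }
    }

    /**
     * Ensures the project's keytab exists as a local file and returns its path.
     *
     * <p>The path is {@code <kylin conf dir>/<principal>.keytab}. The file is written from the
     * project's stored keytab value only when no file exists at that path yet, so an existing
     * file is reused as-is and a keytab changed in project metadata is not picked up until the
     * file is removed.
     *
     * @param str project name
     * @return the local keytab path, or {@code null} when the project has Kerberos disabled
     * @throws Exception if writing the keytab file fails
     */
    private String wrapAndDownloadKeytab(String str) throws Exception {
        ProjectInstance project = NProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(str);
        String principal = project.getPrincipal();
        String keytab = project.getKeytab();
        if (!project.isProjectKerberosEnabled()) {
            return null;
        }
        // NOTE(review): the principal is used as a file name unchanged. Principals of the form
        // service/host@REALM, or values containing dot segments, would change the target path;
        // confirm the principal is validated where it is accepted.
        String keytabPath = new Path(KapConfig.getKylinConfDirAtBestEffort(), principal + KEYTAB_SUFFIX).toString();
        if (!new File(keytabPath).exists()) {
            // NOTE(review): presumably decodes the Base64 keytab value into keytabPath; confirm the
            // file is created readable by the service account only, since it is a credential.
            FileUtils.decoderBase64File(keytab, keytabPath);
        }
        return keytabPath;
    }

    /**
     * Verifies that a keytab login succeeds for the given principal.
     *
     * @param str Kerberos principal
     * @param str2 path of the keytab file
     * @throws KylinException with {@link ServerErrorCode#INVALID_KERBEROS_FILE} when the login fails
     */
    public void checkKerberosInfo(String str, String str2) {
        try {
            UserGroupInformation.loginUserFromKeytabAndReturnUGI(str, str2);
        } catch (Exception e) {
            throw new KylinException(ServerErrorCode.INVALID_KERBEROS_FILE, MsgPicker.getMsg().getKerberosInfoError(), e);
        }
    }

    /**
     * Validates a candidate principal/keytab pair for a project before it is accepted.
     *
     * <p>The candidate keytab is read from {@code <kylin conf dir>/<principal>_tmp.keytab}; this
     * method never writes that file, so the caller must have placed it there. The pair must
     * log in successfully and the resulting identity must be able to access every table the
     * project already uses. Nothing is replaced here.
     *
     * @param str project name
     * @param str2 candidate Kerberos principal
     * @throws KylinException with {@link ServerErrorCode#INVALID_KERBEROS_FILE} when the login
     *     fails, or {@link ServerErrorCode#PERMISSION_DENIED} when table access is missing
     * @throws IOException if the second keytab login fails
     */
    public void checkAndReplaceProjectKerberosInfo(String str, String str2) throws IOException {
        // NOTE(review): the principal becomes part of a file name here as well; confirm it is
        // validated by the caller and that the temporary keytab is removed when validation fails.
        String path = new Path(KapConfig.getKylinConfDirAtBestEffort(), str2 + TMP_KEYTAB_SUFFIX).toString();
        checkKerberosInfo(str2, path);
        // The login is performed a second time to obtain the UGI that the access check runs as.
        UserGroupInformation candidateUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(str2, path);
        if (!checkExistsTablesAccess(candidateUgi, str)) {
            throw new KylinException(ServerErrorCode.PERMISSION_DENIED, MsgPicker.getMsg().getProjectHivePermissionError());
        }
    }

    /**
     * Checks, running as the given UGI, whether all tables of the project are accessible.
     *
     * <p>Tables are grouped by source type and each source's metadata explorer is asked once
     * for its group. The result starts as {@code true}, so a project without tables passes.
     * After the first group that is denied, the remaining sources are no longer queried.
     *
     * @param userGroupInformation identity to run the access checks as
     * @param str project name
     * @return {@code true} when every group of tables is reported accessible
     */
    @VisibleForTesting
    boolean checkExistsTablesAccess(UserGroupInformation userGroupInformation, String str) {
        NProjectManager nProjectManager = NProjectManager.getInstance(KapConfig.getInstanceFromEnv().getKylinConfig());
        return ((Boolean) userGroupInformation.doAs(() -> {
            ProjectInstance project = nProjectManager.getProject(str);
            ImmutableSet<String> tables = project.getTables();
            // Accumulates the AND of all per-source results; mutable holder because it is set from a lambda.
            AtomicBoolean atomicBoolean = new AtomicBoolean(true);
            NTableMetadataManager nTableMetadataManager = NTableMetadataManager.getInstance(KylinConfig.getInstanceFromEnv(), str);
            Stream stream = tables.stream();
            // Result unused; this call only fails fast if the manager is null.
            nTableMetadataManager.getClass();
            ((Map) stream.map(nTableMetadataManager::getTableDesc).collect(Collectors.groupingBy((v0) -> {
                return v0.getSourceType();
            }))).forEach((num, list) -> {
                // The && short-circuits: once one source denied access, later sources are skipped.
                atomicBoolean.set(atomicBoolean.get() && SourceFactory.getSource(num.intValue(), project.mo215getConfig()).getSourceMetadataExplorer().checkTablesAccess((Set) list.stream().map((v0) -> {
                    return v0.getIdentity();
                }).collect(Collectors.toSet())));
            });
            return Boolean.valueOf(atomicBoolean.get());
        })).booleanValue();
    }
}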
