package org.apache.kyuubi.client.auth;

import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.Subject;
import org.apache.kyuubi.client.exception.KyuubiRestException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kyuubi/client/auth/SpnegoAuthHeaderGenerator.class */
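/**
 * Builds an HTTP authorization header value for SPNEGO (Kerberos) authentication.
 *
 * <p>The header value is {@code "NEGOTIATE "} followed by the Base64 encoding of the first GSS-API
 * token produced for the service principal {@code HTTP@<spnegoHost>}. The token is created while
 * running as the {@link Subject} held by the current Hadoop {@code UserGroupInformation}, which is
 * looked up reflectively so that Hadoop is not a compile-time dependency of this class.
 *
 * <p>Security notes for reviewers:
 *
 * <ul>
 *   <li>Credential delegation is requested unconditionally, so the target service may receive a
 *       forwardable credential for the current user. {@code spnegoHost} should therefore come only
 *       from trusted configuration, never from request data or a redirect.
 *   <li>Mutual authentication is requested, but only the initial token is generated and the
 *       context is disposed right after. The server's reply token is never processed here, so this
 *       class alone does not prove the server's identity.
 * </ul>
 */
public class SpnegoAuthHeaderGenerator implements AuthHeaderGenerator {
    private static final Logger LOG = LoggerFactory.getLogger(SpnegoAuthHeaderGenerator.class);
    private static final String UGI_CLASS = "org.apache.hadoop.security.UserGroupInformation";
    private final String spnegoHost;

    /**
     * @param str host name of the SPNEGO-protected service; it becomes the host part of the
     *     {@code HTTP@host} service name the token is issued for
     */
    public SpnegoAuthHeaderGenerator(String str) {
        this.spnegoHost = str;
    }

    /**
     * Generates the authorization header value for the configured host.
     *
     * @return {@code "NEGOTIATE "} followed by the Base64-encoded initial GSS token
     * @throws KyuubiRestException if the token cannot be generated; a {@code KyuubiRestException}
     *     raised further down is rethrown unchanged, any other failure is wrapped with its cause
     */
    @Override // org.apache.kyuubi.client.auth.AuthHeaderGenerator
    public String generateAuthHeader() {
        try {
            return "NEGOTIATE " + generateToken(this.spnegoHost);
        } catch (KyuubiRestException e) {
            throw e;
        } catch (Exception e) {
            throw new KyuubiRestException("Failed to generate spnego auth header for " + this.spnegoHost, e);
        }
    }

    /**
     * Resolves the current Hadoop user reflectively and generates the token as that user's Subject.
     *
     * @param host host name of the target service
     * @return the Base64-encoded initial GSS token
     * @throws Exception if the Hadoop UGI class is missing, the reflective access fails, or token
     *     generation fails inside the privileged action
     */
    private String generateToken(String host) throws Exception {
        try {
            Object currentUser = Class.forName(UGI_CLASS).getDeclaredMethod("getCurrentUser").invoke(null);
            // Logs the string form of the UGI object only; the Subject and its tickets are not logged.
            LOG.debug("The user credential is {}", currentUser);
            // The Subject is read from a non-public field, so this depends on Hadoop's internal
            // layout and on reflective access to that field being permitted at runtime.
            Field subjectField = currentUser.getClass().getDeclaredField("subject");
            subjectField.setAccessible(true);
            Subject subject = (Subject) subjectField.get(currentUser);
            // The explicit target type selects the PrivilegedExceptionAction overload of doAs; a bare
            // lambda matches both overloads, and the action throws the checked GSSException.
            java.security.PrivilegedExceptionAction<String> action = () -> doGenerateToken(host);
            return Subject.doAs(subject, action);
        } catch (ClassNotFoundException e) {
            LOG.error("Hadoop UGI class {} is required for SPNEGO authentication.", UGI_CLASS);
            throw e;
        }
    }

    /**
     * Creates the initial GSS-API token for {@code HTTP@host} using the default mechanism and the
     * default credential of the calling Subject.
     *
     * @param host host name of the target service
     * @return the Base64-encoded token
     * @throws GSSException if the name or context cannot be created, or no initial token is produced
     */
    private String doGenerateToken(String host) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName serviceName = manager.createName("HTTP@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext context =
                manager.createContext(serviceName.canonicalize((Oid) null), (Oid) null, (GSSCredential) null, 0);
        byte[] token;
        try {
            context.requestMutualAuth(true);
            // NOTE(review): delegation hands the service a credential usable on the user's behalf.
            // Confirm every configured host actually needs it and is trusted to hold it.
            context.requestCredDeleg(true);
            byte[] empty = new byte[0];
            token = context.initSecContext(empty, 0, empty.length);
        } finally {
            // Release the context even when negotiation fails; the original skipped dispose() on error.
            context.dispose();
        }
        if (token == null) {
            // Fail with a GSS error instead of a NullPointerException from the Base64 encoder.
            throw new GSSException(GSSException.FAILURE, 0, "No initial SPNEGO token was produced for " + serviceName);
        }
        LOG.debug("Got valid challenge for host {}", serviceName);
        return Base64.getEncoder().encodeToString(token);
    }
}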
