package org.apache.nifi.accumulo.controllerservices;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import org.apache.accumulo.core.client.Accumulo;
import org.apache.accumulo.core.client.AccumuloClient;
import org.apache.accumulo.core.client.security.tokens.KerberosToken;
import org.apache.accumulo.core.client.security.tokens.PasswordToken;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.nifi.annotation.behavior.RequiresInstanceClassLoading;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnDisabled;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.controller.AbstractControllerService;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.controller.ControllerServiceInitializationContext;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.hadoop.SecurityUtil;
import org.apache.nifi.kerberos.KerberosCredentialsService;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.reporting.InitializationException;
import org.apache.nifi.security.krb.KerberosKeytabUser;
import org.apache.nifi.security.krb.KerberosPasswordUser;
import org.apache.nifi.security.krb.KerberosUser;

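/**
 * Controller service that builds and hands out a shared {@link AccumuloClient}.
 *
 * <p>Two authentication modes are supported: user + password, and Kerberos (either principal +
 * password, or principal + keytab supplied by a {@link KerberosCredentialsService}). The client is
 * created when the service is enabled and closed when it is disabled.
 *
 * <p>Security-relevant points for operators and reviewers:
 * <ul>
 *   <li>Both password properties are marked sensitive; their values must never be logged or put
 *       into validation explanations.</li>
 *   <li>In Kerberos mode the SASL quality of protection is configurable; only {@code auth-conf}
 *       (the default) encrypts traffic, see {@link #ACCUMULO_SASL_QOP}.</li>
 *   <li>Kerberos mode calls {@link UserGroupInformation#setConfiguration(Configuration)}, which
 *       sets static Hadoop state; the class is annotated {@code @RequiresInstanceClassLoading},
 *       presumably so that this state is not shared with other components. TODO confirm.</li>
 * </ul>
 */
@CapabilityDescription("A controller service for accessing an Accumulo Client.")
@Tags({"accumulo", "client", "service"})
@RequiresInstanceClassLoading
public class AccumuloService extends AbstractControllerService implements BaseAccumuloService {

    protected static final PropertyDescriptor ZOOKEEPER_QUORUM = new PropertyDescriptor.Builder()
            .name("ZooKeeper Quorum")
            .displayName("ZooKeeper Quorum")
            .description("Comma-separated list of ZooKeeper hosts for Accumulo.")
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
            .build();

    protected static final PropertyDescriptor INSTANCE_NAME = new PropertyDescriptor.Builder()
            .name("Instance Name")
            .displayName("Instance Name")
            .description("Instance name of the Accumulo cluster")
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
            .build();

    protected static final PropertyDescriptor AUTHENTICATION_TYPE = new PropertyDescriptor.Builder()
            .name("accumulo-authentication-type")
            .displayName("Authentication Type")
            .description("Authentication Type")
            .allowableValues(AuthenticationType.values())
            .defaultValue(AuthenticationType.PASSWORD.toString())
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .build();

    protected static final PropertyDescriptor ACCUMULO_USER = new PropertyDescriptor.Builder()
            .name("Accumulo User")
            .displayName("Accumulo User")
            .description("Connecting user for Accumulo")
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
            .dependsOn(AUTHENTICATION_TYPE, AuthenticationType.PASSWORD.toString())
            .build();

    // Sensitive: the value is a credential and must not be logged or echoed in error messages.
    protected static final PropertyDescriptor ACCUMULO_PASSWORD = new PropertyDescriptor.Builder()
            .name("Accumulo Password")
            .displayName("Accumulo Password")
            .description("Connecting user's password")
            .sensitive(true)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
            .dependsOn(AUTHENTICATION_TYPE, AuthenticationType.PASSWORD.toString())
            .build();

    protected static final PropertyDescriptor KERBEROS_CREDENTIALS_SERVICE = new PropertyDescriptor.Builder()
            .name("kerberos-credentials-service")
            .displayName("Kerberos Credentials Service")
            .description("Specifies the Kerberos Credentials Controller Service that should be used for principal + keytab Kerberos authentication")
            .identifiesControllerService(KerberosCredentialsService.class)
            .dependsOn(AUTHENTICATION_TYPE, AuthenticationType.KERBEROS.toString())
            .build();

    protected static final PropertyDescriptor KERBEROS_PRINCIPAL = new PropertyDescriptor.Builder()
            .name("kerberos-principal")
            .displayName("Kerberos Principal")
            .description("Kerberos Principal")
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
            .dependsOn(AUTHENTICATION_TYPE, AuthenticationType.KERBEROS.toString())
            .build();

    // Sensitive: the value is a credential and must not be logged or echoed in error messages.
    protected static final PropertyDescriptor KERBEROS_PASSWORD = new PropertyDescriptor.Builder()
            .name("kerberos-password")
            .displayName("Kerberos Password")
            .description("Kerberos Password")
            .sensitive(true)
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY)
            .dependsOn(AUTHENTICATION_TYPE, AuthenticationType.KERBEROS.toString())
            .build();

    /**
     * SASL quality of protection used in Kerberos mode. In SASL terms {@code auth} only
     * authenticates the peers, {@code auth-int} adds integrity protection and {@code auth-conf}
     * adds confidentiality (encryption) on top of that. The default is the strongest setting;
     * lowering it leaves table data readable on the wire.
     */
    protected static final PropertyDescriptor ACCUMULO_SASL_QOP = new PropertyDescriptor.Builder()
            .name("accumulo-sasl-qop")
            .displayName("Accumulo SASL quality of protection")
            .description("Accumulo SASL quality of protection for KERBEROS Authentication type")
            .allowableValues("auth", "auth-int", "auth-conf")
            .defaultValue("auth-conf")
            .addValidator(StandardValidators.NON_EMPTY_VALIDATOR)
            .dependsOn(AUTHENTICATION_TYPE, AuthenticationType.KERBEROS.toString())
            .build();

    // Client created in onEnabled(); null while the service is disabled.
    AccumuloClient client;
    private List<PropertyDescriptor> properties;
    // Only set in Kerberos mode; holds the principal's password or keytab reference.
    private KerberosUser kerberosUser;
    // Authentication mode chosen at enable time; null while the service is disabled.
    private AuthenticationType authType;

    /** Authentication modes selectable through {@link #AUTHENTICATION_TYPE}. */
    private enum AuthenticationType {
        PASSWORD,
        KERBEROS,
        NONE
    }

    /**
     * Builds the immutable list of properties this service exposes.
     *
     * @param controllerServiceInitializationContext initialization context (unused)
     */
    @Override
    protected void init(ControllerServiceInitializationContext controllerServiceInitializationContext) {
        final List<PropertyDescriptor> descriptors = new ArrayList<>();
        descriptors.add(ZOOKEEPER_QUORUM);
        descriptors.add(INSTANCE_NAME);
        descriptors.add(AUTHENTICATION_TYPE);
        descriptors.add(ACCUMULO_USER);
        descriptors.add(ACCUMULO_PASSWORD);
        descriptors.add(KERBEROS_CREDENTIALS_SERVICE);
        descriptors.add(KERBEROS_PRINCIPAL);
        descriptors.add(KERBEROS_PASSWORD);
        descriptors.add(ACCUMULO_SASL_QOP);
        this.properties = Collections.unmodifiableList(descriptors);
    }

    /**
     * @return the unmodifiable property list built by {@link #init}
     */
    @Override
    public final List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return this.properties;
    }

    /**
     * Checks that the connection settings are present and that exactly one consistent set of
     * credentials is configured for the selected authentication type.
     *
     * <p>Explanations name the offending property only; credential values are never included.
     *
     * @param validationContext the configuration being validated
     * @return one invalid {@link ValidationResult} per problem found, empty when valid
     */
    @Override
    protected Collection<ValidationResult> customValidate(ValidationContext validationContext) {
        final List<ValidationResult> problems = new ArrayList<>();

        if (!validationContext.getProperty(INSTANCE_NAME).isSet()) {
            problems.add(invalid(INSTANCE_NAME, "Instance name must be supplied"));
        }
        if (!validationContext.getProperty(ZOOKEEPER_QUORUM).isSet()) {
            problems.add(invalid(ZOOKEEPER_QUORUM, "Zookeepers must be supplied"));
        }

        final AuthenticationType type = validationContext.getProperty(AUTHENTICATION_TYPE).isSet()
                ? AuthenticationType.valueOf(validationContext.getProperty(AUTHENTICATION_TYPE).getValue())
                : AuthenticationType.NONE;

        switch (type) {
            case PASSWORD:
                if (!validationContext.getProperty(ACCUMULO_USER).isSet()) {
                    problems.add(invalid(ACCUMULO_USER, "Accumulo user must be supplied for the Password Authentication type"));
                }
                if (!validationContext.getProperty(ACCUMULO_PASSWORD).isSet()) {
                    problems.add(invalid(ACCUMULO_PASSWORD, "Password must be supplied for the Password Authentication type"));
                }
                break;
            case KERBEROS: {
                final boolean hasCredentialsService = validationContext.getProperty(KERBEROS_CREDENTIALS_SERVICE).isSet();
                final boolean hasPassword = validationContext.getProperty(KERBEROS_PASSWORD).isSet();
                final boolean hasPrincipal = validationContext.getProperty(KERBEROS_PRINCIPAL).isSet();

                // Exactly one credential source is allowed: keytab service XOR principal + password.
                if (!hasCredentialsService && !hasPassword) {
                    problems.add(invalid(AUTHENTICATION_TYPE, "Either Kerberos Password or Kerberos Credential Service must be set"));
                } else if (hasCredentialsService && hasPassword) {
                    problems.add(invalid(AUTHENTICATION_TYPE, "Kerberos Password and Kerberos Credential Service should not be filled out at the same time"));
                } else if (hasPassword && !hasPrincipal) {
                    problems.add(invalid(KERBEROS_PRINCIPAL, "Kerberos Principal must be supplied when principal + password Kerberos authentication is used"));
                } else if (hasCredentialsService && hasPrincipal) {
                    // The keytab service carries its own principal; a second one would be ambiguous.
                    problems.add(invalid(KERBEROS_PRINCIPAL, "Kerberos Principal (for password) should not be filled out when principal + keytab Kerberos authentication is used"));
                }
                break;
            }
            default:
                problems.add(invalid(AUTHENTICATION_TYPE, "Non supported Authentication type"));
                break;
        }
        return problems;
    }

    /** Builds an invalid result whose subject is the given property's name. */
    private static ValidationResult invalid(PropertyDescriptor subject, String explanation) {
        return new ValidationResult.Builder()
                .valid(false)
                .subject(subject.getName())
                .explanation(explanation)
                .build();
    }

    /**
     * Creates the Accumulo client for the configured authentication type.
     *
     * @param configurationContext the enabled configuration
     * @throws InitializationException if the instance name or ZooKeeper quorum is missing, or the
     *         authentication type is not supported
     * @throws IOException propagated from the Kerberos login / {@code doAs} call
     * @throws InterruptedException propagated from the {@code doAs} call
     */
    @OnEnabled
    public void onEnabled(ConfigurationContext configurationContext) throws InitializationException, IOException, InterruptedException {
        if (!configurationContext.getProperty(INSTANCE_NAME).isSet() || !configurationContext.getProperty(ZOOKEEPER_QUORUM).isSet()) {
            throw new InitializationException("Instance name and Zookeeper Quorum must be specified");
        }

        final KerberosCredentialsService credentialsService =
                configurationContext.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
        final String instanceName = configurationContext.getProperty(INSTANCE_NAME).evaluateAttributeExpressions().getValue();
        final String zookeepers = configurationContext.getProperty(ZOOKEEPER_QUORUM).evaluateAttributeExpressions().getValue();
        this.authType = AuthenticationType.valueOf(configurationContext.getProperty(AUTHENTICATION_TYPE).getValue());

        final Properties clientProperties = new Properties();
        clientProperties.setProperty("instance.zookeepers", zookeepers);
        clientProperties.setProperty("instance.name", instanceName);

        switch (this.authType) {
            case PASSWORD: {
                final String user = configurationContext.getProperty(ACCUMULO_USER).evaluateAttributeExpressions().getValue();
                // The password property declares expression-language support, so it is evaluated
                // like the user name; previously the raw, unevaluated text was sent as the password.
                final String password = configurationContext.getProperty(ACCUMULO_PASSWORD).evaluateAttributeExpressions().getValue();
                this.client = Accumulo.newClient()
                        .from(clientProperties)
                        .as(user, new PasswordToken(password))
                        .build();
                return;
            }
            case KERBEROS: {
                final String principal;
                if (credentialsService == null) {
                    // Principal + password: both properties declare expression-language support.
                    principal = configurationContext.getProperty(KERBEROS_PRINCIPAL).evaluateAttributeExpressions().getValue();
                    final String password = configurationContext.getProperty(KERBEROS_PASSWORD).evaluateAttributeExpressions().getValue();
                    this.kerberosUser = new KerberosPasswordUser(principal, password);
                } else {
                    // Principal + keytab: both come from the credentials service.
                    principal = credentialsService.getPrincipal();
                    this.kerberosUser = new KerberosKeytabUser(principal, credentialsService.getKeytab());
                }

                clientProperties.setProperty("sasl.enabled", "true");
                // Only "auth-conf" encrypts the connection; see ACCUMULO_SASL_QOP.
                clientProperties.setProperty("sasl.qop", configurationContext.getProperty(ACCUMULO_SASL_QOP).getValue());

                final Configuration hadoopConfiguration = new Configuration();
                hadoopConfiguration.set("hadoop.security.authentication", "kerberos");
                // Static Hadoop security state: this affects every UGI user in the same class loader.
                UserGroupInformation.setConfiguration(hadoopConfiguration);

                // The cast selects the PrivilegedExceptionAction overload of doAs; a bare lambda is
                // ambiguous between it and the PrivilegedAction overload.
                this.client = SecurityUtil.getUgiForKerberosUser(hadoopConfiguration, this.kerberosUser)
                        .doAs((PrivilegedExceptionAction<AccumuloClient>) () ->
                                Accumulo.newClient()
                                        .from(clientProperties)
                                        .as(principal, new KerberosToken())
                                        .build());
                return;
            }
            default:
                throw new InitializationException("Not supported authentication type.");
        }
    }

    /**
     * @return the client created when the service was enabled, or {@code null} while disabled
     */
    @Override
    public AccumuloClient getClient() {
        return this.client;
    }

    /**
     * Re-checks the Kerberos ticket and logs in again when needed. Does nothing in password mode
     * or while the service is not enabled.
     */
    @Override
    public void renewTgtIfNecessary() {
        // Constant-first comparison: authType is null until onEnabled() has run.
        if (AuthenticationType.KERBEROS == this.authType && this.kerberosUser != null) {
            SecurityUtil.checkTGTAndRelogin(getLogger(), this.kerberosUser);
        }
    }

    /**
     * Closes the client and drops the per-enable state, so that a closed client or the previous
     * configuration's Kerberos user (which references a password or keytab) is not kept around
     * after the service is disabled or reconfigured.
     */
    @OnDisabled
    public void shutdown() {
        final AccumuloClient current = this.client;
        this.client = null;
        this.kerberosUser = null;
        this.authType = null;
        if (current != null) {
            current.close();
        }
    }
}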
