package org.apache.nifi.dbcp;

import java.io.File;
import java.io.IOException;
import java.lang.reflect.UndeclaredThrowableException;
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.nifi.annotation.behavior.DynamicProperty;
import org.apache.nifi.annotation.behavior.RequiresInstanceClassLoading;
import org.apache.nifi.annotation.behavior.Restricted;
import org.apache.nifi.annotation.behavior.Restriction;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnDisabled;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.RequiredPermission;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.components.resource.ResourceCardinality;
import org.apache.nifi.components.resource.ResourceType;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.controller.ControllerServiceInitializationContext;
import org.apache.nifi.dbcp.utils.DBCPProperties;
import org.apache.nifi.dbcp.utils.DataSourceConfiguration;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.hadoop.KerberosProperties;
import org.apache.nifi.hadoop.SecurityUtil;
import org.apache.nifi.kerberos.KerberosCredentialsService;
import org.apache.nifi.kerberos.KerberosUserService;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.security.krb.KerberosKeytabUser;
import org.apache.nifi.security.krb.KerberosLoginException;
import org.apache.nifi.security.krb.KerberosPasswordUser;

@CapabilityDescription("Provides a Database Connection Pooling Service for Hadoop related JDBC services. This service requires that the Database Driver Location(s) contains some version of a hadoop-common JAR, or a shaded JAR that shades hadoop-common.")
@DynamicProperty(name = "The name of a Hadoop configuration property.", value = "The value of the given Hadoop configuration property.", description = "These properties will be set on the Hadoop configuration after loading any provided configuration files.", expressionLanguageScope = ExpressionLanguageScope.VARIABLE_REGISTRY)
@RequiresInstanceClassLoading
@Restricted(restrictions = {@Restriction(requiredPermission = RequiredPermission.REFERENCE_REMOTE_RESOURCES, explanation = "Database Driver Location can reference resources over HTTP")})
@Tags({"dbcp", "jdbc", "database", "connection", "pooling", "store", "hadoop"})
/* loaded from: input_file:org/apache/nifi/dbcp/HadoopDBCPConnectionPool.class */
public class HadoopDBCPConnectionPool extends AbstractDBCPConnectionPool {
    private static final String ALLOW_EXPLICIT_KEYTAB = "NIFI_ALLOW_EXPLICIT_KEYTAB";
    private static final String HADOOP_CONFIGURATION_CLASS = "org.apache.hadoop.conf.Configuration";
    private static final String HADOOP_UGI_CLASS = "org.apache.hadoop.security.UserGroupInformation";
    public static final PropertyDescriptor DB_DRIVER_LOCATION = new PropertyDescriptor.Builder().fromPropertyDescriptor(DBCPProperties.DB_DRIVER_LOCATION).description("Comma-separated list of files/folders and/or URLs containing the driver JAR and its dependencies. For example '/var/tmp/phoenix-client.jar'. NOTE: It is required that the resources specified by this property provide the classes from hadoop-common, such as Configuration and UserGroupInformation.").required(true).build();
    static final PropertyDescriptor HADOOP_CONFIGURATION_RESOURCES = new PropertyDescriptor.Builder().name("hadoop-config-resources").displayName("Hadoop Configuration Resources").description("A file, or comma separated list of files, which contain the Hadoop configuration (core-site.xml, etc.). Without this, Hadoop will search the classpath, or will revert to a default configuration. Note that to enable authentication with Kerberos, the appropriate properties must be set in the configuration files.").required(false).identifiesExternalResource(ResourceCardinality.MULTIPLE, ResourceType.FILE, new ResourceType[0]).expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).dynamicallyModifiesClasspath(true).build();
    public static final PropertyDescriptor KERBEROS_CREDENTIALS_SERVICE = new PropertyDescriptor.Builder().name("kerberos-credentials-service").displayName("Kerberos Credentials Service").description("Specifies the Kerberos Credentials Controller Service that should be used for authenticating with Kerberos").identifiesControllerService(KerberosCredentialsService.class).required(false).build();
    private KerberosProperties kerberosProperties;
    private List<PropertyDescriptor> properties;
    private volatile UserGroupInformation ugi;
    private volatile Boolean foundHadoopDependencies;
    private final AtomicReference<ValidationResources> validationResourceHolder = new AtomicReference<>(null);

    protected void init(ControllerServiceInitializationContext controllerServiceInitializationContext) {
        this.kerberosProperties = getKerberosProperties(controllerServiceInitializationContext.getKerberosConfigurationFile());
        this.properties = Arrays.asList(DBCPProperties.DATABASE_URL, DBCPProperties.DB_DRIVERNAME, DB_DRIVER_LOCATION, HADOOP_CONFIGURATION_RESOURCES, DBCPProperties.KERBEROS_USER_SERVICE, KERBEROS_CREDENTIALS_SERVICE, this.kerberosProperties.getKerberosPrincipal(), this.kerberosProperties.getKerberosKeytab(), this.kerberosProperties.getKerberosPassword(), DBCPProperties.DB_USER, DBCPProperties.DB_PASSWORD, DBCPProperties.MAX_WAIT_TIME, DBCPProperties.MAX_TOTAL_CONNECTIONS, DBCPProperties.VALIDATION_QUERY, DBCPProperties.MIN_IDLE, DBCPProperties.MAX_IDLE, DBCPProperties.MAX_CONN_LIFETIME, DBCPProperties.EVICTION_RUN_PERIOD, DBCPProperties.MIN_EVICTABLE_IDLE_TIME, DBCPProperties.SOFT_MIN_EVICTABLE_IDLE_TIME);
    }

    protected KerberosProperties getKerberosProperties(File file) {
        return new KerberosProperties(file);
    }

    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return this.properties;
    }

    protected PropertyDescriptor getSupportedDynamicPropertyDescriptor(String str) {
        return new PropertyDescriptor.Builder().name(str).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).expressionLanguageSupported(ExpressionLanguageScope.VARIABLE_REGISTRY).dynamic(true).build();
    }

    protected Collection<ValidationResult> customValidate(ValidationContext validationContext) {
        String principal;
        String keytab;
        ArrayList arrayList = new ArrayList();
        if (this.foundHadoopDependencies == null) {
            ClassLoader classLoader = getClass().getClassLoader();
            try {
                Class.forName(HADOOP_CONFIGURATION_CLASS, true, classLoader);
                Class.forName(HADOOP_UGI_CLASS, true, classLoader);
                this.foundHadoopDependencies = true;
            } catch (ClassNotFoundException e) {
                getLogger().debug(e.getMessage(), e);
                this.foundHadoopDependencies = false;
            }
        }
        if (!this.foundHadoopDependencies.booleanValue()) {
            arrayList.add(new ValidationResult.Builder().subject(DB_DRIVER_LOCATION.getDisplayName()).valid(false).explanation("required Hadoop classes were not found in any of the specified resources, please ensure that hadoop-common is available").build());
            return arrayList;
        }
        String value = validationContext.getProperty(this.kerberosProperties.getKerberosPrincipal()).evaluateAttributeExpressions().getValue();
        String value2 = validationContext.getProperty(this.kerberosProperties.getKerberosKeytab()).evaluateAttributeExpressions().getValue();
        String value3 = validationContext.getProperty(this.kerberosProperties.getKerberosPassword()).getValue();
        KerberosCredentialsService asControllerService = validationContext.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
        KerberosUserService asControllerService2 = validationContext.getProperty(DBCPProperties.KERBEROS_USER_SERVICE).asControllerService(KerberosUserService.class);
        if (asControllerService == null) {
            principal = value;
            keytab = value2;
        } else {
            principal = asControllerService.getPrincipal();
            keytab = asControllerService.getKeytab();
        }
        if (validationContext.getProperty(HADOOP_CONFIGURATION_RESOURCES).isSet()) {
            String value4 = validationContext.getProperty(HADOOP_CONFIGURATION_RESOURCES).evaluateAttributeExpressions().getValue();
            ValidationResources validationResources = this.validationResourceHolder.get();
            if (validationResources == null || !value4.equals(validationResources.getConfigResources())) {
                getLogger().debug("Reloading validation resources");
                validationResources = new ValidationResources(value4, getConfigurationFromFiles(value4));
                this.validationResourceHolder.set(validationResources);
            }
            Configuration configuration = validationResources.getConfiguration();
            if (asControllerService2 == null) {
                arrayList.addAll(KerberosProperties.validatePrincipalWithKeytabOrPassword(getClass().getSimpleName(), configuration, principal, keytab, value3, getLogger()));
            } else if (!SecurityUtil.isSecurityEnabled(configuration)) {
                getLogger().warn("Hadoop Configuration does not have security enabled, KerberosUserService will be ignored");
            }
        }
        if (asControllerService != null && (value != null || value2 != null || value3 != null)) {
            arrayList.add(new ValidationResult.Builder().subject("Kerberos Credentials").valid(false).explanation("Cannot specify a Kerberos Credentials Service while also specifying a Kerberos Principal, Kerberos Keytab, or Kerberos Password").build());
        }
        if (asControllerService2 != null && (value != null || value2 != null || value3 != null)) {
            arrayList.add(new ValidationResult.Builder().subject("Kerberos User").valid(false).explanation("Cannot specify a Kerberos User Service while also specifying a Kerberos Principal, Kerberos Keytab, or Kerberos Password").build());
        }
        if (asControllerService2 != null && asControllerService != null) {
            arrayList.add(new ValidationResult.Builder().subject("Kerberos User").valid(false).explanation("Cannot specify a Kerberos User Service while also specifying a Kerberos Credentials Service").build());
        }
        if (!isAllowExplicitKeytab() && value2 != null) {
            arrayList.add(new ValidationResult.Builder().subject("Kerberos Credentials").valid(false).explanation("The 'NIFI_ALLOW_EXPLICIT_KEYTAB' system environment variable is configured to forbid explicitly configuring Kerberos Keytab in processors. The Kerberos Credentials Service should be used instead of setting the Kerberos Keytab or Kerberos Principal property.").build());
        }
        return arrayList;
    }

    protected Configuration getConfigurationFromFiles(String str) {
        Configuration configuration = new Configuration();
        if (StringUtils.isNotBlank(str)) {
            for (String str2 : str.split(",")) {
                configuration.addResource(new Path(str2.trim()));
            }
        }
        return configuration;
    }

    @OnEnabled
    public void onEnabled(ConfigurationContext configurationContext) throws IOException {
        String str;
        String str2;
        Configuration configurationFromFiles = getConfigurationFromFiles(configurationContext.getProperty(HADOOP_CONFIGURATION_RESOURCES).evaluateAttributeExpressions().getValue());
        Iterator it = configurationContext.getProperties().entrySet().iterator();
        while (it.hasNext()) {
            PropertyDescriptor propertyDescriptor = (PropertyDescriptor) ((Map.Entry) it.next()).getKey();
            if (propertyDescriptor.isDynamic()) {
                configurationFromFiles.set(propertyDescriptor.getName(), configurationContext.getProperty(propertyDescriptor).evaluateAttributeExpressions().getValue());
            }
        }
        if (!SecurityUtil.isSecurityEnabled(configurationFromFiles)) {
            getLogger().info("Simple Authentication");
            return;
        }
        String value = configurationContext.getProperty(this.kerberosProperties.getKerberosPrincipal()).evaluateAttributeExpressions().getValue();
        String value2 = configurationContext.getProperty(this.kerberosProperties.getKerberosKeytab()).evaluateAttributeExpressions().getValue();
        String value3 = configurationContext.getProperty(this.kerberosProperties.getKerberosPassword()).getValue();
        KerberosCredentialsService asControllerService = configurationContext.getProperty(KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
        if (asControllerService != null) {
            str = asControllerService.getPrincipal();
            str2 = asControllerService.getKeytab();
        } else {
            str = value;
            str2 = value2;
        }
        if (str2 != null) {
            this.kerberosUser = new KerberosKeytabUser(str, str2);
            getLogger().info("Security Enabled, logging in as principal {} with keytab {}", new Object[]{str, str2});
        } else {
            if (value3 == null) {
                throw new IOException("Unable to authenticate with Kerberos, no keytab or password was provided");
            }
            this.kerberosUser = new KerberosPasswordUser(str, value3);
            getLogger().info("Security Enabled, logging in as principal {} with password", new Object[]{str});
        }
        this.ugi = SecurityUtil.getUgiForKerberosUser(configurationFromFiles, this.kerberosUser);
        getLogger().info("Successfully logged in as principal " + str);
    }

    @OnDisabled
    public void shutdown() throws SQLException {
        try {
            if (this.kerberosUser != null) {
                this.kerberosUser.logout();
            }
            this.validationResourceHolder.set(null);
            this.foundHadoopDependencies = null;
            this.kerberosUser = null;
            this.ugi = null;
            try {
                if (this.dataSource != null) {
                    this.dataSource.close();
                }
            } finally {
            }
        } catch (Throwable th) {
            this.validationResourceHolder.set(null);
            this.foundHadoopDependencies = null;
            this.kerberosUser = null;
            this.ugi = null;
            try {
                if (this.dataSource != null) {
                    this.dataSource.close();
                }
                throw th;
            } finally {
            }
        }
    }

    protected Driver getDriver(String str, String str2) {
        try {
            try {
                return DriverManager.getDriver(str2);
            } catch (SQLException e) {
                try {
                    DriverManager.registerDriver((Driver) Class.forName(str).newInstance());
                    return DriverManager.getDriver(str2);
                } catch (IllegalAccessException | InstantiationException e2) {
                    throw new ProcessException("Creating driver instance is failed", e2);
                } catch (SQLException e3) {
                    throw new ProcessException("No suitable driver for the given Database Connection URL", e3);
                }
            }
        } catch (ClassNotFoundException e4) {
            throw new ProcessException("Driver class " + str + " is not found", e4);
        }
    }

    protected DataSourceConfiguration getDataSourceConfiguration(ConfigurationContext configurationContext) {
        String value = configurationContext.getProperty(DBCPProperties.DATABASE_URL).evaluateAttributeExpressions().getValue();
        String value2 = configurationContext.getProperty(DBCPProperties.DB_DRIVERNAME).evaluateAttributeExpressions().getValue();
        String value3 = configurationContext.getProperty(DBCPProperties.DB_USER).evaluateAttributeExpressions().getValue();
        String value4 = configurationContext.getProperty(DBCPProperties.DB_PASSWORD).evaluateAttributeExpressions().getValue();
        Integer asInteger = configurationContext.getProperty(DBCPProperties.MAX_TOTAL_CONNECTIONS).evaluateAttributeExpressions().asInteger();
        return new DataSourceConfiguration.Builder(value, value2, value3, value4).validationQuery(configurationContext.getProperty(DBCPProperties.VALIDATION_QUERY).evaluateAttributeExpressions().getValue()).maxWaitMillis(DBCPProperties.extractMillisWithInfinite(configurationContext.getProperty(DBCPProperties.MAX_WAIT_TIME).evaluateAttributeExpressions()).longValue()).maxTotal(asInteger.intValue()).minIdle(configurationContext.getProperty(DBCPProperties.MIN_IDLE).evaluateAttributeExpressions().asInteger().intValue()).maxIdle(configurationContext.getProperty(DBCPProperties.MAX_IDLE).evaluateAttributeExpressions().asInteger().intValue()).maxConnLifetimeMillis(DBCPProperties.extractMillisWithInfinite(configurationContext.getProperty(DBCPProperties.MAX_CONN_LIFETIME).evaluateAttributeExpressions()).longValue()).timeBetweenEvictionRunsMillis(DBCPProperties.extractMillisWithInfinite(configurationContext.getProperty(DBCPProperties.EVICTION_RUN_PERIOD).evaluateAttributeExpressions()).longValue()).minEvictableIdleTimeMillis(DBCPProperties.extractMillisWithInfinite(configurationContext.getProperty(DBCPProperties.MIN_EVICTABLE_IDLE_TIME).evaluateAttributeExpressions()).longValue()).softMinEvictableIdleTimeMillis(DBCPProperties.extractMillisWithInfinite(configurationContext.getProperty(DBCPProperties.SOFT_MIN_EVICTABLE_IDLE_TIME).evaluateAttributeExpressions()).longValue()).build();
    }

    public Connection getConnection() throws ProcessException {
        try {
            if (this.ugi == null) {
                getLogger().info("Simple Authentication");
                return this.dataSource.getConnection();
            }
            getLogger().trace("getting UGI instance");
            if (this.kerberosUser != null) {
                getLogger().debug("kerberosUser is {}", new Object[]{this.kerberosUser});
                try {
                    getLogger().debug("checking TGT on kerberosUser {}", new Object[]{this.kerberosUser});
                    this.kerberosUser.checkTGTAndRelogin();
                } catch (KerberosLoginException e) {
                    throw new ProcessException("Unable to relogin with kerberos credentials for " + this.kerberosUser.getPrincipal(), e);
                }
            } else {
                getLogger().debug("kerberosUser was null, will not refresh TGT with KerberosUser");
                this.ugi.checkTGTAndReloginFromKeytab();
            }
            try {
                return (Connection) this.ugi.doAs(() -> {
                    return this.dataSource.getConnection();
                });
            } catch (UndeclaredThrowableException e2) {
                Throwable cause = e2.getCause();
                if (cause instanceof SQLException) {
                    throw ((SQLException) cause);
                }
                throw e2;
            }
        } catch (IOException | InterruptedException | SQLException e3) {
            throw new ProcessException(e3);
        }
    }

    public String toString() {
        return "HadoopDBCPConnectionPool[id=" + getIdentifier() + "]";
    }

    boolean isAllowExplicitKeytab() {
        return Boolean.parseBoolean(System.getenv(ALLOW_EXPLICIT_KEYTAB));
    }
}
