package org.apache.calcite.avatica.remote;

import java.io.File;
import java.lang.Thread;
import java.util.AbstractMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.helix.model.Message;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/calcite/avatica/remote/KerberosConnection.class */
public class KerberosConnection {
    private static final String IBM_KRB5_LOGIN_MODULE = "com.ibm.security.auth.module.Krb5LoginModule";
    private static final String SUN_KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String JAAS_CONF_NAME = "AvaticaKeytabConf";
    private static final String RENEWAL_THREAD_NAME = "Avatica Kerberos Renewal Thread";
    public static final float PERCENT_OF_LIFETIME_TO_RENEW = 0.8f;
    public static final long RENEWAL_PERIOD = 30;
    private final String principal;
    private final Configuration jaasConf;
    private Subject subject;
    private RenewalTask renewalTask;
    private Thread renewalThread;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) KerberosConnection.class);
    private static final String JAVA_VENDOR_NAME = System.getProperty("java.vendor");
    private static final boolean IS_IBM_JAVA = JAVA_VENDOR_NAME.contains("IBM");

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/calcite/avatica/remote/KerberosConnection$RenewalTask.class */
    public static class RenewalTask implements Runnable {
        private static final Logger RENEWAL_LOG = LoggerFactory.getLogger((Class<?>) RenewalTask.class);
        private LoginContext context;
        private Subject subject;
        private final KerberosConnection utilInstance;
        private final Configuration conf;
        private final long renewalPeriod;
        private final AtomicBoolean keepRunning = new AtomicBoolean(true);

        RenewalTask(KerberosConnection kerberosConnection, LoginContext loginContext, Subject subject, Configuration configuration, long j) {
            this.utilInstance = (KerberosConnection) Objects.requireNonNull(kerberosConnection);
            this.context = (LoginContext) Objects.requireNonNull(loginContext);
            this.subject = (Subject) Objects.requireNonNull(subject);
            this.conf = (Configuration) Objects.requireNonNull(configuration);
            this.renewalPeriod = j;
        }

        @Override // java.lang.Runnable
        public void run() {
            while (this.keepRunning.get() && !Thread.currentThread().isInterrupted()) {
                RENEWAL_LOG.debug("Checking if Kerberos ticket should be renewed");
                long currentTimeMillis = System.currentTimeMillis();
                KerberosTicket kerberosTicket = null;
                Iterator it = this.subject.getPrivateCredentials(KerberosTicket.class).iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    KerberosTicket kerberosTicket2 = (KerberosTicket) it.next();
                    if (KerberosConnection.isTGSPrincipal(kerberosTicket2.getServer())) {
                        kerberosTicket = kerberosTicket2;
                        break;
                    }
                }
                if (null == kerberosTicket) {
                    RENEWAL_LOG.debug("There is no active Kerberos ticket, renewing now");
                    renew();
                } else {
                    if (shouldRenew(kerberosTicket.getStartTime().getTime(), kerberosTicket.getEndTime().getTime(), currentTimeMillis)) {
                        RENEWAL_LOG.debug("The current ticket should be renewed now");
                        renew();
                    }
                    waitForNextCheck(this.renewalPeriod);
                }
            }
        }

        boolean shouldRenew(long j, long j2, long j3) {
            return j3 >= j + ((long) (((float) (j2 - j)) * 0.8f));
        }

        void renew() {
            try {
                synchronized (this.utilInstance) {
                    Map.Entry<LoginContext, Subject> login = this.utilInstance.login(this.context, this.conf, this.subject);
                    this.context = login.getKey();
                    this.subject = login.getValue();
                }
            } catch (Exception e) {
                throw new RuntimeException("Failed to perform kerberos login");
            }
        }

        void waitForNextCheck(long j) {
            try {
                Thread.sleep(j);
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            }
        }

        void asyncStop() {
            this.keepRunning.set(false);
        }
    }

    public KerberosConnection(String str, File file) {
        this.principal = (String) Objects.requireNonNull(str);
        this.jaasConf = new ClientKeytabJaasConf(str, ((File) Objects.requireNonNull(file)).getAbsolutePath());
    }

    public synchronized Subject getSubject() {
        return this.subject;
    }

    public synchronized void login() {
        Map.Entry<LoginContext, Subject> performKerberosLogin = performKerberosLogin();
        this.subject = performKerberosLogin.getValue();
        Map.Entry<RenewalTask, Thread> createRenewalThread = createRenewalThread(performKerberosLogin.getKey(), this.subject, 30L);
        this.renewalTask = createRenewalThread.getKey();
        this.renewalThread = createRenewalThread.getValue();
        this.renewalThread.start();
    }

    Map.Entry<LoginContext, Subject> performKerberosLogin() {
        HashSet hashSet = new HashSet();
        hashSet.add(new KerberosPrincipal(this.principal));
        try {
            return login(null, this.jaasConf, new Subject(false, hashSet, new HashSet(), new HashSet()));
        } catch (Exception e) {
            throw new RuntimeException("Failed to perform Kerberos login");
        }
    }

    Map.Entry<LoginContext, Subject> login(LoginContext loginContext, Configuration configuration, Subject subject) throws LoginException {
        if (null != loginContext) {
            loginContext.logout();
        }
        LoginContext createLoginContext = createLoginContext(configuration);
        createLoginContext.login();
        Subject subject2 = createLoginContext.getSubject();
        if (null == subject2) {
            throw new RuntimeException("Failed to perform Kerberos login");
        }
        return new AbstractMap.SimpleEntry(createLoginContext, subject2);
    }

    LoginContext createLoginContext(Configuration configuration) throws LoginException {
        return new LoginContext(JAAS_CONF_NAME, this.subject, (CallbackHandler) null, configuration);
    }

    Map.Entry<RenewalTask, Thread> createRenewalThread(LoginContext loginContext, Subject subject, long j) {
        RenewalTask renewalTask = new RenewalTask(this, loginContext, subject, this.jaasConf, j);
        Thread thread = new Thread(renewalTask);
        thread.setDaemon(true);
        thread.setUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() { // from class: org.apache.calcite.avatica.remote.KerberosConnection.1
            @Override // java.lang.Thread.UncaughtExceptionHandler
            public void uncaughtException(Thread thread2, Throwable th) {
                KerberosConnection.LOG.error("Uncaught exception from Kerberos credential renewal thread", th);
            }
        });
        thread.setName(RENEWAL_THREAD_NAME);
        return new AbstractMap.SimpleEntry(renewalTask, thread);
    }

    public void stopRenewalThread() {
        if (null == this.renewalTask || null == this.renewalThread) {
            LOG.warn("Renewal thread was never started or already stopped.");
            return;
        }
        LOG.debug("Informing RenewalTask to gracefully stop and interrupting the renewal thread.");
        this.renewalTask.asyncStop();
        long currentTimeMillis = System.currentTimeMillis();
        long j = currentTimeMillis + Message.RELAY_MESSAGE_DEFAULT_EXPIRY;
        while (currentTimeMillis < j && this.renewalThread.isAlive()) {
            try {
                Thread.sleep(500L);
                currentTimeMillis = System.currentTimeMillis();
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
                return;
            }
        }
        if (this.renewalThread.isAlive()) {
            LOG.warn("Renewal thread failed to gracefully stop, interrupting it");
            this.renewalThread.interrupt();
            try {
                this.renewalThread.join(Message.RELAY_MESSAGE_DEFAULT_EXPIRY);
            } catch (InterruptedException e2) {
                Thread.currentThread().interrupt();
            }
        }
        if (this.renewalThread.isAlive()) {
            LOG.warn("Renewal thread failed to gracefully and ungracefully stop, proceeding.");
        }
        this.renewalTask = null;
        this.renewalThread = null;
    }

    static boolean isTGSPrincipal(KerberosPrincipal kerberosPrincipal) {
        return kerberosPrincipal != null && kerberosPrincipal.getName().equals(new StringBuilder().append("krbtgt/").append(kerberosPrincipal.getRealm()).append("@").append(kerberosPrincipal.getRealm()).toString());
    }

    public static boolean isIbmJava() {
        return IS_IBM_JAVA;
    }

    public static String getKrb5LoginModuleName() {
        return System.getProperty("java.vendor").contains("IBM") ? IBM_KRB5_LOGIN_MODULE : SUN_KRB5_LOGIN_MODULE;
    }
}
