package org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.client.jaas;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.hadoop.shaded.com.nimbusds.jwt.JWTParser;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbRuntime;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.client.KrbConfig;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.client.KrbTokenClient;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.common.PrivateKeyReader;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.KrbToken;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.TokenFormat;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.provider.token.JwtAuthToken;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.provider.token.JwtTokenEncoder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/shaded/org/apache/kerby/kerberos/kerb/client/jaas/TokenAuthLoginModule.class */
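/**
 * JAAS {@link LoginModule} that obtains a Kerberos TGT from a JWT token.
 *
 * <p>{@link #login()} takes the token from the {@code token} option or from the token cache named
 * by {@code tokenCache}, wraps it in a {@link KrbToken} (optionally re-signing it with the key in
 * {@code signKeyFile}), requests a TGT through {@link KrbTokenClient#requestTgt} using the armor
 * cache given by {@code armorCache}, and, when {@code credentialCache} is set, stores the TGT in
 * that file. {@link #commit()} adds the TGT as a {@link KerberosTicket} (plus the configured
 * principal) to the Subject; {@link #logout()} removes exactly what this module added and deletes
 * the credential cache file.
 *
 * <p>The token is a bearer credential: it is never written to log output or exception messages.
 * Not thread-safe; a LoginContext uses one instance per login.
 */
public class TokenAuthLoginModule implements LoginModule {
    /** Option: principal name added to the Subject on commit (optional). */
    public static final String PRINCIPAL = "principal";
    /** Option: the token string itself; mutually exclusive with {@link #TOKEN_CACHE}. */
    public static final String TOKEN = "token";
    /** Option: name of the token cache to read the token from; mutually exclusive with {@link #TOKEN}. */
    public static final String TOKEN_CACHE = "tokenCache";
    /** Option: path of the armor credential cache handed to the TGT request (required). */
    public static final String ARMOR_CACHE = "armorCache";
    /** Option: path of the file the obtained TGT is stored in (optional). */
    public static final String CREDENTIAL_CACHE = "credentialCache";
    /** Option: path of a private key file used to re-sign the token before it is sent (optional). */
    public static final String SIGN_KEY_FILE = "signKeyFile";
    private static final Logger LOG = LoggerFactory.getLogger(TokenAuthLoginModule.class);

    private Subject subject;
    private String tokenCacheName = null;
    private boolean succeeded = false;
    private boolean commitSucceeded = false;
    private String princName = null;
    private String tokenStr = null;
    private AuthToken authToken = null;
    private KrbToken krbToken = null;
    private File armorCache;
    private File cCache;
    private File signKeyFile;
    private TgtTicket tgtTicket;
    // The KerberosTicket this module added to the Subject in commit(); kept so that logout()
    // removes exactly that entry and leaves tickets added by other modules alone.
    private KerberosTicket kerberosTicket;

    /**
     * Stores the Subject and reads the module options.
     *
     * @param subject the Subject to populate on commit
     * @param callbackHandler unused; the token is taken from the options, not from callbacks
     * @param sharedState unused
     * @param options module options, see the {@code public static final String} keys of this class
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.princName = stringOption(options, PRINCIPAL);
        this.tokenStr = stringOption(options, TOKEN);
        this.tokenCacheName = stringOption(options, TOKEN_CACHE);
        this.armorCache = fileOption(options, ARMOR_CACHE);
        this.cCache = fileOption(options, CREDENTIAL_CACHE);
        this.signKeyFile = fileOption(options, SIGN_KEY_FILE);
    }

    /** Returns the option as a String, or null when absent. */
    private static String stringOption(Map<String, ?> options, String key) {
        Object value = options.get(key);
        return value == null ? null : (String) value;
    }

    /** Returns the option as a File, or null when absent. */
    private static File fileOption(Map<String, ?> options, String key) {
        String path = stringOption(options, key);
        return path == null ? null : new File(path);
    }

    /**
     * Validates the options and requests the TGT.
     *
     * @return true when a TGT was obtained
     * @throws LoginException when the configuration is invalid or any step of the token login fails
     */
    @Override
    public boolean login() throws LoginException {
        validateConfiguration();
        this.succeeded = tokenLogin();
        return this.succeeded;
    }

    /**
     * Adds the obtained TGT (as a {@link KerberosTicket}) and the configured principal to the Subject.
     *
     * @return false when {@link #login()} did not succeed, true otherwise
     * @throws LoginException when the Subject is read-only or the ticket cannot be encoded
     */
    @Override
    public boolean commit() throws LoginException {
        if (!this.succeeded) {
            return false;
        }
        if (this.subject.isReadOnly()) {
            throw new LoginException("Subject is Readonly");
        }
        KerberosTicket ticket;
        try {
            ticket = toKerberosTicket(this.tgtTicket);
        } catch (IOException e) {
            // Never add a null credential to the Subject and never report a commit that did not happen.
            throw loginFailure("Commit Failed. Could not encode the TGT", e);
        }
        this.subject.getPrivateCredentials().add(ticket);
        this.kerberosTicket = ticket;
        if (this.princName != null) {
            this.subject.getPrincipals().add(new KerberosPrincipal(this.princName));
        }
        this.commitSucceeded = true;
        LOG.info("Commit Succeeded \n");
        return true;
    }

    /**
     * Converts a Kerby TGT into the JDK's {@link KerberosTicket} representation.
     *
     * @throws IOException when the ticket cannot be DER-encoded
     */
    private static KerberosTicket toKerberosTicket(TgtTicket tgt) throws IOException {
        EncKdcRepPart encKdcRepPart = tgt.getEncKdcRepPart();
        // Only the low seven flag bits are copied, indexed by bit position.
        // NOTE(review): confirm that Kerby's flag bit layout matches KerberosTicket's flag indices.
        boolean[] flags = new boolean[7];
        int flagBits = encKdcRepPart.getFlags().getFlags();
        for (int i = 0; i < flags.length; i++) {
            flags[i] = (flagBits & (1 << i)) != 0;
        }
        return new KerberosTicket(
                tgt.getTicket().encode(),
                new KerberosPrincipal(tgt.getClientPrincipal().getName()),
                new KerberosPrincipal(encKdcRepPart.getSname().getName()),
                encKdcRepPart.getKey().getKeyData(),
                encKdcRepPart.getKey().getKeyType().getValue(),
                flags,
                encKdcRepPart.getAuthTime().getValue(),
                encKdcRepPart.getStartTime() != null ? encKdcRepPart.getStartTime().getValue() : null,
                encKdcRepPart.getEndTime().getValue(),
                // A ticket without a renew-till time would otherwise NPE here; null is accepted.
                encKdcRepPart.getRenewTill() != null ? encKdcRepPart.getRenewTill().getValue() : null,
                (InetAddress[]) null);
    }

    /**
     * Discards the result of a login whose overall authentication failed.
     *
     * @return false when {@link #login()} did not succeed, true otherwise
     * @throws LoginException when the Subject cannot be cleaned up
     */
    @Override
    public boolean abort() throws LoginException {
        if (!this.succeeded) {
            return false;
        }
        if (this.commitSucceeded) {
            // Our own commit ran, another module failed: undo everything we added.
            logout();
            return true;
        }
        // Login succeeded but commit never ran: drop the TGT we obtained, in memory and on disk.
        this.succeeded = false;
        cleanup();
        clearCredentialState();
        return true;
    }

    /**
     * Removes the principal and credentials added by this module, destroys the session ticket and
     * deletes the credential cache file.
     *
     * @return always true
     * @throws LoginException when the Subject is read-only or the credential cache cannot be deleted
     */
    @Override
    public boolean logout() throws LoginException {
        LOG.info("\t\t[TokenAuthLoginModule]: Entering logout");
        if (this.subject.isReadOnly()) {
            throw new LoginException("Subject is Readonly");
        }
        removeOwnPrincipal();
        removeOwnCredentials();
        cleanup();
        this.succeeded = false;
        this.commitSucceeded = false;
        clearCredentialState();
        LOG.info("\t\t[TokenAuthLoginModule]: logged out Subject");
        return true;
    }

    /**
     * Removes every principal whose name equals the configured principal. Removal goes through the
     * iterator; removing from the set inside a for-each over it would modify it mid-iteration.
     */
    private void removeOwnPrincipal() {
        if (this.princName == null) {
            return;
        }
        Iterator<Principal> it = this.subject.getPrincipals().iterator();
        while (it.hasNext()) {
            if (this.princName.equals(it.next().getName())) {
                it.remove();
            }
        }
    }

    /**
     * Removes KrbToken credentials and the KerberosTicket this module added, then destroys that
     * ticket so its session key does not linger in memory.
     */
    private void removeOwnCredentials() {
        Iterator<Object> it = this.subject.getPrivateCredentials().iterator();
        while (it.hasNext()) {
            Object credential = it.next();
            boolean ours = this.kerberosTicket != null && credential == this.kerberosTicket;
            if (credential instanceof KrbToken || ours) {
                it.remove();
            }
        }
        if (this.kerberosTicket != null) {
            try {
                this.kerberosTicket.destroy();
            } catch (DestroyFailedException e) {
                LOG.debug("Could not destroy the session ticket on logout", e);
            }
        }
    }

    /** Forgets the token and ticket objects produced by login/commit. */
    private void clearCredentialState() {
        this.authToken = null;
        this.krbToken = null;
        this.tgtTicket = null;
        this.kerberosTicket = null;
    }

    /**
     * Checks the option combination: an armor cache is required and exactly one of token / token
     * cache must be given.
     *
     * @throws LoginException when the options are inconsistent
     */
    private void validateConfiguration() throws LoginException {
        if (this.armorCache == null) {
            throw new LoginException("An armor cache must be specified via the armorCache configuration option");
        }
        if (this.cCache == null) {
            LOG.info("No credential cache was specified via 'credentialCache'. The TGT will be stored internally instead");
        }
        boolean hasToken = this.tokenStr != null;
        boolean hasCache = this.tokenCacheName != null;
        if (!hasToken && !hasCache) {
            throw new LoginException("useToken is specified but no token or token cache is provided");
        }
        if (hasToken && hasCache) {
            throw new LoginException("either token or token cache should be provided but not both");
        }
    }

    /**
     * Builds the KrbToken, requests the TGT and stores it in the credential cache when one is
     * configured. Storing the TGT is best effort: failures are logged, the login still succeeds.
     *
     * @return true when the TGT was obtained
     * @throws LoginException when the token cannot be read, decoded, signed or exchanged for a TGT
     */
    private boolean tokenLogin() throws LoginException {
        String token = resolveToken();
        this.krbToken = buildKrbToken(token);
        KrbClient krbClient = initKrbClient();
        try {
            this.tgtTicket = new KrbTokenClient(krbClient).requestTgt(this.krbToken, this.armorCache.getAbsolutePath());
        } catch (KrbException e) {
            // The token is a bearer credential: report the failure without echoing it.
            throw loginFailure("Failed to do login with token", e);
        }
        if (this.cCache != null) {
            storeTgt(krbClient);
        }
        return true;
    }

    /** Returns the configured token, reading it from the token cache when none was given directly. */
    private String resolveToken() throws LoginException {
        if (this.tokenStr == null) {
            this.tokenStr = TokenCache.readToken(this.tokenCacheName);
            if (this.tokenStr == null) {
                throw new LoginException("No valid token was found in token cache: " + this.tokenCacheName);
            }
        }
        return this.tokenStr;
    }

    /**
     * Wraps the token string in a KrbToken. With a sign key file the token is decoded and
     * re-encoded (signed) with that key; otherwise the raw string is used and parsed as a JWT.
     */
    private KrbToken buildKrbToken(String token) throws LoginException {
        KrbToken result = new KrbToken();
        if (this.signKeyFile != null) {
            this.authToken = decodeToken(token);
            TokenEncoder encoder = KrbRuntime.getTokenProvider().createTokenEncoder();
            if (encoder instanceof JwtTokenEncoder) {
                ((JwtTokenEncoder) encoder).setSignKey(loadRsaSignKey());
            }
            try {
                result.setTokenValue(encoder.encodeAsBytes(this.authToken));
            } catch (KrbException e) {
                throw loginFailure("Failed to encode AuthToken", e);
            }
        } else {
            // JWTs are ASCII; the explicit charset only removes the platform-default dependency.
            result.setTokenValue(token.getBytes(StandardCharsets.UTF_8));
            if (this.authToken == null) {
                try {
                    this.authToken = new JwtAuthToken(JWTParser.parse(token).getJWTClaimsSet());
                } catch (ParseException e) {
                    throw loginFailure("Failed to parse JWT token string", e);
                }
            }
        }
        result.setInnerToken(this.authToken);
        result.setTokenType();
        result.setTokenFormat(TokenFormat.JWT);
        return result;
    }

    /** Decodes the token string with the runtime's token provider. */
    private static AuthToken decodeToken(String token) throws LoginException {
        try {
            return KrbRuntime.getTokenProvider().createTokenDecoder().decodeFromString(token);
        } catch (IOException e) {
            throw loginFailure("Token decode failed", e);
        }
    }

    /**
     * Loads the signing key from {@link #signKeyFile}; the stream is closed by try-with-resources.
     *
     * @throws LoginException when the file cannot be read or does not hold an RSA private key
     */
    private RSAPrivateKey loadRsaSignKey() throws LoginException {
        PrivateKey privateKey;
        try (InputStream in = Files.newInputStream(this.signKeyFile.toPath())) {
            privateKey = PrivateKeyReader.loadPrivateKey(in);
        } catch (Exception e) {
            // Covers the IOException from opening the file as well as key parsing failures.
            throw loginFailure("Failed to load private key from file: " + this.signKeyFile.getName(), e);
        }
        if (!(privateKey instanceof RSAPrivateKey)) {
            throw new LoginException("Sign key file " + this.signKeyFile.getName() + " does not hold an RSA private key");
        }
        return (RSAPrivateKey) privateKey;
    }

    /**
     * Creates and initialises a KrbClient from the krb5 configuration named by the
     * {@code java.security.krb5.conf} system property.
     *
     * @throws LoginException when the property is unset or the client cannot be initialised
     */
    private static KrbClient initKrbClient() throws LoginException {
        String confPath = System.getProperty("java.security.krb5.conf");
        if (confPath == null) {
            throw new LoginException("System property java.security.krb5.conf is not set");
        }
        try {
            KrbConfig krbConfig = new KrbConfig();
            krbConfig.addKrb5Config(new File(confPath));
            KrbClient krbClient = new KrbClient(krbConfig);
            krbClient.init();
            return krbClient;
        } catch (IOException | KrbException e) {
            throw loginFailure("KrbClient init failed", e);
        }
    }

    /** Best-effort write of the TGT into the credential cache file; problems are logged only. */
    private void storeTgt(KrbClient krbClient) {
        try {
            this.cCache = makeTgtCache();
        } catch (IOException e) {
            LOG.error("Failed to make tgtCache", e);
        }
        try {
            krbClient.storeTicket(this.tgtTicket, this.cCache);
        } catch (KrbException e) {
            LOG.error("Failed to store tgtTicket to " + this.cCache.getName(), e);
        }
    }

    /**
     * Creates the credential cache file if needed and restricts it to owner read/write.
     *
     * @return the credential cache file
     * @throws IOException when the file cannot be created
     */
    private File makeTgtCache() throws IOException {
        if (!this.cCache.exists() && !this.cCache.createNewFile()) {
            throw new IOException("Failed to create tgtcache file " + this.cCache.getAbsolutePath());
        }
        // The cache holds the TGT and its session key. createNewFile() applies the process umask,
        // which may leave group/other read bits set, so clear all bits for everyone first and then
        // re-grant owner read/write. (File.setX(flag) with a single argument only touches the
        // owner bits.) There is a short window between creation and restriction.
        boolean restricted = this.cCache.setReadable(false, false);
        restricted &= this.cCache.setWritable(false, false);
        restricted &= this.cCache.setExecutable(false, false);
        restricted &= this.cCache.setReadable(true, true);
        restricted &= this.cCache.setWritable(true, true);
        if (!restricted) {
            LOG.warn("Could not restrict permissions of tgtcache file " + this.cCache.getAbsolutePath());
        }
        return this.cCache;
    }

    /**
     * Deletes the credential cache file when one is configured and exists.
     *
     * @throws LoginException when the file exists but cannot be deleted
     */
    private void cleanup() throws LoginException {
        if (this.cCache != null && this.cCache.exists() && !this.cCache.delete()) {
            throw new LoginException("Failed to delete credential cache " + this.cCache.getAbsolutePath());
        }
    }

    /** Builds a LoginException carrying {@code cause}; LoginException has no cause constructor. */
    private static LoginException loginFailure(String message, Throwable cause) {
        LoginException loginException = new LoginException(message);
        loginException.initCause(cause);
        return loginException;
    }
}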
