package org.apache.storm.security.auth.kerberos;

import com.codahale.metrics.Gauge;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.xml.bind.DatatypeConverter;
import org.apache.storm.metric.api.IMetricsRegistrant;
import org.apache.storm.security.auth.ClientAuthUtils;
import org.apache.storm.security.auth.IAutoCredentials;
import org.apache.storm.security.auth.ICredentialsRenewer;
import org.apache.storm.task.TopologyContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/kerberos/AutoTGT.class */
public class AutoTGT implements IAutoCredentials, ICredentialsRenewer, IMetricsRegistrant {
    protected static final AtomicReference<KerberosTicket> kerbTicket = new AtomicReference<>();
    private static final Logger LOG = LoggerFactory.getLogger(AutoTGT.class);
    private static final float TICKET_RENEW_WINDOW = 0.8f;
    private Map<String, Object> conf;
    private Map<String, String> credentials;

    private static KerberosTicket getTGT(Subject subject) {
        for (KerberosTicket kerberosTicket : subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = kerberosTicket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                return kerberosTicket;
            }
        }
        return null;
    }

    public static KerberosTicket getTGT(Map<String, String> map) {
        KerberosTicket kerberosTicket = null;
        if (map != null && map.containsKey("TGT") && map.get("TGT") != null) {
            kerberosTicket = ClientAuthUtils.deserializeKerberosTicket(DatatypeConverter.parseBase64Binary(map.get("TGT")));
        }
        return kerberosTicket;
    }

    public static void saveTGT(KerberosTicket kerberosTicket, Map<String, String> map) {
        try {
            map.put("TGT", DatatypeConverter.printBase64Binary(ClientAuthUtils.serializeKerberosTicket(kerberosTicket)));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    public static void clearCredentials(Subject subject, KerberosTicket kerberosTicket) {
        Set<Object> privateCredentials = subject.getPrivateCredentials();
        synchronized (privateCredentials) {
            Iterator<Object> it = privateCredentials.iterator();
            while (it.hasNext()) {
                Object next = it.next();
                if (next instanceof KerberosTicket) {
                    KerberosTicket kerberosTicket2 = (KerberosTicket) next;
                    it.remove();
                    try {
                        kerberosTicket2.destroy();
                    } catch (DestroyFailedException e) {
                        LOG.warn("Failed to destory ticket ", e);
                    }
                }
            }
            if (kerberosTicket != null) {
                privateCredentials.add(kerberosTicket);
            }
        }
    }

    public static void main(String[] strArr) throws Exception {
        AutoTGT autoTGT = new AutoTGT();
        HashMap hashMap = new HashMap();
        hashMap.put("java.security.auth.login.config", strArr[0]);
        autoTGT.prepare(hashMap);
        HashMap hashMap2 = new HashMap();
        autoTGT.populateCredentials(hashMap2);
        Subject subject = new Subject();
        autoTGT.populateSubject(subject, hashMap2);
        LOG.info("Got a Subject " + subject);
    }

    @Override // org.apache.storm.security.auth.IAutoCredentials
    public void prepare(Map<String, Object> map) {
        this.conf = map;
    }

    @Override // org.apache.storm.security.auth.IAutoCredentials
    public void populateCredentials(Map<String, String> map) {
        this.credentials = map;
        try {
            Configuration configuration = ClientAuthUtils.getConfiguration(this.conf);
            LoginContext loginContext = new LoginContext(ClientAuthUtils.LOGIN_CONTEXT_CLIENT, (Subject) null, new ClientCallbackHandler(this.conf), configuration);
            try {
                loginContext.login();
                KerberosTicket tgt = getTGT(loginContext.getSubject());
                if (tgt == null) {
                    throw new RuntimeException("Fail to verify user principal with section \"StormClient\" in login configuration file " + configuration);
                }
                if (!tgt.isForwardable()) {
                    throw new RuntimeException("The TGT found is not forwardable. Please use -f option with 'kinit'.");
                }
                if (!tgt.isRenewable()) {
                    throw new RuntimeException("The TGT found is not renewable. Please use -r option with 'kinit'.");
                }
                if (tgt.getClientAddresses() != null) {
                    throw new RuntimeException("The TGT found is not address-less. Please use -A option with 'kinit'.");
                }
                LOG.info("Pushing TGT for " + tgt.getClient() + " to topology.");
                saveTGT(tgt, map);
                loginContext.logout();
            } catch (Throwable th) {
                loginContext.logout();
                throw th;
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    @Override // org.apache.storm.security.auth.IAutoCredentials
    public void updateSubject(Subject subject, Map<String, String> map) {
        this.credentials = map;
        populateSubjectWithTGT(subject, map);
    }

    @Override // org.apache.storm.security.auth.IAutoCredentials
    public void populateSubject(Subject subject, Map<String, String> map) {
        this.credentials = map;
        populateSubjectWithTGT(subject, map);
        loginHadoopUser(subject);
    }

    private void populateSubjectWithTGT(Subject subject, Map<String, String> map) {
        LOG.info("Populating TGT from credentials");
        KerberosTicket tgt = getTGT(map);
        if (tgt == null) {
            LOG.info("No TGT found in credentials");
            return;
        }
        clearCredentials(subject, tgt);
        subject.getPrincipals().add(tgt.getClient());
        kerbTicket.set(tgt);
    }

    private void loginHadoopUser(Subject subject) {
        try {
            Class<?> cls = Class.forName("org.apache.hadoop.security.UserGroupInformation");
            try {
                if (!((Boolean) cls.getMethod("isSecurityEnabled", new Class[0]).invoke(null, new Object[0])).booleanValue()) {
                    LOG.warn("Hadoop is on the classpath but not configured for security, if you want security you need to be sure that hadoop.security.authentication=kerberos in core-site.xml in your jar");
                    return;
                }
                LOG.info("Invoking Hadoop UserGroupInformation.loginUserFromSubject.");
                cls.getMethod("loginUserFromSubject", Subject.class).invoke(null, subject);
                LOG.warn("UserGroupInformation.loginUserFromSubject will spawn a TGT renewal thread (\"TGT Renewer for <username>\") to execute \"kinit -R\" command some time before the current TGT expires. It will fail because TGT is not in the local TGT cache and the thread will eventually abort. Exceptions from this TGT renewal thread can be ignored. Note: TGT for the Worker is kept in memory. Please refer to STORM-3606 for detailed explanations");
            } catch (Exception e) {
                LOG.error("Something went wrong while trying to initialize Hadoop through reflection. This version of hadoop may not be compatible.", e);
            }
        } catch (ClassNotFoundException e2) {
            LOG.info("Hadoop was not found on the class path");
        }
    }

    private long getRefreshTime(KerberosTicket kerberosTicket) {
        return kerberosTicket.getStartTime().getTime() + (((float) (kerberosTicket.getEndTime().getTime() - r0)) * TICKET_RENEW_WINDOW);
    }

    @Override // org.apache.storm.security.auth.ICredentialsRenewer
    public void renew(Map<String, String> map, Map<String, Object> map2, String str) {
        this.credentials = map;
        KerberosTicket tgt = getTGT(map);
        if (tgt != null) {
            if (System.currentTimeMillis() >= getRefreshTime(tgt)) {
                try {
                    LOG.info("Renewing TGT for " + tgt.getClient());
                    tgt.refresh();
                    saveTGT(tgt, map);
                } catch (RefreshFailedException e) {
                    LOG.warn("Failed to refresh TGT", e);
                }
            }
        }
    }

    private Long getMsecsUntilExpiration() {
        KerberosTicket tgt = getTGT(this.credentials);
        if (tgt == null) {
            return null;
        }
        return Long.valueOf(tgt.getEndTime().getTime() - System.currentTimeMillis());
    }

    @Override // org.apache.storm.metric.api.IMetricsRegistrant
    public void registerMetrics(TopologyContext topologyContext, Map<String, Object> map) {
        topologyContext.registerGauge("TGT-TimeToExpiryMsecs", new Gauge<Long>() { // from class: org.apache.storm.security.auth.kerberos.AutoTGT.1
            /* renamed from: getValue, reason: merged with bridge method [inline-methods] */
            public Long m1785getValue() {
                return AutoTGT.this.getMsecsUntilExpiration();
            }
        });
    }
}
