package org.apache.hadoop.security.authentication.client;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.SystemProperties;
import org.apache.hadoop.classification.VisibleForTesting;
import org.apache.hadoop.security.KDiag;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.util.AuthToken;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.util.PlatformName;
import org.apache.pinot.shaded.org.apache.http.HttpVersion;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/security/authentication/client/KerberosAuthenticator.class */
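public class KerberosAuthenticator implements Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthenticator.class);
    /** Response header that carries the server's authentication challenge. */
    public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    /** Request header that carries the client's credentials. */
    public static final String AUTHORIZATION = "Authorization";
    /** Scheme name used by SPNEGO in both headers above. */
    public static final String NEGOTIATE = "Negotiate";
    /** HTTP method used for every request of the authentication handshake. */
    private static final String AUTH_HTTP_METHOD = "OPTIONS";
    /** Prefix that precedes the base64 token in a {@code Negotiate} header value. */
    private static final String NEGOTIATE_PREFIX = NEGOTIATE + " ";
    private static final String AUTH_ERROR_PREFIX = "Error while authenticating with endpoint: ";
    // Per-call state: set by authenticate() and read by the SPNEGO helpers below,
    // so one instance is not meant to run several authenticate() calls concurrently.
    private URL url;
    private Base64 base64;
    private ConnectionConfigurator connConfigurator;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/security/authentication/client/KerberosAuthenticator$KerberosConfiguration.class */
    /**
     * JAAS configuration used when the calling thread has no Kerberos credentials:
     * an OS login module (REQUIRED) followed by the Krb5 login module (OPTIONAL)
     * configured to use the ticket cache without prompting.
     */
    public static class KerberosConfiguration extends Configuration {
        private static final AppConfigurationEntry USER_KERBEROS_LOGIN;
        private static final AppConfigurationEntry[] USER_KERBEROS_CONF;
        // Declaration order matters: these flags must be initialised before
        // OS_LOGIN_MODULE_NAME, whose initialiser reads them.
        private static final boolean windows = System.getProperty(SystemProperties.OS_NAME).startsWith("Windows");
        private static final boolean is64Bit = System.getProperty(SystemProperties.OS_ARCH).contains("64");
        private static final boolean aix = System.getProperty(SystemProperties.OS_NAME).equals("AIX");
        private static final String OS_LOGIN_MODULE_NAME = getOSLoginModuleName();
        private static final AppConfigurationEntry OS_SPECIFIC_LOGIN = new AppConfigurationEntry(
                OS_LOGIN_MODULE_NAME, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                new HashMap<String, String>());
        private static final Map<String, String> USER_KERBEROS_OPTIONS = new HashMap<String, String>();

        private KerberosConfiguration() {
        }

        /**
         * Picks the platform login module for the running JVM vendor, OS and word size.
         *
         * @return fully qualified class name of the OS login module
         */
        private static String getOSLoginModuleName() {
            if (PlatformName.IBM_JAVA) {
                if (windows) {
                    return is64Bit
                            ? "com.ibm.security.auth.module.Win64LoginModule"
                            : "com.ibm.security.auth.module.NTLoginModule";
                }
                if (aix) {
                    return is64Bit
                            ? "com.ibm.security.auth.module.AIX64LoginModule"
                            : "com.ibm.security.auth.module.AIXLoginModule";
                }
                return "com.ibm.security.auth.module.LinuxLoginModule";
            }
            return windows
                    ? "com.sun.security.auth.module.NTLoginModule"
                    : "com.sun.security.auth.module.UnixLoginModule";
        }

        /**
         * Returns the same login stack for every application name.
         *
         * @param appName ignored
         * @return the OS login entry followed by the Krb5 login entry
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
            return USER_KERBEROS_CONF;
        }

        static {
            String ticketCache = System.getenv(KDiag.KRB5_CCNAME);
            if (PlatformName.IBM_JAVA) {
                USER_KERBEROS_OPTIONS.put("useDefaultCcache", "true");
            } else {
                // Never prompt for a password; rely on an existing TGT in the ticket cache.
                USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");
                USER_KERBEROS_OPTIONS.put("useTicketCache", "true");
            }
            if (ticketCache != null) {
                // The cache named by the KRB5CCNAME environment variable is handed to the
                // login module: as a system property on IBM Java, as a module option otherwise.
                if (PlatformName.IBM_JAVA) {
                    System.setProperty(KDiag.KRB5_CCNAME, ticketCache);
                } else {
                    USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache);
                }
            }
            USER_KERBEROS_OPTIONS.put("renewTGT", "true");
            USER_KERBEROS_LOGIN = new AppConfigurationEntry(KerberosUtil.getKrb5LoginModuleName(),
                    AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, USER_KERBEROS_OPTIONS);
            USER_KERBEROS_CONF = new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN};
        }
    }

    /**
     * Sets the configurator applied to every connection this authenticator opens
     * (and to the fallback authenticator, see {@link #getFallBackAuthenticator()}).
     *
     * @param connectionConfigurator configurator, may be {@code null}
     */
    @Override // org.apache.hadoop.security.authentication.client.Authenticator
    public void setConnectionConfigurator(ConnectionConfigurator connectionConfigurator) {
        this.connConfigurator = connectionConfigurator;
    }

    /**
     * Authenticates against {@code url}, filling {@code token} if it is not already set.
     * <p>
     * An {@code OPTIONS} probe is sent first. A 200 response means the JDK already
     * negotiated on our behalf and the token is extracted from it; a 401 with a
     * {@code Negotiate} challenge triggers the SPNEGO sequence of this class; anything
     * else (including a 200 that yielded a non-Kerberos token) is handed to the
     * fallback authenticator.
     * <p>
     * The probe connection is always disconnected, including on the error paths.
     *
     * @param url endpoint to authenticate against
     * @param token token to populate; returns immediately if already set
     * @throws IOException on connection errors, re-thrown with the endpoint in the message
     * @throws AuthenticationException on handshake errors, re-thrown with the endpoint in the message
     */
    @Override // org.apache.hadoop.security.authentication.client.Authenticator
    public void authenticate(URL url, AuthenticatedURL.Token token) throws IOException, AuthenticationException {
        if (token.isSet()) {
            return;
        }
        this.url = url;
        // line length 0: encode as a single line without chunking
        this.base64 = new Base64(0);
        HttpURLConnection conn = null;
        try {
            conn = token.openConnection(url, this.connConfigurator);
            conn.setRequestMethod(AUTH_HTTP_METHOD);
            conn.connect();
            boolean needFallback = false;
            if (conn.getResponseCode() == HttpURLConnection.HTTP_OK) {
                LOG.debug("JDK performed authentication on our behalf.");
                AuthenticatedURL.extractToken(conn, token);
                if (isTokenKerberos(token)) {
                    return;
                }
                needFallback = true;
            }
            if (needFallback || !isNegotiate(conn)) {
                LOG.debug("Using fallback authenticator sequence.");
                Authenticator fallBack = getFallBackAuthenticator();
                fallBack.setConnectionConfigurator(this.connConfigurator);
                fallBack.authenticate(url, token);
            } else {
                LOG.debug("Performing our own SPNEGO sequence.");
                doSpnegoSequence(token);
            }
        } catch (AuthenticationException e) {
            throw wrapExceptionWithMessage(e, AUTH_ERROR_PREFIX + url);
        } catch (IOException e) {
            throw wrapExceptionWithMessage(e, AUTH_ERROR_PREFIX + url);
        } finally {
            // Release the probe connection on every path, not only on success.
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

    /**
     * Returns a new exception of the same class as {@code t} carrying {@code msg},
     * with {@code t} as its cause. If the class has no {@code (String)} constructor,
     * or instantiation fails for any other reason, {@code t} itself is returned.
     *
     * @param t exception to wrap
     * @param msg message for the wrapper
     * @return the wrapper, or {@code t} when wrapping is not possible
     */
    @VisibleForTesting
    static <T extends Exception> T wrapExceptionWithMessage(T t, String msg) {
        Class<?> exceptionClass = t.getClass();
        try {
            Throwable wrapper = (Throwable) exceptionClass.getConstructor(String.class).newInstance(msg);
            @SuppressWarnings("unchecked") // same runtime class as t, so the cast is sound
            T typed = (T) wrapper.initCause(t);
            return typed;
        } catch (Throwable th) {
            // Best effort only: the original exception is still raised, just without the context message.
            LOG.debug("Unable to wrap exception of type {}, it has no (String) constructor.", exceptionClass, th);
            return t;
        }
    }

    /**
     * Creates the authenticator used when the endpoint does not offer SPNEGO.
     *
     * @return a {@link PseudoAuthenticator} sharing this instance's connection configurator
     */
    protected Authenticator getFallBackAuthenticator() {
        PseudoAuthenticator fallback = new PseudoAuthenticator();
        if (this.connConfigurator != null) {
            fallback.setConnectionConfigurator(this.connConfigurator);
        }
        return fallback;
    }

    /**
     * Tells whether a set token was issued by a Kerberos (or Kerberos delegation-token)
     * handler, which is what distinguishes "the JDK negotiated for us" from an
     * anonymous token handed out by a non-Kerberos endpoint.
     *
     * @param token token to inspect
     * @return {@code true} if set and of Kerberos type
     * @throws AuthenticationException if the token string cannot be parsed
     */
    private boolean isTokenKerberos(AuthenticatedURL.Token token) throws AuthenticationException {
        if (!token.isSet()) {
            return false;
        }
        String type = AuthToken.parse(token.toString()).getType();
        // "kerberos-dt" is presumably the delegation-token handler's type name; kept verbatim.
        return type.equals(KerberosAuthenticationHandler.TYPE) || type.equals("kerberos-dt");
    }

    /**
     * Reads the {@code WWW-Authenticate} header, retrying with the lower-cased name.
     *
     * @param conn connection whose response headers are read
     * @return header value, or {@code null} if absent under either spelling
     */
    private static String getAuthenticateHeader(HttpURLConnection conn) {
        String authHeader = conn.getHeaderField(WWW_AUTHENTICATE);
        if (authHeader == null) {
            authHeader = conn.getHeaderField(WWW_AUTHENTICATE.toLowerCase());
        }
        return authHeader;
    }

    /**
     * Tells whether the response is a 401 carrying a {@code Negotiate} challenge.
     *
     * @param conn connection whose response is inspected
     * @return {@code true} only for a 401 with a {@code Negotiate} challenge
     * @throws IOException if the status code cannot be read
     */
    private boolean isNegotiate(HttpURLConnection conn) throws IOException {
        if (conn.getResponseCode() != HttpURLConnection.HTTP_UNAUTHORIZED) {
            return false;
        }
        String authHeader = getAuthenticateHeader(conn);
        return authHeader != null && authHeader.trim().startsWith(NEGOTIATE);
    }

    /**
     * Runs the client side of the SPNEGO/Kerberos handshake against {@link #url}.
     * <p>
     * The subject of the current access-control context is used when it holds a
     * keytab or ticket; otherwise a JAAS login with {@link KerberosConfiguration}
     * is performed. Mutual authentication is requested, so the server must prove
     * its own identity; credential delegation is also requested, so the service
     * ends up able to act on the caller's behalf.
     *
     * @param token token whose connection-opening logic is used for each round trip
     * @throws IOException if a round trip fails
     * @throws AuthenticationException if login fails or the server's replies are not a valid SPNEGO sequence
     */
    private void doSpnegoSequence(final AuthenticatedURL.Token token) throws IOException, AuthenticationException {
        try {
            Subject subject = Subject.getSubject(AccessController.getContext());
            boolean hasKerberosCreds = subject != null
                    && (KerberosUtil.hasKerberosKeyTab(subject) || KerberosUtil.hasKerberosTicket(subject));
            if (!hasKerberosCreds) {
                LOG.debug("No subject in context, logging in");
                subject = new Subject();
                new LoginContext("", subject, (CallbackHandler) null, new KerberosConfiguration()).login();
            }
            LOG.debug("Using subject: {}", subject);
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.security.authentication.client.KerberosAuthenticator.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws Exception {
                    GSSContext gssContext = null;
                    try {
                        GSSManager gssManager = GSSManager.getInstance();
                        String servicePrincipal = KerberosUtil.getServicePrincipal(HttpVersion.HTTP, url.getHost());
                        gssContext = gssManager.createContext(
                                gssManager.createName(servicePrincipal, KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID),
                                KerberosUtil.GSS_KRB5_MECH_OID, (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);
                        gssContext.requestCredDeleg(true);
                        gssContext.requestMutualAuth(true);
                        byte[] inToken = new byte[0];
                        boolean established = false;
                        while (!established) {
                            HttpURLConnection conn = token.openConnection(url, connConfigurator);
                            byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
                            if (outToken != null) {
                                sendToken(conn, outToken);
                            }
                            if (gssContext.isEstablished()) {
                                established = true;
                            } else {
                                // Not done yet: the server's reply token feeds the next round.
                                inToken = readToken(conn);
                            }
                        }
                        return null;
                    } finally {
                        if (gssContext != null) {
                            gssContext.dispose();
                        }
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            // doAs wraps checked exceptions; surface IOExceptions as-is, everything else as auth failure.
            if (e.getException() instanceof IOException) {
                throw (IOException) e.getException();
            }
            throw new AuthenticationException(e.getException());
        } catch (LoginException e) {
            throw new AuthenticationException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Sends one SPNEGO token to the server in the {@code Authorization} header.
     * Requires {@link #authenticate} to have initialised {@link #base64}.
     *
     * @param conn unconnected connection to send on
     * @param outToken raw GSS token
     * @throws IOException if the request cannot be sent
     */
    public void sendToken(HttpURLConnection conn, byte[] outToken) throws IOException {
        String encoded = this.base64.encodeToString(outToken);
        conn.setRequestMethod(AUTH_HTTP_METHOD);
        conn.setRequestProperty(AUTHORIZATION, NEGOTIATE_PREFIX + encoded);
        conn.connect();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reads the server's SPNEGO reply token from the {@code WWW-Authenticate} header.
     * Only 200 and 401 responses are accepted, and the header must start with
     * {@code Negotiate} and carry a token; a bare {@code Negotiate} challenge is
     * rejected as an invalid sequence rather than failing with an index error.
     *
     * @param conn connection whose response is read
     * @return decoded GSS token
     * @throws IOException if the response cannot be read
     * @throws AuthenticationException if status or header do not form a valid SPNEGO reply
     */
    public byte[] readToken(HttpURLConnection conn) throws IOException, AuthenticationException {
        int status = conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK && status != HttpURLConnection.HTTP_UNAUTHORIZED) {
            throw new AuthenticationException("Invalid SPNEGO sequence, status code: " + status);
        }
        String authHeader = getAuthenticateHeader(conn);
        if (authHeader == null || !authHeader.trim().startsWith(NEGOTIATE)) {
            throw new AuthenticationException(
                    "Invalid SPNEGO sequence, 'WWW-Authenticate' header incorrect: " + authHeader);
        }
        String challenge = authHeader.trim();
        if (challenge.length() < NEGOTIATE_PREFIX.length()) {
            throw new AuthenticationException(
                    "Invalid SPNEGO sequence, 'WWW-Authenticate' header carries no token: " + authHeader);
        }
        return this.base64.decode(challenge.substring(NEGOTIATE_PREFIX.length()).trim());
    }
}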
