package org.apache.kerby.has.client;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.ProtocolException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.text.CharacterPredicates;
import org.apache.commons.text.RandomStringGenerator;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.metrics2.sink.ganglia.AbstractGangliaSink;
import org.apache.hadoop.security.KDiag;
import org.apache.hadoop.yarn.webapp.MimeType;
import org.apache.hadoop.yarn.webapp.util.WebAppUtils;
import org.apache.kerby.has.common.HasConfig;
import org.apache.kerby.has.common.HasConfigKey;
import org.apache.kerby.has.common.HasException;
import org.apache.kerby.has.common.util.HasUtil;
import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.KrbError;
import org.apache.kerby.kerberos.kerb.type.base.KrbMessage;
import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.kdc.EncAsRepPart;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcRep;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.apache.kerby.util.IOUtil;
import org.apache.kerby.util.SysUtil;
import org.codehaus.jettison.json.JSONException;
import org.codehaus.jettison.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kerby/has/client/HasClient.class */
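/**
 * Client side of the HAS (Hadoop Authentication Service) TGT flow.
 *
 * <p>The visible flow is: load the client config (from a file or from a {@code ;}-separated list of
 * HAS server URLs), bootstrap TLS trust by fetching the server certificate over plain HTTP and
 * checking its signature against a local CA root, log in through a {@link HasClientPlugin} to obtain
 * an {@link AuthToken}, request a TGT, decrypt the AS-REP enc-part with a key derived from the
 * caller's pass phrase, and store the resulting {@link TgtTicket} in a Kerberos credential cache.
 *
 * <p>Security notes for operators (all grounded in this file):
 * <ul>
 *   <li>The server certificate is obtained over <b>plain HTTP</b>; its trust rests entirely on the
 *       signature check in {@link #verifyCertificate(X509Certificate)} against {@code CA_ROOT}
 *       (default {@value #CA_ROOT_DEFAULT}). Protect that file.</li>
 *   <li>Once {@code ssl-client.conf} exists for a server it is reused without re-validation (TOFU).</li>
 *   <li>The credential cache holds the TGT and is created owner-read/write only.</li>
 * </ul>
 *
 * <p>This listing was recovered by a decompiler; one method body could not be recovered and is
 * left as the decompiler emitted it (see {@link #requestTgt(AuthToken, String, HasConfig)}).
 */
public class HasClient {
    public static final Logger LOG = LoggerFactory.getLogger((Class<?>) HasClient.class);
    public static final String JAVA_SECURITY_KRB5_CONF = "java.security.krb5.conf";
    public static final String HAS_HTTP_PORT_DEFAULT = "9870";
    public static final String HAS_CONFIG_DEFAULT = "/etc/has/has-client.conf";
    public static final String CA_ROOT_DEFAULT = "/etc/has/ca-root.pem";

    /** Separator between HAS server URLs in the string handed to {@link #HasClient(String)}. */
    private static final String URL_SEPARATOR = ";";
    /** Path on the HAS server's plain-HTTP endpoint that serves its certificate. */
    private static final String GETCERT_PATH = "/has/v1/conf/getcert";
    /** Environment variable naming the credential cache (MIT Kerberos convention). */
    private static final String KRB5_CCNAME = "KRB5CCNAME";
    /** Prefix MIT-style KRB5CCNAME values carry for file caches, e.g. {@code FILE:/tmp/krb5cc_1000}. */
    private static final String FILE_CCACHE_PREFIX = "FILE:";
    /** Alphabet and length of the generated truststore password (lower-case letters, as before). */
    private static final String TRUSTSTORE_PASSWORD_ALPHABET = "abcdefghijklmnopqrstuvwxyz";
    private static final int TRUSTSTORE_PASSWORD_LENGTH = 15;
    /** Credential cache permissions: owner read/write only (the TGT is a bearer secret). */
    private static final String CCACHE_PERMISSIONS = "rw-------";

    /** {@code ;}-separated HAS server URLs, or {@code null} to read {@code has-client.conf}. */
    private String hadoopSecurityHas;
    /** Authentication type; taken from the environment/URL query, then from the plugin's login type. */
    private String type;
    /** Per-server folder under {@code /etc/has/} holding the truststore and {@code ssl-client.conf}. */
    private File clientConfigFolder;

    /** Creates a client that reads its configuration from {@code HAS_CLIENT_CONF} or {@value #HAS_CONFIG_DEFAULT}. */
    public HasClient() {
        this.hadoopSecurityHas = null;
    }

    /**
     * Creates a client configured from a {@code ;}-separated list of HAS server URLs.
     *
     * @param hadoopSecurityHas URLs such as {@code https://host1:443?auth_type=X;https://host2:443};
     *                          every URL must carry the same explicit port
     */
    public HasClient(String hadoopSecurityHas) {
        this.hadoopSecurityHas = hadoopSecurityHas;
    }

    /**
     * Runs the full client flow: resolve config, bootstrap TLS trust, log in through the configured
     * plugin and request a TGT.
     *
     * @return the TGT obtained from the HAS server
     * @throws HasException if the config cannot be resolved, the server certificate cannot be
     *                      verified, the plugin cannot be created, login fails or the TGT request fails
     */
    public TgtTicket requestTgt() throws HasException {
        HasConfig hasConfig = this.hadoopSecurityHas == null
                ? loadClientConfigFromFile()
                : parseClientConfigFromUrls(this.hadoopSecurityHas);
        if (hasConfig == null) {
            throw new HasException("Failed to get HAS client config.");
        }
        // Per-server scratch folder; its name is the configured https host string as-is.
        this.clientConfigFolder = new File("/etc/has/" + hasConfig.getHttpsHost());
        if (!this.clientConfigFolder.exists() && !this.clientConfigFolder.mkdirs()
                && !this.clientConfigFolder.isDirectory()) {
            throw new HasException("Failed to create client config folder: "
                    + this.clientConfigFolder.getAbsolutePath());
        }
        String sslClientConfPath = this.clientConfigFolder + "/ssl-client.conf";
        loadSslClientConf(hasConfig, sslClientConfPath);
        hasConfig.setString(HasConfigKey.SSL_CLIENT_CONF, sslClientConfPath);

        HasClientPlugin plugin;
        try {
            plugin = getClientTokenPlugin(hasConfig);
        } catch (HasException e) {
            LOG.error("Failed to get client token plugin from config: " + e.getMessage());
            throw new HasException("Failed to get client token plugin from config: " + e.getMessage());
        }
        // Only plugin creation is reported as a plugin failure; errors from the TGT request itself
        // propagate with their own message instead of being relabelled.
        try {
            AuthToken authToken = plugin.login(hasConfig);
            this.type = plugin.getLoginType();
            return requestTgt(authToken, this.type, hasConfig);
        } catch (HasLoginException e) {
            LOG.error(e.getMessage());
            throw new HasException(e.getMessage());
        }
    }

    /**
     * Reads the client config file named by {@code HAS_CLIENT_CONF} (default {@value #HAS_CONFIG_DEFAULT}).
     *
     * @return the parsed config (may be {@code null} if {@link HasUtil#getHasConfig(File)} returns null)
     * @throws HasException if the file is missing or cannot be parsed
     */
    private static HasConfig loadClientConfigFromFile() throws HasException {
        String confPath = System.getenv("HAS_CLIENT_CONF");
        if (confPath == null) {
            confPath = HAS_CONFIG_DEFAULT;
        }
        LOG.debug("has-client conf path: " + confPath);
        File confFile = new File(confPath);
        if (!confFile.exists()) {
            LOG.warn("The HAS client config file: " + confPath + " does not exist.");
            throw new HasException("The HAS client config file: " + confPath + " does not exist.");
        }
        try {
            return HasUtil.getHasConfig(confFile);
        } catch (HasException e) {
            LOG.error("Failed to get has client config: " + e.getMessage());
            throw new HasException("Failed to get has client config: " + e.getMessage());
        }
    }

    /**
     * Builds a config from a {@code ;}-separated list of server URLs. Hosts are joined with commas
     * into {@link HasConfigKey#HTTPS_HOST}; all URLs must share one explicit port. The auth type comes
     * from the {@code auth_type} environment variable, else from the first URL's {@code auth_type=} query.
     *
     * @throws HasException if a URL is malformed, has no host, has no port, or ports differ
     */
    private HasConfig parseClientConfigFromUrls(String urls) throws HasException {
        HasConfig hasConfig = new HasConfig();
        StringBuilder hosts = new StringBuilder();
        int port = 0;
        // Environment wins over the query parameter (loop-invariant, so read once).
        this.type = System.getenv("auth_type");
        try {
            for (String rawUrl : urls.split(URL_SEPARATOR)) {
                URI uri = new URI(rawUrl.trim());
                if (uri.getHost() == null) {
                    throw new HasException("host is null.");
                }
                hosts.append(uri.getHost()).append(",");
                // URI.getPort() is -1 when the URL carries no port; that used to slip through as -1.
                if (uri.getPort() <= 0) {
                    throw new HasException("Invalid port: " + rawUrl.trim());
                }
                if (port == 0) {
                    port = uri.getPort();
                } else if (port != uri.getPort()) {
                    throw new HasException("Invalid port: not even.");
                }
                if (this.type == null) {
                    this.type = authTypeFromQuery(uri.getQuery());
                }
            }
        } catch (URISyntaxException e) {
            LOG.error("Errors occurred when getting web url. " + e.getMessage());
            throw new HasException("Errors occurred when getting web url. " + e.getMessage());
        }
        if (hosts.length() == 0 || port == 0) {
            throw new HasException("host is null.");
        }
        hasConfig.setString(HasConfigKey.HTTPS_HOST, hosts.substring(0, hosts.length() - 1));
        hasConfig.setInt(HasConfigKey.HTTPS_PORT, Integer.valueOf(port));
        hasConfig.setString(HasConfigKey.AUTH_TYPE, this.type);
        return hasConfig;
    }

    /**
     * Extracts the value of an {@code auth_type=...} query string.
     *
     * @return the auth type, or {@code null} (with a warning) if the query is absent or not {@code auth_type=...}
     */
    private static String authTypeFromQuery(String query) {
        if (query != null) {
            String[] kv = query.split("=");
            if (kv.length >= 2 && kv[0].equals("auth_type")) {
                return kv[1];
            }
        }
        LOG.warn("No auth type in conf.");
        return null;
    }

    /**
     * Instantiates the client token plugin named in the config.
     *
     * @throws HasException if no plugin name is configured or the registry cannot create it
     */
    private HasClientPlugin getClientTokenPlugin(HasConfig hasConfig) throws HasException {
        String pluginName = hasConfig.getPluginName();
        if (pluginName == null) {
            LOG.debug("Please set the plugin name in has client conf");
            throw new HasException("Please set the plugin name in has client conf");
        }
        return HasClientPluginRegistry.createPlugin(pluginName);
    }

    /**
     * Requests a TGT from the HAS server with the given login token.
     *
     * <p>The decompiler could not recover this method's body; it is left exactly as emitted.
     * Presumably the original sends the token to the server over HTTPS (using the ssl-client.conf
     * prepared by {@link #requestTgt()}) and feeds the JSON reply to
     * {@link #handleResponse(JSONObject, String)} -- confirm against the real source.
     */
    public TgtTicket requestTgt(AuthToken r7, String r8, HasConfig r9) throws HasException {
        /*
            Method dump skipped, instructions count: 761
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.apache.kerby.has.client.HasClient.requestTgt(org.apache.kerby.kerberos.kerb.type.base.AuthToken, java.lang.String, org.apache.kerby.has.common.HasConfig):org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket");
    }

    /**
     * Ensures {@code ssl-client.conf} (and the truststore it references) exists for this server.
     *
     * <p>If the file already exists it is reused without re-validation. Otherwise the server's
     * certificate is fetched over plain HTTP from the http host/port (falling back to the https host
     * and {@value #HAS_HTTP_PORT_DEFAULT}), verified against the CA root, and written to a fresh
     * truststore.
     *
     * @return the {@code ssl-client.conf} file
     * @throws HasException if the certificate cannot be fetched, fails verification, or the files cannot be written
     */
    private File loadSslClientConf(HasConfig hasConfig, String sslClientConfPath) throws HasException {
        File sslClientConf = new File(sslClientConfPath);
        if (sslClientConf.exists()) {
            // Trust-on-first-use: an existing conf/truststore is taken at face value.
            return sslClientConf;
        }
        String httpHost = hasConfig.getHttpHost();
        if (httpHost == null) {
            httpHost = hasConfig.getHttpsHost();
        }
        String httpPort = hasConfig.getHttpPort();
        if (httpPort == null) {
            httpPort = HAS_HTTP_PORT_DEFAULT;
        }
        // Bootstrap over plain HTTP: the only thing making this certificate trustworthy is the
        // signature check against the local CA root below.
        X509Certificate serverCert = getCertificate(httpHost, httpPort);
        if (!verifyCertificate(serverCert)) {
            throw new HasException("The certificate from HAS server is invalid.");
        }
        createClientSSLConfig(createTrustStore(hasConfig.getHttpsHost(), serverCert));
        return sslClientConf;
    }

    /**
     * Extracts the Kerberos message from a HAS server JSON reply.
     *
     * <p>Expected fields: {@code success} (boolean); on failure {@code krbMessage} holds error text;
     * on success {@code type} must equal this client's auth type and {@code krbMessage} holds the
     * base64-encoded DER Kerberos message.
     *
     * @throws HasException if a field is missing, the server reported failure, the type does not
     *                      match, or the message does not decode
     */
    public KrbMessage getKrbMessage(JSONObject response) throws HasException {
        boolean success;
        try {
            success = response.getBoolean("success");
        } catch (JSONException e) {
            LOG.debug("Failed to get message. " + e.getMessage());
            throw new HasException("Failed to get message." + e.getMessage());
        }
        if (!success) {
            String errorText;
            try {
                errorText = response.getString("krbMessage");
            } catch (JSONException e) {
                LOG.debug("Failed to get message. " + e.getMessage());
                throw new HasException("Failed to get message." + e.getMessage());
            }
            LOG.debug(errorText);
            throw new HasException(errorText);
        }
        String messageType;
        try {
            messageType = response.getString("type");
        } catch (JSONException e) {
            LOG.debug("Failed to get message." + e.getMessage());
            throw new HasException("Failed to get message." + e.getMessage());
        }
        // The reply must be for the authentication type this client logged in with.
        if (messageType == null || !messageType.equals(this.type)) {
            throw new HasException("Can't get the right message from server.");
        }
        String encoded;
        try {
            encoded = response.getString("krbMessage");
        } catch (JSONException e) {
            LOG.debug("Failed to get the krbMessage. " + e.getMessage());
            throw new HasException("Failed to get the krbMessage. " + e.getMessage());
        }
        try {
            return KrbCodec.decodeMessage(ByteBuffer.wrap(Base64.decodeBase64(encoded)));
        } catch (IOException e) {
            LOG.debug("Krb decoding message failed. " + e.getMessage());
            throw new HasException("Krb decoding message failed. " + e.getMessage());
        }
    }

    /**
     * Turns a server reply into a stored TGT.
     *
     * @param response   JSON reply from the HAS server
     * @param passPhrase pass phrase used to derive the client key for the AS-REP enc-part
     * @return the TGT for an AS-REP; {@code null} for any message type other than AS-REP/KRB-ERROR
     * @throws HasException for a KRB-ERROR reply (message is the error's e-text) or a decoding failure
     */
    public TgtTicket handleResponse(JSONObject response, String passPhrase) throws HasException {
        KrbMessage krbMessage = getKrbMessage(response);
        KrbMessageType msgType = krbMessage.getMsgType();
        if (msgType == KrbMessageType.AS_REP) {
            return processResponse((KdcRep) krbMessage, passPhrase);
        }
        if (msgType == KrbMessageType.KRB_ERROR) {
            KrbError krbError = (KrbError) krbMessage;
            String detail = krbError.getErrorCode() != null
                    ? krbError.getErrorCode().getMessage()
                    : krbError.getEtext();
            LOG.error("HAS server response with message: " + detail);
            throw new HasException(krbError.getEtext());
        }
        LOG.warn("Unexpected message type from HAS server: " + msgType);
        return null;
    }

    /**
     * Decrypts and decodes the AS-REP enc-part, builds the TGT and stores it in the credential cache.
     *
     * @param kdcRep     the AS-REP
     * @param passPhrase pass phrase used to derive the client key
     * @throws HasException if key derivation, decryption or decoding fails, or the cache cannot be written
     */
    public TgtTicket processResponse(KdcRep kdcRep, String passPhrase) throws HasException {
        PrincipalName cname = kdcRep.getCname();
        cname.setRealm(kdcRep.getCrealm());
        EncryptedData encPart = kdcRep.getEncryptedEncPart();
        byte[] decrypted;
        try {
            EncryptionKey clientKey = HasUtil.getClientKey(cname.getName(), passPhrase, encPart.getEType());
            decrypted = decryptWithClientKey(encPart, KeyUsage.AS_REP_ENCPART, clientKey);
        } catch (KrbException e) {
            throw new HasException("Could not generate key. " + e.getMessage());
        }
        if (decrypted.length == 0) {
            throw new HasException("Failed to decode EncAsRepPart. Empty enc-part.");
        }
        // RFC 4120: EncASRepPart is [APPLICATION 25] and EncTGSRepPart is [APPLICATION 26]. Some KDCs
        // tag the AS-REP enc-part with 26; rewrite the tag number (low 5 bits of the first identifier
        // octet) so it decodes as EncAsRepPart.
        if ((decrypted[0] & 31) == 26) {
            decrypted[0] = (byte) (decrypted[0] - 1);
        }
        EncAsRepPart encAsRepPart = new EncAsRepPart();
        try {
            encAsRepPart.decode(decrypted);
        } catch (IOException e) {
            throw new HasException("Failed to decode EncAsRepPart. " + e.getMessage());
        }
        kdcRep.setEncPart(encAsRepPart);
        TgtTicket ticket = getTicket(kdcRep);
        LOG.debug("Ticket expire time: " + ticket.getEncKdcRepPart().getEndTime());
        storeTgtTicket(ticket);
        return ticket;
    }

    /**
     * Writes the TGT to the credential cache file, creating it owner-only if needed.
     *
     * @throws HasException             if the cache cannot be created or written
     * @throws IllegalArgumentException if the cache file is missing or not writable after creation
     */
    private void storeTgtTicket(TgtTicket tgtTicket) throws HasException {
        File ccache = new File(getCcacheName());
        LOG.debug("Storing the tgt to the credential cache file.");
        if (!ccache.exists()) {
            createCacheFile(ccache);
        }
        if (!ccache.exists() || !ccache.canWrite()) {
            throw new IllegalArgumentException("Invalid ccache file, not exist or writable: " + ccache.getAbsolutePath());
        }
        try {
            new CredentialCache(tgtTicket).store(ccache);
        } catch (IOException e) {
            throw new HasException("Failed to store tgt. " + e.getMessage());
        }
    }

    /**
     * Creates the credential cache file with owner read/write permissions only.
     *
     * <p>On POSIX file systems the file is created with its final mode in one step, so there is no
     * window in which a permissive umask leaves the (soon to be written) TGT readable by others.
     * Elsewhere it falls back to {@link File#createNewFile()} followed by best-effort permission changes.
     *
     * @throws HasException if the file already exists, cannot be created, or cannot be made owner-accessible
     */
    private void createCacheFile(File file) throws HasException {
        String path = file.getAbsolutePath();
        try {
            Files.createFile(file.toPath(),
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(CCACHE_PERMISSIONS)));
            return;
        } catch (UnsupportedOperationException e) {
            // Non-POSIX file system: fall through to the java.io.File path.
        } catch (FileAlreadyExistsException e) {
            throw new HasException("Failed to create ccache file " + path);
        } catch (IOException e) {
            throw new HasException("Failed to create ccache file " + path + ". " + e.getMessage());
        }
        try {
            if (!file.createNewFile()) {
                throw new HasException("Failed to create ccache file " + path);
            }
        } catch (IOException e) {
            throw new HasException("Failed to create ccache file " + path + ". " + e.getMessage());
        }
        // Clear the bits for everyone first (may be unsupported on this platform), then grant the owner.
        file.setReadable(false, false);
        if (!file.setReadable(true, true)) {
            throw new HasException("Cache file is not readable.");
        }
        file.setWritable(false, false);
        if (!file.setWritable(true, true)) {
            throw new HasException("Cache file is not writable.");
        }
    }

    /**
     * Resolves the credential cache path: {@code KRB5CCNAME} (with an optional {@code FILE:} prefix
     * stripped), else {@code <tmpdir>/krb5cc_<uid>}.
     *
     * @throws HasException if the UID cannot be determined
     */
    private String getCcacheName() throws HasException {
        String ccname = System.getenv(KRB5_CCNAME);
        if (ccname != null) {
            // Only file caches are supported; accept MIT's FILE:<path> form as well as a bare path.
            return ccname.startsWith(FILE_CCACHE_PREFIX)
                    ? ccname.substring(FILE_CCACHE_PREFIX.length())
                    : ccname;
        }
        return SysUtil.getTempDir().toString() + "/krb5cc_" + currentUid();
    }

    /**
     * Returns the numeric UID of the current user by running {@code id -u}.
     *
     * <p>Replaces the previous behaviour of calling {@code System.exit(1)} from library code; the
     * output is also checked to be a number before it is used as part of a file name.
     *
     * @throws HasException if the command cannot be run, exits non-zero, or prints something other than digits
     */
    private static String currentUid() throws HasException {
        ProcessBuilder pb = new ProcessBuilder("id", "-u").redirectErrorStream(true);
        try {
            Process process = pb.start();
            String output;
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(process.getInputStream(), StandardCharsets.UTF_8))) {
                output = reader.readLine();
            }
            int exitCode = process.waitFor();
            if (exitCode != 0 || output == null || !output.trim().matches("\\d+")) {
                throw new HasException("Failed to get UID.");
            }
            return output.trim();
        } catch (IOException e) {
            throw new HasException("Failed to get UID. " + e.getMessage());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new HasException("Failed to get UID. Interrupted.");
        }
    }

    /**
     * Decrypts {@code encryptedData} with the client key under the given key usage.
     *
     * @throws HasException if the key is absent or decryption fails
     */
    protected byte[] decryptWithClientKey(EncryptedData encryptedData, KeyUsage keyUsage,
                                          EncryptionKey encryptionKey) throws HasException {
        if (encryptionKey == null) {
            throw new HasException("Client key isn't available");
        }
        try {
            return EncryptionHandler.decrypt(encryptedData, encryptionKey, keyUsage);
        } catch (KrbException e) {
            throw new HasException("Errors occurred when decrypting the data." + e.getMessage());
        }
    }

    /** Builds a {@link TgtTicket} from an AS-REP whose enc-part has already been decoded. */
    public TgtTicket getTicket(KdcRep kdcRep) {
        return new TgtTicket(kdcRep.getTicket(), (EncAsRepPart) kdcRep.getEncPart(), kdcRep.getCname());
    }

    /**
     * Fetches the HAS server certificate from {@code http://host:port/has/v1/conf/getcert}.
     *
     * <p>This is intentionally plain HTTP (it is the trust bootstrap); the result must be verified
     * by the caller. The connection is always released.
     *
     * @throws HasException on a malformed URL, I/O failure, non-200 response or unparsable certificate
     */
    private X509Certificate getCertificate(String host, String port) throws HasException {
        HttpURLConnection conn;
        try {
            conn = (HttpURLConnection) new URL("http://" + host + ":" + port + GETCERT_PATH).openConnection();
        } catch (MalformedURLException e) {
            throw new HasException("Failed to create a URL object." + e.getMessage());
        } catch (IOException e) {
            throw new HasException("IO error occurred. " + e.getMessage());
        }
        try {
            conn.setRequestProperty("Content-Type", "application/json");
            try {
                conn.setRequestMethod("GET");
            } catch (ProtocolException e) {
                LOG.error("Failed to set the method for URL request. " + e);
                throw new HasException("Failed to set the method for URL request. " + e.getMessage());
            }
            try {
                conn.connect();
                if (conn.getResponseCode() != 200) {
                    throw new HasException(HasClientUtil.getResponse(conn));
                }
                try (InputStream body = HasClientUtil.getInputStream(conn)) {
                    return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(body);
                } catch (CertificateException e) {
                    throw new HasException("Failed to get certificate from HAS server. " + e.getMessage());
                }
            } catch (IOException e) {
                throw new HasException("IO error occurred. " + e.getMessage());
            }
        } finally {
            conn.disconnect();
        }
    }

    /**
     * Checks that the server certificate is currently valid and is signed by the key in the CA root
     * file ({@code CA_ROOT} env var, default {@value #CA_ROOT_DEFAULT}).
     *
     * <p>This is a bare signature check: no chain building, no hostname/SAN match against the HAS
     * host, and no basic-constraints or validity check on the CA root itself. The CA root file must
     * therefore be trusted and write-protected.
     *
     * @return {@code true} if valid and signed by the CA root, {@code false} otherwise (reason is logged)
     * @throws HasException if the CA root file is missing or unreadable
     */
    private boolean verifyCertificate(X509Certificate serverCert) throws HasException {
        try {
            serverCert.checkValidity();
        } catch (GeneralSecurityException e) {
            LOG.warn("HAS server certificate is not currently valid: " + e.getMessage());
            return false;
        }
        String caRootPath = System.getenv("CA_ROOT");
        if (caRootPath == null) {
            caRootPath = CA_ROOT_DEFAULT;
        }
        File caRootFile = new File(caRootPath);
        if (!caRootFile.exists()) {
            LOG.debug("CA_ROOT: " + caRootPath + " not exist.");
            throw new HasException("CA_ROOT: " + caRootPath + " not exist.");
        }
        X509Certificate caRoot;
        try (FileInputStream in = new FileInputStream(caRootFile)) {
            caRoot = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        } catch (IOException | CertificateException e) {
            throw new HasException("Failed to get certificate from ca root file. " + e.getMessage());
        }
        PublicKey caKey = caRoot.getPublicKey();
        if (caKey == null) {
            throw new HasException("Failed to get public key in ca root.");
        }
        try {
            serverCert.verify(caKey);
            return true;
        } catch (GeneralSecurityException e) {
            LOG.warn("HAS server certificate is not signed by CA_ROOT: " + e.getMessage());
            return false;
        }
    }

    /**
     * Writes the server certificate into a new JKS truststore under the client config folder.
     *
     * @param alias      keystore alias for the certificate (the configured https host string)
     * @param serverCert the verified server certificate
     * @return the generated truststore password
     * @throws HasException if the keystore cannot be built or written
     */
    private String createTrustStore(String alias, X509Certificate serverCert) throws HasException {
        String password = generateTrustStorePassword();
        File trustStoreFile = new File(this.clientConfigFolder + "/truststore.jks");
        try {
            KeyStore keyStore = KeyStore.getInstance("jks");
            keyStore.load(null, null);
            keyStore.setCertificateEntry(alias, serverCert);
            try (FileOutputStream out = new FileOutputStream(trustStoreFile)) {
                keyStore.store(out, password.toCharArray());
            }
            return password;
        } catch (IOException | GeneralSecurityException e) {
            throw new HasException("Failed to create and save truststore file. " + e.getMessage());
        }
    }

    /**
     * Generates the truststore password from a CSPRNG. Same alphabet and length as before
     * (15 lower-case letters), but {@link SecureRandom} instead of a general-purpose generator.
     */
    private static String generateTrustStorePassword() {
        SecureRandom random = new SecureRandom();
        StringBuilder sb = new StringBuilder(TRUSTSTORE_PASSWORD_LENGTH);
        for (int i = 0; i < TRUSTSTORE_PASSWORD_LENGTH; i++) {
            sb.append(TRUSTSTORE_PASSWORD_ALPHABET.charAt(random.nextInt(TRUSTSTORE_PASSWORD_ALPHABET.length())));
        }
        return sb.toString();
    }

    /**
     * Renders {@code /ssl-client.conf.template} with the truststore path and password and writes it
     * to {@code <clientConfigFolder>/ssl-client.conf}.
     *
     * <p>The password is written in clear text; it only protects the integrity of a store holding a
     * public certificate. NOTE(review): consider restricting the file's permissions anyway.
     *
     * @throws HasException if the template resource is missing or the file cannot be written
     */
    private void createClientSSLConfig(String trustStorePassword) throws HasException {
        try (InputStream template = getClass().getResourceAsStream("/ssl-client.conf.template")) {
            if (template == null) {
                throw new HasException("Failed to create client ssl configuration file. "
                        + "Missing resource /ssl-client.conf.template");
            }
            String trustStorePath = this.clientConfigFolder.getAbsolutePath() + "/truststore.jks";
            // Literal replacement: the path may contain '$' or '\', which replaceAll() would treat
            // as regex replacement syntax.
            String content = IOUtil.readInput(template)
                    .replace("_location_", trustStorePath)
                    .replace("_password_", trustStorePassword);
            IOUtil.writeFile(content, new File(this.clientConfigFolder + "/ssl-client.conf"));
        } catch (IOException e) {
            throw new HasException("Failed to create client ssl configuration file. " + e.getMessage());
        }
    }
}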
