package org.apache.hadoop.has.client;

import com.sun.security.auth.module.Krb5LoginModule;
import java.io.IOException;
import java.net.InetAddress;
import java.security.Principal;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.hadoop.has.common.HasException;
import org.apache.kerby.kerberos.kerb.ccache.Credential;
import org.apache.kerby.kerberos.kerb.client.jaas.TokenAuthLoginModule;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.jgss.krb5.Krb5Util;
import sun.security.krb5.Config;
import sun.security.krb5.Credentials;
import sun.security.krb5.KrbException;
import sun.security.krb5.PrincipalName;

/* loaded from: input_file:org/apache/hadoop/has/client/HasLoginModule.class */
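/**
 * JAAS {@link LoginModule} that either delegates to the JDK {@link Krb5LoginModule} or, when the
 * {@code useTgtTicket} option is {@code "true"}, obtains a TGT through {@link HasClient} and
 * publishes it on the {@link Subject}.
 *
 * <p>Points a reviewer or operator should keep in mind:
 * <ul>
 *   <li>In TGT mode the ticket and its session key are stored in the Subject's private
 *       credentials; anything that can read those credentials can act as the principal.</li>
 *   <li>The system property {@code sun.security.krb5.principal} takes precedence over the
 *       {@code principal} option, so the effective identity can be changed from outside the
 *       JAAS configuration.</li>
 *   <li>{@link #logout()} removes <em>every</em> {@link KerberosTicket} from the Subject's
 *       private credentials, not only the one this module added.</li>
 *   <li>With {@code debug=true} principal names and failure messages are written to
 *       {@code System.out}.</li>
 * </ul>
 *
 * <p>The class keeps per-login state in plain fields and contains no synchronization.
 */
public class HasLoginModule implements LoginModule {
    public static final Logger LOG = LoggerFactory.getLogger(HasLoginModule.class);
    // Delegate used for every call when useTgtTicket is not enabled.
    Krb5LoginModule krb5LoginModule;
    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map<String, Object> sharedState;
    private Map<String, ?> options;
    private boolean debug = false;
    private boolean doNotPrompt = false;
    private boolean useTgtTicket = false;
    // Value of the "hadoopSecurityHas" option; passed verbatim to HasClient.
    private String hadoopSecurityHas = null;
    private String princName = null;
    private boolean refreshKrb5Config = false;
    private boolean isInitiator = true;
    // succeeded: login() phase passed; commitSucceeded: commit() phase passed.
    private boolean succeeded = false;
    private boolean commitSucceeded = false;
    // Holds the TGT and its session key between login() and logout()/abort().
    private Credentials cred = null;
    private PrincipalName principal = null;
    private KerberosPrincipal kerbClientPrinc = null;
    private KerberosTicket kerbTicket = null;
    private StringBuffer krb5PrincName = null;
    private boolean unboundServer = false;

    /**
     * Stores the JAAS context and reads the module options.
     *
     * <p>When {@code useTgtTicket} is not {@code "true"} a {@link Krb5LoginModule} is created and
     * initialised with the same arguments, and no further option is read here.
     *
     * @param subject the Subject to authenticate
     * @param callbackHandler handler supplied by the login context (stored, not used in TGT mode)
     * @param map shared state of the login context
     * @param map2 module options; values are read as {@code String}
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        // The JAAS signature is Map<String, ?>; the field needs the writable view.
        @SuppressWarnings("unchecked")
        Map<String, Object> shared = (Map<String, Object>) map;
        this.sharedState = shared;
        this.options = map2;
        this.useTgtTicket = "true".equalsIgnoreCase((String) map2.get("useTgtTicket"));
        if (!this.useTgtTicket) {
            this.krb5LoginModule = new Krb5LoginModule();
            this.krb5LoginModule.initialize(subject, callbackHandler, map, map2);
            return;
        }
        this.debug = "true".equalsIgnoreCase((String) map2.get("debug"));
        this.doNotPrompt = "true".equalsIgnoreCase((String) map2.get("doNotPrompt"));
        this.hadoopSecurityHas = (String) map2.get("hadoopSecurityHas");
        this.princName = (String) map2.get(TokenAuthLoginModule.PRINCIPAL);
        this.refreshKrb5Config = "true".equalsIgnoreCase((String) map2.get("refreshKrb5Config"));
        // isInitiator keeps its default (true) unless the option is present.
        String initiatorOption = (String) map2.get("isInitiator");
        if (initiatorOption != null) {
            this.isInitiator = "true".equalsIgnoreCase(initiatorOption);
        }
        if (this.debug) {
            System.out.print("Debug is  " + this.debug + " doNotPrompt " + this.doNotPrompt + " isInitiator " + this.isInitiator + " refreshKrb5Config is " + this.refreshKrb5Config + " principal is " + this.princName + "\n");
        }
    }

    /**
     * Runs the authentication phase.
     *
     * @return the delegate's result in delegate mode, otherwise {@code true}
     * @throws LoginException if the Kerberos configuration cannot be refreshed, the options are
     *     inconsistent, or the TGT cannot be obtained
     */
    @Override
    public boolean login() throws LoginException {
        if (!this.useTgtTicket) {
            this.succeeded = this.krb5LoginModule.login();
            return this.succeeded;
        }
        if (this.refreshKrb5Config) {
            try {
                if (this.debug) {
                    System.out.println("Refreshing Kerberos configuration");
                }
                Config.refresh();
            } catch (KrbException e) {
                throw asLoginException(e);
            }
        }
        // The system property wins over the "principal" option.
        String property = System.getProperty("sun.security.krb5.principal");
        if (property != null) {
            this.krb5PrincName = new StringBuffer(property);
        } else if (this.princName != null) {
            this.krb5PrincName = new StringBuffer(this.princName);
        }
        validateConfiguration();
        if (this.krb5PrincName != null && this.krb5PrincName.toString().equals("*")) {
            this.unboundServer = true;
        }
        try {
            attemptAuthentication(false);
            this.succeeded = true;
            cleanState();
            return true;
        } catch (LoginException e) {
            if (this.debug) {
                System.out.println("\t\t[HasLoginModule] authentication failed \n" + e.getMessage());
            }
            this.succeeded = false;
            cleanState();
            throw e;
        }
    }

    /**
     * Resolves the principal and, in TGT mode, requests a TGT through {@link HasClient} and
     * converts it into a JDK {@link Credentials} object kept in {@code cred}.
     *
     * @param z unused in this implementation
     * @throws LoginException wrapping any failure while parsing the principal, requesting the
     *     ticket or converting it
     */
    private void attemptAuthentication(boolean z) throws LoginException {
        if (this.krb5PrincName != null) {
            try {
                // Name type 1 is NT-PRINCIPAL in RFC 4120.
                this.principal = new PrincipalName(this.krb5PrincName.toString(), 1);
            } catch (KrbException e) {
                throw asLoginException(e);
            }
        }
        if (!this.useTgtTicket) {
            return;
        }
        if (this.debug) {
            System.out.println("use tgt ticket to login, acquire TGT TICKET...");
        }
        try {
            Credential credential = new Credential(new HasClient(this.hadoopSecurityHas).requestTgt());
            // NOTE(review): this copies the seven low-order bits of the Kerby flag word to
            // indices 0..6. Confirm that matches the bit numbering both libraries use; if it
            // does not, the JDK-side ticket flags will not reflect the issued ticket.
            boolean[] ticketFlags = new boolean[7];
            int flags = credential.getTicketFlags().getFlags();
            for (int bit = 0; bit < ticketFlags.length; bit++) {
                ticketFlags[bit] = (flags & (1 << bit)) != 0;
            }
            // starttime and renew-till are OPTIONAL in a KDC reply (RFC 4120); a non-renewable
            // ticket must not fail the login with a NullPointerException.
            this.cred = new Credentials(
                    credential.getTicket().encode(),
                    credential.getClientName().getName(),
                    credential.getServerName().getName(),
                    credential.getKey().getKeyData(),
                    credential.getKey().getKeyType().getValue(),
                    ticketFlags,
                    credential.getAuthTime().getValue(),
                    credential.getStartTime() != null ? credential.getStartTime().getValue() : null,
                    credential.getEndTime().getValue(),
                    credential.getRenewTill() != null ? credential.getRenewTill().getValue() : null,
                    (InetAddress[]) null);
            if (this.principal == null) {
                this.principal = this.cred.getClient();
            }
            if (this.debug) {
                System.out.println("Principal is " + this.principal);
            }
        } catch (HasException e) {
            throw asLoginException(e);
        } catch (IOException e) {
            throw asLoginException(e);
        } catch (KrbException e) {
            throw asLoginException(e);
        }
    }

    /** Wraps {@code cause} in a LoginException with the same message, keeping the cause chain. */
    private static LoginException asLoginException(Exception cause) {
        LoginException wrapped = new LoginException(cause.getMessage());
        wrapped.initCause(cause);
        return wrapped;
    }

    /**
     * Rejects option combinations that cannot work.
     *
     * @throws LoginException if prompting is disabled without TGT mode, or the wildcard
     *     principal {@code *} is combined with {@code isInitiator=true}
     */
    private void validateConfiguration() throws LoginException {
        if (this.doNotPrompt && !this.useTgtTicket) {
            throw new LoginException("Configuration Error - either doNotPrompt should be  false or useTgtTicket should be true");
        }
        boolean wildcardPrincipal = this.krb5PrincName != null && this.krb5PrincName.toString().equals("*");
        if (wildcardPrincipal && this.isInitiator) {
            throw new LoginException("Configuration Error - principal cannot be * when isInitiator is true");
        }
    }

    /**
     * Publishes the principal and, for initiators, the Kerberos ticket on the Subject.
     *
     * @return the delegate's result in delegate mode; {@code false} if login() did not succeed;
     *     otherwise {@code true}
     * @throws LoginException if the credential is missing for an initiator or the Subject is
     *     read-only
     */
    @Override
    public boolean commit() throws LoginException {
        if (this.debug) {
            System.out.println("Login success? " + this.succeeded);
        }
        if (!this.useTgtTicket) {
            return this.krb5LoginModule.commit();
        }
        if (!this.succeeded) {
            return false;
        }
        if (this.isInitiator && this.cred == null) {
            this.succeeded = false;
            throw new LoginException("Null Client Credential");
        }
        if (this.subject.isReadOnly()) {
            cleanKerberosCred();
            throw new LoginException("Subject is Readonly");
        }
        Set<Object> privateCredentials = this.subject.getPrivateCredentials();
        Set<Principal> principals = this.subject.getPrincipals();
        this.kerbClientPrinc = new KerberosPrincipal(this.principal.getName());
        if (this.isInitiator) {
            this.kerbTicket = Krb5Util.credsToTicket(this.cred);
        }
        // An unbound server (principal "*") gets no principal entry.
        if (!this.unboundServer && !principals.contains(this.kerbClientPrinc)) {
            principals.add(this.kerbClientPrinc);
        }
        if (this.kerbTicket != null && !privateCredentials.contains(this.kerbTicket)) {
            privateCredentials.add(this.kerbTicket);
        }
        this.commitSucceeded = true;
        if (this.debug) {
            System.out.println("Commit Succeeded \n");
        }
        return true;
    }

    /**
     * Rolls back a login whose overall authentication failed.
     *
     * @return the delegate's result in delegate mode; {@code false} if login() did not succeed;
     *     otherwise {@code true}
     * @throws LoginException if cleaning up the ticket fails
     */
    @Override
    public boolean abort() throws LoginException {
        if (!this.useTgtTicket) {
            return this.krb5LoginModule.abort();
        }
        if (!this.succeeded) {
            return false;
        }
        if (this.commitSucceeded) {
            // Already published on the Subject: a full logout is required.
            logout();
            return true;
        }
        this.succeeded = false;
        // Do not keep the TGT and session key reachable after a rolled-back login.
        this.cred = null;
        cleanKerberosCred();
        return true;
    }

    /**
     * Removes this module's principal and all Kerberos tickets from the Subject.
     *
     * @return the delegate's result in delegate mode, otherwise {@code true}
     * @throws LoginException if the Subject is read-only or destroying the ticket fails
     */
    @Override
    public boolean logout() throws LoginException {
        if (!this.useTgtTicket) {
            return this.krb5LoginModule.logout();
        }
        if (this.debug) {
            System.out.println("\t\t[HasLoginModule]: Entering logout");
        }
        // Release the module's own copy of the TGT and session key whatever happens below.
        this.cred = null;
        if (this.subject.isReadOnly()) {
            cleanKerberosCred();
            throw new LoginException("Subject is Readonly");
        }
        this.subject.getPrincipals().remove(this.kerbClientPrinc);
        // Every KerberosTicket is removed, including tickets added by other modules.
        Iterator<Object> it = this.subject.getPrivateCredentials().iterator();
        while (it.hasNext()) {
            if (it.next() instanceof KerberosTicket) {
                it.remove();
            }
        }
        cleanKerberosCred();
        this.succeeded = false;
        this.commitSucceeded = false;
        if (this.debug) {
            System.out.println("\t\t[HasLoginModule]: logged out Subject");
        }
        return true;
    }

    /**
     * Destroys the committed ticket and forgets it together with the client principal.
     *
     * @throws LoginException if the ticket cannot be destroyed; the original
     *     {@link DestroyFailedException} is attached as the cause and the references are kept
     */
    private void cleanKerberosCred() throws LoginException {
        try {
            if (this.kerbTicket != null) {
                this.kerbTicket.destroy();
            }
        } catch (DestroyFailedException e) {
            LoginException failure = new LoginException("Destroy Failed on Kerberos Private Credentials");
            failure.initCause(e);
            throw failure;
        }
        this.kerbTicket = null;
        this.kerbClientPrinc = null;
    }

    /** Clears the temporary principal-name buffer and, after a failed login, the principal. */
    private void cleanState() {
        if (!this.succeeded) {
            this.principal = null;
        }
        if (this.krb5PrincName != null && this.krb5PrincName.length() != 0) {
            this.krb5PrincName.delete(0, this.krb5PrincName.length());
        }
        this.krb5PrincName = null;
    }
}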
