package com.facebook.presto.jdbc.internal.airlift.http.client.spnego;

import com.facebook.presto.jdbc.internal.airlift.log.Logger;
import com.facebook.presto.jdbc.internal.guava.base.Preconditions;
import com.facebook.presto.jdbc.internal.guava.base.Throwables;
import com.facebook.presto.jdbc.internal.guava.collect.ImmutableMap;
import com.facebook.presto.jdbc.internal.jackson.annotation.JsonProperty;
import com.facebook.presto.jdbc.internal.jetty.client.api.Authentication;
import com.facebook.presto.jdbc.internal.jetty.client.api.ContentResponse;
import com.facebook.presto.jdbc.internal.jetty.client.api.Request;
import com.facebook.presto.jdbc.internal.jetty.http.HttpHeader;
import com.facebook.presto.jdbc.internal.jetty.util.Attributes;
import com.sun.security.auth.module.Krb5LoginModule;
import java.io.File;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.security.Principal;
import java.util.Base64;
import java.util.Locale;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/facebook/presto/jdbc/internal/airlift/http/client/spnego/SpnegoAuthentication.class */
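/**
 * Jetty {@link Authentication} that answers an HTTP {@code Negotiate} challenge with a
 * Kerberos/SPNEGO token obtained through JAAS ({@link Krb5LoginModule}) and JGSS.
 *
 * <p>Security-relevant behaviour a reader should know before reusing this class:
 * <ul>
 *   <li>The constructor sets the JVM-wide {@code java.security.krb5.conf} system property, so
 *       every Kerberos user in the same process sees the configuration of the most recently
 *       constructed instance.</li>
 *   <li>Each request gets a fresh GSS context that is disposed right after the first token is
 *       produced. The server's reply token is never fed back into the context, so although
 *       mutual authentication, confidentiality and integrity are requested as context flags,
 *       this class neither verifies mutual authentication nor uses per-message protection.
 *       Server identity and payload protection therefore have to come from the transport
 *       (TLS).</li>
 *   <li>The service principal's host part is produced by DNS canonicalisation, see
 *       {@link #makeServicePrincipal(String, String)}.</li>
 *   <li>Credential delegation is explicitly disabled.</li>
 * </ul>
 */
public class SpnegoAuthentication implements Authentication {
    private static final String NEGOTIATE = HttpHeader.NEGOTIATE.asString();
    private static final Logger LOG = Logger.get((Class<?>) SpnegoAuthentication.class);
    private static final GSSManager GSS_MANAGER = GSSManager.getInstance();
    // Mechanism OIDs; both are assigned in the static initializer at the bottom of the class.
    private static final Oid SPNEGO_OID;
    private static final Oid KERBEROS_OID;
    private final LoginContext loginContext;
    private final GSSCredential clientCredential;
    private final String remoteServiceName;

    /**
     * Supplier whose {@code get()} may throw {@link GSSException}; used with
     * {@link #doAs(Subject, GssSupplier)}. The decompiler reports that this type was private in
     * the original bytecode and was widened to public.
     */
    @FunctionalInterface
    public interface GssSupplier<T> {
        T get() throws GSSException;
    }

    /**
     * Logs in through {@link Krb5LoginModule} and creates the initiator credential that is
     * reused for every request.
     *
     * <p>Parameter names are decompiler output; their roles follow from the module options and
     * null-check messages used below.
     *
     * @param file keytab file, or {@code null} to leave the {@code keytab} option unset. A keytab
     *     holds long-term keys, so it should be readable only by the account running the client.
     * @param file2 Kerberos configuration file (krb5.conf); must not be {@code null}
     * @param file3 ticket (credential) cache file, or {@code null} to not use a ticket cache
     * @param str client principal, or {@code null} to leave the {@code principal} option unset
     * @param str2 remote service name, the part before {@code @} in the service principal; must
     *     not be {@code null}
     * @throws NullPointerException if {@code file2} or {@code str2} is {@code null}
     * @throws IllegalStateException if the login succeeds but yields no principal
     */
    public SpnegoAuthentication(final File file, File file2, final File file3, final String str, String str2) {
        Objects.requireNonNull(file2, "kerberosConfig is null");
        Objects.requireNonNull(str2, "remoteServiceName is null");
        this.remoteServiceName = str2;
        // Process-global side effect: this is a JVM system property, not per-instance state.
        System.setProperty("java.security.krb5.conf", file2.getAbsolutePath());
        try {
            // The application name passed here is JsonProperty.USE_DEFAULT_NAME, which looks like a
            // decompiler substitution for an inlined string constant; the inline Configuration
            // ignores the name it is asked for, so the value does not select anything.
            this.loginContext = new LoginContext(JsonProperty.USE_DEFAULT_NAME, null, null, kerberosLoginConfiguration(file, file3, str));
            this.loginContext.login();
        } catch (LoginException e) {
            throw Throwables.propagate(e);
        }
        Subject subject = this.loginContext.getSubject();
        // Fail with a clear message instead of a bare NoSuchElementException from the iterator.
        Preconditions.checkState(!subject.getPrincipals().isEmpty(), "Kerberos login produced no principal");
        Principal clientPrincipal = subject.getPrincipals().iterator().next();
        // INITIATE_ONLY: the credential can start contexts but cannot accept them.
        this.clientCredential = doAs(subject, () -> GSS_MANAGER.createCredential(
                GSS_MANAGER.createName(clientPrincipal.getName(), GSSName.NT_USER_NAME),
                GSSCredential.DEFAULT_LIFETIME,
                KERBEROS_OID,
                GSSCredential.INITIATE_ONLY));
    }

    /**
     * Builds the in-memory JAAS configuration: a single REQUIRED {@link Krb5LoginModule} entry.
     * The options are computed each time JAAS asks for the entry.
     */
    private static Configuration kerberosLoginConfiguration(File keytab, File credentialCache, String principal) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                ImmutableMap.Builder<String, String> options = ImmutableMap.builder();
                options.put("refreshKrb5Config", "true");
                // Non-interactive login: no password prompt; keys come from a keytab or ticket cache.
                options.put("doNotPrompt", "true");
                options.put("useKeyTab", "true");
                if (LOG.isDebugEnabled()) {
                    // NOTE(review): this turns on the login module's own diagnostics whenever this
                    // logger is at debug level; confirm where that output goes and that it is
                    // acceptable for it to name principals and credential file paths.
                    options.put("debug", "true");
                }
                if (keytab != null) {
                    options.put("keytab", keytab.getAbsolutePath());
                }
                if (credentialCache != null) {
                    options.put("ticketCache", credentialCache.getAbsolutePath());
                    options.put("useTicketCache", "true");
                    options.put("renewTGT", "true");
                }
                if (principal != null) {
                    options.put("principal", principal);
                }
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(Krb5LoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options.build())
                };
            }
        };
    }

    /**
     * Logs the client subject out of the login context.
     *
     * <p>A {@link LoginException} is rethrown through {@code Throwables.propagate}.
     */
    public void shutdown() {
        try {
            this.loginContext.logout();
        } catch (LoginException e) {
            throw Throwables.propagate(e);
        }
    }

    /**
     * Returns a result that attaches a {@code Negotiate} token to requests for the normalized
     * request URI.
     *
     * <p>The response and attributes arguments are not used.
     */
    @Override // com.facebook.presto.jdbc.internal.jetty.client.api.Authentication
    public Authentication.Result authenticate(Request request, ContentResponse contentResponse, final Authentication.HeaderInfo headerInfo, Attributes attributes) {
        final URI normalizedUri = UriUtil.normalizedUri(request.getURI());
        return new Authentication.Result() {
            @Override // com.facebook.presto.jdbc.internal.jetty.client.api.Authentication.Result
            public URI getURI() {
                return normalizedUri;
            }

            /**
             * Creates a one-shot GSS context for the target host and, if a token is produced,
             * sets it on the header named by the challenge. A {@link GSSException} while
             * producing the token is logged at debug level and the request is left without the
             * header.
             */
            @Override // com.facebook.presto.jdbc.internal.jetty.client.api.Authentication.Result
            public void apply(Request request2) {
                String servicePrincipal = makeServicePrincipal(remoteServiceName, normalizedUri.getHost());
                GSSContext context = doAs(loginContext.getSubject(), () -> {
                    GSSContext created = GSS_MANAGER.createContext(
                            GSS_MANAGER.createName(servicePrincipal, GSSName.NT_HOSTBASED_SERVICE),
                            SPNEGO_OID,
                            clientCredential,
                            GSSContext.INDEFINITE_LIFETIME);
                    // These are requests carried in the token. Nothing below checks the resulting
                    // context state, because the context is disposed before any server reply
                    // could be processed.
                    created.requestMutualAuth(true);
                    created.requestConf(true);
                    created.requestInteg(true);
                    // Delegation stays off: the service receives no forwardable client credential.
                    created.requestCredDeleg(false);
                    return created;
                });
                try {
                    byte[] token = context.initSecContext(new byte[0], 0, 0);
                    if (token != null) {
                        request2.header(headerInfo.getHeader(), String.format("%s %s", NEGOTIATE, Base64.getEncoder().encodeToString(token)));
                    } else {
                        LOG.debug("No token generated from GSS context for %s", request2.getURI());
                    }
                } catch (GSSException e) {
                    LOG.debug(e, "Failed to establish GSSContext for request %s", request2.getURI());
                } finally {
                    // Single disposal point for both the success and the failure path.
                    try {
                        context.dispose();
                    } catch (GSSException ignored) {
                        // Best-effort cleanup: the request outcome does not depend on disposal.
                    }
                }
            }
        };
    }

    /**
     * Matches any challenge whose scheme is {@code Negotiate}, compared case-insensitively.
     * The URI and realm arguments are ignored, so this instance is not restricted to particular
     * hosts; the token it produces is bound to the service principal derived from the request
     * host.
     */
    @Override // com.facebook.presto.jdbc.internal.jetty.client.api.Authentication
    public boolean matches(String str, URI uri, String str2) {
        return NEGOTIATE.equalsIgnoreCase(str);
    }

    /**
     * Builds the host-based service principal {@code service@canonical-host}, lower-casing the
     * host with {@link Locale#US}.
     *
     * <p>The host part is whatever {@link InetAddress} canonicalisation returns for
     * {@code str2}, so the principal a ticket is requested for depends on the resolver's
     * answers and not only on the host name in the request URI. Deployments that do not trust
     * their DNS path should account for that. A host that resolves to the name
     * {@code localhost} is replaced by the local machine's canonical name.
     *
     * <p>The decompiler reports that this method was private in the original bytecode.
     *
     * @param str service name
     * @param str2 host taken from the request URI
     * @return the service principal string
     * @throws IllegalStateException if the canonical name is still {@code localhost}
     */
    public static String makeServicePrincipal(String str, String str2) {
        try {
            InetAddress address = InetAddress.getByName(str2);
            String canonicalHost;
            if ("localhost".equalsIgnoreCase(address.getHostName())) {
                canonicalHost = InetAddress.getLocalHost().getCanonicalHostName();
            } else {
                canonicalHost = address.getCanonicalHostName();
            }
            Preconditions.checkState(!canonicalHost.equalsIgnoreCase("localhost"), "Fully qualified name of localhost should not resolve to 'localhost'. System configuration error?");
            return String.format("%s@%s", str, canonicalHost.toLowerCase(Locale.US));
        } catch (UnknownHostException e) {
            throw Throwables.propagate(e);
        }
    }

    /**
     * Runs {@code gssSupplier} as {@code subject} and returns its result; a
     * {@link GSSException} is rethrown through {@code Throwables.propagate}.
     *
     * <p>The decompiler reports that this method was private in the original bytecode.
     */
    public static <T> T doAs(Subject subject, GssSupplier<T> gssSupplier) {
        // The explicit PrivilegedAction target type is required: a bare lambda is ambiguous
        // between Subject.doAs(Subject, PrivilegedAction) and the PrivilegedExceptionAction
        // overload. It is written fully qualified so the file needs no additional import.
        return Subject.doAs(subject, (java.security.PrivilegedAction<T>) () -> {
            try {
                return gssSupplier.get();
            } catch (GSSException e) {
                throw Throwables.propagate(e);
            }
        });
    }

    static {
        try {
            SPNEGO_OID = new Oid("1.3.6.1.5.5.2");
            KERBEROS_OID = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            // Both OID strings are literals, so a parse failure is a programming error.
            throw new AssertionError(e);
        }
    }
}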
