package backtype.storm.security.auth.kerberos;

import backtype.storm.security.auth.AuthUtils;
import backtype.storm.security.auth.SaslTransportPlugin;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import shade.storm.org.apache.commons.lang.StringUtils;
import shade.storm.org.apache.thrift.transport.TSaslClientTransport;
import shade.storm.org.apache.thrift.transport.TSaslServerTransport;
import shade.storm.org.apache.thrift.transport.TTransport;
import shade.storm.org.apache.thrift.transport.TTransportException;
import shade.storm.org.apache.thrift.transport.TTransportFactory;
import shade.storm.org.apache.zookeeper.Login;
import shade.storm.org.apache.zookeeper.server.auth.KerberosName;

/* loaded from: input_file:backtype/storm/security/auth/kerberos/KerberosSaslTransportPlugin.class */
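/**
 * SASL transport plugin that authenticates Storm's Thrift RPC with the GSSAPI
 * (Kerberos) mechanism.
 *
 * <p>Both the server factory and the client {@link #connect} log in through JAAS
 * ({@link Login}) using the login configuration held in the inherited
 * {@code login_conf} field, verify that the login actually produced a
 * {@link KerberosTicket}, and then run the Thrift SASL handshake as the resulting
 * {@link Subject}.
 *
 * <p>Security properties of the resulting transport (see {@link #saslProperties()}):
 * the SASL quality of protection is {@code auth} only, so the connection is
 * authenticated but carries no SASL-layer integrity or confidentiality
 * protection, and the client does not require mutual (server) authentication.
 *
 * <p>Side effect: every login calls {@link Configuration#setConfiguration}, which
 * replaces the JAAS configuration for the whole JVM, not just for this plugin.
 */
public class KerberosSaslTransportPlugin extends SaslTransportPlugin {
    /** SASL mechanism name used on both sides. */
    public static final String KERBEROS = "GSSAPI";
    private static final Logger LOG = LoggerFactory.getLogger(KerberosSaslTransportPlugin.class);

    /**
     * Transport factory that produces each accepted connection's transport while
     * running as the server's JAAS {@link Subject}, so the wrapped SASL server
     * transport performs the handshake with the service's Kerberos credentials.
     */
    public static class TUGIAssumingTransportFactory extends TTransportFactory {
        private final Subject subject;
        private final TTransportFactory wrapped;

        /**
         * @param tTransportFactory factory whose transports are created under {@code subject}
         * @param subject the logged-in service subject; its first principal is logged at INFO
         */
        public TUGIAssumingTransportFactory(TTransportFactory tTransportFactory, Subject subject) {
            this.wrapped = tTransportFactory;
            this.subject = subject;
            Set<Principal> principals = subject.getPrincipals();
            if (!principals.isEmpty()) {
                LOG.info("Service principal:{}", principals.iterator().next().getName());
            }
        }

        /**
         * Wraps {@code tTransport} via the inner factory while running as the service subject.
         *
         * @return the wrapped transport, or {@code null} when the inner factory fails;
         *     the failure is logged at ERROR. {@link TTransportFactory#getTransport} declares
         *     no checked exception here, so the caller (the Thrift accept loop) has to cope
         *     with a {@code null} transport.
         */
        @Override
        public TTransport getTransport(final TTransport tTransport) {
            try {
                return Subject.doAs(this.subject, new PrivilegedExceptionAction<TTransport>() {
                    @Override
                    public TTransport run() {
                        try {
                            return wrapped.getTransport(tTransport);
                        } catch (Exception e) {
                            LOG.error("Storm server failed to open transport to interact with a client during session initiation: " + e, e);
                            return null;
                        }
                    }
                });
            } catch (PrivilegedActionException e) {
                LOG.error("Storm server experienced a PrivilegedActionException exception while creating a transport using a JAAS principal context:" + e, e);
                return null;
            }
        }
    }

    /**
     * Builds the server-side SASL/GSSAPI transport factory.
     *
     * <p>Logs in under {@link AuthUtils#LOGIN_CONTEXT_SERVER}, reads the {@code principal}
     * entry of that JAAS section to derive the service name and host for the SASL server
     * definition, and wraps the Thrift SASL factory so that handshakes run as the
     * logged-in subject.
     *
     * @return a {@link TUGIAssumingTransportFactory} around a GSSAPI server definition
     * @throws IOException declared by the interface; may originate from the callback handler
     * @throws RuntimeException if the JAAS login fails or yields no Kerberos ticket
     */
    @Override
    public TTransportFactory getServerTransportFactory() throws IOException {
        ServerCallbackHandler serverCallbackHandler = new ServerCallbackHandler(this.login_conf, this.storm_conf);
        Subject subject;
        try {
            subject = loginSubject(AuthUtils.LOGIN_CONTEXT_SERVER, serverCallbackHandler, "StormServer");
        } catch (LoginException e) {
            LOG.error("Server failed to login in principal:" + e, e);
            throw new RuntimeException(e);
        }
        String principal = AuthUtils.get(this.login_conf, AuthUtils.LOGIN_CONTEXT_SERVER, "principal");
        LOG.debug("principal:" + principal);
        // service/host@REALM is split so the SASL server definition matches the service ticket
        KerberosName kerberosName = new KerberosName(principal);
        TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
        factory.addServerDefinition(KERBEROS, kerberosName.getServiceName(), kerberosName.getHostName(),
                saslProperties(), serverCallbackHandler);
        LOG.info("SASL GSSAPI transport factory will be used");
        return new TUGIAssumingTransportFactory(factory, subject);
    }

    /**
     * Opens a SASL/GSSAPI client transport over {@code transport}.
     *
     * <p>Logs in under {@link AuthUtils#LOGIN_CONTEXT_CLIENT}, then performs the SASL
     * handshake as the logged-in subject. A failed handshake is surfaced to the caller
     * as a {@link TTransportException} instead of returning an unopened transport.
     *
     * @param transport  the underlying, already connected Thrift transport
     * @param serverHost handed to the SASL client as the server name, i.e. the host part of
     *                   the service principal the client expects to authenticate to
     * @param asUser     SASL authorization id to request; when blank, the first principal of
     *                   the logged-in subject is used, or none if the subject has no principals
     * @return the opened SASL client transport
     * @throws TTransportException if the SASL handshake fails
     * @throws IOException declared by the interface; may originate from the callback handler
     * @throws RuntimeException if the JAAS login fails, yields no Kerberos ticket, or the
     *     privileged action fails with a non-transport exception
     */
    @Override
    public TTransport connect(TTransport transport, String serverHost, String asUser)
            throws TTransportException, IOException {
        ClientCallbackHandler clientCallbackHandler = new ClientCallbackHandler(this.login_conf);
        Subject subject;
        try {
            subject = loginSubject(AuthUtils.LOGIN_CONTEXT_CLIENT, clientCallbackHandler, "StormClient");
        } catch (LoginException e) {
            LOG.error("Client failed to login in principal:" + e, e);
            throw new RuntimeException(e);
        }
        final String principal = StringUtils.isBlank(asUser) ? getPrincipal(subject) : asUser;
        // the SASL "protocol" (service name) can be overridden per JAAS section
        String serviceName = AuthUtils.get(this.login_conf, AuthUtils.LOGIN_CONTEXT_CLIENT, "serviceName");
        if (serviceName == null) {
            serviceName = AuthUtils.SERVICE;
        }
        LOG.debug("SASL GSSAPI client transport is being established");
        final TSaslClientTransport saslTransport = new TSaslClientTransport(
                KERBEROS, principal, serviceName, serverHost, saslProperties(), null, transport);
        try {
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws TTransportException {
                    LOG.debug("do as:" + principal);
                    // let the handshake failure propagate; doAs wraps it in PrivilegedActionException
                    saslTransport.open();
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            LOG.error("Client failed to open SaslClientTransport to interact with a server during session initiation: " + cause, cause);
            if (cause instanceof TTransportException) {
                throw (TTransportException) cause;
            }
            throw new RuntimeException(e);
        }
        return saslTransport;
    }

    /**
     * Installs {@code login_conf} as the JVM-wide JAAS configuration, logs in under
     * {@code loginContextName} and checks that the login produced a Kerberos ticket.
     *
     * @param loginContextName JAAS section to log in with
     * @param handler callback handler passed to {@link Login}
     * @param sectionLabel section name quoted in the error message when no ticket is present
     * @return the logged-in subject, guaranteed to hold at least one {@link KerberosTicket}
     * @throws LoginException if the JAAS login fails
     * @throws RuntimeException if the subject carries no Kerberos ticket
     */
    private Subject loginSubject(String loginContextName, CallbackHandler handler, String sectionLabel)
            throws LoginException {
        Configuration.setConfiguration(this.login_conf);
        Subject subject = new Login(loginContextName, handler).getSubject();
        if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
            throw new RuntimeException("Fail to verify user principal with section \"" + sectionLabel
                    + "\" in login configuration file " + this.login_conf);
        }
        return subject;
    }

    /**
     * SASL properties shared by the client and server transports.
     *
     * <p>{@code javax.security.sasl.qop=auth}: authentication only; no per-message integrity
     * or confidentiality is negotiated at the SASL layer, so any protection of the payload
     * must come from elsewhere. {@code javax.security.sasl.server.authentication=false}: the
     * client does not require the server to prove its identity (no mutual authentication).
     * Both values are part of the handshake peers expect, so they are fixed here rather than
     * made configurable.
     *
     * @return a fresh, mutable property map
     */
    private static Map<String, String> saslProperties() {
        Map<String, String> props = new TreeMap<String, String>();
        props.put("javax.security.sasl.qop", "auth");
        props.put("javax.security.sasl.server.authentication", "false");
        return props;
    }

    /**
     * Name of the subject's first principal, or {@code null} (logged at INFO) if it has none.
     * Which principal is "first" depends on the iteration order of {@link Subject#getPrincipals}.
     */
    private String getPrincipal(Subject subject) {
        Set<Principal> principals = subject.getPrincipals();
        if (principals != null && !principals.isEmpty()) {
            return principals.iterator().next().getName();
        }
        LOG.info("No principal found in login subject");
        return null;
    }
}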
