package com.hortonworks.registries.auth;

import com.hortonworks.registries.auth.util.Shell;
import com.hortonworks.registries.auth.util.Utils;
import java.util.Date;
import java.util.Map;
import java.util.Random;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/hortonworks/registries/auth/KerberosLogin.class */
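/**
 * JAAS login that, when the authenticated subject holds a Kerberos TGT, starts a
 * background thread to keep that TGT fresh.
 *
 * <p>The refresh thread sleeps until a point inside the ticket lifetime (window
 * factor plus random jitter), optionally runs {@code kinit -R} when the JAAS entry
 * uses the ticket cache, and then logs out and back in through a new
 * {@link LoginContext}.
 *
 * <p>Security-relevant points for operators:
 * <ul>
 *   <li>{@link #KINIT_CMD} names a program that this process executes. The
 *       configuration that supplies it must be as trusted as the process itself.</li>
 *   <li>Once the refresh thread exits (clock skew, failed renewal, failed re-login,
 *       missing TGT) nothing restarts it; the process loses the ability to
 *       authenticate when the current ticket expires. Alert on its error/warn logs.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code loginContext}, {@code principal} and
 * {@code isUsingTicketCache} are shared between the caller's thread and the
 * refresh thread without any synchronization visible in this class; whether
 * {@code AbstractLogin} provides it cannot be determined from here.
 */
public class KerberosLogin extends AbstractLogin {
    private static final Logger log = LoggerFactory.getLogger(KerberosLogin.class);
    // Used only to spread renewal times (jitter); this is not a security-sensitive
    // use of randomness, so java.util.Random is sufficient here.
    private static final Random RNG = new Random();
    public static final String KINIT_CMD = "kinit.cmd";
    public static final String TICKET_RENEW_WINDOW_FACTOR = "ticket.renew.window.factor";
    public static final String TICKET_RENEW_JITTER = "ticket.renew.jitter";
    public static final String MIN_TIME_BEFORE_RELOGIN = "min.time.before.relogin";
    // Refresh thread; null when no Kerberos ticket was found at login.
    private Thread t;
    private boolean isKrbTicket;
    private boolean isUsingTicketCache;
    private String principal;
    // Fraction of the ticket lifetime after which renewal is attempted.
    private double ticketRenewWindowFactor = 0.8d;
    // Upper bound of the random fraction added to the window factor.
    private double ticketRenewJitter = 0.05d;
    // Milliseconds (the refresh thread reports it divided by 1000 as seconds).
    private long minTimeBeforeRelogin = 60000;
    // Program executed with "-R" by the refresh thread when the ticket cache is in use.
    private String kinitCmd = "/usr/bin/kinit";

    /**
     * Reads the optional renewal settings from {@code map}; absent keys keep their defaults.
     *
     * <p>Numeric settings are parsed from the value's string form, so both
     * {@code String} values and boxed numbers are accepted.
     *
     * @param map configuration values keyed by the {@code *_FACTOR}/{@code *_JITTER}/
     *            {@code MIN_TIME_BEFORE_RELOGIN}/{@code KINIT_CMD} constants
     * @param str passed through unchanged to {@code AbstractLogin.configure}
     * @throws NumberFormatException if a numeric setting cannot be parsed
     * @throws ClassCastException if {@link #KINIT_CMD} is present but not a {@code String}
     */
    @Override // com.hortonworks.registries.auth.AbstractLogin, com.hortonworks.registries.auth.Login
    public void configure(Map<String, ?> map, String str) {
        super.configure(map, str);
        Object windowFactor = map.get(TICKET_RENEW_WINDOW_FACTOR);
        if (windowFactor != null) {
            this.ticketRenewWindowFactor = Double.parseDouble(String.valueOf(windowFactor));
        }
        Object jitter = map.get(TICKET_RENEW_JITTER);
        if (jitter != null) {
            this.ticketRenewJitter = Double.parseDouble(String.valueOf(jitter));
        }
        Object minTime = map.get(MIN_TIME_BEFORE_RELOGIN);
        if (minTime != null) {
            this.minTimeBeforeRelogin = Long.parseLong(String.valueOf(minTime));
        }
        Object kinit = map.get(KINIT_CMD);
        if (kinit != null) {
            // This value is later handed to Shell.execCommand as the program to run.
            // It is taken verbatim from configuration: whoever controls this setting
            // controls which executable the process launches, so the configuration
            // source must be trusted and write-protected.
            this.kinitCmd = (String) kinit;
        }
    }

    /**
     * Performs the JAAS login and, if a renewable situation is detected, starts the
     * TGT refresh thread.
     *
     * @return the login context established by {@code AbstractLogin.login()}
     * @throws LoginException if the underlying login fails
     */
    @Override // com.hortonworks.registries.auth.AbstractLogin, com.hortonworks.registries.auth.Login
    public LoginContext login() throws LoginException {
        super.login();
        this.isKrbTicket = !this.loginContext.getSubject().getPrivateCredentials(KerberosTicket.class).isEmpty();
        if (!this.isKrbTicket) {
            log.info("It is not a Kerberos ticket");
            this.t = null;
            return this.loginContext;
        }
        log.info("It is a Kerberos ticket");
        AppConfigurationEntry[] entries = Configuration.getConfiguration().getAppConfigurationEntry(this.loginContextName);
        // Configuration.getAppConfigurationEntry is documented to return null when the
        // name has no entries, so null is treated the same as an empty array.
        if (entries == null || entries.length == 0) {
            this.isUsingTicketCache = false;
            this.principal = null;
        } else {
            // Only the first entry of the JAAS section is consulted.
            Map<String, ?> options = entries[0].getOptions();
            this.isUsingTicketCache = "true".equals(options.get("useTicketCache"));
            this.principal = (String) options.get("principal");
        }
        KerberosTicket tgt = getTGT();
        if (tgt == null) {
            log.warn("No tgt found for principal {}. Hence not spawning auto relogin thread.", this.principal);
        } else if (!this.isUsingTicketCache || tgt.getRenewTill() == null || tgt.getRenewTill().getTime() >= tgt.getEndTime().getTime()) {
            spawnReloginThread();
        } else {
            // Ticket-cache TGT whose renew-till is before its end time: renewing it
            // cannot extend its life, so no refresh thread is started.
            log.warn("The TGT cannot be renewed beyond the next expiry date: {}. This process will not be able to authenticate new clients after that time. Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife {} ' within kadmin, or instead, to generate a keytab for {}. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now.", new Object[]{new Date(tgt.getEndTime().getTime()), this.principal, this.principal});
        }
        return this.loginContext;
    }

    /**
     * Stops the refresh thread, if one is running, and waits for it to finish.
     *
     * <p>If the calling thread is interrupted while waiting, the interrupt status is
     * restored so callers further up the stack can still observe it.
     */
    @Override // com.hortonworks.registries.auth.Login
    public void close() {
        if (this.t == null || !this.t.isAlive()) {
            return;
        }
        this.t.interrupt();
        try {
            this.t.join();
        } catch (InterruptedException e) {
            log.warn("Error while waiting for Login thread to shutdown: " + e, e);
            // Do not swallow the interrupt: restore the flag for the caller.
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Creates and starts the thread that periodically renews the TGT and re-logs in.
     *
     * <p>The loop exits (and is never restarted by this class) when no TGT is present,
     * when the computed refresh time is after the ticket expiry or not in the future,
     * when {@code kinit -R} fails, when re-login fails, or when the thread is interrupted.
     */
    private void spawnReloginThread() {
        this.t = Utils.newThread("kerberos-refresh-thread", new Runnable() {
            @Override // java.lang.Runnable
            public void run() {
                log.info("TGT refresh thread started.");
                while (true) {
                    KerberosTicket tgt = getTGT();
                    if (tgt == null) {
                        // A re-login can leave the subject without a TGT. Without this
                        // guard the thread would die with a NullPointerException that
                        // never reaches the application log.
                        log.error("No TGT found in the login subject: exiting refresh thread. Manual intervention will be required for this client to successfully authenticate.");
                        return;
                    }
                    long now = System.currentTimeMillis();
                    long nextRefresh = getRefreshTime(tgt);
                    long expiry = tgt.getEndTime().getTime();
                    long earliestAllowed = now + minTimeBeforeRelogin;
                    // Enforce the minimum interval only while doing so keeps the refresh
                    // before the ticket's expiry.
                    if (earliestAllowed <= expiry) {
                        if (nextRefresh < earliestAllowed) {
                            log.warn("TGT refresh thread time adjusted from {} to {} since the former is sooner than the minimum refresh interval ({} seconds) from now.", new Object[]{new Date(nextRefresh), new Date(earliestAllowed), Long.valueOf(minTimeBeforeRelogin / 1000)});
                        }
                        nextRefresh = Math.max(nextRefresh, earliestAllowed);
                    }
                    Date nextRefreshDate = new Date(nextRefresh);
                    if (nextRefresh > expiry) {
                        log.error("Next refresh: {} is later than expiry {}. This may indicate a clock skew problem.Check that this host and the KDC hosts' clocks are in sync. Exiting refresh thread.", nextRefreshDate, new Date(expiry));
                        return;
                    }
                    if (now >= nextRefresh) {
                        log.error("NextRefresh: {} is in the past: exiting refresh thread. Check clock sync between this host and KDC - (KDC's clock is likely ahead of this host). Manual intervention will be required for this client to successfully authenticate. Exiting refresh thread.", nextRefreshDate);
                        return;
                    }
                    log.info("TGT refresh sleeping until: {}", nextRefreshDate);
                    try {
                        Thread.sleep(nextRefresh - now);
                        if (isUsingTicketCache) {
                            try {
                                log.debug("Running ticket cache refresh command: {} {}", kinitCmd, "-R");
                                // Program and argument are passed as separate values.
                                // NOTE(review): Shell.execCommand is not visible here;
                                // confirm it does not route them through a shell.
                                Shell.execCommand(kinitCmd, "-R");
                            } catch (Exception e) {
                                log.warn("Could not renew TGT due to problem running shell command: '" + kinitCmd + " -R'; exception was: " + e + ". Exiting refresh thread.", e);
                                return;
                            }
                        }
                        try {
                            reLogin();
                        } catch (LoginException e2) {
                            log.error("Failed to refresh TGT: refresh thread exiting now.", e2);
                            return;
                        }
                    } catch (InterruptedException e3) {
                        log.warn("TGT renewal thread has been interrupted and will exit.");
                        return;
                    }
                }
            }
        }, true);
        this.t.start();
    }

    /**
     * Computes when the given ticket should next be refreshed.
     *
     * <p>The proposed time is {@code start + (end - start) * (windowFactor + jitter * r)}
     * with {@code r} drawn from {@code [0, 1)}. If that lands after the ticket's end
     * time, the current time is returned instead.
     *
     * <p>NOTE(review): {@link KerberosTicket#getStartTime()} is documented as
     * nullable; a ticket without a start time would fail here with a
     * {@code NullPointerException}.
     *
     * @param kerberosTicket the TGT to schedule a refresh for; must not be null
     * @return the refresh time in epoch milliseconds
     */
    /* JADX INFO: Access modifiers changed from: private */
    public long getRefreshTime(KerberosTicket kerberosTicket) {
        long start = kerberosTicket.getStartTime().getTime();
        long expiry = kerberosTicket.getEndTime().getTime();
        log.info("TGT valid starting at: {}", kerberosTicket.getStartTime());
        log.info("TGT expires: {}", kerberosTicket.getEndTime());
        long proposed = start + ((long) ((expiry - start) * (this.ticketRenewWindowFactor + (this.ticketRenewJitter * RNG.nextDouble()))));
        return proposed > expiry ? System.currentTimeMillis() : proposed;
    }

    /**
     * Finds the ticket-granting ticket among the subject's private credentials.
     *
     * <p>A ticket counts as the TGT when its server principal is
     * {@code krbtgt/REALM@REALM} for the server's own realm.
     *
     * <p>The decompiler note below records that this method was private in the
     * original class. The returned object is a private credential of the subject and
     * should not be handed to code outside this class.
     *
     * @return the TGT, or {@code null} if the subject holds none
     */
    /* JADX INFO: Access modifiers changed from: private */
    public KerberosTicket getTGT() {
        for (KerberosTicket kerberosTicket : this.loginContext.getSubject().getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = kerberosTicket.getServer();
            String expectedTgtName = "krbtgt/" + server.getRealm() + "@" + server.getRealm();
            if (server.getName().equals(expectedTgtName)) {
                log.debug("Found TGT with client principal '{}' and server principal '{}'.", kerberosTicket.getClient().getName(), kerberosTicket.getServer().getName());
                return kerberosTicket;
            }
        }
        return null;
    }

    /**
     * Logs the current context out and logs in again with a new {@link LoginContext}
     * built on the same {@code Subject}.
     *
     * <p>NOTE(review): logout happens before the new login, so the subject presumably
     * carries no Kerberos credentials between the two calls, and stays that way if
     * the login throws. Confirm callers tolerate that window.
     *
     * @throws LoginException if logout, context creation or login fails
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void reLogin() throws LoginException {
        log.info("Initiating logout for {}", this.principal);
        this.loginContext.logout();
        this.loginContext = new LoginContext(this.loginContextName, this.loginContext.getSubject());
        log.info("Initiating re-login for {}", this.principal);
        this.loginContext.login();
        log.info("Successfully logged in from auto relogin thread");
    }
}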
