package org.apache.hadoop.security.authentication.server;

import java.io.File;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.util.PlatformName;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:classes/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.class
 */
/* loaded from: input_file:hadoop-auth-2.4.0.jar:org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.class */
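/**
 * Server-side SPNEGO/Kerberos {@link AuthenticationHandler}.
 *
 * <p>On {@link #init(Properties)} the handler logs in as the configured service
 * principal from the configured keytab through a programmatic JAAS configuration
 * (no external {@code jaas.conf} is required) and keeps the resulting
 * {@link LoginContext} for the lifetime of the handler.
 *
 * <p>On {@link #authenticate(HttpServletRequest, HttpServletResponse)} a request
 * without a {@code Negotiate} {@code Authorization} header is answered with
 * {@code 401} and {@code WWW-Authenticate: Negotiate}; a request carrying a
 * {@code Negotiate} token is fed to a fresh GSS-API acceptor context running as
 * the service {@link Subject}. Once the context is established the client's
 * Kerberos principal is mapped through {@link KerberosName} (rules from
 * {@link #NAME_RULES}, if given) to the short user name placed in the returned
 * {@link AuthenticationToken}.
 *
 * <p>Configuration properties: {@link #PRINCIPAL}, {@link #KEYTAB} (both
 * mandatory) and {@link #NAME_RULES} (optional).
 */
public class KerberosAuthenticationHandler implements AuthenticationHandler {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthenticationHandler.class);

    /** Handler type reported by {@link #getType()}. */
    public static final String TYPE = "kerberos";
    /** Property: Kerberos principal the server logs in as; its keys must be in the keytab. */
    public static final String PRINCIPAL = "kerberos.principal";
    /** Property: filesystem path of the keytab holding the keys of {@link #PRINCIPAL}. */
    public static final String KEYTAB = "kerberos.keytab";
    /** Property: optional auth_to_local rules passed to {@link KerberosName#setRules(String)}. */
    public static final String NAME_RULES = "kerberos.name.rules";

    private String principal;
    private String keytab;
    private GSSManager gssManager;
    private LoginContext loginContext;

    /**
     * Programmatic JAAS {@link Configuration} producing a single REQUIRED
     * {@code Krb5LoginModule} entry for a keytab-based acceptor login. The option
     * names differ between IBM Java and other JVMs, hence the two branches.
     */
    private static class KerberosConfiguration extends Configuration {
        private final String keytab;
        private final String principal;

        /**
         * @param keytab    path to the keytab file
         * @param principal Kerberos principal to log in as
         */
        public KerberosConfiguration(String keytab, String principal) {
            this.keytab = keytab;
            this.principal = principal;
        }

        /**
         * Builds the login module options; the application name is ignored because
         * this configuration serves exactly one login.
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
            Map<String, String> options = new HashMap<String, String>();
            if (PlatformName.IBM_JAVA) {
                // IBM's module expects the keytab as a file:// URL.
                String keytabUrl = keytab.startsWith("file://") ? keytab : "file://" + keytab;
                options.put("useKeytab", keytabUrl);
                options.put("principal", principal);
                options.put("credsType", "acceptor");
            } else {
                options.put("keyTab", keytab);
                options.put("principal", principal);
                options.put("useKeyTab", "true");
                options.put("storeKey", "true");
                // Server-side login: never block on an interactive prompt.
                options.put("doNotPrompt", "true");
                options.put("useTicketCache", "true");
                options.put("renewTGT", "true");
                options.put("isInitiator", "false");
            }
            options.put("refreshKrb5Config", "true");

            String ticketCache = System.getenv("KRB5CCNAME");
            if (ticketCache != null) {
                if (PlatformName.IBM_JAVA) {
                    options.put("useDefaultCcache", "true");
                    // NOTE: process-wide side effect; the IBM module locates the cache via this system property.
                    System.setProperty("KRB5CCNAME", ticketCache);
                    options.put("renewTGT", "true");
                    options.put("credsType", "both");
                } else {
                    options.put("ticketCache", ticketCache);
                }
            }
            if (LOG.isDebugEnabled()) {
                // Krb5LoginModule's own debug output is very verbose; only turn it on when we are at DEBUG.
                options.put("debug", "true");
            }
            AppConfigurationEntry entry = new AppConfigurationEntry(
                    KerberosUtil.getKrb5LoginModuleName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    options);
            return new AppConfigurationEntry[]{entry};
        }
    }

    /**
     * Validates the configuration, installs the optional name rules and performs
     * the keytab login as the service principal.
     *
     * @param config handler properties ({@link #PRINCIPAL}, {@link #KEYTAB}, {@link #NAME_RULES})
     * @throws ServletException if principal or keytab are missing, the keytab file does
     *                          not exist, or the Kerberos login fails (the cause is attached)
     */
    @Override
    public void init(Properties config) throws ServletException {
        // Configuration errors are reported as-is rather than wrapped a second time.
        principal = config.getProperty(PRINCIPAL, principal);
        if (principal == null || principal.trim().isEmpty()) {
            throw new ServletException("Principal not defined in configuration");
        }
        keytab = config.getProperty(KEYTAB, keytab);
        if (keytab == null || keytab.trim().isEmpty()) {
            throw new ServletException("Keytab not defined in configuration");
        }
        if (!new File(keytab).exists()) {
            throw new ServletException("Keytab does not exist: " + keytab);
        }
        String nameRules = config.getProperty(NAME_RULES, null);
        if (nameRules != null) {
            // Static setter: these rules affect every KerberosName in this JVM, not only this handler.
            KerberosName.setRules(nameRules);
        }

        try {
            Set<KerberosPrincipal> principals = new HashSet<KerberosPrincipal>();
            principals.add(new KerberosPrincipal(principal));
            Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
            KerberosConfiguration jaasConfig = new KerberosConfiguration(keytab, principal);
            LOG.info("Login using keytab " + keytab + ", for principal " + principal);
            loginContext = new LoginContext("", subject, (CallbackHandler) null, jaasConfig);
            loginContext.login();
            try {
                // Obtain the GSSManager as the logged-in Subject so it is bound to the service credentials.
                gssManager = Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<GSSManager>() {
                    @Override
                    public GSSManager run() throws Exception {
                        return GSSManager.getInstance();
                    }
                });
                LOG.info("Initialized, principal [{}] from keytab [{}]", principal, keytab);
            } catch (PrivilegedActionException e) {
                throw e.getException();
            }
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }

    /** Logs the service Subject out and drops the {@link LoginContext}; logout failures are only logged. */
    @Override
    public void destroy() {
        if (loginContext == null) {
            return;
        }
        try {
            loginContext.logout();
        } catch (LoginException e) {
            LOG.warn(e.getMessage(), e);
        }
        loginContext = null;
    }

    /** @return {@link #TYPE} */
    @Override
    public String getType() {
        return TYPE;
    }

    /** @return the configured service principal (null before {@link #init(Properties)}) */
    public String getPrincipal() {
        return principal;
    }

    /** @return the configured keytab path (null before {@link #init(Properties)}) */
    public String getKeytab() {
        return keytab;
    }

    /**
     * This handler has no management operations, so every request is reported as
     * needing normal processing.
     *
     * @return always {@code true}
     */
    @Override
    public boolean managementOperation(AuthenticationToken token, HttpServletRequest request,
                                       HttpServletResponse response) throws IOException, AuthenticationException {
        return true;
    }

    /**
     * Performs one SPNEGO round trip.
     *
     * <p>Without a {@code Negotiate} {@code Authorization} header the response is set
     * to {@code 401} with {@code WWW-Authenticate: Negotiate} and {@code null} is
     * returned. With one, the base64 token is handed to a GSS acceptor context running
     * as the service Subject; any token the acceptor produces is returned to the client
     * in {@code WWW-Authenticate}. If the context is established the response status is
     * {@code 200} and a token for the client's principal is returned; otherwise the
     * status is {@code 401} and {@code null} is returned.
     *
     * @param request  incoming request; only the {@code Authorization} header is read
     * @param response response on which status and {@code WWW-Authenticate} are set
     * @return the authenticated client's token, or {@code null} when the negotiation is
     *         not (yet) complete
     * @throws IOException             propagated from the negotiation (e.g. name mapping)
     * @throws AuthenticationException wrapping any other failure of the GSS exchange,
     *                                 including malformed tokens
     */
    @Override
    public AuthenticationToken authenticate(HttpServletRequest request, final HttpServletResponse response)
            throws IOException, AuthenticationException {
        String authorization = request.getHeader(KerberosAuthenticator.AUTHORIZATION);
        if (authorization == null || !authorization.startsWith(KerberosAuthenticator.NEGOTIATE)) {
            // No Negotiate credentials: challenge the client.
            response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE, KerberosAuthenticator.NEGOTIATE);
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            if (authorization == null) {
                LOG.trace("SPNEGO starting");
            } else {
                // Log only the scheme: a foreign Authorization header (e.g. Basic) carries
                // credentials that must not be written to the log.
                LOG.warn("'Authorization' does not start with 'Negotiate' :  scheme [{}]",
                        authScheme(authorization));
            }
            return null;
        }

        String encodedToken = authorization.substring(KerberosAuthenticator.NEGOTIATE.length()).trim();
        final Base64 base64 = new Base64(0);
        // Commons-codec drops characters outside the base64 alphabet instead of failing, so a
        // malformed token is rejected by the GSS acceptor below rather than here.
        final byte[] clientToken = base64.decode(encodedToken);
        try {
            return Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<AuthenticationToken>() {
                @Override
                public AuthenticationToken run() throws Exception {
                    return acceptToken(clientToken, base64, response);
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new AuthenticationException(cause);
        }
    }

    /**
     * Runs one acceptor step of the GSS exchange; must be called as the service Subject.
     * The context and any explicit credential are always disposed, including when the
     * acceptor throws.
     *
     * @param clientToken decoded token from the client's {@code Authorization} header
     * @param base64      encoder for the token sent back in {@code WWW-Authenticate}
     * @param response    response to set status and header on
     * @return the client's token when the context is established, else {@code null}
     * @throws Exception any GSS or name-mapping failure
     */
    private AuthenticationToken acceptToken(byte[] clientToken, Base64 base64, HttpServletResponse response)
            throws Exception {
        GSSCredential serverCreds = null;
        GSSContext gssContext = null;
        try {
            if (PlatformName.IBM_JAVA) {
                // IBM JGSS requires the acceptor credential to be created explicitly;
                // other JVMs derive it from the current Subject when null is passed.
                serverCreds = gssManager.createCredential(
                        (GSSName) null,
                        GSSCredential.INDEFINITE_LIFETIME,
                        new Oid[]{
                            KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID"),
                            KerberosUtil.getOidInstance("GSS_KRB5_MECH_OID")},
                        GSSCredential.ACCEPT_ONLY);
            }
            gssContext = gssManager.createContext(serverCreds);
            byte[] serverToken = gssContext.acceptSecContext(clientToken, 0, clientToken.length);
            if (serverToken != null && serverToken.length > 0) {
                response.setHeader(KerberosAuthenticator.WWW_AUTHENTICATE,
                        "Negotiate " + base64.encodeToString(serverToken));
            }
            if (!gssContext.isEstablished()) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                LOG.trace("SPNEGO in progress");
                return null;
            }
            // The authenticated identity is the GSS source name; the short name is
            // derived from it via the configured auth_to_local rules.
            String clientPrincipal = gssContext.getSrcName().toString();
            AuthenticationToken token = new AuthenticationToken(
                    new KerberosName(clientPrincipal).getShortName(), clientPrincipal, getType());
            response.setStatus(HttpServletResponse.SC_OK);
            LOG.trace("SPNEGO completed for principal [{}]", clientPrincipal);
            return token;
        } finally {
            if (gssContext != null) {
                gssContext.dispose();
            }
            if (serverCreds != null) {
                serverCreds.dispose();
            }
        }
    }

    /**
     * Returns the auth-scheme part of an {@code Authorization} header value (everything
     * before the first blank), which is safe to log because credentials only follow it.
     */
    private static String authScheme(String authorization) {
        int blank = authorization.indexOf(' ');
        return blank < 0 ? authorization : authorization.substring(0, blank);
    }
}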
