package com.walmartlabs.concord.plugins.ansible;

import com.walmartlabs.concord.sdk.MapUtils;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.apache.kerby.KOptions;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
import org.apache.kerby.kerberos.kerb.client.ClientUtil;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbKdcOption;
import org.apache.kerby.kerberos.kerb.client.KrbOption;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/walmartlabs/concord/plugins/ansible/KerberosAuth.class */
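/**
 * Kerberos-based authentication for Ansible runs.
 *
 * <p>{@link #prepare()} requests a TGT with the configured principal and password,
 * stores it in a credential cache file and starts a background thread that replaces
 * the cache shortly before the ticket expires. {@code enrich(...)} points Ansible at
 * the cache via {@code KRB5CCNAME} and enables GSSAPI for SSH. {@link #postProcess()}
 * stops the renewal thread and deletes both cache files.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The credential cache holds a usable TGT. This class sets no file permissions on
 *       it, so whatever the Kerby {@code CredentialCache.store} call and the process umask
 *       apply is all that protects it. NOTE(review): confirm the directory passed to the
 *       constructor is not readable by other local users or unrelated containers.</li>
 *   <li>The password is kept as a {@code String} for the lifetime of the object because
 *       each renewal performs a fresh password-based request; it cannot be wiped, so
 *       heap dumps of this process should be handled as credential material.</li>
 * </ul>
 */
public class KerberosAuth implements AnsibleAuth {
    private static final Logger log = LoggerFactory.getLogger(KerberosAuth.class);

    /** Delay before the renewal loop retries after a failure. */
    private static final long ERROR_RETRY = TimeUnit.SECONDS.toMillis(30);

    /** How long before ticket expiry a replacement TGT is requested. */
    private static final long RENEW = TimeUnit.MINUTES.toMillis(1);

    private final String username;
    private final String password;
    private final Path tgtCacheFile;
    private final Path tgtTmpCacheFile;
    private Thread renewThread;

    /**
     * Background loop that replaces the credential cache before the current TGT expires.
     * The new ticket is written to a temporary file and then atomically moved over the
     * live cache, so readers never observe a partially written file.
     */
    private class TgtRenew implements Runnable {
        private final Path tgtTmpCacheFile;
        private final Path tgtCacheFile;
        private long expiredAt;

        /**
         * @param tmpCacheFile scratch file the fresh ticket is written to first
         * @param cacheFile live cache file that {@code KRB5CCNAME} points at
         * @param expiredAt expiry of the ticket currently in {@code cacheFile}, epoch millis
         */
        public TgtRenew(Path tmpCacheFile, Path cacheFile, long expiredAt) {
            this.tgtTmpCacheFile = tmpCacheFile;
            this.tgtCacheFile = cacheFile;
            this.expiredAt = expiredAt;
        }

        @Override
        public void run() {
            while (!Thread.currentThread().isInterrupted()) {
                try {
                    long now = System.currentTimeMillis();
                    long renewAt = this.expiredAt - RENEW;
                    if (renewAt <= now) {
                        long newExpiry = storeTgt(this.tgtTmpCacheFile);
                        Files.move(this.tgtTmpCacheFile, this.tgtCacheFile,
                                StandardCopyOption.ATOMIC_MOVE, StandardCopyOption.REPLACE_EXISTING);
                        // Record the new expiry only once the live cache really holds the new
                        // ticket. If the move fails, the old expiry stays in place and the loop
                        // retries after ERROR_RETRY instead of sleeping until the new ticket's
                        // renewal time while the live cache still contains the expiring one.
                        this.expiredAt = newExpiry;
                        log.info("TGT obtained, expires at '{}'", new Date(this.expiredAt));
                    } else {
                        log.info("TGT renew at {}", new Date(renewAt));
                        sleep(renewAt - now);
                    }
                } catch (Exception e) {
                    // The trailing throwable makes SLF4J log the stack trace, which is needed
                    // to tell KDC/authentication failures apart from local file errors.
                    log.error("TGT get error: {}, retry in {} ms", e.getMessage(), ERROR_RETRY, e);
                    sleep(ERROR_RETRY);
                }
            }
        }

        /** Sleeps for the given time; an interrupt is re-asserted so the loop in run() exits. */
        private void sleep(long millis) {
            try {
                Thread.sleep(millis);
            } catch (InterruptedException unused) {
                Thread.currentThread().interrupt();
            }
        }
    }

    /**
     * @param username client principal used for the TGT request and as the SSH user
     * @param password password for the principal
     * @param cacheDir directory in which the {@code tgt-ticket} and {@code tmp-tgt-ticket}
     *     files are created
     * @param debug when true, enables {@code sun.security.krb5.debug}
     */
    public KerberosAuth(String username, String password, Path cacheDir, boolean debug) {
        this.username = username;
        this.password = password;
        this.tgtCacheFile = cacheDir.resolve("tgt-ticket");
        this.tgtTmpCacheFile = cacheDir.resolve("tmp-tgt-ticket");
        if (debug) {
            // NOTE(review): this is a JVM-wide property and is never reset here, so it stays on
            // for everything else in the process. Debug traces may include principal and
            // ticket metadata; keep it off outside troubleshooting.
            System.setProperty("sun.security.krb5.debug", "true");
        }
    }

    /**
     * Exposes the credential cache to Ansible through {@code KRB5CCNAME}.
     *
     * <p>When a Docker image is configured in the task arguments, the cache path is
     * re-based from the work dir onto {@code /workspace}.
     * NOTE(review): presumably the work dir is mounted at /workspace in the container - confirm.
     */
    @Override
    public KerberosAuth enrich(AnsibleEnv ansibleEnv, AnsibleContext ansibleContext) {
        boolean dockerized =
                MapUtils.getString(ansibleContext.args(), TaskParams.DOCKER_IMAGE_KEY.getKey()) != null;
        Path cachePath = dockerized
                ? Paths.get("/workspace").resolve(ansibleContext.workDir().relativize(this.tgtCacheFile))
                : this.tgtCacheFile;
        ansibleEnv.put("KRB5CCNAME", cachePath.toString());
        return this;
    }

    /** Enables GSSAPI authentication for SSH and sets the remote user to the principal. */
    @Override
    public KerberosAuth enrich(PlaybookScriptBuilder playbookScriptBuilder) {
        playbookScriptBuilder.withExtraSshArgs("-o GSSAPIAuthentication=yes").withUser(this.username);
        return this;
    }

    /**
     * Obtains the initial TGT and starts the renewal thread.
     *
     * @throws Exception if the initial TGT cannot be requested or stored
     */
    @Override
    public void prepare() throws Exception {
        long expiresAt = storeTgt(this.tgtCacheFile);
        log.info("TGT obtained, expired at '{}'", new Date(expiresAt));
        this.renewThread = new Thread(
                new TgtRenew(this.tgtTmpCacheFile, this.tgtCacheFile, expiresAt), "tgt-renew");
        this.renewThread.start();
    }

    /**
     * Stops the renewal thread and removes both credential cache files. Cleanup is
     * best-effort: failures are logged and never propagated.
     */
    @Override
    public void postProcess() {
        if (this.renewThread != null) {
            this.renewThread.interrupt();
            try {
                this.renewThread.join();
            } catch (InterruptedException e) {
                // Keep the caller's interrupt visible instead of swallowing it. The renewal
                // thread may still be finishing, so a ticket file could reappear after the
                // deletes below.
                Thread.currentThread().interrupt();
                log.warn("postProcess -> error", e);
            }
            this.renewThread = null;
        }
        deleteQuietly(this.tgtCacheFile);
        deleteQuietly(this.tgtTmpCacheFile);
    }

    /** Deletes a ticket file if present, logging instead of throwing on failure. */
    private void deleteQuietly(Path file) {
        try {
            Files.deleteIfExists(file);
        } catch (IOException | RuntimeException e) {
            log.warn("postProcess -> error", e);
        }
    }

    /**
     * Requests a fresh TGT with the configured principal and password and writes it to
     * {@code path} as a credential cache, replacing any existing file.
     *
     * <p>The ticket is requested as neither forwardable nor proxiable, and the KDC
     * connection timeout option is set to 30000.
     *
     * <p>NOTE(review): a decompiler note on this method said its access modifier was changed
     * from private; it is left public here so the visible interface stays as it is.
     *
     * @param path file the credential cache is written to
     * @return end time of the obtained ticket, epoch millis
     * @throws IOException if the existing file cannot be deleted
     * @throws KrbException if the TGT request fails or the cache cannot be stored
     */
    public long storeTgt(Path path) throws IOException, KrbException {
        Files.deleteIfExists(path);

        KOptions options = new KOptions();
        options.add(KrbOption.CLIENT_PRINCIPAL, this.username);
        options.add(KrbOption.USE_PASSWD, true);
        options.add(KrbOption.USER_PASSWD, this.password);
        options.add(KrbOption.CONN_TIMEOUT, 30000);
        // Least privilege: the ticket cannot be forwarded or proxied to other hosts.
        options.add(KrbKdcOption.FORWARDABLE, false);
        options.add(KrbKdcOption.PROXIABLE, false);

        KrbClient krbClient = new KrbClient(ClientUtil.getDefaultConfig());
        krbClient.init();
        TgtTicket tgt = krbClient.requestTgt(options);
        try {
            // No permissions are set on the file here; see the class-level security notes.
            new CredentialCache(tgt).store(path.toFile());
            return tgt.getEncKdcRepPart().getEndTime().getTime();
        } catch (IOException e) {
            throw new KrbException("Failed to store tgt", e);
        }
    }
}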
