package org.elasticsearch.storm.security;

import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.storm.security.INimbusCredentialPlugin;
import org.apache.storm.security.auth.IAutoCredentials;
import org.apache.storm.security.auth.ICredentialsRenewer;
import org.elasticsearch.hadoop.EsHadoopException;
import org.elasticsearch.hadoop.EsHadoopIllegalArgumentException;
import org.elasticsearch.hadoop.cfg.CompositeSettings;
import org.elasticsearch.hadoop.mr.security.TokenUtil;
import org.elasticsearch.hadoop.rest.InitializationUtils;
import org.elasticsearch.hadoop.rest.RestClient;
import org.elasticsearch.hadoop.security.AuthenticationMethod;
import org.elasticsearch.hadoop.security.EsToken;
import org.elasticsearch.hadoop.security.JdkUser;
import org.elasticsearch.hadoop.security.JdkUserProvider;
import org.elasticsearch.hadoop.security.LoginUtil;
import org.elasticsearch.hadoop.util.FastByteArrayInputStream;
import org.elasticsearch.hadoop.util.FastByteArrayOutputStream;
import org.elasticsearch.hadoop.util.StringUtils;
import org.elasticsearch.storm.cfg.StormSettings;

/* loaded from: input_file:org/elasticsearch/storm/security/AutoElasticsearch.class */
public class AutoElasticsearch implements IAutoCredentials, ICredentialsRenewer, INimbusCredentialPlugin {
    private static final Log LOG = LogFactory.getLog(AutoElasticsearch.class);
    private static final String ELASTICSEARCH_CREDENTIALS = "ELASTICSEARCH_CREDENTIALS";
    public static final String USER_PRINCIPAL = "es.storm.autocredentials.user.principal";
    public static final String USER_KEYTAB = "es.storm.autocredentials.user.keytab";
    private StormSettings clusterSettings;

    public void prepare(Map map) {
        LOG.debug("Receiving cluster configuration");
        this.clusterSettings = new StormSettings(map);
    }

    public void populateCredentials(Map<String, String> map, Map map2) {
        populateCredentials(map, map2, null);
    }

    public void populateCredentials(Map<String, String> map, Map<String, Object> map2, String str) {
        LOG.debug("Populating credentials...");
        final CompositeSettings compositeSettings = new CompositeSettings(Arrays.asList(new StormSettings(map2), this.clusterSettings));
        if (!AuthenticationMethod.KERBEROS.equals(compositeSettings.getSecurityAuthenticationMethod())) {
            throw new EsHadoopIllegalArgumentException("Configured Elasticsearch autocredential plugin but did not enable ES Kerberos [es.security.authentication]. Bailing out...");
        }
        String property = compositeSettings.getProperty(USER_PRINCIPAL);
        if (property == null) {
            throw new EsHadoopIllegalArgumentException("Configured Elasticsearch autocredential plugin but did not provide [es.storm.autocredentials.user.principal] setting. Bailing out...");
        }
        String property2 = compositeSettings.getProperty(USER_KEYTAB);
        if (property2 == null) {
            throw new EsHadoopIllegalArgumentException("Configured Elasticsearch autocredential plugin but did not provide [es.storm.autocredentials.user.keytab] setting. Bailing out...");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("Performing login for [%s] using [%s]", property, property2));
        }
        try {
            LoginContext keytabLogin = LoginUtil.keytabLogin(property, property2);
            InitializationUtils.setUserProviderIfNotSet(compositeSettings, JdkUserProvider.class, LOG);
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("Obtaining token for [%s]", property));
            }
            try {
                try {
                    EsToken esToken = (EsToken) Subject.doAs(keytabLogin.getSubject(), new PrivilegedExceptionAction<EsToken>() { // from class: org.elasticsearch.storm.security.AutoElasticsearch.1
                        /* JADX WARN: Can't rename method to resolve collision */
                        @Override // java.security.PrivilegedExceptionAction
                        public EsToken run() throws Exception {
                            RestClient restClient = new RestClient(compositeSettings);
                            try {
                                return restClient.createNewApiToken(TokenUtil.KEY_NAME_PREFIX + UUID.randomUUID().toString());
                            } finally {
                                restClient.close();
                            }
                        }
                    });
                    if (LOG.isDebugEnabled()) {
                        LOG.debug(String.format("Obtained token [%s] for principal [%s]", esToken.getName(), property));
                    }
                    putCred(ELASTICSEARCH_CREDENTIALS, esToken, map);
                } finally {
                    try {
                        keytabLogin.logout();
                    } catch (LoginException e) {
                        LOG.warn("Could not complete logout operation", e);
                    }
                }
            } catch (PrivilegedActionException e2) {
                throw new EsHadoopException("Could not retrieve delegation token", e2);
            }
        } catch (LoginException e3) {
            throw new EsHadoopException("Could not perform keytab login", e3);
        }
    }

    public void shutdown() {
    }

    public void renew(Map<String, String> map, Map map2) {
        renew(map, map2, null);
    }

    public void renew(Map<String, String> map, Map<String, Object> map2, String str) {
        LOG.debug("Checking for credential renewal");
        EsToken cred = getCred(ELASTICSEARCH_CREDENTIALS, map);
        if (cred == null) {
            LOG.debug("Could not locate token to refresh!");
            return;
        }
        LOG.debug("Checking token lifetime to see if refresh is required...");
        long currentTimeMillis = System.currentTimeMillis();
        long expirationTime = cred.getExpirationTime();
        if (currentTimeMillis > expirationTime) {
            LOG.debug("ES Token expired. Renewing token...");
            populateCredentials(map, map2, str);
            return;
        }
        int nimbusCredentialRenewersFrequencySeconds = this.clusterSettings.getNimbusCredentialRenewersFrequencySeconds();
        if (nimbusCredentialRenewersFrequencySeconds < 0) {
            LOG.debug("Invalid renewal window configured. Renewing token...");
            populateCredentials(map, map2, str);
        } else if (currentTimeMillis + TimeUnit.SECONDS.convert(nimbusCredentialRenewersFrequencySeconds, TimeUnit.MILLISECONDS) <= expirationTime) {
            LOG.debug("Token expiration is longer than renewal window. Token will be renewed at a later time.");
        } else {
            LOG.debug("ES Token will expire before next renewal window. Renewing token...");
            populateCredentials(map, map2, str);
        }
    }

    public void populateCredentials(Map<String, String> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Auto Credential Class Loaded on submission client");
        }
        map.put(ELASTICSEARCH_CREDENTIALS, "placeholder");
    }

    public void populateSubject(Subject subject, Map<String, String> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Loading credentials to subject on worker side");
        }
        EsToken cred = getCred(ELASTICSEARCH_CREDENTIALS, map);
        if (cred != null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug(String.format("Loaded token [%s]. Adding to subject...", cred.getName()));
            }
            new JdkUser(subject, this.clusterSettings).addEsToken(cred);
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("Found no credentials to load");
        }
    }

    public void updateSubject(Subject subject, Map<String, String> map) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Performing subject update");
        }
        populateSubject(subject, map);
    }

    private void putCred(String str, EsToken esToken, Map<String, String> map) {
        FastByteArrayOutputStream fastByteArrayOutputStream = new FastByteArrayOutputStream();
        try {
            esToken.writeOut(new DataOutputStream(fastByteArrayOutputStream));
            map.put(str, new String(Base64.encodeBase64(fastByteArrayOutputStream.bytes().bytes()), StringUtils.UTF_8));
        } catch (IOException e) {
            throw new EsHadoopException("Could not serialize EsToken", e);
        }
    }

    private EsToken getCred(String str, Map<String, String> map) {
        EsToken esToken = null;
        String str2 = map.get(str);
        if (str2 != null && !str2.equals("placeholder")) {
            try {
                esToken = new EsToken(new DataInputStream(new FastByteArrayInputStream(Base64.decodeBase64(str2))));
            } catch (IOException e) {
                throw new EsHadoopException("Could not deserialize EsToken", e);
            }
        }
        return esToken;
    }
}
