package org.apache.drill.exec.server.rest.auth;

import java.lang.reflect.Field;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.apache.drill.common.exceptions.DrillException;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.planner.physical.PlannerSettings;
import org.apache.drill.exec.server.DrillbitContext;
import org.apache.drill.exec.server.options.SystemOptionManager;
import org.apache.drill.exec.util.ImpersonationUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.SpnegoLoginService;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.B64Code;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/drill/exec/server/rest/auth/DrillSpnegoLoginService.class */
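/**
 * Jetty login service that authenticates Drill REST/web clients with SPNEGO.
 *
 * <p>The client's Base64-encoded token is accepted through GSS-API while running as the
 * Drillbit's logged-in {@link UserGroupInformation}. On success the client principal is
 * wrapped in a {@link DrillUserPrincipal} and given either the admin or the non-admin role
 * set. Every failure path returns {@code null}, i.e. authentication fails closed.
 */
public class DrillSpnegoLoginService extends SpnegoLoginService {
    private static final Logger logger = LoggerFactory.getLogger(DrillSpnegoLoginService.class);

    /** Name of the private field of {@link SpnegoLoginService} that this class overwrites. */
    private static final String TARGET_NAME_FIELD_NAME = "_targetName";

    /** GSS-API mechanism OID for SPNEGO. */
    private static final String SPNEGO_MECH_OID = "1.3.6.1.5.5.2";

    /** GSS-API mechanism OID for Kerberos v5. */
    private static final String KERBEROS_V5_MECH_OID = "1.2.840.113554.1.2.2";

    private final DrillbitContext drillContext;
    private final SpnegoConfig spnegoConfig;
    private final UserGroupInformation loggedInUgi;

    /**
     * Builds the service from the Drillbit configuration and validates the SPNEGO settings
     * before any login can be attempted.
     *
     * @param drillbitContext context supplying the Drill config and the system option manager
     * @throws DrillException declared by this constructor; presumably raised by the
     *     configuration validation or the UGI lookup (SpnegoConfig is not shown here)
     */
    public DrillSpnegoLoginService(DrillbitContext drillbitContext) throws DrillException {
        super(DrillSpnegoLoginService.class.getName());
        setIdentityService(new DefaultIdentityService());
        this.drillContext = drillbitContext;
        this.spnegoConfig = new SpnegoConfig(drillbitContext.getConfig());
        this.spnegoConfig.validateSpnegoConfig();
        this.loggedInUgi = this.spnegoConfig.getLoggedInUgi();
    }

    /**
     * Writes the configured SPNEGO service principal into the parent's private
     * {@code _targetName} field. The parent's {@code doStart()} is not called.
     *
     * @throws Exception if the field cannot be found or written via reflection
     */
    @Override
    protected void doStart() throws Exception {
        // Reflection is needed because the parent keeps this field private. The lookup is
        // tied to the Jetty field name, so a renamed field makes startup fail here instead
        // of leaving the service running with an unset target name.
        // NOTE(review): super.doStart() is skipped, presumably to bypass the parent's own
        // configuration loading; confirm against the Jetty version in use.
        Field targetNameField = SpnegoLoginService.class.getDeclaredField(TARGET_NAME_FIELD_NAME);
        targetNameField.setAccessible(true);
        targetNameField.set(this, this.spnegoConfig.getSpnegoPrincipal());
    }

    /**
     * Authenticates a client by running {@link #spnegoLogin(Object)} as the logged-in UGI.
     *
     * @param str user name supplied by the container; not used by this implementation
     * @param obj Base64-encoded SPNEGO token taken from the request
     * @return the authenticated identity, or {@code null} when authentication fails
     */
    @Override
    public UserIdentity login(String str, final Object obj) {
        try {
            return this.loggedInUgi.doAs(new PrivilegedExceptionAction<UserIdentity>() {
                @Override
                public UserIdentity run() {
                    return DrillSpnegoLoginService.this.spnegoLogin(obj);
                }
            });
        } catch (Exception e) {
            if (e instanceof InterruptedException) {
                // Keep the interrupt visible to the caller's thread instead of swallowing it.
                Thread.currentThread().interrupt();
            }
            // Any failure is treated as a failed login; the token itself is never logged.
            logger.error("Failed to login using SPNEGO", e);
            return null;
        }
    }

    /**
     * Accepts the client's SPNEGO token and builds the resulting user identity.
     *
     * <p>NOTE(review): the decompiler widened this method's visibility (it was private in
     * the compiled class); it is kept public here only to leave the interface unchanged.
     * It must run inside the logged-in UGI's {@code doAs}, as {@link #login} does.
     *
     * @param obj Base64-encoded SPNEGO token; anything that is not a {@code String} is rejected
     * @return the authenticated identity, or {@code null} when the token is not accepted
     */
    public UserIdentity spnegoLogin(Object obj) {
        // Fail closed on a missing or non-String credential rather than letting a
        // ClassCastException or NullPointerException escape to a direct caller.
        if (!(obj instanceof String)) {
            logger.debug("SPNEGO login rejected: credential is not a Base64 string");
            return null;
        }
        byte[] token = B64Code.decode((String) obj);
        GSSManager gssManager = GSSManager.getInstance();
        GSSCredential serverCredential = null;
        GSSContext gssContext = null;
        try {
            // Both mechanisms are offered so that a client may negotiate via SPNEGO or
            // present a bare Kerberos v5 token.
            Oid[] acceptedMechs = {new Oid(SPNEGO_MECH_OID), new Oid(KERBEROS_V5_MECH_OID)};
            GSSName serverName =
                    gssManager.createName(this.spnegoConfig.getSpnegoPrincipal(), (Oid) null);
            // The GSS-API constants replace the decompiled arguments
            // (PlannerSettings.MAX_BROADCAST_THRESHOLD and the literal 2), so the credential
            // lifetime no longer depends on an unrelated planner setting.
            serverCredential = gssManager.createCredential(
                    serverName, GSSCredential.INDEFINITE_LIFETIME, acceptedMechs,
                    GSSCredential.ACCEPT_ONLY);
            gssContext = gssManager.createContext(serverCredential);
            if (gssContext == null) {
                logger.debug("SPNEGOUserRealm: failed to establish GSSContext");
                return null;
            }
            while (!gssContext.isEstablished()) {
                token = gssContext.acceptSecContext(token, 0, token.length);
                if (token == null) {
                    // No further token to process: stop instead of dereferencing null.
                    break;
                }
            }
            if (!gssContext.isEstablished()) {
                return null;
            }

            String gSSName = gssContext.getSrcName().toString();

            // The admin lists hold user and group names, so the check must be made with
            // the client's user name. The previous code passed the text after '@' (the
            // realm), which decided admin rights from the realm string instead.
            String shortName;
            try {
                shortName = UserGroupInformation.createRemoteUser(gSSName).getShortUserName();
            } catch (IllegalArgumentException e) {
                // The principal could not be mapped to a local user name: reject the login
                // rather than guess which user the admin check should apply to.
                logger.warn("Rejecting SPNEGO login: cannot map client principal to a user name", e);
                return null;
            }

            SystemOptionManager optionManager = this.drillContext.getOptionManager();
            boolean hasAdminPrivileges = ImpersonationUtil.hasAdminPrivileges(
                    shortName,
                    ExecConstants.ADMIN_USERS_VALIDATOR.getAdminUsers(optionManager),
                    ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getAdminUserGroups(optionManager));

            // NOTE(review): the principal is still registered under the full GSS name, as
            // before; confirm whether downstream code expects the short name instead.
            DrillUserPrincipal drillUserPrincipal = new DrillUserPrincipal(gSSName, hasAdminPrivileges);
            Subject subject = new Subject();
            subject.getPrincipals().add(drillUserPrincipal);
            if (hasAdminPrivileges) {
                return this._identityService.newUserIdentity(
                        subject, drillUserPrincipal, DrillUserPrincipal.ADMIN_USER_ROLES);
            }
            return this._identityService.newUserIdentity(
                    subject, drillUserPrincipal, DrillUserPrincipal.NON_ADMIN_USER_ROLES);
        } catch (GSSException e) {
            logger.warn("Caught GSSException trying to authenticate the client", e);
            return null;
        } finally {
            // Release the GSS context and the acceptor credential on every exit path.
            if (gssContext != null) {
                try {
                    gssContext.dispose();
                } catch (GSSException e) {
                    logger.debug("Failed to dispose GSSContext", e);
                }
            }
            if (serverCredential != null) {
                try {
                    serverCredential.dispose();
                } catch (GSSException e) {
                    logger.debug("Failed to dispose GSSCredential", e);
                }
            }
        }
    }
}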
