package me.prettyprint.cassandra.connection.client;

import com.sun.security.auth.module.Krb5LoginModule;
import java.io.IOException;
import java.net.SocketException;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import java.util.TreeMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import me.prettyprint.cassandra.service.CassandraHost;
import me.prettyprint.hector.api.exceptions.HectorTransportException;
import org.apache.thrift.transport.TSSLTransportFactory;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:me/prettyprint/cassandra/connection/client/HSaslThriftClient.class */
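/**
 * Thrift client that authenticates to a Cassandra host with Kerberos (SASL mechanism
 * {@code GSSAPI}). The underlying socket is plain TCP unless TLS parameters are supplied
 * through the three-argument constructor.
 *
 * <p>Security notes:
 * <ul>
 *   <li>{@link #SASL_PROPS} requests QOP {@code auth}, i.e. authentication only. No SASL
 *       integrity or confidentiality layer is negotiated, so when no TLS parameters are given
 *       the traffic following the handshake is neither encrypted nor integrity-protected.</li>
 *   <li>Kerberos login options are taken from {@code kerberos.*} JVM system properties, so any
 *       code able to set system properties decides which keytab and principal are used.</li>
 * </ul>
 */
public class HSaslThriftClient extends HThriftClient implements HClient {
    private static final Logger log = LoggerFactory.getLogger(HSaslThriftClient.class);

    /**
     * SASL negotiation properties handed to every {@code TSaslClientTransport} created by
     * {@link #openKerberosTransport(TTransport, String)}.
     *
     * <p>NOTE(review): this map is public, mutable and shared by all connections in the JVM.
     * Any caller can change the QOP or switch off server authentication for every later
     * connection. It is left mutable here because existing callers may rely on that; treat
     * writes to it as a security-relevant configuration change.
     */
    public static final Map<String, String> SASL_PROPS = defaultSaslProps();

    /** Kerberos service principal of the server, expected as {@code service/host[@REALM]}. */
    private String servicePrincipalName;

    /** TLS settings for the socket; {@code null} selects a plain (non-TLS) socket. */
    private TSSLTransportFactory.TSSLTransportParameters params;

    /** Builds the initial contents of {@link #SASL_PROPS}. */
    private static Map<String, String> defaultSaslProps() {
        Map<String, String> props = new TreeMap<String, String>();
        // "auth" = authentication only; "auth-int" / "auth-conf" would add a protection layer.
        props.put("javax.security.sasl.qop", "auth");
        // Ask for mutual authentication: the server must prove its identity to the client.
        props.put("javax.security.sasl.server.authentication", "true");
        return props;
    }

    /**
     * In-memory JAAS configuration with a single {@link Krb5LoginModule} entry, so no external
     * JAAS configuration file is needed.
     *
     * <p>The defaults disable prompting and enable the ticket cache, TGT renewal and keytab use.
     * Each recognised option can be overridden with a {@code kerberos.<option>} system property.
     */
    public static class KerberosUserConfiguration extends Configuration {
        private static final HashMap<String, String> DEFAULT_KERBEROS_OPTIONS = new HashMap<>();
        private static final String[] recognizedOptions = {
            "debug", "useTicketCache", "ticketCache", "renewTGT", "useKeyTab", "keyTab", "principal"
        };

        static {
            // doNotPrompt together with the null CallbackHandler used at login means credentials
            // can only come from the ticket cache or a keytab, never from interactive input.
            DEFAULT_KERBEROS_OPTIONS.put("doNotPrompt", "true");
            DEFAULT_KERBEROS_OPTIONS.put("useTicketCache", "true");
            DEFAULT_KERBEROS_OPTIONS.put("renewTGT", "true");
            DEFAULT_KERBEROS_OPTIONS.put("useKeyTab", "true");
        }

        private HashMap<String, String> options = new HashMap<>(DEFAULT_KERBEROS_OPTIONS);

        /**
         * Copies the defaults and overlays every {@code kerberos.<option>} system property that
         * is set. Applied values (keytab path and principal included) are written to the debug
         * log.
         */
        public KerberosUserConfiguration() {
            HSaslThriftClient.log.debug("Setting Kerberos options:");
            for (String option : recognizedOptions) {
                String value = System.getProperty("kerberos." + option);
                if (value != null) {
                    HSaslThriftClient.log.debug("  {}: {}", option, value);
                    this.options.put(option, value);
                }
            }
        }

        /**
         * Returns the single Kerberos login module entry, whatever application name is asked for.
         *
         * @param str JAAS application name; ignored
         * @return a one-element array holding the {@link Krb5LoginModule} entry
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            // NOTE(review): the flag is OPTIONAL, but as the only configured module its failure
            // still fails the overall login; REQUIRED would state that intent more directly.
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    Krb5LoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL,
                    this.options)
            };
        }
    }

    /**
     * Creates a client that connects over a plain (non-TLS) socket.
     *
     * @param cassandraHost host to connect to
     * @param str Kerberos service principal of the server, {@code service/host[@REALM]}
     */
    public HSaslThriftClient(CassandraHost cassandraHost, String str) {
        super(cassandraHost);
        this.servicePrincipalName = str;
    }

    /**
     * Creates a client that connects over a TLS socket built from the given parameters.
     *
     * @param cassandraHost host to connect to
     * @param str Kerberos service principal of the server, {@code service/host[@REALM]}
     * @param tSSLTransportParameters TLS settings; {@code null} falls back to a plain socket
     */
    public HSaslThriftClient(CassandraHost cassandraHost, String str, TSSLTransportFactory.TSSLTransportParameters tSSLTransportParameters) {
        super(cassandraHost);
        this.servicePrincipalName = str;
        this.params = tSSLTransportParameters;
    }

    /**
     * Opens the socket, performs the Kerberos/SASL handshake and installs the resulting transport.
     *
     * <p>On any failure the raw socket is closed before the exception leaves this method, so a
     * rejected or aborted handshake does not leave a connection to the server behind.
     *
     * @return this client, now open
     * @throws IllegalStateException if the client is already open
     * @throws HectorTransportException if the socket cannot be created or configured, the
     *     Kerberos login fails, or the SASL handshake fails
     */
    @Override
    public HSaslThriftClient open() {
        if (isOpen()) {
            throw new IllegalStateException("Open called on already open SASL connection. You should not have gotten here.");
        }
        if (log.isDebugEnabled()) {
            log.debug("Creating a new SASL thrift connection to {}", this.cassandraHost);
        }

        final TSocket socket;
        try {
            socket = this.params == null
                ? new TSocket(this.cassandraHost.getHost(), this.cassandraHost.getPort(), this.timeout)
                : TSSLTransportFactory.getClientSocket(this.cassandraHost.getHost(), this.cassandraHost.getPort(), this.timeout, this.params);
        } catch (TTransportException e) {
            throw new HectorTransportException("Could not get client socket: ", e);
        }

        boolean established = false;
        try {
            if (this.cassandraHost.getUseSocketKeepalive()) {
                try {
                    socket.getSocket().setKeepAlive(true);
                } catch (SocketException e) {
                    throw new HectorTransportException("Could not set SO_KEEPALIVE on socket: ", e);
                }
            }
            try {
                this.transport = openKerberosTransport(socket, this.servicePrincipalName);
                this.transport = maybeWrapWithTFramedTransport(this.transport);
                established = true;
                return this;
            } catch (LoginException e) {
                log.error("Kerberos login failed: ", e);
                close();
                throw new HectorTransportException("Kerberos context couldn't be established with client: ", e);
            } catch (TTransportException e) {
                log.error("Failed to open Kerberos transport.", e);
                close();
                throw new HectorTransportException("Kerberos context couldn't be established with client: ", e);
            }
        } finally {
            if (!established) {
                // close() is inherited and not visible here; when the handshake fails,
                // this.transport was never assigned, so the socket is released directly.
                socket.close();
            }
        }
    }

    /**
     * Logs in through Kerberos and opens a SASL/GSSAPI transport on top of {@code tTransport}.
     *
     * <p>The service principal is validated before the Kerberos login, so a malformed name fails
     * without touching the ticket cache or keytab. A failed SASL handshake is reported as the
     * {@link TTransportException} raised by the transport, which lets callers such as
     * {@link #open()} run their cleanup instead of seeing an unchecked exception.
     *
     * @param tTransport underlying transport to wrap
     * @param str server principal in the form {@code service/host[@REALM]}
     * @return the opened SASL transport
     * @throws LoginException if the Kerberos login fails
     * @throws TTransportException if the principal is malformed or the SASL handshake fails
     */
    public static TTransport openKerberosTransport(TTransport tTransport, String str) throws LoginException, TTransportException {
        try {
            log.debug("Opening kerberos transport...");
            String[] serviceAndHost = splitServicePrincipal(str);

            Subject subject = new Subject();
            new LoginContext("Client", subject, (CallbackHandler) null, new KerberosUserConfiguration()).login();

            final TSaslClientTransport saslTransport = new TSaslClientTransport("GSSAPI", (String) null, serviceAndHost[0], serviceAndHost[1], SASL_PROPS, (CallbackHandler) null, tTransport);

            // PrivilegedAction.run() cannot throw checked exceptions, so the failure is carried
            // out of the action in a holder and rethrown with its original type.
            final TTransportException[] handshakeFailure = new TTransportException[1];
            Subject.doAs(subject, new PrivilegedAction<Void>() {
                @Override
                public Void run() {
                    try {
                        saslTransport.open();
                    } catch (TTransportException e) {
                        handshakeFailure[0] = e;
                    }
                    return null;
                }
            });
            if (handshakeFailure[0] != null) {
                throw handshakeFailure[0];
            }

            log.debug("Kerberos transport opened successfully");
            return saslTransport;
        } catch (IOException e) {
            throw new TTransportException("Failed to open secure transport using KERBEROS", e);
        }
    }

    /**
     * Splits {@code service/host[@REALM]} into its service and host parts.
     *
     * @param principal server principal name; may be {@code null}
     * @return a two-element array: service name, then host name
     * @throws IOException if the name is {@code null} or lacks exactly one {@code /} separator
     *     before the realm
     */
    private static String[] splitServicePrincipal(String principal) throws IOException {
        if (principal != null) {
            // Cut at the first '@' by index: "@".split("@") is an empty array, and indexing
            // into it would throw instead of producing the intended error message.
            int realmAt = principal.indexOf('@');
            String nameAndHost = realmAt < 0 ? principal : principal.substring(0, realmAt);
            String[] parts = nameAndHost.split("[/]");
            if (parts.length == 2) {
                return parts;
            }
        }
        throw new IOException("Kerberos principal name does NOT have the expected hostname part: " + principal);
    }
}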
