package org.apache.hadoop.hive.metastore.utils;

import com.google.common.base.Preconditions;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.hive.metastore.api.MetaException;
import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
import org.apache.hadoop.hive.metastore.security.DBTokenStore;
import org.apache.hadoop.hive.metastore.security.DelegationTokenIdentifier;
import org.apache.hadoop.hive.metastore.security.DelegationTokenSelector;
import org.apache.hadoop.hive.metastore.security.MemoryTokenStore;
import org.apache.hadoop.hive.metastore.security.ZooKeeperTokenStore;
import org.apache.hadoop.hive.metastore.thrift.TCustomSSLTransportFactory;
import org.apache.hadoop.hive.metastore.thrift.TCustomServerSocket;
import org.apache.hadoop.hive.metastore.thrift.TCustomSocket;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.util.PublicSuffixMatcher;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.BasicHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.apache.thrift.transport.THttpClient;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/metastore/utils/SecurityUtils.class */
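/**
 * Security helpers for the Hive metastore: Kerberos/JAAS login wiring, delegation-token
 * handling, and construction of TLS-protected Thrift server and client transports.
 *
 * <p>All methods are static and stateless; the only shared state touched is JVM-global
 * (system properties and the JAAS {@link Configuration}) in
 * {@link #setZookeeperClientKerberosJaasConfig(String, String)}.
 */
public class SecurityUtils {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityUtils.class);

    /** Hadoop conf key naming the delegation-token store implementation class. */
    private static final String DELEGATION_TOKEN_STORE_CLS = "hive.cluster.delegation.token.store.class";

    // Token-store class names from before the classes were relocated; still accepted in configs.
    private static final String LEGACY_DB_TOKEN_STORE = "org.apache.hadoop.hive.thrift.DBTokenStore";
    private static final String LEGACY_MEMORY_TOKEN_STORE = "org.apache.hadoop.hive.thrift.MemoryTokenStore";
    private static final String LEGACY_ZK_TOKEN_STORE = "org.apache.hadoop.hive.thrift.ZooKeeperTokenStore";

    /** JAAS login-context name installed for (and advertised to) the ZooKeeper client. */
    private static final String ZK_CLIENT_LOGIN_CONTEXT = "HiveZooKeeperClient";

    /**
     * JAAS {@link Configuration} that answers exactly one login-context name with a
     * keytab-based Kerberos login and delegates every other name to the configuration that
     * was installed when this instance was created.
     */
    private static class JaasConfiguration extends Configuration {
        // IBM JDKs ship a Krb5LoginModule with different option names. A missing vendor
        // property is treated as "not IBM" instead of failing class initialisation.
        private static final boolean IBM_JAVA = System.getProperty("java.vendor", "").contains("IBM");

        // Snapshot of the previously active configuration, used for foreign context names.
        private final Configuration baseConfig = Configuration.getConfiguration();
        private final String loginContextName;
        private final String principal;
        private final String keyTabFile;

        /**
         * @param loginContextName JAAS context name this configuration answers
         * @param principal        Kerberos principal to log in as
         * @param keyTabFile       path of the keytab holding that principal's key
         */
        public JaasConfiguration(String loginContextName, String principal, String keyTabFile) {
            this.loginContextName = loginContextName;
            this.principal = principal;
            this.keyTabFile = keyTabFile;
        }

        /**
         * Returns a single REQUIRED Krb5LoginModule entry for {@code name} when it matches the
         * configured context name; otherwise the base configuration's answer (or null when no
         * base configuration was present).
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!loginContextName.equals(name)) {
                // Not ours: fall through to whatever JAAS configuration was active before.
                return baseConfig == null ? null : baseConfig.getAppConfigurationEntry(name);
            }
            Map<String, String> options = new HashMap<>();
            if (IBM_JAVA) {
                options.put("credsType", "both");
                options.put("useKeytab", keyTabFile);
            } else {
                // Never fall back to interactive prompting on a server process.
                options.put("doNotPrompt", "true");
                options.put("storeKey", "true");
                options.put("useKeyTab", "true");
                options.put("keyTab", keyTabFile);
            }
            options.put("principal", principal);
            options.put("refreshKrb5Config", "true");
            AppConfigurationEntry entry = new AppConfigurationEntry(
                KerberosUtil.getKrb5LoginModuleName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options);
            return new AppConfigurationEntry[] {entry};
        }
    }

    /**
     * Returns the UGI work should run as.
     *
     * <p>When the {@code HADOOP_USER_NAME} environment variable is set and non-empty, a proxy
     * user of that name is created on top of the login user (impersonation); otherwise the
     * current user is returned unchanged.
     *
     * @throws LoginException declared for callers; retained from the original contract
     * @throws IOException if the login or current user cannot be determined
     */
    public static UserGroupInformation getUGI() throws LoginException, IOException {
        String doAsUser = System.getenv("HADOOP_USER_NAME");
        if (doAsUser == null || doAsUser.isEmpty()) {
            return UserGroupInformation.getCurrentUser();
        }
        return UserGroupInformation.createProxyUser(doAsUser, UserGroupInformation.getLoginUser());
    }

    /**
     * Installs a process-wide JAAS configuration so the ZooKeeper client authenticates with
     * Kerberos using the given principal and keytab.
     *
     * <p>This replaces the JVM's JAAS {@link Configuration}; names other than the ZooKeeper
     * client context are delegated to the previously installed configuration.
     *
     * @param principal  Kerberos principal; any {@code _HOST} placeholder is expanded by
     *                   {@link SecurityUtil#getServerPrincipal(String, String)}
     * @param keyTabFile path of the keytab for that principal
     */
    public static void setZookeeperClientKerberosJaasConfig(String principal, String keyTabFile) throws IOException {
        // ZooKeeper reads this system property to find its SASL client login context.
        System.setProperty("zookeeper.sasl.clientconfig", ZK_CLIENT_LOGIN_CONTEXT);
        String serverPrincipal = SecurityUtil.getServerPrincipal(principal, "0.0.0.0");
        Configuration.setConfiguration(new JaasConfiguration(ZK_CLIENT_LOGIN_CONTEXT, serverPrincipal, keyTabFile));
    }

    /**
     * Looks up the current user's delegation token for the given service signature.
     *
     * @param tokenSignature service name the token was issued for; null selects the empty service
     * @return the token in URL-safe string form, or null when the user holds no matching token
     */
    public static String getTokenStrForm(String tokenSignature) throws IOException {
        Text service = tokenSignature == null ? new Text() : new Text(tokenSignature);
        Token<?> token = new DelegationTokenSelector().selectToken(
            service, UserGroupInformation.getCurrentUser().getTokens());
        return token == null ? null : token.encodeToUrlString();
    }

    /**
     * Decodes a URL-form delegation token, tags it with {@code tokenService}, and adds it to
     * {@code ugi}'s credentials.
     *
     * @throws IOException if the token string cannot be decoded
     */
    public static void setTokenStr(UserGroupInformation ugi, String tokenStr, String tokenService) throws IOException {
        ugi.addToken(createToken(tokenStr, tokenService));
    }

    /** Builds a {@link DelegationTokenIdentifier} token from its URL-form encoding and a service name. */
    private static Token<DelegationTokenIdentifier> createToken(String tokenStr, String tokenService) throws IOException {
        Token<DelegationTokenIdentifier> token = new Token<>();
        token.decodeFromUrlString(tokenStr);
        token.setService(new Text(tokenService));
        return token;
    }

    /**
     * Resolves the delegation-token store class to instantiate.
     *
     * <p>A blank value selects {@link MemoryTokenStore}. The three class names from the old
     * {@code org.apache.hadoop.hive.thrift} package are mapped to their current locations so
     * existing configurations keep working; any other value is returned verbatim.
     *
     * @param conf Hadoop configuration holding {@value #DELEGATION_TOKEN_STORE_CLS}
     */
    public static String getTokenStoreClassName(org.apache.hadoop.conf.Configuration conf) {
        String configured = conf.get(DELEGATION_TOKEN_STORE_CLS, "");
        if (org.apache.commons.lang.StringUtils.isBlank(configured)) {
            return MemoryTokenStore.class.getName();
        }
        switch (configured) {
            case LEGACY_DB_TOKEN_STORE:
                return DBTokenStore.class.getName();
            case LEGACY_MEMORY_TOKEN_STORE:
                return MemoryTokenStore.class.getName();
            case LEGACY_ZK_TOKEN_STORE:
                return ZooKeeperTokenStore.class.getName();
            default:
                return configured;
        }
    }

    /**
     * Returns the user name of {@link #getUGI()}.
     *
     * @throws IOException on any login failure; a {@link LoginException} is wrapped so callers
     *                     deal with a single exception type
     */
    public static String getUser() throws IOException {
        try {
            return getUGI().getUserName();
        } catch (LoginException e) {
            throw new IOException(e);
        }
    }

    /** Address to bind: the wildcard address when {@code host} is null or empty, else {@code host}. */
    private static InetSocketAddress bindAddress(String host, int port) {
        return (host == null || host.isEmpty()) ? new InetSocketAddress(port) : new InetSocketAddress(host, port);
    }

    /** Returns {@code value} unless it is null or empty, in which case {@code fallback}. */
    private static String defaultIfEmpty(String value, String fallback) {
        return (value == null || value.isEmpty()) ? fallback : value;
    }

    /**
     * Creates a plain (non-TLS) Thrift server socket.
     *
     * @param conf     used for {@link MetastoreConf.ConfVars#THRIFT_SOCKET_BUFFER_SIZE}
     * @param hiveHost interface to bind; null/empty binds all interfaces
     * @param portNum  port to listen on
     */
    public static TCustomServerSocket getServerSocket(org.apache.hadoop.conf.Configuration conf, String hiveHost, int portNum)
            throws TTransportException {
        int bufferSize = MetastoreConf.getIntVar(conf, MetastoreConf.ConfVars.THRIFT_SOCKET_BUFFER_SIZE);
        return new TCustomServerSocket(bindAddress(hiveHost, portNum), bufferSize);
    }

    /**
     * Creates a TLS Thrift server socket backed by the given key store and strips the
     * blacklisted protocol versions from the socket's enabled protocols.
     *
     * @param conf                used for {@link MetastoreConf.ConfVars#THRIFT_SOCKET_BUFFER_SIZE}
     * @param hiveHost            interface to bind; null/empty binds all interfaces
     * @param portNum             port to listen on
     * @param keyStorePath        path of the server key store
     * @param keyStorePassWord    key store password
     * @param keyStoreType        key store type; null/empty means {@link KeyStore#getDefaultType()}
     * @param keyStoreAlgorithm   KeyManagerFactory algorithm; null/empty means the JSSE default
     * @param sslVersionBlacklist protocol names to disable, matched case-insensitively after
     *                            trimming; null is treated as empty
     */
    public static TCustomServerSocket getServerSSLSocket(org.apache.hadoop.conf.Configuration conf, String hiveHost, int portNum,
            String keyStorePath, String keyStorePassWord, String keyStoreType, String keyStoreAlgorithm,
            List<String> sslVersionBlacklist) throws TTransportException, UnknownHostException {
        TCustomSSLTransportFactory.HiveTSSLTransportParameters params =
            new TCustomSSLTransportFactory.HiveTSSLTransportParameters();
        params.setKeyStore(keyStorePath, keyStorePassWord,
            defaultIfEmpty(keyStoreAlgorithm, KeyManagerFactory.getDefaultAlgorithm()),
            defaultIfEmpty(keyStoreType, KeyStore.getDefaultType()));
        int bufferSize = MetastoreConf.getIntVar(conf, MetastoreConf.ConfVars.THRIFT_SOCKET_BUFFER_SIZE);
        // Second argument is the client timeout; 0 keeps accepted connections without a timeout.
        TCustomServerSocket serverSocket = TCustomSSLTransportFactory.getServerSocket(
            portNum, 0, bindAddress(hiveHost, portNum).getAddress(), params, bufferSize);
        if (serverSocket.getServerSocket() instanceof SSLServerSocket) {
            disableBlacklistedProtocols((SSLServerSocket) serverSocket.getServerSocket(), sslVersionBlacklist);
        }
        return serverSocket;
    }

    /**
     * Removes every protocol named in {@code blacklist} from the socket's enabled TLS protocols
     * and logs the protocols that remain. Matching is case-insensitive and ignores surrounding
     * whitespace; {@link Locale#ROOT} keeps the comparison independent of the default locale.
     */
    private static void disableBlacklistedProtocols(SSLServerSocket sslServerSocket, List<String> blacklist) {
        Set<String> disabled = new HashSet<>();
        if (blacklist != null) {
            for (String protocol : blacklist) {
                disabled.add(protocol.trim().toLowerCase(Locale.ROOT));
            }
        }
        List<String> enabled = new ArrayList<>();
        for (String protocol : sslServerSocket.getEnabledProtocols()) {
            if (disabled.contains(protocol.toLowerCase(Locale.ROOT))) {
                LOG.debug("Disabling SSL Protocol: " + protocol);
            } else {
                enabled.add(protocol);
            }
        }
        sslServerSocket.setEnabledProtocols(enabled.toArray(new String[0]));
        LOG.info("SSL Server Socket Enabled Protocols: " + Arrays.toString(sslServerSocket.getEnabledProtocols()));
    }

    /**
     * Opens a TLS Thrift client socket that trusts the given trust store and verifies the
     * server certificate against {@code host} (HTTPS-style endpoint identification).
     *
     * @param conf                 used for {@link MetastoreConf.ConfVars#THRIFT_SOCKET_BUFFER_SIZE}
     * @param host                 server host to connect to
     * @param port                 server port
     * @param loginTimeout         socket timeout passed to the transport factory
     * @param trustStorePath       path of the trust store
     * @param trustStorePassWord   trust store password
     * @param trustStoreType       trust store type; null/empty means {@link KeyStore#getDefaultType()}
     * @param trustStoreAlgorithm  TrustManagerFactory algorithm; null/empty means the JSSE default
     */
    public static TTransport getSSLSocket(org.apache.hadoop.conf.Configuration conf, String host, int port, int loginTimeout,
            String trustStorePath, String trustStorePassWord, String trustStoreType, String trustStoreAlgorithm)
            throws TTransportException {
        TCustomSSLTransportFactory.HiveTSSLTransportParameters params =
            new TCustomSSLTransportFactory.HiveTSSLTransportParameters();
        params.setTrustStore(trustStorePath, trustStorePassWord,
            defaultIfEmpty(trustStoreAlgorithm, TrustManagerFactory.getDefaultAlgorithm()),
            defaultIfEmpty(trustStoreType, KeyStore.getDefaultType()));
        // NOTE(review): set on the client-side parameters; presumably only consulted when a
        // server socket is built from them — confirm against TCustomSSLTransportFactory.
        params.requireClientAuth(true);
        int bufferSize = MetastoreConf.getIntVar(conf, MetastoreConf.ConfVars.THRIFT_SOCKET_BUFFER_SIZE);
        TCustomSocket socket = TCustomSSLTransportFactory.getClientSocket(host, port, loginTimeout, params, bufferSize);
        return getSSLSocketWithHttps(conf, socket);
    }

    /**
     * Turns on HTTPS-style endpoint identification for the socket so the JSSE checks that the
     * server certificate matches the connected host name, then wraps it in a new transport.
     */
    private static TTransport getSSLSocketWithHttps(org.apache.hadoop.conf.Configuration conf, TCustomSocket tCustomSocket)
            throws TTransportException {
        SSLSocket sslSocket = (SSLSocket) tCustomSocket.getSocket();
        SSLParameters sslParameters = sslSocket.getSSLParameters();
        sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
        sslSocket.setSSLParameters(sslParameters);
        int bufferSize = MetastoreConf.getIntVar(conf, MetastoreConf.ConfVars.THRIFT_SOCKET_BUFFER_SIZE);
        return new TCustomSocket(sslSocket, bufferSize);
    }

    /**
     * Builds a Thrift-over-HTTPS client whose connections trust only the given trust store and
     * verify the server host name with {@link DefaultHostnameVerifier}.
     *
     * @param httpsUrl             endpoint URL handed to {@link THttpClient}
     * @param trustStorePath       path of the trust store file
     * @param trustStorePassWord   trust store password; null skips the store's integrity check
     * @param trustStoreAlgorithm  TrustManagerFactory algorithm for the SSL context
     * @param trustStoreType       trust store type; null/empty means {@link KeyStore#getDefaultType()}
     * @param httpClientBuilder    builder that receives the TLS connection manager; must not be null
     * @throws NullPointerException if {@code httpClientBuilder} is null
     */
    public static THttpClient getThriftHttpsClient(String httpsUrl, String trustStorePath, String trustStorePassWord,
            String trustStoreAlgorithm, String trustStoreType, HttpClientBuilder httpClientBuilder)
            throws TTransportException, IOException, KeyStoreException, NoSuchAlgorithmException,
            CertificateException, KeyManagementException {
        Preconditions.checkNotNull(httpClientBuilder, "httpClientBuilder should not be null");
        KeyStore trustStore = KeyStore.getInstance(defaultIfEmpty(trustStoreType, KeyStore.getDefaultType()));
        char[] password = trustStorePassWord == null ? null : trustStorePassWord.toCharArray();
        // try-with-resources closes the stream on both the success and the failure path.
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        // Null TrustStrategy: rely purely on the trust store, no custom acceptance rule.
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
            SSLContexts.custom()
                .setTrustManagerFactoryAlgorithm(trustStoreAlgorithm)
                .loadTrustMaterial(trustStore, (TrustStrategy) null)
                .build(),
            new DefaultHostnameVerifier((PublicSuffixMatcher) null));
        httpClientBuilder.setConnectionManager(new BasicHttpClientConnectionManager(
            RegistryBuilder.create().register("https", socketFactory).build()));
        return new THttpClient(httpsUrl, httpClientBuilder.build());
    }

    /**
     * Re-logs in the keytab-based login user if its TGT is expiring. No-op when Hadoop security
     * is disabled or the login user did not come from a keytab.
     *
     * @throws MetaException wrapping any relogin {@link IOException}; the failure is also logged
     */
    public static void reloginExpiringKeytabUser() throws MetaException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return;
        }
        try {
            UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
            if (loginUser.isFromKeytab()) {
                loginUser.checkTGTAndReloginFromKeytab();
            }
        } catch (IOException e) {
            String msg = "Error doing relogin using keytab " + e.getMessage();
            LOG.error(msg, e);
            throw new MetaException(msg);
        }
    }
}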
