package org.apache.kudu.util;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.kudu.shaded.com.google.common.base.Joiner;
import org.apache.kudu.shaded.com.google.common.base.Preconditions;
import org.apache.kudu.shaded.com.google.common.collect.ImmutableMap;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

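@InterfaceAudience.Private
/**
 * Security helpers for the Kudu client: JAAS/Kerberos login from a ticket cache,
 * TGT lifetime checks on a {@link Subject}, and computation of the TLS
 * "tls-server-end-point" channel binding for a server certificate.
 *
 * <p>All methods are static; the class is not meant to be instantiated.
 */
public abstract class SecurityUtil {
    /** System property naming the Kerberos ticket cache; takes precedence over {@code KRB5CCNAME}. */
    public static final String KUDU_TICKETCACHE_PROPERTY = "kudu.krb5ccname";

    /** A TGT that expires within this many seconds is reported by {@link #needsRefresh} as needing refresh. */
    private static final long REFRESH_BEFORE_EXPIRATION_SECS = 10;

    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SecurityUtil.class);

    /**
     * Maps the digest part of a certificate's signature algorithm name (as it appears
     * before "with" in e.g. "SHA256withRSA") to the {@link MessageDigest} algorithm used
     * for the channel binding. Per the tls-server-end-point rules (RFC 5929), certificates
     * signed with MD5 or SHA-1 are hashed with SHA-256 instead of the weak digest.
     */
    private static final ImmutableMap<String, String> CERT_DIGEST_TO_MESSAGE_DIGEST =
            ImmutableMap.<String, String>builder()
                    .put("MD5", "SHA-256")
                    .put("SHA1", "SHA-256")
                    .put("SHA224", "SHA-224")
                    .put("SHA256", "SHA-256")
                    .put("SHA384", "SHA-384")
                    .put("SHA512", "SHA-512")
                    .build();

    /**
     * JAAS configuration that logs in with {@code Krb5LoginModule} from an existing
     * ticket cache only: no prompting, no keytab. The cache location comes from the
     * {@link #KUDU_TICKETCACHE_PROPERTY} system property, falling back to the
     * {@code KRB5CCNAME} environment variable, and finally to the JDK default.
     */
    private static final class TicketCacheConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<String, String>();
            options.put("useTicketCache", "true");
            options.put("doNotPrompt", "true");
            options.put("refreshKrb5Config", "true");
            // Krb5LoginModule debug output is opt-in via the kudu.jaas.debug system property.
            options.put("debug", Boolean.toString(Boolean.getBoolean("kudu.jaas.debug")));
            String ticketCache = System.getProperty(KUDU_TICKETCACHE_PROPERTY, System.getenv("KRB5CCNAME"));
            if (ticketCache != null) {
                LOG.debug("Using ticketCache: {}", ticketCache);
                options.put("ticketCache", ticketCache);
            }
            options.put("renewTGT", "true");
            return new AppConfigurationEntry[]{
                new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
            };
        }
    }

    /**
     * Logs in via JAAS using the Kerberos ticket cache.
     *
     * @return the authenticated {@link Subject}, or {@code null} if the login failed
     *         (e.g. no valid ticket cache); the failure is logged at DEBUG level, with
     *         the stack trace only when TRACE is enabled
     */
    @Nullable
    public static Subject getSubjectFromTicketCacheOrNull() {
        try {
            LoginContext loginContext = new LoginContext("kudu", new Subject(),
                    (CallbackHandler) null, new TicketCacheConfiguration());
            loginContext.login();
            Subject subject = loginContext.getSubject();
            LOG.debug("Logged in as subject: {}", Joiner.on(",").join(subject.getPrincipals()));
            return subject;
        } catch (LoginException e) {
            LOG.debug("Could not login via JAAS. Using no credentials: " + e.getMessage(),
                    (Throwable) (LOG.isTraceEnabled() ? e : null));
            return null;
        }
    }

    /**
     * Computes the "tls-server-end-point" channel binding (RFC 5929) for a server
     * certificate: the hash of the DER-encoded certificate using the digest of its
     * signature algorithm, with MD5 and SHA-1 upgraded to SHA-256.
     *
     * <p>Only signature algorithm names of the form {@code <digest>with<encryption>}
     * are recognized; names without a "with" component (e.g. {@code RSASSA-PSS}) or
     * with an unlisted digest are rejected.
     *
     * @param certificate the peer's certificate; must be an {@link X509Certificate}
     * @return the channel binding bytes
     * @throws IllegalArgumentException if {@code certificate} is not an X509Certificate (including {@code null})
     * @throws RuntimeException if the signature algorithm is not recognized, the digest is
     *         unavailable, or the certificate cannot be encoded
     */
    public static byte[] getEndpointChannelBindings(Certificate certificate) {
        Preconditions.checkArgument(certificate instanceof X509Certificate, "can only handle X509 certs");
        String sigAlgName = ((X509Certificate) certificate).getSigAlgName();
        // "SHA256withRSA" -> "SHA256"; the split is case-insensitive via the upper-casing.
        String digestPart = sigAlgName.toUpperCase(Locale.ENGLISH).split("WITH", 2)[0];
        String messageDigestAlg = CERT_DIGEST_TO_MESSAGE_DIGEST.get(digestPart);
        if (messageDigestAlg == null) {
            throw new RuntimeException("cert uses unknown signature algorithm: " + sigAlgName);
        }
        try {
            return MessageDigest.getInstance(messageDigestAlg).digest(certificate.getEncoded());
        } catch (GeneralSecurityException e) {
            // Covers NoSuchAlgorithmException and CertificateEncodingException.
            throw new RuntimeException(e);
        }
    }

    /**
     * @return true if the subject has no TGT, or its TGT expires within
     *         {@link #REFRESH_BEFORE_EXPIRATION_SECS} seconds from now
     */
    public static boolean needsRefresh(Subject subject) {
        return tgtExpiresBefore(subject, System.currentTimeMillis() + REFRESH_BEFORE_EXPIRATION_SECS * 1000);
    }

    /** @return true if the subject has no TGT, or its TGT end time is already in the past */
    public static boolean isTgtExpired(Subject subject) {
        return tgtExpiresBefore(subject, System.currentTimeMillis());
    }

    /**
     * @param subject the subject whose TGT is examined
     * @param deadlineMillis an instant in epoch milliseconds
     * @return true if the subject has no TGT or its TGT end time is before {@code deadlineMillis}
     */
    private static boolean tgtExpiresBefore(Subject subject, long deadlineMillis) {
        KerberosTicket tgt = findTgt(subject);
        return tgt == null || tgt.getEndTime().getTime() < deadlineMillis;
    }

    /**
     * @return the first Kerberos ticket in the subject's private credentials whose server
     *         is a ticket-granting service principal, or {@code null} if there is none
     */
    private static KerberosTicket findTgt(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        // NOTE(review): getPrivateCredentials(Class) is documented to return a new set on
        // each call, so this lock is likely redundant; kept to preserve existing behavior.
        synchronized (tickets) {
            for (KerberosTicket ticket : tickets) {
                if (isTGSPrincipal(ticket.getServer())) {
                    return ticket;
                }
            }
            return null;
        }
    }

    /**
     * @return true if the principal is the TGS principal of its own realm,
     *         i.e. its name is exactly {@code krbtgt/<REALM>@<REALM>}
     */
    private static boolean isTGSPrincipal(KerberosPrincipal principal) {
        if (principal == null) {
            return false;
        }
        String realm = principal.getRealm();
        return principal.getName().equals("krbtgt/" + realm + "@" + realm);
    }

    /**
     * Returns the subject's single Kerberos principal.
     *
     * @return the {@link KerberosPrincipal}, or {@code null} if the subject has none or
     *         (with a warning logged) more than one
     */
    public static KerberosPrincipal getKerberosPrincipalOrNull(Subject subject) {
        Set<KerberosPrincipal> principals = subject.getPrincipals(KerberosPrincipal.class);
        if (principals.size() > 1) {
            LOG.warn("JAAS Subject unexpectedly includes more than one principal: {}",
                    Joiner.on(", ").join(principals));
            return null;
        }
        if (principals.isEmpty()) {
            return null;
        }
        return principals.iterator().next();
    }
}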
