package oadd.org.apache.drill.exec.rpc.security.kerberos;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import oadd.org.apache.drill.common.KerberosUtil;
import oadd.org.apache.drill.common.config.DrillProperties;
import oadd.org.apache.drill.exec.rpc.security.AuthenticatorFactory;
import oadd.org.apache.drill.exec.rpc.security.FastSaslClientFactory;
import oadd.org.apache.drill.exec.rpc.security.FastSaslServerFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.HadoopKerberosName;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:oadd/org/apache/drill/exec/rpc/security/kerberos/KerberosFactory.class */
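/**
 * {@link AuthenticatorFactory} for the Kerberos (GSSAPI) SASL mechanism.
 *
 * <p>The factory logs a principal in through Hadoop's {@link UserGroupInformation} and then creates
 * the SASL server or client inside that principal's {@code doAs} context, so the GSSAPI layer picks
 * up the Kerberos credentials held by that login.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The server side authorizes a peer only when its authorization ID equals its authentication
 *       ID (see {@link KerberosServerCallbackHandler}).</li>
 *   <li>The client side supports no callbacks at all, so it never supplies a name or password
 *       through the handler.</li>
 *   <li>Principal names and failure stack traces are written to the debug log.</li>
 * </ul>
 */
public class KerberosFactory implements AuthenticatorFactory {
    private static final Logger logger = LoggerFactory.getLogger(KerberosFactory.class);

    // Primary (service-name) component of the service principal, used when the connection
    // properties do not name one. Read once at class-load time from a JVM system property.
    private static final String DRILL_SERVICE_NAME = System.getProperty("drill.principal.primary", "drill");

    /**
     * Server-side SASL callback handler that makes the authorization decision.
     *
     * <p>Only {@link AuthorizeCallback} is supported. A peer is authorized solely when the
     * authorization ID it requests is identical to the ID it authenticated as; acting on behalf of
     * another identity is not decided here.
     */
    public static class KerberosServerCallbackHandler implements CallbackHandler {
        private KerberosServerCallbackHandler() {
        }

        /**
         * Authorizes each callback whose authentication and authorization IDs match.
         *
         * @param callbackArr callbacks raised by the SASL server
         * @throws UnsupportedCallbackException if a callback is not an {@link AuthorizeCallback}
         * @throws SaslException if the two IDs differ or the authentication ID is missing
         */
        @Override
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (!(callback instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
                AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
                String authenticationId = authorizeCallback.getAuthenticationID();
                // Fail closed: a missing authentication ID is rejected as a SASL failure instead of
                // surfacing as a NullPointerException from the comparison.
                if (authenticationId == null || !authenticationId.equals(authorizeCallback.getAuthorizationID())) {
                    throw new SaslException("Drill expects authorization ID and authentication ID to match. Use inbound impersonation feature so one entity can act on behalf of another.");
                }
                authorizeCallback.setAuthorized(true);
            }
        }
    }

    /**
     * Returns the simple name under which this mechanism is registered.
     */
    @Override
    public String getSimpleName() {
        return KerberosUtil.KERBEROS_SIMPLE_NAME;
    }

    /**
     * Obtains the {@link UserGroupInformation} to authenticate with.
     *
     * <p>The credential source is chosen from the properties in this order: the JAAS subject of the
     * calling access-control context (when {@link DrillProperties#KERBEROS_FROM_SUBJECT} parses as
     * {@code true}), then a keytab login for the {@code "user"} property (when
     * {@link DrillProperties#KEYTAB} is set), otherwise the current user as Hadoop resolves it.
     *
     * @param map connection or configuration properties
     * @return the logged-in user
     * @throws IOException a {@link SaslException} when the login fails
     */
    @Override
    public UserGroupInformation createAndLoginUser(Map<String, ?> map) throws IOException {
        UserGroupInformation currentUser;
        Configuration configuration = new Configuration();
        configuration.set("hadoop.security.authentication", UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
        // Static call: this replaces the configuration UserGroupInformation uses, not just for this login.
        UserGroupInformation.setConfiguration(configuration);
        String keytab = (String) map.get(DrillProperties.KEYTAB);
        try {
            // Boolean.parseBoolean(null) is false, so an absent key takes the same path as "false".
            if (Boolean.parseBoolean((String) map.get(DrillProperties.KERBEROS_FROM_SUBJECT))) {
                // NOTE(review): AccessController and Subject.getSubject are deprecated for removal in
                // recent JDKs; revisit before moving this code to a newer runtime.
                currentUser = UserGroupInformation.getUGIFromSubject(Subject.getSubject(AccessController.getContext()));
                logger.debug("Assuming subject for {}.", currentUser.getShortUserName());
            } else if (keytab != null) {
                currentUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI((String) map.get("user"), keytab);
                logger.debug("Logged in {} using keytab.", currentUser.getShortUserName());
            } else {
                currentUser = UserGroupInformation.getCurrentUser();
                logger.debug("Logged in {} using ticket.", currentUser.getShortUserName());
            }
            return currentUser;
        } catch (IOException e) {
            logger.debug("Login failed.", (Throwable) e);
            // Keep the failure attached even when the IOException carries no nested cause, so the
            // reason for a failed login is not lost to the caller.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            if (cause instanceof LoginException) {
                throw new SaslException("Failed to login.", cause);
            }
            throw new SaslException("Unexpected failure trying to login.", cause);
        }
    }

    /**
     * Creates the GSSAPI {@link SaslServer} inside the given user's {@code doAs} context.
     *
     * <p>The service name and host passed to the SASL layer are taken from the logged-in principal
     * itself (its short name and the host component of its full name).
     *
     * @param userGroupInformation the logged-in service principal
     * @param map SASL properties handed through to the server factory
     * @return the SASL server
     * @throws SaslException if the server cannot be created
     */
    @Override
    public SaslServer createSaslServer(UserGroupInformation userGroupInformation, final Map<String, ?> map) throws SaslException {
        try {
            final String shortUserName = userGroupInformation.getShortUserName();
            final String hostName = new HadoopKerberosName(userGroupInformation.getUserName()).getHostName();
            SaslServer saslServer = userGroupInformation.doAs(new PrivilegedExceptionAction<SaslServer>() {
                @Override
                public SaslServer run() throws Exception {
                    return FastSaslServerFactory.getInstance().createSaslServer(KerberosUtil.KERBEROS_SASL_NAME, shortUserName, hostName, map, new KerberosServerCallbackHandler());
                }
            });
            logger.trace("GSSAPI SaslServer created.");
            return saslServer;
        } catch (InterruptedException e) {
            // Restore the interrupt flag so callers further up can still observe the interruption.
            Thread.currentThread().interrupt();
            logger.debug("Authentication failed.", e);
            throw new SaslException("Unexpected failure trying to authenticate using Kerberos", e);
        } catch (IOException e) {
            logger.debug("Authentication failed.", e);
            // Same handling as createSaslClient: a SaslException is passed on unwrapped.
            if (e instanceof SaslException) {
                throw (SaslException) e;
            }
            throw new SaslException("Unexpected failure trying to authenticate using Kerberos", e);
        } catch (UndeclaredThrowableException e) {
            Throwable cause = e.getCause();
            logger.debug("Authentication failed.", cause);
            if (cause instanceof SaslException) {
                throw (SaslException) cause;
            }
            throw new SaslException("Unexpected failure trying to authenticate using Kerberos", cause);
        }
    }

    /**
     * Creates the GSSAPI {@link SaslClient} inside the given user's {@code doAs} context.
     *
     * <p>The target service name and host come from the service principal resolved out of the
     * connection properties. The callback handler given to the client rejects every callback.
     *
     * @param userGroupInformation the logged-in client principal
     * @param map connection properties, also handed through to the client factory
     * @return the SASL client
     * @throws SaslException if the service principal cannot be resolved or the client cannot be created
     */
    @Override
    public SaslClient createSaslClient(UserGroupInformation userGroupInformation, final Map<String, ?> map) throws SaslException {
        String[] principalParts = KerberosUtil.splitPrincipalIntoParts(getServicePrincipal(map));
        final String serviceName = principalParts[0];
        final String serviceHostName = principalParts[1];
        try {
            SaslClient saslClient = userGroupInformation.doAs(new PrivilegedExceptionAction<SaslClient>() {
                @Override
                public SaslClient run() throws Exception {
                    return FastSaslClientFactory.getInstance().createSaslClient(new String[]{KerberosUtil.KERBEROS_SASL_NAME}, null, serviceName, serviceHostName, map, new CallbackHandler() {
                        @Override
                        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                            // No callback is answered on the client side.
                            throw new UnsupportedCallbackException(callbackArr[0]);
                        }
                    });
                }
            });
            logger.debug("GSSAPI SaslClient created to authenticate to {} running on {}", serviceName, serviceHostName);
            return saslClient;
        } catch (InterruptedException e) {
            // Restore the interrupt flag so callers further up can still observe the interruption.
            Thread.currentThread().interrupt();
            logger.debug("Authentication failed.", (Throwable) e);
            throw new SaslException(String.format("Unexpected failure trying to authenticate to %s using GSSAPI", serviceHostName), e);
        } catch (IOException e) {
            logger.debug("Authentication failed.", (Throwable) e);
            if (e instanceof SaslException) {
                throw (SaslException) e;
            }
            throw new SaslException(String.format("Unexpected failure trying to authenticate to %s using GSSAPI", serviceHostName), e);
        } catch (UndeclaredThrowableException e) {
            logger.debug("Authentication failed.", (Throwable) e);
            throw new SaslException(String.format("Unexpected failure trying to authenticate to %s using GSSAPI", serviceHostName), e.getCause());
        }
    }

    /**
     * Does nothing; the factory holds no resources.
     */
    @Override
    public void close() throws Exception {
    }

    /**
     * Resolves the service principal the client should authenticate to.
     *
     * <p>An explicit {@link DrillProperties#SERVICE_PRINCIPAL} is returned as given. Otherwise the
     * principal is assembled from the service name (default {@code DRILL_SERVICE_NAME}), the
     * lower-cased service host, and the realm (default: the realm reported by
     * {@link KerberosUtil#getDefaultRealm()}).
     *
     * @param map connection properties
     * @return the service principal
     * @throws SaslException if no host is known or the default realm cannot be resolved
     */
    private static String getServicePrincipal(Map<String, ?> map) throws SaslException {
        String explicitPrincipal = (String) map.get(DrillProperties.SERVICE_PRINCIPAL);
        if (explicitPrincipal != null) {
            return explicitPrincipal;
        }
        String serviceHostName = (String) map.get(DrillProperties.SERVICE_HOST);
        if (serviceHostName == null) {
            throw new SaslException("Unknown Drillbit hostname. Check connection parameters?");
        }
        String serviceName = (String) map.get(DrillProperties.SERVICE_NAME);
        String realm = (String) map.get(DrillProperties.REALM);
        try {
            // Locale.ROOT keeps the host component identical on every JVM; the default-locale
            // toLowerCase() can map characters differently (e.g. 'I' under a Turkish locale) and
            // produce a principal that does not match the service's.
            return KerberosUtil.getPrincipalFromParts(
                    serviceName == null ? DRILL_SERVICE_NAME : serviceName,
                    serviceHostName.toLowerCase(java.util.Locale.ROOT),
                    realm == null ? KerberosUtil.getDefaultRealm() : realm);
        } catch (ClassNotFoundException | IllegalAccessException | NoSuchMethodException | InvocationTargetException e) {
            // The default-realm lookup is the call that has to sit inside this try; keep the
            // underlying failure as the cause.
            throw new SaslException("Could not resolve realm information. Please set explicitly in connection parameters.", e);
        }
    }
}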
