package io.trino.client;

import com.google.common.base.CharMatcher;
import com.google.common.base.Preconditions;
import com.google.common.base.Splitter;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableMap;
import com.sun.security.auth.module.Krb5LoginModule;
import io.airlift.units.Duration;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Base64;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import javax.annotation.concurrent.GuardedBy;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import okhttp3.Authenticator;
import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.Route;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:lib/trino-client-352.jar:io/trino/client/SpnegoHandler.class */
public class SpnegoHandler implements Interceptor, Authenticator {
    private static final String NEGOTIATE = "Negotiate";
    private static final Duration MIN_CREDENTIAL_LIFETIME = new Duration(60.0d, TimeUnit.SECONDS);
    private static final GSSManager GSS_MANAGER = GSSManager.getInstance();
    private static final Oid SPNEGO_OID = createOid("1.3.6.1.5.5.2");
    private static final Oid KERBEROS_OID = createOid("1.2.840.113554.1.2.2");
    private final String servicePrincipalPattern;
    private final String remoteServiceName;
    private final boolean useCanonicalHostname;
    private final Optional<String> principal;
    private final Optional<File> keytab;
    private final Optional<File> credentialCache;

    @GuardedBy("this")
    private Session clientSession;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/trino-client-352.jar:io/trino/client/SpnegoHandler$GssSupplier.class */
    public interface GssSupplier<T> {
        T get() throws GSSException;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/trino-client-352.jar:io/trino/client/SpnegoHandler$Session.class */
    public static class Session {
        private final LoginContext loginContext;
        private final GSSCredential clientCredential;

        public Session(LoginContext loginContext, GSSCredential gSSCredential) {
            Objects.requireNonNull(loginContext, "loginContext is null");
            Objects.requireNonNull(gSSCredential, "gssCredential is null");
            this.loginContext = loginContext;
            this.clientCredential = gSSCredential;
        }

        public LoginContext getLoginContext() {
            return this.loginContext;
        }

        public GSSCredential getClientCredential() {
            return this.clientCredential;
        }

        public boolean needsRefresh() throws GSSException {
            return ((double) this.clientCredential.getRemainingLifetime()) < SpnegoHandler.MIN_CREDENTIAL_LIFETIME.getValue(TimeUnit.SECONDS);
        }
    }

    public SpnegoHandler(String str, String str2, boolean z, Optional<String> optional, Optional<File> optional2, Optional<File> optional3, Optional<File> optional4) {
        this.servicePrincipalPattern = (String) Objects.requireNonNull(str, "servicePrincipalPattern is null");
        this.remoteServiceName = (String) Objects.requireNonNull(str2, "remoteServiceName is null");
        this.useCanonicalHostname = z;
        this.principal = (Optional) Objects.requireNonNull(optional, "principal is null");
        this.keytab = (Optional) Objects.requireNonNull(optional3, "keytab is null");
        this.credentialCache = (Optional) Objects.requireNonNull(optional4, "credentialCache is null");
        optional2.ifPresent(file -> {
            String absolutePath = file.getAbsolutePath();
            String property = System.getProperty("java.security.krb5.conf");
            Preconditions.checkState(property == null || Objects.equals(property, absolutePath), "Refusing to set system property 'java.security.krb5.conf' to '%s', it is already set to '%s'", absolutePath, property);
            System.setProperty("java.security.krb5.conf", absolutePath);
        });
    }

    @Override // okhttp3.Interceptor
    public Response intercept(Interceptor.Chain chain) throws IOException {
        try {
            return chain.proceed(authenticate(chain.request()));
        } catch (ClientException e) {
            return chain.proceed(chain.request());
        }
    }

    @Override // okhttp3.Authenticator
    public Request authenticate(Route route, Response response) {
        if (response.request().headers("Authorization").stream().anyMatch(SpnegoHandler::isNegotiate) || response.headers("WWW-Authenticate").stream().noneMatch(SpnegoHandler::isNegotiate)) {
            return null;
        }
        return authenticate(response.request());
    }

    private static boolean isNegotiate(String str) {
        return Splitter.on(CharMatcher.whitespace()).split(str).iterator().next().equalsIgnoreCase(NEGOTIATE);
    }

    private Request authenticate(Request request) {
        return request.newBuilder().header("Authorization", String.format("%s %s", NEGOTIATE, Base64.getEncoder().encodeToString(generateToken(makeServicePrincipal(this.servicePrincipalPattern, this.remoteServiceName, request.url().host(), this.useCanonicalHostname))))).build();
    }

    private byte[] generateToken(String str) {
        GSSContext gSSContext = null;
        try {
            try {
                Session session = getSession();
                gSSContext = (GSSContext) doAs(session.getLoginContext().getSubject(), () -> {
                    GSSContext createContext = GSS_MANAGER.createContext(GSS_MANAGER.createName(str, GSSName.NT_HOSTBASED_SERVICE), SPNEGO_OID, session.getClientCredential(), Integer.MAX_VALUE);
                    createContext.requestMutualAuth(true);
                    createContext.requestConf(true);
                    createContext.requestInteg(true);
                    createContext.requestCredDeleg(true);
                    return createContext;
                });
                byte[] initSecContext = gSSContext.initSecContext(new byte[0], 0, 0);
                if (initSecContext == null) {
                    throw new LoginException("No token generated from GSS context");
                }
                if (gSSContext != null) {
                    try {
                        gSSContext.dispose();
                    } catch (GSSException e) {
                    }
                }
                return initSecContext;
            } catch (GSSException | LoginException e2) {
                throw new ClientException(String.format("Kerberos error for [%s]: %s", str, e2.getMessage()), e2);
            }
        } catch (Throwable th) {
            if (gSSContext != null) {
                try {
                    gSSContext.dispose();
                } catch (GSSException e3) {
                    throw th;
                }
            }
            throw th;
        }
    }

    private synchronized Session getSession() throws LoginException, GSSException {
        if (this.clientSession == null || this.clientSession.needsRefresh()) {
            this.clientSession = createSession();
        }
        return this.clientSession;
    }

    private Session createSession() throws LoginException, GSSException {
        LoginContext loginContext = new LoginContext("", (Subject) null, (CallbackHandler) null, new Configuration() { // from class: io.trino.client.SpnegoHandler.1
            public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
                ImmutableMap.Builder builder = ImmutableMap.builder();
                builder.put("refreshKrb5Config", "true");
                builder.put("doNotPrompt", "true");
                builder.put("useKeyTab", "true");
                if (Boolean.getBoolean("trino.client.debugKerberos")) {
                    builder.put("debug", "true");
                }
                SpnegoHandler.this.keytab.ifPresent(file -> {
                    builder.put("keyTab", file.getAbsolutePath());
                });
                SpnegoHandler.this.credentialCache.ifPresent(file2 -> {
                    builder.put("ticketCache", file2.getAbsolutePath());
                    builder.put("useTicketCache", "true");
                    builder.put("renewTGT", "true");
                });
                SpnegoHandler.this.principal.ifPresent(str2 -> {
                    builder.put("principal", str2);
                });
                return new AppConfigurationEntry[]{new AppConfigurationEntry(Krb5LoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, builder.build())};
            }
        });
        loginContext.login();
        Subject subject = loginContext.getSubject();
        Principal next = subject.getPrincipals().iterator().next();
        return new Session(loginContext, (GSSCredential) doAs(subject, () -> {
            return GSS_MANAGER.createCredential(GSS_MANAGER.createName(next.getName(), GSSName.NT_USER_NAME), 0, KERBEROS_OID, 1);
        }));
    }

    private static String makeServicePrincipal(String str, String str2, String str3, boolean z) {
        String str4 = str3;
        if (z) {
            str4 = canonicalizeServiceHostName(str3);
        }
        return str.replaceAll("\\$\\{SERVICE}", str2).replaceAll("\\$\\{HOST}", str4.toLowerCase(Locale.US));
    }

    private static String canonicalizeServiceHostName(String str) {
        try {
            InetAddress byName = InetAddress.getByName(str);
            String canonicalHostName = "localhost".equalsIgnoreCase(byName.getHostName()) ? InetAddress.getLocalHost().getCanonicalHostName() : byName.getCanonicalHostName();
            if (canonicalHostName.equalsIgnoreCase("localhost")) {
                throw new ClientException("Fully qualified name of localhost should not resolve to 'localhost'. System configuration error?");
            }
            return canonicalHostName;
        } catch (UnknownHostException e) {
            throw new ClientException("Failed to resolve host: " + str, e);
        }
    }

    private static <T> T doAs(Subject subject, GssSupplier<T> gssSupplier) throws GSSException {
        try {
            Objects.requireNonNull(gssSupplier);
            return (T) Subject.doAs(subject, gssSupplier::get);
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            Throwables.throwIfInstanceOf(cause, GSSException.class);
            Throwables.throwIfUnchecked(cause);
            throw new RuntimeException(cause);
        }
    }

    private static Oid createOid(String str) {
        try {
            return new Oid(str);
        } catch (GSSException e) {
            throw new AssertionError(e);
        }
    }
}
