package io.trino.client.auth.kerberos;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import com.sun.security.auth.module.Krb5LoginModule;
import java.io.File;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.concurrent.GuardedBy;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSException;

/* loaded from: input_file:lib/trino-client-387.jar:io/trino/client/auth/kerberos/LoginBasedSubjectProvider.class */
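/**
 * {@link SubjectProvider} that obtains a Kerberos {@link Subject} through a JAAS
 * {@link Krb5LoginModule} login, using a keytab and/or a ticket cache.
 *
 * <p>Thread-safety: {@link #loginContext} is guarded by this instance's monitor, so
 * {@link #getSubject()} and {@link #refresh()} are synchronized.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The constructor may set the JVM-wide system property {@code java.security.krb5.conf}.
 *       This affects every Kerberos user in the process, and the check-then-set is not atomic
 *       across threads.</li>
 *   <li>Only the Kerberos config file is checked for existence and readability here. The keytab
 *       and credential cache paths are handed to the login module unchecked, so their file
 *       permissions must be enforced by the deployment.</li>
 * </ul>
 */
public class LoginBasedSubjectProvider implements SubjectProvider {
    private static final String KRB5_CONF_PROPERTY = "java.security.krb5.conf";

    private final Optional<String> principal;
    private final Optional<File> keytab;
    private final Optional<File> credentialCache;

    @GuardedBy("this")
    private LoginContext loginContext;

    /**
     * @param principal Kerberos principal to log in as, if any
     * @param kerberosConfig krb5 configuration file; when present it is validated and published
     *     through the {@code java.security.krb5.conf} system property
     * @param keytab keytab file to read the principal's key from, if any
     * @param credentialCache ticket cache file, if any
     * @throws NullPointerException if any argument is {@code null}
     * @throws IllegalStateException if the system property is already set to a different path,
     *     or the config file is missing, a directory, or unreadable
     */
    public LoginBasedSubjectProvider(Optional<String> principal, Optional<File> kerberosConfig, Optional<File> keytab, Optional<File> credentialCache) {
        this.principal = Objects.requireNonNull(principal, "principal is null");
        this.keytab = Objects.requireNonNull(keytab, "keytab is null");
        this.credentialCache = Objects.requireNonNull(credentialCache, "credentialCache is null");
        Objects.requireNonNull(kerberosConfig, "kerberosConfig is null");

        kerberosConfig.ifPresent(file -> {
            String newValue = file.getAbsolutePath();
            String currentValue = System.getProperty(KRB5_CONF_PROPERTY);
            // Never silently redirect a process that is already bound to another krb5.conf
            // (and therefore to another set of realms and KDCs).
            Preconditions.checkState(currentValue == null || Objects.equals(currentValue, newValue), "Refusing to set system property 'java.security.krb5.conf' to '%s', it is already set to '%s'", newValue, currentValue);
            Preconditions.checkState(file.exists() && !file.isDirectory(), "Kerberos config file '%s' does not exist or is a directory", newValue);
            Preconditions.checkState(file.canRead(), "Kerberos config file '%s' is not readable", newValue);
            System.setProperty(KRB5_CONF_PROPERTY, newValue);
        });
    }

    /**
     * Returns the subject of the current login context.
     *
     * <p>{@link #refresh()} must have been called first; before that the login context is
     * {@code null} and this method throws {@link NullPointerException}.
     */
    @Override
    public synchronized Subject getSubject() {
        return this.loginContext.getSubject();
    }

    /**
     * Performs a fresh JAAS login and replaces the current login context.
     *
     * <p>The new context is stored before {@code login()} runs, so after a failed login
     * {@link #getSubject()} reflects the new, unauthenticated context rather than the old one.
     *
     * @throws LoginException if the Kerberos login fails
     * @throws GSSException declared by {@link SubjectProvider}; not thrown by the code in this method
     */
    @Override
    public synchronized void refresh() throws LoginException, GSSException {
        // NOTE(review): the previous LoginContext is dropped without logout(), so its credentials
        // stay in memory until garbage collected. Calling logout() here is only safe if no caller
        // still uses the old Subject; confirm against the callers before changing this.
        this.loginContext = new LoginContext("", null, null, new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // The application name is ignored: the same single entry is always returned.
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(Krb5LoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, loginModuleOptions())
                };
            }
        });
        this.loginContext.login();
    }

    /** Builds the {@link Krb5LoginModule} options from the configured principal, keytab and cache. */
    private ImmutableMap<String, String> loginModuleOptions() {
        ImmutableMap.Builder<String, String> options = ImmutableMap.builder();
        options.put("refreshKrb5Config", "true");
        // Non-interactive client: never fall back to prompting for a password.
        options.put("doNotPrompt", "true");
        // Always enabled, even without an explicit keytab; Krb5LoginModule then falls back to
        // its default keytab lookup (krb5.conf setting, then the user's home directory).
        options.put("useKeyTab", "true");
        if (Boolean.getBoolean("trino.client.debugKerberos")) {
            // NOTE(review): login-module debug output presumably exposes principal and
            // credential-location details; treat it as sensitive and keep it out of shared logs.
            options.put("debug", "true");
        }
        this.keytab.ifPresent(file -> options.put("keyTab", file.getAbsolutePath()));
        this.credentialCache.ifPresent(file -> {
            options.put("ticketCache", file.getAbsolutePath());
            options.put("renewTGT", "true");
        });
        // The ticket cache is used when it is configured explicitly, or when there is no keytab
        // to log in with. With only a keytab configured, the cache is left out.
        if (!this.keytab.isPresent() || this.credentialCache.isPresent()) {
            options.put("useTicketCache", "true");
        }
        this.principal.ifPresent(value -> options.put("principal", value));
        return options.buildOrThrow();
    }
}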
