package io.trino.plugin.hive.metastore.thrift;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import io.airlift.slice.BasicSliceInput;
import io.airlift.slice.Slices;
import io.trino.hdfs.authentication.HadoopAuthentication;
import io.trino.hive.formats.ReadWriteUtils;
import io.trino.plugin.hive.ForHiveMetastore;
import io.trino.plugin.hive.metastore.Database;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Base64;
import java.util.Objects;
import java.util.Optional;
import javax.inject.Inject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.sasl.RealmCallback;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;

/* loaded from: input_file:io/trino/plugin/hive/metastore/thrift/KerberosHiveMetastoreAuthentication.class */
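/**
 * Wraps a Thrift transport to a Hive metastore in a SASL client transport.
 *
 * <p>Two mechanisms are used. When the caller supplies a delegation token, the connection
 * authenticates with DIGEST-MD5 using the credentials decoded from that token. Otherwise it
 * authenticates with GSSAPI (Kerberos) against the configured metastore service principal.
 * In both cases the resulting transport is wrapped in a {@code TUgiAssumingTransport} bound to
 * the {@code UserGroupInformation} returned by the injected {@link HadoopAuthentication}.
 */
public class KerberosHiveMetastoreAuthentication implements HiveMetastoreAuthentication {
    private final String hiveMetastoreServicePrincipal;
    private final HadoopAuthentication authentication;

    /**
     * Supplies SASL name, password and realm callbacks from an encoded delegation token.
     *
     * <p>The token is URL-safe Base64 text whose decoded bytes start with two length-prefixed
     * fields (a variable-length integer followed by that many bytes). The first field becomes
     * the user name and the second the password, each re-encoded as standard Base64.
     */
    private static class SaslClientCallbackHandler implements CallbackHandler {
        private final String username;
        // Secret taken from the token. It must never be written to logs or exception messages.
        private final String password;

        /**
         * Decodes the token and extracts the credentials.
         *
         * @param str the delegation token as URL-safe Base64 text
         * @throws IllegalArgumentException if the text is not valid Base64 or a length prefix
         *     is negative or larger than the bytes that remain in the token
         */
        public SaslClientCallbackHandler(String str) {
            BasicSliceInput tokenInput = new BasicSliceInput(Slices.wrappedBuffer(Base64.getUrlDecoder().decode(str)));
            this.username = Base64.getEncoder().encodeToString(readField(tokenInput, "username"));
            this.password = Base64.getEncoder().encodeToString(readField(tokenInput, "password"));
        }

        /**
         * Reads one length-prefixed field, rejecting a length the remaining input cannot satisfy.
         *
         * <p>The length is checked before the buffer is allocated, so a malformed token cannot
         * request an allocation larger than the token itself. The message names only the field,
         * never its content.
         */
        private static byte[] readField(BasicSliceInput tokenInput, String fieldName) {
            long length = ReadWriteUtils.readVInt(tokenInput);
            if (length < 0 || length > tokenInput.available()) {
                throw new IllegalArgumentException("Malformed delegation token: invalid " + fieldName + " length");
            }
            byte[] field = new byte[(int) length];
            tokenInput.readFully(field);
            return field;
        }

        /**
         * Fills in the callbacks this handler understands. Any other callback type is left
         * untouched, not rejected.
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) {
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(this.username);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(this.password.toCharArray());
                } else if (callback instanceof RealmCallback) {
                    // Accept whatever realm the server proposed as the default.
                    RealmCallback realmCallback = (RealmCallback) callback;
                    realmCallback.setText(realmCallback.getDefaultText());
                }
            }
        }
    }

    /**
     * Creates the authenticator from the metastore Kerberos configuration.
     *
     * @param metastoreKerberosConfig source of the metastore service principal
     * @param hadoopAuthentication provider of the identity the transport runs as
     */
    @Inject
    public KerberosHiveMetastoreAuthentication(MetastoreKerberosConfig metastoreKerberosConfig, @ForHiveMetastore HadoopAuthentication hadoopAuthentication) {
        this(metastoreKerberosConfig.getHiveMetastoreServicePrincipal(), hadoopAuthentication);
    }

    /**
     * Creates the authenticator from an explicit service principal.
     *
     * @param str the metastore service principal pattern; must not be null
     * @param hadoopAuthentication provider of the identity the transport runs as; must not be null
     * @throws NullPointerException if either argument is null
     */
    public KerberosHiveMetastoreAuthentication(String str, HadoopAuthentication hadoopAuthentication) {
        this.hiveMetastoreServicePrincipal = Objects.requireNonNull(str, "hiveMetastoreServicePrincipal is null");
        this.authentication = Objects.requireNonNull(hadoopAuthentication, "authentication is null");
    }

    /**
     * Wraps {@code tTransport} in a SASL client transport for the metastore.
     *
     * @param tTransport the underlying transport to the metastore
     * @param str the metastore host name, passed to {@code SecurityUtil.getServerPrincipal}
     *     together with the configured service principal
     * @param optional a delegation token; when present DIGEST-MD5 is used instead of GSSAPI
     * @return the SASL transport wrapped in a {@code TUgiAssumingTransport}
     * @throws IllegalStateException if the resolved principal is not of the form
     *     {@code service/host@REALM}
     * @throws IllegalArgumentException if the delegation token is malformed
     * @throws UncheckedIOException if resolving the server principal fails
     */
    @Override // io.trino.plugin.hive.metastore.thrift.HiveMetastoreAuthentication
    public TTransport authenticate(TTransport tTransport, String str, Optional<String> optional) {
        try {
            String serverPrincipal = SecurityUtil.getServerPrincipal(this.hiveMetastoreServicePrincipal, str);
            // Expect exactly service/host@REALM. The service and host parts identify the GSSAPI peer.
            String[] principalParts = serverPrincipal.split("[/@]");
            Preconditions.checkState(principalParts.length == 3, "Kerberos principal name does NOT have the expected hostname part: %s", serverPrincipal);

            // The QOP list is a client preference order. "auth" is authentication only, so if the
            // server does not offer "auth-conf" the session runs without SASL integrity or
            // confidentiality protection. Deployments that need encrypted metastore traffic must
            // enforce that on the server side.
            ImmutableMap<String, String> saslProperties = ImmutableMap.of("javax.security.sasl.qop", "auth-conf,auth", "javax.security.sasl.server.authentication", "true");

            TTransport saslTransport;
            if (optional.isPresent()) {
                // Delegation-token path. DIGEST-MD5 is a legacy mechanism (moved to Historic by
                // RFC 6331). Database.DEFAULT_DATABASE_NAME is passed as the SASL server name; the
                // constant's value is defined outside this file.
                saslTransport = new TSaslClientTransport("DIGEST-MD5", (String) null, (String) null, Database.DEFAULT_DATABASE_NAME, saslProperties, new SaslClientCallbackHandler(optional.get()), tTransport);
            } else {
                // Kerberos path: no callback handler is supplied to the SASL client.
                saslTransport = new TSaslClientTransport("GSSAPI", (String) null, principalParts[0], principalParts[1], saslProperties, (CallbackHandler) null, tTransport);
            }
            return new TUgiAssumingTransport(saslTransport, this.authentication.getUserGroupInformation());
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        } catch (TTransportException e) {
            throw new RuntimeException(e);
        }
    }
}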
