package org.apache.hadoop.security.rpcauth;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.ipc.protobuf.IpcConnectionContextProtos;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;

/* loaded from: input_file:org/apache/hadoop/security/rpcauth/KerberosAuthMethod.class */
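/**
 * Kerberos (SASL GSSAPI) implementation of {@link RpcAuthMethod}.
 *
 * <p>The class is a singleton ({@link #INSTANCE}); it builds the SASL client and
 * server endpoints for a Kerberos principal of the form
 * {@code service/host@REALM} and decides when the login user's credentials
 * should be refreshed.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The server-side callback handler authorizes a peer only when the SASL
 *       authorization ID is identical to the authenticated ID; any other
 *       combination is refused.</li>
 *   <li>Principal names are written to the debug log. They are identifiers,
 *       not secrets, but they do reveal service and host naming.</li>
 * </ul>
 */
public final class KerberosAuthMethod extends RpcAuthMethod {
    public static final Log LOG = LogFactory.getLog(KerberosAuthMethod.class);

    /** The single shared instance; the constructor is private. */
    static final RpcAuthMethod INSTANCE = new KerberosAuthMethod();

    /**
     * JAAS login module class names: the one reported by {@link KerberosUtil}
     * followed by the Sun/Oracle Krb5 module. Never handed out directly, see
     * {@link #loginModules()}.
     */
    private static final String[] LOGIN_MODULES = {KerberosUtil.getKrb5LoginModuleName(), "com.sun.security.auth.module.Krb5LoginModule"};

    /* loaded from: input_file:org/apache/hadoop/security/rpcauth/KerberosAuthMethod$SaslGssCallbackHandler.class */
    /**
     * Server-side SASL GSSAPI callback handler.
     *
     * <p>It accepts only {@link AuthorizeCallback}s and grants authorization
     * solely when the requested authorization ID equals the authenticated ID.
     */
    public static class SaslGssCallbackHandler implements CallbackHandler {
        /**
         * Processes the callbacks issued by the SASL server.
         *
         * <p>If several {@link AuthorizeCallback}s are supplied, only the last
         * one is evaluated.
         *
         * @param callbackArr callbacks from the SASL mechanism
         * @throws UnsupportedCallbackException if any callback is not an
         *         {@link AuthorizeCallback}
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            AuthorizeCallback authorizeCallback = null;
            for (Callback callback : callbackArr) {
                if (!(callback instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL GSSAPI Callback");
                }
                authorizeCallback = (AuthorizeCallback) callback;
            }
            if (authorizeCallback == null) {
                return;
            }
            String authenticationID = authorizeCallback.getAuthenticationID();
            String authorizationID = authorizeCallback.getAuthorizationID();
            // Fail closed: a missing authentication ID is never authorized.
            // Objects.equals is deliberately not used here because it would
            // treat two null IDs as a match and authorize the peer.
            boolean sameIdentity = authenticationID != null && authenticationID.equals(authorizationID);
            authorizeCallback.setAuthorized(sameIdentity);
            if (sameIdentity) {
                if (SaslRpcServer.LOG.isDebugEnabled()) {
                    SaslRpcServer.LOG.debug("SASL server GSSAPI callback: setting canonicalized client ID: " + authorizationID);
                }
                authorizeCallback.setAuthorizedID(authorizationID);
            }
        }
    }

    /**
     * Registers this method with the superclass as "kerberos" using the
     * "GSSAPI" SASL mechanism. The byte value 81 is passed through unchanged;
     * presumably it is the method's wire code (confirm in RpcAuthMethod).
     */
    private KerberosAuthMethod() {
        super((byte) 81, "kerberos", "GSSAPI", UserGroupInformation.AuthenticationMethod.KERBEROS);
    }

    /**
     * Returns the JAAS login module class names for Kerberos.
     *
     * @return a fresh copy of the module list, so callers cannot alter the
     *         shared static array that every other caller relies on
     */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public String[] loginModules() {
        return LOGIN_MODULES.clone();
    }

    /**
     * Selects the identity that actually holds the credentials.
     *
     * @param userGroupInformation the caller's UGI
     * @return the UGI's real user when one is set, otherwise the UGI itself
     */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public UserGroupInformation getUser(UserGroupInformation userGroupInformation) {
        return userGroupInformation.getRealUser() != null ? userGroupInformation.getRealUser() : userGroupInformation;
    }

    /**
     * Writes the UGI's user name into the connection context as the effective
     * user. No real-user field is written by this method.
     *
     * @param userGroupInformation identity to record
     * @param builder              connection-context builder to populate
     */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public void writeUGI(UserGroupInformation userGroupInformation, IpcConnectionContextProtos.UserInformationProto.Builder builder) {
        builder.setEffectiveUser(userGroupInformation.getUserName());
    }

    /** @return always {@code true}; Kerberos runs over SASL */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public boolean isSasl() {
        return true;
    }

    /** @return always {@code true} */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public boolean isNegotiable() {
        return true;
    }

    /**
     * Derives the SASL protocol (service) name from the current user's
     * principal.
     *
     * @return the part before the first '/' or '@', or the empty string when
     *         the name contains neither separator
     * @throws IOException if the current user cannot be determined
     */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public String getProtocol() throws IOException {
        String userName = UserGroupInformation.getCurrentUser().getUserName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Kerberos principal name is " + userName);
        }
        String[] split = userName.split("[/@]", 3);
        return split.length > 1 ? split[0] : "";
    }

    /**
     * Derives the server ID (host part) from the current user's principal.
     *
     * @return the second component after splitting on '/' or '@', or the empty
     *         string when there is no second component
     * @throws IOException if the current user cannot be determined
     */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public String getServerId() throws IOException {
        String userName = UserGroupInformation.getCurrentUser().getUserName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Kerberos principal name is " + userName);
        }
        String[] split = userName.split("[/@]", 3);
        return split.length < 2 ? "" : split[1];
    }

    /**
     * Creates the client side of the GSSAPI exchange for the server principal
     * found in {@code map} under {@link SaslRpcServer#SASL_KERBEROS_PRINCIPAL}.
     *
     * <p>The principal must split into exactly three parts
     * ({@code service/host@REALM}); the service and host parts are passed to
     * SASL, the realm part is not.
     *
     * @param map SASL properties, also carrying the server principal
     * @return the SASL client; {@link Sasl#createSaslClient} may return
     *         {@code null} when no provider supports the mechanism
     * @throws IOException if the principal is missing, empty or lacks the
     *         host part
     */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public SaslClient createSaslClient(Map<String, Object> map) throws IOException {
        // NOTE(review): the origin of this value is not visible here. It names
        // the service the client will authenticate to, so confirm the caller
        // takes it from trusted configuration rather than from the peer.
        String str = (String) map.get(SaslRpcServer.SASL_KERBEROS_PRINCIPAL);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Creating SASL " + this.mechanismName + " client. Server's Kerberos principal name is " + str);
        }
        if (str == null || str.length() == 0) {
            throw new IOException("Failed to specify server's Kerberos principal name");
        }
        String[] splitKerberosName = splitKerberosName(str);
        if (splitKerberosName.length != 3) {
            throw new IOException("Kerberos principal name does NOT have the expected hostname part: " + str);
        }
        // No authorization ID and no callback handler are supplied.
        return Sasl.createSaslClient(new String[]{this.mechanismName}, (String) null, splitKerberosName[0], splitKerberosName[1], map, (CallbackHandler) null);
    }

    /**
     * Creates the server side of the GSSAPI exchange as the current user.
     *
     * <p>The current user's principal must split into exactly three parts;
     * the first two become the SASL protocol and server name. The server is
     * created inside {@code doAs} of the current user and is wired to a new
     * {@link SaslGssCallbackHandler}.
     *
     * @param connection the RPC connection; not used by this implementation
     * @param map        SASL properties
     * @return the SASL server; {@link Sasl#createSaslServer} may return
     *         {@code null} when no provider supports the mechanism
     * @throws AccessControlException if the principal lacks the host part
     * @throws IOException            on other failures from the login context
     * @throws InterruptedException   if {@code doAs} is interrupted
     */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public SaslServer createSaslServer(Server.Connection connection, final Map<String, Object> map) throws IOException, InterruptedException {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        String userName = currentUser.getUserName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Kerberos principal name is " + userName);
        }
        final String[] splitKerberosName = splitKerberosName(userName);
        if (splitKerberosName.length != 3) {
            throw new AccessControlException("Kerberos principal name does NOT have the expected hostname part: " + userName);
        }
        return (SaslServer) currentUser.doAs(new PrivilegedExceptionAction<SaslServer>() { // from class: org.apache.hadoop.security.rpcauth.KerberosAuthMethod.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public SaslServer run() throws SaslException {
                return Sasl.createSaslServer(KerberosAuthMethod.this.mechanismName, splitKerberosName[0], splitKerberosName[1], map, new SaslGssCallbackHandler());
            }
        });
    }

    /**
     * Decides whether a re-login should be attempted.
     *
     * <p>Synchronized on this instance.
     *
     * @return {@code true} only when the login user holds Kerberos credentials
     *         and is either the current user or the current user's real user
     * @throws IOException if the login or current user cannot be determined
     */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public synchronized boolean shouldReLogin() throws IOException {
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        UserGroupInformation realUser = currentUser.getRealUser();
        if (loginUser == null || !loginUser.hasKerberosCredentials()) {
            return false;
        }
        return loginUser.equals(currentUser) || loginUser.equals(realUser);
    }

    /**
     * Refreshes the login user's credentials from the keytab when the login is
     * keytab based, or from the ticket cache when it is ticket based. Does
     * nothing for any other login type.
     *
     * @throws IOException if the re-login fails
     */
    @Override // org.apache.hadoop.security.rpcauth.RpcAuthMethod
    public void reLogin() throws IOException {
        if (UserGroupInformation.isLoginKeytabBased()) {
            UserGroupInformation.getLoginUser().reloginFromKeytab();
        } else if (UserGroupInformation.isLoginTicketBased()) {
            UserGroupInformation.getLoginUser().reloginFromTicketCache();
        }
    }

    /**
     * Splits a Kerberos principal on '/' and '@'.
     *
     * <p>{@link String#split(String)} drops trailing empty strings, so a name
     * ending in a separator yields fewer parts than separators suggest.
     *
     * @param str the principal name; must not be {@code null}
     * @return the components, three for {@code service/host@REALM}
     */
    public static String[] splitKerberosName(String str) {
        return str.split("[/@]");
    }
}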
