package org.apache.nifi.processors.kafka.pubsub;

import java.util.Arrays;
import java.util.Map;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.authenticator.AbstractLogin;
import org.apache.kafka.common.security.kerberos.KerberosLogin;
import org.apache.kafka.common.utils.KafkaThread;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/nifi/processors/kafka/pubsub/CustomKerberosLogin.class */
public class CustomKerberosLogin extends AbstractLogin {
    private static final Logger log = LoggerFactory.getLogger(CustomKerberosLogin.class);
    private Thread refreshThread;
    private boolean isKrbTicket;
    private String principal;
    private double ticketRenewWindowFactor;
    private long minTimeBeforeRelogin;
    private volatile Subject subject;
    private LoginContext loginContext;
    private String serviceName;

    public void configure(Map<String, ?> map, String str, Configuration configuration, AuthenticateCallbackHandler authenticateCallbackHandler) {
        super.configure(map, str, configuration, authenticateCallbackHandler);
        this.ticketRenewWindowFactor = ((Double) map.get("sasl.kerberos.ticket.renew.window.factor")).doubleValue();
        this.minTimeBeforeRelogin = ((Long) map.get("sasl.kerberos.min.time.before.relogin")).longValue();
        this.serviceName = getServiceName(map, str, configuration);
    }

    public LoginContext login() throws LoginException {
        this.loginContext = super.login();
        this.subject = this.loginContext.getSubject();
        this.isKrbTicket = !this.subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
        AppConfigurationEntry[] appConfigurationEntry = configuration().getAppConfigurationEntry(contextName());
        if (appConfigurationEntry.length == 0) {
            this.principal = null;
        } else {
            AppConfigurationEntry appConfigurationEntry2 = appConfigurationEntry[0];
            if (appConfigurationEntry2.getOptions().get("principal") != null) {
                this.principal = (String) appConfigurationEntry2.getOptions().get("principal");
            } else {
                this.principal = null;
            }
        }
        if (!this.isKrbTicket) {
            log.debug("[Principal={}]: It is not a Kerberos ticket", this.principal);
            this.refreshThread = null;
            return this.loginContext;
        }
        log.debug("[Principal={}]: It is a Kerberos ticket", this.principal);
        this.refreshThread = KafkaThread.daemon(String.format("kafka-kerberos-refresh-thread-%s", this.principal), () -> {
            log.info("[Principal={}]: TGT refresh thread started, minTimeBeforeRelogin = {}", this.principal, Long.valueOf(this.minTimeBeforeRelogin));
            while (true) {
                try {
                    Thread.sleep(this.minTimeBeforeRelogin);
                    try {
                        checkTGTAndReLogin();
                    } catch (Throwable th) {
                        log.error("[Principal={}]: Error from TGT refresh thread", this.principal, th);
                    }
                } catch (InterruptedException e) {
                    log.warn("[Principal={}]: TGT renewal thread has been interrupted and will exit.", this.principal);
                    return;
                }
            }
        });
        this.refreshThread.start();
        return this.loginContext;
    }

    public void close() {
        if (this.refreshThread == null || !this.refreshThread.isAlive()) {
            return;
        }
        this.refreshThread.interrupt();
        try {
            this.refreshThread.join();
        } catch (InterruptedException e) {
            log.warn("[Principal={}]: Error while waiting for Login thread to shutdown.", this.principal, e);
            Thread.currentThread().interrupt();
        }
    }

    public Subject subject() {
        return this.subject;
    }

    public String serviceName() {
        return this.serviceName;
    }

    private synchronized void checkTGTAndReLogin() throws LoginException {
        KerberosTicket tgt = getTGT();
        if (tgt == null) {
            log.info("[Principal={}]: TGT was not found, performing login", this.principal);
            reLogin();
            return;
        }
        if (System.currentTimeMillis() < getRefreshTime(tgt)) {
            log.debug("[Principal={}]: TGT was found, but has not reached expiration window", this.principal);
            return;
        }
        try {
            tgt.refresh();
            log.info("[Principal={}]: TGT refreshed", this.principal);
            getRefreshTime(tgt);
        } catch (RefreshFailedException e) {
            log.warn("[Principal={}]: TGT refresh failed, will attempt relogin", this.principal);
            log.debug("", e);
            reLogin();
        }
    }

    private static String getServiceName(Map<String, ?> map, String str, Configuration configuration) {
        String configEntryOption = JaasContext.configEntryOption(Arrays.asList(configuration.getAppConfigurationEntry(str)), "serviceName", (String) null);
        String str2 = (String) map.get("sasl.kerberos.service.name");
        if (configEntryOption != null && str2 != null && !configEntryOption.equals(str2)) {
            throw new IllegalArgumentException(String.format("Conflicting serviceName values found in JAAS and Kafka configs value in JAAS file %s, value in Kafka config %s", configEntryOption, str2));
        }
        if (configEntryOption != null) {
            return configEntryOption;
        }
        if (str2 != null) {
            return str2;
        }
        throw new IllegalArgumentException("No serviceName defined in either JAAS or Kafka config");
    }

    private long getRefreshTime(KerberosTicket kerberosTicket) {
        long time = kerberosTicket.getStartTime().getTime();
        long time2 = kerberosTicket.getEndTime().getTime();
        log.debug("[Principal={}]: TGT valid starting at: {}", this.principal, kerberosTicket.getStartTime());
        log.debug("[Principal={}]: TGT expires: {}", this.principal, kerberosTicket.getEndTime());
        log.debug("[Principal={}]: TGT renew until: {}", this.principal, kerberosTicket.getRenewTill());
        return time + ((long) ((time2 - time) * this.ticketRenewWindowFactor));
    }

    private KerberosTicket getTGT() {
        for (KerberosTicket kerberosTicket : this.subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = kerberosTicket.getServer();
            if (server.getName().equals(String.format("krbtgt/%s@%s", server.getRealm(), server.getRealm()))) {
                log.debug("Found TGT with client principal '{}' and server principal '{}'.", kerberosTicket.getClient().getName(), kerberosTicket.getServer().getName());
                return kerberosTicket;
            }
        }
        return null;
    }

    private void reLogin() throws LoginException {
        if (this.isKrbTicket) {
            if (this.loginContext == null) {
                throw new LoginException("Login must be done first");
            }
            synchronized (KerberosLogin.class) {
                log.info("Initiating logout for {}", this.principal);
                this.loginContext.logout();
                this.loginContext = new LoginContext(contextName(), this.subject, (CallbackHandler) null, configuration());
                log.info("Initiating re-login for {}", this.principal);
                this.loginContext.login();
                log.info("Successful re-login for {}", this.principal);
            }
        }
    }
}
