package org.apache.hive.service.auth;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLServerSocket;
import org.apache.hadoop.hive.common.StatsSetupConst;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.shims.ShimLoader;
import org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hive.service.cli.HiveSQLException;
import org.apache.hive.service.cli.thrift.ThriftCLIService;
import org.apache.thrift.TProcessorFactory;
import org.apache.thrift.transport.TSSLTransportFactory;
import org.apache.thrift.transport.TServerSocket;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.apache.thrift.transport.TTransportFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hive/service/auth/HiveAuthFactory.class */
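/**
 * Builds the Thrift transport/processor factories HiveServer2 uses to authenticate
 * clients, and fronts the SASL server's delegation-token operations.
 *
 * <p>A {@link HadoopThriftAuthBridge.Server} is created only for the {@code BINARY}
 * transport, and only when the configured authentication is Kerberos or MapR-SASL on a
 * secure shim, or PAM with Hadoop security enabled. In every other configuration
 * {@code saslServer} is {@code null}: {@link #getRemoteUser()} and {@link #getIpAddress()}
 * then return {@code null}, and the delegation-token methods fail with SQLSTATE 08S01.
 *
 * <p>Instances are immutable after construction; the single mutable collaborator is the
 * SASL server owned by the Hadoop shim.
 */
public class HiveAuthFactory {
    private static final Logger LOG = LoggerFactory.getLogger(HiveAuthFactory.class);

    /** Key under which the proxy-user name is carried; declared for callers, not read in this class. */
    public static final String HS2_PROXY_USER = "hive.server2.proxy.user";
    /** Service name stamped on delegation tokens issued by {@link #getDelegationToken}. */
    public static final String HS2_CLIENT_TOKEN = "hiveserver2ClientToken";

    /** SQLSTATE used for every token/proxy failure raised here (communication link failure class). */
    private static final String SQLSTATE_COMM_LINK_FAILURE = "08S01";

    /** {@code null} unless SASL is active on the binary transport; see class comment. */
    private final HadoopThriftAuthBridge.Server saslServer;
    private final AuthTypes authType;
    private final TransTypes transportType;
    /** Upper bound on a SASL message, passed straight through to the transport factories. */
    private final int saslMessageLimit;
    private final HiveConf conf;

    /** Authentication mechanisms selectable via {@code HIVE_SERVER2_AUTHENTICATION}. */
    public enum AuthTypes {
        NOSASL,
        NONE,
        LDAP,
        KERBEROS,
        CUSTOM,
        PAM,
        MAPRSASL
    }

    /**
     * {@link TServerSocket} that turns on TCP keep-alive for every accepted connection,
     * so half-open client sockets are eventually detected by the kernel.
     */
    static class TServerSocketKeepAlive extends TServerSocket {
        public TServerSocketKeepAlive(ServerSocket serverSocket) throws TTransportException {
            super(serverSocket);
        }

        /**
         * Accepts a connection and enables keep-alive on it.
         *
         * @throws TTransportException if the accept fails or the socket option cannot be set
         */
        @Override
        public TSocket acceptImpl() throws TTransportException {
            TSocket client = super.acceptImpl();
            try {
                client.getSocket().setKeepAlive(true);
            } catch (SocketException e) {
                throw new TTransportException(e);
            }
            return client;
        }
    }

    /**
     * Transport modes selectable via {@code HIVE_SERVER2_TRANSPORT_MODE}, each carrying the
     * authentication type used when {@code HIVE_SERVER2_AUTHENTICATION} is unset.
     */
    public enum TransTypes {
        HTTP(AuthTypes.NOSASL),
        BINARY(AuthTypes.NONE);

        private final AuthTypes defaultAuthType;

        TransTypes(AuthTypes defaultAuthType) {
            this.defaultAuthType = defaultAuthType;
        }

        /** Authentication type applied when none is configured explicitly. */
        AuthTypes getDefaultAuthType() {
            return defaultAuthType;
        }
    }

    /**
     * Reads transport and authentication settings from {@code hiveConf} and, when the
     * combination calls for it, creates the SASL server (and, for Kerberos only, starts
     * the delegation-token secret manager).
     *
     * @param hiveConf server configuration; the transport mode must name a {@link TransTypes}
     *                 constant and the authentication mode, if set, an {@link AuthTypes} constant
     * @throws TTransportException if the delegation-token secret manager fails to start
     * @throws IllegalArgumentException if either mode does not match an enum constant
     */
    public HiveAuthFactory(HiveConf hiveConf) throws TTransportException {
        this.conf = hiveConf;
        this.saslMessageLimit = hiveConf.getIntVar(HiveConf.ConfVars.HIVE_THRIFT_SASL_MESSAGE_LIMIT);

        String transportMode = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_TRANSPORT_MODE);
        String authMode = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION);
        // Locale.ROOT: with the default locale, "binary" upper-cases to "BİNARY" under tr_TR
        // and valueOf() rejects it. Enum lookup must not depend on the JVM's locale.
        this.transportType = TransTypes.valueOf(transportMode.toUpperCase(Locale.ROOT));
        this.authType = authMode == null
                ? this.transportType.getDefaultAuthType()
                : AuthTypes.valueOf(authMode.toUpperCase(Locale.ROOT));

        boolean kerberosLike = this.authType == AuthTypes.KERBEROS || this.authType == AuthTypes.MAPRSASL;
        // Same short-circuit order as before: isSecurityEnabled() is consulted only when the
        // Kerberos/MapR-SASL branch does not already apply.
        boolean saslOverBinary = this.transportType == TransTypes.BINARY
                && ((ShimLoader.getHadoopShims().isSecureShimImpl() && kerberosLike)
                    || (this.authType == AuthTypes.PAM && ShimLoader.getHadoopShims().isSecurityEnabled()));
        if (!saslOverBinary) {
            this.saslServer = null;
            return;
        }

        this.saslServer = ShimLoader.getHadoopThriftAuthBridge().createServer(
                hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
                hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL));
        // Only KERBEROS starts the token secret manager; MAPRSASL and PAM get a SASL server
        // without one, so their token operations go to the bridge as-is.
        if (this.authType == AuthTypes.KERBEROS) {
            try {
                this.saslServer.startDelegationTokenSecretManager(
                        hiveConf, null, HadoopThriftAuthBridge.Server.ServerMode.HIVESERVER2);
            } catch (Exception e) {
                throw new TTransportException("Failed to start token manager", e);
            }
        }
    }

    /**
     * SASL properties for the server side: the configured quality of protection and
     * mandatory server authentication. Keys are the values of
     * {@code javax.security.sasl.Sasl#QOP} and {@code Sasl#SERVER_AUTH}.
     *
     * @return a fresh, mutable map
     */
    public Map<String, String> getSaslProperties() {
        Map<String, String> props = new HashMap<String, String>();
        props.put("javax.security.sasl.qop",
                SaslQOP.fromString(conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_SASL_QOP)).toString());
        props.put("javax.security.sasl.server.authentication", StatsSetupConst.TRUE);
        return props;
    }

    /**
     * Transport factory matching the configured authentication type.
     *
     * <ul>
     *   <li>KERBEROS / MAPRSASL: SASL factory from the bridge server.</li>
     *   <li>PAM with Hadoop security enabled: SASL factory plus a PLAIN definition.</li>
     *   <li>NOSASL: a bare {@link TTransportFactory}.</li>
     *   <li>anything else (NONE, LDAP, CUSTOM, PAM without security): PLAIN SASL factory.</li>
     * </ul>
     *
     * @throws TTransportException if a SASL-backed type is requested but no SASL server was
     *         created (e.g. Kerberos over the HTTP transport); previously this surfaced as an NPE
     * @throws Exception propagated from the PLAIN helper
     */
    public TTransportFactory getAuthTransFactory() throws Exception {
        switch (authType) {
            case KERBEROS:
            case MAPRSASL:
                return saslServerOrThrow().createTransportFactory(getSaslProperties(), saslMessageLimit);
            case PAM:
                if (ShimLoader.getHadoopShims().isSecurityEnabled()) {
                    TTransportFactory factory =
                            saslServerOrThrow().createTransportFactory(getSaslProperties(), saslMessageLimit);
                    PlainSaslHelper.addPlainDefinitionToFactory(authType.name(), factory, saslServer);
                    return factory;
                }
                return PlainSaslHelper.getPlainTransportFactory(authType.name(), saslMessageLimit);
            case NOSASL:
                return new TTransportFactory();
            default:
                return PlainSaslHelper.getPlainTransportFactory(authType.name(), saslMessageLimit);
        }
    }

    /**
     * Processor factory matching the configured authentication type: Kerberos and
     * MapR-SASL wrap the service in their SASL helper; everything else uses the PLAIN one.
     *
     * @param service the CLI service to wrap
     */
    public TProcessorFactory getAuthProcFactory(ThriftCLIService service) {
        switch (authType) {
            case KERBEROS:
                return KerberosSaslHelper.getKerberosProcessorFactory(saslServer, service);
            case MAPRSASL:
                return MapRSecSaslHelper.getProcessorFactory(saslServer, service);
            default:
                return PlainSaslHelper.getPlainProcessorFactory(service);
        }
    }

    /**
     * Authenticated user of the current SASL connection, or {@code null} when SASL is not active.
     */
    public String getRemoteUser() {
        return saslServer == null ? null : saslServer.getRemoteUser();
    }

    /**
     * Remote address of the current SASL connection as a string, or {@code null} when SASL
     * is not active or the bridge has no address for the connection.
     */
    public String getIpAddress() {
        if (saslServer == null) {
            return null;
        }
        Object remote = saslServer.getRemoteAddress();
        // The bridge may have no address recorded (no connection bound to this thread yet);
        // return null rather than dereferencing it.
        return remote == null ? null : remote.toString();
    }

    /**
     * Logs the HiveServer2 service principal in from its keytab.
     *
     * @throws IOException if principal or keytab is unset (empty) or the login fails
     */
    public static void loginFromKeytab(HiveConf hiveConf) throws IOException {
        String principal = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);
        String keytab = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB);
        if (principal.isEmpty() || keytab.isEmpty()) {
            throw new IOException("HiveServer2 Kerberos principal or keytab is not correctly configured");
        }
        ShimLoader.getHadoopShims().loginUserFromKeytab(principal, keytab);
    }

    /**
     * Logs the SPNEGO principal in from its keytab and returns the resulting UGI.
     *
     * @throws IOException if principal or keytab is unset (empty) or the login fails
     */
    public static UserGroupInformation loginFromSpnegoKeytabAndReturnUGI(HiveConf hiveConf) throws IOException {
        String principal = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
        String keytab = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
        if (principal.isEmpty() || keytab.isEmpty()) {
            throw new IOException("HiveServer2 SPNEGO principal or keytab is not correctly configured");
        }
        return ShimLoader.getHadoopShims().loginUserFromKeytabAndReturnUGI(principal, keytab);
    }

    /** Plain (unencrypted) client socket to {@code host:port} with the given timeout in ms. */
    public static TTransport getSocketTransport(String host, int port, int loginTimeoutMs) {
        return new TSocket(host, port, loginTimeoutMs);
    }

    /** TLS client socket using the JVM's default trust material. */
    public static TTransport getSSLSocket(String host, int port, int loginTimeoutMs) throws TTransportException {
        return TSSLTransportFactory.getClientSocket(host, port, loginTimeoutMs);
    }

    /**
     * TLS client socket that trusts only the given trust store.
     *
     * @param trustStorePath     path to the trust store
     * @param trustStorePassword its password; passed as a String because the Thrift API takes one
     */
    public static TTransport getSSLSocket(String host, int port, int loginTimeoutMs,
            String trustStorePath, String trustStorePassword) throws TTransportException {
        TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters();
        params.setTrustStore(trustStorePath, trustStorePassword);
        // Kept from the original: the parameter object is flagged requireClientAuth(true)
        // even though this is the client side.
        params.requireClientAuth(true);
        return TSSLTransportFactory.getClientSocket(host, port, loginTimeoutMs, params);
    }

    /**
     * Plain server socket bound to {@code hiveHost:portNum} (all interfaces when the host is
     * null/empty), optionally wrapped to enable TCP keep-alive on accepted connections.
     *
     * @param clientTimeoutMs socket timeout applied by {@link TServerSocket}
     */
    public static TServerSocket getServerSocket(String hiveHost, int portNum, int clientTimeoutMs,
            boolean keepAlive) throws TTransportException {
        TServerSocket serverSocket = new TServerSocket(bindAddress(hiveHost, portNum), clientTimeoutMs);
        return keepAlive ? new TServerSocketKeepAlive(serverSocket.getServerSocket()) : serverSocket;
    }

    /**
     * TLS server socket using the given key store, with the listed protocol versions removed
     * from the enabled set. Matching is case-insensitive and ignores surrounding whitespace;
     * an entry that names a protocol not currently enabled has no effect, so the final
     * enabled list is logged at INFO for verification.
     *
     * @param keyStorePath        path to the server key store
     * @param keyStorePassWord    its password; passed as a String because the Thrift API takes one
     * @param sslVersionBlacklist protocol names to disable; {@code null} is treated as empty
     * @param keepAlive           wrap the socket to enable TCP keep-alive on accepted connections
     */
    public static TServerSocket getServerSSLSocket(String hiveHost, int portNum, String keyStorePath,
            String keyStorePassWord, List<String> sslVersionBlacklist, int clientTimeoutMs, boolean keepAlive)
            throws TTransportException, UnknownHostException {
        TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters();
        params.setKeyStore(keyStorePath, keyStorePassWord);
        TServerSocket serverSocket = TSSLTransportFactory.getServerSocket(
                portNum, clientTimeoutMs, bindAddress(hiveHost, portNum).getAddress(), params);

        if (serverSocket.getServerSocket() instanceof SSLServerSocket) {
            SSLServerSocket sslSocket = (SSLServerSocket) serverSocket.getServerSocket();
            sslSocket.setEnabledProtocols(filterProtocols(sslSocket.getEnabledProtocols(), sslVersionBlacklist));
            LOG.info("SSL Server Socket Enabled Protocols: {}", Arrays.toString(sslSocket.getEnabledProtocols()));
        }
        return keepAlive ? new TServerSocketKeepAlive(serverSocket.getServerSocket()) : serverSocket;
    }

    /**
     * Issues a delegation token for {@code owner}, optionally renewable by {@code renewer}.
     *
     * @throws HiveSQLException with SQLSTATE 08S01 if SASL is not active, the bridge returns an
     *         empty token, the retrieval fails, or the thread is interrupted (interrupt flag restored)
     */
    public String getDelegationToken(String owner, String renewer) throws HiveSQLException {
        HadoopThriftAuthBridge.Server server = requireSaslServer();
        try {
            String token = server.getDelegationTokenWithService(owner, renewer, HS2_CLIENT_TOKEN);
            if (token == null || token.isEmpty()) {
                throw new HiveSQLException("Received empty retrieving delegation token for user " + owner,
                        SQLSTATE_COMM_LINK_FAILURE);
            }
            return token;
        } catch (IOException e) {
            throw new HiveSQLException("Error retrieving delegation token for user " + owner,
                    SQLSTATE_COMM_LINK_FAILURE, e);
        } catch (InterruptedException e) {
            // Don't swallow the interrupt: the caller's thread keeps its interrupted status.
            Thread.currentThread().interrupt();
            throw new HiveSQLException("delegation token retrieval interrupted", SQLSTATE_COMM_LINK_FAILURE, e);
        }
    }

    /**
     * Cancels a delegation token.
     *
     * @throws HiveSQLException with SQLSTATE 08S01 if SASL is not active or cancellation fails
     */
    public void cancelDelegationToken(String delegationToken) throws HiveSQLException {
        HadoopThriftAuthBridge.Server server = requireSaslServer();
        try {
            server.cancelDelegationToken(delegationToken);
        } catch (IOException e) {
            throw new HiveSQLException("Error canceling delegation token " + delegationToken,
                    SQLSTATE_COMM_LINK_FAILURE, e);
        }
    }

    /**
     * Renews a delegation token.
     *
     * @throws HiveSQLException with SQLSTATE 08S01 if SASL is not active or renewal fails
     */
    public void renewDelegationToken(String delegationToken) throws HiveSQLException {
        HadoopThriftAuthBridge.Server server = requireSaslServer();
        try {
            server.renewDelegationToken(delegationToken);
        } catch (IOException e) {
            throw new HiveSQLException("Error renewing delegation token " + delegationToken,
                    SQLSTATE_COMM_LINK_FAILURE, e);
        }
    }

    /**
     * Resolves the user a delegation token was issued to.
     *
     * @throws HiveSQLException with SQLSTATE 08S01 if SASL is not active or decoding fails
     */
    public String getUserFromToken(String delegationToken) throws HiveSQLException {
        HadoopThriftAuthBridge.Server server = requireSaslServer();
        try {
            return server.getUserFromToken(delegationToken);
        } catch (IOException e) {
            throw new HiveSQLException("Error extracting user from delegation token " + delegationToken,
                    SQLSTATE_COMM_LINK_FAILURE, e);
        }
    }

    /**
     * Checks that {@code realUser} is allowed to act as {@code proxyUser} from {@code ipAddress}.
     * No check is made when the two names are equal ignoring case. With Hadoop security enabled
     * the real user is first reduced to its Kerberos service name.
     *
     * @throws HiveSQLException with SQLSTATE 08S01 if the authorization check fails or errors
     */
    public static void verifyProxyAccess(String realUser, String proxyUser, String ipAddress, HiveConf hiveConf)
            throws HiveSQLException {
        try {
            UserGroupInformation realUserUgi;
            if (ShimLoader.getHadoopShims().isSecurityEnabled()) {
                realUserUgi = ShimLoader.getHadoopShims().createProxyUser(
                        ShimLoader.getHadoopShims().getKerberosNameShim(realUser).getServiceName());
            } else {
                realUserUgi = ShimLoader.getHadoopShims().createRemoteUser(realUser, null);
            }
            if (!proxyUser.equalsIgnoreCase(realUser)) {
                ShimLoader.getHadoopShims().authorizeProxyAccess(proxyUser, realUserUgi, ipAddress, hiveConf);
            }
        } catch (IOException e) {
            throw new HiveSQLException("Failed to validate proxy privilege of " + realUser + " for " + proxyUser,
                    SQLSTATE_COMM_LINK_FAILURE, e);
        }
    }

    /** The SASL server, or the shared 08S01 failure when this factory was built without one. */
    private HadoopThriftAuthBridge.Server requireSaslServer() throws HiveSQLException {
        if (saslServer == null) {
            throw new HiveSQLException("Delegation token only supported over kerberos authentication",
                    SQLSTATE_COMM_LINK_FAILURE);
        }
        return saslServer;
    }

    /** The SASL server for transport-factory construction, failing with a descriptive error instead of an NPE. */
    private HadoopThriftAuthBridge.Server saslServerOrThrow() throws TTransportException {
        if (saslServer == null) {
            throw new TTransportException("SASL authentication " + authType
                    + " requires the BINARY transport on a secure shim; no SASL server was created");
        }
        return saslServer;
    }

    /** Wildcard bind address when {@code host} is null/empty, otherwise {@code host:port}. */
    private static InetSocketAddress bindAddress(String host, int port) {
        return (host == null || host.isEmpty()) ? new InetSocketAddress(port) : new InetSocketAddress(host, port);
    }

    /**
     * Removes every protocol named in {@code blacklist} (trimmed, case-insensitive) from
     * {@code enabled}, logging each removal at DEBUG. Order of the survivors is preserved.
     */
    private static String[] filterProtocols(String[] enabled, List<String> blacklist) {
        Set<String> disabled = new HashSet<String>();
        if (blacklist != null) {
            for (String name : blacklist) {
                disabled.add(name.trim().toLowerCase(Locale.ROOT));
            }
        }
        List<String> kept = new ArrayList<String>(enabled.length);
        for (String protocol : enabled) {
            if (disabled.contains(protocol.toLowerCase(Locale.ROOT))) {
                LOG.debug("Disabling SSL Protocol: {}", protocol);
            } else {
                kept.add(protocol);
            }
        }
        return kept.toArray(new String[0]);
    }
}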
