package org.apache.hive.service.auth;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.text.MessageFormat;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.hive.shims.ShimLoader;
import org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hive.service.cli.HiveSQLException;
import org.apache.hive.service.cli.thrift.ThriftCLIService;
import org.apache.thrift.TProcessorFactory;
import org.apache.thrift.transport.TSSLTransportFactory;
import org.apache.thrift.transport.TServerSocket;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.apache.thrift.transport.TTransportFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hive/service/auth/HiveAuthFactory.class */
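/**
 * Builds the Thrift transport/processor factories that implement HiveServer2 authentication and
 * exposes the delegation-token operations of the underlying Hadoop SASL server.
 *
 * <p>Which factories are produced is decided once, in the constructor, from the configured
 * transport mode and authentication type. A Hadoop-backed {@link HadoopThriftAuthBridge.Server}
 * is created only for KERBEROS, MAPRSASL, and PAM-with-Hadoop-security; every other mode leaves
 * {@code saslServer} {@code null}, and the delegation-token methods then fail fast.
 *
 * <p>Not thread-safe with respect to construction; instances are expected to be created once and
 * then read.
 */
public class HiveAuthFactory {
    private static final Logger LOG = LoggerFactory.getLogger(HiveAuthFactory.class);

    /** Configuration key for the proxy-user request (value {@code hive.server2.proxy.user}); not read in this class. */
    public static final String HS2_PROXY_USER = "hive.server2.proxy.user";
    /** Service name stamped into every delegation token issued by {@link #getDelegationToken}. */
    public static final String HS2_CLIENT_TOKEN = "hiveserver2ClientToken";

    private static final String TRANSPORT_MODE_HTTP = "http";
    private static final String SASL_QOP_PROPERTY = "javax.security.sasl.qop";
    private static final String SASL_SERVER_AUTH_PROPERTY = "javax.security.sasl.server.authentication";
    // Shared message for every token operation invoked without a SASL server. The wording says
    // "kerberos", but a SASL server also exists for MAPRSASL and PAM+security (see constructor).
    private static final String NO_SASL_SERVER_MSG =
            "Delegation token only supported over kerberos authentication";

    // `conf` must be declared before the fields that read it: Java runs initializers in source order.
    private final HiveConf conf = new HiveConf();
    private final String transportMode = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_TRANSPORT_MODE);
    private final int saslMessageLimit = conf.getIntVar(HiveConf.ConfVars.HIVE_THRIFT_SASL_MESSAGE_LIMIT);

    /** Hadoop SASL server; {@code null} unless the auth type requires one (decided in the constructor). */
    private HadoopThriftAuthBridge.Server saslServer;
    /** Effective auth type, never {@code null} after construction (defaulted per transport mode). */
    private String authTypeStr;

    /**
     * Authentication schemes HiveServer2 can be configured with. {@link #getAuthName()} is the
     * spelling used in configuration and compared case-insensitively throughout this class.
     */
    public enum AuthTypes {
        NOSASL("NOSASL"),
        MAPRSASL("MAPRSASL"),
        NONE("NONE"),
        LDAP("LDAP"),
        KERBEROS("KERBEROS"),
        CUSTOM("CUSTOM"),
        PAM("PAM");

        private final String authType;

        AuthTypes(String authType) {
            this.authType = authType;
        }

        /** @return the configuration spelling of this authentication type */
        public String getAuthName() {
            return authType;
        }
    }

    /**
     * Reads the configured authentication type and, where the type needs it, creates the Hadoop
     * SASL server from the HiveServer2 Kerberos keytab/principal.
     *
     * <p>Defaults: HTTP transport with no auth type configured becomes {@link AuthTypes#NOSASL};
     * binary transport with none configured becomes {@link AuthTypes#NONE}. In HTTP mode no SASL
     * server is ever created here. For KERBEROS the delegation-token secret manager is also started.
     *
     * @throws TTransportException if the delegation-token secret manager cannot be started
     */
    public HiveAuthFactory() throws TTransportException {
        saslServer = null;
        authTypeStr = conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION);

        if (transportMode.equalsIgnoreCase(TRANSPORT_MODE_HTTP)) {
            if (authTypeStr == null) {
                authTypeStr = AuthTypes.NOSASL.getAuthName();
            }
            return;
        }

        if (authTypeStr == null) {
            authTypeStr = AuthTypes.NONE.getAuthName();
            return;
        }

        // A Hadoop SASL server is needed for KERBEROS and MAPRSASL, and for PAM only when Hadoop
        // security is enabled. isSecurityEnabled() is consulted only on the PAM path.
        boolean needsHadoopSasl = isAuthType(AuthTypes.KERBEROS)
                || isAuthType(AuthTypes.MAPRSASL)
                || (isAuthType(AuthTypes.PAM) && ShimLoader.getHadoopShims().isSecurityEnabled());
        if (!needsHadoopSasl) {
            return; // saslServer stays null; token operations will be rejected
        }

        saslServer = ShimLoader.getHadoopThriftAuthBridge().createServer(
                conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB),
                conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL));

        if (isAuthType(AuthTypes.KERBEROS)) {
            try {
                saslServer.startDelegationTokenSecretManager(conf, (Object) null);
            } catch (IOException e) {
                throw new TTransportException("Failed to start token manager", e);
            }
        }
    }

    /**
     * Case-insensitive test of the effective auth type against one of the known constants.
     * Callers only invoke this after the constructor has defaulted {@code authTypeStr}.
     */
    private boolean isAuthType(AuthTypes type) {
        return authTypeStr.equalsIgnoreCase(type.getAuthName());
    }

    /** {@code true} for {@code null} or the empty string. */
    private static boolean isNullOrEmpty(String value) {
        return value == null || value.isEmpty();
    }

    /**
     * Returns the SASL properties handed to the Thrift SASL transport: the configured
     * quality-of-protection and {@code javax.security.sasl.server.authentication=true}.
     *
     * <p>If Hadoop's own RPC protection (read via the Thrift auth bridge) is stronger than the
     * HiveServer2 setting, a warning is logged but the HiveServer2 value is still used. The
     * comparison relies on {@code SaslQOP.ordinal()}; this assumes the SaslQOP constants are
     * declared in increasing strength - verify in SaslQOP before reordering them.
     *
     * @return a new mutable map with the two SASL properties
     */
    public Map<String, String> getSaslProperties() {
        Map<String, String> saslProps = new HashMap<>();
        SaslQOP hs2Qop = SaslQOP.fromString(conf.getVar(HiveConf.ConfVars.HIVE_SERVER2_THRIFT_SASL_QOP));
        SaslQOP hadoopQop = SaslQOP.fromString((String) ShimLoader.getHadoopThriftAuthBridge()
                .getHadoopSaslProperties(conf).get(SASL_QOP_PROPERTY));
        if (hadoopQop.ordinal() > hs2Qop.ordinal()) {
            LOG.warn(MessageFormat.format(
                    "\"hadoop.rpc.protection\" is set to higher security level {0} then {1} which is set to {2}",
                    hadoopQop.toString(), HiveConf.ConfVars.HIVE_SERVER2_THRIFT_SASL_QOP.varname, hs2Qop.toString()));
        }
        saslProps.put(SASL_QOP_PROPERTY, hs2Qop.toString());
        saslProps.put(SASL_SERVER_AUTH_PROPERTY, "true");
        return saslProps;
    }

    /**
     * Wraps a transport failure as the {@link LoginException} this class reports to callers,
     * keeping the original exception as the cause so the underlying reason is not lost.
     */
    private static LoginException loginFailure(TTransportException cause) {
        LoginException failure = new LoginException(cause.getMessage());
        failure.initCause(cause);
        return failure;
    }

    /** Transport factory from the Hadoop SASL server, using {@link #getSaslProperties()}. */
    private TTransportFactory newHadoopSaslTransportFactory() throws LoginException {
        try {
            return saslServer.createTransportFactory(getSaslProperties(), saslMessageLimit);
        } catch (TTransportException e) {
            throw loginFailure(e);
        }
    }

    /**
     * Builds the server-side Thrift transport factory for the configured (binary-mode) auth type.
     *
     * <ul>
     *   <li>KERBEROS, MAPRSASL: Hadoop SASL transport.</li>
     *   <li>NONE, LDAP, CUSTOM: PLAIN SASL transport from {@code PlainSaslHelper}.</li>
     *   <li>PAM: Hadoop SASL transport with a PLAIN definition added when Hadoop security is
     *       enabled, otherwise a PLAIN transport.</li>
     *   <li>NOSASL: a bare {@link TTransportFactory}, i.e. no authentication at all.</li>
     * </ul>
     *
     * @return the transport factory for the configured auth type
     * @throws LoginException if the auth type is unsupported or the SASL transport cannot be built
     * @throws Exception propagated from the helper factories
     */
    public TTransportFactory getAuthTransFactory() throws Exception {
        if (isAuthType(AuthTypes.KERBEROS) || isAuthType(AuthTypes.MAPRSASL)) {
            return newHadoopSaslTransportFactory();
        }
        if (isAuthType(AuthTypes.NONE) || isAuthType(AuthTypes.LDAP) || isAuthType(AuthTypes.CUSTOM)) {
            return PlainSaslHelper.getPlainTransportFactory(authTypeStr, saslMessageLimit);
        }
        if (isAuthType(AuthTypes.PAM)) {
            if (!ShimLoader.getHadoopShims().isSecurityEnabled()) {
                return PlainSaslHelper.getPlainTransportFactory(authTypeStr, saslMessageLimit);
            }
            try {
                TTransportFactory factory = saslServer.createTransportFactory(getSaslProperties(), saslMessageLimit);
                PlainSaslHelper.addPlainDefinitionToFactory(authTypeStr, factory, saslServer);
                return factory;
            } catch (TTransportException e) {
                throw loginFailure(e);
            }
        }
        if (isAuthType(AuthTypes.NOSASL)) {
            return new TTransportFactory();
        }
        throw new LoginException("Unsupported authentication type " + authTypeStr);
    }

    /**
     * Builds the Thrift processor factory matching the transport: HTTP auth in HTTP mode, the
     * Kerberos or MapR SASL processor when that auth type is configured, and the PLAIN processor
     * for everything else.
     *
     * @param service the CLI service the processors dispatch to
     * @return the processor factory for the configured transport mode and auth type
     * @throws LoginException propagated from the helper factories
     */
    public TProcessorFactory getAuthProcFactory(ThriftCLIService service) throws LoginException {
        if (transportMode.equalsIgnoreCase(TRANSPORT_MODE_HTTP)) {
            return HttpAuthUtils.getAuthProcFactory(service);
        }
        if (isAuthType(AuthTypes.KERBEROS)) {
            return KerberosSaslHelper.getKerberosProcessorFactory(saslServer, service);
        }
        if (isAuthType(AuthTypes.MAPRSASL)) {
            return MapRSecSaslHelper.getProcessorFactory(saslServer, service);
        }
        return PlainSaslHelper.getPlainProcessorFactory(service);
    }

    /**
     * @return the authenticated user reported by the SASL server, or {@code null} when no SASL
     *     server exists for the configured auth type
     */
    public String getRemoteUser() {
        return saslServer == null ? null : saslServer.getRemoteUser();
    }

    /**
     * @return the SASL server's remote address rendered with {@code toString()}, or {@code null}
     *     when no SASL server exists. NOTE(review): if {@code getRemoteAddress()} is an
     *     {@code InetAddress}, this is not a bare IP literal - confirm callers expect that form.
     */
    public String getIpAddress() {
        return saslServer == null ? null : saslServer.getRemoteAddress().toString();
    }

    /**
     * Logs the process in from the HiveServer2 Kerberos keytab.
     *
     * @param hiveConf configuration providing the HiveServer2 principal and keytab
     * @throws IOException if either value is missing or empty, or if the login fails
     */
    public static void loginFromKeytab(HiveConf hiveConf) throws IOException {
        String principal = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_PRINCIPAL);
        String keytab = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_KERBEROS_KEYTAB);
        // Null is reported as a configuration error rather than surfacing as an NPE.
        if (isNullOrEmpty(principal) || isNullOrEmpty(keytab)) {
            throw new IOException("HiveServer2 kerberos principal or keytab is not correctly configured");
        }
        ShimLoader.getHadoopShims().loginUserFromKeytab(principal, keytab);
    }

    /**
     * Logs in from the SPNEGO keytab and returns the resulting UGI (used for HTTP-mode auth).
     *
     * @param hiveConf configuration providing the SPNEGO principal and keytab
     * @return the logged-in user
     * @throws IOException if either value is missing or empty, or if the login fails
     */
    public static UserGroupInformation loginFromSpnegoKeytabAndReturnUGI(HiveConf hiveConf) throws IOException {
        String principal = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_SPNEGO_PRINCIPAL);
        String keytab = hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_SPNEGO_KEYTAB);
        if (isNullOrEmpty(principal) || isNullOrEmpty(keytab)) {
            throw new IOException("HiveServer2 SPNego principal or keytab is not correctly configured");
        }
        return ShimLoader.getHadoopShims().loginUserFromKeytabAndReturnUGI(principal, keytab);
    }

    /**
     * Plain (non-TLS) client socket.
     *
     * @param host server host
     * @param port server port
     * @param loginTimeout socket timeout passed to {@link TSocket}
     * @throws TTransportException if the socket cannot be created
     */
    public static TTransport getSocketTransport(String host, int port, int loginTimeout) throws TTransportException {
        return new TSocket(host, port, loginTimeout);
    }

    /**
     * TLS client socket with no explicit trust store: no parameters are supplied here, so the
     * server certificate is validated against whatever the JVM's default SSL context trusts.
     *
     * @param host server host
     * @param port server port
     * @param loginTimeout socket timeout
     * @throws TTransportException if the socket cannot be created
     */
    public static TTransport getSSLSocket(String host, int port, int loginTimeout) throws TTransportException {
        return TSSLTransportFactory.getClientSocket(host, port, loginTimeout);
    }

    /**
     * TLS client socket that validates the server against the given trust store.
     *
     * @param host server host
     * @param port server port
     * @param loginTimeout socket timeout
     * @param trustStorePath path of the trust store
     * @param trustStorePassword password of the trust store
     * @throws TTransportException if the socket cannot be created
     */
    public static TTransport getSSLSocket(String host, int port, int loginTimeout,
            String trustStorePath, String trustStorePassword) throws TTransportException {
        TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters();
        params.setTrustStore(trustStorePath, trustStorePassword);
        // Set on a client-side parameter object; whether Thrift honours it for client sockets is
        // decided by TSSLTransportFactory, not here.
        params.requireClientAuth(true);
        return TSSLTransportFactory.getClientSocket(host, port, loginTimeout, params);
    }

    /**
     * Plain (non-TLS) server socket. A {@code null} or empty host binds to the wildcard address.
     *
     * @param hiveHost bind host, or {@code null}/empty for all interfaces
     * @param portNum bind port
     * @throws TTransportException if the socket cannot be created
     */
    public static TServerSocket getServerSocket(String hiveHost, int portNum) throws TTransportException {
        InetSocketAddress bindAddress = isNullOrEmpty(hiveHost)
                ? new InetSocketAddress(portNum)
                : new InetSocketAddress(hiveHost, portNum);
        return new TServerSocket(bindAddress);
    }

    /**
     * TLS server socket presenting the given key store. Only a key store is configured, so no
     * TLS client authentication is requested; clients are authenticated by the SASL/HTTP layer on
     * top of the transport. A {@code null} or empty host binds to the local host address.
     *
     * @param hiveHost bind host, or {@code null}/empty for {@link InetAddress#getLocalHost()}
     * @param portNum bind port
     * @param keyStorePath path of the server key store
     * @param keyStorePassword password of the key store
     * @throws TTransportException if the socket cannot be created
     * @throws UnknownHostException if {@code hiveHost} cannot be resolved
     */
    public static TServerSocket getServerSSLSocket(String hiveHost, int portNum,
            String keyStorePath, String keyStorePassword) throws TTransportException, UnknownHostException {
        TSSLTransportFactory.TSSLTransportParameters params = new TSSLTransportFactory.TSSLTransportParameters();
        params.setKeyStore(keyStorePath, keyStorePassword);
        InetAddress bindAddress = isNullOrEmpty(hiveHost)
                ? InetAddress.getLocalHost()
                : InetAddress.getByName(hiveHost);
        return TSSLTransportFactory.getServerSocket(portNum, 0, bindAddress, params);
    }

    /**
     * @return the SASL server backing delegation-token operations
     * @throws HiveSQLException if the configured auth type did not create one
     */
    private HadoopThriftAuthBridge.Server requireSaslServer() throws HiveSQLException {
        if (saslServer == null) {
            throw new HiveSQLException(NO_SASL_SERVER_MSG);
        }
        return saslServer;
    }

    /**
     * Issues a delegation token for {@code owner} renewable by {@code renewer}, with service
     * {@link #HS2_CLIENT_TOKEN}.
     *
     * @param owner user the token is issued for
     * @param renewer user allowed to renew the token
     * @return the encoded token, never {@code null} or empty
     * @throws HiveSQLException if no SASL server exists, the token is empty, or retrieval fails
     */
    public String getDelegationToken(String owner, String renewer) throws HiveSQLException {
        HadoopThriftAuthBridge.Server server = requireSaslServer();
        try {
            String token = server.getDelegationTokenWithService(owner, renewer, HS2_CLIENT_TOKEN);
            if (isNullOrEmpty(token)) {
                throw new HiveSQLException("Received empty retrieving delegation token for user " + owner);
            }
            return token;
        } catch (IOException e) {
            throw new HiveSQLException("Error retrieving delegation token for user " + owner, e);
        } catch (InterruptedException e) {
            // Restore the interrupt flag so the calling thread still observes the interruption.
            Thread.currentThread().interrupt();
            throw new HiveSQLException("delegation token retrieval interrupted", e);
        }
    }

    /**
     * Cancels a delegation token.
     *
     * @param delegationToken the encoded token
     * @throws HiveSQLException if no SASL server exists or cancellation fails
     */
    public void cancelDelegationToken(String delegationToken) throws HiveSQLException {
        HadoopThriftAuthBridge.Server server = requireSaslServer();
        try {
            server.cancelDelegationToken(delegationToken);
        } catch (IOException e) {
            throw new HiveSQLException("Error canceling delegation token " + delegationToken, e);
        }
    }

    /**
     * Renews a delegation token.
     *
     * @param delegationToken the encoded token
     * @throws HiveSQLException if no SASL server exists or renewal fails
     */
    public void renewDelegationToken(String delegationToken) throws HiveSQLException {
        HadoopThriftAuthBridge.Server server = requireSaslServer();
        try {
            server.renewDelegationToken(delegationToken);
        } catch (IOException e) {
            throw new HiveSQLException("Error renewing delegation token " + delegationToken, e);
        }
    }

    /**
     * Extracts the owner of a delegation token.
     *
     * @param delegationToken the encoded token
     * @return the user the token belongs to
     * @throws HiveSQLException if no SASL server exists or the token cannot be decoded
     */
    public String getUserFromToken(String delegationToken) throws HiveSQLException {
        HadoopThriftAuthBridge.Server server = requireSaslServer();
        try {
            return server.getUserFromToken(delegationToken);
        } catch (IOException e) {
            throw new HiveSQLException("Error extracting user from delegation token " + delegationToken, e);
        }
    }

    /**
     * Checks that {@code realUser} may act on behalf of {@code proxyUser} from {@code ipAddress},
     * delegating the policy decision to the Hadoop shim. No check is made when the two names are
     * equal ignoring case.
     *
     * @param realUser the authenticated user
     * @param proxyUser the user being impersonated
     * @param ipAddress client address supplied to the authorization check
     * @param hiveConf configuration consulted by the authorization check
     * @throws HiveSQLException if the UGI cannot be built or the authorization check fails
     */
    public static void verifyProxyAccess(String realUser, String proxyUser, String ipAddress, HiveConf hiveConf)
            throws HiveSQLException {
        try {
            UserGroupInformation sessionUgi = ShimLoader.getHadoopShims().isSecurityEnabled()
                    ? ShimLoader.getHadoopShims().createProxyUser(realUser)
                    : ShimLoader.getHadoopShims().createRemoteUser(realUser, (List) null);
            if (!proxyUser.equalsIgnoreCase(realUser)) {
                ShimLoader.getHadoopShims().authorizeProxyAccess(proxyUser, sessionUgi, ipAddress, hiveConf);
            }
        } catch (IOException e) {
            throw new HiveSQLException("Failed to validate proxy privilage of " + realUser + " for " + proxyUser, e);
        }
    }
}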
