package org.apache.nifi.hadoop;

import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.commons.lang3.Validate;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.nifi.logging.ComponentLog;
import org.apache.nifi.security.krb.KerberosLoginException;
import org.apache.nifi.security.krb.KerberosUser;

/* loaded from: input_file:org/apache/nifi/hadoop/SecurityUtil.class */
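/**
 * Static helpers for obtaining and using Hadoop {@link UserGroupInformation} (UGI) identities,
 * through either Kerberos or Hadoop's simple authentication.
 *
 * <p>The login methods call static {@code UserGroupInformation} setters, which in Hadoop hold
 * process-wide state. They are {@code synchronized} on this class, which only serializes callers
 * that go through {@code SecurityUtil}; code that touches {@code UserGroupInformation} directly
 * is not covered by that lock.
 */
public class SecurityUtil {
    /** Hadoop configuration key that selects the authentication mechanism. */
    public static final String HADOOP_SECURITY_AUTHENTICATION = "hadoop.security.authentication";
    /** Value of {@link #HADOOP_SECURITY_AUTHENTICATION} that {@link #isSecurityEnabled} treats as secured. */
    public static final String KERBEROS = "kerberos";

    /**
     * Logs in from a keytab and returns the resulting current user.
     *
     * <p>Both string arguments are trimmed before being handed to
     * {@code UserGroupInformation.loginUserFromKeytab}. The keytab is a long-term credential, so the
     * file it names should be readable only by the account running this process.
     *
     * @param configuration Hadoop configuration installed via {@code UserGroupInformation.setConfiguration}
     * @param str the Kerberos principal (first argument of {@code loginUserFromKeytab})
     * @param str2 the keytab path (second argument of {@code loginUserFromKeytab})
     * @return the value of {@code UserGroupInformation.getCurrentUser()} after the login
     * @throws IOException if the Hadoop login or the current-user lookup fails
     * @throws NullPointerException if any argument is {@code null}
     */
    public static synchronized UserGroupInformation loginKerberos(Configuration configuration, String str, String str2) throws IOException {
        Validate.notNull(configuration);
        Validate.notNull(str);
        Validate.notNull(str2);
        UserGroupInformation.setConfiguration(configuration);
        UserGroupInformation.loginUserFromKeytab(str.trim(), str2.trim());
        return UserGroupInformation.getCurrentUser();
    }

    /**
     * Builds a UGI from the JAAS {@link Subject} of the given {@link KerberosUser} and installs it
     * as the Hadoop login user.
     *
     * <p>The user is logged in first if needed; an already logged-in user has its TGT checked and
     * renewed. The UGI is then created inside {@code kerberosUser.doAs} so that the access-control
     * context carries that user's subject.
     *
     * @param configuration Hadoop configuration installed via {@code UserGroupInformation.setConfiguration}
     * @param kerberosUser the user whose subject backs the returned UGI
     * @return the UGI created from the subject, also set as the login user
     * @throws IOException if login fails or the privileged action throws
     */
    public static synchronized UserGroupInformation getUgiForKerberosUser(Configuration configuration, KerberosUser kerberosUser) throws IOException {
        UserGroupInformation.setConfiguration(configuration);
        try {
            if (kerberosUser.isLoggedIn()) {
                kerberosUser.checkTGTAndRelogin();
            } else {
                kerberosUser.login();
            }
            // The explicit target type keeps the lambda bound to the exception-throwing form of doAs,
            // which is the form the PrivilegedActionException handler below expects.
            return kerberosUser.doAs((PrivilegedExceptionAction<UserGroupInformation>) () -> {
                Subject subject = Subject.getSubject(AccessController.getContext());
                // NOTE(review): this is a prefix match, so a subject principal whose name merely begins
                // with the configured string is accepted as well. If the configured principal always
                // carries its realm, compare the full name instead; otherwise require the prefix to
                // end at an '@' boundary.
                Set<KerberosPrincipal> matching = subject.getPrincipals(KerberosPrincipal.class).stream()
                        .filter(candidate -> candidate.getName().startsWith(kerberosUser.getPrincipal()))
                        .collect(Collectors.toSet());
                Validate.notEmpty(matching, "No Subject was found matching the given principal");
                UserGroupInformation ugi = UserGroupInformation.getUGIFromSubject(subject);
                // Static setter: every later UserGroupInformation.getLoginUser() in this JVM sees this user.
                UserGroupInformation.setLoginUser(ugi);
                return ugi;
            });
        } catch (PrivilegedActionException e) {
            throw new IOException("Unable to acquire UGI for KerberosUser: " + e.getException().getLocalizedMessage(), e.getException());
        } catch (KerberosLoginException e) {
            throw new IOException("Unable to acquire UGI for KerberosUser: " + e.getLocalizedMessage(), e);
        }
    }

    /**
     * Installs the configuration and returns Hadoop's login user without any Kerberos login.
     *
     * @param configuration Hadoop configuration installed via {@code UserGroupInformation.setConfiguration}
     * @return the value of {@code UserGroupInformation.getLoginUser()}
     * @throws IOException if the login user cannot be determined
     * @throws NullPointerException if {@code configuration} is {@code null}
     */
    public static synchronized UserGroupInformation loginSimple(Configuration configuration) throws IOException {
        Validate.notNull(configuration);
        UserGroupInformation.setConfiguration(configuration);
        return UserGroupInformation.getLoginUser();
    }

    /**
     * Reports whether the configuration selects Kerberos authentication.
     *
     * <p>Only the value {@code "kerberos"} (case-insensitive) yields {@code true}. A missing key or
     * any other value, a misspelling included, yields {@code false}, so callers that choose between
     * {@link #loginKerberos} and {@link #loginSimple} on this result fall back to simple
     * authentication in those cases.
     *
     * @param configuration the configuration to inspect
     * @return {@code true} if {@value #HADOOP_SECURITY_AUTHENTICATION} is set to Kerberos
     * @throws NullPointerException if {@code configuration} is {@code null}
     */
    public static boolean isSecurityEnabled(Configuration configuration) {
        Validate.notNull(configuration);
        return KERBEROS.equalsIgnoreCase(configuration.get(HADOOP_SECURITY_AUTHENTICATION));
    }

    /**
     * Runs the action as the given UGI, or directly on the calling thread when no UGI is supplied.
     *
     * <p>With a {@code null} UGI the action runs under whatever identity the caller already has;
     * no {@code doAs} boundary is applied. In that branch an {@link IOException} or
     * {@link RuntimeException} from the action propagates unchanged, and any other checked
     * exception is wrapped in a {@link RuntimeException}.
     *
     * @param userGroupInformation identity to run as, or {@code null} to run without {@code doAs}
     * @param privilegedExceptionAction the work to perform
     * @param <T> result type of the action
     * @return the action's result
     * @throws IOException if the action throws one, or if {@code doAs} is interrupted
     */
    public static <T> T callWithUgi(UserGroupInformation userGroupInformation, PrivilegedExceptionAction<T> privilegedExceptionAction) throws IOException {
        try {
            if (userGroupInformation == null) {
                try {
                    return privilegedExceptionAction.run();
                } catch (IOException | RuntimeException e) {
                    // IOException is part of this method's contract; it must be caught ahead of the
                    // generic handler, otherwise it would be wrapped in a RuntimeException.
                    throw e;
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            }
            return userGroupInformation.doAs(privilegedExceptionAction);
        } catch (InterruptedException e) {
            // Restore the interrupt status so the caller's thread can still observe the interruption.
            Thread.currentThread().interrupt();
            throw new IOException(e);
        }
    }

    /**
     * Checks the TGT of the given user and re-logs in through {@code KerberosUser.checkTGTAndRelogin},
     * logging at debug level. A {@code null} user is logged and skipped.
     *
     * @param componentLog logger for the debug messages
     * @param kerberosUser the user to refresh, or {@code null} to do nothing
     */
    public static void checkTGTAndRelogin(ComponentLog componentLog, KerberosUser kerberosUser) {
        if (kerberosUser == null) {
            componentLog.debug("kerberosUser was null, will not refresh TGT with KerberosUser");
            return;
        }
        // NOTE(review): the message embeds kerberosUser's toString(); confirm that it exposes nothing
        // beyond the principal name.
        componentLog.debug("checking TGT on kerberosUser {}", new Object[]{kerberosUser});
        kerberosUser.checkTGTAndRelogin();
    }
}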
