package com.facebook.presto.server.security;

import com.facebook.airlift.log.Logger;
import com.sun.security.auth.module.Krb5LoginModule;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Locale;
import java.util.Optional;
import javax.annotation.PreDestroy;
import javax.inject.Inject;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/facebook/presto/server/security/KerberosAuthenticator.class */
public class KerberosAuthenticator implements Authenticator {
    private static final Logger LOG = Logger.get(KerberosAuthenticator.class);
    private static final String NEGOTIATE_SCHEME = "Negotiate";
    private final GSSManager gssManager = GSSManager.getInstance();
    private final LoginContext loginContext;
    private final GSSCredential serverCredential;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/facebook/presto/server/security/KerberosAuthenticator$GssSupplier.class */
    public interface GssSupplier<T> {
        T get() throws GSSException;
    }

    @Inject
    public KerberosAuthenticator(final KerberosConfig kerberosConfig) {
        System.setProperty("java.security.krb5.conf", kerberosConfig.getKerberosConfig().getAbsolutePath());
        try {
            String lowerCase = ((String) Optional.ofNullable(kerberosConfig.getPrincipalHostname()).orElseGet(() -> {
                return getLocalHost().getCanonicalHostName();
            })).toLowerCase(Locale.US);
            final String str = kerberosConfig.getServiceName() + "/" + lowerCase;
            this.loginContext = new LoginContext("", (Subject) null, (CallbackHandler) null, new Configuration() { // from class: com.facebook.presto.server.security.KerberosAuthenticator.1
                public AppConfigurationEntry[] getAppConfigurationEntry(String str2) {
                    HashMap hashMap = new HashMap();
                    hashMap.put("refreshKrb5Config", "true");
                    hashMap.put("doNotPrompt", "true");
                    if (KerberosAuthenticator.LOG.isDebugEnabled()) {
                        hashMap.put("debug", "true");
                    }
                    if (kerberosConfig.getKeytab() != null) {
                        hashMap.put("keyTab", kerberosConfig.getKeytab().getAbsolutePath());
                    }
                    hashMap.put("isInitiator", "false");
                    hashMap.put("useKeyTab", "true");
                    hashMap.put("principal", str);
                    hashMap.put("storeKey", "true");
                    return new AppConfigurationEntry[]{new AppConfigurationEntry(Krb5LoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, hashMap)};
                }
            });
            this.loginContext.login();
            this.serverCredential = (GSSCredential) doAs(this.loginContext.getSubject(), () -> {
                return this.gssManager.createCredential(this.gssManager.createName(kerberosConfig.getServiceName() + "@" + lowerCase, GSSName.NT_HOSTBASED_SERVICE), Integer.MAX_VALUE, new Oid[]{new Oid("1.2.840.113554.1.2.2"), new Oid("1.3.6.1.5.5.2")}, 2);
            });
        } catch (LoginException e) {
            throw new RuntimeException(e);
        }
    }

    @PreDestroy
    public void shutdown() {
        try {
            this.loginContext.logout();
        } catch (LoginException e) {
            throw new RuntimeException(e);
        }
    }

    @Override // com.facebook.presto.server.security.Authenticator
    public Principal authenticate(HttpServletRequest httpServletRequest) throws AuthenticationException {
        String header = httpServletRequest.getHeader("Authorization");
        String str = null;
        if (header != null) {
            String[] split = header.split("\\s+");
            if (split.length == 2 && split[0].equals(NEGOTIATE_SCHEME)) {
                try {
                    str = split[1];
                    Optional<Principal> authenticate = authenticate(split[1]);
                    if (authenticate.isPresent()) {
                        return authenticate.get();
                    }
                } catch (RuntimeException e) {
                    throw new RuntimeException("Authentication error for token: " + split[1], e);
                }
            }
        }
        if (str != null) {
            throw new AuthenticationException("Authentication failed for token: " + str, NEGOTIATE_SCHEME);
        }
        throw new AuthenticationException(null, NEGOTIATE_SCHEME);
    }

    private Optional<Principal> authenticate(String str) {
        GSSContext gSSContext = (GSSContext) doAs(this.loginContext.getSubject(), () -> {
            return this.gssManager.createContext(this.serverCredential);
        });
        try {
            try {
                byte[] decode = Base64.getDecoder().decode(str);
                gSSContext.acceptSecContext(decode, 0, decode.length);
            } catch (Throwable th) {
                try {
                    gSSContext.dispose();
                } catch (GSSException e) {
                }
                throw th;
            }
        } catch (GSSException e2) {
            LOG.debug(e2, "Authentication failed for token %s", new Object[]{str});
            try {
                gSSContext.dispose();
            } catch (GSSException e3) {
            }
        }
        if (gSSContext.isEstablished()) {
            Optional<Principal> of = Optional.of(new KerberosPrincipal(gSSContext.getSrcName().toString()));
            try {
                gSSContext.dispose();
            } catch (GSSException e4) {
            }
            return of;
        }
        LOG.debug("Failed to establish GSS context for token %s", new Object[]{str});
        try {
            gSSContext.dispose();
        } catch (GSSException e5) {
        }
        return Optional.empty();
    }

    private static <T> T doAs(Subject subject, GssSupplier<T> gssSupplier) {
        return (T) Subject.doAs(subject, () -> {
            try {
                return gssSupplier.get();
            } catch (GSSException e) {
                throw new RuntimeException((Throwable) e);
            }
        });
    }

    private static InetAddress getLocalHost() {
        try {
            return InetAddress.getLocalHost();
        } catch (UnknownHostException e) {
            throw new RuntimeException(e);
        }
    }
}
