package _ss_com.streamsets.datacollector.security;

import _ss_com.com.google.common.annotations.VisibleForTesting;
import _ss_com.com.google.common.base.Joiner;
import _ss_com.streamsets.datacollector.main.RuntimeInfo;
import _ss_com.streamsets.pipeline.lib.util.SdcRecordConstants;
import com.streamsets.pipeline.api.impl.Utils;
import java.io.File;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:_ss_com/streamsets/datacollector/security/SecurityContext.class */
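/**
 * Holds the JAAS {@link Subject} for this process.
 *
 * <p>When Kerberos is enabled in the {@link SecurityConfiguration}, {@link #login()} authenticates
 * from a keytab and starts a daemon thread that logs in again before the newest TGT expires.
 * When Kerberos is disabled, an empty {@link Subject} is used instead.
 *
 * <p>Thread-safety: the login, relogin and logout paths and {@link #getSubject()} are
 * {@code synchronized} on this instance; {@code subject} is additionally {@code volatile}.
 *
 * <p>NOTE(review): {@link #logout()} does not interrupt the renewal thread and never clears
 * {@code renewalThread}. After a logout the thread appears to stop on its next wake-up (it
 * dereferences a null subject), and a later {@link #login()} will not start a new one because the
 * field is still non-null. Confirm whether login-after-logout is a supported sequence.
 */
public class SecurityContext {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityContext.class);
    private static final long THIRTY_SECONDS_MS = TimeUnit.SECONDS.toMillis(30);
    private final SecurityConfiguration securityConfiguration;
    private LoginContext loginContext;
    private volatile Subject subject;
    private Thread renewalThread;
    // Fraction of the ticket lifetime after which renewal is attempted; fixed per instance.
    private double renewalWindow = computeRenewalWindow();

    /**
     * JAAS configuration that yields a single REQUIRED Kerberos login-module entry driven by a
     * keytab, so no interactive prompt is needed.
     *
     * <p>The decompiler reports that the access modifier of this class was widened from private.
     */
    public static class KeytabKerberosConfiguration extends Configuration {
        private final String principal;
        private final String keytab;
        private final boolean isInitiator;

        /**
         * @param principal Kerberos principal name to authenticate as
         * @param keytab keytab file; stored as its absolute path
         * @param isInitiator value passed through as the login module's {@code isInitiator} option
         */
        public KeytabKerberosConfiguration(String principal, File keytab, boolean isInitiator) {
            this.principal = principal;
            this.keytab = keytab.getAbsolutePath();
            this.isInitiator = isInitiator;
        }

        /**
         * Builds the login-module options. The {@code name} argument is ignored: the same entry is
         * returned for every application name.
         *
         * @return a one-element array holding the Krb5 login-module entry
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            HashMap<String, String> options = new HashMap<String, String>();
            options.put("keyTab", this.keytab);
            options.put("principal", this.principal);
            options.put("useKeyTab", SdcRecordConstants.TRUE);
            // storeKey keeps the principal's key material in the Subject's private credentials,
            // so anything that can reach the Subject can reach the key.
            options.put("storeKey", SdcRecordConstants.TRUE);
            options.put("doNotPrompt", SdcRecordConstants.TRUE);
            options.put("refreshKrb5Config", SdcRecordConstants.TRUE);
            options.put("isInitiator", Boolean.toString(this.isInitiator));
            // NOTE(review): when -Dsun.security.krb5.debug is not set, the fallback is
            // SdcRecordConstants.TRUE (defined elsewhere, presumably "true"), i.e. login-module
            // debug output is ON by default. That output typically names the principal and keytab
            // in use; confirm this default is wanted outside troubleshooting, or set the property
            // to false explicitly in production launch scripts.
            options.put("debug", System.getProperty("sun.security.krb5.debug", SdcRecordConstants.TRUE));
            AppConfigurationEntry entry = new AppConfigurationEntry(
                    getJvmKrb5LoginModuleName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    options);
            return new AppConfigurationEntry[]{entry};
        }
    }

    /**
     * Creates the context; no login is attempted until {@link #login()} is called.
     *
     * @param runtimeInfo passed to {@link SecurityConfiguration}
     * @param configuration passed to {@link SecurityConfiguration}
     */
    public SecurityContext(RuntimeInfo runtimeInfo, _ss_com.streamsets.datacollector.util.Configuration configuration) {
        this.securityConfiguration = new SecurityConfiguration(runtimeInfo, configuration);
    }

    /**
     * Picks a random renewal fraction between 0.50 and 0.69 inclusive.
     *
     * <p>{@link Random} is used only to spread renewal times; the value is not a secret.
     */
    @VisibleForTesting
    double computeRenewalWindow() {
        int jitterPercent = new Random().nextInt(20);
        return (50.0d + jitterPercent) / 100.0d;
    }

    /** Returns the renewal fraction chosen when this instance was created. */
    @VisibleForTesting
    double getRenewalWindow() {
        return this.renewalWindow;
    }

    /**
     * Returns the instant (epoch millis) at which renewal should happen: {@code start} plus the
     * renewal fraction of the {@code start}..{@code end} interval.
     *
     * @param start ticket start time in epoch millis
     * @param end ticket end time in epoch millis
     */
    @VisibleForTesting
    long getRenewalTime(long start, long end) {
        long lifetime = end - start;
        return start + ((long) (getRenewalWindow() * lifetime));
    }

    /** Returns the security configuration built in the constructor. */
    public SecurityConfiguration getSecurityConfiguration() {
        return this.securityConfiguration;
    }

    /** Returns the current wall-clock time in epoch millis. */
    @VisibleForTesting
    long getTimeNow() {
        return System.currentTimeMillis();
    }

    /**
     * Finds the ticket-granting ticket with the latest end time among the subject's private
     * credentials.
     *
     * <p>A ticket counts as a TGT when its server name equals {@code krbtgt/REALM@REALM} for the
     * server principal's own realm.
     *
     * @return the newest TGT, or {@code null} when the subject holds none
     */
    @VisibleForTesting
    KerberosTicket getNewestTGT() {
        KerberosTicket newest = null;
        for (KerberosTicket candidate : getSubject().getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = candidate.getServer();
            String tgtName = Utils.format("krbtgt/{}@{}", new Object[]{server.getRealm(), server.getRealm()});
            if (!tgtName.equals(server.getName())) {
                continue;
            }
            // Only ticket metadata (server name and times) is logged, never the ticket itself.
            if (LOG.isTraceEnabled()) {
                LOG.trace("Found ticket: \nTicket Server: " + candidate.getServer().getName() + "\nAuth Time: " + candidate.getAuthTime() + "\nExpiry Time: " + candidate.getEndTime());
            } else {
                LOG.debug("Found Kerberos ticket '{}'", candidate.getServer().getName());
            }
            if (newest == null || candidate.getEndTime().after(newest.getEndTime())) {
                newest = candidate;
            }
        }
        return newest;
    }

    /**
     * Returns how many milliseconds remain until the given ticket should be renewed, never less
     * than 1.
     *
     * <p>The decompiler reports that this method's access modifier was widened from private.
     *
     * @param kerberosTicket ticket whose start and end times define the renewal point
     */
    public synchronized long calculateRenewalTime(KerberosTicket kerberosTicket) {
        long startMs = kerberosTicket.getStartTime().getTime();
        long endMs = kerberosTicket.getEndTime().getTime();
        long renewalTime = getRenewalTime(startMs, endMs);
        // Guard on the level that is actually logged, so the arguments are not built for nothing
        // when only DEBUG is enabled.
        if (LOG.isTraceEnabled()) {
            LOG.trace("Ticket: {}, numPrivateCredentials: {}, ticketStartTime: {}, ticketEndTime: {}, now: {}, renewalTime: {}", new Object[]{Integer.valueOf(System.identityHashCode(kerberosTicket)), Integer.valueOf(getSubject().getPrivateCredentials(KerberosTicket.class).size()), new Date(startMs), new Date(endMs), new Date(), new Date(renewalTime)});
        }
        return Math.max(1L, renewalTime - System.currentTimeMillis());
    }

    /**
     * Performs a fresh keytab login into the existing subject and replaces the login context.
     *
     * <p>The decompiler reports that this method's access modifier was widened from private.
     *
     * @throws RuntimeException wrapping any failure to obtain Kerberos credentials
     */
    public synchronized void relogin() {
        LOG.info("Attempting re-login");
        try {
            this.loginContext = createLoginContext();
        } catch (Exception e) {
            throw new RuntimeException(Utils.format("Could not get Kerberos credentials: {}", new Object[]{e.toString()}), e);
        }
    }

    /**
     * Sleeps for the given number of milliseconds.
     *
     * @return {@code true} if the full sleep elapsed, {@code false} if the thread was interrupted
     */
    @VisibleForTesting
    boolean sleep(long millis) {
        try {
            Thread.sleep(millis);
        } catch (InterruptedException e) {
            return false;
        }
        return true;
    }

    /**
     * Establishes the subject. With Kerberos enabled this logs in from the keytab and, on the
     * first call, starts the daemon renewal thread; otherwise an empty subject is created.
     *
     * @throws IllegalStateException if a subject is already present
     * @throws RuntimeException wrapping any failure to obtain Kerberos credentials
     */
    public synchronized void login() {
        if (this.subject != null) {
            throw new IllegalStateException(Utils.format("Service already login, Principal '{}'", new Object[]{this.subject.getPrincipals()}));
        }
        if (!this.securityConfiguration.isKerberosEnabled()) {
            this.subject = new Subject();
        } else {
            try {
                this.loginContext = createLoginContext();
                this.subject = this.loginContext.getSubject();
                if (this.renewalThread == null) {
                    this.renewalThread = new Thread() {
                        @Override
                        public void run() {
                            runRenewalLoop();
                        }
                    };
                    ArrayList<String> principalNames = new ArrayList<String>();
                    for (Principal p : this.subject.getPrincipals()) {
                        principalNames.add(p.getName());
                    }
                    this.renewalThread.setName("Kerberos-Renewal-Thread-" + Joiner.on(",").join(principalNames));
                    this.renewalThread.setContextClassLoader(Thread.currentThread().getContextClassLoader());
                    this.renewalThread.setDaemon(true);
                    this.renewalThread.start();
                }
            } catch (Exception e) {
                throw new RuntimeException(Utils.format("Could not get Kerberos credentials: {}", new Object[]{e.toString()}), e);
            }
        }
        LOG.debug("Login. Kerberos enabled '{}', Principal '{}'", Boolean.valueOf(this.securityConfiguration.isKerberosEnabled()), this.subject.getPrincipals());
    }

    /**
     * Body of the renewal thread: waits until shortly before the newest TGT's renewal point, logs
     * in again, then drops the tickets that were held before the relogin.
     *
     * <p>The loop ends when a sleep is interrupted or when anything is thrown. In the latter case
     * nothing restarts it, so credentials are no longer refreshed; the ERROR log line is the only
     * signal and is worth alerting on.
     */
    private void runRenewalLoop() {
        LOG.debug("Starting renewal thread");
        if (!sleep(THIRTY_SECONDS_MS)) {
            LOG.info("Interrupted, exiting renewal thread");
            return;
        }
        while (true) {
            LOG.trace("Renewal check starts");
            try {
                KerberosTicket newestTgt = getNewestTGT();
                if (newestTgt == null) {
                    LOG.warn("Could not obtain kerberos ticket, it may have expired already or it was logged out, will wait30 secs to attempt a relogin");
                    LOG.trace("Ticket not found, sleeping 30 secs and trying to login");
                    if (!sleep(THIRTY_SECONDS_MS)) {
                        LOG.info("Interrupted, exiting renewal thread");
                        return;
                    }
                } else {
                    // Wake up 30 seconds ahead of the computed renewal point. When the result is
                    // not positive the relogin happens immediately, without sleeping.
                    long waitMs = calculateRenewalTime(newestTgt) - THIRTY_SECONDS_MS;
                    LOG.trace("Ticket found time to renewal '{}ms', sleeping that time", Long.valueOf(waitMs));
                    if (waitMs > 0 && !sleep(waitMs)) {
                        LOG.info("Interrupted, exiting renewal thread");
                        return;
                    }
                }
                LOG.debug("Triggering relogin");
                // Snapshot the tickets held before the relogin so that only those are removed
                // afterwards and the newly issued ones stay in the subject.
                Set<KerberosTicket> previousTickets = getSubject().getPrivateCredentials(KerberosTicket.class);
                relogin();
                getSubject().getPrivateCredentials().removeAll(previousTickets);
            } catch (Exception e) {
                LOG.error("Stopping renewal thread because of exception: " + e, e);
                return;
            } catch (Throwable th) {
                LOG.error("Error in renewal thread: " + th, th);
                return;
            }
        }
    }

    /**
     * Logs out of the current login context, if any, and clears the subject. Does nothing when no
     * subject is present.
     *
     * <p>A {@link LoginException} during logout is logged and otherwise ignored; the login context
     * reference and the subject are cleared either way.
     */
    public synchronized void logout() {
        if (this.subject == null) {
            return;
        }
        LOG.debug("Logout. Kerberos enabled '{}', Principal '{}'", Boolean.valueOf(this.securityConfiguration.isKerberosEnabled()), this.subject.getPrincipals());
        if (this.loginContext != null) {
            // The login context must be logged out BEFORE the reference is dropped; otherwise the
            // logout call is skipped and the login module never gets to clean up the subject.
            try {
                this.loginContext.logout();
            } catch (LoginException e) {
                LOG.warn("Error while doing logout from Kerberos: {}", e.toString(), e);
            } finally {
                this.loginContext = null;
            }
        }
        this.subject = null;
    }

    /**
     * Returns the live subject, or {@code null} before login and after logout.
     *
     * <p>The returned object is the instance this class logs into, not a copy, so callers share
     * its private credentials.
     */
    public synchronized Subject getSubject() {
        return this.subject;
    }

    /**
     * Logs in from the configured keytab and returns the resulting login context. When no subject
     * exists yet, one is created carrying the configured Kerberos principal.
     *
     * <p>NOTE(review): the subject field is assigned before {@code login()} is attempted. If that
     * first login fails the field stays set, so a retry of {@link #login()} would hit its
     * "already login" check. Confirm whether callers retry.
     *
     * @throws Exception if the JAAS login fails
     */
    private LoginContext createLoginContext() throws Exception {
        String principalName = this.securityConfiguration.getKerberosPrincipal();
        if (this.subject == null) {
            HashSet<Principal> principals = new HashSet<Principal>();
            principals.add(new KerberosPrincipal(principalName));
            this.subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
        }
        File keytabFile = new File(this.securityConfiguration.getKerberosKeytab());
        KeytabKerberosConfiguration jaasConfig = new KeytabKerberosConfiguration(principalName, keytabFile, true);
        LoginContext context = new LoginContext("", this.subject, (CallbackHandler) null, jaasConfig);
        context.login();
        LOG.info("Login, principal '{}'", principalName);
        return context;
    }

    /** Returns the Krb5 login-module class name for the running JVM: IBM's when the vendor string contains "IBM", otherwise Sun's. */
    private static String getJvmKrb5LoginModuleName() {
        boolean ibmJvm = System.getProperty("java.vendor").contains("IBM");
        return ibmJvm ? "com.ibm.security.auth.module.Krb5LoginModule" : "com.sun.security.auth.module.Krb5LoginModule";
    }

    // Compiler-generated accessor surfaced by the decompiler; kept so the class shape is unchanged.
    static /* synthetic */ String access$400() {
        return getJvmKrb5LoginModuleName();
    }
}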
