package org.apache.nifi.atlas.security;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Properties;
import org.apache.atlas.AtlasClientV2;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.nifi.atlas.reporting.ReportLineageToAtlas;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.kerberos.KerberosCredentialsService;

/* loaded from: input_file:org/apache/nifi/atlas/security/Kerberos.class */
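/**
 * Keytab-based Kerberos implementation of {@link AtlasAuthN}.
 *
 * <p>The principal and keytab come either from the explicit reporting-task properties or from a
 * {@link KerberosCredentialsService}; {@link #validate(ValidationContext)} rejects configurations
 * that set both sources. {@link #createClient(String[])} logs in from the keytab through static
 * {@link UserGroupInformation} calls.
 */
public class Kerberos implements AtlasAuthN {
    /**
     * Environment variable read by {@link #validate(ValidationContext)}. Only the value
     * {@code "false"} (case-insensitive) forbids the explicit principal/keytab properties;
     * when the variable is unset or holds any other value, explicit credentials stay allowed.
     */
    private static final String ALLOW_EXPLICIT_KEYTAB = "NIFI_ALLOW_EXPLICIT_KEYTAB";

    /** Subject attached to every validation result produced by this class. */
    private static final String VALIDATION_SUBJECT = "Kerberos Credentials";

    // Resolved by configure(); read by createClient().
    private String principal;
    private String keytab;

    /**
     * Checks the Kerberos credential configuration.
     *
     * <p>Three independent checks run, in this order:
     * <ol>
     *   <li>a principal and a keytab must both resolve, from the credentials service when one is
     *       set, otherwise from the explicit properties. This check is skipped while a referenced
     *       credentials service is not enabled;</li>
     *   <li>a credentials service may not be combined with an explicit principal or keytab;</li>
     *   <li>explicit principal/keytab properties are rejected when the
     *       {@code NIFI_ALLOW_EXPLICIT_KEYTAB} environment variable is {@code "false"}.</li>
     * </ol>
     *
     * @param validationContext source of the property values and the controller service lookup
     * @return the failed checks; empty when the configuration is acceptable
     */
    @Override
    public Collection<ValidationResult> validate(ValidationContext validationContext) {
        // Typed collection instead of a raw ArrayList, so the return needs no unchecked conversion.
        final Collection<ValidationResult> problems = new ArrayList<>();

        final String explicitPrincipal = validationContext.getProperty(ReportLineageToAtlas.KERBEROS_PRINCIPAL).evaluateAttributeExpressions().getValue();
        final String explicitKeytab = validationContext.getProperty(ReportLineageToAtlas.KERBEROS_KEYTAB).evaluateAttributeExpressions().getValue();
        final KerberosCredentialsService credentialsService = validationContext.getProperty(ReportLineageToAtlas.KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);
        final boolean explicitCredentialsSet = explicitPrincipal != null || explicitKeytab != null;

        // A referenced but not enabled service is not queried, so completeness cannot be judged.
        if (credentialsService == null || validationContext.getControllerServiceLookup().isControllerServiceEnabled(credentialsService)) {
            final String resolvedPrincipal;
            final String resolvedKeytab;
            if (credentialsService != null) {
                resolvedPrincipal = credentialsService.getPrincipal();
                resolvedKeytab = credentialsService.getKeytab();
            } else {
                resolvedPrincipal = explicitPrincipal;
                resolvedKeytab = explicitKeytab;
            }
            if (resolvedPrincipal == null || resolvedKeytab == null) {
                problems.add(invalid("Both the Principal and the Keytab must be specified when using Kerberos authentication, either via the explicit properties or the Kerberos Credentials Service."));
            }
        }

        if (credentialsService != null && explicitCredentialsSet) {
            problems.add(invalid("Cannot specify both a Kerberos Credentials Service and a principal/keytab"));
        }

        // Opt-in restriction: only the literal "false" disables explicit credentials.
        if ("false".equalsIgnoreCase(System.getenv(ALLOW_EXPLICIT_KEYTAB)) && explicitCredentialsSet) {
            problems.add(invalid("The 'NIFI_ALLOW_EXPLICIT_KEYTAB' system environment variable is configured to forbid explicitly configuring principal/keytab in processors. The Kerberos Credentials Service should be used instead of setting the Kerberos Keytab or Kerberos Principal property."));
        }
        return problems;
    }

    /** Builds a failed validation result for the Kerberos credentials subject. */
    private static ValidationResult invalid(String explanation) {
        return new ValidationResult.Builder().subject(VALIDATION_SUBJECT).valid(false).explanation(explanation).build();
    }

    /**
     * Marks Kerberos as the authentication method in the Atlas client properties.
     *
     * @param properties properties that receive {@code atlas.authentication.method.kerberos=true}
     */
    @Override
    public void populateProperties(Properties properties) {
        properties.put("atlas.authentication.method.kerberos", "true");
    }

    /**
     * Resolves the principal and keytab that {@link #createClient(String[])} will log in with.
     * When a credentials service is configured its values are used and the explicit properties
     * are ignored.
     *
     * @param propertyContext source of the property values
     */
    @Override
    public void configure(PropertyContext propertyContext) {
        final String explicitPrincipal = propertyContext.getProperty(ReportLineageToAtlas.KERBEROS_PRINCIPAL).evaluateAttributeExpressions().getValue();
        final String explicitKeytab = propertyContext.getProperty(ReportLineageToAtlas.KERBEROS_KEYTAB).evaluateAttributeExpressions().getValue();
        final KerberosCredentialsService credentialsService = propertyContext.getProperty(ReportLineageToAtlas.KERBEROS_CREDENTIALS_SERVICE).asControllerService(KerberosCredentialsService.class);

        if (credentialsService != null) {
            this.principal = credentialsService.getPrincipal();
            this.keytab = credentialsService.getKeytab();
        } else {
            this.principal = explicitPrincipal;
            this.keytab = explicitKeytab;
        }
    }

    /**
     * Logs in from the configured keytab and creates an Atlas client for the logged-in user.
     *
     * <p>NOTE(review): the login goes through static {@link UserGroupInformation} methods, so the
     * configuration and login user set here are presumably shared by every other user of that
     * class in the same class loader. Confirm that no other component depends on a different
     * login.
     *
     * @param strArr passed unchanged as the third {@code AtlasClientV2} constructor argument
     *     (presumably the Atlas base URLs; the second argument is passed as {@code null})
     * @return a client bound to the current Hadoop user after the keytab login
     * @throws IllegalStateException if no principal or keytab has been configured
     * @throws RuntimeException if the keytab login or the current-user lookup fails
     */
    @Override
    public AtlasClientV2 createClient(String[] strArr) {
        // validate() rejects a missing principal or keytab, but nothing in this class forces
        // validate()/configure() to run first. Fail before touching the static Hadoop login
        // state instead of handing null credentials to the login call.
        if (this.principal == null || this.keytab == null) {
            throw new IllegalStateException("Kerberos principal and keytab must be configured before creating the Atlas client");
        }

        final Configuration hadoopConf = new Configuration();
        hadoopConf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(hadoopConf);
        try {
            UserGroupInformation.loginUserFromKeytab(this.principal, this.keytab);
            return new AtlasClientV2(UserGroupInformation.getCurrentUser(), (String) null, strArr);
        } catch (IOException e) {
            // Keep the cause attached so the underlying login failure stays diagnosable.
            throw new RuntimeException("Failed to login with Kerberos due to: " + e, e);
        }
    }
}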
