package org.apache.ranger.authorization.credutils;

import java.math.BigDecimal;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.KerberosCredentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.ranger.authorization.credutils.kerberos.KerberosCredentialsProvider;
import org.apache.ranger.authorization.credutils.kerberos.KeytabJaasConf;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/authorization/credutils/CredentialsProviderUtil.class */
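/**
 * Static helpers that build Apache HttpClient credential providers (SPNEGO/Kerberos from a
 * keytab, or username/password) and that track how close a Kerberos TGT is to expiry.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Both providers register their credentials for <em>any</em> host, port and realm. The
 *       HTTP client they are attached to should therefore only be pointed at the intended
 *       endpoint(s), and only over TLS.</li>
 *   <li>{@link AccessController} and {@link Subject#doAsPrivileged} are deprecated for removal
 *       from Java 17 on; this class will need rework before moving to a JDK that drops them.</li>
 * </ul>
 */
public class CredentialsProviderUtil {
    private static final Logger logger = LoggerFactory.getLogger(CredentialsProviderUtil.class);

    /** SPNEGO mechanism OID, used when acquiring the GSS credential. */
    private static final Oid SPNEGO_OID = getSpnegoOid();

    /** JAAS application name handed to {@link LoginContext}; entries come from the KeytabJaasConf passed alongside it. */
    private static final String CRED_CONF_NAME = "ESClientLoginConf";

    /**
     * Cached renewal threshold in epoch milliseconds; {@code 0} means "not computed yet".
     * Written by {@link #ticketWillExpire(KerberosTicket)} under the class lock. It stays public
     * for compatibility; {@code volatile} keeps unsynchronized external readers from seeing a
     * stale value.
     */
    public static volatile long ticketExpireTime80;

    private CredentialsProviderUtil() {
    }

    /**
     * Logs in from a keytab and returns a provider holding an initiate-only SPNEGO credential.
     *
     * @param str  Kerberos principal name; used both for the JAAS login and as the GSS user name
     * @param str2 second argument of {@code KeytabJaasConf} (presumably the keytab path; confirm
     *             against that class)
     * @return a provider answering "Negotiate" challenges from any host, port and realm
     * @throws RuntimeException wrapping the {@link PrivilegedActionException} or
     *                          {@link GSSException} that made login or credential creation fail
     */
    public static KerberosCredentialsProvider getKerberosCredentials(String str, String str2) {
        KerberosCredentialsProvider kerberosCredentialsProvider = new KerberosCredentialsProvider();
        GSSManager gSSManager = GSSManager.getInstance();
        try {
            GSSName createName = gSSManager.createName(str, GSSName.NT_USER_NAME);
            Subject subject = login(str, str2);
            // Named constants instead of the bare 0 / 1 the decompiler left behind:
            // default lifetime, and a credential that can only initiate contexts.
            PrivilegedExceptionAction<GSSCredential> acquire = () -> gSSManager.createCredential(
                    createName, GSSCredential.DEFAULT_LIFETIME, SPNEGO_OID, GSSCredential.INITIATE_ONLY);
            GSSCredential credential = doAsPrivilegedWrapper(subject, acquire, AccessController.getContext());
            // NOTE(security): the scope is not bound to a host or port, so this credential is
            // offered to whichever server sends a Negotiate challenge. Keep the client that
            // uses this provider restricted to the intended service.
            kerberosCredentialsProvider.setCredentials(
                    new AuthScope(AuthScope.ANY_HOST, AuthScope.ANY_PORT, AuthScope.ANY_REALM, "Negotiate"),
                    new KerberosCredentials(credential));
            return kerberosCredentialsProvider;
        } catch (PrivilegedActionException e) {
            logger.error("PrivilegedActionException:", e);
            throw new RuntimeException(e);
        } catch (GSSException e2) {
            logger.error("GSSException:", e2);
            throw new RuntimeException(e2);
        }
    }

    /**
     * Finds the ticket-granting ticket among the subject's private credentials.
     *
     * @param subject an authenticated subject; must not be {@code null}
     * @return the first ticket whose server principal is {@code krbtgt/REALM@REALM},
     *         or {@code null} when the subject holds none
     */
    public static synchronized KerberosTicket getTGT(Subject subject) {
        for (KerberosTicket kerberosTicket : subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = kerberosTicket.getServer();
            String realm = server.getRealm();
            if (server.getName().equals("krbtgt/" + realm + "@" + realm)) {
                logger.debug("Client principal is \"{}\".", kerberosTicket.getClient().getName());
                logger.debug("Server principal is \"{}\".", kerberosTicket.getServer().getName());
                return kerberosTicket;
            }
        }
        return null;
    }

    /**
     * Reports whether the ticket has passed its renewal threshold.
     *
     * <p>On the first call after a reset the threshold is fixed at the ticket's end time minus
     * 20% of the lifetime still remaining at that moment. Later calls compare the clock with
     * that cached value. Once the threshold is passed the cache is cleared, so the next call
     * recomputes it from whatever ticket it is given.
     *
     * <p>The method is synchronized, like {@link #getTGT(Subject)} and
     * {@link #login(String, String)}, because it performs a check-then-write on the shared
     * static {@link #ticketExpireTime80}. The threshold is computed with
     * {@link Math#round(double)}, which yields a {@code long}. The earlier float round-trip
     * limited the 20% margin to {@code int} range and float precision.
     *
     * @param kerberosTicket the ticket to inspect; must not be {@code null} and must still have
     *                       an end time (a destroyed ticket does not)
     * @return {@code true} once the current time is past the threshold, {@code false} before
     */
    public static synchronized Boolean ticketWillExpire(KerberosTicket kerberosTicket) {
        long endMillis = kerberosTicket.getEndTime().getTime();
        long nowMillis = new Date().getTime();
        logger.debug("TicketExpireTime is:{}", endMillis);
        logger.debug("currrentTime is:{}", nowMillis);
        if (ticketExpireTime80 == 0) {
            ticketExpireTime80 = endMillis - Math.round((endMillis - nowMillis) * 0.2d);
        }
        logger.debug("ticketExpireTime80 is:{}", ticketExpireTime80);
        if (nowMillis <= ticketExpireTime80) {
            return Boolean.FALSE;
        }
        logger.debug("Current time is more than 80% of Ticket Expire Time!!");
        ticketExpireTime80 = 0L;
        return Boolean.TRUE;
    }

    /**
     * Performs a JAAS login for the given principal inside a privileged block.
     *
     * @param str  Kerberos principal name placed in the new {@link Subject}
     * @param str2 second argument of {@code KeytabJaasConf} (presumably the keytab path; confirm
     *             against that class)
     * @return the subject populated by the login modules
     * @throws PrivilegedActionException wrapping the checked exception raised by the login
     */
    public static synchronized Subject login(String str, String str2) throws PrivilegedActionException {
        // The explicit target type selects the PrivilegedExceptionAction overload of
        // doPrivileged; a bare lambda is ambiguous between the two overloads.
        PrivilegedExceptionAction<Subject> action = () -> {
            Subject subject = new Subject(false, Collections.singleton(new KerberosPrincipal(str)),
                    Collections.emptySet(), Collections.emptySet());
            // No callback handler is supplied, so the login cannot prompt for secrets.
            // The meaning of the trailing 'false' is defined by KeytabJaasConf (not visible here).
            LoginContext loginContext = new LoginContext(CRED_CONF_NAME, subject, (CallbackHandler) null,
                    new KeytabJaasConf(str, str2, false));
            loginContext.login();
            return loginContext.getSubject();
        };
        return AccessController.doPrivileged(action);
    }

    /**
     * Builds a provider that answers every authentication challenge with one username/password.
     *
     * <p>NOTE(security): {@link AuthScope#ANY} matches any host, port, realm and scheme, so the
     * password is offered to whichever server challenges the client. For schemes such as Basic
     * it travels in recoverable form. Use the resulting client only against the intended
     * endpoint and only over TLS.
     *
     * @param str  user name
     * @param str2 password
     * @return a provider holding the credentials under {@code AuthScope.ANY}
     */
    public static CredentialsProvider getBasicCredentials(String str, String str2) {
        BasicCredentialsProvider basicCredentialsProvider = new BasicCredentialsProvider();
        basicCredentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(str, str2));
        return basicCredentialsProvider;
    }

    /**
     * Runs {@code privilegedExceptionAction} as {@code subject} with this class's own
     * privileges asserted.
     *
     * <p>The call nests {@code Subject.doAsPrivileged} inside {@code doPrivileged}, so a failure
     * of the action arrives wrapped twice. The inner {@link PrivilegedActionException} is
     * rethrown so that callers see a single layer of wrapping.
     *
     * @param subject                   subject to run as
     * @param privilegedExceptionAction work to perform
     * @param accessControlContext      context passed to {@code Subject.doAsPrivileged}
     * @param <T>                       result type of the action
     * @return the action's result
     * @throws PrivilegedActionException wrapping the checked exception thrown by the action
     */
    static <T> T doAsPrivilegedWrapper(Subject subject, PrivilegedExceptionAction<T> privilegedExceptionAction, AccessControlContext accessControlContext) throws PrivilegedActionException {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () ->
                    Subject.doAsPrivileged(subject, privilegedExceptionAction, accessControlContext));
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof PrivilegedActionException) {
                throw (PrivilegedActionException) e.getCause();
            }
            throw e;
        }
    }

    /**
     * Creates the SPNEGO mechanism OID once for the class.
     *
     * @return the OID {@code 1.3.6.1.5.5.2}
     * @throws RuntimeException if the literal cannot be parsed as an OID
     */
    private static Oid getSpnegoOid() {
        try {
            return new Oid("1.3.6.1.5.5.2");
        } catch (GSSException e) {
            throw new RuntimeException(e);
        }
    }
}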
