package org.apache.ranger.raz.intg.token;

import com.cloudera.client.api.TokenProvider;
import com.cloudera.client.api.TokenProviderFactory;
import java.io.IOException;
import java.util.Objects;
import java.util.Optional;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/ranger/raz/intg/token/JwTokenRetrieverKnox.class */
public class JwTokenRetrieverKnox implements TokenRetriever<String> {
    private static final Logger LOG = LoggerFactory.getLogger(JwTokenRetrieverKnox.class);
    private static final String CONF_KNOX_GATEWAY = "knox.jwt.client.gateway.address";
    private static final String STR_REQUIRED_CONF_KNOX_GATEWAY_MISSING = "Required config 'knox.jwt.client.gateway.address' missing. This config is mandatory to initialize JwTokenRetrieverKnox.";
    private final TokenProvider tokenProvider;

    public JwTokenRetrieverKnox(Configuration configuration) {
        Objects.requireNonNull(configuration.get(CONF_KNOX_GATEWAY), STR_REQUIRED_CONF_KNOX_GATEWAY_MISSING);
        this.tokenProvider = TokenProviderFactory.getTokenProvider(configuration);
    }

    @Override // org.apache.ranger.raz.intg.token.TokenRetriever
    public Optional<String> retrieve() {
        if (LOG.isDebugEnabled()) {
            LOG.debug("==> JwTokenRetrieverKnox.retrieve()");
        }
        Optional<String> empty = Optional.empty();
        if (!Objects.nonNull(this.tokenProvider)) {
            LOG.warn("==>JwTokenRetrieverKnox.retrieve(): Failed to fetch JWT from knox. Proceeding with available credentials.");
        } else if (isKerberosAuthenticated()) {
            String bearerToken = this.tokenProvider.getBearerToken();
            if (StringUtils.isNotBlank(bearerToken)) {
                empty = Optional.of(bearerToken);
            }
        } else if (LOG.isDebugEnabled()) {
            LOG.debug("==>JwTokenRetrieverKnox.retrieve(): Skipping JWT fetch from knox, as required kerberos credentials are missing.");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("<== JwTokenRetrieverKnox.retrieve(): isJwTokenPresent=" + empty.isPresent());
        }
        return empty;
    }

    private boolean isKerberosAuthenticated() {
        boolean z = false;
        try {
            UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
            z = UserGroupInformation.isSecurityEnabled() && loginUser.hasKerberosCredentials() && loginUser.getAuthenticationMethod().equals(UserGroupInformation.AuthenticationMethod.KERBEROS);
            if (z) {
                loginUser.checkTGTAndReloginFromKeytab();
            }
        } catch (IOException e) {
            LOG.error("Failed to get authentication details. Exception : {}", e);
        }
        return z;
    }
}
