package org.opensearch.repositories.hdfs;

import java.io.IOException;
import java.io.UncheckedIOException;
import java.lang.reflect.ReflectPermission;
import java.net.SocketPermission;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.security.auth.AuthPermission;
import javax.security.auth.PrivateCredentialPermission;
import javax.security.auth.kerberos.ServicePermission;
import org.apache.hadoop.security.UserGroupInformation;
import org.opensearch.SpecialPermission;
import org.opensearch.env.Environment;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/opensearch/repositories/hdfs/HdfsSecurityContext.class */
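/**
 * Security context under which the HDFS repository talks to Hadoop.
 *
 * <p>It bundles the Hadoop login identity ({@link UserGroupInformation}) with the
 * set of Java {@link Permission}s that repository I/O is allowed to exercise, and
 * runs that I/O inside a <em>limited</em> privileged scope: when
 * {@code restrictPermissions} is set, {@link AccessController#doPrivileged(PrivilegedExceptionAction,
 * java.security.AccessControlContext, Permission...)} confines the action to the
 * intersection of the plugin's own grants and {@link #restrictedExecutionPermissions},
 * so a bug in the Hadoop client cannot exercise grants the repository does not need.
 *
 * <p>NOTE(review): this whole scheme only has teeth when a SecurityManager is
 * installed; without one the {@code doPrivileged} calls simply run the action.
 * (The decompiled members below were package-private in the original source; the
 * widened {@code public} modifiers are preserved here so existing callers keep compiling.)
 */
public class HdfsSecurityContext {

    /**
     * Permissions the Hadoop client needs when repository access uses simple
     * (non-Kerberos) authentication: outbound sockets, reflective access, and
     * read/modify access to the {@code Credentials} private credential.
     * {@code SocketPermission("*", "connect")} is deliberately broad — presumably
     * because the NameNode/DataNode hosts are only known at runtime from the
     * repository settings — so the remaining grants are what actually bound the scope.
     */
    private static final Permission[] SIMPLE_AUTH_PERMISSIONS = {
        new SocketPermission("*", "connect"),
        new ReflectPermission("suppressAccessChecks"),
        new AuthPermission("modifyPrivateCredentials"),
        new PrivateCredentialPermission("org.apache.hadoop.security.Credentials * \"*\"", "read")
    };

    /**
     * Superset of {@link #SIMPLE_AUTH_PERMISSIONS} needed for keytab-based Kerberos
     * logins: {@code doAs} for subject switching, principal/credential mutation, a
     * local listening socket, class-loader access, and read access to the Kerberos
     * ticket and keytab private credentials. A per-user {@code ServicePermission}
     * is appended at construction time (see {@link #renderPermissions}).
     */
    private static final Permission[] KERBEROS_AUTH_PERMISSIONS = {
        new SocketPermission("*", "connect"),
        new ReflectPermission("suppressAccessChecks"),
        new AuthPermission("modifyPrivateCredentials"),
        new AuthPermission("doAs"),
        new SocketPermission("localhost:0", "listen,resolve"),
        new RuntimePermission("getClassLoader"),
        new RuntimePermission("setContextClassLoader"),
        new AuthPermission("modifyPrincipals"),
        new PrivateCredentialPermission("org.apache.hadoop.security.Credentials * \"*\"", "read"),
        new PrivateCredentialPermission("javax.security.auth.kerberos.KerberosTicket * \"*\"", "read"),
        new PrivateCredentialPermission("javax.security.auth.kerberos.KeyTab * \"*\"", "read")
    };

    /** Hadoop login identity used for all repository operations. */
    private final UserGroupInformation ugi;
    /** When {@code true}, privileged actions run under the limited scope below. */
    private final boolean restrictPermissions;
    /** Permissions an action may exercise while inside {@link #doPrivilegedOrThrow}. */
    private final Permission[] restrictedExecutionPermissions;

    /**
     * Resolves the Kerberos keytab at the fixed location
     * {@code <config>/repository-hdfs/krb5.keytab}.
     *
     * <p>Only existence is verified here — neither file type nor the file's
     * permission bits are checked, so a world-readable keytab is not detected by
     * this method. The location is fixed (not taken from settings), which keeps
     * untrusted repository settings from pointing the plugin at an arbitrary file.
     *
     * @param environment node environment supplying the config directory
     * @return the keytab path
     * @throws RuntimeException if the file is absent, or a {@link SecurityException}
     *         prevents probing it (the original exception is kept as the cause)
     */
    public static Path locateKeytabFile(Environment environment) {
        Path keytab = environment.configFile().resolve("repository-hdfs").resolve("krb5.keytab");
        try {
            if (Files.exists(keytab)) {
                return keytab;
            }
            throw new RuntimeException("Could not locate keytab at [" + keytab + "].");
        } catch (SecurityException e) {
            // Probing the path was itself denied by the security policy.
            throw new RuntimeException("Could not locate keytab at [" + keytab + "]", e);
        }
    }

    /**
     * @param userGroupInformation the Hadoop login identity
     * @param restrictPermissions  whether privileged actions are confined to the
     *                             permission set derived from the identity
     */
    public HdfsSecurityContext(UserGroupInformation userGroupInformation, boolean restrictPermissions) {
        this.ugi = userGroupInformation;
        this.restrictPermissions = restrictPermissions;
        this.restrictedExecutionPermissions = renderPermissions(userGroupInformation);
    }

    /**
     * Picks the permission set matching the login mechanism. Keytab logins get the
     * Kerberos set plus a {@code ServicePermission(<user>, "initiate")} so the client
     * may initiate a GSS context as that principal; everything else gets the simple
     * set. Both branches copy, so the static arrays are never handed out.
     */
    private Permission[] renderPermissions(UserGroupInformation userGroupInformation) {
        if (!userGroupInformation.isFromKeytab()) {
            return Arrays.copyOf(SIMPLE_AUTH_PERMISSIONS, SIMPLE_AUTH_PERMISSIONS.length);
        }
        Permission[] kerberos = Arrays.copyOf(KERBEROS_AUTH_PERMISSIONS, KERBEROS_AUTH_PERMISSIONS.length + 1);
        kerberos[kerberos.length - 1] = new ServicePermission(userGroupInformation.getUserName(), "initiate");
        return kerberos;
    }

    private Permission[] getRestrictedExecutionPermissions() {
        return this.restrictedExecutionPermissions;
    }

    /**
     * Runs {@code action} as a privileged action and rethrows any failure as
     * {@link IOException}.
     *
     * <p>{@code SpecialPermission.check()} is OpenSearch's guard that the caller is
     * plugin code entitled to enter a privileged block. With
     * {@code restrictPermissions} the action is additionally limited to
     * {@link #restrictedExecutionPermissions}; otherwise it runs with the plugin's
     * full grants.
     *
     * <p>Fix: the original unconditionally cast {@code e.getCause()} to
     * {@link IOException}. A {@link PrivilegedActionException} wraps <em>any</em>
     * checked exception the action throws, so a non-I/O checked exception surfaced
     * as a {@link ClassCastException} with the real cause lost. Such causes are now
     * wrapped in an {@code IOException} that preserves them.
     *
     * @param action the privileged action to run
     * @param <T>    the action's result type
     * @return the action's result
     * @throws IOException the action's own {@code IOException}, or a wrapper around
     *                     any other checked exception it threw
     */
    public <T> T doPrivilegedOrThrow(PrivilegedExceptionAction<T> action) throws IOException {
        SpecialPermission.check();
        try {
            if (this.restrictPermissions) {
                return AccessController.doPrivileged(action, null, getRestrictedExecutionPermissions());
            }
            return AccessController.doPrivileged(action);
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new IOException("Privileged HDFS repository action failed", cause);
        }
    }

    /**
     * Refreshes the Kerberos TGT from the keytab if it is close to expiry. A no-op
     * for non-keytab logins, where there is nothing to renew.
     *
     * @throws UncheckedIOException if Hadoop's re-login fails
     */
    public void ensureLogin() {
        if (!this.ugi.isFromKeytab()) {
            return;
        }
        try {
            this.ugi.checkTGTAndReloginFromKeytab();
        } catch (IOException e) {
            throw new UncheckedIOException("Could not re-authenticate", e);
        }
    }
}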
