package org.apache.pulsar.common.sasl;

import java.util.Date;
import java.util.Random;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/pulsar-common-2.7.4.5.jar:org/apache/pulsar/common/sasl/TGTRefreshThread.class */
public class TGTRefreshThread extends Thread {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) TGTRefreshThread.class);
    private static final Random rng = new Random();
    private long lastLogin = System.currentTimeMillis() - 60000;
    private final JAASCredentialsContainer container;
    private static final float TICKET_RENEW_WINDOW = 0.8f;
    private static final float TICKET_RENEW_JITTER = 0.05f;
    private static final long MIN_TIME_BEFORE_RELOGIN = 60000;

    public long getLastLogin() {
        return this.lastLogin;
    }

    public void setLastLogin(long j) {
        this.lastLogin = j;
    }

    public TGTRefreshThread(JAASCredentialsContainer jAASCredentialsContainer) {
        this.container = jAASCredentialsContainer;
        setDaemon(true);
        setName("pulsar-tgt-refresh-thread");
    }

    private synchronized KerberosTicket getTGT() {
        for (KerberosTicket kerberosTicket : this.container.getSubject().getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = kerberosTicket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                log.info("Client principal is \"" + kerberosTicket.getClient().getName() + "\".");
                log.info("Server principal is \"" + kerberosTicket.getServer().getName() + "\".");
                return kerberosTicket;
            }
        }
        return null;
    }

    private long getRefreshTime(KerberosTicket kerberosTicket) {
        long time = kerberosTicket.getStartTime().getTime();
        long time2 = kerberosTicket.getEndTime().getTime();
        log.info("TGT valid starting at:        {}", kerberosTicket.getStartTime().toString());
        log.info("TGT expires:                  {}", kerberosTicket.getEndTime().toString());
        long nextDouble = time + ((long) ((time2 - time) * (0.800000011920929d + (0.05000000074505806d * rng.nextDouble()))));
        return nextDouble > time2 ? System.currentTimeMillis() : nextDouble;
    }

    @Override // java.lang.Thread, java.lang.Runnable
    public void run() {
        long j;
        Date date;
        log.info("TGT refresh thread started.");
        while (true) {
            KerberosTicket tgt = getTGT();
            long currentTimeMillis = System.currentTimeMillis();
            if (tgt == null) {
                j = currentTimeMillis + 60000;
                date = new Date(j);
                log.warn("No TGT found: will try again at {}", date);
            } else {
                long refreshTime = getRefreshTime(tgt);
                long time = tgt.getEndTime().getTime();
                Date date2 = new Date(time);
                if (this.container.isUsingTicketCache() && tgt.getEndTime().equals(tgt.getRenewTill())) {
                    log.error("The TGT cannot be renewed beyond the next expiry date: {}.This process will not be able to authenticate new SASL connections after that time (for example, it will not be authenticate a new connection with a Broker ).  Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife {}' within kadmin, or instead, to generate a keytab for {}. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now.", date2, this.container.getPrincipal(), this.container.getPrincipal());
                    return;
                }
                if (refreshTime > time || currentTimeMillis + 60000 > time) {
                    j = currentTimeMillis;
                } else {
                    if (refreshTime < currentTimeMillis + 60000) {
                        log.warn("TGT refresh thread time adjusted from : {} to : {} since the former is sooner than the minimum refresh interval ({} seconds) from now.", new Date(refreshTime), new Date(currentTimeMillis + 60000), 60L);
                    }
                    j = Math.max(refreshTime, currentTimeMillis + 60000);
                }
                date = new Date(j);
                if (j > time) {
                    log.error("next refresh: {} is later than expiry {}. This may indicate a clock skew problem.Check that this host and the KDC's hosts' clocks are in sync. Exiting refresh thread.", date, date2);
                    return;
                }
            }
            if (currentTimeMillis == j) {
                log.info("refreshing now because expiry is before next scheduled refresh time.");
            } else {
                if (currentTimeMillis >= j) {
                    log.error("nextRefresh:{} is in the past: exiting refresh thread. Check clock sync between this host and KDC - (KDC's clock is likely ahead of this host). Manual intervention will be required for this client to successfully authenticate. Exiting refresh thread.", date);
                    return;
                }
                log.info("TGT refresh sleeping until: {}", new Date(j).toString());
                try {
                    Thread.sleep(j - currentTimeMillis);
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                    log.warn("TGT renewal thread has been interrupted and will exit.");
                    return;
                }
            }
            if (this.container.isUsingTicketCache()) {
                String orDefault = this.container.getConfiguration().getOrDefault(SaslConstants.KINIT_COMMAND, "/usr/bin/kinit");
                int i = 1;
                while (i >= 0) {
                    try {
                        log.info("running ticket cache refresh command: {} {}", orDefault, "-R");
                        new ProcessBuilder(new String[0]).command("bash", "-c", orDefault, "-R");
                        break;
                    } catch (Exception e2) {
                        if (i <= 0) {
                            log.warn("Could not renew TGT due to problem running shell command: '{} {}'; exception was:{}. Exiting refresh thread.", orDefault, "-R", e2.toString(), e2);
                            return;
                        }
                        i--;
                        try {
                            Thread.sleep(10000L);
                        } catch (InterruptedException e3) {
                            Thread.currentThread().interrupt();
                            log.error("Interrupted while renewing TGT, exiting Login thread");
                            return;
                        }
                    }
                }
            }
            int i2 = 1;
            while (i2 >= 0) {
                try {
                    try {
                        reLogin();
                        break;
                    } catch (LoginException e4) {
                        if (i2 > 0) {
                            i2--;
                            try {
                                Thread.sleep(10000L);
                            } catch (InterruptedException e5) {
                                Thread.currentThread().interrupt();
                                log.error("Interrupted during login retry after LoginException:", (Throwable) e4);
                                throw e4;
                            }
                        } else {
                            log.error("Could not refresh TGT for principal: {}.", this.container.getPrincipal(), e4);
                        }
                    }
                } catch (LoginException e6) {
                    log.error("Failed to refresh TGT: refresh thread exiting now.", (Throwable) e6);
                    return;
                }
            }
        }
    }

    private synchronized void reLogin() throws LoginException {
        LoginContext loginContext = this.container.getLoginContext();
        if (loginContext == null) {
            throw new LoginException("login must be done first");
        }
        if (hasSufficientTimeElapsed()) {
            log.info("Initiating logout for {}", this.container.getPrincipal());
            synchronized (this) {
                loginContext.logout();
                LoginContext loginContext2 = new LoginContext(this.container.getLoginContextName(), this.container.getSubject());
                log.info("Initiating re-login for {}", this.container.getPrincipal());
                loginContext2.login();
                this.container.setLoginContext(loginContext2);
            }
        }
    }

    private boolean hasSufficientTimeElapsed() {
        long currentTimeMillis = System.currentTimeMillis();
        if (currentTimeMillis - getLastLogin() < 60000) {
            log.warn("Not attempting to re-login since the last re-login was attempted less than {} seconds before.", (Object) 60L);
            return false;
        }
        setLastLogin(currentTimeMillis);
        return true;
    }
}
