package org.apache.hadoop.security.authentication.client;

import com.sun.security.auth.module.Krb5LoginModule;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import sun.security.jgss.GSSUtil;

/* loaded from: input_file:hadoop-common-0.23.3/share/hadoop/common/lib/hadoop-auth-0.23.3.jar:org/apache/hadoop/security/authentication/client/KerberosAuthenticator.class */
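/**
 * Client-side {@link Authenticator} that performs an SPNEGO (HTTP Negotiate) handshake using the
 * Kerberos credentials of the current {@link Subject}, or of the ticket cache when no Subject is
 * bound to the calling context.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Whether Kerberos is used at all is decided by the server's first response. Anything other
 *       than a 401 with a {@code Negotiate} challenge hands the request to
 *       {@link #getFallBackAuthenticator()}.</li>
 *   <li>The service principal is built as {@code HTTP/<host>} from the request URL, and credential
 *       delegation to that service is requested.</li>
 *   <li>{@code url}, {@code conn} and {@code base64} are reassigned on every
 *       {@link #authenticate} call and read by the token helpers, so one instance should not be
 *       shared by concurrent authentications.</li>
 * </ul>
 */
public class KerberosAuthenticator implements Authenticator {
    /** HTTP response header carrying the server's authentication challenge. */
    public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    /** HTTP request header carrying the client's SPNEGO token. */
    public static final String AUTHORIZATION = "Authorization";
    /** Authentication scheme name used in both headers. */
    public static final String NEGOTIATE = "Negotiate";
    /** HTTP method used for every leg of the handshake. */
    private static final String AUTH_HTTP_METHOD = "OPTIONS";
    private URL url;
    private HttpURLConnection conn;
    private Base64 base64;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:hadoop-common-0.23.3/share/hadoop/common/lib/hadoop-auth-0.23.3.jar:org/apache/hadoop/security/authentication/client/KerberosAuthenticator$KerberosConfiguration.class */
    /**
     * Fixed JAAS configuration used when no {@link Subject} is bound to the caller: the OS login
     * module (REQUIRED) followed by {@link Krb5LoginModule} (OPTIONAL) reading the ticket cache
     * without prompting. The same entries are returned for every application name.
     */
    public static class KerberosConfiguration extends Configuration {
        private static final String OS_LOGIN_MODULE_NAME;
        private static final boolean windows = System.getProperty("os.name").startsWith("Windows");
        private static final AppConfigurationEntry OS_SPECIFIC_LOGIN;
        private static final Map<String, String> USER_KERBEROS_OPTIONS;
        private static final AppConfigurationEntry USER_KERBEROS_LOGIN;
        private static final AppConfigurationEntry[] USER_KERBEROS_CONF;

        private KerberosConfiguration() {
        }

        /**
         * Returns the fixed OS-login + Kerberos entry pair.
         *
         * @param str application name; ignored
         * @return the shared configuration entries
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            return USER_KERBEROS_CONF;
        }

        static {
            OS_LOGIN_MODULE_NAME = windows
                    ? "com.sun.security.auth.module.NTLoginModule"
                    : "com.sun.security.auth.module.UnixLoginModule";
            OS_SPECIFIC_LOGIN = new AppConfigurationEntry(
                    OS_LOGIN_MODULE_NAME,
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, String>());

            USER_KERBEROS_OPTIONS = new HashMap<String, String>();
            USER_KERBEROS_OPTIONS.put("doNotPrompt", "true");
            USER_KERBEROS_OPTIONS.put("useTicketCache", "true");
            USER_KERBEROS_OPTIONS.put("renewTGT", "true");
            // The ticket cache location is taken from the process environment, once, at class
            // initialisation; whoever controls KRB5CCNAME for this process chooses the cache file.
            String ticketCache = System.getenv("KRB5CCNAME");
            if (ticketCache != null) {
                USER_KERBEROS_OPTIONS.put("ticketCache", ticketCache);
            }
            USER_KERBEROS_LOGIN = new AppConfigurationEntry(
                    Krb5LoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL,
                    USER_KERBEROS_OPTIONS);
            USER_KERBEROS_CONF = new AppConfigurationEntry[]{OS_SPECIFIC_LOGIN, USER_KERBEROS_LOGIN};
        }
    }

    /**
     * Authenticates against {@code url} unless {@code token} is already set.
     *
     * <p>Sends an unauthenticated OPTIONS request first. If the server answers 401 with a
     * {@code Negotiate} challenge the SPNEGO sequence runs; otherwise the fallback authenticator
     * is used. The server's response alone selects the branch.
     *
     * @param url the URL to authenticate against
     * @param token the token to fill in; left untouched when already set
     * @throws IOException if an I/O error occurs
     * @throws AuthenticationException if authentication fails
     */
    @Override // org.apache.hadoop.security.authentication.client.Authenticator
    public void authenticate(URL url, AuthenticatedURL.Token token) throws IOException, AuthenticationException {
        if (token.isSet()) {
            return;
        }
        this.url = url;
        this.base64 = new Base64(0);
        this.conn = (HttpURLConnection) url.openConnection();
        this.conn.setRequestMethod(AUTH_HTTP_METHOD);
        this.conn.connect();
        if (isNegotiate()) {
            doSpnegoSequence(token);
        } else {
            getFallBackAuthenticator().authenticate(url, token);
        }
    }

    /**
     * Returns the authenticator used when the server does not issue a {@code Negotiate} challenge.
     *
     * <p>NOTE(review): {@code PseudoAuthenticator} is not shown in this listing. If it is weaker
     * than Kerberos, a client that must never downgrade should override this method with an
     * authenticator that refuses instead.
     *
     * @return a new {@code PseudoAuthenticator}
     */
    protected Authenticator getFallBackAuthenticator() {
        return new PseudoAuthenticator();
    }

    /**
     * Tells whether the current response is a 401 whose {@code WWW-Authenticate} header starts
     * with {@code Negotiate}.
     */
    private boolean isNegotiate() throws IOException {
        if (this.conn.getResponseCode() != HttpURLConnection.HTTP_UNAUTHORIZED) {
            return false;
        }
        String challenge = this.conn.getHeaderField(WWW_AUTHENTICATE);
        return challenge != null && challenge.trim().startsWith(NEGOTIATE);
    }

    /**
     * Runs the SPNEGO token exchange and then extracts the authentication token from the final
     * response.
     *
     * <p>Uses the {@link Subject} bound to the current access-control context; when there is none,
     * logs in through {@link KerberosConfiguration} (ticket cache, no prompting).
     *
     * @throws AuthenticationException wrapping any login failure or any checked exception raised
     *     inside the privileged action
     */
    private void doSpnegoSequence(AuthenticatedURL.Token token) throws IOException, AuthenticationException {
        try {
            Subject subject = Subject.getSubject(AccessController.getContext());
            if (subject == null) {
                subject = new Subject();
                new LoginContext("", subject, (CallbackHandler) null, new KerberosConfiguration()).login();
            }
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.security.authentication.client.KerberosAuthenticator.1
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws Exception {
                    GSSContext gssContext = null;
                    try {
                        GSSManager gssManager = GSSManager.getInstance();
                        // The target service principal is derived from the host part of the URL.
                        String servicePrincipal = "HTTP/" + KerberosAuthenticator.this.url.getHost();
                        gssContext = gssManager.createContext(
                                gssManager.createName(servicePrincipal, GSSUtil.NT_GSS_KRB5_PRINCIPAL),
                                GSSUtil.GSS_KRB5_MECH_OID,
                                (GSSCredential) null,
                                0);
                        // NOTE(review): delegation of the caller's credentials is requested for
                        // whichever host the URL names; confirm that is intended for every
                        // endpoint this client may be pointed at.
                        gssContext.requestCredDeleg(true);
                        gssContext.requestMutualAuth(true);

                        byte[] inToken = new byte[0];
                        boolean established = false;
                        while (!established) {
                            byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
                            if (outToken != null) {
                                KerberosAuthenticator.this.sendToken(outToken);
                            }
                            if (gssContext.isEstablished()) {
                                established = true;
                            } else {
                                inToken = KerberosAuthenticator.this.readToken();
                            }
                        }
                        return null;
                    } finally {
                        // Release the GSS context on success and on failure alike.
                        if (gssContext != null) {
                            gssContext.dispose();
                        }
                    }
                }
            });
            AuthenticatedURL.extractToken(this.conn, token);
        } catch (PrivilegedActionException e) {
            throw new AuthenticationException(e.getException());
        } catch (LoginException e2) {
            throw new AuthenticationException(e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Opens a fresh connection to the URL and sends {@code bArr} Base64-encoded in an
     * {@code Authorization: Negotiate} header. The new connection replaces {@code this.conn}.
     *
     * @param bArr the GSS token to send
     * @throws IOException if the connection cannot be opened or connected
     */
    public void sendToken(byte[] bArr) throws IOException, AuthenticationException {
        String encodedToken = this.base64.encodeToString(bArr);
        this.conn = (HttpURLConnection) this.url.openConnection();
        this.conn.setRequestMethod(AUTH_HTTP_METHOD);
        this.conn.setRequestProperty(AUTHORIZATION, NEGOTIATE + " " + encodedToken);
        this.conn.connect();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Reads the server's SPNEGO token from the {@code WWW-Authenticate} header of the current
     * response.
     *
     * @return the Base64-decoded token bytes
     * @throws IOException if the response cannot be read
     * @throws AuthenticationException if the status is neither 200 nor 401, or the header is
     *     missing, does not start with {@code Negotiate}, or is too short to carry a token
     */
    public byte[] readToken() throws IOException, AuthenticationException {
        int status = this.conn.getResponseCode();
        if (status != HttpURLConnection.HTTP_OK && status != HttpURLConnection.HTTP_UNAUTHORIZED) {
            throw new AuthenticationException("Invalid SPNEGO sequence, status code: " + status);
        }
        String headerField = this.conn.getHeaderField(WWW_AUTHENTICATE);
        String challenge = headerField == null ? null : headerField.trim();
        int tokenOffset = (NEGOTIATE + " ").length();
        // The header is server-controlled. A bare "Negotiate" with no token would otherwise make
        // substring() throw an unchecked StringIndexOutOfBoundsException, which escapes the
        // privileged action without being converted to an AuthenticationException.
        if (challenge == null || !challenge.startsWith(NEGOTIATE) || challenge.length() < tokenOffset) {
            throw new AuthenticationException("Invalid SPNEGO sequence, 'WWW-Authenticate' header incorrect: " + headerField);
        }
        return this.base64.decode(challenge.substring(tokenOffset).trim());
    }
}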
