package org.apache.flink.runtime.security;

import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.apache.flink.annotation.VisibleForTesting;
import org.apache.flink.api.java.hadoop.mapred.utils.HadoopUtils;
import org.apache.flink.configuration.IllegalConfigurationException;
import org.apache.flink.configuration.SecurityOptions;
import org.apache.flink.runtime.security.modules.HadoopModule;
import org.apache.flink.runtime.security.modules.JaasModule;
import org.apache.flink.runtime.security.modules.SecurityModule;
import org.apache.flink.runtime.security.modules.ZooKeeperModule;
import org.apache.flink.shaded.com.google.common.collect.Lists;
import org.apache.flink.util.Preconditions;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/flink/runtime/security/SecurityUtils.class */
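/**
 * Static entry points for installing and removing the process-wide security setup:
 * an ordered list of {@link SecurityModule}s plus the {@link SecurityContext} that
 * is handed out by {@link #getInstalledContext()}.
 *
 * <p>The installed state lives in plain static fields with no synchronization.
 * NOTE(review): this presumably relies on install/uninstall being called from a single
 * thread during process start-up and shutdown; confirm against the callers.
 */
public class SecurityUtils {
    private static final Logger LOG = LoggerFactory.getLogger(SecurityUtils.class);

    /** Context returned by {@link #getInstalledContext()}; a no-op context until {@link #install} succeeds. */
    private static SecurityContext installedContext = new NoOpSecurityContext();

    /** Modules installed by the last successful module pass of {@link #install}, or {@code null} if none. */
    private static List<SecurityModule> installedModules = null;

    /**
     * Immutable snapshot of the security-related settings read from the Flink and Hadoop
     * configurations. The constructor validates the Kerberos keytab/principal combination.
     */
    public static class SecurityConfiguration {
        private static final List<Class<? extends SecurityModule>> DEFAULT_MODULES = Collections.unmodifiableList(Arrays.asList(HadoopModule.class, JaasModule.class, ZooKeeperModule.class));
        private final List<Class<? extends SecurityModule>> securityModules;
        private final Configuration hadoopConf;
        private final boolean isZkSaslDisable;
        private final boolean useTicketCache;
        private final String keytab;
        private final String principal;
        private final List<String> loginContextNames;
        private final String zkServiceName;
        private final String zkLoginContextName;

        /**
         * Creates a configuration using the Hadoop configuration returned by
         * {@code HadoopUtils.getHadoopConfiguration()} and the default module list.
         *
         * @param configuration the Flink configuration to read the security options from
         */
        public SecurityConfiguration(org.apache.flink.configuration.Configuration configuration) {
            this(configuration, HadoopUtils.getHadoopConfiguration());
        }

        /**
         * Creates a configuration with an explicit Hadoop configuration and the default module list.
         *
         * @param configuration the Flink configuration to read the security options from
         * @param configuration2 the Hadoop configuration; must not be {@code null}
         */
        public SecurityConfiguration(org.apache.flink.configuration.Configuration configuration, Configuration configuration2) {
            this(configuration, configuration2, DEFAULT_MODULES);
        }

        /**
         * Creates a configuration with an explicit Hadoop configuration and module list.
         *
         * @param configuration the Flink configuration to read the security options from
         * @param configuration2 the Hadoop configuration; must not be {@code null}
         * @param list the security module classes, in installation order; must not be {@code null}
         * @throws NullPointerException if the Hadoop configuration or the module list is {@code null}
         * @throws IllegalConfigurationException if a keytab is configured without a principal,
         *         or the keytab is not a readable regular file
         */
        public SecurityConfiguration(org.apache.flink.configuration.Configuration configuration, Configuration configuration2, List<? extends Class<? extends SecurityModule>> list) {
            this.hadoopConf = (Configuration) Preconditions.checkNotNull(configuration2);
            this.isZkSaslDisable = configuration.getBoolean(SecurityOptions.ZOOKEEPER_SASL_DISABLE);
            this.keytab = configuration.getString(SecurityOptions.KERBEROS_LOGIN_KEYTAB);
            this.principal = configuration.getString(SecurityOptions.KERBEROS_LOGIN_PRINCIPAL);
            this.useTicketCache = configuration.getBoolean(SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE);
            this.loginContextNames = parseList(configuration.getString(SecurityOptions.KERBEROS_LOGIN_CONTEXTS));
            this.zkServiceName = configuration.getString(SecurityOptions.ZOOKEEPER_SASL_SERVICE_NAME);
            this.zkLoginContextName = configuration.getString(SecurityOptions.ZOOKEEPER_SASL_LOGIN_CONTEXT_NAME);
            // Copy before wrapping: an unmodifiable *view* would still change if the caller
            // mutated its own list after construction, altering which modules get installed.
            this.securityModules = Collections.unmodifiableList(new ArrayList<Class<? extends SecurityModule>>(list));
            validate();
        }

        /** @return the value read from {@code SecurityOptions.ZOOKEEPER_SASL_DISABLE} */
        public boolean isZkSaslDisable() {
            return this.isZkSaslDisable;
        }

        /** @return the configured keytab path; may be {@code null} or blank when no keytab is configured */
        public String getKeytab() {
            return this.keytab;
        }

        /** @return the configured Kerberos principal; non-blank whenever a keytab is configured */
        public String getPrincipal() {
            return this.principal;
        }

        /** @return the value read from {@code SecurityOptions.KERBEROS_LOGIN_USETICKETCACHE} */
        public boolean useTicketCache() {
            return this.useTicketCache;
        }

        /** @return the Hadoop configuration supplied at construction; never {@code null} */
        public Configuration getHadoopConfiguration() {
            return this.hadoopConf;
        }

        /** @return an unmodifiable list of the module classes, in installation order */
        public List<Class<? extends SecurityModule>> getSecurityModules() {
            return this.securityModules;
        }

        /** @return an unmodifiable list of the configured login context names; empty when none are set */
        public List<String> getLoginContextNames() {
            return this.loginContextNames;
        }

        /** @return the value read from {@code SecurityOptions.ZOOKEEPER_SASL_SERVICE_NAME} */
        public String getZooKeeperServiceName() {
            return this.zkServiceName;
        }

        /** @return the value read from {@code SecurityOptions.ZOOKEEPER_SASL_LOGIN_CONTEXT_NAME} */
        public String getZooKeeperLoginContextName() {
            return this.zkLoginContextName;
        }

        /**
         * Checks the Kerberos login settings. A blank keytab means keytab login is not
         * configured and nothing is checked; otherwise a principal is required and the
         * keytab must be an existing, readable regular file.
         *
         * <p>The file check is a point-in-time sanity check at configuration time only.
         * NOTE(review): ownership and permission bits of the keytab are not inspected here;
         * restricting the keytab to the service account has to be enforced by deployment.
         *
         * @throws IllegalConfigurationException if the settings are inconsistent
         */
        private void validate() {
            if (StringUtils.isBlank(this.keytab)) {
                return;
            }
            if (StringUtils.isBlank(this.principal)) {
                throw new IllegalConfigurationException("Kerberos login configuration is invalid; keytab requires a principal.");
            }
            File file = new File(this.keytab);
            if (!file.exists() || !file.isFile() || !file.canRead()) {
                throw new IllegalConfigurationException("Kerberos login configuration is invalid; keytab is unreadable");
            }
        }

        /**
         * Splits a comma-separated option value into its entries. Whitespace around
         * commas is dropped and runs of commas count as one separator.
         *
         * <p>Empty entries are skipped. Without that, a whitespace-only value or a value
         * with a leading comma would yield a login context whose name is the empty string.
         *
         * @param str the raw option value; may be {@code null}
         * @return an unmodifiable list of the non-empty entries, in order
         */
        private static List<String> parseList(String str) {
            if (str == null || str.isEmpty()) {
                return Collections.emptyList();
            }
            String[] tokens = str.trim().replaceAll("(\\s*,+\\s*)+", ",").split(",");
            List<String> names = new ArrayList<String>(tokens.length);
            for (String token : tokens) {
                if (!token.isEmpty()) {
                    names.add(token);
                }
            }
            return Collections.unmodifiableList(names);
        }
    }

    /** @return the currently installed security context; a no-op context when nothing is installed */
    public static SecurityContext getInstalledContext() {
        return installedContext;
    }

    /** @return the currently tracked modules, or {@code null} when none are installed */
    @VisibleForTesting
    static List<SecurityModule> getInstalledModules() {
        return installedModules;
    }

    /**
     * Instantiates and installs every configured security module in order, then installs a
     * {@link HadoopSecurityContext} built from {@code UserGroupInformation.getLoginUser()}.
     *
     * <p>If a module cannot be created or installed, the modules that were already installed
     * by this call are uninstalled again in reverse order before the failure is reported.
     * Otherwise they would stay active without being tracked, and {@link #uninstall()} could
     * never remove them. A module that failed part-way through its own {@code install} is
     * not cleaned up here.
     *
     * @param securityConfiguration the settings handed to each module
     * @throws Exception wrapping the underlying cause if the modules or the context cannot be installed
     */
    public static void install(SecurityConfiguration securityConfiguration) throws Exception {
        List<SecurityModule> modules = new ArrayList<SecurityModule>();
        try {
            for (Class<? extends SecurityModule> moduleClass : securityConfiguration.getSecurityModules()) {
                SecurityModule module = moduleClass.newInstance();
                module.install(securityConfiguration);
                modules.add(module);
            }
        } catch (Exception e) {
            try {
                uninstallInReverse(modules);
            } catch (RuntimeException rollbackFailure) {
                // Log instead of rethrowing so the original installation failure is not masked.
                LOG.warn("unable to roll back partially installed security modules", rollbackFailure);
            }
            throw new Exception("unable to establish the security context", e);
        }
        // From here on the modules are tracked, so uninstall() can undo them if the context step fails.
        installedModules = modules;
        try {
            if (!(installedContext instanceof NoOpSecurityContext)) {
                LOG.warn("overriding previous security context");
            }
            installedContext = new HadoopSecurityContext(UserGroupInformation.getLoginUser());
        } catch (Exception e) {
            throw new Exception("unable to establish the security context", e);
        }
    }

    /**
     * Uninstalls the tracked modules in reverse installation order and resets the installed
     * context to a no-op context. Failures of individual modules do not stop the remaining
     * modules from being uninstalled.
     */
    static void uninstall() {
        if (installedModules != null) {
            uninstallInReverse(installedModules);
            installedModules = null;
        }
        installedContext = new NoOpSecurityContext();
    }

    /**
     * Best-effort uninstall of the given modules, last installed first.
     *
     * @param modules the modules in installation order
     */
    private static void uninstallInReverse(List<SecurityModule> modules) {
        for (SecurityModule module : Lists.reverse(modules)) {
            try {
                module.uninstall();
            } catch (UnsupportedOperationException ignored) {
                // Deliberately skipped: the module signals that it does not support uninstalling.
            } catch (SecurityModule.SecurityInstallException e) {
                LOG.warn("unable to uninstall a security module", e);
            }
        }
    }

    /** Static utility holder; not instantiable. */
    private SecurityUtils() {
    }
}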
