package com.datastax.bdp.transport.client;

import com.datastax.bdp.config.ClientConfiguration;
import com.datastax.bdp.config.ClientConfigurationFactory;
import com.datastax.bdp.graph.impl.data.DDLQueryBuilder;
import com.datastax.bdp.transport.client.TDseClientTransportFactory;
import com.datastax.bdp.transport.common.OptionReader;
import com.datastax.bdp.transport.common.SaslProperties;
import com.datastax.bdp.transport.common.ServicePrincipal;
import com.datastax.dse.byos.shade.com.cryptsoft.kmip.TlsKmipConnection;
import com.datastax.dse.byos.shade.com.google.common.collect.Maps;
import com.datastax.dse.byos.shade.com.google.common.collect.Sets;
import com.sun.security.auth.module.Krb5LoginModule;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.security.auth.RefreshFailedException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.thrift.transport.TFramedTransport;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.gridkit.jvmtool.cmd.AntPathMatcher;
import org.hyperic.sigar.NetFlags;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/transport/client/TKerberosClientTransportFactory.class */
public final class TKerberosClientTransportFactory implements TDseClientTransportFactory.TClientTransportFactory, Cloneable {
    private final TClientSocketFactory socketFactory;
    private final Map<String, String> saslProperties;
    private static final String USE_CONFIG_FILE_KEY = "kerberos.use.config.file";
    private static final String USE_KEYTAB_KEY = "kerberos.use.keytab";
    private static final String USE_TICKET_CACHE_KEY = "kerberos.use.ticket.cache";
    private static final String CONFIG_ENTRY_KEY = "kerberos.client.reference.name";
    private static final String KEYTAB_KEY = "kerberos.keytab";
    private static final String TICKET_CACHE_KEY = "kerberos.ticket.cache";
    private static final String CLIENT_PRINCIPAL_KEY = "kerberos.client.principal";
    private static final String SERVICE_NAME_KEY = "kerberos.service.name";
    private boolean useConfigFile;
    private boolean useKeytab;
    private boolean useTicketCache;
    private String configEntry;
    private String keytab;
    private String ticketCache;
    private String clientPrincipal;
    private String serviceName;
    private String serviceHost;
    private ClientConfiguration clientConf;
    static Logger logger = LoggerFactory.getLogger(TKerberosClientTransportFactory.class);
    private static final ConcurrentMap<String, Subject> authenticatedSubjects = new ConcurrentHashMap();
    private static final Object authenticationLock = new Object();

    /* loaded from: input_file:com/datastax/bdp/transport/client/TKerberosClientTransportFactory$KerberosUserConfiguration.class */
    public class KerberosUserConfiguration extends Configuration {
        private final Map<String, String> USER_KERBEROS_OPTIONS = Maps.newHashMap();
        private final AppConfigurationEntry USER_KERBEROS_LOGIN;

        public KerberosUserConfiguration() {
            this.USER_KERBEROS_OPTIONS.put("doNotPrompt", TlsKmipConnection.DEFAULT_SSL_VERIFY);
            this.USER_KERBEROS_OPTIONS.put("renewTGT", TlsKmipConnection.DEFAULT_SSL_VERIFY);
            this.USER_KERBEROS_OPTIONS.put("storeKey", DDLQueryBuilder.USE_JTS_MULTI_VALUE);
            this.USER_KERBEROS_OPTIONS.put("useKeyTab", "" + TKerberosClientTransportFactory.this.useKeytab);
            this.USER_KERBEROS_OPTIONS.put("useTicketCache", "" + TKerberosClientTransportFactory.this.useTicketCache);
            this.USER_KERBEROS_OPTIONS.put("principal", TKerberosClientTransportFactory.this.clientPrincipal);
            if (TKerberosClientTransportFactory.this.useTicketCache && TKerberosClientTransportFactory.this.ticketCache != null) {
                this.USER_KERBEROS_OPTIONS.put("ticketCache", TKerberosClientTransportFactory.this.ticketCache);
            }
            if (TKerberosClientTransportFactory.this.useKeytab && TKerberosClientTransportFactory.this.keytab != null) {
                this.USER_KERBEROS_OPTIONS.put("keyTab", TKerberosClientTransportFactory.this.keytab);
                this.USER_KERBEROS_OPTIONS.put("renewTGT", DDLQueryBuilder.USE_JTS_MULTI_VALUE);
            }
            this.USER_KERBEROS_LOGIN = new AppConfigurationEntry(Krb5LoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, this.USER_KERBEROS_OPTIONS);
        }

        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            return new AppConfigurationEntry[]{this.USER_KERBEROS_LOGIN};
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/transport/client/TKerberosClientTransportFactory$TgtRenewalThread.class */
    public static class TgtRenewalThread extends Thread {
        private static final float TICKET_RENEW_WINDOW = 0.8f;
        private final Subject subject;

        TgtRenewalThread(Subject subject) {
            this.subject = subject;
            setDaemon(true);
            setName("Kerberos-TGT-renewer for: " + getTGT().getClient().toString());
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            while (true) {
                try {
                    KerberosTicket tgt = getTGT();
                    waitUntilOldEnough(tgt);
                    synchronized (this.subject) {
                        tgt.refresh();
                    }
                    TKerberosClientTransportFactory.logger.info("Successfully renewed Kerberos TGT. Valid until: " + tgt.getEndTime());
                } catch (InterruptedException e) {
                    TKerberosClientTransportFactory.logger.info("Interrupted. Kerberos TGT renewal thread exiting.");
                    return;
                } catch (RefreshFailedException e2) {
                    TKerberosClientTransportFactory.logger.error("Renewing Kerberos TGT failed. Ticket not renewable?", e2);
                    return;
                }
            }
        }

        private KerberosTicket getTGT() {
            for (KerberosTicket kerberosTicket : this.subject.getPrivateCredentials(KerberosTicket.class)) {
                KerberosPrincipal server = kerberosTicket.getServer();
                if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                    return kerberosTicket;
                }
            }
            throw new AssertionError("Kerberos TGT not found");
        }

        private void waitUntilOldEnough(KerberosTicket kerberosTicket) throws InterruptedException {
            long currentTimeMillis = System.currentTimeMillis();
            long nextRefreshTime = getNextRefreshTime(kerberosTicket);
            if (nextRefreshTime > currentTimeMillis) {
                Thread.sleep(nextRefreshTime - currentTimeMillis);
            }
        }

        private long getNextRefreshTime(KerberosTicket kerberosTicket) {
            return kerberosTicket.getStartTime().getTime() + (((float) (kerberosTicket.getEndTime().getTime() - r0)) * TICKET_RENEW_WINDOW);
        }
    }

    public TKerberosClientTransportFactory() {
        this(ClientConfigurationFactory.getClientConfiguration());
    }

    public TKerberosClientTransportFactory(ClientConfiguration clientConfiguration) {
        this.socketFactory = new TClientSocketFactory();
        this.useConfigFile = false;
        this.useKeytab = false;
        this.useTicketCache = true;
        this.configEntry = "Client";
        this.keytab = null;
        this.ticketCache = System.getenv("KRB5CCNAME");
        this.clientPrincipal = null;
        this.serviceName = null;
        this.serviceHost = null;
        this.clientConf = clientConfiguration;
        this.saslProperties = SaslProperties.defaultProperties(clientConfiguration);
    }

    @Override // org.apache.cassandra.thrift.ITransportFactory
    public TTransport openTransport(String str, int i) throws Exception {
        return openTransport(this.socketFactory.openSocket(str, i), getCanonicalHostName(str, this.clientConf));
    }

    @Override // com.datastax.bdp.transport.client.TDseClientTransportFactory.TClientTransportFactory
    public TTransport openTransport(TSocket tSocket) throws Exception {
        if (this.serviceHost == null) {
            throw new IllegalStateException("serviceHost must not be null here. Call withServicePrincipal to set serviceName and serviceHost");
        }
        return openTransport(tSocket, this.serviceHost);
    }

    public TTransport openTransport(TSocket tSocket, String str) throws Exception {
        try {
            if (!tSocket.isOpen()) {
                tSocket.open();
            }
            if (this.serviceName == null) {
                this.serviceName = getServiceName(this.clientConf);
            }
            if (logger.isDebugEnabled()) {
                logger.debug("Opening kerberos transport to: " + tSocket.getSocket().getInetAddress().getHostAddress() + ":" + tSocket.getSocket().getPort());
                logger.debug("Using config file: " + this.useConfigFile);
                logger.debug("Using ticket cache: " + this.useTicketCache);
                logger.debug("Using keytab: " + this.useKeytab);
                logger.debug("Ticket cache location: " + this.ticketCache);
                logger.debug("Keytab location: " + this.keytab);
                logger.debug("Client principal: " + this.clientPrincipal);
                logger.debug("Service name: " + this.serviceName);
                logger.debug("Service host: " + str);
            }
            TSaslClientTransport createTransport = createTransport(tSocket, this.serviceName, str);
            openTransport(createTransport, authenticate());
            Integer valueOf = Integer.valueOf(this.socketFactory.getThriftFramedTransportSizeMb().intValue() * 1024 * 1024);
            if (logger.isDebugEnabled()) {
                logger.debug("Kerberos transport to " + tSocket.getSocket().getInetAddress().getHostAddress() + ":" + tSocket.getSocket().getPort() + " opened successfully");
                logger.debug("Using thriftFramedTransportSize size of " + valueOf);
            }
            return new TFramedTransport(createTransport, valueOf.intValue());
        } catch (Exception e) {
            throw new TTransportException("Failed to open Kerberos transport to: " + str, e);
        }
    }

    public Subject authenticate() throws LoginException {
        String subjectKey = getSubjectKey();
        Subject subject = authenticatedSubjects.get(subjectKey);
        if (subject == null) {
            synchronized (authenticationLock) {
                subject = authenticatedSubjects.get(subjectKey);
                if (subject == null) {
                    subject = new Subject();
                    (this.useConfigFile ? new LoginContext(this.configEntry, subject) : new LoginContext("Client", subject, (CallbackHandler) null, new KerberosUserConfiguration())).login();
                    subject.setReadOnly();
                    new TgtRenewalThread(subject).start();
                    authenticatedSubjects.put(subjectKey, subject);
                }
            }
        }
        return subject;
    }

    private String getSubjectKey() {
        String property = System.getProperty("java.security.auth.login.config");
        return (property == null ? "" : property) + AntPathMatcher.DEFAULT_PATH_SEPARATOR + (this.configEntry == null ? "" : this.configEntry) + AntPathMatcher.DEFAULT_PATH_SEPARATOR + (this.clientPrincipal == null ? "default" : this.clientPrincipal);
    }

    private TSaslClientTransport createTransport(TSocket tSocket, String str, String str2) throws IOException {
        return new TSaslClientTransport("GSSAPI", (String) null, str, str2, this.saslProperties, (CallbackHandler) null, tSocket);
    }

    private void openTransport(final TSaslClientTransport tSaslClientTransport, final Subject subject) {
        Subject.doAs(subject, new PrivilegedAction<Void>() { // from class: com.datastax.bdp.transport.client.TKerberosClientTransportFactory.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public Void run() {
                try {
                    synchronized (subject) {
                        tSaslClientTransport.open();
                    }
                    return null;
                } catch (TTransportException e) {
                    throw new RuntimeException((Throwable) e);
                }
            }
        });
    }

    private static String getCanonicalHostName(String str, ClientConfiguration clientConfiguration) throws UnknownHostException {
        return (str.equals(NetFlags.LOOPBACK_ADDRESS) || str.equals("localhost")) ? getLocalHostName(clientConfiguration) : InetAddress.getByName(str).getCanonicalHostName();
    }

    public static String getServerPrincipal(String str, ClientConfiguration clientConfiguration) throws UnknownHostException {
        return getServiceName(clientConfiguration) + AntPathMatcher.DEFAULT_PATH_SEPARATOR + getCanonicalHostName(str, clientConfiguration);
    }

    public static String getServiceName(ClientConfiguration clientConfiguration) {
        if (!clientConfiguration.isKerberosEnabled()) {
            return "dse";
        }
        try {
            return clientConfiguration.getDseServicePrincipal().service;
        } catch (Throwable th) {
            if (!clientConfiguration.isKerberosDefaultScheme()) {
                return "dse";
            }
            logger.warn("Failed to get service name from service principal in dse.yaml: " + th.getMessage());
            return "dse";
        }
    }

    private static String getLocalHostName(ClientConfiguration clientConfiguration) throws UnknownHostException {
        try {
            return clientConfiguration.getCassandraHost().getHostName();
        } catch (Throwable th) {
            logger.warn("Failed to get hostname from service principal in dse.yaml: " + th.getMessage());
            return InetAddress.getLocalHost().getCanonicalHostName();
        }
    }

    @Override // org.apache.cassandra.thrift.ITransportFactory
    public void setOptions(Map<String, String> map) {
        this.socketFactory.setOptions(map);
        SaslProperties.copyProperties(map, this.saslProperties);
        OptionReader optionReader = new OptionReader(map);
        this.useConfigFile = optionReader.getBoolean(USE_CONFIG_FILE_KEY, this.useConfigFile);
        this.useKeytab = optionReader.getBoolean(USE_KEYTAB_KEY, this.useKeytab) && !this.useConfigFile;
        this.useTicketCache = optionReader.getBoolean(USE_TICKET_CACHE_KEY, this.useTicketCache) && !this.useConfigFile;
        this.configEntry = optionReader.getString(CONFIG_ENTRY_KEY, this.configEntry);
        this.keytab = optionReader.getString(KEYTAB_KEY, this.keytab);
        this.ticketCache = optionReader.getString(TICKET_CACHE_KEY, this.ticketCache);
        this.clientPrincipal = optionReader.getString(CLIENT_PRINCIPAL_KEY, this.clientPrincipal);
        this.serviceName = optionReader.getString(SERVICE_NAME_KEY, this.serviceName);
    }

    @Override // org.apache.cassandra.thrift.ITransportFactory
    public Set<String> supportedOptions() {
        return Sets.union(Sets.newHashSet(USE_CONFIG_FILE_KEY, USE_KEYTAB_KEY, USE_TICKET_CACHE_KEY, CONFIG_ENTRY_KEY, KEYTAB_KEY, TICKET_CACHE_KEY, CLIENT_PRINCIPAL_KEY, SERVICE_NAME_KEY), this.socketFactory.supportedOptions());
    }

    public TKerberosClientTransportFactory withServicePrincipal(String str) {
        ServicePrincipal servicePrincipal = new ServicePrincipal(str);
        TKerberosClientTransportFactory m1041clone = m1041clone();
        m1041clone.serviceName = servicePrincipal.service;
        m1041clone.serviceHost = servicePrincipal.host;
        return m1041clone;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* renamed from: clone, reason: merged with bridge method [inline-methods] */
    public final TKerberosClientTransportFactory m1041clone() {
        try {
            return (TKerberosClientTransportFactory) super.clone();
        } catch (CloneNotSupportedException e) {
            throw new RuntimeException(e);
        }
    }
}
