package org.apache.storm.security.auth;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.URIParameter;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.SortedMap;
import java.util.TreeMap;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.storm.Config;
import org.apache.storm.generated.WorkerToken;
import org.apache.storm.generated.WorkerTokenInfo;
import org.apache.storm.generated.WorkerTokenServiceType;
import org.apache.storm.security.INimbusCredentialPlugin;
import org.apache.storm.shade.org.apache.commons.codec.binary.Hex;
import org.apache.storm.utils.ObjectReader;
import org.apache.storm.utils.ReflectionUtils;
import org.apache.storm.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/ClientAuthUtils.class */
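/**
 * Static helpers used by Storm's client-side authentication code: loading the JAAS login
 * configuration, instantiating auth plugins named in the cluster/topology configuration,
 * moving {@link WorkerToken}s in and out of credential maps and {@link Subject}s, and
 * (de)serializing Kerberos tickets.
 *
 * <p>Security-relevant points for maintainers:
 * <ul>
 *   <li>Plugin class names are read from the configuration map and handed to
 *       {@code ReflectionUtils.newInstance}; whoever can write that configuration chooses
 *       which classes get instantiated, so the map must come from a trusted source.</li>
 *   <li>{@link #deserializeKerberosTicket(byte[])} uses Java native deserialization and must
 *       only be fed bytes from a trusted origin.</li>
 *   <li>{@link #makeDigestPayload(Configuration, String)} and
 *       {@link #serializeKerberosTicket(KerberosTicket)} return secret material; callers
 *       should not log their results.</li>
 * </ul>
 */
public class ClientAuthUtils {
    public static final String LOGIN_CONTEXT_SERVER = "StormServer";
    public static final String LOGIN_CONTEXT_CLIENT = "StormClient";
    public static final String LOGIN_CONTEXT_PACEMAKER_DIGEST = "PacemakerDigest";
    public static final String LOGIN_CONTEXT_PACEMAKER_SERVER = "PacemakerServer";
    public static final String LOGIN_CONTEXT_PACEMAKER_CLIENT = "PacemakerClient";
    public static final String SERVICE = "storm_thrift_server";
    private static final Logger LOG = LoggerFactory.getLogger(ClientAuthUtils.class);
    private static final String USERNAME = "username";
    private static final String PASSWORD = "password";

    /**
     * Loads the JAAS login configuration named by the {@code java.security.auth.login.config}
     * entry of the given map.
     *
     * @param conf configuration map holding the path of the JAAS file
     * @return the parsed configuration, or {@code null} when the entry is absent or empty
     * @throws RuntimeException if the file cannot be read or cannot be parsed
     */
    public static Configuration getConfiguration(Map<String, Object> conf) {
        String loginConfigPath = (String) conf.get("java.security.auth.login.config");
        if (loginConfigPath == null || loginConfigPath.isEmpty()) {
            return null;
        }
        File loginConfigFile = new File(loginConfigPath);
        if (!loginConfigFile.canRead()) {
            throw new RuntimeException("File " + loginConfigPath + " cannot be read.");
        }
        try {
            return Configuration.getInstance("JavaLoginConfig", new URIParameter(loginConfigFile.toURI()));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the JAAS entries registered under the given section name.
     *
     * @param configuration the login configuration, may be {@code null}
     * @param section the application entry name to look up
     * @return the entries, or {@code null} when {@code configuration} is {@code null}
     * @throws IOException if the configuration has no entry with that name
     */
    public static AppConfigurationEntry[] getEntries(Configuration configuration, String section) throws IOException {
        if (configuration == null) {
            return null;
        }
        AppConfigurationEntry[] entries = configuration.getAppConfigurationEntry(section);
        if (entries == null) {
            throw new IOException("Could not find a '" + section + "' entry in this configuration.");
        }
        return entries;
    }

    /**
     * Merges the options of every entry of a JAAS section into one sorted map. When several
     * entries define the same option, the value from the later entry wins.
     *
     * <p>The result may contain the section's {@code password} option, so it should not be
     * logged as a whole.
     *
     * @param configuration the login configuration, may be {@code null}
     * @param section the application entry name to look up
     * @return the merged options, or {@code null} when {@code configuration} is {@code null}
     * @throws IOException if the configuration has no entry with that name
     */
    public static SortedMap<String, ?> pullConfig(Configuration configuration, String section) throws IOException {
        AppConfigurationEntry[] entries = getEntries(configuration, section);
        if (entries == null) {
            return null;
        }
        SortedMap<String, Object> merged = new TreeMap<>();
        for (AppConfigurationEntry entry : entries) {
            merged.putAll(entry.getOptions());
        }
        return merged;
    }

    /**
     * Returns the first non-null value of an option across the entries of a JAAS section.
     *
     * @param configuration the login configuration, may be {@code null}
     * @param section the application entry name to look up
     * @param key the option name
     * @return the option value, or {@code null} when the configuration is {@code null} or no
     *     entry defines the option
     * @throws IOException if the configuration has no entry with that name
     */
    public static String get(Configuration configuration, String section, String key) throws IOException {
        AppConfigurationEntry[] entries = getEntries(configuration, section);
        if (entries == null) {
            return null;
        }
        for (AppConfigurationEntry entry : entries) {
            Object value = entry.getOptions().get(key);
            if (value != null) {
                return (String) value;
            }
        }
        return null;
    }

    /**
     * Instantiates and prepares the principal-to-local plugin named by
     * {@link Config#STORM_PRINCIPAL_TO_LOCAL_PLUGIN}.
     *
     * @param conf configuration map naming the plugin class
     * @return the prepared plugin, or {@code null} when none is configured (a warning is logged)
     * @throws RuntimeException wrapping any failure while creating or preparing the plugin
     */
    public static IPrincipalToLocal getPrincipalToLocalPlugin(Map<String, Object> conf) {
        try {
            String className = (String) conf.get(Config.STORM_PRINCIPAL_TO_LOCAL_PLUGIN);
            if (className == null) {
                LOG.warn("No principal to local given {}", Config.STORM_PRINCIPAL_TO_LOCAL_PLUGIN);
                return null;
            }
            // The class to load is chosen by the configuration, so the map must be trusted.
            IPrincipalToLocal plugin = (IPrincipalToLocal) ReflectionUtils.newInstance(className);
            if (plugin != null) {
                plugin.prepare(conf);
            }
            return plugin;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Instantiates and prepares the group-mapping plugin named by
     * {@link Config#STORM_GROUP_MAPPING_SERVICE_PROVIDER_PLUGIN}.
     *
     * @param conf configuration map naming the plugin class
     * @return the prepared plugin, or {@code null} when none is configured (a warning is logged)
     * @throws RuntimeException wrapping any failure while creating or preparing the plugin
     */
    public static IGroupMappingServiceProvider getGroupMappingServiceProviderPlugin(Map<String, Object> conf) {
        try {
            String className = (String) conf.get(Config.STORM_GROUP_MAPPING_SERVICE_PROVIDER_PLUGIN);
            if (className == null) {
                LOG.warn("No group mapper given {}", Config.STORM_GROUP_MAPPING_SERVICE_PROVIDER_PLUGIN);
                return null;
            }
            // The class to load is chosen by the configuration, so the map must be trusted.
            IGroupMappingServiceProvider plugin =
                (IGroupMappingServiceProvider) ReflectionUtils.newInstance(className);
            if (plugin != null) {
                plugin.prepare(conf);
            }
            return plugin;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Instantiates and prepares every credential renewer listed under
     * {@link Config#NIMBUS_CREDENTIAL_RENEWERS}.
     *
     * @param conf configuration map listing the renewer class names
     * @return the prepared renewers; empty when the entry is absent
     * @throws RuntimeException wrapping any failure while creating or preparing a renewer
     */
    public static Collection<ICredentialsRenewer> getCredentialRenewers(Map<String, Object> conf) {
        try {
            Set<ICredentialsRenewer> renewers = new HashSet<>();
            Collection<?> classNames = (Collection<?>) conf.get(Config.NIMBUS_CREDENTIAL_RENEWERS);
            if (classNames != null) {
                for (Object className : classNames) {
                    ICredentialsRenewer renewer =
                        (ICredentialsRenewer) ReflectionUtils.newInstance((String) className);
                    renewer.prepare(conf);
                    renewers.add(renewer);
                }
            }
            return renewers;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Instantiates and prepares every Nimbus credential plugin listed under
     * {@link Config#NIMBUS_AUTO_CRED_PLUGINS}.
     *
     * @param conf configuration map listing the plugin class names
     * @return the prepared plugins; empty when the entry is absent
     * @throws RuntimeException wrapping any failure while creating or preparing a plugin
     */
    public static Collection<INimbusCredentialPlugin> getNimbusAutoCredPlugins(Map<String, Object> conf) {
        try {
            Set<INimbusCredentialPlugin> plugins = new HashSet<>();
            Collection<?> classNames = (Collection<?>) conf.get(Config.NIMBUS_AUTO_CRED_PLUGINS);
            if (classNames != null) {
                for (Object className : classNames) {
                    INimbusCredentialPlugin plugin =
                        (INimbusCredentialPlugin) ReflectionUtils.newInstance((String) className);
                    plugin.prepare(conf);
                    plugins.add(plugin);
                }
            }
            return plugins;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Instantiates and prepares every auto-credentials plugin listed under
     * {@link Config#TOPOLOGY_AUTO_CREDENTIALS}.
     *
     * @param conf configuration map listing the plugin class names
     * @return the prepared plugins; empty when the entry is absent
     * @throws RuntimeException wrapping any failure while creating or preparing a plugin
     */
    public static Collection<IAutoCredentials> getAutoCredentials(Map<String, Object> conf) {
        try {
            Set<IAutoCredentials> autos = new HashSet<>();
            Collection<?> classNames = (Collection<?>) conf.get(Config.TOPOLOGY_AUTO_CREDENTIALS);
            if (classNames != null) {
                for (Object className : classNames) {
                    IAutoCredentials auto = (IAutoCredentials) ReflectionUtils.newInstance((String) className);
                    auto.prepare(conf);
                    autos.add(auto);
                }
            }
            // This prints each plugin's toString(); NOTE(review): confirm no implementation
            // includes credential material in its string form.
            LOG.info("Got AutoCreds {}", autos);
            return autos;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the credentials-map key under which the worker token for a service is stored.
     *
     * @param type the service the token is for
     * @return {@code "STORM_WORKER_TOKEN_"} followed by the enum constant's name
     */
    public static String workerTokenCredentialsKey(WorkerTokenServiceType type) {
        return "STORM_WORKER_TOKEN_" + type.name();
    }

    /**
     * Reads the worker token for a service out of a credentials map.
     *
     * @param credentials the credentials map
     * @param type the service the token is for
     * @return the deserialized token, or {@code null} when the map has no entry for the service
     */
    public static WorkerToken readWorkerToken(Map<String, String> credentials, WorkerTokenServiceType type) {
        String serialized = credentials.get(workerTokenCredentialsKey(type));
        if (serialized == null) {
            return null;
        }
        return (WorkerToken) Utils.deserializeFromString(serialized, WorkerToken.class);
    }

    /**
     * Stores a worker token in a credentials map under the key for its service type.
     *
     * @param credentials the credentials map to update
     * @param token the token to store
     */
    public static void setWorkerToken(Map<String, String> credentials, WorkerToken token) {
        credentials.put(workerTokenCredentialsKey(token.get_serviceType()), Utils.serializeToString(token));
    }

    /**
     * Finds a worker token for the given service among the subject's private credentials.
     *
     * @param subject the subject to search
     * @param type the service the token is for
     * @return a matching token, or {@code null} when the subject holds none
     */
    public static WorkerToken findWorkerToken(Subject subject, WorkerTokenServiceType type) {
        Set<WorkerToken> tokens = subject.getPrivateCredentials(WorkerToken.class);
        // NOTE(review): per the Subject Javadoc this set is a fresh copy made for each call,
        // so this monitor does not by itself exclude writers to the subject's live set.
        synchronized (tokens) {
            return tokens.stream()
                .filter(token -> token.get_serviceType() == type)
                .findAny()
                .orElse(null);
        }
    }

    /**
     * Decides whether worker tokens may be used with this configuration. Tokens are allowed
     * when ZooKeeper authentication is configured for the Storm server, or when the
     * {@code TESTING.ONLY.ENABLE.INSECURE.WORKER.TOKENS} override is set. The override logs a
     * loud error and must never be set outside unit tests.
     */
    private static boolean willWorkerTokensBeStoredSecurely(Map<String, Object> conf) {
        boolean insecureOverride =
            ObjectReader.getBoolean(conf.get("TESTING.ONLY.ENABLE.INSECURE.WORKER.TOKENS"), false);
        if (Utils.isZkAuthenticationConfiguredStormServer(conf)) {
            return true;
        }
        if (!insecureOverride) {
            return false;
        }
        LOG.error("\n\n\t\tYOU HAVE ENABLED INSECURE WORKER TOKENS.  IF THIS IS NOT A UNIT TEST PLEASE STOP NOW!!!\n\n");
        return true;
    }

    /**
     * Reports whether worker tokens are enabled for a Thrift server.
     *
     * @param server the server to check
     * @param conf the configuration map
     * @return {@code true} when the server supports worker tokens and the configuration allows them
     */
    public static boolean areWorkerTokensEnabledServer(ThriftServer server, Map<String, Object> conf) {
        return server.supportsWorkerTokens() && willWorkerTokensBeStoredSecurely(conf);
    }

    /**
     * Reports whether worker tokens are enabled for a Thrift connection type.
     *
     * @param connectionType the connection type to check
     * @param conf the configuration map
     * @return {@code true} when the connection type has a worker-token type and the
     *     configuration allows worker tokens
     */
    public static boolean areWorkerTokensEnabledServer(ThriftConnectionType connectionType, Map<String, Object> conf) {
        return connectionType.getWtType() != null && willWorkerTokensBeStoredSecurely(conf);
    }

    /**
     * Serializes worker-token info with {@code Utils.serialize}.
     *
     * @param info the info to serialize
     * @return the serialized bytes
     */
    public static byte[] serializeWorkerTokenInfo(WorkerTokenInfo info) {
        return Utils.serialize(info);
    }

    /**
     * Deserializes the info carried inside a worker token.
     *
     * <p>NOTE(review): nothing here verifies the token's signature; presumably callers check it
     * before trusting the returned info. Confirm at the call sites.
     *
     * @param token the token whose info field is read
     * @return the deserialized info
     */
    public static WorkerTokenInfo getWorkerTokenInfo(WorkerToken token) {
        return (WorkerTokenInfo) Utils.deserialize(token.get_info(), WorkerTokenInfo.class);
    }

    /**
     * Copies every worker token found in the credentials map into the subject's private
     * credentials, replacing any token the subject already holds for the same service.
     */
    private static Subject insertWorkerTokens(Subject subject, Map<String, String> credentials) {
        if (credentials == null) {
            return subject;
        }
        for (WorkerTokenServiceType type : WorkerTokenServiceType.values()) {
            WorkerToken token = readWorkerToken(credentials, type);
            if (token == null) {
                continue;
            }
            Set<Object> privateCredentials = subject.getPrivateCredentials();
            synchronized (privateCredentials) {
                WorkerToken previous = findWorkerToken(subject, type);
                // Add before removing so the subject is never left without a token.
                privateCredentials.add(token);
                // When the set regards the new token as equal to the previous one, add() was a
                // no-op under the Set contract and remove() would delete the only copy, leaving
                // the subject with no token for this service. Only remove a different token.
                if (previous != null && !previous.equals(token)) {
                    privateCredentials.remove(previous);
                }
            }
        }
        return subject;
    }

    /**
     * Fills a subject with credentials from every auto-credentials plugin and then with any
     * worker tokens found in the credentials map.
     *
     * @param subject the subject to fill, or {@code null} to create a new one
     * @param autos the plugins to run; must not be {@code null}
     * @param credentials the credentials map handed to the plugins
     * @return the populated subject
     */
    public static Subject populateSubject(Subject subject, Collection<IAutoCredentials> autos, Map<String, String> credentials) {
        Subject target = (subject != null) ? subject : new Subject();
        for (IAutoCredentials auto : autos) {
            auto.populateSubject(target, credentials);
        }
        return insertWorkerTokens(target, credentials);
    }

    /**
     * Refreshes an existing subject from every auto-credentials plugin and then with any
     * worker tokens found in the credentials map.
     *
     * @param subject the subject to update; must not be {@code null}
     * @param autos the plugins to run; must not be {@code null}
     * @param credentials the credentials map handed to the plugins
     * @throws RuntimeException if {@code subject} or {@code autos} is {@code null}, or wrapping
     *     any failure raised while updating
     */
    public static void updateSubject(Subject subject, Collection<IAutoCredentials> autos, Map<String, String> credentials) {
        if (subject == null || autos == null) {
            throw new RuntimeException("The subject or auto credentials cannot be null when updating a subject with credentials");
        }
        try {
            for (IAutoCredentials auto : autos) {
                auto.updateSubject(subject, credentials);
            }
            insertWorkerTokens(subject, credentials);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Instantiates and prepares the transport plugin configured for a Thrift connection type.
     *
     * @param connectionType the connection type whose plugin is wanted
     * @param conf the configuration map
     * @param configuration the JAAS login configuration passed on to the plugin
     * @return the prepared plugin
     * @throws RuntimeException wrapping any failure while creating or preparing the plugin
     */
    public static ITransportPlugin getTransportPlugin(ThriftConnectionType connectionType, Map<String, Object> conf, Configuration configuration) {
        try {
            // The class to load is chosen by the configuration, so the map must be trusted.
            ITransportPlugin plugin =
                (ITransportPlugin) ReflectionUtils.newInstance(connectionType.getTransportPlugin(conf));
            plugin.prepare(connectionType, conf, configuration);
            return plugin;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Computes the hex-encoded SHA-512 digest of {@code username:password} taken from a JAAS
     * section.
     *
     * <p>The digest is unsalted and deterministic, so the returned string is as sensitive as the
     * password itself wherever it is accepted as proof of identity. Callers should not log it.
     *
     * @param configuration the login configuration, may be {@code null}
     * @param section the application entry name holding the credentials
     * @return the hex digest, or {@code null} when the username or password cannot be obtained
     * @throws RuntimeException if SHA-512 is not available
     */
    public static String makeDigestPayload(Configuration configuration, String section) {
        String username = null;
        String password = null;
        try {
            SortedMap<String, ?> options = pullConfig(configuration, section);
            if (options == null) {
                // pullConfig returns null for a null configuration. Report that directly
                // instead of relying on a caught NullPointerException.
                LOG.error("Failed to pull username/password out of jaas conf: no login configuration available");
            } else {
                username = (String) options.get(USERNAME);
                password = (String) options.get(PASSWORD);
            }
        } catch (Exception e) {
            LOG.error("Failed to pull username/password out of jaas conf", e);
        }
        if (username == null || password == null) {
            return null;
        }
        try {
            // NOTE(review): getBytes() uses the JVM's default charset, so two hosts with
            // different defaults produce different digests for non-ASCII credentials. Pinning
            // UTF-8 would fix that but changes the value peers compute, so it needs a
            // coordinated rollout rather than a local edit.
            byte[] material = (username + ":" + password).getBytes();
            return Hex.encodeHexString(MessageDigest.getInstance("SHA-512").digest(material));
        } catch (NoSuchAlgorithmException e) {
            LOG.error("Cant run SHA-512 digest. Algorithm not available.", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Serializes a Kerberos ticket with Java object serialization.
     *
     * <p>The output carries the ticket's session key and must be handled as a secret.
     *
     * @param ticket the ticket to serialize
     * @return the serialized bytes
     * @throws Exception if serialization fails
     */
    public static byte[] serializeKerberosTicket(KerberosTicket ticket) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        // try-with-resources closes (and thereby flushes) the stream even if writeObject throws.
        try (ObjectOutputStream out = new ObjectOutputStream(buffer)) {
            out.writeObject(ticket);
        }
        return buffer.toByteArray();
    }

    /**
     * Rebuilds a Kerberos ticket from bytes produced by
     * {@link #serializeKerberosTicket(KerberosTicket)}.
     *
     * <p>SECURITY: this is Java native deserialization with no class filter. {@code readObject}
     * instantiates whatever classes the stream names before the cast to {@link KerberosTicket}
     * is checked, so the bytes must only come from a trusted, integrity-protected source. On
     * Java 9+ an {@code ObjectInputFilter} allow-list on the stream would bound what can be
     * instantiated.
     *
     * @param bArr the serialized ticket
     * @return the deserialized ticket
     * @throws RuntimeException wrapping any failure, including a stream that does not hold a
     *     {@link KerberosTicket}
     */
    public static KerberosTicket deserializeKerberosTicket(byte[] bArr) {
        // try-with-resources closes the stream even if readObject or the cast throws.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bArr))) {
            return (KerberosTicket) in.readObject();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Produces an independent copy of a Kerberos ticket by serializing and deserializing it.
     *
     * @param kerberosTicket the ticket to copy, may be {@code null}
     * @return the copy, or {@code null} when the input is {@code null}
     * @throws RuntimeException if the round trip fails
     */
    public static KerberosTicket cloneKerberosTicket(KerberosTicket kerberosTicket) {
        if (kerberosTicket == null) {
            return null;
        }
        try {
            return deserializeKerberosTicket(serializeKerberosTicket(kerberosTicket));
        } catch (Exception e) {
            throw new RuntimeException("Failed to clone KerberosTicket TGT!!", e);
        }
    }
}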
