package org.apache.hadoop.security;

import com.google.common.annotations.VisibleForTesting;
import java.io.Closeable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.reflect.InvocationTargetException;
import java.net.InetAddress;
import java.security.NoSuchAlgorithmException;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import javax.crypto.Cipher;
import org.apache.commons.io.IOUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.util.ExitUtil;
import org.apache.hadoop.util.Shell;
import org.apache.hadoop.util.StringUtils;
import org.apache.slider.common.Constants;
import org.apache.slider.common.SliderKeys;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/security/KerberosDiags.class */
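/**
 * Kerberos diagnostics: prints the JVM, environment and Hadoop security settings
 * relevant to Kerberos, then attempts a login (from a keytab when one is
 * supplied, otherwise as the current login user) and reports the outcome.
 *
 * <p>Failed checks are raised as {@link KerberosDiagsFailure}.
 *
 * <p>Handling note: the report contains the canonical hostname, principal names
 * found in the keytab, the values of several environment variables and system
 * properties (including {@code PATH} when the kinit command is relative) and the
 * full text of the Kerberos configuration file. Treat the output as sensitive
 * operational data when attaching it to tickets or shipping it off-host.
 * {@link #execute()} also switches {@code sun.security.krb5.debug} and
 * {@code sun.security.spnego.debug} on for the duration of the login attempt.
 */
public class KerberosDiags implements Closeable {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosDiags.class);
    public static final String KRB5_CCNAME = "KRB5CCNAME";
    public static final String JAVA_SECURITY_KRB5_CONF = "java.security.krb5.conf";
    public static final String JAVA_SECURITY_KRB5_REALM = "java.security.krb5.realm";
    public static final String SUN_SECURITY_KRB5_DEBUG = "sun.security.krb5.debug";
    public static final String SUN_SECURITY_SPNEGO_DEBUG = "sun.security.spnego.debug";
    public static final String SUN_SECURITY_JAAS_FILE = "java.security.auth.login.config";
    public static final String KERBEROS_KINIT_COMMAND = "hadoop.kerberos.kinit.command";
    public static final String HADOOP_AUTHENTICATION_IS_DISABLED = "Hadoop authentication is disabled";
    public static final String UNSET = "(unset)";
    public static final String NO_DEFAULT_REALM = "Cannot locate default realm";
    private final Configuration conf;
    // Stored by the constructor; not read by any method of this class.
    private final List<String> services;
    // Report destination; when null, lines go to the class logger instead.
    private final PrintWriter out;
    // Keytab to log in from; null means "diagnose the current login user".
    private final File keytab;
    private final String principal;
    // Minimum AES key length (bits) the JVM must allow.
    private final long minKeyLength;
    // When true, finding SIMPLE authentication is a failure rather than a note.
    private final boolean securityRequired;
    public static final String CAT_JVM = "JVM";
    public static final String CAT_JAAS = "JAAS";
    public static final String CAT_CONFIG = "CONFIG";
    public static final String CAT_LOGIN = "LOGIN";
    public static final String CAT_KERBEROS = "KERBEROS";
    public static final String CAT_SASL = "SASL";

    /**
     * Failure raised by a diagnostic check. Carries the category of the failed
     * check; the exception message is {@code "<category>: <text>"} and the exit
     * code passed to {@link ExitUtil.ExitException} is always 41.
     */
    public static class KerberosDiagsFailure extends ExitUtil.ExitException {
        private final String category;

        /**
         * @param category category of the failed check (one of the {@code CAT_*} constants)
         * @param message  already-formatted failure text
         */
        public KerberosDiagsFailure(String category, String message) {
            super(41, String.valueOf(category) + ": " + message);
            this.category = category;
        }

        /**
         * @param category category of the failed check
         * @param message  {@link String#format} pattern
         * @param args     arguments for the pattern
         */
        public KerberosDiagsFailure(String category, String message, Object... args) {
            this(category, KerberosDiags.format(message, args));
        }

        /**
         * @param category category of the failed check
         * @param cause    underlying exception, attached as the cause
         * @param message  {@link String#format} pattern
         * @param args     arguments for the pattern
         */
        public KerberosDiagsFailure(String category, Throwable cause, String message, Object... args) {
            this(category, message, args);
            initCause(cause);
        }

        /** @return the category supplied at construction time */
        public String getCategory() {
            return this.category;
        }
    }

    /**
     * @param conf             Hadoop configuration to inspect
     * @param out              report destination, or null to log each line at INFO
     * @param services         stored only; not used by the checks in this class
     * @param keytab           keytab to examine and log in from, or null
     * @param principal        principal to use with the keytab
     * @param minKeyLength     minimum AES key length in bits the JVM must allow
     * @param securityRequired whether disabled Hadoop authentication is a failure
     */
    public KerberosDiags(Configuration conf, PrintWriter out, List<String> services, File keytab,
            String principal, long minKeyLength, boolean securityRequired) {
        this.conf = conf;
        this.services = services;
        this.keytab = keytab;
        this.principal = principal;
        this.out = out;
        this.minKeyLength = minKeyLength;
        this.securityRequired = securityRequired;
    }

    /** Flushes the report streams; the supplied writer is not closed. */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        flush();
    }

    /**
     * Runs the whole diagnostic sequence.
     *
     * @return true if the login phase completed; false if Hadoop authentication
     *         is SIMPLE and security was not required
     * @throws KerberosDiagsFailure if a check fails
     * @throws Exception any other failure raised by the underlying calls
     */
    public boolean execute() throws Exception {
        title("Kerberos Diagnostics scan at %s", new Date(System.currentTimeMillis()));
        println("Hostname: %s", InetAddress.getLocalHost().getCanonicalHostName());
        validateKeyLength();
        println("JVM Kerberos Login Module = %s", KerberosUtil.getKrb5LoginModuleName());
        printDefaultRealm();

        title("System Properties");
        String[] sysprops = {
            JAVA_SECURITY_KRB5_CONF,
            JAVA_SECURITY_KRB5_REALM,
            SUN_SECURITY_KRB5_DEBUG,
            SUN_SECURITY_SPNEGO_DEBUG,
            SUN_SECURITY_JAAS_FILE,
        };
        for (String name : sysprops) {
            printSysprop(name);
        }

        title("Environment Variables");
        String[] envVars = {
            Constants.HADOOP_JAAS_DEBUG,
            KRB5_CCNAME,
            SliderKeys.HADOOP_USER_NAME,
            SliderKeys.HADOOP_PROXY_USER,
            "HADOOP_TOKEN_FILE_LOCATION",
        };
        for (String name : envVars) {
            printEnv(name);
        }

        String[] confOptions = {
            KERBEROS_KINIT_COMMAND,
            "hadoop.security.authentication",
            "hadoop.security.authorization",
            "hadoop.kerberos.min.seconds.before.relogin",
            "hadoop.security.dns.interface",
            "hadoop.security.dns.nameserver",
            "hadoop.rpc.protection",
            "hadoop.security.saslproperties.resolver.class",
            "hadoop.security.crypto.codec.classes",
            "hadoop.security.group.mapping",
            "hadoop.security.impersonation.provider.class",
            "dfs.data.transfer.protection",
        };
        for (String key : confOptions) {
            printConfOpt(key);
        }

        if (SecurityUtil.getAuthenticationMethod(this.conf).equals(UserGroupInformation.AuthenticationMethod.SIMPLE)) {
            println(HADOOP_AUTHENTICATION_IS_DISABLED);
            failif(this.securityRequired, CAT_CONFIG, HADOOP_AUTHENTICATION_IS_DISABLED);
            return false;
        }

        validateKrb5File();
        validateSasl("hadoop.security.saslproperties.resolver.class");
        validateSasl("dfs.data.transfer.saslproperties.resolver.class");
        validateKinitExecutable();
        validateJAAS();

        // Turn JVM Kerberos/SPNEGO debugging on for the login attempt only and
        // put the previous settings back on every exit path.
        boolean krb5Debug = getAndSet(SUN_SECURITY_KRB5_DEBUG);
        boolean spnegoDebug = getAndSet(SUN_SECURITY_SPNEGO_DEBUG);
        try {
            title("Logging in");
            if (this.keytab != null) {
                dumpKeytab(this.keytab);
                loginFromKeytab();
            } else {
                UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
                dumpUGI("Log in user", loginUser);
                validateUGI("Login user", loginUser);
                println("Ticket based login: %b", Boolean.valueOf(UserGroupInformation.isLoginTicketBased()));
                println("Keytab based login: %b", Boolean.valueOf(UserGroupInformation.isLoginKeytabBased()));
            }
            return true;
        } finally {
            System.setProperty(SUN_SECURITY_KRB5_DEBUG, Boolean.toString(krb5Debug));
            System.setProperty(SUN_SECURITY_SPNEGO_DEBUG, Boolean.toString(spnegoDebug));
        }
    }

    /**
     * Fails if the JVM's maximum allowed AES key length is below the configured minimum.
     *
     * @throws NoSuchAlgorithmException if the JVM has no AES cipher
     * @throws KerberosDiagsFailure if the allowed key length is too short
     */
    protected void validateKeyLength() throws NoSuchAlgorithmException {
        int maxAllowed = Cipher.getMaxAllowedKeyLength("AES");
        println("Maximum AES encryption key length %d bits", Integer.valueOf(maxAllowed));
        failif(((long) maxAllowed) < this.minKeyLength, CAT_JVM,
                "Java Cryptography Extensions are not installed on this JVM. Maximum supported key length %s - minimum required %d",
                Integer.valueOf(maxAllowed), Long.valueOf(this.minKeyLength));
    }

    /**
     * Prints the default realm. A missing default realm is reported, not failed;
     * an inability to invoke the lookup reflectively is a {@code JVM} failure.
     */
    protected void printDefaultRealm() {
        try {
            println("Default Realm = %s", KerberosUtil.getDefaultRealm());
        } catch (ClassNotFoundException | IllegalAccessException | NoSuchMethodException e) {
            throw new KerberosDiagsFailure(CAT_JVM, e, "Failed to invoke krb5.Config.getDefaultRealm: %s", e);
        } catch (InvocationTargetException e) {
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            if (cause.toString().contains(NO_DEFAULT_REALM)) {
                println("Host has no default realm");
                LOG.debug(cause.toString(), cause);
            } else {
                println("Kerberos.getDefaultRealm() failed: %s\n%s", cause, StringUtils.stringifyException(cause));
            }
        }
    }

    /**
     * Locates the Kerberos configuration file, fails if it is missing and prints
     * its contents. Skipped on Windows.
     *
     * <p>The path is {@code /etc/krb5.conf} unless the
     * {@code java.security.krb5.conf} system property overrides it.
     */
    private void validateKrb5File() throws IOException {
        if (Shell.WINDOWS) {
            return;
        }
        title("Locating Kerberos configuration file");
        String krbPath = "/etc/krb5.conf";
        String jvmKrbPath = System.getProperty(JAVA_SECURITY_KRB5_CONF);
        if (jvmKrbPath != null) {
            println("Setting kerberos path from sysprop %s: %s", JAVA_SECURITY_KRB5_CONF, jvmKrbPath);
            krbPath = jvmKrbPath;
        }
        // KRB5CCNAME names the credential (ticket) cache, not krb5.conf. It must
        // never be used as the configuration path: doing so validated the wrong
        // file and sent the cache's contents through dump() into the report.
        String credentialCache = System.getenv(KRB5_CCNAME);
        if (credentialCache != null) {
            println("%s = \"%s\" (credential cache; not used as the Kerberos configuration file)",
                    KRB5_CCNAME, credentialCache);
        }
        File krbFile = new File(krbPath);
        println("Kerberos configuration file = %s", krbFile);
        failif(!krbFile.exists(), CAT_KERBEROS, "Kerberos configuration file %s not found", krbFile);
        dump(krbFile);
    }

    /**
     * Checks that the keytab exists and is a regular file, then lists the
     * principal names it holds. Only names are printed, never key material.
     *
     * @param file keytab to examine
     * @throws IOException on a failure to resolve or read the keytab
     * @throws KerberosDiagsFailure if the keytab is missing or not a file
     */
    public void dumpKeytab(File file) throws IOException {
        title("Examining keytab %s", file);
        File canonical = file.getCanonicalFile();
        failif(!canonical.exists(), CAT_CONFIG, "Keytab not found: %s", canonical);
        failif(!canonical.isFile(), CAT_CONFIG, "Keytab is not a valid file: %s", canonical);
        String[] principals = KerberosUtil.getPrincipalNames(canonical.getPath(), Pattern.compile(".*"));
        println("keytab entry count: %d", Integer.valueOf(principals.length));
        for (String name : principals) {
            println("    %s", name);
        }
        println("-----");
    }

    /**
     * Logs in from the configured keytab and principal, reports the resulting
     * UGI, then forces a relogin from the same keytab.
     */
    private void loginFromKeytab() throws IOException {
        if (this.keytab == null) {
            println("No keytab: logging is as current user");
            return;
        }
        File canonical = this.keytab.getCanonicalFile();
        println("Using keytab %s principal %s", canonical, this.principal);
        failif(org.apache.commons.lang.StringUtils.isEmpty(this.principal), CAT_KERBEROS, "No principal defined");
        UserGroupInformation ugi =
                UserGroupInformation.loginUserFromKeytabAndReturnUGI(this.principal, canonical.getPath());
        dumpUGI(this.principal, ugi);
        validateUGI(this.principal, ugi);
        title("Attempting to log in from keytab again");
        // NOTE(review): this flips a static, test-oriented switch on
        // UserGroupInformation and nothing here switches it back, so it stays set
        // for the rest of the JVM's life. Acceptable for a one-shot diagnostic
        // process; confirm before calling this from a long-running service.
        UserGroupInformation.setShouldRenewImmediatelyForTests(true);
        ugi.reloginFromKeytab();
    }

    /**
     * Prints a summary of a UGI: authentication methods, group names, the
     * entries of its secret-key list and its tokens. The values behind the
     * secret-key entries are not looked up.
     */
    private void dumpUGI(String heading, UserGroupInformation ugi) throws IOException {
        title(heading);
        println("UGI instance = %s", ugi);
        println("Has kerberos credentials: %b", Boolean.valueOf(ugi.hasKerberosCredentials()));
        println("Authentication method: %s", ugi.getAuthenticationMethod());
        println("Real Authentication method: %s", ugi.getRealAuthenticationMethod());
        title("Group names");
        for (String group : ugi.getGroupNames()) {
            // Unformatted println: a '%' in a group name must not be read as a pattern.
            println(group);
        }
        title("Credentials");
        List<Text> secretKeys = ugi.getCredentials().getAllSecretKeys();
        title("Secret keys");
        if (secretKeys.isEmpty()) {
            println("(none)");
        } else {
            for (Text alias : secretKeys) {
                println("%s", alias);
            }
        }
        dumpTokens(ugi);
    }

    /** Fails with category {@code LOGIN} if the UGI lacks Kerberos credentials or an authentication method. */
    private void validateUGI(String label, UserGroupInformation ugi) {
        failif(!ugi.hasKerberosCredentials(), CAT_LOGIN, "%s: No kerberos credentials for %s", label, ugi);
        failif(ugi.getAuthenticationMethod() == null, CAT_LOGIN, "%s: Null AuthenticationMethod for %s", label, ugi);
    }

    /**
     * Checks the configured kinit command. An absolute path must exist, be a file
     * and be non-empty; a relative one is only reported together with PATH.
     */
    private void validateKinitExecutable() {
        // NOTE(review): SliderKeys.DEFAULT_GC_OPTS is presumably the empty string,
        // substituted by the decompiler for a "" literal - confirm.
        String kinit = this.conf.getTrimmed(KERBEROS_KINIT_COMMAND, SliderKeys.DEFAULT_GC_OPTS);
        if (kinit.isEmpty()) {
            return;
        }
        File kinitPath = new File(kinit);
        println("%s = %s", KERBEROS_KINIT_COMMAND, kinitPath);
        if (kinitPath.isAbsolute()) {
            failif(!kinitPath.exists(), CAT_KERBEROS, "%s executable does not exist: %s", KERBEROS_KINIT_COMMAND, kinitPath);
            failif(!kinitPath.isFile(), CAT_KERBEROS, "%s path does not refer to a file: %s", KERBEROS_KINIT_COMMAND, kinitPath);
            failif(kinitPath.length() == 0, CAT_KERBEROS, "%s file is empty: %s", KERBEROS_KINIT_COMMAND, kinitPath);
        } else {
            println("Executable %s is relative -must be on the PATH", kinit);
            printEnv("PATH");
        }
    }

    /**
     * Resolves the SASL properties resolver class named by a configuration key.
     *
     * @throws KerberosDiagsFailure with category {@code SASL} if the class cannot be loaded
     */
    private void validateSasl(String saslPropsResolverKey) {
        title("Resolving SASL property %s", saslPropsResolverKey);
        String configured = this.conf.getTrimmed(saslPropsResolverKey);
        try {
            println("Resolver is %s",
                    this.conf.getClass(saslPropsResolverKey, SaslPropertiesResolver.class, SaslPropertiesResolver.class));
        } catch (RuntimeException e) {
            throw new KerberosDiagsFailure(CAT_SASL, e, "Failed to load %s class %s", saslPropsResolverKey, configured);
        }
    }

    /** If a JAAS file is named by system property, fails unless it exists and is a regular file. */
    private void validateJAAS() {
        String jaasFilename = System.getProperty(SUN_SECURITY_JAAS_FILE);
        if (jaasFilename == null) {
            return;
        }
        title(CAT_JAAS);
        File jaasFile = new File(jaasFilename);
        println("JAAS file is defined in %s: %s", SUN_SECURITY_JAAS_FILE, jaasFile);
        failif(!jaasFile.exists(), CAT_JAAS, "JAAS file does not exist: %s", jaasFile);
        failif(!jaasFile.isFile(), CAT_JAAS, "Specified JAAS file is not a file: %s", jaasFile);
    }

    /**
     * Prints the number of tokens held by the UGI and the kind of each one.
     * Only {@code getKind()} is printed, not the token itself.
     *
     * @param userGroupInformation UGI whose credentials are listed
     */
    public void dumpTokens(UserGroupInformation userGroupInformation) {
        Collection<? extends Token<?>> tokens = userGroupInformation.getCredentials().getAllTokens();
        title("Token Count: %d", Integer.valueOf(tokens.size()));
        for (Token<?> token : tokens) {
            println("Token %s", token.getKind());
        }
    }

    /**
     * Sets a boolean system property to "true".
     *
     * @return the property's previous boolean value, for later restoration
     */
    private boolean getAndSet(String sysprop) {
        boolean previous = Boolean.getBoolean(sysprop);
        System.setProperty(sysprop, "true");
        return previous;
    }

    /** Flushes the report writer (or stdout when there is none) and stderr. */
    private void flush() {
        if (this.out != null) {
            this.out.flush();
        } else {
            System.out.flush();
        }
        System.err.flush();
    }

    /**
     * Formats and prints one report line.
     *
     * @param str    {@link String#format} pattern
     * @param objArr arguments for the pattern
     */
    @VisibleForTesting
    public void println(String str, Object... objArr) {
        println(format(str, objArr));
    }

    /**
     * Prints one line verbatim, flushing before and after so that report lines
     * stay ordered relative to anything else written to stdout/stderr.
     */
    @VisibleForTesting
    private void println(String line) {
        flush();
        if (this.out != null) {
            this.out.println(line);
        } else {
            LOG.info(line);
        }
        flush();
    }

    /** Prints a section heading of the form {@code == text ==} with spacer lines around it. */
    private void title(String pattern, Object... args) {
        // NOTE(review): SliderKeys.DEFAULT_GC_OPTS is presumably "" (a decompiler
        // substitution), making these spacer lines - confirm.
        println(SliderKeys.DEFAULT_GC_OPTS);
        println(SliderKeys.DEFAULT_GC_OPTS);
        println("== " + format(pattern, args) + " ==");
        println(SliderKeys.DEFAULT_GC_OPTS);
    }

    /** Prints a system property, or {@link #UNSET} if it has no value. */
    private void printSysprop(String property) {
        println("%s = \"%s\"", property, System.getProperty(property, UNSET));
    }

    /** Prints a configuration option, or {@link #UNSET} if it has no value. */
    private void printConfOpt(String option) {
        println("%s = \"%s\"", option, this.conf.get(option, UNSET));
    }

    /** Prints an environment variable, or {@link #UNSET} if it is not defined. */
    private void printEnv(String variable) {
        String value = System.getenv(variable);
        println("%s = \"%s\"", variable, value != null ? value : UNSET);
    }

    /**
     * Prints every line of a text file to the report.
     *
     * <p>The file's contents are copied verbatim, so call this only on files
     * that are safe to disclose in a diagnostic report (never a keytab or a
     * credential cache).
     *
     * @param file file to print
     * @throws IOException if the file cannot be opened or read
     */
    public void dump(File file) throws IOException {
        // try-with-resources closes the stream on every path, including when a
        // read fails part-way through.
        try (FileInputStream in = new FileInputStream(file)) {
            for (String line : IOUtils.readLines(in)) {
                println("%s", line);
            }
        }
        println(SliderKeys.DEFAULT_GC_OPTS);
    }

    /** Unconditionally throws a {@link KerberosDiagsFailure} built from the arguments. */
    private void fail(String category, String message, Object... args) throws KerberosDiagsFailure {
        throw new KerberosDiagsFailure(category, message, args);
    }

    /** Throws a {@link KerberosDiagsFailure} when {@code condition} is true; otherwise does nothing. */
    private void failif(boolean condition, String category, String message, Object... args) throws KerberosDiagsFailure {
        if (condition) {
            fail(category, message, args);
        }
    }

    /**
     * Formats a message. With no arguments the pattern is returned untouched, so
     * a literal '%' in an argument-free message is safe.
     *
     * @param str    pattern, or the literal message when there are no arguments
     * @param objArr arguments; may be empty or null
     * @return the formatted text
     */
    public static String format(String str, Object... objArr) {
        if (objArr == null || objArr.length == 0) {
            return str;
        }
        return String.format(str, objArr);
    }
}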
