package com.facebook.presto.hive.authentication;

import com.facebook.presto.hive.ForHiveMetastore;
import com.facebook.presto.hive.HiveClientConfig;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.inject.Inject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import org.apache.hadoop.fs.s3a.s3guard.S3GuardTool;
import org.apache.hadoop.hive.thrift.client.TUGIAssumingTransport;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TTransport;

/* loaded from: input_file:com/facebook/presto/hive/authentication/KerberosHiveMetastoreAuthentication.class */
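/**
 * Wraps a raw Thrift transport to the Hive metastore in a SASL client transport.
 *
 * <p>When a delegation token string is supplied, the token is used as the SASL credential
 * (Hadoop's {@code TOKEN} mechanism); otherwise the Kerberos credentials held by the injected
 * {@link HadoopAuthentication} are used against the configured metastore service principal.
 *
 * <p>Decompiler artifact: the original code used the literal {@code "auth"} for the SASL
 * quality of protection; the decompiler resolved it to an unrelated hadoop-aws constant
 * ({@code S3GuardTool.BucketInfo.AUTH_FLAG}), which is why that import is present. The
 * literal is restored here so the class no longer depends on hadoop-aws.
 */
public class KerberosHiveMetastoreAuthentication implements HiveMetastoreAuthentication {
    /** SASL quality of protection: authentication only, no message integrity or confidentiality. */
    private static final String QOP_AUTH = "auth";
    /** SASL quality of protection: authentication plus message integrity and confidentiality. */
    private static final String QOP_AUTH_CONF = "auth-conf";
    /** SASL property naming the requested quality of protection. */
    private static final String SASL_QOP = "javax.security.sasl.qop";
    /** SASL property that, when {@code "true"}, requires the server to authenticate to the client too. */
    private static final String SASL_SERVER_AUTH = "javax.security.sasl.server.authentication";

    /**
     * SASL properties for the delegation-token path.
     *
     * <p>NOTE(review): this path always requests {@code auth} (no confidentiality); only the
     * Kerberos path below honours {@code hdfsWireEncryptionEnabled}. Confirm that is intended.
     */
    private static final Map<String, String> SASL_PROPERTIES = ImmutableMap.of(
            SASL_QOP, QOP_AUTH,
            SASL_SERVER_AUTH, "true");

    private final String hiveMetastoreServicePrincipal;
    private final HadoopAuthentication authentication;
    /** When true, the Kerberos SASL negotiation asks for {@code auth-conf} instead of {@code auth}. */
    private final boolean hdfsWireEncryptionEnabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/facebook/presto/hive/authentication/KerberosHiveMetastoreAuthentication$SaslClientCallbackHandler.class */
    /**
     * Answers the SASL client's callbacks from a Hadoop delegation token: the base64-encoded
     * token identifier is the SASL user name and the base64-encoded token password is the SASL
     * password. Realm callbacks are answered with the default realm; realm-choice callbacks are
     * deliberately left untouched.
     *
     * <p>The decompiler reports this class was originally {@code private}; it is kept
     * {@code public} so the decompiled surface is unchanged.
     */
    public static class SaslClientCallbackHandler implements CallbackHandler {
        private final String userName;
        // NOTE(review): PasswordCallback.setPassword copies the array, so this field keeps the
        // encoded token password in memory for the handler's whole lifetime and is never cleared.
        private final char[] userPassword;

        /**
         * @param token the delegation token whose identifier and password become the SASL credentials
         * @throws NullPointerException if {@code token} is null
         */
        public SaslClientCallbackHandler(Token<? extends TokenIdentifier> token) {
            Objects.requireNonNull(token, "token is null");
            this.userName = encodeIdentifier(token.getIdentifier());
            this.userPassword = encodePassword(token.getPassword());
        }

        /**
         * Fills in name, password and realm callbacks; ignores realm-choice callbacks.
         *
         * @throws UnsupportedCallbackException for any other callback type
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(userName);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(userPassword);
                } else if (callback instanceof RealmCallback) {
                    RealmCallback realmCallback = (RealmCallback) callback;
                    realmCallback.setText(realmCallback.getDefaultText());
                } else if (!(callback instanceof RealmChoiceCallback)) {
                    // RealmChoiceCallback is intentionally skipped; anything else is unexpected.
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL client callback");
                }
            }
        }

        /** Base64-encodes the token identifier for use as the SASL user name. */
        private static String encodeIdentifier(byte[] identifier) {
            return Base64.getEncoder().encodeToString(identifier);
        }

        /** Base64-encodes the token password for use as the SASL password. */
        private static char[] encodePassword(byte[] password) {
            return encodeIdentifier(password).toCharArray();
        }
    }

    /**
     * Guice entry point: reads the metastore service principal and the wire-encryption flag
     * from configuration.
     */
    @Inject
    public KerberosHiveMetastoreAuthentication(MetastoreKerberosConfig metastoreKerberosConfig, @ForHiveMetastore HadoopAuthentication hadoopAuthentication, HiveClientConfig hiveClientConfig) {
        this(metastoreKerberosConfig.getHiveMetastoreServicePrincipal(), hadoopAuthentication, hiveClientConfig.isHdfsWireEncryptionEnabled());
    }

    /**
     * @param hiveMetastoreServicePrincipal the metastore's Kerberos service principal (may contain a host placeholder)
     * @param hadoopAuthentication source of the client's Kerberos {@code UserGroupInformation}
     * @param hdfsWireEncryptionEnabled whether to request {@code auth-conf} on the Kerberos path
     * @throws NullPointerException if the principal or authentication is null
     */
    public KerberosHiveMetastoreAuthentication(String hiveMetastoreServicePrincipal, HadoopAuthentication hadoopAuthentication, boolean hdfsWireEncryptionEnabled) {
        this.hiveMetastoreServicePrincipal = Objects.requireNonNull(hiveMetastoreServicePrincipal, "hiveMetastoreServicePrincipal is null");
        this.authentication = Objects.requireNonNull(hadoopAuthentication, "authentication is null");
        this.hdfsWireEncryptionEnabled = hdfsWireEncryptionEnabled;
    }

    /**
     * Wraps {@code rawTransport} in an authenticated SASL transport.
     *
     * @param rawTransport the unauthenticated transport to the metastore
     * @param hiveMetastoreHost host name used to resolve the service principal on the Kerberos path
     * @param delegationToken URL-encoded delegation token; when present it is used instead of Kerberos
     */
    @Override // com.facebook.presto.hive.authentication.HiveMetastoreAuthentication
    public TTransport authenticate(TTransport rawTransport, String hiveMetastoreHost, Optional<String> delegationToken) {
        return delegationToken
                .map(tokenString -> authenticateWithToken(rawTransport, tokenString))
                .orElseGet(() -> authenticateWithHost(rawTransport, hiveMetastoreHost));
    }

    /**
     * Token path: decodes the delegation token and negotiates Hadoop's {@code TOKEN} SASL
     * mechanism with the current user's UGI.
     *
     * @throws UncheckedIOException if the token cannot be decoded or the current user cannot be determined
     */
    private TTransport authenticateWithToken(TTransport rawTransport, String tokenString) {
        try {
            Token<TokenIdentifier> token = new Token<>();
            token.decodeFromUrlString(tokenString);
            TTransport saslTransport = new TSaslClientTransport(
                    SaslRpcServer.AuthMethod.TOKEN.getMechanismName(),
                    null,       // authorization id
                    null,       // protocol
                    "default",  // server name
                    SASL_PROPERTIES,
                    new SaslClientCallbackHandler(token),
                    rawTransport);
            return new TUGIAssumingTransport(saslTransport, UserGroupInformation.getCurrentUser());
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    /**
     * Kerberos path: resolves the service principal for the metastore host, requires it to have
     * the {@code service/host@REALM} shape, and negotiates the Kerberos SASL mechanism with the
     * configured client UGI.
     *
     * @throws IllegalStateException if the resolved principal has no host part
     * @throws UncheckedIOException if the principal or the client UGI cannot be obtained
     */
    private TTransport authenticateWithHost(TTransport rawTransport, String hiveMetastoreHost) {
        try {
            // Resolves the configured principal for this host (e.g. substituting a host placeholder).
            String serverPrincipal = SecurityUtil.getServerPrincipal(hiveMetastoreServicePrincipal, hiveMetastoreHost);
            String[] principalParts = SaslRpcServer.splitKerberosName(serverPrincipal);
            // The host part is what binds the service ticket to this specific metastore.
            Preconditions.checkState(principalParts.length == 3, "Kerberos principal name does NOT have the expected hostname part: %s", serverPrincipal);

            Map<String, String> saslProperties = ImmutableMap.of(
                    SASL_QOP, hdfsWireEncryptionEnabled ? QOP_AUTH_CONF : QOP_AUTH,
                    SASL_SERVER_AUTH, "true");
            TTransport saslTransport = new TSaslClientTransport(
                    SaslRpcServer.AuthMethod.KERBEROS.getMechanismName(),
                    null,               // authorization id
                    principalParts[0],  // service name
                    principalParts[1],  // host name
                    saslProperties,
                    null,               // no callback handler: credentials come from the UGI
                    rawTransport);
            return new TUGIAssumingTransport(saslTransport, authentication.getUserGroupInformation());
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }
}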
