package org.apache.zookeeper;

import java.util.Date;
import java.util.Random;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.security.UGIExceptionMessages;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.common.Time;
import org.apache.zookeeper.common.ZKConfig;
import org.apache.zookeeper.server.ZooKeeperSaslServer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:META-INF/bundled-dependencies/zookeeper-3.6.3.1.jar:org/apache/zookeeper/Login.class
 */
/* loaded from: input_file:META-INF/bundled-dependencies/zookeeper-3.5.7.jar:org/apache/zookeeper/Login.class */
public class Login {
    private static final String KINIT_COMMAND_DEFAULT = "/usr/bin/kinit";
    public CallbackHandler callbackHandler;
    private static final float TICKET_RENEW_WINDOW = 0.8f;
    private static final float TICKET_RENEW_JITTER = 0.05f;
    private static final long MIN_TIME_BEFORE_RELOGIN = 60000;
    private Subject subject;
    private Thread t;
    private boolean isKrbTicket;
    private boolean isUsingTicketCache;
    private LoginContext login;
    private String loginContextName;
    private String principal;
    private long lastLogin = Time.currentElapsedTime() - 60000;
    private final ZKConfig zkConfig;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) Login.class);
    private static Random rng = new Random();

    public Login(String str, CallbackHandler callbackHandler, final ZKConfig zKConfig) throws LoginException {
        this.subject = null;
        this.t = null;
        this.isKrbTicket = false;
        this.isUsingTicketCache = false;
        this.login = null;
        this.loginContextName = null;
        this.principal = null;
        this.zkConfig = zKConfig;
        this.callbackHandler = callbackHandler;
        this.login = login(str);
        this.loginContextName = str;
        this.subject = this.login.getSubject();
        this.isKrbTicket = !this.subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
        AppConfigurationEntry[] appConfigurationEntry = Configuration.getConfiguration().getAppConfigurationEntry(str);
        if (0 < appConfigurationEntry.length) {
            AppConfigurationEntry appConfigurationEntry2 = appConfigurationEntry[0];
            if (appConfigurationEntry2.getOptions().get("useTicketCache") != null && ((String) appConfigurationEntry2.getOptions().get("useTicketCache")).equals("true")) {
                this.isUsingTicketCache = true;
            }
            if (appConfigurationEntry2.getOptions().get("principal") != null) {
                this.principal = (String) appConfigurationEntry2.getOptions().get("principal");
            }
        }
        if (this.isKrbTicket) {
            this.t = new Thread(new Runnable() { // from class: org.apache.zookeeper.Login.1
                @Override // java.lang.Runnable
                public void run() {
                    long j;
                    Date date;
                    Login.LOG.info("TGT refresh thread started.");
                    while (true) {
                        KerberosTicket tgt = Login.this.getTGT();
                        long currentWallTime = Time.currentWallTime();
                        if (tgt == null) {
                            j = currentWallTime + 60000;
                            date = new Date(j);
                            Login.LOG.warn("No TGT found: will try again at {}", date);
                        } else {
                            long refreshTime = Login.this.getRefreshTime(tgt);
                            long time = tgt.getEndTime().getTime();
                            Date date2 = new Date(time);
                            if (Login.this.isUsingTicketCache && tgt.getEndTime().equals(tgt.getRenewTill())) {
                                Login.LOG.error("The TGT cannot be renewed beyond the next expiry date: {}.This process will not be able to authenticate new SASL connections after that time (for example, it will not be authenticate a new connection with a Zookeeper Quorum member).  Ask your system administrator to either increase the 'renew until' time by doing : 'modprinc -maxrenewlife {}' within kadmin, or instead, to generate a keytab for {}. Because the TGT's expiry cannot be further extended by refreshing, exiting refresh thread now.", date2, Login.this.principal, Login.this.principal);
                                return;
                            }
                            if (refreshTime > time || currentWallTime + 60000 > time) {
                                j = currentWallTime;
                            } else {
                                if (refreshTime < currentWallTime + 60000) {
                                    Login.LOG.warn("TGT refresh thread time adjusted from : {} to : {} since the former is sooner than the minimum refresh interval ({} seconds) from now.", new Date(refreshTime), new Date(currentWallTime + 60000), 60L);
                                }
                                j = Math.max(refreshTime, currentWallTime + 60000);
                            }
                            date = new Date(j);
                            if (j > time) {
                                Login.LOG.error("next refresh: {} is later than expiry {}. This may indicate a clock skew problem. Check that this host and the KDC's hosts' clocks are in sync. Exiting refresh thread.", date, date2);
                                return;
                            }
                        }
                        if (currentWallTime == j) {
                            Login.LOG.info("refreshing now because expiry is before next scheduled refresh time.");
                        } else {
                            if (currentWallTime >= j) {
                                Login.LOG.error("nextRefresh:{} is in the past: exiting refresh thread. Check clock sync between this host and KDC - (KDC's clock is likely ahead of this host). Manual intervention will be required for this client to successfully authenticate. Exiting refresh thread.", date);
                                return;
                            }
                            Login.LOG.info("TGT refresh sleeping until: {}", new Date(j).toString());
                            try {
                                Thread.sleep(j - currentWallTime);
                            } catch (InterruptedException e) {
                                Login.LOG.warn("TGT renewal thread has been interrupted and will exit.");
                                return;
                            }
                        }
                        if (Login.this.isUsingTicketCache) {
                            String property = zKConfig.getProperty(ZKConfig.KINIT_COMMAND, "/usr/bin/kinit");
                            int i = 1;
                            while (i >= 0) {
                                try {
                                    Login.LOG.debug("running ticket cache refresh command: {} {}", property, "-R");
                                    Shell.execCommand(property, "-R");
                                    break;
                                } catch (Exception e2) {
                                    if (i <= 0) {
                                        Login.LOG.warn("Could not renew TGT due to problem running shell command: '{} {}'; exception was:{}. Exiting refresh thread.", property, "-R", e2.toString(), e2);
                                        return;
                                    }
                                    i--;
                                    try {
                                        Thread.sleep(10000L);
                                    } catch (InterruptedException e3) {
                                        Login.LOG.error("Interrupted while renewing TGT, exiting Login thread");
                                        return;
                                    }
                                }
                            }
                        }
                        int i2 = 1;
                        while (i2 >= 0) {
                            try {
                                try {
                                    Login.this.reLogin();
                                    break;
                                } catch (LoginException e4) {
                                    if (i2 > 0) {
                                        i2--;
                                        try {
                                            Thread.sleep(10000L);
                                        } catch (InterruptedException e5) {
                                            Login.LOG.error("Interrupted during login retry after LoginException:", (Throwable) e4);
                                            throw e4;
                                        }
                                    } else {
                                        Login.LOG.error("Could not refresh TGT for principal: {}.", Login.this.principal, e4);
                                    }
                                }
                            } catch (LoginException e6) {
                                Login.LOG.error("Failed to refresh TGT: refresh thread exiting now.", (Throwable) e6);
                                return;
                            }
                        }
                    }
                }
            });
            this.t.setDaemon(true);
        }
    }

    public void startThreadIfNeeded() {
        if (this.t != null) {
            this.t.start();
        }
    }

    public void shutdown() {
        if (this.t == null || !this.t.isAlive()) {
            return;
        }
        this.t.interrupt();
        try {
            this.t.join();
        } catch (InterruptedException e) {
            LOG.warn("error while waiting for Login thread to shutdown: ", (Throwable) e);
        }
    }

    public Subject getSubject() {
        return this.subject;
    }

    public String getLoginContextName() {
        return this.loginContextName;
    }

    private synchronized LoginContext login(String str) throws LoginException {
        if (str == null) {
            throw new LoginException("loginContext name (JAAS file section header) was null. Please check your java.security.login.auth.config (=" + System.getProperty("java.security.login.auth.config") + ") and your " + getLoginContextMessage());
        }
        LoginContext loginContext = new LoginContext(str, this.callbackHandler);
        loginContext.login();
        LOG.info("{} successfully logged in.", str);
        return loginContext;
    }

    private String getLoginContextMessage() {
        return this.zkConfig instanceof ZKClientConfig ? "zookeeper.sasl.clientconfig(=" + this.zkConfig.getProperty("zookeeper.sasl.clientconfig", ZKClientConfig.LOGIN_CONTEXT_NAME_KEY_DEFAULT) + ")" : "zookeeper.sasl.serverconfig(=" + System.getProperty(ZooKeeperSaslServer.LOGIN_CONTEXT_NAME_KEY, "Server") + ")";
    }

    /* JADX INFO: Access modifiers changed from: private */
    public long getRefreshTime(KerberosTicket kerberosTicket) {
        long time = kerberosTicket.getStartTime().getTime();
        long time2 = kerberosTicket.getEndTime().getTime();
        LOG.info("TGT valid starting at:        {}", kerberosTicket.getStartTime().toString());
        LOG.info("TGT expires:                  {}", kerberosTicket.getEndTime().toString());
        long nextDouble = time + ((long) ((time2 - time) * (0.800000011920929d + (0.05000000074505806d * rng.nextDouble()))));
        return nextDouble > time2 ? Time.currentWallTime() : nextDouble;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public synchronized KerberosTicket getTGT() {
        for (KerberosTicket kerberosTicket : this.subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = kerberosTicket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                LOG.debug("Client principal is \"" + kerberosTicket.getClient().getName() + "\".");
                LOG.debug("Server principal is \"" + kerberosTicket.getServer().getName() + "\".");
                return kerberosTicket;
            }
        }
        return null;
    }

    private boolean hasSufficientTimeElapsed() {
        long currentElapsedTime = Time.currentElapsedTime();
        if (currentElapsedTime - getLastLogin() < 60000) {
            LOG.warn("Not attempting to re-login since the last re-login was attempted less than {} seconds before.", (Object) 60L);
            return false;
        }
        setLastLogin(currentElapsedTime);
        return true;
    }

    private LoginContext getLogin() {
        return this.login;
    }

    private void setLogin(LoginContext loginContext) {
        this.login = loginContext;
    }

    private void setLastLogin(long j) {
        this.lastLogin = j;
    }

    private long getLastLogin() {
        return this.lastLogin;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public synchronized void reLogin() throws LoginException {
        if (this.isKrbTicket) {
            LoginContext login = getLogin();
            if (login == null) {
                throw new LoginException(UGIExceptionMessages.MUST_FIRST_LOGIN);
            }
            if (hasSufficientTimeElapsed()) {
                LOG.info("Initiating logout for {}", this.principal);
                synchronized (Login.class) {
                    login.logout();
                    LoginContext loginContext = new LoginContext(this.loginContextName, getSubject());
                    LOG.info("Initiating re-login for {}", this.principal);
                    loginContext.login();
                    setLogin(loginContext);
                }
            }
        }
    }
}
