package org.apache.hive.service.auth;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hive.service.auth.AuthenticationProviderFactory;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.PoolingClientConnectionManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.CoreConnectionPNames;
import org.apache.http.util.EntityUtils;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hive/service/auth/GuardianTokenSaslServer.class */
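/**
 * SASL server side of the {@code GUARDIAN_TOKEN} mechanism.
 *
 * <p>The client's response bytes are treated as an access token. The token is POSTed as
 * {@code {"content": <token>}} to each configured Guardian server (server address + validate API
 * path) until one answers with HTTP 200; the {@code owner} field of that reply becomes the
 * authorization ID of the session.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>The reply from Guardian decides who the caller is, so the channel to Guardian must be
 *       authenticated. Configure {@code https://} addresses; an address without a scheme falls
 *       back to {@code http://}, which sends the bearer token in clear text and lets anything on
 *       the path answer with an arbitrary {@code owner}.</li>
 *   <li>When the token cache is enabled, a successful validation is reused until the cache entry
 *       expires, so a token revoked in Guardian keeps working for up to the configured expiry
 *       time. Keep that expiry short.</li>
 *   <li>The token is a credential: it is never written to the log by this class.</li>
 * </ul>
 */
public class GuardianTokenSaslServer implements SaslServer {
    public static final Logger logger = LoggerFactory.getLogger(GuardianTokenSaslServer.class.getName());
    /** Value passed as {@code http.conn-manager.timeout} (the parameter expects a Long). */
    private static final Long CONN_MANAGER_TIMEOUT = 500L;
    private static HiveConf conf = new HiveConf();
    /** token -> owner; only created when the token cache is enabled in the configuration. */
    private static Cache<String, String> tokenCache;

    static {
        if (conf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER_TOKEN_CACHE_ENABLED)) {
            tokenCache = CacheBuilder.newBuilder()
                    .maximumSize(conf.getIntVar(HiveConf.ConfVars.HIVE_SERVER_TOKEN_CACHE_MAX_SIZE))
                    .expireAfterWrite(conf.getIntVar(HiveConf.ConfVars.HIVE_SERVER_TOKEN_CACHE_EXPIRE_TIME), TimeUnit.MILLISECONDS)
                    .build();
        }
    }

    /** Owner returned by Guardian; {@code null} until a token has been validated. */
    private String user;
    private final String guardianUrl;
    private final String validateApi;
    /** Guardian base URLs, each with an explicit scheme; {@code null} when none is configured. */
    private String[] guardianServers;
    HttpClient httpClient;
    int connectionTimeout;
    int socketTimeout;
    int maxPerRoute;
    int maxTotal;

    /** Factory that hands out {@link GuardianTokenSaslServer} for the GUARDIAN_TOKEN mechanism. */
    public static class SaslGuardianTokenServerFactory implements SaslServerFactory {
        /**
         * Creates the server for the GUARDIAN_TOKEN mechanism.
         *
         * @param str mechanism name requested by the caller
         * @param str2 protocol argument, forwarded to the server constructor
         * @param str3 server name (unused)
         * @param map properties (unused)
         * @param callbackHandler forwarded to the server constructor
         * @return the server, or {@code null} when the mechanism is a different one or the
         *     server could not be constructed
         */
        @Override
        public SaslServer createSaslServer(String str, String str2, String str3, Map<String, ?> map, CallbackHandler callbackHandler) throws SaslException {
            if (!GuardianTokenSaslHelper.GUARDIAN_TOKEN_METHOD.equals(str)) {
                return null;
            }
            try {
                return new GuardianTokenSaslServer(callbackHandler, str2);
            } catch (SaslException e) {
                // Still answer "mechanism not available", but leave a trace: a silent null here
                // makes a misconfigured auth method indistinguishable from an unknown mechanism.
                logger.error("Failed to create Guardian token SASL server", e);
                return null;
            }
        }

        /** @return the single mechanism name served by this factory */
        @Override
        public String[] getMechanismNames(Map<String, ?> map) {
            return new String[]{GuardianTokenSaslHelper.GUARDIAN_TOKEN_METHOD};
        }
    }

    /** JCA provider that registers {@link SaslGuardianTokenServerFactory}. */
    public static class SaslGuardianTokenServerProvider extends Provider {
        public SaslGuardianTokenServerProvider() {
            super("HiveSaslGuardianTokenServer", 1.0d, "Hive Guardian Token SASL server provider");
            put("SaslServerFactory.GUARDIAN_TOKEN", SaslGuardianTokenServerFactory.class.getName());
        }
    }

    /**
     * Reads the Guardian endpoints and REST client limits from the Hive configuration and builds
     * the pooled HTTP client used for token validation.
     *
     * @param callbackHandler not used by this constructor
     * @param str auth method name, checked with {@code AuthMethods.getValidAuthMethod}
     * @throws SaslException declared for the auth method check; NOTE(review): presumably thrown
     *     for an unknown method name, confirm against AuthenticationProviderFactory
     */
    GuardianTokenSaslServer(CallbackHandler callbackHandler, String str) throws SaslException {
        AuthenticationProviderFactory.AuthMethods.getValidAuthMethod(str);
        this.guardianUrl = conf.getVar(HiveConf.ConfVars.HIVE_SERVER_GUARDIAN_URL);
        this.validateApi = conf.getVar(HiveConf.ConfVars.HIVE_SERVER_GUARDIAN_TOKEN_API);
        if (this.guardianUrl != null && !this.guardianUrl.isEmpty()) {
            List<String> servers = new ArrayList<>();
            for (String address : this.guardianUrl.split("\\s+|[,;]")) {
                // "a, b" splits into "a", "", "b"; an empty entry would become the bogus
                // server "http://" and cost one failed request per validation.
                if (address.isEmpty()) {
                    continue;
                }
                if (!address.startsWith("http://") && !address.startsWith("https://")) {
                    // Plain HTTP fallback kept for compatibility. It exposes the token on the
                    // wire; prefer explicit https:// addresses in the configuration.
                    address = "http://" + address;
                }
                servers.add(address);
            }
            this.guardianServers = servers.toArray(new String[0]);
        }
        this.connectionTimeout = conf.getIntVar(HiveConf.ConfVars.HIVE_SERVER_TOKEN_REST_CLIENT_CONNECTION_TIMEOUT);
        this.socketTimeout = conf.getIntVar(HiveConf.ConfVars.HIVE_SERVER_TOKEN_REST_CLIENT_SOCKET_TIMEOUT);
        this.maxPerRoute = conf.getIntVar(HiveConf.ConfVars.HIVE_SERVER_TOKEN_REST_CLIENT_MAX_CONNS_PER_ROUTE);
        this.maxTotal = conf.getIntVar(HiveConf.ConfVars.HIVE_SERVER_TOKEN_REST_CLIENT_MAX_CONNS_TOTAL);
        BasicHttpParams basicHttpParams = new BasicHttpParams();
        basicHttpParams.setParameter(CoreConnectionPNames.CONNECTION_TIMEOUT, Integer.valueOf(this.connectionTimeout));
        basicHttpParams.setParameter(CoreConnectionPNames.SO_TIMEOUT, Integer.valueOf(this.socketTimeout));
        basicHttpParams.setParameter("http.conn-manager.timeout", CONN_MANAGER_TIMEOUT);
        SchemeRegistry schemeRegistry = new SchemeRegistry();
        schemeRegistry.register(new Scheme(HttpHost.DEFAULT_SCHEME_NAME, 80, PlainSocketFactory.getSocketFactory()));
        try {
            SSLContext sslContext = SSLContext.getInstance("TLS");
            // null key/trust managers and randomness select the JVM defaults, so the
            // certificate chain is checked against the default trust store.
            sslContext.init(null, null, null);
            // The certificate must match the Guardian host name. Accepting any host name would
            // let any holder of a trusted certificate impersonate Guardian, capture tokens and
            // return an owner of its choosing.
            schemeRegistry.register(new Scheme("https", 443, new SSLSocketFactory(sslContext, SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER)));
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            logger.error("Failed to register https scheme. Https requests will not work: {}", e.getMessage(), e);
        }
        PoolingClientConnectionManager poolingClientConnectionManager = new PoolingClientConnectionManager(schemeRegistry);
        poolingClientConnectionManager.setDefaultMaxPerRoute(this.maxPerRoute);
        poolingClientConnectionManager.setMaxTotal(this.maxTotal);
        this.httpClient = new DefaultHttpClient(poolingClientConnectionManager, basicHttpParams);
    }

    @Override
    public String getMechanismName() {
        return GuardianTokenSaslHelper.GUARDIAN_TOKEN_METHOD;
    }

    /**
     * Validates the token carried in the client response and records its owner.
     *
     * @param bArr token bytes sent by the client
     * @return always {@code null}; the mechanism sends no challenge back
     * @throws SaslException if no Guardian server is configured, the token is missing, or no
     *     server accepted the token
     */
    @Override
    public byte[] evaluateResponse(byte[] bArr) throws SaslException {
        if (this.guardianServers == null || this.guardianServers.length == 0) {
            throw new SaslException("Guardian address is emtpy");
        }
        if (bArr == null || bArr.length == 0) {
            // Fail here instead of with a NullPointerException or a pointless round trip.
            throw new SaslException("Guardian token is missing");
        }
        // Decode explicitly: the platform default charset differs between hosts.
        this.user = validateToken(new String(bArr, StandardCharsets.UTF_8));
        return null;
    }

    /**
     * Resolves the owner of a token, through the token cache when it is enabled.
     *
     * <p>A cache hit skips the call to Guardian entirely, so revocation is only noticed once
     * the entry has expired.
     */
    private String validateToken(final String str) throws SaslException {
        // tokenCache is only built when the flag was set at class initialisation; guard against
        // the flag being switched on afterwards.
        if (!conf.getBoolVar(HiveConf.ConfVars.HIVE_SERVER_TOKEN_CACHE_ENABLED) || tokenCache == null) {
            return validateTokenInternal(str);
        }
        try {
            return tokenCache.get(str, new Callable<String>() {
                @Override
                public String call() throws Exception {
                    return GuardianTokenSaslServer.this.validateTokenInternal(str);
                }
            });
        } catch (Exception e) {
            // The cache wraps loader failures; hand the original SaslException back to the caller.
            if (e.getCause() instanceof SaslException) {
                throw (SaslException) e.getCause();
            }
            throw new SaslException(e.getMessage(), e);
        }
    }

    /**
     * Asks the configured Guardian servers, in order, who owns the token.
     *
     * <p>Public in this listing; the only caller visible here is {@code validateToken}.
     *
     * @param str the access token
     * @return the non-empty {@code owner} from the first HTTP 200 reply
     * @throws SaslException if no server accepted the token (per-server failures are attached
     *     as suppressed exceptions of the cause) or a JSON document could not be built or read
     */
    public String validateTokenInternal(String str) throws SaslException {
        JSONObject request = new JSONObject();
        Exception failures = new Exception("Error validate Guardian access token");
        String owner = null;
        try {
            request.put("content", str);
            for (String server : this.guardianServers) {
                HttpResponse response;
                String body;
                try {
                    HttpPost httpPost = new HttpPost(server + this.validateApi);
                    httpPost.setEntity(new StringEntity(request.toString()));
                    response = this.httpClient.execute(httpPost);
                    // Reading the body also hands the pooled connection back.
                    body = EntityUtils.toString(response.getEntity());
                } catch (Exception e) {
                    // This server is unreachable or misbehaving: remember why, try the next one.
                    failures.addSuppressed(e);
                    continue;
                }
                if (response.getStatusLine().getStatusCode() == 200) {
                    String candidate = new JSONObject(body).getString("owner");
                    if (candidate != null && !candidate.isEmpty()) {
                        owner = candidate;
                        break;
                    }
                    // An empty owner must not complete the exchange with a blank identity.
                    failures.addSuppressed(new Exception("Token validate Error: empty owner in response"));
                    continue;
                }
                failures.addSuppressed(new Exception("Token validate Error: " + body));
            }
            if (owner == null) {
                throw new SaslException("Cannot validate the Guardian token", failures);
            }
            return owner;
        } catch (JSONException e) {
            throw new SaslException("Invalid token format.", e);
        }
    }

    /** @return {@code true} once a token has been validated and its owner recorded */
    @Override
    public boolean isComplete() {
        return this.user != null;
    }

    /** @return the owner reported by Guardian, or {@code null} before validation */
    @Override
    public String getAuthorizationID() {
        return this.user;
    }

    /** Not supported: the mechanism negotiates no security layer. */
    @Override
    public byte[] unwrap(byte[] bArr, int i, int i2) throws SaslException {
        throw new UnsupportedOperationException();
    }

    /** Not supported: the mechanism negotiates no security layer. */
    @Override
    public byte[] wrap(byte[] bArr, int i, int i2) throws SaslException {
        throw new UnsupportedOperationException();
    }

    @Override
    public Object getNegotiatedProperty(String str) {
        return null;
    }

    /** Releases the connection pool owned by this instance. */
    @Override
    public void dispose() throws SaslException {
        // Every instance builds its own pooled client in the constructor; without a shutdown
        // the pool lingers until it is garbage collected.
        HttpClient client = this.httpClient;
        if (client != null && client.getConnectionManager() != null) {
            client.getConnectionManager().shutdown();
        }
    }
}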
