package org.apache.flink.runtime.security.token.hadoop;

import java.io.IOException;
import java.util.Optional;
import javax.security.auth.Subject;
import org.apache.flink.annotation.Internal;
import org.apache.flink.configuration.Configuration;
import org.apache.flink.runtime.hadoop.HadoopUserUtils;
import org.apache.flink.runtime.security.SecurityConfiguration;
import org.apache.flink.util.Preconditions;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Internal
/* loaded from: input_file:org/apache/flink/runtime/security/token/hadoop/KerberosLoginProvider.class */
public class KerberosLoginProvider {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) KerberosLoginProvider.class);
    private final String principal;
    private final String keytab;
    private final boolean useTicketCache;

    public KerberosLoginProvider(Configuration configuration) {
        Preconditions.checkNotNull(configuration, "Flink configuration must not be null");
        SecurityConfiguration securityConfiguration = new SecurityConfiguration(configuration);
        this.principal = securityConfiguration.getPrincipal();
        this.keytab = securityConfiguration.getKeytab();
        this.useTicketCache = securityConfiguration.useTicketCache();
    }

    public KerberosLoginProvider(SecurityConfiguration securityConfiguration) {
        Preconditions.checkNotNull(securityConfiguration, "Flink security configuration must not be null");
        this.principal = securityConfiguration.getPrincipal();
        this.keytab = securityConfiguration.getKeytab();
        this.useTicketCache = securityConfiguration.useTicketCache();
    }

    public boolean isLoginPossible(boolean z) throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            LOG.debug("Security is NOT enabled");
            return false;
        }
        LOG.debug("Security is enabled");
        if (this.principal != null) {
            LOG.debug("Login from keytab is possible");
            return true;
        }
        if (HadoopUserUtils.isProxyUser(UserGroupInformation.getCurrentUser())) {
            if (z) {
                return true;
            }
            throwProxyUserNotSupported();
        } else if (this.useTicketCache && UserGroupInformation.getCurrentUser().hasKerberosCredentials()) {
            LOG.debug("Login from ticket cache is possible");
            return true;
        }
        LOG.debug("Login is NOT possible");
        return false;
    }

    public void doLogin(boolean z) throws IOException {
        if (this.principal != null) {
            LOG.info("Attempting to login to KDC using principal: {} keytab: {}", this.principal, this.keytab);
            UserGroupInformation.loginUserFromKeytab(this.principal, this.keytab);
            LOG.info("Successfully logged into KDC");
        } else if (!HadoopUserUtils.isProxyUser(UserGroupInformation.getCurrentUser())) {
            LOG.info("Attempting to load user's ticket cache");
            UserGroupInformation.loginUserFromSubject((Subject) null);
            LOG.info("Loaded user's ticket cache successfully");
        } else if (z) {
            LOG.info("Proxy user doesn't need login since it must have credentials already");
        } else {
            throwProxyUserNotSupported();
        }
    }

    public UserGroupInformation doLoginAndReturnUGI() throws IOException {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        if (this.principal != null) {
            LOG.info("Attempting to login to KDC using principal: {} keytab: {}", this.principal, this.keytab);
            UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(this.principal, this.keytab);
            LOG.info("Successfully logged into KDC");
            return loginUserFromKeytabAndReturnUGI;
        }
        if (HadoopUserUtils.isProxyUser(currentUser)) {
            throwProxyUserNotSupported();
            return currentUser;
        }
        LOG.info("Attempting to load user's ticket cache");
        UserGroupInformation uGIFromTicketCache = UserGroupInformation.getUGIFromTicketCache(System.getenv("KRB5CCNAME"), (String) Optional.ofNullable(System.getenv("KRB5PRINCIPAL")).orElse(currentUser.getUserName()));
        LOG.info("Loaded user's ticket cache successfully");
        return uGIFromTicketCache;
    }

    private void throwProxyUserNotSupported() {
        throw new UnsupportedOperationException("Proxy user is not supported");
    }
}
