package org.apache.hadoop.hive.llap.daemon.impl;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hive.llap.security.LlapTokenIdentifier;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/llap/daemon/impl/LlapTokenChecker.class */
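/**
 * Derives the caller's identity from the current {@link UserGroupInformation} (Kerberos
 * credentials and/or LLAP tokens) and checks that identity against a requested user name and
 * application ID.
 *
 * <p>All authorization failures are reported as {@link SecurityException}. When Hadoop security
 * is disabled, the UGI-based entry points perform no checks at all.
 */
public final class LlapTokenChecker {
    private static final Logger LOG = LoggerFactory.getLogger(LlapTokenChecker.class);

    /** Returned by {@link #getTokenInfo} when Hadoop security is disabled: no user, no app ID, no signing. */
    private static final LlapTokenInfo NO_SECURITY = new LlapTokenInfo(null, null, false);

    /** Immutable summary of the identity established from the caller's credentials. */
    public static final class LlapTokenInfo {
        /** Authenticated user name; {@code null} only for the security-disabled placeholder. */
        public final String userName;
        /** Application ID carried by the tokens, or {@code null} if no token specified one. */
        public final String appId;
        /** Whether signing is required for this identity. */
        public final boolean isSigningRequired;

        public LlapTokenInfo(String userName, String appId, boolean isSigningRequired) {
            this.userName = userName;
            this.appId = appId;
            this.isSigningRequired = isSigningRequired;
        }
    }

    /**
     * Builds the {@link LlapTokenInfo} for the current user.
     *
     * @param clusterId if non-null, only LLAP tokens issued for this cluster ID are considered
     * @return the placeholder identity when security is disabled, otherwise the identity derived
     *     from Kerberos credentials and matching LLAP tokens
     * @throws IOException if the current user cannot be determined
     * @throws SecurityException if the caller has neither Kerberos credentials nor a matching
     *     token, or if the credentials disagree on user name or app ID
     */
    public static LlapTokenInfo getTokenInfo(String clusterId) throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return NO_SECURITY;
        }
        UserGroupInformation current = UserGroupInformation.getCurrentUser();
        String kerberosName = current.hasKerberosCredentials() ? current.getShortUserName() : null;
        List<LlapTokenIdentifier> tokens = getLlapTokens(current, clusterId);
        if ((tokens == null || tokens.isEmpty()) && kerberosName == null) {
            throw new SecurityException("No tokens or kerberos for " + current);
        }
        warnMultipleTokens(tokens);
        return getTokenInfoInternal(kerberosName, tokens);
    }

    /**
     * Logs a warning listing every token when more than one LLAP token is present.
     *
     * @param tokens the tokens found for the caller; may be {@code null}
     */
    public static void warnMultipleTokens(List<LlapTokenIdentifier> tokens) {
        if (tokens == null || tokens.size() <= 1) {
            return;
        }
        StringBuilder message = new StringBuilder("Found multiple LLAP tokens: [");
        String separator = "";
        for (LlapTokenIdentifier token : tokens) {
            message.append(separator).append(token);
            separator = ", ";
        }
        LOG.warn(message.append("]").toString());
    }

    /**
     * Collects the LLAP token identifiers held by {@code ugi}.
     *
     * <p>The decompiler widened this method from package-private to public; the visibility is
     * kept so that existing callers in the decompiled tree still compile.
     *
     * @param ugi the user whose token identifiers are inspected
     * @param clusterId if non-null, tokens for any other cluster ID are ignored
     * @return the matching tokens, or {@code null} (never an empty list) when there are none
     */
    public static List<LlapTokenIdentifier> getLlapTokens(UserGroupInformation ugi, String clusterId) {
        List<LlapTokenIdentifier> tokens = null;
        // Iterate as Object and narrow explicitly: the decompiled loop declared the element as
        // LlapTokenIdentifier, which hid the cast that the kind check exists to guard. An
        // identifier of another class is skipped, so it can never count as an LLAP credential.
        for (Object candidate : ugi.getTokenIdentifiers()) {
            if (!(candidate instanceof LlapTokenIdentifier)) {
                continue;
            }
            LlapTokenIdentifier llapId = (LlapTokenIdentifier) candidate;
            if (!LlapTokenIdentifier.KIND_NAME.equals(llapId.getKind())) {
                continue;
            }
            LOG.debug("Token {}", llapId);
            if (clusterId != null && !clusterId.equals(llapId.getClusterId())) {
                continue;
            }
            if (tokens == null) {
                tokens = new ArrayList<>();
            }
            tokens.add(llapId);
        }
        return tokens;
    }

    /**
     * Reconciles the Kerberos name and the LLAP tokens into a single identity.
     *
     * <p>Every token owner must equal the Kerberos name (when present) and every other token
     * owner; every non-empty token app ID must agree with the others. Signing is required if any
     * token requires it, or when the token list is {@code null} (Kerberos-only caller).
     *
     * @param kerberosName short Kerberos user name, or {@code null} without Kerberos credentials
     * @param tokens LLAP tokens of the caller; may be {@code null}
     * @return the reconciled identity
     * @throws SecurityException if no credential is supplied at all, or if the credentials
     *     disagree on user name or app ID
     */
    @VisibleForTesting
    static LlapTokenInfo getTokenInfoInternal(String kerberosName, List<LlapTokenIdentifier> tokens) {
        boolean hasTokens = tokens != null && !tokens.isEmpty();
        assert hasTokens || kerberosName != null;
        // The assert above is compiled out unless the JVM runs with -ea. Without a runtime check,
        // an empty token list plus a null Kerberos name would yield an identity with a null user
        // name, which is indistinguishable from the security-disabled placeholder. Fail closed.
        if (!hasTokens && kerberosName == null) {
            throw new SecurityException("No tokens or kerberos credentials to derive an identity from");
        }
        if (tokens == null) {
            return new LlapTokenInfo(kerberosName, null, true);
        }
        // NOTE(review): an empty (non-null) list with a Kerberos name falls through and returns
        // isSigningRequired == false, unlike the null-list case above. getLlapTokens never returns
        // an empty list, so this only affects direct callers; confirm which value is intended.
        String userName = kerberosName;
        String appId = null;
        boolean isSigningRequired = false;
        for (LlapTokenIdentifier token : tokens) {
            String owner = token.getOwner().toString();
            if (userName != null && !userName.equals(owner)) {
                // The Kerberos suffix is appended only when a Kerberos name exists; the original
                // condition was inverted and printed "... for null" in exactly the wrong case.
                throw new SecurityException("Ambiguous user name from credentials - " + userName
                        + " and " + owner + " from " + token
                        + (kerberosName != null ? "; has kerberos credentials for " + kerberosName : ""));
            }
            userName = owner;
            String tokenAppId = token.getAppId();
            if (!StringUtils.isEmpty(tokenAppId)) {
                if (!StringUtils.isEmpty(appId) && !appId.equals(tokenAppId)) {
                    throw new SecurityException("Ambiguous app ID from credentials - " + appId
                            + " and " + tokenAppId + " from " + token);
                }
                appId = tokenAppId;
            }
            isSigningRequired = isSigningRequired || token.isSigningRequired();
        }
        assert userName != null;
        return new LlapTokenInfo(userName, appId, isSigningRequired);
    }

    /**
     * Checks that the current user may act as {@code userName} for {@code appId}. Does nothing
     * when Hadoop security is disabled.
     *
     * @param clusterId if non-null, only LLAP tokens for this cluster ID are considered
     * @param userName the user being accessed; must not be {@code null} when security is enabled
     * @param appId the application being accessed; {@code null} or blank means "any"
     * @param hint context object, used only in the failure message
     * @throws IOException if the current user cannot be determined
     * @throws SecurityException if neither the Kerberos identity nor any token grants access
     */
    public static void checkPermissions(String clusterId, String userName, String appId, Object hint) throws IOException {
        if (!UserGroupInformation.isSecurityEnabled()) {
            return;
        }
        Preconditions.checkNotNull(userName);
        UserGroupInformation current = UserGroupInformation.getCurrentUser();
        String kerberosName = current.hasKerberosCredentials() ? current.getShortUserName() : null;
        checkPermissionsInternal(kerberosName, getLlapTokens(current, clusterId), userName, appId, hint);
    }

    /**
     * Grants access if the Kerberos name equals {@code userName} and no app ID was requested, or
     * if any token matches per {@link #checkTokenPermissions}; otherwise rejects.
     *
     * @param kerberosName short Kerberos user name, or {@code null}
     * @param tokens LLAP tokens of the caller; may be {@code null}
     * @param userName the user being accessed
     * @param appId the application being accessed; {@code null} is treated as empty
     * @param hint context object, used only in the failure message
     * @throws SecurityException if no credential grants access
     */
    @VisibleForTesting
    static void checkPermissionsInternal(String kerberosName, List<LlapTokenIdentifier> tokens, String userName, String appId, Object hint) {
        String requestedAppId = appId == null ? "" : appId;
        // Kerberos credentials carry no app ID, so they can only satisfy app-agnostic requests.
        if (kerberosName != null && StringUtils.isBlank(requestedAppId) && kerberosName.equals(userName)) {
            return;
        }
        if (tokens != null) {
            for (LlapTokenIdentifier token : tokens) {
                if (checkTokenPermissions(userName, requestedAppId, token.getOwner().toString(), token.getAppId())) {
                    return;
                }
            }
        }
        // NOTE(review): userName and appId are embedded verbatim; if they can carry line breaks,
        // neutralize them wherever this message is logged.
        throw new SecurityException("Unauthorized to access " + userName + ", " + requestedAppId + " (" + hint + ")");
    }

    /**
     * Checks a previously computed identity against the requested user and app ID.
     *
     * <p>A {@code null} {@code userName} is accepted without any comparison; the only guard in
     * that case is an assertion that {@code appId} is empty, which is inactive unless the JVM
     * runs with assertions enabled. Callers must therefore pass {@code null} only when no
     * identity is expected.
     *
     * @param llapTokenInfo the caller's identity, as returned by {@link #getTokenInfo}
     * @param userName the user being accessed, or {@code null} to skip the check
     * @param appId the application being accessed; {@code null} or blank means "any"
     * @param hint context object, used only in the failure message
     * @throws SecurityException if the identity does not match the request
     */
    public static void checkPermissions(LlapTokenInfo llapTokenInfo, String userName, String appId, Object hint) {
        if (userName == null) {
            assert StringUtils.isEmpty(appId);
            return;
        }
        if (!checkTokenPermissions(userName, appId, llapTokenInfo.userName, llapTokenInfo.appId)) {
            throw new SecurityException("Unauthorized to access " + userName + ", " + appId + " (" + hint + ")");
        }
    }

    /**
     * Returns whether a credential for {@code tokenUserName}/{@code tokenAppId} covers the
     * request: the user names must be equal, and the app IDs must be equal unless the requested
     * app ID is blank.
     */
    private static boolean checkTokenPermissions(String userName, String appId, String tokenUserName, String tokenAppId) {
        return userName.equals(tokenUserName) && (StringUtils.isBlank(appId) || appId.equals(tokenAppId));
    }
}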
