package org.apache.uniffle.common.security;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.Callable;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.uniffle.com.google.common.annotations.VisibleForTesting;
import org.apache.uniffle.common.util.JavaUtils;
import org.apache.uniffle.common.util.ThreadUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/uniffle/common/security/HadoopSecurityContext.class */
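/**
 * {@link SecurityContext} backed by a Kerberos keytab login through Hadoop's
 * {@link UserGroupInformation}.
 *
 * <p>The context logs in once from the keytab, re-checks the ticket on a fixed schedule, and runs
 * caller-supplied work either as the login user or as a proxy user created on top of the login
 * user.
 *
 * <p>Security notes for reviewers and callers:
 * <ul>
 *   <li>{@link #runSecured} creates a proxy user for <em>any</em> non-empty name that differs from
 *       the login user's short name; this class does not authorize that name itself.
 *       NOTE(review): whether the impersonation is honoured is presumably decided by the target
 *       Hadoop services' proxy-user rules, so callers should only pass names that were
 *       authenticated upstream.</li>
 *   <li>The proxy-user pool has no eviction: it keeps one entry per distinct user name until
 *       {@link #close()} is called.</li>
 *   <li>The constructor changes JVM-wide state (a system property and the static
 *       {@code UserGroupInformation} configuration).</li>
 * </ul>
 */
public class HadoopSecurityContext implements SecurityContext {
    private static final Logger LOGGER = LoggerFactory.getLogger(HadoopSecurityContext.class);
    private static final String KRB5_CONF_KEY = "java.security.krb5.conf";

    private final UserGroupInformation loginUgi;
    private final ScheduledExecutorService refreshScheduledExecutor;
    // Set to null by close(); volatile so a runSecured() on another thread observes the closed
    // state instead of working with a stale reference.
    private volatile Map<String, UserGroupInformation> proxyUserUgiPool;

    /**
     * Logs in from the keytab and starts the periodic ticket check.
     *
     * @param krb5ConfPath path written to the {@code java.security.krb5.conf} system property;
     *     ignored when null or empty
     * @param keytabFile path of the keytab used for the login; must not be null or empty
     * @param principal Kerberos principal to log in as; must not be null or empty
     * @param refreshIntervalSec delay before the first ticket check and period between checks, in
     *     seconds; zero and negative values are both rejected
     * @throws IllegalArgumentException if {@code keytabFile} or {@code principal} is empty, or
     *     {@code refreshIntervalSec} is not greater than zero
     * @throws Exception if the keytab login fails
     */
    public HadoopSecurityContext(String krb5ConfPath, String keytabFile, String principal, long refreshIntervalSec) throws Exception {
        if (StringUtils.isEmpty(keytabFile)) {
            throw new IllegalArgumentException("KeytabFilePath must be not null or empty");
        }
        if (StringUtils.isEmpty(principal)) {
            throw new IllegalArgumentException("principal must be not null or empty");
        }
        // The check also rejects 0, although the message only mentions negative values.
        if (refreshIntervalSec <= 0) {
            throw new IllegalArgumentException("refreshIntervalSec must be not negative");
        }

        // JVM-wide side effect: every Kerberos client in this process sees this krb5.conf.
        if (StringUtils.isNotEmpty(krb5ConfPath)) {
            System.setProperty(KRB5_CONF_KEY, krb5ConfPath);
        }

        // Configuration(false) skips the default resources, so only the authentication mode set
        // here is applied. setConfiguration is static and therefore replaces the UGI
        // configuration for the whole process, not just for this context.
        Configuration kerberosConf = new Configuration(false);
        kerberosConf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(kerberosConf);

        this.loginUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(principal, keytabFile);
        LOGGER.info("Got Kerberos ticket, keytab [{}], principal [{}], user [{}]",
            keytabFile, principal, this.loginUgi.getShortUserName());

        // Build the pool before the refresh thread is started so all state exists before `this`
        // is handed to another thread.
        this.proxyUserUgiPool = JavaUtils.newConcurrentMap();
        this.refreshScheduledExecutor = ThreadUtils.getDaemonSingleThreadScheduledExecutor("Kerberos-refresh");
        this.refreshScheduledExecutor.scheduleAtFixedRate(
            this::authRefresh, refreshIntervalSec, refreshIntervalSec, TimeUnit.SECONDS);
    }

    /**
     * Periodic task: asks the login UGI to check its TGT and re-login from the keytab.
     *
     * <p>Everything is caught and logged on purpose: a task that throws would have its later
     * executions suppressed by the scheduled executor, which would silently stop the checks.
     * A failure is therefore only visible in the error log.
     */
    private void authRefresh() {
        try {
            LOGGER.info("Renewing kerberos token.");
            this.loginUgi.checkTGTAndReloginFromKeytab();
        } catch (Throwable th) {
            LOGGER.error("Error in token renewal task: ", th);
        }
    }

    /**
     * Runs {@code securedCallable} as {@code user}.
     *
     * <p>If {@code user} equals the login user's short name the work runs as the login user;
     * otherwise it runs as a proxy user layered on the login user, created on first use and then
     * reused from the pool. The name is not validated or authorized here beyond the empty check.
     *
     * @param user name to run as; must not be null or empty
     * @param securedCallable work to execute
     * @return the value returned by {@code securedCallable}
     * @throws IllegalStateException if a proxy user is needed after {@link #close()}
     * @throws Exception if {@code user} is empty, or the work fails
     */
    @Override
    public <T> T runSecured(String user, Callable<T> securedCallable) throws Exception {
        if (StringUtils.isEmpty(user)) {
            throw new Exception("User must be not null or empty");
        }
        if (user.equals(this.loginUgi.getShortUserName())) {
            return executeWithUgiWrapper(this.loginUgi, securedCallable);
        }

        // Read the field once: close() may null it concurrently, which previously surfaced as a
        // bare NullPointerException.
        Map<String, UserGroupInformation> pool = this.proxyUserUgiPool;
        if (pool == null) {
            throw new IllegalStateException("HadoopSecurityContext has been closed");
        }
        UserGroupInformation proxyUgi =
            pool.computeIfAbsent(user, name -> UserGroupInformation.createProxyUser(name, this.loginUgi));
        return executeWithUgiWrapper(proxyUgi, securedCallable);
    }

    /** Returns the short user name of the keytab login user. */
    @Override
    public String getContextLoginUser() {
        return this.loginUgi.getShortUserName();
    }

    /**
     * Executes {@code callable} inside {@code ugi.doAs}.
     *
     * @throws NullPointerException if {@code callable} is null
     */
    private <T> T executeWithUgiWrapper(UserGroupInformation ugi, Callable<T> callable) throws Exception {
        Objects.requireNonNull(callable, "callable");
        // The explicit target type pins the PrivilegedExceptionAction overload of doAs; a bare
        // method reference also fits the PrivilegedAction overload.
        return ugi.doAs((PrivilegedExceptionAction<T>) callable::call);
    }

    /** Exposes the live proxy-user pool for tests; returns null once the context is closed. */
    @VisibleForTesting
    Map<String, UserGroupInformation> getProxyUserUgiPool() {
        return this.proxyUserUgiPool;
    }

    /**
     * Stops scheduling further ticket checks and drops the cached proxy users.
     *
     * <p>{@code shutdown()} does not interrupt a check that is already running. The login UGI is
     * not logged out here.
     */
    @Override
    public void close() throws IOException {
        if (this.refreshScheduledExecutor != null) {
            this.refreshScheduledExecutor.shutdown();
        }
        Map<String, UserGroupInformation> pool = this.proxyUserUgiPool;
        if (pool != null) {
            // Unpublish first so new runSecured() calls fail fast, then empty the map.
            this.proxyUserUgiPool = null;
            pool.clear();
        }
    }
}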
