package com.thinkbiganalytics.nifi.security;

/*-
 * #%L
 * thinkbig-nifi-security-api
 * %%
 * Copyright (C) 2017 ThinkBig Analytics
 * %%
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * 
 *     http://www.apache.org/licenses/LICENSE-2.0
 * 
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 * #L%
 */

import org.apache.hadoop.security.UserGroupInformation;
import org.apache.nifi.logging.ComponentLog;

import java.io.IOException;

/**
 * Periodically attempts to renew the Kerberos user's ticket for the given UGI.
 *
 * This class will attempt to call ugi.checkTGTAndReloginFromKeytab() which
 * will re-login the user if the ticket expired or is close to expiry. Between
 * relogin attempts this thread will sleep for the provided amount of time.
 */
public class KerberosTicketRenewer implements Runnable {

    private final UserGroupInformation ugi;
    private final long renewalPeriod;
    private final ComponentLog logger;

    private volatile boolean stopped = false;

    /**
     * @param ugi           the user to renew the ticket for
     * @param renewalPeriod the amount of time in milliseconds to wait between renewal attempts
     * @param logger        the logger from the component that started the renewer
     */
    public KerberosTicketRenewer(final UserGroupInformation ugi, final long renewalPeriod, final ComponentLog logger) {
        this.ugi = ugi;
        this.renewalPeriod = renewalPeriod;
        this.logger = logger;
    }

    @Override
    public void run() {
        stopped = false;
        while (!stopped) {
            try {
                logger.debug("Invoking renewal attempt for Kerberos ticket");
                // While we run this "frequently", the Hadoop implementation will only perform the login at 80% of ticket lifetime.
                ugi.checkTGTAndReloginFromKeytab();
            } catch (IOException e) {
                logger.error("Failed to renew Kerberos ticket", e);
            }

            // Wait for a bit before checking again.
            try {
                Thread.sleep(renewalPeriod);
            } catch (InterruptedException e) {
                logger.error("Renewal thread interrupted", e);
                Thread.currentThread().interrupt();
                return;
            }
        }
    }

    public void stop() {
        stopped = true;
    }

}