package org.apache.kafka.common.security.authenticator;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.Configuration;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.carbondata.core.constants.CarbonCommonConstants;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.errors.IllegalSaslStateException;
import org.apache.kafka.common.errors.UnsupportedSaslMechanismException;
import org.apache.kafka.common.errors.UnsupportedVersionException;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.network.NetworkReceive;
import org.apache.kafka.common.network.NetworkSend;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.kafka.common.protocol.Errors;
import org.apache.kafka.common.protocol.Protocol;
import org.apache.kafka.common.protocol.types.SchemaException;
import org.apache.kafka.common.requests.AbstractRequest;
import org.apache.kafka.common.requests.AbstractRequestResponse;
import org.apache.kafka.common.requests.ApiVersionsRequest;
import org.apache.kafka.common.requests.ApiVersionsResponse;
import org.apache.kafka.common.requests.RequestHeader;
import org.apache.kafka.common.requests.ResponseHeader;
import org.apache.kafka.common.requests.ResponseSend;
import org.apache.kafka.common.requests.SaslHandshakeRequest;
import org.apache.kafka.common.requests.SaslHandshakeResponse;
import org.apache.kafka.common.security.auth.AuthCallbackHandler;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.PrincipalBuilder;
import org.apache.kafka.common.security.kerberos.KerberosName;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.class */
public class SaslServerAuthenticator implements Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SaslServerAuthenticator.class);
    private final String node;
    private final Subject subject;
    private final KerberosShortNamer kerberosNamer;
    private final int maxReceiveSize;
    private final String host;
    private SaslState saslState = SaslState.GSSAPI_OR_HANDSHAKE_REQUEST;
    private SaslState pendingSaslState = null;
    private SaslServer saslServer;
    private String saslMechanism;
    private AuthCallbackHandler callbackHandler;
    private TransportLayer transportLayer;
    private Set<String> enabledMechanisms;
    private Map<String, ?> configs;
    private NetworkReceive netInBuffer;
    private NetworkSend netOutBuffer;

    /* loaded from: input_file:org/apache/kafka/common/security/authenticator/SaslServerAuthenticator$SaslState.class */
    public enum SaslState {
        GSSAPI_OR_HANDSHAKE_REQUEST,
        HANDSHAKE_REQUEST,
        AUTHENTICATE,
        COMPLETE,
        FAILED
    }

    public SaslServerAuthenticator(String str, Subject subject, KerberosShortNamer kerberosShortNamer, String str2, int i) throws IOException {
        if (subject == null) {
            throw new IllegalArgumentException("subject cannot be null");
        }
        this.node = str;
        this.subject = subject;
        this.kerberosNamer = kerberosShortNamer;
        this.maxReceiveSize = i;
        this.host = str2;
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public void configure(TransportLayer transportLayer, PrincipalBuilder principalBuilder, Map<String, ?> map) {
        this.transportLayer = transportLayer;
        this.configs = map;
        List list = (List) this.configs.get(SaslConfigs.SASL_ENABLED_MECHANISMS);
        if (list == null || list.isEmpty()) {
            throw new IllegalArgumentException("No SASL mechanisms are enabled");
        }
        this.enabledMechanisms = new HashSet(list);
    }

    private void createSaslServer(String str) throws IOException {
        this.saslMechanism = str;
        this.callbackHandler = new SaslServerCallbackHandler(Configuration.getConfiguration(), this.kerberosNamer);
        this.callbackHandler.configure(this.configs, Mode.SERVER, this.subject, this.saslMechanism);
        if (str.equals("GSSAPI")) {
            if (this.subject.getPrincipals().isEmpty()) {
                throw new IllegalArgumentException("subject must have at least one principal");
            }
            this.saslServer = createSaslKerberosServer(this.callbackHandler, this.configs);
        } else {
            try {
                this.saslServer = (SaslServer) Subject.doAs(this.subject, new PrivilegedExceptionAction<SaslServer>() { // from class: org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public SaslServer run() throws SaslException {
                        return Sasl.createSaslServer(SaslServerAuthenticator.this.saslMechanism, CarbonCommonConstants.CARBON_STREAMER_SOURCE_TYPE_DEFAULT, SaslServerAuthenticator.this.host, SaslServerAuthenticator.this.configs, SaslServerAuthenticator.this.callbackHandler);
                    }
                });
            } catch (PrivilegedActionException e) {
                throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e.getCause());
            }
        }
    }

    private SaslServer createSaslKerberosServer(final AuthCallbackHandler authCallbackHandler, final Map<String, ?> map) throws IOException {
        Principal next = this.subject.getPrincipals().iterator().next();
        try {
            KerberosName parse = KerberosName.parse(next.getName());
            final String serviceName = parse.serviceName();
            final String hostName = parse.hostName();
            LOG.debug("Creating SaslServer for {} with mechanism {}", parse, this.saslMechanism);
            if (Boolean.getBoolean("sun.security.jgss.native")) {
                try {
                    GSSManager gSSManager = GSSManager.getInstance();
                    this.subject.getPrivateCredentials().add(gSSManager.createCredential(gSSManager.createName(serviceName + "@" + hostName, GSSName.NT_HOSTBASED_SERVICE), Integer.MAX_VALUE, new Oid("1.2.840.113554.1.2.2"), 2));
                } catch (GSSException e) {
                    LOG.warn("Cannot add private credential to subject; clients authentication may fail", e);
                }
            }
            try {
                return (SaslServer) Subject.doAs(this.subject, new PrivilegedExceptionAction<SaslServer>() { // from class: org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.2
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public SaslServer run() throws SaslException {
                        return Sasl.createSaslServer(SaslServerAuthenticator.this.saslMechanism, serviceName, hostName, map, authCallbackHandler);
                    }
                });
            } catch (PrivilegedActionException e2) {
                throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e2.getCause());
            }
        } catch (IllegalArgumentException e3) {
            throw new KafkaException("Principal has name with unexpected format " + next);
        }
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public void authenticate() throws IOException {
        if (this.netOutBuffer == null || flushNetOutBufferAndUpdateInterestOps()) {
            if (this.saslServer != null && this.saslServer.isComplete()) {
                setSaslState(SaslState.COMPLETE);
                return;
            }
            if (this.netInBuffer == null) {
                this.netInBuffer = new NetworkReceive(this.maxReceiveSize, this.node);
            }
            this.netInBuffer.readFrom(this.transportLayer);
            if (this.netInBuffer.complete()) {
                this.netInBuffer.payload().rewind();
                byte[] bArr = new byte[this.netInBuffer.payload().remaining()];
                this.netInBuffer.payload().get(bArr, 0, bArr.length);
                this.netInBuffer = null;
                try {
                    switch (this.saslState) {
                        case HANDSHAKE_REQUEST:
                            handleKafkaRequest(bArr);
                            break;
                        case GSSAPI_OR_HANDSHAKE_REQUEST:
                            if (handleKafkaRequest(bArr)) {
                                break;
                            }
                        case AUTHENTICATE:
                            byte[] evaluateResponse = this.saslServer.evaluateResponse(bArr);
                            if (evaluateResponse != null) {
                                this.netOutBuffer = new NetworkSend(this.node, ByteBuffer.wrap(evaluateResponse));
                                flushNetOutBufferAndUpdateInterestOps();
                            }
                            if (this.saslServer.isComplete()) {
                                setSaslState(SaslState.COMPLETE);
                                break;
                            }
                            break;
                    }
                } catch (Exception e) {
                    setSaslState(SaslState.FAILED);
                    throw new IOException(e);
                }
            }
        }
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public Principal principal() {
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, this.saslServer.getAuthorizationID());
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public boolean complete() {
        return this.saslState == SaslState.COMPLETE;
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        if (this.saslServer != null) {
            this.saslServer.dispose();
        }
        if (this.callbackHandler != null) {
            this.callbackHandler.close();
        }
    }

    private void setSaslState(SaslState saslState) {
        if (this.netOutBuffer != null && !this.netOutBuffer.completed()) {
            this.pendingSaslState = saslState;
            return;
        }
        this.pendingSaslState = null;
        this.saslState = saslState;
        LOG.debug("Set SASL server state to {}", saslState);
    }

    private boolean flushNetOutBufferAndUpdateInterestOps() throws IOException {
        boolean flushNetOutBuffer = flushNetOutBuffer();
        if (flushNetOutBuffer) {
            this.transportLayer.removeInterestOps(4);
            if (this.pendingSaslState != null) {
                setSaslState(this.pendingSaslState);
            }
        } else {
            this.transportLayer.addInterestOps(4);
        }
        return flushNetOutBuffer;
    }

    private boolean flushNetOutBuffer() throws IOException {
        if (!this.netOutBuffer.completed()) {
            this.netOutBuffer.writeTo(this.transportLayer);
        }
        return this.netOutBuffer.completed();
    }

    private boolean handleKafkaRequest(byte[] bArr) throws IOException, AuthenticationException {
        boolean z = false;
        String str = null;
        try {
            ByteBuffer wrap = ByteBuffer.wrap(bArr);
            RequestHeader parse = RequestHeader.parse(wrap);
            ApiKeys forId = ApiKeys.forId(parse.apiKey());
            setSaslState(SaslState.HANDSHAKE_REQUEST);
            z = true;
            if (Protocol.apiVersionSupported(parse.apiKey(), parse.apiVersion())) {
                AbstractRequest request = AbstractRequest.getRequest(parse.apiKey(), parse.apiVersion(), wrap);
                LOG.debug("Handle Kafka request {}", forId);
                switch (forId) {
                    case API_VERSIONS:
                        handleApiVersionsRequest(parse, (ApiVersionsRequest) request);
                        break;
                    case SASL_HANDSHAKE:
                        str = handleHandshakeRequest(parse, (SaslHandshakeRequest) request);
                        break;
                    default:
                        throw new IllegalSaslStateException("Unexpected Kafka request of type " + forId + " during SASL handshake.");
                }
            } else {
                if (forId != ApiKeys.API_VERSIONS) {
                    throw new UnsupportedVersionException("Version " + ((int) parse.apiVersion()) + " is not supported for apiKey " + forId);
                }
                sendKafkaResponse(parse, ApiVersionsResponse.fromError(Errors.UNSUPPORTED_VERSION));
            }
        } catch (IllegalArgumentException | SchemaException e) {
            if (this.saslState != SaslState.GSSAPI_OR_HANDSHAKE_REQUEST) {
                throw e;
            }
            if (LOG.isDebugEnabled()) {
                StringBuilder sb = new StringBuilder();
                for (byte b : bArr) {
                    sb.append(String.format("%02x", Byte.valueOf(b)));
                    if (sb.length() >= 20) {
                        break;
                    }
                }
                LOG.debug("Received client packet of length {} starting with bytes 0x{}, process as GSSAPI packet", Integer.valueOf(bArr.length), sb);
            }
            if (!this.enabledMechanisms.contains("GSSAPI")) {
                throw new UnsupportedSaslMechanismException("Exception handling first SASL packet from client, GSSAPI is not supported by server", e);
            }
            LOG.debug("First client packet is not a SASL mechanism request, using default mechanism GSSAPI");
            str = "GSSAPI";
        }
        if (str != null) {
            createSaslServer(str);
            setSaslState(SaslState.AUTHENTICATE);
        }
        return z;
    }

    private String handleHandshakeRequest(RequestHeader requestHeader, SaslHandshakeRequest saslHandshakeRequest) throws IOException, UnsupportedSaslMechanismException {
        String mechanism = saslHandshakeRequest.mechanism();
        if (this.enabledMechanisms.contains(mechanism)) {
            LOG.debug("Using SASL mechanism '{}' provided by client", mechanism);
            sendKafkaResponse(requestHeader, new SaslHandshakeResponse((short) 0, this.enabledMechanisms));
            return mechanism;
        }
        LOG.debug("SASL mechanism '{}' requested by client is not supported", mechanism);
        sendKafkaResponse(requestHeader, new SaslHandshakeResponse(Errors.UNSUPPORTED_SASL_MECHANISM.code(), this.enabledMechanisms));
        throw new UnsupportedSaslMechanismException("Unsupported SASL mechanism " + mechanism);
    }

    private void handleApiVersionsRequest(RequestHeader requestHeader, ApiVersionsRequest apiVersionsRequest) throws IOException, UnsupportedSaslMechanismException {
        sendKafkaResponse(requestHeader, ApiVersionsResponse.apiVersionsResponse());
    }

    private void sendKafkaResponse(RequestHeader requestHeader, AbstractRequestResponse abstractRequestResponse) throws IOException {
        this.netOutBuffer = new NetworkSend(this.node, ResponseSend.serialize(new ResponseHeader(requestHeader.correlationId()), abstractRequestResponse.toStruct()));
        flushNetOutBufferAndUpdateInterestOps();
    }
}
