package org.apache.pulsar.client.impl.auth;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Locale;
import java.util.Map;
import javax.naming.AuthenticationException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.pulsar.common.api.AuthData;
import org.apache.pulsar.common.sasl.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/client/impl/auth/PulsarSaslClient.class */
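/**
 * Client side of a SASL/GSSAPI handshake, run under a JAAS {@link Subject}.
 *
 * <p>The constructor derives the server principal {@code <serverType>/<serverHostname>@<realm>}
 * from the first principal of the supplied subject and creates a JDK {@link SaslClient} for the
 * {@code GSSAPI} mechanism. {@link #evaluateChallenge(AuthData)} then feeds server tokens to that
 * client inside {@code Subject.doAs} so the subject's credentials are used.
 *
 * <p>No SASL properties are passed to {@code Sasl.createSaslClient}, so the JDK defaults apply.
 * Per the {@code Sasl.QOP} documentation the default quality of protection is {@code "auth"}
 * (authentication only), so integrity and confidentiality of the connection have to come from
 * another layer.
 */
public class PulsarSaslClient {
    private static final Logger log = LoggerFactory.getLogger(PulsarSaslClient.class);
    private final SaslClient saslClient;
    private final Subject clientSubject;

    /**
     * Callback handler handed to the JDK SASL client. It accepts only {@link AuthorizeCallback}
     * and rejects every other callback type.
     *
     * <p>The decompiler widened this class from package-private to public.
     */
    public static class ClientCallbackHandler implements CallbackHandler {
        /**
         * Dispatches each callback to {@link #handleAuthorizeCallback(AuthorizeCallback)}.
         *
         * @param callbackArr callbacks raised by the SASL mechanism
         * @throws UnsupportedCallbackException on the first callback that is not an
         *     {@link AuthorizeCallback}; callbacks before it have already been handled
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (!(callback instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL GSSAPI Client Callback.");
                }
                handleAuthorizeCallback((AuthorizeCallback) callback);
            }
        }

        /**
         * Authorizes the callback only when the authentication ID equals the authorization ID,
         * i.e. acting on behalf of a different identity is never granted.
         */
        private void handleAuthorizeCallback(AuthorizeCallback authorizeCallback) {
            String authenticationID = authorizeCallback.getAuthenticationID();
            String authorizationID = authorizeCallback.getAuthorizationID();
            // A missing authentication ID must deny, not fail with a NullPointerException.
            boolean authorized = authenticationID != null && authenticationID.equals(authorizationID);
            authorizeCallback.setAuthorized(authorized);
            if (authorized) {
                authorizeCallback.setAuthorizedID(authorizationID);
                PulsarSaslClient.log.info("Successfully authenticated. authenticationID: {};  authorizationID: {}.", authenticationID, authorizationID);
            } else {
                // Keep the log truthful: a denied request must not be recorded as a success.
                PulsarSaslClient.log.warn("SASL authorization denied. authenticationID: {};  authorizationID: {}.", authenticationID, authorizationID);
            }
        }
    }

    /**
     * Creates the GSSAPI SASL client for the given server.
     *
     * @param serverHostname host part of the server principal; must not be null or empty
     * @param serverType service part of the server principal; {@code "broker"} and
     *     {@code "proxy"} are the values the code treats as recommended, anything else only
     *     produces a warning
     * @param subject logged-in JAAS subject whose first principal supplies the client name and
     *     the realm
     * @throws IllegalArgumentException if {@code subject} or {@code serverType} is null, or
     *     {@code serverHostname} is null or empty
     * @throws SaslException if the subject has no principal or the SASL client cannot be created
     */
    public PulsarSaslClient(String serverHostname, String serverType, Subject subject) throws SaslException {
        Preconditions.checkArgument(subject != null, "Cannot create SASL client with NULL JAAS subject");
        Preconditions.checkArgument(!Strings.isNullOrEmpty(serverHostname), "Cannot create SASL client with NUll server name");
        Preconditions.checkArgument(serverType != null, "Cannot create SASL client with NULL server type");
        if (!serverType.equals("broker") && !serverType.equals("proxy")) {
            log.warn("The server type {} is not recommended", serverType);
        }
        // Locale.ROOT keeps the service name stable; the default-locale overload can change
        // ASCII letters (for example 'I' under a Turkish locale) and so alter the principal.
        String serverPrincipal = serverType.toLowerCase(Locale.ROOT) + "/" + serverHostname;
        this.clientSubject = subject;
        if (this.clientSubject.getPrincipals().isEmpty()) {
            throw new SaslException("Cannot create SASL client with empty JAAS subject principal");
        }
        // NOTE(review): the principal set has no defined order; with several principals in the
        // subject the one picked here may not be the Kerberos principal - confirm with callers.
        Principal clientPrincipal = this.clientSubject.getPrincipals().iterator().next();
        KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());
        // The server is assumed to live in the client's realm: the realm is copied from the client.
        KerberosName serverKerberosName = new KerberosName(serverPrincipal + "@" + clientKerberosName.getRealm());
        final String serviceName = serverKerberosName.getServiceName();
        final String hostName = serverKerberosName.getHostName();
        final String clientPrincipalName = clientKerberosName.toString();
        log.info("Using JAAS/SASL/GSSAPI auth to connect to server Principal {},", serverPrincipal);
        try {
            this.saslClient = Subject.doAs(this.clientSubject, new PrivilegedExceptionAction<SaslClient>() {
                @Override // java.security.PrivilegedExceptionAction
                public SaslClient run() throws SaslException {
                    // Null properties: JDK defaults apply (see the class comment on QOP).
                    return Sasl.createSaslClient(new String[]{"GSSAPI"}, clientPrincipalName, serviceName, hostName, (Map<String, ?>) null, new ClientCallbackHandler());
                }
            });
            if (this.saslClient == null) {
                throw new SaslException("Cannot create JVM SASL Client");
            }
        } catch (PrivilegedActionException e) {
            log.error("GSSAPI client error", e.getCause());
            throw new SaslException("error while booting GSSAPI client", e.getCause());
        }
    }

    /**
     * Feeds one server token to the SASL client and returns the client's response.
     *
     * @param authData token received from the server; must not be null
     * @return the response wrapped in {@link AuthData}
     * @throws AuthenticationException if {@code authData} is null or the SASL exchange fails;
     *     the underlying failure is attached as the cause
     */
    public AuthData evaluateChallenge(final AuthData authData) throws AuthenticationException {
        if (authData == null) {
            throw new AuthenticationException("saslToken is null");
        }
        try {
            if (this.clientSubject == null) {
                return AuthData.of(this.saslClient.evaluateChallenge(authData.getBytes()));
            }
            // NOTE(review): SaslClient.evaluateChallenge may return null when no response is
            // needed; whether AuthData.of accepts null is not visible here - confirm.
            byte[] response = Subject.doAs(this.clientSubject, new PrivilegedExceptionAction<byte[]>() {
                @Override // java.security.PrivilegedExceptionAction
                public byte[] run() throws SaslException {
                    return PulsarSaslClient.this.saslClient.evaluateChallenge(authData.getBytes());
                }
            });
            return AuthData.of(response);
        } catch (Exception e) {
            // Only PrivilegedActionException is guaranteed to wrap a cause; for any other
            // exception fall back to the exception itself so the failure is never logged as null.
            Throwable failure = e.getCause() != null ? e.getCause() : e;
            log.error("SASL error", failure);
            AuthenticationException authFailure = new AuthenticationException("SASL/JAAS error: " + failure);
            authFailure.initCause(failure);
            throw authFailure;
        }
    }

    /**
     * @return whether the mechanism sends an initial response, as reported by the SASL client
     */
    public boolean hasInitialResponse() {
        return this.saslClient.hasInitialResponse();
    }

    /**
     * @return whether the SASL exchange has completed, as reported by the SASL client
     */
    public boolean isComplete() {
        return this.saslClient.isComplete();
    }
}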
