package dlshade.org.apache.bookkeeper.sasl;

import dlshade.org.apache.bookkeeper.conf.ServerConfiguration;
import dlshade.org.apache.bookkeeper.net.NodeBase;
import dlshade.org.apache.zookeeper.server.auth.KerberosName;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dlshade/org/apache/bookkeeper/sasl/SaslServerState.class */
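/**
 * Server-side SASL negotiation state for one bookie connection.
 *
 * <p>Wraps a {@link SaslServer} created either for DIGEST-MD5 (when the login
 * {@link Subject} carries no principals) or for GSSAPI/Kerberos (when it does),
 * plus the {@link Pattern} of authentication IDs that may be authorized.
 * Authorization is decided in {@link SaslServerCallbackHandler#handleAuthorizeCallback}:
 * a client may only act as itself and its ID must match the allowed-IDs pattern.
 */
public class SaslServerState {
    private static final Logger LOG = LoggerFactory.getLogger(SaslServerState.class);
    /** Kerberos principals are written {@code primary/instance@REALM}; "/" splits primary from instance. */
    private static final String PRINCIPAL_COMPONENT_SEPARATOR = "/";
    /** Separates the principal from its realm in a Kerberos name. */
    private static final String REALM_SEPARATOR = "@";
    private final SaslServer saslServer;
    private final Pattern allowedIdsPattern;

    /**
     * JAAS callback handler backing the {@link SaslServer}.
     *
     * <p>DIGEST-MD5 users are read once from the bookie's JAAS section: every option
     * named {@code user_<name>} becomes a {@code <name> -> password} entry in
     * {@link #credentials} (passwords are therefore held in memory as Strings for the
     * handler's lifetime). The handler is stateful: the name accepted in
     * {@link #handleNameCallback} is the one {@link #handlePasswordCallback} looks up.
     */
    public class SaslServerCallbackHandler implements CallbackHandler {
        private static final String USER_PREFIX = "user_";
        private final Map<String, String> credentials = new HashMap<>();
        // Set by the NameCallback; read by the PasswordCallback that follows it.
        private String userName;

        /**
         * Loads DIGEST-MD5 credentials from the bookie's JAAS section.
         *
         * @param configuration JAAS configuration to read the section from
         * @param serverConfiguration bookie configuration naming the JAAS section
         * @throws IOException if the named JAAS section does not exist
         */
        public SaslServerCallbackHandler(Configuration configuration, ServerConfiguration serverConfiguration)
                throws IOException {
            String sectionName = serverConfiguration.getString(
                    SaslConstants.JAAS_BOOKIE_SECTION_NAME, SaslConstants.JAAS_DEFAULT_BOOKIE_SECTION_NAME);
            AppConfigurationEntry[] entries = configuration.getAppConfigurationEntry(sectionName);
            if (entries == null) {
                throw new IOException("Could not find a '" + sectionName
                        + "' entry in this configuration: Server cannot start.");
            }
            for (AppConfigurationEntry entry : entries) {
                for (Map.Entry<String, ?> option : entry.getOptions().entrySet()) {
                    String key = option.getKey();
                    if (key.startsWith(USER_PREFIX)) {
                        credentials.put(key.substring(USER_PREFIX.length()), (String) option.getValue());
                    }
                }
            }
        }

        /**
         * Dispatches each callback to its handler.
         *
         * <p>Callback types other than name, password, realm and authorize are ignored
         * rather than rejected, so this method never actually throws.
         *
         * @param callbacks callbacks issued by the SASL mechanism
         * @throws UnsupportedCallbackException declared by the interface; not thrown here
         */
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    handleNameCallback((NameCallback) callback);
                } else if (callback instanceof PasswordCallback) {
                    handlePasswordCallback((PasswordCallback) callback);
                } else if (callback instanceof RealmCallback) {
                    handleRealmCallback((RealmCallback) callback);
                } else if (callback instanceof AuthorizeCallback) {
                    handleAuthorizeCallback((AuthorizeCallback) callback);
                }
            }
        }

        /**
         * Accepts the client-supplied user name only if it is a configured DIGEST-MD5 user;
         * otherwise the name is left unset and the subsequent password lookup fails.
         */
        private void handleNameCallback(NameCallback nameCallback) {
            String name = nameCallback.getDefaultName();
            if (credentials.get(name) == null) {
                LOG.error("User '{}' not found in list of JAAS DIGEST-MD5 users.", name);
                return;
            }
            nameCallback.setName(name);
            userName = name;
        }

        /**
         * Supplies the configured password for the user accepted by the name callback.
         * A null or unknown {@link #userName} yields no password, so the mechanism rejects
         * the client.
         */
        private void handlePasswordCallback(PasswordCallback passwordCallback) {
            String password = credentials.get(userName);
            if (password == null) {
                LOG.info("No password found for user: {}", userName);
                return;
            }
            passwordCallback.setPassword(password.toCharArray());
        }

        /** Echoes back whatever realm the client proposed. */
        private void handleRealmCallback(RealmCallback realmCallback) {
            LOG.debug("client supplied realm: {}", realmCallback.getDefaultText());
            realmCallback.setText(realmCallback.getDefaultText());
        }

        /**
         * Decides whether the authenticated client may act under the requested
         * authorization ID: impersonation is refused, the ID must match
         * {@link #allowedIdsPattern}, and on success the authorized ID is rewritten into
         * the canonical {@code short/host@realm} form.
         */
        private void handleAuthorizeCallback(AuthorizeCallback authorizeCallback) {
            String authenticationId = authorizeCallback.getAuthenticationID();
            String authorizationId = authorizeCallback.getAuthorizationID();
            // A client may only act as itself.
            if (!authenticationId.equals(authorizationId)) {
                authorizeCallback.setAuthorized(false);
                LOG.info("Forbidden access to client: authenticationID={} is different from authorizationID={}.",
                        authenticationId, authorizationId);
                return;
            }
            if (!allowedIdsPattern.matcher(authenticationId).matches()) {
                authorizeCallback.setAuthorized(false);
                LOG.info("Forbidden access to client: authenticationID={} is not allowed (see {} property)",
                        authenticationId, SaslConstants.JAAS_CLIENT_ALLOWED_IDS);
                return;
            }
            authorizeCallback.setAuthorized(true);
            LOG.debug("Successfully authenticated client: authenticationID={};  authorizationID={}.",
                    authenticationId, authorizationId);
            KerberosName kerberosName = new KerberosName(authenticationId);
            try {
                String authorizedId = canonicalAuthorizedId(kerberosName);
                LOG.debug("Setting authorizedID: {}", authorizedId);
                authorizeCallback.setAuthorizedID(authorizedId);
            } catch (IOException e) {
                // Authorization was already granted above; only the canonical ID is left
                // unset, so the callback falls back to the (already checked) authorization ID.
                LOG.error("Failed to set name based on Kerberos authentication rules.", e);
            }
        }

        /**
         * Renders a Kerberos name as {@code short/host@realm}, the form used as the authorized ID.
         *
         * @throws IOException if the short name cannot be derived
         */
        private String canonicalAuthorizedId(KerberosName kerberosName) throws IOException {
            return kerberosName.getShortName() + PRINCIPAL_COMPONENT_SEPARATOR + kerberosName.getHostName()
                    + REALM_SEPARATOR + kerberosName.getRealm();
        }
    }

    /**
     * Creates the SASL server for a connection.
     *
     * @param serverConfiguration bookie configuration (names the JAAS section)
     * @param subject login subject; Kerberos is used iff it carries a principal
     * @param pattern authentication IDs allowed to be authorized
     * @throws IOException if the JAAS section is missing
     * @throws SaslException if the mechanism cannot be created
     * @throws LoginException kept for callers' compatibility; not thrown by this code
     */
    public SaslServerState(ServerConfiguration serverConfiguration, Subject subject, Pattern pattern)
            throws IOException, SaslException, LoginException {
        this.allowedIdsPattern = pattern;
        this.saslServer = createSaslServer(subject, serverConfiguration);
    }

    /**
     * Builds a DIGEST-MD5 server when the subject has no principal, otherwise a GSSAPI
     * server run under the subject whose first principal names the service.
     *
     * @throws SaslException if the principal cannot be split into service/host or the
     *     mechanism fails to initialize; the underlying cause is preserved
     * @throws IOException if the JAAS section is missing
     */
    private SaslServer createSaslServer(Subject subject, ServerConfiguration serverConfiguration)
            throws SaslException, IOException {
        final SaslServerCallbackHandler callbackHandler =
                new SaslServerCallbackHandler(Configuration.getConfiguration(), serverConfiguration);
        if (subject.getPrincipals().isEmpty()) {
            LOG.debug("Authentication will use SASL/JAAS/DIGEST-MD5");
            return Sasl.createSaslServer("DIGEST-MD5", "bookkeeper", "bookkeeper", null, callbackHandler);
        }
        Principal principal = subject.getPrincipals().iterator().next();
        LOG.debug("Authentication will use SASL/JAAS/Kerberos, servicePrincipal is {}", principal);
        final String servicePrincipalName;
        final String serviceHostname;
        try {
            // Principal is expected as service/host@REALM or service@REALM.
            String name = principal.getName();
            int slash = name.indexOf(PRINCIPAL_COMPONENT_SEPARATOR);
            String afterSlash = name.substring(slash + 1);
            int at = afterSlash.indexOf(REALM_SEPARATOR);
            if (slash > 0) {
                servicePrincipalName = name.substring(0, slash);
                serviceHostname = afterSlash.substring(0, at);
            } else {
                servicePrincipalName = name.substring(0, at);
                serviceHostname = null;
            }
        } catch (IndexOutOfBoundsException e) {
            // No "@" (or "/" after it) in the principal name.
            throw new SaslException("error on GSSAPI boot", e);
        }
        try {
            // run() declares SaslException so that doAs wraps it in a
            // PrivilegedActionException and the catch below actually receives it.
            return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {
                @Override
                public SaslServer run() throws SaslException {
                    return Sasl.createSaslServer("GSSAPI", servicePrincipalName, serviceHostname, null,
                            callbackHandler);
                }
            });
        } catch (PrivilegedActionException e) {
            throw new SaslException("error on GSSAPI boot", e.getCause());
        }
    }

    /** @return whether the SASL exchange has finished. */
    public boolean isComplete() {
        return saslServer.isComplete();
    }

    /** @return the authorization ID established by the mechanism. */
    public String getUserName() {
        return saslServer.getAuthorizationID();
    }

    /**
     * Feeds one client token to the mechanism.
     *
     * @param clientToken token received from the client
     * @return the server's challenge/response, as produced by the mechanism
     * @throws SaslException if the token is rejected; logged and rethrown unchanged
     */
    public byte[] response(byte[] clientToken) throws SaslException {
        try {
            return saslServer.evaluateResponse(clientToken);
        } catch (SaslException e) {
            LOG.error("response: Failed to evaluate client token", e);
            throw e;
        }
    }
}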
