package org.apache.sentry.service.thrift;

import java.util.Arrays;
import java.util.Iterator;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.sentry.core.common.exception.ConnectionDeniedException;
import org.apache.sentry.service.thrift.ServiceConstants;

/* loaded from: input_file:org/apache/sentry/service/thrift/GSSCallback.class */
public class GSSCallback extends SaslRpcServer.SaslGssCallbackHandler {
    private final Configuration conf;

    public GSSCallback(Configuration configuration) {
        this.conf = configuration;
    }

    boolean comparePrincipals(String str, String str2) {
        String[] splitKerberosName = SaslRpcServer.splitKerberosName(str);
        String[] splitKerberosName2 = SaslRpcServer.splitKerberosName(str2);
        if (splitKerberosName.length == 0 || splitKerberosName2.length == 0 || splitKerberosName.length != splitKerberosName2.length) {
            return false;
        }
        for (int i = 0; i < splitKerberosName.length; i++) {
            if (!splitKerberosName[i].equals(splitKerberosName2[i])) {
                return false;
            }
        }
        return true;
    }

    boolean allowConnect(String str) {
        String str2 = this.conf.get(ServiceConstants.ServerConfig.ALLOW_CONNECT);
        if (str2 == null) {
            return false;
        }
        String shortName = getShortName(str);
        Iterator it = Arrays.asList(str2.split("\\s*,\\s*")).iterator();
        while (it.hasNext()) {
            if (comparePrincipals((String) it.next(), shortName)) {
                return true;
            }
        }
        return false;
    }

    private String getShortName(String str) {
        return SaslRpcServer.splitKerberosName(str)[0];
    }

    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException, ConnectionDeniedException {
        AuthorizeCallback authorizeCallback = null;
        for (Callback callback : callbackArr) {
            if (!(callback instanceof AuthorizeCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized SASL GSSAPI Callback");
            }
            authorizeCallback = (AuthorizeCallback) callback;
        }
        if (authorizeCallback != null) {
            String authenticationID = authorizeCallback.getAuthenticationID();
            String authorizationID = authorizeCallback.getAuthorizationID();
            if (!allowConnect(authenticationID)) {
                throw new ConnectionDeniedException(authorizeCallback, "Connection to sentry service denied due to lack of client credentials", authenticationID);
            }
            if (authenticationID.equals(authorizationID)) {
                authorizeCallback.setAuthorized(true);
            } else {
                authorizeCallback.setAuthorized(false);
            }
            if (authorizeCallback.isAuthorized()) {
                authorizeCallback.setAuthorizedID(authorizationID);
            }
        }
    }
}
