package org.graylog.shaded.org.apache.kafka09.common.security.authenticator;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.graylog.shaded.org.apache.kafka09.common.KafkaException;
import org.graylog.shaded.org.apache.kafka09.common.network.Authenticator;
import org.graylog.shaded.org.apache.kafka09.common.network.NetworkReceive;
import org.graylog.shaded.org.apache.kafka09.common.network.NetworkSend;
import org.graylog.shaded.org.apache.kafka09.common.network.TransportLayer;
import org.graylog.shaded.org.apache.kafka09.common.security.auth.KafkaPrincipal;
import org.graylog.shaded.org.apache.kafka09.common.security.auth.PrincipalBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/graylog/shaded/org/apache/kafka09/common/security/authenticator/SaslClientAuthenticator.class */
public class SaslClientAuthenticator implements Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SaslClientAuthenticator.class);
    private final Subject subject;
    private final String servicePrincipal;
    private final String host;
    private final String node;
    private SaslClient saslClient;
    private String clientPrincipalName;
    private TransportLayer transportLayer;
    private NetworkReceive netInBuffer;
    private NetworkSend netOutBuffer;
    private SaslState saslState = SaslState.INITIAL;

    /* loaded from: input_file:org/graylog/shaded/org/apache/kafka09/common/security/authenticator/SaslClientAuthenticator$ClientCallbackHandler.class */
    public static class ClientCallbackHandler implements CallbackHandler {
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    NameCallback nameCallback = (NameCallback) callback;
                    nameCallback.setName(nameCallback.getDefaultName());
                } else {
                    if (callback instanceof PasswordCallback) {
                        throw new UnsupportedCallbackException(callback, "Could not login: the client is being asked for a password, but the Kafka client code does not currently support obtaining a password from the user. Make sure -Djava.security.auth.login.config property passed to JVM and the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)'. Make sure you are using FQDN of the Kafka broker you are trying to connect to.");
                    }
                    if (callback instanceof RealmCallback) {
                        RealmCallback realmCallback = (RealmCallback) callback;
                        realmCallback.setText(realmCallback.getDefaultText());
                    } else {
                        if (!(callback instanceof AuthorizeCallback)) {
                            throw new UnsupportedCallbackException(callback, "Unrecognized SASL ClientCallback");
                        }
                        AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
                        String authenticationID = authorizeCallback.getAuthenticationID();
                        String authorizationID = authorizeCallback.getAuthorizationID();
                        authorizeCallback.setAuthorized(authenticationID.equals(authorizationID));
                        if (authorizeCallback.isAuthorized()) {
                            authorizeCallback.setAuthorizedID(authorizationID);
                        }
                    }
                }
            }
        }
    }

    /* loaded from: input_file:org/graylog/shaded/org/apache/kafka09/common/security/authenticator/SaslClientAuthenticator$SaslState.class */
    public enum SaslState {
        INITIAL,
        INTERMEDIATE,
        COMPLETE,
        FAILED
    }

    public SaslClientAuthenticator(String str, Subject subject, String str2, String str3) throws IOException {
        this.node = str;
        this.subject = subject;
        this.host = str3;
        this.servicePrincipal = str2;
    }

    @Override // org.graylog.shaded.org.apache.kafka09.common.network.Authenticator
    public void configure(TransportLayer transportLayer, PrincipalBuilder principalBuilder, Map<String, ?> map) throws KafkaException {
        try {
            this.transportLayer = transportLayer;
            this.clientPrincipalName = this.subject.getPrincipals().iterator().next().getName();
            this.saslClient = createSaslClient();
        } catch (Exception e) {
            throw new KafkaException("Failed to configure SaslClientAuthenticator", e);
        }
    }

    private SaslClient createSaslClient() {
        try {
            return (SaslClient) Subject.doAs(this.subject, new PrivilegedExceptionAction<SaslClient>() { // from class: org.graylog.shaded.org.apache.kafka09.common.security.authenticator.SaslClientAuthenticator.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public SaslClient run() throws SaslException {
                    String[] strArr = {"GSSAPI"};
                    SaslClientAuthenticator.LOG.debug("Creating SaslClient: client={};service={};serviceHostname={};mechs={}", SaslClientAuthenticator.this.clientPrincipalName, SaslClientAuthenticator.this.servicePrincipal, SaslClientAuthenticator.this.host, Arrays.toString(strArr));
                    return Sasl.createSaslClient(strArr, SaslClientAuthenticator.this.clientPrincipalName, SaslClientAuthenticator.this.servicePrincipal, SaslClientAuthenticator.this.host, (Map) null, new ClientCallbackHandler());
                }
            });
        } catch (PrivilegedActionException e) {
            throw new KafkaException("Failed to create SaslClient", e.getCause());
        }
    }

    @Override // org.graylog.shaded.org.apache.kafka09.common.network.Authenticator
    public void authenticate() throws IOException {
        if (this.netOutBuffer == null || flushNetOutBufferAndUpdateInterestOps()) {
            switch (this.saslState) {
                case INITIAL:
                    sendSaslToken(new byte[0]);
                    this.saslState = SaslState.INTERMEDIATE;
                    return;
                case INTERMEDIATE:
                    if (this.netInBuffer == null) {
                        this.netInBuffer = new NetworkReceive(this.node);
                    }
                    this.netInBuffer.readFrom(this.transportLayer);
                    if (this.netInBuffer.complete()) {
                        this.netInBuffer.payload().rewind();
                        byte[] bArr = new byte[this.netInBuffer.payload().remaining()];
                        this.netInBuffer.payload().get(bArr, 0, bArr.length);
                        this.netInBuffer = null;
                        sendSaslToken(bArr);
                    }
                    if (this.saslClient.isComplete()) {
                        this.saslState = SaslState.COMPLETE;
                        this.transportLayer.removeInterestOps(4);
                        return;
                    }
                    return;
                case COMPLETE:
                default:
                    return;
                case FAILED:
                    throw new IOException("SASL handshake failed");
            }
        }
    }

    private void sendSaslToken(byte[] bArr) throws IOException {
        if (this.saslClient.isComplete()) {
            return;
        }
        try {
            byte[] createSaslToken = createSaslToken(bArr);
            if (createSaslToken != null) {
                this.netOutBuffer = new NetworkSend(this.node, ByteBuffer.wrap(createSaslToken));
                flushNetOutBufferAndUpdateInterestOps();
            }
        } catch (IOException e) {
            this.saslState = SaslState.FAILED;
            throw e;
        }
    }

    private boolean flushNetOutBufferAndUpdateInterestOps() throws IOException {
        boolean flushNetOutBuffer = flushNetOutBuffer();
        if (flushNetOutBuffer) {
            this.transportLayer.removeInterestOps(4);
        } else {
            this.transportLayer.addInterestOps(4);
        }
        return flushNetOutBuffer;
    }

    @Override // org.graylog.shaded.org.apache.kafka09.common.network.Authenticator
    public Principal principal() {
        return new KafkaPrincipal("User", this.clientPrincipalName);
    }

    @Override // org.graylog.shaded.org.apache.kafka09.common.network.Authenticator
    public boolean complete() {
        return this.saslState == SaslState.COMPLETE;
    }

    @Override // org.graylog.shaded.org.apache.kafka09.common.network.Authenticator
    public void close() throws IOException {
        this.saslClient.dispose();
    }

    private byte[] createSaslToken(final byte[] bArr) throws SaslException {
        if (bArr == null) {
            throw new SaslException("Error authenticating with the Kafka Broker: received a `null` saslToken.");
        }
        try {
            return (byte[]) Subject.doAs(this.subject, new PrivilegedExceptionAction<byte[]>() { // from class: org.graylog.shaded.org.apache.kafka09.common.security.authenticator.SaslClientAuthenticator.2
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public byte[] run() throws SaslException {
                    return SaslClientAuthenticator.this.saslClient.evaluateChallenge(bArr);
                }
            });
        } catch (PrivilegedActionException e) {
            String str = "An error: (" + e + ") occurred when evaluating SASL token received from the Kafka Broker.";
            if (e.toString().indexOf("(Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)") > -1) {
                str = str + " This may be caused by Java's being unable to resolve the Kafka Broker's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment. Users must configure FQDN of kafka brokers when authenticating using SASL and `socketChannel.socket().getInetAddress().getHostName()` must match the hostname in `principal/hostname@realm`";
            }
            throw new SaslException(str + " Kafka Client will go to AUTH_FAILED state.", e.getCause());
        }
    }

    private boolean flushNetOutBuffer() throws IOException {
        if (!this.netOutBuffer.completed()) {
            this.netOutBuffer.writeTo(this.transportLayer);
        }
        return this.netOutBuffer.completed();
    }
}
