package org.apache.hadoop.security;

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.io.WritableUtils;
import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

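/**
 * Client side of the SASL handshake used to authenticate an RPC connection.
 *
 * <p>An instance wraps one {@link SaslClient}, created in the constructor for either the
 * DIGEST (token based) or KERBEROS mechanism. {@link #saslConnect} drives the
 * challenge/response exchange over the raw connection streams, after which
 * {@link #getInputStream} and {@link #getOutputStream} hand back streams bound to the
 * negotiated SASL context.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Everything read from the peer during {@link #saslConnect} arrives before
 *       authentication has completed, so lengths and status codes are untrusted input.</li>
 *   <li>{@link #saslConnect} returns {@code false} when the server requests a fall back to
 *       simple auth. No SASL context exists in that case; the caller has to decide whether
 *       continuing is acceptable.</li>
 * </ul>
 */
@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
/* loaded from: input_file:lib/hadoop-common-2.0.0-cdh4.1.3.jar:org/apache/hadoop/security/SaslRpcClient.class */
public class SaslRpcClient {
    public static final Log LOG = LogFactory.getLog(SaslRpcClient.class);

    /**
     * Value the server sends in place of a token length to request a fall back to simple
     * auth. Kept as a literal because this listing has the value inlined; presumably it
     * mirrors a server-side constant (confirm against SaslRpcServer).
     */
    private static final int SWITCH_TO_SIMPLE_AUTH = -88;

    /**
     * Defensive ceiling on a single SASL token announced by the peer. This is not a protocol
     * constant: it only stops an unauthenticated length prefix from driving an arbitrarily
     * large allocation. Tune it if a deployment legitimately exchanges larger tokens.
     */
    private static final int MAX_SASL_TOKEN_LENGTH = 16 * 1024 * 1024;

    private final SaslClient saslClient;

    /**
     * Supplies the token-derived user name and password to the DIGEST mechanism.
     */
    /* loaded from: input_file:lib/hadoop-common-2.0.0-cdh4.1.3.jar:org/apache/hadoop/security/SaslRpcClient$SaslClientCallbackHandler.class */
    private static class SaslClientCallbackHandler implements CallbackHandler {
        private final String userName;
        private final char[] userPassword;

        /**
         * Derives the SASL credentials from the token's identifier and password.
         *
         * @param token token whose identifier becomes the user name and whose password becomes
         *     the shared secret
         */
        public SaslClientCallbackHandler(Token<? extends TokenIdentifier> token) {
            this.userName = SaslRpcServer.encodeIdentifier(token.getIdentifier());
            this.userPassword = SaslRpcServer.encodePassword(token.getPassword());
        }

        /**
         * Answers name, password and realm callbacks; realm-choice callbacks are ignored.
         *
         * @param callbackArr callbacks issued by the SASL mechanism
         * @throws UnsupportedCallbackException if any other callback type is presented
         */
        @Override
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            RealmCallback realmCallback = null;
            for (Callback callback : callbackArr) {
                if (callback instanceof RealmChoiceCallback) {
                    continue;
                }
                if (callback instanceof NameCallback) {
                    nameCallback = (NameCallback) callback;
                } else if (callback instanceof PasswordCallback) {
                    passwordCallback = (PasswordCallback) callback;
                } else if (callback instanceof RealmCallback) {
                    realmCallback = (RealmCallback) callback;
                } else {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL client callback");
                }
            }
            if (nameCallback != null) {
                // Only the encoded identifier is logged; the password is never written to the log.
                if (SaslRpcClient.LOG.isDebugEnabled()) {
                    SaslRpcClient.LOG.debug("SASL client callback: setting username: " + this.userName);
                }
                nameCallback.setName(this.userName);
            }
            if (passwordCallback != null) {
                if (SaslRpcClient.LOG.isDebugEnabled()) {
                    SaslRpcClient.LOG.debug("SASL client callback: setting userPassword");
                }
                passwordCallback.setPassword(this.userPassword);
            }
            if (realmCallback != null) {
                // The realm offered by the mechanism is accepted as-is.
                if (SaslRpcClient.LOG.isDebugEnabled()) {
                    SaslRpcClient.LOG.debug("SASL client callback: setting realm: " + realmCallback.getDefaultText());
                }
                realmCallback.setText(realmCallback.getDefaultText());
            }
        }
    }

    /**
     * Creates the SASL client for the requested authentication method.
     *
     * @param authMethod DIGEST or KERBEROS; any other value is rejected
     * @param token token used as the credential for DIGEST (not used for KERBEROS)
     * @param str the server's Kerberos principal name, required for KERBEROS. It selects the
     *     service the client authenticates to, so it should come from trusted configuration
     *     rather than from the peer.
     * @throws IOException if the method is unknown, the principal is missing or does not split
     *     into three parts, or no SASL client implementation is available
     */
    public SaslRpcClient(SaslRpcServer.AuthMethod authMethod, Token<? extends TokenIdentifier> token, String str) throws IOException {
        final SaslClient client;
        switch (authMethod) {
            case DIGEST:
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Creating SASL " + SaslRpcServer.AuthMethod.DIGEST.getMechanismName() + " client to authenticate to service at " + token.getService());
                }
                client = Sasl.createSaslClient(
                        new String[] {SaslRpcServer.AuthMethod.DIGEST.getMechanismName()},
                        null,
                        null,
                        "default",
                        SaslRpcServer.SASL_PROPS,
                        new SaslClientCallbackHandler(token));
                break;
            case KERBEROS:
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Creating SASL " + SaslRpcServer.AuthMethod.KERBEROS.getMechanismName() + " client. Server's Kerberos principal name is " + str);
                }
                if (str == null || str.length() == 0) {
                    throw new IOException("Failed to specify server's Kerberos principal name");
                }
                String[] principalParts = SaslRpcServer.splitKerberosName(str);
                if (principalParts.length != 3) {
                    throw new IOException("Kerberos principal name does NOT have the expected hostname part: " + str);
                }
                // Parts 0 and 1 are passed as the SASL protocol and server name.
                client = Sasl.createSaslClient(
                        new String[] {SaslRpcServer.AuthMethod.KERBEROS.getMechanismName()},
                        null,
                        principalParts[0],
                        principalParts[1],
                        SaslRpcServer.SASL_PROPS,
                        null);
                break;
            default:
                throw new IOException("Unknown authentication method " + authMethod);
        }
        // Sasl.createSaslClient returns null when no provider supports the mechanism.
        if (client == null) {
            throw new IOException("Unable to find SASL client implementation");
        }
        this.saslClient = client;
    }

    /**
     * Reads the status word that precedes each server token.
     *
     * @param dataInputStream stream positioned at the status word
     * @throws IOException a {@link RemoteException} built from the two strings that follow a
     *     non-success status, or any read failure
     */
    private static void readStatus(DataInputStream dataInputStream) throws IOException {
        if (dataInputStream.readInt() != SaslRpcServer.SaslStatus.SUCCESS.state) {
            // NOTE(review): both strings come from a peer that is not yet authenticated; how
            // WritableUtils.readString bounds their length is not visible in this file.
            throw new RemoteException(WritableUtils.readString(dataInputStream), WritableUtils.readString(dataInputStream));
        }
    }

    /** Writes one length-prefixed SASL token and flushes it to the peer. */
    private static void writeToken(DataOutputStream dataOutputStream, byte[] token) throws IOException {
        dataOutputStream.writeInt(token.length);
        dataOutputStream.write(token, 0, token.length);
        dataOutputStream.flush();
    }

    /**
     * Reads a server token whose length prefix has already been consumed.
     *
     * <p>The length is attacker-influenced until the handshake completes, so it is validated
     * before any buffer is allocated. A negative value would otherwise raise an unchecked
     * exception that bypasses the cleanup in {@link #saslConnect}; an oversized value would
     * force a large allocation.
     */
    private static byte[] readToken(DataInputStream dataInputStream, int length) throws IOException {
        if (length < 0 || length > MAX_SASL_TOKEN_LENGTH) {
            throw new IOException("Invalid SASL token length received from server: " + length);
        }
        byte[] token = new byte[length];
        if (LOG.isDebugEnabled()) {
            LOG.debug("Will read input token of size " + token.length + " for processing by initSASLContext");
        }
        dataInputStream.readFully(token);
        return token;
    }

    /**
     * Runs the SASL challenge/response exchange over the given connection streams.
     *
     * @param inputStream raw stream from the server
     * @param outputStream raw stream to the server
     * @return {@code true} once the SASL context is established; {@code false} if the server
     *     asked to fall back to simple auth, in which case the SASL client has been disposed
     *     and no SASL protection applies to the connection. That request is read before the
     *     server has been authenticated, so callers should treat accepting it as a policy
     *     decision.
     * @throws IOException on any I/O or SASL failure, or if the server announces an invalid
     *     token length; the SASL client is disposed before the exception propagates
     */
    public boolean saslConnect(InputStream inputStream, OutputStream outputStream) throws IOException {
        DataInputStream dataInputStream = new DataInputStream(new BufferedInputStream(inputStream));
        DataOutputStream dataOutputStream = new DataOutputStream(new BufferedOutputStream(outputStream));
        try {
            byte[] saslToken = new byte[0];
            if (this.saslClient.hasInitialResponse()) {
                saslToken = this.saslClient.evaluateChallenge(saslToken);
            }
            if (saslToken != null) {
                writeToken(dataOutputStream, saslToken);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Have sent token of size " + saslToken.length + " from initSASLContext.");
                }
            }
            if (!this.saslClient.isComplete()) {
                readStatus(dataInputStream);
                int announcedLength = dataInputStream.readInt();
                if (announcedLength == SWITCH_TO_SIMPLE_AUTH) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Server asks us to fall back to simple auth.");
                    }
                    this.saslClient.dispose();
                    return false;
                }
                saslToken = readToken(dataInputStream, announcedLength);
            }
            while (!this.saslClient.isComplete()) {
                saslToken = this.saslClient.evaluateChallenge(saslToken);
                if (saslToken != null) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Will send token of size " + saslToken.length + " from initSASLContext.");
                    }
                    writeToken(dataOutputStream, saslToken);
                }
                if (!this.saslClient.isComplete()) {
                    readStatus(dataInputStream);
                    saslToken = readToken(dataInputStream, dataInputStream.readInt());
                }
            }
            if (LOG.isDebugEnabled()) {
                // The negotiated QoP tells an operator whether integrity or privacy is in effect.
                LOG.debug("SASL client context established. Negotiated QoP: " + this.saslClient.getNegotiatedProperty("javax.security.sasl.qop"));
            }
            return true;
        } catch (IOException e) {
            try {
                this.saslClient.dispose();
            } catch (SaslException ignored) {
                // Best-effort cleanup: the original failure is the one reported to the caller.
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Failed to dispose SASL client after handshake error", ignored);
                }
            }
            throw e;
        }
    }

    /**
     * Wraps the connection's input stream with the established SASL context.
     *
     * @param inputStream raw stream from the server
     * @return a {@code SaslInputStream} bound to this client's SASL context
     * @throws IOException if the SASL exchange has not completed
     */
    public InputStream getInputStream(InputStream inputStream) throws IOException {
        if (!this.saslClient.isComplete()) {
            throw new IOException("Sasl authentication exchange hasn't completed yet");
        }
        return new SaslInputStream(inputStream, this.saslClient);
    }

    /**
     * Wraps the connection's output stream with the established SASL context.
     *
     * @param outputStream raw stream to the server
     * @return a {@code SaslOutputStream} bound to this client's SASL context
     * @throws IOException if the SASL exchange has not completed
     */
    public OutputStream getOutputStream(OutputStream outputStream) throws IOException {
        if (!this.saslClient.isComplete()) {
            throw new IOException("Sasl authentication exchange hasn't completed yet");
        }
        return new SaslOutputStream(outputStream, this.saslClient);
    }

    /**
     * Releases the resources held by the underlying SASL client.
     *
     * @throws SaslException if the underlying client fails to dispose
     */
    public void dispose() throws SaslException {
        this.saslClient.dispose();
    }
}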
