package org.apache.zookeeper.client;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.solr.util.SystemIdResolver;
import org.apache.zookeeper.AsyncCallback;
import org.apache.zookeeper.ClientCnxn;
import org.apache.zookeeper.Environment;
import org.apache.zookeeper.Login;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.data.Stat;
import org.apache.zookeeper.proto.GetSASLRequest;
import org.apache.zookeeper.proto.SetSASLResponse;
import org.apache.zookeeper.server.auth.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/zookeeper-3.4.5-cdh5.10.0.jar:org/apache/zookeeper/client/ZooKeeperSaslClient.class */
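/**
 * Client side of the ZooKeeper SASL handshake.
 *
 * <p>The JAAS login context name is read from the {@value #LOGIN_CONTEXT_NAME_KEY}
 * system property (default {@code "Client"}). The JAAS login itself is a single,
 * JVM-wide {@link Login} shared by every instance of this class. Once logged in, the
 * client builds a {@link SaslClient} — GSSAPI when the subject carries a principal,
 * DIGEST-MD5 otherwise — and exchanges tokens with the server through SASL request
 * packets, tracking progress in a {@link SaslState}.
 *
 * <p>Thread-safety: only creation of the shared {@link Login} is guarded (class lock);
 * the handshake methods themselves are not synchronized against each other.
 */
public class ZooKeeperSaslClient {
    /** System property naming the JAAS login context section used by the client. */
    public static final String LOGIN_CONTEXT_NAME_KEY = "zookeeper.sasl.clientconfig";
    /** System property that enables or disables client-side SASL. */
    public static final String ENABLE_CLIENT_SASL_KEY = "zookeeper.sasl.client";
    /** Default for {@link #ENABLE_CLIENT_SASL_KEY}: SASL is on unless explicitly disabled. */
    public static final String ENABLE_CLIENT_SASL_DEFAULT = "true";
    private static final Logger LOG = LoggerFactory.getLogger(ZooKeeperSaslClient.class);
    /** Opcode of a SASL request packet (matches OpCode.sasl in ZooDefs). */
    private static final int OP_CODE_SASL = 102;
    /** Mechanism whose handshake is only finished once the server sends a null token. */
    private static final String GSSAPI = "GSSAPI";
    /** JAAS login shared by all clients in this JVM; created once under the class lock. */
    private static Login login = null;
    /** Null when no SASL client could be built; every handshake method checks this. */
    private SaslClient saslClient;
    /** False when no usable JAAS configuration was found and SASL is skipped entirely. */
    private boolean isSASLConfigured;
    private SaslState saslState;
    /** Human-readable summary of the configuration decision made in the constructor. */
    private final String configStatus;
    /** Last token produced by this client; an empty token starts the exchange. */
    private byte[] saslToken = new byte[0];
    /** Set once the final packet of the handshake has been seen (or the handshake failed). */
    private boolean gotLastPacket = false;

    /**
     * Answers the callbacks raised by the SASL mechanism on the client side.
     *
     * <p>Name and realm callbacks receive the mechanism's defaults, password callbacks
     * receive the password given to the constructor (DIGEST-MD5 only; GSSAPI handlers are
     * built with {@code null} and rely on the Kerberos ticket cache or keytab), and an
     * authorize callback is granted only when the authentication and authorization ids
     * are identical.
     */
    public static class ClientCallbackHandler implements CallbackHandler {
        // Kept as a String because it arrives as a String from the subject's private
        // credentials; it therefore cannot be zeroed after use.
        private final String password;

        /**
         * @param password the DIGEST-MD5 password, or {@code null} when no password can
         *                 be supplied (ticket-cache / keytab logins)
         */
        public ClientCallbackHandler(String password) {
            this.password = password;
        }

        /**
         * Answers each callback in turn.
         *
         * @throws UnsupportedCallbackException for any callback type other than name,
         *                                      password, realm or authorize
         */
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    NameCallback nameCallback = (NameCallback) callback;
                    nameCallback.setName(nameCallback.getDefaultName());
                } else if (callback instanceof PasswordCallback) {
                    handlePassword((PasswordCallback) callback);
                } else if (callback instanceof RealmCallback) {
                    RealmCallback realmCallback = (RealmCallback) callback;
                    realmCallback.setText(realmCallback.getDefaultText());
                } else if (callback instanceof AuthorizeCallback) {
                    handleAuthorize((AuthorizeCallback) callback);
                } else {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL ClientCallback");
                }
            }
        }

        /** Supplies the configured password, or explains why none is available. */
        private void handlePassword(PasswordCallback passwordCallback) {
            if (password != null) {
                passwordCallback.setPassword(password.toCharArray());
                return;
            }
            LOG.warn("Could not login: the client is being asked for a password, but the Zookeeper client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock.");
        }

        /** Authorizes only when the authenticated id equals the requested authorization id. */
        private static void handleAuthorize(AuthorizeCallback authorizeCallback) {
            String authenticationId = authorizeCallback.getAuthenticationID();
            String authorizationId = authorizeCallback.getAuthorizationID();
            // Null-safe: a missing authentication id is a refusal, not an NPE.
            boolean authorized = authenticationId != null && authenticationId.equals(authorizationId);
            authorizeCallback.setAuthorized(authorized);
            if (authorized) {
                authorizeCallback.setAuthorizedID(authorizationId);
            }
        }
    }

    /** Progress of the SASL handshake as tracked by this client. */
    public enum SaslState {
        /** No token has been sent yet. */
        INITIAL,
        /** Tokens are being exchanged. */
        INTERMEDIATE,
        /** The mechanism completed and {@link #getKeeperState()} reported it. */
        COMPLETE,
        /** Configuration, login or token evaluation failed. */
        FAILED
    }

    /**
     * Receives the server's SASL response and feeds it back into the connection's client.
     *
     * <p>The callback context is the {@link ClientCnxn} that sent the request; a null
     * response payload is treated as an empty token.
     */
    public static class ServerSaslResponseCallback implements AsyncCallback.DataCallback {
        @Override
        public void processResult(int rc, String path, Object ctx, byte[] data, Stat stat) {
            ClientCnxn cnxn = (ClientCnxn) ctx;
            ZooKeeperSaslClient client = cnxn.zooKeeperSaslClient;
            if (client == null) {
                LOG.warn("sasl client was unexpectedly null: cannot respond to Zookeeper server.");
                return;
            }
            // NOTE(review): rc is not inspected, so a non-zero result with a null payload
            // is processed as an empty server token — confirm that is intended.
            byte[] serverToken;
            if (data != null) {
                serverToken = data;
                LOG.debug("ServerSaslResponseCallback(): saslToken server response: (length=" + serverToken.length + ")");
            } else {
                serverToken = new byte[0];
                LOG.debug("ServerSaslResponseCallback(): using empty data[] as server response (length=" + serverToken.length + ")");
            }
            client.respondToServer(serverToken, cnxn);
        }
    }

    /** Returns whether client-side SASL is enabled via {@link #ENABLE_CLIENT_SASL_KEY}. */
    public static boolean isEnabled() {
        return Boolean.parseBoolean(System.getProperty(ENABLE_CLIENT_SASL_KEY, ENABLE_CLIENT_SASL_DEFAULT));
    }

    public SaslState getSaslState() {
        return this.saslState;
    }

    /** Returns the name of the JAAS login context in use, or null before any login. */
    public String getLoginContext() {
        Login current = login;
        return current == null ? null : current.getLoginContextName();
    }

    /**
     * Resolves the JAAS configuration and, when a login context section is present,
     * logs in and builds the SASL client.
     *
     * <p>When the section is missing: if the context name was set explicitly, or a JAAS
     * configuration file was given, a {@link LoginException} is thrown; otherwise SASL is
     * silently disabled for this client and {@link #getConfigStatus()} explains why.
     *
     * @param serverPrincipal the server's Kerberos service principal ("service/host");
     *                        the realm is appended from {@code zookeeper.server.realm} or
     *                        the client's own realm
     * @throws LoginException when SASL was requested but cannot be configured
     */
    public ZooKeeperSaslClient(String serverPrincipal) throws LoginException {
        this.isSASLConfigured = true;
        this.saslState = SaslState.INITIAL;
        String loginContextName = System.getProperty(LOGIN_CONTEXT_NAME_KEY, "Client");
        AppConfigurationEntry[] entries = null;
        RuntimeException configError = null;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry(loginContextName);
        } catch (IllegalArgumentException e) {
            configError = e;
        } catch (SecurityException e) {
            configError = e;
        }
        if (entries != null) {
            this.configStatus = "Will attempt to SASL-authenticate using Login Context section '" + loginContextName + "'";
            this.saslClient = createSaslClient(serverPrincipal, loginContextName);
            return;
        }
        this.saslState = SaslState.FAILED;
        String explicitContextName = System.getProperty(LOGIN_CONTEXT_NAME_KEY);
        String jaasConfFile = System.getProperty(Environment.JAAS_CONF_KEY);
        if (explicitContextName != null) {
            // The user asked for a specific section, so its absence is an error.
            if (configError == null) {
                throw new LoginException("Client cannot SASL-authenticate because the specified JAAS configuration section '" + explicitContextName + "' could not be found.");
            }
            throw new LoginException("Zookeeper client cannot authenticate using the " + explicitContextName + " section of the supplied JAAS configuration: '" + jaasConfFile + "' because of a RuntimeException: " + configError);
        }
        this.configStatus = configError != null
                ? "Will not attempt to authenticate using SASL (" + configError + ")"
                : "Will not attempt to authenticate using SASL (unknown error)";
        this.isSASLConfigured = false;
        if (jaasConfFile != null) {
            // A configuration file was supplied but has no usable default section.
            if (configError == null) {
                throw new LoginException("No JAAS configuration section named '" + loginContextName + "' was found in specified JAAS configuration file: '" + jaasConfFile + "'.");
            }
            throw new LoginException("Zookeeper client cannot authenticate using the '" + loginContextName + "' section of the supplied JAAS configuration: '" + jaasConfFile + "' because of a RuntimeException: " + configError);
        }
    }

    /** Returns the configuration summary decided in the constructor. */
    public String getConfigStatus() {
        return this.configStatus;
    }

    public boolean isComplete() {
        return this.saslState == SaslState.COMPLETE;
    }

    public boolean isFailed() {
        return this.saslState == SaslState.FAILED;
    }

    /**
     * Logs in (once per JVM) and builds the SASL client for the subject.
     *
     * @return the client, or null when it could not be built (the failure is logged and
     *         surfaces later as a failed handshake in {@link #initialize})
     * @throws LoginException when the JAAS login itself fails
     */
    private synchronized SaslClient createSaslClient(final String serverPrincipal, final String loginContext) throws LoginException {
        try {
            Subject subject = loginSubject(loginContext);
            if (subject == null) {
                LOG.error("Exception while trying to create SASL client: JAAS login produced no subject.");
                return null;
            }
            if (subject.getPrincipals().isEmpty()) {
                return createDigestMd5Client(subject);
            }
            return createGssapiClient(subject, serverPrincipal);
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            // Best-effort: a null client is reported by initialize() as a SASL failure.
            LOG.error("Exception while trying to create SASL client: " + e, e);
            return null;
        }
    }

    /** Returns the subject of the JVM-wide login, performing the login on first use. */
    private static Subject loginSubject(String loginContext) throws LoginException {
        // The login is static, so guard its creation with the class lock rather than
        // the instance lock of the calling client.
        synchronized (ZooKeeperSaslClient.class) {
            if (login == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("JAAS loginContext is: " + loginContext);
                }
                login = new Login(loginContext, new ClientCallbackHandler(null));
                login.startThreadIfNeeded();
            }
            return login.getSubject();
        }
    }

    /** Builds a DIGEST-MD5 client from the subject's single public/private credential pair. */
    private static SaslClient createDigestMd5Client(Subject subject) throws SaslException {
        LOG.info("Client will use DIGEST-MD5 as SASL mechanism.");
        // presumably the JAAS module stores the user name as the only public credential
        // and the password as the only private credential — verify against the module.
        Object[] publicCredentials = subject.getPublicCredentials().toArray();
        Object[] privateCredentials = subject.getPrivateCredentials().toArray();
        if (publicCredentials.length == 0 || privateCredentials.length == 0) {
            LOG.error("Cannot create DIGEST-MD5 SASL client: the JAAS subject has no user name or password credential.");
            return null;
        }
        String userName = (String) publicCredentials[0];
        String password = (String) privateCredentials[0];
        return Sasl.createSaslClient(new String[]{"DIGEST-MD5"}, userName, "zookeeper", "zk-sasl-md5", null, new ClientCallbackHandler(password));
    }

    /** Builds a GSSAPI client, running the creation as the logged-in Kerberos subject. */
    private static SaslClient createGssapiClient(Subject subject, String serverPrincipal) {
        KerberosName clientKerberosName = new KerberosName(((Principal) subject.getPrincipals().toArray()[0]).getName());
        // The server's realm defaults to the client's own realm unless overridden.
        KerberosName serviceKerberosName = new KerberosName(serverPrincipal + "@" + System.getProperty("zookeeper.server.realm", clientKerberosName.getRealm()));
        final String serviceName = serviceKerberosName.getServiceName();
        final String serviceHostname = serviceKerberosName.getHostName();
        final String clientPrincipalName = clientKerberosName.toString();
        try {
            return Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {
                @Override
                public SaslClient run() throws SaslException {
                    LOG.info("Client will use GSSAPI as SASL mechanism.");
                    LOG.debug("creating sasl client: client=" + clientPrincipalName + ";service=" + serviceName + ";serviceHostname=" + serviceHostname);
                    return Sasl.createSaslClient(new String[]{GSSAPI}, clientPrincipalName, serviceName, serviceHostname, null, new ClientCallbackHandler(null));
                }
            });
        } catch (Exception e) {
            LOG.error("Error creating SASL client:" + e, e);
            return null;
        }
    }

    /**
     * Evaluates a server token and sends the client's reply, if any.
     *
     * <p>On a {@link SaslException} the state becomes {@link SaslState#FAILED}. Once the
     * mechanism is complete, writes on the connection are re-enabled.
     *
     * @param serverToken the server's token; null is accepted only after completion
     */
    public void respondToServer(byte[] serverToken, ClientCnxn cnxn) {
        if (saslClient == null) {
            LOG.error("saslClient is unexpectedly null. Cannot respond to server's SASL message; ignoring.");
            return;
        }
        if (!saslClient.isComplete()) {
            try {
                saslToken = createSaslToken(serverToken);
                if (saslToken != null) {
                    sendSaslPacket(saslToken, cnxn);
                }
            } catch (SaslException e) {
                LOG.error("SASL authentication failed using login context '" + getLoginContext() + "'.", e);
                saslState = SaslState.FAILED;
                gotLastPacket = true;
            }
        }
        if (saslClient.isComplete()) {
            // Non-GSSAPI mechanisms are finished as soon as the client completes; for
            // GSSAPI the last packet is the one that carried a null server token.
            if (serverToken == null || !GSSAPI.equals(saslClient.getMechanismName())) {
                gotLastPacket = true;
            }
            cnxn.enableWrite();
        }
    }

    /** Marks the handshake as in progress and evaluates the currently stored token. */
    private byte[] createSaslToken() throws SaslException {
        saslState = SaslState.INTERMEDIATE;
        return createSaslToken(saslToken);
    }

    /**
     * Runs {@code saslClient.evaluateChallenge} as the logged-in subject.
     *
     * @return the client's reply token, possibly null when the mechanism has nothing to send
     * @throws SaslException on a null server token, a missing subject, or an evaluation
     *                       error; the state becomes {@link SaslState#FAILED} in the first
     *                       and last cases
     */
    private byte[] createSaslToken(final byte[] serverToken) throws SaslException {
        if (serverToken == null) {
            saslState = SaslState.FAILED;
            throw new SaslException("Error in authenticating with a Zookeeper Quorum member: the quorum member's saslToken is null.");
        }
        Subject subject = login == null ? null : login.getSubject();
        if (subject == null) {
            throw new SaslException("Cannot make SASL token without subject defined. For diagnosis, please look for WARNs and ERRORs in your log related to the Login class.");
        }
        synchronized (login) {
            try {
                return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
                    @Override
                    public byte[] run() throws SaslException {
                        LOG.debug("saslClient.evaluateChallenge(len=" + serverToken.length + ")");
                        return ZooKeeperSaslClient.this.saslClient.evaluateChallenge(serverToken);
                    }
                });
            } catch (PrivilegedActionException e) {
                String message = "An error: (" + e + ") occurred when evaluating Zookeeper Quorum Member's  received SASL token.";
                // Text match on the GSS error is brittle but is the only signal available here.
                if (e.toString().contains("(Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)")) {
                    message += " This may be caused by Java's being unable to resolve the Zookeeper Quorum Member's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment.";
                }
                message += " Zookeeper Client will go to AUTH_FAILED state.";
                LOG.error(message, e);
                saslState = SaslState.FAILED;
                throw new SaslException(message, e);
            }
        }
    }

    /** Sends an already-evaluated token to the server. */
    private void sendSaslPacket(byte[] token, ClientCnxn cnxn) throws SaslException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("ClientCnxn:sendSaslPacket:length=" + token.length);
        }
        sendToken(token, cnxn, "Failed to send SASL packet to server.");
    }

    /** Evaluates the stored token (the initial response) and sends the result. */
    private void sendSaslPacket(ClientCnxn cnxn) throws SaslException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("ClientCnxn:sendSaslPacket:length=" + saslToken.length);
        }
        sendToken(createSaslToken(), cnxn, "Failed to send SASL packet to server due to IOException:");
    }

    /** Wraps a token in a SASL request packet and queues it on the connection. */
    private static void sendToken(byte[] token, ClientCnxn cnxn, String failureMessage) throws SaslException {
        GetSASLRequest request = new GetSASLRequest();
        request.setToken(token);
        try {
            cnxn.sendPacket(request, new SetSASLResponse(), new ServerSaslResponseCallback(), OP_CODE_SASL);
        } catch (IOException e) {
            throw new SaslException(failureMessage, e);
        }
    }

    /**
     * Maps the handshake state to a keeper event, or null when nothing is to be reported.
     *
     * <p>Side effect: the first call that observes a completed mechanism in the
     * {@link SaslState#INTERMEDIATE} state promotes it to {@link SaslState#COMPLETE}.
     */
    public Watcher.Event.KeeperState getKeeperState() {
        if (saslClient == null) {
            return null;
        }
        if (saslState == SaslState.FAILED) {
            return Watcher.Event.KeeperState.AuthFailed;
        }
        if (saslClient.isComplete() && saslState == SaslState.INTERMEDIATE) {
            saslState = SaslState.COMPLETE;
            return Watcher.Event.KeeperState.SaslAuthenticated;
        }
        return null;
    }

    /**
     * Starts the handshake by sending the client's first packet (an initial response if
     * the mechanism has one, otherwise an empty token).
     *
     * @throws SaslException when no SASL client could be built, or the packet cannot be sent
     */
    public void initialize(ClientCnxn cnxn) throws SaslException {
        if (saslClient == null) {
            saslState = SaslState.FAILED;
            throw new SaslException("saslClient failed to initialize properly: it's null.");
        }
        if (saslState == SaslState.INITIAL) {
            if (saslClient.hasInitialResponse()) {
                sendSaslPacket(cnxn);
            } else {
                sendSaslPacket(new byte[0], cnxn);
            }
            saslState = SaslState.INTERMEDIATE;
        }
    }

    /**
     * Returns whether the connection is still inside the SASL handshake, i.e. requests
     * should be held back.
     *
     * <p>False when SASL is not configured, when neither a JAAS file nor a login context
     * section is available, or when the handshake finished (or failed) and its last
     * packet has been seen.
     */
    public boolean clientTunneledAuthenticationInProgress() {
        if (!isSASLConfigured) {
            return false;
        }
        try {
            if (System.getProperty(Environment.JAAS_CONF_KEY) == null && !hasLoginContextEntry()) {
                return false;
            }
            if (isComplete() || isFailed()) {
                return !gotLastPacket;
            }
            return true;
        } catch (SecurityException e) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Could not retrieve login configuration: " + e);
            }
            return false;
        }
    }

    /** Returns whether the configured login context section exists in the JAAS configuration. */
    private static boolean hasLoginContextEntry() {
        Configuration configuration = Configuration.getConfiguration();
        return configuration != null
                && configuration.getAppConfigurationEntry(System.getProperty(LOGIN_CONTEXT_NAME_KEY, "Client")) != null;
    }
}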
