package org.apache.hadoop.hdfs.protocol.datatransfer.sasl;

import com.google.common.base.Charsets;
import com.google.common.collect.Lists;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.CipherOption;
import org.apache.hadoop.crypto.CipherSuite;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.apache.hadoop.hdfs.net.EncryptedPeer;
import org.apache.hadoop.hdfs.net.Peer;
import org.apache.hadoop.hdfs.protocol.DatanodeID;
import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;
import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;
import org.apache.hadoop.security.SaslPropertiesResolver;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-2.6.0-cdh5.16.99.jar:org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient.class */
public class SaslDataTransferClient {
    private static final Logger LOG;
    private final Configuration conf;
    private final AtomicBoolean fallbackToSimpleAuth;
    private final SaslPropertiesResolver saslPropsResolver;
    private final TrustedChannelResolver trustedChannelResolver;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-2.6.0-cdh5.16.99.jar:org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferClient$SaslClientCallbackHandler.class */
    public static final class SaslClientCallbackHandler implements CallbackHandler {
        private final char[] password;
        private final String userName;

        public SaslClientCallbackHandler(String str, char[] cArr) {
            this.password = cArr;
            this.userName = str;
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            RealmCallback realmCallback = null;
            for (Callback callback : callbackArr) {
                if (!(callback instanceof RealmChoiceCallback)) {
                    if (callback instanceof NameCallback) {
                        nameCallback = (NameCallback) callback;
                    } else if (callback instanceof PasswordCallback) {
                        passwordCallback = (PasswordCallback) callback;
                    } else {
                        if (!(callback instanceof RealmCallback)) {
                            throw new UnsupportedCallbackException(callback, "Unrecognized SASL client callback");
                        }
                        realmCallback = (RealmCallback) callback;
                    }
                }
            }
            if (nameCallback != null) {
                nameCallback.setName(this.userName);
            }
            if (passwordCallback != null) {
                passwordCallback.setPassword(this.password);
            }
            if (realmCallback != null) {
                realmCallback.setText(realmCallback.getDefaultText());
            }
        }
    }

    public SaslDataTransferClient(Configuration configuration, SaslPropertiesResolver saslPropertiesResolver, TrustedChannelResolver trustedChannelResolver) {
        this(configuration, saslPropertiesResolver, trustedChannelResolver, null);
    }

    public SaslDataTransferClient(Configuration configuration, SaslPropertiesResolver saslPropertiesResolver, TrustedChannelResolver trustedChannelResolver, AtomicBoolean atomicBoolean) {
        this.conf = configuration;
        this.fallbackToSimpleAuth = atomicBoolean;
        this.saslPropsResolver = saslPropertiesResolver;
        this.trustedChannelResolver = trustedChannelResolver;
    }

    public IOStreamPair newSocketSend(Socket socket, OutputStream outputStream, InputStream inputStream, DataEncryptionKeyFactory dataEncryptionKeyFactory, Token<BlockTokenIdentifier> token, DatanodeID datanodeID) throws IOException {
        IOStreamPair send = send(socket.getInetAddress(), outputStream, inputStream, !this.trustedChannelResolver.isTrusted() ? dataEncryptionKeyFactory.newDataEncryptionKey() : null, token, datanodeID);
        return send != null ? send : new IOStreamPair(inputStream, outputStream);
    }

    public Peer peerSend(Peer peer, DataEncryptionKeyFactory dataEncryptionKeyFactory, Token<BlockTokenIdentifier> token, DatanodeID datanodeID) throws IOException {
        IOStreamPair checkTrustAndSend = checkTrustAndSend(DataTransferSaslUtil.getPeerAddress(peer), peer.getOutputStream(), peer.getInputStream(), dataEncryptionKeyFactory, token, datanodeID);
        return checkTrustAndSend != null ? new EncryptedPeer(peer, checkTrustAndSend) : peer;
    }

    public IOStreamPair socketSend(Socket socket, OutputStream outputStream, InputStream inputStream, DataEncryptionKeyFactory dataEncryptionKeyFactory, Token<BlockTokenIdentifier> token, DatanodeID datanodeID) throws IOException {
        IOStreamPair checkTrustAndSend = checkTrustAndSend(socket.getInetAddress(), outputStream, inputStream, dataEncryptionKeyFactory, token, datanodeID);
        return checkTrustAndSend != null ? checkTrustAndSend : new IOStreamPair(inputStream, outputStream);
    }

    private IOStreamPair checkTrustAndSend(InetAddress inetAddress, OutputStream outputStream, InputStream inputStream, DataEncryptionKeyFactory dataEncryptionKeyFactory, Token<BlockTokenIdentifier> token, DatanodeID datanodeID) throws IOException {
        if (!this.trustedChannelResolver.isTrusted() && !this.trustedChannelResolver.isTrusted(inetAddress)) {
            return send(inetAddress, outputStream, inputStream, dataEncryptionKeyFactory.newDataEncryptionKey(), token, datanodeID);
        }
        LOG.debug("SASL client skipping handshake on trusted connection for addr = {}, datanodeId = {}", inetAddress, datanodeID);
        return null;
    }

    private IOStreamPair send(InetAddress inetAddress, OutputStream outputStream, InputStream inputStream, DataEncryptionKey dataEncryptionKey, Token<BlockTokenIdentifier> token, DatanodeID datanodeID) throws IOException {
        if (dataEncryptionKey != null) {
            LOG.debug("SASL client doing encrypted handshake for addr = {}, datanodeId = {}", inetAddress, datanodeID);
            return getEncryptedStreams(outputStream, inputStream, dataEncryptionKey);
        }
        if (!UserGroupInformation.isSecurityEnabled()) {
            LOG.debug("SASL client skipping handshake in unsecured configuration for addr = {}, datanodeId = {}", inetAddress, datanodeID);
            return null;
        }
        if (SecurityUtil.isPrivilegedPort(datanodeID.getXferPort())) {
            LOG.debug("SASL client skipping handshake in secured configuration with privileged port for addr = {}, datanodeId = {}", inetAddress, datanodeID);
            return null;
        }
        if (this.fallbackToSimpleAuth != null && this.fallbackToSimpleAuth.get()) {
            LOG.debug("SASL client skipping handshake in secured configuration with unsecured cluster for addr = {}, datanodeId = {}", inetAddress, datanodeID);
            return null;
        }
        if (this.saslPropsResolver != null) {
            LOG.debug("SASL client doing general handshake for addr = {}, datanodeId = {}", inetAddress, datanodeID);
            return getSaslStreams(inetAddress, outputStream, inputStream, token, datanodeID);
        }
        LOG.debug("SASL client skipping handshake in secured configuration with no SASL protection configured for addr = {}, datanodeId = {}", inetAddress, datanodeID);
        return null;
    }

    private IOStreamPair getEncryptedStreams(OutputStream outputStream, InputStream inputStream, DataEncryptionKey dataEncryptionKey) throws IOException {
        Map<String, String> createSaslPropertiesForEncryption = DataTransferSaslUtil.createSaslPropertiesForEncryption(dataEncryptionKey.encryptionAlgorithm);
        LOG.debug("Client using encryption algorithm {}", dataEncryptionKey.encryptionAlgorithm);
        String userNameFromEncryptionKey = getUserNameFromEncryptionKey(dataEncryptionKey);
        return doSaslHandshake(outputStream, inputStream, userNameFromEncryptionKey, createSaslPropertiesForEncryption, new SaslClientCallbackHandler(userNameFromEncryptionKey, DataTransferSaslUtil.encryptionKeyToPassword(dataEncryptionKey.encryptionKey)));
    }

    private static String getUserNameFromEncryptionKey(DataEncryptionKey dataEncryptionKey) {
        return dataEncryptionKey.keyId + " " + dataEncryptionKey.blockPoolId + " " + new String(Base64.encodeBase64(dataEncryptionKey.nonce, false), Charsets.UTF_8);
    }

    private IOStreamPair getSaslStreams(InetAddress inetAddress, OutputStream outputStream, InputStream inputStream, Token<BlockTokenIdentifier> token, DatanodeID datanodeID) throws IOException {
        Map<String, String> clientProperties = this.saslPropsResolver.getClientProperties(inetAddress);
        String buildUserName = buildUserName(token);
        return doSaslHandshake(outputStream, inputStream, buildUserName, clientProperties, new SaslClientCallbackHandler(buildUserName, buildClientPassword(token)));
    }

    private static String buildUserName(Token<BlockTokenIdentifier> token) {
        return new String(Base64.encodeBase64(token.getIdentifier(), false), Charsets.UTF_8);
    }

    private char[] buildClientPassword(Token<BlockTokenIdentifier> token) {
        return new String(Base64.encodeBase64(token.getPassword(), false), Charsets.UTF_8).toCharArray();
    }

    private IOStreamPair doSaslHandshake(OutputStream outputStream, InputStream inputStream, String str, Map<String, String> map, CallbackHandler callbackHandler) throws IOException {
        String str2;
        DataOutputStream dataOutputStream = new DataOutputStream(outputStream);
        DataInputStream dataInputStream = new DataInputStream(inputStream);
        SaslParticipant createClientSaslParticipant = SaslParticipant.createClientSaslParticipant(str, map, callbackHandler);
        dataOutputStream.writeInt(DataTransferSaslUtil.SASL_TRANSFER_MAGIC_NUMBER);
        dataOutputStream.flush();
        try {
            DataTransferSaslUtil.sendSaslMessage(dataOutputStream, new byte[0]);
            byte[] evaluateChallengeOrResponse = createClientSaslParticipant.evaluateChallengeOrResponse(DataTransferSaslUtil.readSaslMessage(dataInputStream));
            ArrayList arrayList = null;
            if (DataTransferSaslUtil.requestedQopContainsPrivacy(map) && (str2 = this.conf.get(DFSConfigKeys.DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY)) != null && !str2.isEmpty()) {
                if (!str2.equals(CipherSuite.AES_CTR_NOPADDING.getName())) {
                    throw new IOException(String.format("Invalid cipher suite, %s=%s", DFSConfigKeys.DFS_ENCRYPT_DATA_TRANSFER_CIPHER_SUITES_KEY, str2));
                }
                CipherOption cipherOption = new CipherOption(CipherSuite.AES_CTR_NOPADDING);
                arrayList = Lists.newArrayListWithCapacity(1);
                arrayList.add(cipherOption);
            }
            DataTransferSaslUtil.sendSaslMessageAndNegotiationCipherOptions(dataOutputStream, evaluateChallengeOrResponse, arrayList);
            SaslResponseWithNegotiatedCipherOption readSaslMessageAndNegotiatedCipherOption = DataTransferSaslUtil.readSaslMessageAndNegotiatedCipherOption(dataInputStream);
            byte[] evaluateChallengeOrResponse2 = createClientSaslParticipant.evaluateChallengeOrResponse(readSaslMessageAndNegotiatedCipherOption.payload);
            if (!$assertionsDisabled && evaluateChallengeOrResponse2 != null) {
                throw new AssertionError();
            }
            DataTransferSaslUtil.checkSaslComplete(createClientSaslParticipant, map);
            CipherOption cipherOption2 = null;
            if (createClientSaslParticipant.isNegotiatedQopPrivacy()) {
                cipherOption2 = DataTransferSaslUtil.unwrap(readSaslMessageAndNegotiatedCipherOption.cipherOption, createClientSaslParticipant);
            }
            return cipherOption2 != null ? DataTransferSaslUtil.createStreamPair(this.conf, cipherOption2, outputStream, inputStream, false) : createClientSaslParticipant.createStreamPair(dataOutputStream, dataInputStream);
        } catch (IOException e) {
            DataTransferSaslUtil.sendGenericSaslErrorMessage(dataOutputStream, e.getMessage());
            throw e;
        }
    }

    static {
        $assertionsDisabled = !SaslDataTransferClient.class.desiredAssertionStatus();
        LOG = LoggerFactory.getLogger(SaslDataTransferClient.class);
    }
}
