package org.apache.kafka.common.security.authenticator;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.kafka.clients.NetworkClient;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.errors.IllegalSaslStateException;
import org.apache.kafka.common.errors.UnsupportedSaslMechanismException;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.network.NetworkReceive;
import org.apache.kafka.common.network.NetworkSend;
import org.apache.kafka.common.network.Send;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.kafka.common.protocol.Errors;
import org.apache.kafka.common.protocol.types.SchemaException;
import org.apache.kafka.common.requests.AbstractResponse;
import org.apache.kafka.common.requests.RequestHeader;
import org.apache.kafka.common.requests.SaslHandshakeRequest;
import org.apache.kafka.common.requests.SaslHandshakeResponse;
import org.apache.kafka.common.security.auth.AuthCallbackHandler;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.PrincipalBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-415.zip:modules/system/layers/fuse/org/apache/kafka/clients/main/kafka-clients-0.10.2.0.jar:org/apache/kafka/common/security/authenticator/SaslClientAuthenticator.class */
public class SaslClientAuthenticator implements Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger(SaslClientAuthenticator.class);
    private final Subject subject;
    private final String servicePrincipal;
    private final String host;
    private final String node;
    private final String mechanism;
    private final boolean handshakeRequestEnable;
    private SaslClient saslClient;
    private Map<String, ?> configs;
    private String clientPrincipalName;
    private AuthCallbackHandler callbackHandler;
    private TransportLayer transportLayer;
    private NetworkReceive netInBuffer;
    private Send netOutBuffer;
    private SaslState saslState;
    private SaslState pendingSaslState;
    private int correlationId = -1;
    private RequestHeader currentRequestHeader;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.kafka.common.security.authenticator.SaslClientAuthenticator$3, reason: invalid class name */
    /* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-415.zip:modules/system/layers/fuse/org/apache/kafka/clients/main/kafka-clients-0.10.2.0.jar:org/apache/kafka/common/security/authenticator/SaslClientAuthenticator$3.class */
    public static /* synthetic */ class AnonymousClass3 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$protocol$Errors = new int[Errors.values().length];

        static {
            try {
                $SwitchMap$org$apache$kafka$common$protocol$Errors[Errors.NONE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$protocol$Errors[Errors.UNSUPPORTED_SASL_MECHANISM.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$protocol$Errors[Errors.ILLEGAL_SASL_STATE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            $SwitchMap$org$apache$kafka$common$protocol$ApiKeys = new int[ApiKeys.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$protocol$ApiKeys[ApiKeys.SASL_HANDSHAKE.ordinal()] = 1;
            } catch (NoSuchFieldError e4) {
            }
            $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState = new int[SaslState.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.SEND_HANDSHAKE_REQUEST.ordinal()] = 1;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.RECEIVE_HANDSHAKE_RESPONSE.ordinal()] = 2;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.INITIAL.ordinal()] = 3;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.INTERMEDIATE.ordinal()] = 4;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.COMPLETE.ordinal()] = 5;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.FAILED.ordinal()] = 6;
            } catch (NoSuchFieldError e10) {
            }
        }
    }

    /* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-415.zip:modules/system/layers/fuse/org/apache/kafka/clients/main/kafka-clients-0.10.2.0.jar:org/apache/kafka/common/security/authenticator/SaslClientAuthenticator$SaslState.class */
    public enum SaslState {
        SEND_HANDSHAKE_REQUEST,
        RECEIVE_HANDSHAKE_RESPONSE,
        INITIAL,
        INTERMEDIATE,
        COMPLETE,
        FAILED
    }

    public SaslClientAuthenticator(String str, Subject subject, String str2, String str3, String str4, boolean z) throws IOException {
        this.node = str;
        this.subject = subject;
        this.host = str3;
        this.servicePrincipal = str2;
        this.mechanism = str4;
        this.handshakeRequestEnable = z;
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public void configure(TransportLayer transportLayer, PrincipalBuilder principalBuilder, Map<String, ?> map) throws KafkaException {
        try {
            this.transportLayer = transportLayer;
            this.configs = map;
            setSaslState(this.handshakeRequestEnable ? SaslState.SEND_HANDSHAKE_REQUEST : SaslState.INITIAL);
            if (this.subject.getPrincipals().isEmpty()) {
                this.clientPrincipalName = null;
            } else {
                this.clientPrincipalName = this.subject.getPrincipals().iterator().next().getName();
            }
            this.callbackHandler = new SaslClientCallbackHandler();
            this.callbackHandler.configure(map, Mode.CLIENT, this.subject, this.mechanism);
            this.saslClient = createSaslClient();
        } catch (Exception e) {
            throw new KafkaException("Failed to configure SaslClientAuthenticator", e);
        }
    }

    private SaslClient createSaslClient() {
        try {
            return (SaslClient) Subject.doAs(this.subject, new PrivilegedExceptionAction<SaslClient>() { // from class: org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public SaslClient run() throws SaslException {
                    String[] strArr = {SaslClientAuthenticator.this.mechanism};
                    SaslClientAuthenticator.LOG.debug("Creating SaslClient: client={};service={};serviceHostname={};mechs={}", new Object[]{SaslClientAuthenticator.this.clientPrincipalName, SaslClientAuthenticator.this.servicePrincipal, SaslClientAuthenticator.this.host, Arrays.toString(strArr)});
                    return Sasl.createSaslClient(strArr, SaslClientAuthenticator.this.clientPrincipalName, SaslClientAuthenticator.this.servicePrincipal, SaslClientAuthenticator.this.host, SaslClientAuthenticator.this.configs, SaslClientAuthenticator.this.callbackHandler);
                }
            });
        } catch (PrivilegedActionException e) {
            throw new KafkaException("Failed to create SaslClient with mechanism " + this.mechanism, e.getCause());
        }
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public void authenticate() throws IOException {
        if (this.netOutBuffer == null || flushNetOutBufferAndUpdateInterestOps()) {
            switch (this.saslState) {
                case SEND_HANDSHAKE_REQUEST:
                    String str = (String) this.configs.get("client.id");
                    SaslHandshakeRequest saslHandshakeRequest = new SaslHandshakeRequest(this.mechanism);
                    short s = ApiKeys.SASL_HANDSHAKE.id;
                    short version = saslHandshakeRequest.version();
                    int i = this.correlationId;
                    this.correlationId = i + 1;
                    this.currentRequestHeader = new RequestHeader(s, version, str, i);
                    send(saslHandshakeRequest.toSend(this.node, this.currentRequestHeader));
                    setSaslState(SaslState.RECEIVE_HANDSHAKE_RESPONSE);
                    return;
                case RECEIVE_HANDSHAKE_RESPONSE:
                    byte[] receiveResponseOrToken = receiveResponseOrToken();
                    if (receiveResponseOrToken == null) {
                        return;
                    }
                    try {
                        handleKafkaResponse(this.currentRequestHeader, receiveResponseOrToken);
                        this.currentRequestHeader = null;
                        setSaslState(SaslState.INITIAL);
                        break;
                    } catch (Exception e) {
                        setSaslState(SaslState.FAILED);
                        throw e;
                    }
                case INITIAL:
                    break;
                case INTERMEDIATE:
                    byte[] receiveResponseOrToken2 = receiveResponseOrToken();
                    if (receiveResponseOrToken2 != null) {
                        sendSaslToken(receiveResponseOrToken2, false);
                    }
                    if (this.saslClient.isComplete()) {
                        setSaslState(SaslState.COMPLETE);
                        this.transportLayer.removeInterestOps(4);
                        return;
                    }
                    return;
                case COMPLETE:
                default:
                    return;
                case FAILED:
                    throw new IOException("SASL handshake failed");
            }
            sendSaslToken(new byte[0], true);
            setSaslState(SaslState.INTERMEDIATE);
        }
    }

    private void setSaslState(SaslState saslState) {
        if (this.netOutBuffer != null && !this.netOutBuffer.completed()) {
            this.pendingSaslState = saslState;
            return;
        }
        this.pendingSaslState = null;
        this.saslState = saslState;
        LOG.debug("Set SASL client state to {}", saslState);
    }

    private void sendSaslToken(byte[] bArr, boolean z) throws IOException {
        byte[] createSaslToken;
        if (this.saslClient.isComplete() || (createSaslToken = createSaslToken(bArr, z)) == null) {
            return;
        }
        send(new NetworkSend(this.node, ByteBuffer.wrap(createSaslToken)));
    }

    private void send(Send send) throws IOException {
        try {
            this.netOutBuffer = send;
            flushNetOutBufferAndUpdateInterestOps();
        } catch (IOException e) {
            setSaslState(SaslState.FAILED);
            throw e;
        }
    }

    private boolean flushNetOutBufferAndUpdateInterestOps() throws IOException {
        boolean flushNetOutBuffer = flushNetOutBuffer();
        if (flushNetOutBuffer) {
            this.transportLayer.removeInterestOps(4);
            if (this.pendingSaslState != null) {
                setSaslState(this.pendingSaslState);
            }
        } else {
            this.transportLayer.addInterestOps(4);
        }
        return flushNetOutBuffer;
    }

    private byte[] receiveResponseOrToken() throws IOException {
        if (this.netInBuffer == null) {
            this.netInBuffer = new NetworkReceive(this.node);
        }
        this.netInBuffer.readFrom(this.transportLayer);
        byte[] bArr = null;
        if (this.netInBuffer.complete()) {
            this.netInBuffer.payload().rewind();
            bArr = new byte[this.netInBuffer.payload().remaining()];
            this.netInBuffer.payload().get(bArr, 0, bArr.length);
            this.netInBuffer = null;
        }
        return bArr;
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public Principal principal() {
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, this.clientPrincipalName);
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public boolean complete() {
        return this.saslState == SaslState.COMPLETE;
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        if (this.saslClient != null) {
            this.saslClient.dispose();
        }
        if (this.callbackHandler != null) {
            this.callbackHandler.close();
        }
    }

    private byte[] createSaslToken(final byte[] bArr, boolean z) throws SaslException {
        if (bArr == null) {
            throw new SaslException("Error authenticating with the Kafka Broker: received a `null` saslToken.");
        }
        if (z) {
            try {
                if (!this.saslClient.hasInitialResponse()) {
                    return bArr;
                }
            } catch (PrivilegedActionException e) {
                String str = "An error: (" + e + ") occurred when evaluating SASL token received from the Kafka Broker.";
                if (e.toString().contains("(Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)")) {
                    str = str + " This may be caused by Java's being unable to resolve the Kafka Broker's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment. Users must configure FQDN of kafka brokers when authenticating using SASL and `socketChannel.socket().getInetAddress().getHostName()` must match the hostname in `principal/hostname@realm`";
                }
                throw new SaslException(str + " Kafka Client will go to AUTH_FAILED state.", e.getCause());
            }
        }
        return (byte[]) Subject.doAs(this.subject, new PrivilegedExceptionAction<byte[]>() { // from class: org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public byte[] run() throws SaslException {
                return SaslClientAuthenticator.this.saslClient.evaluateChallenge(bArr);
            }
        });
    }

    private boolean flushNetOutBuffer() throws IOException {
        if (!this.netOutBuffer.completed()) {
            this.netOutBuffer.writeTo(this.transportLayer);
        }
        return this.netOutBuffer.completed();
    }

    private void handleKafkaResponse(RequestHeader requestHeader, byte[] bArr) {
        try {
            AbstractResponse parseResponse = NetworkClient.parseResponse(ByteBuffer.wrap(bArr), requestHeader);
            ApiKeys forId = ApiKeys.forId(requestHeader.apiKey());
            switch (forId) {
                case SASL_HANDSHAKE:
                    handleSaslHandshakeResponse((SaslHandshakeResponse) parseResponse);
                    return;
                default:
                    throw new IllegalStateException("Unexpected API key during handshake: " + forId);
            }
        } catch (IllegalArgumentException | SchemaException e) {
            LOG.debug("Invalid SASL mechanism response, server may be expecting only GSSAPI tokens");
            throw new AuthenticationException("Invalid SASL mechanism response", e);
        }
    }

    private void handleSaslHandshakeResponse(SaslHandshakeResponse saslHandshakeResponse) {
        switch (AnonymousClass3.$SwitchMap$org$apache$kafka$common$protocol$Errors[Errors.forCode(saslHandshakeResponse.errorCode()).ordinal()]) {
            case 1:
                return;
            case 2:
                throw new UnsupportedSaslMechanismException(String.format("Client SASL mechanism '%s' not enabled in the server, enabled mechanisms are %s", this.mechanism, saslHandshakeResponse.enabledMechanisms()));
            case 3:
                throw new IllegalSaslStateException(String.format("Unexpected handshake request with client mechanism %s, enabled mechanisms are %s", this.mechanism, saslHandshakeResponse.enabledMechanisms()));
            default:
                throw new AuthenticationException(String.format("Unknown error code %d, client mechanism is %s, enabled mechanisms are %s", Short.valueOf(saslHandshakeResponse.errorCode()), this.mechanism, saslHandshakeResponse.enabledMechanisms()));
        }
    }
}
