package org.infinispan.server.hotrod;

import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.Subject;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.infinispan.commons.logging.LogFactory;
import org.infinispan.server.core.security.AuthorizingCallbackHandler;
import org.infinispan.server.core.security.InetAddressPrincipal;
import org.infinispan.server.core.security.ServerAuthenticationProvider;
import org.infinispan.server.core.security.external.ExternalSaslServerFactory;
import org.infinispan.server.core.security.simple.SimpleUserPrincipal;
import org.infinispan.server.core.transport.SaslQopHandler;
import org.infinispan.server.hotrod.configuration.AuthenticationConfiguration;
import org.infinispan.server.hotrod.configuration.HotRodServerConfiguration;
import org.infinispan.server.hotrod.logging.Log;
import org.infinispan.util.KeyValuePair;

/* loaded from: input_file:org/infinispan/server/hotrod/AuthenticationHandler.class */
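/**
 * Netty inbound handler that runs the SASL authentication exchange for one Hot Rod
 * connection and attaches the resulting {@link Subject} to every later operation that
 * requires one.
 * <p>
 * State is per channel: at most one SASL negotiation is in flight at a time
 * ({@link #saslServer} is non-null while it is). Until a negotiation completes the
 * channel's subject is {@link #ANONYMOUS}. Whether anonymous clients may still run
 * operations that require authentication is decided by the
 * {@code javax.security.sasl.policy.noanonymous} mechanism property: only when it is
 * the literal string {@code "true"} are such operations rejected.
 * <p>
 * Not thread-safe on its own; Netty invokes a channel's handlers from a single
 * event-loop thread, which is what keeps the mutable fields consistent.
 */
public class AuthenticationHandler extends ChannelInboundHandlerAdapter {
    private static final Log log = (Log) LogFactory.getLog(AuthenticationHandler.class, Log.class);
    /** Subject of a channel that has not (yet) authenticated; always compared by identity. */
    private static final Subject ANONYMOUS = new Subject();
    /** Protocol name handed to {@link SaslServerFactory#createSaslServer}. */
    private static final String SASL_PROTOCOL = "hotrod";
    /** Pipeline handler names used when inserting the QOP wrap/unwrap handler. */
    private static final String DECODER_HANDLER_NAME = "decoder";
    private static final String SASL_QOP_HANDLER_NAME = "saslQop";

    private final HotRodServer server;
    private final HotRodServerConfiguration serverConfig;
    private final AuthenticationConfiguration authenticationConfig;
    /** True when {@code javax.security.sasl.policy.noanonymous=true} is configured. */
    private final boolean requireAuthentication;
    /** In-flight (or QOP-retained) SASL negotiation; null when none is active. */
    private SaslServer saslServer;
    /** Callback handler bound to the current negotiation; null together with {@link #saslServer}. */
    private AuthorizingCallbackHandler callbackHandler;
    /** Subject of the channel; replaced once a negotiation completes. */
    private Subject subject = ANONYMOUS;

    /**
     * Creates a handler for one channel of the given server.
     *
     * @param hotRodServer the owning server; its configuration supplies the authentication settings
     */
    public AuthenticationHandler(HotRodServer hotRodServer) {
        this.server = hotRodServer;
        this.serverConfig = (HotRodServerConfiguration) hotRodServer.getConfiguration();
        this.authenticationConfig = this.serverConfig.authentication();
        // Sasl.POLICY_NOANONYMOUS is "javax.security.sasl.policy.noanonymous". The match is
        // deliberately case-sensitive ("true" only), preserving the existing configuration contract.
        this.requireAuthentication =
                "true".equals(this.authenticationConfig.mechProperties().get(Sasl.POLICY_NOANONYMOUS));
    }

    /**
     * Dispatches decoded Hot Rod operations: answers the two authentication operations itself
     * and forwards everything else, stamped with the channel's subject where the operation
     * requires authentication.
     *
     * @param ctx the channel context
     * @param msg the inbound message; anything other than a {@link CacheDecodeContext} is passed through
     * @throws Exception if the SASL exchange fails, or if an authenticated-only operation arrives on an
     *                   anonymous channel while {@code noanonymous} is enforced
     */
    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (!(msg instanceof CacheDecodeContext)) {
            super.channelRead(ctx, msg);
            return;
        }
        CacheDecodeContext decodeContext = (CacheDecodeContext) msg;
        HotRodHeader header = decodeContext.header;
        switch (header.op) {
            case AUTH_MECH_LIST:
                writeAuthMechList(decodeContext, ctx, header);
                break;
            case AUTH:
                handleAuth(decodeContext, ctx, header);
                break;
            default:
                forwardWithSubject(decodeContext, ctx, header.op);
                break;
        }
    }

    /** Replies with the configured list of allowed SASL mechanisms (served even when auth is disabled). */
    private void writeAuthMechList(CacheDecodeContext decodeContext, ChannelHandlerContext ctx, HotRodHeader header) {
        ResponseWriting.writeResponse(decodeContext, ctx.channel(),
                new AuthMechListResponse(header.version, header.messageId, header.cacheName, header.clientIntel,
                        this.authenticationConfig.allowedMechs(), header.topologyId));
    }

    /**
     * Runs one round of the SASL exchange: starts a negotiation on the first AUTH, feeds the
     * client response to the {@link SaslServer}, writes the server challenge back and, once
     * the exchange is complete, installs the authenticated subject.
     */
    private void handleAuth(CacheDecodeContext decodeContext, ChannelHandlerContext ctx, HotRodHeader header) throws Exception {
        if (!this.serverConfig.authentication().enabled()) {
            decodeContext.decoder.createErrorResponse(header, log.invalidOperation());
            return;
        }
        KeyValuePair<?, ?> mechAndResponse = (KeyValuePair<?, ?>) decodeContext.operationDecodeContext;
        String mech = (String) mechAndResponse.getKey();
        byte[] clientResponse = (byte[]) mechAndResponse.getValue();
        if (this.saslServer == null) {
            startNegotiation(ctx, mech);
        }
        byte[] serverChallenge;
        try {
            serverChallenge = this.saslServer.evaluateResponse(clientResponse);
        } catch (SaslException e) {
            // A failed exchange leaves the SaslServer unusable; drop it so the next AUTH on this
            // channel starts a fresh negotiation instead of hitting the dead server again.
            try {
                disposeSaslServer();
            } catch (SaslException disposeFailure) {
                e.addSuppressed(disposeFailure);
            }
            throw e;
        }
        ResponseWriting.writeResponse(decodeContext, ctx.channel(),
                new AuthResponse(header.version, header.messageId, header.cacheName, header.clientIntel,
                        serverChallenge, header.topologyId));
        if (this.saslServer.isComplete()) {
            completeNegotiation(ctx);
        }
    }

    /**
     * Creates the {@link SaslServer} and callback handler for a new negotiation, running the
     * creation under the configured server subject when there is one.
     */
    private void startNegotiation(ChannelHandlerContext ctx, String mech) throws Exception {
        ServerAuthenticationProvider provider = this.authenticationConfig.serverAuthenticationProvider();
        this.callbackHandler = provider.getCallbackHandler(mech, this.authenticationConfig.mechProperties());
        SaslServerFactory factory = resolveSaslServerFactory(ctx, mech);
        Subject serverSubject = this.authenticationConfig.serverSubject();
        if (serverSubject != null) {
            // Explicit PrivilegedExceptionAction: createSaslServer throws the checked SaslException.
            this.saslServer = Subject.doAs(serverSubject,
                    (PrivilegedExceptionAction<SaslServer>) () -> createSaslServer(factory, mech));
        } else {
            this.saslServer = createSaslServer(factory, mech);
        }
    }

    /**
     * Picks the factory for a mechanism. EXTERNAL authenticates the client by its TLS
     * certificate, so it is only accepted on a TLS channel whose peer presented a verified
     * certificate; any other mechanism comes from the server's registry.
     */
    private SaslServerFactory resolveSaslServerFactory(ChannelHandlerContext ctx, String mech) {
        if (!"EXTERNAL".equals(mech)) {
            return this.server.getSaslServerFactory(mech);
        }
        SslHandler sslHandler = ctx.pipeline().get(SslHandler.class);
        if (sslHandler == null) {
            throw log.externalMechNotAllowedWithoutSSLClientCert();
        }
        try {
            return new ExternalSaslServerFactory(sslHandler.engine().getSession().getPeerPrincipal());
        } catch (SSLPeerUnverifiedException e) {
            throw log.externalMechNotAllowedWithoutSSLClientCert();
        }
    }

    /** Creates the SaslServer for {@code mech} with this handler's configuration and callback handler. */
    private SaslServer createSaslServer(SaslServerFactory factory, String mech) throws SaslException {
        return factory.createSaslServer(mech, SASL_PROTOCOL, this.authenticationConfig.serverName(),
                this.authenticationConfig.mechProperties(), this.callbackHandler);
    }

    /**
     * Finishes a completed negotiation: resolves the channel's subject from the authorization
     * id, the peer address and (if any) the TLS peer certificate, then either keeps the
     * SaslServer for message protection or releases it.
     */
    private void completeNegotiation(ChannelHandlerContext ctx) throws Exception {
        List<Principal> principals = new ArrayList<>(3);
        principals.add(new SimpleUserPrincipal(normalizeAuthorizationId(this.saslServer.getAuthorizationID())));
        principals.add(new InetAddressPrincipal(((InetSocketAddress) ctx.channel().remoteAddress()).getAddress()));
        // Same lookup as for EXTERNAL: by handler type rather than a hard-coded pipeline name.
        SslHandler sslHandler = ctx.pipeline().get(SslHandler.class);
        if (sslHandler != null) {
            try {
                principals.add(sslHandler.engine().getSession().getPeerPrincipal());
            } catch (SSLPeerUnverifiedException ignored) {
                // Client certificates are optional on a TLS channel; without one there is no
                // certificate principal to contribute, which is not an error here.
            }
        }
        this.subject = this.callbackHandler.getSubjectUserInfo(principals).getSubject();
        String qop = (String) this.saslServer.getNegotiatedProperty(Sasl.QOP);
        if (qop != null && (qop.equalsIgnoreCase("auth-int") || qop.equalsIgnoreCase("auth-conf"))) {
            // Integrity or confidentiality was negotiated: the SaslServer stays alive inside the
            // QOP handler to wrap/unwrap all further traffic on this channel.
            ctx.pipeline().addBefore(DECODER_HANDLER_NAME, SASL_QOP_HANDLER_NAME, new SaslQopHandler(this.saslServer));
        } else {
            disposeSaslServer();
        }
    }

    /** Releases the current negotiation state (if any) so a new AUTH starts from scratch. */
    private void disposeSaslServer() throws SaslException {
        if (this.saslServer != null) {
            this.saslServer.dispose();
        }
        this.saslServer = null;
        this.callbackHandler = null;
    }

    /**
     * Enforces the anonymous-access policy and passes the operation down the pipeline with
     * the channel's subject attached when the operation requires authentication.
     */
    private void forwardWithSubject(CacheDecodeContext decodeContext, ChannelHandlerContext ctx, HotRodOperation op) throws Exception {
        boolean needsSubject = op.requiresAuthentication();
        if (this.requireAuthentication && needsSubject && this.subject == ANONYMOUS) {
            throw log.unauthorizedOperation();
        }
        if (needsSubject) {
            decodeContext.subject = this.subject;
        }
        super.channelRead(ctx, decodeContext);
    }

    /**
     * Strips a realm suffix from a SASL authorization id ({@code user@REALM} becomes
     * {@code user}). Everything from the first {@code '@'} onward is dropped; an id without
     * one is returned unchanged.
     *
     * @param authorizationId the id reported by {@link SaslServer#getAuthorizationID()}
     * @return the id without its realm part
     */
    String normalizeAuthorizationId(String authorizationId) {
        int at = authorizationId.indexOf('@');
        return at < 0 ? authorizationId : authorizationId.substring(0, at);
    }
}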
