package org.infinispan.server.hotrod;

import io.netty.buffer.ByteBuf;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFuture;
import io.netty.handler.ssl.SslHandler;
import java.net.InetSocketAddress;
import java.security.PrivilegedActionException;
import java.util.ArrayList;
import java.util.concurrent.Executor;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.Subject;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.infinispan.commons.logging.LogFactory;
import org.infinispan.server.core.security.AuthorizingCallbackHandler;
import org.infinispan.server.core.security.InetAddressPrincipal;
import org.infinispan.server.core.security.external.ExternalSaslServerFactory;
import org.infinispan.server.core.security.simple.SimpleUserPrincipal;
import org.infinispan.server.core.transport.SaslQopHandler;
import org.infinispan.server.hotrod.configuration.AuthenticationConfiguration;
import org.infinispan.server.hotrod.configuration.HotRodServerConfiguration;
import org.infinispan.server.hotrod.logging.Log;

/* loaded from: input_file:org/infinispan/server/hotrod/Authentication.class */
public class Authentication extends BaseRequestProcessor {
    private static final String FORCE_QOP = "org.infinispan.server.sasl.force.qop";
    private final HotRodServerConfiguration serverConfig;
    private final AuthenticationConfiguration authenticationConfig;
    private final boolean enabled;
    private final boolean requireAuthentication;
    private SaslServer saslServer;
    private AuthorizingCallbackHandler callbackHandler;
    private Subject subject;
    private static final Log log = (Log) LogFactory.getLog(Authentication.class, Log.class);
    private static final Subject ANONYMOUS = new Subject();

    public Authentication(Channel channel, Executor executor, HotRodServer hotRodServer) {
        super(channel, executor, hotRodServer);
        this.subject = ANONYMOUS;
        this.serverConfig = (HotRodServerConfiguration) hotRodServer.getConfiguration();
        this.authenticationConfig = this.serverConfig.authentication();
        this.enabled = this.authenticationConfig.enabled();
        this.requireAuthentication = !this.authenticationConfig.mechProperties().containsKey("javax.security.sasl.policy.noanonymous") || this.authenticationConfig.mechProperties().get("javax.security.sasl.policy.noanonymous").equals("true");
    }

    public void authMechList(HotRodHeader hotRodHeader) {
        writeResponse(hotRodHeader, hotRodHeader.encoder().authMechListResponse(hotRodHeader, this.server, this.channel.alloc(), this.authenticationConfig.allowedMechs()));
    }

    public void auth(HotRodHeader hotRodHeader, String str, byte[] bArr) {
        if (this.enabled) {
            this.executor.execute(() -> {
                try {
                    authInternal(hotRodHeader, str, bArr);
                } catch (Throwable th) {
                    writeException(hotRodHeader, th);
                }
            });
            return;
        }
        UnsupportedOperationException invalidOperation = log.invalidOperation();
        ByteBuf errorResponse = hotRodHeader.encoder().errorResponse(hotRodHeader, this.server, this.channel.alloc(), invalidOperation.toString(), OperationStatus.ServerError);
        int readableBytes = errorResponse.readableBytes();
        ChannelFuture writeAndFlush = this.channel.writeAndFlush(errorResponse);
        if (hotRodHeader instanceof AccessLoggingHeader) {
            this.server.accessLogging().logException(writeAndFlush, (AccessLoggingHeader) hotRodHeader, invalidOperation.toString(), readableBytes);
        }
    }

    private void authInternal(HotRodHeader hotRodHeader, String str, byte[] bArr) {
        ExternalSaslServerFactory saslServerFactory;
        if (this.saslServer == null) {
            this.callbackHandler = this.authenticationConfig.serverAuthenticationProvider().getCallbackHandler(str, this.authenticationConfig.mechProperties());
            if ("EXTERNAL".equals(str)) {
                SslHandler sslHandler = this.channel.pipeline().get(SslHandler.class);
                try {
                    if (sslHandler == null) {
                        writeException(hotRodHeader, log.externalMechNotAllowedWithoutSSLClientCert());
                        return;
                    }
                    saslServerFactory = new ExternalSaslServerFactory(sslHandler.engine().getSession().getPeerPrincipal());
                } catch (SSLPeerUnverifiedException e) {
                    writeException(hotRodHeader, log.externalMechNotAllowedWithoutSSLClientCert());
                    return;
                }
            } else {
                saslServerFactory = this.server.getSaslServerFactory(str);
            }
            if (this.authenticationConfig.serverSubject() != null) {
                try {
                    ExternalSaslServerFactory externalSaslServerFactory = saslServerFactory;
                    this.saslServer = (SaslServer) Subject.doAs(this.authenticationConfig.serverSubject(), () -> {
                        return externalSaslServerFactory.createSaslServer(str, "hotrod", this.authenticationConfig.serverName(), this.authenticationConfig.mechProperties(), this.callbackHandler);
                    });
                } catch (PrivilegedActionException e2) {
                    writeException(hotRodHeader, e2.getCause());
                    return;
                }
            } else {
                try {
                    this.saslServer = saslServerFactory.createSaslServer(str, "hotrod", this.authenticationConfig.serverName(), this.authenticationConfig.mechProperties(), this.callbackHandler);
                } catch (SaslException e3) {
                    writeException(hotRodHeader, e3);
                    return;
                }
            }
        }
        try {
            byte[] evaluateResponse = this.saslServer.evaluateResponse(bArr);
            if (this.saslServer.isComplete()) {
                ArrayList arrayList = new ArrayList();
                arrayList.add(new SimpleUserPrincipal(normalizeAuthorizationId(this.saslServer.getAuthorizationID())));
                arrayList.add(new InetAddressPrincipal(((InetSocketAddress) this.channel.remoteAddress()).getAddress()));
                SslHandler sslHandler2 = this.channel.pipeline().get("ssl");
                if (sslHandler2 != null) {
                    try {
                        arrayList.add(sslHandler2.engine().getSession().getPeerPrincipal());
                    } catch (SSLPeerUnverifiedException e4) {
                    }
                }
                this.subject = this.callbackHandler.getSubjectUserInfo(arrayList).getSubject();
            }
            if (!this.saslServer.isComplete()) {
                writeResponse(hotRodHeader, hotRodHeader.encoder().authResponse(hotRodHeader, this.server, this.channel.alloc(), evaluateResponse));
                return;
            }
            String str2 = this.authenticationConfig.mechProperties().containsKey(FORCE_QOP) ? this.authenticationConfig.mechProperties().get(FORCE_QOP) : (String) this.saslServer.getNegotiatedProperty("javax.security.sasl.qop");
            if ("auth-int".equals(str2) || "auth-conf".equals(str2)) {
                this.channel.eventLoop().submit(() -> {
                    writeResponse(hotRodHeader, hotRodHeader.encoder().authResponse(hotRodHeader, this.server, this.channel.alloc(), evaluateResponse));
                    this.channel.pipeline().addBefore("decoder", "saslQop", new SaslQopHandler(this.saslServer));
                });
                return;
            }
            writeResponse(hotRodHeader, hotRodHeader.encoder().authResponse(hotRodHeader, this.server, this.channel.alloc(), evaluateResponse));
            dispose(this.saslServer);
            this.callbackHandler = null;
            this.saslServer = null;
        } catch (SaslException e5) {
            dispose(this.saslServer);
            writeException(hotRodHeader, e5);
        }
    }

    private void dispose(SaslServer saslServer) {
        try {
            saslServer.dispose();
        } catch (SaslException e) {
            log.debug("Exception while disposing SaslServer", e);
        }
    }

    public Subject getSubject(HotRodOperation hotRodOperation) {
        if (!this.enabled) {
            return null;
        }
        if (this.requireAuthentication && hotRodOperation.requiresAuthentication() && this.subject == ANONYMOUS) {
            throw log.unauthorizedOperation(hotRodOperation.name());
        }
        if (hotRodOperation.requiresAuthentication()) {
            return this.subject;
        }
        return null;
    }

    String normalizeAuthorizationId(String str) {
        int indexOf = str.indexOf(64);
        return indexOf >= 0 ? str.substring(0, indexOf) : str;
    }
}
