package org.apache.storm.messaging.netty;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerClientInitialResponse;
import org.apache.storm.security.auth.ClientAuthUtils;
import org.apache.storm.security.auth.KerberosPrincipalToLocal;
import org.apache.storm.shade.org.apache.zookeeper.server.auth.KerberosName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/storm/messaging/netty/KerberosSaslNettyServer.class */
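/**
 * Server side of the GSSAPI (Kerberos) SASL handshake for Storm's Netty transport.
 *
 * <p>On construction it installs the JAAS configuration derived from the topology
 * configuration, logs in under the given JAAS section, and creates a GSSAPI
 * {@link SaslServer} while running as the logged-in {@link Subject}. Client tokens are
 * then fed through {@link #response(byte[])} until {@link #isComplete()} reports true.
 *
 * <p>NOTE(review): no synchronization is done here; it looks like one instance is
 * driven by a single channel thread — confirm against the Netty handler that owns it.
 */
public class KerberosSaslNettyServer {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosSaslNettyServer.class);

    /** The only SASL mechanism this server negotiates. */
    private static final String AUTH_METHOD = "GSSAPI";

    private final SaslServer saslServer;
    private final Subject subject;
    /** Retained for compatibility; authorization is performed by the callback handler, not read here. */
    private final List<String> authorizedUsers;

    /**
     * Answers the {@link AuthorizeCallback} issued by the GSSAPI mechanism: a client is
     * authorized only when its authentication id equals its authorization id and the
     * local (short) name of that principal is in the configured list of authorized users.
     */
    public static class KerberosSaslCallbackHandler implements CallbackHandler {
        private final List<String> authorizedUsers;

        /**
         * @param authorizedUsers local user names (as produced by {@link KerberosPrincipalToLocal})
         *                        that are allowed to connect
         */
        public KerberosSaslCallbackHandler(List<String> authorizedUsers) {
            LOG.debug("KerberosSaslCallback: Creating KerberosSaslCallback handler.");
            this.authorizedUsers = authorizedUsers;
        }

        /**
         * Handles the callbacks from the SASL mechanism. Only {@link AuthorizeCallback} is
         * acted upon; every other callback type is logged and left untouched (it is not
         * rejected with {@link UnsupportedCallbackException}).
         *
         * @param callbacks callbacks issued by the SASL server
         * @throws IOException never thrown here; declared by the interface
         * @throws UnsupportedCallbackException never thrown here; declared by the interface
         */
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                LOG.info("Kerberos Callback Handler got callback: {}", callback.getClass());
                if (!(callback instanceof AuthorizeCallback)) {
                    continue;
                }
                AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
                String authenticationId = authorizeCallback.getAuthenticationID();
                String authorizationId = authorizeCallback.getAuthorizationID();
                // Proxy authorization (acting on behalf of another identity) is never granted.
                if (!authenticationId.equals(authorizationId)) {
                    LOG.debug("{} != {}", authenticationId, authorizationId);
                    continue;
                }
                LOG.debug("Authorized Users: {}", authorizedUsers);
                LOG.debug("Checking authorization for: {}", authorizationId);
                // Map the Kerberos principal to its local name once, outside the membership
                // check; a plain membership test also terminates when no user matches.
                String localName = new KerberosPrincipalToLocal().toLocal(new KerberosPrincipal(authorizationId));
                if (authorizedUsers.contains(localName)) {
                    authorizeCallback.setAuthorized(true);
                }
                // Otherwise the callback keeps its default (not authorized) state.
            }
        }
    }

    /**
     * Logs in under {@code jaasSection} and creates the GSSAPI server.
     *
     * @param topoConf        topology configuration; used to derive the JAAS {@link Configuration}
     * @param jaasSection     name of the JAAS login section to use
     * @param authorizedUsers local user names allowed to connect; passed to the callback handler
     * @throws RuntimeException if the login fails, yields no Kerberos ticket, or the
     *                          {@link SaslServer} cannot be created
     */
    public KerberosSaslNettyServer(Map<String, Object> topoConf, String jaasSection, List<String> authorizedUsers) {
        this.authorizedUsers = authorizedUsers;
        LOG.debug("Getting Configuration.");
        try {
            Configuration configuration = ClientAuthUtils.getConfiguration(topoConf);
            LOG.debug("KerberosSaslNettyServer: authmethod {}", AUTH_METHOD);
            final KerberosSaslCallbackHandler callbackHandler = new KerberosSaslCallbackHandler(authorizedUsers);
            this.subject = login(configuration, jaasSection, callbackHandler);
            this.saslServer = createSaslServer(this.subject, callbackHandler);
        } catch (Throwable th) {
            // Every failure path above ends here, so it is logged once before propagating unchanged.
            LOG.error("Failed to get loginConf: ", th);
            throw th;
        }
    }

    /**
     * Installs {@code configuration} as the JVM-wide JAAS configuration and logs in.
     *
     * @return the logged-in subject, which is guaranteed to hold at least one {@link KerberosTicket}
     * @throws RuntimeException if the login fails or produced no Kerberos ticket
     */
    private static Subject login(Configuration configuration, String jaasSection,
                                 KerberosSaslCallbackHandler callbackHandler) {
        try {
            LOG.debug("Setting Configuration to login_config: {}", configuration);
            // Process-wide side effect: replaces the JAAS configuration for the whole JVM.
            Configuration.setConfiguration(configuration);
            LOG.debug("Trying to login.");
            Subject loggedIn = new Login(jaasSection, callbackHandler).getSubject();
            // Subject.toString() renders private credentials (the ticket and its session key),
            // so only the principals are written to the log.
            LOG.debug("Got Subject with principals: {}", loggedIn.getPrincipals());
            if (loggedIn.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
                LOG.error("Failed to verifyuser principal.");
                throw new RuntimeException("Fail to verify user principal with section \"" + jaasSection
                        + "\" in login configuration file " + configuration);
            }
            return loggedIn;
        } catch (LoginException e) {
            LOG.error("Server failed to login in principal:", (Throwable) e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates the GSSAPI {@link SaslServer} for the subject's first principal, running as
     * that subject so the mechanism can use its Kerberos credentials.
     *
     * @throws RuntimeException if the server could not be created; the constructor fails
     *                          here instead of leaving a {@code null} server behind
     */
    private static SaslServer createSaslServer(Subject subject, final KerberosSaslCallbackHandler callbackHandler) {
        try {
            LOG.info("Creating Kerberos Server.");
            KerberosName kerberosName = new KerberosName(subject.getPrincipals().iterator().next().getName());
            final String hostName = kerberosName.getHostName();
            final String serviceName = kerberosName.getServiceName();
            LOG.debug("Server with host: {}", hostName);
            SaslServer server = Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {
                @Override
                public SaslServer run() {
                    try {
                        Map<String, String> props = new TreeMap<String, String>();
                        // Authentication only: no integrity or confidentiality layer is negotiated,
                        // and the server is not required to authenticate itself to the client.
                        props.put(Sasl.QOP, "auth");
                        props.put(Sasl.SERVER_AUTH, "false");
                        return Sasl.createSaslServer(AUTH_METHOD, serviceName, hostName, props, callbackHandler);
                    } catch (Exception e) {
                        LOG.error("Subject failed to create sasl server.", e);
                        return null;
                    }
                }
            });
            LOG.info("Got Server: {}", server);
            if (server == null) {
                // run() above swallows the cause (already logged) and returns null; fail fast rather
                // than throwing NullPointerException on the first isComplete()/response() call.
                throw new RuntimeException("Could not create " + AUTH_METHOD + " SaslServer for service "
                        + serviceName + " on host " + hostName);
            }
            return server;
        } catch (PrivilegedActionException e) {
            LOG.error("KerberosSaslNettyServer: Could not create SaslServer: ", (Throwable) e);
            throw new RuntimeException(e);
        }
    }

    /**
     * @return whether the SASL handshake has finished
     */
    public boolean isComplete() {
        return saslServer.isComplete();
    }

    /**
     * @return the authorization id the handshake established
     * @throws IllegalStateException if the handshake is not yet complete (from {@link SaslServer#getAuthorizationID()})
     */
    public String getUserName() {
        return saslServer.getAuthorizationID();
    }

    /**
     * Evaluates one client token as the logged-in subject.
     *
     * @param token the token received from the client
     * @return the server's reply token, or {@code null} when the mechanism has nothing to send
     * @throws RuntimeException wrapping the {@link SaslException} if the token is rejected
     */
    public byte[] response(final byte[] token) {
        try {
            return Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() {
                    try {
                        LOG.debug("response: Responding to input token of length: {}", token.length);
                        return saslServer.evaluateResponse(token);
                    } catch (SaslException e) {
                        // The exception is passed as the trailing throwable (no placeholder) so
                        // SLF4J logs its stack trace instead of just its toString().
                        LOG.error("response: Failed to evaluate client token of length: {}", token.length, e);
                        throw new RuntimeException(e);
                    }
                }
            });
        } catch (PrivilegedActionException e) {
            LOG.error("Failed to generate response for token: ", (Throwable) e);
            throw new RuntimeException(e);
        }
    }
}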
