package org.apache.kafka.common.network;

import hypertest.org.slf4j.Logger;
import java.io.IOException;
import java.net.Socket;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.config.internals.BrokerSecurityConfigs;
import org.apache.kafka.common.memory.MemoryPool;
import org.apache.kafka.common.requests.ApiVersionsResponse;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.Login;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.authenticator.CredentialCache;
import org.apache.kafka.common.security.authenticator.DefaultLogin;
import org.apache.kafka.common.security.authenticator.LoginManager;
import org.apache.kafka.common.security.authenticator.SaslClientAuthenticator;
import org.apache.kafka.common.security.authenticator.SaslClientCallbackHandler;
import org.apache.kafka.common.security.authenticator.SaslServerAuthenticator;
import org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler;
import org.apache.kafka.common.security.kerberos.KerberosClientCallbackHandler;
import org.apache.kafka.common.security.kerberos.KerberosLogin;
import org.apache.kafka.common.security.kerberos.KerberosName;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerRefreshingLogin;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslClientCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredValidatorCallbackHandler;
import org.apache.kafka.common.security.plain.internals.PlainSaslServer;
import org.apache.kafka.common.security.plain.internals.PlainServerCallbackHandler;
import org.apache.kafka.common.security.scram.ScramCredential;
import org.apache.kafka.common.security.scram.internals.ScramMechanism;
import org.apache.kafka.common.security.scram.internals.ScramServerCallbackHandler;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.common.security.token.delegation.internals.DelegationTokenCache;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.common.utils.Utils;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/apache/kafka/common/network/SaslChannelBuilder.classdata */
public class SaslChannelBuilder implements ChannelBuilder, ListenerReconfigurable {
    static final String GSS_NATIVE_PROP = "sun.security.jgss.native";
    private final SecurityProtocol securityProtocol;
    private final ListenerName listenerName;
    private final boolean isInterBrokerListener;
    private final String clientSaslMechanism;
    private final Mode mode;
    private final Map<String, JaasContext> jaasContexts;
    private final boolean handshakeRequestEnable;
    private final CredentialCache credentialCache;
    private final DelegationTokenCache tokenCache;
    private final Map<String, LoginManager> loginManagers;
    private final Map<String, Subject> subjects;
    private final Supplier<ApiVersionsResponse> apiVersionSupplier;
    private SslFactory sslFactory;
    private Map<String, ?> configs;
    private final String sslClientAuthOverride;
    private KerberosShortNamer kerberosShortNamer;
    private Map<String, AuthenticateCallbackHandler> saslCallbackHandlers = new HashMap();
    private Map<String, Long> connectionsMaxReauthMsByMechanism = new HashMap();
    private final Time time;
    private final LogContext logContext;
    private final Logger log;

    public SaslChannelBuilder(Mode mode, Map<String, JaasContext> map, SecurityProtocol securityProtocol, ListenerName listenerName, boolean z, String str, boolean z2, CredentialCache credentialCache, DelegationTokenCache delegationTokenCache, String str2, Time time, LogContext logContext, Supplier<ApiVersionsResponse> supplier) {
        this.mode = mode;
        this.jaasContexts = map;
        this.loginManagers = new HashMap(map.size());
        this.subjects = new HashMap(map.size());
        this.securityProtocol = securityProtocol;
        this.listenerName = listenerName;
        this.isInterBrokerListener = z;
        this.handshakeRequestEnable = z2;
        this.clientSaslMechanism = str;
        this.credentialCache = credentialCache;
        this.tokenCache = delegationTokenCache;
        this.sslClientAuthOverride = str2;
        this.time = time;
        this.logContext = logContext;
        this.log = logContext.logger(getClass());
        this.apiVersionSupplier = supplier;
        if (mode == Mode.SERVER && supplier == null) {
            throw new IllegalArgumentException("Server channel builder must provide an ApiVersionResponse supplier");
        }
    }

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) throws KafkaException {
        String str;
        try {
            this.configs = map;
            if (this.mode == Mode.SERVER) {
                createServerCallbackHandlers(map);
                createConnectionsMaxReauthMsMap(map);
            } else {
                createClientCallbackHandler(map);
            }
            for (Map.Entry<String, AuthenticateCallbackHandler> entry : this.saslCallbackHandlers.entrySet()) {
                String key = entry.getKey();
                entry.getValue().configure(map, key, this.jaasContexts.get(key).configurationEntries());
            }
            Class<? extends Login> defaultLoginClass = defaultLoginClass();
            if (this.mode == Mode.SERVER && this.jaasContexts.containsKey("GSSAPI")) {
                try {
                    str = defaultKerberosRealm();
                } catch (Exception e) {
                    str = "";
                }
                List list = (List) map.get(BrokerSecurityConfigs.SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG);
                if (list != null) {
                    this.kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(str, list);
                }
            }
            for (Map.Entry<String, JaasContext> entry2 : this.jaasContexts.entrySet()) {
                String key2 = entry2.getKey();
                LoginManager acquireLoginManager = LoginManager.acquireLoginManager(entry2.getValue(), key2, defaultLoginClass, map);
                this.loginManagers.put(key2, acquireLoginManager);
                Subject subject = acquireLoginManager.subject();
                this.subjects.put(key2, subject);
                if (this.mode == Mode.SERVER && key2.equals("GSSAPI")) {
                    maybeAddNativeGssapiCredentials(subject);
                }
            }
            if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
                this.sslFactory = new SslFactory(this.mode, this.sslClientAuthOverride, this.isInterBrokerListener);
                this.sslFactory.configure(map);
            }
        } catch (Throwable th) {
            close();
            throw new KafkaException(th);
        }
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public Set<String> reconfigurableConfigs() {
        return this.securityProtocol == SecurityProtocol.SASL_SSL ? SslConfigs.RECONFIGURABLE_CONFIGS : Collections.emptySet();
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public void validateReconfiguration(Map<String, ?> map) {
        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            this.sslFactory.validateReconfiguration(map);
        }
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public void reconfigure(Map<String, ?> map) {
        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            this.sslFactory.reconfigure(map);
        }
    }

    @Override // org.apache.kafka.common.network.ListenerReconfigurable
    public ListenerName listenerName() {
        return this.listenerName;
    }

    @Override // org.apache.kafka.common.network.ChannelBuilder
    public KafkaChannel buildChannel(String str, SelectionKey selectionKey, int i, MemoryPool memoryPool, ChannelMetadataRegistry channelMetadataRegistry) throws KafkaException {
        Supplier supplier;
        try {
            SocketChannel socketChannel = (SocketChannel) selectionKey.channel();
            Socket socket = socketChannel.socket();
            TransportLayer buildTransportLayer = buildTransportLayer(str, selectionKey, socketChannel, channelMetadataRegistry);
            if (this.mode == Mode.SERVER) {
                supplier = () -> {
                    return buildServerAuthenticator(this.configs, Collections.unmodifiableMap(this.saslCallbackHandlers), str, buildTransportLayer, Collections.unmodifiableMap(this.subjects), Collections.unmodifiableMap(this.connectionsMaxReauthMsByMechanism), channelMetadataRegistry);
                };
            } else {
                LoginManager loginManager = this.loginManagers.get(this.clientSaslMechanism);
                supplier = () -> {
                    return buildClientAuthenticator(this.configs, this.saslCallbackHandlers.get(this.clientSaslMechanism), str, socket.getInetAddress().getHostName(), loginManager.serviceName(), buildTransportLayer, this.subjects.get(this.clientSaslMechanism));
                };
            }
            return new KafkaChannel(str, buildTransportLayer, supplier, i, memoryPool != null ? memoryPool : MemoryPool.NONE, channelMetadataRegistry);
        } catch (Exception e) {
            this.log.info("Failed to create channel due to ", (Throwable) e);
            throw new KafkaException(e);
        }
    }

    @Override // org.apache.kafka.common.network.ChannelBuilder, java.lang.AutoCloseable
    public void close() {
        Iterator<LoginManager> it = this.loginManagers.values().iterator();
        while (it.hasNext()) {
            it.next().release();
        }
        this.loginManagers.clear();
        Iterator<AuthenticateCallbackHandler> it2 = this.saslCallbackHandlers.values().iterator();
        while (it2.hasNext()) {
            it2.next().close();
        }
        if (this.sslFactory != null) {
            this.sslFactory.close();
        }
    }

    protected TransportLayer buildTransportLayer(String str, SelectionKey selectionKey, SocketChannel socketChannel, ChannelMetadataRegistry channelMetadataRegistry) throws IOException {
        return this.securityProtocol == SecurityProtocol.SASL_SSL ? SslTransportLayer.create(str, selectionKey, this.sslFactory.createSslEngine(socketChannel.socket()), channelMetadataRegistry) : new PlaintextTransportLayer(selectionKey);
    }

    protected SaslServerAuthenticator buildServerAuthenticator(Map<String, ?> map, Map<String, AuthenticateCallbackHandler> map2, String str, TransportLayer transportLayer, Map<String, Subject> map3, Map<String, Long> map4, ChannelMetadataRegistry channelMetadataRegistry) {
        return new SaslServerAuthenticator(map, map2, str, map3, this.kerberosShortNamer, this.listenerName, this.securityProtocol, transportLayer, map4, channelMetadataRegistry, this.time, this.apiVersionSupplier);
    }

    protected SaslClientAuthenticator buildClientAuthenticator(Map<String, ?> map, AuthenticateCallbackHandler authenticateCallbackHandler, String str, String str2, String str3, TransportLayer transportLayer, Subject subject) {
        return new SaslClientAuthenticator(map, authenticateCallbackHandler, str, subject, str3, str2, this.clientSaslMechanism, this.handshakeRequestEnable, transportLayer, this.time, this.logContext);
    }

    Map<String, LoginManager> loginManagers() {
        return this.loginManagers;
    }

    private static String defaultKerberosRealm() {
        return new KerberosPrincipal("tmp", 1).getRealm();
    }

    private void createClientCallbackHandler(Map<String, ?> map) {
        Class<? extends AuthenticateCallbackHandler> cls = (Class) map.get(SaslConfigs.SASL_CLIENT_CALLBACK_HANDLER_CLASS);
        if (cls == null) {
            cls = clientCallbackHandlerClass();
        }
        this.saslCallbackHandlers.put(this.clientSaslMechanism, (AuthenticateCallbackHandler) Utils.newInstance(cls));
    }

    private void createServerCallbackHandlers(Map<String, ?> map) {
        for (String str : this.jaasContexts.keySet()) {
            Class cls = (Class) map.get(ListenerName.saslMechanismPrefix(str) + BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS);
            this.saslCallbackHandlers.put(str, cls != null ? (AuthenticateCallbackHandler) Utils.newInstance(cls) : str.equals(PlainSaslServer.PLAIN_MECHANISM) ? new PlainServerCallbackHandler() : ScramMechanism.isScram(str) ? new ScramServerCallbackHandler(this.credentialCache.cache(str, ScramCredential.class), this.tokenCache) : str.equals(OAuthBearerLoginModule.OAUTHBEARER_MECHANISM) ? new OAuthBearerUnsecuredValidatorCallbackHandler() : new SaslServerCallbackHandler());
        }
    }

    private void createConnectionsMaxReauthMsMap(Map<String, ?> map) {
        for (String str : this.jaasContexts.keySet()) {
            Long l = (Long) map.get(ListenerName.saslMechanismPrefix(str) + BrokerSecurityConfigs.CONNECTIONS_MAX_REAUTH_MS);
            if (l == null) {
                l = (Long) map.get(BrokerSecurityConfigs.CONNECTIONS_MAX_REAUTH_MS);
            }
            if (l != null) {
                this.connectionsMaxReauthMsByMechanism.put(str, l);
            }
        }
    }

    protected Class<? extends Login> defaultLoginClass() {
        return this.jaasContexts.containsKey("GSSAPI") ? KerberosLogin.class : OAuthBearerLoginModule.OAUTHBEARER_MECHANISM.equals(this.clientSaslMechanism) ? OAuthBearerRefreshingLogin.class : DefaultLogin.class;
    }

    private Class<? extends AuthenticateCallbackHandler> clientCallbackHandlerClass() {
        String str = this.clientSaslMechanism;
        boolean z = -1;
        switch (str.hashCode()) {
            case -1625286504:
                if (str.equals(OAuthBearerLoginModule.OAUTHBEARER_MECHANISM)) {
                    z = true;
                    break;
                }
                break;
            case 2111859635:
                if (str.equals("GSSAPI")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return KerberosClientCallbackHandler.class;
            case true:
                return OAuthBearerSaslClientCallbackHandler.class;
            default:
                return SaslClientCallbackHandler.class;
        }
    }

    private void maybeAddNativeGssapiCredentials(Subject subject) {
        if (Boolean.getBoolean(GSS_NATIVE_PROP) && subject.getPrivateCredentials(GSSCredential.class).isEmpty()) {
            String firstPrincipal = SaslClientAuthenticator.firstPrincipal(subject);
            try {
                KerberosName parse = KerberosName.parse(firstPrincipal);
                String serviceName = parse.serviceName();
                String hostName = parse.hostName();
                try {
                    GSSManager gssManager = gssManager();
                    subject.getPrivateCredentials().add(gssManager.createCredential(gssManager.createName(serviceName + "@" + hostName, GSSName.NT_HOSTBASED_SERVICE), Integer.MAX_VALUE, new Oid("1.2.840.113554.1.2.2"), 2));
                    this.log.info("Configured native GSSAPI private credentials for {}@{}", hostName, hostName);
                } catch (GSSException e) {
                    this.log.warn("Cannot add private credential to subject; clients authentication may fail", e);
                }
            } catch (IllegalArgumentException e2) {
                throw new KafkaException("Principal has name with unexpected format " + firstPrincipal);
            }
        }
    }

    protected GSSManager gssManager() {
        return GSSManager.getInstance();
    }

    protected Subject subject(String str) {
        return this.subjects.get(str);
    }
}
