package com.instaclustr.cassandra.driver.auth;

import com.datastax.driver.core.AuthProvider;
import com.datastax.driver.core.Authenticator;
import com.datastax.driver.core.exceptions.AuthenticationException;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import java.net.InetSocketAddress;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

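/**
 * {@link AuthProvider} that authenticates a Cassandra driver connection with Kerberos through
 * SASL/GSSAPI.
 *
 * <p>Instances are created with {@link #builder()}. Each call to
 * {@link #newAuthenticator(InetSocketAddress, String)} performs a fresh JAAS login and creates a
 * new {@link SaslClient} for the given host.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>The default SASL properties request mutual authentication
 *       ({@code javax.security.sasl.server.authentication=true}) and the {@code auth} quality of
 *       protection. {@code auth} covers authentication only; this class never calls
 *       {@code SaslClient.wrap}/{@code unwrap}, so it adds no integrity or confidentiality
 *       protection to the traffic that follows. Transport protection has to come from elsewhere
 *       (for example TLS on the connection).</li>
 *   <li>The server name handed to SASL is the canonical host name of the contact address, which
 *       is obtained by a reverse lookup. The Kerberos service principal the client requests a
 *       ticket for therefore depends on the name service returning the correct name.</li>
 * </ul>
 */
public class KerberosAuthProvider implements AuthProvider {
    private static final String DEFAULT_SASL_PROTOCOL = "cassandra";
    private static final Logger logger = LoggerFactory.getLogger(KerberosAuthProvider.class);

    // Typed factory instead of an untyped ImmutableMap.builder() chain, which infers
    // ImmutableMap<Object, Object> and is not assignable to Map<String, String>.
    // Sasl.SERVER_AUTH and Sasl.QOP hold the same property names the literals spelled out.
    private static final Map<String, String> DEFAULT_SASL_PROPERTIES =
            ImmutableMap.of(Sasl.SERVER_AUTH, "true", Sasl.QOP, "auth");

    private final String authorizationId;
    private final String saslProtocol;
    private final Map<String, ?> saslProperties;

    /**
     * Fluent builder for {@link KerberosAuthProvider}.
     *
     * <p>Defaults: no authorization id, SASL protocol {@code "cassandra"}, and SASL properties
     * requesting mutual authentication with the {@code auth} quality of protection.
     */
    public static class Builder {
        private String authorizationId;
        private String saslProtocol;
        private Map<String, ?> saslProperties;

        private Builder() {
            this.authorizationId = null;
            this.saslProtocol = KerberosAuthProvider.DEFAULT_SASL_PROTOCOL;
            this.saslProperties = KerberosAuthProvider.DEFAULT_SASL_PROPERTIES;
        }

        /**
         * Sets the SASL authorization id passed to {@code Sasl.createSaslClient}.
         *
         * @param str the authorization id, or {@code null} for none
         * @return this builder
         */
        public Builder withAuthorizationId(String str) {
            this.authorizationId = str;
            return this;
        }

        /**
         * Sets the SASL protocol name (the service part of the server principal).
         *
         * @param str the protocol name; a {@code null} value is rejected later, when an
         *     authenticator is created
         * @return this builder
         */
        public Builder withSaslProtocol(String str) {
            this.saslProtocol = str;
            return this;
        }

        /**
         * Replaces the SASL properties.
         *
         * <p>The supplied map is used as is and is not merged with the defaults. A caller that
         * still wants mutual authentication requested must include
         * {@code javax.security.sasl.server.authentication=true} in it.
         *
         * @param map the SASL properties; must not be {@code null} when {@link #build()} is called
         * @return this builder
         */
        public Builder withSaslProperties(Map<String, ?> map) {
            this.saslProperties = map;
            return this;
        }

        /**
         * Creates the provider from the current settings.
         *
         * @return a new provider
         * @throws NullPointerException if the SASL properties are {@code null}
         */
        public KerberosAuthProvider build() {
            return new KerberosAuthProvider(this.authorizationId, this.saslProtocol, this.saslProperties);
        }
    }

    /**
     * {@link Authenticator} that runs one SASL/GSSAPI exchange as a JAAS-authenticated subject.
     */
    public static class KerberosAuthenticator implements Authenticator {
        private static final String JAAS_CONFIG_ITEM_NAME = "CassandraJavaClient";
        private static final Logger logger = LoggerFactory.getLogger(KerberosAuthenticator.class);
        private static final String[] SASL_MECHANISMS = {"GSSAPI"};
        private static final byte[] EMPTY_TOKEN = new byte[0];

        private final Subject subject;
        private final SaslClient saslClient;

        /**
         * Logs in through JAAS and creates the GSSAPI SASL client for one server.
         *
         * @param authorizationId SASL authorization id, may be {@code null}
         * @param saslProtocol SASL protocol name, must not be {@code null}
         * @param serverAddress resolved address of the Cassandra node
         * @param saslProperties SASL properties handed to the mechanism
         * @throws NullPointerException if the protocol is {@code null} or the address is unresolved
         * @throws IllegalStateException if no GSSAPI SASL client can be produced
         * @throws RuntimeException if the JAAS login or the SASL client creation fails
         */
        private KerberosAuthenticator(String authorizationId, String saslProtocol,
                InetSocketAddress serverAddress, Map<String, ?> saslProperties) {
            Preconditions.checkNotNull(saslProtocol, "saslProtocol");
            // An unresolved InetSocketAddress has no InetAddress; reject it with a clear message
            // before a Kerberos login is attempted instead of failing on a bare dereference.
            Preconditions.checkNotNull(serverAddress.getAddress(),
                    "Cannot authenticate against unresolved address %s", serverAddress);
            this.subject = loginAsSubject();

            // The canonical name comes from a reverse lookup and becomes the host part of the
            // service principal, so the result is only as trustworthy as the name service.
            final String serverName = serverAddress.getAddress().getCanonicalHostName();
            final SaslClient client;
            try {
                client = Sasl.createSaslClient(SASL_MECHANISMS, authorizationId, saslProtocol,
                        serverName, saslProperties, (CallbackHandler) null);
            } catch (SaslException e) {
                throw new RuntimeException(e);
            }
            // createSaslClient returns null when no provider supports the requested mechanism
            // with the given properties; fail here rather than on first use.
            if (client == null) {
                throw new IllegalStateException("No SASL client could be created for mechanism GSSAPI");
            }
            this.saslClient = client;
        }

        /**
         * Performs the JAAS login for the {@code CassandraJavaClient} configuration entry.
         *
         * <p>The callback handler rejects every callback: this client never prompts, so the JAAS
         * entry has to be able to obtain credentials on its own.
         *
         * @return the authenticated subject
         * @throws RuntimeException if the login fails or a login module asks for a callback
         */
        private static Subject loginAsSubject() {
            logger.debug("Logging in using login configuration entry named {}", JAAS_CONFIG_ITEM_NAME);
            try {
                LoginContext loginContext = new LoginContext(JAAS_CONFIG_ITEM_NAME, callbacks -> {
                    throw new RuntimeException(new LoginException("Failed to establish a login context using login configuration entry named CassandraJavaClient. Check your JAAS config file."));
                });
                loginContext.login();
                logger.debug("Login context established");
                return loginContext.getSubject();
            } catch (LoginException e) {
                throw new RuntimeException("Failed to establish a login context", e);
            }
        }

        /**
         * Evaluates a server token with the SASL client while running as the logged-in subject.
         *
         * @param challenge token received from the server
         * @return the client's response token
         * @throws RuntimeException wrapping the failure raised by the SASL mechanism
         */
        private byte[] evaluateAsSubject(final byte[] challenge) {
            try {
                // The explicit cast selects the PrivilegedExceptionAction overload of doAs; a bare
                // lambda matches both overloads and does not compile.
                return Subject.doAs(this.subject,
                        (PrivilegedExceptionAction<byte[]>) () -> this.saslClient.evaluateChallenge(challenge));
            } catch (PrivilegedActionException e) {
                throw new RuntimeException(e.getException());
            }
        }

        /**
         * Produces the first client token.
         *
         * @return the initial response, or an empty array if the mechanism has none
         */
        @Override
        public byte[] initialResponse() {
            if (!this.saslClient.hasInitialResponse()) {
                return EMPTY_TOKEN;
            }
            return evaluateAsSubject(EMPTY_TOKEN);
        }

        /**
         * Answers a server challenge.
         *
         * @param bArr the challenge sent by the server
         * @return the response token
         */
        @Override
        public byte[] evaluateChallenge(byte[] bArr) {
            return evaluateAsSubject(bArr);
        }

        /**
         * Verifies that the SASL exchange really finished when the server reports success.
         *
         * <p>Mutual authentication is only established once the client side of the exchange is
         * complete. A success message that arrives earlier is treated as a failure so that the
         * connection is not used with an unverified server.
         *
         * @param bArr the final token sent by the server (not evaluated here)
         * @throws IllegalStateException if the SASL exchange is not complete
         */
        @Override
        public void onAuthenticationSuccess(byte[] bArr) {
            if (!this.saslClient.isComplete()) {
                logger.error("Cassandra reports authentication success, however SASL authentication is not yet complete.");
                // Fail closed: logging alone would let the driver continue on this connection.
                throw new IllegalStateException(
                        "Server reported authentication success before the SASL exchange completed");
            }
            logger.debug("Authenticated with QOP: {}", this.saslClient.getNegotiatedProperty(Sasl.QOP));
        }
    }

    /**
     * @param authorizationId SASL authorization id, may be {@code null}
     * @param saslProtocol SASL protocol name
     * @param saslProperties SASL properties; copied defensively, so later changes to the caller's
     *     map do not affect this provider
     * @throws NullPointerException if {@code saslProperties} is {@code null}
     */
    private KerberosAuthProvider(String authorizationId, String saslProtocol, Map<String, ?> saslProperties) {
        this.authorizationId = authorizationId;
        this.saslProtocol = saslProtocol;
        this.saslProperties = ImmutableMap.copyOf(Preconditions.checkNotNull(saslProperties, "saslProperties"));
    }

    /**
     * Starts a builder populated with the default settings.
     *
     * @return a new builder
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Creates an authenticator for one connection; this performs a JAAS login.
     *
     * @param inetSocketAddress address of the Cassandra node; its canonical host name is used as
     *     the SASL server name
     * @param str not used by this provider
     * @return a new {@link KerberosAuthenticator}
     * @throws AuthenticationException declared by the interface; failures in this implementation
     *     surface as unchecked exceptions
     */
    @Override
    public Authenticator newAuthenticator(InetSocketAddress inetSocketAddress, String str) throws AuthenticationException {
        return new KerberosAuthenticator(this.authorizationId, this.saslProtocol, inetSocketAddress, this.saslProperties);
    }
}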
