package com.instaclustr.cassandra.driver.auth;

import com.datastax.oss.driver.api.core.auth.AuthProvider;
import com.datastax.oss.driver.api.core.auth.AuthenticationException;
import com.datastax.oss.driver.api.core.auth.Authenticator;
import com.datastax.oss.driver.api.core.config.DriverOption;
import com.datastax.oss.driver.api.core.metadata.EndPoint;
import com.datastax.oss.driver.shaded.guava.common.collect.ImmutableMap;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import java.nio.ByteBuffer;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/instaclustr/cassandra/driver/auth/KerberosAuthProviderBase.class */
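/**
 * Base class for driver {@link AuthProvider}s that authenticate to Cassandra with Kerberos
 * through the SASL {@code GSSAPI} mechanism.
 *
 * <p>Subclasses supply the per-endpoint {@link KerberosAuthOptions}. For every new connection
 * this class logs in through the JAAS login configuration entry named
 * {@code CassandraJavaClient} and evaluates the SASL exchange as the resulting {@link Subject}.
 */
public abstract class KerberosAuthProviderBase implements AuthProvider {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthProviderBase.class);

    /** Prefix put in front of this provider's own log lines. */
    private final String logPrefix;

    /**
     * Immutable set of values handed to {@link Sasl#createSaslClient} when an authenticator is
     * created. Instances are built with {@link #builder()}.
     */
    public static class KerberosAuthOptions {
        private final String authorizationId;
        private final ServerNameResolver serverNameResolver;
        private final String saslProtocol;
        private final Map<String, ?> saslProperties;

        /**
         * Fluent builder for {@link KerberosAuthOptions}.
         *
         * <p>Defaults: no authorization id, an anonymous {@link ServerNameResolver} that overrides
         * nothing, {@link KerberosOption#DEFAULT_SASL_PROTOCOL} and
         * {@code KerberosOption.DEFAULT_SASL_PROPERTIES}.
         */
        public static class Builder {
            private String authorizationId;
            private ServerNameResolver serverNameResolver;
            private String saslProtocol;
            private Map<String, ?> saslProperties;

            private Builder() {
                this.authorizationId = null;
                this.serverNameResolver = new ServerNameResolver() {
                };
                this.saslProtocol = KerberosOption.DEFAULT_SASL_PROTOCOL;
                this.saslProperties = KerberosOption.DEFAULT_SASL_PROPERTIES;
            }

            /**
             * Sets the SASL authorization id; {@code null} (the default) leaves it unset.
             *
             * @param authorizationId the authorization id passed to the SASL client
             * @return this builder
             */
            public Builder withAuthorizationId(String authorizationId) {
                this.authorizationId = authorizationId;
                return this;
            }

            /**
             * Sets the SASL protocol name.
             *
             * @param saslProtocol the protocol name passed to the SASL client
             * @return this builder
             */
            public Builder withSaslProtocol(String saslProtocol) {
                this.saslProtocol = saslProtocol;
                return this;
            }

            /**
             * Replaces the SASL properties. The map is stored by reference, not copied, and it
             * replaces the defaults entirely: a caller that still wants mutual authentication
             * has to repeat {@code javax.security.sasl.server.authentication=true} in its own map.
             *
             * @param saslProperties the properties passed to the SASL client; a {@code null} map
             *     makes authenticator creation fail
             * @return this builder
             */
            public Builder withSaslProperties(Map<String, ?> saslProperties) {
                this.saslProperties = saslProperties;
                return this;
            }

            /**
             * Sets the resolver that maps an endpoint to the server name used for SASL.
             *
             * @param serverNameResolver the resolver to use
             * @return this builder
             */
            public Builder withServerNameResolver(ServerNameResolver serverNameResolver) {
                this.serverNameResolver = serverNameResolver;
                return this;
            }

            /**
             * Creates the options from the values collected so far. No validation happens here.
             *
             * @return a new {@link KerberosAuthOptions}
             */
            public KerberosAuthOptions build() {
                return new KerberosAuthOptions(this.authorizationId, this.serverNameResolver, this.saslProtocol, this.saslProperties);
            }
        }

        /**
         * Starts a builder preloaded with the defaults.
         *
         * @return a new {@link Builder}
         */
        public static Builder builder() {
            return new Builder();
        }

        private KerberosAuthOptions(String authorizationId, ServerNameResolver serverNameResolver, String saslProtocol, Map<String, ?> saslProperties) {
            this.authorizationId = authorizationId;
            this.serverNameResolver = serverNameResolver;
            this.saslProtocol = saslProtocol;
            this.saslProperties = saslProperties;
        }

        /** @return the SASL authorization id, or {@code null} when none was set */
        public String getAuthorizationId() {
            return this.authorizationId;
        }

        /** @return the resolver that turns an endpoint into the SASL server name */
        public ServerNameResolver getServerNameResolver() {
            return this.serverNameResolver;
        }

        /** @return the SASL protocol name */
        public String getSaslProtocol() {
            return this.saslProtocol;
        }

        /** @return the SASL properties, exactly the map given to the builder (no copy) */
        public Map<String, ?> getSaslProperties() {
            return this.saslProperties;
        }
    }

    /**
     * Authenticator for one connection: performs the JAAS login when constructed and evaluates
     * every SASL step as the logged-in {@link Subject}.
     */
    private static class KerberosAuthenticator implements Authenticator {
        private static final Logger logger = LoggerFactory.getLogger(KerberosAuthenticator.class);
        private static final String JAAS_CONFIG_ITEM_NAME = "CassandraJavaClient";
        private static final String[] SASL_MECHANISMS = {"GSSAPI"};
        private final Subject subject;
        private final SaslClient saslClient;

        /**
         * Logs in through JAAS and creates the GSSAPI SASL client for the given endpoint.
         *
         * @param kerberosAuthOptions the SASL settings; its SASL properties must not be null
         * @param endPoint the node being connected to, used to resolve the SASL server name
         * @throws NullPointerException if no SASL properties were supplied
         * @throws RuntimeException if the login fails or the SASL client cannot be created
         */
        private KerberosAuthenticator(KerberosAuthOptions kerberosAuthOptions, EndPoint endPoint) {
            Objects.requireNonNull(kerberosAuthOptions.getSaslProperties(), "No SASL Properties supplied, unable to perform Kerberos authentication");
            this.subject = loginAsSubject();
            String serverName = kerberosAuthOptions.getServerNameResolver().resolve(endPoint);
            // NOTE(review): the whole SASL property map is written to the debug log. The map is
            // caller-supplied, so keep secrets out of it (for example a value stored under
            // javax.security.sasl.credentials) or restrict access to debug logs.
            logger.debug("Creating SaslClient for {} on Server {} with {} mechanism. SASL Protocol: {} SASL Properties: {}", kerberosAuthOptions.getAuthorizationId(), serverName, SASL_MECHANISMS, kerberosAuthOptions.getSaslProtocol(), kerberosAuthOptions.getSaslProperties());
            SaslClient client;
            try {
                client = Sasl.createSaslClient(SASL_MECHANISMS, kerberosAuthOptions.getAuthorizationId(), kerberosAuthOptions.getSaslProtocol(), serverName, kerberosAuthOptions.getSaslProperties(), (CallbackHandler) null);
            } catch (SaslException e) {
                throw new RuntimeException(e);
            }
            // createSaslClient returns null when no installed factory supports the mechanism;
            // fail here with a clear message instead of a NullPointerException on first use.
            if (client == null) {
                throw new IllegalStateException("No SASL client available for the GSSAPI mechanism; check the installed security providers");
            }
            this.saslClient = client;
        }

        /**
         * Performs the JAAS login for the {@code CassandraJavaClient} configuration entry.
         *
         * <p>The callback handler rejects every callback, so a login module that asks for input
         * makes the login fail instead of prompting.
         *
         * @return the subject populated by the login
         * @throws RuntimeException if the login context cannot be established
         */
        private static Subject loginAsSubject() {
            logger.debug("Logging in using login configuration entry named {}", JAAS_CONFIG_ITEM_NAME);
            try {
                LoginContext loginContext = new LoginContext(JAAS_CONFIG_ITEM_NAME, callbacks -> {
                    throw new RuntimeException(new LoginException(String.format("Failed to establish a login context using login configuration entry named %s Check your JAAS config file.", JAAS_CONFIG_ITEM_NAME)));
                });
                loginContext.login();
                logger.debug("Login context established");
                return loginContext.getSubject();
            } catch (LoginException e) {
                throw new RuntimeException("Failed to establish a login context", e);
            }
        }

        /**
         * Runs one SASL step as the logged-in subject.
         *
         * @param token the bytes received from the server (empty for the initial step)
         * @return the response wrapped in a buffer, or {@code null} when the SASL client has
         *     nothing to send
         * @throws RuntimeException wrapping the failure raised by the SASL client
         */
        private ByteBuffer evaluateAsSubject(byte[] token) {
            try {
                // The explicit functional type selects the doAs overload that lets the checked
                // SaslException propagate; a bare lambda matches both overloads.
                byte[] response = Subject.doAs(this.subject, (PrivilegedExceptionAction<byte[]>) () -> this.saslClient.evaluateChallenge(token));
                // SaslClient.evaluateChallenge may return null when no response is needed, and
                // ByteBuffer.wrap(null) would throw.
                // NOTE(review): assumes the driver accepts a null token here; confirm against
                // the Authenticator contract of the driver version in use.
                return response == null ? null : ByteBuffer.wrap(response);
            } catch (PrivilegedActionException e) {
                throw new RuntimeException(e.getException());
            }
        }

        /**
         * Produces the first token sent to the server.
         *
         * @return a completed stage holding the initial GSSAPI token, or an empty buffer when the
         *     mechanism has no initial response
         * @throws RuntimeException if the SASL client fails
         */
        public CompletionStage<ByteBuffer> initialResponse() {
            if (!this.saslClient.hasInitialResponse()) {
                return CompletableFuture.completedFuture(ByteBuffer.wrap(new byte[0]));
            }
            return CompletableFuture.completedFuture(evaluateAsSubject(new byte[0]));
        }

        /**
         * Answers a server challenge.
         *
         * @param byteBuffer the challenge; its remaining bytes are consumed. A {@code null}
         *     challenge is passed to the SASL client as an empty token.
         * @return a completed stage holding the response token
         * @throws RuntimeException if the SASL client rejects the challenge
         */
        public CompletionStage<ByteBuffer> evaluateChallenge(@Nullable ByteBuffer byteBuffer) {
            byte[] challenge;
            if (byteBuffer == null) {
                // The parameter is declared nullable; dereferencing it would throw.
                challenge = new byte[0];
            } else {
                // remaining(), not capacity(): a buffer whose position is not zero or whose
                // limit is below its capacity would otherwise underflow on the read.
                challenge = new byte[byteBuffer.remaining()];
                byteBuffer.get(challenge);
            }
            return CompletableFuture.completedFuture(evaluateAsSubject(challenge));
        }

        /**
         * Called when the server reports a successful authentication.
         *
         * @param byteBuffer the final server token; not read by this implementation
         * @return an already-completed stage
         */
        public CompletionStage<Void> onAuthenticationSuccess(@Nullable ByteBuffer byteBuffer) {
            if (this.saslClient.isComplete()) {
                logger.debug("Authenticated with QOP: {}", this.saslClient.getNegotiatedProperty("javax.security.sasl.qop"));
            } else {
                // NOTE(review): this is only logged and the connection is still accepted. An
                // incomplete exchange means the client side of the handshake, which includes
                // verifying the server when mutual authentication is requested, did not finish.
                // Consider failing the returned stage, and alert on this message meanwhile.
                logger.error("Cassandra reports authentication success, however SASL authentication is not yet complete.");
            }
            return CompletableFuture.completedFuture(null);
        }
    }

    /** Driver configuration paths understood by Kerberos auth providers, plus their defaults. */
    public enum KerberosOption implements DriverOption {
        AUTH_PROVIDER_AUTHORIZATION_ID("advanced.auth-provider.authorization-id"),
        AUTH_PROVIDER_SASL_PROTOCOL("advanced.auth-provider.sasl-protocol"),
        AUTH_PROVIDER_SASL_PROPERTIES("advanced.auth-provider.sasl-properties"),
        AUTH_PROVIDER_SERVER_NAME_RESOLVER("advanced.auth-provider.server-name-resolver");

        /** SASL protocol name used when none is configured. */
        public static final String DEFAULT_SASL_PROTOCOL = "cassandra";

        // Defaults request server (mutual) authentication and qop=auth. qop=auth is
        // authentication only: the SASL layer adds no integrity or confidentiality protection
        // to later traffic, so transport protection such as TLS has to be configured separately.
        // The type witness is required: without it the builder is inferred as <Object, Object>
        // and the result does not fit Map<String, String>.
        protected static final Map<String, String> DEFAULT_SASL_PROPERTIES = ImmutableMap.<String, String>builder().put("javax.security.sasl.server.authentication", "true").put("javax.security.sasl.qop", "auth").build();

        private final String path;

        KerberosOption(String path) {
            this.path = path;
        }

        /** @return the configuration path of this option */
        @NonNull
        public String getPath() {
            return this.path;
        }
    }

    /**
     * @param logPrefix prefix used in this provider's log messages
     */
    public KerberosAuthProviderBase(String logPrefix) {
        this.logPrefix = logPrefix;
    }

    /**
     * Supplies the SASL settings to use for the given node.
     *
     * @param endPoint the node being connected to
     * @return the options for that node
     */
    protected abstract KerberosAuthOptions getOptions(EndPoint endPoint);

    /**
     * Creates the authenticator for a new connection. This performs the JAAS login, so a
     * misconfigured login surfaces here as a {@link RuntimeException}.
     *
     * @param endPoint the node being connected to
     * @param serverAuthenticator the authenticator class name announced by the server; not
     *     consulted by this implementation
     * @return a new Kerberos authenticator
     */
    @NonNull
    public Authenticator newAuthenticator(@NonNull EndPoint endPoint, @NonNull String serverAuthenticator) throws AuthenticationException {
        return new KerberosAuthenticator(getOptions(endPoint), endPoint);
    }

    /**
     * Called when the server sends no authentication challenge. This implementation only logs a
     * warning and returns, so the connection goes ahead without any Kerberos exchange and the
     * server identity is never verified. Subclasses that must refuse such servers can override
     * this method and throw {@link AuthenticationException}.
     *
     * @param endPoint the node that did not request authentication
     */
    public void onMissingChallenge(@NonNull EndPoint endPoint) throws AuthenticationException {
        LOG.warn("[{}] {} did not send an authentication challenge; This is suspicious because the driver expects authentication", this.logPrefix, endPoint);
    }

    /** Does nothing: this provider holds no resources of its own. */
    public void close() throws Exception {
    }
}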
