package com.instaclustr.cassandra.auth;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.PrivilegedActionException;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslServer;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.DataResource;
import org.apache.cassandra.auth.IAuthenticator;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.cql3.UntypedResultSet;
import org.apache.cassandra.cql3.statements.SelectStatement;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.exceptions.RequestExecutionException;
import org.apache.cassandra.transport.messages.ResultMessage;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/instaclustr/cassandra/auth/BaseKerberosAuthenticator.class */
public abstract class BaseKerberosAuthenticator implements IAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger(BaseKerberosAuthenticator.class);
    public static final String SASL_MECHANISM = "GSSAPI";
    private static final String ROLE = "role";
    private Configuration config;
    private Subject subject;

    /* loaded from: input_file:com/instaclustr/cassandra/auth/BaseKerberosAuthenticator$Configuration.class */
    protected static class Configuration {
        private URL configUrl;
        private File keytab;
        private String qop;
        private KerberosPrincipal servicePrincipal;
        static final String DEFAULT_CONFIGURATION = "cassandra-krb5.properties";
        static final String CONFIGURATION_KEYTAB_PATH_NAME = "keytab";
        static final String CONFIGURATION_QOP_NAME = "qop";
        static final String CONFIGURATION_SERVICE_PRINCIPAL_NAME = "service_principal";
        private static final String DEFAULT_KEYTAB_PATH = "cassandra.keytab";
        private static final String DEFAULT_QOP = "auth";

        private Configuration() {
        }

        public File keytab() {
            return this.keytab;
        }

        public String qop() {
            return this.qop;
        }

        public KerberosPrincipal servicePrincipal() {
            return this.servicePrincipal;
        }

        public String getKerberosPrincipalServiceNameComponent() {
            Matcher matcher = Pattern.compile("([^/@]*)(/([^/@]*))?@([^/@]*)").matcher(this.servicePrincipal.toString());
            if (matcher.matches()) {
                return matcher.group(1);
            }
            throw new RuntimeException("Config value for service_principal in " + this.configUrl.toString() + " is not valid. Kerberos principal must be in KRB_NT_SRV_HST format");
        }

        private static URL getConfig(String str) throws ConfigurationException {
            URL resource;
            try {
                resource = new URL(str);
                resource.openStream().close();
            } catch (Exception e) {
                resource = BaseKerberosAuthenticator.class.getClassLoader().getResource(str);
                if (resource == null) {
                    throw new ConfigurationException("Cannot locate " + str + ".  If this is a local file, please confirm you've provided " + ("file:" + File.separator + File.separator) + File.separator + " as a URI prefix.");
                }
            }
            BaseKerberosAuthenticator.logger.debug("Kerberos configuration location: {}", resource);
            return resource;
        }

        private static File getKeytab(String str) throws ConfigurationException {
            File file = new File(str);
            if (!file.isFile()) {
                URL resource = BaseKerberosAuthenticator.class.getClassLoader().getResource(str);
                if (resource == null) {
                    throw new ConfigurationException("Cannot locate " + str + ".  If this is a local file, please confirm you've provided " + ("file:" + File.separator + File.separator) + File.separator + " as a URI prefix.");
                }
                file = new File(resource.getFile());
            }
            BaseKerberosAuthenticator.logger.debug("Kerberos keytab location: {}", file.getAbsolutePath());
            return file;
        }

        private void load() throws ConfigurationException {
            if (this.configUrl == null) {
                this.configUrl = getConfig(System.getProperty("cassandra.krb5.config", DEFAULT_CONFIGURATION));
            }
            Properties properties = new Properties();
            try {
                BaseKerberosAuthenticator.logger.debug("Loading Kerberos settings from {}", this.configUrl);
                InputStream openStream = this.configUrl.openStream();
                Throwable th = null;
                try {
                    try {
                        properties.load(openStream);
                        if (openStream != null) {
                            if (0 != 0) {
                                try {
                                    openStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                openStream.close();
                            }
                        }
                        this.keytab = getKeytab(properties.getProperty(CONFIGURATION_KEYTAB_PATH_NAME, DEFAULT_KEYTAB_PATH));
                        this.qop = properties.getProperty(CONFIGURATION_QOP_NAME, DEFAULT_QOP);
                        this.servicePrincipal = new KerberosPrincipal(properties.getProperty(CONFIGURATION_SERVICE_PRINCIPAL_NAME), 3);
                    } finally {
                    }
                } finally {
                }
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }

        void validate() throws ConfigurationException {
            if (this.servicePrincipal == null) {
                throw new ConfigurationException("No value for service_principal found in " + this.configUrl.toString());
            }
            if (this.qop == null) {
                throw new ConfigurationException("No value for qop found in " + this.configUrl.toString());
            }
            ImmutableList build = ImmutableList.builder().add(DEFAULT_QOP).add("auth-conf").add("auth-int").build();
            if (!build.contains(this.qop)) {
                throw new ConfigurationException("Config value for qop in " + this.configUrl.toString() + " is not valid. Valid values are: " + build.toString());
            }
            if (!this.keytab.isFile() || !this.keytab.canRead()) {
                throw new ConfigurationException("Keytab file " + this.keytab.getAbsolutePath() + " specified in " + this.configUrl.toString() + " does not exist, is not a normal file, or cannot be read.");
            }
        }

        static Configuration loadConfig() {
            Configuration configuration = new Configuration();
            configuration.load();
            configuration.validate();
            return configuration;
        }
    }

    /* loaded from: input_file:com/instaclustr/cassandra/auth/BaseKerberosAuthenticator$KerberosSaslAuthenticator.class */
    public abstract class KerberosSaslAuthenticator implements IAuthenticator.SaslNegotiator {
        private final SaslServer saslServer;
        private AuthenticatedUser authenticatedUser = null;

        public KerberosSaslAuthenticator(String str, Map<String, ?> map) {
            BaseKerberosAuthenticator.logger.debug("Creating SaslServer for {} with {} mechanism. SASL Protocol: {} SASL Properties: {}", new Object[]{BaseKerberosAuthenticator.this.config.servicePrincipal, BaseKerberosAuthenticator.SASL_MECHANISM, str, map});
            try {
                this.saslServer = (SaslServer) Subject.doAs(BaseKerberosAuthenticator.this.subject, () -> {
                    return Sasl.createSaslServer(BaseKerberosAuthenticator.SASL_MECHANISM, str, serverName(), map, callbackArr -> {
                        for (Callback callback : callbackArr) {
                            if (callback instanceof AuthorizeCallback) {
                                handleAuthorizeCallback((AuthorizeCallback) callback);
                            }
                        }
                    });
                });
            } catch (PrivilegedActionException e) {
                throw new RuntimeException(e.getException());
            }
        }

        private void handleAuthorizeCallback(AuthorizeCallback authorizeCallback) throws AuthenticationException {
            authorizeCallback.setAuthorizedID((String) null);
            authorizeCallback.setAuthorized(false);
            if (authorizeCallback.getAuthenticationID() == null) {
                BaseKerberosAuthenticator.logger.debug("Kerberos authentication succeeded, but the authentication ID is null.");
                throw new AuthenticationException("Authentication ID must not be null");
            }
            AuthenticatedUser cassandraUser = getCassandraUser(authorizeCallback.getAuthenticationID().split("[@/]")[0]);
            if (authorizeCallback.getAuthorizationID() == null || authorizeCallback.getAuthorizationID().equals(authorizeCallback.getAuthenticationID())) {
                this.authenticatedUser = cassandraUser;
                authorizeCallback.setAuthorizedID(cassandraUser.getName());
                authorizeCallback.setAuthorized(true);
            } else {
                AuthenticatedUser cassandraUser2 = getCassandraUser(authorizeCallback.getAuthorizationID());
                if (!cassandraUser.getRoles().contains(cassandraUser2.getPrimaryRole())) {
                    BaseKerberosAuthenticator.logger.debug("Kerberos client principal \"{}\" authenticated, but the Cassandra user \"{}\" does not have permission to assume the role \"{}\" specified by the authorization ID.", new Object[]{authorizeCallback.getAuthenticationID(), cassandraUser.getName(), cassandraUser2.getName()});
                    throw new AuthenticationException(String.format("Cassandra user \"%s\" is unable to assume the role \"%s\"", cassandraUser.getName(), cassandraUser2.getName()));
                }
                this.authenticatedUser = cassandraUser2;
                authorizeCallback.setAuthorizedID(cassandraUser2.getName());
                authorizeCallback.setAuthorized(true);
            }
            if (authorizeCallback.isAuthorized()) {
                BaseKerberosAuthenticator.logger.debug("Kerberos client principal \"{}\" authorized as Cassandra user \"{}\"", authorizeCallback.getAuthenticationID(), authorizeCallback.getAuthorizedID());
            }
        }

        public byte[] evaluateResponse(byte[] bArr) throws AuthenticationException {
            try {
                return (byte[]) Subject.doAs(BaseKerberosAuthenticator.this.subject, () -> {
                    return this.saslServer.evaluateResponse(bArr);
                });
            } catch (PrivilegedActionException e) {
                BaseKerberosAuthenticator.logger.error(String.format("The SASL server could not evaluate the response sent by the client. Check that the authentication mechanism is configured correctly, and that the client is sending a valid SASL/%s response: %s", BaseKerberosAuthenticator.SASL_MECHANISM, e.getException().getMessage()));
                throw new AuthenticationException("The SASL server could not evaluate the response sent by the client. The server may not be configured correctly, or the response may be invalid: " + e.getException().getMessage());
            }
        }

        public boolean isComplete() {
            return this.saslServer.isComplete() && this.authenticatedUser != null;
        }

        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException {
            if (isComplete()) {
                return this.authenticatedUser;
            }
            throw new AuthenticationException("SASL negotiation is not complete");
        }

        private AuthenticatedUser getCassandraUser(String str) throws AuthenticationException {
            try {
                fetchUser(str);
                return new AuthenticatedUser(str);
            } catch (Exception e) {
                if (e.getCause() instanceof NoSuchRoleException) {
                    throw new AuthenticationException(String.format("Provided username %s is incorrect", str));
                }
                if (!(e.getCause() instanceof RequestExecutionException)) {
                    throw new RuntimeException(e);
                }
                BaseKerberosAuthenticator.logger.trace("Error performing internal authentication", e);
                throw new AuthenticationException(String.format("Error during authentication of user %s : %s", str, e.getMessage()));
            }
        }

        public abstract void fetchUser(String str);

        public abstract String serverName();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/instaclustr/cassandra/auth/BaseKerberosAuthenticator$NoSuchRoleException.class */
    public static final class NoSuchRoleException extends RuntimeException {
        private NoSuchRoleException() {
        }
    }

    /* loaded from: input_file:com/instaclustr/cassandra/auth/BaseKerberosAuthenticator$QueryUserFunction.class */
    public static abstract class QueryUserFunction implements Function<String, String> {
        final String query = String.format("SELECT %s FROM %s.%s WHERE role = ?", BaseKerberosAuthenticator.ROLE, "system_auth", "roles");
        SelectStatement getRoleStatement = prepare(this.query);

        @Override // java.util.function.Function
        public String apply(String str) {
            try {
                BaseKerberosAuthenticator.logger.debug("Querying role {}", str);
                ResultMessage.Rows execute = execute(str);
                if (execute.result.isEmpty()) {
                    throw new NoSuchRoleException();
                }
                UntypedResultSet create = UntypedResultSet.create(execute.result);
                if (create.one().has(BaseKerberosAuthenticator.ROLE)) {
                    return create.one().getString(BaseKerberosAuthenticator.ROLE);
                }
                throw new NoSuchRoleException();
            } catch (RequestExecutionException e) {
                BaseKerberosAuthenticator.logger.trace("Error performing internal authentication", e);
                throw e;
            }
        }

        public abstract SelectStatement prepare(String str);

        public abstract ResultMessage.Rows execute(String str);
    }

    public boolean requireAuthentication() {
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Configuration getConfiguration() {
        return this.config;
    }

    public Set<? extends IResource> protectedResources() {
        return ImmutableSet.of(DataResource.table("system_auth", "roles"));
    }

    public void validateConfiguration() throws ConfigurationException {
        this.config = Configuration.loadConfig();
    }

    public void setup() {
        this.subject = loginAsSubject(this.config.servicePrincipal(), this.config.keytab());
        afterSetup();
    }

    public abstract void afterSetup();

    static String getKrb5LoginModuleName() {
        return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.auth.module.Krb5LoginModule" : "com.sun.security.auth.module.Krb5LoginModule";
    }

    private static Subject loginAsSubject(final KerberosPrincipal kerberosPrincipal, final File file) {
        logger.debug("Logging in Kerberos service principal {} using keytab at {}", kerberosPrincipal, file.getAbsolutePath());
        try {
            LoginContext loginContext = new LoginContext("", (Subject) null, callbackArr -> {
                throw new RuntimeException(new LoginException(String.format("Failed to establish a login context for principal %s with keytab at %s.", kerberosPrincipal, file.getAbsolutePath())));
            }, new javax.security.auth.login.Configuration() { // from class: com.instaclustr.cassandra.auth.BaseKerberosAuthenticator.1
                public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
                    return new AppConfigurationEntry[]{new AppConfigurationEntry(BaseKerberosAuthenticator.getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, ImmutableMap.builder().put("principal", kerberosPrincipal.toString()).put("useKeyTab", "true").put("keyTab", file.getAbsolutePath()).put("storeKey", "true").put("doNotPrompt", "true").put("isInitiator", "false").build())};
                }
            });
            loginContext.login();
            logger.debug("Login context established");
            return loginContext.getSubject();
        } catch (LoginException e) {
            throw new RuntimeException("Failed to establish a login context", e);
        }
    }

    public AuthenticatedUser legacyAuthenticate(Map<String, String> map) throws AuthenticationException {
        throw new UnsupportedOperationException("Legacy authentication is not supported");
    }
}
