package com.datastax.dse.driver.api.core.auth;

import com.datastax.oss.driver.api.core.auth.AuthProvider;
import com.datastax.oss.driver.api.core.auth.AuthenticationException;
import com.datastax.oss.driver.api.core.auth.Authenticator;
import com.datastax.oss.driver.api.core.metadata.EndPoint;
import com.datastax.oss.driver.shaded.guava.common.base.Charsets;
import com.datastax.oss.driver.shaded.guava.common.collect.ImmutableMap;
import com.datastax.oss.protocol.internal.util.Bytes;
import com.microsoft.azure.storage.Constants;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import net.jcip.annotations.Immutable;
import net.jcip.annotations.NotThreadSafe;
import net.jcip.annotations.ThreadSafe;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

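/**
 * Base class for {@link AuthProvider} implementations that authenticate with SASL/GSSAPI
 * (Kerberos).
 *
 * <p>Subclasses supply the per-connection {@link GssApiOptions} through {@link #getOptions}; this
 * class turns them into a {@link GssApiAuthenticator} for each new connection.
 *
 * <p>Security notes for reviewers:
 *
 * <ul>
 *   <li>The default SASL properties request mutual authentication and the {@code auth} quality of
 *       protection. {@code auth} means authentication only: the SASL layer adds no integrity or
 *       confidentiality, so traffic protection has to come from the transport (for example TLS).
 *   <li>The server host name handed to the SASL client comes from a reverse lookup of the
 *       endpoint address, so name resolution is a trust input for the Kerberos service principal.
 * </ul>
 */
@ThreadSafe
public abstract class DseGssApiAuthProviderBase implements AuthProvider {
    /** SASL service name used when neither the options nor a system property provide one. */
    public static final String DEFAULT_SASL_SERVICE_NAME = "dse";

    /** System property read for the SASL service name when the options leave it unset. */
    public static final String SASL_SERVICE_NAME_PROPERTY = "dse.sasl.service";

    /** Older system property, consulted only when {@link #SASL_SERVICE_NAME_PROPERTY} is unset. */
    private static final String LEGACY_SASL_PROTOCOL_PROPERTY = "dse.sasl.protocol";

    private static final Logger LOG = LoggerFactory.getLogger(DseGssApiAuthProviderBase.class);

    private final String logPrefix;

    /**
     * Authenticator that drives one GSSAPI handshake for one connection.
     *
     * <p>Decompiler note: this class was declared {@code protected} in the class file this source
     * was recovered from.
     */
    public static class GssApiAuthenticator extends BaseDseAuthenticator {
        private static final String JAAS_CONFIG_ENTRY = "DseClient";
        private static final ByteBuffer MECHANISM =
                ByteBuffer.wrap("GSSAPI".getBytes(Charsets.UTF_8)).asReadOnlyBuffer();
        private static final ByteBuffer SERVER_INITIAL_CHALLENGE =
                ByteBuffer.wrap("GSSAPI-START".getBytes(Charsets.UTF_8)).asReadOnlyBuffer();
        private static final ByteBuffer EMPTY_BYTE_ARRAY =
                ByteBuffer.wrap(new byte[0]).asReadOnlyBuffer();
        private static final String[] SUPPORTED_MECHANISMS = {"GSSAPI"};

        private final Subject subject;
        private final SaslClient saslClient;
        private final EndPoint endPoint;

        /**
         * Obtains the Kerberos subject and creates the SASL client for {@code endPoint}.
         *
         * @param gssApiOptions subject or JAAS configuration, plus the SASL settings to use
         * @param endPoint the node being authenticated against
         * @param str passed unchanged to the {@link BaseDseAuthenticator} constructor
         * @throws IllegalArgumentException if the options carry neither a subject nor a login
         *     configuration
         * @throws AuthenticationException if the JAAS login fails, the SASL client cannot be
         *     created, or no GSSAPI client implementation is available
         */
        protected GssApiAuthenticator(GssApiOptions gssApiOptions, EndPoint endPoint, String str) {
            super(str);
            try {
                this.subject = resolveSubject(gssApiOptions);
                // A null authorization id lets the server derive it from the authenticated
                // credentials (javax.security.sasl.Sasl contract).
                this.saslClient =
                        Sasl.createSaslClient(
                                SUPPORTED_MECHANISMS,
                                gssApiOptions.getAuthorizationId(),
                                resolveServiceName(gssApiOptions),
                                resolveServerHostName(endPoint),
                                gssApiOptions.getSaslProperties(),
                                null);
            } catch (LoginException | SaslException e) {
                // Keep the cause: the nested JAAS/GSS exception is what identifies a bad keytab,
                // an expired ticket or an unknown service principal when triaging a failure.
                throw new AuthenticationException(endPoint, e.getMessage(), e);
            }
            // Sasl.createSaslClient returns null when no registered factory can serve the
            // request; fail here rather than with a NullPointerException during the handshake.
            if (this.saslClient == null) {
                throw new AuthenticationException(
                        endPoint, "No SASL client implementation available for mechanism GSSAPI");
            }
            this.endPoint = endPoint;
        }

        /** Returns the caller-supplied subject, or logs in through JAAS to obtain one. */
        private static Subject resolveSubject(GssApiOptions options) throws LoginException {
            Subject provided = options.getSubject();
            if (provided != null) {
                return provided;
            }
            Configuration loginConfiguration = options.getLoginConfiguration();
            if (loginConfiguration == null) {
                throw new IllegalArgumentException(
                        "Must provide one of subject or loginConfiguration");
            }
            LoginContext loginContext =
                    new LoginContext(JAAS_CONFIG_ENTRY, null, null, loginConfiguration);
            loginContext.login();
            return loginContext.getSubject();
        }

        /**
         * Picks the SASL service name: explicit option first, then the current system property,
         * then the legacy system property, then the built-in default.
         */
        private static String resolveServiceName(GssApiOptions options) {
            String explicit = options.getSaslProtocol();
            if (explicit != null) {
                return explicit;
            }
            String legacyOrDefault =
                    System.getProperty(LEGACY_SASL_PROTOCOL_PROPERTY, DEFAULT_SASL_SERVICE_NAME);
            return System.getProperty(SASL_SERVICE_NAME_PROPERTY, legacyOrDefault);
        }

        /**
         * Returns the canonical host name of the endpoint, used as the SASL server name.
         *
         * <p>getCanonicalHostName() performs a reverse lookup, so the service principal requested
         * from the KDC depends on what the resolver answers. The default SASL properties request
         * mutual authentication; deployments that relax it through
         * {@link GssApiOptions.Builder#addSaslProperty} should treat name resolution as trusted
         * infrastructure.
         */
        private static String resolveServerHostName(EndPoint endPoint) {
            // NOTE(review): assumes resolve() yields a resolved InetSocketAddress; an unresolved
            // address would make getAddress() return null - confirm against EndPoint.
            return ((InetSocketAddress) endPoint.resolve()).getAddress().getCanonicalHostName();
        }

        @Override
        @NonNull
        protected ByteBuffer getMechanism() {
            return MECHANISM;
        }

        @Override
        @NonNull
        protected ByteBuffer getInitialServerChallenge() {
            return SERVER_INITIAL_CHALLENGE;
        }

        /**
         * Produces the client response to a server challenge.
         *
         * @param byteBuffer the challenge received from the server
         * @return the bytes to send back; an empty buffer when the server sent its initial
         *     challenge and the SASL client has no initial response; {@code null} when the SASL
         *     client returns no response for the challenge
         * @throws AuthenticationException if the challenge is {@code null} or the SASL client
         *     rejects it
         */
        @Override
        @Nullable
        public ByteBuffer evaluateChallengeSync(@Nullable ByteBuffer byteBuffer) {
            final byte[] challengeBytes;
            if (SERVER_INITIAL_CHALLENGE.equals(byteBuffer)) {
                if (!this.saslClient.hasInitialResponse()) {
                    return EMPTY_BYTE_ARRAY;
                }
                // The initial response is computed from an empty challenge.
                challengeBytes = new byte[0];
            } else {
                if (byteBuffer == null) {
                    throw new AuthenticationException(
                            this.endPoint, "Unexpected null challenge from server");
                }
                challengeBytes = Bytes.getArray(byteBuffer);
            }
            try {
                // Evaluate as the Kerberos subject so the GSS layer uses its credentials.
                byte[] response =
                        Subject.doAs(
                                this.subject,
                                (PrivilegedExceptionAction<byte[]>)
                                        () -> this.saslClient.evaluateChallenge(challengeBytes));
                // SaslClient.evaluateChallenge may return null when nothing has to be sent;
                // ByteBuffer.wrap(null) would throw a NullPointerException.
                return response == null ? null : ByteBuffer.wrap(response);
            } catch (PrivilegedActionException e) {
                throw new AuthenticationException(this.endPoint, e.getMessage(), e.getException());
            }
        }
    }

    /**
     * Immutable set of inputs for one GSSAPI authentication: either a ready {@link Subject} or a
     * JAAS {@link Configuration} to log in with, plus the SASL protocol name, authorization id and
     * SASL properties.
     */
    @Immutable
    public static class GssApiOptions {
        private final Configuration loginConfiguration;
        private final Subject subject;
        private final String saslProtocol;
        private final String authorizationId;
        private final Map<String, String> saslProperties;

        /** Mutable builder for {@link GssApiOptions}; not safe for concurrent use. */
        @NotThreadSafe
        public static class Builder {
            private Configuration loginConfiguration;
            private Subject subject;
            private String saslProtocol;
            private String authorizationId;
            private final Map<String, String> saslProperties = new HashMap<>();

            /**
             * Creates a builder whose SASL properties request mutual authentication and the
             * {@code auth} quality of protection.
             */
            public Builder() {
                // Same keys and values as before, spelled with the JDK's own constants and a
                // plain literal instead of a "true" constant borrowed from an unrelated library.
                this.saslProperties.put(Sasl.SERVER_AUTH, "true");
                // "auth" = authentication only; no SASL-level integrity or confidentiality.
                this.saslProperties.put(Sasl.QOP, "auth");
            }

            /** Sets the JAAS configuration used to log in when no subject is supplied. */
            @NonNull
            public Builder withLoginConfiguration(@Nullable Configuration configuration) {
                this.loginConfiguration = configuration;
                return this;
            }

            /** Sets an already authenticated subject; it takes precedence over a JAAS login. */
            @NonNull
            public Builder withSubject(@Nullable Subject subject) {
                this.subject = subject;
                return this;
            }

            /** Sets the SASL protocol (service) name; {@code null} defers to system properties. */
            @NonNull
            public Builder withSaslProtocol(@Nullable String str) {
                this.saslProtocol = str;
                return this;
            }

            /** Sets the authorization id passed to the SASL client. */
            @NonNull
            public Builder withAuthorizationId(@Nullable String str) {
                this.authorizationId = str;
                return this;
            }

            /**
             * Adds or replaces a SASL property.
             *
             * <p>This can overwrite the defaults set by the constructor, including the request for
             * server authentication, so callers should only relax those deliberately.
             *
             * @param str the property name
             * @param str2 the property value
             * @throws NullPointerException if either argument is {@code null}
             */
            @NonNull
            public Builder addSaslProperty(@NonNull String str, @NonNull String str2) {
                this.saslProperties.put(Objects.requireNonNull(str), Objects.requireNonNull(str2));
                return this;
            }

            /** Builds the options, taking an immutable snapshot of the SASL properties. */
            @NonNull
            public GssApiOptions build() {
                return new GssApiOptions(
                        this.loginConfiguration,
                        this.subject,
                        this.saslProtocol,
                        this.authorizationId,
                        ImmutableMap.copyOf(this.saslProperties));
            }
        }

        /** Returns a new builder preloaded with the default SASL properties. */
        @NonNull
        public static Builder builder() {
            return new Builder();
        }

        private GssApiOptions(
                @Nullable Configuration configuration,
                @Nullable Subject subject,
                @Nullable String str,
                @Nullable String str2,
                @NonNull Map<String, String> map) {
            this.loginConfiguration = configuration;
            this.subject = subject;
            this.saslProtocol = str;
            this.authorizationId = str2;
            this.saslProperties = map;
        }

        @Nullable
        public Configuration getLoginConfiguration() {
            return this.loginConfiguration;
        }

        @Nullable
        public Subject getSubject() {
            return this.subject;
        }

        @Nullable
        public String getSaslProtocol() {
            return this.saslProtocol;
        }

        @Nullable
        public String getAuthorizationId() {
            return this.authorizationId;
        }

        @NonNull
        public Map<String, String> getSaslProperties() {
            return this.saslProperties;
        }
    }

    /**
     * Creates the provider.
     *
     * <p>Decompiler note: this constructor was declared {@code protected} in the class file this
     * source was recovered from.
     *
     * @param str prefix written at the start of this provider's log messages
     * @throws NullPointerException if {@code str} is {@code null}
     */
    public DseGssApiAuthProviderBase(@NonNull String str) {
        this.logPrefix = Objects.requireNonNull(str);
    }

    /**
     * Returns the options to authenticate with against {@code endPoint}.
     *
     * @param endPoint the node being connected to
     * @param str forwarded unchanged from {@link #newAuthenticator}
     */
    @NonNull
    protected abstract GssApiOptions getOptions(@NonNull EndPoint endPoint, @NonNull String str);

    /**
     * Creates a fresh authenticator for one connection.
     *
     * @throws AuthenticationException if the login or the SASL client creation fails
     */
    @Override
    @NonNull
    public Authenticator newAuthenticator(@NonNull EndPoint endPoint, @NonNull String str)
            throws AuthenticationException {
        return new GssApiAuthenticator(getOptions(endPoint, str), endPoint, str);
    }

    /**
     * Logs a warning when a node does not send an authentication challenge.
     *
     * <p>This method only logs; whether the connection then proceeds unauthenticated is decided
     * by the caller, which is not visible here.
     */
    @Override
    public void onMissingChallenge(@NonNull EndPoint endPoint) {
        LOG.warn(
                "[{}] {} did not send an authentication challenge; This is suspicious because the driver expects authentication",
                this.logPrefix,
                endPoint);
    }

    /** Nothing to release: this base class holds no resources of its own. */
    @Override
    public void close() {
    }
}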
