package org.apache.zookeeper.util;

import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.mina.proxy.handlers.socks.SocksProxyConstants;
import org.apache.zookeeper.SaslClientCallbackHandler;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.common.ZKConfig;
import org.apache.zookeeper.server.auth.KerberosName;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;

/* loaded from: input_file:META-INF/bundled-dependencies/zookeeper-3.6.0.jar:org/apache/zookeeper/util/SecurityUtils.class */
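/**
 * Static helpers that build the SASL client and server objects from a JAAS
 * {@link Subject} and expand the {@code _HOST} placeholder in server principals.
 *
 * <p>Mechanism selection is implicit in both factories: a subject without
 * principals gets DIGEST-MD5, any other subject gets GSSAPI (Kerberos).
 * DIGEST-MD5 was moved to Historic status by RFC 6331, so a subject that
 * unexpectedly carries no principal ends up on the weaker mechanism; the
 * {@code info} log line in {@link #createSaslClient} is the only signal of that.
 *
 * <p>No SASL property map is passed to the JDK factories, so no quality of
 * protection is requested and the provider default applies (authentication only,
 * without integrity or confidentiality layers).
 *
 * <p>Several failure paths return {@code null} instead of throwing. Callers must
 * treat {@code null} as "authentication could not be set up".
 */
public final class SecurityUtils {
    /** Host component that {@link #getServerPrincipal} replaces with the real hostname. */
    public static final String QUORUM_HOSTNAME_PATTERN = "_HOST";

    /**
     * Creates the SASL client for {@code subject}.
     *
     * <p>Without principals the subject is expected to carry the user name as its
     * first public credential and the password as its first private credential (both
     * {@code String}); an empty credential set fails with an unchecked
     * {@link ArrayIndexOutOfBoundsException}. With principals, the first principal is
     * the client identity and GSSAPI is negotiated inside {@code Subject.doAs}.
     *
     * @param subject JAAS subject; must not be {@code null}
     * @param str server principal ({@code service/host}, optionally {@code @realm});
     *     read on the GSSAPI path only. When it has no {@code @}, the realm from the
     *     system property named by {@code ZKClientConfig.ZOOKEEPER_SERVER_REALM} is
     *     appended, falling back to the client principal's realm
     * @param str2 SASL protocol name, used on the DIGEST-MD5 path only
     * @param str3 SASL server name, used on the DIGEST-MD5 path only
     * @param logger destination for the mechanism and error messages
     * @param str4 label for the calling entity, used in log messages and handed to
     *     {@code SaslClientCallbackHandler}
     * @return the client, or {@code null} when the JDK finds no provider for the
     *     mechanism or when the GSSAPI path fails (the failure is logged, not thrown)
     * @throws SaslException from the DIGEST-MD5 path only
     */
    public static SaslClient createSaslClient(Subject subject, String str, String str2, String str3, final Logger logger, final String str4) throws SaslException {
        if (subject.getPrincipals().isEmpty()) {
            logger.info("{} will use DIGEST-MD5 as SASL mechanism.", str4);
            String username = (String) subject.getPublicCredentials().toArray()[0];
            // The password goes only to the callback handler; it is never logged here.
            String password = (String) subject.getPrivateCredentials().toArray()[0];
            return Sasl.createSaslClient(new String[] {"DIGEST-MD5"}, username, str2, str3, null, new SaslClientCallbackHandler(password, str4));
        }

        Principal clientPrincipal = (Principal) subject.getPrincipals().toArray()[0];
        if (Boolean.getBoolean(ZKConfig.JGSS_NATIVE)) {
            // Native JGSS: attach an initiator credential to the subject. Failure is
            // only logged, so the later handshake may still fail.
            try {
                // NOTE(review): the Kerberos V5 OID is read from MINA's SOCKS constants,
                // presumably a constant-resolution artifact of decompilation; confirm.
                Oid kerberosMech = new Oid(SocksProxyConstants.KERBEROS_V5_OID);
                GSSCredential initiatorCredential = GSSManager.getInstance().createCredential(
                        (GSSName) null, GSSCredential.DEFAULT_LIFETIME, kerberosMech, GSSCredential.INITIATE_ONLY);
                subject.getPrivateCredentials().add(initiatorCredential);
                logger.debug("Added private credential to {} principal name: '{}'", str4, clientPrincipal);
            } catch (GSSException e) {
                logger.warn("Cannot add private credential to subject; authentication at the server may fail", e);
            }
        }

        KerberosName clientKerberosName = new KerberosName(clientPrincipal.getName());
        // A JVM-wide system property can override the realm of the server principal.
        String serverRealm = System.getProperty(ZKClientConfig.ZOOKEEPER_SERVER_REALM, clientKerberosName.getRealm());
        String serverPrincipal = str;
        if (!serverPrincipal.contains("@")) {
            serverPrincipal = serverPrincipal + "@" + serverRealm;
        }
        KerberosName serverKerberosName = new KerberosName(serverPrincipal);
        final String serviceName = serverKerberosName.getServiceName();
        final String hostName = serverKerberosName.getHostName();
        final String clientPrincipalName = clientKerberosName.toString();
        try {
            return Subject.doAs(subject, new PrivilegedExceptionAction<SaslClient>() {
                @Override
                public SaslClient run() throws SaslException {
                    // The decompiled source read "Logger.this", which is not valid Java;
                    // the captured logger parameter is what is meant.
                    logger.info("{} will use GSSAPI as SASL mechanism.", str4);
                    String[] mechanisms = {"GSSAPI"};
                    logger.debug("creating sasl client: {}={};service={};serviceHostname={}", str4, clientPrincipalName, serviceName, hostName);
                    return Sasl.createSaslClient(mechanisms, clientPrincipalName, serviceName, hostName, null, new SaslClientCallbackHandler(null, str4));
                }
            });
        } catch (Exception e) {
            // Deliberately broad: any failure is logged and reported as null.
            logger.error("Exception while trying to create SASL client", e);
            return null;
        }
    }

    /**
     * Creates the SASL server for {@code subject}.
     *
     * <p>Without principals a DIGEST-MD5 server is created from {@code str} and
     * {@code str2}. Otherwise the first principal must have the form
     * {@code service/host@realm}; its service and host parts are used for a GSSAPI
     * server created inside {@code Subject.doAs}.
     *
     * @param subject JAAS subject, or {@code null}
     * @param str SASL protocol name, used on the DIGEST-MD5 path only
     * @param str2 SASL server name, used on the DIGEST-MD5 path only
     * @param callbackHandler handler passed to the JDK SASL factory
     * @param logger destination for diagnostics
     * @return the server, or {@code null} when {@code subject} is {@code null}, the
     *     principal lacks a {@code /} or {@code @}, or creation fails; every failure
     *     except the null subject is logged
     */
    public static SaslServer createSaslServer(Subject subject, String str, String str2, final CallbackHandler callbackHandler, final Logger logger) {
        if (subject == null) {
            return null;
        }
        if (subject.getPrincipals().isEmpty()) {
            try {
                return Sasl.createSaslServer("DIGEST-MD5", str, str2, null, callbackHandler);
            } catch (SaslException e) {
                logger.error("Zookeeper Quorum member failed to create a SaslServer to interact with a client during session initiation", e);
                return null;
            }
        }
        try {
            // Split "service/host@realm"; a missing '/' or '@' makes substring throw,
            // which the outer catch reports as a principal format error.
            String principalName = ((Principal) subject.getPrincipals().toArray()[0]).getName();
            int slashIndex = principalName.indexOf("/");
            final String servicePrincipalName = principalName.substring(0, slashIndex);
            String hostAndRealm = principalName.substring(slashIndex + 1);
            final String serviceHostname = hostAndRealm.substring(0, hostAndRealm.indexOf("@"));
            logger.debug("serviceHostname is '{}'", serviceHostname);
            logger.debug("servicePrincipalName is '{}'", servicePrincipalName);
            logger.debug("SASL mechanism(mech) is '{}'", "GSSAPI");
            if (Boolean.getBoolean(ZKConfig.JGSS_NATIVE)) {
                // Native JGSS: attach an acceptor credential for service@host.
                try {
                    GSSManager manager = GSSManager.getInstance();
                    // NOTE(review): the Kerberos V5 OID is read from MINA's SOCKS constants,
                    // presumably a constant-resolution artifact of decompilation; confirm.
                    Oid kerberosMech = new Oid(SocksProxyConstants.KERBEROS_V5_OID);
                    GSSName serviceName = manager.createName(servicePrincipalName + "@" + serviceHostname, GSSName.NT_HOSTBASED_SERVICE);
                    GSSCredential acceptorCredential = manager.createCredential(
                            serviceName, GSSCredential.DEFAULT_LIFETIME, kerberosMech, GSSCredential.ACCEPT_ONLY);
                    subject.getPrivateCredentials().add(acceptorCredential);
                    logger.debug("Added private credential to service principal name: '{}', GSSCredential name: {}", servicePrincipalName, acceptorCredential.getName());
                } catch (GSSException e) {
                    logger.warn("Cannot add private credential to subject; clients authentication may fail", e);
                }
            }
            try {
                return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {
                    @Override
                    public SaslServer run() {
                        try {
                            return Sasl.createSaslServer("GSSAPI", servicePrincipalName, serviceHostname, null, callbackHandler);
                        } catch (SaslException e) {
                            logger.error("Zookeeper Server failed to create a SaslServer to interact with a client during session initiation", e);
                            return null;
                        }
                    }
                });
            } catch (PrivilegedActionException e) {
                logger.error("Zookeeper Quorum member experienced a PrivilegedActionException exception while creating a SaslServer using a JAAS principal context", e);
                return null;
            }
        } catch (IndexOutOfBoundsException e) {
            logger.error("server principal name/hostname determination error", e);
            return null;
        }
    }

    /**
     * Expands the {@code _HOST} placeholder of a server principal.
     *
     * <p>Only a principal of exactly two slash-separated components whose second
     * component equals {@link #QUORUM_HOSTNAME_PATTERN} is rewritten. A value such as
     * {@code service/_HOST@REALM} does not match and is returned unchanged.
     *
     * @param str configured principal; may be {@code null}
     * @param str2 hostname to substitute; must not be {@code null} when the
     *     placeholder matches
     * @return {@code service/<lower-cased hostname>} on a match, otherwise {@code str}
     */
    public static String getServerPrincipal(String str, String str2) {
        String[] components = getComponents(str);
        boolean hasHostPlaceholder =
                components != null && components.length == 2 && components[1].equals(QUORUM_HOSTNAME_PATTERN);
        return hasHostPlaceholder ? replacePattern(components, str2) : str;
    }

    /** Splits a principal on {@code /}; returns {@code null} for {@code null} input. */
    private static String[] getComponents(String str) {
        if (str == null) {
            return null;
        }
        return str.split("[/]");
    }

    /** Joins the service component with the lower-cased hostname. */
    private static String replacePattern(String[] strArr, String str) {
        // Locale.ROOT keeps the principal independent of the JVM default locale; with
        // locale-sensitive case rules (e.g. Turkish dotless i) the result could
        // otherwise differ from the principal registered for the service.
        return strArr[0] + "/" + str.toLowerCase(Locale.ROOT);
    }
}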
