package org.apache.zookeeper.server.quorum.auth;

import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.jute.BinaryInputArchive;
import org.apache.jute.BinaryOutputArchive;
import org.apache.zookeeper.Login;
import org.apache.zookeeper.SaslClientCallbackHandler;
import org.apache.zookeeper.server.quorum.QuorumAuthPacket;
import org.apache.zookeeper.server.quorum.auth.QuorumAuth;
import org.apache.zookeeper.util.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/zookeeper-3.4.14.jar:org/apache/zookeeper/server/quorum/auth/SaslQuorumAuthLearner.class */
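public class SaslQuorumAuthLearner implements QuorumAuthLearner {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SaslQuorumAuthLearner.class);
    /** JAAS login whose Subject is used for every SASL challenge evaluation. */
    private final Login learnerLogin;
    /** When false, {@link #authenticate} is a no-op: the learner never proves its identity to the peer. */
    private final boolean quorumRequireSasl;
    /** Service-principal pattern; combined with the peer host name to derive the server principal. */
    private final String quorumServicePrincipal;

    /**
     * Creates the learner-side SASL authenticator and performs the JAAS login up front.
     *
     * @param quorumRequireSasl      whether {@link #authenticate} performs the handshake at all
     * @param quorumServicePrincipal principal pattern of the quorum server this learner connects to
     * @param loginContextName       name of the JAAS configuration section to log in with
     * @throws SaslException if the JAAS section is missing or the login cannot be set up
     */
    public SaslQuorumAuthLearner(boolean quorumRequireSasl, String quorumServicePrincipal, String loginContextName) throws SaslException {
        this.quorumRequireSasl = quorumRequireSasl;
        this.quorumServicePrincipal = quorumServicePrincipal;
        try {
            // Fail at construction time on a missing JAAS section rather than on the first quorum connection.
            // NOTE(review): Configuration.getConfiguration() may itself throw SecurityException when no JAAS
            // configuration is installed at all; that path is not translated into SaslException here.
            AppConfigurationEntry[] entries = Configuration.getConfiguration().getAppConfigurationEntry(loginContextName);
            if (entries == null || entries.length == 0) {
                throw new LoginException("SASL-authentication failed because the specified JAAS configuration section '" + loginContextName + "' could not be found.");
            }
            this.learnerLogin = new Login(loginContextName, new SaslClientCallbackHandler(null, QuorumAuth.QUORUM_LEARNER_SASL_LOGIN_CONTEXT_DFAULT_VALUE));
            this.learnerLogin.startThreadIfNeeded();
        } catch (LoginException e) {
            throw new SaslException("Failed to initialize authentication mechanism using SASL", e);
        }
    }

    /**
     * Runs the client side of the SASL handshake over {@code socket}.
     * <p>
     * Success requires two things: the local {@link SaslClient} must report completion AND the peer must have
     * reported {@code SUCCESS}; a client that completes while the peer is still {@code IN_PROGRESS} is rejected by
     * {@link #checkAuthStatus}. Every status/token read from the socket comes from a not-yet-authenticated peer and
     * is treated accordingly (unknown status values are rejected). The {@link SaslClient} is always disposed, also
     * on the failure path (the original listing only disposed it on success).
     *
     * @param socket   already-connected socket to the quorum peer
     * @param hostname peer host name, used to derive the expected server principal
     * @throws IOException   on socket I/O failure
     * @throws SaslException (an IOException) when authentication fails or the peer violates the protocol
     */
    @Override // org.apache.zookeeper.server.quorum.auth.QuorumAuthLearner
    public void authenticate(Socket socket, String hostname) throws IOException {
        if (!this.quorumRequireSasl) {
            // Deliberate opt-out: the learner sends nothing and the peer decides whether to accept an
            // unauthenticated learner.
            LOG.info("Skipping SASL authentication as {}={}", QuorumAuth.QUORUM_LEARNER_SASL_AUTH_REQUIRED, Boolean.valueOf(this.quorumRequireSasl));
            return;
        }
        String serverPrincipal = SecurityUtils.getServerPrincipal(this.quorumServicePrincipal, hostname);
        SaslClient sc = null;
        try {
            DataOutputStream out = new DataOutputStream(socket.getOutputStream());
            DataInputStream in = new DataInputStream(socket.getInputStream());
            sc = SecurityUtils.createSaslClient(this.learnerLogin.getSubject(), serverPrincipal, "zookeeper-quorum", "zk-quorum-sasl-md5", LOG, QuorumAuth.QUORUM_LEARNER_SASL_LOGIN_CONTEXT_DFAULT_VALUE);

            byte[] responseToken = new byte[0];
            if (sc.hasInitialResponse()) {
                responseToken = createSaslToken(new byte[0], sc, this.learnerLogin);
            }
            send(out, responseToken);
            QuorumAuthPacket authPacket = receive(in);
            QuorumAuth.Status qpStatus = QuorumAuth.Status.getStatus(authPacket.getStatus());
            while (!sc.isComplete()) {
                switch (qpStatus) {
                    case SUCCESS:
                        // The peer claims to be done; the final token is still fed to the mechanism so it can
                        // verify it. Having anything left to send at this point is a protocol violation.
                        if (createSaslToken(authPacket.getToken(), sc, this.learnerLogin) != null) {
                            throw new SaslException("Protocol error: attempting to send response after completion. Server addr: " + socket.getRemoteSocketAddress());
                        }
                        if (!sc.isComplete()) {
                            // Guard: otherwise the loop would re-evaluate the same SUCCESS token indefinitely.
                            throw new SaslException("Protocol error: server reported SUCCESS but the SASL exchange is not complete. Server addr: " + socket.getRemoteSocketAddress());
                        }
                        break;
                    case IN_PROGRESS:
                        send(out, createSaslToken(authPacket.getToken(), sc, this.learnerLogin));
                        authPacket = receive(in);
                        qpStatus = QuorumAuth.Status.getStatus(authPacket.getStatus());
                        break;
                    case ERROR:
                        throw new SaslException("Authentication failed against server addr: " + socket.getRemoteSocketAddress());
                    default:
                        LOG.warn("Unknown status:{}!", qpStatus);
                        throw new SaslException("Authentication failed against server addr: " + socket.getRemoteSocketAddress());
                }
            }
            checkAuthStatus(socket, qpStatus);
        } finally {
            // Release mechanism state on every exit path, not only after a successful handshake.
            if (sc != null) {
                try {
                    sc.dispose();
                } catch (SaslException e) {
                    LOG.error("SaslClient dispose() failed", e);
                }
            }
        }
    }

    /**
     * Requires the peer's last reported status to be {@code SUCCESS}; client-side completion alone is not enough.
     *
     * @throws SaslException when the status is anything other than {@code SUCCESS}
     */
    private void checkAuthStatus(Socket socket, QuorumAuth.Status status) throws SaslException {
        if (status != QuorumAuth.Status.SUCCESS) {
            throw new SaslException("Authentication failed against server addr: " + socket.getRemoteSocketAddress() + ", qpStatus: " + status);
        }
        LOG.info("Successfully completed the authentication using SASL. server addr: {}, status: {}", socket.getRemoteSocketAddress(), status);
    }

    /**
     * Reads one {@link QuorumAuthPacket} from the peer. The bytes come from an unauthenticated peer; any length
     * or sanity limits are whatever the Jute archive enforces, nothing is added here.
     */
    private QuorumAuthPacket receive(DataInputStream in) throws IOException {
        QuorumAuthPacket authPacket = new QuorumAuthPacket();
        authPacket.deserialize(BinaryInputArchive.getArchive(in), "qpconnect");
        return authPacket;
    }

    /** Writes {@code token} to the peer as an {@code IN_PROGRESS} packet and flushes it. */
    private void send(DataOutputStream out, byte[] token) throws IOException {
        BufferedOutputStream bufferedOut = new BufferedOutputStream(out);
        BinaryOutputArchive.getArchive(bufferedOut).writeRecord(QuorumAuth.createPacket(QuorumAuth.Status.IN_PROGRESS, token), "qpconnect");
        bufferedOut.flush();
    }

    /**
     * Evaluates a server challenge under the login's Subject and returns the response to send, or {@code null}
     * when the mechanism has nothing further to send.
     *
     * @param saslToken  challenge received from the peer; must not be null
     * @param saslClient mechanism instance for this handshake
     * @param login      login whose Subject supplies the credentials
     * @throws SaslException if the token or Subject is null, or the mechanism rejects the challenge (cause preserved)
     */
    private byte[] createSaslToken(final byte[] saslToken, final SaslClient saslClient, Login login) throws SaslException {
        if (saslToken == null) {
            throw new SaslException("Error in authenticating with a Zookeeper Quorum member: the quorum member's saslToken is null.");
        }
        if (login.getSubject() == null) {
            throw new SaslException("Cannot make SASL token without subject defined. For diagnosis, please look for WARNs and ERRORs in your log related to the Login class.");
        }
        byte[] response;
        // Serialised on the Login object; presumably to avoid racing with its credential refresh thread.
        synchronized (login) {
            try {
                response = (byte[]) Subject.doAs(login.getSubject(), new PrivilegedExceptionAction<byte[]>() { // from class: org.apache.zookeeper.server.quorum.auth.SaslQuorumAuthLearner.1
                    @Override // java.security.PrivilegedExceptionAction
                    public byte[] run() throws SaslException {
                        SaslQuorumAuthLearner.LOG.debug("saslClient.evaluateChallenge(len=" + saslToken.length + ")");
                        return saslClient.evaluateChallenge(saslToken);
                    }
                });
            } catch (PrivilegedActionException e) {
                String message = "An error: (" + e + ") occurred when evaluating Zookeeper Quorum Member's  received SASL token.";
                if (e.toString().indexOf("(Mechanism level: Server not found in Kerberos database (7) - UNKNOWN_SERVER)") > -1) {
                    message = message + " This may be caused by Java's being unable to resolve the Zookeeper Quorum Member's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your server's JVMFLAGS environment.";
                }
                LOG.error(message, e);
                // Keep the original exception as the cause instead of flattening it into the message only.
                throw new SaslException(message, e);
            }
        }
        return response;
    }
}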
