package org.apache.pulsar.broker.authentication;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import lombok.Generated;
import org.apache.pulsar.common.api.AuthData;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/broker/authentication/PulsarSaslServer.class */
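/**
 * Server side of one SASL/GSSAPI (Kerberos) handshake.
 *
 * <p>The underlying {@link SaslServer} is created while running as the broker's {@link Subject}, so the
 * GSS layer sees the broker's Kerberos credentials. Every authorization decision is delegated to
 * {@link SaslServerCallbackHandler}, which only authorizes a client whose authentication ID equals the
 * authorization ID it asks for and fully matches {@code allowedIdsPattern}.
 */
public class PulsarSaslServer {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(PulsarSaslServer.class);
    private static final String GSSAPI = "GSSAPI";

    private final SaslServer saslServer;
    private final Pattern allowedIdsPattern;
    private final Subject serverSubject;

    /**
     * {@link CallbackHandler} answering the {@link AuthorizeCallback} raised by the GSSAPI mechanism.
     *
     * <p>Only {@link AuthorizeCallback} is understood; any other callback type is rejected with an
     * {@link UnsupportedCallbackException} rather than silently ignored.
     */
    public static class SaslServerCallbackHandler implements CallbackHandler {
        private final Pattern allowedIdsPattern;

        /**
         * @param pattern regular expression that an authenticated client principal must fully match to be
         *                authorized
         */
        public SaslServerCallbackHandler(Pattern pattern) {
            this.allowedIdsPattern = pattern;
        }

        /**
         * Answers each callback; only {@link AuthorizeCallback} is supported.
         *
         * @throws UnsupportedCallbackException for any callback that is not an {@link AuthorizeCallback}
         */
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback callback : callbacks) {
                if (callback instanceof AuthorizeCallback) {
                    handleAuthorizeCallback((AuthorizeCallback) callback);
                } else {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL GSSAPI Server Callback.");
                }
            }
        }

        /**
         * Decides whether the authenticated principal may act as the requested authorization ID.
         *
         * <p>Access is granted only when both IDs are identical and the authentication ID matches
         * {@code allowedIdsPattern} as a whole ({@code matches()}, not {@code find()}), so a pattern cannot
         * be satisfied by a substring of the principal name. Every decision is logged at INFO.
         */
        private void handleAuthorizeCallback(AuthorizeCallback callback) {
            String authenticationId = callback.getAuthenticationID();
            String authorizationId = callback.getAuthorizationID();
            if (!authenticationId.equals(authorizationId)) {
                callback.setAuthorized(false);
                log.info("Forbidden access to client: authenticationID: {} is different from authorizationID: {}",
                        authenticationId, authorizationId);
                return;
            }
            if (!allowedIdsPattern.matcher(authenticationId).matches()) {
                callback.setAuthorized(false);
                log.info("Forbidden access to client: authenticationID {}, is not allowed (see {} property).",
                        authenticationId, "saslJaasClientAllowedIds");
                return;
            }
            callback.setAuthorized(true);
            log.info("Successfully authenticated client: authenticationID: {};  authorizationID: {}.",
                    authenticationId, authorizationId);
        }
    }

    /**
     * Creates the GSSAPI {@link SaslServer} for this connection.
     *
     * @param subject the broker's JAAS subject; must carry a principal named {@code service/host@REALM}
     * @param pattern regular expression that an authenticated client principal must fully match
     * @throws IOException    if the subject has no principal, its name cannot be split, or the SASL
     *                        mechanism fails to initialise (always thrown as a {@link SaslException})
     * @throws LoginException declared for source compatibility; nothing in this class throws it
     * @throws NullPointerException if {@code subject} or {@code pattern} is {@code null}
     */
    public PulsarSaslServer(Subject subject, Pattern pattern) throws IOException, LoginException {
        this.serverSubject = Objects.requireNonNull(subject, "subject");
        this.allowedIdsPattern = Objects.requireNonNull(pattern, "allowedIdsPattern");
        this.saslServer = createSaslServer(this.serverSubject);
    }

    /**
     * Splits a Kerberos service principal name into {@code {servicePrincipalName, serviceHostname}}.
     *
     * <p>For {@code service/host@REALM} the result is {@code {"service", "host"}}. Without a {@code '/'}
     * the host is {@code null} and the first element is everything before {@code '@'}.
     *
     * @throws IndexOutOfBoundsException if the part after the (optional) {@code '/'} has no {@code '@'}
     */
    private static String[] splitServicePrincipal(String name) {
        int slash = name.indexOf("/");
        String afterSlash = name.substring(slash + 1);
        int at = afterSlash.indexOf("@");
        if (slash > 0) {
            return new String[] {name.substring(0, slash), afterSlash.substring(0, at)};
        }
        // No '/' (or a leading one): keep the historical behaviour of indexing the full name with the
        // '@' position found after the slash.
        return new String[] {name.substring(0, at), null};
    }

    /**
     * Builds the GSSAPI {@link SaslServer} while running as {@code subject}.
     *
     * @throws SaslException if the subject has no principal, the principal name lacks the expected
     *                       separators, or {@link Sasl#createSaslServer} fails
     */
    private SaslServer createSaslServer(Subject subject) throws IOException {
        final SaslServerCallbackHandler callbackHandler = new SaslServerCallbackHandler(this.allowedIdsPattern);
        if (subject.getPrincipals().isEmpty()) {
            log.error("Authentication use SASL/JAAS/GSSAPI but server not have Principals");
            throw new SaslException("Authentication use SASL/JAAS/GSSAPI but server not have Principals");
        }
        // Subject#getPrincipals() is a Set, so "first" means iteration order; presumably the broker subject
        // carries a single Kerberos service principal — confirm against the JAAS configuration.
        Principal principal = subject.getPrincipals().iterator().next();
        if (log.isDebugEnabled()) {
            log.debug("Authentication will use SASL/JAAS/Kerberos, servicePrincipal is {}", principal);
        }

        final String[] parts;
        try {
            parts = splitServicePrincipal(principal.getName());
        } catch (IndexOutOfBoundsException e) {
            // A name without '@' makes substring(0, -1) throw; surface it as a SASL setup failure.
            throw new SaslException("error on GSSAPI boot", e);
        }
        final String servicePrincipalName = parts[0];
        final String serviceHostname = parts[1];
        if (log.isDebugEnabled()) {
            log.debug("serviceHostname is '{}', servicePrincipalName is '{}', SASL mechanism(mech) is '{}'.",
                    new Object[] {serviceHostname, servicePrincipalName, GSSAPI});
        }

        try {
            // run() declares SaslException so that Subject.doAs wraps it in PrivilegedActionException and the
            // catch below turns it back into a SaslException. Wrapping it in RuntimeException instead would
            // escape this method unchecked and bypass its IOException contract.
            return Subject.doAs(subject, new PrivilegedExceptionAction<SaslServer>() {
                @Override
                public SaslServer run() throws SaslException {
                    // No mechanism properties are passed (null props map).
                    return Sasl.createSaslServer(GSSAPI, servicePrincipalName, serviceHostname, null, callbackHandler);
                }
            });
        } catch (PrivilegedActionException e) {
            throw new SaslException("error on GSSAPI boot", e.getCause());
        }
    }

    /** @return {@code true} once the underlying {@link SaslServer} reports the handshake as complete */
    public boolean isComplete() {
        return saslServer.isComplete();
    }

    /**
     * @return the authorization ID negotiated by the underlying {@link SaslServer}
     * @throws IllegalStateException if the exchange has not completed (propagated from
     *                               {@link SaslServer#getAuthorizationID()})
     */
    public String getAuthorizationID() throws IllegalStateException {
        return saslServer.getAuthorizationID();
    }

    /**
     * Evaluates one client token and returns the server's reply for this handshake round.
     *
     * @param authData the client's token
     * @return the bytes produced by {@link SaslServer#evaluateResponse(byte[])}, wrapped as {@link AuthData}
     * @throws AuthenticationException if the SASL layer rejects the token; the underlying
     *                                 {@link SaslException} is attached as the root cause
     */
    public AuthData response(AuthData authData) throws AuthenticationException {
        try {
            return AuthData.of(saslServer.evaluateResponse(authData.getBytes()));
        } catch (SaslException e) {
            log.error("response: Failed to evaluate client token:", e);
            AuthenticationException failure = new AuthenticationException(e.getMessage());
            // Keep the SASL cause for callers that inspect the chain; the message alone loses it.
            failure.setRootCause(e);
            throw failure;
        }
    }
}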
