package org.apache.hadoop.security;

import com.google.common.annotations.VisibleForTesting;
import com.google.protobuf.ByteString;
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.FilterInputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.GlobPattern;
import org.apache.hadoop.ipc.ProtobufRpcEngine;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.ipc.RpcConstants;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.ipc.protobuf.RpcHeaderProtos;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.TokenInfo;
import org.apache.hadoop.util.ProtoUtil;
import org.apache.phoenix.shaded.org.apache.commons.configuration.tree.DefaultExpressionEngine;

@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
/* loaded from: input_file:org/apache/hadoop/security/SaslRpcClient.class */
public class SaslRpcClient {
    private final UserGroupInformation ugi;
    private final Class<?> protocol;
    private final InetSocketAddress serverAddr;
    private final Configuration conf;
    private SaslClient saslClient;
    private SaslPropertiesResolver saslPropsResolver;
    private SaslRpcServer.AuthMethod authMethod;
    public static final Log LOG = LogFactory.getLog(SaslRpcClient.class);
    private static final RpcHeaderProtos.RpcRequestHeaderProto saslHeader = ProtoUtil.makeRpcRequestHeader(RPC.RpcKind.RPC_PROTOCOL_BUFFER, RpcHeaderProtos.RpcRequestHeaderProto.OperationProto.RPC_FINAL_PACKET, Server.AuthProtocol.SASL.callId, -1, RpcConstants.DUMMY_CLIENT_ID);
    private static final RpcHeaderProtos.RpcSaslProto negotiateRequest = RpcHeaderProtos.RpcSaslProto.newBuilder().setState(RpcHeaderProtos.RpcSaslProto.SaslState.NEGOTIATE).build();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/security/SaslRpcClient$SaslClientCallbackHandler.class */
    public static class SaslClientCallbackHandler implements CallbackHandler {
        private final String userName;
        private final char[] userPassword;

        public SaslClientCallbackHandler(Token<? extends TokenIdentifier> token) {
            this.userName = SaslRpcServer.encodeIdentifier(token.getIdentifier());
            this.userPassword = SaslRpcServer.encodePassword(token.getPassword());
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            RealmCallback realmCallback = null;
            for (Callback callback : callbackArr) {
                if (!(callback instanceof RealmChoiceCallback)) {
                    if (callback instanceof NameCallback) {
                        nameCallback = (NameCallback) callback;
                    } else if (callback instanceof PasswordCallback) {
                        passwordCallback = (PasswordCallback) callback;
                    } else {
                        if (!(callback instanceof RealmCallback)) {
                            throw new UnsupportedCallbackException(callback, "Unrecognized SASL client callback");
                        }
                        realmCallback = (RealmCallback) callback;
                    }
                }
            }
            if (nameCallback != null) {
                if (SaslRpcClient.LOG.isDebugEnabled()) {
                    SaslRpcClient.LOG.debug("SASL client callback: setting username: " + this.userName);
                }
                nameCallback.setName(this.userName);
            }
            if (passwordCallback != null) {
                if (SaslRpcClient.LOG.isDebugEnabled()) {
                    SaslRpcClient.LOG.debug("SASL client callback: setting userPassword");
                }
                passwordCallback.setPassword(this.userPassword);
            }
            if (realmCallback != null) {
                if (SaslRpcClient.LOG.isDebugEnabled()) {
                    SaslRpcClient.LOG.debug("SASL client callback: setting realm: " + realmCallback.getDefaultText());
                }
                realmCallback.setText(realmCallback.getDefaultText());
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/hadoop/security/SaslRpcClient$WrappedInputStream.class */
    public class WrappedInputStream extends FilterInputStream {
        private ByteBuffer unwrappedRpcBuffer;

        public WrappedInputStream(InputStream inputStream) throws IOException {
            super(inputStream);
            this.unwrappedRpcBuffer = ByteBuffer.allocate(0);
        }

        @Override // java.io.FilterInputStream, java.io.InputStream
        public int read() throws IOException {
            byte[] bArr = new byte[1];
            if (read(bArr, 0, 1) != -1) {
                return bArr[0];
            }
            return -1;
        }

        @Override // java.io.FilterInputStream, java.io.InputStream
        public int read(byte[] bArr) throws IOException {
            return read(bArr, 0, bArr.length);
        }

        @Override // java.io.FilterInputStream, java.io.InputStream
        public synchronized int read(byte[] bArr, int i, int i2) throws IOException {
            if (this.unwrappedRpcBuffer.remaining() == 0) {
                readNextRpcPacket();
            }
            int min = Math.min(i2, this.unwrappedRpcBuffer.remaining());
            this.unwrappedRpcBuffer.get(bArr, i, min);
            return min;
        }

        private void readNextRpcPacket() throws IOException {
            SaslRpcClient.LOG.debug("reading next wrapped RPC packet");
            DataInputStream dataInputStream = new DataInputStream(this.in);
            byte[] bArr = new byte[dataInputStream.readInt()];
            dataInputStream.readFully(bArr);
            ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(bArr);
            RpcHeaderProtos.RpcResponseHeaderProto.Builder newBuilder = RpcHeaderProtos.RpcResponseHeaderProto.newBuilder();
            newBuilder.mergeDelimitedFrom(byteArrayInputStream);
            boolean z = false;
            if (newBuilder.getCallId() == Server.AuthProtocol.SASL.callId) {
                RpcHeaderProtos.RpcSaslProto.Builder newBuilder2 = RpcHeaderProtos.RpcSaslProto.newBuilder();
                newBuilder2.mergeDelimitedFrom(byteArrayInputStream);
                if (newBuilder2.getState() == RpcHeaderProtos.RpcSaslProto.SaslState.WRAP) {
                    z = true;
                    byte[] byteArray = newBuilder2.getToken().toByteArray();
                    if (SaslRpcClient.LOG.isDebugEnabled()) {
                        SaslRpcClient.LOG.debug("unwrapping token of length:" + byteArray.length);
                    }
                    this.unwrappedRpcBuffer = ByteBuffer.wrap(SaslRpcClient.this.saslClient.unwrap(byteArray, 0, byteArray.length));
                }
            }
            if (!z) {
                throw new SaslException("Server sent non-wrapped response");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/hadoop/security/SaslRpcClient$WrappedOutputStream.class */
    public class WrappedOutputStream extends FilterOutputStream {
        public WrappedOutputStream(OutputStream outputStream) throws IOException {
            super(outputStream);
        }

        @Override // java.io.FilterOutputStream, java.io.OutputStream
        public void write(byte[] bArr, int i, int i2) throws IOException {
            if (SaslRpcClient.LOG.isDebugEnabled()) {
                SaslRpcClient.LOG.debug("wrapping token of length:" + i2);
            }
            byte[] wrap = SaslRpcClient.this.saslClient.wrap(bArr, i, i2);
            ProtobufRpcEngine.RpcRequestMessageWrapper rpcRequestMessageWrapper = new ProtobufRpcEngine.RpcRequestMessageWrapper(SaslRpcClient.saslHeader, RpcHeaderProtos.RpcSaslProto.newBuilder().setState(RpcHeaderProtos.RpcSaslProto.SaslState.WRAP).setToken(ByteString.copyFrom(wrap, 0, wrap.length)).build());
            DataOutputStream dataOutputStream = new DataOutputStream(this.out);
            dataOutputStream.writeInt(rpcRequestMessageWrapper.getLength());
            rpcRequestMessageWrapper.write(dataOutputStream);
        }
    }

    public SaslRpcClient(UserGroupInformation userGroupInformation, Class<?> cls, InetSocketAddress inetSocketAddress, Configuration configuration) {
        this.ugi = userGroupInformation;
        this.protocol = cls;
        this.serverAddr = inetSocketAddress;
        this.conf = configuration;
        this.saslPropsResolver = SaslPropertiesResolver.getInstance(configuration);
    }

    @InterfaceAudience.Private
    @VisibleForTesting
    public Object getNegotiatedProperty(String str) {
        if (this.saslClient != null) {
            return this.saslClient.getNegotiatedProperty(str);
        }
        return null;
    }

    @InterfaceAudience.Private
    public SaslRpcServer.AuthMethod getAuthMethod() {
        return this.authMethod;
    }

    private RpcHeaderProtos.RpcSaslProto.SaslAuth selectSaslClient(List<RpcHeaderProtos.RpcSaslProto.SaslAuth> list) throws SaslException, AccessControlException, IOException {
        RpcHeaderProtos.RpcSaslProto.SaslAuth saslAuth = null;
        boolean z = false;
        for (RpcHeaderProtos.RpcSaslProto.SaslAuth saslAuth2 : list) {
            if (isValidAuthType(saslAuth2)) {
                if (SaslRpcServer.AuthMethod.valueOf(saslAuth2.getMethod()) == SaslRpcServer.AuthMethod.SIMPLE) {
                    z = true;
                } else {
                    this.saslClient = createSaslClient(saslAuth2);
                    if (this.saslClient == null) {
                    }
                }
                saslAuth = saslAuth2;
                break;
            }
        }
        if (this.saslClient != null || z) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Use " + saslAuth.getMethod() + " authentication for protocol " + this.protocol.getSimpleName());
            }
            return saslAuth;
        }
        ArrayList arrayList = new ArrayList();
        Iterator<RpcHeaderProtos.RpcSaslProto.SaslAuth> it = list.iterator();
        while (it.hasNext()) {
            arrayList.add(it.next().getMethod());
        }
        throw new AccessControlException("Client cannot authenticate via:" + arrayList);
    }

    private boolean isValidAuthType(RpcHeaderProtos.RpcSaslProto.SaslAuth saslAuth) {
        SaslRpcServer.AuthMethod authMethod;
        try {
            authMethod = SaslRpcServer.AuthMethod.valueOf(saslAuth.getMethod());
        } catch (IllegalArgumentException e) {
            authMethod = null;
        }
        return authMethod != null && authMethod.getMechanismName().equals(saslAuth.getMechanism());
    }

    private SaslClient createSaslClient(RpcHeaderProtos.RpcSaslProto.SaslAuth saslAuth) throws SaslException, IOException {
        String serverPrincipal;
        String protocol = saslAuth.getProtocol();
        String serverId = saslAuth.getServerId();
        Map<String, String> clientProperties = this.saslPropsResolver.getClientProperties(this.serverAddr.getAddress());
        SaslClientCallbackHandler saslClientCallbackHandler = null;
        SaslRpcServer.AuthMethod valueOf = SaslRpcServer.AuthMethod.valueOf(saslAuth.getMethod());
        switch (valueOf) {
            case TOKEN:
                Token<?> serverToken = getServerToken(saslAuth);
                if (serverToken != null) {
                    saslClientCallbackHandler = new SaslClientCallbackHandler(serverToken);
                    break;
                } else {
                    return null;
                }
            case KERBEROS:
                if (this.ugi.getRealAuthenticationMethod().getAuthMethod() != SaslRpcServer.AuthMethod.KERBEROS || (serverPrincipal = getServerPrincipal(saslAuth)) == null) {
                    return null;
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("RPC Server's Kerberos principal name for protocol=" + this.protocol.getCanonicalName() + " is " + serverPrincipal);
                    break;
                }
                break;
            default:
                throw new IOException("Unknown authentication method " + valueOf);
        }
        String mechanismName = valueOf.getMechanismName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("Creating SASL " + mechanismName + DefaultExpressionEngine.DEFAULT_INDEX_START + valueOf + ")  client to authenticate to service at " + serverId);
        }
        return Sasl.createSaslClient(new String[]{mechanismName}, (String) null, protocol, serverId, clientProperties, saslClientCallbackHandler);
    }

    private Token<?> getServerToken(RpcHeaderProtos.RpcSaslProto.SaslAuth saslAuth) throws IOException {
        TokenInfo tokenInfo = SecurityUtil.getTokenInfo(this.protocol, this.conf);
        LOG.debug("Get token info proto:" + this.protocol + " info:" + tokenInfo);
        if (tokenInfo == null) {
            return null;
        }
        try {
            return tokenInfo.value().newInstance().selectToken(SecurityUtil.buildTokenService(this.serverAddr), this.ugi.getTokens());
        } catch (IllegalAccessException e) {
            throw new IOException(e.toString());
        } catch (InstantiationException e2) {
            throw new IOException(e2.toString());
        }
    }

    @VisibleForTesting
    String getServerPrincipal(RpcHeaderProtos.RpcSaslProto.SaslAuth saslAuth) throws IOException {
        boolean equals;
        KerberosInfo kerberosInfo = SecurityUtil.getKerberosInfo(this.protocol, this.conf);
        LOG.debug("Get kerberos info proto:" + this.protocol + " info:" + kerberosInfo);
        if (kerberosInfo == null) {
            return null;
        }
        String serverPrincipal = kerberosInfo.serverPrincipal();
        if (serverPrincipal == null) {
            throw new IllegalArgumentException("Can't obtain server Kerberos config key from protocol=" + this.protocol.getCanonicalName());
        }
        String name = new KerberosPrincipal(saslAuth.getProtocol() + "/" + saslAuth.getServerId(), 3).getName();
        String str = this.conf.get(serverPrincipal + ".pattern");
        if (str == null || str.isEmpty()) {
            String serverPrincipal2 = SecurityUtil.getServerPrincipal(this.conf.get(serverPrincipal), this.serverAddr.getAddress());
            if (LOG.isDebugEnabled()) {
                LOG.debug("getting serverKey: " + serverPrincipal + " conf value: " + this.conf.get(serverPrincipal) + " principal: " + serverPrincipal2);
            }
            if (serverPrincipal2 == null || serverPrincipal2.isEmpty()) {
                throw new IllegalArgumentException("Failed to specify server's Kerberos principal name");
            }
            if (new KerberosName(serverPrincipal2).getHostName() == null) {
                throw new IllegalArgumentException("Kerberos principal name does NOT have the expected hostname part: " + serverPrincipal2);
            }
            equals = name.equals(serverPrincipal2);
        } else {
            equals = GlobPattern.compile(str).matcher(name).matches();
        }
        if (equals) {
            return name;
        }
        throw new IllegalArgumentException("Server has invalid Kerberos principal: " + name);
    }

    public SaslRpcServer.AuthMethod saslConnect(InputStream inputStream, OutputStream outputStream) throws IOException {
        DataInputStream dataInputStream = new DataInputStream(new BufferedInputStream(inputStream));
        DataOutputStream dataOutputStream = new DataOutputStream(new BufferedOutputStream(outputStream));
        this.authMethod = SaslRpcServer.AuthMethod.SIMPLE;
        sendSaslMessage(dataOutputStream, negotiateRequest);
        boolean z = false;
        do {
            int readInt = dataInputStream.readInt();
            ProtobufRpcEngine.RpcResponseMessageWrapper rpcResponseMessageWrapper = new ProtobufRpcEngine.RpcResponseMessageWrapper();
            rpcResponseMessageWrapper.readFields(dataInputStream);
            RpcHeaderProtos.RpcResponseHeaderProto messageHeader = rpcResponseMessageWrapper.getMessageHeader();
            switch (messageHeader.getStatus()) {
                case ERROR:
                case FATAL:
                    throw new RemoteException(messageHeader.getExceptionClassName(), messageHeader.getErrorMsg());
                default:
                    if (readInt == rpcResponseMessageWrapper.getLength()) {
                        if (messageHeader.getCallId() == Server.AuthProtocol.SASL.callId) {
                            RpcHeaderProtos.RpcSaslProto parseFrom = RpcHeaderProtos.RpcSaslProto.parseFrom(rpcResponseMessageWrapper.getMessageBytes());
                            if (LOG.isDebugEnabled()) {
                                LOG.debug("Received SASL message " + parseFrom);
                            }
                            RpcHeaderProtos.RpcSaslProto.Builder builder = null;
                            switch (parseFrom.getState()) {
                                case NEGOTIATE:
                                    RpcHeaderProtos.RpcSaslProto.SaslAuth selectSaslClient = selectSaslClient(parseFrom.getAuthsList());
                                    this.authMethod = SaslRpcServer.AuthMethod.valueOf(selectSaslClient.getMethod());
                                    byte[] bArr = null;
                                    if (this.authMethod == SaslRpcServer.AuthMethod.SIMPLE) {
                                        z = true;
                                    } else {
                                        byte[] bArr2 = null;
                                        if (selectSaslClient.hasChallenge()) {
                                            bArr2 = selectSaslClient.getChallenge().toByteArray();
                                            selectSaslClient = RpcHeaderProtos.RpcSaslProto.SaslAuth.newBuilder(selectSaslClient).clearChallenge().build();
                                        } else if (this.saslClient.hasInitialResponse()) {
                                            bArr2 = new byte[0];
                                        }
                                        bArr = bArr2 != null ? this.saslClient.evaluateChallenge(bArr2) : new byte[0];
                                    }
                                    builder = createSaslReply(RpcHeaderProtos.RpcSaslProto.SaslState.INITIATE, bArr);
                                    builder.addAuths(selectSaslClient);
                                    break;
                                case CHALLENGE:
                                    if (this.saslClient != null) {
                                        builder = createSaslReply(RpcHeaderProtos.RpcSaslProto.SaslState.RESPONSE, saslEvaluateToken(parseFrom, false));
                                        break;
                                    } else {
                                        throw new SaslException("Server sent unsolicited challenge");
                                    }
                                case SUCCESS:
                                    if (this.saslClient == null) {
                                        this.authMethod = SaslRpcServer.AuthMethod.SIMPLE;
                                    } else {
                                        saslEvaluateToken(parseFrom, true);
                                    }
                                    z = true;
                                    break;
                                default:
                                    throw new SaslException("RPC client doesn't support SASL " + parseFrom.getState());
                            }
                            if (builder != null) {
                                sendSaslMessage(dataOutputStream, builder.build());
                            }
                            break;
                        } else {
                            throw new SaslException("Non-SASL response during negotiation");
                        }
                    } else {
                        throw new SaslException("Received malformed response length");
                    }
            }
        } while (!z);
        return this.authMethod;
    }

    private void sendSaslMessage(DataOutputStream dataOutputStream, RpcHeaderProtos.RpcSaslProto rpcSaslProto) throws IOException {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Sending sasl message " + rpcSaslProto);
        }
        ProtobufRpcEngine.RpcRequestMessageWrapper rpcRequestMessageWrapper = new ProtobufRpcEngine.RpcRequestMessageWrapper(saslHeader, rpcSaslProto);
        dataOutputStream.writeInt(rpcRequestMessageWrapper.getLength());
        rpcRequestMessageWrapper.write(dataOutputStream);
        dataOutputStream.flush();
    }

    private byte[] saslEvaluateToken(RpcHeaderProtos.RpcSaslProto rpcSaslProto, boolean z) throws SaslException {
        byte[] bArr = null;
        if (rpcSaslProto.hasToken()) {
            bArr = this.saslClient.evaluateChallenge(rpcSaslProto.getToken().toByteArray());
        } else if (!z) {
            throw new SaslException("Server challenge contains no token");
        }
        if (z) {
            if (!this.saslClient.isComplete()) {
                throw new SaslException("Client is out of sync with server");
            }
            if (bArr != null) {
                throw new SaslException("Client generated spurious response");
            }
        }
        return bArr;
    }

    private RpcHeaderProtos.RpcSaslProto.Builder createSaslReply(RpcHeaderProtos.RpcSaslProto.SaslState saslState, byte[] bArr) {
        RpcHeaderProtos.RpcSaslProto.Builder newBuilder = RpcHeaderProtos.RpcSaslProto.newBuilder();
        newBuilder.setState(saslState);
        if (bArr != null) {
            newBuilder.setToken(ByteString.copyFrom(bArr));
        }
        return newBuilder;
    }

    private boolean useWrap() {
        String str = (String) this.saslClient.getNegotiatedProperty("javax.security.sasl.qop");
        return (str == null || "auth".equalsIgnoreCase(str)) ? false : true;
    }

    public InputStream getInputStream(InputStream inputStream) throws IOException {
        if (useWrap()) {
            inputStream = new WrappedInputStream(inputStream);
        }
        return inputStream;
    }

    public OutputStream getOutputStream(OutputStream outputStream) throws IOException {
        if (useWrap()) {
            outputStream = new BufferedOutputStream(new WrappedOutputStream(outputStream), Integer.parseInt((String) this.saslClient.getNegotiatedProperty("javax.security.sasl.rawsendsize")));
        }
        return outputStream;
    }

    public void dispose() throws SaslException {
        if (this.saslClient != null) {
            this.saslClient.dispose();
            this.saslClient = null;
        }
    }
}
