package org.apache.kafka.common.security.authenticator;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.Configuration;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.NetworkReceive;
import org.apache.kafka.common.network.NetworkSend;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.PrincipalBuilder;
import org.apache.kafka.common.security.kerberos.KerberosName;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.apache.mina.proxy.handlers.socks.SocksProxyConstants;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kafka/common/security/authenticator/SaslServerAuthenticator.class */
public class SaslServerAuthenticator implements Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) SaslServerAuthenticator.class);
    private final SaslServer saslServer;
    private final Subject subject;
    private final String node;
    private final KerberosShortNamer kerberosNamer;
    private TransportLayer transportLayer;
    private NetworkReceive netInBuffer;
    private NetworkSend netOutBuffer;

    public SaslServerAuthenticator(String str, Subject subject, KerberosShortNamer kerberosShortNamer) throws IOException {
        if (subject == null) {
            throw new IllegalArgumentException("subject cannot be null");
        }
        if (subject.getPrincipals().isEmpty()) {
            throw new IllegalArgumentException("subject must have at least one principal");
        }
        this.node = str;
        this.subject = subject;
        this.kerberosNamer = kerberosShortNamer;
        this.saslServer = createSaslServer();
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public void configure(TransportLayer transportLayer, PrincipalBuilder principalBuilder, Map<String, ?> map) {
        this.transportLayer = transportLayer;
    }

    private SaslServer createSaslServer() throws IOException {
        final SaslServerCallbackHandler saslServerCallbackHandler = new SaslServerCallbackHandler(Configuration.getConfiguration(), this.kerberosNamer);
        Principal next = this.subject.getPrincipals().iterator().next();
        try {
            KerberosName parse = KerberosName.parse(next.getName());
            final String serviceName = parse.serviceName();
            final String hostName = parse.hostName();
            LOG.debug("Creating SaslServer for {} with mechanism {}", parse, "GSSAPI");
            if (Boolean.getBoolean("sun.security.jgss.native")) {
                try {
                    GSSManager gSSManager = GSSManager.getInstance();
                    this.subject.getPrivateCredentials().add(gSSManager.createCredential(gSSManager.createName(serviceName + "@" + hostName, GSSName.NT_HOSTBASED_SERVICE), Integer.MAX_VALUE, new Oid(SocksProxyConstants.KERBEROS_V5_OID), 2));
                } catch (GSSException e) {
                    LOG.warn("Cannot add private credential to subject; clients authentication may fail", e);
                }
            }
            try {
                return (SaslServer) Subject.doAs(this.subject, new PrivilegedExceptionAction<SaslServer>() { // from class: org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public SaslServer run() throws SaslException {
                        return Sasl.createSaslServer("GSSAPI", serviceName, hostName, (Map) null, saslServerCallbackHandler);
                    }
                });
            } catch (PrivilegedActionException e2) {
                throw new SaslException("Kafka Server failed to create a SaslServer to interact with a client during session authentication", e2.getCause());
            }
        } catch (IllegalArgumentException e3) {
            throw new KafkaException("Principal has name with unexpected format " + next);
        }
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public void authenticate() throws IOException {
        if (this.netOutBuffer == null || flushNetOutBufferAndUpdateInterestOps()) {
            if (this.saslServer.isComplete()) {
                this.transportLayer.removeInterestOps(4);
                return;
            }
            if (this.netInBuffer == null) {
                this.netInBuffer = new NetworkReceive(this.node);
            }
            this.netInBuffer.readFrom(this.transportLayer);
            if (this.netInBuffer.complete()) {
                this.netInBuffer.payload().rewind();
                byte[] bArr = new byte[this.netInBuffer.payload().remaining()];
                this.netInBuffer.payload().get(bArr, 0, bArr.length);
                this.netInBuffer = null;
                try {
                    byte[] evaluateResponse = this.saslServer.evaluateResponse(bArr);
                    if (evaluateResponse != null) {
                        this.netOutBuffer = new NetworkSend(this.node, ByteBuffer.wrap(evaluateResponse));
                        flushNetOutBufferAndUpdateInterestOps();
                    }
                } catch (Exception e) {
                    throw new IOException(e);
                }
            }
        }
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public Principal principal() {
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, this.saslServer.getAuthorizationID());
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public boolean complete() {
        return this.saslServer.isComplete();
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public void close() throws IOException {
        this.saslServer.dispose();
    }

    private boolean flushNetOutBufferAndUpdateInterestOps() throws IOException {
        boolean flushNetOutBuffer = flushNetOutBuffer();
        if (flushNetOutBuffer) {
            this.transportLayer.removeInterestOps(4);
        } else {
            this.transportLayer.addInterestOps(4);
        }
        return flushNetOutBuffer;
    }

    private boolean flushNetOutBuffer() throws IOException {
        if (!this.netOutBuffer.completed()) {
            this.netOutBuffer.writeTo(this.transportLayer);
        }
        return this.netOutBuffer.completed();
    }
}
