package com.hazelcast.client.impl.protocol.task;

import com.hazelcast.client.impl.protocol.AuthenticationStatus;
import com.hazelcast.client.impl.protocol.ClientMessage;
import com.hazelcast.cluster.Address;
import com.hazelcast.config.WanBatchPublisherConfig;
import com.hazelcast.core.HazelcastInstanceNotActiveException;
import com.hazelcast.instance.impl.Node;
import com.hazelcast.internal.nio.Connection;
import com.hazelcast.map.impl.MapDataSerializerHook;
import com.hazelcast.security.Credentials;
import com.hazelcast.security.PasswordCredentials;
import com.hazelcast.security.SecurityContext;
import com.hazelcast.security.SimpleTokenCredentials;
import com.hazelcast.security.UsernamePasswordCredentials;
import io.hetu.core.security.authentication.AuthenticationBaseMessageTaskAspect;
import io.hetu.core.security.authentication.kerberos.KerberosAuthenticator;
import io.hetu.core.security.authentication.kerberos.KerberosException;
import io.hetu.core.security.authentication.kerberos.KerberosSecurityContext;
import io.hetu.core.security.authentication.kerberos.KerberosTokenCredentials;
import java.lang.reflect.Field;
import java.security.Permission;
import java.util.Set;
import java.util.UUID;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.runtime.reflect.Factory;
import org.ietf.jgss.GSSException;

/* loaded from: input_file:com/hazelcast/client/impl/protocol/task/AuthenticationBaseMessageTask.class */
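/**
 * Base task that handles a client authentication request on a member.
 *
 * <p>This listing is decompiler output of an AspectJ-woven class. The call to
 * {@link #authenticate(SecurityContext)} is routed through advice inlined from
 * {@code AuthenticationBaseMessageTaskAspect}
 * ({@link #authenticate_aroundBody1$advice}). That advice validates a Kerberos token and
 * never proceeds to the original JAAS login body ({@link #authenticate_aroundBody0}).
 *
 * <p>Security-relevant behavior visible in this class:
 * <ul>
 *   <li>An endpoint that already reports {@code isAuthenticated()} is accepted without
 *       re-checking credentials.</li>
 *   <li>With no {@link SecurityContext} configured, only the cluster name is verified, and
 *       only for {@link UsernamePasswordCredentials} whose name and password are both null.</li>
 *   <li>With a {@link SecurityContext} configured, the Kerberos advice decides the outcome.</li>
 * </ul>
 *
 * @param <P> decoded request parameter type, passed through to {@link AbstractMessageTask}
 */
public abstract class AuthenticationBaseMessageTask<P> extends AbstractMessageTask<P> implements BlockingMessageTask, UrgentMessageTask {
    // Request fields. They are read here but never assigned in this class;
    // presumably subclasses fill them in while decoding the client message - TODO confirm.
    protected transient UUID clientUuid;
    protected transient String clusterName;
    protected transient String clientName;
    protected transient Set<String> labels;
    // Client-supplied credentials: untrusted input until one of the authenticate paths accepts them.
    protected transient Credentials credentials;
    transient byte clientSerializationVersion;
    transient String clientVersion;
    // AspectJ static join-point descriptor for authenticate(SecurityContext); set in ajc$preClinit().
    private static /* synthetic */ JoinPoint.StaticPart ajc$tjp_0;

    /**
     * Creates the task for one incoming authentication message.
     *
     * <p>JADX INFO: Access modifiers changed from: package-private.
     *
     * @param clientMessage the raw client request
     * @param node          the member node handling the request
     * @param connection    the connection the request arrived on
     */
    public AuthenticationBaseMessageTask(ClientMessage clientMessage, Node node, Connection connection) {
        super(clientMessage, node, connection);
    }

    /**
     * @return always {@code -1}; presumably marks the task as not bound to a partition - TODO confirm
     */
    @Override // com.hazelcast.spi.impl.PartitionSpecificRunnable
    public int getPartitionId() {
        return -1;
    }

    /**
     * @return always {@code false}: this task is the one that performs authentication
     */
    @Override // com.hazelcast.client.impl.protocol.task.AbstractMessageTask
    protected boolean requiresAuthentication() {
        return false;
    }

    /**
     * @return always {@code true}
     */
    @Override // com.hazelcast.client.impl.protocol.task.AbstractMessageTask
    protected boolean acceptOnIncompleteStart() {
        return true;
    }

    /**
     * @return always {@code false}; node start is validated explicitly in
     *         {@link #prepareAuthenticatedClientMessage()} instead
     */
    @Override // com.hazelcast.client.impl.protocol.task.AbstractMessageTask
    protected boolean validateNodeStartBeforeDecode() {
        return false;
    }

    /**
     * Authenticates the client and sends the response message matching the outcome.
     *
     * @throws IllegalStateException if {@link #authenticate()} returns a status not handled below
     */
    @Override // com.hazelcast.client.impl.protocol.task.AbstractMessageTask
    public void processMessage() {
        switch (authenticate()) {
            case SERIALIZATION_VERSION_MISMATCH:
                sendClientMessage(prepareSerializationVersionMismatchClientMessage());
                return;
            case NOT_ALLOWED_IN_CLUSTER:
                sendClientMessage(prepareNotAllowedInCluster());
                return;
            case CREDENTIALS_FAILED:
                sendClientMessage(prepareUnauthenticatedClientMessage());
                return;
            case AUTHENTICATED:
                if (this.logger.isFineEnabled()) {
                    this.logger.fine("Processing authentication with clientUuid " + this.clientUuid);
                }
                sendClientMessage(prepareAuthenticatedClientMessage());
                return;
            default:
                throw new IllegalStateException("Unhandled authentication result");
        }
    }

    /**
     * Decides the authentication status for the current request.
     *
     * <p>Checks run in this order: already-authenticated endpoint, serialization version,
     * presence of credentials, configured security context, and finally the
     * security-disabled fallback that verifies only the cluster name.
     *
     * @return the resulting {@link AuthenticationStatus}
     */
    private AuthenticationStatus authenticate() {
        // An endpoint already marked authenticated skips every check below,
        // including re-validation of the credentials carried by this request.
        if (this.endpoint.isAuthenticated()) {
            return AuthenticationStatus.AUTHENTICATED;
        }
        if (this.clientSerializationVersion != this.serializationService.getVersion()) {
            return AuthenticationStatus.SERIALIZATION_VERSION_MISMATCH;
        }
        if (this.credentials == null) {
            this.logger.severe("Could not retrieve Credentials object!");
            return AuthenticationStatus.CREDENTIALS_FAILED;
        }
        if (this.clientEngine.getSecurityContext() != null) {
            return authenticate(this.clientEngine.getSecurityContext());
        }
        // Security disabled: no secret is checked, only the cluster name (see the helper below).
        if (this.credentials instanceof UsernamePasswordCredentials) {
            return verifyEmptyCredentialsAndClusterName((PasswordCredentials) this.credentials);
        }
        this.logger.severe("Hazelcast security is disabled.\nNull username and password values are expected.\nOnly the cluster name is verified in this case!\nCurrent credentials type is: " + this.credentials.getClass().getName());
        return AuthenticationStatus.CREDENTIALS_FAILED;
    }

    /**
     * Woven entry point: builds the join point and delegates to the inlined around advice.
     * The original method body lives in {@link #authenticate_aroundBody0} and is not called
     * from here.
     *
     * @param securityContext the member's configured security context
     * @return the status decided by the advice
     */
    private AuthenticationStatus authenticate(SecurityContext securityContext) {
        ProceedingJoinPoint makeJP = Factory.makeJP(ajc$tjp_0, this, this, securityContext);
        return authenticate_aroundBody1$advice(this, securityContext, makeJP, AuthenticationBaseMessageTaskAspect.aspectOf(), makeJP, securityContext);
    }

    /**
     * Security-disabled path: accepts the client only when it sent neither a name nor a
     * password and its cluster name equals the member's configured cluster name.
     *
     * @param passwordCredentials the client's username/password credentials
     * @return {@code AUTHENTICATED} on a cluster-name match, otherwise {@code CREDENTIALS_FAILED}
     */
    private AuthenticationStatus verifyEmptyCredentialsAndClusterName(PasswordCredentials passwordCredentials) {
        if (passwordCredentials.getName() == null && passwordCredentials.getPassword() == null) {
            return this.nodeEngine.getConfig().getClusterName().equals(this.clusterName) ? AuthenticationStatus.AUTHENTICATED : AuthenticationStatus.CREDENTIALS_FAILED;
        }
        this.logger.warning("Received auth from " + this.connection + " with clientUuid " + this.clientUuid + ",  authentication rejected because security is disabled on the member, and client sends not-null username or password.");
        return AuthenticationStatus.CREDENTIALS_FAILED;
    }

    /**
     * Logs the failed attempt and builds the {@code CREDENTIALS_FAILED} response.
     * No member address or member UUID is included in the response.
     */
    private ClientMessage prepareUnauthenticatedClientMessage() {
        boolean isClientFailoverSupported = this.nodeEngine.getNode().getNodeExtension().isClientFailoverSupported();
        this.logger.warning("Received auth from " + this.endpoint.getConnection() + " with clientUuid " + this.clientUuid + ", authentication failed");
        return encodeAuth(AuthenticationStatus.CREDENTIALS_FAILED.getId(), null, null, this.serializationService.getVersion(), this.clientEngine.getPartitionService().getPartitionCount(), this.clientEngine.getClusterService().getClusterId(), isClientFailoverSupported);
    }

    /**
     * Builds the {@code NOT_ALLOWED_IN_CLUSTER} response. Unlike the credentials-failed
     * path, nothing is logged here.
     */
    private ClientMessage prepareNotAllowedInCluster() {
        return encodeAuth(AuthenticationStatus.NOT_ALLOWED_IN_CLUSTER.getId(), null, null, this.serializationService.getVersion(), this.clientEngine.getPartitionService().getPartitionCount(), this.clientEngine.getClusterService().getClusterId(), this.nodeEngine.getNode().getNodeExtension().isClientFailoverSupported());
    }

    /**
     * Builds the {@code SERIALIZATION_VERSION_MISMATCH} response, which carries the member's
     * own serialization version.
     */
    private ClientMessage prepareSerializationVersionMismatchClientMessage() {
        return encodeAuth(AuthenticationStatus.SERIALIZATION_VERSION_MISMATCH.getId(), null, null, this.serializationService.getVersion(), this.clientEngine.getPartitionService().getPartitionCount(), this.clientEngine.getClusterService().getClusterId(), this.nodeEngine.getNode().getNodeExtension().isClientFailoverSupported());
    }

    /**
     * Marks the endpoint as authenticated, binds it to the client engine and builds the
     * success response carrying this member's address and UUID.
     *
     * @return the {@code AUTHENTICATED} response, or the {@code NOT_ALLOWED_IN_CLUSTER}
     *         response when {@code clientEngine.bind} refuses the endpoint
     * @throws HazelcastInstanceNotActiveException if the cluster id is not available yet
     */
    private ClientMessage prepareAuthenticatedClientMessage() {
        Connection connection = this.endpoint.getConnection();
        // NOTE(review): the endpoint is marked authenticated before the cluster-id check and
        // before bind() can refuse it, and authenticate() short-circuits on isAuthenticated().
        // Confirm that a refused bind or the exception below also tears the endpoint down.
        this.endpoint.authenticated(this.clientUuid, this.credentials, this.clientVersion, this.clientMessage.getCorrelationId(), this.clientName, this.labels);
        setConnectionType();
        validateNodeStart();
        UUID clusterId = this.clientEngine.getClusterService().getClusterId();
        if (clusterId == null) {
            throw new HazelcastInstanceNotActiveException("Hazelcast instance is not ready yet!");
        }
        if (!this.clientEngine.bind(this.endpoint)) {
            return prepareNotAllowedInCluster();
        }
        this.logger.info("Received auth from " + connection + ", successfully authenticated, clientUuid: " + this.clientUuid + ", client version: " + this.clientVersion);
        return encodeAuth(AuthenticationStatus.AUTHENTICATED.getId(), this.clientEngine.getThisAddress(), this.clientEngine.getClusterService().getLocalMember().getUuid(), this.serializationService.getVersion(), this.clientEngine.getPartitionService().getPartitionCount(), clusterId, this.nodeEngine.getNode().getNodeExtension().isClientFailoverSupported());
    }

    /** Tags the connection with the client type reported by the subclass. */
    private void setConnectionType() {
        this.connection.setConnectionType(getClientType());
    }

    /**
     * Encodes the authentication response. Parameter names were lost in decompilation; the
     * call sites in this class pass, in order: status id, member address, member UUID,
     * serialization version, partition count, cluster id, client-failover-supported flag.
     */
    protected abstract ClientMessage encodeAuth(byte b, Address address, UUID uuid, byte b2, int i, UUID uuid2, boolean z);

    /** @return the client type string used to tag the connection */
    protected abstract String getClientType();

    /**
     * @return always {@code null}: this task declares no required permission
     */
    @Override // com.hazelcast.client.impl.client.SecureRequest
    public Permission getRequiredPermission() {
        return null;
    }

    static {
        ajc$preClinit();
    }

    /**
     * Original (pre-weaving) body of {@code authenticate(SecurityContext)}: a JAAS login
     * whose {@link LoginContext} is stored on the endpoint on success.
     *
     * <p>Nothing in this class calls this method; the advice below replaces it.
     *
     * @return {@code AUTHENTICATED} when the login succeeds, {@code CREDENTIALS_FAILED} on
     *         {@link LoginException}
     */
    private static final /* synthetic */ AuthenticationStatus authenticate_aroundBody0(AuthenticationBaseMessageTask authenticationBaseMessageTask, SecurityContext securityContext, JoinPoint joinPoint) {
        try {
            LoginContext createClientLoginContext = securityContext.createClientLoginContext(authenticationBaseMessageTask.clusterName, authenticationBaseMessageTask.credentials, authenticationBaseMessageTask.endpoint.getConnection());
            createClientLoginContext.login();
            authenticationBaseMessageTask.endpoint.setLoginContext(createClientLoginContext);
            return AuthenticationStatus.AUTHENTICATED;
        } catch (LoginException e) {
            authenticationBaseMessageTask.logger.warning(e);
            return AuthenticationStatus.CREDENTIALS_FAILED;
        }
    }

    /**
     * Inlined around advice: authenticates the client by validating a Kerberos token.
     *
     * <p>The token is taken from the task's {@code credentials} field, passed to the
     * {@link KerberosAuthenticator}, and the authenticated name is compared with the
     * authenticator's own principal name. The advice never proceeds to
     * {@link #authenticate_aroundBody0}, so on this path no JAAS login runs and no
     * {@link LoginContext} is set on the endpoint.
     *
     * <p>Changes relative to the decompiled original: the accessibility reset is a real
     * {@code finally} block (the decompiler had rendered it as dead {@code if (0 != 0)}
     * branches), credentials that are not {@link SimpleTokenCredentials} are rejected
     * instead of failing with a {@code ClassCastException}, Kerberos failures are logged
     * instead of silently swallowed, and the reflection failure keeps its cause.
     *
     * @return {@code AUTHENTICATED} when the token's principal equals the member's principal,
     *         {@code NOT_ALLOWED_IN_CLUSTER} when it differs, {@code CREDENTIALS_FAILED} when
     *         the credentials are not token credentials or token validation throws
     * @throws RuntimeException if the {@code credentials} field cannot be read reflectively
     */
    private static final /* synthetic */ AuthenticationStatus authenticate_aroundBody1$advice(AuthenticationBaseMessageTask authenticationBaseMessageTask, SecurityContext securityContext, JoinPoint joinPoint, AuthenticationBaseMessageTaskAspect authenticationBaseMessageTaskAspect, ProceedingJoinPoint proceedingJoinPoint, SecurityContext securityContext2) {
        Field credentialsField = null;
        try {
            Object target = proceedingJoinPoint.getTarget();
            // NOTE(review): this lookup only finds the field when the concrete task class
            // directly extends the class declaring "credentials"; a deeper subclass ends up
            // in the NoSuchFieldException branch below.
            credentialsField = target.getClass().getSuperclass().getDeclaredField("credentials");
            credentialsField.setAccessible(true);
            Credentials credentials = (Credentials) credentialsField.get(target);
            // The credentials type is chosen by the client, so check it before casting and
            // fail closed on anything that is not a token.
            if (!(credentials instanceof SimpleTokenCredentials)) {
                authenticationBaseMessageTask.logger.warning("Received auth from " + authenticationBaseMessageTask.endpoint.getConnection() + " with clientUuid " + authenticationBaseMessageTask.clientUuid + ", rejected because Kerberos authentication expects token credentials");
                return AuthenticationStatus.CREDENTIALS_FAILED;
            }
            // The security context comes from member configuration, not from the client; a
            // non-Kerberos context still surfaces as a ClassCastException, as in the original.
            KerberosAuthenticator kerberosAuthenticator = ((KerberosSecurityContext) securityContext2).getKerberosAuthenticator();
            String authenticatedName = kerberosAuthenticator.doAuthenticateFilter(new KerberosTokenCredentials(((SimpleTokenCredentials) credentials).getToken())).getName();
            if (kerberosAuthenticator.getPrincipalFullName().equals(authenticatedName)) {
                return AuthenticationStatus.AUTHENTICATED;
            }
            return AuthenticationStatus.NOT_ALLOWED_IN_CLUSTER;
        } catch (KerberosException | GSSException e) {
            // Record why the token was rejected; the token itself is never logged.
            authenticationBaseMessageTask.logger.warning("Received auth from " + authenticationBaseMessageTask.endpoint.getConnection() + " with clientUuid " + authenticationBaseMessageTask.clientUuid + ", Kerberos token validation failed", e);
            return AuthenticationStatus.CREDENTIALS_FAILED;
        } catch (IllegalAccessException | NoSuchFieldException e) {
            throw new RuntimeException(String.format("Cann't get class[%s] field.", proceedingJoinPoint.getTarget().getClass().getSuperclass().getName()), e);
        } finally {
            // Restore the accessibility flag on every exit path.
            if (credentialsField != null) {
                credentialsField.setAccessible(false);
            }
        }
    }

    /**
     * AspectJ-generated initializer for {@link #ajc$tjp_0}, the static join-point descriptor
     * of {@code authenticate(SecurityContext)}.
     *
     * <p>NOTE(review): {@code WanBatchPublisherConfig.DEFAULT_TARGET_ENDPOINTS} and
     * {@code MapDataSerializerHook.FETCH_WITH_QUERY} look like decompiler substitutions for
     * plain literals that happen to equal those constants - TODO confirm against the bytecode.
     */
    private static /* synthetic */ void ajc$preClinit() {
        Factory factory = new Factory("AuthenticationBaseMessageTask.java", AuthenticationBaseMessageTask.class);
        ajc$tjp_0 = factory.makeSJP("method-execution", factory.makeMethodSig("2", "authenticate", "com.hazelcast.client.impl.protocol.task.AuthenticationBaseMessageTask", "com.hazelcast.security.SecurityContext", "securityContext", WanBatchPublisherConfig.DEFAULT_TARGET_ENDPOINTS, "com.hazelcast.client.impl.protocol.AuthenticationStatus"), MapDataSerializerHook.FETCH_WITH_QUERY);
    }
}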
