package io.lettuce.core.auth.kerberos;

import io.lettuce.core.auth.AuthenticatedClientOptions;
import io.lettuce.core.auth.AuthenticationClient;
import io.lettuce.core.auth.RedisAuthException;
import io.lettuce.core.auth.handshake.SaslHandshakeHandler;
import io.lettuce.core.command.AuthCommandBuilder;
import io.lettuce.core.protocol.AsyncCommand;
import io.netty.channel.Channel;
import java.security.Principal;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/lettuce/core/auth/kerberos/KerberosAuthenticationClient.class */
public class KerberosAuthenticationClient implements AuthenticationClient {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthenticationClient.class);
    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
    private static final String AUTH_HANDSHAKE_SUCCESS_RESPONSE = "authok";
    private final AuthenticatedClientOptions authOptions;
    private final SaslHandshakeHandler handshakeHandler;
    private Subject subject;
    private SaslClient saslClient;

    public KerberosAuthenticationClient(AuthenticatedClientOptions authenticatedClientOptions) {
        this.authOptions = authenticatedClientOptions;
        initSubject();
        initSaslClient();
        this.handshakeHandler = new SaslHandshakeHandler(this.saslClient);
    }

    @Override // io.lettuce.core.auth.AuthenticationClient
    public CompletionStage<Void> authenticateAsync(Channel channel) {
        return CompletableFuture.runAsync(() -> {
            runAuthHandshake(channel);
        });
    }

    private void initSubject() {
        try {
            LoginContext loginContext = new LoginContext(this.authOptions.getLoginContextName(), (Subject) null, (CallbackHandler) null, Configuration.getConfiguration());
            loginContext.login();
            this.subject = loginContext.getSubject();
            LOG.info("Kerberos authentication success");
        } catch (LoginException e) {
            raiseAuthError("Error during Kerberos authentication", e);
        }
    }

    private void initSaslClient() {
        Principal clientPrincipal = getClientPrincipal();
        try {
            if (this.authOptions.useNativeJgss()) {
                addGssPrivateCredentials(clientPrincipal);
            }
            KerberosName serviceKerberosName = this.authOptions.getServiceKerberosName();
            this.saslClient = (SaslClient) Subject.doAs(this.subject, () -> {
                return Sasl.createSaslClient(new String[]{"GSSAPI"}, clientPrincipal.getName(), serviceKerberosName.getServiceName(), serviceKerberosName.getHostName(), (Map) null, (CallbackHandler) null);
            });
            LOG.info("SASL Client init success for {}", clientPrincipal.getName());
        } catch (Exception e) {
            raiseAuthError("Error initializing SASL Client", e);
        }
    }

    private void runAuthHandshake(Channel channel) {
        byte[] bArr = null;
        while (!isAuthenticated(bArr)) {
            try {
                bArr = authext(channel, this.handshakeHandler.evaluateChallenge(this.subject, bArr));
            } catch (Exception e) {
                raiseAuthError("Error during server authentication handshake", e);
                return;
            }
        }
    }

    private byte[] authext(Channel channel, byte[] bArr) throws ExecutionException, InterruptedException {
        AsyncCommand<String, String, byte[]> authextAsync = AuthCommandBuilder.authextAsync(bArr);
        channel.writeAndFlush(authextAsync);
        return (byte[]) Optional.ofNullable((byte[]) authextAsync.get()).orElseGet(() -> {
            return new byte[0];
        });
    }

    private boolean isAuthenticated(byte[] bArr) {
        Optional map = Optional.ofNullable(bArr).map(String::new);
        String str = AUTH_HANDSHAKE_SUCCESS_RESPONSE;
        return map.filter((v1) -> {
            return r1.equals(v1);
        }).isPresent();
    }

    private void addGssPrivateCredentials(Principal principal) {
        try {
            this.subject.getPrivateCredentials().add(GSSManager.getInstance().createCredential((GSSName) null, 0, new Oid(KERBEROS_OID), 1));
            LOG.info("Added private GSS credential , principal name:" + principal + "\n");
        } catch (GSSException e) {
            LOG.error("Error adding GSS creds to subject", e);
        }
    }

    private void raiseAuthError(String str, Exception exc) {
        LOG.error(str, exc);
        throw new RedisAuthException(str, exc);
    }

    private Principal getClientPrincipal() {
        return this.subject.getPrincipals().stream().findFirst().orElseThrow(() -> {
            return new IllegalArgumentException("Principal not found");
        });
    }
}
