package org.apache.flink.hbase.shaded.org.apache.hadoop.hbase.security;

import java.io.IOException;
import java.net.InetAddress;
import java.security.PrivilegedExceptionAction;
import org.apache.flink.hbase.shaded.org.apache.hadoop.hbase.exceptions.ConnectionClosedException;
import org.apache.flink.hbase.shaded.org.apache.hadoop.hbase.ipc.FallbackDisallowedException;
import org.apache.flink.hbase.shaded.org.apache.hadoop.hbase.security.SaslUtil;
import org.apache.flink.hbase.shaded.org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProvider;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hbase.thirdparty.io.netty.buffer.ByteBuf;
import org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerContext;
import org.apache.hbase.thirdparty.io.netty.channel.SimpleChannelInboundHandler;
import org.apache.hbase.thirdparty.io.netty.util.concurrent.Promise;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/flink/hbase/shaded/org/apache/hadoop/hbase/security/NettyHBaseSaslRpcClientHandler.class */
public class NettyHBaseSaslRpcClientHandler extends SimpleChannelInboundHandler<ByteBuf> {
    private static final Logger LOG;
    private final Promise<Boolean> saslPromise;
    private final UserGroupInformation ugi;
    private final NettyHBaseSaslRpcClient saslRpcClient;
    private final Configuration conf;
    private final SaslClientAuthenticationProvider provider;
    private boolean needProcessConnectionHeader = false;
    static final /* synthetic */ boolean $assertionsDisabled;

    public NettyHBaseSaslRpcClientHandler(Promise<Boolean> promise, UserGroupInformation userGroupInformation, SaslClientAuthenticationProvider saslClientAuthenticationProvider, Token<? extends TokenIdentifier> token, InetAddress inetAddress, SecurityInfo securityInfo, boolean z, Configuration configuration) throws IOException {
        this.saslPromise = promise;
        this.ugi = userGroupInformation;
        this.conf = configuration;
        this.provider = saslClientAuthenticationProvider;
        this.saslRpcClient = new NettyHBaseSaslRpcClient(configuration, saslClientAuthenticationProvider, token, inetAddress, securityInfo, z, configuration.get("hbase.rpc.protection", SaslUtil.QualityOfProtection.AUTHENTICATION.name().toLowerCase()));
    }

    private void writeResponse(ChannelHandlerContext channelHandlerContext, byte[] bArr) {
        LOG.trace("Sending token size={} from initSASLContext.", Integer.valueOf(bArr.length));
        channelHandlerContext.writeAndFlush(channelHandlerContext.alloc().buffer(4 + bArr.length).writeInt(bArr.length).writeBytes(bArr));
    }

    private void tryComplete(ChannelHandlerContext channelHandlerContext) {
        if (this.saslRpcClient.isComplete()) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("SASL negotiation for {} is complete", this.provider.getSaslAuthMethod().getName());
            }
            this.saslRpcClient.setupSaslHandler(channelHandlerContext.pipeline());
            setCryptoAESOption();
            this.saslPromise.setSuccess(true);
        }
    }

    private void setCryptoAESOption() {
        this.needProcessConnectionHeader = SaslUtil.QualityOfProtection.PRIVACY.getSaslQop().equalsIgnoreCase(this.saslRpcClient.getSaslQOP()) && this.conf.getBoolean("hbase.rpc.crypto.encryption.aes.enabled", false);
    }

    public boolean isNeedProcessConnectionHeader() {
        return this.needProcessConnectionHeader;
    }

    @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelHandler
    public void handlerAdded(ChannelHandlerContext channelHandlerContext) {
        try {
            byte[] bArr = (byte[]) this.ugi.doAs(new PrivilegedExceptionAction<byte[]>() { // from class: org.apache.flink.hbase.shaded.org.apache.hadoop.hbase.security.NettyHBaseSaslRpcClientHandler.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public byte[] run() throws Exception {
                    return NettyHBaseSaslRpcClientHandler.this.saslRpcClient.getInitialResponse();
                }
            });
            if (!$assertionsDisabled && bArr == null) {
                throw new AssertionError();
            }
            writeResponse(channelHandlerContext, bArr);
            tryComplete(channelHandlerContext);
        } catch (Exception e) {
            exceptionCaught(channelHandlerContext, e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.hbase.thirdparty.io.netty.channel.SimpleChannelInboundHandler
    public void channelRead0(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws Exception {
        int readInt = byteBuf.readInt();
        if (readInt == -88) {
            this.saslRpcClient.dispose();
            if (this.saslRpcClient.fallbackAllowed) {
                this.saslPromise.trySuccess(false);
                return;
            } else {
                this.saslPromise.tryFailure(new FallbackDisallowedException());
                return;
            }
        }
        LOG.trace("Reading input token size={} for processing by initSASLContext", Integer.valueOf(readInt));
        final byte[] bArr = new byte[readInt];
        byteBuf.readBytes(bArr);
        byte[] bArr2 = (byte[]) this.ugi.doAs(new PrivilegedExceptionAction<byte[]>() { // from class: org.apache.flink.hbase.shaded.org.apache.hadoop.hbase.security.NettyHBaseSaslRpcClientHandler.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public byte[] run() throws Exception {
                return NettyHBaseSaslRpcClientHandler.this.saslRpcClient.evaluateChallenge(bArr);
            }
        });
        if (bArr2 != null) {
            writeResponse(channelHandlerContext, bArr2);
        } else {
            LOG.trace("SASL challenge response was empty, not sending response to server.");
        }
        tryComplete(channelHandlerContext);
    }

    @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandler
    public void channelInactive(ChannelHandlerContext channelHandlerContext) throws Exception {
        this.saslRpcClient.dispose();
        this.saslPromise.tryFailure(new ConnectionClosedException("Connection closed"));
        channelHandlerContext.fireChannelInactive();
    }

    @Override // org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelHandlerAdapter, org.apache.hbase.thirdparty.io.netty.channel.ChannelHandler, org.apache.hbase.thirdparty.io.netty.channel.ChannelInboundHandler
    public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) {
        this.saslRpcClient.dispose();
        this.saslPromise.tryFailure(th);
    }

    static {
        $assertionsDisabled = !NettyHBaseSaslRpcClientHandler.class.desiredAssertionStatus();
        LOG = LoggerFactory.getLogger(NettyHBaseSaslRpcClientHandler.class);
    }
}
