package org.apache.hadoop.hbase.security;

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.FilterInputStream;
import java.io.FilterOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import javax.security.sasl.SaslException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.io.crypto.aes.CryptoAES;
import org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProvider;
import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos;
import org.apache.hadoop.io.WritableUtils;
import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.security.SaslInputStream;
import org.apache.hadoop.security.SaslOutputStream;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hadoop/hbase/security/HBaseSaslRpcClient.class */
public class HBaseSaslRpcClient extends AbstractHBaseSaslRpcClient {
    private static final Logger LOG = LoggerFactory.getLogger(HBaseSaslRpcClient.class);
    private boolean cryptoAesEnable;
    private CryptoAES cryptoAES;
    private InputStream saslInputStream;
    private InputStream cryptoInputStream;
    private OutputStream saslOutputStream;
    private OutputStream cryptoOutputStream;
    private boolean initStreamForCrypto;

    /* loaded from: input_file:org/apache/hadoop/hbase/security/HBaseSaslRpcClient$WrappedInputStream.class */
    class WrappedInputStream extends FilterInputStream {
        private ByteBuffer unwrappedRpcBuffer;

        public WrappedInputStream(InputStream inputStream) throws IOException {
            super(inputStream);
            this.unwrappedRpcBuffer = ByteBuffer.allocate(0);
        }

        @Override // java.io.FilterInputStream, java.io.InputStream
        public int read() throws IOException {
            byte[] bArr = new byte[1];
            if (read(bArr, 0, 1) != -1) {
                return bArr[0];
            }
            return -1;
        }

        @Override // java.io.FilterInputStream, java.io.InputStream
        public int read(byte[] bArr) throws IOException {
            return read(bArr, 0, bArr.length);
        }

        @Override // java.io.FilterInputStream, java.io.InputStream
        public synchronized int read(byte[] bArr, int i, int i2) throws IOException {
            if (this.unwrappedRpcBuffer.remaining() == 0) {
                readNextRpcPacket();
            }
            int min = Math.min(i2, this.unwrappedRpcBuffer.remaining());
            this.unwrappedRpcBuffer.get(bArr, i, min);
            return min;
        }

        private void readNextRpcPacket() throws IOException {
            HBaseSaslRpcClient.LOG.debug("reading next wrapped RPC packet");
            DataInputStream dataInputStream = new DataInputStream(this.in);
            byte[] bArr = new byte[dataInputStream.readInt()];
            dataInputStream.readFully(bArr);
            byte[] unwrap = HBaseSaslRpcClient.this.cryptoAES.unwrap(bArr, 0, bArr.length);
            if (HBaseSaslRpcClient.LOG.isDebugEnabled()) {
                HBaseSaslRpcClient.LOG.debug("unwrapping token of length:" + unwrap.length);
            }
            this.unwrappedRpcBuffer = ByteBuffer.wrap(unwrap);
        }
    }

    /* loaded from: input_file:org/apache/hadoop/hbase/security/HBaseSaslRpcClient$WrappedOutputStream.class */
    class WrappedOutputStream extends FilterOutputStream {
        public WrappedOutputStream(OutputStream outputStream) throws IOException {
            super(outputStream);
        }

        @Override // java.io.FilterOutputStream, java.io.OutputStream
        public void write(byte[] bArr, int i, int i2) throws IOException {
            if (HBaseSaslRpcClient.LOG.isDebugEnabled()) {
                HBaseSaslRpcClient.LOG.debug("wrapping token of length:" + i2);
            }
            byte[] wrap = HBaseSaslRpcClient.this.cryptoAES.wrap(bArr, i, i2);
            DataOutputStream dataOutputStream = new DataOutputStream(this.out);
            dataOutputStream.writeInt(wrap.length);
            dataOutputStream.write(wrap, 0, wrap.length);
            dataOutputStream.flush();
        }
    }

    public HBaseSaslRpcClient(Configuration configuration, SaslClientAuthenticationProvider saslClientAuthenticationProvider, Token<? extends TokenIdentifier> token, InetAddress inetAddress, SecurityInfo securityInfo, boolean z) throws IOException {
        super(configuration, saslClientAuthenticationProvider, token, inetAddress, securityInfo, z);
    }

    public HBaseSaslRpcClient(Configuration configuration, SaslClientAuthenticationProvider saslClientAuthenticationProvider, Token<? extends TokenIdentifier> token, InetAddress inetAddress, SecurityInfo securityInfo, boolean z, String str, boolean z2) throws IOException {
        super(configuration, saslClientAuthenticationProvider, token, inetAddress, securityInfo, z, str);
        this.initStreamForCrypto = z2;
    }

    private static void readStatus(DataInputStream dataInputStream) throws IOException {
        if (dataInputStream.readInt() != SaslStatus.SUCCESS.state) {
            throw new RemoteException(WritableUtils.readString(dataInputStream), WritableUtils.readString(dataInputStream));
        }
    }

    public boolean saslConnect(InputStream inputStream, OutputStream outputStream) throws IOException {
        DataInputStream dataInputStream = new DataInputStream(new BufferedInputStream(inputStream));
        DataOutputStream dataOutputStream = new DataOutputStream(new BufferedOutputStream(outputStream));
        try {
            byte[] initialResponse = getInitialResponse();
            if (initialResponse != null) {
                dataOutputStream.writeInt(initialResponse.length);
                dataOutputStream.write(initialResponse, 0, initialResponse.length);
                dataOutputStream.flush();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Have sent token of size " + initialResponse.length + " from initSASLContext.");
                }
            }
            if (!isComplete()) {
                readStatus(dataInputStream);
                int readInt = dataInputStream.readInt();
                if (readInt == -88) {
                    if (!this.fallbackAllowed) {
                        throw new IOException("Server asks us to fall back to SIMPLE auth, but this client is configured to only allow secure connections.");
                    }
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Server asks us to fall back to simple auth.");
                    }
                    dispose();
                    return false;
                }
                initialResponse = new byte[readInt];
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Will read input token of size " + initialResponse.length + " for processing by initSASLContext");
                }
                dataInputStream.readFully(initialResponse);
            }
            while (!isComplete()) {
                initialResponse = evaluateChallenge(initialResponse);
                if (initialResponse != null) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Will send token of size " + initialResponse.length + " from initSASLContext.");
                    }
                    dataOutputStream.writeInt(initialResponse.length);
                    dataOutputStream.write(initialResponse, 0, initialResponse.length);
                    dataOutputStream.flush();
                }
                if (!isComplete()) {
                    readStatus(dataInputStream);
                    initialResponse = new byte[dataInputStream.readInt()];
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("Will read input token of size " + initialResponse.length + " for processing by initSASLContext");
                    }
                    dataInputStream.readFully(initialResponse);
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("SASL client context established. Negotiated QoP: " + this.saslClient.getNegotiatedProperty("javax.security.sasl.qop"));
            }
            this.saslInputStream = new SaslInputStream(inputStream, this.saslClient);
            this.saslOutputStream = new SaslOutputStream(outputStream, this.saslClient);
            if (!this.initStreamForCrypto) {
                return true;
            }
            this.cryptoInputStream = new WrappedInputStream(inputStream);
            this.cryptoOutputStream = new WrappedOutputStream(outputStream);
            return true;
        } catch (IOException e) {
            try {
                this.saslClient.dispose();
            } catch (SaslException e2) {
            }
            throw e;
        }
    }

    public String getSaslQOP() {
        return (String) this.saslClient.getNegotiatedProperty("javax.security.sasl.qop");
    }

    public void initCryptoCipher(RPCProtos.CryptoCipherMeta cryptoCipherMeta, Configuration configuration) throws IOException {
        this.cryptoAES = EncryptionUtil.createCryptoAES(cryptoCipherMeta, configuration);
        this.cryptoAesEnable = true;
    }

    public InputStream getInputStream() throws IOException {
        if (this.saslClient.isComplete()) {
            return (!this.cryptoAesEnable || this.cryptoInputStream == null) ? this.saslInputStream : this.cryptoInputStream;
        }
        throw new IOException("Sasl authentication exchange hasn't completed yet");
    }

    public OutputStream getOutputStream() throws IOException {
        if (this.saslClient.isComplete()) {
            return (!this.cryptoAesEnable || this.cryptoOutputStream == null) ? this.saslOutputStream : this.cryptoOutputStream;
        }
        throw new IOException("Sasl authentication exchange hasn't completed yet");
    }
}
