package org.apache.iotdb.rpc.sasl;

import java.nio.charset.StandardCharsets;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.iotdb.rpc.AutoScalingBufferReadTransport;
import org.apache.iotdb.rpc.AutoScalingBufferWriteTransport;
import org.apache.iotdb.rpc.RpcTransportFactory;
import org.apache.thrift.EncodingUtils;
import org.apache.thrift.TConfiguration;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.apache.thrift.transport.layered.TFramedTransport;
import org.apache.thrift.transport.sasl.NegotiationStatus;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/iotdb/rpc/sasl/TFastSaslTransport.class */
public abstract class TFastSaslTransport extends TTransport {
    private static final Logger LOGGER = LoggerFactory.getLogger(TFastSaslTransport.class);
    protected static final int STATUS_BYTES = 1;
    protected static final int PAYLOAD_LENGTH_BYTES = 4;
    protected TTransport underlyingTransport;
    private SaslParticipant sasl;
    private Subject loginSubject;
    private boolean shouldWrap;
    protected AutoScalingBufferReadTransport readBuffer;
    protected AutoScalingBufferWriteTransport writeBuffer;
    protected int thriftDefaultBufferSize;
    private int thriftMaxFrameSize;
    private final byte[] messageHeader;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/iotdb/rpc/sasl/TFastSaslTransport$SaslParticipant.class */
    public static class SaslParticipant {
        public SaslServer saslServer;
        public SaslClient saslClient;

        public SaslParticipant(SaslServer saslServer) {
            this.saslServer = saslServer;
        }

        public SaslParticipant(SaslClient saslClient) {
            this.saslClient = saslClient;
        }

        public byte[] evaluateChallengeOrResponse(byte[] bArr) throws SaslException {
            return this.saslClient != null ? this.saslClient.evaluateChallenge(bArr) : this.saslServer.evaluateResponse(bArr);
        }

        public boolean isComplete() {
            return this.saslClient != null ? this.saslClient.isComplete() : this.saslServer.isComplete();
        }

        public void dispose() throws SaslException {
            if (this.saslClient != null) {
                this.saslClient.dispose();
            } else {
                this.saslServer.dispose();
            }
        }

        public byte[] unwrap(byte[] bArr, int i, int i2) throws SaslException {
            return this.saslClient != null ? this.saslClient.unwrap(bArr, i, i2) : this.saslServer.unwrap(bArr, i, i2);
        }

        public byte[] wrap(byte[] bArr, int i, int i2) throws SaslException {
            return this.saslClient != null ? this.saslClient.wrap(bArr, i, i2) : this.saslServer.wrap(bArr, i, i2);
        }

        public Object getNegotiatedProperty(String str) {
            return this.saslClient != null ? this.saslClient.getNegotiatedProperty(str) : this.saslServer.getNegotiatedProperty(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/iotdb/rpc/sasl/TFastSaslTransport$SaslResponse.class */
    public static class SaslResponse {
        public NegotiationStatus status;
        public byte[] payload;

        public SaslResponse(NegotiationStatus negotiationStatus, byte[] bArr) {
            this.status = negotiationStatus;
            this.payload = bArr;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/iotdb/rpc/sasl/TFastSaslTransport$SaslRole.class */
    public enum SaslRole {
        SERVER,
        CLIENT
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public TFastSaslTransport(TTransport tTransport, int i, int i2) {
        this.shouldWrap = false;
        this.messageHeader = new byte[5];
        this.underlyingTransport = tTransport;
        this.thriftDefaultBufferSize = i;
        this.thriftMaxFrameSize = i2;
        this.readBuffer = new AutoScalingBufferReadTransport(i);
        this.writeBuffer = new AutoScalingBufferWriteTransport(i);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public TFastSaslTransport(SaslClient saslClient, Subject subject, TTransport tTransport, int i, int i2) {
        this.shouldWrap = false;
        this.messageHeader = new byte[5];
        this.sasl = new SaslParticipant(saslClient);
        this.loginSubject = subject;
        this.underlyingTransport = tTransport;
        this.thriftDefaultBufferSize = i;
        this.thriftMaxFrameSize = i2;
        this.readBuffer = new AutoScalingBufferReadTransport(i);
        this.writeBuffer = new AutoScalingBufferWriteTransport(i);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setSaslServer(SaslServer saslServer) {
        this.sasl = new SaslParticipant(saslServer);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void sendSaslMessage(NegotiationStatus negotiationStatus, byte[] bArr) throws TTransportException {
        if (bArr == null) {
            bArr = new byte[0];
        }
        this.messageHeader[0] = negotiationStatus.getValue();
        EncodingUtils.encodeBigEndian(bArr.length, this.messageHeader, STATUS_BYTES);
        LOGGER.debug("{}: Writing message with status {} and payload length {}", new Object[]{getRole(), negotiationStatus, Integer.valueOf(bArr.length)});
        this.underlyingTransport.write(this.messageHeader);
        this.underlyingTransport.write(bArr);
        this.underlyingTransport.flush();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public SaslResponse receiveSaslMessage() throws TTransportException {
        this.underlyingTransport.readAll(this.messageHeader, 0, this.messageHeader.length);
        byte b = this.messageHeader[0];
        NegotiationStatus byValue = NegotiationStatus.byValue(b);
        if (byValue == null) {
            throw sendAndThrowMessage(NegotiationStatus.ERROR, "Invalid status " + ((int) b));
        }
        int decodeBigEndian = EncodingUtils.decodeBigEndian(this.messageHeader, STATUS_BYTES);
        if (decodeBigEndian < 0 || decodeBigEndian > getConfiguration().getMaxMessageSize()) {
            throw sendAndThrowMessage(NegotiationStatus.ERROR, "Invalid payload header length: " + decodeBigEndian);
        }
        byte[] bArr = new byte[decodeBigEndian];
        this.underlyingTransport.readAll(bArr, 0, bArr.length);
        if (byValue == NegotiationStatus.BAD || byValue == NegotiationStatus.ERROR) {
            throw new TTransportException("Peer indicated failure: " + new String(bArr, StandardCharsets.UTF_8));
        }
        LOGGER.debug("{}: Received message with status {} and payload length {}", new Object[]{getRole(), byValue, Integer.valueOf(bArr.length)});
        return new SaslResponse(byValue, bArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public TTransportException sendAndThrowMessage(NegotiationStatus negotiationStatus, String str) throws TTransportException {
        try {
            sendSaslMessage(negotiationStatus, str.getBytes(StandardCharsets.UTF_8));
        } catch (Exception e) {
            LOGGER.warn("Could not send failure response", e);
            str = str + "\nAlso, could not send response: " + e.toString();
        }
        throw new TTransportException(str);
    }

    protected abstract void handleSaslStartMessage() throws TTransportException, SaslException;

    protected abstract SaslRole getRole();

    public void open() throws TTransportException {
        if (this.loginSubject == null) {
            try {
                this.loginSubject = KerberosLogin.loginSubjectFromKeytab(RpcTransportFactory.principal, RpcTransportFactory.keytab);
            } catch (LoginException e) {
                LOGGER.error("Failed to login. principal is {}, keytab is {}.", new Object[]{RpcTransportFactory.principal, RpcTransportFactory.keytab, e});
                throw new TTransportException("Failed to login.", e);
            }
        }
        try {
            Subject.doAs(this.loginSubject, new PrivilegedExceptionAction<Void>() { // from class: org.apache.iotdb.rpc.sasl.TFastSaslTransport.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws TTransportException {
                    try {
                        TFastSaslTransport.LOGGER.debug("Open sasl transport with the login credential");
                        TFastSaslTransport.this.openSasl();
                        return null;
                    } catch (Exception e2) {
                        TFastSaslTransport.LOGGER.error("Client failed to open SaslClientTransport to interact with a server during session initiation: ", e2);
                        throw new TTransportException("Client failed to open SaslClientTransport to interact with a server during session initiation:", e2);
                    }
                }
            });
        } catch (PrivilegedActionException e2) {
            throw new TTransportException("Client failed to open SaslClientTransport to interact with a server during session initiation:", e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void openSasl() throws TTransportException {
        LOGGER.debug("opening transport {}", this);
        if (this.sasl != null && this.sasl.isComplete()) {
            throw new TTransportException("SASL transport already open");
        }
        if (!this.underlyingTransport.isOpen()) {
            this.underlyingTransport.open();
        }
        try {
            handleSaslStartMessage();
            LOGGER.debug("{}: Start message handled", getRole());
            SaslResponse saslResponse = null;
            while (!this.sasl.isComplete()) {
                saslResponse = receiveSaslMessage();
                if (saslResponse.status != NegotiationStatus.COMPLETE && saslResponse.status != NegotiationStatus.OK) {
                    throw new TTransportException("Expected COMPLETE or OK, got " + saslResponse.status);
                }
                byte[] evaluateChallengeOrResponse = this.sasl.evaluateChallengeOrResponse(saslResponse.payload);
                if (saslResponse.status == NegotiationStatus.COMPLETE && getRole() == SaslRole.CLIENT) {
                    LOGGER.debug("{}: All done!", getRole());
                } else {
                    sendSaslMessage(this.sasl.isComplete() ? NegotiationStatus.COMPLETE : NegotiationStatus.OK, evaluateChallengeOrResponse);
                }
            }
            LOGGER.debug("{}: Main negotiation loop complete", getRole());
            if (getRole() == SaslRole.CLIENT && (saslResponse == null || saslResponse.status == NegotiationStatus.OK)) {
                LOGGER.debug("{}: SASL Client receiving last message", getRole());
                SaslResponse receiveSaslMessage = receiveSaslMessage();
                if (receiveSaslMessage.status != NegotiationStatus.COMPLETE) {
                    throw new TTransportException("Expected SASL COMPLETE, but got " + receiveSaslMessage.status);
                }
            }
            String str = (String) this.sasl.getNegotiatedProperty("javax.security.sasl.qop");
            if (str == null || str.equalsIgnoreCase("auth")) {
                return;
            }
            this.shouldWrap = true;
        } catch (TTransportException e) {
            if (0 == 0 && e.getType() == PAYLOAD_LENGTH_BYTES) {
                this.underlyingTransport.close();
                LOGGER.debug("No data or no sasl data in the stream during negotiation");
            }
            throw e;
        } catch (SaslException e2) {
            try {
                LOGGER.error("SASL negotiation failure", e2);
                throw sendAndThrowMessage(NegotiationStatus.BAD, e2.getMessage());
            } catch (Throwable th) {
                this.underlyingTransport.close();
                throw th;
            }
        }
    }

    public SaslClient getSaslClient() {
        return this.sasl.saslClient;
    }

    protected int readLength() throws TTransportException {
        byte[] bArr = new byte[PAYLOAD_LENGTH_BYTES];
        this.underlyingTransport.readAll(bArr, 0, bArr.length);
        return EncodingUtils.decodeBigEndian(bArr);
    }

    protected void writeLength(int i) throws TTransportException {
        byte[] bArr = new byte[PAYLOAD_LENGTH_BYTES];
        TFramedTransport.encodeFrameSize(i, bArr);
        this.underlyingTransport.write(bArr);
    }

    public void close() {
        this.underlyingTransport.close();
        try {
            this.sasl.dispose();
        } catch (SaslException e) {
            LOGGER.warn("Failed to dispose sasl participant.", e);
        }
    }

    public boolean isOpen() {
        return this.underlyingTransport.isOpen() && this.sasl != null && this.sasl.isComplete();
    }

    public int read(byte[] bArr, int i, int i2) throws TTransportException {
        if (!isOpen()) {
            throw new TTransportException("SASL authentication not complete");
        }
        int read = this.readBuffer.read(bArr, i, i2);
        if (read > 0) {
            return read;
        }
        try {
            readFrame();
            return this.readBuffer.read(bArr, i, i2);
        } catch (TTransportException e) {
            if (e.getType() == PAYLOAD_LENGTH_BYTES) {
                LOGGER.debug("No data or no sasl data in the stream during negotiation");
            }
            throw e;
        } catch (SaslException e2) {
            throw new TTransportException(e2);
        }
    }

    protected void readFrame() throws TTransportException, SaslException {
        int readLength = readLength();
        if (readLength < 0) {
            close();
            throw new TTransportException(5, "Read a negative frame size (" + readLength + ")!");
        }
        if (readLength > this.thriftMaxFrameSize) {
            close();
            throw new TTransportException(5, "Frame size (" + readLength + ") larger than protect max length (" + this.thriftMaxFrameSize + ")!");
        }
        this.readBuffer.fill(this.underlyingTransport, readLength);
        LOGGER.debug("{}: reading data length: {}", getRole(), Integer.valueOf(readLength));
        if (this.shouldWrap) {
            byte[] unwrap = this.sasl.unwrap(this.readBuffer.getBuffer(), 0, readLength);
            this.readBuffer.reset(unwrap);
            LOGGER.debug("data length after unwrap: {}", Integer.valueOf(unwrap.length));
        }
    }

    public void write(byte[] bArr, int i, int i2) throws TTransportException {
        if (!isOpen()) {
            throw new TTransportException("SASL authentication not complete");
        }
        this.writeBuffer.write(bArr, i, i2);
    }

    public void flush() throws TTransportException {
        int pos = this.writeBuffer.getPos();
        byte[] buffer = this.writeBuffer.getBuffer();
        if (this.shouldWrap) {
            LOGGER.debug("{} : data length before wrap: {}", getRole(), Integer.valueOf(pos));
            try {
                buffer = this.sasl.wrap(buffer, 0, pos);
                pos = buffer.length;
            } catch (SaslException e) {
                throw new TTransportException(e);
            }
        }
        LOGGER.debug("{} : writing data length: {}", getRole(), Integer.valueOf(pos));
        writeLength(pos);
        this.underlyingTransport.write(buffer, 0, pos);
        this.writeBuffer.reset();
        if (pos > this.thriftDefaultBufferSize) {
            this.writeBuffer.resizeIfNecessary(this.thriftDefaultBufferSize);
        }
        this.underlyingTransport.flush();
    }

    public TConfiguration getConfiguration() {
        return this.underlyingTransport.getConfiguration();
    }

    public void updateKnownMessageSize(long j) throws TTransportException {
        this.underlyingTransport.updateKnownMessageSize(j);
    }

    public void checkReadBytesAvailable(long j) throws TTransportException {
        this.underlyingTransport.checkReadBytesAvailable(j);
    }
}
