package org.apache.iotdb.rpc.sasl;

import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.AuthorizeCallback;
import org.apache.iotdb.rpc.RpcTransportFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/iotdb/rpc/sasl/KerberosLogin.class */
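/**
 * Static helpers for Kerberos (JAAS) keytab login and for the SASL authorization decision.
 *
 * <p>The class cannot be instantiated. It logs in through the JAAS entry named
 * {@code IoTDBServer}, taken from the installed JAAS {@link Configuration} when one defines that
 * entry, otherwise from a programmatic keytab configuration built from the caller's arguments.
 */
public class KerberosLogin {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosLogin.class);
    private static final String KERBEROS_LOGIN_MODULE_NAME = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String KEYTAB_KERBEROS_CONFIG_NAME = "IoTDBServer";

    /**
     * Callback handler that answers SASL {@link AuthorizeCallback}s.
     *
     * <p>Authorization is granted only when the authenticated identity and the requested
     * authorization identity are the same string, so one principal cannot act as another.
     */
    public static class KerberosSaslCallbackHandler implements CallbackHandler {
        public KerberosSaslCallbackHandler() {
            LOG.debug("KerberosSaslCallback: Creating KerberosSaslCallback handler.");
        }

        /**
         * Decides the authorization request carried by the given callbacks.
         *
         * <p>If several {@link AuthorizeCallback}s are supplied, only the last one is answered.
         *
         * @param callbackArr callbacks to process; each must be an {@link AuthorizeCallback}
         * @throws UnsupportedCallbackException if any callback is of another type
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            AuthorizeCallback authorizeCallback = null;
            for (Callback callback : callbackArr) {
                if (!(callback instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL GSSAPI Callback");
                }
                authorizeCallback = (AuthorizeCallback) callback;
            }
            if (authorizeCallback == null) {
                return;
            }
            String authenticationID = authorizeCallback.getAuthenticationID();
            String authorizationID = authorizeCallback.getAuthorizationID();
            // Fail closed: a missing authentication id is a denial, not a NullPointerException
            // thrown out of the SASL exchange.
            if (authenticationID == null || !authenticationID.equals(authorizationID)) {
                // Only the authenticated id is logged; the requested authorization id is
                // supplied by the peer and is kept out of the log line.
                LOG.warn(
                        "SASL authorization denied for authenticated id {}: requested authorization id differs.",
                        authenticationID);
                authorizeCallback.setAuthorized(false);
                return;
            }
            authorizeCallback.setAuthorized(true);
            String userFromPrincipal = getUserFromPrincipal(authorizationID);
            LOG.info("Effective user: {}", userFromPrincipal);
            authorizeCallback.setAuthorizedID(userFromPrincipal);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Programmatic JAAS configuration that logs in from a keytab with {@code Krb5LoginModule}.
     *
     * <p>Each instance owns its own option map. Sharing one static map between instances would
     * let a second instance overwrite the {@code principal} and {@code keyTab} options of the
     * first, so a login could run with another caller's credentials.
     */
    public static class LoginConfigurationKeytab extends Configuration {
        private final AppConfigurationEntry[] entries;

        /**
         * @param str the Kerberos principal to log in as
         * @param str2 path of the keytab holding that principal's keys
         */
        LoginConfigurationKeytab(String str, String str2) {
            Map<String, String> options = new HashMap<>();
            options.put("useKeyTab", "true");
            options.put("storeKey", "true");
            options.put("useTicketCache", "false");
            if (LOG.isDebugEnabled()) {
                // NOTE(review): this also turns on the login module's own debug output; confirm
                // where that output goes before enabling debug logging in production.
                options.put("debug", "true");
            }
            options.put("refreshKrb5Config", "true");
            options.put("keyTab", str2);
            options.put("principal", str);
            this.entries = new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                        KERBEROS_LOGIN_MODULE_NAME,
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options)
            };
        }

        /**
         * Returns the keytab login entry for the {@code IoTDBServer} application name.
         *
         * @param str the JAAS application name being looked up
         * @return a one-element array for {@code IoTDBServer}, otherwise an empty array
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            if (!KEYTAB_KERBEROS_CONFIG_NAME.equals(str)) {
                return new AppConfigurationEntry[0];
            }
            // Hand out a copy so callers cannot swap the entry held by this configuration.
            return entries.clone();
        }
    }

    private KerberosLogin() {
    }

    /**
     * Logs in from a keytab and returns the resulting subject after checking that it holds a
     * Kerberos ticket.
     *
     * @param str the Kerberos principal to log in as
     * @param str2 path of the keytab holding that principal's keys
     * @return the authenticated subject, which holds at least one {@link KerberosTicket}
     * @throws LoginException if either argument is {@code null}, the login fails, the subject
     *     is missing, or the subject holds no Kerberos ticket
     */
    public static Subject loginSubjectFromKeytab(String str, String str2) throws LoginException {
        LoginContext loginContext = loginFromKeytab(str, str2);
        if (loginContext == null) {
            // loginFromKeytab returns null for missing arguments; report that as a login
            // failure rather than dereferencing null.
            throw new LoginException("Principal and keytab must both be provided for keytab login");
        }
        Subject subject = loginContext.getSubject();
        if (subject == null) {
            throw new LoginException("Subject is null");
        }
        if (!subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
            return subject;
        }
        // NOTE(review): this logs the globally configured principal, not the str argument;
        // confirm the two are always the same.
        LOG.error("Failed to verify principal, which is {}, ticket is null.", RpcTransportFactory.principal);
        throw new LoginException("Failed to verify principal, ticket is null");
    }

    /**
     * Performs a JAAS login for the {@code IoTDBServer} entry.
     *
     * <p>When the installed JAAS configuration already defines {@code IoTDBServer}, that entry
     * is used and the principal and keytab passed here do not select the credentials.
     *
     * @param str the Kerberos principal to log in as
     * @param str2 path of the keytab holding that principal's keys
     * @return the logged-in context, or {@code null} if either argument is {@code null}
     * @throws LoginException if the login fails
     */
    public static LoginContext loginFromKeytab(String str, String str2) throws LoginException {
        if (null == str || null == str2) {
            return null;
        }
        Configuration configuration = Configuration.getConfiguration();
        AppConfigurationEntry[] installed = configuration.getAppConfigurationEntry(KEYTAB_KERBEROS_CONFIG_NAME);
        // An empty array is treated like null: a login with no modules cannot succeed.
        if (installed == null || installed.length == 0) {
            LOG.info("The jaas file does not exist, start create configuration.");
            configuration = new LoginConfigurationKeytab(str, str2);
        }
        // The previous debug text described a JWT/password failure, which does not happen here
        // and would mislead anyone reading the authentication log.
        LOG.debug("Starting Kerberos keytab login with JAAS entry {}.", KEYTAB_KERBEROS_CONFIG_NAME);
        return doLogin(KEYTAB_KERBEROS_CONFIG_NAME, new KerberosSaslCallbackHandler(), configuration);
    }

    /** Creates a {@link LoginContext} over a fresh {@link Subject} and logs it in. */
    private static LoginContext doLogin(String str, CallbackHandler callbackHandler, Configuration configuration) throws LoginException {
        LoginContext loginContext = new LoginContext(str, new Subject(), callbackHandler, configuration);
        loginContext.login();
        return loginContext;
    }

    /**
     * Splits a Kerberos name on every {@code /} and {@code @}.
     *
     * @param str the name to split; must not be {@code null}
     * @return the parts between the separators
     */
    public static String[] splitKerberosName(String str) {
        return str.split("[/@]");
    }

    /**
     * Returns the part of a principal name before its first {@code /}, or before its first
     * {@code @} when it contains no {@code /}, or the whole string when it contains neither.
     *
     * <p>NOTE(review): the instance and realm parts are dropped, so the same short name under
     * two different realms yields the same user; confirm that only one realm is trusted.
     *
     * @param str the principal name; must not be {@code null}
     * @return the leading user component
     */
    public static String getUserFromPrincipal(String str) {
        int indexOf = str.indexOf("/");
        if (indexOf == -1) {
            indexOf = str.indexOf("@");
        }
        return indexOf > -1 ? str.substring(0, indexOf) : str;
    }
}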
