package io.confluent.kafka.server.plugins.auth;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.MultiTenantSaslServer;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.server.plugins.auth.stats.AuthenticationStats;
import io.confluent.kafka.server.plugins.auth.stats.TenantAuthenticationStats;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.authenticator.SaslServerCallbackHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

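/**
 * Server side of the SASL/PLAIN exchange for a multi-tenant listener.
 *
 * <p>The client sends a single message of the form {@code [authzid] NUL authcid NUL passwd}
 * (RFC 4616). This class splits that message, refuses impersonation (a non-empty authzid must
 * equal the username), and passes the username and password to the configured
 * {@link SaslAuthenticator}. On success it records the authenticated principal's name and
 * tenant metadata, which become readable through {@link #getAuthorizationID()} and
 * {@link #tenantMetadata()}.
 *
 * <p>PLAIN gives the password no protection of its own, and this class negotiates no security
 * layer ({@link #wrap} and {@link #unwrap} copy bytes unchanged), so confidentiality has to
 * come from the transport. Whether the listener enforces TLS is not visible from this class.
 */
public class PlainSaslServer implements MultiTenantSaslServer {
    public static final String PLAIN_MECHANISM = "PLAIN";
    private final SaslAuthenticator authenticator;
    private static final AuthenticationStats stats = AuthenticationStats.getInstance();
    private static final TenantAuthenticationStats tenantStats = TenantAuthenticationStats.instance();
    private static final Logger logger = LoggerFactory.getLogger(PlainSaslServer.class);
    // Set to true only after the authenticator has accepted the credentials.
    private boolean complete;
    // Name of the authenticated principal; valid only once complete is true.
    private String authorizationID;
    // Tenant metadata of the authenticated principal; valid only once complete is true.
    private TenantMetadata tenantMetadata;

    /**
     * JDK {@link SaslServerFactory} that hands out PLAIN servers built by a
     * {@link SaslServerSupplier}.
     */
    public static class PlainSaslServerFactory implements SaslServerFactory {
        private final SaslServerSupplier saslServerSupplier;

        public PlainSaslServerFactory(SaslServerSupplier saslServerSupplier) {
            this.saslServerSupplier = saslServerSupplier;
        }

        /**
         * Creates a server for the PLAIN mechanism.
         *
         * @param str requested mechanism name; anything other than {@code PLAIN} is rejected
         * @param str2 protocol name (unused)
         * @param str3 server name (unused)
         * @param map mechanism properties (unused)
         * @param callbackHandler must be a {@link SaslServerCallbackHandler}; its JAAS context
         *     is passed to the supplier
         * @return the server produced by the supplier
         * @throws SaslException if the mechanism is not PLAIN or the handler has the wrong type
         */
        @Override
        public SaslServer createSaslServer(String str, String str2, String str3, Map<String, ?> map, CallbackHandler callbackHandler) throws SaslException {
            if (!PlainSaslServer.PLAIN_MECHANISM.equals(str)) {
                throw new SaslException(String.format("Mechanism '%s' is not supported. Only PLAIN is supported.", str));
            }
            if (callbackHandler instanceof SaslServerCallbackHandler) {
                return this.saslServerSupplier.get(((SaslServerCallbackHandler) callbackHandler).jaasContext());
            }
            // A null handler must surface as a SaslException, not as a NullPointerException
            // raised while building the error message.
            String actualType = callbackHandler == null ? "null" : callbackHandler.getClass().toString();
            throw new SaslException("CallbackHandler must be of type SaslServerCallbackHandler, but it is: " + actualType);
        }

        /**
         * Lists the mechanisms this factory offers under the given policy.
         *
         * @param map policy properties; may be null, as the {@link SaslServerFactory} contract
         *     permits
         * @return an empty array when the no-plaintext policy is set to {@code true}, otherwise
         *     an array holding only {@code PLAIN}
         */
        @Override
        public String[] getMechanismNames(Map<String, ?> map) {
            Object noPlainText = map == null ? null : map.get("javax.security.sasl.policy.noplaintext");
            // Compare on the string form so a non-String value (for example Boolean.TRUE) still
            // disables PLAIN instead of failing a cast.
            if (noPlainText != null && "true".equals(noPlainText.toString())) {
                return new String[0];
            }
            return new String[]{PlainSaslServer.PLAIN_MECHANISM};
        }
    }

    /**
     * Stores the authenticator and initializes it with the listener's JAAS context.
     *
     * @param jaasContext JAAS context passed to {@link SaslAuthenticator#initialize}
     * @param saslAuthenticator verifier for the username/password pair
     */
    public PlainSaslServer(JaasContext jaasContext, SaslAuthenticator saslAuthenticator) {
        this.authenticator = saslAuthenticator;
        saslAuthenticator.initialize(jaasContext);
    }

    /**
     * Processes the client's PLAIN response and updates the global success/failure counters.
     *
     * <p>The logging MDC keys set during evaluation are removed on every exit path so they do
     * not leak into unrelated log lines emitted later by the same thread.
     *
     * @param bArr raw client response
     * @return an empty challenge on success
     * @throws SaslException if the response is malformed or the credentials are rejected
     */
    public byte[] evaluateResponse(byte[] bArr) throws SaslException {
        try {
            byte[] challenge = doEvaluateResponse(bArr);
            stats.incrSucceeded();
            return challenge;
        } catch (Exception e) {
            stats.incrFailed();
            // Only the cause's message and the stack trace are logged; the password is never
            // passed to the logger.
            logger.info("SASL/PLAIN authentication failed: {}", e.getCause() == null ? "" : e.getCause().getMessage(), e);
            throw e;
        } finally {
            clearMdc();
        }
    }

    /** Removes every MDC key that {@link #doEvaluateResponse} may have set. */
    private void clearMdc() {
        MDC.remove("username");
        MDC.remove("saslMechanism");
        MDC.remove("authorizationId");
        MDC.remove("tenant");
    }

    /**
     * Parses and verifies one PLAIN response.
     *
     * @param bArr raw client response, decoded as UTF-8
     * @return an empty byte array; PLAIN has no further server challenge
     * @throws SaslException if the response does not hold exactly three tokens, the username or
     *     password is empty, the authzid differs from the username, or the authenticator
     *     rejects the credentials
     */
    private byte[] doEvaluateResponse(byte[] bArr) throws SaslException {
        MDC.put("saslMechanism", PLAIN_MECHANISM);
        // RFC 4616 separates the three fields with NUL (U+0000). The limit of -1 keeps trailing
        // empty tokens, so an empty password reaches the explicit check below and a response
        // with an extra trailing NUL is rejected as malformed rather than silently accepted.
        String[] tokens = new String(bArr, StandardCharsets.UTF_8).split("\u0000", -1);
        if (tokens.length != 3) {
            throw new SaslException("Invalid SASL/PLAIN response: expected 3 tokens, got " + tokens.length);
        }
        String requestedAuthzId = tokens[0];
        String username = tokens[1];
        String password = tokens[2];
        if (username.isEmpty()) {
            throw new SaslException("Authentication failed: username not specified");
        }
        // NOTE(review): the username is client-supplied and not yet authenticated when it enters
        // the MDC; the log layout should neutralize control characters (CR/LF) in MDC values.
        MDC.put("username", username);
        if (password.isEmpty()) {
            throw new SaslException("Authentication failed: password not specified");
        }
        // An authzid is tolerated only when it names the authenticating user: acting on behalf
        // of another identity is refused before the credentials are even checked.
        if (!requestedAuthzId.isEmpty() && !requestedAuthzId.equals(username)) {
            throw new SaslException("Authentication failed: Impersonation is not allowed; authorization id must match username");
        }
        MultiTenantPrincipal principal = this.authenticator.authenticate(username, password);
        // The authorization id exposed to the broker comes from the authenticator's principal,
        // never from the client-supplied authzid field.
        this.authorizationID = principal.getName();
        MDC.put("authorizationId", this.authorizationID);
        this.tenantMetadata = principal.tenantMetadata();
        MDC.put("tenant", this.tenantMetadata.tenantName);
        tenantStats.onSuccessfulAuthentication(principal);
        logger.info("SASL/PLAIN authentication succeeded for user {}", username);
        this.complete = true;
        return new byte[0];
    }

    /**
     * @return tenant metadata of the authenticated principal
     * @throws IllegalStateException if authentication has not completed
     */
    public TenantMetadata tenantMetadata() {
        throwIfNotComplete();
        return this.tenantMetadata;
    }

    /**
     * @return name of the authenticated principal
     * @throws IllegalStateException if authentication has not completed
     */
    public String getAuthorizationID() {
        throwIfNotComplete();
        return this.authorizationID;
    }

    /** @return the constant mechanism name {@code PLAIN} */
    public String getMechanismName() {
        return PLAIN_MECHANISM;
    }

    /**
     * PLAIN negotiates no properties, so the result is always null.
     *
     * @throws IllegalStateException if authentication has not completed
     */
    public Object getNegotiatedProperty(String str) {
        throwIfNotComplete();
        return null;
    }

    /** @return true once the authenticator has accepted the credentials */
    public boolean isComplete() {
        return this.complete;
    }

    /**
     * Returns a copy of {@code i2} bytes starting at offset {@code i}; no security layer is
     * applied, the bytes are not transformed.
     *
     * @throws IllegalStateException if authentication has not completed
     */
    public byte[] unwrap(byte[] bArr, int i, int i2) throws SaslException {
        throwIfNotComplete();
        return Arrays.copyOfRange(bArr, i, i + i2);
    }

    /**
     * Returns a copy of {@code i2} bytes starting at offset {@code i}; no security layer is
     * applied, the bytes are not transformed.
     *
     * @throws IllegalStateException if authentication has not completed
     */
    public byte[] wrap(byte[] bArr, int i, int i2) throws SaslException {
        throwIfNotComplete();
        return Arrays.copyOfRange(bArr, i, i + i2);
    }

    /** No-op: this server holds no resources that need releasing. */
    public void dispose() throws SaslException {
    }

    /** Guards accessors that are only meaningful after a successful exchange. */
    private void throwIfNotComplete() {
        if (!this.complete) {
            throw new IllegalStateException("Authentication exchange has not completed");
        }
    }
}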
