package org.apache.accumulo.server.rpc;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.accumulo.core.client.impl.DelegationTokenImpl;
import org.apache.accumulo.core.client.impl.thrift.SecurityErrorCode;
import org.apache.accumulo.core.client.impl.thrift.ThriftSecurityException;
import org.apache.accumulo.core.client.security.tokens.AuthenticationToken;
import org.apache.accumulo.core.client.security.tokens.KerberosToken;
import org.apache.accumulo.core.conf.AccumuloConfiguration;
import org.apache.accumulo.core.rpc.SaslConnectionParams;
import org.apache.accumulo.core.security.thrift.TCredentials;
import org.apache.accumulo.server.security.SystemCredentials;
import org.apache.accumulo.server.security.UserImpersonation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/accumulo/server/rpc/TCredentialsUpdatingInvocationHandler.class */
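/**
 * Reflection proxy handler that validates the {@link TCredentials} argument of an RPC against the
 * principal reported by {@link UGIAssumingProcessor} before forwarding the call to the wrapped
 * instance.
 *
 * <p>Everything inside the {@code TCredentials} object ({@code principal}, {@code tokenClassName})
 * is supplied by the remote caller and is treated as untrusted. A request is only forwarded when
 * the claimed principal equals the RPC principal, or when the impersonation configuration allows
 * the RPC principal to act as the claimed principal from the client address. Every other outcome
 * is reported as {@link SecurityErrorCode#BAD_CREDENTIALS}.
 *
 * @param <I> type of the wrapped service implementation
 */
public class TCredentialsUpdatingInvocationHandler<I> implements InvocationHandler {
    private static final Logger log = LoggerFactory.getLogger(TCredentialsUpdatingInvocationHandler.class);

    // Maps a token class name to its resolved class. Only names that resolve to an
    // AuthenticationToken subtype are stored, so caller-supplied junk names cannot grow the map.
    private static final ConcurrentHashMap<String, Class<? extends AuthenticationToken>> TOKEN_CLASS_CACHE = new ConcurrentHashMap<>();

    private final I instance;
    private final UserImpersonation impersonation;

    /**
     * Creates a handler around {@code i}.
     *
     * <p>The decompiler reported that this constructor was originally {@code protected}; it is kept
     * {@code public} here so existing callers of this listing keep compiling.
     *
     * @param i the service implementation that receives validated calls
     * @param accumuloConfiguration configuration used to build the {@link UserImpersonation} rules
     */
    public TCredentialsUpdatingInvocationHandler(I i, AccumuloConfiguration accumuloConfiguration) {
        this.instance = i;
        this.impersonation = new UserImpersonation(accumuloConfiguration);
    }

    /**
     * Validates the credentials in the argument list, then invokes {@code method} on the wrapped
     * instance.
     *
     * @throws Throwable the {@link ThriftSecurityException} raised by validation, or whatever the
     *         target method threw (unwrapped from {@link InvocationTargetException})
     */
    @Override // java.lang.reflect.InvocationHandler
    public Object invoke(Object obj, Method method, Object[] objArr) throws Throwable {
        updateArgs(objArr);
        return invokeMethod(method, objArr);
    }

    /**
     * Checks the {@link TCredentials} found in the first or second argument, if any, against the
     * RPC principal.
     *
     * <p>Calls with fewer than two arguments, or without a {@code TCredentials} in the first two
     * positions, pass through unchecked.
     *
     * @param objArr the RPC argument list; may be {@code null}
     * @throws ThriftSecurityException with {@code BAD_CREDENTIALS} when the token class cannot be
     *         resolved or is not an accepted type, when no RPC principal is available, or when the
     *         claimed principal is neither the RPC principal nor an allowed impersonation
     */
    protected void updateArgs(Object[] objArr) throws ThriftSecurityException {
        if (objArr == null || objArr.length < 2) {
            return;
        }

        // instanceof is false for null, so no separate null test is needed.
        TCredentials creds = null;
        if (objArr[0] instanceof TCredentials) {
            creds = (TCredentials) objArr[0];
        } else if (objArr[1] instanceof TCredentials) {
            creds = (TCredentials) objArr[1];
        }
        if (null == creds) {
            log.trace("Did not find a TCredentials object in the first two positions of the argument list, not updating principal");
            return;
        }

        // The class name comes from the caller. A missing, unknown or non-token name must end in
        // BAD_CREDENTIALS rather than a NullPointerException/ClassCastException escaping from the
        // isAssignableFrom checks below.
        Class<? extends AuthenticationToken> tokenClass;
        try {
            tokenClass = getTokenClassFromName(creds.tokenClassName);
        } catch (ClassCastException e) {
            log.debug("Token class name does not refer to an AuthenticationToken: {}", creds.tokenClassName, e);
            throw new ThriftSecurityException("Did not receive a valid token", SecurityErrorCode.BAD_CREDENTIALS);
        }
        if (null == tokenClass) {
            log.debug("Could not resolve token class name: {}", creds.tokenClassName);
            throw new ThriftSecurityException("Did not receive a valid token", SecurityErrorCode.BAD_CREDENTIALS);
        }

        String rpcPrincipal = UGIAssumingProcessor.rpcPrincipal();

        // Delegation token over DIGEST-MD5: the claimed principal must be exactly the RPC principal,
        // impersonation is not considered on this path.
        if (SaslConnectionParams.SaslMechanism.DIGEST_MD5 == UGIAssumingProcessor.rpcMechanism() && DelegationTokenImpl.class.isAssignableFrom(tokenClass)) {
            // A null RPC principal can never match; reject it instead of dereferencing it.
            if (rpcPrincipal != null && rpcPrincipal.equals(creds.principal)) {
                return;
            }
            // NOTE(review): creds.principal is caller-controlled text written to the log; make sure
            // the log layout neutralises line breaks.
            log.warn("{} issued RPC with delegation token over DIGEST-MD5 as theAccumulo principal {}. Disallowing RPC", rpcPrincipal, creds.principal);
            throw new ThriftSecurityException("RPC principal did not match provided Accumulo principal", SecurityErrorCode.BAD_CREDENTIALS);
        }

        // From here on only KerberosToken and the internal SystemToken are acceptable.
        if (!KerberosToken.class.isAssignableFrom(tokenClass) && !SystemCredentials.SystemToken.class.isAssignableFrom(tokenClass)) {
            log.debug("Will not update principal on authentication tokens other than KerberosToken. Received {}", tokenClass);
            throw new ThriftSecurityException("Did not receive a valid token", SecurityErrorCode.BAD_CREDENTIALS);
        }
        if (null == rpcPrincipal) {
            log.debug("Found KerberosToken in TCredentials, but did not receive principal from SASL processor");
            throw new ThriftSecurityException("Did not extract principal from Thrift SASL processor", SecurityErrorCode.BAD_CREDENTIALS);
        }
        if (rpcPrincipal.equals(creds.principal)) {
            return;
        }

        // Principals differ: allowed only if the RPC principal is configured to impersonate the
        // claimed principal, and only from a permitted host.
        UserImpersonation.UsersWithHosts allowed = this.impersonation.get(rpcPrincipal);
        if (null == allowed || !allowed.getUsers().contains(creds.principal)) {
            // principalMismatch always throws in this class.
            principalMismatch(rpcPrincipal, creds.principal);
        }
        String clientAddress = TServerUtils.clientAddress.get();
        if (allowed.getHosts().contains(clientAddress)) {
            return;
        }
        String message = "Principal in credentials object allowed mismatched Kerberos principals, but not on " + clientAddress;
        log.warn(message);
        throw new ThriftSecurityException(message, SecurityErrorCode.BAD_CREDENTIALS);
    }

    /**
     * Logs and rejects a request whose claimed principal differs from the RPC principal.
     *
     * @param str the RPC principal (the expected value)
     * @param str2 the principal claimed in the credentials object
     * @throws ThriftSecurityException always, with {@code BAD_CREDENTIALS}
     */
    protected void principalMismatch(String str, String str2) throws ThriftSecurityException {
        // NOTE(review): str2 is caller-controlled and ends up in both the log line and the
        // exception message.
        String message = "Principal in credentials object should match kerberos principal. Expected '" + str + "' but was '" + str2 + "'";
        log.warn(message);
        throw new ThriftSecurityException(message, SecurityErrorCode.BAD_CREDENTIALS);
    }

    /**
     * Resolves a token class name to an {@link AuthenticationToken} subtype, using the shared cache.
     *
     * <p>The name is taken from the caller's credentials, so the class is loaded without running
     * its static initialiser: the result is only used for type checks, and a request should not be
     * able to trigger initialisation of an arbitrary class on the classpath.
     * NOTE(review): an explicit allow-list of accepted token class names would remove the
     * reflective lookup of caller-supplied names entirely.
     *
     * @param str the fully qualified class name; may be {@code null}
     * @return the resolved class, or {@code null} when {@code str} is {@code null} or no such class
     *         exists
     * @throws ClassCastException if the named class exists but is not an
     *         {@code AuthenticationToken}
     */
    protected Class<? extends AuthenticationToken> getTokenClassFromName(String str) {
        if (null == str) {
            // ConcurrentHashMap rejects null keys; treat a missing name like an unknown class.
            log.debug("No token class name was provided");
            return null;
        }
        Class<? extends AuthenticationToken> cached = TOKEN_CLASS_CACHE.get(str);
        if (cached != null) {
            return cached;
        }
        Class<? extends AuthenticationToken> resolved;
        try {
            // Same class loader Class.forName(String) would use, but with initialize=false.
            resolved = Class.forName(str, false, TCredentialsUpdatingInvocationHandler.class.getClassLoader()).asSubclass(AuthenticationToken.class);
        } catch (ClassNotFoundException e) {
            log.debug("Could not create class from token name: {}", str, e);
            return null;
        }
        Class<? extends AuthenticationToken> raced = TOKEN_CLASS_CACHE.putIfAbsent(str, resolved);
        return raced != null ? raced : resolved;
    }

    /**
     * Invokes {@code method} on the wrapped instance and rethrows the target's own exception
     * instead of the reflective wrapper.
     */
    private Object invokeMethod(Method method, Object[] objArr) throws Throwable {
        try {
            return method.invoke(this.instance, objArr);
        } catch (InvocationTargetException e) {
            throw e.getCause();
        }
    }

    /**
     * Returns the shared, static token class cache itself (not a copy).
     */
    protected ConcurrentHashMap<String, Class<? extends AuthenticationToken>> getTokenCache() {
        return TOKEN_CLASS_CACHE;
    }
}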
