package org.apache.hadoop.security;

import java.io.ByteArrayInputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.DataOutput;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.security.Security;
import java.util.Map;
import java.util.TreeMap;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.classification.InterfaceStability;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.security.SaslPlainServer;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.zookeeper.client.ZooKeeperSaslClient;

@InterfaceAudience.LimitedPrivate({"HDFS", "MapReduce"})
@InterfaceStability.Evolving
/* loaded from: input_file:lib/hadoop-common-2.2.0.jar:org/apache/hadoop/security/SaslRpcServer.class */
public class SaslRpcServer {
    public static final String SASL_DEFAULT_REALM = "default";

    @InterfaceAudience.Private
    @InterfaceStability.Unstable
    public AuthMethod authMethod;
    public String mechanism;
    public String protocol;
    public String serverId;
    public static final Log LOG = LogFactory.getLog(SaslRpcServer.class);
    public static final Map<String, String> SASL_PROPS = new TreeMap();

    @InterfaceStability.Evolving
    /* loaded from: input_file:lib/hadoop-common-2.2.0.jar:org/apache/hadoop/security/SaslRpcServer$AuthMethod.class */
    public enum AuthMethod {
        SIMPLE((byte) 80, ""),
        KERBEROS((byte) 81, "GSSAPI"),
        DIGEST((byte) 82, "DIGEST-MD5"),
        TOKEN((byte) 82, "DIGEST-MD5"),
        PLAIN((byte) 83, "PLAIN");

        public final byte code;
        public final String mechanismName;
        private static final int FIRST_CODE = values()[0].code;

        AuthMethod(byte b, String str) {
            this.code = b;
            this.mechanismName = str;
        }

        private static AuthMethod valueOf(byte b) {
            int i = (b & 255) - FIRST_CODE;
            if (i < 0 || i >= values().length) {
                return null;
            }
            return values()[i];
        }

        public String getMechanismName() {
            return this.mechanismName;
        }

        public static AuthMethod read(DataInput dataInput) throws IOException {
            return valueOf(dataInput.readByte());
        }

        public void write(DataOutput dataOutput) throws IOException {
            dataOutput.write(this.code);
        }
    }

    /* loaded from: input_file:lib/hadoop-common-2.2.0.jar:org/apache/hadoop/security/SaslRpcServer$QualityOfProtection.class */
    public enum QualityOfProtection {
        AUTHENTICATION("auth"),
        INTEGRITY("auth-int"),
        PRIVACY("auth-conf");

        public final String saslQop;

        QualityOfProtection(String str) {
            this.saslQop = str;
        }

        public String getSaslQop() {
            return this.saslQop;
        }
    }

    @InterfaceStability.Evolving
    /* loaded from: input_file:lib/hadoop-common-2.2.0.jar:org/apache/hadoop/security/SaslRpcServer$SaslDigestCallbackHandler.class */
    public static class SaslDigestCallbackHandler implements CallbackHandler {
        private SecretManager<TokenIdentifier> secretManager;
        private Server.Connection connection;

        public SaslDigestCallbackHandler(SecretManager<TokenIdentifier> secretManager, Server.Connection connection) {
            this.secretManager = secretManager;
            this.connection = connection;
        }

        private char[] getPassword(TokenIdentifier tokenIdentifier) throws SecretManager.InvalidToken {
            return SaslRpcServer.encodePassword(this.secretManager.retrievePassword(tokenIdentifier));
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws SecretManager.InvalidToken, UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            AuthorizeCallback authorizeCallback = null;
            for (Callback callback : callbackArr) {
                if (callback instanceof AuthorizeCallback) {
                    authorizeCallback = (AuthorizeCallback) callback;
                } else if (callback instanceof NameCallback) {
                    nameCallback = (NameCallback) callback;
                } else if (callback instanceof PasswordCallback) {
                    passwordCallback = (PasswordCallback) callback;
                } else if (!(callback instanceof RealmCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL DIGEST-MD5 Callback");
                }
            }
            if (passwordCallback != null) {
                TokenIdentifier identifier = SaslRpcServer.getIdentifier(nameCallback.getDefaultName(), this.secretManager);
                char[] password = getPassword(identifier);
                this.connection.attemptingUser = identifier.getUser();
                if (SaslRpcServer.LOG.isDebugEnabled()) {
                    SaslRpcServer.LOG.debug("SASL server DIGEST-MD5 callback: setting password for client: " + identifier.getUser());
                }
                passwordCallback.setPassword(password);
            }
            if (authorizeCallback != null) {
                String authenticationID = authorizeCallback.getAuthenticationID();
                String authorizationID = authorizeCallback.getAuthorizationID();
                if (authenticationID.equals(authorizationID)) {
                    authorizeCallback.setAuthorized(true);
                } else {
                    authorizeCallback.setAuthorized(false);
                }
                if (authorizeCallback.isAuthorized()) {
                    if (SaslRpcServer.LOG.isDebugEnabled()) {
                        SaslRpcServer.LOG.debug("SASL server DIGEST-MD5 callback: setting canonicalized client ID: " + SaslRpcServer.getIdentifier(authorizationID, this.secretManager).getUser().getUserName());
                    }
                    authorizeCallback.setAuthorizedID(authorizationID);
                }
            }
        }
    }

    @InterfaceStability.Evolving
    /* loaded from: input_file:lib/hadoop-common-2.2.0.jar:org/apache/hadoop/security/SaslRpcServer$SaslGssCallbackHandler.class */
    public static class SaslGssCallbackHandler implements CallbackHandler {
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            AuthorizeCallback authorizeCallback = null;
            for (Callback callback : callbackArr) {
                if (!(callback instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL GSSAPI Callback");
                }
                authorizeCallback = (AuthorizeCallback) callback;
            }
            if (authorizeCallback != null) {
                String authenticationID = authorizeCallback.getAuthenticationID();
                String authorizationID = authorizeCallback.getAuthorizationID();
                if (authenticationID.equals(authorizationID)) {
                    authorizeCallback.setAuthorized(true);
                } else {
                    authorizeCallback.setAuthorized(false);
                }
                if (authorizeCallback.isAuthorized()) {
                    if (SaslRpcServer.LOG.isDebugEnabled()) {
                        SaslRpcServer.LOG.debug("SASL server GSSAPI callback: setting canonicalized client ID: " + authorizationID);
                    }
                    authorizeCallback.setAuthorizedID(authorizationID);
                }
            }
        }
    }

    @InterfaceAudience.Private
    @InterfaceStability.Unstable
    public SaslRpcServer(AuthMethod authMethod) throws IOException {
        this.authMethod = authMethod;
        this.mechanism = authMethod.getMechanismName();
        switch (authMethod) {
            case SIMPLE:
                return;
            case TOKEN:
                this.protocol = "";
                this.serverId = "default";
                return;
            case KERBEROS:
                String userName = UserGroupInformation.getCurrentUser().getUserName();
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Kerberos principal name is " + userName);
                }
                String[] split = userName.split("[/@]", 3);
                this.protocol = split[0];
                this.serverId = split.length < 2 ? "" : split[1];
                return;
            default:
                throw new AccessControlException("Server does not support SASL " + authMethod);
        }
    }

    @InterfaceAudience.Private
    @InterfaceStability.Unstable
    public SaslServer create(Server.Connection connection, SecretManager<TokenIdentifier> secretManager) throws IOException, InterruptedException {
        CallbackHandler saslGssCallbackHandler;
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        switch (this.authMethod) {
            case TOKEN:
                saslGssCallbackHandler = new SaslDigestCallbackHandler(secretManager, connection);
                break;
            case KERBEROS:
                if (!this.serverId.isEmpty()) {
                    saslGssCallbackHandler = new SaslGssCallbackHandler();
                    break;
                } else {
                    throw new AccessControlException("Kerberos principal name does NOT have the expected hostname part: " + currentUser.getUserName());
                }
            default:
                throw new AccessControlException("Server does not support SASL " + this.authMethod);
        }
        final CallbackHandler callbackHandler = saslGssCallbackHandler;
        SaslServer saslServer = (SaslServer) currentUser.doAs(new PrivilegedExceptionAction<SaslServer>() { // from class: org.apache.hadoop.security.SaslRpcServer.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public SaslServer run() throws SaslException {
                return Sasl.createSaslServer(SaslRpcServer.this.mechanism, SaslRpcServer.this.protocol, SaslRpcServer.this.serverId, SaslRpcServer.SASL_PROPS, callbackHandler);
            }
        });
        if (saslServer == null) {
            throw new AccessControlException("Unable to find SASL server implementation for " + this.mechanism);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Created SASL server with mechanism = " + this.mechanism);
        }
        return saslServer;
    }

    public static void init(Configuration configuration) {
        QualityOfProtection qualityOfProtection = QualityOfProtection.AUTHENTICATION;
        String str = configuration.get("hadoop.rpc.protection", QualityOfProtection.AUTHENTICATION.name().toLowerCase());
        if (QualityOfProtection.INTEGRITY.name().toLowerCase().equals(str)) {
            qualityOfProtection = QualityOfProtection.INTEGRITY;
        } else if (QualityOfProtection.PRIVACY.name().toLowerCase().equals(str)) {
            qualityOfProtection = QualityOfProtection.PRIVACY;
        }
        SASL_PROPS.put("javax.security.sasl.qop", qualityOfProtection.getSaslQop());
        SASL_PROPS.put("javax.security.sasl.server.authentication", ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT);
        Security.addProvider(new SaslPlainServer.SecurityProvider());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static String encodeIdentifier(byte[] bArr) {
        return new String(Base64.encodeBase64(bArr));
    }

    static byte[] decodeIdentifier(String str) {
        return Base64.decodeBase64(str.getBytes());
    }

    public static <T extends TokenIdentifier> T getIdentifier(String str, SecretManager<T> secretManager) throws SecretManager.InvalidToken {
        byte[] decodeIdentifier = decodeIdentifier(str);
        T createIdentifier = secretManager.createIdentifier();
        try {
            createIdentifier.readFields(new DataInputStream(new ByteArrayInputStream(decodeIdentifier)));
            return createIdentifier;
        } catch (IOException e) {
            throw ((SecretManager.InvalidToken) new SecretManager.InvalidToken("Can't de-serialize tokenIdentifier").initCause(e));
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static char[] encodePassword(byte[] bArr) {
        return new String(Base64.encodeBase64(bArr)).toCharArray();
    }

    public static String[] splitKerberosName(String str) {
        return str.split("[/@]");
    }
}
