package org.apache.hadoop.hbase.security.provider;

import java.util.Collection;
import java.util.Objects;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseInterfaceAudience;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.shaded.net.jcip.annotations.NotThreadSafe;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.LimitedPrivate({HBaseInterfaceAudience.AUTHENTICATION})
@NotThreadSafe
/* loaded from: input_file:org/apache/hadoop/hbase/security/provider/BuiltInProviderSelector.class */
public class BuiltInProviderSelector implements AuthenticationProviderSelector {
    private static final Logger LOG = LoggerFactory.getLogger(BuiltInProviderSelector.class);
    Configuration conf;
    SimpleSaslClientAuthenticationProvider simpleAuth = null;
    GssSaslClientAuthenticationProvider krbAuth = null;
    DigestSaslClientAuthenticationProvider digestAuth = null;
    Text digestAuthTokenKind = null;

    @Override // org.apache.hadoop.hbase.security.provider.AuthenticationProviderSelector
    public void configure(Configuration configuration, Collection<SaslClientAuthenticationProvider> collection) {
        if (this.conf != null) {
            throw new IllegalStateException("configure() should only be called once");
        }
        this.conf = (Configuration) Objects.requireNonNull(configuration);
        for (SaslClientAuthenticationProvider saslClientAuthenticationProvider : (Collection) Objects.requireNonNull(collection)) {
            String name = saslClientAuthenticationProvider.getSaslAuthMethod().getName();
            if (SimpleSaslAuthenticationProvider.SASL_AUTH_METHOD.getName().contentEquals(name)) {
                if (this.simpleAuth != null) {
                    throw new IllegalStateException("Encountered multiple SimpleSaslClientAuthenticationProvider instances");
                }
                this.simpleAuth = (SimpleSaslClientAuthenticationProvider) saslClientAuthenticationProvider;
            } else if (GssSaslAuthenticationProvider.SASL_AUTH_METHOD.getName().equals(name)) {
                if (this.krbAuth != null) {
                    throw new IllegalStateException("Encountered multiple GssSaslClientAuthenticationProvider instances");
                }
                this.krbAuth = (GssSaslClientAuthenticationProvider) saslClientAuthenticationProvider;
            } else if (!DigestSaslAuthenticationProvider.SASL_AUTH_METHOD.getName().equals(name)) {
                LOG.warn("Ignoring unknown SaslClientAuthenticationProvider: {}", saslClientAuthenticationProvider.getClass());
            } else {
                if (this.digestAuth != null) {
                    throw new IllegalStateException("Encountered multiple DigestSaslClientAuthenticationProvider instances");
                }
                this.digestAuth = (DigestSaslClientAuthenticationProvider) saslClientAuthenticationProvider;
                this.digestAuthTokenKind = new Text(this.digestAuth.getTokenKind());
            }
        }
        if (this.simpleAuth == null || this.krbAuth == null || this.digestAuth == null) {
            throw new IllegalStateException("Failed to load SIMPLE, KERBEROS, and DIGEST authentication providers. Classpath is not sane.");
        }
    }

    @Override // org.apache.hadoop.hbase.security.provider.AuthenticationProviderSelector
    public Pair<SaslClientAuthenticationProvider, Token<? extends TokenIdentifier>> selectProvider(String str, User user) {
        Objects.requireNonNull(str, "Null clusterId was given");
        Objects.requireNonNull(user, "Null user was given");
        if (!User.isHBaseSecurityEnabled(this.conf)) {
            return new Pair<>(this.simpleAuth, null);
        }
        Text text = new Text(str);
        for (Token<? extends TokenIdentifier> token : user.getTokens()) {
            if (text.equals(token.getService()) && this.digestAuthTokenKind.equals(token.getKind())) {
                return new Pair<>(this.digestAuth, token);
            }
        }
        UserGroupInformation ugi = user.getUGI();
        UserGroupInformation realUser = ugi.getRealUser();
        if (ugi.hasKerberosCredentials() || (realUser != null && realUser.hasKerberosCredentials())) {
            return new Pair<>(this.krbAuth, null);
        }
        LOG.warn("No matching SASL authentication provider and supporting token found from providers for user: {}", user);
        return null;
    }
}
