package org.apache.hudi.org.apache.hadoop.hbase.security.provider;

import java.io.IOException;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hudi.org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hudi.org.apache.hadoop.hbase.security.HBaseSaslRpcServer;
import org.apache.hudi.org.apache.hadoop.hbase.security.SaslUtil;
import org.apache.yetus.audience.InterfaceAudience;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

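/**
 * Server-side SASL authentication provider for the DIGEST mechanism.
 *
 * <p>{@link #createServer} builds a SASL server whose callback handler resolves the client's
 * token identifier and the matching password through the supplied {@link SecretManager}.
 * Authorization is granted only when the authorization ID equals the authentication ID, so a
 * client cannot authenticate with one token and act as another identity.
 */
@InterfaceAudience.Private
/* loaded from: input_file:org/apache/hudi/org/apache/hadoop/hbase/security/provider/DigestSaslServerAuthenticationProvider.class */
public class DigestSaslServerAuthenticationProvider extends DigestSaslAuthenticationProvider implements SaslServerAuthenticationProvider {
    private static final Logger LOG = LoggerFactory.getLogger(DigestSaslServerAuthenticationProvider.class);

    // User taken from the token identifier of the most recent password callback.
    // NOTE(review): this reference lives on the provider instance and is handed to every server
    // created by createServer(); if one provider instance serves concurrent connections, the
    // "attempting user" reported for one connection may belong to another. Confirm the provider
    // lifecycle before relying on it for audit records.
    private final AtomicReference<UserGroupInformation> attemptingUser = new AtomicReference<>(null);

    /* loaded from: input_file:org/apache/hudi/org/apache/hadoop/hbase/security/provider/DigestSaslServerAuthenticationProvider$SaslDigestCallbackHandler.class */
    /** Answers the name, password and authorize callbacks raised during a DIGEST-MD5 exchange. */
    private static class SaslDigestCallbackHandler implements CallbackHandler {
        private final SecretManager<TokenIdentifier> secretManager;
        private final AtomicReference<UserGroupInformation> attemptingUser;

        /**
         * @param secretManager source of token identifiers and their passwords
         * @param atomicReference holder updated with the user of each token presented
         */
        public SaslDigestCallbackHandler(SecretManager<TokenIdentifier> secretManager, AtomicReference<UserGroupInformation> atomicReference) {
            this.secretManager = secretManager;
            this.attemptingUser = atomicReference;
        }

        /**
         * Looks up the password for the given token and encodes it for SASL.
         *
         * @throws SecretManager.InvalidToken if the secret manager rejects the token
         */
        private char[] getPassword(TokenIdentifier tokenIdentifier) throws SecretManager.InvalidToken {
            return SaslUtil.encodePassword(this.secretManager.retrievePassword(tokenIdentifier));
        }

        /**
         * Handles the callbacks of one SASL step.
         *
         * <p>A {@link PasswordCallback} is answered with the password of the token named by the
         * accompanying {@link NameCallback}. An {@link AuthorizeCallback} is approved only when
         * its authentication and authorization IDs are equal. {@link RealmCallback}s are ignored.
         *
         * @param callbackArr callbacks supplied by the SASL server
         * @throws SecretManager.InvalidToken if the presented token cannot be resolved
         * @throws UnsupportedCallbackException for an unknown callback type, or for a password
         *     callback that arrives without a name callback
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws SecretManager.InvalidToken, UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            AuthorizeCallback authorizeCallback = null;
            for (Callback callback : callbackArr) {
                if (callback instanceof AuthorizeCallback) {
                    authorizeCallback = (AuthorizeCallback) callback;
                } else if (callback instanceof NameCallback) {
                    nameCallback = (NameCallback) callback;
                } else if (callback instanceof PasswordCallback) {
                    passwordCallback = (PasswordCallback) callback;
                } else if (!(callback instanceof RealmCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL DIGEST-MD5 Callback");
                }
            }
            if (passwordCallback != null) {
                // Without a name there is no token to look up; reject explicitly instead of
                // failing with a NullPointerException in the middle of the handshake.
                if (nameCallback == null) {
                    throw new UnsupportedCallbackException(passwordCallback, "PasswordCallback received without a NameCallback");
                }
                TokenIdentifier identifier = HBaseSaslRpcServer.getIdentifier(nameCallback.getDefaultName(), this.secretManager);
                // Recorded before the password lookup so a failed attempt can still be attributed.
                this.attemptingUser.set(identifier.getUser());
                char[] password = getPassword(identifier);
                // Only the user is logged, never the password.
                LOG.trace("SASL server DIGEST-MD5 callback: setting password for client: {}", identifier.getUser());
                // PasswordCallback stores its own copy of the array.
                // NOTE(review): the local array is not cleared afterwards; clearing it is safe
                // only if SaslUtil.encodePassword returns a fresh array - confirm.
                passwordCallback.setPassword(password);
            }
            if (authorizeCallback != null) {
                String authenticationID = authorizeCallback.getAuthenticationID();
                String authorizationID = authorizeCallback.getAuthorizationID();
                // Fail closed: a missing authentication ID or any mismatch between the two IDs
                // is refused, so a token holder cannot request another identity.
                if (authenticationID == null || !authenticationID.equals(authorizationID)) {
                    authorizeCallback.setAuthorized(false);
                    return;
                }
                authorizeCallback.setAuthorized(true);
                if (LOG.isTraceEnabled()) {
                    // The identifier is decoded a second time purely for this log line, hence
                    // the guard. getUser() may be null (getAuthorizedUgi checks for it), so the
                    // log statement must not dereference it blindly.
                    UserGroupInformation ugi = HBaseSaslRpcServer.getIdentifier(authorizationID, this.secretManager).getUser();
                    LOG.trace("SASL server DIGEST-MD5 callback: setting canonicalized client ID: {}", ugi == null ? null : ugi.getUserName());
                }
                authorizeCallback.setAuthorizedID(authorizationID);
            }
        }
    }

    /**
     * Creates the SASL server for a DIGEST exchange.
     *
     * @param secretManager token secret manager; must not be {@code null}
     * @param map SASL properties passed through to {@link Sasl#createSaslServer}
     * @return the SASL server together with a supplier of the user that attempted authentication
     * @throws AccessDeniedException if no secret manager is configured
     * @throws IOException if the SASL server cannot be created
     */
    @Override // org.apache.hudi.org.apache.hadoop.hbase.security.provider.SaslServerAuthenticationProvider
    public AttemptingUserProvidingSaslServer createServer(SecretManager<TokenIdentifier> secretManager, Map<String, String> map) throws IOException {
        if (secretManager == null) {
            throw new AccessDeniedException("Server is not configured to do DIGEST authentication.");
        }
        CallbackHandler handler = new SaslDigestCallbackHandler(secretManager, this.attemptingUser);
        return new AttemptingUserProvidingSaslServer(
            Sasl.createSaslServer(getSaslAuthMethod().getSaslMechanism(), null, "default", map, handler),
            () -> this.attemptingUser.get());
    }

    /** @return always {@code false} for this provider */
    @Override // org.apache.hudi.org.apache.hadoop.hbase.security.provider.SaslServerAuthenticationProvider
    public boolean supportsProtocolAuthentication() {
        return false;
    }

    /**
     * Resolves the authorized ID to the user carried by its token identifier.
     *
     * @param str authorized ID produced by the SASL exchange
     * @param secretManager secret manager used to decode the identifier
     * @return the user, with the token identifier attached and the authentication method set
     * @throws AccessDeniedException if the identifier carries no user
     * @throws IOException if the identifier cannot be resolved
     */
    @Override // org.apache.hudi.org.apache.hadoop.hbase.security.provider.SaslServerAuthenticationProvider
    public UserGroupInformation getAuthorizedUgi(String str, SecretManager<TokenIdentifier> secretManager) throws IOException {
        TokenIdentifier identifier = HBaseSaslRpcServer.getIdentifier(str, secretManager);
        UserGroupInformation user = identifier.getUser();
        if (user == null) {
            throw new AccessDeniedException("Can't retrieve username from tokenIdentifier.");
        }
        user.addTokenIdentifier(identifier);
        user.setAuthenticationMethod(getSaslAuthMethod().getAuthMethod());
        return user;
    }
}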
