package org.apache.kudu.client;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.kudu.rpc.RpcHeader;
import org.apache.kudu.security.Token;
import org.apache.kudu.shaded.com.google.common.annotations.VisibleForTesting;
import org.apache.kudu.shaded.com.google.common.base.Joiner;
import org.apache.kudu.shaded.com.google.common.base.Preconditions;
import org.apache.kudu.shaded.com.google.common.collect.ImmutableSet;
import org.apache.kudu.shaded.com.google.common.collect.Lists;
import org.apache.kudu.shaded.com.google.common.collect.Maps;
import org.apache.kudu.shaded.com.google.common.collect.Sets;
import org.apache.kudu.shaded.com.google.protobuf.ByteString;
import org.apache.kudu.shaded.com.google.protobuf.UnsafeByteOperations;
import org.apache.kudu.shaded.org.jboss.netty.buffer.ChannelBuffer;
import org.apache.kudu.shaded.org.jboss.netty.buffer.ChannelBuffers;
import org.apache.kudu.shaded.org.jboss.netty.channel.Channel;
import org.apache.kudu.shaded.org.jboss.netty.channel.ChannelFuture;
import org.apache.kudu.shaded.org.jboss.netty.channel.ChannelHandlerContext;
import org.apache.kudu.shaded.org.jboss.netty.channel.Channels;
import org.apache.kudu.shaded.org.jboss.netty.channel.MessageEvent;
import org.apache.kudu.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler;
import org.apache.kudu.shaded.org.jboss.netty.handler.codec.embedder.DecoderEmbedder;
import org.apache.kudu.shaded.org.jboss.netty.handler.ssl.SslHandler;
import org.apache.kudu.util.SecurityUtil;
import org.apache.yetus.audience.InterfaceAudience;
import org.ietf.jgss.GSSException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:org/apache/kudu/client/Negotiator.class */
public class Negotiator extends SimpleChannelUpstreamHandler {
    private static final Logger LOG;
    private static final SaslClientCallbackHandler SASL_CALLBACK;
    private static final Set<RpcHeader.RpcFeatureFlag> SUPPORTED_RPC_FEATURES;
    private static final String[] PRIORITIZED_MECHS;
    static final int CONNECTION_CTX_CALL_ID = -3;
    static final int SASL_CALL_ID = -33;
    private final String remoteHostname;
    private final SecurityContext securityContext;
    private final Token.SignedTokenPB authnToken;
    private State state = State.INITIAL;
    private SaslClient saslClient;
    private String chosenMech;
    private RpcHeader.AuthenticationTypePB.TypeCase chosenAuthnType;
    private Set<RpcHeader.RpcFeatureFlag> serverFeatures;
    private DecoderEmbedder<ChannelBuffer> sslEmbedder;
    private byte[] nonce;
    private ChannelFuture sslHandshakeFuture;
    private Certificate peerCert;

    @VisibleForTesting
    boolean overrideLoopbackForTests;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/kudu/client/Negotiator$Failure.class */
    public static class Failure {
        final RpcHeader.ErrorStatusPB status;

        public Failure(RpcHeader.ErrorStatusPB errorStatusPB) {
            this.status = errorStatusPB;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/kudu/client/Negotiator$SaslClientCallbackHandler.class */
    public static class SaslClientCallbackHandler implements CallbackHandler {
        private SaslClientCallbackHandler() {
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(System.getProperty("user.name"));
                } else {
                    if (!(callback instanceof PasswordCallback)) {
                        throw new UnsupportedCallbackException(callback, "Unrecognized SASL client callback");
                    }
                    ((PasswordCallback) callback).setPassword(new char[0]);
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/kudu/client/Negotiator$State.class */
    public enum State {
        INITIAL,
        AWAIT_NEGOTIATE,
        AWAIT_TLS_HANDSHAKE,
        AWAIT_TOKEN_EXCHANGE,
        AWAIT_SASL,
        FINISHED
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/kudu/client/Negotiator$Success.class */
    public static class Success {
        final Set<RpcHeader.RpcFeatureFlag> serverFeatures;

        public Success(Set<RpcHeader.RpcFeatureFlag> set) {
            this.serverFeatures = set;
        }
    }

    public Negotiator(String str, SecurityContext securityContext, boolean z) {
        this.remoteHostname = str;
        this.securityContext = securityContext;
        if (z) {
            this.authnToken = null;
        } else {
            this.authnToken = securityContext.getAuthenticationToken();
        }
    }

    public void sendHello(Channel channel) {
        sendNegotiateMessage(channel);
    }

    private void sendNegotiateMessage(Channel channel) {
        RpcHeader.NegotiatePB.Builder step = RpcHeader.NegotiatePB.newBuilder().setStep(RpcHeader.NegotiatePB.NegotiateStep.NEGOTIATE);
        Iterator<RpcHeader.RpcFeatureFlag> it = SUPPORTED_RPC_FEATURES.iterator();
        while (it.hasNext()) {
            step.addSupportedFeatures(it.next());
        }
        if (isLoopbackConnection(channel)) {
            step.addSupportedFeatures(RpcHeader.RpcFeatureFlag.TLS_AUTHENTICATION_ONLY);
        }
        step.addAuthnTypesBuilder().setSasl(RpcHeader.AuthenticationTypePB.Sasl.getDefaultInstance());
        if (this.authnToken != null && this.securityContext.hasTrustedCerts()) {
            step.addAuthnTypesBuilder().setToken(RpcHeader.AuthenticationTypePB.Token.getDefaultInstance());
        }
        this.state = State.AWAIT_NEGOTIATE;
        sendSaslMessage(channel, step.build());
    }

    private void sendSaslMessage(Channel channel, RpcHeader.NegotiatePB negotiatePB) {
        Preconditions.checkNotNull(channel);
        RpcHeader.RequestHeader.Builder newBuilder = RpcHeader.RequestHeader.newBuilder();
        newBuilder.setCallId(SASL_CALL_ID);
        Channels.write(channel, new RpcOutboundMessage(newBuilder, negotiatePB));
    }

    @Override // org.apache.kudu.shaded.org.jboss.netty.channel.SimpleChannelUpstreamHandler
    public void messageReceived(ChannelHandlerContext channelHandlerContext, MessageEvent messageEvent) throws IOException {
        Object message = messageEvent.getMessage();
        if (message instanceof CallResponse) {
            handleResponse(channelHandlerContext.getChannel(), (CallResponse) message);
        } else {
            channelHandlerContext.sendUpstream(messageEvent);
        }
    }

    private void handleResponse(Channel channel, CallResponse callResponse) throws IOException {
        if (callResponse.getHeader().getIsError()) {
            RpcHeader.ErrorStatusPB.Builder newBuilder = RpcHeader.ErrorStatusPB.newBuilder();
            KuduRpc.readProtobuf(callResponse.getPBMessage(), newBuilder);
            RpcHeader.ErrorStatusPB build = newBuilder.build();
            LOG.debug("peer {} sent connection negotiation error: {}", channel.getRemoteAddress(), build.getMessage());
            this.state = State.FINISHED;
            channel.getPipeline().remove(this);
            Channels.fireMessageReceived(channel, new Failure(build));
            return;
        }
        RpcHeader.NegotiatePB parseSaslMsgResponse = parseSaslMsgResponse(callResponse);
        switch (this.state) {
            case AWAIT_NEGOTIATE:
                handleNegotiateResponse(channel, parseSaslMsgResponse);
                return;
            case AWAIT_SASL:
                handleSaslMessage(channel, parseSaslMsgResponse);
                return;
            case AWAIT_TOKEN_EXCHANGE:
                handleTokenExchangeResponse(channel, parseSaslMsgResponse);
                return;
            case AWAIT_TLS_HANDSHAKE:
                handleTlsMessage(channel, parseSaslMsgResponse);
                return;
            default:
                throw new IllegalStateException("received a message in unexpected state: " + this.state.toString());
        }
    }

    private void handleSaslMessage(Channel channel, RpcHeader.NegotiatePB negotiatePB) throws IOException {
        switch (negotiatePB.getStep()) {
            case SASL_CHALLENGE:
                handleChallengeResponse(channel, negotiatePB);
                return;
            case SASL_SUCCESS:
                handleSuccessResponse(channel, negotiatePB);
                return;
            default:
                throw new IllegalStateException("Wrong negotiation step: " + negotiatePB.getStep());
        }
    }

    private RpcHeader.NegotiatePB parseSaslMsgResponse(CallResponse callResponse) {
        if (callResponse.getHeader().getCallId() != SASL_CALL_ID) {
            throw new IllegalStateException("Received a call that wasn't for SASL");
        }
        RpcHeader.NegotiatePB.Builder newBuilder = RpcHeader.NegotiatePB.newBuilder();
        KuduRpc.readProtobuf(callResponse.getPBMessage(), newBuilder);
        return newBuilder.build();
    }

    private void handleNegotiateResponse(Channel channel, RpcHeader.NegotiatePB negotiatePB) throws IOException {
        Preconditions.checkState(negotiatePB.getStep() == RpcHeader.NegotiatePB.NegotiateStep.NEGOTIATE, "Expected NEGOTIATE message, got {}", negotiatePB.getStep());
        this.serverFeatures = getFeatureFlags(negotiatePB);
        boolean contains = this.serverFeatures.contains(RpcHeader.RpcFeatureFlag.TLS);
        this.chosenAuthnType = chooseAuthenticationType(negotiatePB);
        if (this.chosenAuthnType == RpcHeader.AuthenticationTypePB.TypeCase.SASL) {
            chooseAndInitializeSaslMech(negotiatePB);
        }
        if (contains) {
            startTlsHandshake(channel);
        } else {
            startAuthentication(channel);
        }
    }

    private boolean isLoopbackConnection(Channel channel) {
        if (this.overrideLoopbackForTests) {
            return true;
        }
        try {
            return ((InetSocketAddress) channel.getLocalAddress()).getAddress().equals(((InetSocketAddress) channel.getRemoteAddress()).getAddress());
        } catch (ClassCastException e) {
            return false;
        }
    }

    private void chooseAndInitializeSaslMech(RpcHeader.NegotiatePB negotiatePB) throws NonRecoverableException {
        HashSet newHashSet = Sets.newHashSet();
        Iterator<RpcHeader.NegotiatePB.SaslMechanism> it = negotiatePB.getSaslMechanismsList().iterator();
        while (it.hasNext()) {
            newHashSet.add(it.next().getMechanism());
        }
        HashMap newHashMap = Maps.newHashMap();
        for (String str : PRIORITIZED_MECHS) {
            if (newHashSet.contains(str)) {
                HashMap newHashMap2 = Maps.newHashMap();
                if ("GSSAPI".equals(str)) {
                    newHashMap2.put("javax.security.sasl.qop", "auth-int");
                }
                try {
                    this.saslClient = Sasl.createSaslClient(new String[]{str}, (String) null, "kudu", this.remoteHostname, newHashMap2, SASL_CALLBACK);
                    this.chosenMech = str;
                    break;
                } catch (SaslException e) {
                    newHashMap.put(str, e.getMessage());
                }
            } else {
                newHashMap.put(str, "not advertised by server");
            }
        }
        if (this.chosenMech == null) {
            throw new NonRecoverableException(Status.ConfigurationError((newHashSet.size() == 1 && newHashSet.contains("GSSAPI")) ? "Server requires Kerberos, but this client is not authenticated (kinit)" : "Unable to negotiate a matching mechanism. Errors: [" + Joiner.on(", ").withKeyValueSeparator(": ").join(newHashMap) + "]"));
        }
        LOG.debug("SASL mechanism {} chosen for peer {}", this.chosenMech, this.remoteHostname);
    }

    private RpcHeader.AuthenticationTypePB.TypeCase chooseAuthenticationType(RpcHeader.NegotiatePB negotiatePB) {
        Preconditions.checkArgument(negotiatePB.getAuthnTypesCount() <= 1, "Expected server to reply with at most one authn type");
        if (negotiatePB.getAuthnTypesCount() == 0) {
            return RpcHeader.AuthenticationTypePB.TypeCase.SASL;
        }
        RpcHeader.AuthenticationTypePB.TypeCase typeCase = negotiatePB.getAuthnTypes(0).getTypeCase();
        switch (typeCase) {
            case SASL:
                break;
            case TOKEN:
                if (this.authnToken == null) {
                    throw new IllegalArgumentException("server chose token authentication but client had no valid token");
                }
                break;
            default:
                throw new IllegalArgumentException("server chose bad authn type " + this.chosenAuthnType);
        }
        return typeCase;
    }

    private Set<RpcHeader.RpcFeatureFlag> getFeatureFlags(RpcHeader.NegotiatePB negotiatePB) {
        ImmutableSet.Builder builder = ImmutableSet.builder();
        for (RpcHeader.RpcFeatureFlag rpcFeatureFlag : negotiatePB.getSupportedFeaturesList()) {
            if (rpcFeatureFlag != RpcHeader.RpcFeatureFlag.UNKNOWN) {
                builder.add((ImmutableSet.Builder) rpcFeatureFlag);
            }
        }
        return builder.build();
    }

    private void startTlsHandshake(Channel channel) throws SSLException {
        SSLEngine createSSLEngine;
        switch (this.chosenAuthnType) {
            case SASL:
                createSSLEngine = this.securityContext.createSSLEngineTrustAll();
                break;
            case TOKEN:
                createSSLEngine = this.securityContext.createSSLEngine();
                break;
            default:
                throw new AssertionError("unreachable");
        }
        createSSLEngine.setUseClientMode(true);
        SslHandler sslHandler = new SslHandler(createSSLEngine);
        sslHandler.setEnableRenegotiation(false);
        this.sslEmbedder = new DecoderEmbedder<>(sslHandler);
        this.sslHandshakeFuture = sslHandler.handshake();
        this.state = State.AWAIT_TLS_HANDSHAKE;
        boolean sendPendingOutboundTls = sendPendingOutboundTls(channel);
        if (!$assertionsDisabled && !sendPendingOutboundTls) {
            throw new AssertionError();
        }
    }

    private void handleTlsMessage(Channel channel, RpcHeader.NegotiatePB negotiatePB) throws IOException {
        Preconditions.checkState(negotiatePB.getStep() == RpcHeader.NegotiatePB.NegotiateStep.TLS_HANDSHAKE);
        Preconditions.checkArgument(!negotiatePB.getTlsHandshake().isEmpty(), "empty TLS message from server");
        this.sslEmbedder.offer(ChannelBuffers.copiedBuffer(negotiatePB.getTlsHandshake().asReadOnlyByteBuffer()));
        if (sendPendingOutboundTls(channel)) {
            return;
        }
        SslHandler sslHandler = (SslHandler) this.sslEmbedder.getPipeline().getFirst();
        if (sslHandler.getEngine().getSession().getPeerCertificates().length == 0) {
            throw new SSLPeerUnverifiedException("no peer cert found");
        }
        if (!(this.serverFeatures.contains(RpcHeader.RpcFeatureFlag.TLS_AUTHENTICATION_ONLY) && isLoopbackConnection(channel))) {
            channel.getPipeline().addFirst("tls", sslHandler);
        }
        startAuthentication(channel);
    }

    private boolean sendPendingOutboundTls(Channel channel) {
        ArrayList newArrayList = Lists.newArrayList();
        while (this.sslEmbedder.peek() != null) {
            newArrayList.add(ByteString.copyFrom(this.sslEmbedder.poll().toByteBuffer()));
        }
        ByteString copyFrom = ByteString.copyFrom(newArrayList);
        if (this.sslHandshakeFuture.isDone()) {
            if ($assertionsDisabled || copyFrom.isEmpty()) {
                return false;
            }
            throw new AssertionError();
        }
        if (!$assertionsDisabled && copyFrom.size() <= 0) {
            throw new AssertionError();
        }
        sendTunneledTls(channel, copyFrom);
        return true;
    }

    private void sendTunneledTls(Channel channel, ByteString byteString) {
        sendSaslMessage(channel, RpcHeader.NegotiatePB.newBuilder().setStep(RpcHeader.NegotiatePB.NegotiateStep.TLS_HANDSHAKE).setTlsHandshake(byteString).build());
    }

    private void startAuthentication(Channel channel) throws SaslException, NonRecoverableException {
        switch (this.chosenAuthnType) {
            case SASL:
                sendSaslInitiate(channel);
                return;
            case TOKEN:
                sendTokenExchange(channel);
                return;
            default:
                throw new AssertionError("unreachable");
        }
    }

    private void sendTokenExchange(Channel channel) {
        Preconditions.checkNotNull(this.authnToken);
        Preconditions.checkNotNull(this.sslHandshakeFuture);
        Preconditions.checkState(this.sslHandshakeFuture.isSuccess());
        RpcHeader.NegotiatePB.Builder authnToken = RpcHeader.NegotiatePB.newBuilder().setStep(RpcHeader.NegotiatePB.NegotiateStep.TOKEN_EXCHANGE).setAuthnToken(this.authnToken);
        this.state = State.AWAIT_TOKEN_EXCHANGE;
        sendSaslMessage(channel, authnToken.build());
    }

    private void handleTokenExchangeResponse(Channel channel, RpcHeader.NegotiatePB negotiatePB) throws SaslException {
        Preconditions.checkArgument(negotiatePB.getStep() == RpcHeader.NegotiatePB.NegotiateStep.TOKEN_EXCHANGE, "expected TOKEN_EXCHANGE, got step: {}", negotiatePB.getStep());
        finish(channel);
    }

    private void sendSaslInitiate(Channel channel) throws SaslException, NonRecoverableException {
        RpcHeader.NegotiatePB.Builder newBuilder = RpcHeader.NegotiatePB.newBuilder();
        if (this.saslClient.hasInitialResponse()) {
            newBuilder.setToken(UnsafeByteOperations.unsafeWrap(evaluateChallenge(new byte[0])));
        }
        newBuilder.setStep(RpcHeader.NegotiatePB.NegotiateStep.SASL_INITIATE);
        newBuilder.addSaslMechanismsBuilder().setMechanism(this.chosenMech);
        this.state = State.AWAIT_SASL;
        sendSaslMessage(channel, newBuilder.build());
    }

    private void handleChallengeResponse(Channel channel, RpcHeader.NegotiatePB negotiatePB) throws SaslException, NonRecoverableException {
        byte[] evaluateChallenge = evaluateChallenge(negotiatePB.getToken().toByteArray());
        if (evaluateChallenge == null) {
            throw new IllegalStateException("Not expecting an empty token");
        }
        RpcHeader.NegotiatePB.Builder newBuilder = RpcHeader.NegotiatePB.newBuilder();
        newBuilder.setToken(UnsafeByteOperations.unsafeWrap(evaluateChallenge));
        newBuilder.setStep(RpcHeader.NegotiatePB.NegotiateStep.SASL_RESPONSE);
        sendSaslMessage(channel, newBuilder.build());
    }

    private void verifyChannelBindings(RpcHeader.NegotiatePB negotiatePB) throws IOException {
        byte[] endpointChannelBindings = SecurityUtil.getEndpointChannelBindings(this.peerCert);
        if (!negotiatePB.hasChannelBindings()) {
            throw new SSLPeerUnverifiedException("no channel bindings provided by remote peer");
        }
        byte[] byteArray = negotiatePB.getChannelBindings().toByteArray();
        if (byteArray.length < 4) {
            throw new SSLPeerUnverifiedException("invalid too-short channel bindings");
        }
        if (!Bytes.equals(endpointChannelBindings, this.saslClient.unwrap(byteArray, 4, byteArray.length - 4))) {
            throw new SSLPeerUnverifiedException("invalid channel bindings provided by remote peer");
        }
    }

    private void handleSuccessResponse(Channel channel, RpcHeader.NegotiatePB negotiatePB) throws IOException {
        Preconditions.checkState(this.saslClient.isComplete(), "server sent SASL_SUCCESS step, but SASL negotiation is not complete");
        if (this.chosenMech.equals("GSSAPI")) {
            if (negotiatePB.hasNonce()) {
                this.nonce = negotiatePB.getNonce().toByteArray();
            }
            if (this.peerCert != null) {
                verifyChannelBindings(negotiatePB);
            }
        }
        finish(channel);
    }

    private void finish(Channel channel) throws SaslException {
        this.state = State.FINISHED;
        channel.getPipeline().remove(this);
        Channels.write(channel, makeConnectionContext());
        Channels.fireMessageReceived(channel, new Success(this.serverFeatures));
    }

    private RpcOutboundMessage makeConnectionContext() throws SaslException {
        RpcHeader.ConnectionContextPB.Builder newBuilder = RpcHeader.ConnectionContextPB.newBuilder();
        RpcHeader.UserInformationPB.Builder newBuilder2 = RpcHeader.UserInformationPB.newBuilder();
        String property = System.getProperty("user.name");
        newBuilder2.setEffectiveUser(property);
        newBuilder2.setRealUser(property);
        newBuilder.setDEPRECATEDUserInfo(newBuilder2.build());
        if (this.nonce != null) {
            byte[] wrap = this.saslClient.wrap(this.nonce, 0, this.nonce.length);
            ByteBuffer allocate = ByteBuffer.allocate(wrap.length + 4);
            allocate.order(ByteOrder.BIG_ENDIAN);
            allocate.putInt(wrap.length);
            allocate.put(wrap);
            newBuilder.setEncodedNonce(UnsafeByteOperations.unsafeWrap(allocate.array()));
        }
        return new RpcOutboundMessage(RpcHeader.RequestHeader.newBuilder().setCallId(-3), newBuilder.build());
    }

    private byte[] evaluateChallenge(final byte[] bArr) throws SaslException, NonRecoverableException {
        try {
            return (byte[]) Subject.doAs(this.securityContext.getSubject(), new PrivilegedExceptionAction<byte[]>() { // from class: org.apache.kudu.client.Negotiator.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public byte[] run() throws SaslException {
                    return Negotiator.this.saslClient.evaluateChallenge(bArr);
                }
            });
        } catch (PrivilegedActionException e) {
            SaslException cause = e.getCause();
            GSSException cause2 = cause.getCause();
            if ((cause2 instanceof GSSException) && cause2.getMajor() == 13) {
                throw new NonRecoverableException(Status.ConfigurationError("Server requires Kerberos, but this client is not authenticated (kinit)"), cause);
            }
            throw cause;
        }
    }

    static {
        $assertionsDisabled = !Negotiator.class.desiredAssertionStatus();
        LOG = LoggerFactory.getLogger((Class<?>) Negotiator.class);
        SASL_CALLBACK = new SaslClientCallbackHandler();
        SUPPORTED_RPC_FEATURES = ImmutableSet.of(RpcHeader.RpcFeatureFlag.APPLICATION_FEATURE_FLAGS, RpcHeader.RpcFeatureFlag.TLS);
        PRIORITIZED_MECHS = new String[]{"GSSAPI", "PLAIN"};
    }
}
