package org.apache.storm.security.auth.kerberos;

import java.io.IOException;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.Configuration;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import org.apache.storm.security.auth.ClientAuthUtils;
import org.apache.storm.security.auth.ReqContext;
import org.apache.storm.security.auth.sasl.SaslTransportPlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/kerberos/ServerCallbackHandler.class */
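/**
 * Server-side SASL {@link CallbackHandler} for the Kerberos transport.
 *
 * <p>It answers the name, password, realm and authorize callbacks raised during the SASL
 * exchange. The security-relevant part is the {@link AuthorizeCallback}: when the authenticated
 * identity (authentication ID) differs from the identity the client asks to act as
 * (authorization ID), the request is an impersonation attempt. It is rejected unless this
 * handler was constructed with impersonation allowed.
 *
 * <p>NOTE(review): this class only decides whether impersonation may be attempted at all. It does
 * not check whether a particular authentication ID may act as a particular authorization ID;
 * presumably a later authorizer does that using the real principal stored in {@link ReqContext}.
 * Confirm before relying on it.
 */
public class ServerCallbackHandler implements CallbackHandler {
    private static final Logger LOG = LoggerFactory.getLogger(ServerCallbackHandler.class);

    // The message names 'StormServer' literally while the lookup uses
    // ClientAuthUtils.LOGIN_CONTEXT_SERVER; presumably they are the same section name - verify.
    private static final String MISSING_SERVER_ENTRY =
        "Could not find a 'StormServer' entry in this configuration: Server cannot start.";

    private final boolean impersonationAllowed;

    /**
     * Creates the handler and verifies that the server login section exists.
     *
     * @param conf configuration map handed to {@link ClientAuthUtils#getConfiguration}
     * @param impersonationAllowed whether a client may request an authorization ID that differs
     *     from its authentication ID
     * @throws IOException if a login configuration was obtained but it has no entry for
     *     {@code ClientAuthUtils.LOGIN_CONTEXT_SERVER}
     */
    public ServerCallbackHandler(Map<String, Object> conf, boolean impersonationAllowed) throws IOException {
        this.impersonationAllowed = impersonationAllowed;
        Configuration loginConf = ClientAuthUtils.getConfiguration(conf);
        if (loginConf == null) {
            // No login configuration at all is accepted here; only a configuration that lacks
            // the server section is treated as fatal.
            return;
        }
        if (loginConf.getAppConfigurationEntry(ClientAuthUtils.LOGIN_CONTEXT_SERVER) == null) {
            LOG.error(MISSING_SERVER_ENTRY);
            throw new IOException(MISSING_SERVER_ENTRY);
        }
    }

    /**
     * Handles the callbacks of one SASL step.
     *
     * <p>All callbacks are classified first, so an unsupported callback aborts the call before
     * any of them is acted on. {@link RealmCallback}s are accepted and ignored.
     *
     * @param callbackArr callbacks supplied by the SASL server
     * @throws UnsupportedCallbackException if a callback is not a name, password, realm or
     *     authorize callback
     * @throws IllegalArgumentException if the client requests impersonation and this handler
     *     does not allow it
     */
    @Override
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        NameCallback nameCallback = null;
        PasswordCallback passwordCallback = null;
        AuthorizeCallback authorizeCallback = null;
        for (Callback callback : callbackArr) {
            if (callback instanceof AuthorizeCallback) {
                authorizeCallback = (AuthorizeCallback) callback;
            } else if (callback instanceof NameCallback) {
                nameCallback = (NameCallback) callback;
            } else if (callback instanceof PasswordCallback) {
                passwordCallback = (PasswordCallback) callback;
            } else if (!(callback instanceof RealmCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized SASL Callback");
            }
        }

        String userName = "UNKNOWN";
        if (nameCallback != null) {
            LOG.debug("handleNameCallback");
            userName = nameCallback.getDefaultName();
            nameCallback.setName(userName);
        }

        if (passwordCallback != null) {
            // This handler never supplies a password; a password callback is only reported.
            LOG.error("No password found for user: {}, validate klist matches jaas conf", userName);
        }

        if (authorizeCallback == null) {
            return;
        }

        String authenticationID = authorizeCallback.getAuthenticationID();
        String requestedID = authorizeCallback.getAuthorizationID();
        LOG.debug("Successfully authenticated client: authenticationID={}  authorizationID= {}", authenticationID, requestedID);

        // A missing authorization ID means the client acts as itself. setAuthorizedID() does not
        // change what getAuthorizationID() returns, so the comparison below must use the
        // effective ID; comparing against the raw null value would classify an ordinary login
        // as an attempt to impersonate "null".
        String effectiveID = requestedID;
        if (requestedID == null) {
            authorizeCallback.setAuthorizedID(authenticationID);
            effectiveID = authenticationID;
        }

        // A null authentication ID still fails here with a NullPointerException, before
        // setAuthorized(true) is reached, so the callback stays unauthorized.
        if (authenticationID.equals(effectiveID)) {
            ReqContext.context().setRealPrincipal(null);
        } else {
            if (!this.impersonationAllowed) {
                // Leave an audit trail for the denial. Both IDs come from the SASL exchange, so
                // log consumers should treat them as untrusted text.
                LOG.warn("Rejected impersonation attempt: authenticationID={} authorizationID={}", authenticationID, effectiveID);
                throw new IllegalArgumentException(authenticationID + " attempting to impersonate " + effectiveID + ".  This is not allowed by this server.");
            }
            // Record who really authenticated so later checks can tell the impersonator from
            // the impersonated identity.
            ReqContext.context().setRealPrincipal(new SaslTransportPlugin.User(authenticationID));
        }
        authorizeCallback.setAuthorized(true);
    }
}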
