package org.apache.storm.security.auth.sasl;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import org.apache.storm.security.auth.ReqContext;
import org.apache.storm.security.auth.sasl.SaslTransportPlugin;
import org.apache.storm.streams.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/storm/security/auth/sasl/SimpleSaslServerCallbackHandler.class */
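/**
 * Server-side SASL {@link CallbackHandler} that answers name/password, realm and authorization
 * callbacks from an ordered list of {@link PasswordProvider}s.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Authentication fails closed: if no provider returns a password for the presented name,
 *       {@link #handle(Callback[])} throws {@link IOException}.</li>
 *   <li>Impersonation (authorization ID differing from authentication ID) is permitted only when
 *       the handler-wide flag is set AND every ID that is present was translated by a provider
 *       that itself allows impersonation. An ID no provider recognises never allows it.</li>
 * </ul>
 */
public class SimpleSaslServerCallbackHandler implements CallbackHandler {
    private static final Logger LOG = LoggerFactory.getLogger(SimpleSaslServerCallbackHandler.class);
    /** Providers consulted in list order; the first one that answers wins. */
    private final List<PasswordProvider> providers;
    /** Handler-wide switch; impersonation additionally needs per-provider approval. */
    private final boolean impersonationAllowed;

    /**
     * Creates a handler backed by the given providers.
     *
     * @param impersonationAllowed whether impersonation may be granted at all by this handler
     * @param passwordProviders providers to consult, in order
     */
    public SimpleSaslServerCallbackHandler(boolean impersonationAllowed, PasswordProvider... passwordProviders) {
        this(impersonationAllowed, Arrays.asList(passwordProviders));
    }

    /**
     * Creates a handler backed by the given providers.
     *
     * @param impersonationAllowed whether impersonation may be granted at all by this handler
     * @param passwordProviders providers to consult, in order; copied, so later changes to the
     *     caller's list do not affect this handler
     */
    public SimpleSaslServerCallbackHandler(boolean impersonationAllowed, List<PasswordProvider> passwordProviders) {
        this.impersonationAllowed = impersonationAllowed;
        // Typed copy (the original used a raw ArrayList).
        this.providers = new ArrayList<>(passwordProviders);
    }

    /**
     * Emits a debug-level snapshot of the callbacks. Does nothing unless debug logging is enabled.
     *
     * <p>The password itself is never logged, but its length is.
     * NOTE(review): the length is still a hint about the credential, and the name/ID fields are
     * client-supplied; confirm debug output is access-controlled and that the log layout
     * neutralises line breaks before enabling this in production.
     */
    private static void log(String stage, AuthorizeCallback authorizeCallback, NameCallback nameCallback,
                            PasswordCallback passwordCallback, RealmCallback realmCallback) {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        String authorizeText = "null";
        if (authorizeCallback != null) {
            authorizeText = "athz: " + authorizeCallback.getAuthorizationID()
                + " athn: " + authorizeCallback.getAuthenticationID()
                + " authorized: " + authorizeCallback.getAuthorizedID();
        }
        String nameText = "null";
        if (nameCallback != null) {
            nameText = "default: " + nameCallback.getDefaultName() + " name: " + nameCallback.getName();
        }
        String passwordText = "null";
        if (passwordCallback != null) {
            // PasswordCallback.getPassword() hands back a copy of the stored password.
            char[] password = passwordCallback.getPassword();
            if (password == null) {
                passwordText = "password: null";
            } else {
                passwordText = "password: not null " + password.length;
                // Wipe the copy made only for logging so it does not linger on the heap.
                Arrays.fill(password, '\0');
            }
        }
        String realmText = "null";
        if (realmCallback != null) {
            realmText = "default: " + realmCallback.getDefaultText() + " text: " + realmCallback.getText();
        }
        LOG.debug("{}\nAC: {}\nNC: {}\nPC: {}\nRC: {}", stage, authorizeText, nameText, passwordText, realmText);
    }

    /**
     * Maps an ID from the SASL exchange to a user name using the first provider that knows it.
     *
     * @param name the authentication or authorization ID to translate
     * @return the translated name paired with that provider's impersonation setting; if no
     *     provider returns a name, the input unchanged paired with {@code false}
     */
    private Pair<String, Boolean> translateName(String name) {
        for (PasswordProvider provider : this.providers) {
            String translated;
            try {
                translated = provider.userName(name);
            } catch (Exception e) {
                // A provider that cannot read the name is skipped, not fatal; the trailing
                // exception argument is logged as the throwable.
                LOG.debug("{} could not read name from {}", provider, name, e);
                continue;
            }
            if (translated != null) {
                return Pair.of(translated, Boolean.valueOf(provider.isImpersonationAllowed()));
            }
        }
        // Unknown to every provider: keep the name and deny impersonation.
        return Pair.of(name, Boolean.FALSE);
    }

    /**
     * Handles the callbacks of one SASL step.
     *
     * @param callbackArr callbacks to answer; only {@link AuthorizeCallback}, {@link NameCallback},
     *     {@link PasswordCallback} and {@link RealmCallback} are accepted
     * @throws UnsupportedCallbackException if any other callback type is present, or a
     *     {@link NameCallback} arrives without a {@link PasswordCallback} to receive the password
     * @throws IOException if no provider has a password for the presented name
     * @throws IllegalArgumentException (unchecked) if impersonation is attempted but not allowed
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException, IOException {
        NameCallback nameCallback = null;
        PasswordCallback passwordCallback = null;
        AuthorizeCallback authorizeCallback = null;
        RealmCallback realmCallback = null;
        for (Callback callback : callbackArr) {
            if (callback instanceof AuthorizeCallback) {
                authorizeCallback = (AuthorizeCallback) callback;
            } else if (callback instanceof NameCallback) {
                nameCallback = (NameCallback) callback;
            } else if (callback instanceof PasswordCallback) {
                passwordCallback = (PasswordCallback) callback;
            } else if (callback instanceof RealmCallback) {
                realmCallback = (RealmCallback) callback;
            } else {
                throw new UnsupportedCallbackException(callback, "Unrecognized SASL Callback");
            }
        }
        log("GOT", authorizeCallback, nameCallback, passwordCallback, realmCallback);

        if (nameCallback != null) {
            if (passwordCallback == null) {
                // Previously this case ended in a NullPointerException at setPassword();
                // reject it explicitly so the failure is clear and still fails closed.
                throw new UnsupportedCallbackException(nameCallback, "NameCallback without PasswordCallback");
            }
            String presentedName = nameCallback.getDefaultName();
            boolean passwordFound = false;
            for (PasswordProvider provider : this.providers) {
                Optional<char[]> password = provider.getPasswordFor(presentedName);
                if (password.isPresent()) {
                    passwordCallback.setPassword(password.get());
                    nameCallback.setName(provider.userName(presentedName));
                    passwordFound = true;
                    break;
                }
            }
            if (!passwordFound) {
                // Fail closed. The client-visible message stays generic; the name goes to the log only.
                LOG.warn("No password found for user: {}", presentedName);
                throw new IOException("NOT ALLOWED.");
            }
        }

        if (realmCallback != null) {
            realmCallback.setText(realmCallback.getDefaultText());
        }

        if (authorizeCallback != null) {
            // Starts from the handler-wide flag and can only be narrowed by the providers below.
            boolean mayImpersonate = this.impersonationAllowed;
            String authenticationID = authorizeCallback.getAuthenticationID();
            if (authenticationID != null) {
                Pair<String, Boolean> translated = translateName(authenticationID);
                authenticationID = translated.getFirst();
                mayImpersonate = mayImpersonate && translated.getSecond().booleanValue();
            }
            String authorizationID = authorizeCallback.getAuthorizationID();
            if (authorizationID != null) {
                Pair<String, Boolean> translated = translateName(authorizationID);
                authorizationID = translated.getFirst();
                mayImpersonate = mayImpersonate && translated.getSecond().booleanValue();
            }
            // NOTE(review): this message is emitted before the impersonation check below, so it
            // also appears for requests that are subsequently rejected.
            LOG.debug("Successfully authenticated client: authenticationID = {} authorizationID = {}", authenticationID, authorizationID);
            if (authorizationID == null) {
                // No separate authorization ID requested: the client acts as itself.
                authorizeCallback.setAuthorizedID(authenticationID);
                authorizationID = authenticationID;
            } else {
                authorizeCallback.setAuthorizedID(authorizationID);
            }
            if (Objects.equals(authenticationID, authorizationID)) {
                ReqContext.context().setRealPrincipal(null);
            } else {
                LOG.info("Impersonation attempt  authenticationID = {} authorizationID = {}", authenticationID, authorizationID);
                if (!mayImpersonate) {
                    // Thrown before setAuthorized(true), so the callback is never marked authorized.
                    throw new IllegalArgumentException(authorizeCallback.getAuthenticationID() + " attempting to impersonate " + authorizeCallback.getAuthorizationID() + ".  This is not allowed.");
                }
                // Record who really authenticated so the impersonation stays attributable.
                ReqContext.context().setRealPrincipal(new SaslTransportPlugin.User(authenticationID));
            }
            authorizeCallback.setAuthorized(true);
        }
        log("FINISHED", authorizeCallback, nameCallback, passwordCallback, realmCallback);
    }
}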
