package com.mapr.security.maprsasl;

import com.google.protobuf.ByteString;
import com.google.protobuf.InvalidProtocolBufferException;
import com.mapr.baseutils.audit.AuditConstants;
import com.mapr.baseutils.cldbutils.CLDBRpcCommonUtils;
import com.mapr.fs.proto.Security;
import com.mapr.login.client.MapRLoginHttpsClient;
import com.mapr.security.JNISecurity;
import com.mapr.security.MutableInt;
import com.mapr.security.SecurityHelper;
import com.mapr.security.maprsasl.MaprSaslServer;
import java.nio.ByteBuffer;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslClientFactory;
import javax.security.sasl.SaslException;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/mapr/security/maprsasl/MaprSaslClient.class */
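/**
 * Client side of the MapR SASL mechanism.
 *
 * <p>Handshake as implemented here:
 * <ol>
 *   <li>The client obtains a ticket (either the local server ticket or one from the
 *       MapR login service), draws a fresh 64-bit nonce, encrypts the nonce under the
 *       ticket's user key and sends an {@code AuthenticationReqFull} carrying the
 *       encrypted ticket and the encrypted nonce.</li>
 *   <li>The server answers with an {@code AuthenticationResp}. Status 0 means success:
 *       the reply must echo the nonce (proving the server could decrypt it), carry the
 *       server-chosen QOP and, for any QOP other than plain authentication, a session
 *       key. A non-zero status carries a list of CLDB hosts; the client re-resolves the
 *       target cluster from that list and sends one more request (two requests at most).</li>
 * </ol>
 *
 * <p>Instances are not thread-safe; one instance serves one handshake.
 */
public class MaprSaslClient extends MapRSaslImplBase implements SaslClient {
    private static final Logger LOG = LoggerFactory.getLogger(MaprSaslClient.class);
    private static final Integer MAX_BUF_SIZE_FOR_WRAP = Integer.valueOf(MapRSaslConst.DEFAULT_BUFFER_SIZE);
    /** Standard SASL property naming the QOP(s) the caller wants. */
    private static final String QOP_PROP = "javax.security.sasl.qop";
    /** Mechanism-specific property naming the target cluster. */
    private static final String CLUSTER_NAME_PROP = "ClusterName";
    /** Upper bound on authentication requests per handshake: the initial one plus one redirect. */
    private static final int MAX_AUTH_ATTEMPTS = 2;

    /** Number of authentication requests sent so far in this handshake. */
    private int passDone;
    private final CallbackHandler cbh;
    /** Per-handshake nonce; the server must echo it back in a successful reply. */
    private long randomSecret;
    private String authorizationId;
    private String authenticationId;
    /** User key taken from the ticket; encrypts the nonce and decrypts the server reply. */
    private Security.Key userKey;
    /** QOP requested by the caller; defaults to authentication only. */
    private String localqopProperty;
    /** Cluster name supplied by the caller, or the empty string when none was given. */
    private String clusterName;

    /** Factory registered with the SASL provider; only hands out clients for the MapR mechanism. */
    public static class SaslMaprClientFactory implements SaslClientFactory {
        @Override
        public String[] getMechanismNames(Map<String, ?> props) {
            return new String[]{MapRSaslConst.MECHANISM_NAME};
        }

        /**
         * Returns a new client when {@code mechanisms} names the MapR mechanism, otherwise
         * {@code null} as the {@link SaslClientFactory} contract allows.
         */
        @Override
        public SaslClient createSaslClient(String[] mechanisms, String authorizationId, String protocol,
                String serverName, Map<String, ?> props, CallbackHandler callbackHandler) throws SaslException {
            if (mechanisms == null) {
                return null;
            }
            for (String mechanism : mechanisms) {
                if (MapRSaslConst.MECHANISM_NAME.equals(mechanism)) {
                    return new MaprSaslClient(props, callbackHandler);
                }
            }
            return null;
        }
    }

    /**
     * Creates a client for one handshake.
     *
     * @param props           SASL properties; only {@value #QOP_PROP} and
     *                        {@value #CLUSTER_NAME_PROP} are read, and only when their
     *                        values are strings
     * @param callbackHandler retained but not consulted by this implementation
     * @throws SaslException propagated from the base class
     */
    public MaprSaslClient(Map<String, ?> props, CallbackHandler callbackHandler) throws SaslException {
        super(props);
        this.passDone = 0;
        this.cbh = callbackHandler;
        this.clusterName = AuditConstants.EMPTY_STRING;
        // Default to authentication-only before looking at the map: previously a non-empty
        // map without a qop entry left this null, which only showed up later as a
        // "different from Client: null" warning.
        this.localqopProperty = MaprSaslServer.QOP.AUTHENTICATION.getQopString();
        if (props == null || props.isEmpty()) {
            return;
        }
        Object qop = props.get(QOP_PROP);
        if (qop instanceof String) {
            this.localqopProperty = (String) qop;
        }
        Object cluster = props.get(CLUSTER_NAME_PROP);
        if (cluster instanceof String) {
            this.clusterName = (String) cluster;
        }
    }

    /** Drops all key material and identities held for the handshake. */
    @Override
    public void dispose() throws SaslException {
        this.sessionKey = null;
        // The user key was previously retained after dispose(); clear it with the rest.
        this.userKey = null;
        this.randomSecret = -1L;
        this.authorizationId = null;
        this.authenticationId = null;
    }

    /**
     * Produces the next client message. With no request sent yet the {@code challenge}
     * is ignored (see {@link #hasInitialResponse()}); afterwards it must be the
     * base64-encoded server reply to the previous request.
     *
     * @return the next base64-encoded request, or an empty array once the handshake is complete
     * @throws SaslException         on a malformed, unauthenticated or rejected server reply,
     *                               or when no usable ticket is available
     * @throws IllegalStateException if called after the handshake completed
     */
    @Override
    public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
        if (this.completed) {
            throw new IllegalStateException("MaprSasl authentication already completed");
        }
        List redirectCldbs = null;
        if (this.passDone > 0) {
            if (challenge == null || challenge.length < 1) {
                throw new SaslException("Received challenge is empty when secret expected");
            }
            if (this.userKey == null) {
                throw new SaslException("Bad userKey");
            }
            try {
                byte[] raw = Base64.decodeBase64(challenge);
                MutableInt err = new MutableInt();
                byte[] plain = com.mapr.security.Security.Decrypt(this.userKey, raw, err);
                if (err.GetValue() != 0) {
                    // NOTE(review): a reply that does not decrypt under the user key is
                    // re-read as plaintext. A status-0 reply is still gated by the nonce
                    // check in completeHandshake(), but a redirect reply is then accepted
                    // with no key-based check at all. Kept for compatibility; confirm that
                    // the server really sends unencrypted redirects before tightening this.
                    plain = raw;
                }
                Security.AuthenticationResp resp = parseResponse(plain);
                if (resp.getStatus() == 0) {
                    completeHandshake(resp);
                    return new byte[0];
                }
                if (this.passDone >= MAX_AUTH_ATTEMPTS) {
                    throw new SaslException("Max Attempts reached");
                }
                redirectCldbs = resp.getReceivingCldbList();
                if (redirectCldbs == null || redirectCldbs.isEmpty()) {
                    throw new SaslException("Error in response: No CLDBs recieved from the server");
                }
            } catch (SaslException e) {
                throw e;
            } catch (Throwable th) {
                LOG.error("Exception while processing ticket data", th);
                throw new SaslException("Exception while processing ticket data", th);
            }
        }
        try {
            // One error holder is shared between the ticket lookup and Encrypt(), as before;
            // only the value after Encrypt() is inspected.
            MutableInt err = new MutableInt();
            MapRLoginHttpsClient loginClient = new MapRLoginHttpsClient();
            Security.TicketAndKey ticket;
            if (MaprSecurityLoginModule.isUseMaprServerTicket()) {
                String cluster;
                if (redirectCldbs == null) {
                    cluster = CLDBRpcCommonUtils.getInstance().getCurrentClusterName();
                } else {
                    cluster = SecurityHelper.getClusterFromHost(redirectCldbs);
                    if (cluster == null) {
                        throw new SaslException("Cannot find the cluster name given cldb hosts from server");
                    }
                }
                ticket = com.mapr.security.Security.GetTicketAndKeyForCluster(
                        Security.ServerKeyType.CldbKey, cluster, err);
            } else {
                String cluster = redirectCldbs == null ? null : SecurityHelper.getClusterFromHost(redirectCldbs);
                if (cluster != null) {
                    ticket = loginClient.authenticateIfNeeded(cluster);
                } else if (!this.clusterName.isEmpty()) {
                    ticket = loginClient.authenticateIfNeeded(this.clusterName);
                } else {
                    ticket = loginClient.authenticateIfNeeded();
                }
            }
            if (ticket == null) {
                throw new SaslException("ServerTicketKey was not set and cannot get remote ticket");
            }
            // Expiry is in seconds; compare against wall-clock milliseconds.
            if (ticket.getExpiryTime() * 1000 < System.currentTimeMillis()) {
                throw new SaslException("MaprSaslClient My ticket Expired. Cannot auto renew nontemp ticket");
            }
            this.userKey = ticket.getUserKey();
            // NOTE(review): the nonce's unpredictability rests on this JNI generator being
            // cryptographically strong; confirm against the native implementation.
            this.randomSecret = JNISecurity.GenerateRandomNumber();
            byte[] encryptedNonce = com.mapr.security.Security.Encrypt(
                    this.userKey, toBigEndianBytes(this.randomSecret), err);
            if (err.GetValue() != 0) {
                throw new SaslException("Error while encrypting data: " + err.GetValue());
            }
            Security.AuthenticationReqFull.Builder request = Security.AuthenticationReqFull.newBuilder();
            request.setEncryptedRandomSecret(ByteString.copyFrom(encryptedNonce));
            request.setEncryptedTicket(ticket.getEncryptedTicket());
            SecurityHelper.addCLDBsToAuthReqFull(request, this.clusterName);
            byte[] encoded = Base64.encodeBase64(request.build().toByteArray());
            this.passDone++;
            return encoded;
        } catch (SaslException e) {
            throw e;
        } catch (Throwable th) {
            LOG.error("Exception while processing ticket data", th);
            throw new SaslException("Exception while processing ticket data", th);
        }
    }

    /** Parses the (decrypted or plaintext) server reply. */
    private static Security.AuthenticationResp parseResponse(byte[] plain) throws SaslException {
        try {
            Security.AuthenticationResp resp = Security.AuthenticationResp.parseFrom(plain);
            if (resp == null) {
                throw new SaslException("Bad response");
            }
            return resp;
        } catch (InvalidProtocolBufferException e) {
            throw new SaslException("Can not parse out the data from server response", e);
        }
    }

    /**
     * Validates a status-0 reply and records the negotiated QOP and session key.
     * The echoed nonce is the only evidence that the peer holds the user key.
     */
    private void completeHandshake(Security.AuthenticationResp resp) throws SaslException {
        if (!resp.hasChallengeResponse()) {
            throw new SaslException("No returned secret");
        }
        if (this.randomSecret != resp.getChallengeResponse()) {
            throw new SaslException("Bad returned secret");
        }
        if (!resp.hasEncodingType()) {
            throw new SaslException("No server QOP in response");
        }
        String serverQop = MaprSaslServer.QOP.getStringFromQOPInt(resp.getEncodingType());
        if (serverQop == null) {
            // Previously an unrecognised QOP value completed the handshake with whatever
            // negotiatedQOPProperty happened to hold; fail instead.
            throw new SaslException("Unsupported server QOP in response: " + resp.getEncodingType());
        }
        if (!serverQop.equals(this.localqopProperty)) {
            // NOTE(review): the server's choice wins even when it is weaker than what the
            // caller asked for (e.g. auth-conf requested, auth granted). Deployments that
            // require privacy should reject the downgrade here rather than only warn.
            LOG.warn("SASL Server qopProperty: {} is different from Client: {}. Using Server one",
                    serverQop, this.localqopProperty);
        }
        this.negotiatedQOPProperty = serverQop;
        if (!MaprSaslServer.QOP.AUTHENTICATION.getQopString().equals(serverQop)) {
            // Protobuf getters never return null, so the former null check could not fire;
            // a reply missing the key would have installed an empty default key.
            if (!resp.hasSessionKey()) {
                throw new SaslException("Bad returned sessionKey");
            }
            this.sessionKey = resp.getSessionKey();
        }
        this.completed = true;
    }

    /** Serialises {@code value} most-significant byte first, the wire form of the nonce. */
    private static byte[] toBigEndianBytes(long value) {
        return ByteBuffer.allocate(8).putLong(value).array();
    }

    /** The first message is sent without waiting for a server challenge. */
    @Override
    public boolean hasInitialResponse() {
        return true;
    }
}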
