package org.apache.spark.network.crypto;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.Channel;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.concurrent.TimeoutException;
import org.apache.spark.network.client.TransportClient;
import org.apache.spark.network.client.TransportClientBootstrap;
import org.apache.spark.network.sasl.SaslClientBootstrap;
import org.apache.spark.network.sasl.SecretKeyHolder;
import org.apache.spark.network.util.TransportConf;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.sparkproject.guava.base.Throwables;

/* loaded from: input_file:org/apache/spark/network/crypto/AuthClientBootstrap.class */
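/**
 * Client-side bootstrap that authenticates a {@link TransportClient} before it is used.
 *
 * <p>Two protocols are reachable from here:
 * <ul>
 *   <li>the {@link AuthEngine} challenge/response handshake, used when
 *       {@code conf.encryptionEnabled()} is true; on success it installs the engine's session
 *       cipher on the channel;</li>
 *   <li>the older SASL bootstrap ({@link SaslClientBootstrap}), used when encryption is
 *       disabled, or as a fallback when the newer handshake fails with a
 *       {@link RuntimeException} and {@code conf.saslFallback()} is true.</li>
 * </ul>
 *
 * <p><b>Security note:</b> the fallback is a protocol downgrade. Any runtime failure of the newer
 * handshake other than a timeout is treated as "peer does not speak the new protocol", which
 * includes failures that have nothing to do with protocol support. The downgrade is reported
 * only at INFO (without the cause) or DEBUG (with it). Deployments that must not negotiate the
 * older protocol should run with {@code saslFallback()} disabled and alert on the
 * "New auth protocol failed, trying SASL." log line.
 */
public class AuthClientBootstrap implements TransportClientBootstrap {
    private static final Logger LOG = LoggerFactory.getLogger(AuthClientBootstrap.class);

    private final TransportConf conf;
    private final String appId;
    private final SecretKeyHolder secretKeyHolder;

    /**
     * Creates a bootstrap for one application identity.
     *
     * @param transportConf transport configuration; consulted for {@code encryptionEnabled()},
     *     {@code saslFallback()} and {@code authRTTimeoutMs()}
     * @param str application id; used to look up the shared secret and, after a successful
     *     handshake, set as the client id
     * @param secretKeyHolder source of the shared secret for {@code str}
     */
    public AuthClientBootstrap(TransportConf transportConf, String str, SecretKeyHolder secretKeyHolder) {
        this.conf = transportConf;
        this.appId = str;
        this.secretKeyHolder = secretKeyHolder;
    }

    /**
     * Authenticates the client, choosing the protocol from the configuration.
     *
     * @param transportClient client to authenticate
     * @param channel channel that receives the session cipher when the newer handshake succeeds
     * @throws RuntimeException wrapping an {@link IOException} or
     *     {@link GeneralSecurityException} from the newer handshake (these never trigger the
     *     SASL fallback), or the original runtime failure when fallback is disabled or the
     *     failure was caused by a {@link TimeoutException}
     */
    @Override
    public void doBootstrap(TransportClient transportClient, Channel channel) {
        if (!conf.encryptionEnabled()) {
            LOG.debug("AES encryption disabled, using old auth protocol.");
            doSaslAuth(transportClient, channel);
            return;
        }

        try {
            doSparkAuth(transportClient, channel);
            // Only reached when the handshake completed. On the SASL paths this class does not
            // set the client id itself. NOTE(review): presumably SaslClientBootstrap does — confirm.
            transportClient.setClientId(appId);
        } catch (IOException | GeneralSecurityException e) {
            // Checked failures are fatal: wrapped and rethrown, no downgrade attempted.
            throw Throwables.propagate(e);
        } catch (RuntimeException e) {
            // A timeout is not evidence that the peer lacks the new protocol, so it is never
            // answered with a downgrade.
            boolean timedOut = e.getCause() instanceof TimeoutException;
            if (!conf.saslFallback() || timedOut) {
                throw e;
            }
            if (LOG.isDebugEnabled()) {
                Throwable reason = e.getCause() != null ? e.getCause() : e;
                LOG.debug("New auth protocol failed, trying SASL.", reason);
            } else {
                LOG.info("New auth protocol failed, trying SASL.");
            }
            doSaslAuth(transportClient, channel);
        }
    }

    /**
     * Runs the {@link AuthEngine} handshake: sends the encoded client challenge, validates the
     * server's response and installs the resulting session cipher on {@code channel}.
     *
     * <p>The request is synchronous and bounded by {@code conf.authRTTimeoutMs()}.
     *
     * @throws GeneralSecurityException declared for the handshake steps
     * @throws IOException declared for the handshake steps and for closing the engine
     */
    private void doSparkAuth(TransportClient transportClient, Channel channel) throws GeneralSecurityException, IOException {
        String secret = secretKeyHolder.getSecretKey(appId);
        // try-with-resources closes the engine exactly once on every path. The hand-expanded
        // form called close() inside the guarded region, so a failing close() on the success
        // path was followed by a second close() in the handler. This relies on AuthEngine being
        // AutoCloseable, which its close() usage here implies.
        try (AuthEngine engine = new AuthEngine(appId, secret, conf)) {
            ClientChallenge challenge = engine.challenge();
            ByteBuf encoded = Unpooled.buffer(challenge.encodedLength());
            challenge.encode(encoded);

            ServerResponse response = ServerResponse.decodeMessage(
                    transportClient.sendRpcSync(encoded.nioBuffer(), conf.authRTTimeoutMs()));

            // The cipher is attached to the channel only after the response validated.
            engine.validate(response);
            engine.sessionCipher().addToChannel(channel);
        }
    }

    /** Delegates to a fresh {@link SaslClientBootstrap} built from the same conf, app id and key holder. */
    private void doSaslAuth(TransportClient transportClient, Channel channel) {
        SaslClientBootstrap sasl = new SaslClientBootstrap(conf, appId, secretKeyHolder);
        sasl.doBootstrap(transportClient, channel);
    }
}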
