package org.apache.spark.network.crypto;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.common.base.Throwables;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.Channel;
import java.nio.ByteBuffer;
import org.apache.spark.network.client.RpcResponseCallback;
import org.apache.spark.network.client.TransportClient;
import org.apache.spark.network.sasl.SaslRpcHandler;
import org.apache.spark.network.sasl.SecretKeyHolder;
import org.apache.spark.network.server.AbstractAuthRpcHandler;
import org.apache.spark.network.server.RpcHandler;
import org.apache.spark.network.util.TransportConf;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/spark/network/crypto/AuthRpcHandler.class */
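/**
 * RPC handler that answers a client's authentication challenge before any other traffic is
 * accepted on the channel.
 *
 * <p>The handler decodes an {@link AuthMessage}, looks up the shared secret for the application
 * ID named in it, computes the response with an {@link AuthEngine}, and installs the resulting
 * session cipher on the channel. If the first message cannot be decoded and
 * {@link TransportConf#saslFallback()} is enabled, the handler switches to a
 * {@link SaslRpcHandler} for this and all later challenges.
 *
 * <p>Security note: the SASL fallback is a protocol downgrade that is triggered by a message the
 * remote peer controls. Deployments that must enforce the newer protocol need
 * {@code saslFallback()} to return {@code false}.
 */
class AuthRpcHandler extends AbstractAuthRpcHandler {
    private static final Logger LOG = LoggerFactory.getLogger(AuthRpcHandler.class);

    /** Transport configuration; consulted for the SASL fallback switch and passed to the engine. */
    private final TransportConf conf;

    /** Channel being authenticated; closed on any authentication failure. */
    private final Channel channel;

    /** Source of per-application shared secrets. */
    private final SecretKeyHolder secretKeyHolder;

    /**
     * Non-null only after a challenge failed to decode and the handler fell back to SASL. Once set
     * it is never cleared, so every later challenge is routed to SASL.
     */
    @VisibleForTesting
    SaslRpcHandler saslHandler;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a handler for one channel.
     *
     * @param transportConf transport configuration
     * @param channel channel to authenticate
     * @param rpcHandler delegate handed to the superclass
     * @param secretKeyHolder lookup for the shared secret of each application ID
     */
    public AuthRpcHandler(TransportConf transportConf, Channel channel, RpcHandler rpcHandler, SecretKeyHolder secretKeyHolder) {
        super(rpcHandler);
        this.conf = transportConf;
        this.channel = channel;
        this.secretKeyHolder = secretKeyHolder;
    }

    /**
     * Processes one authentication challenge.
     *
     * <p>The SASL fallback is considered only when decoding the challenge fails. A failure while
     * authenticating a challenge that decoded correctly always ends in a closed channel and never
     * in a downgrade to SASL.
     *
     * @param transportClient client whose ID is set to the application ID on success
     * @param byteBuffer raw challenge; its position and limit are restored before a SASL fallback
     * @param rpcResponseCallback receives the encoded response or a generic failure
     * @return {@code true} if the client authenticated, {@code false} if the channel was closed;
     *     when SASL is active, whatever the SASL handler returns
     * @throws RuntimeException if releasing the {@link AuthEngine} fails
     */
    @Override // org.apache.spark.network.server.AbstractAuthRpcHandler
    protected boolean doAuthChallenge(TransportClient transportClient, ByteBuffer byteBuffer, RpcResponseCallback rpcResponseCallback) {
        if (this.saslHandler != null) {
            return this.saslHandler.doAuthChallenge(transportClient, byteBuffer, rpcResponseCallback);
        }

        // Remember the read window so the same bytes can be replayed to SASL after a failed decode.
        final int savedPosition = byteBuffer.position();
        final int savedLimit = byteBuffer.limit();

        final AuthMessage challenge;
        try {
            challenge = AuthMessage.decodeMessage(byteBuffer);
        } catch (RuntimeException decodeFailure) {
            // Only a decode failure may reach this handler. Keeping the try this narrow prevents an
            // unrelated runtime error further down from being treated as "not the new protocol".
            if (!this.conf.saslFallback()) {
                LOG.debug("Unexpected challenge message from client {}, closing channel.", this.channel.remoteAddress());
                rpcResponseCallback.onFailure(new IllegalArgumentException("Unknown challenge message."));
                this.channel.close();
                return false;
            }
            LOG.warn("Failed to parse new auth challenge, reverting to SASL for client {}.", this.channel.remoteAddress());
            // NOTE(review): the SASL handler is created with a null delegate; confirm that this is
            // what SaslRpcHandler expects when it is driven from here.
            this.saslHandler = new SaslRpcHandler(this.conf, this.channel, null, this.secretKeyHolder);
            byteBuffer.position(savedPosition);
            byteBuffer.limit(savedLimit);
            return this.saslHandler.doAuthChallenge(transportClient, byteBuffer, rpcResponseCallback);
        }
        LOG.debug("Received new auth challenge for client {}.", this.channel.remoteAddress());

        AuthEngine engine = null;
        try {
            String secretKey = this.secretKeyHolder.getSecretKey(challenge.appId);
            Preconditions.checkState(secretKey != null, "Trying to authenticate non-registered app %s.", challenge.appId);
            LOG.debug("Authenticating challenge for app {}.", challenge.appId);
            engine = new AuthEngine(challenge.appId, secretKey, this.conf);
            AuthMessage response = engine.response(challenge);
            ByteBuf encoded = Unpooled.buffer(response.encodedLength());
            response.encode(encoded);
            // The reply is handed to the callback before the session cipher is installed.
            // NOTE(review): presumably so the reply itself is not passed through the new cipher;
            // confirm against the client side of the protocol.
            rpcResponseCallback.onSuccess(encoded.nioBuffer());
            engine.sessionCipher().addToChannel(this.channel);
            transportClient.setClientId(challenge.appId);
        } catch (Exception authFailure) {
            // The peer gets one generic message for every failure cause, so the reply does not
            // reveal whether the application ID was unknown or the proof was wrong.
            // NOTE(review): the failure is logged at debug level without the exception, so failed
            // attempts are not visible at default log levels; confirm this matches monitoring needs.
            LOG.debug("Authentication failed for client {}, closing channel.", this.channel.remoteAddress());
            rpcResponseCallback.onFailure(new IllegalArgumentException("Authentication failed."));
            this.channel.close();
            return false;
        } finally {
            // Release the engine exactly once on every path.
            if (engine != null) {
                try {
                    engine.close();
                } catch (Exception closeFailure) {
                    throw Throwables.propagate(closeFailure);
                }
            }
        }

        LOG.debug("Authorization successful for client {}.", this.channel.remoteAddress());
        return true;
    }

    /**
     * Returns the merged-block metadata handler.
     *
     * <p>{@link #saslHandler} is only set after a SASL fallback, so when it is absent the request
     * is answered by the superclass implementation instead of dereferencing {@code null}.
     *
     * @return the SASL handler's merged-block handler if SASL is active, otherwise the superclass's
     */
    @Override // org.apache.spark.network.server.AbstractAuthRpcHandler, org.apache.spark.network.server.RpcHandler
    public RpcHandler.MergedBlockMetaReqHandler getMergedBlockMetaReqHandler() {
        SaslRpcHandler sasl = this.saslHandler;
        if (sasl == null) {
            return super.getMergedBlockMetaReqHandler();
        }
        return sasl.getMergedBlockMetaReqHandler();
    }
}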
