package org.apache.hadoop.security.rpcauth;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslServer;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

/* loaded from: input_file:lib/hadoop-common-2.7.0-mapr-1710.jar:org/apache/hadoop/security/rpcauth/DigestAuthMethod.class */
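/**
 * Token-based RPC authentication method negotiated over SASL {@code DIGEST-MD5}.
 *
 * <p>The client presents the Base64-encoded token identifier as the SASL user name and the
 * Base64-encoded token password as the SASL password. The server decodes the identifier it
 * receives, asks its {@link SecretManager} for the matching password and hands that to the SASL
 * layer, which performs the digest comparison.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The identifier handled on the server side comes from a peer that has not yet been
 *       authenticated; it is decoded and deserialized before any proof of possession of the
 *       token password exists. Parsing failures must therefore fail closed, which is why the
 *       helpers below surface them as {@link SecretManager.InvalidToken}.</li>
 *   <li>DIGEST-MD5 was moved to Historic status by RFC 6331. Whether the negotiated session is
 *       integrity- or confidentiality-protected depends on the SASL properties in the map the
 *       caller passes to {@link #createSaslClient} / {@link #createSaslServer}; this class does
 *       not set them.</li>
 *   <li>Debug logging prints the encoded token identifier and the resolved user, never the
 *       token password. Keep it that way.</li>
 * </ul>
 */
public final class DigestAuthMethod extends RpcAuthMethod {
    private static final Log LOG = LogFactory.getLog(DigestAuthMethod.class);
    static final RpcAuthMethod INSTANCE = new DigestAuthMethod();

    /**
     * Client-side callback handler: answers the SASL layer's name/password/realm prompts with
     * values derived from a single {@link Token}.
     */
    private static class SaslClientCallbackHandler implements CallbackHandler {
        // Base64 form of the token identifier; used as the SASL user name.
        private final String userName;
        // Base64 form of the token password; held for the lifetime of this handler.
        private final char[] userPassword;

        public SaslClientCallbackHandler(Token<? extends TokenIdentifier> token) {
            this.userName = DigestAuthMethod.encodeIdentifier(token.getIdentifier());
            this.userPassword = DigestAuthMethod.encodePassword(token.getPassword());
        }

        /**
         * Fills in the name, password and realm callbacks.
         *
         * @param callbackArr callbacks issued by the SASL client
         * @throws UnsupportedCallbackException if a callback is not a name, password, realm or
         *     realm-choice callback
         */
        @Override
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            RealmCallback realmCallback = null;
            for (Callback callback : callbackArr) {
                if (callback instanceof RealmChoiceCallback) {
                    // Accepted but deliberately left unanswered.
                    continue;
                }
                if (callback instanceof NameCallback) {
                    nameCallback = (NameCallback) callback;
                } else if (callback instanceof PasswordCallback) {
                    passwordCallback = (PasswordCallback) callback;
                } else if (callback instanceof RealmCallback) {
                    realmCallback = (RealmCallback) callback;
                } else {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL client callback");
                }
            }
            if (nameCallback != null) {
                if (DigestAuthMethod.LOG.isDebugEnabled()) {
                    DigestAuthMethod.LOG.debug("SASL client callback: setting username: " + this.userName);
                }
                nameCallback.setName(this.userName);
            }
            if (passwordCallback != null) {
                if (DigestAuthMethod.LOG.isDebugEnabled()) {
                    // The password value itself is intentionally not logged.
                    DigestAuthMethod.LOG.debug("SASL client callback: setting userPassword");
                }
                passwordCallback.setPassword(this.userPassword);
            }
            if (realmCallback != null) {
                // The realm proposed by the server is echoed back unchanged.
                if (DigestAuthMethod.LOG.isDebugEnabled()) {
                    DigestAuthMethod.LOG.debug("SASL client callback: setting realm: " + realmCallback.getDefaultText());
                }
                realmCallback.setText(realmCallback.getDefaultText());
            }
        }
    }

    /**
     * Server-side callback handler: resolves the password for the token identifier presented
     * by the peer and decides the authorization callback.
     */
    public static class SaslDigestCallbackHandler implements CallbackHandler {
        private SecretManager<TokenIdentifier> secretManager;
        private Server.Connection connection;

        public SaslDigestCallbackHandler(SecretManager<TokenIdentifier> secretManager, Server.Connection connection) {
            this.secretManager = secretManager;
            this.connection = connection;
        }

        /** Returns the Base64-encoded password the secret manager holds for {@code tokenIdentifier}. */
        private char[] getPassword(TokenIdentifier tokenIdentifier) throws SecretManager.InvalidToken {
            return DigestAuthMethod.encodePassword(this.secretManager.retrievePassword(tokenIdentifier));
        }

        /**
         * Answers the password and authorize callbacks issued by the SASL server.
         *
         * <p>The name callback carries the identifier supplied by the unauthenticated peer. It
         * is only used to look up the expected password; the digest check itself happens in the
         * SASL layer after this method returns.
         *
         * @param callbackArr callbacks issued by the SASL server
         * @throws SecretManager.InvalidToken if the identifier is missing, cannot be
         *     deserialized, or is rejected by the secret manager
         * @throws UnsupportedCallbackException if a callback is not an authorize, name, password
         *     or realm callback
         */
        @Override
        public void handle(Callback[] callbackArr) throws SecretManager.InvalidToken, UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            AuthorizeCallback authorizeCallback = null;
            for (Callback callback : callbackArr) {
                if (callback instanceof AuthorizeCallback) {
                    authorizeCallback = (AuthorizeCallback) callback;
                } else if (callback instanceof NameCallback) {
                    nameCallback = (NameCallback) callback;
                } else if (callback instanceof PasswordCallback) {
                    passwordCallback = (PasswordCallback) callback;
                } else if (!(callback instanceof RealmCallback)) {
                    // RealmCallback is tolerated and ignored; anything else is rejected.
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL DIGEST-MD5 Callback");
                }
            }
            if (passwordCallback != null) {
                // Fail closed with a declared exception instead of a NullPointerException when
                // the password is requested without an accompanying name.
                if (nameCallback == null) {
                    throw new SecretManager.InvalidToken("SASL DIGEST-MD5 PasswordCallback received without a NameCallback");
                }
                TokenIdentifier identifier = DigestAuthMethod.getIdentifier(nameCallback.getDefaultName(), this.secretManager);
                char[] password = getPassword(identifier);
                // Recorded before authentication has completed: this is the claimed user only.
                this.connection.attemptingUser = identifier.getUser();
                if (SaslRpcServer.LOG.isDebugEnabled()) {
                    SaslRpcServer.LOG.debug("SASL server DIGEST-MD5 callback: setting password for client: " + identifier.getUser());
                }
                passwordCallback.setPassword(password);
            }
            if (authorizeCallback != null) {
                String authenticationID = authorizeCallback.getAuthenticationID();
                String authorizationID = authorizeCallback.getAuthorizationID();
                // Authorization is granted only when the peer acts as itself; a missing
                // authentication ID is treated as a mismatch rather than raising an NPE.
                authorizeCallback.setAuthorized(authenticationID != null && authenticationID.equals(authorizationID));
                if (authorizeCallback.isAuthorized()) {
                    if (SaslRpcServer.LOG.isDebugEnabled()) {
                        // getUser() may return null (getAuthorizedUgi checks for it); enabling
                        // debug logging must not turn a successful handshake into an NPE.
                        UserGroupInformation user = DigestAuthMethod.getIdentifier(authorizationID, this.secretManager).getUser();
                        SaslRpcServer.LOG.debug("SASL server DIGEST-MD5 callback: setting canonicalized client ID: " + (user == null ? null : user.getUserName()));
                    }
                    authorizeCallback.setAuthorizedID(authorizationID);
                }
            }
        }
    }

    private DigestAuthMethod() {
        // NOTE(review): presumably (wire code, simple name, SASL mechanism name, UGI auth
        // method); confirm the argument meanings against RpcAuthMethod.
        super((byte) 82, "token", "DIGEST-MD5", UserGroupInformation.AuthenticationMethod.TOKEN);
    }

    /** Always {@code false} for this method. */
    @Override
    public boolean isProxyAllowed() {
        return false;
    }

    /**
     * Builds the user for an authorized token identifier and attaches the identifier to it.
     *
     * @param str Base64-encoded token identifier
     * @param secretManager secret manager used to instantiate the identifier type
     * @return the user named by the identifier, with the identifier added to it
     * @throws IOException if the identifier cannot be decoded or names no user
     */
    @Override
    public UserGroupInformation getAuthorizedUgi(String str, SecretManager secretManager) throws IOException {
        TokenIdentifier identifier = getIdentifier(str, secretManager);
        UserGroupInformation user = identifier.getUser();
        if (user == null) {
            throw new AccessControlException("Can't retrieve username from tokenIdentifier.");
        }
        user.addTokenIdentifier(identifier);
        return user;
    }

    /** Always {@code true}: this method is negotiated through SASL. */
    @Override
    public boolean isSasl() {
        return true;
    }

    /** Returns the fixed SASL protocol name {@code "default"}. */
    @Override
    public String getProtocol() throws IOException {
        return "default";
    }

    /** Returns an empty server id. */
    @Override
    public String getServerId() throws IOException {
        return "";
    }

    /**
     * Creates the SASL client for the token stored under {@code SaslRpcServer.SASL_AUTH_TOKEN}.
     *
     * @param map SASL properties; must contain the token to authenticate with
     * @return the SASL client as returned by {@link Sasl#createSaslClient}
     * @throws IOException if no token is present in {@code map} or SASL client creation fails
     */
    @Override
    public SaslClient createSaslClient(Map<String, Object> map) throws IOException {
        @SuppressWarnings("unchecked") // the map is untyped; the entry is stored by the caller
        Token<? extends TokenIdentifier> token = (Token<? extends TokenIdentifier>) map.get(SaslRpcServer.SASL_AUTH_TOKEN);
        if (token == null) {
            // Report the missing credential explicitly instead of failing with an NPE below.
            throw new AccessControlException("No token supplied for DIGEST authentication.");
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Creating SASL " + this.mechanismName + " client to authenticate to service at " + token.getService());
        }
        return Sasl.createSaslClient(new String[]{this.mechanismName}, (String) null, (String) null, "default", map, new SaslClientCallbackHandler(token));
    }

    /**
     * Creates the SASL server backed by the secret manager stored under
     * {@code SaslRpcServer.SASL_AUTH_SECRET_MANAGER}.
     *
     * @param connection connection whose {@code attemptingUser} is updated during the handshake
     * @param map SASL properties; must contain the secret manager
     * @return the SASL server as returned by {@link Sasl#createSaslServer}
     * @throws IOException if no secret manager is configured or SASL server creation fails
     */
    @Override
    public SaslServer createSaslServer(Server.Connection connection, Map<String, Object> map) throws IOException {
        @SuppressWarnings("unchecked") // the map is untyped; the entry is stored by the caller
        SecretManager<TokenIdentifier> secretManager = (SecretManager<TokenIdentifier>) map.get(SaslRpcServer.SASL_AUTH_SECRET_MANAGER);
        if (secretManager == null) {
            throw new AccessControlException("Server is not configured to do DIGEST authentication.");
        }
        return Sasl.createSaslServer(this.mechanismName, (String) null, "default", map, new SaslDigestCallbackHandler(secretManager, connection));
    }

    /**
     * Base64-encodes a token password for use as the SASL password.
     *
     * <p>The charset is pinned so the result does not depend on the JVM's default charset.
     * The intermediate {@code String} is immutable and cannot be wiped; only the returned
     * array can be cleared by the caller.
     *
     * @param bArr raw token password
     * @return Base64 text of {@code bArr} as characters
     */
    public static char[] encodePassword(byte[] bArr) {
        return new String(Base64.encodeBase64(bArr), StandardCharsets.UTF_8).toCharArray();
    }

    /**
     * Decodes and deserializes a Base64-encoded token identifier.
     *
     * <p>On the server the input originates from the peer before authentication, so every
     * decoding problem visible here is reported as {@link SecretManager.InvalidToken}.
     * NOTE(review): {@code readFields} implementations live outside this file; confirm they
     * report malformed input as {@code IOException} rather than unchecked exceptions.
     *
     * @param str Base64-encoded identifier
     * @param secretManager secret manager that supplies an empty identifier instance
     * @return the populated identifier
     * @throws SecretManager.InvalidToken if {@code str} is {@code null} or cannot be deserialized
     */
    public static <T extends TokenIdentifier> T getIdentifier(String str, SecretManager<T> secretManager) throws SecretManager.InvalidToken {
        if (str == null) {
            throw new SecretManager.InvalidToken("Missing tokenIdentifier");
        }
        byte[] rawIdentifier = decodeIdentifier(str);
        T identifier = secretManager.createIdentifier();
        try {
            identifier.readFields(new DataInputStream(new ByteArrayInputStream(rawIdentifier)));
            return identifier;
        } catch (IOException e) {
            SecretManager.InvalidToken invalid = new SecretManager.InvalidToken("Can't de-serialize tokenIdentifier");
            invalid.initCause(e);
            throw invalid;
        }
    }

    /**
     * Base64-encodes a token identifier for use as the SASL user name.
     *
     * @param bArr serialized token identifier
     * @return Base64 text of {@code bArr}
     */
    public static String encodeIdentifier(byte[] bArr) {
        return new String(Base64.encodeBase64(bArr), StandardCharsets.UTF_8);
    }

    /**
     * Reverses {@link #encodeIdentifier(byte[])}.
     *
     * @param str Base64 text; must not be {@code null}
     * @return the decoded bytes
     */
    public static byte[] decodeIdentifier(String str) {
        return Base64.decodeBase64(str.getBytes(StandardCharsets.UTF_8));
    }
}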
