package org.apache.drill.exec.rpc.security;

import com.google.protobuf.ByteString;
import com.google.protobuf.Internal;
import com.google.protobuf.Internal.EnumLite;
import com.google.protobuf.InvalidProtocolBufferException;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufInputStream;
import java.io.IOException;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.PrivilegedExceptionAction;
import java.util.EnumMap;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.drill.exec.proto.UserBitShared;
import org.apache.drill.exec.rpc.RequestHandler;
import org.apache.drill.exec.rpc.Response;
import org.apache.drill.exec.rpc.ResponseSender;
import org.apache.drill.exec.rpc.RpcException;
import org.apache.drill.exec.rpc.ServerConnection;
import org.apache.drill.exec.rpc.security.SaslProperties;
import org.apache.drill.shaded.guava.com.google.common.base.Preconditions;
import org.apache.drill.shaded.guava.com.google.common.collect.ImmutableMap;
import org.apache.drill.shaded.guava.com.google.common.collect.Maps;
import org.apache.hadoop.security.UserGroupInformation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/drill/exec/rpc/security/ServerAuthenticationHandler.class */
/**
 * Request handler installed on a server-side connection while SASL authentication
 * is still in progress.
 *
 * <p>While installed it refuses every request whose type is not the configured SASL
 * request type, parses incoming {@link UserBitShared.SaslMessage}s, and dispatches
 * them to a {@link SaslResponseProcessor} keyed on the message status. Once the SASL
 * exchange completes and the negotiated properties pass validation, the connection's
 * handler is switched to the wrapped {@code requestHandler}; on any failure a
 * {@code SASL_FAILED} message is sent and an {@link RpcException} is thrown.
 *
 * <p>Note: this listing is decompiled output; the decompiler's own markers have been
 * replaced with documentation, the code itself is unchanged.
 *
 * @param <S> the server connection type
 * @param <T> the enum describing RPC response types
 */
public class ServerAuthenticationHandler<S extends ServerConnection<S>, T extends Internal.EnumLite> implements RequestHandler<S> {
    private static final Logger logger = LoggerFactory.getLogger(ServerAuthenticationHandler.class);
    // Status -> processor dispatch table; populated once in the static initializer below.
    private static final ImmutableMap<UserBitShared.SaslStatus, SaslResponseProcessor> RESPONSE_PROCESSORS;
    // Handler the connection is switched to after successful authentication.
    private final RequestHandler<S> requestHandler;
    // Only requests of this type are accepted until authentication completes.
    private final int saslRequestTypeValue;
    // RPC type used for every SASL response sent back to the client.
    private final T saslResponseType;
    // Pre-built SASL_FAILED reply, shared by all failure paths.
    private static final UserBitShared.SaslMessage SASL_FAILED_MESSAGE;

    /**
     * Handles a client-initiated {@code SASL_FAILED}: logs the event and aborts the
     * exchange by throwing, so the caller's failure path sends the failed reply.
     */
    private static class SaslFailedProcessor implements SaslResponseProcessor {
        private SaslFailedProcessor() {
        }

        @Override
        public <S extends ServerConnection<S>, T extends Internal.EnumLite> void process(SaslResponseContext<S, T> saslResponseContext) throws Exception {
            S s = saslResponseContext.connection;
            ServerAuthenticationHandler.logger.info("Client from {} failed authentication with encryption context:{} graciously, and does not want to continue.", s.getRemoteAddress().toString(), s.getEncryptionCtxtString());
            throw new SaslException(String.format("Client graciously failed authentication. [Details: %s]", s.getEncryptionCtxtString()));
        }
    }

    /**
     * Handles a {@code SASL_IN_PROGRESS} message: feeds the client's response to the
     * connection's {@link SaslServer} and either sends the next challenge or, when the
     * server reports completion, finishes via {@link #handleSuccess}.
     */
    private static class SaslInProgressProcessor implements SaslResponseProcessor {
        private SaslInProgressProcessor() {
        }

        @Override
        public <S extends ServerConnection<S>, T extends Internal.EnumLite> void process(SaslResponseContext<S, T> saslResponseContext) throws Exception {
            UserBitShared.SaslMessage.Builder newBuilder = UserBitShared.SaslMessage.newBuilder();
            SaslServer saslServer = saslResponseContext.connection.getSaslServer();
            byte[] evaluateResponse = ServerAuthenticationHandler.evaluateResponse(saslServer, saslResponseContext.saslResponse.getData().toByteArray());
            if (!saslServer.isComplete()) {
                // NOTE(review): the challenge is copied without a null check in this branch
                // (the null check only appears in the completed branch below). The JDK
                // SaslServer contract allows evaluateResponse to return null — confirm the
                // mechanisms in use never do so while the exchange is still in progress.
                newBuilder.setStatus(UserBitShared.SaslStatus.SASL_IN_PROGRESS).setData(ByteString.copyFrom(evaluateResponse));
                saslResponseContext.sender.send(new Response(saslResponseContext.saslResponseType, newBuilder.build(), new ByteBuf[0]));
            } else {
                newBuilder.setStatus(UserBitShared.SaslStatus.SASL_SUCCESS);
                if (evaluateResponse != null) {
                    newBuilder.setData(ByteString.copyFrom(evaluateResponse));
                }
                ServerAuthenticationHandler.handleSuccess(saslResponseContext, newBuilder, saslServer);
            }
        }
    }

    /**
     * Immutable bundle of everything a {@link SaslResponseProcessor} needs for one
     * message: the parsed message, the connection, the reply sender, the post-auth
     * handler and the response type. All fields are non-null by construction.
     *
     * @param <S> the server connection type
     * @param <T> the enum describing RPC response types
     */
    public static class SaslResponseContext<S extends ServerConnection<S>, T extends Internal.EnumLite> {
        final UserBitShared.SaslMessage saslResponse;
        final S connection;
        final ResponseSender sender;
        final RequestHandler<S> requestHandler;
        final T saslResponseType;

        /**
         * @throws NullPointerException if any argument is null
         */
        SaslResponseContext(UserBitShared.SaslMessage saslMessage, S s, ResponseSender responseSender, RequestHandler<S> requestHandler, T t) {
            this.saslResponse = (UserBitShared.SaslMessage) Preconditions.checkNotNull(saslMessage);
            this.connection = (S) Preconditions.checkNotNull(s);
            this.sender = (ResponseSender) Preconditions.checkNotNull(responseSender);
            this.requestHandler = (RequestHandler) Preconditions.checkNotNull(requestHandler);
            this.saslResponseType = (T) Preconditions.checkNotNull(t);
        }
    }

    /**
     * Strategy for one {@link UserBitShared.SaslStatus} value. Any exception thrown
     * from {@link #process} is routed by {@link #handle} to {@link #handleAuthFailure}.
     */
    private interface SaslResponseProcessor {
        <S extends ServerConnection<S>, T extends Internal.EnumLite> void process(SaslResponseContext<S, T> saslResponseContext) throws Exception;
    }

    /**
     * Handles {@code SASL_START}: creates the connection's {@link SaslServer} for the
     * mechanism the client named, then treats the same message as an in-progress
     * response so the first challenge/response round is evaluated immediately.
     */
    private static class SaslStartProcessor implements SaslResponseProcessor {
        private SaslStartProcessor() {
        }

        @Override
        public <S extends ServerConnection<S>, T extends Internal.EnumLite> void process(SaslResponseContext<S, T> saslResponseContext) throws Exception {
            // The mechanism name is client-supplied; initSaslServer is expected to reject
            // anything not configured (it is not validated here).
            saslResponseContext.connection.initSaslServer(saslResponseContext.saslResponse.getMechanism());
            ((SaslResponseProcessor) ServerAuthenticationHandler.RESPONSE_PROCESSORS.get(UserBitShared.SaslStatus.SASL_IN_PROGRESS)).process(saslResponseContext);
        }
    }

    /**
     * Handles a client-sent {@code SASL_SUCCESS}: evaluates the final response and
     * requires the server side to also report completion. A client claiming success
     * while the server is not complete is treated as an authentication failure rather
     * than trusted.
     */
    private static class SaslSuccessProcessor implements SaslResponseProcessor {
        private SaslSuccessProcessor() {
        }

        @Override
        public <S extends ServerConnection<S>, T extends Internal.EnumLite> void process(SaslResponseContext<S, T> saslResponseContext) throws Exception {
            SaslServer saslServer = saslResponseContext.connection.getSaslServer();
            ServerAuthenticationHandler.evaluateResponse(saslServer, saslResponseContext.saslResponse.getData().toByteArray());
            if (!saslServer.isComplete()) {
                // Server-side completion is authoritative; the client's status is not.
                S s = saslResponseContext.connection;
                ServerAuthenticationHandler.logger.info("Failed to authenticate client from {} with encryption context:{}", s.getRemoteAddress().toString(), s.getEncryptionCtxtString());
                throw new SaslException(String.format("Client allegedly succeeded authentication but server did not. Suspicious? [Details: %s]", s.getEncryptionCtxtString()));
            }
            UserBitShared.SaslMessage.Builder newBuilder = UserBitShared.SaslMessage.newBuilder();
            newBuilder.setStatus(UserBitShared.SaslStatus.SASL_SUCCESS);
            ServerAuthenticationHandler.handleSuccess(saslResponseContext, newBuilder, saslServer);
        }
    }

    /**
     * @param requestHandler handler to install on the connection once authenticated
     * @param i              RPC type value of the SASL request; all other types are rejected
     * @param t              RPC type used for SASL responses
     */
    public ServerAuthenticationHandler(RequestHandler<S> requestHandler, int i, T t) {
        this.requestHandler = requestHandler;
        this.saslRequestTypeValue = i;
        this.saslResponseType = t;
    }

    /**
     * Entry point for every request received while this handler is installed.
     *
     * <p>Rejects any request whose type is not the SASL request type, otherwise parses
     * the protobuf body, looks up the processor for the message status and runs it.
     * Unknown statuses, parse failures and processor exceptions all end in
     * {@link #handleAuthFailure}, which sends {@code SASL_FAILED} and throws.
     *
     * @param s              the connection the request arrived on
     * @param i              the RPC type of the request
     * @param byteBuf        protobuf-encoded {@link UserBitShared.SaslMessage}
     * @param byteBuf2       data body; not read by this handler
     * @param responseSender used to send the SASL reply
     * @throws RpcException on a non-SASL request before authentication, or on any
     *                      authentication failure
     */
    public void handle(S s, int i, ByteBuf byteBuf, ByteBuf byteBuf2, ResponseSender responseSender) throws RpcException {
        String obj = s.getRemoteAddress().toString();
        if (this.saslRequestTypeValue != i) {
            throw new RpcException(String.format("Request of type %d is not allowed without authentication. Client on %s must authenticate before making requests. Connection dropped. [Details: %s]", Integer.valueOf(i), obj, s.getEncryptionCtxtString()));
        }
        try {
            UserBitShared.SaslMessage saslMessage = (UserBitShared.SaslMessage) UserBitShared.SaslMessage.PARSER.parseFrom(new ByteBufInputStream(byteBuf));
            logger.trace("Received SASL message {} from {}", saslMessage.getStatus(), obj);
            SaslResponseProcessor saslResponseProcessor = (SaslResponseProcessor) RESPONSE_PROCESSORS.get(saslMessage.getStatus());
            if (saslResponseProcessor == null) {
                logger.info("Unknown message type from client from {}. Will stop authentication.", obj);
                handleAuthFailure(s, responseSender, new SaslException("Received unexpected message"), this.saslResponseType);
            } else {
                try {
                    saslResponseProcessor.process(new SaslResponseContext<>(saslMessage, s, responseSender, this.requestHandler, this.saslResponseType));
                } catch (Exception e) {
                    handleAuthFailure(s, responseSender, e, this.saslResponseType);
                }
            }
        } catch (InvalidProtocolBufferException e2) {
            handleAuthFailure(s, responseSender, e2, this.saslResponseType);
        }
    }

    /**
     * Evaluates one client response against the {@link SaslServer}, running it as the
     * Hadoop login user (needed for mechanisms that consult the login subject's
     * credentials).
     *
     * @param saslServer the server-side SASL state for this connection
     * @param bArr       the client's response bytes
     * @return the next challenge; may be null (see {@link SaslServer#evaluateResponse})
     * @throws SaslException the original exception when the mechanism itself failed,
     *                       otherwise a wrapper naming the mechanism, with the cause kept
     */
    public static byte[] evaluateResponse(final SaslServer saslServer, final byte[] bArr) throws SaslException {
        try {
            return (byte[]) UserGroupInformation.getLoginUser().doAs(new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws Exception {
                    return saslServer.evaluateResponse(bArr);
                }
            });
        } catch (IOException | InterruptedException e) {
            // SaslException is an IOException; rethrow it unchanged so callers see the
            // mechanism's own failure rather than a generic wrapper.
            if (e instanceof SaslException) {
                throw e;
            }
            throw new SaslException(String.format("Unexpected failure trying to authenticate using %s", saslServer.getMechanismName()), e);
        } catch (UndeclaredThrowableException e2) {
            // doAs wraps checked exceptions the action did not declare; unwrap to the real cause.
            throw new SaslException(String.format("Unexpected failure trying to authenticate using %s", saslServer.getMechanismName()), e2.getCause());
        }
    }

    /**
     * Completes authentication on a connection whose {@link SaslServer} reports
     * completion: switches the connection to the real request handler, finalizes the
     * SASL session, validates the negotiated QOP (and, with encryption, the raw send
     * size) against what this server expects, sends the success reply and finally
     * installs the wrap/unwrap handlers or disposes the SASL server.
     *
     * <p>NOTE(review): the handler swap and session finalization happen before the
     * negotiated-property checks. A check failure propagates to {@link #handle}, which
     * routes it to {@link #handleAuthFailure} and throws {@link RpcException}; confirm
     * the caller drops the connection on that exception so the already-installed
     * handler never serves a request.
     *
     * @param saslResponseContext the context for the completing message
     * @param builder             a builder already carrying {@code SASL_SUCCESS}
     * @param saslServer          the completed SASL server
     * @throws SaslException if the negotiated QOP differs from the expected one, if the
     *                       negotiated raw send size is not positive, or if a negotiated
     *                       property is missing or malformed
     * @throws IOException   propagated from sending the response
     */
    public static <S extends ServerConnection<S>, T extends Internal.EnumLite> void handleSuccess(SaslResponseContext<S, T> saslResponseContext, UserBitShared.SaslMessage.Builder builder, SaslServer saslServer) throws IOException {
        S s = saslResponseContext.connection;
        s.changeHandlerTo(saslResponseContext.requestHandler);
        s.finalizeSaslSession();
        try {
            // The client may propose any QOP; only the value this server expects is accepted.
            String obj = saslServer.getNegotiatedProperty("javax.security.sasl.qop").toString();
            String saslQop = s.isEncryptionEnabled() ? SaslProperties.QualityOfProtection.PRIVACY.getSaslQop() : SaslProperties.QualityOfProtection.AUTHENTICATION.getSaslQop();
            if (!obj.equals(saslQop)) {
                throw new SaslException(String.format("Mismatch in negotiated QOP value: %s and Expected QOP value: %s", obj, saslQop));
            }
            if (s.isEncryptionEnabled()) {
                // rawsendsize bounds each wrapped frame; a non-positive value would make wrapping impossible.
                int parseInt = Integer.parseInt(saslServer.getNegotiatedProperty("javax.security.sasl.rawsendsize").toString());
                if (parseInt <= 0) {
                    throw new SaslException(String.format("Negotiated rawSendSize: %d is invalid. Please check the configured value of encryption.sasl.max_wrapped_size. It might be configured to a very small value.", Integer.valueOf(parseInt)));
                }
                s.setWrapSizeLimit(parseInt);
            }
            if (logger.isTraceEnabled()) {
                logger.trace("Authenticated {} successfully using {} from {} with encryption context {}", new Object[]{saslServer.getAuthorizationID(), saslServer.getMechanismName(), s.getRemoteAddress().toString(), s.getEncryptionCtxtString()});
            }
            // The success reply goes out unwrapped; security handlers are added only after it.
            saslResponseContext.sender.send(new Response(saslResponseContext.saslResponseType, builder.build(), new ByteBuf[0]));
            if (s.isEncryptionEnabled()) {
                s.addSecurityHandlers();
            } else {
                // Without encryption the SaslServer has no further role once authenticated.
                s.disposeSaslServer();
            }
        } catch (IllegalStateException | NumberFormatException e) {
            // getNegotiatedProperty may throw IllegalStateException; a null property would
            // also surface as an NPE here, which is not caught — keep the cause attached.
            throw new SaslException(String.format("Unexpected failure while retrieving negotiated property values (%s)", e.getMessage()), e);
        }
    }

    /**
     * Common failure path: logs the reason at debug level, sends a {@code SASL_FAILED}
     * reply and throws so the RPC layer stops processing the connection.
     *
     * <p>NOTE(review): {@code s.getSaslServer()} is dereferenced in the log call. For
     * failures that occur before {@code initSaslServer} (a parse error or unknown status
     * in {@link #handle}), confirm the connection returns a non-null server, otherwise
     * this would fail with an NPE and mask the original exception.
     *
     * @param s              the connection being failed
     * @param responseSender used to send the failed reply
     * @param exc            the underlying failure, kept as the cause
     * @param t              RPC type for the reply
     * @throws RpcException always, wrapping {@code exc}
     */
    private static <S extends ServerConnection<S>, T extends Internal.EnumLite> void handleAuthFailure(S s, ResponseSender responseSender, Exception exc, T t) throws RpcException {
        logger.debug("Authentication using mechanism {} with encryption context {} failed from client {} due to {}", new Object[]{s.getSaslServer().getMechanismName(), s.getEncryptionCtxtString(), s.getRemoteAddress().toString(), exc});
        responseSender.send(new Response(t, SASL_FAILED_MESSAGE, new ByteBuf[0]));
        throw new RpcException(exc);
    }

    // Build the status -> processor table once; statuses not listed here (e.g. UNKNOWN)
    // resolve to null in handle() and are treated as an authentication failure.
    static {
        EnumMap enumMap = new EnumMap(UserBitShared.SaslStatus.class);
        enumMap.put((EnumMap) UserBitShared.SaslStatus.SASL_START, (UserBitShared.SaslStatus) new SaslStartProcessor());
        enumMap.put((EnumMap) UserBitShared.SaslStatus.SASL_IN_PROGRESS, (UserBitShared.SaslStatus) new SaslInProgressProcessor());
        enumMap.put((EnumMap) UserBitShared.SaslStatus.SASL_SUCCESS, (UserBitShared.SaslStatus) new SaslSuccessProcessor());
        enumMap.put((EnumMap) UserBitShared.SaslStatus.SASL_FAILED, (UserBitShared.SaslStatus) new SaslFailedProcessor());
        RESPONSE_PROCESSORS = Maps.immutableEnumMap(enumMap);
        SASL_FAILED_MESSAGE = UserBitShared.SaslMessage.newBuilder().setStatus(UserBitShared.SaslStatus.SASL_FAILED).build();
    }
}
