package org.apache.hadoop.security;

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.List;
import java.util.Map;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.io.WritableUtils;
import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.rpcauth.FatalAccessControlException;
import org.apache.hadoop.security.rpcauth.RetryWithNextAuthException;
import org.apache.hadoop.security.rpcauth.RpcAuthMethod;
import org.apache.hadoop.security.rpcauth.RpcAuthRegistry;

/* loaded from: input_file:org/apache/hadoop/security/SaslRpcClient.class */
public class SaslRpcClient {
    public static final Log LOG = LogFactory.getLog(SaslRpcClient.class);
    private final boolean fallbackAllowed;
    private SaslClient saslClient;
    private RpcAuthMethod authMethod;
    private final Map<String, Object> saslProperties;
    private boolean shouldRetry;
    private List<RpcAuthMethod> authMethodList;

    public SaslRpcClient(List<RpcAuthMethod> list, RpcAuthMethod rpcAuthMethod, Map<String, Object> map, boolean z) throws IOException {
        this.fallbackAllowed = z;
        this.authMethod = rpcAuthMethod;
        this.authMethodList = list;
        this.saslProperties = map;
        createSaslClient();
    }

    public boolean saslConnect(InputStream inputStream, OutputStream outputStream) throws IOException {
        DataInputStream dataInputStream = new DataInputStream(new BufferedInputStream(inputStream));
        DataOutputStream dataOutputStream = new DataOutputStream(new BufferedOutputStream(outputStream));
        try {
            byte[] bArr = new byte[0];
            if (this.saslClient.hasInitialResponse()) {
                bArr = this.saslClient.evaluateChallenge(bArr);
            }
            sendSaslToken(dataOutputStream, bArr);
            if (!this.saslClient.isComplete()) {
                try {
                    readStatus(dataInputStream);
                    int readInt = dataInputStream.readInt();
                    if (readInt == -88) {
                        if (!this.fallbackAllowed) {
                            throw new FatalAccessControlException("Server asks us to fall back to SIMPLE auth, but this client is configured to only allow secure connections.");
                        }
                        LOG.debug("Server asks us to fall back to simple auth.");
                        this.saslClient.dispose();
                        return false;
                    }
                    if (readInt == -87) {
                        negotiateSaslAuth(dataInputStream);
                    } else {
                        if (readInt <= 0) {
                            throw new IOException("Unexpected SASL token lenght = " + readInt + " received from the server.");
                        }
                        bArr = new byte[readInt];
                        if (LOG.isDebugEnabled()) {
                            LOG.debug("Will read input token of size " + bArr.length + " for processing by initSASLContext");
                        }
                        dataInputStream.readFully(bArr);
                    }
                } catch (Exception e) {
                    throw new FatalAccessControlException("Sasl connection failed. This could result from incorrect JAAS configuration.", e);
                }
            }
            while (!this.saslClient.isComplete()) {
                sendSaslToken(dataOutputStream, this.saslClient.evaluateChallenge(bArr));
                bArr = receiveSaslToken(dataInputStream);
            }
            if (!LOG.isDebugEnabled()) {
                return true;
            }
            LOG.debug("SASL client context established. Negotiated QoP: " + this.saslClient.getNegotiatedProperty("javax.security.sasl.qop"));
            return true;
        } catch (IOException e2) {
            try {
                this.saslClient.dispose();
            } catch (SaslException e3) {
            }
            throw e2;
        }
    }

    public boolean shouldRetry() {
        return this.shouldRetry;
    }

    private void createSaslClient() throws IOException {
        if (!this.authMethod.isSasl()) {
            throw new IOException(this.authMethod + " does not support SASL authentication.");
        }
        this.saslClient = this.authMethod.createSaslClient(this.saslProperties);
    }

    private static void readStatus(DataInputStream dataInputStream) throws IOException {
        if (dataInputStream.readInt() != SaslRpcServer.SaslStatus.SUCCESS.state) {
            throw new RemoteException(WritableUtils.readString(dataInputStream), WritableUtils.readString(dataInputStream));
        }
    }

    private void sendSaslToken(DataOutputStream dataOutputStream, byte[] bArr) throws IOException {
        if (bArr != null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Will send token of size " + bArr.length + " from initSASLContext.");
            }
            dataOutputStream.writeInt(bArr.length);
            dataOutputStream.write(bArr, 0, bArr.length);
            dataOutputStream.flush();
            if (LOG.isDebugEnabled()) {
                LOG.debug("Have sent token of size " + bArr.length + " from initSASLContext.");
            }
        }
    }

    private byte[] receiveSaslToken(DataInputStream dataInputStream) throws IOException {
        if (this.saslClient.isComplete()) {
            return new byte[0];
        }
        readStatus(dataInputStream);
        byte[] bArr = new byte[dataInputStream.readInt()];
        if (LOG.isDebugEnabled()) {
            LOG.debug("Will read input token of size " + bArr.length + " for processing by initSASLContext");
        }
        dataInputStream.readFully(bArr);
        return bArr;
    }

    private void negotiateSaslAuth(DataInputStream dataInputStream) throws IOException {
        int read = (byte) dataInputStream.read();
        byte[] bArr = new byte[read];
        for (int i = 0; i < read; i++) {
            bArr[i] = (byte) dataInputStream.read();
        }
        this.shouldRetry = true;
        for (RpcAuthMethod rpcAuthMethod : this.authMethodList) {
            for (byte b : bArr) {
                RpcAuthMethod authMethod = RpcAuthRegistry.getAuthMethod(b);
                if (authMethod != null && authMethod.isNegotiable() && rpcAuthMethod.getAuthCode() == b) {
                    LOG.info("Negotiated authentication method: " + rpcAuthMethod);
                    throw new RetryWithNextAuthException(rpcAuthMethod);
                }
            }
        }
        this.shouldRetry = false;
        throw new FatalAccessControlException(String.format("Client's configured authentication methods %s did not match Server's %s", this.authMethodList, RpcAuthRegistry.getAuthMethodList(bArr)));
    }

    public InputStream getInputStream(InputStream inputStream) throws IOException {
        if (this.saslClient.isComplete()) {
            return new SaslInputStream(inputStream, this.saslClient);
        }
        throw new IOException("Sasl authentication exchange hasn't completed yet");
    }

    public OutputStream getOutputStream(OutputStream outputStream) throws IOException {
        if (this.saslClient.isComplete()) {
            return new SaslOutputStream(outputStream, this.saslClient);
        }
        throw new IOException("Sasl authentication exchange hasn't completed yet");
    }

    public void dispose() throws SaslException {
        this.saslClient.dispose();
    }
}
