package org.apache.hadoop.hdfs.protocol.datatransfer.sasl;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.ArrayList;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.SaslException;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.CipherOption;
import org.apache.hadoop.hdfs.net.Peer;
import org.apache.hadoop.hdfs.protocol.DatanodeID;
import org.apache.hadoop.hdfs.protocol.datatransfer.IOStreamPair;
import org.apache.hadoop.hdfs.protocol.datatransfer.InvalidEncryptionKeyException;
import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataTransferSaslUtil;
import org.apache.hadoop.hdfs.protocol.proto.DataTransferProtos;
import org.apache.hadoop.hdfs.security.token.block.BlockPoolTokenSecretManager;
import org.apache.hadoop.hdfs.security.token.block.BlockTokenIdentifier;
import org.apache.hadoop.hdfs.security.token.block.InvalidBlockTokenException;
import org.apache.hadoop.hdfs.server.datanode.DNConf;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.thirdparty.com.google.common.annotations.VisibleForTesting;
import org.apache.hadoop.thirdparty.com.google.common.base.Charsets;
import org.apache.hadoop.thirdparty.com.google.common.collect.Lists;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@InterfaceAudience.Private
/* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-3.3.4.206-eep-911.jar:org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer.class */
public class SaslDataTransferServer {
    private static final Logger LOG;
    private final BlockPoolTokenSecretManager blockPoolTokenSecretManager;
    private final DNConf dnConf;
    private String negotiatedQOP;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-3.3.4.206-eep-911.jar:org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer$PasswordFunction.class */
    public interface PasswordFunction {
        char[] apply(String str) throws IOException;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/hadoop-hdfs-3.3.4.206-eep-911.jar:org/apache/hadoop/hdfs/protocol/datatransfer/sasl/SaslDataTransferServer$SaslServerCallbackHandler.class */
    public static final class SaslServerCallbackHandler implements CallbackHandler {
        private final PasswordFunction passwordFunction;

        public SaslServerCallbackHandler(PasswordFunction passwordFunction) {
            this.passwordFunction = passwordFunction;
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            NameCallback nameCallback = null;
            PasswordCallback passwordCallback = null;
            AuthorizeCallback authorizeCallback = null;
            for (Callback callback : callbackArr) {
                if (callback instanceof AuthorizeCallback) {
                    authorizeCallback = (AuthorizeCallback) callback;
                } else if (callback instanceof PasswordCallback) {
                    passwordCallback = (PasswordCallback) callback;
                } else if (callback instanceof NameCallback) {
                    nameCallback = (NameCallback) callback;
                } else if (!(callback instanceof RealmCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL DIGEST-MD5 Callback: " + callback);
                }
            }
            if (passwordCallback != null) {
                passwordCallback.setPassword(this.passwordFunction.apply(nameCallback.getDefaultName()));
            }
            if (authorizeCallback != null) {
                authorizeCallback.setAuthorized(true);
                authorizeCallback.setAuthorizedID(authorizeCallback.getAuthorizationID());
            }
        }
    }

    public SaslDataTransferServer(DNConf dNConf, BlockPoolTokenSecretManager blockPoolTokenSecretManager) {
        this.blockPoolTokenSecretManager = blockPoolTokenSecretManager;
        this.dnConf = dNConf;
    }

    public IOStreamPair receive(Peer peer, OutputStream outputStream, InputStream inputStream, int i, DatanodeID datanodeID) throws IOException {
        if (this.dnConf.getEncryptDataTransfer()) {
            LOG.debug("SASL server doing encrypted handshake for peer = {}, datanodeId = {}", peer, datanodeID);
            return getEncryptedStreams(peer, outputStream, inputStream);
        }
        if (!UserGroupInformation.isSecurityEnabled()) {
            LOG.debug("SASL server skipping handshake in unsecured configuration for peer = {}, datanodeId = {}", peer, datanodeID);
            return new IOStreamPair(inputStream, outputStream);
        }
        if (SecurityUtil.isPrivilegedPort(i)) {
            LOG.debug("SASL server skipping handshake in secured configuration for peer = {}, datanodeId = {}", peer, datanodeID);
            return new IOStreamPair(inputStream, outputStream);
        }
        if (this.dnConf.getSaslPropsResolver() != null) {
            LOG.debug("SASL server doing general handshake for peer = {}, datanodeId = {}", peer, datanodeID);
            return getSaslStreams(peer, outputStream, inputStream);
        }
        if (!this.dnConf.getIgnoreSecurePortsForTesting()) {
            throw new IOException(String.format("Cannot create a secured connection if DataNode listens on unprivileged port (%d) and no protection is defined in configuration property %s.", Integer.valueOf(datanodeID.getXferPort()), "dfs.data.transfer.protection"));
        }
        LOG.debug("SASL server skipping handshake in secured configuration with no SASL protection configured for peer = {}, datanodeId = {}", peer, datanodeID);
        return new IOStreamPair(inputStream, outputStream);
    }

    private IOStreamPair getEncryptedStreams(Peer peer, OutputStream outputStream, InputStream inputStream) throws IOException {
        if (peer.hasSecureChannel() || this.dnConf.getTrustedChannelResolver().isTrusted(DataTransferSaslUtil.getPeerAddress(peer))) {
            return new IOStreamPair(inputStream, outputStream);
        }
        Map<String, String> createSaslPropertiesForEncryption = DataTransferSaslUtil.createSaslPropertiesForEncryption(this.dnConf.getEncryptionAlgorithm());
        if (LOG.isDebugEnabled()) {
            LOG.debug("Server using encryption algorithm " + this.dnConf.getEncryptionAlgorithm());
        }
        return doSaslHandshake(peer, outputStream, inputStream, createSaslPropertiesForEncryption, new SaslServerCallbackHandler(new PasswordFunction() { // from class: org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferServer.1
            @Override // org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferServer.PasswordFunction
            public char[] apply(String str) throws IOException {
                return DataTransferSaslUtil.encryptionKeyToPassword(SaslDataTransferServer.this.getEncryptionKeyFromUserName(str));
            }
        }));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public byte[] getEncryptionKeyFromUserName(String str) throws IOException {
        String[] split = str.split(" ");
        if (split.length != 3) {
            throw new IOException("Provided name '" + str + "' has " + split.length + " components instead of the expected 3.");
        }
        return this.blockPoolTokenSecretManager.retrieveDataEncryptionKey(Integer.parseInt(split[0]), split[1], Base64.decodeBase64(split[2]));
    }

    private IOStreamPair getSaslStreams(Peer peer, OutputStream outputStream, InputStream inputStream) throws IOException {
        return (peer.hasSecureChannel() || this.dnConf.getTrustedChannelResolver().isTrusted(DataTransferSaslUtil.getPeerAddress(peer))) ? new IOStreamPair(inputStream, outputStream) : doSaslHandshake(peer, outputStream, inputStream, this.dnConf.getSaslPropsResolver().getServerProperties(DataTransferSaslUtil.getPeerAddress(peer)), new SaslServerCallbackHandler(new PasswordFunction() { // from class: org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferServer.2
            @Override // org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferServer.PasswordFunction
            public char[] apply(String str) throws IOException {
                return SaslDataTransferServer.this.buildServerPassword(str);
            }
        }));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public char[] buildServerPassword(String str) throws IOException {
        return new String(Base64.encodeBase64(this.blockPoolTokenSecretManager.retrievePassword(deserializeIdentifier(str)), false), Charsets.UTF_8).toCharArray();
    }

    private BlockTokenIdentifier deserializeIdentifier(String str) throws IOException {
        BlockTokenIdentifier blockTokenIdentifier = new BlockTokenIdentifier();
        blockTokenIdentifier.readFields(new DataInputStream(new ByteArrayInputStream(Base64.decodeBase64(str))));
        return blockTokenIdentifier;
    }

    @VisibleForTesting
    public String getNegotiatedQOP() {
        return this.negotiatedQOP;
    }

    private IOStreamPair doSaslHandshake(Peer peer, OutputStream outputStream, InputStream inputStream, Map<String, String> map, CallbackHandler callbackHandler) throws IOException {
        DataInputStream dataInputStream = new DataInputStream(inputStream);
        DataOutputStream dataOutputStream = new DataOutputStream(outputStream);
        int readInt = dataInputStream.readInt();
        if (readInt != -559038737) {
            throw new InvalidMagicNumberException(readInt, this.dnConf.getEncryptDataTransfer());
        }
        try {
            DataTransferSaslUtil.SaslMessageWithHandshake readSaslMessageWithHandshakeSecret = DataTransferSaslUtil.readSaslMessageWithHandshakeSecret(dataInputStream);
            byte[] secret = readSaslMessageWithHandshakeSecret.getSecret();
            String bpid = readSaslMessageWithHandshakeSecret.getBpid();
            if (secret != null || bpid != null) {
                if (!$assertionsDisabled && (secret == null || bpid == null)) {
                    throw new AssertionError();
                }
                map.put("javax.security.sasl.qop", new String(secret, Charsets.UTF_8));
            }
            SaslParticipant createServerSaslParticipant = SaslParticipant.createServerSaslParticipant(map, callbackHandler);
            DataTransferSaslUtil.sendSaslMessage(dataOutputStream, createServerSaslParticipant.evaluateChallengeOrResponse(readSaslMessageWithHandshakeSecret.getPayload()));
            ArrayList newArrayList = Lists.newArrayList();
            byte[] evaluateChallengeOrResponse = createServerSaslParticipant.evaluateChallengeOrResponse(DataTransferSaslUtil.readSaslMessageAndNegotiationCipherOptions(dataInputStream, newArrayList));
            DataTransferSaslUtil.checkSaslComplete(createServerSaslParticipant, map);
            CipherOption cipherOption = null;
            this.negotiatedQOP = createServerSaslParticipant.getNegotiatedQop();
            if (createServerSaslParticipant.isNegotiatedQopPrivacy()) {
                Configuration conf = this.dnConf.getConf();
                cipherOption = DataTransferSaslUtil.negotiateCipherOption(conf, newArrayList);
                if (LOG.isDebugEnabled()) {
                    if (cipherOption == null) {
                        String str = conf.get("dfs.encrypt.data.transfer.cipher.suites");
                        if (str != null && !str.isEmpty()) {
                            LOG.debug("Server accepts cipher suites {}, but client {} does not accept any of them", str, peer.getRemoteAddressString());
                        }
                    } else {
                        LOG.debug("Server using cipher suite {} with client {}", cipherOption.getCipherSuite().getName(), peer.getRemoteAddressString());
                    }
                }
            }
            DataTransferSaslUtil.sendSaslMessageAndNegotiatedCipherOption(dataOutputStream, evaluateChallengeOrResponse, DataTransferSaslUtil.wrap(cipherOption, createServerSaslParticipant));
            return cipherOption != null ? DataTransferSaslUtil.createStreamPair(this.dnConf.getConf(), cipherOption, outputStream, inputStream, true) : createServerSaslParticipant.createStreamPair(dataOutputStream, dataInputStream);
        } catch (IOException e) {
            if ((e instanceof SaslException) && e.getCause() != null && (e.getCause() instanceof InvalidEncryptionKeyException)) {
                sendInvalidKeySaslErrorMessage(dataOutputStream, e.getCause().getMessage());
            } else if ((e instanceof SaslException) && e.getCause() != null && ((e.getCause() instanceof InvalidBlockTokenException) || (e.getCause() instanceof SecretManager.InvalidToken))) {
                sendInvalidTokenSaslErrorMessage(dataOutputStream, e.getCause().getMessage());
            } else {
                DataTransferSaslUtil.sendGenericSaslErrorMessage(dataOutputStream, e.getMessage());
            }
            throw e;
        }
    }

    private static void sendInvalidKeySaslErrorMessage(DataOutputStream dataOutputStream, String str) throws IOException {
        DataTransferSaslUtil.sendSaslMessage(dataOutputStream, DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR_UNKNOWN_KEY, null, str);
    }

    private static void sendInvalidTokenSaslErrorMessage(DataOutputStream dataOutputStream, String str) throws IOException {
        DataTransferSaslUtil.sendSaslMessage(dataOutputStream, DataTransferProtos.DataTransferEncryptorMessageProto.DataTransferEncryptorStatus.ERROR, null, str, null, true);
    }

    static {
        $assertionsDisabled = !SaslDataTransferServer.class.desiredAssertionStatus();
        LOG = LoggerFactory.getLogger((Class<?>) SaslDataTransferServer.class);
    }
}
