package org.apache.pulsar.broker.authentication;

import com.google.common.base.Preconditions;
import com.google.common.collect.Maps;
import java.io.IOException;
import java.net.SocketAddress;
import java.util.Base64;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.naming.AuthenticationException;
import javax.net.ssl.SSLSession;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.pulsar.broker.ServiceConfiguration;
import org.apache.pulsar.broker.authentication.PulsarSaslServer;
import org.apache.pulsar.broker.authentication.metrics.AuthenticationMetrics;
import org.apache.pulsar.broker.web.AuthenticationFilter;
import org.apache.pulsar.common.api.AuthData;
import org.apache.pulsar.common.sasl.JAASCredentialsContainer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/broker/authentication/AuthenticationProviderSasl.class */
public class AuthenticationProviderSasl implements AuthenticationProvider {
    private static final Logger log = LoggerFactory.getLogger(AuthenticationProviderSasl.class);
    private Pattern allowedIdsPattern;
    private Map<String, String> configuration;
    private JAASCredentialsContainer jaasCredentialsContainer;
    private String loginContextName;
    private static final long SASL_ROLE_TOKEN_LIVE_SECONDS = 3600;
    private SaslRoleTokenSigner signer;
    private ConcurrentHashMap<Long, AuthenticationState> authStates = new ConcurrentHashMap<>();

    public void initialize(ServiceConfiguration serviceConfiguration) throws IOException {
        this.configuration = Maps.newHashMap();
        String saslJaasClientAllowedIds = serviceConfiguration.getSaslJaasClientAllowedIds();
        this.configuration.put("saslJaasClientAllowedIds", saslJaasClientAllowedIds);
        this.configuration.put("saslJaasServerSectionName", serviceConfiguration.getSaslJaasServerSectionName());
        this.configuration.put("kerberos.kinit", serviceConfiguration.getKinitCommand());
        try {
            this.allowedIdsPattern = Pattern.compile(saslJaasClientAllowedIds);
            this.loginContextName = serviceConfiguration.getSaslJaasServerSectionName();
            if (this.jaasCredentialsContainer == null) {
                log.info("JAAS loginContext is: {}.", this.loginContextName);
                try {
                    this.jaasCredentialsContainer = new JAASCredentialsContainer(this.loginContextName, new PulsarSaslServer.SaslServerCallbackHandler(this.allowedIdsPattern), this.configuration);
                } catch (LoginException e) {
                    log.error("JAAS login in broker failed", e);
                    throw new IOException(e);
                }
            }
            this.signer = new SaslRoleTokenSigner(Long.toString(new Random().nextLong()).getBytes());
        } catch (PatternSyntaxException e2) {
            log.error("Invalid regular expression for id " + saslJaasClientAllowedIds, e2);
            throw new IOException(e2);
        }
    }

    public String authenticate(AuthenticationDataSource authenticationDataSource) throws AuthenticationException {
        try {
            if (!(authenticationDataSource instanceof SaslAuthenticationDataSource)) {
                throw new AuthenticationException("Not support authDataSource type, expect sasl.");
            }
            AuthenticationMetrics.authenticateSuccess(getClass().getSimpleName(), getAuthMethodName());
            return ((SaslAuthenticationDataSource) authenticationDataSource).getAuthorizationID();
        } catch (AuthenticationException e) {
            AuthenticationMetrics.authenticateFailure(getClass().getSimpleName(), getAuthMethodName(), e.getMessage());
            throw e;
        }
    }

    public String getAuthMethodName() {
        return "sasl";
    }

    public void close() throws IOException {
    }

    public AuthenticationState newAuthState(AuthData authData, SocketAddress socketAddress, SSLSession sSLSession) throws AuthenticationException {
        try {
            return new SaslAuthenticationState(new SaslAuthenticationDataSource(new PulsarSaslServer(this.jaasCredentialsContainer.getSubject(), this.allowedIdsPattern)));
        } catch (Throwable th) {
            log.error("Failed create sasl auth state", th);
            throw new AuthenticationException(th.getMessage());
        }
    }

    public String authRoleFromHttpRequest(HttpServletRequest httpServletRequest) throws AuthenticationException {
        String header = httpServletRequest.getHeader("SaslAuthRoleToken");
        if (header == null) {
            return null;
        }
        try {
            SaslRoleToken parse = SaslRoleToken.parse(this.signer.verifyAndExtract(header));
            if (log.isDebugEnabled()) {
                log.debug("server side get role token: {}, session in token:{}, session in request:{}", new Object[]{parse, parse.getSession(), httpServletRequest.getRemoteAddr()});
            }
            if (!parse.isExpired()) {
                return parse.getUserRole();
            }
            if (parse.isExpired()) {
                return "SaslAuthRoleTokenExpired";
            }
            return null;
        } catch (Exception e) {
            log.error("token parse failed, with exception: ", e);
            return "SaslAuthRoleTokenExpired";
        }
    }

    private String createAuthRoleToken(String str, String str2) {
        SaslRoleToken saslRoleToken = new SaslRoleToken(str, str2, System.currentTimeMillis() + 3600000);
        String sign = this.signer.sign(saslRoleToken.toString());
        if (log.isDebugEnabled()) {
            log.debug("create role token token: {}, role: {} session :{}, expires:{}\nsigned:{}", new Object[]{saslRoleToken, saslRoleToken.getUserRole(), saslRoleToken.getSession(), Long.valueOf(saslRoleToken.getExpires()), sign});
        }
        return sign;
    }

    private AuthenticationState getAuthState(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("SASL-Server-ID");
        if (header == null) {
            return null;
        }
        try {
            return this.authStates.get(Long.valueOf(Long.parseLong(header)));
        } catch (NumberFormatException e) {
            log.error("[{}] Wrong Id String in Token {}. e:", new Object[]{httpServletRequest.getRequestURI(), header, e});
            return null;
        }
    }

    private void setResponseHeaderState(HttpServletResponse httpServletResponse, String str) {
        httpServletResponse.setHeader("SASL-Type", "Kerberos");
        httpServletResponse.setHeader("State", str);
    }

    public boolean authenticateHttpRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws Exception {
        AuthenticationState authState = getAuthState(httpServletRequest);
        String authRoleFromHttpRequest = authRoleFromHttpRequest(httpServletRequest);
        if (authRoleFromHttpRequest != null) {
            if (authRoleFromHttpRequest.equalsIgnoreCase("SaslAuthRoleTokenExpired")) {
                setResponseHeaderState(httpServletResponse, "SaslAuthRoleTokenExpired");
                httpServletResponse.sendError(401, "Role token expired");
                if (!log.isDebugEnabled()) {
                    return false;
                }
                log.debug("[{}] Server side role token expired: {}", httpServletRequest.getRequestURI(), authRoleFromHttpRequest);
                return false;
            }
            if (httpServletRequest.getHeader("State").equalsIgnoreCase("Done")) {
                httpServletRequest.setAttribute(AuthenticationFilter.AuthenticatedRoleAttributeName, authRoleFromHttpRequest);
                httpServletRequest.setAttribute(AuthenticationFilter.AuthenticatedDataAttributeName, new AuthenticationDataHttps(httpServletRequest));
                if (!log.isDebugEnabled()) {
                    return true;
                }
                log.debug("[{}] Server side role token OK to go on: {}", httpServletRequest.getRequestURI(), authRoleFromHttpRequest);
                return true;
            }
            Preconditions.checkState(httpServletRequest.getHeader("State").equalsIgnoreCase("ServerCheckToken"));
            setResponseHeaderState(httpServletResponse, "Done");
            httpServletResponse.setHeader("SASL-Server-ID", httpServletRequest.getHeader("SASL-Server-ID"));
            httpServletResponse.setStatus(200);
            if (!log.isDebugEnabled()) {
                return false;
            }
            log.debug("[{}] Server side role token verified success: {}", httpServletRequest.getRequestURI(), authRoleFromHttpRequest);
            return false;
        }
        if (authState == null || httpServletRequest.getHeader("State").equalsIgnoreCase("Init")) {
            authState = newAuthState(null, null, null);
            this.authStates.put(Long.valueOf(authState.getStateId()), authState);
        }
        Preconditions.checkState(httpServletRequest.getHeader("SASL-Token") != null, "Header token should exist if no role token.");
        AuthData authenticate = authState.authenticate(AuthData.of(Base64.getDecoder().decode(httpServletRequest.getHeader("SASL-Token"))));
        if (!authState.isComplete()) {
            if (log.isDebugEnabled()) {
                log.debug("[{}] SASL server authentication not complete, send {} back to client.", httpServletRequest.getRequestURI(), 401);
            }
            setResponseHeaderState(httpServletResponse, "ING");
            httpServletResponse.setHeader("SASL-Server-ID", String.valueOf(authState.getStateId()));
            httpServletResponse.setHeader("SASL-Token", Base64.getEncoder().encodeToString(authenticate.getBytes()));
            httpServletResponse.sendError(401, "SASL Authentication not complete.");
            return false;
        }
        if (log.isDebugEnabled()) {
            log.debug("[{}] SASL server authentication complete, send OK to client.", httpServletRequest.getRequestURI());
        }
        httpServletResponse.setHeader("SaslAuthRoleToken", createAuthRoleToken(authState.getAuthRole(), String.valueOf(authState.getStateId())));
        httpServletResponse.setHeader("SASL-Server-ID", String.valueOf(authState.getStateId()));
        setResponseHeaderState(httpServletResponse, "Done");
        httpServletResponse.setStatus(200);
        this.authStates.remove(Long.valueOf(authState.getStateId()));
        return false;
    }
}
