package org.apache.pulsar.shade.org.apache.bookkeeper.tls;

import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import org.apache.pulsar.shade.com.google.common.base.Strings;
import org.apache.pulsar.shade.org.apache.bookkeeper.auth.AuthCallbacks;
import org.apache.pulsar.shade.org.apache.bookkeeper.auth.AuthToken;
import org.apache.pulsar.shade.org.apache.bookkeeper.auth.BookKeeperPrincipal;
import org.apache.pulsar.shade.org.apache.bookkeeper.auth.BookieAuthProvider;
import org.apache.pulsar.shade.org.apache.bookkeeper.conf.ServerConfiguration;
import org.apache.pulsar.shade.org.apache.bookkeeper.proto.BookieConnectionPeer;
import org.apache.pulsar.shade.org.apache.bookkeeper.util.CertUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/shade/org/apache/bookkeeper/tls/BookieAuthZFactory.class */
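/**
 * Bookie-side authorization factory that authorizes a connecting peer by the role carried in
 * the OU field of its TLS client certificate.
 *
 * <p>{@link #init(ServerConfiguration)} loads and validates the permitted roles from the
 * {@code authorizedRoles} configuration field. The provider returned by
 * {@link #newProvider} then, on protocol upgrade, requires a secure channel, an
 * {@link X509Certificate} as the first protocol principal, and that the first role
 * {@link CertUtils#getRolesFromOU} extracts from that certificate is in the permitted list.
 * Any other outcome is logged and reported to the callback with {@link #AUTHZ_FAILED}.
 *
 * <p>Note that only the first OU role of the certificate is consulted; additional roles in
 * the certificate do not grant access.
 */
public class BookieAuthZFactory implements BookieAuthProvider.Factory {
    private static final Logger log = LoggerFactory.getLogger(BookieAuthZFactory.class);

    /** Return code delivered to the completion callback when authorization fails. */
    private static final int AUTHZ_FAILED = -102;
    /** Return code delivered to the completion callback when authorization succeeds. */
    private static final int AUTHZ_OK = 0;

    /** Roles permitted to connect; populated and validated by {@link #init}. */
    public String[] allowedRoles;

    /**
     * Returns the name under which this factory is registered.
     *
     * @return the constant plugin name {@code "BookieAuthZFactory"}
     */
    @Override
    public String getPluginName() {
        return "BookieAuthZFactory";
    }

    /**
     * Reads the permitted roles from {@code authorizedRoles} and validates them.
     *
     * <p>The field is only assigned after validation succeeds, so a rejected configuration
     * never leaves a partially accepted role list behind on this factory.
     *
     * @param serverConfiguration bookie configuration to read {@code authorizedRoles} from
     * @throws IllegalArgumentException if no roles are configured or any configured role is
     *     null or empty (an {@link IllegalArgumentException} is a {@link RuntimeException},
     *     which is what this method threw before)
     * @throws IOException declared by the interface; not thrown by this implementation
     */
    @Override
    public void init(ServerConfiguration serverConfiguration) throws IOException {
        String[] configuredRoles = serverConfiguration.getAuthorizedRoles();
        if (configuredRoles == null || configuredRoles.length == 0) {
            throw new IllegalArgumentException("Configuration option 'bookieAuthProviderFactoryClass' is set to 'BookieAuthZFactory' but no roles set for configuration field 'authorizedRoles'.");
        }
        for (String role : configuredRoles) {
            if (Strings.isNullOrEmpty(role)) {
                throw new IllegalArgumentException("Configuration option 'bookieAuthProviderFactoryClass' is set to 'BookieAuthZFactory' but configuration field 'authorizedRoles' contains an empty role.");
            }
        }
        // Defensive copy: the configuration object keeps no handle on the array we enforce.
        this.allowedRoles = configuredRoles.clone();
    }

    /**
     * Reports whether {@code role} is one of the configured {@link #allowedRoles}.
     *
     * @param role role string taken from the client certificate
     * @return {@code true} if an exact (case-sensitive) match exists
     */
    private boolean isAllowedRole(String role) {
        for (String allowed : this.allowedRoles) {
            if (role.equals(allowed)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Creates the per-connection provider that performs the certificate role check.
     *
     * @param bookieConnectionPeer the peer whose channel security and principals are inspected
     * @param genericCallback completion callback; receives {@link #AUTHZ_OK} or
     *     {@link #AUTHZ_FAILED} with a {@code null} result
     * @return a provider whose {@link BookieAuthProvider#onProtocolUpgrade()} performs the check
     */
    @Override
    public BookieAuthProvider newProvider(final BookieConnectionPeer bookieConnectionPeer, final AuthCallbacks.GenericCallback<Void> genericCallback) {
        return new BookieAuthProvider() {

            /**
             * Runs the authorization decision once the channel has been upgraded.
             *
             * <p>Every failure path logs the reason together with the remote address and
             * completes the callback with {@link #AUTHZ_FAILED}; the success path records the
             * certificate role as the peer's authorized id. Exceptions raised while inspecting
             * the peer or parsing the certificate are treated as a failure, never propagated.
             */
            @Override
            public void onProtocolUpgrade() {
                try {
                    boolean isSecure = bookieConnectionPeer.isSecure();
                    Collection<Object> principals = bookieConnectionPeer.getProtocolPrincipals();

                    if (!isSecure) {
                        log.error("AuthZ failed: Bookie side channel is not secured; host: {}", bookieConnectionPeer.getRemoteAddr());
                        genericCallback.operationComplete(AUTHZ_FAILED, null);
                        return;
                    }
                    if (principals.isEmpty()) {
                        log.error("AuthZ failed: Certificate missing; host: {}", bookieConnectionPeer.getRemoteAddr());
                        genericCallback.operationComplete(AUTHZ_FAILED, null);
                        return;
                    }
                    // Only the first protocol principal is considered, as before.
                    Object firstPrincipal = principals.iterator().next();
                    if (!(firstPrincipal instanceof X509Certificate)) {
                        log.error("AuthZ failed: Certs are missing or not X509 type; host: {}", bookieConnectionPeer.getRemoteAddr());
                        genericCallback.operationComplete(AUTHZ_FAILED, null);
                        return;
                    }

                    String[] certRoles = CertUtils.getRolesFromOU((X509Certificate) firstPrincipal);
                    if (certRoles == null || certRoles.length == 0) {
                        log.error("AuthZ failed: No cert role in OU field of certificate. Must have a role from allowedRoles list {} host: {}", BookieAuthZFactory.this.allowedRoles, bookieConnectionPeer.getRemoteAddr());
                        genericCallback.operationComplete(AUTHZ_FAILED, null);
                        return;
                    }

                    // Only the first OU role decides; matching stops at the first hit.
                    String certRole = certRoles[0];
                    if (isAllowedRole(certRole)) {
                        bookieConnectionPeer.setAuthorizedId(new BookKeeperPrincipal(certRole));
                        genericCallback.operationComplete(AUTHZ_OK, null);
                    } else {
                        log.error("AuthZ failed: Cert role {} doesn't match allowedRoles list {}; host: {}", certRoles, BookieAuthZFactory.this.allowedRoles, bookieConnectionPeer.getRemoteAddr());
                        genericCallback.operationComplete(AUTHZ_FAILED, null);
                    }
                } catch (Exception e) {
                    // Boundary catch: any inspection/parsing failure must deny, not crash the channel.
                    log.error("AuthZ failed: Failed to parse certificate; host: {}, {}", bookieConnectionPeer.getRemoteAddr(), e);
                    genericCallback.operationComplete(AUTHZ_FAILED, null);
                }
            }

            /**
             * No-op: this provider decides purely on the TLS certificate at protocol upgrade
             * and exchanges no authentication tokens with the client.
             *
             * @param authToken ignored
             * @param genericCallback2 ignored; never completed by this provider
             */
            @Override
            public void process(AuthToken authToken, AuthCallbacks.GenericCallback<AuthToken> genericCallback2) {
            }
        };
    }
}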
