package com.datastax.bdp.transport.server;

import com.datastax.bdp.cassandra.audit.AuditLogger;
import com.datastax.bdp.cassandra.audit.AuditableEvent;
import com.datastax.bdp.cassandra.audit.AuditableEventType;
import com.datastax.bdp.cassandra.auth.DseAuthenticationException;
import com.datastax.bdp.cassandra.auth.SaslServerDigestCallbackHandler;
import com.datastax.bdp.config.ClientConfiguration;
import com.datastax.bdp.config.ClientConfigurationFactory;
import com.datastax.bdp.config.DseConfig;
import com.datastax.bdp.ioc.DseInjector;
import com.datastax.bdp.server.DseServer;
import com.datastax.bdp.transport.common.SaslProperties;
import com.datastax.bdp.transport.common.ServicePrincipal;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.sasl.SaslServer;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.service.ClientState;
import org.apache.cassandra.thrift.ThriftClientState;
import org.apache.cassandra.thrift.ThriftSessionManager;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.thrift.TApplicationException;
import org.apache.thrift.TException;
import org.apache.thrift.TProcessor;
import org.apache.thrift.protocol.TMessage;
import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.protocol.TProtocolUtil;
import org.apache.thrift.transport.TSaslServerTransport;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/transport/server/TKerberosServerTransportFactory.class */
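/**
 * Thrift server transport factory that wraps client transports in a SASL server
 * transport offering the Kerberos (GSSAPI) and DIGEST mechanisms, and whose
 * {@link #wrapProcessor} decorator logs the SASL-authenticated identity into the
 * session's {@link ClientState} before each request is handed to the real processor.
 */
public class TKerberosServerTransportFactory extends TTransportFactory {
    private static final Logger logger = LoggerFactory.getLogger(TKerberosServerTransportFactory.class);

    /** Built once in the constructor; every {@link #getTransport} call is forwarded to it. */
    private final TTransportFactory delegate;

    /**
     * Authentication methods understood on the wire. Each constant carries a single-byte
     * wire code (80, 81, 82: contiguous and in declaration order, which {@link #valueOf(byte)}
     * depends on), the SASL mechanism name it maps to (empty for {@link #SIMPLE}) and the
     * equivalent Hadoop {@link UserGroupInformation.AuthenticationMethod}.
     */
    public enum AuthMethod {
        SIMPLE((byte) 80, "", UserGroupInformation.AuthenticationMethod.SIMPLE),
        KERBEROS((byte) 81, SaslProperties.SASL_GSSAPI_MECHANISM, UserGroupInformation.AuthenticationMethod.KERBEROS),
        DIGEST((byte) 82, SaslProperties.SASL_DIGEST_MECHANISM, UserGroupInformation.AuthenticationMethod.TOKEN);

        /** Wire code written by {@link #write} and read back by {@link #read}. */
        public final byte code;
        /** SASL mechanism name; the empty string for {@link #SIMPLE}. */
        public final String mechanismName;
        /** Hadoop authentication method this entry corresponds to. */
        public final UserGroupInformation.AuthenticationMethod authenticationMethod;
        /** Code of the first declared constant; enum constants are initialised before this field, so values() is populated here. */
        private static final int FIRST_CODE = values()[0].code;

        AuthMethod(byte code, String mechanismName, UserGroupInformation.AuthenticationMethod authenticationMethod) {
            this.code = code;
            this.mechanismName = mechanismName;
            this.authenticationMethod = authenticationMethod;
        }

        /**
         * Maps a wire code back to its constant.
         *
         * @param code the byte read from the wire, interpreted as unsigned
         * @return the matching constant, or {@code null} when the code is outside the declared range
         */
        public static AuthMethod valueOf(byte code) {
            // Index by offset from the first code; this only works because the codes are contiguous.
            int index = (code & 0xFF) - FIRST_CODE;
            AuthMethod[] all = values();
            if (index < 0 || index >= all.length) {
                return null;
            }
            return all[index];
        }

        /** @return the SASL mechanism name registered for this method (empty for {@link #SIMPLE}) */
        public String getMechanismName() {
            return this.mechanismName;
        }

        /**
         * Reads one code byte and resolves it.
         *
         * @return the constant for the byte read, or {@code null} for an unknown code
         * @throws IOException if the byte cannot be read
         */
        public static AuthMethod read(DataInput dataInput) throws IOException {
            return valueOf(dataInput.readByte());
        }

        /**
         * Writes this method's single code byte.
         *
         * @throws IOException if the byte cannot be written
         */
        public void write(DataOutput dataOutput) throws IOException {
            dataOutput.write(this.code);
        }
    }

    /**
     * Transport factory that obtains each transport from the wrapped factory while running
     * as the supplied {@link Subject} (presumably the server's Kerberos login subject, so the
     * SASL negotiation can use the service credentials — confirm against the caller) and then
     * frames the result in a {@link WrappedTFramedTransport}.
     */
    public static class PrivledgedTransportFactory extends TTransportFactory {
        private final Subject tkt;
        private final TTransportFactory wrapped;

        /**
         * @param tTransportFactory factory producing the inner transport; must not be null
         * @param subject subject under which the inner factory is invoked; must not be null
         */
        public PrivledgedTransportFactory(TTransportFactory tTransportFactory, Subject subject) {
            // Same null checks the decompiled bytecode expressed via $assertionsDisabled: only active with -ea.
            assert tTransportFactory != null;
            assert subject != null;
            this.wrapped = tTransportFactory;
            this.tkt = subject;
        }

        /**
         * Builds the inner transport under {@code tkt} and wraps it in a {@link WrappedTFramedTransport}.
         */
        @Override
        public TTransport getTransport(final TTransport tTransport) {
            return Subject.doAs(this.tkt, new PrivilegedAction<TTransport>() {
                @Override
                public TTransport run() {
                    return new WrappedTFramedTransport(wrapped.getTransport(tTransport));
                }
            });
        }
    }

    /**
     * Processor decorator that, before each request, registers the client's socket with the
     * Thrift session manager and logs the SASL-authenticated identity into the session's
     * {@link ClientState}. Any failure in that preamble or in the wrapped processor is
     * answered with a {@link TApplicationException} instead of propagating.
     */
    static class SaslEnabledProcessor implements TProcessor {
        TProcessor wrapped;
        ClientState clientState;

        /**
         * @param tProcessor the processor that handles requests once the identity is established
         * @param clientState fallback state used when the session manager has no current session
         */
        public SaslEnabledProcessor(TProcessor tProcessor, ClientState clientState) {
            this.wrapped = tProcessor;
            this.clientState = clientState;
        }

        /**
         * Establishes the caller's identity from the SASL server transport and delegates the request.
         *
         * @return the wrapped processor's result, or {@code true} after an error reply has been written
         * @throws TException if writing the error reply itself fails
         */
        @Override
        public boolean process(TProtocol in, TProtocol out) throws TException {
            try {
                TTransport transport = in.getTransport();
                ThriftSessionManager.instance.setCurrentSocket(TTransportUtil.getSocket(transport).getRemoteSocketAddress());
                maybeLogin(getUserName(getSaslServerTransport(transport).getSaslServer()));
                return this.wrapped.process(in, out);
            } catch (Exception e) {
                // Previously swallowed without a trace; keep the client-facing behaviour but leave a record for operators.
                logger.debug("Request on SASL transport failed, replying with TApplicationException", e);
                // Discard the pending request, then reply with an application exception.
                // 12 is TType.STRUCT and 3 is TMessageType.EXCEPTION.
                // NOTE(review): if the exception came from wrapped.process() after it consumed the
                // request, these reads land on the next message — confirm the wrapped processor
                // never throws past readMessageBegin().
                TMessage request = in.readMessageBegin();
                TProtocolUtil.skip(in, (byte) 12);
                in.readMessageEnd();
                // e.getMessage() goes to the client verbatim: login failures were already reduced to the
                // generic DseAuthenticationException.reason in maybeLogin(), other failures may carry internal detail.
                TApplicationException reply = new TApplicationException(e.getMessage());
                out.writeMessageBegin(new TMessage(request.name, (byte) 3, request.seqid));
                reply.write(out);
                out.writeMessageEnd();
                out.getTransport().flush();
                return true;
            }
        }

        /**
         * Unwraps the transport stack down to the {@link TSaslServerTransport}.
         *
         * @throws RuntimeException if no SASL server transport is found in the stack
         */
        private TSaslServerTransport getSaslServerTransport(TTransport tTransport) {
            TSaslServerTransport saslTransport = TTransportUtil.unwrapRecursive(tTransport, TSaslServerTransport.class);
            if (saslTransport == null) {
                throw new RuntimeException("Unexpected transport class: " + tTransport.getClass());
            }
            return saslTransport;
        }

        /**
         * Returns the authenticated user name: the SASL authorization id, except for the DIGEST
         * mechanism where that id is a delegation token identifier that is resolved to a user name.
         */
        private String getUserName(SaslServer saslServer) throws IOException {
            String authorizationId = saslServer.getAuthorizationID();
            if (SaslProperties.SASL_DIGEST_MECHANISM.equals(saslServer.getMechanismName())) {
                return getUserNameFromDelegationToken(authorizationId);
            }
            return authorizationId;
        }

        private String getUserNameFromDelegationToken(String tokenId) throws IOException {
            return DigestAuthUtils.getUserNameFromDelegationToken(tokenId);
        }

        /**
         * Logs {@code authzId} into the current session's {@link ClientState} unless a user is already set.
         * Failures are recorded in the audit log (when enabled) and surfaced as a {@link LoginException}
         * carrying only the generic {@code DseAuthenticationException.reason}, so the cause is not leaked to the client.
         */
        private void maybeLogin(String authzId) throws LoginException {
            ClientState state = TKerberosServerTransportFactory.getClientState(this.clientState);
            try {
                if (state.getUser() == null) {
                    state.login(KerberosServerUtils.getUserFromAuthzId(authzId));
                }
            } catch (AuthenticationException e) {
                if (AuditLogger.getInstance().isEnabled()) {
                    AuditLogger.getInstance().recordEvent(new AuditableEvent.Builder(authzId, DseServer.getClientAddress(state).toString()).type(AuditableEventType.LOGIN_ERROR).operation(e.getLocalizedMessage()).build());
                }
                throw new LoginException(DseAuthenticationException.reason);
            }
        }
    }

    /**
     * Logs the server in with the service principal from {@link DseConfig} and builds the SASL transport factory.
     *
     * @param servicePrincipal only echoed in a debug log line; the principal actually used is
     *     {@code DseConfig.getDseServicePrincipal()}
     * @throws RuntimeException wrapping the {@link LoginException} or {@link ConfigurationException}
     *     raised while validating the principal or logging in
     */
    public TKerberosServerTransportFactory(String servicePrincipal) {
        try {
            logger.debug("Creating server transport factory with servicePrincipal = " + servicePrincipal);
            String localPrincipal = DseConfig.getDseServicePrincipal().asLocal();
            KerberosServerUtils.validateServicePrincipal(localPrincipal);
            this.delegate = createTransportFactory(KerberosServerUtils.loginServer(localPrincipal));
        } catch (LoginException | ConfigurationException e) {
            throw new RuntimeException(e);
        }
    }

    /** Forwards to the SASL-enabled delegate built in the constructor. */
    @Override
    public TTransport getTransport(TTransport tTransport) {
        return this.delegate.getTransport(tTransport);
    }

    /**
     * Builds a SASL server transport factory with two server definitions: Kerberos, bound to the
     * service and host of the subject's first principal, and DIGEST, bound to the default realm with
     * the injected {@link SaslServerDigestCallbackHandler}. The result runs under {@code subject}.
     *
     * @param subject login subject whose first principal names the service; the call fails if it has no principals
     */
    public static TTransportFactory createTransportFactory(Subject subject) {
        ServicePrincipal servicePrincipal = new ServicePrincipal(subject.getPrincipals().iterator().next().getName());
        TSaslServerTransport.Factory factory = new TSaslServerTransport.Factory();
        logger.info("Creating server transport factory with protocol = " + servicePrincipal.service + ", server = " + servicePrincipal.host);
        ClientConfiguration clientConfiguration = ClientConfigurationFactory.getClientConfiguration();
        factory.addServerDefinition(AuthMethod.KERBEROS.getMechanismName(), servicePrincipal.service, servicePrincipal.host, SaslProperties.defaultProperties(clientConfiguration), new SaslGssCallbackHandler());
        // DIGEST has no protocol name; the realm is the SASL default realm.
        factory.addServerDefinition(AuthMethod.DIGEST.getMechanismName(), (String) null, SaslProperties.SASL_DEFAULT_REALM, SaslProperties.defaultProperties(clientConfiguration), (CallbackHandler) DseInjector.get().getInstance(SaslServerDigestCallbackHandler.class));
        return new PrivledgedTransportFactory(factory, subject);
    }

    /** Decorates {@code tProcessor} so that each request first logs in the SASL-authenticated identity. */
    public static TProcessor wrapProcessor(TProcessor tProcessor, ClientState clientState) {
        return new SaslEnabledProcessor(tProcessor, clientState);
    }

    /**
     * Returns the current Thrift session's state when one exists, otherwise the supplied fallback.
     */
    public static ClientState getClientState(ClientState fallback) {
        ThriftClientState currentSession = ThriftSessionManager.instance.currentSession();
        return currentSession != null ? currentSession : fallback;
    }
}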
