package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.util.DseUtil;
import com.datastax.dse.byos.shade.com.google.common.base.MoreObjects;
import com.datastax.dse.byos.shade.com.google.inject.Inject;
import com.datastax.dse.byos.shade.com.google.inject.Provider;
import com.datastax.dse.byos.shade.com.google.inject.Singleton;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.Serializable;
import java.security.SecureRandom;
import java.util.Optional;
import java.util.UUID;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.apache.cassandra.auth.PasswordAuthenticator;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.utils.UUIDGen;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.output.ByteArrayOutputStream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/InClusterAuthenticator.class */
public class InClusterAuthenticator {
    /** Shared cryptographically strong generator; {@code Credentials.create} draws the 16-byte token secret from it. */
    private static final SecureRandom random = new SecureRandom();

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/InClusterAuthenticator$Credentials.class */
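    /**
     * Identifier and secret of one in-cluster digest token.
     *
     * <p>The secret is kept as a raw byte array and exposed to consumers as the Base64 text of
     * those bytes. Instances are {@link Serializable}, so a serialized copy carries the secret and
     * must be handled as sensitive material.
     */
    public static class Credentials implements Serializable {
        /** Token identifier (user name plus UUID). */
        public final TokenId id;

        /**
         * Secret bytes. The array is stored and exposed by reference (no defensive copy), so any
         * holder of this object can read or overwrite the secret.
         */
        public final byte[] password;

        /**
         * @param tokenId identifier of the token
         * @param bArr secret bytes; stored as-is, not copied
         */
        public Credentials(TokenId tokenId, byte[] bArr) {
            this.id = tokenId;
            this.password = bArr;
        }

        /**
         * Returns the secret in the textual form used as the password: Base64 of the raw bytes.
         *
         * @return a fresh {@code char[]} the caller may wipe after use
         */
        public char[] getPasswordChars() {
            return getPasswordChars(this.password);
        }

        /**
         * @return Base64 of the encoded {@link TokenId}, i.e. the wire form of the identifier
         */
        public String getIdString() {
            return Base64.encodeBase64String(this.id.decompose());
        }

        /**
         * Encodes secret bytes as Base64 characters.
         *
         * <p>The encoding goes through an intermediate {@link String}, which cannot be wiped;
         * clearing the returned array therefore shortens, but does not eliminate, the time the
         * secret stays in memory.
         *
         * @param bArr raw secret bytes
         * @return Base64 text of {@code bArr} as a new {@code char[]}
         */
        public static char[] getPasswordChars(byte[] bArr) {
            String encoded = Base64.encodeBase64String(bArr);
            return encoded.toCharArray();
        }

        /**
         * Creates credentials for {@code str} with a new identifier and a random 128-bit secret.
         *
         * @param str user name the token is issued for
         * @return new credentials whose secret comes from the shared {@code SecureRandom}
         */
        public static Credentials create(String str) {
            TokenId tokenId = TokenId.create(str);
            byte[] secret = new byte[16];
            InClusterAuthenticator.random.nextBytes(secret);
            return new Credentials(tokenId, secret);
        }

        /**
         * Renders the identifier only. The secret is deliberately replaced by a fixed marker,
         * because {@code toString()} output routinely ends up in logs and exception messages.
         */
        @Override
        public String toString() {
            return MoreObjects.toStringHelper(this)
                    .add("id", this.id)
                    .add(PasswordAuthenticator.PASSWORD_KEY, "<redacted>")
                    .toString();
        }
    }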

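    /**
     * Server-side SASL callback handler for in-cluster digest tokens.
     *
     * <p>For a {@link PasswordCallback} it looks up the stored secret of the token named by the
     * accompanying {@link NameCallback}; for an {@link AuthorizeCallback} it authorizes only when
     * the authentication and authorization identities are equal. Other callback types are ignored.
     */
    @Singleton
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/InClusterAuthenticator$SaslServerCallbackHandler.class */
    public static class SaslServerCallbackHandler implements CallbackHandler {
        private static final Logger LOGGER = LoggerFactory.getLogger(SaslServerCallbackHandler.class);

        // Static injection point: remains null until the injector has populated it.
        @Inject
        private static Provider<DigestTokensManager> digestTokensManager;

        /**
         * Answers the password and authorization callbacks of a SASL exchange.
         *
         * <p>The token identifier arrives from the peer and is untrusted. It is decoded and
         * validated before the token store is queried, so a malformed identifier is rejected
         * without costing a {@code LOCAL_QUORUM} read.
         *
         * @param callbackArr callbacks supplied by the SASL mechanism
         * @throws UnsupportedCallbackException declared by the interface; this implementation
         *     does not throw it and skips callback types it does not handle
         * @throws DseAuthenticationException if a password is requested without a default name,
         *     or no secret is stored for the identifier
         * @throws IllegalArgumentException if the identifier does not decode to a {@link TokenId}
         */
        @Override
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            // assumes DseUtil.firstInstanceOf(array, Class<T>) yields Optional<T> -- confirm against DseUtil
            Optional<NameCallback> nameCallback = DseUtil.firstInstanceOf(callbackArr, NameCallback.class);
            Optional<PasswordCallback> passwordCallback = DseUtil.firstInstanceOf(callbackArr, PasswordCallback.class);
            Optional<AuthorizeCallback> authorizeCallback = DseUtil.firstInstanceOf(callbackArr, AuthorizeCallback.class);

            passwordCallback.ifPresent(callback -> {
                String encodedId = nameCallback
                        .flatMap(name -> Optional.ofNullable(name.getDefaultName()))
                        .orElseThrow(DseAuthenticationException::new);
                byte[] tokenIdBytes = Base64.decodeBase64(encodedId);
                // Decode once, up front: rejects garbage before the store lookup and avoids
                // re-parsing the same bytes for the error and log paths.
                TokenId tokenId = TokenId.compose(tokenIdBytes);

                Optional<byte[]> storedPassword =
                        digestTokensManager.get().getPasswordById(tokenIdBytes, ConsistencyLevel.LOCAL_QUORUM);
                if (!storedPassword.isPresent()) {
                    throw new DseAuthenticationException(tokenId.username);
                }

                char[] passwordChars = Credentials.getPasswordChars(storedPassword.get());
                // NOTE(review): username is peer-supplied text; make sure the log layout
                // neutralises control characters so it cannot forge log lines.
                LOGGER.debug("Read password of {}", tokenId.username);
                try {
                    // PasswordCallback keeps its own copy of the array.
                    callback.setPassword(passwordChars);
                } finally {
                    // Wipe our copy so the secret does not linger longer than needed.
                    java.util.Arrays.fill(passwordChars, '\0');
                }
            });

            authorizeCallback.ifPresent(callback -> {
                String authenticationId = callback.getAuthenticationID();
                String authorizationId = callback.getAuthorizationID();
                // No impersonation: an identity may only authorize as itself, and a missing
                // authentication id is always refused.
                boolean sameIdentity = authenticationId != null && authenticationId.equals(authorizationId);
                if (sameIdentity) {
                    LOGGER.debug("Setting authorized to true");
                } else {
                    LOGGER.debug("Setting authorized to false");
                }
                callback.setAuthorized(sameIdentity);
                if (callback.isAuthorized()) {
                    LOGGER.debug("Setting authorizedID to {}", authorizationId);
                    callback.setAuthorizedID(authorizationId);
                }
            });
        }
    }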

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/InClusterAuthenticator$TokenId.class */
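    /**
     * Identifier of an in-cluster digest token: a user name plus a UUID.
     *
     * <p>The UUID comes from {@code UUIDGen.getTimeUUID()}, i.e. it is time-based and serves as an
     * identifier only. It must not be treated as a secret; the secret is the random password
     * held in {@code Credentials}.
     *
     * <p>Binary form, as written by {@link #decompose()}: the user name in
     * {@link DataOutputStream#writeUTF(String)} format, followed by the most and least significant
     * 64 bits of the UUID.
     */
    public static class TokenId implements Serializable {
        public final String username;
        public final UUID code;

        /**
         * @param str user name the token belongs to
         * @param uuid unique code of the token
         */
        public TokenId(String str, UUID uuid) {
            this.username = str;
            this.code = uuid;
        }

        /**
         * Creates an identifier for {@code str} with a freshly generated time-based UUID.
         *
         * @param str user name the token belongs to
         * @return new identifier
         */
        public static TokenId create(String str) {
            return new TokenId(str, UUIDGen.getTimeUUID());
        }

        /**
         * Decodes the binary form produced by {@link #decompose()}.
         *
         * <p>Input may come from an unauthenticated peer. Every decoding failure, including a
         * {@code null} or truncated array, is reported as {@link IllegalArgumentException}; the
         * underlying exception is attached as the cause so the failure can be diagnosed.
         *
         * @param bArr encoded identifier
         * @return decoded identifier
         * @throws IllegalArgumentException if {@code bArr} cannot be decoded
         */
        public static TokenId compose(byte[] bArr) {
            try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(bArr))) {
                String name = in.readUTF();
                long mostSignificant = in.readLong();
                long leastSignificant = in.readLong();
                // NOTE(review): bytes after the UUID are not rejected, so different byte arrays
                // can decode to the same TokenId; confirm lookups consistently key on one form.
                return new TokenId(name, new UUID(mostSignificant, leastSignificant));
            } catch (Exception e) {
                throw new IllegalArgumentException("Could not decode token", e);
            }
        }

        /**
         * Decodes a Base64-encoded identifier.
         *
         * @param str Base64 text of the binary form
         * @return decoded identifier
         * @throws IllegalArgumentException if the decoded bytes are not a valid identifier
         */
        public static TokenId compose(String str) {
            return compose(Base64.decodeBase64(str));
        }

        /**
         * Encodes this identifier into its binary form.
         *
         * @return user name in {@code writeUTF} format followed by the two UUID halves
         * @throws RuntimeException if encoding fails, with the I/O error as the cause
         */
        public byte[] decompose() {
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            try (DataOutputStream out = new DataOutputStream(buffer)) {
                out.writeUTF(this.username);
                out.writeLong(this.code.getMostSignificantBits());
                out.writeLong(this.code.getLeastSignificantBits());
                out.flush();
            } catch (IOException e) {
                throw new RuntimeException("Failed to encode the token", e);
            }
            return buffer.toByteArray();
        }

        @Override
        public String toString() {
            return MoreObjects.toStringHelper(this)
                    .add("username", this.username)
                    .add("code", this.code)
                    .toString();
        }
    }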
}
