package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.cassandra.audit.AuditLogger;
import com.datastax.bdp.cassandra.audit.AuditableEvent;
import com.datastax.bdp.cassandra.audit.AuditableEventType;
import com.datastax.bdp.cassandra.auth.InClusterAuthenticator;
import com.datastax.bdp.config.ClientConfigurationFactory;
import com.datastax.bdp.config.DseConfig;
import com.datastax.bdp.ioc.DseInjector;
import com.datastax.bdp.transport.common.SaslProperties;
import com.datastax.bdp.transport.common.ServicePrincipal;
import com.datastax.bdp.transport.server.DigestAuthUtils;
import com.datastax.bdp.transport.server.KerberosServerUtils;
import com.datastax.bdp.transport.server.SaslGssCallbackHandler;
import com.datastax.dse.byos.shade.com.google.common.cache.Cache;
import com.datastax.dse.byos.shade.com.google.common.cache.CacheBuilder;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.IAuthenticator;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.PasswordAuthenticator;
import org.apache.cassandra.auth.Permission;
import org.apache.cassandra.auth.Resources;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.serializers.UUIDSerializer;
import org.apache.cassandra.utils.UUIDGen;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator.class */
/**
 * DSE's pluggable {@link IAuthenticator}: negotiates one of several SASL mechanisms
 * (PLAIN for internal/LDAP, GSSAPI and DIGEST-MD5 for Kerberos/delegation tokens,
 * plus two node-local mechanisms) and applies the configured "transitional mode",
 * which can downgrade a failed or missing login to {@code ANONYMOUS_USER}.
 *
 * <p>Decompiled source (JADX); the {@code Access modifiers changed} markers below
 * mean the visibility shown is not the original one.
 *
 * <p>Thread-safety: the scheme/mode fields are written in
 * {@link #validateConfiguration()} / {@link #setup()} and only read afterwards;
 * per-connection state lives in the negotiator objects, not here.
 */
public class DseAuthenticator implements IAuthenticator {
    // NOTE(review): non-final static logger; nothing in this file reassigns it.
    private static Logger logger = LoggerFactory.getLogger(DseAuthenticator.class);
    private static final String SASL_DEFAULT_REALM = "default";
    private static final String DEFAULT_SUPER_USER_NAME = "cassandra";
    protected static final String KEYTAB_UNREADABLE_ERROR = "The dse service keytab at this location %s either doesn't exist or cannot be read by the dse service";
    // Delegate used for the INTERNAL scheme; created in setup() only if INTERNAL is allowed.
    private IAuthenticator internalAuthenticator;
    // Mirrors DseConfig.isAuthenticationEnabled(); when false every login is anonymous.
    protected boolean enabled;
    // Scheme used when a client does not name a mechanism (the "legacy" path).
    protected AuthenticationScheme defaultScheme;
    // When true, checkPermissions() requires EXECUTE on the scheme resource (see setup()).
    private boolean schemePermissions = false;
    // Insertion order matters: plainTextAuthenticate() tries PLAIN schemes in this order.
    protected Set<AuthenticationScheme> allowedSchemes = new LinkedHashSet();
    protected TransitionalMode transitionalMode = TransitionalMode.DISABLED;

    /**
     * Mutable per-login state shared between a negotiator and the outer class.
     *
     * <p>{@code selectedScheme} is what the client asked for (or the default scheme
     * when {@code legacy} is true); {@code actualScheme} is what the negotiator
     * really used and is what {@link #checkPermissions} authorizes against.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$AuthenticationState.class */
    public class AuthenticationState {
        public AuthenticationScheme selectedScheme;
        public AuthenticationScheme actualScheme;
        // true when the first client token was not a mechanism name (see DseSaslNegotiator).
        public boolean legacy;
        public InetAddress clientAddress;

        private AuthenticationState() {
            this.legacy = false;
        }
    }

    /**
     * DIGEST-MD5 negotiator for delegation tokens; reported as the KERBEROS scheme.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$DigestMD5SaslNegotiator.class */
    public class DigestMD5SaslNegotiator implements IAuthenticator.SaslNegotiator {
        private final SaslServer saslServer;

        /**
         * Creates the SASL server (mechanism DIGEST, no protocol, server name "default")
         * with the injected digest callback handler.
         *
         * @param authenticationState state whose {@code actualScheme} is set to KERBEROS
         * @throws RuntimeException wrapping the {@link SaslException} if creation fails
         */
        public DigestMD5SaslNegotiator(AuthenticationState authenticationState) {
            authenticationState.actualScheme = AuthenticationScheme.KERBEROS;
            try {
                this.saslServer = Sasl.createSaslServer(SaslMechanism.DIGEST.mechanism, (String) null, "default", SaslProperties.defaultProperties(ClientConfigurationFactory.getClientConfiguration()), (CallbackHandler) DseInjector.get().getInstance(SaslServerDigestCallbackHandler.class));
            } catch (SaslException e) {
                DseAuthenticator.logger.error("Error initialising SASL server", e);
                throw new RuntimeException((Throwable) e);
            }
        }

        /**
         * Maps the negotiated authorization id (a delegation token) to a user.
         *
         * @throws DseAuthenticationException if the token cannot be decoded; the
         *         {@link IOException} cause is dropped, so it is not logged here
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws DseAuthenticationException {
            try {
                return KerberosServerUtils.getUserFromAuthzId(DigestAuthUtils.getUserNameFromDelegationToken(this.saslServer.getAuthorizationID()));
            } catch (IOException e) {
                throw new DseAuthenticationException();
            }
        }

        /**
         * Feeds one client token to the SASL server; only the token length is logged.
         *
         * @throws DseAuthenticationException on any {@link SaslException} (cause dropped)
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws DseAuthenticationException {
            try {
                DseAuthenticator.logger.debug("Evaluating input token {}", bArr == null ? "null" : Integer.valueOf(bArr.length));
                return this.saslServer.evaluateResponse(bArr);
            } catch (SaslException e) {
                throw new DseAuthenticationException();
            }
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.saslServer.isComplete();
        }
    }

    /**
     * Front negotiator handed to Cassandra for every connection. Its first client
     * token selects the mechanism; afterwards it delegates to the scheme-specific
     * negotiator and records failures in the audit log.
     */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$DseSaslNegotiator.class */
    private class DseSaslNegotiator implements IAuthenticator.SaslNegotiator {
        private AuthenticationState authenticationState;
        // null until the first evaluateResponse() call picks a scheme.
        private IAuthenticator.SaslNegotiator selectedNegotiator;

        public DseSaslNegotiator(InetAddress inetAddress) {
            this.authenticationState = new AuthenticationState();
            this.authenticationState.clientAddress = inetAddress;
        }

        /**
         * Selects the mechanism on the first call, then delegates.
         *
         * <ul>
         *   <li>Token equals an allowed scheme's mechanism name: select it and return
         *       that mechanism's canned response.</li>
         *   <li>Token names a known but not allowed scheme: audit a failure and throw.</li>
         *   <li>Anything else: legacy mode — use {@code defaultScheme} and pass this
         *       same token straight to the selected negotiator.</li>
         * </ul>
         *
         * @throws DseAuthenticationException from the selected negotiator (after auditing)
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws DseAuthenticationException {
            if (this.selectedNegotiator == null) {
                // z: the token matched some scheme's mechanism name, allowed or not.
                boolean z = false;
                for (AuthenticationScheme authenticationScheme : AuthenticationScheme.values()) {
                    if (Arrays.equals(authenticationScheme.saslMechanism.mechanism_bytes, bArr)) {
                        z = true;
                        if (DseAuthenticator.this.usingScheme(authenticationScheme)) {
                            this.authenticationState.selectedScheme = authenticationScheme;
                            this.selectedNegotiator = DseAuthenticator.this.getSaslNegotiatorForScheme(this.authenticationState);
                            return authenticationScheme.saslMechanism.response;
                        }
                    }
                }
                if (z) {
                    DseAuthenticationException dseAuthenticationException = new DseAuthenticationException();
                    DseAuthenticator.this.maybeRecordFailedAuthentication(this.authenticationState.clientAddress.toString(), dseAuthenticationException);
                    throw dseAuthenticationException;
                }
                this.authenticationState.selectedScheme = DseAuthenticator.this.defaultScheme;
                this.authenticationState.legacy = true;
                this.selectedNegotiator = DseAuthenticator.this.getSaslNegotiatorForScheme(this.authenticationState);
            }
            try {
                return this.selectedNegotiator.evaluateResponse(bArr);
            } catch (DseAuthenticationException e) {
                DseAuthenticator.this.maybeRecordFailedAuthentication(this.authenticationState.clientAddress.toString(), e);
                throw e;
            }
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.selectedNegotiator != null && this.selectedNegotiator.isComplete();
        }

        /**
         * Returns the delegate's user after the scheme-permission check, auditing the
         * login; any failure is audited and rethrown.
         *
         * @throws DseAuthenticationException if no mechanism was ever selected, or the
         *         delegate/permission check fails
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws DseAuthenticationException {
            if (this.selectedNegotiator == null) {
                DseAuthenticationException dseAuthenticationException = new DseAuthenticationException();
                DseAuthenticator.this.maybeRecordFailedAuthentication(this.authenticationState.clientAddress.toString(), dseAuthenticationException);
                throw dseAuthenticationException;
            }
            try {
                AuthenticatedUser authenticatedUser = this.selectedNegotiator.getAuthenticatedUser();
                DseAuthenticator.this.checkPermissions(authenticatedUser, this.authenticationState);
                maybeLogAuthentication(authenticatedUser);
                return authenticatedUser;
            } catch (DseAuthenticationException e) {
                DseAuthenticator.this.maybeRecordFailedAuthentication(this.authenticationState.clientAddress.toString(), e);
                throw e;
            }
        }

        /**
         * Writes a LOGIN audit event when auditing is enabled. The operation text
         * differs depending on whether the role manager says the primary role can log
         * in; audit failures are only debug-logged and never affect the login.
         */
        private void maybeLogAuthentication(AuthenticatedUser authenticatedUser) {
            AuditLogger auditLogger = AuditLogger.getInstance();
            if (auditLogger.isEnabled()) {
                try {
                    auditLogger.recordEvent(DatabaseDescriptor.getRoleManager().canLogin(authenticatedUser.getPrimaryRole()) ? new AuditableEvent.Builder(authenticatedUser.getName(), this.authenticationState.clientAddress.toString()).type(AuditableEventType.LOGIN).operation("Succesful login for user - " + authenticatedUser.getName()).build() : new AuditableEvent.Builder(authenticatedUser.getName(), this.authenticationState.clientAddress.toString()).type(AuditableEventType.LOGIN).operation("User - " + authenticatedUser.getName() + " - does not exist").build());
                } catch (Exception e) {
                    DseAuthenticator.logger.debug("Failed to record the event:", e);
                }
            }
        }
    }

    /**
     * Kerberos (GSSAPI) negotiator. The SASL server is created and driven under
     * {@link Subject#doAs} with the service principal logged in from the keytab.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$GSSAPISaslNegotiator.class */
    public class GSSAPISaslNegotiator implements IAuthenticator.SaslNegotiator {
        private final Subject serverIdentity;
        private final SaslServer saslServer;
        private AuthenticationState state;

        /**
         * Logs the server in as the configured DSE service principal and builds a
         * GSSAPI SASL server for that principal's service/host.
         *
         * @throws RuntimeException wrapping a {@link LoginException},
         *         {@link ConfigurationException} or {@link SaslException}
         */
        public GSSAPISaslNegotiator(AuthenticationState authenticationState) {
            this.state = authenticationState;
            this.state.actualScheme = AuthenticationScheme.KERBEROS;
            try {
                String asLocal = DseConfig.getDseServicePrincipal().asLocal();
                KerberosServerUtils.validateServicePrincipal(asLocal);
                this.serverIdentity = KerberosServerUtils.loginServer(asLocal);
                // First principal of the logged-in subject names the service and host.
                final ServicePrincipal servicePrincipal = new ServicePrincipal(this.serverIdentity.getPrincipals().iterator().next().getName());
                this.saslServer = (SaslServer) Subject.doAs(this.serverIdentity, new PrivilegedAction<SaslServer>() { // from class: com.datastax.bdp.cassandra.auth.DseAuthenticator.GSSAPISaslNegotiator.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedAction
                    public SaslServer run() {
                        try {
                            return Sasl.createSaslServer(SaslMechanism.GSSAPI.mechanism, servicePrincipal.service, servicePrincipal.host, SaslProperties.defaultProperties(ClientConfigurationFactory.getClientConfiguration()), new SaslGssCallbackHandler());
                        } catch (SaslException e) {
                            DseAuthenticator.logger.error("Error initialising SASL server", e);
                            throw new RuntimeException((Throwable) e);
                        }
                    }
                });
            } catch (LoginException e) {
                DseAuthenticator.logger.error("Error obtaining subject for server identity", e);
                throw new RuntimeException(e);
            } catch (ConfigurationException e2) {
                DseAuthenticator.logger.error("Error obtaining subject for server identity", e2);
                throw new RuntimeException(e2);
            }
        }

        /** Maps the GSSAPI authorization id (the Kerberos principal) to a user. */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws DseAuthenticationException {
            return KerberosServerUtils.getUserFromAuthzId(this.saslServer.getAuthorizationID());
        }

        /**
         * Evaluates a client token under the server identity. A {@link SaslException}
         * is audited as a failed login for user "unknown" and then surfaces as a
         * {@link DseAuthenticationException} without its cause.
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(final byte[] bArr) throws DseAuthenticationException {
            try {
                return (byte[]) Subject.doAs(this.serverIdentity, new PrivilegedExceptionAction<byte[]>() { // from class: com.datastax.bdp.cassandra.auth.DseAuthenticator.GSSAPISaslNegotiator.2
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public byte[] run() throws SaslException {
                        try {
                            return GSSAPISaslNegotiator.this.saslServer.evaluateResponse(bArr);
                        } catch (SaslException e) {
                            DseAuthenticator.this.maybeRecordFailedAuthentication(GSSAPISaslNegotiator.this.state.clientAddress.toString(), new DseAuthenticationException("unknown"));
                            throw e;
                        }
                    }
                });
            } catch (PrivilegedActionException e) {
                throw new DseAuthenticationException();
            }
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.saslServer.isComplete();
        }
    }

    /**
     * Node-to-node negotiator: DIGEST mechanism backed by
     * {@link InClusterAuthenticator.SaslServerCallbackHandler}; the authorization
     * id is an in-cluster token id whose {@code username} becomes the user.
     * Note that, unlike the other negotiators, this one never sets
     * {@code actualScheme}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$InClusterSaslNegotiator.class */
    public class InClusterSaslNegotiator implements IAuthenticator.SaslNegotiator {
        private final SaslServer saslServer;

        /** @throws RuntimeException wrapping the {@link SaslException} if creation fails */
        public InClusterSaslNegotiator() {
            try {
                this.saslServer = Sasl.createSaslServer(SaslProperties.SASL_DIGEST_MECHANISM, (String) null, "default", SaslProperties.defaultProperties(ClientConfigurationFactory.getClientConfiguration()), new InClusterAuthenticator.SaslServerCallbackHandler());
            } catch (SaslException e) {
                DseAuthenticator.logger.error("Error initialising SASL server", e);
                throw new RuntimeException((Throwable) e);
            }
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws DseAuthenticationException {
            return new AuthenticatedUser(InClusterAuthenticator.TokenId.compose(this.saslServer.getAuthorizationID()).username);
        }

        /** @throws DseAuthenticationException on any {@link SaslException} (cause dropped) */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws DseAuthenticationException {
            try {
                DseAuthenticator.logger.debug("Evaluating input token {}", bArr == null ? "null" : Integer.valueOf(bArr.length));
                return this.saslServer.evaluateResponse(bArr);
            } catch (SaslException e) {
                throw new DseAuthenticationException();
            }
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.saslServer.isComplete();
        }
    }

    /**
     * Principal returned by {@link InProcessSaslNegotiator}. It is both a superuser
     * and anonymous, so the one-time token in that negotiator is the only thing
     * gating superuser access on this path.
     */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$InProcAuthenticatedUser.class */
    private static class InProcAuthenticatedUser extends AuthenticatedUser {
        private static final String INPROC_USERNAME = "dse_inproc_user";

        public InProcAuthenticatedUser() {
            super(INPROC_USERNAME);
        }

        @Override // org.apache.cassandra.auth.AuthenticatedUser
        public boolean isSuper() {
            return true;
        }

        @Override // org.apache.cassandra.auth.AuthenticatedUser
        public boolean isAnonymous() {
            return true;
        }
    }

    /**
     * Same-JVM login: a caller obtains a time-UUID via {@link #generateOneTimeToken()}
     * and presents its serialized bytes as the single SASL response. Tokens live in
     * a static, 5-second expiring cache and are invalidated on first use.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$InProcessSaslNegotiator.class */
    public static class InProcessSaslNegotiator implements IAuthenticator.SaslNegotiator {
        private static final Cache<UUID, UUID> uuidCache = initUUIDCache();
        private static final InProcAuthenticatedUser INPROC_USER = new InProcAuthenticatedUser();
        // Declared but not referenced: initUUIDCache() uses the literal 5L instead.
        private static final int CACHE_VALIDITY_IN_S = 5;
        private boolean complete = false;

        InProcessSaslNegotiator() {
        }

        /**
         * Creates a fresh time-UUID, registers it in the cache, and returns its
         * serialized bytes for use as the client's SASL response.
         */
        public static byte[] generateOneTimeToken() {
            UUID timeUUID = UUIDGen.getTimeUUID();
            uuidCache.put(timeUUID, timeUUID);
            return UUIDSerializer.instance.serialize(timeUUID).array();
        }

        /**
         * Accepts the token only if it is still in the cache, then removes it so it
         * cannot be replayed. Always returns {@code null} (no server challenge).
         *
         * @throws DseAuthenticationException if the token is unknown or expired
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws AuthenticationException {
            // NOTE(review): a null or too-short bArr is not guarded here; whether
            // ByteBuffer.wrap/deserialize throw before the check depends on the serializer.
            UUID deserialize = UUIDSerializer.instance.deserialize(ByteBuffer.wrap(bArr));
            if (deserialize == null || uuidCache.getIfPresent(deserialize) == null) {
                throw new DseAuthenticationException(DseAuthenticationException.reason);
            }
            uuidCache.invalidate(deserialize);
            this.complete = true;
            return null;
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.complete;
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException {
            return INPROC_USER;
        }

        private static Cache<UUID, UUID> initUUIDCache() {
            return CacheBuilder.newBuilder().expireAfterWrite(5L, TimeUnit.SECONDS).build();
        }
    }

    /**
     * SASL PLAIN negotiator used for the INTERNAL and LDAP schemes. It only decodes
     * the single client message; the credential check happens in
     * {@link DseAuthenticator#getAuthenticatedUserWithCredentials}.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$PlainTextSaslNegotiator.class */
    public class PlainTextSaslNegotiator implements IAuthenticator.SaslNegotiator {
        private static final byte NUL = 0;
        private final AuthenticationState state;
        private boolean complete = false;
        // Keys: "username" and PasswordAuthenticator.PASSWORD_KEY; null until evaluateResponse().
        private Map<String, String> credentials;

        public PlainTextSaslNegotiator(AuthenticationState authenticationState) {
            this.state = authenticationState;
        }

        /** Decodes the PLAIN message and completes; always returns {@code null}. */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws DseAuthenticationException {
            this.credentials = decodeCredentials(bArr);
            this.complete = true;
            return null;
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.complete;
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws DseAuthenticationException {
            return DseAuthenticator.this.getAuthenticatedUserWithCredentials(this.credentials, this.state);
        }

        /**
         * Splits a SASL PLAIN message ({@code [authzid] NUL authcid NUL passwd}) into
         * a username/password map. Scanning from the end, the bytes after the last
         * NUL are the password and the bytes between the previous NUL and that one
         * are the username; anything earlier (the authzid) is discarded.
         *
         * <p>{@code bArr2} is only assigned after {@code bArr3}, so the branch that
         * throws with the decoded username is unreachable; a message with fewer than
         * two NULs always throws the no-argument exception.
         *
         * @param bArr raw client message; a null value is not handled here
         * @throws DseAuthenticationException if the message does not contain two NULs
         */
        private Map<String, String> decodeCredentials(byte[] bArr) throws DseAuthenticationException {
            byte[] bArr2 = null;
            byte[] bArr3 = null;
            int length = bArr.length;
            for (int length2 = bArr.length - 1; length2 >= 0; length2--) {
                if (bArr[length2] == 0) {
                    if (bArr3 == null) {
                        bArr3 = Arrays.copyOfRange(bArr, length2 + 1, length);
                    } else if (bArr2 == null) {
                        bArr2 = Arrays.copyOfRange(bArr, length2 + 1, length);
                    }
                    length = length2;
                }
            }
            if (bArr2 == null || bArr3 == null) {
                if (bArr2 != null) {
                    throw new DseAuthenticationException(new String(bArr2, StandardCharsets.UTF_8));
                }
                throw new DseAuthenticationException();
            }
            HashMap hashMap = new HashMap();
            hashMap.put("username", new String(bArr2, StandardCharsets.UTF_8));
            hashMap.put(PasswordAuthenticator.PASSWORD_KEY, new String(bArr3, StandardCharsets.UTF_8));
            return hashMap;
        }
    }

    /**
     * How strictly failed or absent credentials are treated (see
     * {@link #forceAnonymous}, {@link #legacyAuthenticate} and
     * {@link #checkPermissions} for the exact effect of each value).
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$TransitionalMode.class */
    public enum TransitionalMode {
        DISABLED,
        PERMISSIVE,
        NORMAL,
        STRICT
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public boolean requireAuthentication() {
        return this.enabled;
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public Set<IResource> protectedResources() {
        return Collections.emptySet();
    }

    /**
     * Reads the DSE configuration into this instance: enabled flag, default scheme,
     * the allowed-scheme set (default + INPROCESS + INCLUSTER + "other" schemes, and
     * TOKEN when Kerberos is allowed with digest), and the transitional mode. When
     * authentication is enabled, also validates the keytab (Kerberos) and the LDAP
     * configuration.
     *
     * @throws ConfigurationException from keytab/LDAP validation
     * @throws IllegalArgumentException if a configured scheme or mode name is not an enum constant
     */
    @Override // org.apache.cassandra.auth.IAuthenticator
    public void validateConfiguration() throws ConfigurationException {
        this.enabled = DseConfig.isAuthenticationEnabled();
        this.defaultScheme = AuthenticationScheme.valueOf(DseConfig.getDefaultAuthenticationScheme().toUpperCase());
        this.allowedSchemes.add(this.defaultScheme);
        // The node-local mechanisms are always allowed, regardless of configuration.
        this.allowedSchemes.add(AuthenticationScheme.INPROCESS);
        this.allowedSchemes.add(AuthenticationScheme.INCLUSTER);
        Iterator<String> it = DseConfig.getOtherAuthenticationSchemes().iterator();
        while (it.hasNext()) {
            this.allowedSchemes.add(AuthenticationScheme.valueOf(it.next().toUpperCase()));
        }
        if (usingScheme(AuthenticationScheme.KERBEROS) && DseConfig.isAllowDigestWithKerberos()) {
            this.allowedSchemes.add(AuthenticationScheme.TOKEN);
        }
        this.transitionalMode = TransitionalMode.valueOf(DseConfig.getAuthenticationTransitionalMode().toUpperCase());
        if (this.enabled) {
            if (usingScheme(AuthenticationScheme.KERBEROS)) {
                validateKeytab();
            }
            if (usingScheme(AuthenticationScheme.LDAP)) {
                LdapUtils.instance.validateAuthenticationConfiguration();
            }
        }
    }

    /**
     * Fails fast if the configured service keytab path is unset or unreadable.
     *
     * @throws ConfigurationException with {@link #KEYTAB_UNREADABLE_ERROR}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void validateKeytab() throws ConfigurationException {
        if (DseConfig.getDseServiceKeytab() == null || !new File(DseConfig.getDseServiceKeytab()).canRead()) {
            throw new ConfigurationException(String.format(KEYTAB_UNREADABLE_ERROR, DseConfig.getDseServiceKeytab()));
        }
    }

    /**
     * Initialises the scheme back-ends that are in use. Scheme permissions are only
     * enforced when the config flag is set AND the authorizer is a
     * {@link DseAuthorizer}; otherwise {@link #checkPermissions} is a no-op.
     */
    @Override // org.apache.cassandra.auth.IAuthenticator
    public void setup() {
        if (usingScheme(AuthenticationScheme.LDAP)) {
            LdapUtils.instance.setupAuthentication();
        }
        if (usingScheme(AuthenticationScheme.INTERNAL)) {
            this.internalAuthenticator = new PasswordAuthenticator();
            this.internalAuthenticator.setup();
        }
        this.schemePermissions = DseConfig.isAuthenticationSchemePermissions() && (DatabaseDescriptor.getAuthorizer() instanceof DseAuthorizer);
    }

    public boolean isKerberosDefaultScheme() {
        return this.enabled && this.defaultScheme == AuthenticationScheme.KERBEROS;
    }

    public boolean isKerberosEnabled() {
        return this.enabled && usingScheme(AuthenticationScheme.KERBEROS);
    }

    public boolean isLdapAuthEnabled() {
        return this.enabled && usingScheme(AuthenticationScheme.LDAP);
    }

    /** True if any PLAIN-mechanism scheme (INTERNAL or LDAP) is allowed. */
    public boolean isPlainTextAuthEnabled() {
        return this.enabled && (usingScheme(AuthenticationScheme.INTERNAL) || usingScheme(AuthenticationScheme.LDAP));
    }

    public boolean isInternalAuthEnabled() {
        return this.enabled && usingScheme(AuthenticationScheme.INTERNAL);
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public IAuthenticator.SaslNegotiator newSaslNegotiator(InetAddress inetAddress) {
        return new DseSaslNegotiator(inetAddress);
    }

    /**
     * Credential-map login (pre-SASL protocol). Outcomes, in order:
     * <ol>
     *   <li>authentication disabled: {@code ANONYMOUS_USER}, no checks;</li>
     *   <li>{@link #forceAnonymous} says so: {@code ANONYMOUS_USER};</li>
     *   <li>username and password present: {@link #getAuthenticatedUserWithCredentials};</li>
     *   <li>username only and Kerberos allowed: user derived from the name via
     *       {@code KerberosServerUtils.getUserFromAuthzId} — no credential is
     *       verified in this method itself; presumably the transport already did,
     *       so confirm this contract with the callers;</li>
     *   <li>otherwise: {@code ANONYMOUS_USER} in PERMISSIVE/NORMAL mode, else throw.</li>
     * </ol>
     * The result then goes through {@link #checkPermissions}.
     *
     * @param map credentials keyed by "username" and {@code PasswordAuthenticator.PASSWORD_KEY}
     * @throws DseAuthenticationException on failure in DISABLED/STRICT mode, or from the permission check
     */
    @Override // org.apache.cassandra.auth.IAuthenticator
    public AuthenticatedUser legacyAuthenticate(Map<String, String> map) throws DseAuthenticationException {
        if (!this.enabled) {
            return AuthenticatedUser.ANONYMOUS_USER;
        }
        String str = map.get("username");
        String str2 = map.get(PasswordAuthenticator.PASSWORD_KEY);
        AuthenticatedUser authenticatedUser = null;
        AuthenticationState authenticationState = new AuthenticationState();
        if (forceAnonymous(map)) {
            authenticatedUser = AuthenticatedUser.ANONYMOUS_USER;
        } else if (StringUtils.isNotEmpty(str)) {
            if (StringUtils.isNotEmpty(str2)) {
                authenticatedUser = getAuthenticatedUserWithCredentials(map, authenticationState);
            } else if (usingScheme(AuthenticationScheme.KERBEROS)) {
                authenticationState.actualScheme = AuthenticationScheme.KERBEROS;
                authenticatedUser = KerberosServerUtils.getUserFromAuthzId(str);
            }
        }
        if (authenticatedUser == null) {
            if (this.transitionalMode != TransitionalMode.PERMISSIVE && this.transitionalMode != TransitionalMode.NORMAL) {
                throw new DseAuthenticationException(DseAuthenticationException.reason);
            }
            authenticatedUser = AuthenticatedUser.ANONYMOUS_USER;
        }
        // NOTE(review): actualScheme stays null on the anonymous branches above.
        checkPermissions(authenticatedUser, authenticationState);
        return authenticatedUser;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public boolean usingScheme(AuthenticationScheme authenticationScheme) {
        return this.allowedSchemes.contains(authenticationScheme);
    }

    /**
     * Scheme-level authorization: a non-superuser must hold EXECUTE on the
     * {@link AuthenticationSchemeResource} for the scheme actually used (or on a
     * parent in its resource chain). Enforced only when scheme permissions are on
     * and either the mode is DISABLED, or the mode is STRICT and the user is not
     * anonymous; PERMISSIVE and NORMAL skip the check entirely.
     *
     * @throws DseAuthenticationException if no resource in the chain grants EXECUTE
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void checkPermissions(AuthenticatedUser authenticatedUser, AuthenticationState authenticationState) throws DseAuthenticationException {
        if (authenticatedUser.isSuper() || !this.schemePermissions) {
            return;
        }
        if (this.transitionalMode == TransitionalMode.DISABLED || (this.transitionalMode == TransitionalMode.STRICT && !authenticatedUser.isAnonymous())) {
            // NOTE(review): actualScheme may be null here (see legacyAuthenticate); how
            // AuthenticationSchemeResource.scheme(null) behaves is not visible in this file.
            Iterator<? extends IResource> it = Resources.chain(AuthenticationSchemeResource.scheme(authenticationState.actualScheme)).iterator();
            while (it.hasNext()) {
                if (authenticatedUser.getPermissions(it.next()).contains(Permission.EXECUTE)) {
                    return;
                }
            }
            throw new DseAuthenticationException(DseAuthenticationException.reason);
        }
    }

    /**
     * Builds the negotiator for {@code selectedScheme}'s SASL mechanism: DIGEST,
     * INPROCESS, INCLUSTER, PLAIN, with GSSAPI as the fallback for anything else.
     * For PLAIN without client-to-node encryption the {@code plain_text_without_ssl}
     * setting applies: "block" rejects the login, "warn" logs a warning, any other
     * value allows it silently.
     *
     * @throws DseAuthenticationException when PLAIN is used without TLS and the setting is "block"
     */
    /* JADX INFO: Access modifiers changed from: private */
    public IAuthenticator.SaslNegotiator getSaslNegotiatorForScheme(AuthenticationState authenticationState) throws DseAuthenticationException {
        if (authenticationState.selectedScheme.saslMechanism != SaslMechanism.PLAIN) {
            return authenticationState.selectedScheme.saslMechanism == SaslMechanism.DIGEST ? new DigestMD5SaslNegotiator(authenticationState) : authenticationState.selectedScheme.saslMechanism == SaslMechanism.INPROCESS ? new InProcessSaslNegotiator() : authenticationState.selectedScheme.saslMechanism == SaslMechanism.INCLUSTER ? new InClusterSaslNegotiator() : new GSSAPISaslNegotiator(authenticationState);
        }
        if (!DatabaseDescriptor.getClientEncryptionOptions().enabled) {
            String plainTextWithoutSsl = DseConfig.getPlainTextWithoutSsl();
            if (plainTextWithoutSsl.equals("block")) {
                throw new DseAuthenticationException();
            }
            if (plainTextWithoutSsl.equals("warn")) {
                logger.warn("Plain text authentication without client / server encryption is strongly discouraged");
            }
        }
        return new PlainTextSaslNegotiator(authenticationState);
    }

    /**
     * Decides whether a credential map is treated as an anonymous login instead of
     * being verified:
     * <ul>
     *   <li>PERMISSIVE: everyone except a username equal to "cassandra"
     *       ({@link #DEFAULT_SUPER_USER_NAME} exists but the literal is used here);</li>
     *   <li>NORMAL: when the username or the password is empty;</li>
     *   <li>STRICT: only when both are empty;</li>
     *   <li>DISABLED: never.</li>
     * </ul>
     */
    protected boolean forceAnonymous(Map<String, String> map) {
        String str = map.get("username");
        String str2 = map.get(PasswordAuthenticator.PASSWORD_KEY);
        return this.transitionalMode == TransitionalMode.PERMISSIVE ? StringUtils.isEmpty(str) || !str.equals("cassandra") : this.transitionalMode == TransitionalMode.NORMAL ? StringUtils.isEmpty(str) || StringUtils.isEmpty(str2) : this.transitionalMode == TransitionalMode.STRICT && StringUtils.isEmpty(str) && StringUtils.isEmpty(str2);
    }

    /**
     * Verifies a username/password against the PLAIN back-ends. In non-legacy mode
     * each allowed PLAIN scheme is tried in {@code allowedSchemes} order (LDAP via
     * {@code LdapUtils}, INTERNAL via the delegate {@link PasswordAuthenticator}); a
     * back-end's {@link AuthenticationException} is deliberately swallowed so the next
     * scheme gets a turn. In legacy mode only the default scheme is tried.
     * {@code actualScheme} is set to the scheme being attempted before each call.
     *
     * @throws DseAuthenticationException carrying the username when no back-end accepted
     */
    private AuthenticatedUser plainTextAuthenticate(Map<String, String> map, AuthenticationState authenticationState) throws DseAuthenticationException {
        if (!authenticationState.legacy) {
            for (AuthenticationScheme authenticationScheme : this.allowedSchemes) {
                if (authenticationScheme.saslMechanism == SaslMechanism.PLAIN) {
                    try {
                        if (authenticationScheme == AuthenticationScheme.LDAP) {
                            authenticationState.actualScheme = AuthenticationScheme.LDAP;
                            return LdapUtils.instance.authenticate(map);
                        }
                        authenticationState.actualScheme = AuthenticationScheme.INTERNAL;
                        return this.internalAuthenticator.legacyAuthenticate(map);
                    } catch (AuthenticationException e) {
                        // fall through to the next allowed PLAIN scheme
                    }
                }
            }
        } else if (this.defaultScheme.saslMechanism == SaslMechanism.PLAIN) {
            try {
                if (this.defaultScheme == AuthenticationScheme.LDAP) {
                    authenticationState.actualScheme = AuthenticationScheme.LDAP;
                    return LdapUtils.instance.authenticate(map);
                }
                authenticationState.actualScheme = AuthenticationScheme.INTERNAL;
                return this.internalAuthenticator.legacyAuthenticate(map);
            } catch (AuthenticationException e2) {
                // rejected by the default scheme; reported below
            }
        }
        throw new DseAuthenticationException(map.get("username"));
    }

    /**
     * Entry point for PLAIN credentials from both the SASL and legacy paths.
     * {@link #forceAnonymous} short-circuits to {@code ANONYMOUS_USER}; otherwise a
     * rejected credential becomes {@code ANONYMOUS_USER} in PERMISSIVE/NORMAL mode
     * and is rethrown in DISABLED/STRICT mode.
     *
     * @throws DseAuthenticationException when the credentials are rejected and the mode does not downgrade
     */
    public AuthenticatedUser getAuthenticatedUserWithCredentials(Map<String, String> map, AuthenticationState authenticationState) throws DseAuthenticationException {
        if (forceAnonymous(map)) {
            return AuthenticatedUser.ANONYMOUS_USER;
        }
        try {
            return plainTextAuthenticate(map, authenticationState);
        } catch (AuthenticationException e) {
            if (this.transitionalMode == TransitionalMode.PERMISSIVE || this.transitionalMode == TransitionalMode.NORMAL) {
                return AuthenticatedUser.ANONYMOUS_USER;
            }
            throw e;
        }
    }

    /**
     * Debug-logs the failure and, when auditing is enabled, records a LOGIN_ERROR
     * event for {@code dseAuthenticationException.username} from {@code str} (the
     * client address). Audit errors are debug-logged only.
     */
    public void maybeRecordFailedAuthentication(String str, DseAuthenticationException dseAuthenticationException) {
        logger.debug("Failed to authenticate:", dseAuthenticationException);
        AuditLogger auditLogger = AuditLogger.getInstance();
        if (auditLogger.isEnabled()) {
            try {
                auditLogger.recordEvent(new AuditableEvent.Builder(dseAuthenticationException.username, str).type(AuditableEventType.LOGIN_ERROR).operation("Failed login attempt for user - " + dseAuthenticationException.username).build());
            } catch (Exception e) {
                logger.debug("Failed to record the event:", e);
            }
        }
    }
}
