package com.datastax.bdp.cassandra.auth;

import com.datastax.bdp.cassandra.audit.AuditLogger;
import com.datastax.bdp.cassandra.audit.AuditableEvent;
import com.datastax.bdp.cassandra.audit.AuditableEventType;
import com.datastax.bdp.cassandra.auth.InClusterAuthenticator;
import com.datastax.bdp.cassandra.auth.negotiators.ProxyAuthenticatedUser;
import com.datastax.bdp.config.ClientConfiguration;
import com.datastax.bdp.config.ClientConfigurationFactory;
import com.datastax.bdp.config.ConfigUtil;
import com.datastax.bdp.config.DseConfig;
import com.datastax.bdp.config.LdapConfig;
import com.datastax.bdp.ioc.DseInjector;
import com.datastax.bdp.transport.common.SaslProperties;
import com.datastax.bdp.transport.common.ServicePrincipal;
import com.datastax.bdp.transport.server.DigestAuthUtils;
import com.datastax.bdp.transport.server.KerberosServerUtils;
import com.datastax.bdp.util.DseUtil;
import com.datastax.dse.byos.shade.com.google.common.annotations.VisibleForTesting;
import com.datastax.dse.byos.shade.com.google.common.cache.Cache;
import com.datastax.dse.byos.shade.com.google.common.cache.CacheBuilder;
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.cassandra.auth.AuthenticatedUser;
import org.apache.cassandra.auth.IAuthenticator;
import org.apache.cassandra.auth.IResource;
import org.apache.cassandra.auth.PasswordAuthenticator;
import org.apache.cassandra.auth.Resources;
import org.apache.cassandra.auth.RoleResource;
import org.apache.cassandra.auth.permission.CorePermission;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.db.ConsistencyLevel;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.serializers.UUIDSerializer;
import org.apache.cassandra.utils.Pair;
import org.apache.cassandra.utils.Throwables;
import org.apache.cassandra.utils.UUIDGen;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.ArrayUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.hadoop.security.token.SecretManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator.class */
public class DseAuthenticator implements IAuthenticator {
    /** Class-wide logger; the nested negotiators log through it as {@code DseAuthenticator.logger}. */
    private static final Logger logger = LoggerFactory.getLogger(DseAuthenticator.class);
    /** SASL realm name; the DIGEST-MD5 negotiators below pass the same value ("default") as a literal when creating their SaslServer. */
    public static final String SASL_DEFAULT_REALM = "default";
    /** Name of the default superuser role; not referenced in this part of the file. */
    private static final String DEFAULT_SUPER_USER_NAME = "cassandra";
    /** Format string for the error raised when the service keytab is missing or unreadable ({@code %s} = keytab path). */
    protected static final String KEYTAB_UNREADABLE_ERROR = "The dse service keytab at this location %s either doesn't exist or cannot be read by the dse service";
    // presumably whether this authenticator enforces authentication at all; not read in this part of the file — confirm
    protected boolean enabled;
    // Scheme used for legacy clients whose first SASL message names no mechanism (see UnifiedSaslNegotiator.evaluateResponse).
    protected AuthenticationScheme defaultScheme;
    // Schemes a client may select; the constructor initialises it as an insertion-ordered LinkedHashSet.
    protected Set<AuthenticationScheme> allowedSchemes;
    // PERMISSIVE/NORMAL let a failed external authentication fall back to the anonymous user (see DseExternalSaslNegotiator.getAuthenticatedUser).
    protected TransitionalMode transitionalMode;
    // Delegate for internal (password) authentication; not referenced in this part of the file.
    private PasswordAuthenticator internalAuthenticator;
    // presumably whether per-scheme permissions are enforced in checkPermissions(); not read in this part of the file — confirm
    private boolean schemePermissions;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$DigestMD5SaslNegotiator.class */
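    /**
     * SASL DIGEST-MD5 negotiator for delegation-token logins.
     *
     * <p>The DIGEST-MD5 user name presented by the client is a Base64-encoded
     * {@link CassandraDelegationTokenIdentifier}; the matching secret is looked up in the
     * {@link CassandraDelegationTokenSecretManager} and handed to the JDK SASL server, which
     * performs the actual digest verification.
     */
    public class DigestMD5SaslNegotiator extends DseSaslNegotiator {
        private final SaslServer saslServer;

        /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$DigestMD5SaslNegotiator$DigestMD5CallbackHandler.class */
        /** Resolves the token password for the identifier the client sent as its user name. */
        private class DigestMD5CallbackHandler extends DseSaslNegotiator.DseSaslCallbackHandler {
            private final CassandraDelegationTokenSecretManager tokenSecretManager;

            private DigestMD5CallbackHandler() {
                super();
                this.tokenSecretManager = (CassandraDelegationTokenSecretManager) DseInjector.get().getInstance(CassandraDelegationTokenSecretManager.class);
            }

            /**
             * Fills the password callback with the delegation-token secret for the presented identifier.
             *
             * <p>Does nothing when no password callback is present. The original nested the two
             * try blocks so that a failed {@code retrievePassword} was re-reported as
             * "Can't de-serialize tokenIdentifier" and the original exception was lost
             * ({@code initCause(e.getCause())}); the two failure modes are now kept apart and
             * the triggering exception is preserved as the cause.
             *
             * @param optional  name callback whose default name is the Base64 token identifier
             * @param optional2 password callback to populate
             * @throws IOException if the name callback is missing or null; as
             *         {@link SecretManager.InvalidToken} if the identifier cannot be decoded or
             *         the secret manager rejects it
             */
            @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseSaslNegotiator.DseSaslCallbackHandler
            protected void handleNamePasswordCallback(Optional<NameCallback> optional, Optional<PasswordCallback> optional2) throws IOException {
                if (!optional2.isPresent()) {
                    return;
                }
                if (!optional.isPresent()) {
                    throw new IOException("Password callback without name callback?  Something is very wrong.");
                }
                String encodedIdentifier = optional.get().getDefaultName();
                if (encodedIdentifier == null) {
                    // Previously an NPE; a missing name is just an undecodable token.
                    throw invalidToken("Can't de-serialize tokenIdentifier", null);
                }
                CassandraDelegationTokenIdentifier identifier = new CassandraDelegationTokenIdentifier();
                // Base64 text is ASCII, but name the charset rather than relying on the platform default.
                byte[] rawIdentifier = Base64.decodeBase64(encodedIdentifier.getBytes(StandardCharsets.UTF_8));
                try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(rawIdentifier))) {
                    identifier.readFields(in);
                } catch (IOException e) {
                    throw invalidToken("Can't de-serialize tokenIdentifier", e);
                }
                byte[] secret;
                try {
                    secret = this.tokenSecretManager.retrievePassword(identifier);
                } catch (IOException e) {
                    throw invalidToken("Invalid password", e);
                }
                optional2.get().setPassword(new String(Base64.encodeBase64(secret), StandardCharsets.UTF_8).toCharArray());
                DseAuthenticator.logger.debug("Setting DIGEST-MD5 password for client {}", identifier.getUser());
            }

            /**
             * Builds an {@link SecretManager.InvalidToken} (an {@link IOException}) carrying the triggering failure.
             *
             * @param message the token error message
             * @param cause   the underlying exception, or {@code null} when there is none
             * @return the exception to throw
             */
            private SecretManager.InvalidToken invalidToken(String message, Throwable cause) {
                SecretManager.InvalidToken invalid = new SecretManager.InvalidToken(message);
                if (cause != null) {
                    invalid.initCause(cause);
                }
                return invalid;
            }
        }

        /**
         * Creates the DIGEST-MD5 server for one connection.
         *
         * <p>NOTE(review): the state records KERBEROS as the actual scheme while
         * {@link #getAuthenticatedUser()} builds the user with {@code AuthenticationScheme.TOKEN}
         * — confirm that asymmetry is intended.
         *
         * @param authenticationState per-connection state updated with the actual scheme
         * @throws RuntimeException wrapping the {@link SaslException} if the JDK cannot create the server
         */
        public DigestMD5SaslNegotiator(AuthenticationState authenticationState) {
            super();
            authenticationState.setActualScheme(AuthenticationScheme.KERBEROS);
            try {
                // Realm literal equals SASL_DEFAULT_REALM.
                this.saslServer = Sasl.createSaslServer(SaslMechanism.DIGEST.mechanism, (String) null, "default", SaslProperties.defaultProperties(ClientConfigurationFactory.getClientConfiguration()), new DigestMD5CallbackHandler());
            } catch (SaslException e) {
                DseAuthenticator.logger.error("Error initialising SASL server", e);
                throw new RuntimeException(e);
            }
        }

        /**
         * Resolves the authenticated user from the SASL authorization ID carried in the delegation token.
         *
         * @return the user, tagged with {@code AuthenticationScheme.TOKEN}
         * @throws CredentialsAuthenticationException if the token's user name cannot be resolved;
         *         the cause is logged at debug level rather than exposed to the client
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws CredentialsAuthenticationException {
            try {
                String tokenUser = DigestAuthUtils.getUserNameFromDelegationToken(this.saslServer.getAuthorizationID());
                return KerberosServerUtils.getUserFromAuthzId(tokenUser, AuthenticationScheme.TOKEN);
            } catch (IOException e) {
                DseAuthenticator.logger.debug("Could not resolve user from delegation token", e);
                throw new CredentialsAuthenticationException();
            }
        }

        /**
         * Feeds one client message to the DIGEST-MD5 server.
         *
         * @param bArr the client response, may be {@code null} for the initial step
         * @return the server challenge, or {@code null} when the server has nothing to send
         * @throws CredentialsAuthenticationException on any SASL failure (logged at debug level,
         *         matching the GSSAPI negotiator)
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws CredentialsAuthenticationException {
            try {
                DseAuthenticator.logger.debug("Evaluating input token {}", bArr == null ? "null" : Integer.valueOf(bArr.length));
                return this.saslServer.evaluateResponse(bArr);
            } catch (SaslException e) {
                DseAuthenticator.logger.debug("DIGEST-MD5 sasl exception", e);
                throw new CredentialsAuthenticationException();
            }
        }

        /** @return whether the SASL exchange has finished */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.saslServer.isComplete();
        }
    }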

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$DseExternalSaslNegotiator.class */
    /**
     * Base for negotiators backed by an external identity source (Kerberos, LDAP/plain text).
     *
     * <p>Subclasses report who authenticated, who they want to act as, and whether a password
     * was supplied; this class turns that into an {@link AuthenticatedUser}, applying the
     * authenticator's transitional mode when the external check failed.
     */
    protected abstract class DseExternalSaslNegotiator extends DseSaslNegotiator {
        // Set by subclasses when the external authentication or the proxy authorization failed.
        protected boolean authenticationError;
        // The failure that caused authenticationError, if one was raised; may stay null.
        protected AuthenticationException authenticationException;

        protected DseExternalSaslNegotiator() {
            super();
            this.authenticationError = false;
            this.authenticationException = null;
        }

        /** @return the identity that was authenticated (SASL authentication ID) */
        protected abstract String getAuthenticationUser();

        /** @return the identity the client asked to act as (SASL authorization ID), possibly empty */
        protected abstract String getAuthorizationUser();

        /** @return whether the client supplied a password (always true for Kerberos) */
        protected abstract boolean passwordSupplied();

        /** @return the scheme to tag the resulting {@link AuthenticatedUser} with */
        protected abstract AuthenticationScheme getAuthenticationScheme();

        /**
         * Decides whether {@code str} may log in as {@code str2}.
         *
         * <p>Trivially allowed when no distinct authorization user was requested. Proxying
         * onto a superuser is never allowed; otherwise the authorizer must grant
         * {@code ProxyPermission.LOGIN} on the target role.
         *
         * @param str  authentication user
         * @param str2 requested authorization user, may be empty
         * @return whether the login is permitted
         */
        @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseSaslNegotiator
        protected boolean authorize(String str, String str2) {
            boolean sameIdentity = StringUtils.isEmpty(str2) || Objects.equals(str, str2);
            if (sameIdentity) {
                return true;
            }
            AuthenticatedUser target = new AuthenticatedUser(str2, getAuthenticationScheme());
            if (target.isSuper()) {
                return false;
            }
            AuthenticatedUser actor = new AuthenticatedUser(str, getAuthenticationScheme());
            return DatabaseDescriptor.getAuthorizer()
                    .authorize(actor, RoleResource.role(str2))
                    .contains(ProxyPermission.LOGIN);
        }

        /**
         * Builds the user for this negotiation.
         *
         * <p>Order of precedence: anonymous if the authenticator forces it for this user;
         * otherwise the (possibly proxied) user when authentication succeeded; otherwise
         * anonymous under PERMISSIVE/NORMAL transitional mode; otherwise the recorded
         * provider exception, or a credentials failure naming the attempted users.
         *
         * @return the authenticated (or anonymous) user
         * @throws AuthenticationException when authentication failed and transitional mode does not mask it
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() {
            String authnUser = getAuthenticationUser();
            String authzUser = getAuthorizationUser();
            if (DseAuthenticator.this.forceAnonymous(authnUser, passwordSupplied())) {
                return AuthenticatedUser.ANONYMOUS_USER;
            }
            if (!this.authenticationError) {
                boolean plainLogin = StringUtils.isEmpty(authzUser) || Objects.equals(authnUser, authzUser);
                if (plainLogin) {
                    return new AuthenticatedUser(authnUser, getAuthenticationScheme());
                }
                AuthenticatedUser actor = new AuthenticatedUser(authnUser, getAuthenticationScheme());
                AuthenticatedUser target = new AuthenticatedUser(authzUser, getAuthenticationScheme());
                return new ProxyAuthenticatedUser(actor, target);
            }
            TransitionalMode mode = DseAuthenticator.this.transitionalMode;
            boolean failureMasked = mode == TransitionalMode.PERMISSIVE || mode == TransitionalMode.NORMAL;
            if (failureMasked) {
                return AuthenticatedUser.ANONYMOUS_USER;
            }
            if (this.authenticationException instanceof ProviderAuthenticationException) {
                throw this.authenticationException;
            }
            String reportedUser = StringUtils.isEmpty(authzUser) ? authnUser : authzUser;
            throw new CredentialsAuthenticationException(reportedUser, authnUser);
        }
    }

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$DseSaslNegotiator.class */
    /**
     * Common base for this authenticator's SASL negotiators.
     *
     * <p>Provides the default proxy-login rule ({@link #authorize}) and a
     * {@link CallbackHandler} skeleton that routes JDK SASL callbacks to overridable hooks.
     */
    protected abstract class DseSaslNegotiator implements IAuthenticator.SaslNegotiator {

        /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$DseSaslNegotiator$DseSaslCallbackHandler.class */
        /** Splits a callback array into name/password and authorize callbacks and dispatches them. */
        protected class DseSaslCallbackHandler implements CallbackHandler {
            protected DseSaslCallbackHandler() {
            }

            /**
             * Hook for the name and password callbacks; the base implementation ignores them.
             *
             * @param optional  the name callback, if the mechanism issued one
             * @param optional2 the password callback, if the mechanism issued one
             * @throws IOException if a subclass cannot resolve the credentials
             */
            protected void handleNamePasswordCallback(Optional<NameCallback> optional, Optional<PasswordCallback> optional2) throws IOException {
            }

            /**
             * Answers the authorize callback using the enclosing negotiator's {@link #authorize} rule.
             *
             * @param optional the authorize callback, if the mechanism issued one
             * @throws IOException never by this implementation; kept for subclasses
             */
            protected void handleAuthorizeCallback(Optional<AuthorizeCallback> optional) throws IOException {
                if (!optional.isPresent()) {
                    return;
                }
                AuthorizeCallback callback = optional.get();
                String authnId = callback.getAuthenticationID();
                String authzId = callback.getAuthorizationID();
                callback.setAuthorized(DseSaslNegotiator.this.authorize(authnId, authzId));
                if (!callback.isAuthorized()) {
                    return;
                }
                callback.setAuthorizedID(authzId);
                DseAuthenticator.logger.debug("Allowing login for {} as {} via {}", authnId, authzId, getClass().getSimpleName());
            }

            /**
             * Dispatches the first name, password and authorize callback found in {@code callbackArr}.
             *
             * @param callbackArr callbacks issued by the SASL server
             * @throws IOException                  propagated from the hooks
             * @throws UnsupportedCallbackException declared by the interface; not thrown here
             */
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                Optional<NameCallback> name = DseUtil.firstInstanceOf(callbackArr, NameCallback.class);
                Optional<PasswordCallback> password = DseUtil.firstInstanceOf(callbackArr, PasswordCallback.class);
                handleNamePasswordCallback(name, password);
                Optional<AuthorizeCallback> authorize = DseUtil.firstInstanceOf(callbackArr, AuthorizeCallback.class);
                handleAuthorizeCallback(authorize);
            }
        }

        protected DseSaslNegotiator() {
        }

        /**
         * Default proxy rule: allowed when the authentication ID is {@code null} or equals the authorization ID.
         *
         * @param str  authentication ID
         * @param str2 requested authorization ID
         * @return whether {@code str} may act as {@code str2}
         */
        protected boolean authorize(String str, String str2) {
            if (str == null) {
                return true;
            }
            return Objects.equals(str, str2);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$GSSAPISaslNegotiator.class */
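    /**
     * SASL GSSAPI (Kerberos) negotiator.
     *
     * <p>The node logs in under its service principal once per negotiator, and every SASL step
     * runs inside that login context via {@link Subject#doAs}.
     */
    public class GSSAPISaslNegotiator extends DseExternalSaslNegotiator {
        private final Subject serverIdentity;
        private final SaslServer saslServer;
        private final AuthenticationState state;
        // SASL authentication ID captured from the authorize callback; null until that callback fires.
        private String authenticatedUser;

        /* JADX INFO: Access modifiers changed from: protected */
        /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$GSSAPISaslNegotiator$DseGSSCallbackHandler.class */
        /** Records the authentication ID once the GSSAPI exchange reaches the authorize callback. */
        public class DseGSSCallbackHandler extends DseSaslNegotiator.DseSaslCallbackHandler {
            protected DseGSSCallbackHandler() {
                super();
            }

            /**
             * Applies the base proxy rule, then remembers the authentication ID for {@link #getAuthenticationUser()}.
             *
             * @param optional the authorize callback, if present
             * @throws IOException propagated from the base implementation
             */
            @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseSaslNegotiator.DseSaslCallbackHandler
            public void handleAuthorizeCallback(Optional<AuthorizeCallback> optional) throws IOException {
                super.handleAuthorizeCallback(optional);
                if (optional.isPresent()) {
                    GSSAPISaslNegotiator.this.authenticatedUser = optional.get().getAuthenticationID();
                }
            }
        }

        /**
         * Logs in as the configured service principal and creates the GSSAPI server inside that context.
         *
         * @param authenticationState per-connection state; its actual scheme is set to KERBEROS
         * @throws RuntimeException wrapping any failure to validate the principal, log in, or create the SASL server
         */
        public GSSAPISaslNegotiator(AuthenticationState authenticationState) {
            super();
            this.state = authenticationState;
            this.state.setActualScheme(AuthenticationScheme.KERBEROS);
            try {
                String servicePrincipalName = DseConfig.getDseServicePrincipal().asLocal();
                if (DseAuthenticator.logger.isTraceEnabled()) {
                    DseAuthenticator.logger.trace("[gssapi-negotiator] service principal = {}", servicePrincipalName);
                }
                KerberosServerUtils.validateServicePrincipal(servicePrincipalName);
                this.serverIdentity = KerberosServerUtils.loginServer(servicePrincipalName);
                // The original called iterator().next() unguarded; an empty principal set now fails with a
                // descriptive message instead of a NoSuchElementException (still wrapped by the catch below).
                if (this.serverIdentity.getPrincipals().isEmpty()) {
                    throw new IllegalStateException("Login for service principal " + servicePrincipalName + " yielded a Subject without principals");
                }
                String identityName = this.serverIdentity.getPrincipals().iterator().next().getName();
                if (DseAuthenticator.logger.isTraceEnabled()) {
                    DseAuthenticator.logger.trace("[gssapi-negotiator] service identity principal name = {}", identityName);
                }
                final ServicePrincipal servicePrincipal = new ServicePrincipal(identityName);
                // Anonymous class rather than a lambda: Subject.doAs is overloaded on PrivilegedAction and
                // PrivilegedExceptionAction, and a lambda would be ambiguous.
                this.saslServer = Subject.doAs(this.serverIdentity, new PrivilegedAction<SaslServer>() { // from class: com.datastax.bdp.cassandra.auth.DseAuthenticator.GSSAPISaslNegotiator.1
                    @Override // java.security.PrivilegedAction
                    public SaslServer run() {
                        try {
                            return Sasl.createSaslServer(SaslMechanism.GSSAPI.mechanism, servicePrincipal.service, servicePrincipal.host, SaslProperties.defaultProperties(ClientConfigurationFactory.getClientConfiguration()), new DseGSSCallbackHandler());
                        } catch (SaslException e) {
                            DseAuthenticator.logger.error("Error initialising SASL server", e);
                            throw new RuntimeException(e);
                        }
                    }
                });
            } catch (Exception e) {
                DseAuthenticator.logger.error("Error obtaining subject for server identity", e);
                throw new RuntimeException(e);
            }
        }

        /**
         * @return the user name derived from the captured authentication ID, or the authorization
         *         user when the authorize callback has not fired
         */
        @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseExternalSaslNegotiator
        protected String getAuthenticationUser() {
            if (this.authenticatedUser == null) {
                return getAuthorizationUser();
            }
            return KerberosServerUtils.getUserNameFromAuthzId(this.authenticatedUser);
        }

        /** @return the user name derived from the SASL server's authorization ID */
        @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseExternalSaslNegotiator
        protected String getAuthorizationUser() {
            return KerberosServerUtils.getUserNameFromAuthzId(this.saslServer.getAuthorizationID());
        }

        /** @return always {@code true}; Kerberos proves possession of a credential */
        @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseExternalSaslNegotiator
        protected boolean passwordSupplied() {
            return true;
        }

        /** @return the actual scheme recorded on the connection state */
        @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseExternalSaslNegotiator
        protected AuthenticationScheme getAuthenticationScheme() {
            return this.state.getActualScheme();
        }

        /**
         * Feeds one client token to the GSSAPI server inside the service login context.
         *
         * @param bArr the client token
         * @return the server token, or {@code null} when there is nothing to send
         * @throws CredentialsAuthenticationException on any SASL or privileged-action failure;
         *         the underlying exception is logged at debug level, not exposed to the client
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(final byte[] bArr) throws CredentialsAuthenticationException {
            try {
                return Subject.doAs(this.serverIdentity, new PrivilegedExceptionAction<byte[]>() { // from class: com.datastax.bdp.cassandra.auth.DseAuthenticator.GSSAPISaslNegotiator.2
                    @Override // java.security.PrivilegedExceptionAction
                    public byte[] run() throws CredentialsAuthenticationException {
                        try {
                            return GSSAPISaslNegotiator.this.saslServer.evaluateResponse(bArr);
                        } catch (SaslException e) {
                            DseAuthenticator.logger.debug("Kerberos sasl exception", e);
                            throw new CredentialsAuthenticationException();
                        }
                    }
                });
            } catch (PrivilegedActionException e) {
                // Previously dropped without a trace; keep the wrapped exception for diagnostics.
                DseAuthenticator.logger.debug("Kerberos privileged action failed", e.getException());
                throw new CredentialsAuthenticationException();
            }
        }

        /** @return whether the GSSAPI exchange has finished */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.saslServer.isComplete();
        }
    }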

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$InClusterSaslNegotiator.class */
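    /**
     * DIGEST-MD5 negotiator for node-to-node (in-cluster) authentication.
     *
     * <p>The client's user name is a Base64-encoded token id; the matching secret is read from
     * the {@link DigestTokensManager} and given to the JDK SASL server for digest verification.
     */
    public class InClusterSaslNegotiator extends DseSaslNegotiator {
        private final SaslServer saslServer;

        /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$InClusterSaslNegotiator$InClusterCallbackHandler.class */
        /** Looks up the in-cluster token secret for the presented token id. */
        public class InClusterCallbackHandler extends DseSaslNegotiator.DseSaslCallbackHandler {
            private final DigestTokensManager digestTokensManager;

            InClusterCallbackHandler(DigestTokensManager digestTokensManager) {
                super();
                this.digestTokensManager = digestTokensManager;
            }

            /**
             * Fills the password callback with the secret stored for the token id in the name callback.
             *
             * <p>Does nothing without a password callback. A missing name callback or null default
             * name, or an unknown token id, fails as a credentials error (unchecked, so it
             * propagates out of the SASL server rather than being reported as a {@link SaslException}).
             *
             * @param optional  name callback whose default name is the Base64 token id
             * @param optional2 password callback to populate
             * @throws IOException declared by the base hook; not thrown here
             */
            @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseSaslNegotiator.DseSaslCallbackHandler
            protected void handleNamePasswordCallback(Optional<NameCallback> optional, Optional<PasswordCallback> optional2) throws IOException {
                if (!optional2.isPresent()) {
                    return;
                }
                String encodedTokenId = optional
                        .flatMap(nameCallback -> Optional.ofNullable(nameCallback.getDefaultName()))
                        .orElseThrow(CredentialsAuthenticationException::new);
                byte[] tokenId = Base64.decodeBase64(encodedTokenId);
                Optional<Pair<byte[], Long>> stored = this.digestTokensManager.getPasswordById(tokenId, ConsistencyLevel.LOCAL_QUORUM);
                // Composed once; the original re-parsed the id for the error path and again for the log line.
                InClusterAuthenticator.TokenId parsedId = InClusterAuthenticator.TokenId.compose(tokenId);
                if (!stored.isPresent()) {
                    throw new CredentialsAuthenticationException(parsedId.username);
                }
                char[] passwordChars = InClusterAuthenticator.Credentials.getPasswordChars(stored.get().left);
                DseAuthenticator.logger.debug("Read password of {}", parsedId.username);
                optional2.get().setPassword(passwordChars);
            }

            @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseSaslNegotiator.DseSaslCallbackHandler, javax.security.auth.callback.CallbackHandler
            public /* bridge */ /* synthetic */ void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                super.handle(callbackArr);
            }
        }

        /**
         * Creates the DIGEST-MD5 server for one in-cluster connection.
         *
         * @param clientConfiguration source of the SASL properties
         * @param digestTokensManager store the callback handler reads token secrets from
         * @throws RuntimeException wrapping the {@link SaslException} if the JDK cannot create the server
         */
        public InClusterSaslNegotiator(ClientConfiguration clientConfiguration, DigestTokensManager digestTokensManager) {
            super();
            try {
                // Realm literal equals SASL_DEFAULT_REALM.
                this.saslServer = Sasl.createSaslServer("DIGEST-MD5", (String) null, "default", SaslProperties.defaultProperties(clientConfiguration), new InClusterCallbackHandler(digestTokensManager));
            } catch (SaslException e) {
                DseAuthenticator.logger.error("Error initialising SASL server", e);
                throw new RuntimeException(e);
            }
        }

        /**
         * @return the user encoded in the SASL authorization ID (token id), with its auth context
         * @throws CredentialsAuthenticationException declared by the interface; not thrown here
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws CredentialsAuthenticationException {
            InClusterAuthenticator.TokenId tokenId = InClusterAuthenticator.TokenId.compose(this.saslServer.getAuthorizationID());
            return new AuthenticatedUser(tokenId.username, tokenId.authContext);
        }

        /**
         * Feeds one client message to the DIGEST-MD5 server.
         *
         * @param bArr the client response, may be {@code null} for the initial step
         * @return the server challenge, or {@code null} when there is nothing to send
         * @throws CredentialsAuthenticationException on any SASL failure (logged at debug level,
         *         matching the GSSAPI negotiator; the original dropped it silently)
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws CredentialsAuthenticationException {
            try {
                DseAuthenticator.logger.debug("Evaluating input token {}", bArr == null ? "null" : Integer.valueOf(bArr.length));
                return this.saslServer.evaluateResponse(bArr);
            } catch (SaslException e) {
                DseAuthenticator.logger.debug("In-cluster DIGEST-MD5 sasl exception", e);
                throw new CredentialsAuthenticationException();
            }
        }

        /** @return whether the SASL exchange has finished */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.saslServer.isComplete();
        }
    }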

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$InProcAuthenticatedUser.class */
    /**
     * Identity handed to in-process callers that redeem a one-time token.
     *
     * <p>Reports itself as both a superuser and anonymous. NOTE(review): that combination is
     * unusual — presumably superuser so in-process work bypasses permission checks and anonymous
     * so it is not treated as a named role; confirm against the callers of
     * {@code InProcessSaslNegotiator}.
     */
    private static class InProcAuthenticatedUser extends AuthenticatedUser {
        private static final String INPROC_USERNAME = "dse_inproc_user";

        /** Creates the fixed in-process identity under the INTERNAL scheme. */
        public InProcAuthenticatedUser() {
            super(INPROC_USERNAME, AuthenticationScheme.INTERNAL);
        }

        /** @return always {@code true} */
        @Override // org.apache.cassandra.auth.AuthenticatedUser
        public boolean isAnonymous() {
            return true;
        }

        /** @return always {@code true} */
        @Override // org.apache.cassandra.auth.AuthenticatedUser
        public boolean isSuper() {
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$InProcessSaslNegotiator.class */
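    /**
     * Negotiator for callers inside the same process: the client echoes back a one-time token
     * previously issued by {@link #generateOneTimeToken()} and is granted {@link InProcAuthenticatedUser}.
     */
    public static class InProcessSaslNegotiator implements IAuthenticator.SaslNegotiator {
        private boolean complete = false;
        private static final int CACHE_VALIDITY_IN_S = 5;
        // Outstanding one-time tokens; an entry disappears when redeemed or after CACHE_VALIDITY_IN_S
        // (the original inlined the literal 5 here instead of using the constant).
        private static final Cache<UUID, UUID> uuidCache = CacheBuilder.newBuilder().expireAfterWrite(CACHE_VALIDITY_IN_S, TimeUnit.SECONDS).build();
        private static final InProcAuthenticatedUser INPROC_USER = new InProcAuthenticatedUser();
        // A serialized UUID is two longs; shorter input cannot be a token.
        private static final int UUID_BYTES = 16;

        protected InProcessSaslNegotiator() {
        }

        /**
         * Issues a single-use token and remembers it for {@code CACHE_VALIDITY_IN_S} seconds.
         *
         * <p>NOTE(review): the token is a time-based UUID, not a random value, so its secrecy
         * rests on the short validity window and on the token never leaving the process —
         * confirm that is the deployment contract.
         *
         * @return the serialized UUID the client must send back via {@link #evaluateResponse}
         */
        public static byte[] generateOneTimeToken() {
            UUID token = UUIDGen.getTimeUUID();
            uuidCache.put(token, token);
            return UUIDSerializer.instance.serialize(token).array();
        }

        /**
         * Redeems the token in {@code bArr}; succeeds at most once per token.
         *
         * @param bArr the serialized UUID from {@link #generateOneTimeToken()}
         * @return always {@code null}; the exchange completes in a single step
         * @throws AuthenticationException as {@link CredentialsAuthenticationException} when the
         *         payload is null or too short, does not deserialize, or is not an outstanding token
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws AuthenticationException {
            // Null or truncated input previously escaped as a runtime exception from the
            // deserializer; treat it as bad credentials like any other invalid token.
            if (bArr == null || bArr.length < UUID_BYTES) {
                throw new CredentialsAuthenticationException();
            }
            UUID presented = UUIDSerializer.instance.deserialize(ByteBuffer.wrap(bArr));
            // remove() on the ConcurrentMap view is atomic, so concurrent redemptions of the same
            // token cannot both succeed (the original getIfPresent()/invalidate() pair could race).
            if (presented == null || uuidCache.asMap().remove(presented) == null) {
                throw new CredentialsAuthenticationException();
            }
            this.complete = true;
            return null;
        }

        /** @return whether a token has been redeemed on this negotiator */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.complete;
        }

        /** @return the shared in-process identity */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException {
            return INPROC_USER;
        }
    }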

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$PlainTextSaslNegotiator.class */
    /**
     * SASL PLAIN negotiator: parses the single client message into credentials and delegates
     * verification to {@code DseAuthenticator.plainTextAuthenticate}.
     */
    public class PlainTextSaslNegotiator extends DseExternalSaslNegotiator {
        private final AuthenticationState state;
        private boolean complete;
        // Populated by evaluateResponse; the getters below dereference it, so they expect that call to have happened.
        private Credentials credentials;

        public PlainTextSaslNegotiator(AuthenticationState authenticationState) {
            super();
            this.complete = false;
            this.state = authenticationState;
        }

        /** @return the authentication user parsed from the PLAIN message */
        @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseExternalSaslNegotiator
        protected String getAuthenticationUser() {
            return this.credentials.authenticationUser;
        }

        /** @return the authorization user parsed from the PLAIN message, possibly empty */
        @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseExternalSaslNegotiator
        protected String getAuthorizationUser() {
            return this.credentials.authorizationUser;
        }

        /** @return whether the parsed password is non-empty */
        @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseExternalSaslNegotiator
        protected boolean passwordSupplied() {
            String password = this.credentials.password;
            return !StringUtils.isEmpty(password);
        }

        /** @return the actual scheme recorded on the connection state */
        @Override // com.datastax.bdp.cassandra.auth.DseAuthenticator.DseExternalSaslNegotiator
        protected AuthenticationScheme getAuthenticationScheme() {
            return this.state.getActualScheme();
        }

        /**
         * Parses the PLAIN message ({@code authzid NUL authcid NUL passwd}) and runs authentication.
         *
         * <p>Authentication or proxy-authorization failures are recorded in
         * {@code authenticationError}/{@code authenticationException} for
         * {@link #getAuthenticatedUser()} to act on; the exchange always completes after this call.
         *
         * @param bArr the client message
         * @return always {@code null}
         * @throws CredentialsAuthenticationException if the message does not contain two NUL separators
         */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws CredentialsAuthenticationException {
            int firstNul = ArrayUtils.indexOf(bArr, (byte) 0);
            int secondNul = ArrayUtils.indexOf(bArr, (byte) 0, firstNul + 1);
            if (firstNul < 0 || secondNul < 0) {
                throw new CredentialsAuthenticationException();
            }
            String authzId = utf8Slice(bArr, 0, firstNul);
            String authcId = utf8Slice(bArr, firstNul + 1, secondNul);
            String password = utf8Slice(bArr, secondNul + 1, bArr.length);
            // Argument order (authentication user, password, authorization user) is taken from the original call — confirm against Credentials.
            this.credentials = new Credentials(authcId, password, authzId);
            try {
                DseAuthenticator.this.plainTextAuthenticate(this.credentials, this.state);
                boolean proxyAllowed = authorize(this.credentials.authenticationUser, this.credentials.authorizationUser);
                if (!proxyAllowed) {
                    this.authenticationError = true;
                }
            } catch (AuthenticationException e) {
                this.authenticationError = true;
                this.authenticationException = e;
            }
            this.complete = true;
            return null;
        }

        /**
         * Decodes {@code bytes[from, to)} as UTF-8.
         *
         * @param bytes source array
         * @param from  first index, inclusive
         * @param to    end index, exclusive
         * @return the decoded text
         */
        private String utf8Slice(byte[] bytes, int from, int to) {
            return new String(bytes, from, to - from, StandardCharsets.UTF_8);
        }

        /** @return whether {@link #evaluateResponse} has run */
        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.complete;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$TransitionalMode.class */
    /**
     * Transitional-authentication modes.
     *
     * <p>In this file the mode only matters when an external authentication fails:
     * {@link DseExternalSaslNegotiator#getAuthenticatedUser()} returns the anonymous user under
     * {@code PERMISSIVE} and {@code NORMAL}, and raises the failure under {@code DISABLED} and
     * {@code STRICT}. Any further distinction between the values is made elsewhere.
     */
    public enum TransitionalMode {
        DISABLED,
        PERMISSIVE,
        NORMAL,
        STRICT
    }

    /* loaded from: input_file:com/datastax/bdp/cassandra/auth/DseAuthenticator$UnifiedSaslNegotiator.class */
    protected class UnifiedSaslNegotiator implements IAuthenticator.SaslNegotiator {
        private final AuthenticationState authenticationState = new AuthenticationState();
        private IAuthenticator.SaslNegotiator selectedNegotiator;

        public UnifiedSaslNegotiator(InetAddress inetAddress) {
            this.authenticationState.setClientAddress(inetAddress);
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws CredentialsAuthenticationException {
            try {
                if (this.selectedNegotiator == null) {
                    boolean z = false;
                    for (AuthenticationScheme authenticationScheme : AuthenticationScheme.values()) {
                        if (Arrays.equals(authenticationScheme.saslMechanism.mechanism_bytes, bArr)) {
                            z = true;
                            if (DseAuthenticator.this.usingScheme(authenticationScheme)) {
                                this.authenticationState.setSelectedScheme(authenticationScheme);
                                this.selectedNegotiator = DseAuthenticator.this.getSaslNegotiatorForScheme(this.authenticationState);
                                return authenticationScheme.saslMechanism.response;
                            }
                        }
                    }
                    if (z) {
                        throw new CredentialsAuthenticationException();
                    }
                    this.authenticationState.setSelectedScheme(DseAuthenticator.this.defaultScheme);
                    this.authenticationState.setLegacy(true);
                    this.selectedNegotiator = DseAuthenticator.this.getSaslNegotiatorForScheme(this.authenticationState);
                }
                return this.selectedNegotiator.evaluateResponse(bArr);
            } catch (CredentialsAuthenticationException e) {
                throw maybeRecordFailedAuthentication(this.authenticationState.getClientAddress().toString(), e);
            }
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return this.selectedNegotiator != null && this.selectedNegotiator.isComplete();
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws CredentialsAuthenticationException {
            try {
                if (this.selectedNegotiator == null) {
                    throw new CredentialsAuthenticationException();
                }
                AuthenticatedUser authenticatedUser = this.selectedNegotiator.getAuthenticatedUser();
                DseAuthenticator.this.checkPermissions(authenticatedUser, this.authenticationState);
                maybeLogAuthentication(authenticatedUser);
                return authenticatedUser;
            } catch (CredentialsAuthenticationException e) {
                throw maybeRecordFailedAuthentication(String.valueOf(this.authenticationState.getClientAddress()), e);
            }
        }

        /**
         * Exposes the scheme-specific negotiator chosen during {@code evaluateResponse}, for tests.
         *
         * @return the selected negotiator, or {@code null} if none has been selected yet
         */
        @VisibleForTesting
        IAuthenticator.SaslNegotiator getSelectedNegotiator() {
            final IAuthenticator.SaslNegotiator current = this.selectedNegotiator;
            return current;
        }

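        /**
         * Records a LOGIN audit event for a successful negotiation when audit logging is enabled.
         *
         * <p>Uses {@link DseAuthenticator#getAuthenticationName} instead of re-implementing the
         * proxy-user unwrapping, and {@code String.valueOf} for the client address so that a
         * missing address yields an event with "null" rather than an NPE that silently drops the
         * audit record (the sibling failure path already does this).
         *
         * @param authenticatedUser the user that completed authentication; for proxy logins the
         *        audit line names the principal that actually authenticated
         */
        private void maybeLogAuthentication(AuthenticatedUser authenticatedUser) {
            if (!AuditLogger.getInstance().isEnabled()) {
                return;
            }
            try {
                final String name = DseAuthenticator.getAuthenticationName(authenticatedUser);
                final String clientAddress = String.valueOf(this.authenticationState.getClientAddress());
                final String operation = DatabaseDescriptor.getRoleManager().canLogin(authenticatedUser)
                        ? "Successful login for user - " + name
                        : "User - " + name + " - does not exist";
                AuditLogger.getInstance().recordEvent(new AuditableEvent.Builder(authenticatedUser, clientAddress)
                        .type(AuditableEventType.LOGIN)
                        .operation(operation)
                        .build());
            } catch (Exception e) {
                // Auditing must never turn an otherwise successful login into a failure.
                DseAuthenticator.logger.debug("Failed to record the event:", e);
            }
        }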

        /**
         * Logs a failed authentication at debug level, records a LOGIN_ERROR audit event when audit
         * logging is enabled, and hands the exception back so the caller can rethrow it.
         *
         * @param str the client address the attempt came from, as text
         * @param credentialsAuthenticationException the failure; its authorization and
         *        authentication user names are copied into the audit event
         * @return the same exception instance that was passed in
         */
        private CredentialsAuthenticationException maybeRecordFailedAuthentication(String str, CredentialsAuthenticationException credentialsAuthenticationException) {
            DseAuthenticator.logger.debug("Failed to authenticate from {}: ", str, credentialsAuthenticationException);
            if (!AuditLogger.getInstance().isEnabled()) {
                return credentialsAuthenticationException;
            }
            try {
                final String operation = "Failed login attempt for user - " + credentialsAuthenticationException.authenticationUser;
                AuditLogger.getInstance().recordEvent(new AuditableEvent.Builder(
                        AuditableEventType.LOGIN_ERROR,
                        credentialsAuthenticationException.authorizationUser,
                        credentialsAuthenticationException.authenticationUser,
                        str).operation(operation).build());
            } catch (Exception e) {
                // A broken audit sink must not mask the original authentication failure.
                DseAuthenticator.logger.debug("Failed to record the event:", e);
            }
            return credentialsAuthenticationException;
        }
    }

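    /**
     * Creates an authenticator whose enabled flag is read from {@link DseConfig}.
     *
     * <p>Delegates to the boolean constructor so the field initialisation (allowed schemes,
     * transitional mode, scheme-permission flag) lives in one place.
     */
    public DseAuthenticator() {
        this(DseConfig.isAuthenticationEnabled());
    }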

    /**
     * Creates an authenticator with an explicit enabled flag.
     *
     * <p>Schemes are added later by {@code setAuthSchemes}/{@code validateConfiguration};
     * until then the transitional mode is DISABLED and scheme permissions are not enforced.
     *
     * @param z whether authentication is required at all
     */
    public DseAuthenticator(boolean z) {
        // Insertion order matters: the default scheme is added first and tried first.
        this.allowedSchemes = new LinkedHashSet<>();
        this.transitionalMode = TransitionalMode.DISABLED;
        this.schemePermissions = false;
        this.enabled = z;
    }

    /**
     * Returns the name of the principal that actually authenticated.
     *
     * @param authenticatedUser a plain or proxy user
     * @return for a proxy login the name of the authenticating (not the authorized) user,
     *         otherwise the user's own name
     */
    public static String getAuthenticationName(AuthenticatedUser authenticatedUser) {
        if (authenticatedUser instanceof ProxyAuthenticatedUser) {
            return ((ProxyAuthenticatedUser) authenticatedUser).authenticatedUser.getName();
        }
        return authenticatedUser.getName();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Wraps an authenticated user in a proxy user for the given role name, keeping the
     * original user's auth context. (Originally package-private; the decompiler widened it.)
     *
     * @param authenticatedUser the user that authenticated
     * @param str the name of the user being proxied
     * @return the proxy user pairing the two principals
     */
    public static AuthenticatedUser proxy(AuthenticatedUser authenticatedUser, String str) {
        final AuthenticatedUser target = new AuthenticatedUser(str, authenticatedUser.getAuthContext());
        return new ProxyAuthenticatedUser(authenticatedUser, target);
    }

    /**
     * Whether clients must authenticate at all.
     *
     * @return the enabled flag given to, or read from config by, the constructor
     */
    @Override
    public boolean requireAuthentication() {
        final boolean required = this.enabled;
        return required;
    }

    /**
     * Resources this authenticator needs protected from modification.
     *
     * @return always an empty set; nothing is reserved here
     */
    @Override
    public Set<IResource> protectedResources() {
        return Collections.<IResource>emptySet();
    }

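    /**
     * Configures the default and additionally permitted authentication schemes.
     *
     * <p>Scheme names are upper-cased with {@code Locale.ROOT}: the names are configuration
     * constants, and under a locale such as tr_TR the default-locale {@code toUpperCase()} maps
     * "internal" to "İNTERNAL", which {@code Enum.valueOf} rejects.
     *
     * @param authenticationScheme the default scheme, added first and tried first
     * @param set names of further schemes to allow, matched case-insensitively
     * @param z whether digest/token authentication may be offered alongside Kerberos
     * @throws IllegalArgumentException if a name in {@code set} is not an {@code AuthenticationScheme}
     */
    @VisibleForTesting
    void setAuthSchemes(AuthenticationScheme authenticationScheme, Set<String> set, boolean z) {
        this.defaultScheme = authenticationScheme;
        this.allowedSchemes.add(this.defaultScheme);
        // The two node-internal schemes are always permitted.
        this.allowedSchemes.add(AuthenticationScheme.INPROCESS);
        this.allowedSchemes.add(AuthenticationScheme.INCLUSTER);
        for (String schemeName : set) {
            this.allowedSchemes.add(AuthenticationScheme.valueOf(schemeName.toUpperCase(java.util.Locale.ROOT)));
        }
        // Token (digest) auth is only offered next to Kerberos, and only when explicitly allowed.
        if (usingScheme(AuthenticationScheme.KERBEROS) && z) {
            this.allowedSchemes.add(AuthenticationScheme.TOKEN);
        }
    }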

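    /**
     * Reads the scheme and transitional-mode settings from {@link DseConfig} and validates the
     * scheme-specific prerequisites (readable keytab for Kerberos, valid LDAP options).
     *
     * <p>Config values are upper-cased with {@code Locale.ROOT} so that enum lookup does not
     * depend on the JVM's default locale (see {@code setAuthSchemes}).
     *
     * @throws ConfigurationException if the keytab is unreadable or the LDAP options are invalid
     */
    @Override
    public void validateConfiguration() throws ConfigurationException {
        final String defaultSchemeName = DseConfig.getDefaultAuthenticationScheme().toUpperCase(java.util.Locale.ROOT);
        setAuthSchemes(AuthenticationScheme.valueOf(defaultSchemeName), DseConfig.getOtherAuthenticationSchemes(), DseConfig.isAllowDigestWithKerberos());
        this.transitionalMode = TransitionalMode.valueOf(DseConfig.getAuthenticationTransitionalMode().toUpperCase(java.util.Locale.ROOT));
        if (!this.enabled) {
            // Nothing to validate when authentication is switched off.
            return;
        }
        if (usingScheme(AuthenticationScheme.KERBEROS)) {
            validateKeytab();
        }
        if (usingScheme(AuthenticationScheme.LDAP)) {
            final LdapConfig ldapConfig = DseConfig.getLdapConfig();
            ConfigUtil.maybeThrowCombinedConfigurationException("LDAP configuration failed - please check ldap_options section in dse.yaml and fix the following problem", ldapConfig.connectionConfig.validate(), ldapConfig.searchConfig.validateForUserSearches());
        }
    }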

    /* JADX INFO: Access modifiers changed from: protected */
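    /**
     * Verifies that the configured DSE service keytab exists and is readable.
     * (Originally protected; the decompiler widened it.)
     *
     * <p>The config value is read once so the check and the error message refer to the same path.
     *
     * @throws ConfigurationException if no keytab is configured or the file cannot be read
     */
    public void validateKeytab() throws ConfigurationException {
        final String keytabPath = DseConfig.getDseServiceKeytab();
        if (keytabPath == null || !new File(keytabPath).canRead()) {
            throw new ConfigurationException(String.format(KEYTAB_UNREADABLE_ERROR, keytabPath));
        }
    }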

    /**
     * Initialises the scheme back-ends that are in use (LDAP, internal password auth) and
     * decides whether per-scheme permissions will be enforced.
     */
    @Override
    public void setup() {
        if (usingScheme(AuthenticationScheme.LDAP)) {
            final Ldap ldap = getLdapInstance();
            ldap.setupWith(DseConfig.getLdapConfig(), false);
            ldap.installJMXBean();
            DnsServiceDiscoveryBasedLdapConfigurator.instance.maybeConfigure(ldap);
        }
        if (usingScheme(AuthenticationScheme.INTERNAL)) {
            setupInternalAuthenticator(new PasswordAuthenticator());
        }
        // Scheme permissions are only enforceable when the DSE authorizer is the active one.
        setCheckSchemePermissions(DseConfig.isAuthenticationSchemePermissions() && (DatabaseDescriptor.getAuthorizer() instanceof DseAuthorizer));
    }

    /**
     * Installs and initialises the password authenticator used for the INTERNAL scheme.
     *
     * @param passwordAuthenticator the delegate; its {@code setup()} is run immediately
     */
    @VisibleForTesting
    void setupInternalAuthenticator(PasswordAuthenticator passwordAuthenticator) {
        passwordAuthenticator.setup();
        this.internalAuthenticator = passwordAuthenticator;
    }

    /**
     * Turns enforcement of per-scheme EXECUTE permissions on or off.
     *
     * @param z {@code true} to enforce scheme permissions in {@code checkPermissions}
     */
    @VisibleForTesting
    void setCheckSchemePermissions(boolean z) {
        final boolean enforce = z;
        this.schemePermissions = enforce;
    }

    /**
     * @return whether authentication is enabled and Kerberos is the default scheme
     */
    public boolean isKerberosDefaultScheme() {
        if (!this.enabled) {
            return false;
        }
        return this.defaultScheme == AuthenticationScheme.KERBEROS;
    }

    /**
     * @return whether authentication is enabled and Kerberos is an allowed scheme
     */
    public boolean isKerberosEnabled() {
        if (!this.enabled) {
            return false;
        }
        return usingScheme(AuthenticationScheme.KERBEROS);
    }

    /**
     * @return whether authentication is enabled and LDAP is an allowed scheme
     */
    public boolean isLdapAuthEnabled() {
        if (!this.enabled) {
            return false;
        }
        return usingScheme(AuthenticationScheme.LDAP);
    }

    /**
     * @return whether authentication is enabled and at least one password-based scheme
     *         (INTERNAL or LDAP) is allowed
     */
    public boolean isPlainTextAuthEnabled() {
        if (!this.enabled) {
            return false;
        }
        return usingScheme(AuthenticationScheme.INTERNAL) || usingScheme(AuthenticationScheme.LDAP);
    }

    /**
     * @return whether authentication is enabled and the INTERNAL scheme is allowed
     */
    public boolean isInternalAuthEnabled() {
        if (!this.enabled) {
            return false;
        }
        return usingScheme(AuthenticationScheme.INTERNAL);
    }

    /**
     * @return whether authentication is enabled and the TOKEN (digest) scheme is allowed
     */
    public boolean isDigestAuthEnabled() {
        if (!this.enabled) {
            return false;
        }
        return usingScheme(AuthenticationScheme.TOKEN);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Whether the given scheme is in the allowed set. (Originally private; the decompiler widened it.)
     *
     * @param authenticationScheme the scheme to look up
     * @return {@code true} if the scheme was added by {@code setAuthSchemes}
     */
    public boolean usingScheme(AuthenticationScheme authenticationScheme) {
        final boolean allowed = this.allowedSchemes.contains(authenticationScheme);
        return allowed;
    }

    /**
     * Starts a new SASL negotiation for a client connection.
     *
     * @param inetAddress the client's address, kept for permission checks and audit records
     * @return a negotiator that picks the concrete scheme from the client's first response
     */
    @Override
    public IAuthenticator.SaslNegotiator newSaslNegotiator(InetAddress inetAddress) {
        final UnifiedSaslNegotiator negotiator = new UnifiedSaslNegotiator(inetAddress);
        return negotiator;
    }

    /* JADX INFO: Access modifiers changed from: private */
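    /**
     * Decides whether a legacy (credential-map) login is downgraded to the anonymous user
     * without being verified, according to the transitional mode.
     * (Originally private; the decompiler widened it.)
     *
     * <p>The PERMISSIVE comparison is written as {@code "cassandra".equals(str)} so a missing
     * user name is downgraded instead of throwing an NPE; the NORMAL/STRICT branch was already
     * null-safe via {@code StringUtils.isEmpty}.
     *
     * @param str the user name supplied by the client, possibly {@code null} or empty
     * @param z whether a non-empty password was supplied
     * @return {@code true} if the login must be treated as anonymous
     */
    public boolean forceAnonymous(String str, boolean z) {
        switch (this.transitionalMode) {
            case PERMISSIVE:
                // Only the "cassandra" account is actually authenticated; everyone else is anonymous.
                return !"cassandra".equals(str);
            case NORMAL:
            case STRICT:
                // Only a login that supplied neither user name nor password is downgraded.
                return StringUtils.isEmpty(str) && !z;
            default:
                // DISABLED: every login is verified.
                return false;
        }
    }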

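    /**
     * Decodes an HTTP Basic credential token ({@code base64(user:password)}) into
     * {@link Credentials}.
     *
     * <p>Changes from the previous version: the decoded bytes are read as UTF-8 instead of the
     * platform charset; the split is limited to the first {@code ':'} (RFC 7617 forbids a colon
     * in the user-id but allows it in the password); and the decode failure handler is narrowed
     * so that the {@code CredentialsAuthenticationException} carrying the attempted user name is
     * no longer swallowed and replaced by an anonymous one.
     *
     * @param str the Base64 token, without the "Basic " prefix
     * @return the decoded credentials
     * @throws CredentialsAuthenticationException if the token cannot be decoded, has no
     *         {@code ':'} separator, or names a user without supplying a password
     */
    public static Credentials decodeHttpBasicCredentials(String str) {
        final byte[] decoded;
        try {
            decoded = Base64.decodeBase64(str);
        } catch (RuntimeException e) {
            logger.debug("Failed to decode credentials from Base64", e);
            throw new CredentialsAuthenticationException();
        }
        if (decoded == null) {
            logger.debug("Failed to decode credentials from Base64");
            throw new CredentialsAuthenticationException();
        }
        // Limit 2: only the first ':' separates user-id from password.
        final String[] parts = new String(decoded, StandardCharsets.UTF_8).split(":", 2);
        if (parts.length != 2) {
            throw new CredentialsAuthenticationException();
        }
        final String user = parts[0];
        final String password = parts[1];
        if (StringUtils.isNotBlank(user) && StringUtils.isBlank(password)) {
            // Keep the user name so the failed attempt can be audited against it.
            throw new CredentialsAuthenticationException(user);
        }
        return new Credentials(user, password);
    }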

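    /**
     * Authenticates a user name/password pair against each allowed password-based scheme in
     * turn (INTERNAL, LDAP), returning on the first success.
     *
     * <p>Legacy clients negotiated no scheme, so only the default scheme is tried for them.
     * Provider errors (backend unreachable etc.) are merged and rethrown if no scheme succeeds;
     * plain rejections by one scheme are logged at debug level and the next scheme is tried —
     * previously they were silently discarded, which made multi-scheme failures hard to diagnose.
     *
     * @param credentials the user name and password to verify
     * @param authenticationState negotiation state; its actual scheme is set to each scheme as it is tried
     * @return the authenticated user, tagged with the scheme that accepted the credentials
     * @throws ProviderAuthenticationException if at least one scheme failed for a provider reason
     * @throws CredentialsAuthenticationException if every scheme rejected the credentials
     */
    public AuthenticatedUser plainTextAuthenticate(Credentials credentials, AuthenticationState authenticationState) throws AuthenticationException {
        ProviderAuthenticationException providerFailure = null;
        for (AuthenticationScheme scheme : authenticationState.isLegacy() ? Collections.singleton(this.defaultScheme) : this.allowedSchemes) {
            try {
                final AuthenticatedUser candidate = new AuthenticatedUser(credentials.authenticationUser, scheme);
                authenticationState.setActualScheme(scheme);
                switch (scheme) {
                    case INTERNAL:
                        // Scheme permission is checked on the claimed name before the password is verified.
                        checkPermissions(candidate, authenticationState);
                        return new AuthenticatedUser(this.internalAuthenticator.legacyAuthenticate(credentials.toMap()).getName(), scheme);
                    case LDAP:
                        checkPermissions(candidate, authenticationState);
                        return new AuthenticatedUser(getLdapInstance().getManager().authenticate(credentials).getName(), scheme);
                    default:
                        // Non-password schemes cannot consume plain-text credentials.
                        break;
                }
            } catch (ProviderAuthenticationException e) {
                providerFailure = (ProviderAuthenticationException) Throwables.merge(providerFailure, e);
            } catch (AuthenticationException e) {
                // Best effort across schemes: a rejection here does not stop the remaining schemes.
                logger.debug("Plain text authentication with scheme {} failed for user {}", scheme, credentials.authenticationUser, e);
            }
        }
        if (providerFailure != null) {
            throw providerFailure;
        }
        throw new CredentialsAuthenticationException(credentials.authorizationUser, credentials.authenticationUser);
    }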

    /**
     * Hook for tests to substitute the LDAP singleton.
     *
     * @return the process-wide {@code Ldap.instance}
     */
    @VisibleForTesting
    Ldap getLdapInstance() {
        final Ldap ldap = Ldap.instance;
        return ldap;
    }

    /**
     * Authenticates from a credential map (the pre-SASL protocol path).
     *
     * <p>Order of decisions: disabled authentication and the transitional-mode downgrade in
     * {@code forceAnonymous} short-circuit to the anonymous user; a user name with a password
     * goes through the password schemes, a user name without one is treated as a Kerberos
     * authorization id when Kerberos is allowed. In PERMISSIVE and NORMAL transitional modes
     * any authentication failure is deliberately tolerated by admitting the client as anonymous.
     *
     * @param map the client-supplied credential map
     * @return the authenticated user, or {@code AuthenticatedUser.ANONYMOUS_USER} where the
     *         transitional mode allows it
     * @throws CredentialsAuthenticationException if authentication fails and the transitional
     *         mode does not tolerate it
     */
    @Override
    public AuthenticatedUser legacyAuthenticate(Map<String, String> map) throws CredentialsAuthenticationException {
        if (!this.enabled) {
            return AuthenticatedUser.ANONYMOUS_USER;
        }
        final Credentials credentials = new Credentials(map);
        final boolean hasPassword = !StringUtils.isEmpty(credentials.password);
        if (forceAnonymous(credentials.authenticationUser, hasPassword)) {
            return AuthenticatedUser.ANONYMOUS_USER;
        }
        final AuthenticationState state = new AuthenticationState();
        try {
            AuthenticatedUser user = null;
            final boolean hasUserName = StringUtils.isNotEmpty(credentials.authenticationUser);
            if (hasUserName && StringUtils.isNotEmpty(credentials.password)) {
                user = plainTextAuthenticate(credentials, state);
            } else if (hasUserName && usingScheme(AuthenticationScheme.KERBEROS)) {
                state.setActualScheme(AuthenticationScheme.KERBEROS);
                user = KerberosServerUtils.getUserFromAuthzId(credentials.authenticationUser, AuthenticationScheme.KERBEROS);
            }
            if (user == null) {
                throw new CredentialsAuthenticationException(credentials.authenticationUser);
            }
            checkPermissions(user, state);
            return user;
        } catch (AuthenticationException e) {
            final boolean tolerated = this.transitionalMode == TransitionalMode.PERMISSIVE
                    || this.transitionalMode == TransitionalMode.NORMAL;
            if (tolerated) {
                return AuthenticatedUser.ANONYMOUS_USER;
            }
            throw e;
        }
    }

    /**
     * Convenience overload: checks scheme permissions for a user against a scheme, using a
     * fresh {@link AuthenticationState}.
     *
     * @param authenticatedUser the user to check
     * @param authenticationScheme the scheme the user authenticated with
     * @throws CredentialsAuthenticationException if the user may not use the scheme
     */
    public void checkPermissions(AuthenticatedUser authenticatedUser, AuthenticationScheme authenticationScheme) throws CredentialsAuthenticationException {
        final AuthenticationState state = new AuthenticationState();
        state.setActualScheme(authenticationScheme);
        checkPermissions(authenticatedUser, state);
    }

    /**
     * Enforces that the authenticating principal holds EXECUTE on the resource of the scheme
     * it used (or on a parent resource in the chain).
     *
     * <p>The check is skipped when it already ran for this negotiation, when the principal is a
     * superuser, when scheme permissions are not enabled, and — transitional modes — whenever the
     * mode is PERMISSIVE or NORMAL, or STRICT with an anonymous principal. For proxy logins the
     * principal that authenticated (not the one being proxied) is the one checked.
     *
     * @param authenticatedUser plain or proxy user
     * @param authenticationState carries the actual scheme and remembers a passed check
     * @throws CredentialsAuthenticationException if the principal has no name or lacks the permission
     */
    @VisibleForTesting
    void checkPermissions(AuthenticatedUser authenticatedUser, AuthenticationState authenticationState) throws AuthenticationException {
        if (authenticationState.isPermissionsChecked()) {
            return;
        }
        final boolean proxied = authenticatedUser instanceof ProxyAuthenticatedUser;
        final AuthenticatedUser principal = proxied
                ? ((ProxyAuthenticatedUser) authenticatedUser).authenticatedUser
                : authenticatedUser;
        if (StringUtils.isEmpty(principal.getName())) {
            throw new CredentialsAuthenticationException(principal.getName());
        }
        if (principal.isSuper() || !this.schemePermissions) {
            return;
        }
        final boolean enforce = this.transitionalMode == TransitionalMode.DISABLED
                || (this.transitionalMode == TransitionalMode.STRICT && !principal.isAnonymous());
        if (!enforce) {
            return;
        }
        final Iterator<? extends IResource> resources = Resources.chain(AuthenticationSchemeResource.scheme(authenticationState.getActualScheme())).iterator();
        while (resources.hasNext()) {
            if (principal.getPermissions(resources.next()).contains(CorePermission.EXECUTE)) {
                authenticationState.setPermissionsChecked(true);
                return;
            }
        }
        if (proxied) {
            final ProxyAuthenticatedUser proxy = (ProxyAuthenticatedUser) authenticatedUser;
            throw new CredentialsAuthenticationException(proxy.authorizedUser.getName(), proxy.authenticatedUser.getName());
        }
        throw new CredentialsAuthenticationException(authenticatedUser.getName());
    }

    /**
     * Factory hook (overridable in tests) for the PLAIN mechanism negotiator.
     *
     * @param authenticationState the negotiation state shared with the unified negotiator
     * @return a new plain-text negotiator
     */
    @VisibleForTesting
    PlainTextSaslNegotiator createPlainTextSaslNegotiator(AuthenticationState authenticationState) {
        final PlainTextSaslNegotiator negotiator = new PlainTextSaslNegotiator(authenticationState);
        return negotiator;
    }

    /**
     * Factory hook (overridable in tests) for the DIGEST mechanism negotiator.
     *
     * @param authenticationState the negotiation state shared with the unified negotiator
     * @return a new Digest-MD5 negotiator
     */
    @VisibleForTesting
    DigestMD5SaslNegotiator createDigestMD5SaslNegotiator(AuthenticationState authenticationState) {
        final DigestMD5SaslNegotiator negotiator = new DigestMD5SaslNegotiator(authenticationState);
        return negotiator;
    }

    /**
     * Factory hook (overridable in tests) for the GSSAPI (Kerberos) negotiator.
     *
     * @param authenticationState the negotiation state shared with the unified negotiator
     * @return a new GSSAPI negotiator
     */
    @VisibleForTesting
    GSSAPISaslNegotiator createGSSAPISaslNegotiator(AuthenticationState authenticationState) {
        final GSSAPISaslNegotiator negotiator = new GSSAPISaslNegotiator(authenticationState);
        return negotiator;
    }

    /**
     * Factory hook (overridable in tests) for the INCLUSTER (node-to-node) negotiator.
     *
     * @param clientConfiguration client configuration handed to the negotiator
     * @param digestTokensManager token manager used to verify in-cluster credentials
     * @return a new in-cluster negotiator
     */
    @VisibleForTesting
    InClusterSaslNegotiator createInClusterSaslNegotiator(ClientConfiguration clientConfiguration, DigestTokensManager digestTokensManager) {
        final InClusterSaslNegotiator negotiator = new InClusterSaslNegotiator(clientConfiguration, digestTokensManager);
        return negotiator;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Picks the mechanism-specific negotiator for the scheme selected in the state.
     * (Originally private; the decompiler widened it.)
     *
     * <p>PLAIN sends the password in the clear, so when client encryption is off the configured
     * plain-text-without-SSL policy is consulted: {@code "block"} rejects the handshake,
     * {@code "warn"} logs a warning and proceeds, and any other value proceeds silently.
     *
     * @param authenticationState the state whose selected scheme decides the mechanism
     * @return the negotiator for the selected scheme's SASL mechanism; mechanisms other than
     *         PLAIN, DIGEST, INPROCESS and INCLUSTER fall through to the GSSAPI negotiator
     * @throws CredentialsAuthenticationException if PLAIN is requested without encryption and
     *         the policy is {@code "block"}
     */
    public IAuthenticator.SaslNegotiator getSaslNegotiatorForScheme(AuthenticationState authenticationState) throws CredentialsAuthenticationException {
        final SaslMechanism mechanism = authenticationState.getSelectedScheme().saslMechanism;
        if (mechanism == SaslMechanism.PLAIN) {
            if (!DatabaseDescriptor.getClientEncryptionOptions().enabled) {
                final String policy = DseConfig.getPlainTextWithoutSsl();
                if (policy.equals("block")) {
                    throw new CredentialsAuthenticationException();
                }
                if (policy.equals("warn")) {
                    logger.warn("Plain text authentication without client / server encryption is strongly discouraged");
                }
            }
            return createPlainTextSaslNegotiator(authenticationState);
        }
        if (mechanism == SaslMechanism.DIGEST) {
            return createDigestMD5SaslNegotiator(authenticationState);
        }
        if (mechanism == SaslMechanism.INPROCESS) {
            return new InProcessSaslNegotiator();
        }
        if (mechanism == SaslMechanism.INCLUSTER) {
            final ClientConfiguration clientConfiguration = ClientConfigurationFactory.getClientConfiguration();
            final DigestTokensManager tokensManager = (DigestTokensManager) DseInjector.get().getInstance(DigestTokensManager.class);
            return createInClusterSaslNegotiator(clientConfiguration, tokensManager);
        }
        return createGSSAPISaslNegotiator(authenticationState);
    }
}
