package org.apache.pulsar.client.impl.auth;

import java.io.IOException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import javax.security.auth.login.LoginException;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Invocation;
import javax.ws.rs.client.InvocationCallback;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.client.api.AuthenticationDataProvider;
import org.apache.pulsar.client.api.EncodedAuthenticationParameterSupport;
import org.apache.pulsar.client.api.PulsarClientException;
import org.apache.pulsar.client.impl.AuthenticationUtil;
import org.apache.pulsar.client.impl.auth.PulsarSaslClient;
import org.apache.pulsar.common.api.AuthData;
import org.apache.pulsar.common.sasl.JAASCredentialsContainer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/pulsar/client/impl/auth/AuthenticationSasl.class */
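/**
 * Client-side SASL authentication plugin that negotiates over HTTP headers.
 *
 * <p>The handshake is driven by {@link #authenticationStage}: each request carries a
 * {@code State} header plus either a Base64 {@code SASL-Token} or a previously issued
 * {@code SaslAuthRoleToken}; a 401 response starts another round, a 200 response ends it.
 *
 * <p>Security-relevant properties of this class:
 * <ul>
 *   <li>The JAAS credentials container is {@code static}: the first successful
 *       {@code configure} call performs the login and every later instance reuses that
 *       subject, even if it was configured with a different JAAS section name.</li>
 *   <li>{@code SaslAuthRoleToken} is sent back to the server as a credential, so its value
 *       is never written to the log.</li>
 * </ul>
 */
public class AuthenticationSasl implements Authentication, EncodedAuthenticationParameterSupport {
    private static final long serialVersionUID = 1;
    private static final Logger log = LoggerFactory.getLogger(AuthenticationSasl.class);

    private static final String DEFAULT_JAAS_SECTION = "PulsarClient";

    // Header names exchanged with the server during the handshake.
    private static final String HEADER_ROLE_TOKEN = "SaslAuthRoleToken";
    private static final String HEADER_SASL_TYPE = "SASL-Type";
    private static final String HEADER_STATE = "State";
    private static final String HEADER_SASL_TOKEN = "SASL-Token";
    private static final String HEADER_SERVER_ID = "SASL-Server-ID";

    // Values carried in the SASL-Type and State headers.
    private static final String SASL_TYPE_KERBEROS = "Kerberos";
    private static final String STATE_INIT = "Init";
    private static final String STATE_NEGOTIATING = "ING";
    private static final String STATE_DONE = "Done";
    private static final String STATE_CHECK_TOKEN = "ServerCheckToken";
    private static final String STATE_TOKEN_EXPIRED = "SaslAuthRoleTokenExpired";

    // Shared by every instance in the JVM; guarded by the class monitor in setAuthParams.
    private static JAASCredentialsContainer jaasCredentialsContainer;
    private static volatile boolean initializedJAAS = false;

    private Map<String, String> configuration;
    private String loginContextName;
    private String serverType = null;
    // Written from the asynchronous HTTP callback and read while building requests.
    private volatile String saslRoleToken = null;
    private Client client = null;

    /** Returns the fixed authentication method name, {@code "sasl"}. */
    public String getAuthMethodName() {
        return "sasl";
    }

    /**
     * Creates a SASL client bound to the shared JAAS subject.
     *
     * @param str value handed to {@code PulsarSaslClient} as its first argument
     * @throws PulsarClientException wrapping any failure, including a missing JAAS login
     *         (i.e. {@code configure} was never called successfully)
     */
    public AuthenticationDataProvider getAuthData(String str) throws PulsarClientException {
        try {
            return new SaslAuthenticationDataProvider(new PulsarSaslClient(str, this.serverType, jaasCredentialsContainer.getSubject()));
        } catch (Throwable th) {
            log.error("Failed create sasl client", th);
            throw new PulsarClientException(th);
        }
    }

    /**
     * Configures the plugin from a JSON-encoded parameter string.
     *
     * @param str encoded auth parameters
     * @throws IllegalArgumentException if the parameters cannot be parsed or the JAAS login fails
     */
    public void configure(String str) {
        if (StringUtils.isBlank(str)) {
            log.info("authParams for SASL is be empty, will use default JAAS client section name: {}", DEFAULT_JAAS_SECTION);
        }
        try {
            setAuthParams(AuthenticationUtil.configureFromJsonString(str));
        } catch (IOException e) {
            throw new IllegalArgumentException("Failed to parse SASL authParams", e);
        }
    }

    /**
     * Configures the plugin from an already-parsed parameter map.
     *
     * @param map auth parameters
     * @throws IllegalArgumentException if the JAAS login fails
     */
    @Deprecated
    public void configure(Map<String, String> map) {
        try {
            setAuthParams(map);
        } catch (IOException e) {
            throw new IllegalArgumentException("Failed to parse SASL authParams", e);
        }
    }

    /**
     * Stores the parameters and performs the one-time, JVM-wide JAAS login.
     *
     * @throws PulsarClientException if the JAAS login fails
     */
    private void setAuthParams(Map<String, String> map) throws PulsarClientException {
        this.configuration = map;
        this.loginContextName = map.getOrDefault("saslJaasClientSectionName", DEFAULT_JAAS_SECTION);
        this.serverType = map.getOrDefault("serverType", "broker");
        if (initializedJAAS) {
            return;
        }
        // The guarded state is static, so the lock must be shared by all instances;
        // locking on "this" would let two instances log in concurrently.
        synchronized (AuthenticationSasl.class) {
            if (jaasCredentialsContainer == null) {
                log.info("JAAS loginContext is: {}.", this.loginContextName);
                try {
                    jaasCredentialsContainer = new JAASCredentialsContainer(this.loginContextName, new PulsarSaslClient.ClientCallbackHandler(), this.configuration);
                    initializedJAAS = true;
                } catch (LoginException e) {
                    log.error("JAAS login in client failed", e);
                    throw new PulsarClientException(e);
                }
            }
        }
    }

    /** Creates the HTTP client used by {@link #authenticationStage}. */
    public void start() throws PulsarClientException {
        this.client = ClientBuilder.newClient();
    }

    /** Closes the HTTP client if {@link #start()} created one. */
    public void close() throws IOException {
        if (this.client != null) {
            this.client.close();
        }
    }

    /**
     * Tells whether the previous response reports that the cached role token has expired.
     * Only meaningful while a role token is held and a previous response exists.
     */
    private boolean isRoleTokenExpired(Map<String, String> map) {
        if (this.saslRoleToken == null || map == null) {
            return false;
        }
        return SASL_TYPE_KERBEROS.equalsIgnoreCase(map.get(HEADER_SASL_TYPE))
                && STATE_TOKEN_EXPIRED.equalsIgnoreCase(map.get(HEADER_STATE));
    }

    /**
     * Builds a JSON request for the target and attaches the handshake headers for this round.
     *
     * @throws Exception whatever {@link #newRequestHeader} reports
     */
    private Invocation.Builder newRequestBuilder(WebTarget webTarget, AuthenticationDataProvider authenticationDataProvider, Map<String, String> map) throws Exception {
        Invocation.Builder request = webTarget.request("application/json");
        for (Map.Entry<String, String> header : newRequestHeader(webTarget.getUri().toString(), authenticationDataProvider, map)) {
            request.header(header.getKey(), header.getValue());
        }
        return request;
    }

    /**
     * Computes the headers for the next handshake request.
     *
     * @param str passed to {@link #getAuthData} when the role token has to be renewed
     * @param authenticationDataProvider SASL data provider for the current exchange
     * @param map headers of the previous response, or {@code null} on the first round
     * @return the headers to send
     * @throws PulsarClientException if the previous response lacks the {@code State} or
     *         {@code SASL-Token} header this round needs
     * @throws Exception if the SASL step itself fails
     */
    public Set<Map.Entry<String, String>> newRequestHeader(String str, AuthenticationDataProvider authenticationDataProvider, Map<String, String> map) throws Exception {
        Map<String, String> headers = new HashMap<>();
        if (authenticationDataProvider.hasDataForHttp()) {
            for (Map.Entry<String, String> entry : authenticationDataProvider.getHttpHeaders()) {
                headers.put(entry.getKey(), entry.getValue());
            }
        }

        AuthenticationDataProvider provider = authenticationDataProvider;
        Map<String, String> previous = map;
        if (isRoleTokenExpired(previous)) {
            // Server rejected the cached token: forget it and restart from the Init state.
            previous = null;
            this.saslRoleToken = null;
            // NOTE(review): when called from newRequestBuilder, str is the full request URI
            // rather than a bare host name; confirm that is what PulsarSaslClient expects.
            provider = getAuthData(str);
        }

        // Snapshot once: the field can be updated by the async callback.
        String roleToken = this.saslRoleToken;
        if (roleToken != null) {
            headers.put(HEADER_ROLE_TOKEN, roleToken);
            if (previous == null) {
                if (log.isDebugEnabled()) {
                    log.debug("request builder add token: Check token");
                }
                headers.put(HEADER_STATE, STATE_CHECK_TOKEN);
                return headers.entrySet();
            }
            String state = previous.get(HEADER_STATE);
            if (state == null) {
                // A 401 without the handshake headers (e.g. from an intermediary) is a
                // protocol error; fail with a clear message instead of a NullPointerException.
                throw new PulsarClientException("SASL response is missing the State header");
            }
            if (STATE_DONE.equalsIgnoreCase(state)) {
                headers.put(HEADER_STATE, STATE_DONE);
                if (log.isDebugEnabled()) {
                    log.debug("request builder add token. role verified by server");
                }
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("request builder add token. NOT complete. state: {}", state);
                }
                headers.put(HEADER_STATE, STATE_NEGOTIATING);
            }
            return headers.entrySet();
        }

        if (previous == null) {
            if (log.isDebugEnabled()) {
                log.debug("Init authn in client side");
            }
            headers.put(HEADER_STATE, STATE_INIT);
            headers.put(HEADER_SASL_TOKEN, Base64.getEncoder().encodeToString(provider.authenticate(AuthData.INIT_AUTH_DATA).getBytes()));
        } else {
            String challenge = previous.get(HEADER_SASL_TOKEN);
            if (challenge == null) {
                throw new PulsarClientException("SASL response is missing the SASL-Token header");
            }
            AuthData reply = provider.authenticate(AuthData.of(Base64.getDecoder().decode(challenge)));
            headers.put(HEADER_SERVER_ID, previous.get(HEADER_SERVER_ID));
            headers.put(HEADER_SASL_TYPE, SASL_TYPE_KERBEROS);
            headers.put(HEADER_STATE, STATE_NEGOTIATING);
            headers.put(HEADER_SASL_TOKEN, Base64.getEncoder().encodeToString(reply.getBytes()));
        }
        return headers.entrySet();
    }

    /**
     * Copies the handshake headers of a response into a map, adding the cached role token
     * when one is held. Headers absent from the response are stored with a {@code null} value.
     */
    private Map<String, String> getHeaders(Response response) {
        Map<String, String> headers = new HashMap<>();
        String roleToken = this.saslRoleToken;
        if (roleToken != null) {
            headers.put(HEADER_ROLE_TOKEN, roleToken);
        }
        headers.put(HEADER_SASL_TYPE, response.getHeaderString(HEADER_SASL_TYPE));
        headers.put(HEADER_STATE, response.getHeaderString(HEADER_STATE));
        headers.put(HEADER_SASL_TOKEN, response.getHeaderString(HEADER_SASL_TOKEN));
        headers.put(HEADER_SERVER_ID, response.getHeaderString(HEADER_SERVER_ID));
        return headers;
    }

    /**
     * Runs one round of the handshake asynchronously and recurses on every 401 response.
     *
     * <p>Every failure, including one raised while building the request, is delivered through
     * {@code completableFuture}; otherwise an error raised inside the retry callback would leave
     * the future uncompleted.
     *
     * @param str request URL
     * @param authenticationDataProvider SASL data provider for this exchange
     * @param map headers of the previous response, or {@code null} on the first round
     * @param completableFuture completed with the final response headers, or exceptionally
     */
    public void authenticationStage(final String str, final AuthenticationDataProvider authenticationDataProvider, Map<String, String> map, final CompletableFuture<Map<String, String>> completableFuture) {
        final Invocation.Builder request;
        try {
            request = newRequestBuilder(this.client.target(str), authenticationDataProvider, map);
        } catch (Exception e) {
            log.warn("Failed to build SASL auth request", e);
            completableFuture.completeExceptionally(e instanceof PulsarClientException ? e : new PulsarClientException(e));
            return;
        }
        request.async().get(new InvocationCallback<Response>() {
            @Override
            public void completed(Response response) {
                int status = response.getStatus();
                if (status == 401) {
                    // NOTE(review): each 401 starts another round and no upper bound is
                    // visible in this class; consider capping the number of rounds so a peer
                    // that always answers 401 cannot keep the client looping.
                    AuthenticationSasl.this.authenticationStage(str, authenticationDataProvider, AuthenticationSasl.this.getHeaders(response), completableFuture);
                    return;
                }
                if (status != 200) {
                    log.warn("HTTP get request failed: {}", response.getStatusInfo());
                    completableFuture.completeExceptionally(new PulsarClientException("Sasl Auth request failed: " + status));
                    return;
                }
                String issuedToken = response.getHeaderString(HEADER_ROLE_TOKEN);
                if (issuedToken != null) {
                    AuthenticationSasl.this.saslRoleToken = issuedToken;
                }
                if (log.isDebugEnabled()) {
                    // Log presence only: the token itself is a credential.
                    log.debug("Complete auth, saslRoleToken present: {}", AuthenticationSasl.this.saslRoleToken != null);
                }
                completableFuture.complete(AuthenticationSasl.this.getHeaders(response));
            }

            @Override
            public void failed(Throwable th) {
                log.warn("Failed to perform http request", th);
                completableFuture.completeExceptionally(new PulsarClientException(th));
            }
        });
    }
}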
