package org.apache.kafka.controller;

import com.networknt.rule.RuleConstants;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.apache.kafka.clients.admin.ScramMechanism;
import org.apache.kafka.common.message.AlterUserScramCredentialsRequestData;
import org.apache.kafka.common.message.AlterUserScramCredentialsResponseData;
import org.apache.kafka.common.metadata.RemoveUserScramCredentialRecord;
import org.apache.kafka.common.metadata.UserScramCredentialRecord;
import org.apache.kafka.common.protocol.Errors;
import org.apache.kafka.common.requests.ApiError;
import org.apache.kafka.common.security.scram.internals.ScramFormatter;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.server.common.ApiMessageAndVersion;
import org.apache.kafka.server.common.MetadataVersion;
import org.apache.kafka.timeline.SnapshotRegistry;
import org.apache.kafka.timeline.TimelineHashMap;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/kafka/controller/ScramControlManager.class */
public class ScramControlManager {
    static final int MAX_ITERATIONS = 16384;
    private final Logger log;
    private final TimelineHashMap<ScramCredentialKey, ScramCredentialValue> credentials;

    /* loaded from: input_file:org/apache/kafka/controller/ScramControlManager$Builder.class */
    static class Builder {
        private LogContext logContext = null;
        private SnapshotRegistry snapshotRegistry = null;

        /* JADX INFO: Access modifiers changed from: package-private */
        public Builder setLogContext(LogContext logContext) {
            this.logContext = logContext;
            return this;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public Builder setSnapshotRegistry(SnapshotRegistry snapshotRegistry) {
            this.snapshotRegistry = snapshotRegistry;
            return this;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public ScramControlManager build() {
            if (this.logContext == null) {
                this.logContext = new LogContext();
            }
            if (this.snapshotRegistry == null) {
                this.snapshotRegistry = new SnapshotRegistry(this.logContext);
            }
            return new ScramControlManager(this.logContext, this.snapshotRegistry);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/kafka/controller/ScramControlManager$ScramCredentialKey.class */
    public static class ScramCredentialKey {
        private final String username;
        private final ScramMechanism mechanism;

        ScramCredentialKey(String str, ScramMechanism scramMechanism) {
            this.username = str;
            this.mechanism = scramMechanism;
        }

        public int hashCode() {
            return Objects.hash(this.username, this.mechanism);
        }

        public boolean equals(Object obj) {
            if (obj == null || obj.getClass() != getClass()) {
                return false;
            }
            ScramCredentialKey scramCredentialKey = (ScramCredentialKey) obj;
            return this.username.equals(scramCredentialKey.username) && this.mechanism.equals(scramCredentialKey.mechanism);
        }

        public String toString() {
            return "ScramCredentialKey(username=" + this.username + ", mechanism=" + this.mechanism + RuleConstants.RIGHT_PARENTHESIS;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/kafka/controller/ScramControlManager$ScramCredentialValue.class */
    public static class ScramCredentialValue {
        private final byte[] salt;
        private final byte[] storedKey;
        private final byte[] serverKey;
        private final int iterations;

        ScramCredentialValue(byte[] bArr, byte[] bArr2, byte[] bArr3, int i) {
            this.salt = bArr;
            this.storedKey = bArr2;
            this.serverKey = bArr3;
            this.iterations = i;
        }

        public int hashCode() {
            return Objects.hash(Integer.valueOf(Arrays.hashCode(this.salt)), Integer.valueOf(Arrays.hashCode(this.storedKey)), Integer.valueOf(Arrays.hashCode(this.serverKey)), Integer.valueOf(this.iterations));
        }

        public boolean equals(Object obj) {
            if (obj == null || obj.getClass() != getClass()) {
                return false;
            }
            ScramCredentialValue scramCredentialValue = (ScramCredentialValue) obj;
            return Arrays.equals(this.salt, scramCredentialValue.salt) && Arrays.equals(this.storedKey, scramCredentialValue.storedKey) && Arrays.equals(this.serverKey, scramCredentialValue.serverKey) && this.iterations == scramCredentialValue.iterations;
        }

        public String toString() {
            return "ScramCredentialValue(salt=[hidden], storedKey=[hidden], serverKey=[hidden], iterations=[hidden])";
        }
    }

    private ScramControlManager(LogContext logContext, SnapshotRegistry snapshotRegistry) {
        this.log = logContext.logger(ScramControlManager.class);
        this.credentials = new TimelineHashMap<>(snapshotRegistry, 0);
    }

    public ControllerResult<AlterUserScramCredentialsResponseData> alterCredentials(AlterUserScramCredentialsRequestData alterUserScramCredentialsRequestData, MetadataVersion metadataVersion) {
        boolean isScramSupported = metadataVersion.isScramSupported();
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        HashMap hashMap3 = new HashMap();
        for (AlterUserScramCredentialsRequestData.ScramCredentialDeletion scramCredentialDeletion : alterUserScramCredentialsRequestData.deletions()) {
            if (!hashMap3.containsKey(scramCredentialDeletion.name())) {
                if (hashMap.remove(scramCredentialDeletion.name()) != null) {
                    hashMap3.put(scramCredentialDeletion.name(), new ApiError(Errors.DUPLICATE_RESOURCE, "A user credential cannot be altered twice in the same request"));
                } else if (isScramSupported) {
                    ApiError validateDeletion = validateDeletion(scramCredentialDeletion);
                    if (validateDeletion.isFailure()) {
                        hashMap3.put(scramCredentialDeletion.name(), validateDeletion);
                    } else {
                        hashMap.put(scramCredentialDeletion.name(), scramCredentialDeletion);
                    }
                } else {
                    hashMap3.put(scramCredentialDeletion.name(), new ApiError(Errors.UNSUPPORTED_VERSION, "The current metadata.version does not support SCRAM"));
                }
            }
        }
        for (AlterUserScramCredentialsRequestData.ScramCredentialUpsertion scramCredentialUpsertion : alterUserScramCredentialsRequestData.upsertions()) {
            if (!hashMap3.containsKey(scramCredentialUpsertion.name())) {
                if (hashMap.remove(scramCredentialUpsertion.name()) != null || hashMap2.remove(scramCredentialUpsertion.name()) != null) {
                    hashMap3.put(scramCredentialUpsertion.name(), new ApiError(Errors.DUPLICATE_RESOURCE, "A user credential cannot be altered twice in the same request"));
                } else if (isScramSupported) {
                    ApiError validateUpsertion = validateUpsertion(scramCredentialUpsertion);
                    if (validateUpsertion.isFailure()) {
                        hashMap3.put(scramCredentialUpsertion.name(), validateUpsertion);
                    } else {
                        hashMap2.put(scramCredentialUpsertion.name(), scramCredentialUpsertion);
                    }
                } else {
                    hashMap3.put(scramCredentialUpsertion.name(), new ApiError(Errors.UNSUPPORTED_VERSION, "The current metadata.version does not support SCRAM"));
                }
            }
        }
        AlterUserScramCredentialsResponseData alterUserScramCredentialsResponseData = new AlterUserScramCredentialsResponseData();
        ArrayList arrayList = new ArrayList();
        for (AlterUserScramCredentialsRequestData.ScramCredentialDeletion scramCredentialDeletion2 : hashMap.values()) {
            alterUserScramCredentialsResponseData.results().add(new AlterUserScramCredentialsResponseData.AlterUserScramCredentialsResult().setUser(scramCredentialDeletion2.name()).setErrorCode(Errors.NONE.code()).setErrorMessage(null));
            arrayList.add(new ApiMessageAndVersion(new RemoveUserScramCredentialRecord().setName(scramCredentialDeletion2.name()).setMechanism(scramCredentialDeletion2.mechanism()), (short) 0));
        }
        for (AlterUserScramCredentialsRequestData.ScramCredentialUpsertion scramCredentialUpsertion2 : hashMap2.values()) {
            ApiError finishUpsertion = finishUpsertion(arrayList, scramCredentialUpsertion2);
            if (finishUpsertion.isFailure()) {
                hashMap3.put(scramCredentialUpsertion2.name(), finishUpsertion);
            } else {
                alterUserScramCredentialsResponseData.results().add(new AlterUserScramCredentialsResponseData.AlterUserScramCredentialsResult().setUser(scramCredentialUpsertion2.name()).setErrorCode(Errors.NONE.code()).setErrorMessage(null));
            }
        }
        for (Map.Entry entry : hashMap3.entrySet()) {
            alterUserScramCredentialsResponseData.results().add(new AlterUserScramCredentialsResponseData.AlterUserScramCredentialsResult().setUser((String) entry.getKey()).setErrorCode(((ApiError) entry.getValue()).error().code()).setErrorMessage(((ApiError) entry.getValue()).message()));
        }
        return ControllerResult.atomicOf(arrayList, alterUserScramCredentialsResponseData);
    }

    static ApiError finishUpsertion(List<ApiMessageAndVersion> list, AlterUserScramCredentialsRequestData.ScramCredentialUpsertion scramCredentialUpsertion) {
        try {
            ScramFormatter scramFormatter = new ScramFormatter(org.apache.kafka.common.security.scram.internals.ScramMechanism.forMechanismName(ScramMechanism.fromType(scramCredentialUpsertion.mechanism()).mechanismName()));
            list.add(new ApiMessageAndVersion(new UserScramCredentialRecord().setName(scramCredentialUpsertion.name()).setMechanism(scramCredentialUpsertion.mechanism()).setSalt(scramCredentialUpsertion.salt()).setStoredKey(scramFormatter.storedKey(scramFormatter.clientKey(scramCredentialUpsertion.saltedPassword()))).setServerKey(scramFormatter.serverKey(scramCredentialUpsertion.saltedPassword())).setIterations(scramCredentialUpsertion.iterations()), (short) 0));
            return ApiError.NONE;
        } catch (Throwable th) {
            return ApiError.fromThrowable(th);
        }
    }

    static ApiError validateUpsertion(AlterUserScramCredentialsRequestData.ScramCredentialUpsertion scramCredentialUpsertion) {
        ScramMechanism fromType = ScramMechanism.fromType(scramCredentialUpsertion.mechanism());
        ApiError validateScramUsernameAndMechanism = validateScramUsernameAndMechanism(scramCredentialUpsertion.name(), fromType);
        if (validateScramUsernameAndMechanism.isFailure()) {
            return validateScramUsernameAndMechanism;
        }
        return scramCredentialUpsertion.iterations() < org.apache.kafka.common.security.scram.internals.ScramMechanism.forMechanismName(fromType.mechanismName()).minIterations() ? new ApiError(Errors.UNACCEPTABLE_CREDENTIAL, "Too few iterations") : scramCredentialUpsertion.iterations() > 16384 ? new ApiError(Errors.UNACCEPTABLE_CREDENTIAL, "Too many iterations") : ApiError.NONE;
    }

    ApiError validateDeletion(AlterUserScramCredentialsRequestData.ScramCredentialDeletion scramCredentialDeletion) {
        ApiError validateScramUsernameAndMechanism = validateScramUsernameAndMechanism(scramCredentialDeletion.name(), ScramMechanism.fromType(scramCredentialDeletion.mechanism()));
        if (validateScramUsernameAndMechanism.isFailure()) {
            return validateScramUsernameAndMechanism;
        }
        return !this.credentials.containsKey(new ScramCredentialKey(scramCredentialDeletion.name(), ScramMechanism.fromType(scramCredentialDeletion.mechanism()))) ? new ApiError(Errors.RESOURCE_NOT_FOUND, "Attempt to delete a user credential that does not exist") : ApiError.NONE;
    }

    static ApiError validateScramUsernameAndMechanism(String str, ScramMechanism scramMechanism) {
        return str.isEmpty() ? new ApiError(Errors.UNACCEPTABLE_CREDENTIAL, "Username must not be empty") : scramMechanism == ScramMechanism.UNKNOWN ? new ApiError(Errors.UNSUPPORTED_SASL_MECHANISM, "Unknown SCRAM mechanism") : ApiError.NONE;
    }

    public void replay(RemoveUserScramCredentialRecord removeUserScramCredentialRecord) {
        ScramCredentialKey scramCredentialKey = new ScramCredentialKey(removeUserScramCredentialRecord.name(), ScramMechanism.fromType(removeUserScramCredentialRecord.mechanism()));
        if (this.credentials.remove(scramCredentialKey) == null) {
            throw new RuntimeException("Unable to find credential to delete: " + scramCredentialKey);
        }
        this.log.info("Replayed RemoveUserScramCredentialRecord for {} with mechanism {}.", scramCredentialKey.username, scramCredentialKey.mechanism);
    }

    public void replay(UserScramCredentialRecord userScramCredentialRecord) {
        ScramCredentialKey scramCredentialKey = new ScramCredentialKey(userScramCredentialRecord.name(), ScramMechanism.fromType(userScramCredentialRecord.mechanism()));
        if (this.credentials.put(scramCredentialKey, new ScramCredentialValue(userScramCredentialRecord.salt(), userScramCredentialRecord.storedKey(), userScramCredentialRecord.serverKey(), userScramCredentialRecord.iterations())) == null) {
            this.log.info("Replayed UserScramCredentialRecord creating new entry for {} with mechanism {}.", scramCredentialKey.username, scramCredentialKey.mechanism);
        } else {
            this.log.info("Replayed UserScramCredentialRecord modifying existing entry for {} with mechanism {}.", scramCredentialKey.username, scramCredentialKey.mechanism);
        }
    }
}
