package org.infinispan.server.hotrod;

import io.netty.buffer.ByteBuf;
import io.netty.channel.Channel;
import io.netty.channel.ChannelFuture;
import java.util.concurrent.Executor;
import javax.security.auth.Subject;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.infinispan.commons.logging.LogFactory;
import org.infinispan.server.core.configuration.SaslAuthenticationConfiguration;
import org.infinispan.server.core.security.sasl.SaslAuthenticator;
import org.infinispan.server.core.transport.ConnectionMetadata;
import org.infinispan.server.core.transport.SaslQopHandler;
import org.infinispan.server.hotrod.configuration.HotRodServerConfiguration;
import org.infinispan.server.hotrod.logging.Log;

/* loaded from: input_file:org/infinispan/server/hotrod/Authentication.class */
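/**
 * Request processor for the Hot Rod authentication operations: listing the configured
 * SASL mechanisms ({@link #authMechList}) and driving the SASL challenge/response
 * exchange ({@link #auth}). Once the exchange completes, the negotiated
 * {@link Subject} is stored on this processor and on the channel's
 * {@link ConnectionMetadata}; until then the connection is {@link #ANONYMOUS}.
 *
 * <p>Not thread-safe: {@code saslServer} and {@code subject} are written from the
 * request executor and read from the event loop without synchronization. This is
 * presumably acceptable because the pipeline handles one request per channel at a
 * time — confirm against the decoder.
 */
public class Authentication extends BaseRequestProcessor {
    private static final Log log = (Log) LogFactory.getLog(Authentication.class, Log.class);
    /** Sentinel identity for a connection that has not completed SASL authentication. */
    private static final Subject ANONYMOUS = new Subject();
    /** SASL protocol name handed to {@link SaslAuthenticator#createSaslServer}. */
    public static final String HOTROD_SASL_PROTOCOL = "hotrod";
    /** SASL mechanism property that, when absent or {@code "true"}, forbids anonymous access. */
    private static final String SASL_POLICY_NOANONYMOUS = "javax.security.sasl.policy.noanonymous";
    private final HotRodServerConfiguration serverConfig;
    private final SaslAuthenticationConfiguration authenticationConfig;
    /** Whether authentication is enabled in the server configuration. */
    private final boolean enabled;
    /** Whether operations that require authentication are refused for {@link #ANONYMOUS}. */
    private final boolean requireAuthentication;
    /** In-flight SASL negotiation; null before the first AUTH step and after a completed or failed one. */
    private SaslServer saslServer;
    /** Identity bound to this connection; {@link #ANONYMOUS} until authentication completes. */
    private Subject subject;

    /**
     * Creates the processor and derives the authentication policy from the server configuration.
     *
     * <p>Authentication is required unless the SASL mechanism properties explicitly set
     * {@code javax.security.sasl.policy.noanonymous} to something other than {@code "true"};
     * an absent property defaults to requiring authentication (fail closed).
     *
     * @param channel the connection this processor serves
     * @param executor executor used to run the SASL exchange off the event loop
     * @param hotRodServer the owning server, providing configuration and caches
     */
    public Authentication(Channel channel, Executor executor, HotRodServer hotRodServer) {
        super(channel, executor, hotRodServer);
        this.subject = ANONYMOUS;
        this.serverConfig = (HotRodServerConfiguration) hotRodServer.getConfiguration();
        this.authenticationConfig = this.serverConfig.m46authentication();
        this.enabled = this.authenticationConfig.enabled();
        this.requireAuthentication = isAnonymousForbidden(this.authenticationConfig);
    }

    /**
     * Evaluates the {@code javax.security.sasl.policy.noanonymous} mechanism property.
     *
     * @return {@code true} when the property is absent or equals {@code "true"}
     */
    private static boolean isAnonymousForbidden(SaslAuthenticationConfiguration config) {
        Object noAnonymous = config.sasl().mechProperties().get(SASL_POLICY_NOANONYMOUS);
        boolean propertyPresent = config.sasl().mechProperties().containsKey(SASL_POLICY_NOANONYMOUS);
        return !propertyPresent || "true".equals(noAnonymous);
    }

    /**
     * Answers an AUTH_MECH_LIST request with the configured SASL mechanisms.
     *
     * <p>When the server has a default cache, the response is deferred until that cache
     * is initialized; an initialization failure is reported as an error response instead.
     *
     * @param hotRodHeader the request header to respond to
     */
    public void authMechList(HotRodHeader hotRodHeader) {
        if (!this.server.hasDefaultCache()) {
            writeMechList(hotRodHeader);
            return;
        }
        this.server.ensureCacheInitialized(hotRodHeader).whenComplete((ignored, th) -> {
            if (th == null) {
                writeMechList(hotRodHeader);
            } else {
                writeException(hotRodHeader, th);
            }
        });
    }

    /** Encodes and writes the mechanism list for {@code hotRodHeader}. */
    private void writeMechList(HotRodHeader hotRodHeader) {
        ByteBuf response = hotRodHeader.encoder().authMechListResponse(
              hotRodHeader, this.server, this.channel, this.authenticationConfig.sasl().mechanisms());
        writeResponse(hotRodHeader, response);
    }

    /**
     * Handles one AUTH step of the SASL exchange.
     *
     * <p>With authentication disabled the request is rejected with a ServerError carrying
     * {@code log.invalidOperation()}. Otherwise the step runs on the executor; any failure
     * discards the partially negotiated {@link SaslServer} (so a failed handshake can never
     * be resumed) and is reported to the client as an error response.
     *
     * @param hotRodHeader the request header
     * @param str the SASL mechanism name requested by the client
     * @param bArr the client's SASL response bytes for this step
     */
    public void auth(HotRodHeader hotRodHeader, String str, byte[] bArr) {
        if (!this.enabled) {
            rejectAuthWhenDisabled(hotRodHeader);
            return;
        }
        this.executor.execute(() -> {
            try {
                authInternal(hotRodHeader, str, bArr);
            } catch (Throwable th) {
                disposeSaslServer();
                // Some failures carry a null message; without this guard the handler itself
                // would throw inside the executor task and the client would get no reply.
                String message = th.getMessage();
                boolean knownAuthFailure = message != null
                      && (message.startsWith("ELY05055") || message.startsWith("ELY05051"));
                if (knownAuthFailure) {
                    // presumably Elytron error codes for credential/authentication failure — confirm
                    writeException(hotRodHeader, log.authenticationException(th));
                } else {
                    writeException(hotRodHeader, th);
                }
            }
        });
    }

    /** Writes a ServerError response for an AUTH request received while authentication is disabled. */
    private void rejectAuthWhenDisabled(HotRodHeader hotRodHeader) {
        UnsupportedOperationException invalidOperation = log.invalidOperation();
        String reason = invalidOperation.toString();
        ByteBuf errorResponse = hotRodHeader.encoder().errorResponse(
              hotRodHeader, this.server, this.channel, reason, OperationStatus.ServerError);
        int responseBytes = errorResponse.readableBytes();
        ChannelFuture writeFuture = this.channel.writeAndFlush(errorResponse);
        if (hotRodHeader instanceof AccessLoggingHeader) {
            this.server.accessLogging().logException(writeFuture, (AccessLoggingHeader) hotRodHeader, reason, responseBytes);
        }
    }

    /**
     * Runs one SASL step: lazily creates the {@link SaslServer} for the requested mechanism,
     * evaluates the client response, and either completes the exchange or sends the next
     * challenge.
     *
     * @throws Throwable {@code log.invalidMech(str)} when no server exists for the mechanism,
     *         or whatever {@link SaslServer#evaluateResponse} raises
     */
    private void authInternal(HotRodHeader hotRodHeader, String str, byte[] bArr) throws Throwable {
        if (this.saslServer == null) {
            this.saslServer = SaslAuthenticator.createSaslServer(
                  this.authenticationConfig.sasl(), this.channel, str, HOTROD_SASL_PROTOCOL);
            if (this.saslServer == null) {
                throw log.invalidMech(str);
            }
        }
        byte[] challenge = this.saslServer.evaluateResponse(bArr);
        if (this.saslServer.isComplete()) {
            authComplete(hotRodHeader, challenge);
        } else {
            writeResponse(hotRodHeader, hotRodHeader.encoder().authResponse(hotRodHeader, this.server, this.channel, challenge));
        }
    }

    /**
     * Finishes a completed SASL exchange: binds the negotiated subject to this processor and
     * the channel, sends the final response and, for {@code auth-int}/{@code auth-conf} QOP,
     * installs a {@link SaslQopHandler} ahead of the decoder. In the QOP case the
     * {@link SaslServer} is kept alive because the handler wraps/unwraps with it; otherwise
     * it is disposed.
     */
    private void authComplete(HotRodHeader hotRodHeader, byte[] bArr) {
        // NOTE(review): if the authenticator ever leaves this property unset, subject becomes
        // null, which getSubject() does not treat as anonymous — confirm it is always populated.
        this.subject = (Subject) this.saslServer.getNegotiatedProperty("org.infinispan.security.Subject");
        ConnectionMetadata.getInstance(this.channel).subject(this.subject);
        String qop = (String) this.saslServer.getNegotiatedProperty("javax.security.sasl.qop");
        boolean integrityOrConfidentiality = "auth-int".equals(qop) || "auth-conf".equals(qop);
        if (!integrityOrConfidentiality) {
            writeResponse(hotRodHeader, hotRodHeader.encoder().authResponse(hotRodHeader, this.server, this.channel, bArr));
            disposeSaslServer();
            return;
        }
        // Pipeline mutation is done on the event loop; the final response is written first,
        // presumably so that it is not itself wrapped by the new handler — confirm.
        this.channel.eventLoop().submit(() -> {
            writeResponse(hotRodHeader, hotRodHeader.encoder().authResponse(hotRodHeader, this.server, this.channel, bArr));
            this.channel.pipeline().addBefore("decoder", "saslQop", new SaslQopHandler(this.saslServer));
        });
    }

    /**
     * Disposes the current {@link SaslServer}, if any, and always clears the field so a
     * disposed server cannot be evaluated again. Dispose failures are only logged.
     */
    private void disposeSaslServer() {
        try {
            if (this.saslServer != null) {
                this.saslServer.dispose();
            }
        } catch (SaslException e) {
            log.debug("Exception while disposing SaslServer", e);
        } finally {
            this.saslServer = null;
        }
    }

    /**
     * Returns the subject an operation should run under.
     *
     * @param hotRodOperation the operation about to be executed
     * @return {@code null} when authentication is disabled or the operation does not require
     *         it (no subject check applies); otherwise the connection's subject
     * @throws RuntimeException {@code log.unauthorizedOperation(...)} when anonymous access is
     *         forbidden and the connection has not authenticated
     */
    public Subject getSubject(HotRodOperation hotRodOperation) {
        if (!this.enabled || !hotRodOperation.requiresAuthentication()) {
            return null;
        }
        boolean stillAnonymous = this.subject == ANONYMOUS;
        if (this.requireAuthentication && stillAnonymous) {
            throw log.unauthorizedOperation(hotRodOperation.name());
        }
        return this.subject;
    }
}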
