package io.confluent.kafka.server.plugins.auth;

import io.confluent.kafka.multitenant.MultiTenantPrincipal;
import io.confluent.kafka.multitenant.MultiTenantSaslServer;
import io.confluent.kafka.multitenant.TenantMetadata;
import io.confluent.kafka.server.plugins.auth.stats.AuthenticationStats;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.apache.directory.api.ldap.model.constants.JndiPropertyConstants;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.errors.SecretsLogFailedException;
import org.apache.kafka.common.security.authenticator.PathAwareSniHostName;
import org.apache.kafka.common.security.plain.internals.PlainServerCallbackHandler;
import org.apache.kafka.server.audit.AuditEventStatus;
import org.apache.kafka.server.audit.AuthenticationErrorInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

/* loaded from: input_file:io/confluent/kafka/server/plugins/auth/PlainSaslServer.class */
public class PlainSaslServer implements MultiTenantSaslServer {
    public static final String PLAIN_MECHANISM = "PLAIN";
    private final SaslAuthenticator authenticator;
    private static final AuthenticationStats STATS = AuthenticationStats.getInstance();
    private static final Logger log = LoggerFactory.getLogger((Class<?>) PlainSaslServer.class);
    private boolean complete;
    private String authorizationId;
    private String authenticationId;
    private TenantMetadata tenantMetadata;
    private String username;
    private final PathAwareSniHostName sniHostName;

    /* loaded from: input_file:io/confluent/kafka/server/plugins/auth/PlainSaslServer$PlainSaslServerFactory.class */
    public static class PlainSaslServerFactory implements SaslServerFactory {
        private final SaslServerSupplier saslServerSupplier;

        public PlainSaslServerFactory(SaslServerSupplier saslServerSupplier) {
            this.saslServerSupplier = saslServerSupplier;
        }

        public SaslServer createSaslServer(String str, String str2, String str3, Map<String, ?> map, CallbackHandler callbackHandler) throws SaslException {
            if (!"PLAIN".equals(str)) {
                throw new SaslException(String.format("Mechanism '%s' is not supported. Only PLAIN is supported.", str));
            }
            if (!(callbackHandler instanceof PlainServerCallbackHandler)) {
                throw new SaslException("CallbackHandler must be of type PlainServerCallbackHandler, but it is: " + callbackHandler.getClass());
            }
            try {
                Field declaredField = PlainServerCallbackHandler.class.getDeclaredField("jaasConfigEntries");
                declaredField.setAccessible(true);
                return this.saslServerSupplier.get((List) declaredField.get(callbackHandler), map);
            } catch (SecretsLogFailedException e) {
                throw new SecretsLogFailedException("Could not find source topic", e);
            } catch (Throwable th) {
                throw new SaslException("Could not obtain JAAS context", th);
            }
        }

        public String[] getMechanismNames(Map<String, ?> map) {
            return "true".equals((String) map.get(JndiPropertyConstants.JNDI_SASL_POLICY_NO_PLAIN_TEXT)) ? new String[0] : new String[]{"PLAIN"};
        }
    }

    public PlainSaslServer(List<AppConfigurationEntry> list, SaslAuthenticator saslAuthenticator) {
        this(list, saslAuthenticator, null);
    }

    public PlainSaslServer(List<AppConfigurationEntry> list, SaslAuthenticator saslAuthenticator, PathAwareSniHostName pathAwareSniHostName) {
        this.username = "";
        this.authenticator = saslAuthenticator;
        saslAuthenticator.initialize(list);
        this.sniHostName = pathAwareSniHostName;
    }

    public byte[] evaluateResponse(byte[] bArr) throws SaslException {
        try {
            try {
                byte[] doEvaluateResponse = doEvaluateResponse(bArr);
                STATS.incrSucceeded();
                clearMdc();
                return doEvaluateResponse;
            } catch (Exception e) {
                STATS.incrFailed();
                log.debug("SASL/PLAIN authentication failed: {}", e.getCause() == null ? "" : e.getCause().getMessage(), e);
                throw e;
            }
        } catch (Throwable th) {
            clearMdc();
            throw th;
        }
    }

    private void clearMdc() {
        MDC.remove("username");
        MDC.remove("saslMechanism");
        MDC.remove("authorizationId");
        MDC.remove("tenant");
    }

    private byte[] doEvaluateResponse(byte[] bArr) throws SaslException {
        MDC.put("saslMechanism", "PLAIN");
        List<String> extractTokens = extractTokens(new String(bArr, StandardCharsets.UTF_8));
        String str = extractTokens.get(0);
        String str2 = extractTokens.get(1);
        String str3 = extractTokens.get(2);
        if (str2.isEmpty()) {
            throw new SaslAuthenticationException("Authentication failed: username not specified", AuthenticationErrorInfo.UNKNOWN_USER_ERROR);
        }
        MDC.put("username", str2);
        this.username = str2;
        if (str3.isEmpty()) {
            throw new SaslAuthenticationException("Authentication failed: password not specified", getErrorInfo());
        }
        if (!str.isEmpty() && !str.equals(str2)) {
            throw new SaslAuthenticationException("Authentication failed: Client requested an authorization id that is different from username", getErrorInfo());
        }
        MultiTenantPrincipal authenticate = this.authenticator.authenticate(str2, str3, Optional.ofNullable(this.sniHostName));
        this.authorizationId = authenticate.user();
        this.authenticationId = str2;
        this.tenantMetadata = authenticate.tenantMetadata();
        String str4 = this.tenantMetadata.userResourceId;
        MDC.put("authorizationId", this.authorizationId);
        MDC.put("tenant", this.tenantMetadata.tenantName);
        log.debug("SASL/PLAIN authentication succeeded for userId : {},  userResourceId : {}, apiKey : {}, clusterId : {}", this.authorizationId, str4, str2, this.tenantMetadata.tenantName);
        this.complete = true;
        return new byte[0];
    }

    private AuthenticationErrorInfo getErrorInfo() throws SaslException {
        return new AuthenticationErrorInfo(AuditEventStatus.UNAUTHENTICATED, "", this.username, this.authenticator.clusterId(this.username).orElse(""));
    }

    private List<String> extractTokens(String str) {
        ArrayList arrayList = new ArrayList();
        int i = 0;
        int i2 = 0;
        while (true) {
            if (i2 >= 4) {
                break;
            }
            int indexOf = str.indexOf("��", i);
            if (indexOf == -1) {
                arrayList.add(str.substring(i));
                break;
            }
            arrayList.add(str.substring(i, indexOf));
            i = indexOf + 1;
            i2++;
        }
        if (arrayList.size() != 3) {
            throw new SaslAuthenticationException("Invalid SASL/PLAIN response: expected 3 tokens, got " + arrayList.size(), AuthenticationErrorInfo.UNKNOWN_USER_ERROR);
        }
        return arrayList;
    }

    @Override // io.confluent.kafka.multitenant.MultiTenantSaslServer
    public TenantMetadata tenantMetadata() {
        throwIfNotComplete();
        return this.tenantMetadata;
    }

    public String getAuthorizationID() {
        throwIfNotComplete();
        return this.authorizationId;
    }

    @Override // io.confluent.kafka.multitenant.MultiTenantSaslServer
    public String authenticationId() {
        return this.authenticationId;
    }

    public String getMechanismName() {
        return "PLAIN";
    }

    public Object getNegotiatedProperty(String str) {
        throwIfNotComplete();
        return null;
    }

    public boolean isComplete() {
        return this.complete;
    }

    public byte[] unwrap(byte[] bArr, int i, int i2) {
        throwIfNotComplete();
        return Arrays.copyOfRange(bArr, i, i + i2);
    }

    public byte[] wrap(byte[] bArr, int i, int i2) {
        throwIfNotComplete();
        return Arrays.copyOfRange(bArr, i, i + i2);
    }

    public void dispose() {
    }

    private void throwIfNotComplete() {
        if (!this.complete) {
            throw new IllegalStateException("Authentication exchange has not completed");
        }
    }

    @Override // io.confluent.kafka.multitenant.MultiTenantSaslServer
    public String userIdentifier() {
        return this.username;
    }
}
