package org.apache.kafka.common.network;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.net.Socket;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.memory.MemoryPool;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.authenticator.CredentialCache;
import org.apache.kafka.common.security.authenticator.LoginManager;
import org.apache.kafka.common.security.authenticator.SaslClientAuthenticator;
import org.apache.kafka.common.security.authenticator.SaslServerAuthenticator;
import org.apache.kafka.common.security.kerberos.KerberosShortNamer;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.common.security.token.delegation.DelegationTokenCache;
import org.apache.kafka.common.utils.Java;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.logging.LoggingSystem;

/* loaded from: input_file:BOOT-INF/lib/kafka-clients-1.1.0.jar:org/apache/kafka/common/network/SaslChannelBuilder.class */
public class SaslChannelBuilder implements ChannelBuilder, ListenerReconfigurable {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) SaslChannelBuilder.class);
    private final SecurityProtocol securityProtocol;
    private final ListenerName listenerName;
    private final boolean isInterBrokerListener;
    private final String clientSaslMechanism;
    private final Mode mode;
    private final Map<String, JaasContext> jaasContexts;
    private final boolean handshakeRequestEnable;
    private final CredentialCache credentialCache;
    private final DelegationTokenCache tokenCache;
    private final Map<String, LoginManager> loginManagers;
    private final Map<String, Subject> subjects;
    private SslFactory sslFactory;
    private Map<String, ?> configs;
    private KerberosShortNamer kerberosShortNamer;

    public SaslChannelBuilder(Mode mode, Map<String, JaasContext> map, SecurityProtocol securityProtocol, ListenerName listenerName, boolean z, String str, boolean z2, CredentialCache credentialCache, DelegationTokenCache delegationTokenCache) {
        this.mode = mode;
        this.jaasContexts = map;
        this.loginManagers = new HashMap(map.size());
        this.subjects = new HashMap(map.size());
        this.securityProtocol = securityProtocol;
        this.listenerName = listenerName;
        this.isInterBrokerListener = z;
        this.handshakeRequestEnable = z2;
        this.clientSaslMechanism = str;
        this.credentialCache = credentialCache;
        this.tokenCache = delegationTokenCache;
    }

    @Override // org.apache.kafka.common.Configurable
    public void configure(Map<String, ?> map) throws KafkaException {
        String str;
        try {
            this.configs = map;
            boolean containsKey = this.jaasContexts.containsKey("GSSAPI");
            if (containsKey) {
                try {
                    str = defaultKerberosRealm();
                } catch (Exception e) {
                    str = "";
                }
                List list = (List) map.get("sasl.kerberos.principal.to.local.rules");
                if (list != null) {
                    this.kerberosShortNamer = KerberosShortNamer.fromUnparsedRules(str, list);
                }
            }
            for (Map.Entry<String, JaasContext> entry : this.jaasContexts.entrySet()) {
                String key = entry.getKey();
                LoginManager acquireLoginManager = LoginManager.acquireLoginManager(entry.getValue(), key, containsKey, map);
                this.loginManagers.put(key, acquireLoginManager);
                this.subjects.put(key, acquireLoginManager.subject());
            }
            if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
                this.sslFactory = new SslFactory(this.mode, LoggingSystem.NONE, this.isInterBrokerListener);
                this.sslFactory.configure(map);
            }
        } catch (Exception e2) {
            close();
            throw new KafkaException(e2);
        }
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public Set<String> reconfigurableConfigs() {
        return this.securityProtocol == SecurityProtocol.SASL_SSL ? SslConfigs.RECONFIGURABLE_CONFIGS : Collections.emptySet();
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public void validateReconfiguration(Map<String, ?> map) {
        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            this.sslFactory.validateReconfiguration(map);
        }
    }

    @Override // org.apache.kafka.common.Reconfigurable
    public void reconfigure(Map<String, ?> map) {
        if (this.securityProtocol == SecurityProtocol.SASL_SSL) {
            this.sslFactory.reconfigure(map);
        }
    }

    @Override // org.apache.kafka.common.network.ListenerReconfigurable
    public ListenerName listenerName() {
        return this.listenerName;
    }

    @Override // org.apache.kafka.common.network.ChannelBuilder
    public KafkaChannel buildChannel(String str, SelectionKey selectionKey, int i, MemoryPool memoryPool) throws KafkaException {
        SaslServerAuthenticator buildClientAuthenticator;
        try {
            SocketChannel socketChannel = (SocketChannel) selectionKey.channel();
            Socket socket = socketChannel.socket();
            TransportLayer buildTransportLayer = buildTransportLayer(str, selectionKey, socketChannel);
            if (this.mode == Mode.SERVER) {
                buildClientAuthenticator = buildServerAuthenticator(this.configs, str, buildTransportLayer, this.subjects);
            } else {
                LoginManager loginManager = this.loginManagers.get(this.clientSaslMechanism);
                buildClientAuthenticator = buildClientAuthenticator(this.configs, str, socket.getInetAddress().getHostName(), loginManager.serviceName(), buildTransportLayer, loginManager.subject());
            }
            return new KafkaChannel(str, buildTransportLayer, buildClientAuthenticator, i, memoryPool != null ? memoryPool : MemoryPool.NONE);
        } catch (Exception e) {
            log.info("Failed to create channel due to ", (Throwable) e);
            throw new KafkaException(e);
        }
    }

    @Override // org.apache.kafka.common.network.ChannelBuilder, java.lang.AutoCloseable
    public void close() {
        Iterator<LoginManager> it = this.loginManagers.values().iterator();
        while (it.hasNext()) {
            it.next().release();
        }
        this.loginManagers.clear();
    }

    private TransportLayer buildTransportLayer(String str, SelectionKey selectionKey, SocketChannel socketChannel) throws IOException {
        return this.securityProtocol == SecurityProtocol.SASL_SSL ? SslTransportLayer.create(str, selectionKey, this.sslFactory.createSslEngine(socketChannel.socket().getInetAddress().getHostName(), socketChannel.socket().getPort())) : new PlaintextTransportLayer(selectionKey);
    }

    protected SaslServerAuthenticator buildServerAuthenticator(Map<String, ?> map, String str, TransportLayer transportLayer, Map<String, Subject> map2) throws IOException {
        return new SaslServerAuthenticator(map, str, this.jaasContexts, map2, this.kerberosShortNamer, this.credentialCache, this.listenerName, this.securityProtocol, transportLayer, this.tokenCache);
    }

    protected SaslClientAuthenticator buildClientAuthenticator(Map<String, ?> map, String str, String str2, String str3, TransportLayer transportLayer, Subject subject) throws IOException {
        return new SaslClientAuthenticator(map, str, subject, str3, str2, this.clientSaslMechanism, this.handshakeRequestEnable, transportLayer);
    }

    Map<String, LoginManager> loginManagers() {
        return this.loginManagers;
    }

    private static String defaultKerberosRealm() throws ClassNotFoundException, NoSuchMethodException, IllegalArgumentException, IllegalAccessException, InvocationTargetException {
        Class<?> cls = Java.isIbmJdk() ? Class.forName("com.ibm.security.krb5.internal.Config") : Class.forName("sun.security.krb5.Config");
        return (String) cls.getDeclaredMethod("getDefaultRealm", new Class[0]).invoke(cls.getMethod("getInstance", new Class[0]).invoke(cls, new Object[0]), new Object[0]);
    }
}
