package org.gridgain.grid.security.jaas;

import java.security.Principal;
import java.util.Iterator;
import javax.management.JMException;
import javax.management.ObjectName;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.ignite.Ignite;
import org.apache.ignite.IgniteCheckedException;
import org.apache.ignite.IgniteException;
import org.apache.ignite.IgniteLogger;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.internal.util.typedef.T3;
import org.apache.ignite.internal.util.typedef.internal.S;
import org.apache.ignite.internal.util.typedef.internal.U;
import org.apache.ignite.lifecycle.LifecycleAware;
import org.apache.ignite.plugin.security.AuthenticationContext;
import org.apache.ignite.plugin.security.SecurityPermissionSet;
import org.apache.ignite.plugin.security.SecuritySubject;
import org.apache.ignite.plugin.security.SecuritySubjectType;
import org.apache.ignite.resources.IgniteInstanceResource;
import org.apache.ignite.resources.LoggerResource;
import org.gridgain.grid.internal.GridPluginUtils;
import org.gridgain.grid.internal.processors.security.SecuritySubjectAdapter;
import org.gridgain.grid.internal.util.security.GridSecurityPermissionSetJsonParser;
import org.gridgain.grid.security.AuthenticationValidator;
import org.gridgain.grid.security.Authenticator;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:org/gridgain/grid/security/jaas/JaasAuthenticator.class */
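/**
 * {@link Authenticator} that delegates credential verification to a JAAS login
 * configuration and derives the subject's permission set from the names of the
 * principals the login produced.
 *
 * <p>Permission resolution, as implemented in {@link #authenticate}: each
 * principal name is handed either to the configured
 * {@link JaasPermissionsProvider} or, when none is set, to the JSON permission
 * parser. The first non-null result wins. If no principal yields a permission
 * set, the default permission set is used.
 *
 * <p>Security note: a login that succeeds but carries no parseable principal is
 * therefore granted the default permission set. The built-in default is
 * {@code {defaultAllow:false}}; widening it widens what every such subject may do.
 */
public class JaasAuthenticator implements Authenticator, AuthenticationValidator, JaasAuthenticatorMBean, LifecycleAware {
    /** JMX name under which this authenticator is registered; {@code null} while unregistered. */
    private ObjectName mBean;

    /** Logger, supplied through the {@code @LoggerResource} annotation. */
    @LoggerResource
    private IgniteLogger log;

    /** Owning Ignite instance, supplied through the {@code @IgniteInstanceResource} annotation. */
    @IgniteInstanceResource
    private Ignite ignite;

    /** Name of the JAAS login configuration entry passed to {@link LoginContext}. */
    private String loginCtxName = "GridJaasLoginContext";

    /** Factory for the callback handlers that feed credentials to the login modules. */
    private JaasCallbackHandlerFactory callbackHndFactory = new DefaultCallbackFactory();

    /** Default permissions in JSON form; parsed once in {@link #start()} if no set was injected. */
    private String dfltPermissions = "{defaultAllow:false}";

    /** Permission set applied when no principal name yields one. */
    private SecurityPermissionSet dfltPermSet;

    /** Optional provider that maps a principal name to permissions; {@code null} selects the JSON parser. */
    private JaasPermissionsProvider permProvider;

    /** Value reported by {@link #isGlobalNodeAuthentication()}. */
    private boolean globalNodeAuth;

    /**
     * Default callback handler factory: answers {@link NameCallback} and
     * {@link PasswordCallback} from the credentials carried by the
     * authentication context and rejects every other callback type.
     */
    private static class DefaultCallbackFactory implements JaasCallbackHandlerFactory {
        private DefaultCallbackFactory() {
        }

        /** Accepts every subject type. */
        @Override // org.gridgain.grid.security.jaas.JaasCallbackHandlerFactory
        public boolean supported(SecuritySubjectType securitySubjectType) {
            return true;
        }

        /**
         * Creates a handler bound to the given authentication context. Credentials are
         * read from the context when the handler is invoked, not when it is created.
         *
         * @param authenticationContext context whose credentials answer the callbacks
         * @return a new handler (this implementation never returns {@code null})
         */
        @Override // org.gridgain.grid.security.jaas.JaasCallbackHandlerFactory
        @Nullable
        public CallbackHandler newInstance(final AuthenticationContext authenticationContext) throws IgniteException {
            return new CallbackHandler() {
                @Override // javax.security.auth.callback.CallbackHandler
                public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
                    for (Callback callback : callbackArr) {
                        if (callback instanceof NameCallback) {
                            Object login = authenticationContext.credentials() == null ? null : authenticationContext.credentials().getLogin();
                            if (!(login instanceof String)) {
                                throw new IllegalArgumentException("Failed to handle JAAS callback (unsupported login type: " + (login == null ? "null" : login.getClass().getName()) + ")");
                            }
                            ((NameCallback) callback).setName((String) login);
                        } else if (callback instanceof PasswordCallback) {
                            PasswordCallback passwordCallback = (PasswordCallback) callback;
                            Object password = authenticationContext.credentials() == null ? null : authenticationContext.credentials().getPassword();
                            if (password instanceof String) {
                                // PasswordCallback.setPassword stores its own copy, so the temporary array can
                                // be wiped straight away. The source String itself cannot be cleared from here.
                                char[] chars = ((String) password).toCharArray();
                                try {
                                    passwordCallback.setPassword(chars);
                                } finally {
                                    java.util.Arrays.fill(chars, '\0');
                                }
                            } else if (password instanceof char[]) {
                                // Caller-owned array: it is passed through and never modified here.
                                passwordCallback.setPassword((char[]) password);
                            } else {
                                // Only the type name is reported, never the credential value.
                                throw new IllegalArgumentException("Failed to handle JAAS callback (unsupported password type: " + (password == null ? "null" : password.getClass().getName()) + ")");
                            }
                        } else {
                            throw new UnsupportedCallbackException(callback, "Failed to handle JAAS callback (unsupported callback type): " + callback.getClass().getName());
                        }
                    }
                }
            };
        }
    }

    /** @return name of the JAAS login configuration entry in use */
    @Override // org.gridgain.grid.security.jaas.JaasAuthenticatorMBean
    public String getLoginContextName() {
        return this.loginCtxName;
    }

    /**
     * Sets the JAAS login configuration entry name.
     *
     * @param str entry name; must not be {@code null} (checked only when assertions are enabled)
     */
    @Override // org.gridgain.grid.security.jaas.JaasAuthenticatorMBean
    public void setLoginContextName(String str) {
        assert str != null;
        this.loginCtxName = str;
    }

    /** @return string form of the configured callback handler factory */
    @Override // org.gridgain.grid.security.jaas.JaasAuthenticatorMBean
    public String getCallbackHandlerFactoryFormatted() {
        return this.callbackHndFactory.toString();
    }

    /**
     * Replaces the callback handler factory.
     *
     * @param jaasCallbackHandlerFactory new factory; {@link #start()} rejects {@code null}
     */
    public void setCallbackHandlerFactory(JaasCallbackHandlerFactory jaasCallbackHandlerFactory) {
        this.callbackHndFactory = jaasCallbackHandlerFactory;
    }

    /** @return default permissions in their textual form */
    public String getDefaultPermissions() {
        return this.dfltPermissions;
    }

    /** @return default permission set, or {@code null} if none was set or parsed yet */
    public SecurityPermissionSet getDefaultPermissionSet() {
        return this.dfltPermSet;
    }

    /**
     * Sets the default permission set directly. When set before {@link #start()},
     * the textual default permissions are not parsed.
     *
     * @param securityPermissionSet permission set used when no principal yields one
     */
    public void setDefaultPermissionSet(SecurityPermissionSet securityPermissionSet) {
        this.dfltPermSet = securityPermissionSet;
    }

    /** @return configured permissions provider, or {@code null} when the JSON parser is used */
    public JaasPermissionsProvider getPermissionsProvider() {
        return this.permProvider;
    }

    /**
     * Sets the provider that maps principal names to permissions.
     *
     * @param jaasPermissionsProvider provider, or {@code null} to parse principal names as JSON
     */
    public void setPermissionsProvider(JaasPermissionsProvider jaasPermissionsProvider) {
        this.permProvider = jaasPermissionsProvider;
    }

    /**
     * Sets the textual default permissions. The text is parsed only in
     * {@link #start()} and only if no default permission set exists at that point,
     * so a later call does not change the effective set.
     *
     * @param str default permissions text
     */
    public void setDefaultPermissions(String str) {
        this.dfltPermissions = str;
    }

    /** @return the configured global node authentication flag */
    @Override // org.gridgain.grid.security.Authenticator
    public boolean isGlobalNodeAuthentication() {
        return this.globalNodeAuth;
    }

    /** @param z new value of the global node authentication flag */
    public void setGlobalNodeAuthentication(boolean z) {
        this.globalNodeAuth = z;
    }

    /**
     * Builds a token from the login context name, the default permission set and the
     * global node authentication flag.
     * NOTE(review): presumably compared between nodes to detect configuration drift; confirm
     * against the AuthenticationValidator contract.
     *
     * @return tuple of the three settings
     */
    @Override // org.gridgain.grid.security.AuthenticationValidator
    public Object validationToken() {
        return new T3<>(this.loginCtxName, this.dfltPermSet, this.globalNodeAuth);
    }

    /**
     * Runs a JAAS login for the given context and builds the resulting subject.
     *
     * @param authenticationContext subject type, id, address and credentials to authenticate
     * @return the authenticated subject, or {@code null} when the factory supplies no
     *     callback handler or the JAAS login fails
     * @throws IgniteCheckedException if the {@link LoginContext} cannot be created
     */
    @Override // org.gridgain.grid.security.Authenticator
    public SecuritySubject authenticate(AuthenticationContext authenticationContext) throws IgniteCheckedException {
        CallbackHandler handler = this.callbackHndFactory.newInstance(authenticationContext);
        if (handler == null) {
            return null;
        }
        final LoginContext loginContext;
        try {
            loginContext = new LoginContext(this.loginCtxName, handler);
        } catch (LoginException e) {
            // A context that cannot be built is a configuration problem, not a rejected credential.
            throw new IgniteCheckedException("Failed to create login context: " + this.loginCtxName, e);
        }
        try {
            loginContext.login();
            boolean parseAsJson = this.permProvider == null;
            SecurityPermissionSet permissions = null;
            for (Principal principal : loginContext.getSubject().getPrincipals()) {
                permissions = parsePermissions(principal.getName(), parseAsJson);
                if (permissions != null) {
                    break;
                }
            }
            if (permissions == null) {
                // No principal carried usable permissions: the subject receives the default set.
                permissions = this.dfltPermSet;
            }
            SecuritySubjectAdapter subject = new SecuritySubjectAdapter(authenticationContext.subjectType(), authenticationContext.subjectId());
            subject.permissions(permissions);
            subject.address(authenticationContext.address());
            if (authenticationContext.credentials() != null) {
                subject.login(authenticationContext.credentials().getLogin());
            }
            return subject;
        } catch (LoginException e) {
            // Rejected logins are reported to the caller as "no subject" and logged here.
            U.error(this.log, "Authentication failed.", e);
            return null;
        }
    }

    /** @return whether the callback handler factory supports the given subject type */
    @Override // org.gridgain.grid.security.Authenticator
    public boolean supported(SecuritySubjectType securitySubjectType) {
        return this.callbackHndFactory.supported(securitySubjectType);
    }

    /**
     * Validates the configuration, parses the textual default permissions if no
     * default permission set was injected, and registers the MBean.
     */
    @Override // org.apache.ignite.lifecycle.LifecycleAware
    public void start() {
        GridPluginUtils.assertParameter(this.callbackHndFactory != null, "callbackHandlerFactory != null");
        GridPluginUtils.assertParameter(this.dfltPermissions != null, "defaultPermissions != null");
        if (this.dfltPermSet == null) {
            // parsePermissions returns null on a parse error, which the next check rejects.
            this.dfltPermSet = parsePermissions(this.dfltPermissions, true);
        }
        GridPluginUtils.assertParameter(this.dfltPermSet != null, "defaultPermissionSet != null");
        GridPluginUtils.assertParameter(this.loginCtxName != null, "loginContextName != null");
        registerMBean();
    }

    /** Unregisters the MBean and logs the stop at debug level. */
    @Override // org.apache.ignite.lifecycle.LifecycleAware
    public void stop() {
        unregisterMBean();
        // The logger is injected; guard so that stopping an instance that never received one does not fail.
        if (this.log != null && this.log.isDebugEnabled()) {
            this.log.debug("Authenticator stopped ok.");
        }
    }

    /** Registers this authenticator as an MBean unless MBeans are disabled. */
    private void registerMBean() {
        if (U.IGNITE_MBEANS_DISABLED) {
            return;
        }
        try {
            IgniteConfiguration configuration = this.ignite.configuration();
            this.mBean = U.registerMBean(configuration.getMBeanServer(), configuration.getGridName(), "authenticator", U.getSimpleName(getClass()), this, JaasAuthenticatorMBean.class);
        } catch (JMException e) {
            throw new IgniteException("Failed to register authenticator MBean: " + JaasAuthenticatorMBean.class, e);
        }
    }

    /** Unregisters the MBean if one was registered; a repeated call is a no-op. */
    private void unregisterMBean() {
        if (this.mBean == null) {
            return;
        }
        assert !U.IGNITE_MBEANS_DISABLED;
        try {
            this.ignite.configuration().getMBeanServer().unregisterMBean(this.mBean);
        } catch (JMException e) {
            throw new IgniteException("Failed to unregister authenticator MBean: " + JaasAuthenticatorMBean.class, e);
        } finally {
            // Forget the name either way so a second stop() does not retry a stale registration.
            this.mBean = null;
        }
    }

    /**
     * Converts a permission string into a permission set.
     *
     * @param str permission text (a principal name or the textual default permissions)
     * @param z {@code true} to parse {@code str} as JSON, {@code false} to ask the permissions provider
     * @return the permission set, or {@code null} if parsing failed (the failure is logged)
     */
    private SecurityPermissionSet parsePermissions(String str, boolean z) {
        try {
            return z ? new GridSecurityPermissionSetJsonParser(str).parse() : this.permProvider.permissions(str);
        } catch (IgniteCheckedException e) {
            U.error(this.log, "Failed to parse permissions [permStr=" + str + ", permProvider=" + this.permProvider + ']', e);
            return null;
        }
    }

    @Override
    public String toString() {
        return S.toString(JaasAuthenticator.class, this);
    }
}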
