package com.mysql.cj.protocol.a.authentication;

import com.mysql.cj.Messages;
import com.mysql.cj.callback.MysqlCallbackHandler;
import com.mysql.cj.callback.UsernameCallback;
import com.mysql.cj.exceptions.CJException;
import com.mysql.cj.exceptions.ExceptionFactory;
import com.mysql.cj.protocol.AuthenticationPlugin;
import com.mysql.cj.protocol.Protocol;
import com.mysql.cj.protocol.a.NativeConstants;
import com.mysql.cj.protocol.a.NativePacketPayload;
import com.mysql.cj.util.StringUtils;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.http.protocol.HTTP;

/* loaded from: input_file:META-INF/libraries/com/mysql/mysql-connector-j/8.1.0/mysql-connector-j-8.1.0.jar:com/mysql/cj/protocol/a/authentication/AuthenticationKerberosClient.class */
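/**
 * Client side of the MySQL {@code authentication_kerberos_client} plugin.
 *
 * <p>The plugin performs a JAAS login to obtain a {@link Subject}, then drives a GSSAPI
 * {@link SaslClient} under that subject, exchanging one challenge/response per call to
 * {@link #nextAuthenticationStep(NativePacketPayload, List)}.
 *
 * <p>Instances keep mutable per-connection state (user, password, subject, SASL client) and contain
 * no synchronization.
 */
public class AuthenticationKerberosClient implements AuthenticationPlugin<NativePacketPayload> {
    // NOTE(review): this field is public, static and not final, so any code in the JVM can reassign
    // it; it is compared against sourceOfAuthData in nextAuthenticationStep(). Left as-is because
    // making it final would break any caller that writes to it.
    public static String PLUGIN_NAME = "authentication_kerberos_client";
    private static final String LOGIN_CONFIG_ENTRY = "MySQLConnectorJ";
    private static final String AUTHENTICATION_MECHANISM = "GSSAPI";
    // Charset name used when reading the service principal name and realm from the server packet.
    // Spelled out here so this class does not reference an HTTP library just for the string "ASCII".
    private static final String PACKET_STRING_ENCODING = "ASCII";

    private String sourceOfAuthData = PLUGIN_NAME;
    private MysqlCallbackHandler usernameCallbackHandler = null;
    private String user = null;
    // Held as a String until reset(); it is only converted to char[] when JAAS asks for it.
    private String password = null;
    private String userPrincipalName = null;
    private Subject subject = null;
    private String cachedPrincipalName = null;

    /**
     * Supplies the principal name and password to the JAAS login module. Any callback other than
     * {@link NameCallback} or {@link PasswordCallback} is rejected.
     */
    private CallbackHandler credentialsCallbackHandler = callbacks -> {
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(this.userPrincipalName);
            } else if (callback instanceof PasswordCallback) {
                char[] secret = this.password == null ? new char[0] : this.password.toCharArray();
                ((PasswordCallback) callback).setPassword(secret);
            } else {
                throw new UnsupportedCallbackException(callback, callback.getClass().getName());
            }
        }
    };
    private SaslClient saslClient = null;

    /**
     * Stores the handler that is notified when this plugin derives the user name itself.
     *
     * @param protocol unused by this plugin
     * @param mysqlCallbackHandler handler for {@link UsernameCallback}; may be {@code null}
     */
    @Override
    public void init(Protocol<NativePacketPayload> protocol, MysqlCallbackHandler mysqlCallbackHandler) {
        this.usernameCallbackHandler = mysqlCallbackHandler;
    }

    /**
     * Disposes the SASL client, if any, and clears the user name and password. The JAAS subject and
     * the cached principal name are kept; {@link #destroy()} clears those.
     */
    @Override
    public void reset() {
        if (this.saslClient != null) {
            try {
                this.saslClient.dispose();
            } catch (SaslException ignored) {
                // Best-effort cleanup: the client is being discarded either way, and the
                // credential fields below must still be cleared.
            }
        }
        this.user = null;
        this.password = null;
        this.saslClient = null;
    }

    /** Performs {@link #reset()} and additionally drops the callback handler, subject and principal names. */
    @Override
    public void destroy() {
        reset();
        this.usernameCallbackHandler = null;
        this.userPrincipalName = null;
        this.subject = null;
        this.cachedPrincipalName = null;
    }

    /** @return the value of {@link #PLUGIN_NAME} */
    @Override
    public String getProtocolPluginName() {
        return PLUGIN_NAME;
    }

    /** @return always {@code false} */
    @Override
    public boolean requiresConfidentiality() {
        return false;
    }

    /** @return always {@code false} */
    @Override
    public boolean isReusable() {
        return false;
    }

    /**
     * Records the credentials for the next authentication exchange.
     *
     * <p>When no user name is given, the plugin attempts a JAAS login and uses the part of the
     * resulting principal name before the first {@code '@'}. If that login fails with a
     * {@link CJException}, the failure is not reported and the {@code user.name} system property is
     * used instead. In both cases the derived name is passed to the username callback handler, if set.
     *
     * @param str the user name, or {@code null} to derive it
     * @param str2 the password; may be {@code null}
     */
    @Override
    public void setAuthenticationParameters(String str, String str2) {
        this.user = str;
        this.password = str2;
        if (this.user != null) {
            return;
        }
        try {
            initializeAuthentication();
            int realmSeparator = this.cachedPrincipalName.indexOf('@');
            this.user = realmSeparator >= 0 ? this.cachedPrincipalName.substring(0, realmSeparator) : this.cachedPrincipalName;
        } catch (CJException e) {
            // Deliberate fallback: the login error is dropped and the OS account name is used.
            this.user = System.getProperty("user.name");
        }
        if (this.usernameCallbackHandler != null) {
            this.usernameCallbackHandler.handle(new UsernameCallback(this.user));
        }
    }

    /**
     * @param str name of the plugin that produced the data passed to the next authentication step
     */
    @Override
    public void setSourceOfAuthData(String str) {
        this.sourceOfAuthData = str;
    }

    /**
     * Processes one packet of the authentication exchange.
     *
     * <p>On the first packet the service principal name and the realm are read from the payload, a
     * JAAS login is performed and a GSSAPI SASL client is created. The remaining payload bytes are
     * then evaluated as a SASL challenge and any response is appended to {@code list}.
     *
     * <p>The packet is ignored (and {@code list} left empty) when the data did not come from this
     * plugin or the payload is empty.
     *
     * @param nativePacketPayload packet received from the server
     * @param list output list; cleared on entry, receives at most one response packet
     * @return always {@code true}
     * @throws CJException if the SASL client cannot be created or a challenge cannot be processed
     */
    @Override
    public boolean nextAuthenticationStep(NativePacketPayload nativePacketPayload, List<NativePacketPayload> list) {
        list.clear();
        if (!this.sourceOfAuthData.equals(PLUGIN_NAME) || nativePacketPayload.getPayloadLength() == 0) {
            return true;
        }

        if (this.saslClient == null) {
            try {
                // The service principal name and the realm are taken from the server's packet as
                // sent; this method applies no validation to either value before using them.
                int spnLength = (int) nativePacketPayload.readInteger(NativeConstants.IntegerDataType.INT2);
                String servicePrincipalName = nativePacketPayload.readString(NativeConstants.StringLengthDataType.STRING_VAR, PACKET_STRING_ENCODING,
                        spnLength);

                // Split "primary[/instance][@realm]" into primary and instance; the realm part is discarded.
                int realmSeparator = servicePrincipalName.indexOf('@');
                if (realmSeparator < 0) {
                    realmSeparator = servicePrincipalName.length();
                }
                int instanceSeparator = servicePrincipalName.lastIndexOf('/', realmSeparator);
                final String primary;
                final String instance;
                if (instanceSeparator >= 0) {
                    primary = servicePrincipalName.substring(0, instanceSeparator);
                    instance = servicePrincipalName.substring(instanceSeparator + 1, realmSeparator);
                } else {
                    primary = servicePrincipalName.substring(0, realmSeparator);
                    instance = "";
                }

                int realmLength = (int) nativePacketPayload.readInteger(NativeConstants.IntegerDataType.INT2);
                String realm = nativePacketPayload.readString(NativeConstants.StringLengthDataType.STRING_VAR, PACKET_STRING_ENCODING, realmLength);
                this.userPrincipalName = this.user + "@" + realm;

                initializeAuthentication();

                try {
                    // The explicit target type selects the PrivilegedExceptionAction overload of
                    // doAs; a bare zero-argument lambda matches both overloads and does not compile.
                    this.saslClient = Subject.doAs(this.subject, (PrivilegedExceptionAction<SaslClient>) () -> Sasl
                            .createSaslClient(new String[] { AUTHENTICATION_MECHANISM }, null, primary, instance, null, null));
                } catch (PrivilegedActionException e) {
                    // SaslException is the only checked exception createSaslClient declares, so it
                    // is the only type a PrivilegedActionException can wrap here.
                    throw (SaslException) e.getException();
                }
                if (this.saslClient == null) {
                    throw ExceptionFactory.createException(
                            Messages.getString("AuthenticationKerberosClientPlugin.FailCreateSaslClient", new Object[] { AUTHENTICATION_MECHANISM }));
                }
            } catch (SaslException e) {
                throw ExceptionFactory.createException(
                        Messages.getString("AuthenticationKerberosClientPlugin.FailCreateSaslClient", new Object[] { AUTHENTICATION_MECHANISM }), e);
            }
        }

        if (this.saslClient.isComplete()) {
            return true;
        }

        try {
            Subject.doAs(this.subject, (PrivilegedExceptionAction<Void>) () -> {
                byte[] response = this.saslClient.evaluateChallenge(nativePacketPayload.readBytes(NativeConstants.StringSelfDataType.STRING_EOF));
                if (response != null) {
                    NativePacketPayload responsePacket = new NativePacketPayload(response);
                    responsePacket.setPosition(0);
                    list.add(responsePacket);
                }
                return null;
            });
        } catch (PrivilegedActionException e) {
            throw ExceptionFactory.createException(
                    Messages.getString("AuthenticationKerberosClientPlugin.ErrProcessingAuthIter", new Object[] { AUTHENTICATION_MECHANISM }),
                    e.getException());
        }
        return true;
    }

    /**
     * Performs the JAAS login unless a subject already exists whose principal name equals the
     * current {@code userPrincipalName}.
     *
     * <p>If the {@code java.security.auth.login.config} system property is null or empty, a built-in
     * configuration is used: {@code Krb5LoginModule} with the ticket cache enabled and TGT renewal
     * disabled. Otherwise no configuration is passed to {@link LoginContext}, which then uses the
     * installed JAAS configuration and looks up the {@code MySQLConnectorJ} entry in it.
     *
     * @throws CJException if the login fails
     */
    private void initializeAuthentication() {
        boolean loginStillValid = this.subject != null && this.cachedPrincipalName != null
                && this.cachedPrincipalName.equals(this.userPrincipalName);
        if (loginStillValid) {
            return;
        }

        Configuration loginConfiguration = null;
        if (StringUtils.isNullOrEmpty(System.getProperty("java.security.auth.login.config"))) {
            final String principal = this.userPrincipalName;
            // NOTE(review): this JVM-wide property switches on the login module's "debug" option;
            // confirm what that output contains before enabling it outside troubleshooting.
            final boolean debug = Boolean.getBoolean("sun.security.jgss.debug");
            loginConfiguration = new Configuration() {
                @Override
                public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    Map<String, String> options = new HashMap<>();
                    options.put("useTicketCache", "true");
                    options.put("renewTGT", "false");
                    if (principal != null) {
                        options.put("principal", principal);
                    }
                    options.put("debug", Boolean.toString(debug));
                    return new AppConfigurationEntry[] { new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                            AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
                }
            };
        }

        try {
            LoginContext loginContext = new LoginContext(LOGIN_CONFIG_ENTRY, null, this.credentialsCallbackHandler, loginConfiguration);
            loginContext.login();
            this.subject = loginContext.getSubject();
            // Uses the first principal the iterator returns; the subject's principal set has no defined order.
            this.cachedPrincipalName = this.subject.getPrincipals().iterator().next().getName();
        } catch (LoginException e) {
            throw ExceptionFactory.createException(Messages.getString("AuthenticationKerberosClientPlugin.FailAuthenticateUser"), e);
        }
    }
}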
