package software.amazon.msk.auth.iam.internals;

import aws_msk_iam_auth_shadow.com.fasterxml.jackson.databind.ObjectMapper;
import aws_msk_iam_auth_shadow.org.slf4j.Logger;
import aws_msk_iam_auth_shadow.org.slf4j.LoggerFactory;
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslClientFactory;
import javax.security.sasl.SaslException;
import lombok.NonNull;
import org.apache.kafka.common.errors.IllegalSaslStateException;
import software.amazon.msk.auth.iam.IAMLoginModule;

/* loaded from: input_file:software/amazon/msk/auth/iam/internals/IAMSaslClient.class */
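/**
 * SASL client for the mechanism named by {@link IAMLoginModule#MECHANISM}.
 *
 * <p>The exchange has two steps: the client sends a signed payload as its initial response,
 * then expects one non-empty server response, which is parsed as an
 * {@code AuthenticationResponse}. Any failure while evaluating a challenge moves the client
 * to {@link State#FAILED}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>This class negotiates no security layer: {@link #wrap} and {@link #unwrap} only copy
 *       bytes and {@link #getNegotiatedProperty} always yields {@code null}. Protection of the
 *       exchange therefore has to come from the transport underneath (presumably TLS; confirm
 *       against the listener configuration).</li>
 *   <li>The server response is untrusted input. It is bound to one fixed class, and this class
 *       performs no further verification of it: any response that parses to a non-null
 *       object completes the exchange.</li>
 *   <li>Credentials obtained through the callback handler are never logged here; keep it that
 *       way when adding diagnostics.</li>
 * </ul>
 */
public class IAMSaslClient implements SaslClient {
    private static final Logger log = LoggerFactory.getLogger(IAMSaslClient.class);
    private static final String NOT_COMPLETE = "Authentication exchange has not completed";

    private final String mechanism;
    private final CallbackHandler cbh;
    private final String serverName;
    private final SignedPayloadGenerator payloadGenerator;
    private State state;
    private String responseRequestId;

    /** Factory that produces {@link IAMSaslClient} instances for the single supported mechanism. */
    /* loaded from: input_file:software/amazon/msk/auth/iam/internals/IAMSaslClient$IAMSaslClientFactory.class */
    public static class IAMSaslClientFactory implements SaslClientFactory {
        /**
         * Creates a client if {@link IAMLoginModule#MECHANISM} is among the requested mechanisms.
         *
         * @param mechanisms candidate mechanism names, tried in order
         * @param authorizationId unused by this factory
         * @param protocol unused by this factory
         * @param serverName passed to the client and included in the signed request parameters
         * @param props unused by this factory
         * @param cbh callback handler the client uses to obtain AWS credentials
         * @return a new client in its initial state
         * @throws SaslException if none of the requested mechanisms is supported
         */
        @Override
        public SaslClient createSaslClient(String[] mechanisms, String authorizationId, String protocol, String serverName, Map<String, ?> props, CallbackHandler cbh) throws SaslException {
            for (String candidate : mechanisms) {
                if (IAMLoginModule.MECHANISM.equals(candidate)) {
                    return new IAMSaslClient(candidate, cbh, serverName, new AWS4SignedPayloadGenerator());
                }
            }
            throw new SaslException("Requested mechanisms " + Arrays.asList(mechanisms) + " not supported. The supported mechanism is " + IAMLoginModule.MECHANISM);
        }

        /** Returns the one mechanism name this factory supports; {@code props} is ignored. */
        @Override
        public String[] getMechanismNames(Map<String, ?> props) {
            return new String[]{IAMLoginModule.MECHANISM};
        }
    }

    /** Steps of the authentication exchange, in the order they are normally visited. */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:software/amazon/msk/auth/iam/internals/IAMSaslClient$State.class */
    public enum State {
        SEND_CLIENT_FIRST_MESSAGE,
        RECEIVE_SERVER_RESPONSE,
        COMPLETE,
        FAILED
    }

    /**
     * Creates a client that starts in {@link State#SEND_CLIENT_FIRST_MESSAGE}.
     *
     * @param mechanism mechanism name reported by {@link #getMechanismName()}
     * @param cbh callback handler asked for AWS credentials when the first message is built
     * @param serverName server name placed in the signed request parameters
     * @param payloadGenerator produces the signed payload sent as the initial response
     * @throws NullPointerException if any argument is {@code null}
     */
    public IAMSaslClient(@NonNull String mechanism, @NonNull CallbackHandler cbh, @NonNull String serverName, @NonNull SignedPayloadGenerator payloadGenerator) {
        if (mechanism == null) {
            throw new NullPointerException("mechanism is marked non-null but is null");
        }
        if (cbh == null) {
            throw new NullPointerException("cbh is marked non-null but is null");
        }
        if (serverName == null) {
            throw new NullPointerException("serverName is marked non-null but is null");
        }
        if (payloadGenerator == null) {
            throw new NullPointerException("payloadGenerator is marked non-null but is null");
        }
        this.mechanism = mechanism;
        this.cbh = cbh;
        this.serverName = serverName;
        this.payloadGenerator = payloadGenerator;
        setState(State.SEND_CLIENT_FIRST_MESSAGE);
    }

    @Override
    public String getMechanismName() {
        return this.mechanism;
    }

    /** Always {@code true}: the client speaks first with the signed payload. */
    @Override
    public boolean hasInitialResponse() {
        return true;
    }

    /**
     * Advances the exchange by one step.
     *
     * @param challenge must be empty for the first call and non-empty for the second
     * @return the signed payload on the first call, {@code null} once the server response
     *     has been accepted
     * @throws SaslException if the challenge does not fit the current state, credentials cannot
     *     be loaded, or the server response cannot be parsed; the state becomes
     *     {@link State#FAILED}
     */
    @Override
    public byte[] evaluateChallenge(byte[] challenge) throws SaslException {
        log.debug("State {} at start of evaluating challenge", this.state);
        try {
            switch (this.state) {
                case SEND_CLIENT_FIRST_MESSAGE:
                    if (!isChallengeEmpty(challenge)) {
                        throw new SaslException("Expects an empty challenge in state " + this.state);
                    }
                    return generateClientMessage();
                case RECEIVE_SERVER_RESPONSE:
                    if (isChallengeEmpty(challenge)) {
                        throw new SaslException("Expects a non-empty authentication response in state " + this.state);
                    }
                    handleServerResponse(challenge);
                    setState(State.COMPLETE);
                    return null;
                default:
                    // NOTE(review): this Kafka runtime exception is not handled by the catch
                    // clauses below, so a challenge that arrives after COMPLETE leaves the state
                    // at COMPLETE and isComplete() keeps returning true. Callers should treat
                    // the exception itself as the failure signal.
                    throw new IllegalSaslStateException("Challenge received in unexpected state " + this.state);
            }
        } catch (SaslException e) {
            // SaslException is an IOException, so it must be caught first; otherwise the
            // specific message would be buried under the generic wrapper below.
            setState(State.FAILED);
            throw e;
        } catch (IOException | IllegalArgumentException | UnsupportedCallbackException e) {
            setState(State.FAILED);
            throw new SaslException("Exception while evaluating challenge", e);
        } finally {
            log.debug("State {} at end of evaluating challenge", this.state);
        }
    }

    /**
     * Parses the server response and records its request id.
     *
     * <p>The bytes come from the peer and are deserialized into one fixed class. Nothing else
     * about the response is checked here.
     *
     * @throws IOException if the bytes cannot be parsed, or (as {@link SaslException}) if they
     *     parse to {@code null}
     */
    private void handleServerResponse(byte[] challenge) throws IOException {
        AuthenticationResponse response = new ObjectMapper().readValue(challenge, AuthenticationResponse.class);
        if (response == null) {
            throw new SaslException("Invalid response from server ");
        }
        this.responseRequestId = response.getRequestId();
        // Parameterized form defers toString() until debug logging is actually enabled.
        log.debug("Response from server: {}", response);
    }

    /**
     * Loads AWS credentials through the callback handler and builds the signed initial response.
     * On success the state moves to {@link State#RECEIVE_SERVER_RESPONSE}.
     *
     * @throws SaslException if the callback reports that no credentials could be loaded
     */
    private byte[] generateClientMessage() throws IOException, UnsupportedCallbackException {
        AWSCredentialsCallback credentialsCallback = new AWSCredentialsCallback();
        this.cbh.handle(new Callback[]{credentialsCallback});
        if (!credentialsCallback.isSuccessful()) {
            throw new SaslException("Failed to find AWS IAM Credentials", credentialsCallback.getLoadingException());
        }
        AuthenticationRequestParams params = AuthenticationRequestParams.create(this.serverName, credentialsCallback.getAwsCredentials(), UserAgentUtils.getUserAgentValue());
        byte[] signedPayload = this.payloadGenerator.signedPayload(params);
        setState(State.RECEIVE_SERVER_RESPONSE);
        return signedPayload;
    }

    @Override
    public boolean isComplete() {
        return this.state == State.COMPLETE;
    }

    /**
     * Returns a copy of the given range unchanged; no security layer is applied.
     *
     * @throws IllegalStateException if the exchange has not completed
     */
    @Override
    public byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException {
        return copyRangeWhenComplete(incoming, offset, len);
    }

    /**
     * Returns a copy of the given range unchanged; no security layer is applied.
     *
     * @throws IllegalStateException if the exchange has not completed
     */
    @Override
    public byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException {
        return copyRangeWhenComplete(outgoing, offset, len);
    }

    /**
     * Always {@code null} after completion: this client negotiates no properties.
     *
     * @throws IllegalStateException if the exchange has not completed
     */
    @Override
    public Object getNegotiatedProperty(String propName) {
        requireComplete();
        return null;
    }

    /** No-op: this class does nothing on disposal. */
    @Override
    public void dispose() throws SaslException {
    }

    /**
     * Returns the request id taken from the server response.
     *
     * @throws IllegalStateException if the exchange has not completed
     */
    public String getResponseRequestId() {
        requireComplete();
        return this.responseRequestId;
    }

    /** Shared body of wrap/unwrap: a plain range copy once the exchange is complete. */
    private byte[] copyRangeWhenComplete(byte[] data, int offset, int len) {
        requireComplete();
        // NOTE(review): Arrays.copyOfRange zero-pads when offset + len runs past the end of
        // the array instead of rejecting the range; add an explicit bounds check if these
        // methods ever carry real traffic.
        return Arrays.copyOfRange(data, offset, offset + len);
    }

    /** Rejects calls that are only valid after a completed exchange. */
    private void requireComplete() {
        if (!isComplete()) {
            throw new IllegalStateException(NOT_COMPLETE);
        }
    }

    private void setState(State state) {
        log.debug("Setting SASL/{} client state to {}", this.mechanism, state);
        this.state = state;
    }

    private static boolean isChallengeEmpty(byte[] challenge) {
        return challenge == null || challenge.length == 0;
    }
}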
