package org.jgroups.protocols;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.jgroups.Address;
import org.jgroups.Event;
import org.jgroups.Header;
import org.jgroups.Message;
import org.jgroups.PhysicalAddress;
import org.jgroups.annotations.MBean;
import org.jgroups.annotations.Property;
import org.jgroups.annotations.XmlAttribute;
import org.jgroups.auth.AuthToken;
import org.jgroups.auth.Krb5Token;
import org.jgroups.auth.X509Token;
import org.jgroups.conf.ClassConfigurator;
import org.jgroups.protocols.pbcast.GMS;
import org.jgroups.protocols.pbcast.JoinRsp;
import org.jgroups.stack.Protocol;
import org.jgroups.util.MessageBatch;

@MBean(description = "Provides authentication of joiners, to prevent un-authorized joining of a cluster")
@XmlAttribute(attrs = {X509Token.TOKEN_ATTR, "fixed_members_value", "fixed_members_seperator", "block_time", Krb5Token.CLIENT_PRINCIPAL_NAME, Krb5Token.CLIENT_PASSWORD, Krb5Token.SERVICE_PRINCIPAL_NAME, "token_hash", "match_string", "match_ip_address", "match_logical_name", X509Token.KEYSTORE_TYPE, X509Token.CERT_ALIAS, X509Token.KEYSTORE_PATH, X509Token.CIPHER_TYPE, X509Token.CERT_PASSWORD, X509Token.KEYSTORE_PASSWORD})
/* loaded from: input_file:lib/org.jgroups-3.6.16.LIFERAY-PATCHED-1.jar:org/jgroups/protocols/AUTH.class */
public class AUTH extends Protocol {
    protected AuthToken auth_token;
    protected static final short GMS_ID = ClassConfigurator.getProtocolId(GMS.class);
    protected Address local_addr;
    protected final List<UpHandler> up_handlers = new ArrayList();
    protected volatile boolean authenticate_coord = true;

    /* loaded from: input_file:lib/org.jgroups-3.6.16.LIFERAY-PATCHED-1.jar:org/jgroups/protocols/AUTH$UpHandler.class */
    public interface UpHandler {
        boolean handleUpEvent(Event event);
    }

    public AUTH() {
        this.name = "AUTH";
    }

    @Property(description = "Do join or merge responses from the coordinator also need to be authenticated")
    public AUTH setAuthCoord(boolean z) {
        this.authenticate_coord = z;
        return this;
    }

    @Property(name = "auth_class", description = "The fully qualified name of the class implementing the AuthToken interface")
    public void setAuthClass(String str) throws Exception {
        this.auth_token = (AuthToken) Class.forName(str).newInstance();
        this.auth_token.setAuth(this);
    }

    public String getAuthClass() {
        if (this.auth_token != null) {
            return this.auth_token.getClass().getName();
        }
        return null;
    }

    public AuthToken getAuthToken() {
        return this.auth_token;
    }

    public AUTH setAuthToken(AuthToken authToken) {
        this.auth_token = authToken;
        return this;
    }

    public AUTH register(UpHandler upHandler) {
        this.up_handlers.add(upHandler);
        return this;
    }

    public AUTH unregister(UpHandler upHandler) {
        this.up_handlers.remove(upHandler);
        return this;
    }

    public Address getAddress() {
        return this.local_addr;
    }

    public PhysicalAddress getPhysicalAddress() {
        return getTransport().getPhysicalAddress();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.jgroups.stack.Protocol
    public List<Object> getConfigurableObjects() {
        LinkedList linkedList = new LinkedList();
        if (this.auth_token != null) {
            linkedList.add(this.auth_token);
        }
        return linkedList;
    }

    @Override // org.jgroups.stack.Protocol
    public void init() throws Exception {
        super.init();
        if (this.auth_token == null) {
            throw new IllegalStateException("no authentication mechanism configured");
        }
        if (this.auth_token instanceof X509Token) {
            ((X509Token) this.auth_token).setCertificate();
        }
        this.auth_token.init();
    }

    @Override // org.jgroups.stack.Protocol
    public void start() throws Exception {
        super.start();
        if (this.auth_token != null) {
            this.auth_token.start();
        }
    }

    @Override // org.jgroups.stack.Protocol
    public void stop() {
        if (this.auth_token != null) {
            this.auth_token.stop();
        }
        super.stop();
    }

    @Override // org.jgroups.stack.Protocol
    public void destroy() {
        if (this.auth_token != null) {
            this.auth_token.destroy();
        }
        super.destroy();
    }

    @Override // org.jgroups.stack.Protocol, org.jgroups.UpHandler
    public Object up(Event event) {
        switch (event.getType()) {
            case 1:
                Message message = (Message) event.getArg();
                GMS.GmsHeader gMSHeader = getGMSHeader(event);
                if (gMSHeader != null && needsAuthentication(gMSHeader)) {
                    AuthHeader authHeader = (AuthHeader) message.getHeader(this.id);
                    if (authHeader == null) {
                        throw new IllegalStateException(String.format("found %s from %s but no AUTH header", gMSHeader, message.src()));
                    }
                    if (!handleAuthHeader(gMSHeader, authHeader, message)) {
                        return null;
                    }
                }
                break;
        }
        if (callUpHandlers(event)) {
            return this.up_prot.up(event);
        }
        return null;
    }

    @Override // org.jgroups.stack.Protocol
    public void up(MessageBatch messageBatch) {
        Iterator<Message> it = messageBatch.iterator();
        while (it.hasNext()) {
            Message next = it.next();
            GMS.GmsHeader gMSHeader = getGMSHeader(next);
            if (gMSHeader != null && needsAuthentication(gMSHeader)) {
                AuthHeader authHeader = (AuthHeader) next.getHeader(this.id);
                if (authHeader == null) {
                    this.log.warn("%s: found GMS join or merge request from %s but no AUTH header", this.local_addr, messageBatch.sender());
                    sendRejectionMessage(gMSHeader.getType(), messageBatch.sender(), "join or merge without an AUTH header");
                    messageBatch.remove(next);
                } else if (!handleAuthHeader(gMSHeader, authHeader, next)) {
                    messageBatch.remove(next);
                }
            }
        }
        if (messageBatch.isEmpty()) {
            return;
        }
        this.up_prot.up(messageBatch);
    }

    @Override // org.jgroups.stack.Protocol
    public Object down(Event event) {
        GMS.GmsHeader gMSHeader = getGMSHeader(event);
        if (gMSHeader != null && needsAuthentication(gMSHeader)) {
            ((Message) event.getArg()).putHeader(this.id, new AuthHeader(this.auth_token));
        }
        if (event.getType() == 8) {
            this.local_addr = (Address) event.getArg();
        }
        return this.down_prot.down(event);
    }

    protected boolean needsAuthentication(GMS.GmsHeader gmsHeader) {
        switch (gmsHeader.getType()) {
            case 1:
            case 6:
            case 11:
                return true;
            case 2:
            case 7:
            case 8:
                return this.authenticate_coord;
            case 3:
            case 4:
            case 5:
            case 9:
            case 10:
            default:
                return false;
        }
    }

    protected boolean handleAuthHeader(GMS.GmsHeader gmsHeader, AuthHeader authHeader, Message message) {
        if (!needsAuthentication(gmsHeader) || this.auth_token.authenticate(authHeader.getToken(), message)) {
            return true;
        }
        this.log.warn("%s: failed to validate AuthHeader (token: %s) from %s; dropping message", this.local_addr, this.auth_token.getClass().getSimpleName(), message.src());
        sendRejectionMessage(gmsHeader.getType(), message.getSrc(), "authentication failed");
        return false;
    }

    protected void sendRejectionMessage(byte b, Address address, String str) {
        switch (b) {
            case 1:
            case 11:
                sendJoinRejectionMessage(address, str);
                return;
            case 6:
                sendMergeRejectionMessage(address);
                return;
            default:
                return;
        }
    }

    protected void sendJoinRejectionMessage(Address address, String str) {
        if (address == null) {
            return;
        }
        Message buffer = new Message(address).putHeader(GMS_ID, new GMS.GmsHeader((byte) 2)).setBuffer(GMS.marshal(new JoinRsp(str)));
        if (this.authenticate_coord) {
            buffer.putHeader(this.id, new AuthHeader(this.auth_token));
        }
        this.down_prot.down(new Event(1, buffer));
    }

    protected void sendMergeRejectionMessage(Address address) {
        GMS.GmsHeader gmsHeader = new GMS.GmsHeader((byte) 7);
        gmsHeader.setMergeRejected(true);
        Message putHeader = new Message(address).setFlag(Message.Flag.OOB).putHeader(GMS_ID, gmsHeader);
        if (this.authenticate_coord) {
            putHeader.putHeader(this.id, new AuthHeader(this.auth_token));
        }
        this.log.debug("merge response=%s", gmsHeader);
        this.down_prot.down(new Event(1, putHeader));
    }

    protected boolean callUpHandlers(Event event) {
        boolean z = true;
        Iterator<UpHandler> it = this.up_handlers.iterator();
        while (it.hasNext()) {
            if (!it.next().handleUpEvent(event)) {
                z = false;
            }
        }
        return z;
    }

    protected static GMS.GmsHeader getGMSHeader(Event event) {
        if (event.getType() == 1) {
            return getGMSHeader((Message) event.getArg());
        }
        return null;
    }

    protected static GMS.GmsHeader getGMSHeader(Message message) {
        Header header = message.getHeader(GMS_ID);
        if (header instanceof GMS.GmsHeader) {
            return (GMS.GmsHeader) header;
        }
        return null;
    }
}
