package com.netflix.astyanax.shaded.org.apache.cassandra.auth;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Lists;
import com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator;
import com.netflix.astyanax.shaded.org.apache.cassandra.auth.ISaslAwareAuthenticator;
import com.netflix.astyanax.shaded.org.apache.cassandra.config.Schema;
import com.netflix.astyanax.shaded.org.apache.cassandra.cql3.QueryOptions;
import com.netflix.astyanax.shaded.org.apache.cassandra.cql3.QueryProcessor;
import com.netflix.astyanax.shaded.org.apache.cassandra.cql3.UntypedResultSet;
import com.netflix.astyanax.shaded.org.apache.cassandra.cql3.statements.SelectStatement;
import com.netflix.astyanax.shaded.org.apache.cassandra.db.ConsistencyLevel;
import com.netflix.astyanax.shaded.org.apache.cassandra.exceptions.AuthenticationException;
import com.netflix.astyanax.shaded.org.apache.cassandra.exceptions.ConfigurationException;
import com.netflix.astyanax.shaded.org.apache.cassandra.exceptions.InvalidRequestException;
import com.netflix.astyanax.shaded.org.apache.cassandra.exceptions.RequestExecutionException;
import com.netflix.astyanax.shaded.org.apache.cassandra.exceptions.RequestValidationException;
import com.netflix.astyanax.shaded.org.apache.cassandra.service.QueryState;
import com.netflix.astyanax.shaded.org.apache.cassandra.service.StorageService;
import com.netflix.astyanax.shaded.org.apache.cassandra.utils.ByteBufferUtil;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.mindrot.jbcrypt.BCrypt;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/netflix/astyanax/shaded/org/apache/cassandra/auth/PasswordAuthenticator.class */
public class PasswordAuthenticator implements ISaslAwareAuthenticator {
    private static final String GENSALT_LOG2_ROUNDS_PROPERTY = "cassandra.auth_bcrypt_gensalt_log2_rounds";
    private static final String SALTED_HASH = "salted_hash";
    private static final String DEFAULT_USER_NAME = "cassandra";
    private static final String DEFAULT_USER_PASSWORD = "cassandra";
    private SelectStatement authenticateStatement;
    private static final Logger logger = LoggerFactory.getLogger(PasswordAuthenticator.class);
    private static final int GENSALT_LOG2_ROUNDS = getGensaltLogRounds();
    private static final String CREDENTIALS_CF = "credentials";
    private static final String CREDENTIALS_CF_SCHEMA = String.format("CREATE TABLE %s.%s (username text,salted_hash text,options map<text,text>,PRIMARY KEY(username)) WITH gc_grace_seconds=%d", Auth.AUTH_KS, CREDENTIALS_CF, 7776000);

    /* loaded from: input_file:com/netflix/astyanax/shaded/org/apache/cassandra/auth/PasswordAuthenticator$PlainTextSaslAuthenticator.class */
    private class PlainTextSaslAuthenticator implements ISaslAwareAuthenticator.SaslAuthenticator {
        private static final byte NUL = 0;
        private boolean complete;
        private Map<String, String> credentials;

        private PlainTextSaslAuthenticator() {
            this.complete = false;
        }

        @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.ISaslAwareAuthenticator.SaslAuthenticator
        public byte[] evaluateResponse(byte[] bArr) throws AuthenticationException {
            this.credentials = decodeCredentials(bArr);
            this.complete = true;
            return null;
        }

        @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.ISaslAwareAuthenticator.SaslAuthenticator
        public boolean isComplete() {
            return this.complete;
        }

        @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.ISaslAwareAuthenticator.SaslAuthenticator
        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException {
            return PasswordAuthenticator.this.authenticate(this.credentials);
        }

        private Map<String, String> decodeCredentials(byte[] bArr) throws AuthenticationException {
            PasswordAuthenticator.logger.debug("Decoding credentials from client token");
            byte[] bArr2 = null;
            byte[] bArr3 = null;
            int length = bArr.length;
            for (int length2 = bArr.length - 1; length2 >= 0; length2--) {
                if (bArr[length2] == 0) {
                    if (bArr3 == null) {
                        bArr3 = Arrays.copyOfRange(bArr, length2 + 1, length);
                    } else if (bArr2 == null) {
                        bArr2 = Arrays.copyOfRange(bArr, length2 + 1, length);
                    }
                    length = length2;
                }
            }
            if (bArr2 == null) {
                throw new AuthenticationException("Authentication ID must not be null");
            }
            if (bArr3 == null) {
                throw new AuthenticationException("Password must not be null");
            }
            HashMap hashMap = new HashMap();
            hashMap.put(IAuthenticator.USERNAME_KEY, new String(bArr2, StandardCharsets.UTF_8));
            hashMap.put(IAuthenticator.PASSWORD_KEY, new String(bArr3, StandardCharsets.UTF_8));
            return hashMap;
        }
    }

    static int getGensaltLogRounds() {
        int intValue = Integer.getInteger(GENSALT_LOG2_ROUNDS_PROPERTY, 10).intValue();
        if (intValue < 4 || intValue > 31) {
            throw new RuntimeException(new ConfigurationException(String.format("Bad value for system property -D%s. Please use a value 4 and 31", GENSALT_LOG2_ROUNDS_PROPERTY)));
        }
        return intValue;
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public boolean requireAuthentication() {
        return true;
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public Set<IAuthenticator.Option> supportedOptions() {
        return ImmutableSet.of(IAuthenticator.Option.PASSWORD);
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public Set<IAuthenticator.Option> alterableOptions() {
        return ImmutableSet.of(IAuthenticator.Option.PASSWORD);
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public AuthenticatedUser authenticate(Map<String, String> map) throws AuthenticationException {
        String str = map.get(IAuthenticator.USERNAME_KEY);
        if (str == null) {
            throw new AuthenticationException(String.format("Required key '%s' is missing", IAuthenticator.USERNAME_KEY));
        }
        String str2 = map.get(IAuthenticator.PASSWORD_KEY);
        if (str2 == null) {
            throw new AuthenticationException(String.format("Required key '%s' is missing", IAuthenticator.PASSWORD_KEY));
        }
        try {
            UntypedResultSet untypedResultSet = new UntypedResultSet(this.authenticateStatement.execute(QueryState.forInternalCalls(), new QueryOptions(consistencyForUser(str), Lists.newArrayList(new ByteBuffer[]{ByteBufferUtil.bytes(str)}))).result);
            if (untypedResultSet.isEmpty() || !BCrypt.checkpw(str2, untypedResultSet.one().getString(SALTED_HASH))) {
                throw new AuthenticationException("Username and/or password are incorrect");
            }
            return new AuthenticatedUser(str);
        } catch (RequestExecutionException e) {
            throw new AuthenticationException(e.toString());
        } catch (RequestValidationException e2) {
            throw new AssertionError(e2);
        }
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public void create(String str, Map<IAuthenticator.Option, Object> map) throws InvalidRequestException, RequestExecutionException {
        String str2 = (String) map.get(IAuthenticator.Option.PASSWORD);
        if (str2 == null) {
            throw new InvalidRequestException("PasswordAuthenticator requires PASSWORD option");
        }
        process(String.format("INSERT INTO %s.%s (username, salted_hash) VALUES ('%s', '%s')", Auth.AUTH_KS, CREDENTIALS_CF, escape(str), escape(hashpw(str2))), consistencyForUser(str));
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public void alter(String str, Map<IAuthenticator.Option, Object> map) throws RequestExecutionException {
        process(String.format("UPDATE %s.%s SET salted_hash = '%s' WHERE username = '%s'", Auth.AUTH_KS, CREDENTIALS_CF, escape(hashpw((String) map.get(IAuthenticator.Option.PASSWORD))), escape(str)), consistencyForUser(str));
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public void drop(String str) throws RequestExecutionException {
        process(String.format("DELETE FROM %s.%s WHERE username = '%s'", Auth.AUTH_KS, CREDENTIALS_CF, escape(str)), consistencyForUser(str));
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public Set<DataResource> protectedResources() {
        return ImmutableSet.of(DataResource.columnFamily(Auth.AUTH_KS, CREDENTIALS_CF));
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public void validateConfiguration() throws ConfigurationException {
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.IAuthenticator
    public void setup() {
        setupCredentialsTable();
        StorageService.tasks.schedule(new Runnable() { // from class: com.netflix.astyanax.shaded.org.apache.cassandra.auth.PasswordAuthenticator.1
            @Override // java.lang.Runnable
            public void run() {
                PasswordAuthenticator.this.setupDefaultUser();
            }
        }, Auth.SUPERUSER_SETUP_DELAY, TimeUnit.MILLISECONDS);
        try {
            this.authenticateStatement = (SelectStatement) QueryProcessor.parseStatement(String.format("SELECT %s FROM %s.%s WHERE username = ?", SALTED_HASH, Auth.AUTH_KS, CREDENTIALS_CF)).prepare().statement;
        } catch (RequestValidationException e) {
            throw new AssertionError(e);
        }
    }

    @Override // com.netflix.astyanax.shaded.org.apache.cassandra.auth.ISaslAwareAuthenticator
    public ISaslAwareAuthenticator.SaslAuthenticator newAuthenticator() {
        return new PlainTextSaslAuthenticator();
    }

    private void setupCredentialsTable() {
        if (Schema.instance.getCFMetaData(Auth.AUTH_KS, CREDENTIALS_CF) == null) {
            try {
                process(CREDENTIALS_CF_SCHEMA, ConsistencyLevel.ANY);
            } catch (RequestExecutionException e) {
                throw new AssertionError(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void setupDefaultUser() {
        try {
            if (!hasExistingUsers()) {
                process(String.format("INSERT INTO %s.%s (username, salted_hash) VALUES ('%s', '%s') USING TIMESTAMP 0", Auth.AUTH_KS, CREDENTIALS_CF, "cassandra", escape(hashpw("cassandra"))), ConsistencyLevel.ONE);
                logger.info("PasswordAuthenticator created default user '{}'", "cassandra");
            }
        } catch (RequestExecutionException e) {
            logger.warn("PasswordAuthenticator skipped default user setup: some nodes were not ready");
        }
    }

    private static boolean hasExistingUsers() throws RequestExecutionException {
        String format = String.format("SELECT * FROM %s.%s WHERE username = '%s'", Auth.AUTH_KS, CREDENTIALS_CF, "cassandra");
        return (process(format, ConsistencyLevel.ONE).isEmpty() && process(format, ConsistencyLevel.QUORUM).isEmpty() && process(String.format("SELECT * FROM %s.%s LIMIT 1", Auth.AUTH_KS, CREDENTIALS_CF), ConsistencyLevel.QUORUM).isEmpty()) ? false : true;
    }

    private static String hashpw(String str) {
        return BCrypt.hashpw(str, BCrypt.gensalt(GENSALT_LOG2_ROUNDS));
    }

    private static String escape(String str) {
        return StringUtils.replace(str, "'", "''");
    }

    private static UntypedResultSet process(String str, ConsistencyLevel consistencyLevel) throws RequestExecutionException {
        return QueryProcessor.process(str, consistencyLevel);
    }

    private static ConsistencyLevel consistencyForUser(String str) {
        return str.equals("cassandra") ? ConsistencyLevel.QUORUM : ConsistencyLevel.LOCAL_ONE;
    }
}
