package org.apache.cassandra.auth;

import com.google.common.annotations.VisibleForTesting;
import java.io.InputStream;
import java.net.InetAddress;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.cassandra.auth.IInternodeAuthenticator;
import org.apache.cassandra.config.Config;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.config.EncryptionOptions;
import org.apache.cassandra.config.ParameterizedClass;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.utils.NoSpamLogger;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/cassandra/auth/MutualTlsInternodeAuthenticator.class */
public class MutualTlsInternodeAuthenticator implements IInternodeAuthenticator {
    private static final String VALIDATOR_CLASS_NAME = "validator_class_name";
    private static final String TRUSTED_PEER_IDENTITIES = "trusted_peer_identities";
    private static final String NODE_IDENTITY = "node_identity";
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final NoSpamLogger noSpamLogger = NoSpamLogger.getLogger(this.logger, 30, TimeUnit.SECONDS);
    private final MutualTlsCertificateValidator certificateValidator;
    private final List<String> trustedIdentities;

    public MutualTlsInternodeAuthenticator(Map<String, String> map) {
        String str = map.get(VALIDATOR_CLASS_NAME);
        if (StringUtils.isEmpty(str)) {
            this.logger.error("internode_authenticator.parameters.validator_class_name is not set");
            throw new ConfigurationException("internode_authenticator.parameters.validator_class_name is not set");
        }
        this.certificateValidator = (MutualTlsCertificateValidator) ParameterizedClass.newInstance(new ParameterizedClass(str), Arrays.asList("", AuthConfig.class.getPackage().getName()));
        Config rawConfig = DatabaseDescriptor.getRawConfig();
        checkInternodeMtlsConfigurationIsValid(rawConfig);
        if (map.containsKey(TRUSTED_PEER_IDENTITIES)) {
            this.trustedIdentities = (List) Arrays.stream(map.get(TRUSTED_PEER_IDENTITIES).split(",")).collect(Collectors.toList());
        } else {
            this.trustedIdentities = getIdentitiesFromKeyStore(rawConfig.server_encryption_options.outbound_keystore, rawConfig.server_encryption_options.outbound_keystore_password, rawConfig.server_encryption_options.store_type);
            if (map.containsKey(NODE_IDENTITY)) {
                String str2 = map.get(NODE_IDENTITY);
                if (!this.trustedIdentities.contains(str2)) {
                    throw new ConfigurationException("Configured node identity is not matching identity extractedfrom the keystore");
                }
                this.trustedIdentities.retainAll(Collections.singleton(str2));
            }
        }
        if (!this.trustedIdentities.isEmpty()) {
            this.logger.info("Initializing internode authenticator with identities {}", this.trustedIdentities);
        } else {
            String format = String.format("No identity was extracted from the outbound keystore '%s'", rawConfig.server_encryption_options.outbound_keystore);
            this.logger.info(format);
            throw new ConfigurationException(format);
        }
    }

    @Override // org.apache.cassandra.auth.IInternodeAuthenticator
    public boolean authenticate(InetAddress inetAddress, int i) {
        throw new UnsupportedOperationException("mTLS Authenticator only supports certificate based authenticate method");
    }

    @Override // org.apache.cassandra.auth.IInternodeAuthenticator
    public boolean authenticate(InetAddress inetAddress, int i, Certificate[] certificateArr, IInternodeAuthenticator.InternodeConnectionDirection internodeConnectionDirection) {
        return authenticateInternodeWithMtls(inetAddress, i, certificateArr, internodeConnectionDirection);
    }

    @Override // org.apache.cassandra.auth.IInternodeAuthenticator
    public void validateConfiguration() throws ConfigurationException {
    }

    protected boolean authenticateInternodeWithMtls(InetAddress inetAddress, int i, Certificate[] certificateArr, IInternodeAuthenticator.InternodeConnectionDirection internodeConnectionDirection) {
        if (internodeConnectionDirection != IInternodeAuthenticator.InternodeConnectionDirection.INBOUND) {
            return true;
        }
        String identity = this.certificateValidator.identity(certificateArr);
        if (!this.certificateValidator.isValidCertificate(certificateArr)) {
            this.noSpamLogger.error("Not a valid certificate from {}:{} with identity '{}'", inetAddress, Integer.valueOf(i), identity);
            return false;
        }
        if (this.trustedIdentities.contains(identity)) {
            return true;
        }
        this.noSpamLogger.error("Unable to authenticate user {}", identity);
        return false;
    }

    @VisibleForTesting
    List<String> getIdentitiesFromKeyStore(String str, String str2, String str3) {
        ArrayList arrayList = new ArrayList();
        try {
            InputStream newInputStream = Files.newInputStream(Paths.get(str, new String[0]), new OpenOption[0]);
            try {
                KeyStore keyStore = KeyStore.getInstance(str3);
                keyStore.load(newInputStream, str2.toCharArray());
                Enumeration<String> aliases = keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    String nextElement = aliases.nextElement();
                    Certificate[] certificateChain = keyStore.getCertificateChain(nextElement);
                    if (certificateChain == null) {
                        this.logger.warn("Full chain/private key is not present in the keystore for certificate {}", nextElement);
                    } else {
                        try {
                            arrayList.add(this.certificateValidator.identity(certificateChain));
                        } catch (AuthenticationException e) {
                        }
                    }
                }
                if (newInputStream != null) {
                    newInputStream.close();
                }
            } finally {
            }
        } catch (Exception e2) {
            this.logger.error("Failed to get identities from outbound_keystore {}", str, e2);
        }
        return arrayList;
    }

    private void checkInternodeMtlsConfigurationIsValid(Config config) {
        if (config.server_encryption_options.internode_encryption == EncryptionOptions.ServerEncryptionOptions.InternodeEncryption.none || !config.server_encryption_options.require_client_auth) {
            this.logger.error("MutualTlsInternodeAuthenticator requires server_encryption_options.internode_encryption to be enabled & server_encryption_options.require_client_auth to be true");
            throw new ConfigurationException("MutualTlsInternodeAuthenticator requires server_encryption_options.internode_encryption to be enabled & server_encryption_options.require_client_auth to be true");
        }
    }
}
