package org.apache.cassandra.auth;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet;
import java.net.InetAddress;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.apache.cassandra.auth.IAuthenticator;
import org.apache.cassandra.config.Config;
import org.apache.cassandra.config.DatabaseDescriptor;
import org.apache.cassandra.config.DurationSpec;
import org.apache.cassandra.config.EncryptionOptions;
import org.apache.cassandra.config.ParameterizedClass;
import org.apache.cassandra.exceptions.AuthenticationException;
import org.apache.cassandra.exceptions.ConfigurationException;
import org.apache.cassandra.metrics.MutualTlsMetrics;
import org.apache.cassandra.schema.SchemaConstants;
import org.apache.cassandra.utils.NoSpamLogger;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.helpers.MessageFormatter;

/* loaded from: input_file:org/apache/cassandra/auth/MutualTlsAuthenticator.class */
public class MutualTlsAuthenticator implements IAuthenticator {
    private static final String VALIDATOR_CLASS_NAME = "validator_class_name";
    private static final String CACHE_NAME = "IdentitiesCache";
    private final IdentityCache identityCache = new IdentityCache();
    private final MutualTlsCertificateValidator certificateValidator;
    private final MutualTlsCertificateValidityPeriodValidator certificateValidityPeriodValidator;
    private final DurationSpec.IntMinutesBound certificateValidityWarnThreshold;
    static final String METADATA_IDENTITY_KEY = "identity";
    private static final Logger logger = LoggerFactory.getLogger(MutualTlsAuthenticator.class);
    private static final NoSpamLogger nospamLogger = NoSpamLogger.getLogger(logger, 1, TimeUnit.MINUTES);
    private static final Set<IAuthenticator.AuthenticationMode> AUTHENTICATION_MODES = Collections.singleton(IAuthenticator.AuthenticationMode.MTLS);

    @VisibleForTesting
    /* loaded from: input_file:org/apache/cassandra/auth/MutualTlsAuthenticator$CertificateNegotiator.class */
    class CertificateNegotiator implements IAuthenticator.SaslNegotiator {
        private final Certificate[] clientCertificateChain;

        private CertificateNegotiator(Certificate[] certificateArr) {
            this.clientCertificateChain = certificateArr;
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public byte[] evaluateResponse(byte[] bArr) throws AuthenticationException {
            return null;
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean shouldSendAuthenticateMessage() {
            return false;
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public boolean isComplete() {
            return true;
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException {
            if (this.clientCertificateChain == null || this.clientCertificateChain.length == 0) {
                throw new AuthenticationException("No certificate present on connection");
            }
            if (!MutualTlsAuthenticator.this.certificateValidator.isValidCertificate(this.clientCertificateChain)) {
                MutualTlsAuthenticator.nospamLogger.error("Invalid or not supported certificate", new Object[0]);
                throw new AuthenticationException("Invalid or not supported certificate");
            }
            String identity = MutualTlsAuthenticator.this.certificateValidator.identity(this.clientCertificateChain);
            if (StringUtils.isEmpty(identity)) {
                MutualTlsAuthenticator.nospamLogger.error("Unable to extract client identity from certificate for authentication", new Object[0]);
                throw new AuthenticationException("Unable to extract client identity from certificate for authentication");
            }
            String str = MutualTlsAuthenticator.this.identityCache.get(identity);
            if (str == null) {
                MutualTlsAuthenticator.nospamLogger.error("Certificate identity '{}' not authorized", identity);
                throw new AuthenticationException(MessageFormatter.format("Certificate identity '{}' not authorized", identity).getMessage());
            }
            int validate = MutualTlsAuthenticator.this.certificateValidityPeriodValidator.validate(this.clientCertificateChain);
            int minutesToDays = MutualTlsUtil.minutesToDays(validate);
            if (MutualTlsAuthenticator.this.certificateValidityWarnThreshold != null && validate < MutualTlsAuthenticator.this.certificateValidityWarnThreshold.toMinutes()) {
                MutualTlsAuthenticator.nospamLogger.warn("Certificate with identity '{}' will expire in {}", identity, MutualTlsUtil.toHumanReadableCertificateExpiration(validate));
            }
            MutualTlsMetrics.instance.clientCertificateExpirationDays.update(minutesToDays);
            return new AuthenticatedUser(str, IAuthenticator.AuthenticationMode.MTLS, Collections.singletonMap(MutualTlsAuthenticator.METADATA_IDENTITY_KEY, identity));
        }

        @Override // org.apache.cassandra.auth.IAuthenticator.SaslNegotiator
        public IAuthenticator.AuthenticationMode getAuthenticationMode() {
            return IAuthenticator.AuthenticationMode.MTLS;
        }
    }

    /* loaded from: input_file:org/apache/cassandra/auth/MutualTlsAuthenticator$IdentityCache.class */
    static class IdentityCache extends AuthCache<String, String> {
        IdentityCache() {
            super(MutualTlsAuthenticator.CACHE_NAME, DatabaseDescriptor::setCredentialsValidity, DatabaseDescriptor::getCredentialsValidity, DatabaseDescriptor::setCredentialsUpdateInterval, DatabaseDescriptor::getCredentialsUpdateInterval, DatabaseDescriptor::setCredentialsCacheMaxEntries, DatabaseDescriptor::getCredentialsCacheMaxEntries, (v0) -> {
                DatabaseDescriptor.setCredentialsCacheActiveUpdate(v0);
            }, DatabaseDescriptor::getCredentialsCacheActiveUpdate, str -> {
                return DatabaseDescriptor.getRoleManager().roleForIdentity(str);
            }, () -> {
                return DatabaseDescriptor.getRoleManager().authorizedIdentities();
            }, () -> {
                return true;
            }, (str2, str3) -> {
                return str3 == null;
            });
        }
    }

    public MutualTlsAuthenticator(Map<String, String> map) {
        String str = map != null ? map.get(VALIDATOR_CLASS_NAME) : null;
        if (StringUtils.isEmpty(str)) {
            logger.error("authenticator.parameters.validator_class_name is not set");
            throw new ConfigurationException("authenticator.parameters.validator_class_name is not set");
        }
        this.certificateValidator = (MutualTlsCertificateValidator) ParameterizedClass.newInstance(new ParameterizedClass(str), Arrays.asList("", AuthConfig.class.getPackage().getName()));
        Config rawConfig = DatabaseDescriptor.getRawConfig();
        this.certificateValidityPeriodValidator = new MutualTlsCertificateValidityPeriodValidator(rawConfig.client_encryption_options.max_certificate_validity_period);
        this.certificateValidityWarnThreshold = rawConfig.client_encryption_options.certificate_validity_warn_threshold;
        AuthCacheService.instance.register(this.identityCache);
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public boolean requireAuthentication() {
        return true;
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public boolean supportsEarlyAuthentication() {
        return true;
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public Set<? extends IResource> protectedResources() {
        return ImmutableSet.of(DataResource.table(SchemaConstants.AUTH_KEYSPACE_NAME, AuthKeyspace.ROLES));
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public void validateConfiguration() throws ConfigurationException {
        Config rawConfig = DatabaseDescriptor.getRawConfig();
        if (rawConfig.client_encryption_options.getEnabled().booleanValue() && rawConfig.client_encryption_options.getClientAuth() == EncryptionOptions.ClientAuth.REQUIRED) {
            return;
        }
        logger.error("MutualTlsAuthenticator requires client_encryption_options.enabled to be true & client_encryption_options.require_client_auth to be true");
        throw new ConfigurationException("MutualTlsAuthenticator requires client_encryption_options.enabled to be true & client_encryption_options.require_client_auth to be true");
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public void setup() {
        this.identityCache.warm();
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public IAuthenticator.SaslNegotiator newSaslNegotiator(InetAddress inetAddress) {
        return null;
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public IAuthenticator.SaslNegotiator newSaslNegotiator(InetAddress inetAddress, Certificate[] certificateArr) {
        return new CertificateNegotiator(certificateArr);
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public Set<IAuthenticator.AuthenticationMode> getSupportedAuthenticationModes() {
        return AUTHENTICATION_MODES;
    }

    @Override // org.apache.cassandra.auth.IAuthenticator
    public AuthenticatedUser legacyAuthenticate(Map<String, String> map) throws AuthenticationException {
        throw new AuthenticationException("mTLS authentication is not supported for CassandraLoginModule");
    }
}
