package io.confluent.connect.elasticsearch;

import com.sun.security.auth.module.Krb5LoginModule;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.KerberosCredentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager;
import org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor;
import org.apache.http.nio.conn.NHttpClientConnectionManager;
import org.apache.http.nio.conn.NoopIOSessionStrategy;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.http.nio.reactor.IOReactorException;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.connect.errors.ConnectException;
import org.elasticsearch.client.RestClientBuilder;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/connect/elasticsearch/ConfigCallbackHandler.class */
public class ConfigCallbackHandler implements RestClientBuilder.HttpClientConfigCallback, RestClientBuilder.RequestConfigCallback {
    private static final Logger log = LoggerFactory.getLogger(ConfigCallbackHandler.class);
    private static final Oid SPNEGO_OID = spnegoOid();
    private final ElasticsearchSinkConnectorConfig config;
    private final NHttpClientConnectionManager connectionManager = configureConnectionManager();

    public ConfigCallbackHandler(ElasticsearchSinkConnectorConfig elasticsearchSinkConnectorConfig) {
        this.config = elasticsearchSinkConnectorConfig;
    }

    public HttpAsyncClientBuilder customizeHttpClient(HttpAsyncClientBuilder httpAsyncClientBuilder) {
        httpAsyncClientBuilder.setConnectionManager(this.connectionManager);
        httpAsyncClientBuilder.setMaxConnPerRoute(this.config.maxInFlightRequests());
        httpAsyncClientBuilder.setMaxConnTotal(this.config.maxInFlightRequests());
        configureAuthentication(httpAsyncClientBuilder);
        if (this.config.isKerberosEnabled()) {
            configureKerberos(httpAsyncClientBuilder);
        }
        if (this.config.isSslEnabled()) {
            configureSslContext(httpAsyncClientBuilder);
        }
        if (this.config.isKerberosEnabled() && this.config.isSslEnabled()) {
            log.info("Using Kerberos and SSL connection to {}.", this.config.connectionUrls());
        } else if (this.config.isKerberosEnabled()) {
            log.info("Using Kerberos connection to {}.", this.config.connectionUrls());
        } else if (this.config.isSslEnabled()) {
            log.info("Using SSL connection to {}.", this.config.connectionUrls());
        } else {
            log.info("Using unsecured connection to {}.", this.config.connectionUrls());
        }
        return httpAsyncClientBuilder;
    }

    public RequestConfig.Builder customizeRequestConfig(RequestConfig.Builder builder) {
        return builder.setContentCompressionEnabled(this.config.compression()).setConnectTimeout(this.config.connectionTimeoutMs()).setConnectionRequestTimeout(this.config.readTimeoutMs());
    }

    public NHttpClientConnectionManager connectionManager() {
        return this.connectionManager;
    }

    private void configureAuthentication(HttpAsyncClientBuilder httpAsyncClientBuilder) {
        BasicCredentialsProvider basicCredentialsProvider = new BasicCredentialsProvider();
        if (this.config.isAuthenticatedConnection()) {
            this.config.connectionUrls().forEach(str -> {
                basicCredentialsProvider.setCredentials(new AuthScope(HttpHost.create(str)), new UsernamePasswordCredentials(this.config.username(), this.config.password().value()));
            });
            httpAsyncClientBuilder.setDefaultCredentialsProvider(basicCredentialsProvider);
        }
        if (this.config.isBasicProxyConfigured()) {
            HttpHost httpHost = new HttpHost(this.config.proxyHost(), this.config.proxyPort());
            httpAsyncClientBuilder.setProxy(httpHost);
            if (this.config.isProxyWithAuthenticationConfigured()) {
                basicCredentialsProvider.setCredentials(new AuthScope(httpHost), new UsernamePasswordCredentials(this.config.proxyUsername(), this.config.proxyPassword().value()));
            }
            httpAsyncClientBuilder.setDefaultCredentialsProvider(basicCredentialsProvider);
        }
    }

    private PoolingNHttpClientConnectionManager configureConnectionManager() {
        PoolingNHttpClientConnectionManager poolingNHttpClientConnectionManager;
        try {
            DefaultConnectingIOReactor defaultConnectingIOReactor = new DefaultConnectingIOReactor();
            if (this.config.isSslEnabled()) {
                poolingNHttpClientConnectionManager = new PoolingNHttpClientConnectionManager(defaultConnectingIOReactor, RegistryBuilder.create().register("http", NoopIOSessionStrategy.INSTANCE).register("https", new SSLIOSessionStrategy(sslContext(), this.config.shouldDisableHostnameVerification() ? new NoopHostnameVerifier() : SSLConnectionSocketFactory.getDefaultHostnameVerifier())).build());
            } else {
                poolingNHttpClientConnectionManager = new PoolingNHttpClientConnectionManager(defaultConnectingIOReactor);
            }
            poolingNHttpClientConnectionManager.setDefaultMaxPerRoute(this.config.maxInFlightRequests());
            poolingNHttpClientConnectionManager.setMaxTotal(this.config.maxInFlightRequests());
            return poolingNHttpClientConnectionManager;
        } catch (IOReactorException e) {
            throw new ConnectException("Unable to open ElasticsearchClient.", e);
        }
    }

    private HttpAsyncClientBuilder configureKerberos(HttpAsyncClientBuilder httpAsyncClientBuilder) {
        GSSManager gSSManager = GSSManager.getInstance();
        httpAsyncClientBuilder.setDefaultAuthSchemeRegistry(RegistryBuilder.create().register("Negotiate", new SPNegoSchemeFactory()).build());
        try {
            GSSCredential gSSCredential = (GSSCredential) Subject.doAs(loginContext().getSubject(), () -> {
                return gSSManager.createCredential((GSSName) null, 0, SPNEGO_OID, 1);
            });
            BasicCredentialsProvider basicCredentialsProvider = new BasicCredentialsProvider();
            basicCredentialsProvider.setCredentials(new AuthScope(AuthScope.ANY_HOST, -1, AuthScope.ANY_REALM, "Negotiate"), new KerberosCredentials(gSSCredential));
            httpAsyncClientBuilder.setDefaultCredentialsProvider(basicCredentialsProvider);
            return httpAsyncClientBuilder;
        } catch (PrivilegedActionException e) {
            throw new ConnectException(e);
        }
    }

    private void configureSslContext(HttpAsyncClientBuilder httpAsyncClientBuilder) {
        NoopHostnameVerifier noopHostnameVerifier = this.config.shouldDisableHostnameVerification() ? new NoopHostnameVerifier() : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
        SSLContext sslContext = sslContext();
        httpAsyncClientBuilder.setSSLContext(sslContext);
        httpAsyncClientBuilder.setSSLHostnameVerifier(noopHostnameVerifier);
        httpAsyncClientBuilder.setSSLStrategy(new SSLIOSessionStrategy(sslContext, noopHostnameVerifier));
    }

    private SSLContext sslContext() {
        Object invoke;
        SslFactory sslFactory = new SslFactory(Mode.CLIENT, (String) null, false);
        sslFactory.configure(this.config.sslConfigs());
        try {
            log.debug("Trying AK 2.2 SslFactory methods.");
            return (SSLContext) SslFactory.class.getDeclaredMethod("sslContext", new Class[0]).invoke(sslFactory, new Object[0]);
        } catch (Exception e) {
            log.debug("Could not find AK 2.2 SslFactory methods. Trying AK 2.3+ methods for SslFactory.");
            try {
                invoke = SslFactory.class.getDeclaredMethod("sslEngineBuilder", new Class[0]).invoke(sslFactory, new Object[0]);
                log.debug("Using AK 2.2-2.5 SslFactory methods.");
            } catch (Exception e2) {
                log.debug("Could not find AK 2.3-2.5 SslFactory methods. Trying AK 2.6+ methods for SslFactory.");
                try {
                    invoke = SslFactory.class.getDeclaredMethod("sslEngineFactory", new Class[0]).invoke(sslFactory, new Object[0]);
                    log.debug("Using AK 2.6+ SslFactory methods.");
                } catch (Exception e3) {
                    throw new ConnectException("Failed to find methods for SslFactory.", e3);
                }
            }
            try {
                return (SSLContext) invoke.getClass().getDeclaredMethod("sslContext", new Class[0]).invoke(invoke, new Object[0]);
            } catch (Exception e4) {
                throw new ConnectException("Could not create SSLContext.", e4);
            }
        }
    }

    private LoginContext loginContext() throws PrivilegedActionException {
        Configuration configuration = new Configuration() { // from class: io.confluent.connect.elasticsearch.ConfigCallbackHandler.1
            public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry(Krb5LoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, ConfigCallbackHandler.this.kerberosConfigs())};
            }
        };
        return (LoginContext) AccessController.doPrivileged(() -> {
            LoginContext loginContext = new LoginContext("ElasticsearchSinkConnector", new Subject(false, Collections.singleton(new KerberosPrincipal(this.config.kerberosUserPrincipal())), new HashSet(), new HashSet()), (CallbackHandler) null, configuration);
            loginContext.login();
            return loginContext;
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Map<String, Object> kerberosConfigs() {
        HashMap hashMap = new HashMap();
        hashMap.put("useTicketCache", "true");
        hashMap.put("renewTGT", "true");
        hashMap.put("useKeyTab", "true");
        hashMap.put("keyTab", this.config.keytabPath());
        hashMap.put("refreshKrb5Config", "true");
        hashMap.put("principal", this.config.kerberosUserPrincipal());
        hashMap.put("storeKey", "false");
        hashMap.put("doNotPrompt", "true");
        return hashMap;
    }

    private static Oid spnegoOid() {
        try {
            return new Oid("1.3.6.1.5.5.2");
        } catch (GSSException e) {
            throw new ConnectException(e);
        }
    }
}
