package org.apache.kafka.common.security.authenticator;

import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Random;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.kafka.clients.NetworkClient;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.errors.IllegalSaslStateException;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.errors.UnsupportedSaslMechanismException;
import org.apache.kafka.common.message.ApiVersionsResponseData;
import org.apache.kafka.common.message.RequestHeaderData;
import org.apache.kafka.common.message.SaslAuthenticateRequestData;
import org.apache.kafka.common.message.SaslHandshakeRequestData;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.NetworkReceive;
import org.apache.kafka.common.network.NetworkSend;
import org.apache.kafka.common.network.ReauthenticationContext;
import org.apache.kafka.common.network.Send;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.protocol.ApiKeys;
import org.apache.kafka.common.protocol.Errors;
import org.apache.kafka.common.protocol.types.SchemaException;
import org.apache.kafka.common.record.KafkaLZ4BlockOutputStream;
import org.apache.kafka.common.record.LegacyRecord;
import org.apache.kafka.common.record.Records;
import org.apache.kafka.common.requests.AbstractResponse;
import org.apache.kafka.common.requests.ApiVersionsRequest;
import org.apache.kafka.common.requests.ApiVersionsResponse;
import org.apache.kafka.common.requests.RequestHeader;
import org.apache.kafka.common.requests.SaslAuthenticateRequest;
import org.apache.kafka.common.requests.SaslAuthenticateResponse;
import org.apache.kafka.common.requests.SaslHandshakeRequest;
import org.apache.kafka.common.requests.SaslHandshakeResponse;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.kerberos.KerberosError;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/kafka/common/security/authenticator/SaslClientAuthenticator.class */
public class SaslClientAuthenticator implements Authenticator {
    private static final short DISABLE_KAFKA_SASL_AUTHENTICATE_HEADER = -1;
    private static final Random RNG = new Random();
    private final Subject subject;
    private final String servicePrincipal;
    private final String host;
    private final String node;
    private final String mechanism;
    private final TransportLayer transportLayer;
    private final SaslClient saslClient;
    private final Map<String, ?> configs;
    private final String clientPrincipalName;
    private final AuthenticateCallbackHandler callbackHandler;
    private final Time time;
    private final Logger log;
    private NetworkReceive netInBuffer;
    private Send netOutBuffer;
    private SaslState saslState;
    private SaslState pendingSaslState;
    private RequestHeader currentRequestHeader;
    private short saslHandshakeVersion;
    private int correlationId = 0;
    private short saslAuthenticateVersion = -1;
    private final ReauthInfo reauthInfo = new ReauthInfo(this, null);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.kafka.common.security.authenticator.SaslClientAuthenticator$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/kafka/common/security/authenticator/SaslClientAuthenticator$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState;

        static {
            try {
                $SwitchMap$org$apache$kafka$common$protocol$Errors[Errors.NONE.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$protocol$Errors[Errors.UNSUPPORTED_SASL_MECHANISM.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$protocol$Errors[Errors.ILLEGAL_SASL_STATE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState = new int[SaslState.values().length];
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.SEND_APIVERSIONS_REQUEST.ordinal()] = 1;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.RECEIVE_APIVERSIONS_RESPONSE.ordinal()] = 2;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.SEND_HANDSHAKE_REQUEST.ordinal()] = 3;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.RECEIVE_HANDSHAKE_RESPONSE.ordinal()] = 4;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.INITIAL.ordinal()] = 5;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.REAUTH_PROCESS_ORIG_APIVERSIONS_RESPONSE.ordinal()] = 6;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.REAUTH_SEND_HANDSHAKE_REQUEST.ordinal()] = 7;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.REAUTH_RECEIVE_HANDSHAKE_OR_OTHER_RESPONSE.ordinal()] = 8;
            } catch (NoSuchFieldError e11) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.REAUTH_INITIAL.ordinal()] = 9;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.INTERMEDIATE.ordinal()] = 10;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.CLIENT_COMPLETE.ordinal()] = 11;
            } catch (NoSuchFieldError e14) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.COMPLETE.ordinal()] = 12;
            } catch (NoSuchFieldError e15) {
            }
            try {
                $SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[SaslState.FAILED.ordinal()] = 13;
            } catch (NoSuchFieldError e16) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/kafka/common/security/authenticator/SaslClientAuthenticator$ReauthInfo.class */
    public class ReauthInfo {
        public ApiVersionsResponse apiVersionsResponseFromOriginalAuthentication;
        public long reauthenticationBeginNanos;
        public List<NetworkReceive> pendingAuthenticatedReceives;
        public ApiVersionsResponse apiVersionsResponseReceivedFromBroker;
        public Long positiveSessionLifetimeMs;
        public long authenticationEndNanos;
        public Long clientSessionReauthenticationTimeNanos;

        private ReauthInfo() {
            this.pendingAuthenticatedReceives = new ArrayList();
        }

        public void reauthenticating(ApiVersionsResponse apiVersionsResponse, long j) {
            this.apiVersionsResponseFromOriginalAuthentication = (ApiVersionsResponse) Objects.requireNonNull(apiVersionsResponse);
            this.reauthenticationBeginNanos = j;
        }

        public boolean reauthenticating() {
            return this.apiVersionsResponseFromOriginalAuthentication != null;
        }

        public ApiVersionsResponse apiVersionsResponse() {
            return reauthenticating() ? this.apiVersionsResponseFromOriginalAuthentication : this.apiVersionsResponseReceivedFromBroker;
        }

        public Optional<NetworkReceive> pollResponseReceivedDuringReauthentication() {
            return this.pendingAuthenticatedReceives.isEmpty() ? Optional.empty() : Optional.of(this.pendingAuthenticatedReceives.remove(0));
        }

        public void setAuthenticationEndAndSessionReauthenticationTimes(long j) {
            this.authenticationEndNanos = j;
            if (this.positiveSessionLifetimeMs == null) {
                SaslClientAuthenticator.this.log.debug("Finished {} with no session expiration and no session re-authentication", authenticationOrReauthenticationText());
                return;
            }
            long longValue = (long) (this.positiveSessionLifetimeMs.longValue() * (0.85d + (SaslClientAuthenticator.RNG.nextDouble() * 0.1d)));
            this.clientSessionReauthenticationTimeNanos = Long.valueOf(this.authenticationEndNanos + (1000000 * longValue));
            SaslClientAuthenticator.this.log.debug("Finished {} with session expiration in {} ms and session re-authentication on or after {} ms", new Object[]{authenticationOrReauthenticationText(), this.positiveSessionLifetimeMs, Long.valueOf(longValue)});
        }

        public Long reauthenticationLatencyMs() {
            if (reauthenticating()) {
                return Long.valueOf(Math.round(((this.authenticationEndNanos - this.reauthenticationBeginNanos) / 1000.0d) / 1000.0d));
            }
            return null;
        }

        private String authenticationOrReauthenticationText() {
            return reauthenticating() ? "re-authentication" : "authentication";
        }

        /* synthetic */ ReauthInfo(SaslClientAuthenticator saslClientAuthenticator, AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /* loaded from: input_file:org/apache/kafka/common/security/authenticator/SaslClientAuthenticator$SaslState.class */
    public enum SaslState {
        SEND_APIVERSIONS_REQUEST,
        RECEIVE_APIVERSIONS_RESPONSE,
        SEND_HANDSHAKE_REQUEST,
        RECEIVE_HANDSHAKE_RESPONSE,
        INITIAL,
        INTERMEDIATE,
        CLIENT_COMPLETE,
        COMPLETE,
        FAILED,
        REAUTH_PROCESS_ORIG_APIVERSIONS_RESPONSE,
        REAUTH_SEND_HANDSHAKE_REQUEST,
        REAUTH_RECEIVE_HANDSHAKE_OR_OTHER_RESPONSE,
        REAUTH_INITIAL
    }

    public SaslClientAuthenticator(Map<String, ?> map, AuthenticateCallbackHandler authenticateCallbackHandler, String str, Subject subject, String str2, String str3, String str4, boolean z, TransportLayer transportLayer, Time time, LogContext logContext) {
        this.node = str;
        this.subject = subject;
        this.callbackHandler = authenticateCallbackHandler;
        this.host = str3;
        this.servicePrincipal = str2;
        this.mechanism = str4;
        this.transportLayer = transportLayer;
        this.configs = map;
        this.time = time;
        this.log = logContext.logger(getClass());
        try {
            setSaslState(z ? SaslState.SEND_APIVERSIONS_REQUEST : SaslState.INITIAL);
            if (str4.equals("GSSAPI")) {
                this.clientPrincipalName = firstPrincipal(subject);
            } else {
                this.clientPrincipalName = null;
            }
            this.saslClient = createSaslClient();
        } catch (Exception e) {
            throw new SaslAuthenticationException("Failed to configure SaslClientAuthenticator", e);
        }
    }

    private SaslClient createSaslClient() {
        try {
            return (SaslClient) Subject.doAs(this.subject, () -> {
                String[] strArr = {this.mechanism};
                this.log.debug("Creating SaslClient: client={};service={};serviceHostname={};mechs={}", new Object[]{this.clientPrincipalName, this.servicePrincipal, this.host, Arrays.toString(strArr)});
                return Sasl.createSaslClient(strArr, this.clientPrincipalName, this.servicePrincipal, this.host, this.configs, this.callbackHandler);
            });
        } catch (PrivilegedActionException e) {
            throw new SaslAuthenticationException("Failed to create SaslClient with mechanism " + this.mechanism, e.getCause());
        }
    }

    /* JADX WARN: Failed to find 'out' block for switch in B:8:0x001a. Please report as an issue. */
    @Override // org.apache.kafka.common.network.Authenticator
    public void authenticate() throws IOException {
        if (this.netOutBuffer != null && !flushNetOutBufferAndUpdateInterestOps()) {
            return;
        }
        switch (AnonymousClass1.$SwitchMap$org$apache$kafka$common$security$authenticator$SaslClientAuthenticator$SaslState[this.saslState.ordinal()]) {
            case 1:
                ApiVersionsRequest build = new ApiVersionsRequest.Builder().build((short) 0);
                send(build.toSend(this.node, nextRequestHeader(ApiKeys.API_VERSIONS, build.version())));
                setSaslState(SaslState.RECEIVE_APIVERSIONS_RESPONSE);
                return;
            case 2:
                ApiVersionsResponse apiVersionsResponse = (ApiVersionsResponse) receiveKafkaResponse();
                if (apiVersionsResponse == null) {
                    return;
                }
                setSaslAuthenticateAndHandshakeVersions(apiVersionsResponse);
                this.reauthInfo.apiVersionsResponseReceivedFromBroker = apiVersionsResponse;
                setSaslState(SaslState.SEND_HANDSHAKE_REQUEST);
            case 3:
                sendHandshakeRequest(this.saslHandshakeVersion);
                setSaslState(SaslState.RECEIVE_HANDSHAKE_RESPONSE);
                return;
            case 4:
                SaslHandshakeResponse saslHandshakeResponse = (SaslHandshakeResponse) receiveKafkaResponse();
                if (saslHandshakeResponse == null) {
                    return;
                }
                handleSaslHandshakeResponse(saslHandshakeResponse);
                setSaslState(SaslState.INITIAL);
            case 5:
                sendInitialToken();
                setSaslState(SaslState.INTERMEDIATE);
                return;
            case 6:
                setSaslAuthenticateAndHandshakeVersions(this.reauthInfo.apiVersionsResponseFromOriginalAuthentication);
                setSaslState(SaslState.REAUTH_SEND_HANDSHAKE_REQUEST);
            case KafkaLZ4BlockOutputStream.BLOCKSIZE_4MB /* 7 */:
                sendHandshakeRequest(this.saslHandshakeVersion);
                setSaslState(SaslState.REAUTH_RECEIVE_HANDSHAKE_OR_OTHER_RESPONSE);
                return;
            case 8:
                SaslHandshakeResponse saslHandshakeResponse2 = (SaslHandshakeResponse) receiveKafkaResponse();
                if (saslHandshakeResponse2 == null) {
                    return;
                }
                handleSaslHandshakeResponse(saslHandshakeResponse2);
                setSaslState(SaslState.REAUTH_INITIAL);
            case 9:
                sendInitialToken();
                setSaslState(SaslState.INTERMEDIATE);
                return;
            case LegacyRecord.KEY_OFFSET_V0 /* 10 */:
                byte[] receiveToken = receiveToken();
                boolean z = (receiveToken == null || sendSaslClientToken(receiveToken, false)) ? false : true;
                if (this.saslClient.isComplete()) {
                    if (this.saslAuthenticateVersion == -1 || z) {
                        setSaslState(SaslState.COMPLETE);
                        return;
                    } else {
                        setSaslState(SaslState.CLIENT_COMPLETE);
                        return;
                    }
                }
                return;
            case 11:
                if (receiveToken() != null) {
                    setSaslState(SaslState.COMPLETE);
                    return;
                }
                return;
            case Records.LOG_OVERHEAD /* 12 */:
            default:
                return;
            case 13:
                throw new IllegalStateException("SASL handshake has already failed");
        }
    }

    private void sendHandshakeRequest(short s) throws IOException {
        SaslHandshakeRequest createSaslHandshakeRequest = createSaslHandshakeRequest(s);
        send(createSaslHandshakeRequest.toSend(this.node, nextRequestHeader(ApiKeys.SASL_HANDSHAKE, createSaslHandshakeRequest.version())));
    }

    private void sendInitialToken() throws IOException {
        sendSaslClientToken(new byte[0], true);
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public void reauthenticate(ReauthenticationContext reauthenticationContext) throws IOException {
        SaslClientAuthenticator saslClientAuthenticator = (SaslClientAuthenticator) ((ReauthenticationContext) Objects.requireNonNull(reauthenticationContext)).previousAuthenticator();
        ApiVersionsResponse apiVersionsResponse = saslClientAuthenticator.reauthInfo.apiVersionsResponse();
        saslClientAuthenticator.close();
        this.reauthInfo.reauthenticating(apiVersionsResponse, reauthenticationContext.reauthenticationBeginNanos());
        this.netInBuffer = reauthenticationContext.networkReceive();
        setSaslState(SaslState.REAUTH_PROCESS_ORIG_APIVERSIONS_RESPONSE);
        authenticate();
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public Optional<NetworkReceive> pollResponseReceivedDuringReauthentication() {
        return this.reauthInfo.pollResponseReceivedDuringReauthentication();
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public Long clientSessionReauthenticationTimeNanos() {
        return this.reauthInfo.clientSessionReauthenticationTimeNanos;
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public Long reauthenticationLatencyMs() {
        return this.reauthInfo.reauthenticationLatencyMs();
    }

    private RequestHeader nextRequestHeader(ApiKeys apiKeys, short s) {
        RequestHeaderData clientId = new RequestHeaderData().setRequestApiKey(apiKeys.id).setRequestApiVersion(s).setClientId((String) this.configs.get("client.id"));
        int i = this.correlationId;
        this.correlationId = i + 1;
        this.currentRequestHeader = new RequestHeader(clientId.setCorrelationId(i), apiKeys.requestHeaderVersion(s));
        return this.currentRequestHeader;
    }

    protected SaslHandshakeRequest createSaslHandshakeRequest(short s) {
        return new SaslHandshakeRequest.Builder(new SaslHandshakeRequestData().setMechanism(this.mechanism)).build(s);
    }

    protected void setSaslAuthenticateAndHandshakeVersions(ApiVersionsResponse apiVersionsResponse) {
        ApiVersionsResponseData.ApiVersionsResponseKey apiVersion = apiVersionsResponse.apiVersion(ApiKeys.SASL_AUTHENTICATE.id);
        if (apiVersion != null) {
            this.saslAuthenticateVersion = (short) Math.min((int) apiVersion.maxVersion(), (int) ApiKeys.SASL_AUTHENTICATE.latestVersion());
        }
        ApiVersionsResponseData.ApiVersionsResponseKey apiVersion2 = apiVersionsResponse.apiVersion(ApiKeys.SASL_HANDSHAKE.id);
        if (apiVersion2 != null) {
            this.saslHandshakeVersion = (short) Math.min((int) apiVersion2.maxVersion(), (int) ApiKeys.SASL_HANDSHAKE.latestVersion());
        }
    }

    private void setSaslState(SaslState saslState) {
        if (this.netOutBuffer != null && !this.netOutBuffer.completed()) {
            this.pendingSaslState = saslState;
            return;
        }
        this.pendingSaslState = null;
        this.saslState = saslState;
        this.log.debug("Set SASL client state to {}", saslState);
        if (saslState == SaslState.COMPLETE) {
            this.reauthInfo.setAuthenticationEndAndSessionReauthenticationTimes(this.time.nanoseconds());
            if (this.reauthInfo.reauthenticating()) {
                this.transportLayer.addInterestOps(4);
            } else {
                this.transportLayer.removeInterestOps(4);
            }
        }
    }

    private boolean sendSaslClientToken(byte[] bArr, boolean z) throws IOException {
        byte[] createSaslToken;
        if (this.saslClient.isComplete() || (createSaslToken = createSaslToken(bArr, z)) == null) {
            return false;
        }
        ByteBuffer wrap = ByteBuffer.wrap(createSaslToken);
        if (this.saslAuthenticateVersion != -1) {
            wrap = new SaslAuthenticateRequest.Builder(new SaslAuthenticateRequestData().setAuthBytes(wrap.array())).build(this.saslAuthenticateVersion).serialize(nextRequestHeader(ApiKeys.SASL_AUTHENTICATE, this.saslAuthenticateVersion));
        }
        send(new NetworkSend(this.node, wrap));
        return true;
    }

    private void send(Send send) throws IOException {
        try {
            this.netOutBuffer = send;
            flushNetOutBufferAndUpdateInterestOps();
        } catch (IOException e) {
            setSaslState(SaslState.FAILED);
            throw e;
        }
    }

    private boolean flushNetOutBufferAndUpdateInterestOps() throws IOException {
        boolean flushNetOutBuffer = flushNetOutBuffer();
        if (flushNetOutBuffer) {
            this.transportLayer.removeInterestOps(4);
            if (this.pendingSaslState != null) {
                setSaslState(this.pendingSaslState);
            }
        } else {
            this.transportLayer.addInterestOps(4);
        }
        return flushNetOutBuffer;
    }

    private byte[] receiveResponseOrToken() throws IOException {
        if (this.netInBuffer == null) {
            this.netInBuffer = new NetworkReceive(this.node);
        }
        this.netInBuffer.readFrom(this.transportLayer);
        byte[] bArr = null;
        if (this.netInBuffer.complete()) {
            this.netInBuffer.payload().rewind();
            bArr = new byte[this.netInBuffer.payload().remaining()];
            this.netInBuffer.payload().get(bArr, 0, bArr.length);
            this.netInBuffer = null;
        }
        return bArr;
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public KafkaPrincipal principal() {
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, this.clientPrincipalName);
    }

    @Override // org.apache.kafka.common.network.Authenticator
    public boolean complete() {
        return this.saslState == SaslState.COMPLETE;
    }

    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        if (this.saslClient != null) {
            this.saslClient.dispose();
        }
    }

    private byte[] receiveToken() throws IOException {
        if (this.saslAuthenticateVersion == -1) {
            return receiveResponseOrToken();
        }
        SaslAuthenticateResponse saslAuthenticateResponse = (SaslAuthenticateResponse) receiveKafkaResponse();
        if (saslAuthenticateResponse == null) {
            return null;
        }
        Errors error = saslAuthenticateResponse.error();
        if (error != Errors.NONE) {
            setSaslState(SaslState.FAILED);
            String errorMessage = saslAuthenticateResponse.errorMessage();
            if (errorMessage == null) {
                throw error.exception();
            }
            throw error.exception(errorMessage);
        }
        long sessionLifetimeMs = saslAuthenticateResponse.sessionLifetimeMs();
        if (sessionLifetimeMs > 0) {
            this.reauthInfo.positiveSessionLifetimeMs = Long.valueOf(sessionLifetimeMs);
        }
        return Utils.copyArray(saslAuthenticateResponse.saslAuthBytes());
    }

    private byte[] createSaslToken(byte[] bArr, boolean z) throws SaslException {
        if (bArr == null) {
            throw new IllegalSaslStateException("Error authenticating with the Kafka Broker: received a `null` saslToken.");
        }
        if (z) {
            try {
                if (!this.saslClient.hasInitialResponse()) {
                    return bArr;
                }
            } catch (PrivilegedActionException e) {
                String str = "An error: (" + e + ") occurred when evaluating SASL token received from the Kafka Broker.";
                KerberosError fromException = KerberosError.fromException(e);
                if (fromException == KerberosError.SERVER_NOT_FOUND) {
                    str = str + " This may be caused by Java's being unable to resolve the Kafka Broker's hostname correctly. You may want to try to adding '-Dsun.net.spi.nameservice.provider.1=dns,sun' to your client's JVMFLAGS environment. Users must configure FQDN of kafka brokers when authenticating using SASL and `socketChannel.socket().getInetAddress().getHostName()` must match the hostname in `principal/hostname@realm`";
                }
                String str2 = str + " Kafka Client will go to AUTHENTICATION_FAILED state.";
                Throwable cause = e.getCause();
                if (fromException == null || !fromException.retriable()) {
                    throw new SaslAuthenticationException(str2, cause);
                }
                throw new SaslException(str2, cause);
            }
        }
        return (byte[]) Subject.doAs(this.subject, () -> {
            return this.saslClient.evaluateChallenge(bArr);
        });
    }

    private boolean flushNetOutBuffer() throws IOException {
        if (!this.netOutBuffer.completed()) {
            this.netOutBuffer.writeTo(this.transportLayer);
        }
        return this.netOutBuffer.completed();
    }

    private AbstractResponse receiveKafkaResponse() throws IOException {
        if (this.netInBuffer == null) {
            this.netInBuffer = new NetworkReceive(this.node);
        }
        NetworkReceive networkReceive = this.netInBuffer;
        try {
            byte[] receiveResponseOrToken = receiveResponseOrToken();
            if (receiveResponseOrToken == null) {
                return null;
            }
            AbstractResponse parseResponse = NetworkClient.parseResponse(ByteBuffer.wrap(receiveResponseOrToken), this.currentRequestHeader);
            this.currentRequestHeader = null;
            return parseResponse;
        } catch (IllegalArgumentException | SchemaException e) {
            if (this.reauthInfo.reauthenticating()) {
                networkReceive.payload().rewind();
                this.reauthInfo.pendingAuthenticatedReceives.add(networkReceive);
                return null;
            }
            this.log.debug("Invalid SASL mechanism response, server may be expecting only GSSAPI tokens");
            setSaslState(SaslState.FAILED);
            throw new IllegalSaslStateException("Invalid SASL mechanism response, server may be expecting a different protocol", e);
        }
    }

    private void handleSaslHandshakeResponse(SaslHandshakeResponse saslHandshakeResponse) {
        Errors error = saslHandshakeResponse.error();
        if (error != Errors.NONE) {
            setSaslState(SaslState.FAILED);
        }
        switch (error) {
            case NONE:
                return;
            case UNSUPPORTED_SASL_MECHANISM:
                throw new UnsupportedSaslMechanismException(String.format("Client SASL mechanism '%s' not enabled in the server, enabled mechanisms are %s", this.mechanism, saslHandshakeResponse.enabledMechanisms()));
            case ILLEGAL_SASL_STATE:
                throw new IllegalSaslStateException(String.format("Unexpected handshake request with client mechanism %s, enabled mechanisms are %s", this.mechanism, saslHandshakeResponse.enabledMechanisms()));
            default:
                throw new IllegalSaslStateException(String.format("Unknown error code %s, client mechanism is %s, enabled mechanisms are %s", saslHandshakeResponse.error(), this.mechanism, saslHandshakeResponse.enabledMechanisms()));
        }
    }

    public static String firstPrincipal(Subject subject) {
        String name;
        Set<Principal> principals = subject.getPrincipals();
        synchronized (principals) {
            Iterator<Principal> it = principals.iterator();
            if (!it.hasNext()) {
                throw new KafkaException("Principal could not be determined from Subject, this may be a transient failure due to Kerberos re-login");
            }
            name = it.next().getName();
        }
        return name;
    }
}
