package org.apache.spark.network.crypto;

import java.io.IOException;
import java.security.GeneralSecurityException;
import org.apache.pinot.shaded.io.netty.buffer.ByteBuf;
import org.apache.pinot.shaded.io.netty.buffer.Unpooled;
import org.apache.pinot.shaded.io.netty.channel.Channel;
import org.apache.spark.network.client.TransportClient;
import org.apache.spark.network.client.TransportClientBootstrap;
import org.apache.spark.network.sasl.SaslClientBootstrap;
import org.apache.spark.network.sasl.SecretKeyHolder;
import org.apache.spark.network.util.TransportConf;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.spark_project.guava.base.Throwables;

/* loaded from: input_file:org/apache/spark/network/crypto/AuthClientBootstrap.class */
public class AuthClientBootstrap implements TransportClientBootstrap {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) AuthClientBootstrap.class);
    private final TransportConf conf;
    private final String appId;
    private final SecretKeyHolder secretKeyHolder;

    public AuthClientBootstrap(TransportConf transportConf, String str, SecretKeyHolder secretKeyHolder) {
        this.conf = transportConf;
        this.appId = str;
        this.secretKeyHolder = secretKeyHolder;
    }

    @Override // org.apache.spark.network.client.TransportClientBootstrap
    public void doBootstrap(TransportClient transportClient, Channel channel) {
        if (!this.conf.encryptionEnabled()) {
            LOG.debug("AES encryption disabled, using old auth protocol.");
            doSaslAuth(transportClient, channel);
            return;
        }
        try {
            doSparkAuth(transportClient, channel);
            transportClient.setClientId(this.appId);
        } catch (IOException | GeneralSecurityException e) {
            throw Throwables.propagate(e);
        } catch (RuntimeException e2) {
            if (!this.conf.saslFallback()) {
                throw e2;
            }
            LOG.warn("New auth protocol failed, trying SASL.", (Throwable) e2);
            doSaslAuth(transportClient, channel);
        }
    }

    private void doSparkAuth(TransportClient transportClient, Channel channel) throws GeneralSecurityException, IOException {
        AuthEngine authEngine = new AuthEngine(this.appId, this.secretKeyHolder.getSecretKey(this.appId), this.conf);
        Throwable th = null;
        try {
            try {
                ClientChallenge challenge = authEngine.challenge();
                ByteBuf buffer = Unpooled.buffer(challenge.encodedLength());
                challenge.encode(buffer);
                authEngine.validate(ServerResponse.decodeMessage(transportClient.sendRpcSync(buffer.nioBuffer(), this.conf.authRTTimeoutMs())));
                authEngine.sessionCipher().addToChannel(channel);
                if (authEngine != null) {
                    if (0 == 0) {
                        authEngine.close();
                        return;
                    }
                    try {
                        authEngine.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (authEngine != null) {
                if (th != null) {
                    try {
                        authEngine.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    authEngine.close();
                }
            }
            throw th4;
        }
    }

    private void doSaslAuth(TransportClient transportClient, Channel channel) {
        new SaslClientBootstrap(this.conf, this.appId, this.secretKeyHolder).doBootstrap(transportClient, channel);
    }
}
