package com.redhat.red.build.koji.kerberos;

import com.redhat.red.build.koji.KojiClientException;
import com.redhat.red.build.koji.config.KojiConfig;
import com.redhat.red.build.koji.model.xmlrpc.KojiKrbAddressInfo;
import com.redhat.red.build.koji.model.xmlrpc.KojiSessionInfo;
import com.redhat.red.build.koji.model.xmlrpc.messages.KrbLoginResponse;
import com.redhat.red.build.koji.model.xmlrpc.messages.KrbLoginResponseInfo;
import io.quarkus.deployment.pkg.steps.JarResultBuildStep;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.EnumSet;
import java.util.concurrent.TimeUnit;
import javax.faces.component.search.SearchExpressionHandler;
import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.ccache.Credential;
import org.apache.kerby.kerberos.kerb.ccache.KrbCredentialCache;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbConfig;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.request.ApRequest;
import org.apache.kerby.kerberos.kerb.type.EncKrbPrivPart;
import org.apache.kerby.kerberos.kerb.type.KrbPriv;
import org.apache.kerby.kerberos.kerb.type.ap.ApOption;
import org.apache.kerby.kerberos.kerb.type.ap.ApRep;
import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.ap.EncAPRepPart;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType;
import org.apache.kerby.kerberos.kerb.type.base.NameType;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.TgtTicket;
import org.apache.kerby.util.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/redhat/red/build/koji/kerberos/KrbAuthenticator.class */
public class KrbAuthenticator {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) KrbAuthenticator.class);
    private static final String KRB5_CONF = "krb5.conf";
    private final KojiConfig config;
    private ApReq apReq;
    private EncryptionKey key;
    private KrbClient krbClient;

    public KrbAuthenticator(KojiConfig kojiConfig) {
        this.config = kojiConfig;
    }

    public static String makeServerPrincipal(String str, String str2, String str3) throws UnknownHostException, MalformedURLException {
        return new PrincipalName(str + "/" + InetAddress.getByName(new URL(str2).getHost()).getCanonicalHostName() + SearchExpressionHandler.KEYWORD_PREFIX + str3, NameType.NT_PRINCIPAL).toString();
    }

    public static Path getKrb5ConfFilename() throws IOException {
        String property = System.getProperty("java.security.krb5.conf");
        Path path = null;
        if (property != null) {
            path = Paths.get(property, new String[0]);
        }
        if (path == null || !Files.exists(path, new LinkOption[0])) {
            path = Paths.get(System.getProperty("java.home"), JarResultBuildStep.LIB, "security", KRB5_CONF);
            if (!Files.exists(path, new LinkOption[0])) {
                String property2 = System.getProperty("os.name");
                if (property2.startsWith("Windows")) {
                    String str = System.getenv("SYSTEMROOT");
                    if (str != null) {
                        path = Paths.get(str, "krb5.ini");
                    }
                } else {
                    path = property2.startsWith("SunOS") ? Paths.get(File.separator, "etc", "krb5", KRB5_CONF) : Paths.get(File.separator, "etc", KRB5_CONF);
                }
            }
        }
        if (Files.exists(path, new LinkOption[0]) && Files.isReadable(path)) {
            return path;
        }
        throw new IOException("Must create or point to a krb5 configuration file before logging in");
    }

    public static KrbClient newClient(Path path) throws IOException, KrbException {
        KrbConfig krbConfig = new KrbConfig();
        if (path != null) {
            krbConfig.addKrb5Config(path.toFile());
        }
        KrbClient krbClient = new KrbClient(krbConfig);
        krbClient.init();
        return krbClient;
    }

    public static TgtTicket getTgt(KrbClient krbClient, String str, String str2, String str3, String str4) throws KrbException {
        TgtTicket tgtTicketFromCredential;
        if (str != null) {
            tgtTicketFromCredential = krbClient.requestTgt(str3, new File(str));
        } else if (str2 != null) {
            try {
                tgtTicketFromCredential = krbClient.getTgtTicketFromCredential(findMatchingCredential(str3, krbClient.resolveCredCache(new File(str2))));
            } catch (IOException e) {
                throw new KrbException(e.getMessage(), e);
            }
        } else {
            tgtTicketFromCredential = krbClient.requestTgt(str3, str4);
        }
        return tgtTicketFromCredential;
    }

    private static Credential findMatchingCredential(String str, KrbCredentialCache krbCredentialCache) throws IOException {
        for (Credential credential : krbCredentialCache.getCredentials()) {
            if (str.equals(credential.getClientName().getName())) {
                return credential;
            }
        }
        throw new IOException("Could not find credential with client name matching principal " + str + " in credential cache");
    }

    public static SgtTicket getSgt(KrbClient krbClient, String str, TgtTicket tgtTicket, String str2) throws KrbException {
        return str != null ? krbClient.requestSgt(new File(str), str2) : krbClient.requestSgt(tgtTicket, str2);
    }

    public static ApReq makeReq(SgtTicket sgtTicket) throws KrbException {
        return new ApRequest(sgtTicket.getClientPrincipal(), sgtTicket, EnumSet.of(ApOption.MUTUAL_REQUIRED)).getApReq();
    }

    public static ApRep readRep(byte[] bArr, EncryptionKey encryptionKey, long j, ApReq apReq, InetAddress inetAddress) throws KrbException {
        ApRep apRep = (ApRep) KrbCodec.decode(bArr, ApRep.class);
        if (apRep.getPvno() != 5) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
        }
        if (apRep.getMsgType() != KrbMessageType.AP_REP) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE);
        }
        try {
            ApRequest.validate(encryptionKey, apReq, inetAddress, TimeUnit.SECONDS.toMillis(j));
        } catch (KrbException e) {
            logger.debug("Ap Request validation error: code={}, message={}", e.getKrbErrorCode(), e.getMessage(), e);
        }
        apRep.setEncRepPart((EncAPRepPart) EncryptionUtil.unseal(apRep.getEncryptedEncPart(), encryptionKey, KeyUsage.AP_REP_ENCPART, EncAPRepPart.class));
        ApRequest.unsealAuthenticator(encryptionKey, apReq);
        EncAPRepPart encRepPart = apRep.getEncRepPart();
        Authenticator authenticator = apReq.getAuthenticator();
        if (encRepPart.getCtime().equals(authenticator.getCtime()) && encRepPart.getCusec() == authenticator.getCusec()) {
            return apRep;
        }
        throw new KrbException(KrbErrorCode.KRB_AP_ERR_MODIFIED);
    }

    public static KrbPriv readPriv(byte[] bArr, EncryptionKey encryptionKey, InetAddress inetAddress, InetAddress inetAddress2, long j, ApRep apRep) throws KrbException {
        KrbPriv krbPriv = (KrbPriv) KrbCodec.decode(bArr, KrbPriv.class);
        if (krbPriv.getPvno() != 5) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
        }
        if (krbPriv.getMsgType() != KrbMessageType.KRB_PRIV) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE);
        }
        krbPriv.setEncPart((EncKrbPrivPart) EncryptionUtil.unseal(krbPriv.getEncryptedEncPart(), encryptionKey, KeyUsage.KRB_PRIV_ENCPART, EncKrbPrivPart.class));
        if (krbPriv.getEncPart().getSAddress() == null || !krbPriv.getEncPart().getSAddress().equalsWith(inetAddress)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
        }
        if (krbPriv.getEncPart().getRAddress() != null && !krbPriv.getEncPart().getRAddress().equalsWith(inetAddress2)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
        }
        if (krbPriv.getEncPart().getTimeStamp() == null) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_MODIFIED);
        }
        if (!krbPriv.getEncPart().getTimeStamp().isInClockSkew(TimeUnit.SECONDS.toMillis(j))) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
        }
        if (krbPriv.getEncPart().getSeqNumber() != apRep.getEncRepPart().getSeqNumber()) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADORDER);
        }
        return krbPriv;
    }

    public String prepareRequest() throws KojiClientException {
        try {
            if (this.config.getKrbService() == null) {
                throw new KojiClientException("Must set krbService option before logging in", new Object[0]);
            }
            if (this.config.getKrbPrincipal() == null) {
                throw new KojiClientException("Must set krbPrincipal option before logging in", new Object[0]);
            }
            if (this.config.getKrbPassword() == null && this.config.getKrbKeytab() == null && this.config.getKrbCCache() == null) {
                throw new KojiClientException("Must set krbPassword, krbKeyTab, or krbCCache option before logging in", new Object[0]);
            }
            Path krb5ConfFilename = getKrb5ConfFilename();
            logger.debug("Logging into Kerberos service {} using krb5 configuration file {}", this.config.getKrbService(), krb5ConfFilename);
            this.krbClient = newClient(krb5ConfFilename);
            TgtTicket tgt = getTgt(this.krbClient, this.config.getKrbKeytab(), this.config.getKrbCCache(), this.config.getKrbPrincipal(), this.config.getKrbPassword());
            SgtTicket sgt = getSgt(this.krbClient, this.config.getKrbCCache(), tgt, makeServerPrincipal(this.config.getKrbService(), this.config.getKojiURL(), tgt.getRealm()));
            this.key = sgt.getSessionKey();
            this.apReq = makeReq(sgt);
            return new String(new Base64().encode(this.apReq.encode()), StandardCharsets.US_ASCII);
        } catch (IOException | KrbException e) {
            throw new KojiClientException("Failed to login: " + e.getMessage(), e, new Object[0]);
        }
    }

    public KojiSessionInfo handleResponse(KrbLoginResponse krbLoginResponse) throws KojiClientException {
        try {
            KrbLoginResponseInfo info = krbLoginResponse.getInfo();
            byte[] decode = new Base64().decode(info.getEncodedApResponse());
            KojiKrbAddressInfo addressInfo = info.getAddressInfo();
            byte[] userData = readPriv(new Base64().decode(info.getEncodedEncryptedSessionInfo()), this.key, addressInfo.getServerAddress(), addressInfo.getClientAddress(), this.krbClient.getKrbConfig().getAllowableClockSkew(), readRep(decode, this.key, this.krbClient.getKrbConfig().getAllowableClockSkew(), this.apReq, addressInfo.getClientAddress())).getEncPart().getUserData();
            if (userData == null) {
                throw new KojiClientException("Could not find session info in private message", new Object[0]);
            }
            String[] split = new String(userData, StandardCharsets.US_ASCII).split(" ");
            if (split.length != 2) {
                throw new KojiClientException("Failed to split session info string", new Object[0]);
            }
            return new KojiSessionInfo(Integer.parseInt(split[0]), split[1]);
        } catch (KrbException e) {
            throw new KojiClientException("Failed to login: " + e.getMessage(), e, new Object[0]);
        }
    }
}
