package org.teiid.resource.adapter.ws;

import java.security.PrivilegedAction;
import java.util.Set;
import javax.crypto.SecretKey;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.cxf.Bus;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.ws.security.kerberos.KerberosClient;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.ws.security.WSSConfig;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.message.token.KerberosSecurity;
import org.apache.ws.security.util.Base64;
import org.apache.ws.security.util.WSSecurityUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.teiid.logging.LogManager;
import org.teiid.resource.spi.ConnectionContext;
import org.w3c.dom.Document;

/* loaded from: input_file:connector-ws-8.10.0.Beta2.jar:org/teiid/resource/adapter/ws/DelegateKerberosClient.class */
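/**
 * {@link KerberosClient} variant that obtains the Kerberos service ticket with a
 * caller-supplied (delegated) {@link GSSCredential} and wraps it in a WS-Security
 * binary security token.
 *
 * <p>The credential is either the one set through {@link #setGssCredential(GSSCredential)}
 * or, when none was set, the one looked up from the current {@link ConnectionContext} subject.
 *
 * <p>Security note: the {@link SecurityToken} returned by {@link #requestSecurityToken()}
 * carries the raw Kerberos session key when one could be located. Treat the token, and any
 * store it is placed in, as key material: do not log or serialize it.
 */
public class DelegateKerberosClient extends KerberosClient {
    /** Object identifier of the Kerberos V5 GSS-API mechanism. */
    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
    /** Log context used for all messages emitted by this class. */
    private static final String LOG_CONTEXT = "org.teiid.CONNECTOR.WS";
    /** Numeric log level checked before logging; presumably Teiid's DETAIL level (confirm). */
    private static final int LOG_LEVEL_DETAIL = 5;

    private GSSCredential credential;
    private final WSSConfig wssConfig;

    /**
     * Binary security token that performs its own JAAS login, requests the service ticket
     * with an optional delegated credential, and remembers the session key of the ticket
     * that appeared in the subject as a result.
     */
    static class DelegatedKerberosSecurity extends KerberosSecurity {
        // Session key of the newly obtained service ticket; stays null when no such
        // ticket could be found in the logged-in subject.
        private SecretKey secretKey;

        public DelegatedKerberosSecurity(Document document) {
            super(document);
        }

        /**
         * @return the session key captured by {@link #retrieveServiceTicket}, or
         *         {@code null} if none was found or the ticket was never retrieved
         */
        @Override
        public SecretKey getSecretKey() {
            return this.secretKey;
        }

        /**
         * Logs in through JAAS, obtains an AP-REQ token for the service and stores it in
         * this security element.
         *
         * @param jaasLoginContextName name of the JAAS login configuration entry to use
         * @param serviceName host-based service name the ticket is requested for
         * @param delegatedCredential credential handed to the GSS context; may be {@code null}
         * @throws WSSecurityException if the login fails, yields no principal, or no
         *         service token could be produced
         */
        public void retrieveServiceTicket(String jaasLoginContextName, String serviceName,
                GSSCredential delegatedCredential) throws WSSecurityException {
            try {
                // NOTE(review): the LoginContext is never logged out here, so the subject's
                // tickets live until garbage collection. Confirm whether an explicit
                // logout() after the session key is copied is safe for callers.
                LoginContext loginContext = new LoginContext(jaasLoginContextName);
                loginContext.login();
                Subject subject = loginContext.getSubject();
                if (subject.getPrincipals().isEmpty()) {
                    throw new WSSecurityException(0, "kerberosLoginError", new Object[]{"No Client principals found after login"});
                }

                // Remember the ticket present right after login so the ticket added by the
                // GSS exchange can be told apart from it below.
                KerberosTicket ticketBeforeExchange = getKerberosTicket(subject, null);

                byte[] serviceToken = Subject.doAs(subject, new KerberosClientAction(serviceName, delegatedCredential));
                if (serviceToken == null) {
                    throw new WSSecurityException(0, "kerberosServiceTicketError");
                }

                // The session key is only available if the service ticket ended up in the
                // subject's private credentials; otherwise secretKey is left unset.
                KerberosTicket serviceTicket = getKerberosTicket(subject, ticketBeforeExchange);
                if (serviceTicket != null) {
                    this.secretKey = serviceTicket.getSessionKey();
                }

                setToken(serviceToken);
                if ("".equals(getValueType())) {
                    setValueType("http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ");
                }
            } catch (LoginException e) {
                throw new WSSecurityException(0, "kerberosLoginError", new Object[]{e.getMessage()}, e);
            }
        }

        /**
         * Returns the first Kerberos ticket in the subject's private credentials that is
         * not equal to {@code previousTicket}.
         *
         * <p>NOTE(review): the credential set has no defined iteration order, so with more
         * than two tickets in the subject this may not be the ticket for the requested
         * service. Verify against the JAAS configurations actually in use.
         *
         * @param subject logged-in subject to inspect
         * @param previousTicket ticket to skip, or {@code null} to accept any ticket
         * @return a ticket other than {@code previousTicket}, or {@code null} if there is none
         */
        private KerberosTicket getKerberosTicket(Subject subject, KerberosTicket previousTicket) {
            Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
            if (tickets == null || tickets.isEmpty()) {
                return null;
            }
            for (KerberosTicket candidate : tickets) {
                if (!candidate.equals(previousTicket)) {
                    return candidate;
                }
            }
            return null;
        }
    }

    /**
     * Privileged action that runs the initiator side of a Kerberos GSS context for one
     * round and returns the resulting token bytes.
     *
     * <p>The decompiler widened this class from package-private to public; the wider
     * visibility is kept so existing references continue to compile.
     */
    public static class KerberosClientAction implements PrivilegedAction<byte[]> {
        private final String serviceName;
        private final GSSCredential delegatedCredential;

        /**
         * @param serviceName host-based service name to request a ticket for
         * @param delegatedCredential credential to initiate the context with; may be {@code null}
         */
        public KerberosClientAction(String serviceName, GSSCredential delegatedCredential) {
            this.serviceName = serviceName;
            this.delegatedCredential = delegatedCredential;
        }

        /**
         * Creates the GSS context and returns the first initiator token.
         *
         * <p>Mutual authentication is explicitly not requested, so this exchange does not by
         * itself prove the service's identity to the client.
         *
         * @return the token bytes, or {@code null} if the GSS-API reported an error
         */
        @Override
        public byte[] run() {
            GSSContext context = null;
            try {
                GSSManager manager = GSSManager.getInstance();
                GSSName target = manager.createName(this.serviceName, GSSName.NT_HOSTBASED_SERVICE);
                context = manager.createContext(target, new Oid(KERBEROS_OID), this.delegatedCredential,
                        GSSContext.DEFAULT_LIFETIME);
                context.requestMutualAuth(false);
                byte[] emptyInput = new byte[0];
                return context.initSecContext(emptyInput, 0, emptyInput.length);
            } catch (GSSException e) {
                // Callers only see null, so keep the cause in the log; without it a failed
                // ticket request cannot be diagnosed.
                if (LogManager.isMessageToBeRecorded(LOG_CONTEXT, LOG_LEVEL_DETAIL)) {
                    LogManager.logDetail(LOG_CONTEXT, e, "Error in obtaining a Kerberos token");
                }
                return null;
            } finally {
                // Release the context on every path; previously it was leaked whenever
                // initSecContext threw, and a dispose failure discarded a valid token.
                if (context != null) {
                    try {
                        context.dispose();
                    } catch (GSSException disposeFailure) {
                        if (LogManager.isMessageToBeRecorded(LOG_CONTEXT, LOG_LEVEL_DETAIL)) {
                            LogManager.logDetail(LOG_CONTEXT, disposeFailure, "Error in disposing the Kerberos GSS context");
                        }
                    }
                }
            }
        }
    }

    /**
     * @param bus CXF bus passed to the superclass
     * @deprecated marked deprecated in the original class; the no-argument constructor
     *             is the alternative visible in this file
     */
    @Deprecated
    public DelegateKerberosClient(Bus bus) {
        super(bus);
        this.wssConfig = WSSConfig.getNewInstance();
    }

    /** Creates a client that is not bound to a CXF bus. */
    public DelegateKerberosClient() {
        super(null);
        this.wssConfig = WSSConfig.getNewInstance();
    }

    /**
     * Requests a Kerberos service ticket and packages it as a {@link SecurityToken}.
     *
     * <p>When the ticket's session key could be located it is copied into the token as its
     * secret, so the returned object holds raw key material.
     *
     * @return the populated security token
     * @throws Exception if the ticket cannot be retrieved or the token cannot be built
     */
    @Override
    public SecurityToken requestSecurityToken() throws Exception {
        DelegatedKerberosSecurity binaryToken = new DelegatedKerberosSecurity(DOMUtils.createDocument());
        binaryToken.retrieveServiceTicket(getContextName(), getServiceName(), getGssCredential());
        binaryToken.addWSUNamespace();
        binaryToken.setID(this.wssConfig.getIdAllocator().createSecureId("BST-", binaryToken));

        String tokenId = binaryToken.getID();
        SecurityToken securityToken = new SecurityToken(tokenId);
        securityToken.setToken(binaryToken.getElement());
        securityToken.setWsuId(tokenId);

        SecretKey sessionKey = binaryToken.getSecretKey();
        if (sessionKey != null) {
            securityToken.setSecret(sessionKey.getEncoded());
        }

        // Digest of the token bytes, stored as an identifier for the token rather than as
        // an integrity protection of its own.
        securityToken.setSHA1(Base64.encode(WSSecurityUtil.generateDigest(binaryToken.getToken())));
        securityToken.setTokenType(binaryToken.getValueType());
        return securityToken;
    }

    /**
     * Returns the credential used to request the service ticket.
     *
     * @return the explicitly set credential if there is one; otherwise the
     *         {@link GSSCredential} of the current {@link ConnectionContext} subject, or
     *         {@code null} when there is no such subject
     */
    public GSSCredential getGssCredential() {
        if (this.credential != null) {
            return this.credential;
        }
        Subject subject = ConnectionContext.getSubject();
        if (subject == null) {
            return null;
        }
        return (GSSCredential) ConnectionContext.getSecurityCredential(subject, GSSCredential.class);
    }

    /**
     * Sets the credential to use instead of the one from the connection context.
     *
     * @param gSSCredential credential to use, or {@code null} to fall back to the context
     */
    public void setGssCredential(GSSCredential gSSCredential) {
        this.credential = gSSCredential;
    }
}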
