package org.jboss.security.negotiation;

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.jboss.logging.Logger;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/layers/base/org/jboss/security/negotiation/main/jboss-negotiation-extras-3.0.2.Final.jar:org/jboss/security/negotiation/KerberosLoginModule.class */
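/**
 * JAAS {@link LoginModule} that wraps the vendor {@code Krb5LoginModule} (Sun or IBM, whichever
 * loads first) and optionally (a) short-circuits authentication with a GSS delegation credential
 * taken from {@code DelegationCredentialContext}, and (b) adds an initiator {@link GSSCredential}
 * to the authenticated {@link Subject} as a private credential.
 *
 * <p>Options recognised by this module (all others are passed through to the wrapped module):
 * <ul>
 *   <li>{@value #DELEGATION_CREDENTIAL} — {@code IGNORE} (default), {@code REQUIRE} or {@code USE}.</li>
 *   <li>{@value #ADD_GSS_CREDENTIAL} — {@code true} to add a GSSCredential to the Subject.</li>
 *   <li>{@value #WRAP_GSS_CREDENTIAL} — {@code true} to store a wrapper whose {@code dispose()} is a
 *       no-op, so consumers of the Subject cannot dispose the credential this module manages.</li>
 *   <li>{@value #CREDENTIAL_LIFETIME} — lifetime passed to {@code GSSManager.createCredential}
 *       (seconds per the JGSS API); negative means indefinite. Requires {@value #ADD_GSS_CREDENTIAL}.</li>
 * </ul>
 *
 * <p>Lifecycle note: {@link #abort()} undoes anything {@link #commit()} added to the Subject, since
 * JAAS may call abort after a successful commit when another module in the stack fails.
 */
public class KerberosLoginModule implements LoginModule {
    private static final Logger log = Logger.getLogger(KerberosLoginModule.class);

    /** Option key: how a caller-supplied delegation credential is used (IGNORE, REQUIRE, USE). */
    public static final String DELEGATION_CREDENTIAL = "delegationCredential";
    /** Option key: when "true", a GSSCredential is added to the Subject's private credentials. */
    public static final String ADD_GSS_CREDENTIAL = "addGSSCredential";
    /** Option key: when "true", the stored credential is wrapped so it cannot be disposed by consumers. */
    public static final String WRAP_GSS_CREDENTIAL = "wrapGSSCredential";
    /** Option key: requested credential lifetime; only valid together with {@link #ADD_GSS_CREDENTIAL}. */
    public static final String CREDENTIAL_LIFETIME = "credentialLifetime";

    private static final String SUN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String IBM_MODULE = "com.ibm.security.auth.module.Krb5LoginModule";

    /** The Krb5LoginModule implementation found at class-load time (see static initialiser). */
    private static Class<LoginModule> WRAPPED_CLASS;

    private boolean addGssCredential;
    private boolean wrapGssCredential;
    /** The vendor Krb5LoginModule instance; null when delegationCredential=REQUIRE. */
    private LoginModule wrapped;
    private Subject subject;
    /** The real credential: either the delegated one or the one created in commit(). */
    private GSSCredential rawCredential;
    /** What was actually stored in the Subject: rawCredential or its dispose-proof wrapper. */
    private GSSCredential storedCredential;
    /** True once login() has been routed to the wrapped module; drives abort()/logout()/cleanUp(). */
    private boolean usingWrappedLoginModule;
    /** Returned by GSSUtil.populateSubject in the delegation path; needed again to clear the Subject. */
    private Subject intermediateSubject;
    private DelegationCredential delegationCredential = DelegationCredential.IGNORE;
    private int credentialLifetime = GSSCredential.DEFAULT_LIFETIME;

    /**
     * How a delegation credential from {@code DelegationCredentialContext} participates in login.
     * IGNORE: never consulted. REQUIRE: must be present, the wrapped module is never used.
     * USE: used if present, otherwise fall back to the wrapped module.
     */
    private enum DelegationCredential {
        IGNORE,
        REQUIRE,
        USE
    }

    /**
     * Reads this module's options, then instantiates and initialises the wrapped Krb5LoginModule
     * (unless delegationCredential=REQUIRE, where it is never needed).
     *
     * @throws IllegalStateException if no Krb5LoginModule can be instantiated, or if
     *         credentialLifetime is given without addGSSCredential
     * @throws IllegalArgumentException (from {@code Enum.valueOf}) for an unknown delegationCredential value
     * @throws NumberFormatException for a non-integer credentialLifetime
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState,
            Map<String, ?> options) {
        if (options.containsKey(DELEGATION_CREDENTIAL)) {
            // Enum.valueOf rejects unknown values, so a misconfiguration fails at initialisation.
            this.delegationCredential = DelegationCredential.valueOf((String) options.get(DELEGATION_CREDENTIAL));
        }
        log.tracef("delegationCredential=%s", this.delegationCredential);

        if (this.delegationCredential != DelegationCredential.REQUIRE) {
            // IGNORE always and USE (as a fallback) authenticate through the vendor module.
            this.wrapped = SecurityActions.newInstance(WRAPPED_CLASS);
            if (this.wrapped == null) {
                throw new IllegalStateException("Unable to instantiate Krb5LoginModule to wrap!");
            }
            // Strip this module's own options so the wrapped module never sees keys it does not know.
            Map<String, Object> wrappedOptions = new HashMap<>(options);
            wrappedOptions.remove(ADD_GSS_CREDENTIAL);
            wrappedOptions.remove(WRAP_GSS_CREDENTIAL);
            wrappedOptions.remove(CREDENTIAL_LIFETIME);
            wrappedOptions.remove(DELEGATION_CREDENTIAL);
            this.wrapped.initialize(subject, callbackHandler, sharedState, wrappedOptions);
            log.trace("Initialised wrapped login module.");
        } else {
            log.trace("Skipping wrapped login module initialisation.");
        }
        this.subject = subject;

        // Boolean.parseBoolean treats a missing option (null) as false.
        this.addGssCredential = Boolean.parseBoolean((String) options.get(ADD_GSS_CREDENTIAL));
        log.tracef("addGssCredential=%b", Boolean.valueOf(this.addGssCredential));
        this.wrapGssCredential = Boolean.parseBoolean((String) options.get(WRAP_GSS_CREDENTIAL));
        log.tracef("wrapGssCredential=%b", Boolean.valueOf(this.wrapGssCredential));

        if (options.containsKey(CREDENTIAL_LIFETIME)) {
            if (!this.addGssCredential) {
                // Message corrected: the lifetime was specified WITHOUT the option that gives it meaning.
                throw new IllegalStateException(String.format("Option '%s' has been specified without enabling '%s'", CREDENTIAL_LIFETIME, ADD_GSS_CREDENTIAL));
            }
            this.credentialLifetime = Integer.parseInt((String) options.get(CREDENTIAL_LIFETIME));
            if (this.credentialLifetime < 0) {
                // Any negative value is the documented way to request an indefinite lifetime.
                this.credentialLifetime = GSSCredential.INDEFINITE_LIFETIME;
            }
            log.tracef("credentialLifetime=%d", this.credentialLifetime);
        }
    }

    /**
     * Phase one of JAAS login. With REQUIRE/USE, a delegation credential present in
     * {@code DelegationCredentialContext} makes login succeed immediately; otherwise (IGNORE, or USE
     * with no credential) authentication is delegated to the wrapped Krb5LoginModule.
     *
     * @throws LoginException if REQUIRE is configured and no delegation credential is available,
     *         or whatever the wrapped module throws
     */
    public boolean login() throws LoginException {
        if (this.delegationCredential != DelegationCredential.IGNORE) {
            this.rawCredential = DelegationCredentialContext.getDelegCredential();
            if (this.rawCredential != null) {
                log.trace("We have a delegation credential, login() is a success.");
                this.usingWrappedLoginModule = false;
                return true;
            }
            if (this.delegationCredential == DelegationCredential.REQUIRE) {
                throw new LoginException("Module configured to use delegated credential but no delegated credential available.");
            }
            log.trace("No delegation credential so falling through to use wrapped login module.");
        }
        // Set before delegating so that abort()/logout() still reach the wrapped module if login() throws.
        this.usingWrappedLoginModule = true;
        return this.wrapped.login();
    }

    /**
     * Phase two of JAAS login. In the delegation path the Subject is populated from the delegated
     * credential via {@code GSSUtil.populateSubject}. In the wrapped path, after the vendor module
     * commits, an initiator credential is created for the single KerberosPrincipal in the Subject
     * (when addGSSCredential is set) and stored as a private credential.
     *
     * @return the wrapped module's result, or {@code true} in the delegation path
     * @throws LoginException if the wrapped module fails, or the credential cannot be created
     */
    public boolean commit() throws LoginException {
        if (!this.usingWrappedLoginModule) {
            log.trace("Jumping straight to mapping of delegation credential.");
            if (this.addGssCredential) {
                this.storedCredential = this.wrapGssCredential ? wrapCredential(this.rawCredential) : this.rawCredential;
            }
            this.intermediateSubject = GSSUtil.populateSubject(this.subject, this.rawCredential, this.storedCredential);
            return true;
        }

        boolean committed = this.wrapped.commit();
        log.tracef("Called wrapped login module respone=%b", Boolean.valueOf(committed));
        if (committed && this.addGssCredential) {
            log.trace("Adding GSSCredential to populated Subject");
            GSSCredential credential = acquireInitiatorCredential();
            this.storedCredential = this.wrapGssCredential ? wrapCredential(credential) : credential;
            SecurityActions.addPrivateCredential(this.subject, this.storedCredential);
            log.trace("Added private credential.");
            // Recorded last so that cleanUp() only disposes a credential that was fully installed.
            this.rawCredential = credential;
        }
        return committed;
    }

    /**
     * Creates an INITIATE_ONLY Kerberos credential for the Subject populated by the wrapped module,
     * running as that Subject so the JGSS provider can see its Kerberos tickets/keys.
     *
     * @throws LoginException if the Subject holds zero or more than one KerberosPrincipal, or
     *         credential creation fails (original cause attached)
     */
    private GSSCredential acquireInitiatorCredential() throws LoginException {
        final GSSManager manager = GSSManager.getInstance();
        try {
            return Subject.doAs(this.subject, new PrivilegedExceptionAction<GSSCredential>() {
                @Override
                public GSSCredential run() throws Exception {
                    Set<KerberosPrincipal> principals = KerberosLoginModule.this.subject.getPrincipals(KerberosPrincipal.class);
                    if (principals.isEmpty()) {
                        throw new LoginException("No KerberosPrincipal Found");
                    }
                    if (principals.size() > 1) {
                        // Ambiguous identity: refuse rather than pick one arbitrarily.
                        throw new LoginException("Too Many KerberosPrincipals Found");
                    }
                    KerberosPrincipal principal = principals.iterator().next();
                    log.tracef("Creating GSSName for Principal '%s'", principal);
                    GSSName name = manager.createName(principal.getName(), GSSName.NT_USER_NAME, Constants.KERBEROS_V5);
                    return manager.createCredential(name, KerberosLoginModule.this.credentialLifetime,
                            Constants.KERBEROS_V5, GSSCredential.INITIATE_ONLY);
                }
            });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof LoginException) {
                throw (LoginException) cause;
            }
            log.debug(e);
            LoginException failure = new LoginException("Unable to create GSSCredential");
            failure.initCause(cause);
            throw failure;
        }
    }

    /**
     * Called by JAAS when the overall login fails — possibly after this module's {@link #commit()}
     * already succeeded. Anything commit() put into the Subject is removed here before the wrapped
     * module (if any) is told to abort; {@link #cleanUp()} always runs.
     */
    public boolean abort() throws LoginException {
        try {
            if (this.usingWrappedLoginModule) {
                if (this.storedCredential != null) {
                    // The wrapped module only knows its own state; the credential we added is ours to remove.
                    log.trace("Removing GSSCredential added to subject during authentication.");
                    SecurityActions.removePrivateCredential(this.subject, this.storedCredential);
                }
                log.trace("Calling wrapped login module to abort.");
                return this.wrapped.abort();
            }
            if (this.intermediateSubject != null) {
                // commit() ran in the delegation path: undo the population it performed.
                log.trace("Removing credentials from Subject poplulated from delegation credential.");
                GSSUtil.clearSubject(this.subject, this.intermediateSubject, this.storedCredential);
            } else {
                log.trace("No wrapped module call to abort.");
            }
            return true;
        } finally {
            cleanUp();
        }
    }

    /**
     * Removes what {@link #commit()} added to the Subject (delegation-path population, or the private
     * credential), then delegates to the wrapped module's logout when one was used. {@link #cleanUp()}
     * always runs.
     */
    public boolean logout() throws LoginException {
        try {
            if (!this.usingWrappedLoginModule) {
                log.trace("Removing credentials from Subject poplulated from delegation credential.");
                GSSUtil.clearSubject(this.subject, this.intermediateSubject, this.storedCredential);
                return true;
            }
            if (this.rawCredential != null) {
                log.trace("Removing GSSCredential added to subject during authentication.");
                SecurityActions.removePrivateCredential(this.subject, this.storedCredential);
            }
            log.trace("Passing to wrapped login module to logout.");
            return this.wrapped.logout();
        } finally {
            cleanUp();
        }
    }

    /**
     * Drops all per-login state. Only a credential this module created itself (wrapped path) is
     * disposed; a delegated credential came from {@code DelegationCredentialContext} and is not ours
     * to dispose. Dispose failures are logged at trace and otherwise ignored (best effort on teardown).
     */
    private void cleanUp() {
        this.wrapped = null;
        this.subject = null;
        if (this.rawCredential != null && this.usingWrappedLoginModule) {
            try {
                log.trace("Disposing of GSSCredential");
                this.rawCredential.dispose();
            } catch (GSSException ignored) {
                log.trace("Failed to dispose of GSSCredential", ignored);
            }
        }
        this.rawCredential = null;
        // Do not retain references to credentials or the intermediate Subject beyond the login.
        this.storedCredential = null;
        this.intermediateSubject = null;
    }

    /**
     * Wraps a credential so that {@code dispose()} is a no-op for anyone who obtains it from the
     * Subject; the real credential is disposed only by this module in {@link #cleanUp()}. Every
     * other operation, including {@code add()}, still acts on the underlying credential.
     */
    private static GSSCredential wrapCredential(final GSSCredential delegate) {
        return new GSSCredential() {
            @Override
            public int getUsage(Oid mech) throws GSSException {
                return delegate.getUsage(mech);
            }

            @Override
            public int getUsage() throws GSSException {
                return delegate.getUsage();
            }

            @Override
            public int getRemainingLifetime() throws GSSException {
                return delegate.getRemainingLifetime();
            }

            @Override
            public int getRemainingInitLifetime(Oid mech) throws GSSException {
                return delegate.getRemainingInitLifetime(mech);
            }

            @Override
            public int getRemainingAcceptLifetime(Oid mech) throws GSSException {
                return delegate.getRemainingAcceptLifetime(mech);
            }

            @Override
            public GSSName getName(Oid mech) throws GSSException {
                return delegate.getName(mech);
            }

            @Override
            public GSSName getName() throws GSSException {
                return delegate.getName();
            }

            @Override
            public Oid[] getMechs() throws GSSException {
                return delegate.getMechs();
            }

            /** Intentionally a no-op: the owning login module disposes the real credential. */
            @Override
            public void dispose() throws GSSException {
            }

            @Override
            public void add(GSSName name, int initLifetime, int acceptLifetime, Oid mech, int usage) throws GSSException {
                delegate.add(name, initLifetime, acceptLifetime, mech, usage);
            }
        };
    }

    static {
        // Prefer the Sun/OpenJDK module; fall back to IBM's on IBM JDKs. Neither present is fatal.
        Class<LoginModule> krb5Module = SecurityActions.loadLoginModuleClass(SUN_MODULE);
        if (krb5Module == null) {
            krb5Module = SecurityActions.loadLoginModuleClass(IBM_MODULE);
        }
        if (krb5Module == null) {
            throw new IllegalStateException("Unable to locate any Krb5LoginModule");
        }
        if (log.isTraceEnabled()) {
            log.tracef("Wrapped Krb5LoginModule is '%s'", krb5Module.getName());
        }
        WRAPPED_CLASS = krb5Module;
    }
}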
