package org.keycloak.common.util;

import java.io.File;
import java.net.MalformedURLException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.keycloak.common.constants.KerberosConstants;
import org.keycloak.common.util.KerberosSerializationUtils;

/* loaded from: input_file:WEB-INF/lib/keycloak-common-12.0.1.jar:org/keycloak/common/util/KerberosJdkProvider.class */
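/**
 * Hides the differences between JDK vendors when wiring up Kerberos/SPNEGO: the JAAS
 * {@code Krb5LoginModule} class name and its option keys differ between IBM and Sun/Oracle/OpenJDK
 * runtimes, and so does the way a {@link KerberosTicket} is recovered from a {@link GSSCredential}.
 *
 * <p>Use {@link #getProvider()} to obtain the implementation matching the running JVM.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The keytab handed to {@link #createJaasConfigurationForServer} holds the service's long-term
 *       key. Anyone who can read that file can impersonate the service, so it should be readable
 *       only by the account the server runs as.</li>
 *   <li>The {@code debug} flag is passed straight to the login module. Its output is verbose and is
 *       best left off outside of troubleshooting.</li>
 *   <li>Tickets and credentials returned by the conversion methods are live secrets; do not log
 *       them or embed them in error messages.</li>
 * </ul>
 */
public abstract class KerberosJdkProvider {

    /** Provider for IBM JDKs, which ship {@code com.ibm.security.auth.module.Krb5LoginModule}. */
    private static class IBMJDKProvider extends KerberosJdkProvider {
        private static final String LOGIN_MODULE = "com.ibm.security.auth.module.Krb5LoginModule";

        private IBMJDKProvider() {
        }

        /**
         * Builds an acceptor-side JAAS configuration for the IBM login module.
         *
         * @param keytab filesystem location of the keytab; converted to a URL string because that
         *     is the form placed into the {@code useKeytab} option
         * @param serverPrincipal value for the {@code principal} option
         * @param debug value for the login module's debug option
         */
        @Override
        public Configuration createJaasConfigurationForServer(String keytab, final String serverPrincipal, final boolean debug) {
            // Resolved once, up front, so every lookup of the configuration sees the same value.
            final String keytabUrl = getKeytabURL(keytab);
            return new Configuration() {
                @Override
                public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    HashMap<String, String> options = new HashMap<>();
                    options.put("noAddress", "true");
                    options.put("credsType", "acceptor");
                    options.put("useKeytab", keytabUrl);
                    options.put("principal", serverPrincipal);
                    options.put(KerberosConstants.DEBUG, String.valueOf(debug));
                    return new AppConfigurationEntry[] {
                        new AppConfigurationEntry(LOGIN_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
                    };
                }
            };
        }

        /**
         * Converts a keytab file location into its {@code file:} URL string.
         *
         * <p>Best effort: if the conversion fails, the problem is reported on stderr and the
         * location is returned unchanged so the login module can produce its own error.
         */
        private String getKeytabURL(String keytab) {
            try {
                return new File(keytab).toURI().toURL().toString();
            } catch (MalformedURLException e) {
                System.err.println("Invalid keytab location specified in configuration: " + keytab);
                e.printStackTrace();
                return keytab;
            }
        }

        /**
         * Builds an initiator-side JAAS configuration used to validate a username and password
         * against the KDC.
         *
         * @param debug value for the login module's debug option
         */
        @Override
        public Configuration createJaasConfigurationForUsernamePasswordLogin(final boolean debug) {
            return new Configuration() {
                @Override
                public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    HashMap<String, String> options = new HashMap<>();
                    options.put("credsType", "initiator");
                    options.put("noAddress", "true");
                    options.put(KerberosConstants.DEBUG, String.valueOf(debug));
                    return new AppConfigurationEntry[] {
                        new AppConfigurationEntry(LOGIN_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
                    };
                }
            };
        }

        /**
         * Returns the ticket the caller already holds; {@code gssCredential} is not consulted on
         * this JDK.
         *
         * @throws KerberosSerializationUtils.KerberosSerializationException if {@code kerberosTicket}
         *     is {@code null}
         */
        @Override
        public KerberosTicket gssCredentialToKerberosTicket(KerberosTicket kerberosTicket, GSSCredential gssCredential) {
            if (kerberosTicket == null) {
                throw new KerberosSerializationUtils.KerberosSerializationException("Not available kerberosTicket in subject credentials in IBM JDK");
            }
            return kerberosTicket;
        }
    }

    /** Provider for JDKs that ship {@code com.sun.security.auth.module.Krb5LoginModule}. */
    private static class SunJDKProvider extends KerberosJdkProvider {
        private static final String LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

        private SunJDKProvider() {
        }

        /**
         * Builds an acceptor-side JAAS configuration for the Sun login module.
         *
         * @param keytab value for the {@link KerberosConstants#KEYTAB} option (the keytab location)
         * @param serverPrincipal value for the {@code principal} option
         * @param debug value for the login module's debug option
         */
        @Override
        public Configuration createJaasConfigurationForServer(final String keytab, final String serverPrincipal, final boolean debug) {
            return new Configuration() {
                @Override
                public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    HashMap<String, String> options = new HashMap<>();
                    // storeKey keeps the service key in the Subject's private credentials, which the
                    // acceptor needs in order to decrypt incoming service tickets.
                    options.put("storeKey", "true");
                    // Never fall back to interactive prompting; the key must come from the keytab.
                    options.put("doNotPrompt", "true");
                    // Acceptor only: the server does not obtain a TGT of its own.
                    options.put("isInitiator", "false");
                    options.put("useKeyTab", "true");
                    options.put(KerberosConstants.KEYTAB, keytab);
                    options.put("principal", serverPrincipal);
                    options.put(KerberosConstants.DEBUG, String.valueOf(debug));
                    return new AppConfigurationEntry[] {
                        new AppConfigurationEntry(LOGIN_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
                    };
                }
            };
        }

        /**
         * Builds the JAAS configuration used to validate a username and password against the KDC.
         *
         * <p>{@code storeKey=true} means the keys derived from the user's password are kept in the
         * resulting Subject's private credentials, so that Subject should be short-lived and must
         * not be logged.
         *
         * @param debug value for the login module's debug option
         */
        @Override
        public Configuration createJaasConfigurationForUsernamePasswordLogin(final boolean debug) {
            return new Configuration() {
                @Override
                public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    HashMap<String, String> options = new HashMap<>();
                    options.put("storeKey", "true");
                    options.put(KerberosConstants.DEBUG, String.valueOf(debug));
                    return new AppConfigurationEntry[] {
                        new AppConfigurationEntry(LOGIN_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
                    };
                }
            };
        }

        /**
         * Extracts the first {@link KerberosTicket} carried by {@code gssCredential}.
         *
         * <p>{@code com.sun.security.jgss.GSSUtil.createSubject} is looked up reflectively so this
         * class still loads on JDKs that lack it. The {@code kerberosTicket} argument is not used
         * on this JDK.
         *
         * @throws KerberosSerializationUtils.KerberosSerializationException if the credential holds
         *     no ticket, or if the reflective call fails for any reason
         */
        @Override
        public KerberosTicket gssCredentialToKerberosTicket(KerberosTicket kerberosTicket, GSSCredential gssCredential) {
            try {
                Subject subject = (Subject) Class.forName("com.sun.security.jgss.GSSUtil")
                        .getMethod("createSubject", GSSName.class, GSSCredential.class)
                        .invoke(null, null, gssCredential);
                Iterator<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class).iterator();
                if (tickets.hasNext()) {
                    return tickets.next();
                }
                // Subject.toString() also renders the private credential set. Report the principals
                // only, so that whatever secrets the Subject does hold cannot reach exception
                // messages or logs.
                throw new KerberosSerializationUtils.KerberosSerializationException(
                        "Not available kerberosTicket in subject credentials. Subject principals: " + subject.getPrincipals());
            } catch (KerberosSerializationUtils.KerberosSerializationException e) {
                throw e;
            } catch (Exception e) {
                throw new KerberosSerializationUtils.KerberosSerializationException("Unexpected error during convert GSSCredential to KerberosTicket", e);
            }
        }
    }

    /**
     * Creates the JAAS configuration a server uses to accept Kerberos (SPNEGO) authentication.
     *
     * @param keytab location of the keytab holding the server principal's key
     * @param serverPrincipal Kerberos principal the server authenticates as
     * @param debug whether to enable the login module's debug output
     */
    public abstract Configuration createJaasConfigurationForServer(String keytab, String serverPrincipal, boolean debug);

    /**
     * Creates the JAAS configuration used to verify a username and password against the KDC.
     *
     * @param debug whether to enable the login module's debug output
     */
    public abstract Configuration createJaasConfigurationForUsernamePasswordLogin(boolean debug);

    /**
     * Obtains a {@link KerberosTicket} for a delegated credential. Which of the two arguments is
     * actually used depends on the JDK vendor.
     *
     * @throws KerberosSerializationUtils.KerberosSerializationException if no ticket is available
     */
    public abstract KerberosTicket gssCredentialToKerberosTicket(KerberosTicket kerberosTicket, GSSCredential gssCredential);

    /**
     * Converts a ticket into an initiate-only {@link GSSCredential} with the default lifetime.
     *
     * @throws KerberosSerializationUtils.KerberosSerializationException if the conversion fails
     */
    public GSSCredential kerberosTicketToGSSCredential(KerberosTicket kerberosTicket) {
        return kerberosTicketToGSSCredential(kerberosTicket, GSSCredential.DEFAULT_LIFETIME, GSSCredential.INITIATE_ONLY);
    }

    /**
     * Converts a ticket into a {@link GSSCredential} by running the GSS-API credential lookup as a
     * temporary Subject that carries the ticket in its private credentials.
     *
     * @param kerberosTicket ticket to wrap; its client principal names the credential
     * @param lifetime requested credential lifetime in seconds, as accepted by
     *     {@link GSSManager#createCredential}
     * @param usage one of the {@link GSSCredential} usage constants
     * @throws KerberosSerializationUtils.KerberosSerializationException if anything fails,
     *     including a {@code null} ticket
     */
    public GSSCredential kerberosTicketToGSSCredential(KerberosTicket kerberosTicket, final int lifetime, final int usage) {
        try {
            final GSSManager gssManager = GSSManager.getInstance();
            KerberosPrincipal client = kerberosTicket.getClient();
            final GSSName clientName = gssManager.createName(client.getName(), KerberosConstants.KRB5_NAME_OID);
            Subject ticketHolder = new Subject(
                    false,
                    Collections.singleton(client),
                    Collections.singleton(clientName),
                    Collections.singleton(kerberosTicket));
            // An anonymous class rather than a lambda: Subject.doAs is overloaded for both
            // PrivilegedAction and PrivilegedExceptionAction, and a lambda would be ambiguous.
            return Subject.doAs(ticketHolder, new PrivilegedExceptionAction<GSSCredential>() {
                @Override
                public GSSCredential run() throws Exception {
                    return gssManager.createCredential(clientName, lifetime, KerberosConstants.KRB5_OID, usage);
                }
            });
        } catch (Exception e) {
            throw new KerberosSerializationUtils.KerberosSerializationException("Unexpected exception during convert KerberosTicket to GSSCredential", e);
        }
    }

    /** Returns the provider matching the running JVM, chosen by {@code Environment.IS_IBM_JAVA}. */
    public static KerberosJdkProvider getProvider() {
        return Environment.IS_IBM_JAVA ? new IBMJDKProvider() : new SunJDKProvider();
    }
}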
