package org.opends.server.extensions;

import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslServer;
import org.opends.server.api.ClientConnection;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.messages.ExtensionsMessages;
import org.opends.server.messages.MessageHandler;
import org.opends.server.protocols.asn1.ASN1OctetString;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.ResultCode;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/GSSAPIStateInfo.class */
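/**
 * Per-bind state for the SASL GSSAPI (Kerberos) mechanism.
 *
 * One instance drives a single client's GSSAPI bind: the constructor performs
 * the server's own JAAS login (obtaining the service credentials for the
 * principal {@code protocol/serverFQDN}), and each call to
 * {@link #processAuthenticationStage()} feeds one client token through the
 * JDK {@link SaslServer} under that logged-in {@link Subject}.
 *
 * Security properties visible in this class:
 * <ul>
 *   <li>QOP is fixed to {@code auth}: the mechanism authenticates the client
 *       but negotiates no integrity or confidentiality layer. A client that
 *       insists on {@code auth-int}/{@code auth-conf} is expected to fail the
 *       negotiation rather than be silently downgraded (JDK behaviour; confirm
 *       against the deployed runtime).</li>
 *   <li>Proxy authorization is refused: the SASL authorization ID must equal
 *       the authenticated Kerberos principal, otherwise the bind is rejected.</li>
 *   <li>Every terminal outcome (success, any failure, any unexpected
 *       exception) clears the connection's SASL state and disposes the
 *       {@link SaslServer}, so a failed or aborted round cannot be resumed.</li>
 * </ul>
 *
 * The class acts as its own {@link CallbackHandler}: {@link NameCallback}
 * during the JAAS login supplies the service principal name, and
 * {@link AuthorizeCallback} during the SASL exchange enforces the
 * authcid == authzid policy.
 */
public class GSSAPIStateInfo implements PrivilegedExceptionAction<Boolean>, CallbackHandler {
    private static final DebugTracer TRACER = DebugLogger.getTracer();

    /** SASL quality-of-protection requested from the JDK mechanism: authentication only. */
    private static final String QOP_AUTH_ONLY = "auth";

    /** Bind operation for the round currently being processed; replaced on each round via {@link #setBindOperation}. */
    private BindOperation bindOperation;

    private final ClientConnection clientConnection;
    private final GSSAPISASLMechanismHandler gssapiHandler;
    private final LoginContext loginContext;
    private final String protocol;
    private final String serverFQDN;

    /** Entry the authorization ID was mapped to; {@code null} until the bind succeeds. */
    private Entry userEntry = null;

    /** JDK GSSAPI server, created lazily inside {@code Subject.doAs} on the first round. */
    private SaslServer saslServer;

    /**
     * Creates the state object and performs the server's JAAS login.
     *
     * @param handler        the mechanism handler used to map an authorization ID to a user entry
     * @param bindOperation  the bind operation for the first round
     * @param serverFQDN     the fully-qualified host name used in the service principal
     *                       {@code protocol/serverFQDN}; it must match the key in the server's keytab
     * @throws InitializationException if the JAAS login context cannot be created
     *                                 ({@code MSGID_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT}) or the
     *                                 server's own login fails
     *                                 ({@code MSGID_SASLGSSAPI_CANNOT_AUTHENTICATE_SERVER})
     */
    public GSSAPIStateInfo(GSSAPISASLMechanismHandler handler, BindOperation bindOperation, String serverFQDN) throws InitializationException {
        this.gssapiHandler = handler;
        this.bindOperation = bindOperation;
        this.serverFQDN = serverFQDN;
        this.clientConnection = bindOperation.getClientConnection();
        // Lower-cased once here and reused for both the JAAS NameCallback and Sasl.createSaslServer,
        // so the principal name the server logs in as is the same one the SASL server is created for.
        this.protocol = StaticUtils.toLowerCase(this.clientConnection.getProtocol());

        // The JAAS configuration entry is keyed by the handler's class name; this object is the
        // callback handler, so NameCallback is answered from the fields initialised above.
        LoginContext context;
        try {
            context = new LoginContext(GSSAPISASLMechanismHandler.class.getName(), this);
        } catch (Exception e) {
            debugCaught(e);
            throw new InitializationException(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT, StaticUtils.getExceptionMessage(e)), e);
        }

        // Kept as a sibling try rather than nested inside the one above: with the nested form, if
        // InitializationException is itself an Exception subclass, a login failure would be caught
        // by the outer handler and re-reported as "cannot create login context", hiding the real cause.
        try {
            context.login();
        } catch (Exception e) {
            debugCaught(e);
            throw new InitializationException(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_AUTHENTICATE_SERVER, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_AUTHENTICATE_SERVER, StaticUtils.getExceptionMessage(e)), e);
        }

        this.loginContext = context;
        this.saslServer = null;
    }

    /**
     * Replaces the bind operation for the next round of a multi-stage bind.
     * Presumably called by the mechanism handler when it resumes an in-progress
     * GSSAPI bind on the same connection (the caller is not visible here).
     *
     * @param bindOperation the bind operation for the new round
     */
    public void setBindOperation(BindOperation bindOperation) {
        this.bindOperation = bindOperation;
    }

    /**
     * @return the entry the authorization ID was mapped to, or {@code null} if the
     *         bind has not (yet) succeeded
     */
    public Entry getUserEntry() {
        return this.userEntry;
    }

    /**
     * Releases the underlying {@link SaslServer}, if one was created. Safe to call
     * before the first round (when no server exists yet) and more than once.
     */
    public void dispose() {
        disposeSaslServer();
    }

    /**
     * Processes one round of the GSSAPI exchange for the current bind operation.
     *
     * The work runs in {@link #run()} under the server's logged-in {@link Subject}
     * so that the JDK mechanism can find the Kerberos service credentials. The
     * outcome is reported through the bind operation's result code; nothing is
     * returned.
     *
     * Fails closed: if {@link #run()} escapes with an exception (a
     * {@link RuntimeException}, since {@code run()} declares no checked ones) the
     * bind is marked {@code INVALID_CREDENTIALS} and the SASL state is cleared,
     * rather than leaving the bind operation with no result code at all.
     */
    public void processAuthenticationStage() {
        try {
            Subject.doAs(this.loginContext.getSubject(), this);
        } catch (Exception e) {
            debugCaught(e);
            failBind(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_EVALUATE_RESPONSE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_EVALUATE_RESPONSE, StaticUtils.getExceptionMessage(e)));
        }
    }

    /**
     * Privileged body of {@link #processAuthenticationStage()}; runs under the
     * server's JAAS {@link Subject}.
     *
     * Creates the {@link SaslServer} on the first call, evaluates the client's
     * credentials, and either continues the exchange
     * ({@code SASL_BIND_IN_PROGRESS} plus server credentials), completes it
     * ({@code SUCCESS} with {@link AuthenticationInfo} set), or fails it
     * ({@code INVALID_CREDENTIALS} with an auth failure reason).
     *
     * @return {@code true} if this round succeeded or the exchange is still in
     *         progress; {@code false} if the bind was rejected
     */
    @Override // java.security.PrivilegedExceptionAction
    public Boolean run() {
        if (this.saslServer == null && !createSaslServer()) {
            return Boolean.FALSE;
        }

        // A missing credentials element is treated as an empty token (the client's first GSSAPI
        // message may legitimately be empty).
        ASN1OctetString clientCreds = this.bindOperation.getSASLCredentials();
        byte[] clientToken = (clientCreds == null) ? new byte[0] : clientCreds.value();

        try {
            byte[] serverToken = this.saslServer.evaluateResponse(clientToken);
            ASN1OctetString serverCreds = (serverToken == null) ? null : new ASN1OctetString(serverToken);

            if (!this.saslServer.isComplete()) {
                // NOTE(review): the SaslServer itself is stored as the connection's SASL state; the
                // handler's lookup of that state is not visible here -- confirm it expects a SaslServer
                // rather than this GSSAPIStateInfo, otherwise multi-round binds cannot resume.
                this.clientConnection.setSASLAuthStateInfo(this.saslServer);
                this.bindOperation.setResultCode(ResultCode.SASL_BIND_IN_PROGRESS);
                this.bindOperation.setServerSASLCredentials(serverCreds);
                return Boolean.TRUE;
            }

            return completeBind();
        } catch (Exception e) {
            debugCaught(e);
            // NOTE(review): if the JDK mechanism reports an AuthorizeCallback rejection by throwing from
            // evaluateResponse, this generic reason overwrites the more specific one set in authorize().
            return failBind(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_EVALUATE_RESPONSE, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_EVALUATE_RESPONSE, StaticUtils.getExceptionMessage(e)));
        }
    }

    /**
     * Creates the JDK GSSAPI {@link SaslServer}. Must run under the logged-in
     * {@link Subject}, which is why it is invoked from {@link #run()} and not the
     * constructor.
     *
     * @return {@code true} on success; {@code false} if creation failed, in which
     *         case the bind has already been marked as failed
     */
    private boolean createSaslServer() {
        try {
            Map<String, String> props = new HashMap<String, String>();
            // Authentication only -- no SASL integrity/confidentiality layer is offered.
            props.put(Sasl.QOP, QOP_AUTH_ONLY);
            // One SaslServer per bind; never reuse a previous negotiation.
            props.put(Sasl.REUSE, ServerConstants.CONFIG_VALUE_FALSE);
            this.saslServer = Sasl.createSaslServer(ServerConstants.SASL_MECHANISM_GSSAPI, this.protocol, this.serverFQDN, props, this);
            return true;
        } catch (Exception e) {
            debugCaught(e);
            failBind(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_CREATE_SASL_SERVER, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_CREATE_SASL_SERVER, StaticUtils.getExceptionMessage(e)));
            return false;
        }
    }

    /**
     * Finishes a completed SASL exchange: maps the negotiated authorization ID to
     * a user entry and records the authentication on the bind operation.
     *
     * @return {@code true} on success, {@code false} if the bind was rejected
     */
    private Boolean completeBind() {
        String authzID = this.saslServer.getAuthorizationID();
        if (authzID == null || authzID.length() == 0) {
            return failBind(ExtensionsMessages.MSGID_SASLGSSAPI_NO_AUTHZ_ID, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_NO_AUTHZ_ID));
        }

        try {
            this.userEntry = this.gssapiHandler.getUserForAuthzID(this.bindOperation, authzID);
        } catch (DirectoryException de) {
            debugCaught(de);
            return failBind(de.getMessageID(), de.getErrorMessage());
        }

        if (this.userEntry == null) {
            return failBind(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_MAP_AUTHZID, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_MAP_AUTHZID, authzID));
        }

        boolean isRoot = DirectoryServer.isRootDN(this.userEntry.getDN());
        this.bindOperation.setSASLAuthUserEntry(this.userEntry);
        this.bindOperation.setAuthenticationInfo(new AuthenticationInfo(this.userEntry, ServerConstants.SASL_MECHANISM_GSSAPI, isRoot));
        this.bindOperation.setResultCode(ResultCode.SUCCESS);
        this.clientConnection.setSASLAuthStateInfo(null);
        disposeSaslServer();
        return Boolean.TRUE;
    }

    /**
     * Marks the current bind as failed and tears down all SASL state so the
     * exchange cannot be resumed.
     *
     * @param messageID the failure-reason message ID
     * @param message   the failure-reason text (may contain exception text; intended
     *                  for the server log, presumably not echoed to the client -- verify)
     * @return {@code Boolean.FALSE}, for convenient {@code return failBind(...)}
     */
    private Boolean failBind(int messageID, String message) {
        disposeSaslServer();
        this.clientConnection.setSASLAuthStateInfo(null);
        this.bindOperation.setAuthFailureReason(messageID, message);
        this.bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
        return Boolean.FALSE;
    }

    /** Disposes the {@link SaslServer} if one exists; dispose failures are only debug-logged. */
    private void disposeSaslServer() {
        if (this.saslServer == null) {
            return;
        }
        try {
            this.saslServer.dispose();
        } catch (Exception e) {
            debugCaught(e);
        }
    }

    /** Debug-logs a caught exception, matching the file's existing tracing convention. */
    private static void debugCaught(Exception e) {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugCaught(DebugLogLevel.ERROR, e);
        }
    }

    /**
     * JAAS / SASL callback handler.
     *
     * {@link NameCallback} (issued during the server's JAAS login) is answered
     * with the service principal {@code protocol/serverFQDN}.
     * {@link AuthorizeCallback} (issued by the SASL mechanism once the client is
     * authenticated) is answered by {@link #authorize(AuthorizeCallback)}.
     * Any other callback is rejected.
     *
     * @param callbacks the callbacks to answer
     * @throws UnsupportedCallbackException for any callback type other than the two above
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(this.protocol + "/" + this.serverFQDN);
            } else if (callback instanceof AuthorizeCallback) {
                authorize((AuthorizeCallback) callback);
            } else {
                throw new UnsupportedCallbackException(callback, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_UNEXPECTED_CALLBACK, String.valueOf(callback)));
            }
        }
    }

    /**
     * Authorization policy: the requested authorization ID is granted only when it
     * is exactly the authenticated Kerberos principal. Anything else -- including a
     * missing authentication ID -- is refused, so SASL proxy authorization is not
     * available through this mechanism.
     *
     * @param callback the callback carrying the authentication and authorization IDs
     */
    private void authorize(AuthorizeCallback callback) {
        String authcID = callback.getAuthenticationID();
        String authzID = callback.getAuthorizationID();
        // Null-safe: a null authentication ID is treated as a mismatch instead of an NPE.
        if (authcID != null && authcID.equals(authzID)) {
            callback.setAuthorizedID(authzID);
            callback.setAuthorized(true);
        } else {
            this.bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLGSSAPI_DIFFERENT_AUTHID_AND_AUTHZID, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_DIFFERENT_AUTHID_AND_AUTHZID, authcID, authzID));
            callback.setAuthorized(false);
        }
    }
}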
