package net.shibboleth.idp.authn.spnego.impl;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.3.3.jar:net/shibboleth/idp/authn/spnego/impl/GSSAcceptorLoginModule.class */
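/**
 * Wraps a JAAS {@link LoginModule} so the service (acceptor) side of a Kerberos/GSS exchange
 * can obtain its own credentials from a keytab or from a configured service password.
 *
 * <p>The module implementation is chosen by the caller through a class name. The option keys
 * set here ({@code useKeyTab}, {@code keyTab}, {@code principal}, {@code storeKey},
 * {@code isInitiator}, {@code refreshKrb5Config}) match those of the JDK's
 * {@code Krb5LoginModule}; whether another module honours them cannot be told from this class.</p>
 *
 * <p>Security notes: the service password, when configured, is held as an immutable
 * {@link String} and is never logged by this class. The login module class name should come
 * only from trusted configuration, because the named class is loaded and initialised.</p>
 */
public class GSSAcceptorLoginModule {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(GSSAcceptorLoginModule.class);

    /** The wrapped JAAS module, or {@code null} when it could not be instantiated. */
    @Nullable
    private final LoginModule krbModule;

    /** Realm settings supplying the keytab, service principal and optional password. */
    @Nonnull
    private final KerberosRealmSettings realm;

    /** Shared-state map handed to the JAAS module on initialization. */
    @Nonnull
    private final Map<String, String> state = new HashMap<>();

    /** Option map handed to the JAAS module on initialization. */
    @Nonnull
    private final Map<String, String> options = new HashMap<>();

    /**
     * Callback handler that answers name and password callbacks with fixed values.
     *
     * <p>Declared {@code static} because it reads nothing from the enclosing instance.</p>
     */
    private static final class UsernamePasswordCallbackHandler implements CallbackHandler {

        /** Name returned for a {@link NameCallback}. */
        @Nullable
        private final String name;

        /** Password returned for a {@link PasswordCallback}. */
        @Nullable
        private final String password;

        /**
         * Constructor.
         *
         * @param str name to supply
         * @param str2 password to supply
         */
        UsernamePasswordCallbackHandler(@Nullable String str, @Nullable String str2) {
            this.name = str;
            this.password = str2;
        }

        /**
         * Answers each callback with the stored name or password.
         *
         * @param callbackArr callbacks to populate; a {@code null} or empty array is a no-op
         * @throws IOException declared by the interface, not thrown here
         * @throws UnsupportedCallbackException if a callback is neither a name nor a password callback
         * @throws IllegalArgumentException if any callback is requested while the name or the
         *         password is missing or empty
         */
        @Override
        public void handle(@Nullable Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            if (callbackArr == null || callbackArr.length == 0) {
                return;
            }
            // Both values are required as soon as any callback is made, even a name-only one.
            if (name == null || name.isEmpty()) {
                throw new IllegalArgumentException("No username provided");
            }
            if (password == null || password.isEmpty()) {
                throw new IllegalArgumentException("No password provided");
            }
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(name);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(callback);
                }
            }
        }
    }

    /**
     * Constructor. Builds the module options from the realm settings and instantiates the
     * named JAAS module.
     *
     * <p>Instantiation failures are logged and leave the wrapper without a module, in which
     * case {@link #login()} throws. A class that is not a {@link LoginModule} is rejected
     * before its constructor is invoked and is handled the same way, rather than escaping
     * as an unchecked {@link ClassCastException}.</p>
     *
     * @param realmSettings realm settings, must not be null
     * @param refreshKrb5Config value for the {@code refreshKrb5Config} option
     * @param loginModuleClassName fully-qualified name of the JAAS module class to load
     */
    public GSSAcceptorLoginModule(@Nonnull KerberosRealmSettings realmSettings, boolean refreshKrb5Config,
            @NotEmpty @Nonnull String loginModuleClassName) {
        this.realm = (KerberosRealmSettings) Constraint.isNotNull(realmSettings, "KerberosRealmSettings cannot be null");

        options.put("refreshKrb5Config", Boolean.toString(refreshKrb5Config));
        options.put("useKeyTab", "true");
        options.put("keyTab", realmSettings.getKeytab());
        options.put("principal", realmSettings.getServicePrincipal());
        // Initiator mode is requested only when a service password is configured.
        options.put("isInitiator", realmSettings.getPassword() != null ? "true" : "false");
        options.put("storeKey", "true");

        LoginModule module = null;
        try {
            // asSubclass() checks the type before any constructor runs. Class.forName() still
            // loads and initialises the named class, so the name must be trusted configuration.
            module = Class.forName(loginModuleClassName)
                    .asSubclass(LoginModule.class)
                    .getDeclaredConstructor()
                    .newInstance();
        } catch (ReflectiveOperationException | IllegalArgumentException | SecurityException
                | ClassCastException e) {
            log.error("Unable to instantiate JAAS module for Kerberos", e);
        }
        this.krbModule = module;
    }

    /**
     * Runs the JAAS login and, when the module reports success, commits it.
     *
     * <p>NOTE(review): when the module's {@code login()} returns {@code false} the commit is
     * skipped and the fresh {@link Subject} is returned as created here; callers should confirm
     * that it carries the expected credentials before relying on it.</p>
     *
     * @return the subject passed to the module
     * @throws LoginException if no module is available or the module fails
     */
    public Subject login() throws LoginException {
        if (krbModule == null) {
            throw new LoginException("No JAAS module for Kerberos available");
        }
        final CallbackHandler handler =
                new UsernamePasswordCallbackHandler(realm.getServicePrincipal(), realm.getPassword());
        final Subject subject = new Subject();
        krbModule.initialize(subject, handler, state, options);
        if (krbModule.login()) {
            krbModule.commit();
        }
        return subject;
    }

    /**
     * Logs out of the wrapped module; does nothing when no module was instantiated.
     *
     * @throws LoginException if the module's logout fails
     */
    public void logout() throws LoginException {
        if (krbModule != null) {
            krbModule.logout();
        }
    }
}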
