package net.shibboleth.idp.authn.impl;

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import net.shibboleth.idp.authn.AbstractUsernamePasswordCredentialValidator;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.CredentialValidator;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.shared.annotation.constraint.NonnullAfterInit;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.shared.component.ComponentInitializationException;
import net.shibboleth.shared.logic.Constraint;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.primitive.StringSupport;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;

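/**
 * A {@link CredentialValidator} that checks a username/password pair by driving a JAAS Kerberos
 * {@link LoginModule} (by default {@code com.sun.security.auth.module.Krb5LoginModule}) to acquire
 * a TGT for the user.
 *
 * <p>A successful AS exchange only proves that whatever answered it knew the key the user's password
 * maps to. When a service principal and keytab are configured, the validator additionally uses the
 * fresh TGT to obtain a service ticket for that principal and accepts it against the local keytab in
 * {@link #verifyKDC(Subject)}; a host impersonating the KDC cannot mint a ticket encrypted with the
 * real service key, so the exchange fails. Without a service principal no such verification is
 * performed and the deployment relies on the AS exchange alone.</p>
 *
 * <p>The option maps handed to the login modules are built once in {@link #doInitialize()} and are
 * immutable afterwards, so an initialized instance can be shared across threads.</p>
 */
@ThreadSafeAfterInit
public class KerberosCredentialValidator extends AbstractUsernamePasswordCredentialValidator {

    /** OID of the Kerberos V5 GSS-API mechanism. */
    @Nonnull @NotEmpty private static final String KRB5_MECHANISM_OID = "1.2.840.113554.1.2.2";

    /** Class logger. */
    @Nonnull private final Logger log = LoggerFactory.getLogger((Class<?>) KerberosCredentialValidator.class);

    /** Fully-qualified name of the JAAS login module to instantiate reflectively (deployer configuration). */
    @NotEmpty @NonnullAfterInit private String loginModuleClassName = "com.sun.security.auth.module.Krb5LoginModule";

    /** Whether both login modules are asked to re-read the Kerberos configuration before logging in. */
    private boolean refreshKrb5Config;

    /** Whether the TGT stays in the returned Subject's private credentials. */
    private boolean preserveTicket;

    /** Service principal used to verify the KDC, or null to skip verification. */
    @Nullable private String servicePrincipal;

    /** Path of the keytab holding the service principal's key; required when a service principal is set. */
    @Nullable private String keytabPath;

    /** Options for the user-side login module; populated by {@link #doInitialize()}. */
    @NonnullAfterInit private Map<String, String> clientOptions;

    /** Options for the service-side login module; stays null unless a service principal is configured. */
    @Nullable private Map<String, String> serverOptions;

    /**
     * Feeds the username and password from a {@link UsernamePasswordContext} to the login module.
     *
     * <p>Only {@link NameCallback} and {@link PasswordCallback} are answered; any other callback type
     * is left untouched rather than rejected.</p>
     */
    private static final class SimpleCallbackHandler implements CallbackHandler {

        /** Source of the credentials. */
        @Nonnull private final UsernamePasswordContext context;

        /**
         * Constructor.
         *
         * @param usernamePasswordContext context holding the transformed username and the password
         */
        public SimpleCallbackHandler(@Nonnull final UsernamePasswordContext usernamePasswordContext) {
            context = usernamePasswordContext;
        }

        /** {@inheritDoc} */
        @Override
        public void handle(@Nullable final Callback[] callbacks) throws UnsupportedCallbackException {
            if (callbacks == null) {
                return;
            }
            for (final Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(context.getTransformedUsername());
                } else if (callback instanceof PasswordCallback) {
                    final String password = context.getPassword();
                    // A context without a password is treated as a programming error here rather than
                    // as a failed login; the module owns the char[] copy from this point on.
                    assert password != null;
                    ((PasswordCallback) callback).setPassword(password.toCharArray());
                }
            }
        }
    }

    /**
     * Sets the JAAS login module class to use.
     *
     * <p>The class is loaded by name and created through its no-arg constructor, so this value must
     * come from deployer configuration only.</p>
     *
     * @param name fully-qualified class name; must not be null or empty
     */
    public void setLoginModuleClassName(@Nonnull @NotEmpty final String name) {
        checkSetterPreconditions();
        loginModuleClassName = Constraint.isNotNull(StringSupport.trimOrNull(name), "Class name cannot be null or empty");
    }

    /**
     * Sets whether the login modules are told to refresh the Kerberos configuration before each login.
     *
     * @param flag value of the {@code refreshKrb5Config} module option
     */
    public void setRefreshKrb5Config(final boolean flag) {
        checkSetterPreconditions();
        refreshKrb5Config = flag;
    }

    /**
     * Sets whether the TGT is kept in the Subject returned on success.
     *
     * <p>When enabled, the ticket and its session key remain in the Subject's private credentials,
     * so enable it only if a downstream consumer needs the ticket.</p>
     *
     * @param flag whether to preserve the ticket
     */
    public void setPreserveTicket(final boolean flag) {
        checkSetterPreconditions();
        preserveTicket = flag;
    }

    /**
     * Sets the service principal used to verify the KDC; setting it turns verification on and
     * requires a keytab path.
     *
     * @param principal service principal name, or null to disable KDC verification
     */
    public void setServicePrincipal(@Nullable final String principal) {
        checkSetterPreconditions();
        servicePrincipal = StringSupport.trimOrNull(principal);
    }

    /**
     * Sets the keytab holding the service principal's key.
     *
     * <p>The user's service ticket is decrypted with the key in this file, so the file is the trust
     * anchor of KDC verification.</p>
     *
     * @param path keytab path, or null
     */
    public void setKeytabPath(@Nullable final String path) {
        checkSetterPreconditions();
        keytabPath = StringSupport.trimOrNull(path);
    }

    /**
     * Builds the immutable option maps for the user-side and (if configured) service-side login modules.
     *
     * @throws ComponentInitializationException if a service principal is set without a keytab path
     */
    @Override
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();

        if (servicePrincipal != null && keytabPath == null) {
            throw new ComponentInitializationException("A keytab path is required if a service principal is set");
        }

        final Map<String, String> client = new HashMap<>();
        client.put("refreshKrb5Config", Boolean.toString(refreshKrb5Config));
        clientOptions = Collections.unmodifiableMap(client);

        if (servicePrincipal != null) {
            final Map<String, String> server = new HashMap<>();
            server.put("refreshKrb5Config", Boolean.toString(refreshKrb5Config));
            // The service side authenticates from the keytab only and must never prompt.
            server.put("useKeyTab", "true");
            server.put("keyTab", keytabPath);
            server.put("principal", servicePrincipal);
            server.put("doNotPrompt", "true");
            // Acceptor role: the service key is kept in the Subject so the GSS acceptor in
            // verifyKDC() can decrypt the user's service ticket.
            server.put("isInitiator", "false");
            server.put("storeKey", "true");
            serverOptions = Collections.unmodifiableMap(server);
        }
    }

    /**
     * Validates the credentials by acquiring a TGT for the user through the configured login module
     * and, when a service principal is configured, verifying the issuing KDC with {@link #verifyKDC(Subject)}.
     *
     * <p>Every failure is logged once at a level reflecting its kind (rejected credentials at INFO,
     * KDC verification at WARN, module instantiation at ERROR, anything else at WARN), reported to
     * {@code errorHandler} as {@link AuthnEventIds#AUTHN_EXCEPTION} when one is supplied, and then
     * rethrown. The user-side module is not logged out: its committed principals and credentials form
     * the returned Subject, which {@link #populateSubject(Subject, UsernamePasswordContext)} trims.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param usernamePasswordContext context holding the transformed username and the password
     * @param warningHandler not used by this validator
     * @param errorHandler optional handler notified of any failure before it is rethrown
     * @return the populated Subject on success
     * @throws Exception on any failure; a {@link LoginException} when the module rejects the credentials
     */
    @Override
    protected Subject doValidate(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext,
            @Nonnull final UsernamePasswordContext usernamePasswordContext,
            @Nullable final CredentialValidator.WarningHandler warningHandler,
            @Nullable final CredentialValidator.ErrorHandler errorHandler) throws Exception {
        try {
            final String username = usernamePasswordContext.getTransformedUsername();
            try {
                final Subject subject = new Subject();
                final LoginModule loginModule = newLoginModule();
                loginModule.initialize(subject, new SimpleCallbackHandler(usernamePasswordContext),
                        new HashMap<>(), clientOptions);

                if (!loginModule.login() || !loginModule.commit()) {
                    loginModule.abort();
                    throw new LoginException("Login module reported failure");
                }

                if (servicePrincipal != null) {
                    log.debug("{} TGT acquired for '{}', attempting to verify authenticity of TGT using service principal {}",
                            getLogPrefix(), username, servicePrincipal);
                    verifyKDC(subject);
                }

                log.info("{} Login by '{}' succeeded", getLogPrefix(), username);
                return populateSubject(subject, usernamePasswordContext);
            } catch (final LoginException e) {
                log.info("{} Login by '{}' failed", getLogPrefix(), username, e);
                throw e;
            } catch (final GSSException e) {
                log.warn("{} Login by '{}' failed during GSS context establishment to verify KDC",
                        getLogPrefix(), username, e);
                throw e;
            } catch (final ClassNotFoundException | IllegalAccessException | InstantiationException e) {
                log.error("{} Unable to instantiate JAAS module for Kerberos", getLogPrefix(), e);
                throw e;
            } catch (final Exception e) {
                log.warn("{} Login by '{}' produced unknown exception", getLogPrefix(), username, e);
                throw e;
            }
        } catch (final Exception e) {
            if (errorHandler != null) {
                errorHandler.handleError(profileRequestContext, authenticationContext, e, AuthnEventIds.AUTHN_EXCEPTION);
            }
            throw e;
        }
    }

    /**
     * Removes the TGT and any other private credentials from the Subject unless ticket preservation
     * is enabled, then delegates to the superclass.
     *
     * @param subject subject produced by the login module
     * @param usernamePasswordContext context the credentials came from
     * @return the Subject to return to the caller
     */
    @Override
    @Nonnull
    public Subject populateSubject(@Nonnull final Subject subject,
            @Nonnull final UsernamePasswordContext usernamePasswordContext) {
        if (!preserveTicket) {
            subject.getPrivateCredentials().clear();
        }
        return super.populateSubject(subject, usernamePasswordContext);
    }

    /**
     * Instantiates the configured login module through its no-arg constructor.
     *
     * @return a fresh, uninitialized module instance
     * @throws ReflectiveOperationException if the class cannot be loaded or constructed
     */
    @Nonnull private LoginModule newLoginModule() throws ReflectiveOperationException {
        return (LoginModule) Class.forName(loginModuleClassName).getDeclaredConstructor().newInstance();
    }

    /**
     * Verifies that the TGT held by {@code subject} was issued by a KDC that knows the service key.
     *
     * <p>The service principal is logged in from the keytab into a private Subject. Acting as the
     * user, a GSS initiator uses the TGT to get a service ticket and produce an AP-REQ token; acting
     * as the service, a GSS acceptor decrypts that token with the keytab key. A ticket minted by an
     * impostor KDC cannot be decrypted and the acceptor throws.</p>
     *
     * @param subject subject holding the user's freshly acquired TGT
     * @throws LoginException if the service credentials cannot be obtained from the keytab; the
     *         module's own exception is attached as the cause
     * @throws GSSException if the token exchange fails, including when the ticket was not encrypted
     *         with the service key
     * @throws Exception for any other failure
     */
    private void verifyKDC(@Nonnull final Subject subject) throws Exception {
        final Oid krb5Mechanism = new Oid(KRB5_MECHANISM_OID);
        final Subject serviceSubject = new Subject();
        LoginModule serviceModule = null;
        try {
            try {
                serviceModule = newLoginModule();
                // No callback handler: the options force keytab use and forbid prompting.
                serviceModule.initialize(serviceSubject, null, new HashMap<>(), serverOptions);
                if (!serviceModule.login() || !serviceModule.commit()) {
                    serviceModule.abort();
                    throw new LoginException("Login module reported failure");
                }
            } catch (final LoginException e) {
                // Keep the module's own message as the cause so a keytab/principal problem is
                // distinguishable from a bad user password in the "login failed" log line.
                final LoginException wrapped =
                        new LoginException("Unable to obtain service credentials for KDC verification");
                wrapped.initCause(e);
                throw wrapped;
            }

            final GSSManager manager = GSSManager.getInstance();
            final GSSContext initiator = manager.createContext(
                    manager.createName(servicePrincipal, GSSName.NT_USER_NAME), krb5Mechanism,
                    (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);
            final String initiatorName;
            try {
                // As the user: obtain the service ticket with the TGT and build the AP-REQ token.
                // Mutual authentication and delegation are off, so the exchange is a single token
                // and the TGT is never forwarded to the service side.
                final byte[] token = Subject.doAs(subject, new PrivilegedExceptionAction<byte[]>() {
                    @Override
                    public byte[] run() throws GSSException {
                        initiator.requestMutualAuth(false);
                        initiator.requestCredDeleg(false);
                        final byte[] empty = new byte[0];
                        return initiator.initSecContext(empty, 0, empty.length);
                    }
                });

                // As the service: accept the token using the keytab key held in serviceSubject.
                initiatorName = Subject.doAs(serviceSubject, new PrivilegedExceptionAction<String>() {
                    @Override
                    public String run() throws GSSException {
                        final GSSContext acceptor = manager.createContext((GSSCredential) null);
                        try {
                            acceptor.acceptSecContext(token, 0, token.length);
                            return acceptor.getSrcName().toString();
                        } finally {
                            acceptor.dispose();
                        }
                    }
                });
            } finally {
                initiator.dispose();
            }

            log.debug("{} GSS context established between {} and {}", getLogPrefix(), initiatorName, servicePrincipal);
        } catch (final PrivilegedActionException e) {
            // Surface the GSSException raised inside doAs(); a wrapper without a cause is rethrown as-is.
            final Exception cause = e.getException();
            throw cause != null ? cause : e;
        } finally {
            // Always release the service credentials, on failure paths too; the verification
            // result has been decided by now, so a logout problem is only worth a warning.
            if (serviceModule != null) {
                try {
                    serviceModule.logout();
                } catch (final LoginException e) {
                    log.warn("{} Unable to log out service login module after KDC verification", getLogPrefix(), e);
                }
            }
        }
    }
}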
