package org.jboss.security.negotiation.spnego;

import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SimpleGroup;
import org.jboss.security.negotiation.Constants;
import org.jboss.security.negotiation.NegotiationMessage;
import org.jboss.security.negotiation.common.CommonLoginModule;
import org.jboss.security.negotiation.common.NegotiationContext;
import org.jboss.security.negotiation.spnego.encoding.NegTokenInit;
import org.jboss.security.negotiation.spnego.encoding.NegTokenTarg;
import org.jboss.security.negotiation.spnego.encoding.SPNEGOMessage;

/* loaded from: input_file:jboss-as-7.1.1.Final/modules/org/jboss/security/negotiation/main/jboss-negotiation-spnego-2.2.0.SP1.jar:org/jboss/security/negotiation/spnego/SPNEGOLoginModule.class */
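/**
 * JAAS login module that authenticates a caller through a SPNEGO/Kerberos token exchange.
 *
 * <p>Two paths exist. When a {@link NegotiationContext} is bound to the current request, the
 * client's SPNEGO token is fed to a server-side {@link GSSContext} while running as the server's
 * own Subject (obtained by logging in to the {@code serverSecurityDomain}). When no negotiation is
 * in progress and {@code usernamePasswordDomain} is configured, the module delegates to that JAAS
 * domain instead.
 *
 * <p>Module options read in {@link #initialize}:
 * <ul>
 * <li>{@code serverSecurityDomain} - JAAS domain that provides the server's acceptor credential.</li>
 * <li>{@code usernamePasswordDomain} - optional fallback JAAS domain.</li>
 * <li>{@code removeRealmFromPrincipal} - strip everything from {@code '@'} onward in the
 *     authenticated name. Because the realm is discarded, identically named users from different
 *     realms collapse into one identity; only enable it when a single realm is trusted.</li>
 * </ul>
 *
 * <p>The module assigns no roles itself: {@link #getRoleSets()} returns an empty {@code Roles}
 * group, so role mapping presumably comes from a stacked login module.
 */
public class SPNEGOLoginModule extends CommonLoginModule {
    private static final String REMOVE_REALM_FROM_PRINCIPAL = "removeRealmFromPrincipal";
    private static final String SERVER_SECURITY_DOMAIN = "serverSecurityDomain";
    private static final String USERNAME_PASSWORD_DOMAIN = "usernamePasswordDomain";
    private static final String SPNEGO = "SPNEGO";
    private static final Oid kerberos = Constants.KERBEROS_V5;
    private boolean removeRealmFromPrincipal;
    private String serverSecurityDomain;
    private String usernamePasswordDomain;
    // LoginContext for the server's own Kerberos identity; created per login attempt in
    // getServerSubject() and logged out again in spnegoLogin().
    private LoginContext serverLoginContext = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:jboss-as-7.1.1.Final/modules/org/jboss/security/negotiation/main/jboss-negotiation-spnego-2.2.0.SP1.jar:org/jboss/security/negotiation/spnego/SPNEGOLoginModule$AcceptSecContext.class */
    /**
     * One step of the GSS-API accept loop, executed under the server Subject.
     *
     * <p>{@link #run()} never throws. It returns {@link Boolean#TRUE} once the GSS context is
     * established (identity set, negotiation context marked authenticated), {@link Boolean#FALSE}
     * when another round trip is required (a response token or a mechanism-negotiation reply has
     * been queued on the negotiation context), or the caught {@link Exception} on failure so that
     * {@link SPNEGOLoginModule#login()} can turn it into a {@link LoginException}.
     */
    public class AcceptSecContext implements PrivilegedAction<Object> {
        private final NegotiationContext negotiationContext;

        public AcceptSecContext(NegotiationContext negotiationContext) {
            this.negotiationContext = negotiationContext;
        }

        @Override // java.security.PrivilegedAction
        public Object run() {
            try {
                NegotiationMessage requestMessage = this.negotiationContext.getRequestMessage();
                byte[] gssToken;
                if (requestMessage instanceof NegTokenInit) {
                    NegTokenInit negTokenInit = (NegTokenInit) requestMessage;
                    List<Oid> mechTypes = negTokenInit.getMechTypes();
                    if (mechTypes == null || mechTypes.isEmpty()) {
                        // Previously surfaced as an IndexOutOfBounds/NullPointerException from get(0).
                        throw new IllegalStateException("NegTokenInit carries no mechTypes");
                    }
                    if (!SPNEGOLoginModule.kerberos.equals(mechTypes.get(0))) {
                        // The optimistic mechToken belongs to the client's first-listed mechanism,
                        // so it can only be consumed when that mechanism is Kerberos. Otherwise
                        // answer the mechanism negotiation and wait for the next round trip.
                        this.negotiationContext.setResponseMessage(mechanismReply(mechTypes));
                        return Boolean.FALSE;
                    }
                    gssToken = negTokenInit.getMechToken();
                } else if (requestMessage instanceof NegTokenTarg) {
                    gssToken = ((NegTokenTarg) requestMessage).getResponseToken();
                } else {
                    gssToken = null;
                }

                GSSContext gssContext = obtainGssContext();
                if (gssContext.isEstablished()) {
                    SPNEGOLoginModule.this.log.warn("Authentication was performed despite already being authenticated!");
                    // NOTE(review): this path bypasses createIdentity(), so removeRealmFromPrincipal
                    // and principalClassName are not applied here; behaviour kept as found.
                    SPNEGOLoginModule.this.setIdentity(new KerberosPrincipal(gssContext.getSrcName().toString()));
                    return completeAuthentication(gssContext);
                }

                if (gssToken == null) {
                    // Previously surfaced as a NullPointerException from gssToken.length.
                    throw new IllegalStateException("Negotiation message carries no GSS token");
                }
                byte[] responseToken = gssContext.acceptSecContext(gssToken, 0, gssToken.length);
                if (responseToken != null) {
                    NegTokenTarg reply = new NegTokenTarg();
                    reply.setResponseToken(responseToken);
                    this.negotiationContext.setResponseMessage(reply);
                }
                if (!gssContext.isEstablished()) {
                    // More legs needed; the response token (if any) is already queued.
                    return Boolean.FALSE;
                }
                SPNEGOLoginModule.this.setIdentity(SPNEGOLoginModule.this.createIdentity(gssContext.getSrcName().toString()));
                return completeAuthentication(gssContext);
            } catch (Exception e) {
                // Returned rather than thrown so the caller can wrap it in a LoginException.
                return e;
            }
        }

        /**
         * Builds the reply for a NegTokenInit whose preferred mechanism is not Kerberos.
         *
         * @param mechTypes the mechanisms offered by the client, in preference order
         * @return ACCEPT_INCOMPLETE naming Kerberos when the client offers it at all, REJECTED
         *     otherwise; either way the caller reports {@code Boolean.FALSE}
         */
        private NegTokenTarg mechanismReply(List<Oid> mechTypes) {
            NegTokenTarg reply = new NegTokenTarg();
            if (mechTypes.contains(SPNEGOLoginModule.kerberos)) {
                reply.setNegResult(NegTokenTarg.ACCEPT_INCOMPLETE);
                reply.setSupportedMech(SPNEGOLoginModule.kerberos);
            } else {
                reply.setNegResult(NegTokenTarg.REJECTED);
            }
            return reply;
        }

        /**
         * Returns the GSSContext stored on the negotiation context, creating and storing a new
         * acceptor context on first use.
         *
         * @throws IllegalStateException if the stored scheme context is not a GSSContext
         * @throws GSSException if the GSS provider cannot create a context
         */
        private GSSContext obtainGssContext() throws GSSException {
            Object schemeContext = this.negotiationContext.getSchemeContext();
            if (schemeContext != null && !(schemeContext instanceof GSSContext)) {
                throw new IllegalStateException("The schemeContext is not a GSSContext");
            }
            GSSContext gssContext = (GSSContext) schemeContext;
            if (gssContext == null) {
                SPNEGOLoginModule.this.log.debug("Creating new GSSContext.");
                // A null credential selects the default acceptor credential, which the JDK
                // resolves from the Subject this action runs under (see spnegoLogin).
                gssContext = GSSManager.getInstance().createContext((GSSCredential) null);
                this.negotiationContext.setSchemeContext(gssContext);
            }
            return gssContext;
        }

        /**
         * Logs the final context state and marks the negotiation as authenticated via SPNEGO.
         *
         * @return {@link Boolean#TRUE}
         * @throws GSSException if the context refuses to report its source name
         */
        private Boolean completeAuthentication(GSSContext gssContext) throws GSSException {
            if (SPNEGOLoginModule.this.log.isDebugEnabled()) {
                SPNEGOLoginModule.this.log.debug("context.getCredDelegState() = " + gssContext.getCredDelegState());
                SPNEGOLoginModule.this.log.debug("context.getMutualAuthState() = " + gssContext.getMutualAuthState());
                SPNEGOLoginModule.this.log.debug("context.getSrcName() = " + gssContext.getSrcName().toString());
            }
            this.negotiationContext.setAuthenticationMethod(SPNEGOLoginModule.SPNEGO);
            this.negotiationContext.setAuthenticated(true);
            return Boolean.TRUE;
        }
    }

    /**
     * Reads the module options described on the class.
     *
     * @param subject the Subject being authenticated
     * @param callbackHandler handler passed through to the fallback username/password domain
     * @param sharedState state shared with stacked modules
     * @param options this module's configuration options
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        this.serverSecurityDomain = (String) options.get(SERVER_SECURITY_DOMAIN);
        this.usernamePasswordDomain = (String) options.get(USERNAME_PASSWORD_DOMAIN);
        // Boolean.valueOf(null) is false, so an absent option keeps the realm in the name.
        this.removeRealmFromPrincipal = Boolean.valueOf((String) options.get(REMOVE_REALM_FROM_PRINCIPAL)).booleanValue();
        // With the realm kept, the name is a full Kerberos principal; default the principal
        // class to match unless the configuration chose one explicitly.
        if (!this.removeRealmFromPrincipal && this.principalClassName == null) {
            this.principalClassName = KerberosPrincipal.class.getName();
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("removeRealmFromPrincipal=" + this.removeRealmFromPrincipal);
            this.log.debug("serverSecurityDomain=" + this.serverSecurityDomain);
            this.log.debug("usernamePasswordDomain=" + this.usernamePasswordDomain);
        }
    }

    /**
     * Performs one authentication attempt.
     *
     * @return {@code true} when the caller is authenticated (either by the superclass or by
     *     {@link #innerLogin()} returning {@link Boolean#TRUE})
     * @throws LoginException with message "Continuation Required." when the SPNEGO exchange needs
     *     another round trip, or "Unable to authenticate - ..." (cause attached) when the exchange
     *     failed
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public boolean login() throws LoginException {
        boolean isTraceEnabled = this.log.isTraceEnabled();
        if (super.login()) {
            // Presumably a stacked module already authenticated via the shared state.
            this.log.debug("super.login()==true");
            return true;
        }
        this.loginOk = false;
        Object result = innerLogin();
        if (isTraceEnabled) {
            this.log.trace("Result - " + result);
        }
        if (result instanceof Exception) {
            Exception failure = (Exception) result;
            this.log.error("Unable to authenticate", failure);
            LoginException loginException = new LoginException("Unable to authenticate - " + failure.getMessage());
            // Keep the underlying failure on the exception chain instead of only its message.
            loginException.initCause(failure);
            throw loginException;
        }
        if (Boolean.TRUE.equals(result)) {
            this.loginOk = true;
            if (getUseFirstPass()) {
                shareIdentity();
            }
        }
        if (isTraceEnabled) {
            this.log.trace("super.loginOk " + this.loginOk);
        }
        if (this.loginOk) {
            return true;
        }
        // Boolean.FALSE (or anything else) means the client must send another token.
        throw new LoginException("Continuation Required.");
    }

    /**
     * Publishes the authenticated identity to the shared state for stacked modules (useFirstPass).
     * The Principal object itself, not its name string, is stored under the login.name key, and an
     * empty password is stored because no password exists in a Kerberos exchange.
     */
    private void shareIdentity() {
        Principal identity = getIdentity();
        if (this.log.isDebugEnabled()) {
            this.log.debug("Storing username '" + identity.getName() + "' and empty password");
        }
        this.sharedState.put("javax.security.auth.login.name", identity);
        this.sharedState.put("javax.security.auth.login.password", "");
    }

    /**
     * Chooses the authentication path: SPNEGO when a negotiation context is bound to the current
     * request, otherwise the username/password fallback domain.
     *
     * @return {@link Boolean#TRUE}, {@link Boolean#FALSE} (continuation required) or the
     *     {@link Exception} that ended the SPNEGO exchange
     * @throws LoginException if there is neither a negotiation context nor a fallback domain
     */
    protected Object innerLogin() throws LoginException {
        NegotiationContext currentNegotiationContext = NegotiationContext.getCurrentNegotiationContext();
        if (currentNegotiationContext != null) {
            return spnegoLogin(currentNegotiationContext);
        }
        if (this.usernamePasswordDomain == null) {
            throw new LoginException("No NegotiationContext and no usernamePasswordDomain defined.");
        }
        return usernamePasswordLogin();
    }

    /**
     * Authenticates through the configured {@code usernamePasswordDomain} using this module's
     * callback handler and adopts one principal of the resulting Subject as the identity.
     *
     * @return {@link Boolean#TRUE}
     * @throws LoginException if the delegate login fails or yields no principal
     */
    private Object usernamePasswordLogin() throws LoginException {
        this.log.debug("Falling back to username/password authentication");
        LoginContext loginContext = new LoginContext(this.usernamePasswordDomain, this.callbackHandler);
        loginContext.login();
        Set<Principal> principals = loginContext.getSubject().getPrincipals();
        if (principals.isEmpty()) {
            throw new LoginException("No principal returned after login.");
        }
        if (principals.size() > 1) {
            // getPrincipals() is a Set with no ordering guarantee, so which principal is
            // "first" is arbitrary when several are present.
            this.log.warn("Multiple principals returned, using first principal in set.");
        }
        setIdentity(principals.iterator().next());
        return Boolean.TRUE;
    }

    /**
     * Runs one SPNEGO accept step as the server Subject, logging the server context out again
     * afterwards whether or not the step succeeded.
     *
     * @param negotiationContext the negotiation bound to the current request
     * @return the result of {@link AcceptSecContext#run()}
     * @throws LoginException if the request is not a SPNEGO message or the server login fails
     */
    private Object spnegoLogin(NegotiationContext negotiationContext) throws LoginException {
        NegotiationMessage requestMessage = negotiationContext.getRequestMessage();
        if (!(requestMessage instanceof SPNEGOMessage)) {
            String message = "Unsupported negotiation mechanism '" + requestMessage.getMessageType() + "'.";
            this.log.warn(message);
            throw new LoginException(message);
        }
        try {
            Subject serverSubject = getServerSubject();
            return Subject.doAs(serverSubject, new AcceptSecContext(negotiationContext));
        } finally {
            if (this.serverLoginContext != null) {
                this.serverLoginContext.logout();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates the identity principal, optionally stripping the Kerberos realm.
     *
     * @param username the authenticated name, normally {@code user@REALM}
     * @return the principal built by the superclass from the (possibly realm-less) name
     * @throws IllegalArgumentException if {@code removeRealmFromPrincipal} is set but the name
     *     contains no {@code '@'} (previously a StringIndexOutOfBoundsException)
     * @throws Exception propagated from the superclass
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    public Principal createIdentity(String username) throws Exception {
        if (!this.removeRealmFromPrincipal) {
            return super.createIdentity(username);
        }
        int realmSeparator = username.indexOf("@");
        if (realmSeparator < 0) {
            // Fail closed with a clear message rather than accepting a realm-less name.
            throw new IllegalArgumentException("Principal name '" + username + "' has no realm to remove");
        }
        return super.createIdentity(username.substring(0, realmSeparator));
    }

    /**
     * Returns an empty {@code Roles} group plus the CallerPrincipal group holding the identity.
     * No roles are granted by this module; role mapping presumably comes from a stacked module.
     */
    @Override // org.jboss.security.auth.spi.AbstractServerLoginModule
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        SimpleGroup callerPrincipal = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
        callerPrincipal.addMember(getIdentity());
        return new Group[] {roles, callerPrincipal};
    }

    /**
     * Logs in to the {@code serverSecurityDomain} and returns the resulting Subject, which carries
     * the server's acceptor credential. The LoginContext is kept in {@link #serverLoginContext}
     * so that {@link #spnegoLogin} can log it out again.
     *
     * @throws LoginException if the server login fails
     */
    protected Subject getServerSubject() throws LoginException {
        LoginContext loginContext = new LoginContext(this.serverSecurityDomain);
        loginContext.login();
        this.serverLoginContext = loginContext;
        Subject subject = this.serverLoginContext.getSubject();
        if (this.log.isDebugEnabled()) {
            this.log.debug("Subject = " + subject);
            this.log.debug("Logged in '" + this.serverSecurityDomain + "' LoginContext");
        }
        return subject;
    }
}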
