package org.jboss.security.negotiation.spnego;

import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
import org.jboss.security.negotiation.NegotiationMessage;
import org.jboss.security.negotiation.common.NegotiationContext;
import org.jboss.security.negotiation.spnego.encoding.NegTokenInit;
import org.jboss.security.negotiation.spnego.encoding.NegTokenTarg;
import org.jboss.security.negotiation.spnego.encoding.SPNEGOMessage;

/* loaded from: input_file:org/jboss/security/negotiation/spnego/SPNEGOLoginModule.class */
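/**
 * JAAS login module that authenticates a caller through the SPNEGO / Kerberos
 * GSS-API negotiation carried by the current {@link NegotiationContext}.
 *
 * <p>The module first logs in to a separate "server" security domain (module
 * option {@code serverSecurityDomain}) to obtain the service's own Kerberos
 * credentials, then runs {@link AcceptSecContext} as that server subject to
 * accept the client's token. When the GSS context becomes established,
 * {@link #identity} is set to the caller's Kerberos principal; when another
 * round trip is needed, {@link #login()} fails with a
 * {@code "Continuation Required."} {@link LoginException} so that the caller
 * can send the next token back to the client.
 *
 * <p>Not thread-safe: one instance per login attempt, as is usual for JAAS
 * login modules.
 */
public class SPNEGOLoginModule extends AbstractServerLoginModule {
    /** Authentication method name recorded on the negotiation context on success. */
    private static final String SPNEGO = "SPNEGO";
    /** Kerberos V5 GSS-API mechanism OID, 1.2.840.113554.1.2.2. */
    private static final Oid KERBEROS_OID;
    /** JAAS configuration entry that holds the service's Kerberos credentials. */
    private String serverSecurityDomain;
    /** Login context of the server domain; logged out again at the end of {@link #login()}. */
    private LoginContext serverLoginContext = null;
    /** Principal of the authenticated caller; {@code null} until the GSS context is established. */
    private Principal identity = null;

    /**
     * Accepts one leg of the SPNEGO exchange while running as the server subject.
     *
     * <p>{@link PrivilegedAction#run()} cannot throw checked exceptions, so the
     * outcome is encoded in the return value: {@link Boolean#TRUE} when the GSS
     * context is established, {@link Boolean#FALSE} when another round trip is
     * required (a response message has then been placed on the negotiation
     * context), and the {@link Exception} itself when the exchange failed.
     */
    private class AcceptSecContext implements PrivilegedAction<Object> {
        private final NegotiationContext negotiationContext;

        AcceptSecContext(NegotiationContext negotiationContext) {
            this.negotiationContext = negotiationContext;
        }

        @Override
        public Object run() {
            try {
                NegotiationMessage requestMessage = this.negotiationContext.getRequestMessage();
                byte[] token;
                if (requestMessage instanceof NegTokenInit) {
                    NegTokenInit init = (NegTokenInit) requestMessage;
                    if (!offersKerberosFirst(init)) {
                        // The client's preferred mechanism is not Kerberos: answer with
                        // what we support and let the client start again.
                        this.negotiationContext.setResponseMessage(mechanismReply(init));
                        return Boolean.FALSE;
                    }
                    token = init.getMechToken();
                } else if (requestMessage instanceof NegTokenTarg) {
                    token = ((NegTokenTarg) requestMessage).getResponseToken();
                } else {
                    throw new IllegalStateException("Request message is not a SPNEGO token");
                }
                if (token == null) {
                    // Fail explicitly rather than with a NullPointerException from
                    // acceptSecContext, so the resulting LoginException says why.
                    throw new IllegalStateException("SPNEGO message carries no mechanism token");
                }

                GSSContext gssContext = obtainGssContext();
                if (gssContext.isEstablished()) {
                    // NOTE(review): this re-asserts authentication from a context that
                    // was established by an earlier request without consuming the new
                    // token; original behaviour kept — confirm the scheme context can
                    // not be shared between different clients.
                    SPNEGOLoginModule.this.log.warn("Authentication was performed despite already being authenticated!");
                    recordEstablished(gssContext);
                    return Boolean.TRUE;
                }

                byte[] responseToken = gssContext.acceptSecContext(token, 0, token.length);
                if (responseToken != null) {
                    NegTokenTarg response = new NegTokenTarg();
                    response.setResponseToken(responseToken);
                    this.negotiationContext.setResponseMessage(response);
                }
                if (!gssContext.isEstablished()) {
                    return Boolean.FALSE;
                }
                recordEstablished(gssContext);
                return Boolean.TRUE;
            } catch (Exception e) {
                // PrivilegedAction cannot throw checked exceptions; login() turns
                // the returned exception into a LoginException.
                return e;
            }
        }

        /**
         * Whether the client lists Kerberos as its first (preferred) mechanism.
         *
         * @throws IllegalStateException if the NegTokenInit offers no mechanisms at all
         */
        private boolean offersKerberosFirst(NegTokenInit init) {
            List<Oid> mechTypes = init.getMechTypes();
            if (mechTypes == null || mechTypes.isEmpty()) {
                throw new IllegalStateException("NegTokenInit offers no mechanism types");
            }
            return KERBEROS_OID.equals(mechTypes.get(0));
        }

        /**
         * Builds the reply for a NegTokenInit whose preferred mechanism is not
         * Kerberos: ACCEPT_INCOMPLETE with Kerberos as the supported mechanism if
         * the client offered it anywhere in its list, otherwise REJECTED.
         */
        private NegTokenTarg mechanismReply(NegTokenInit init) {
            NegTokenTarg reply = new NegTokenTarg();
            if (init.getMechTypes().contains(KERBEROS_OID)) {
                reply.setNegResult(NegTokenTarg.ACCEPT_INCOMPLETE);
                reply.setSupportedMech(KERBEROS_OID);
            } else {
                reply.setNegResult(NegTokenTarg.REJECTED);
            }
            return reply;
        }

        /**
         * Returns the GSSContext stored on the negotiation context, creating and
         * storing a new acceptor context when none exists yet.
         *
         * @throws IllegalStateException if the stored scheme context is of another type
         * @throws GSSException if the GSS-API cannot create the context
         */
        private GSSContext obtainGssContext() throws GSSException {
            Object schemeContext = this.negotiationContext.getSchemeContext();
            if (schemeContext instanceof GSSContext) {
                return (GSSContext) schemeContext;
            }
            if (schemeContext != null) {
                throw new IllegalStateException("The schemeContext is not a GSSContext");
            }
            SPNEGOLoginModule.this.log.debug("Creating new GSSContext.");
            // A null credential makes the acceptor use the default credentials of
            // the subject this action runs under, i.e. the server subject.
            GSSContext created = GSSManager.getInstance().createContext((GSSCredential) null);
            this.negotiationContext.setSchemeContext(created);
            return created;
        }

        /**
         * Records an established context: sets the outer module's identity to the
         * peer's Kerberos principal and marks the negotiation as authenticated.
         *
         * @throws GSSException if the peer name cannot be read from the context
         */
        private void recordEstablished(GSSContext gssContext) throws GSSException {
            String srcName = gssContext.getSrcName().toString();
            SPNEGOLoginModule.this.identity = new KerberosPrincipal(srcName);
            SPNEGOLoginModule.this.log.debug("context.getCredDelegState() = " + gssContext.getCredDelegState());
            SPNEGOLoginModule.this.log.debug("context.getMutualAuthState() = " + gssContext.getMutualAuthState());
            SPNEGOLoginModule.this.log.debug("context.getSrcName() = " + srcName);
            this.negotiationContext.setAuthenticationMethod(SPNEGO);
            this.negotiationContext.setAuthenticated(true);
        }
    }

    /**
     * Initialises the module and reads the {@code serverSecurityDomain} option,
     * the JAAS configuration name used by {@link #getServerSubject()}.
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        super.initialize(subject, callbackHandler, map, map2);
        this.serverSecurityDomain = (String) map2.get("serverSecurityDomain");
        this.log.debug("serverSecurityDomain=" + this.serverSecurityDomain);
    }

    /**
     * Performs one leg of the SPNEGO negotiation for the current request.
     *
     * @return {@code true} when the caller is authenticated (either by the
     *         shared state via {@code super.login()} or by an established GSS context)
     * @throws LoginException if there is no negotiation context, the request is
     *         not a SPNEGO message, the exchange failed, or more round trips are
     *         needed ({@code "Continuation Required."})
     */
    public boolean login() throws LoginException {
        if (super.login()) {
            this.log.debug("super.login()==true");
            return true;
        }
        loginOk = false;
        NegotiationContext negotiationContext = NegotiationContext.getCurrentNegotiationContext();
        if (negotiationContext == null) {
            throw new LoginException("No negotiation context is associated with the current request.");
        }
        NegotiationMessage requestMessage = negotiationContext.getRequestMessage();
        if (!(requestMessage instanceof SPNEGOMessage)) {
            Object messageType = requestMessage == null ? null : requestMessage.getMessageType();
            String message = "Unsupported negotiation mechanism '" + messageType + "'.";
            this.log.warn(message);
            throw new LoginException(message);
        }
        try {
            // Run the acceptor as the server subject so the GSS-API picks up the
            // service's Kerberos credentials.
            Object result = Subject.doAs(getServerSubject(), new AcceptSecContext(negotiationContext));
            this.log.trace("Result - " + result);
            if (result instanceof Exception) {
                Exception failure = (Exception) result;
                this.log.error("Unable to authenticate", failure);
                throw new LoginException("Unable to authenticate - " + failure.getMessage());
            }
            if (Boolean.TRUE.equals(result)) {
                loginOk = true;
                if (getUseFirstPass()) {
                    // Hand the principal to later modules in the stack; SPNEGO has no password.
                    this.log.debug("Storing username '" + this.identity.getName() + "' and empty password");
                    this.sharedState.put("javax.security.auth.login.name", this.identity);
                    this.sharedState.put("javax.security.auth.login.password", "");
                }
            }
            this.log.trace("super.loginOk " + loginOk);
            if (loginOk) {
                return true;
            }
            throw new LoginException("Continuation Required.");
        } finally {
            // Release the server credentials again; a failure here propagates
            // and may replace an exception thrown above.
            if (this.serverLoginContext != null) {
                this.serverLoginContext.logout();
            }
        }
    }

    /** The caller's Kerberos principal, or {@code null} before the context is established. */
    protected Principal getIdentity() {
        return this.identity;
    }

    /**
     * Returns an empty {@code Roles} group and a {@code CallerPrincipal} group
     * holding the identity; roles are presumably assigned by another module in
     * the stack.
     */
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        Group callerPrincipal = new SimpleGroup("CallerPrincipal");
        callerPrincipal.addMember(getIdentity());
        return new Group[] {roles, callerPrincipal};
    }

    /**
     * Logs in to the server security domain and returns its subject. The login
     * context is kept in {@link #serverLoginContext} so {@link #login()} can log
     * it out again.
     *
     * @throws LoginException if the server domain login fails (including when
     *         {@code serverSecurityDomain} was not configured)
     */
    protected Subject getServerSubject() throws LoginException {
        LoginContext loginContext = new LoginContext(this.serverSecurityDomain);
        loginContext.login();
        this.serverLoginContext = loginContext;
        Subject subject = this.serverLoginContext.getSubject();
        this.log.debug("Subject = " + subject);
        this.log.debug("Logged in '" + this.serverSecurityDomain + "' LoginContext");
        return subject;
    }

    static {
        try {
            KERBEROS_OID = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            // The OID string is a constant; failing here means a broken GSS-API provider.
            throw new RuntimeException("Unable to initialise Oid", e);
        }
    }
}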
