package org.jboss.security.negotiation.net;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.Principal;
import javax.management.ObjectName;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.logging.Logger;
import org.jboss.mx.util.MBeanServerLocator;
import org.jboss.security.auth.callback.SecurityAssociationHandler;
import org.jboss.security.negotiation.MessageFactory;
import org.jboss.security.negotiation.common.MessageTrace;
import org.jboss.security.negotiation.common.NegotiationContext;
import org.jboss.security.negotiation.spnego.encoding.NegTokenInit;
import org.jboss.security.negotiation.spnego.encoding.NegTokenTarg;
import org.jboss.security.negotiation.spnego.encoding.TokenParser;
import org.jboss.security.plugins.JaasSecurityManager;

/* loaded from: input_file:org/jboss/security/negotiation/net/SPNEGOServerSocket.class */
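/**
 * {@link ServerSocket} that runs a SPNEGO negotiation on every connection before
 * {@link #accept()} hands it back to the caller.
 * <p>
 * Wire framing in both directions is a 4-byte big-endian length followed by the raw
 * token bytes. The inbound token is parsed as a {@link NegTokenInit}, its mech token is
 * decoded against the host {@link Subject} obtained from {@link #login()}, the resulting
 * client {@link Principal} is validated against {@code securityDomain}, and the
 * {@link NegTokenTarg} response token left in the {@link NegotiationContext} is written
 * back to the client.
 * <p>
 * Not thread-safe: the host {@link LoginContext}, the host {@link Subject} and the last
 * client {@link Principal} are kept in instance fields.
 */
public class SPNEGOServerSocket extends ServerSocket {
    private static final Logger log = Logger.getLogger(SPNEGOServerSocket.class);

    /**
     * Default ceiling for the token length announced by a client. The length prefix is
     * read from the network before anything is authenticated, so it must never drive an
     * unbounded allocation. This is a defensive bound, not a protocol limit.
     */
    protected static final int DEFAULT_MAX_TOKEN_LENGTH = 1024 * 1024;

    // Client principal established by the most recent negotiation.
    private Principal principal;
    // JAAS domain the client principal is validated against (java:/jaas/<domain>).
    private String securityDomain;
    // JAAS domain used for the host (server-side) login.
    private String hostSecurityDomain;
    // Host login context; created lazily on the first negotiation, logged out in close().
    private LoginContext lc;
    // Host subject from the login; null until the first negotiation completes the login.
    private Subject subject;
    // Largest inbound token this socket will read; see DEFAULT_MAX_TOKEN_LENGTH.
    private int maxTokenLength = DEFAULT_MAX_TOKEN_LENGTH;

    /** Creates an unbound server socket. */
    public SPNEGOServerSocket() throws IOException {
        if (log.isTraceEnabled()) {
            log.trace("Creating " + getClass().getName());
        }
    }

    /** @see ServerSocket#ServerSocket(int) */
    public SPNEGOServerSocket(int i) throws IOException {
        super(i);
    }

    /** @see ServerSocket#ServerSocket(int, int) */
    public SPNEGOServerSocket(int i, int i2) throws IOException {
        super(i, i2);
    }

    /** @see ServerSocket#ServerSocket(int, int, InetAddress) */
    public SPNEGOServerSocket(int i, int i2, InetAddress inetAddress) throws IOException {
        super(i, i2, inetAddress);
    }

    /**
     * Accepts a connection and runs the SPNEGO negotiation on it.
     *
     * @return the accepted socket, only after the negotiation completed successfully
     * @throws IOException if the accept itself fails or the negotiation fails for any
     *         reason; in the latter case the accepted socket is closed first so that an
     *         unauthenticated connection is never handed back
     */
    @Override
    public Socket accept() throws IOException {
        boolean trace = log.isTraceEnabled();
        if (trace) {
            log.trace(getClass().getName() + ".accept()");
        }
        Socket client = super.accept();
        if (trace) {
            log.trace("Creating new NegotiationContext");
        }
        NegotiationContext negotiationContext = new NegotiationContext();
        boolean negotiated = false;
        try {
            negotiationContext.associate();
            acceptSocket(client, negotiationContext);
            negotiated = true;
            return client;
        } catch (Exception e) {
            // Callers only see IOException; keep the original failure as the cause.
            IOException ioe = new IOException("SPNEGO negotiation failed");
            ioe.initCause(e);
            throw ioe;
        } finally {
            negotiationContext.clear();
            if (!negotiated) {
                closeQuietly(client);
            }
        }
    }

    /** Closes {@code socket}, logging rather than propagating any failure. */
    private static void closeQuietly(Socket socket) {
        try {
            socket.close();
        } catch (IOException e) {
            log.debug("Failed to close socket after failed negotiation: " + e.getMessage(), e);
        }
    }

    /**
     * Logs the host subject out and closes the server socket. A logout failure is
     * logged, never propagated, and the socket is closed regardless.
     */
    @Override
    public void close() throws IOException {
        try {
            logout();
        } catch (LoginException e) {
            log.error("Error during logout: " + e.getMessage(), e);
        } finally {
            super.close();
        }
    }

    /**
     * Runs one request/response SPNEGO exchange on an accepted socket.
     * <p>
     * Steps: read the length-prefixed request token; parse it with
     * {@link MessageFactory}; log the host in if not done yet; decode the mech token
     * into the client principal; flush that principal from the authentication cache and
     * validate it against {@code securityDomain}; write back the response token found in
     * the negotiation context.
     *
     * @param socket             accepted client connection
     * @param negotiationContext per-connection context; the request message is stored in
     *                           it and the response message is read from it
     * @throws IOException if the token is malformed or oversized, the mechanism is not
     *         supported, no client principal could be derived, no response was produced,
     *         or the client principal did not validate
     * @throws Exception  propagated from the host login, cache flush or validation
     */
    protected void acceptSocket(Socket socket, NegotiationContext negotiationContext) throws Exception {
        boolean trace = log.isTraceEnabled();
        byte[] request = readToken(socket);
        MessageTrace.logRequestHex(request);

        ByteArrayInputStream in = new ByteArrayInputStream(request);
        MessageFactory factory = MessageFactory.newInstance();
        if (!factory.accepts(in)) {
            throw new IOException("Unsupported negotiation mechanism.");
        }
        NegTokenInit requestMessage = factory.createMessage(in);
        in.close();

        // The embedded mech token is what gets decoded against the host credentials; the
        // message stored in the context carries the full raw request as its mech token
        // instead — presumably so the login modules see the whole SPNEGO token; verify.
        byte[] mechToken = requestMessage.getMechToken();
        requestMessage.setMechToken(request);
        negotiationContext.setRequestMessage(requestMessage);

        if (this.subject == null) {
            if (trace) {
                log.trace("Starting host login");
            }
            this.subject = login();
            if (trace) {
                log.trace("Host login successful");
            }
        }

        Principal client = getClientPrincipal(mechToken, this.subject);
        if (client == null) {
            // getClientPrincipal already logged the parse failure.
            throw new IOException("Unable to determine client principal from token.");
        }
        this.principal = client;

        if (trace) {
            log.trace("Flushing cache");
        }
        // Flush first so the validation below is not answered from a stale cache entry.
        flushPrincipalFromCache(client, this.securityDomain);
        // NOTE(review): the response message appears to be populated as a side effect of
        // this validation (it is read from the context right after) — confirm.
        boolean valid = isValid(client, null, this.securityDomain);

        NegTokenTarg responseMessage = negotiationContext.getResponseMessage();
        if (responseMessage == null) {
            throw new IOException("No negotiation response produced for " + client.getName());
        }
        byte[] responseToken = responseMessage.getResponseToken();
        if (responseToken == null) {
            throw new IOException("Negotiation response carries no token for " + client.getName());
        }
        // The response is sent even on failure so the client learns the outcome; the
        // connection is still refused to the caller by the exception below.
        writeToken(socket, responseToken);
        if (!valid) {
            throw new IOException("Authentication failed for " + client.getName());
        }
    }

    /**
     * Reads one length-prefixed token from the socket.
     *
     * @return the token bytes (possibly empty)
     * @throws IOException if the announced length is negative or exceeds
     *         {@link #getMaxTokenLength()}, or the stream ends early
     */
    private byte[] readToken(Socket socket) throws IOException {
        // Not closed: closing the stream would close the client socket.
        DataInputStream in = new DataInputStream(socket.getInputStream());
        int length = in.readInt();
        if (length < 0 || length > this.maxTokenLength) {
            throw new IOException("Invalid negotiation token length " + length
                    + " (limit " + this.maxTokenLength + ")");
        }
        if (log.isTraceEnabled()) {
            log.trace("Receiving token of length " + length);
        }
        byte[] token = new byte[length];
        in.readFully(token);
        return token;
    }

    /** Writes one length-prefixed token to the socket and flushes it. */
    private void writeToken(Socket socket, byte[] token) throws IOException {
        if (log.isTraceEnabled()) {
            log.trace("Sending token of length " + token.length);
        }
        MessageTrace.logResponseHex(token);
        // Not closed: closing the stream would close the client socket.
        DataOutputStream out = new DataOutputStream(socket.getOutputStream());
        out.writeInt(token.length);
        out.write(token);
        out.flush();
    }

    /**
     * Validates {@code principal} against the JAAS security manager bound at
     * {@code java:/jaas/<str>}.
     *
     * @param principal client principal to validate
     * @param obj       credential handed to the security manager (null from this class)
     * @param str       security domain name
     * @return whether the security manager reports the principal as valid
     * @throws Exception if the JNDI lookup fails
     */
    protected boolean isValid(Principal principal, Object obj, String str) throws Exception {
        JaasSecurityManager manager = (JaasSecurityManager) new InitialContext().lookup("java:/jaas/" + str);
        return manager.isValid(principal, obj);
    }

    /**
     * Invokes {@code flushAuthenticationCache(domain, principal)} on the
     * {@code jboss.security:service=JaasSecurityManager} MBean.
     *
     * @param principal principal whose cache entry is flushed
     * @param str       security domain name
     * @throws Exception if the MBean lookup or invocation fails
     */
    protected void flushPrincipalFromCache(Principal principal, String str) throws Exception {
        ObjectName service = new ObjectName("jboss.security:service=JaasSecurityManager");
        Object[] args = new Object[]{str, principal};
        String[] signature = new String[]{String.class.getName(), Principal.class.getName()};
        MBeanServerLocator.locateJBoss().invoke(service, "flushAuthenticationCache", args, signature);
    }

    /** @return the domain the client principal is validated against */
    public String getSecurityDomain() {
        return this.securityDomain;
    }

    /** @param str the domain the client principal is validated against */
    public void setSecurityDomain(String str) {
        this.securityDomain = str;
    }

    /** @return the domain used for the host login */
    public String getHostSecurityDomain() {
        return this.hostSecurityDomain;
    }

    /** @param str the domain used for the host login */
    public void setHostSecurityDomain(String str) {
        this.hostSecurityDomain = str;
    }

    /** @return the largest inbound token length this socket accepts */
    public int getMaxTokenLength() {
        return this.maxTokenLength;
    }

    /**
     * @param maxTokenLength the largest inbound token length to accept
     * @throws IllegalArgumentException if the value is negative
     */
    public void setMaxTokenLength(int maxTokenLength) {
        if (maxTokenLength < 0) {
            throw new IllegalArgumentException("maxTokenLength must not be negative: " + maxTokenLength);
        }
        this.maxTokenLength = maxTokenLength;
    }

    /**
     * Logs the host in using {@code hostSecurityDomain}, reusing the
     * {@link LoginContext} across calls.
     *
     * @return the host subject
     * @throws LoginException if no host domain is configured or the login fails
     */
    protected Subject login() throws LoginException {
        if (this.hostSecurityDomain == null) {
            throw new LoginException("No hostSecurityDomain configured for the host login.");
        }
        if (this.lc == null) {
            this.lc = new LoginContext(this.hostSecurityDomain, new SecurityAssociationHandler());
        }
        this.lc.login();
        return this.lc.getSubject();
    }

    /**
     * Logs the host out if a login context exists and drops the cached subject so the
     * next negotiation logs in again.
     *
     * @throws LoginException if the logout fails
     */
    protected void logout() throws LoginException {
        if (this.lc != null) {
            this.lc.logout();
        }
        this.subject = null;
    }

    /**
     * Decodes a mech token against the host subject and returns the client principal.
     *
     * @param bArr    mech token bytes
     * @param subject host subject used to decode the token
     * @return the Kerberos principal named in the token, or {@code null} if parsing or
     *         decoding failed (the failure is logged)
     */
    protected Principal getClientPrincipal(byte[] bArr, Subject subject) {
        TokenParser tokenParser = new TokenParser();
        try {
            tokenParser.parseToken(bArr, subject);
            return new KerberosPrincipal(tokenParser.getPrincipalName());
        } catch (Exception e) {
            log.error("Error parsing/decoding ticket: " + e.getMessage(), e);
            return null;
        }
    }
}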
