package org.keycloak.util.ldap;

import java.io.IOException;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.apache.directory.server.kerberos.KerberosConfig;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.ldap.handlers.sasl.cramMD5.CramMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.ntlm.NtlmMechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.plain.PlainMechanismHandler;
import org.apache.directory.server.protocol.shared.transport.Transport;
import org.apache.directory.server.protocol.shared.transport.UdpTransport;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.KerberosUtils;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.jboss.logging.Logger;

/* loaded from: input_file:org/keycloak/util/ldap/KerberosEmbeddedServer.class */
public class KerberosEmbeddedServer extends LDAPEmbeddedServer {
    private static final Logger log = Logger.getLogger(KerberosEmbeddedServer.class);
    public static final String PROPERTY_KERBEROS_REALM = "kerberos.realm";
    public static final String PROPERTY_KDC_PORT = "kerberos.port";
    public static final String PROPERTY_KDC_ENCTYPES = "kerberos.encTypes";
    private static final String DEFAULT_KERBEROS_LDIF_FILE = "classpath:kerberos/default-users.ldif";
    private static final String DEFAULT_KERBEROS_REALM = "KEYCLOAK.ORG";
    private static final String DEFAULT_KDC_PORT = "6088";
    private static final String DEFAULT_KDC_ENCRYPTION_TYPES = "aes128-cts-hmac-sha1-96, des-cbc-md5, des3-cbc-sha1-kd";
    private final String kerberosRealm;
    private final int kdcPort;
    private final String kdcEncryptionTypes;
    private KdcServer kdcServer;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/keycloak/util/ldap/KerberosEmbeddedServer$NoReplayKdcServer.class */
    public class NoReplayKdcServer extends KdcServer {

        /* loaded from: input_file:org/keycloak/util/ldap/KerberosEmbeddedServer$NoReplayKdcServer$DummyReplayCache.class */
        private class DummyReplayCache implements ReplayCache {
            private DummyReplayCache() {
            }

            public boolean isReplay(KerberosPrincipal kerberosPrincipal, KerberosPrincipal kerberosPrincipal2, KerberosTime kerberosTime, int i) {
                return false;
            }

            public void save(KerberosPrincipal kerberosPrincipal, KerberosPrincipal kerberosPrincipal2, KerberosTime kerberosTime, int i) {
            }

            public void clear() {
            }
        }

        NoReplayKdcServer(KerberosConfig kerberosConfig) {
            super(kerberosConfig);
        }

        public void start() throws IOException, LdapInvalidDnException {
            super.start();
            try {
                Field declaredField = KdcServer.class.getDeclaredField("replayCache");
                declaredField.setAccessible(true);
                declaredField.set(this, new DummyReplayCache());
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
    }

    public static void main(String[] strArr) throws Exception {
        Properties properties = new Properties();
        properties.put(LDAPEmbeddedServer.PROPERTY_DSF, "file");
        execute(strArr, properties);
    }

    public static void execute(String[] strArr, Properties properties) throws Exception {
        KerberosEmbeddedServer kerberosEmbeddedServer = new KerberosEmbeddedServer(properties);
        kerberosEmbeddedServer.init();
        kerberosEmbeddedServer.start();
        Runtime.getRuntime().addShutdownHook(new Thread() { // from class: org.keycloak.util.ldap.KerberosEmbeddedServer.1
            @Override // java.lang.Thread, java.lang.Runnable
            public void run() {
                try {
                    KerberosEmbeddedServer.this.stop();
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
        });
    }

    public KerberosEmbeddedServer(Properties properties) {
        super(properties);
        this.ldifFile = readProperty(LDAPEmbeddedServer.PROPERTY_LDIF_FILE, DEFAULT_KERBEROS_LDIF_FILE);
        this.kerberosRealm = readProperty(PROPERTY_KERBEROS_REALM, DEFAULT_KERBEROS_REALM);
        this.kdcPort = Integer.parseInt(readProperty(PROPERTY_KDC_PORT, DEFAULT_KDC_PORT));
        this.kdcEncryptionTypes = readProperty(PROPERTY_KDC_ENCTYPES, DEFAULT_KDC_ENCRYPTION_TYPES);
        if (this.ldapSaslPrincipal == null || this.ldapSaslPrincipal.isEmpty()) {
            this.ldapSaslPrincipal = "ldap/" + getHostnameForSASLPrincipal(this.bindHost) + "@" + this.kerberosRealm;
        }
    }

    @Override // org.keycloak.util.ldap.LDAPEmbeddedServer
    public void init() throws Exception {
        super.init();
        log.info("Creating KDC server. kerberosRealm: " + this.kerberosRealm + ", kdcPort: " + this.kdcPort + ", kdcEncryptionTypes: " + this.kdcEncryptionTypes);
        createAndStartKdcServer();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.keycloak.util.ldap.LDAPEmbeddedServer
    public DirectoryService createDirectoryService() throws Exception {
        DirectoryService createDirectoryService = super.createDirectoryService();
        createDirectoryService.addLast(new KeyDerivationInterceptor());
        return createDirectoryService;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.keycloak.util.ldap.LDAPEmbeddedServer
    public LdapServer createLdapServer() {
        LdapServer createLdapServer = super.createLdapServer();
        createLdapServer.setSaslHost(this.bindHost);
        createLdapServer.setSaslPrincipal(this.ldapSaslPrincipal);
        createLdapServer.setSaslRealms(new ArrayList());
        createLdapServer.addSaslMechanismHandler("PLAIN", new PlainMechanismHandler());
        createLdapServer.addSaslMechanismHandler("CRAM-MD5", new CramMd5MechanismHandler());
        createLdapServer.addSaslMechanismHandler("DIGEST-MD5", new DigestMd5MechanismHandler());
        createLdapServer.addSaslMechanismHandler("GSSAPI", new GssapiMechanismHandler());
        createLdapServer.addSaslMechanismHandler("NTLM", new NtlmMechanismHandler());
        createLdapServer.addSaslMechanismHandler("GSS-SPNEGO", new NtlmMechanismHandler());
        return createLdapServer;
    }

    protected KdcServer createAndStartKdcServer() throws Exception {
        KerberosConfig kerberosConfig = new KerberosConfig();
        kerberosConfig.setServicePrincipal("krbtgt/" + this.kerberosRealm + "@" + this.kerberosRealm);
        kerberosConfig.setPrimaryRealm(this.kerberosRealm);
        kerberosConfig.setMaximumTicketLifetime(86400000L);
        kerberosConfig.setMaximumRenewableLifetime(604800000L);
        kerberosConfig.setPaEncTimestampRequired(false);
        kerberosConfig.setEncryptionTypes(convertEncryptionTypes());
        this.kdcServer = new NoReplayKdcServer(kerberosConfig);
        this.kdcServer.setSearchBaseDn(this.baseDN);
        this.kdcServer.addTransports(new Transport[]{new UdpTransport(this.bindHost, this.kdcPort)});
        this.kdcServer.setDirectoryService(this.directoryService);
        this.kdcServer.start();
        return this.kdcServer;
    }

    @Override // org.keycloak.util.ldap.LDAPEmbeddedServer
    public void stop() throws Exception {
        stopLdapServer();
        stopKerberosServer();
        shutdownDirectoryService();
    }

    protected void stopKerberosServer() {
        log.info("Stopping Kerberos server.");
        this.kdcServer.stop();
    }

    private Set<EncryptionType> convertEncryptionTypes() {
        HashSet hashSet = new HashSet();
        for (String str : this.kdcEncryptionTypes.split(",")) {
            String trim = str.trim();
            for (EncryptionType encryptionType : EncryptionType.getEncryptionTypes()) {
                if (encryptionType.getName().equalsIgnoreCase(trim)) {
                    hashSet.add(encryptionType);
                }
            }
        }
        return KerberosUtils.orderEtypesByStrength(hashSet);
    }

    private String getHostnameForSASLPrincipal(String str) {
        try {
            String canonicalHostName = InetAddress.getByName(str).getCanonicalHostName();
            if (canonicalHostName.toLowerCase(Locale.ENGLISH).startsWith(str.toLowerCase(Locale.ENGLISH) + ".")) {
                str = canonicalHostName;
            }
        } catch (SecurityException | UnknownHostException e) {
        }
        return str.toLowerCase(Locale.ENGLISH);
    }
}
