package org.keycloak.testsuite.adapter.federation;

import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.Credentials;
import org.apache.http.impl.auth.SPNegoScheme;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.params.HttpParams;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.keycloak.federation.kerberos.CommonKerberosConfig;
import org.keycloak.federation.kerberos.impl.KerberosUsernamePasswordAuthenticator;

/* loaded from: input_file:org/keycloak/testsuite/adapter/federation/KeycloakSPNegoSchemeFactory.class */
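/**
 * SPNEGO scheme factory for the adapter test suite that obtains the Kerberos
 * ticket with a username and password instead of relying on a ticket already
 * present in the environment.
 *
 * <p>The factory is created with {@code stripPort = true} and
 * {@code useCanonicalHostname = false}. Credentials are supplied afterwards
 * through {@link #setCredentials(String, String)}; every token generation logs
 * in with them, builds one SPNEGO token and logs out again.
 *
 * <p>The credential fields are plain mutable fields with no synchronization,
 * so instances are not safe to share between threads that call
 * {@link #setCredentials(String, String)} concurrently.
 */
public class KeycloakSPNegoSchemeFactory extends SPNegoSchemeFactory {
    private final CommonKerberosConfig kerberosConfig;

    // NOTE(review): the password is kept as a String for as long as the factory
    // is referenced and cannot be wiped after use. Acceptable for test fixtures;
    // do not reuse this pattern with real user secrets.
    private String username;
    private String password;

    /**
     * SPNEGO scheme whose GSS token is produced on behalf of a subject that is
     * authenticated with the credentials stored on the enclosing factory.
     */
    public class KeycloakSPNegoScheme extends SPNegoScheme {

        /**
         * Carrier for the token bytes returned from the privileged action.
         * Instances are only created by {@link ClientAcceptSecContext}.
         */
        public class ByteArrayHolder {
            private byte[] bytes;

            private ByteArrayHolder() {
            }
        }

        /**
         * Privileged action that initiates a GSS security context towards
         * {@code HTTP/<authServer>@<realm>} and returns the first output token.
         */
        private class ClientAcceptSecContext implements PrivilegedExceptionAction<ByteArrayHolder> {
            private final byte[] input;
            private final Oid oid;
            private final String authServer;

            public ClientAcceptSecContext(byte[] input, Oid oid, String authServer) {
                this.input = input;
                this.oid = oid;
                this.authServer = authServer;
            }

            /**
             * Creates the initiator context and produces the output token.
             *
             * @return holder wrapping the bytes returned by {@code initSecContext}
             * @throws Exception if name creation, context creation or token
             *         generation fails
             */
            @Override // java.security.PrivilegedExceptionAction
            public ByteArrayHolder run() throws Exception {
                // A missing challenge token is treated as an empty one.
                byte[] token = this.input != null ? this.input : new byte[0];

                GSSManager manager = KeycloakSPNegoScheme.this.getManager();
                // The realm comes from configuration; the host part is whatever
                // the HTTP client passed in as the authentication server.
                String servicePrincipal = "HTTP/" + this.authServer + "@"
                        + KeycloakSPNegoSchemeFactory.this.kerberosConfig.getKerberosRealm();
                GSSContext gssContext = manager.createContext(
                        manager.createName(servicePrincipal, null).canonicalize(this.oid),
                        this.oid,
                        null,
                        GSSContext.DEFAULT_LIFETIME);
                try {
                    gssContext.requestMutualAuth(true);
                    // Requests delegation of the client's credentials to the
                    // acceptor. The test suite relies on this; outside of tests,
                    // delegation should only be requested towards services that
                    // are trusted to act as the user.
                    gssContext.requestCredDeleg(true);

                    ByteArrayHolder holder = new ByteArrayHolder();
                    holder.bytes = gssContext.initSecContext(token, 0, token.length);
                    return holder;
                } finally {
                    // The context is never used again after this call, so release
                    // its resources and key material instead of waiting for GC.
                    gssContext.dispose();
                }
            }
        }

        /**
         * @param stripPort passed through to {@link SPNegoScheme}
         * @param useCanonicalHostname passed through to {@link SPNegoScheme}
         */
        public KeycloakSPNegoScheme(boolean stripPort, boolean useCanonicalHostname) {
            super(stripPort, useCanonicalHostname);
        }

        /**
         * Logs in with the factory's username and password, generates the GSS
         * token as that subject and always logs the subject out afterwards.
         *
         * @param input challenge token, may be {@code null}
         * @param oid mechanism OID used for the name and the context
         * @param authServer host used to build the {@code HTTP/} service principal
         * @param credentials ignored; the factory's own credentials are used
         * @return the generated token bytes
         * @throws GSSException declared by the overridden method
         * @throws RuntimeException wrapping any exception raised while logging
         *         in or producing the token
         */
        @Override
        protected byte[] generateGSSToken(byte[] input, Oid oid, String authServer, Credentials credentials) throws GSSException {
            KerberosUsernamePasswordAuthenticator authenticator =
                    new KerberosUsernamePasswordAuthenticator(KeycloakSPNegoSchemeFactory.this.kerberosConfig);
            try {
                Subject clientSubject = authenticator.authenticateSubject(
                        KeycloakSPNegoSchemeFactory.this.username,
                        KeycloakSPNegoSchemeFactory.this.password);
                ByteArrayHolder holder =
                        Subject.doAs(clientSubject, new ClientAcceptSecContext(input, oid, authServer));
                return holder.bytes;
            } catch (Exception e) {
                // Cause is preserved; do not put the credentials into the message.
                throw new RuntimeException(e);
            } finally {
                // Single logout on every path, so the login context is not left
                // open when authentication or token generation fails.
                authenticator.logoutSubject();
            }
        }
    }

    /**
     * @param kerberosConfig configuration supplying the Kerberos realm and the
     *        settings used by the username/password authenticator
     */
    public KeycloakSPNegoSchemeFactory(CommonKerberosConfig kerberosConfig) {
        super(true, false);
        this.kerberosConfig = kerberosConfig;
    }

    /**
     * Stores the credentials used for every subsequent token generation.
     *
     * @param username Kerberos user name
     * @param password password for that user
     */
    public void setCredentials(String username, String password) {
        this.username = username;
        this.password = password;
    }

    /**
     * Creates a scheme configured with this factory's port-stripping and
     * canonical-hostname settings.
     *
     * @param httpParams not used
     * @return a new {@link KeycloakSPNegoScheme}
     */
    @Override
    public AuthScheme newInstance(HttpParams httpParams) {
        return new KeycloakSPNegoScheme(isStripPort(), isUseCanonicalHostname());
    }
}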
