package org.opends.server.extensions;

import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.SaslException;
import org.ietf.jgss.GSSException;
import org.opends.messages.ExtensionMessages;
import org.opends.messages.Message;
import org.opends.messages.MessageBuilder;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.meta.GSSAPISASLMechanismHandlerCfgDefn;
import org.opends.server.admin.std.server.GSSAPISASLMechanismHandlerCfg;
import org.opends.server.admin.std.server.SASLMechanismHandlerCfg;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.IdentityMapper;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.config.ConfigException;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.loggers.ErrorLogger;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.types.ConfigChangeResult;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.ResultCode;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/GSSAPISASLMechanismHandler.class */
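/**
 * SASL mechanism handler for GSSAPI (Kerberos V5).
 *
 * <p>On initialization it resolves the server FQDN, writes a JAAS login
 * configuration for {@code com.sun.security.auth.module.Krb5LoginModule}
 * to a temporary file, points the JVM at it via the JAAS config-file system
 * property, optionally sets the KDC / realm system properties, and performs a
 * keytab-based login whose {@link LoginContext} is handed to every bind.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>The JAAS config file, the KDC/realm and the
 *       {@code useSubjectCredsOnly=false} properties are <em>process-global</em>
 *       and affect every other JAAS/GSS user in this JVM; {@link #clearProperties()}
 *       removes them again unconditionally.</li>
 *   <li>When {@code server-fqdn} is not configured the name is taken from a
 *       reverse lookup of the local address; set it explicitly so the service
 *       principal {@code ldap/<fqdn>} cannot depend on DNS.</li>
 *   <li>{@link #isSecure(String)} reports {@code true} because no password
 *       crosses the wire; it says nothing about the negotiated QOP. With
 *       {@code auth} QOP subsequent traffic is unprotected unless TLS is used.</li>
 * </ul>
 */
public class GSSAPISASLMechanismHandler extends SASLMechanismHandler<GSSAPISASLMechanismHandlerCfg> implements ConfigurationChangeListener<GSSAPISASLMechanismHandlerCfg>, CallbackHandler {
    private static final DebugTracer TRACER = DebugLogger.getTracer();

    /** DN of the configuration entry; only used to make error messages locatable. */
    private DN configEntryDN;
    /** Configuration the handler was last initialized with; null until then. */
    private GSSAPISASLMechanismHandlerCfg configuration;
    /** Maps the authenticated principal / authorization ID to a directory entry. */
    private IdentityMapper<?> identityMapper;
    /** Base SASL properties (qop, reuse); copied per connection when extended. */
    private HashMap<String, String> saslProps;
    /** SASL server name and host part of the default {@code ldap/<fqdn>} principal. */
    private String serverFQDN;
    /** Login context holding the server's Kerberos credentials; null until {@link #login()} succeeds. */
    private LoginContext loginContext;

    /**
     * Initializes the handler from {@code cfg}, registers it for the GSSAPI
     * mechanism and subscribes to configuration changes.
     *
     * @throws InitializationException if the FQDN cannot be resolved, the JAAS
     *         config file cannot be written, the keytab is missing, or the
     *         Kerberos login fails
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void initializeSASLMechanismHandler(GSSAPISASLMechanismHandlerCfg cfg) throws ConfigException, InitializationException {
        try {
            initialize(cfg);
            DirectoryServer.registerSASLMechanismHandler(ServerConstants.SASL_MECHANISM_GSSAPI, this);
            cfg.addGSSAPIChangeListener(this);
            this.configuration = cfg;
            ErrorLogger.logError(ExtensionMessages.INFO_GSSAPI_STARTED.get());
        } catch (UnknownHostException e) {
            debugCaught(e);
            throw new InitializationException(ExtensionMessages.ERR_SASL_CANNOT_GET_SERVER_FQDN.get(String.valueOf(this.configEntryDN), StaticUtils.getExceptionMessage(e)), e);
        } catch (IOException e) {
            debugCaught(e);
            throw new InitializationException(ExtensionMessages.ERR_SASLGSSAPI_CANNOT_CREATE_JAAS_CONFIG.get(StaticUtils.getExceptionMessage(e)), e);
        } catch (LoginException e) {
            debugCaught(e);
            throw new InitializationException(ExtensionMessages.ERR_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT.get(StaticUtils.getExceptionMessage(e)), e);
        }
    }

    /** Records a caught exception in the debug log when debugging is enabled. */
    private static void debugCaught(Exception e) {
        if (DebugLogger.debugEnabled()) {
            TRACER.debugCaught(DebugLogLevel.ERROR, e);
        }
    }

    /**
     * Pushes the configured KDC address and realm into the JVM-wide Kerberos
     * system properties. Both must be given together or not at all; when both
     * are absent the JVM's krb5.conf / DNS discovery is left untouched.
     *
     * @throws InitializationException if exactly one of KDC and realm is set
     */
    private void getKdcRealm(GSSAPISASLMechanismHandlerCfg cfg) throws InitializationException {
        String kdc = cfg.getKdcAddress();
        String realm = cfg.getRealm();
        boolean kdcSet = kdc != null;
        boolean realmSet = realm != null;
        if (kdcSet != realmSet) {
            throw new InitializationException(ExtensionMessages.ERR_SASLGSSAPI_KDC_REALM_NOT_DEFINED.get());
        }
        if (kdcSet) {
            // Process-global: overrides krb5.conf for every Kerberos client in this JVM.
            System.setProperty(ServerConstants.KRBV_PROPERTY_KDC, kdc);
            System.setProperty(ServerConstants.KRBV_PROPERTY_REALM, realm);
        }
    }

    /**
     * JAAS callback handler. The login module is configured with
     * {@code useKeyTab=true doNotPrompt=true}, so no name/password callbacks are
     * expected; anything that does arrive is deliberately left unanswered.
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
    }

    /**
     * Returns the configured server FQDN, or the canonical host name of the
     * local address when none is configured.
     *
     * <p>The fallback performs a reverse DNS lookup; the service principal is
     * derived from it, so an explicit {@code server-fqdn} is preferable.
     *
     * @throws UnknownHostException if the local host cannot be resolved
     */
    private String getFQDN(GSSAPISASLMechanismHandlerCfg cfg) throws UnknownHostException {
        String fqdn = cfg.getServerFqdn();
        return fqdn != null ? fqdn : InetAddress.getLocalHost().getCanonicalHostName();
    }

    /**
     * Performs the keytab-based Kerberos login using the JAAS entry named after
     * this class (written by {@link #configureLoginConfFile}).
     *
     * @throws LoginException if the login fails
     */
    private void login() throws LoginException {
        this.loginContext = new LoginContext(GSSAPISASLMechanismHandler.class.getName(), this);
        this.loginContext.login();
    }

    /**
     * Logs out the current login context, if any. Failures are debug-logged and
     * otherwise ignored: this runs on the shutdown / reconfiguration path where
     * there is nothing useful left to do about them.
     */
    private void logout() {
        LoginContext ctx = this.loginContext;
        if (ctx == null) {
            return; // initialization never reached login(), nothing to release
        }
        try {
            ctx.logout();
        } catch (LoginException e) {
            debugCaught(e);
        }
    }

    /**
     * Writes a single-entry JAAS login configuration for the Krb5LoginModule to
     * a temporary file and returns its absolute path.
     *
     * <p>The keytab is resolved (configured path, else {@code ~/krb5.keytab}) and
     * checked for existence <em>before</em> the temp file is created, so a bad
     * keytab path leaves nothing behind. The file is removed on JVM exit only;
     * every call creates a fresh one.
     *
     * @throws IOException if the config file cannot be created or written
     * @throws InitializationException if the keytab file does not exist
     */
    private String configureLoginConfFile(GSSAPISASLMechanismHandlerCfg cfg) throws IOException, InitializationException {
        String keytab = cfg.getKeytab();
        if (keytab == null) {
            keytab = System.getProperty("user.home") + System.getProperty("file.separator") + "krb5.keytab";
        }
        File keytabFile = new File(keytab);
        if (!keytabFile.exists()) {
            throw new InitializationException(ExtensionMessages.ERR_SASL_GSSAPI_KEYTAB_INVALID.get(keytab));
        }

        // Service principal: explicit name, else ldap/<fqdn>; realm appended if configured.
        StringBuilder principal = new StringBuilder();
        String principalName = cfg.getPrincipalName();
        principal.append(principalName != null ? principalName : "ldap/" + this.serverFQDN);
        String realm = cfg.getRealm();
        if (realm != null) {
            principal.append('@').append(realm);
        }
        ErrorLogger.logError(ExtensionMessages.INFO_GSSAPI_PRINCIPAL_NAME.get(principal.toString()));

        File confFile = File.createTempFile("login", "conf");
        confFile.deleteOnExit();
        restrictToOwner(confFile);
        try (BufferedWriter out = new BufferedWriter(new FileWriter(confFile, false))) {
            out.write(getClass().getName() + " {");
            out.newLine();
            out.write("  com.sun.security.auth.module.Krb5LoginModule required storeKey=true useKeyTab=true doNotPrompt=true ");
            out.write("keyTab=\"" + keytabFile + "\" ");
            out.write("principal=\"" + principal + "\";");
            out.newLine();
            out.write("};");
            out.newLine();
            out.flush();
        }
        return confFile.getAbsolutePath();
    }

    /**
     * Best-effort hardening of the JAAS config file in the shared temp directory:
     * the JVM reads which login module to trust from it, so other local users
     * should be able neither to read nor to replace its contents. Recent JDKs
     * already create temp files owner-only on POSIX; on platforms that do not
     * support per-user bits these calls are no-ops.
     */
    private static void restrictToOwner(File f) {
        // Clear the permission for everyone first, then re-grant it to the owner.
        f.setReadable(false, false);
        f.setReadable(true, true);
        f.setWritable(false, false);
        f.setWritable(true, true);
    }

    /**
     * Logs out, unsubscribes from configuration changes, deregisters the
     * mechanism and clears the global Kerberos/JAAS system properties.
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void finalizeSASLMechanismHandler() {
        logout();
        if (this.configuration != null) {
            this.configuration.removeGSSAPIChangeListener(this);
        }
        DirectoryServer.deregisterSASLMechanismHandler(ServerConstants.SASL_MECHANISM_GSSAPI);
        clearProperties();
        ErrorLogger.logError(ExtensionMessages.INFO_GSSAPI_STOPPED.get());
    }

    /**
     * Clears the JVM-wide Kerberos and JAAS properties set by {@link #initialize}.
     * NOTE(review): this does not check who set them, so a JAAS config file or
     * KDC configured by another component in the same JVM is cleared too.
     */
    private void clearProperties() {
        System.clearProperty(ServerConstants.KRBV_PROPERTY_KDC);
        System.clearProperty(ServerConstants.KRBV_PROPERTY_REALM);
        System.clearProperty(ServerConstants.JAAS_PROPERTY_CONFIG_FILE);
        System.clearProperty(ServerConstants.JAAS_PROPERTY_SUBJECT_CREDS_ONLY);
    }

    /**
     * Processes one step of a GSSAPI SASL bind. A per-connection
     * {@code SASLContext} is created on the first step and stored in the
     * connection's SASL auth state; on failure to create it the bind is rejected
     * with {@code INVALID_CREDENTIALS} and the state is cleared.
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void processSASLBind(BindOperation bindOperation) {
        ClientConnection conn = bindOperation.getClientConnection();
        if (conn == null) {
            bindOperation.setAuthFailureReason(ExtensionMessages.ERR_SASLGSSAPI_NO_CLIENT_CONNECTION.get());
            bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            return;
        }
        // NOTE(review): assumes any stored auth state on this connection is a
        // SASLContext for this mechanism; a different type here would throw CCE.
        SASLContext ctx = (SASLContext) conn.getSASLAuthStateInfo();
        if (ctx == null) {
            try {
                ctx = createContext(conn);
            } catch (SaslException e) {
                debugCaught(e);
                bindOperation.setAuthFailureReason(contextCreateFailure(e));
                conn.setSASLAuthStateInfo(null);
                bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                return;
            }
        }
        ctx.performAuthentication(this.loginContext, bindOperation);
    }

    /**
     * Builds the SASL context for a connection. On a TLS-protected connection the
     * SASL max receive buffer is capped to the connection's application buffer
     * size (in a private copy of the shared properties).
     */
    private SASLContext createContext(ClientConnection conn) throws SaslException {
        HashMap<String, String> props = this.saslProps;
        if (conn.isSecure()) {
            props = new HashMap<String, String>(this.saslProps);
            props.put("javax.security.sasl.maxbuffer", Integer.toString(conn.getAppBufferSize()));
        }
        return SASLContext.createSASLContext(props, this.serverFQDN, ServerConstants.SASL_MECHANISM_GSSAPI, this.identityMapper);
    }

    /**
     * Turns a context-creation failure into the bind failure reason, using the
     * GSS major/minor codes when the cause is a {@link GSSException}.
     */
    private static Message contextCreateFailure(SaslException e) {
        Throwable cause = e.getCause();
        if (cause instanceof GSSException) {
            return ExtensionMessages.ERR_SASL_CONTEXT_CREATE_ERROR.get(ServerConstants.SASL_MECHANISM_GSSAPI, getGSSExceptionMessage((GSSException) cause));
        }
        return ExtensionMessages.ERR_SASL_CONTEXT_CREATE_ERROR.get(ServerConstants.SASL_MECHANISM_GSSAPI, StaticUtils.getExceptionMessage(e));
    }

    /**
     * Formats a GSS exception as "major code (N) text[, minor code (M) text]";
     * the minor part is omitted when the minor code is zero.
     */
    public static Message getGSSExceptionMessage(GSSException gssException) {
        MessageBuilder builder = new MessageBuilder();
        builder.append((CharSequence) ("major code (" + gssException.getMajor() + ") " + gssException.getMajorString()));
        int minor = gssException.getMinor();
        if (minor != 0) {
            builder.append((CharSequence) (", minor code (" + minor + ") " + gssException.getMinorString()));
        }
        return builder.toMessage();
    }

    /**
     * Resolves an authorization ID to a directory entry via the configured
     * identity mapper. {@code bindOperation} is not consulted.
     *
     * @throws DirectoryException if the mapper fails
     */
    public Entry getUserForAuthzID(BindOperation bindOperation, String authzID) throws DirectoryException {
        return this.identityMapper.getEntryForID(authzID);
    }

    /** GSSAPI authenticates with Kerberos tickets, never with a password. */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isPasswordBased(String mechanism) {
        return false;
    }

    /**
     * Always {@code true}: no reusable secret is sent over the connection.
     * This is independent of the negotiated QOP (see class comment).
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isSecure(String mechanism) {
        return true;
    }

    /** Generic-interface entry point; delegates to the typed check. */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isConfigurationAcceptable(SASLMechanismHandlerCfg cfg, List<Message> unacceptableReasons) {
        return isConfigurationChangeAcceptable((GSSAPISASLMechanismHandlerCfg) cfg, unacceptableReasons);
    }

    /**
     * Validates a configuration by actually applying it: if the handler is
     * currently enabled it is finalized first, then {@link #initialize} is run
     * against the new configuration and the handler is finalized again. Any
     * failure is reported through {@code unacceptableReasons}, the global
     * properties are cleared and {@code false} is returned. Disabling an enabled
     * handler finalizes it immediately.
     *
     * <p>NOTE(review): when validation succeeds the handler is left finalized
     * (logged out, deregistered, listener removed) and
     * {@link #applyConfigurationChange} does not re-initialize it; confirm the
     * server's SASL config manager re-initializes the handler afterwards.
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public boolean isConfigurationChangeAcceptable(GSSAPISASLMechanismHandlerCfg newConfig, List<Message> unacceptableReasons) {
        boolean newEnabled = newConfig.isEnabled();
        boolean oldEnabled = this.configuration != null && this.configuration.isEnabled();
        if (!newEnabled) {
            if (oldEnabled) {
                finalizeSASLMechanismHandler();
            }
            return true;
        }

        Message failure;
        try {
            if (oldEnabled) {
                finalizeSASLMechanismHandler();
            }
            initialize(newConfig);
            finalizeSASLMechanismHandler();
            return true;
        } catch (UnknownHostException e) {
            debugCaught(e);
            failure = ExtensionMessages.ERR_SASL_CANNOT_GET_SERVER_FQDN.get(String.valueOf(this.configEntryDN), StaticUtils.getExceptionMessage(e));
        } catch (IOException e) {
            debugCaught(e);
            failure = ExtensionMessages.ERR_SASLGSSAPI_CANNOT_CREATE_JAAS_CONFIG.get(StaticUtils.getExceptionMessage(e));
        } catch (LoginException e) {
            debugCaught(e);
            failure = ExtensionMessages.ERR_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT.get(StaticUtils.getExceptionMessage(e));
        } catch (InitializationException e) {
            debugCaught(e);
            failure = e.getMessageObject();
        }
        // Partial initialization may have set global properties; do not leave them behind.
        clearProperties();
        unacceptableReasons.add(failure);
        return false;
    }

    /**
     * Legacy alias of {@link #isConfigurationChangeAcceptable} kept for callers
     * of the previously exposed name.
     *
     * @deprecated use {@link #isConfigurationChangeAcceptable}
     */
    @Deprecated
    public boolean isConfigurationChangeAcceptable2(GSSAPISASLMechanismHandlerCfg newConfig, List<Message> unacceptableReasons) {
        return isConfigurationChangeAcceptable(newConfig, unacceptableReasons);
    }

    /**
     * Reports success without touching state; all work was done during
     * {@link #isConfigurationChangeAcceptable}.
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public ConfigChangeResult applyConfigurationChange(GSSAPISASLMechanismHandlerCfg newConfig) {
        return new ConfigChangeResult(ResultCode.SUCCESS, false, new ArrayList<Message>());
    }

    /**
     * Applies {@code cfg}: resolves mapper and FQDN, builds the SASL properties,
     * writes the JAAS config and points the JVM at it, disables
     * subject-credentials-only, sets KDC/realm, and logs in.
     *
     * <p>Order matters: {@link #configureLoginConfFile} reads {@link #serverFQDN},
     * so the FQDN is resolved first.
     *
     * @throws UnknownHostException if the local FQDN cannot be resolved
     * @throws IOException if the JAAS config cannot be written
     * @throws LoginException if the Kerberos login fails
     * @throws InitializationException if the keytab is missing or KDC/realm are inconsistent
     */
    private void initialize(GSSAPISASLMechanismHandlerCfg cfg) throws UnknownHostException, IOException, LoginException, InitializationException {
        this.configEntryDN = cfg.dn();
        this.identityMapper = DirectoryServer.getIdentityMapper(cfg.getIdentityMapperDN());
        this.serverFQDN = getFQDN(cfg);
        ErrorLogger.logError(ExtensionMessages.INFO_GSSAPI_SERVER_FQDN.get(this.serverFQDN));
        this.saslProps = new HashMap<String, String>();
        this.saslProps.put("javax.security.sasl.qop", getQOP(cfg));
        this.saslProps.put("javax.security.sasl.reuse", ServerConstants.CONFIG_VALUE_FALSE);
        System.setProperty(ServerConstants.JAAS_PROPERTY_CONFIG_FILE, configureLoginConfFile(cfg));
        // Lets GSS fall back to credentials outside the current Subject; JVM-wide.
        System.setProperty(ServerConstants.JAAS_PROPERTY_SUBJECT_CREDS_ONLY, ServerConstants.CONFIG_VALUE_FALSE);
        getKdcRealm(cfg);
        login();
    }

    /**
     * Maps the configured quality-of-protection to the SASL qop token:
     * CONFIDENTIALITY → {@code auth-conf}, INTEGRITY → {@code auth-int},
     * anything else → {@code auth}.
     */
    private String getQOP(GSSAPISASLMechanismHandlerCfg cfg) {
        GSSAPISASLMechanismHandlerCfgDefn.QualityOfProtection qop = cfg.getQualityOfProtection();
        if (qop == GSSAPISASLMechanismHandlerCfgDefn.QualityOfProtection.CONFIDENTIALITY) {
            return "auth-conf";
        }
        if (qop == GSSAPISASLMechanismHandlerCfgDefn.QualityOfProtection.INTEGRITY) {
            return "auth-int";
        }
        return "auth";
    }
}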
