package org.apache.wss4j.dom.validate;

import java.security.Key;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.kafka.common.security.JaasUtils;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.kerberos.KerberosServiceContext;
import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoder;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoderException;
import org.apache.wss4j.common.kerberos.KerberosTokenDecoderImpl;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.message.token.KerberosSecurity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-356-01.zip:modules/system/layers/fuse/org/apache/ws/security/2.1/wss4j-ws-security-dom-2.1.7.jar:org/apache/wss4j/dom/validate/KerberosTokenValidator.class */
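public class KerberosTokenValidator implements Validator {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosTokenValidator.class);

    /**
     * JDK system property that names the JAAS login configuration file. Spelled out here so
     * that this class does not depend on a third-party (Kafka) constant for a JDK property name.
     */
    private static final String JAAS_LOGIN_CONFIG_PROPERTY = "java.security.auth.login.config";

    /** JDK system property that names the Kerberos configuration file. */
    private static final String KRB5_CONF_PROPERTY = "java.security.krb5.conf";

    // Service principal name the ticket must be addressed to; when null, the first principal of
    // the logged-in Subject is used instead (see resolveServiceName).
    private String serviceName;
    // Callback handler used for the JAAS login; falls back to the one on RequestData, then none.
    private CallbackHandler callbackHandler;
    // JAAS login configuration entry name passed to LoginContext.
    private String contextName;
    // Optional decoder used to extract the session key when the service context has none.
    // NOTE(review): setToken/setSubject mutate this instance per request, so an injected
    // decoder shared by several threads is not protected here — confirm per-request instances
    // or external synchronization in the deployment.
    private KerberosTokenDecoder kerberosTokenDecoder;
    private boolean isUsernameServiceNameForm;
    private boolean spnego;

    /** @return the JAAS login configuration entry name */
    public String getContextName() {
        return this.contextName;
    }

    /** @param str the JAAS login configuration entry name */
    public void setContextName(String str) {
        this.contextName = str;
    }

    /** @return the callback handler used for the JAAS login, or null */
    public CallbackHandler getCallbackHandler() {
        return this.callbackHandler;
    }

    /** @param callbackHandler the callback handler used for the JAAS login */
    public void setCallbackHandler(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
    }

    /** @param str the service principal name the ticket must be addressed to, or null */
    public void setServiceName(String str) {
        this.serviceName = str;
    }

    /** @return the configured service principal name, or null */
    public String getServiceName() {
        return this.serviceName;
    }

    /** @return the injected token decoder, or null when the default implementation is used */
    public KerberosTokenDecoder getKerberosTokenDecoder() {
        return this.kerberosTokenDecoder;
    }

    /** @param kerberosTokenDecoder the decoder to use for session-key extraction */
    public void setKerberosTokenDecoder(KerberosTokenDecoder kerberosTokenDecoder) {
        this.kerberosTokenDecoder = kerberosTokenDecoder;
    }

    /**
     * Validates a Kerberos binary security token and populates the credential with the
     * authenticated client principal, any delegation credential and the session key.
     *
     * <p>Credentials whose token is not a {@link KerberosSecurity} are returned unchanged.
     * The validation performs a JAAS login (the service's own TGT) and then accepts the
     * client's ticket inside that Subject via {@link Subject#doAs}.
     *
     * @param credential the credential carrying the binary security token
     * @param requestData per-request data; its callback handler is used when none is configured
     * @return the same credential, enriched with principal, delegation credential and secret key
     * @throws WSSecurityException if no token is present ("noCredential"), the JAAS login fails
     *         ("kerberosLoginError"), no client principal is available after login, the ticket
     *         is rejected ("kerberosTicketValidationError"), or session-key extraction fails
     */
    @Override
    public Credential validate(Credential credential, RequestData requestData) throws WSSecurityException {
        if (credential == null || credential.getBinarySecurityToken() == null) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "noCredential");
        }
        BinarySecurity binarySecurityToken = credential.getBinarySecurityToken();
        if (!(binarySecurityToken instanceof KerberosSecurity)) {
            // Not a Kerberos token: nothing for this validator to do.
            return credential;
        }
        logSecurityConfiguration();
        try {
            LoginContext loginContext = createLoginContext(requestData);
            loginContext.login();
            LOG.debug("Successfully authenticated to the TGT");

            byte[] token = binarySecurityToken.getToken();
            Subject subject = loginContext.getSubject();
            String service = resolveServiceName(subject);
            try {
                // Ticket acceptance must run as the logged-in service Subject so the JGSS
                // provider can find the service's own Kerberos credentials.
                KerberosServiceContext kerberosServiceContext = (KerberosServiceContext) Subject.doAs(
                        subject, new KerberosServiceExceptionAction(token, service, isUsernameServiceNameForm(), this.spnego));
                credential.setPrincipal(kerberosServiceContext.getPrincipal());
                credential.setDelegationCredential(kerberosServiceContext.getDelegationCredential());
                applySessionKey(credential, kerberosServiceContext, token, subject);
                LOG.debug("Successfully validated a ticket");
                return credential;
            } catch (PrivilegedActionException e) {
                Throwable cause = e.getCause();
                if (cause instanceof WSSecurityException) {
                    throw (WSSecurityException) cause;
                }
                // WSSecurityException takes an Exception cause; the action may have thrown any Throwable.
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception(cause), "kerberosTicketValidationError");
            }
        } catch (LoginException e) {
            LOG.debug(e.getMessage(), e);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "kerberosLoginError", new Object[]{e.getMessage()});
        }
    }

    /**
     * Logs the JAAS and Kerberos configuration file locations at debug level. Only file paths
     * are logged, never credentials. A SecurityManager may deny the property read, in which
     * case the diagnostic is simply skipped.
     */
    private static void logSecurityConfiguration() {
        if (!LOG.isDebugEnabled()) {
            return;
        }
        try {
            String jaasConfig = System.getProperty(JAAS_LOGIN_CONFIG_PROPERTY);
            String krb5Conf = System.getProperty(KRB5_CONF_PROPERTY);
            LOG.debug("KerberosTokenValidator - Using JAAS auth login file: {}", jaasConfig);
            LOG.debug("KerberosTokenValidator - Using KRB conf file: {}", krb5Conf);
        } catch (SecurityException e) {
            LOG.debug(e.getMessage(), e);
        }
    }

    /**
     * Builds the LoginContext for the configured context name, preferring the validator's own
     * callback handler, then the request's, and finally none.
     *
     * @throws LoginException if the JAAS configuration entry cannot be loaded
     */
    private LoginContext createLoginContext(RequestData requestData) throws LoginException {
        if (this.callbackHandler != null) {
            return new LoginContext(getContextName(), this.callbackHandler);
        }
        if (requestData.getCallbackHandler() != null) {
            return new LoginContext(getContextName(), requestData.getCallbackHandler());
        }
        return new LoginContext(getContextName());
    }

    /**
     * Returns the configured service name, or — when none is set — the name of the first
     * principal in the logged-in Subject.
     *
     * <p>NOTE(review): {@code Subject.getPrincipals()} is a Set with no ordering guarantee;
     * the fallback is only well-defined when the login module adds a single principal.
     *
     * @throws WSSecurityException if no service name is configured and the Subject has no principals
     */
    private String resolveServiceName(Subject subject) throws WSSecurityException {
        if (this.serviceName != null) {
            return this.serviceName;
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals.isEmpty()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosLoginError", new Object[]{"No Client principals found after login"});
        }
        return principals.iterator().next().getName();
    }

    /**
     * Stores the session key on the credential. The key from the service context is preferred;
     * when the credential still has no secret key afterwards, a KerberosTokenDecoder is used
     * to extract it from the raw token. The resulting bytes are key material and must not be logged.
     *
     * @throws WSSecurityException if the decoder fails to extract the session key
     */
    private void applySessionKey(Credential credential, KerberosServiceContext kerberosServiceContext,
                                 byte[] token, Subject subject) throws WSSecurityException {
        LOG.debug("Trying to obtain the Session Key from the KerberosServiceContext.");
        Key sessionKey = kerberosServiceContext.getSessionKey();
        if (sessionKey != null) {
            LOG.debug("Found session key in the KerberosServiceContext.");
            credential.setSecretKey(sessionKey.getEncoded());
        } else {
            LOG.debug("Session key is not found in the KerberosServiceContext.");
        }
        if (credential.getSecretKey() != null) {
            LOG.debug("Session key already present in the credential; KerberosTokenDecoder not used.");
            return;
        }
        KerberosTokenDecoder decoder = this.kerberosTokenDecoder;
        if (decoder == null) {
            decoder = new KerberosTokenDecoderImpl();
        }
        LOG.debug("KerberosTokenDecoder is set.Trying to obtain the session key from it.");
        // The decoder is stateful: reset it before binding this request's token and Subject.
        decoder.clear();
        decoder.setToken(token);
        decoder.setSubject(subject);
        try {
            byte[] decodedKey = decoder.getSessionKey();
            if (decodedKey != null) {
                LOG.debug("Session key obtained from the KerberosTokenDecoder.");
                credential.setSecretKey(decodedKey);
            } else {
                LOG.debug("Session key could not be obtained from the KerberosTokenDecoder.");
            }
        } catch (KerberosTokenDecoderException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "Error retrieving session key.");
        }
    }

    /** @return whether the service name is in username form rather than host-based form */
    public boolean isUsernameServiceNameForm() {
        return this.isUsernameServiceNameForm;
    }

    /** @param z true to treat the service name as a username rather than a host-based service */
    public void setUsernameServiceNameForm(boolean z) {
        this.isUsernameServiceNameForm = z;
    }

    /** @return whether SPNEGO negotiation is expected for the token */
    public boolean isSpnego() {
        return this.spnego;
    }

    /** @param z true to expect a SPNEGO-wrapped token */
    public void setSpnego(boolean z) {
        this.spnego = z;
    }
}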
