package org.apache.wss4j.common.spnego;

import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.kerberos.KerberosClientExceptionAction;
import org.apache.wss4j.common.kerberos.KerberosContext;
import org.apache.wss4j.common.kerberos.KerberosServiceContext;
import org.apache.wss4j.common.kerberos.KerberosServiceExceptionAction;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.MessageProp;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-439.zip:modules/system/layers/fuse/org/apache/ws/security/2.1/wss4j-ws-security-common-2.1.7.jar:org/apache/wss4j/common/spnego/SpnegoTokenContext.class */
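/**
 * Holds the state of one SPNEGO/Kerberos exchange: the GSS security context, the
 * token produced by the last step, and (on the service side) the delegated
 * credential and authenticated principal.
 *
 * <p>Client side: {@link #retrieveServiceTicket} logs in via JAAS and initiates a
 * GSS context, producing the token to send. Service side: {@link #validateServiceTicket}
 * logs in via JAAS and accepts a received ticket. Either step may be replaced by a
 * caller-supplied {@link SpnegoClientAction} / {@link SpnegoServiceAction}.
 *
 * <p>Once a context is established, {@link #wrapKey} / {@link #unwrapKey} protect a
 * key with it; {@link #clear} disposes the context and drops all held state.
 * Instances are not thread-safe.
 */
public class SpnegoTokenContext {
    private static final Logger LOG = LoggerFactory.getLogger(SpnegoTokenContext.class);

    /** GSS context from the last client or service exchange; null until one has run. */
    private GSSContext secContext;
    /** Token produced by the last exchange; null until one has run or after {@link #clear}. */
    private byte[] token;
    /** Whether mutual authentication is requested when initiating a context. */
    private boolean mutualAuth;
    /** Optional caller-supplied client action; when null the built-in Kerberos action is used. */
    private SpnegoClientAction clientAction;
    /** Optional caller-supplied service action; when null the built-in Kerberos action is used. */
    private SpnegoServiceAction serviceAction;
    /** Credential delegated by the client, only set by the built-in service action. */
    private GSSCredential delegationCredential;
    /** Principal authenticated by the built-in service action. */
    private Principal spnegoPrincipal;

    /**
     * Retrieves a service ticket for {@code serviceName}, using the principal-name
     * form of the service name and no credential delegation.
     *
     * @param jaasLoginModuleName JAAS login configuration entry to authenticate with
     * @param callbackHandler handler for the login module, or null to use the JAAS default
     * @param serviceName name of the service to obtain a ticket for
     * @throws WSSecurityException if login fails, no principal is found, or no ticket is obtained
     */
    public void retrieveServiceTicket(String jaasLoginModuleName, CallbackHandler callbackHandler,
                                      String serviceName) throws WSSecurityException {
        retrieveServiceTicket(jaasLoginModuleName, callbackHandler, serviceName, false);
    }

    /**
     * Retrieves a service ticket for {@code serviceName} without credential delegation.
     *
     * @param jaasLoginModuleName JAAS login configuration entry to authenticate with
     * @param callbackHandler handler for the login module, or null to use the JAAS default
     * @param serviceName name of the service to obtain a ticket for
     * @param isUsernameServiceNameForm whether {@code serviceName} is in username form
     *        rather than the principal-name form
     * @throws WSSecurityException if login fails, no principal is found, or no ticket is obtained
     */
    public void retrieveServiceTicket(String jaasLoginModuleName, CallbackHandler callbackHandler,
                                      String serviceName, boolean isUsernameServiceNameForm)
        throws WSSecurityException {
        retrieveServiceTicket(jaasLoginModuleName, callbackHandler, serviceName,
                              isUsernameServiceNameForm, false, null);
    }

    /**
     * Logs in via JAAS and initiates a GSS context for {@code serviceName}, storing the
     * resulting token and context on this instance.
     *
     * <p>If a {@link SpnegoClientAction} has been set it is run instead of the built-in
     * {@link KerberosClientExceptionAction}; in that case {@code requestCredDeleg} and
     * {@code delegatedCredential} are not passed to it.
     *
     * @param jaasLoginModuleName JAAS login configuration entry to authenticate with
     * @param callbackHandler handler for the login module, or null to use the JAAS default
     * @param serviceName name of the service to obtain a ticket for
     * @param isUsernameServiceNameForm whether {@code serviceName} is in username form
     * @param requestCredDeleg whether to request credential delegation from the service
     * @param delegatedCredential credential to initiate with, or null for the subject's own
     * @throws WSSecurityException if login fails, no principal is found, or no ticket is obtained
     */
    public void retrieveServiceTicket(String jaasLoginModuleName, CallbackHandler callbackHandler,
                                      String serviceName, boolean isUsernameServiceNameForm,
                                      boolean requestCredDeleg, GSSCredential delegatedCredential)
        throws WSSecurityException {
        Subject subject = login(jaasLoginModuleName, callbackHandler);

        if (subject.getPrincipals().isEmpty()) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosLoginError",
                                          new Object[]{"No Client principals found after login"});
        }

        if (clientAction != null) {
            clientAction.setServiceName(serviceName);
            clientAction.setMutualAuth(mutualAuth);
            clientAction.setUserNameServiceForm(isUsernameServiceNameForm);
            token = (byte[]) Subject.doAs(subject, clientAction);
            if (token == null) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                              "kerberosServiceTicketError");
            }
            secContext = clientAction.getContext();
        } else {
            try {
                // NOTE(review): the trailing "true" appears to select SPNEGO rather than raw
                // Kerberos in the action — confirm against KerberosClientExceptionAction.
                KerberosClientExceptionAction action = new KerberosClientExceptionAction(
                    null, serviceName, isUsernameServiceNameForm, requestCredDeleg,
                    delegatedCredential, true, mutualAuth);
                KerberosContext krbCtx = (KerberosContext) Subject.doAs(subject, action);
                token = krbCtx.getKerberosToken();
                if (token == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                                  "kerberosServiceTicketError");
                }
                secContext = krbCtx.getGssContext();
            } catch (PrivilegedActionException e) {
                throw unwrapPrivilegedException(e);
            }
        }

        LOG.debug("Successfully retrieved a service ticket");
    }

    /**
     * Validates a received ticket, using the principal-name form of the service name.
     *
     * @param jaasLoginModuleName JAAS login configuration entry to authenticate with
     * @param callbackHandler handler for the login module, or null to use the JAAS default
     * @param serviceName service principal name, or null to use the logged-in subject's first principal
     * @param ticket the SPNEGO/Kerberos token received from the client
     * @throws WSSecurityException if login fails, no principal is found, or the ticket is not accepted
     */
    public void validateServiceTicket(String jaasLoginModuleName, CallbackHandler callbackHandler,
                                      String serviceName, byte[] ticket) throws WSSecurityException {
        validateServiceTicket(jaasLoginModuleName, callbackHandler, serviceName, false, ticket);
    }

    /**
     * Logs in via JAAS and accepts {@code ticket}, storing the response token, the GSS
     * context and — for the built-in action — the delegated credential and client
     * principal on this instance.
     *
     * <p>If a {@link SpnegoServiceAction} has been set it is run instead of the built-in
     * {@link KerberosServiceExceptionAction}; its returned token is stored as-is.
     *
     * @param jaasLoginModuleName JAAS login configuration entry to authenticate with
     * @param callbackHandler handler for the login module, or null to use the JAAS default
     * @param serviceName service principal name, or null to use the logged-in subject's first principal
     * @param isUsernameServiceNameForm whether {@code serviceName} is in username form
     * @param ticket the SPNEGO/Kerberos token received from the client
     * @throws WSSecurityException if login fails, no principal is found, or the ticket is not accepted
     */
    public void validateServiceTicket(String jaasLoginModuleName, CallbackHandler callbackHandler,
                                      String serviceName, boolean isUsernameServiceNameForm,
                                      byte[] ticket) throws WSSecurityException {
        Subject subject = login(jaasLoginModuleName, callbackHandler);

        // The principal check is only performed when the service name has to be derived
        // from the subject; an explicit service name skips it, as in the original.
        String effectiveServiceName = serviceName;
        if (effectiveServiceName == null) {
            Set<Principal> principals = subject.getPrincipals();
            if (principals.isEmpty()) {
                throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "kerberosLoginError",
                                              new Object[]{"No Client principals found after login"});
            }
            effectiveServiceName = principals.iterator().next().getName();
        }

        if (serviceAction != null) {
            serviceAction.setTicket(ticket);
            serviceAction.setServiceName(effectiveServiceName);
            serviceAction.setUsernameServiceNameForm(isUsernameServiceNameForm);
            token = (byte[]) Subject.doAs(subject, serviceAction);
            secContext = serviceAction.getContext();
        } else {
            try {
                KerberosServiceExceptionAction action = new KerberosServiceExceptionAction(
                    ticket, effectiveServiceName, isUsernameServiceNameForm, true);
                KerberosServiceContext krbCtx = (KerberosServiceContext) Subject.doAs(subject, action);
                token = krbCtx.getKerberosToken();
                if (token == null) {
                    throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE,
                                                  "kerberosServiceTicketError");
                }
                secContext = krbCtx.getGssContext();
                delegationCredential = krbCtx.getDelegationCredential();
                spnegoPrincipal = krbCtx.getPrincipal();
            } catch (PrivilegedActionException e) {
                throw unwrapPrivilegedException(e);
            }
        }

        LOG.debug("Successfully validated a service ticket");
    }

    /**
     * Performs the JAAS login shared by the client and service paths.
     *
     * @return the authenticated subject
     * @throws WSSecurityException wrapping the {@link LoginException} on failure
     */
    private Subject login(String jaasLoginModuleName, CallbackHandler callbackHandler)
        throws WSSecurityException {
        try {
            LoginContext loginContext = callbackHandler == null
                ? new LoginContext(jaasLoginModuleName)
                : new LoginContext(jaasLoginModuleName, callbackHandler);
            loginContext.login();
            LOG.debug("Successfully authenticated to the TGT");
            return loginContext.getSubject();
        } catch (LoginException e) {
            LOG.debug(e.getMessage(), e);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "kerberosLoginError",
                                          new Object[]{e.getMessage()});
        }
    }

    /**
     * Converts the checked exception thrown from a {@code Subject.doAs} action into the
     * exception to propagate: a {@link WSSecurityException} cause is rethrown unchanged,
     * anything else is wrapped as a {@code kerberosServiceTicketError}.
     */
    private static WSSecurityException unwrapPrivilegedException(PrivilegedActionException e) {
        Throwable cause = e.getCause();
        if (cause instanceof WSSecurityException) {
            return (WSSecurityException) cause;
        }
        return new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, new Exception(cause),
                                       "kerberosServiceTicketError");
    }

    /** Sets whether mutual authentication is requested when initiating a context. */
    public void setMutualAuth(boolean mutualAuth) {
        this.mutualAuth = mutualAuth;
    }

    /** @return the token produced by the last exchange, or null if none has run */
    public byte[] getToken() {
        return token;
    }

    /** @return true only when a GSS context exists and reports itself established */
    public boolean isEstablished() {
        return secContext != null && secContext.isEstablished();
    }

    /**
     * Unwraps a key that was wrapped by the peer over the established GSS context.
     *
     * @param secret the wrapped key bytes
     * @return the unwrapped key
     * @throws WSSecurityException if no context has been established or the GSS unwrap fails
     */
    public byte[] unwrapKey(byte[] secret) throws WSSecurityException {
        if (secContext == null) {
            // Previously a NullPointerException; report it as the same error callers already handle.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "spnegoKeyError");
        }
        try {
            // QOP 0 with privacy requested: the key must arrive encrypted, not just integrity-protected.
            return secContext.unwrap(secret, 0, secret.length, new MessageProp(0, true));
        } catch (GSSException e) {
            LOG.debug("Error in unwrapping a key with the GSS context", e);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "spnegoKeyError");
        }
    }

    /**
     * Wraps a key for the peer over the established GSS context.
     *
     * @param secret the key bytes to protect
     * @return the wrapped key
     * @throws WSSecurityException if no context has been established or the GSS wrap fails
     */
    public byte[] wrapKey(byte[] secret) throws WSSecurityException {
        if (secContext == null) {
            // Previously a NullPointerException; report it as the same error callers already handle.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, "spnegoKeyError");
        }
        try {
            // QOP 0 with privacy requested: the key is encrypted, not just integrity-protected.
            return secContext.wrap(secret, 0, secret.length, new MessageProp(0, true));
        } catch (GSSException e) {
            LOG.debug("Error in wrapping a key with the GSS context", e);
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILURE, e, "spnegoKeyError");
        }
    }

    /** Installs a caller-supplied client action, replacing the built-in Kerberos one. */
    public void setSpnegoClientAction(SpnegoClientAction spnegoClientAction) {
        this.clientAction = spnegoClientAction;
    }

    /** Installs a caller-supplied service action, replacing the built-in Kerberos one. */
    public void setSpnegoServiceAction(SpnegoServiceAction spnegoServiceAction) {
        this.serviceAction = spnegoServiceAction;
    }

    /**
     * Drops the token, delegated credential and principal, resets mutual auth, and disposes
     * the GSS context if one exists. Safe to call before any exchange has run and safe to
     * call twice; after it {@link #isEstablished} returns false. Installed actions are kept.
     */
    public void clear() {
        token = null;
        mutualAuth = false;
        delegationCredential = null;
        spnegoPrincipal = null;
        if (secContext != null) {
            try {
                secContext.dispose();
            } catch (GSSException e) {
                // Best-effort cleanup: a failed dispose is logged, not propagated.
                LOG.debug("Error in cleaning up a GSS context", e);
            } finally {
                // Never keep a reference to a disposed context; wrap/unwrap must not reuse it.
                secContext = null;
            }
        }
    }

    /** @return the credential delegated by the client, or null if none was received */
    public GSSCredential getDelegationCredential() {
        return delegationCredential;
    }

    /** @return the principal authenticated by the built-in service action, or null */
    public Principal getSpnegoPrincipal() {
        return spnegoPrincipal;
    }
}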
