package org.wildfly.security.sasl.gssapi;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.sshd.common.channel.PtyChannelConfigurationHolder;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;
import org.jboss.remoting3.RemotingOptions;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.callback.IdentityCredentialCallback;
import org.wildfly.security.auth.callback.ServerCredentialCallback;
import org.wildfly.security.credential.GSSKerberosCredential;
import org.wildfly.security.mechanism._private.ElytronMessages;
import org.wildfly.security.mechanism.gssapi.GSSCredentialSecurityFactory;
import org.wildfly.security.sasl.WildFlySasl;
import org.wildfly.security.sasl.gssapi.AbstractGssapiMechanism;
import org.wildfly.security.sasl.util.SaslMechanismInformation;

/* loaded from: input_file:org/wildfly/security/sasl/gssapi/GssapiServer.class */
/**
 * Server (acceptor) side of the SASL GSSAPI mechanism.
 *
 * The negotiation is a three-state machine driven by {@link #evaluateMessage(int, byte[])}:
 * <ol>
 *   <li>{@code ACCEPTOR_STATE}: feed client tokens to {@code GSSContext.acceptSecContext} until the
 *       context is established, then verify the negotiated mechanism is Kerberos V5;</li>
 *   <li>{@code SECURITY_LAYER_ADVERTISER}: send the (integrity-wrapped) 4-byte token advertising the
 *       QOPs the server offers and its maximum receive buffer;</li>
 *   <li>{@code SECURITY_LAYER_RECEIVER}: unwrap the client's choice, validate it against what was
 *       offered, run the {@link AuthorizeCallback}, install the message wrapper and hand over any
 *       delegated credential.</li>
 * </ol>
 * Note: this listing is decompiler output; a couple of constants appear as unrelated library
 * constants with the same value (see the review notes in the constructor).
 */
final class GssapiServer extends AbstractGssapiMechanism implements SaslServer {
    // Negotiation states, in the order they are visited.
    private static final int ACCEPTOR_STATE = 1;
    private static final int SECURITY_LAYER_ADVERTISER = 2;
    private static final int SECURITY_LAYER_RECEIVER = 3;
    // Authorization identity accepted by the AuthorizeCallback; only valid once negotiation is complete.
    private String authorizationId;
    // Host part derived from the context's target name; exposed via the "javax.security.sasl.bound.server.name" property.
    private String boundServerName;
    // Bitmask of QOPs offered to the client in state 2; the client's selection is checked against it in state 3.
    private byte offeredSecurityLayer;
    // javac-generated flag backing the `assert` statements (decompiled form).
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the server and acquires the acceptor {@link GSSCredential} and {@code GSSContext}.
     *
     * @param str the protocol name (used as the service part of a host-based name when no credential is supplied)
     * @param str2 the server name, or {@code null} for an unbound acceptor
     * @param map mechanism properties; only {@link WildFlySasl#GSSAPI_CREATE_NAME_GSS_INIT} is read here
     * @param callbackHandler handler asked for a {@link GSSKerberosCredential} via {@link ServerCredentialCallback}
     * @throws SaslException if the callback handler fails with an {@link IOException}, or the credential/context cannot be created
     */
    public GssapiServer(String str, String str2, Map<String, ?> map, CallbackHandler callbackHandler) throws SaslException {
        super(SaslMechanismInformation.Names.GSSAPI, str, str2, map, callbackHandler);
        GSSName gSSName;
        GSSManager gSSManager = GSSManager.getInstance();
        // Optional workaround: force native GSS initialisation by creating a throw-away name first.
        // Failure is only traced; it never aborts construction.
        // Note: the property value is cast to String; a non-String value would throw ClassCastException here.
        if (map.containsKey(WildFlySasl.GSSAPI_CREATE_NAME_GSS_INIT) && Boolean.parseBoolean((String) map.get(WildFlySasl.GSSAPI_CREATE_NAME_GSS_INIT))) {
            try {
                // NOTE(review): the name argument shows up as an unrelated SSHD constant; this looks like a
                // decompiler constant-folding artifact (the original most likely passes a literal dummy name).
                // Confirm against the real source before treating the sshd import as a genuine dependency.
                gSSManager.createName(PtyChannelConfigurationHolder.DUMMY_PTY_TYPE, GSSName.NT_USER_NAME, GSSCredentialSecurityFactory.KERBEROS_V5);
                ElytronMessages.saslGssapi.trace("createName workaround for native GSS initialization applied");
            } catch (GSSException e) {
                ElytronMessages.saslGssapi.trace("Exception while applying createName workaround for native GSS initialization", e);
            }
        }
        GSSCredential gSSCredential = null;
        // First preference: let the callback handler supply the service credential.
        ServerCredentialCallback serverCredentialCallback = new ServerCredentialCallback(GSSKerberosCredential.class);
        try {
            ElytronMessages.saslGssapi.trace("Obtaining GSSCredential for the service from callback handler...");
            callbackHandler.handle(new Callback[]{serverCredentialCallback});
            gSSCredential = (GSSCredential) serverCredentialCallback.applyToCredential(GSSKerberosCredential.class, (v0) -> {
                return v0.getGssCredential();
            });
        } catch (IOException e2) {
            // An I/O failure in the handler is fatal for the mechanism.
            throw ElytronMessages.saslGssapi.mechCallbackHandlerFailedForUnknownReason(e2).toSaslException();
        } catch (UnsupportedCallbackException e3) {
            // Handler does not support the callback: fall back to acquiring the credential directly below.
            ElytronMessages.saslGssapi.trace("Unable to obtain GSSCredential from CallbackHandler", e3);
        }
        try {
            if (gSSCredential == null) {
                if (str2 != null) {
                    // Host-based service name "protocol@server".
                    String str3 = str + "@" + str2;
                    ElytronMessages.saslGssapi.tracef("Our name is '%s'", str3);
                    gSSName = gSSManager.createName(str3, GSSName.NT_HOSTBASED_SERVICE, GSSCredentialSecurityFactory.KERBEROS_V5);
                } else {
                    // Unbound acceptor: a null name lets the GSS layer accept for any principal it holds keys for;
                    // the actual bound name is recovered from the context's target name once established (state 3).
                    ElytronMessages.saslGssapi.tracef("Our name is unbound", new Object[0]);
                    gSSName = null;
                }
                // NOTE(review): the lifetime argument is shown as a Remoting window-size constant, another
                // decompiler artifact (the original is most likely GSSCredential.INDEFINITE_LIFETIME, same value).
                // The usage value 2 corresponds to GSSCredential.ACCEPT_ONLY in the JGSS API.
                gSSCredential = gSSManager.createCredential(gSSName, RemotingOptions.OUTGOING_CHANNEL_DEFAULT_TRANSMIT_WINDOW_SIZE, GSSCredentialSecurityFactory.KERBEROS_V5, 2);
            }
            this.gssContext = gSSManager.createContext(gSSCredential);
        } catch (GSSException e4) {
            throw ElytronMessages.saslGssapi.mechUnableToCreateGssContext(e4).toSaslException();
        }
    }

    /** Starts the state machine in the acceptor state. */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(1);
    }

    /**
     * Returns the authorization identity agreed in state 3.
     *
     * @throws IllegalStateException (presumably, via {@code assertComplete()} in the superclass) if called before negotiation completes
     */
    public String getAuthorizationID() {
        assertComplete();
        return this.authorizationId;
    }

    /**
     * SASL entry point; delegates to the superclass' single-argument {@code evaluateMessage}, which is
     * expected to dispatch to {@link #evaluateMessage(int, byte[])} with the current state.
     */
    public byte[] evaluateResponse(byte[] bArr) throws SaslException {
        return evaluateMessage(bArr);
    }

    /**
     * Processes one client message in negotiation state {@code i}.
     *
     * @param i the current negotiation state (1, 2 or 3)
     * @param bArr the client's response; may be {@code null} only when state 2 is entered internally from state 1
     * @return the challenge to send to the client, or {@code null} once negotiation is complete
     * @throws SaslException on any GSS failure, protocol violation or authorization failure
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(int i, byte[] bArr) throws SaslException {
        byte[] bArr2;
        switch (i) {
            case 1:
                if (!$assertionsDisabled && this.gssContext.isEstablished()) {
                    throw new AssertionError();
                }
                try {
                    // NOTE(review): bArr is dereferenced without a null check; a null initial response would surface
                    // as a NullPointerException rather than a SaslException. Likely unreachable for a client-first
                    // mechanism, but worth confirming at the caller.
                    byte[] acceptSecContext = this.gssContext.acceptSecContext(bArr, 0, bArr.length);
                    if (this.gssContext.isEstablished()) {
                        Oid mech = this.gssContext.getMech();
                        ElytronMessages.saslGssapi.tracef("Negotiated mechanism %s", mech);
                        // Only Kerberos V5 is acceptable for SASL GSSAPI; any other negotiated mechanism is rejected.
                        if (!GSSCredentialSecurityFactory.KERBEROS_V5.equals(mech)) {
                            throw ElytronMessages.saslGssapi.mechNegotiatedMechanismWasNotKerberosV5().toSaslException();
                        }
                        setNegotiationState(2);
                        // No final token to send: the advertiser state runs immediately so the security-layer
                        // token goes out as this round's challenge.
                        if (acceptSecContext == null || acceptSecContext.length == 0) {
                            ElytronMessages.saslGssapi.trace("No response so triggering next state immediately.");
                            return evaluateMessage(null);
                        }
                    } else {
                        ElytronMessages.saslGssapi.trace("GSSContext not established, expecting subsequent exchange.");
                    }
                    return acceptSecContext;
                } catch (GSSException e) {
                    throw ElytronMessages.saslGssapi.mechUnableToAcceptClientMessage(e).toSaslException();
                }
            case 2:
                // The client must send nothing at this point.
                if (bArr != null && bArr.length > 0) {
                    throw ElytronMessages.saslGssapi.mechInitialChallengeMustBeEmpty().toSaslException();
                }
                // Token layout: byte 0 = bitmask of offered QOPs, bytes 1..3 = max receive buffer (network order).
                byte[] bArr3 = new byte[4];
                byte b = 0;
                boolean z = false; // becomes true if at least one real security layer (INT or CONF) is offered
                for (AbstractGssapiMechanism.QOP qop : this.orderedQops) {
                    switch (qop) {
                        case AUTH_INT:
                            // Only offer integrity if the established context actually provides it.
                            if (this.gssContext.getIntegState()) {
                                b = (byte) (b | qop.getValue());
                                z = true;
                                ElytronMessages.saslGssapi.trace("Offering AUTH_INT");
                                break;
                            } else {
                                ElytronMessages.saslGssapi.trace("No integrity protection so unable to offer AUTH_INT");
                                break;
                            }
                        case AUTH_CONF:
                            // Only offer confidentiality if the established context actually provides it.
                            if (this.gssContext.getConfState()) {
                                b = (byte) (b | qop.getValue());
                                z = true;
                                ElytronMessages.saslGssapi.trace("Offering AUTH_CONF");
                                break;
                            } else {
                                ElytronMessages.saslGssapi.trace("No confidentiality available so unable to offer AUTH_CONF");
                                break;
                            }
                        default:
                            // Plain AUTH (no security layer) is always offered when configured.
                            b = (byte) (b | qop.getValue());
                            break;
                    }
                }
                if (b == 0) {
                    throw ElytronMessages.saslGssapi.mechInsufficientQopsAvailable().toSaslException();
                }
                bArr3[0] = b;
                try {
                    if (z) {
                        ElytronMessages.saslGssapi.tracef("Our max buffer size %d", this.configuredMaxReceiveBuffer);
                        bArr2 = intToNetworkOrderBytes(this.configuredMaxReceiveBuffer);
                    } else {
                        // No security layer offered: the max-buffer field must be zero.
                        ElytronMessages.saslGssapi.trace("Not offering a security layer so zero length.");
                        bArr2 = new byte[]{0, 0, 0};
                    }
                    System.arraycopy(bArr2, 0, bArr3, 1, 3);
                    // The token is wrapped with integrity only (QOP 0, privacy false), not encrypted.
                    byte[] wrap = this.gssContext.wrap(bArr3, 0, 4, new MessageProp(0, false));
                    ElytronMessages.saslGssapi.trace("Transitioning to receive chosen security layer from client");
                    this.offeredSecurityLayer = b;
                    setNegotiationState(3);
                    return wrap;
                } catch (GSSException e2) {
                    throw ElytronMessages.saslGssapi.mechUnableToGenerateChallenge(e2).toSaslException();
                }
            case 3:
                try {
                    // NOTE(review): as in state 1, a null bArr would NPE here before reaching the unwrap error path.
                    byte[] unwrap = this.gssContext.unwrap(bArr, 0, bArr.length, new MessageProp(0, false));
                    if (unwrap.length < 4) {
                        throw ElytronMessages.saslGssapi.mechInvalidMessageOnUnwrapping(unwrap.length).toSaslException();
                    }
                    // Reject a selection that shares no bit with what was offered.
                    // NOTE(review): this AND only proves that *some* offered bit is set; a byte with several bits set,
                    // or an unoffered bit alongside an offered one, passes and is left to QOP.mapFromValue (not
                    // visible here). The assert below is off in production, so confirm mapFromValue rejects such
                    // values rather than returning null, which would reach selectedQop/setWrapper unchecked.
                    if ((this.offeredSecurityLayer & unwrap[0]) == 0) {
                        throw ElytronMessages.saslGssapi.mechSelectedUnofferedQop().toSaslException();
                    }
                    AbstractGssapiMechanism.QOP mapFromValue = AbstractGssapiMechanism.QOP.mapFromValue(unwrap[0]);
                    if (!$assertionsDisabled && mapFromValue == null) {
                        throw new AssertionError();
                    }
                    // Client's max receive buffer, bytes 1..3 in network order.
                    this.maxBuffer = networkOrderBytesToInt(unwrap, 1, 3);
                    ElytronMessages.saslGssapi.tracef("Client selected security layer %s, with maxBuffer of %d", mapFromValue, Integer.valueOf(this.maxBuffer));
                    // Strict mode: a client that chose no security layer must send a zero buffer size.
                    if (!this.relaxComplianceChecks && mapFromValue == AbstractGssapiMechanism.QOP.AUTH && this.maxBuffer != 0) {
                        throw ElytronMessages.saslGssapi.mechNoSecurityLayerButLengthReceived().toSaslException();
                    }
                    try {
                        // Clamp our outgoing message size so wrapped output fits the client's buffer.
                        this.maxBuffer = this.gssContext.getWrapSizeLimit(0, mapFromValue == AbstractGssapiMechanism.QOP.AUTH_CONF, this.maxBuffer);
                        this.selectedQop = mapFromValue;
                        try {
                            // Bound server name = second component of the target name when split on '/' or '@'
                            // (e.g. the host in "service/host@REALM" or "service@host"); otherwise the whole name.
                            String gSSName = this.gssContext.getTargName().toString();
                            String[] split = gSSName.split("[/@]");
                            this.boundServerName = split.length > 1 ? split[1] : gSSName;
                            try {
                                // Authentication identity is the GSS initiator name; the authorization identity is
                                // any UTF-8 text after the 4-byte header, defaulting to the authentication identity.
                                String gSSName2 = this.gssContext.getSrcName().toString();
                                String str = unwrap.length > 4 ? new String(unwrap, 4, unwrap.length - 4, StandardCharsets.UTF_8) : gSSName2;
                                ElytronMessages.saslGssapi.tracef("Authentication ID=%s,  Authorization ID=%s", gSSName2, str);
                                // The callback handler decides whether gSSName2 may act as str; a rejection ends the negotiation.
                                AuthorizeCallback authorizeCallback = new AuthorizeCallback(gSSName2, str);
                                handleCallbacks(authorizeCallback);
                                if (!authorizeCallback.isAuthorized()) {
                                    throw ElytronMessages.saslGssapi.mechAuthorizationFailed(gSSName2, str).toSaslException();
                                }
                                this.authorizationId = str;
                                // Install the wrap/unwrap layer only if a security layer was selected.
                                if (mapFromValue != AbstractGssapiMechanism.QOP.AUTH) {
                                    ElytronMessages.saslGssapi.trace("Setting message wrapper.");
                                    setWrapper(new AbstractGssapiMechanism.GssapiWrapper(mapFromValue == AbstractGssapiMechanism.QOP.AUTH_CONF));
                                }
                                try {
                                    // Best-effort hand-over of a delegated (forwardable) credential to the identity layer.
                                    GSSCredential delegCred = this.gssContext.getDelegCred();
                                    if (delegCred != null) {
                                        tryHandleCallbacks(new IdentityCredentialCallback(new GSSKerberosCredential(delegCred), true));
                                    } else {
                                        ElytronMessages.saslGssapi.trace("No GSSCredential delegated during authentication.");
                                    }
                                } catch (UnsupportedCallbackException | GSSException e3) {
                                    // Deliberately ignored: delegation is optional. NOTE(review): a trace here would help
                                    // diagnose a silently dropped delegated credential.
                                } catch (SaslException e4) {
                                    throw e4;
                                }
                                ElytronMessages.saslGssapi.trace("Negotiation complete.");
                                negotiationComplete();
                                return null;
                            } catch (GSSException e5) {
                                throw ElytronMessages.saslGssapi.mechUnableToDeterminePeerName(e5).toSaslException();
                            }
                        } catch (GSSException e6) {
                            throw ElytronMessages.saslGssapi.mechUnableToDetermineBoundServerName(e6).toSaslException();
                        }
                    } catch (GSSException e7) {
                        throw ElytronMessages.saslGssapi.mechUnableToGetMaximumSizeOfMessage(e7).toSaslException();
                    }
                } catch (GSSException e8) {
                    throw ElytronMessages.saslGssapi.mechUnableToUnwrapMessage(e8).toSaslException();
                }
            default:
                throw Assert.impossibleSwitchCase(i);
        }
    }

    /**
     * Exposes the bound server name under the standard SASL property key; everything else goes to the superclass.
     * Only valid once negotiation is complete.
     */
    @Override // org.wildfly.security.sasl.gssapi.AbstractGssapiMechanism, org.wildfly.security.sasl.util.AbstractSaslParticipant
    public Object getNegotiatedProperty(String str) {
        assertComplete();
        return "javax.security.sasl.bound.server.name".equals(str) ? this.boundServerName : super.getNegotiatedProperty(str);
    }

    static {
        $assertionsDisabled = !GssapiServer.class.desiredAssertionStatus();
    }
}
