package org.wildfly.security.auth.util;

import io.netty.channel.internal.ChannelUtils;
import java.io.File;
import java.io.IOException;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.wildfly.common.Assert;
import org.wildfly.common.function.ExceptionSupplier;
import org.wildfly.security.SecurityFactory;
import org.wildfly.security.auth.callback.FastUnsupportedCallbackException;
import org.wildfly.security.credential.GSSKerberosCredential;
import org.wildfly.security.manager.action.SetContextClassLoaderAction;

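/**
 * A {@link SecurityFactory} that obtains a {@link GSSKerberosCredential} by logging in through the
 * platform {@code Krb5LoginModule} (keytab based, never interactive) and caches the result.
 *
 * <p>{@link #create()} returns the cached credential while its remaining lifetime is at least
 * {@code minimumRemainingLifetime} seconds; otherwise a fresh login is performed and the new
 * credential replaces the cached one. Instances are configured through {@link #builder()}.
 *
 * <p>Thread-safety: the cache is a single volatile reference and no lock is held. Concurrent
 * callers that both observe an expired credential may each perform a login; the last write wins.
 *
 * @deprecated retained for backwards compatibility only
 */
@Deprecated
public final class GSSCredentialSecurityFactory implements SecurityFactory<GSSKerberosCredential> {
    private static final boolean IS_IBM = System.getProperty("java.vendor", "").contains("IBM");
    private static final String SUN_KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String IBM_KRB5_LOGIN_MODULE = "com.ibm.security.auth.module.Krb5LoginModule";
    /** Name under which the private login {@link Configuration} answers and the {@link LoginContext} is created. */
    private static final String LOGIN_CONTEXT_NAME = "KDC";
    /** OID of the Kerberos V5 GSS-API mechanism (RFC 1964). */
    public static final Oid KERBEROS_V5;
    /** OID of the SPNEGO pseudo-mechanism (RFC 4178). */
    public static final Oid SPNEGO;
    /** Seconds a cached credential must still have left to be reused; never negative (clamped by the builder). */
    private final int minimumRemainingLifetime;
    /** Performs the actual login; invoked on every cache miss. */
    private final ExceptionSupplier<GSSKerberosCredential, GeneralSecurityException> rawSupplier;
    /** Most recently obtained credential, shared by every caller of {@link #create()}. */
    private volatile GSSKerberosCredential cachedCredential;

    /**
     * Single-use builder for {@link GSSCredentialSecurityFactory}.
     *
     * <p>All setters and {@link #build()} throw once {@link #build()} has been called, so the
     * configuration captured at build time stays fixed for the lifetime of the factory.
     */
    public static class Builder {
        private String principal;
        private File keyTab;
        private boolean isServer;
        private boolean obtainKerberosTicket;
        private int minimumRemainingLifetime;
        // Stays 0 (GSSCredential.DEFAULT_LIFETIME) unless setRequestLifetime() is called.
        private int requestLifetime;
        private boolean debug;
        private boolean wrapGssCredential;
        private boolean checkKeyTab;
        private Map<String, Object> options;
        private boolean built = false;
        private final List<Oid> mechanismOids = new ArrayList<>();
        // Wall-clock time of the last failed login; only written when failCache != 0.
        private volatile long lastFailTime = 0;
        // Seconds during which further logins are skipped after a failure; 0 disables the throttle.
        private long failCache = 0;

        Builder() {
        }

        /**
         * Sets the keytab file holding the long-term key of the principal.
         *
         * @param file the keytab file, or {@code null} to let the login module use its default
         * @return this builder
         */
        public Builder setKeyTab(File file) {
            assertNotBuilt();
            this.keyTab = file;
            return this;
        }

        /**
         * Marks the credential as an acceptor (server) credential. The GSS credential is then
         * acquired with {@link GSSCredential#ACCEPT_ONLY} usage and, unless a Kerberos ticket is
         * also requested, the login module is configured as a non-initiator.
         *
         * @param z {@code true} for a server credential
         * @return this builder
         */
        public Builder setIsServer(boolean z) {
            assertNotBuilt();
            this.isServer = z;
            return this;
        }

        /**
         * Requests that the {@link KerberosTicket} obtained by the login is attached to the
         * credential. This also configures the login module as an initiator; the login fails if
         * the subject ends up with more than one ticket.
         *
         * @param z {@code true} to capture the ticket
         * @return this builder
         */
        public Builder setObtainKerberosTicket(boolean z) {
            assertNotBuilt();
            this.obtainKerberosTicket = z;
            return this;
        }

        /**
         * Sets the minimum remaining lifetime, in seconds, a cached credential must have to be
         * reused by {@link GSSCredentialSecurityFactory#create()}. Negative values are treated as 0.
         *
         * @param i the minimum remaining lifetime in seconds
         * @return this builder
         */
        public Builder setMinimumRemainingLifetime(int i) {
            assertNotBuilt();
            this.minimumRemainingLifetime = i;
            return this;
        }

        /**
         * Sets the lifetime, in seconds, requested when the GSS credential is acquired.
         *
         * @param i the requested lifetime; a negative value requests {@link GSSCredential#INDEFINITE_LIFETIME}
         * @return this builder
         */
        public Builder setRequestLifetime(int i) {
            assertNotBuilt();
            this.requestLifetime = i < 0 ? GSSCredential.INDEFINITE_LIFETIME : i;
            return this;
        }

        /**
         * Adds a mechanism OID the acquired credential must support (e.g. {@link #KERBEROS_V5}).
         *
         * @param oid the mechanism OID (must not be {@code null})
         * @return this builder
         */
        public Builder addMechanismOid(Oid oid) {
            assertNotBuilt();
            this.mechanismOids.add(Assert.checkNotNullParam("oid", oid));
            return this;
        }

        /**
         * Sets the Kerberos principal name to log in as.
         *
         * @param str the principal name
         * @return this builder
         */
        public Builder setPrincipal(String str) {
            assertNotBuilt();
            this.principal = str;
            return this;
        }

        /**
         * Enables the login module's {@code debug} option.
         *
         * @param z {@code true} to enable login-module debug output
         * @return this builder
         */
        public Builder setDebug(boolean z) {
            assertNotBuilt();
            this.debug = z;
            return this;
        }

        /**
         * Wraps the acquired GSS credential so that {@link GSSCredential#dispose()} on the handed-out
         * credential does not release the shared, cached one (see {@link #wrapCredential(GSSCredential)}).
         *
         * @param z {@code true} to wrap the credential
         * @return this builder
         */
        public Builder setWrapGssCredential(boolean z) {
            assertNotBuilt();
            this.wrapGssCredential = z;
            return this;
        }

        /**
         * Requests that {@link #build()} verifies the keytab exists and contains a key for the
         * principal, so a misconfiguration is reported at build time rather than on first use.
         *
         * @param z {@code true} to validate the keytab in {@link #build()}
         * @return this builder
         */
        public Builder setCheckKeyTab(boolean z) {
            assertNotBuilt();
            this.checkKeyTab = z;
            return this;
        }

        /**
         * Sets additional login-module options. They are applied after the generated ones, so a key
         * such as {@code keyTab} or {@code principal} supplied here overrides the builder's value;
         * the map must therefore come from trusted configuration. The map is read once, in {@link #build()}.
         *
         * @param map extra options, or {@code null} for none
         * @return this builder
         */
        public Builder setOptions(Map<String, Object> map) {
            assertNotBuilt();
            this.options = map;
            return this;
        }

        /**
         * Sets how long, in seconds, login attempts are skipped after a failed login. This keeps a
         * broken configuration from contacting the KDC on every request.
         *
         * @param j the back-off period in seconds; 0 disables the throttle
         * @return this builder
         */
        public Builder setFailCache(long j) {
            assertNotBuilt();
            this.failCache = j;
            return this;
        }

        /**
         * Builds the factory. The login configuration is computed now; the login itself happens
         * lazily on the first {@link GSSCredentialSecurityFactory#create()}.
         *
         * @return the security factory
         * @throws IOException if keytab checking was requested and the keytab is missing or holds no
         *         key for the principal, or if the keytab location cannot be expressed as a URL
         * @throws IllegalStateException if {@code build()} was already called
         */
        public SecurityFactory<GSSKerberosCredential> build() throws IOException {
            assertNotBuilt();
            if (this.checkKeyTab) {
                checkKeyTab();
            }
            final Configuration configuration = createConfiguration();
            this.built = true;
            return new GSSCredentialSecurityFactory(Math.max(this.minimumRemainingLifetime, 0),
                    () -> createGSSCredential(configuration));
        }

        /**
         * Performs the JAAS login and acquires the credential; called by the factory on every cache miss.
         *
         * @param configuration the login configuration produced by {@link #createConfiguration()}
         * @return the freshly acquired credential
         * @throws GeneralSecurityException if logins are throttled after a recent failure, if the
         *         login fails, if the subject does not hold exactly one Kerberos principal (or, when
         *         requested, more than one ticket), or if the GSS credential cannot be acquired
         */
        private GSSKerberosCredential createGSSCredential(Configuration configuration) throws GeneralSecurityException {
            if (this.failCache != 0 && System.currentTimeMillis() - this.lastFailTime < this.failCache * 1000) {
                throw ElytronMessages.log.initialLoginSkipped(this.failCache);
            }
            final Subject subject = new Subject();
            try {
                final LoginContext loginContext = newLoginContext(subject, configuration);
                ElytronMessages.log.tracef("Logging in using LoginContext and subject [%s]", subject);
                loginContext.login();
                ElytronMessages.log.tracef("Logging in using LoginContext and subject [%s] succeed", subject);
                final KerberosTicket ticket = this.obtainKerberosTicket ? findKerberosTicket(subject) : null;
                final GSSManager manager = GSSManager.getInstance();
                // Acquire as the logged-in subject: that is where the Kerberos keys and ticket live.
                return Subject.doAs(subject, (PrivilegedExceptionAction<GSSKerberosCredential>) () ->
                        acquireCredential(manager, subject, ticket));
            } catch (PrivilegedActionException e) {
                // Unwrap what acquireCredential() threw; anything else is still a security failure.
                if (e.getCause() instanceof GeneralSecurityException) {
                    throw (GeneralSecurityException) e.getCause();
                }
                throw new GeneralSecurityException(e.getCause());
            } catch (LoginException e) {
                if (this.failCache != 0) {
                    this.lastFailTime = System.currentTimeMillis();
                }
                throw ElytronMessages.log.unableToPerformInitialLogin(e);
            }
        }

        /**
         * Creates the {@link LoginContext} with the thread's context class loader temporarily set to
         * this library's loader, which is the loader the JAAS machinery uses to resolve the login
         * module class. The previous loader is restored on every exit path.
         */
        private static LoginContext newLoginContext(Subject subject, Configuration configuration) throws LoginException {
            final ClassLoader previous = doPrivileged(new SetContextClassLoaderAction(Builder.class.getClassLoader()));
            try {
                return new LoginContext(LOGIN_CONTEXT_NAME, subject, callbacks -> {
                    // No callback is ever answered: credentials come from the keytab/ticket cache only,
                    // never from an interactive prompt.
                    throw new FastUnsupportedCallbackException(callbacks[0]);
                }, configuration);
            } finally {
                doPrivileged(new SetContextClassLoaderAction(previous));
            }
        }

        /**
         * Returns the single {@link KerberosTicket} held by the subject, or {@code null} if it has none.
         *
         * @throws GeneralSecurityException if the subject holds more than one ticket
         */
        private static KerberosTicket findKerberosTicket(Subject subject) throws GeneralSecurityException {
            final Set<KerberosTicket> tickets = doPrivileged(() -> subject.getPrivateCredentials(KerberosTicket.class));
            if (tickets.size() > 1) {
                throw ElytronMessages.log.tooManyKerberosTicketsFound();
            }
            return tickets.isEmpty() ? null : tickets.iterator().next();
        }

        /**
         * Acquires the GSS credential for the subject's (single) Kerberos principal. Must run inside
         * {@link Subject#doAs}.
         *
         * @throws GeneralSecurityException if the subject holds no or more than one Kerberos principal
         * @throws GSSException if the GSS provider cannot create the name or credential
         */
        private GSSKerberosCredential acquireCredential(GSSManager manager, Subject subject, KerberosTicket ticket)
                throws GeneralSecurityException, GSSException {
            final Set<KerberosPrincipal> principals = subject.getPrincipals(KerberosPrincipal.class);
            if (principals.isEmpty()) {
                throw ElytronMessages.log.noKerberosPrincipalsFound();
            }
            if (principals.size() > 1) {
                throw ElytronMessages.log.tooManyKerberosPrincipalsFound();
            }
            final KerberosPrincipal kerberosPrincipal = principals.iterator().next();
            ElytronMessages.log.tracef("Creating GSSName for Principal '%s'", kerberosPrincipal);
            final GSSName name = manager.createName(kerberosPrincipal.getName(), GSSName.NT_USER_NAME, KERBEROS_V5);
            // Servers get accept-only credentials; everything else initiate-only.
            final int usage = this.isServer ? GSSCredential.ACCEPT_ONLY : GSSCredential.INITIATE_ONLY;
            final Oid[] mechanisms = this.mechanismOids.toArray(new Oid[0]);
            GSSCredential credential = manager.createCredential(name, this.requestLifetime, mechanisms, usage);
            if (this.wrapGssCredential) {
                credential = wrapCredential(credential);
            }
            return new GSSKerberosCredential(credential, ticket);
        }

        /**
         * Runs {@code privilegedAction} under {@link AccessController#doPrivileged} when a security
         * manager is installed, and directly otherwise.
         */
        private static <T> T doPrivileged(PrivilegedAction<T> privilegedAction) {
            return System.getSecurityManager() != null
                    ? AccessController.doPrivileged(privilegedAction)
                    : privilegedAction.run();
        }

        /**
         * Fails fast when the configured keytab is absent or holds no key for the principal.
         * Requires both the keytab and the principal to have been set.
         *
         * @throws IOException if the keytab does not exist or has no key for the principal
         */
        private void checkKeyTab() throws IOException {
            final KeyTab table = KeyTab.getInstance(this.keyTab);
            if (!table.exists()) {
                throw ElytronMessages.log.keyTabDoesNotExists(this.keyTab.getAbsolutePath());
            }
            if (table.getKeys(new KerberosPrincipal(this.principal)).length == 0) {
                throw ElytronMessages.log.noKeysForPrincipalInKeyTab(this.principal, this.keyTab.getAbsolutePath());
            }
        }

        /**
         * Builds a private JAAS {@link Configuration} with a single REQUIRED {@code Krb5LoginModule}
         * entry (Sun or IBM variant, chosen by vendor) answering only to {@value #LOGIN_CONTEXT_NAME}.
         *
         * @throws IOException if the keytab path cannot be converted to a URL (IBM variant)
         */
        private Configuration createConfiguration() throws IOException {
            final Map<String, Object> moduleOptions = new HashMap<>();
            if (this.debug) {
                moduleOptions.put("debug", "true");
            }
            moduleOptions.put("principal", this.principal);
            // An acceptor only needs its long-term key unless a ticket was explicitly requested.
            final boolean initiator = !this.isServer || this.obtainKerberosTicket;
            if (IS_IBM) {
                moduleOptions.put("noAddress", "true");
                moduleOptions.put("credsType", initiator ? "both" : "acceptor");
                if (this.keyTab != null) {
                    moduleOptions.put("useKeytab", this.keyTab.toURI().toURL().toString());
                }
            } else {
                moduleOptions.put("storeKey", "true");
                moduleOptions.put("useKeyTab", "true");
                if (this.keyTab != null) {
                    moduleOptions.put("keyTab", this.keyTab.getAbsolutePath());
                }
                moduleOptions.put("isInitiator", initiator ? "true" : "false");
            }
            // Caller-supplied options win over the generated ones, including keyTab and principal.
            if (this.options != null) {
                moduleOptions.putAll(this.options);
            }
            // Trace level only; note that caller-supplied options are logged verbatim.
            ElytronMessages.log.tracef("Created LoginContext configuration: %s", moduleOptions.toString());
            final AppConfigurationEntry[] entries = {
                new AppConfigurationEntry(IS_IBM ? IBM_KRB5_LOGIN_MODULE : SUN_KRB5_LOGIN_MODULE,
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, moduleOptions)
            };
            return new Configuration() {
                @Override
                public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                    // This configuration is only ever handed to the LoginContext created here.
                    assert LOGIN_CONTEXT_NAME.equals(name);
                    return entries;
                }
            };
        }

        /**
         * @throws IllegalStateException if {@link #build()} has already been called
         */
        private void assertNotBuilt() {
            if (this.built) {
                throw ElytronMessages.log.builderAlreadyBuilt();
            }
        }
    }

    /**
     * @param i minimum remaining lifetime in seconds for a cached credential to be reused
     * @param exceptionSupplier performs the login on a cache miss
     */
    GSSCredentialSecurityFactory(int i, ExceptionSupplier<GSSKerberosCredential, GeneralSecurityException> exceptionSupplier) {
        this.minimumRemainingLifetime = i;
        this.rawSupplier = exceptionSupplier;
    }

    /**
     * Returns the cached credential if it still has at least {@code minimumRemainingLifetime}
     * seconds left, otherwise obtains a new one and caches it.
     *
     * @return a usable credential
     * @throws GeneralSecurityException if the remaining lifetime cannot be determined or a new login fails
     */
    @Override
    public GSSKerberosCredential create() throws GeneralSecurityException {
        final GSSKerberosCredential cached = this.cachedCredential;
        final GSSCredential cachedGss = cached != null ? cached.getGssCredential() : null;
        if (hasSufficientLifetime(cachedGss)) {
            ElytronMessages.log.tracef("Used cached GSSCredential [%s]", cachedGss);
            return cached;
        }
        ElytronMessages.log.tracef("No valid cached credential, obtaining new one...");
        final GSSKerberosCredential fresh = this.rawSupplier.get();
        ElytronMessages.log.tracef("Obtained GSSCredentialCredential [%s]", fresh);
        this.cachedCredential = fresh;
        return fresh;
    }

    /**
     * Returns whether {@code credential} is non-null and has at least {@code minimumRemainingLifetime} seconds left.
     *
     * @throws GeneralSecurityException if the GSS provider cannot report the remaining lifetime
     */
    private boolean hasSufficientLifetime(GSSCredential credential) throws GeneralSecurityException {
        if (credential == null) {
            return false;
        }
        try {
            return credential.getRemainingLifetime() >= this.minimumRemainingLifetime;
        } catch (GSSException e) {
            throw new GeneralSecurityException(e);
        }
    }

    /**
     * @return a new, unbuilt {@link Builder}
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Wraps {@code delegate} so that {@link GSSCredential#dispose()} becomes a no-op while every
     * other call is forwarded. Consumers of a handed-out credential therefore cannot release the
     * underlying credential, which this factory keeps cached and shares across callers.
     *
     * @param delegate the credential to protect
     * @return the non-disposable view
     */
    public static GSSCredential wrapCredential(final GSSCredential delegate) {
        return new GSSCredential() {
            @Override
            public int getUsage(Oid oid) throws GSSException {
                return delegate.getUsage(oid);
            }

            @Override
            public int getUsage() throws GSSException {
                return delegate.getUsage();
            }

            @Override
            public int getRemainingLifetime() throws GSSException {
                return delegate.getRemainingLifetime();
            }

            @Override
            public int getRemainingInitLifetime(Oid oid) throws GSSException {
                return delegate.getRemainingInitLifetime(oid);
            }

            @Override
            public int getRemainingAcceptLifetime(Oid oid) throws GSSException {
                return delegate.getRemainingAcceptLifetime(oid);
            }

            @Override
            public GSSName getName(Oid oid) throws GSSException {
                return delegate.getName(oid);
            }

            @Override
            public GSSName getName() throws GSSException {
                return delegate.getName();
            }

            @Override
            public Oid[] getMechs() throws GSSException {
                return delegate.getMechs();
            }

            @Override
            public void dispose() throws GSSException {
                // Intentionally not forwarded: the wrapped credential is shared via the cache.
            }

            @Override
            public void add(GSSName gSSName, int i, int i2, Oid oid, int i3) throws GSSException {
                delegate.add(gSSName, i, i2, oid, i3);
            }
        };
    }

    static {
        // Both OIDs are well-known constants; failing to parse them makes the class unusable.
        try {
            KERBEROS_V5 = new Oid("1.2.840.113554.1.2.2");
            SPNEGO = new Oid("1.3.6.1.5.5.2");
        } catch (GSSException e) {
            throw new RuntimeException("Unable to initialise Oid", e);
        }
    }
}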
