package org.infinispan.test.integration.security.embedded;

import java.io.File;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.infinispan.commons.test.ThreadLeakChecker;
import org.infinispan.commons.test.skip.SkipJunit;
import org.infinispan.security.AuthorizationPermission;
import org.infinispan.security.PrincipalRoleMapper;
import org.infinispan.test.integration.security.embedded.AbstractNodeAuthentication;
import org.infinispan.test.integration.security.tasks.AbstractKrb5ConfServerSetupTask;
import org.infinispan.test.integration.security.tasks.AbstractSecurityDomainsServerSetupTask;
import org.infinispan.test.integration.security.tasks.AbstractSystemPropertiesServerSetupTask;
import org.infinispan.test.integration.security.tasks.AbstractTraceLoggingServerSetupTask;
import org.infinispan.test.integration.security.utils.ApacheDsKrbLdap;
import org.infinispan.test.integration.security.utils.Deployments;
import org.infinispan.test.integration.security.utils.SimplePrincipalGroupRoleMapper;
import org.infinispan.test.integration.security.utils.Utils;
import org.jboss.arquillian.container.test.api.Deployment;
import org.jboss.arquillian.container.test.api.TargetsContainer;
import org.jboss.arquillian.junit.Arquillian;
import org.jboss.as.arquillian.api.ServerSetup;
import org.jboss.as.arquillian.api.ServerSetupTask;
import org.jboss.as.arquillian.container.ManagementClient;
import org.jboss.as.test.integration.security.common.config.SecurityDomain;
import org.jboss.as.test.integration.security.common.config.SecurityModule;
import org.jboss.security.negotiation.AdvancedLdapLoginModule;
import org.jboss.shrinkwrap.api.spec.WebArchive;
import org.junit.ClassRule;
import org.junit.runner.RunWith;

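/**
 * Integration test for Kerberos (SPNEGO) + LDAP authentication against an
 * embedded Infinispan cache, driven by Arquillian.
 *
 * <p>The {@link ServerSetup} tasks (applied in the listed order) install the
 * Kerberos system properties, the per-role security domains, trace logging for
 * the security subsystems, an in-process ApacheDS KDC/LDAP server and the
 * keytab / krb5.conf files. Each test role (admin, writer, reader,
 * unprivileged) gets its own Kerberos principal, keytab and security domain.
 *
 * <p>Credentials here are test fixtures only: the plaintext passwords are taken
 * from {@code LdapAuthenticationIT} and the keytabs are generated in the JVM's
 * temporary directory.
 */
@ServerSetup({KerberosSystemPropertiesSetupTask.class, SecurityDomainsSetupTask.class, SecurityTraceLoggingServerSetupTask.class, KrbLdapServerSetupTask.class, Krb5ConfServerSetupTask.class})
@RunWith(Arquillian.class)
public class KrbLdapAuthenticationIT extends AbstractAuthentication {

    /** Skips the whole class on JDK 13+; the constructor argument is the JDK major version. */
    @ClassRule
    public static SkipJunit skip = new SkipJunit(13);
    /** String form of {@code true}, reused for the many boolean-valued login-module options. */
    private static final String TRUE = Boolean.TRUE.toString();
    public static final String ADMIN_ROLE = "AdminIspnRole";
    public static final String WRITER_ROLE = "WriterIspnRole";
    public static final String READER_ROLE = "ReaderIspnRole";
    public static final String UNPRIVILEGED_ROLE = "UnprivilegedIspnRole";

    /** Kerberos realm appended to every principal name used by this test. */
    private static final String REALM_SUFFIX = "@INFINISPAN.ORG";

    /**
     * Builds the container-side path of a keytab generated under
     * {@code ${java.io.tmpdir}/keytabs}. The {@code ${java.io.tmpdir}}
     * placeholder is left for the server to expand, so the returned string is
     * not a usable path in this JVM.
     *
     * @param name keytab base name (without the {@code .keytab} extension)
     * @return the templated keytab path
     */
    private static String keytabPath(String name) {
        return "${java.io.tmpdir}" + File.separator + "keytabs" + File.separator + name + ".keytab";
    }

    /**
     * Supplies the Kerberos-related system properties for the application server.
     */
    static class KerberosSystemPropertiesSetupTask extends AbstractSystemPropertiesServerSetupTask {
        KerberosSystemPropertiesSetupTask() {
        }

        /**
         * @return the krb5.conf location, Kerberos debug flag and the JBoss
         *         "disable secdomain option" flag, converted to server system properties
         */
        @Override // org.infinispan.test.integration.security.tasks.AbstractSystemPropertiesServerSetupTask
        protected AbstractSystemPropertiesServerSetupTask.SystemProperty[] getSystemProperties() {
            Map<String, String> properties = new HashMap<>();
            // Container-side krb5.conf; note this differs from the path the test JVM
            // uses in KrbLdapServerSetupTask (there it is the krb5.conf test resource).
            properties.put("java.security.krb5.conf", "${java.io.tmpdir}" + File.separator + "krb5.conf");
            // Kerberos debug output is verbose and may include principal/ticket
            // details in the server log; acceptable for a test container only.
            properties.put("java.security.krb5.debug", KrbLdapAuthenticationIT.TRUE);
            properties.put("jboss.security.disable.secdomain.option", KrbLdapAuthenticationIT.TRUE);
            return mapToSystemProperties(properties);
        }
    }

    /**
     * Generates the krb5.conf and one keytab per test principal.
     */
    static class Krb5ConfServerSetupTask extends AbstractKrb5ConfServerSetupTask {
        public static final File ADMIN_KEYTAB_FILE = new File(KEYTABS_DIR, "admin.keytab");
        public static final File WRITER_KEYTAB_FILE = new File(KEYTABS_DIR, "writer.keytab");
        public static final File READER_KEYTAB_FILE = new File(KEYTABS_DIR, "reader.keytab");
        public static final File UNPRIV_KEYTAB_FILE = new File(KEYTABS_DIR, "unprivileged.keytab");

        Krb5ConfServerSetupTask() {
        }

        /**
         * @return the four test principals with their (test-only) passwords and
         *         the keytab file each one is written to
         */
        @Override // org.infinispan.test.integration.security.tasks.AbstractKrb5ConfServerSetupTask
        protected List<AbstractKrb5ConfServerSetupTask.UserForKeyTab> kerberosUsers() {
            List<AbstractKrb5ConfServerSetupTask.UserForKeyTab> users = new ArrayList<>();
            users.add(new AbstractKrb5ConfServerSetupTask.UserForKeyTab("admin" + REALM_SUFFIX, LdapAuthenticationIT.ADMIN_PASSWD, ADMIN_KEYTAB_FILE));
            users.add(new AbstractKrb5ConfServerSetupTask.UserForKeyTab("writer" + REALM_SUFFIX, LdapAuthenticationIT.WRITER_PASSWD, WRITER_KEYTAB_FILE));
            users.add(new AbstractKrb5ConfServerSetupTask.UserForKeyTab("reader" + REALM_SUFFIX, LdapAuthenticationIT.READER_PASSWD, READER_KEYTAB_FILE));
            users.add(new AbstractKrb5ConfServerSetupTask.UserForKeyTab("unprivileged" + REALM_SUFFIX, LdapAuthenticationIT.UNPRIVILEGED_PASSWD, UNPRIV_KEYTAB_FILE));
            return users;
        }
    }

    /**
     * Starts and stops the in-process ApacheDS Kerberos + LDAP server used by the test.
     */
    static class KrbLdapServerSetupTask implements ServerSetupTask {
        /** The running server; {@code null} until {@link #setup} has succeeded. */
        private static ApacheDsKrbLdap krbLdapServer;

        KrbLdapServerSetupTask() {
        }

        /**
         * Points this (test-runner) JVM at the krb5.conf test resource and starts
         * the ApacheDS server bound to the container's canonical host name.
         *
         * @param managementClient used to resolve the canonical host name
         * @param containerId      unused
         * @throws Exception if the server fails to start
         */
        @Override
        public void setup(ManagementClient managementClient, String containerId) throws Exception {
            String canonicalHost = Utils.getCannonicalHost(managementClient);
            System.setProperty("java.security.krb5.conf", Utils.getResource("krb5.conf").getPath());
            krbLdapServer = new ApacheDsKrbLdap(canonicalHost);
            krbLdapServer.start();
        }

        /**
         * Stops the ApacheDS server, if it was started. The null guard avoids an
         * NPE masking the real failure when {@link #setup} threw before assigning
         * the field.
         *
         * @param managementClient unused
         * @param containerId      unused
         * @throws Exception if the server fails to stop
         */
        @Override
        public void tearDown(ManagementClient managementClient, String containerId) throws Exception {
            // ApacheDS leaves its executor threads behind; exclude them from the leak check.
            ThreadLeakChecker.ignoreThreadsContaining("pool-.*thread-");
            if (krbLdapServer != null) {
                krbLdapServer.stop();
            }
        }
    }

    /**
     * Configures the JBoss security domains: one Kerberos (keytab) domain for the
     * LDAP service and for each role, plus one SPNEGO + LDAP domain per role.
     */
    static class SecurityDomainsSetupTask extends AbstractSecurityDomainsServerSetupTask {
        /** LDAP port of the embedded ApacheDS server. */
        private static final int LDAP_PORT = 10389;
        /** Name (suffix) of the Kerberos domain holding the LDAP service credentials. */
        private static final String LDAP_SERVICE_DOMAIN = "ldap-service";

        SecurityDomainsSetupTask() {
        }

        @Override // org.infinispan.test.integration.security.tasks.AbstractSecurityDomainsServerSetupTask
        protected SecurityDomain[] getSecurityDomains() {
            List<SecurityDomain> domains = new ArrayList<>();
            // Service principal: acquires forwardable/storable credentials so it can act as acceptor.
            domains.add(getKrbSecurityDomain(LDAP_SERVICE_DOMAIN, "ldap/" + Utils.getCannonicalHost(this.managementClient), true));
            String[] roles = {LdapAuthenticationIT.ADMIN_ROLE, LdapAuthenticationIT.WRITER_ROLE, LdapAuthenticationIT.READER_ROLE, LdapAuthenticationIT.UNPRIVILEGED_ROLE};
            // One keytab-backed Kerberos domain per role (domain name == principal name).
            for (String role : roles) {
                domains.add(getKrbSecurityDomain(role, role, false));
            }
            // One SPNEGO + LDAP role-lookup domain per role, all delegating to the service domain.
            for (String role : roles) {
                domains.add(getSpnegoSecurityDomain(role, this.managementClient, LDAP_PORT, LDAP_SERVICE_DOMAIN));
            }
            return domains.toArray(new SecurityDomain[0]);
        }

        /**
         * Builds a security domain with a single Kerberos login module backed by
         * the keytab {@code ${java.io.tmpdir}/keytabs/<name>.keytab}.
         *
         * @param name      domain name suffix and keytab base name
         * @param principal Kerberos principal (realm is appended here)
         * @param isService {@code true} for the LDAP service domain: enables
         *                  credential storing/forwarding options; {@code false}
         *                  for plain per-role client domains
         * @return the configured domain, named {@code SECURITY_DOMAIN_PREFIX + name}
         */
        private SecurityDomain getKrbSecurityDomain(String name, String principal, boolean isService) {
            SecurityModule.Builder module = new SecurityModule.Builder();
            if (Utils.IBM_JDK) {
                // IBM JDK ships its own Krb5LoginModule with different option names.
                module.name("com.ibm.security.auth.module.Krb5LoginModule")
                      .putOption("useKeytab", keytabPath(name));
                if (isService) {
                    module.putOption("credsType", "both")
                          .putOption("forwardable", KrbLdapAuthenticationIT.TRUE)
                          .putOption("proxiable", KrbLdapAuthenticationIT.TRUE)
                          .putOption("noAddress", KrbLdapAuthenticationIT.TRUE);
                } else {
                    module.putOption("credsType", "acceptor");
                }
            } else {
                module.name("Kerberos")
                      .putOption("useKeyTab", KrbLdapAuthenticationIT.TRUE)
                      .putOption("keyTab", keytabPath(name));
                if (isService) {
                    // storeKey keeps the service key in the Subject for the acceptor side;
                    // doNotPrompt ensures a missing keytab fails instead of blocking on input.
                    module.putOption("storeKey", KrbLdapAuthenticationIT.TRUE)
                          .putOption("refreshKrb5Config", KrbLdapAuthenticationIT.TRUE)
                          .putOption("doNotPrompt", KrbLdapAuthenticationIT.TRUE);
                }
            }
            module.putOption("principal", principal + REALM_SUFFIX)
                  .putOption("debug", KrbLdapAuthenticationIT.TRUE);
            return new SecurityDomain.Builder()
                  .name(AbstractNodeAuthentication.SecurityDomainsSetupTask.SECURITY_DOMAIN_PREFIX + name)
                  .cacheType("default")
                  .loginModules(new SecurityModule[]{module.build()})
                  .build();
        }

        /**
         * Builds the {@code ispn-<role>} domain: a requisite SPNEGO module that
         * authenticates the caller against the service domain, followed by an
         * {@link AdvancedLdapLoginModule} that binds with GSSAPI and resolves the
         * caller's roles from LDAP.
         *
         * <p>The provider URL is plain {@code ldap://}; the bind is SASL/GSSAPI,
         * which authenticates the bind but does not by itself establish
         * transport encryption (that depends on the negotiated SASL QOP) — fine
         * for the in-process test server, not a template for production.
         *
         * @param role             role name; also the suffix of the resulting domain name
         * @param managementClient used to resolve the LDAP host
         * @param ldapPort         LDAP port of the embedded server
         * @param serviceDomain    suffix of the Kerberos domain holding the service credentials
         * @return the configured SPNEGO + LDAP domain
         */
        private static SecurityDomain getSpnegoSecurityDomain(String role, ManagementClient managementClient, int ldapPort, String serviceDomain) {
            String prefix = AbstractNodeAuthentication.SecurityDomainsSetupTask.SECURITY_DOMAIN_PREFIX;
            SecurityModule spnego = new SecurityModule.Builder()
                  .name("SPNEGO")
                  .flag("requisite")
                  .putOption("password-stacking", "useFirstPass")
                  .putOption("serverSecurityDomain", prefix + serviceDomain)
                  .putOption("usernamePasswordDomain", prefix + role)
                  .build();
            SecurityModule ldap = new SecurityModule.Builder()
                  .name(AdvancedLdapLoginModule.class.getName())
                  .putOption("password-stacking", "useFirstPass")
                  .putOption("bindAuthentication", "GSSAPI")
                  .putOption("jaasSecurityDomain", prefix + serviceDomain)
                  .putOption("java.naming.provider.url", "ldap://" + Utils.getCannonicalHost(managementClient) + ":" + ldapPort)
                  .putOption("baseCtxDN", "ou=People,dc=infinispan,dc=org")
                  // {0} / {1} are substituted by the login module (presumably the
                  // authenticated principal and its DN) — verify against the module docs.
                  .putOption("baseFilter", "(krb5PrincipalName={0})")
                  .putOption("rolesCtxDN", "ou=Roles,dc=infinispan,dc=org")
                  .putOption("roleFilter", "(member={1})")
                  .putOption("roleAttributeID", "cn")
                  .build();
            return new SecurityDomain.Builder()
                  .name("ispn-" + role)
                  .cacheType("default")
                  .loginModules(new SecurityModule[]{spnego, ldap})
                  .build();
        }
    }

    /**
     * Enables TRACE logging for the security subsystems on the server.
     */
    static class SecurityTraceLoggingServerSetupTask extends AbstractTraceLoggingServerSetupTask {
        SecurityTraceLoggingServerSetupTask() {
        }

        /**
         * @return the logger categories to switch to TRACE; parameters are unused
         */
        @Override // org.infinispan.test.integration.security.tasks.AbstractTraceLoggingServerSetupTask
        protected Collection<String> getCategories(ManagementClient managementClient, String containerId) {
            return Arrays.asList("javax.security", "org.jboss.security", "org.wildfly.security");
        }
    }

    /**
     * @return the test web archive deployed into the default container
     */
    @Deployment
    @TargetsContainer(AbstractAuthentication.DEFAULT_DEPLOY_CONTAINER)
    public static WebArchive getDeployment() {
        return Deployments.createKrbLdapTestDeployment();
    }

    /**
     * @return the role → cache permission mapping used to build the authorization
     *         configuration: admin gets ALL, writer WRITE, reader READ and the
     *         unprivileged role NONE
     */
    @Override // org.infinispan.test.integration.security.embedded.AbstractAuthentication
    public Map<String, AuthorizationPermission[]> getRolePermissionMap() {
        Map<String, AuthorizationPermission[]> permissions = new HashMap<>();
        permissions.put(ADMIN_ROLE, new AuthorizationPermission[]{AuthorizationPermission.ALL});
        permissions.put(WRITER_ROLE, new AuthorizationPermission[]{AuthorizationPermission.WRITE});
        permissions.put(READER_ROLE, new AuthorizationPermission[]{AuthorizationPermission.READ});
        permissions.put(UNPRIVILEGED_ROLE, new AuthorizationPermission[]{AuthorizationPermission.NONE});
        return permissions;
    }

    /**
     * @return a mapper that derives Infinispan roles from the principal's group membership
     */
    @Override // org.infinispan.test.integration.security.embedded.AbstractAuthentication
    public PrincipalRoleMapper getPrincipalRoleMapper() {
        return new SimplePrincipalGroupRoleMapper();
    }

    /**
     * @return {@code null}: this test does not use a single shared security
     *         domain; each subject is obtained from its own {@code ispn-<role>}
     *         domain via {@code authenticateWithKrb}
     */
    @Override // org.infinispan.test.integration.security.embedded.AbstractAuthentication
    public String getSecurityDomainName() {
        return null;
    }

    /**
     * @return a subject authenticated through the {@code ispn-admin} domain
     * @throws LoginException if Kerberos authentication fails
     */
    @Override // org.infinispan.test.integration.security.embedded.AbstractAuthentication
    public Subject getAdminSubject() throws LoginException {
        return authenticateWithKrb("ispn-admin");
    }

    /**
     * @return a subject authenticated through the {@code ispn-writer} domain
     * @throws LoginException if Kerberos authentication fails
     */
    @Override // org.infinispan.test.integration.security.embedded.AbstractAuthentication
    public Subject getWriterSubject() throws LoginException {
        return authenticateWithKrb("ispn-writer");
    }

    /**
     * @return a subject authenticated through the {@code ispn-reader} domain
     * @throws LoginException if Kerberos authentication fails
     */
    @Override // org.infinispan.test.integration.security.embedded.AbstractAuthentication
    public Subject getReaderSubject() throws LoginException {
        return authenticateWithKrb("ispn-reader");
    }

    /**
     * @return a subject authenticated through the {@code ispn-unprivileged} domain
     * @throws LoginException if Kerberos authentication fails
     */
    @Override // org.infinispan.test.integration.security.embedded.AbstractAuthentication
    public Subject getUnprivilegedSubject() throws LoginException {
        return authenticateWithKrb("ispn-unprivileged");
    }
}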
