package org.wildfly.sasl.gssapi;

import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;
import org.jboss.logging.Logger;
import org.wildfly.sasl.gssapi.AbstractGssapiMechanism;
import org.wildfly.sasl.util.Charsets;
import org.wildfly.sasl.util.SaslState;
import org.wildfly.sasl.util.SaslStateContext;

/* loaded from: input_file:org/wildfly/sasl/gssapi/GssapiServer.class */
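/**
 * Server side of the SASL GSSAPI (Kerberos V5) mechanism.
 *
 * <p>Negotiation runs through three states in order: {@link AcceptorState} establishes the
 * GSS context from the client's tokens, {@link SecurityLayerAdvertiser} sends the wrapped
 * security-layer offer, and {@link SecurityLayerReceiver} validates the client's choice and
 * performs the authorization check.
 *
 * <p>The decompiled class also carried compiler-generated bridge methods for
 * {@code getNegotiatedProperty(String)} and {@code dispose()} that only delegated to the
 * superclass; they are omitted here because the compiler regenerates them.
 */
public class GssapiServer extends AbstractGssapiMechanism implements SaslServer {
    private static final Logger log = Logger.getLogger(GssapiServer.class);

    /** Length of the security-layer token: one bitmask byte followed by a 3-byte max buffer size. */
    private static final int SECURITY_LAYER_TOKEN_LENGTH = 4;

    /** Authorization identity granted to the peer; only assigned once negotiation completes. */
    private String authorizationId;

    /**
     * Initial state: feeds client tokens into {@code acceptSecContext} until the GSS context is
     * established, then checks that the negotiated mechanism really is Kerberos V5.
     */
    private class AcceptorState implements SaslState {
        private AcceptorState() {
        }

        /**
         * @param saslStateContext negotiation context used to switch to the next state
         * @param bArr the client's GSS token for this round
         * @return the token to return to the client; possibly the security-layer offer when
         *         context establishment produced no output token
         * @throws SaslException on a missing token, a GSS failure, or a non-Kerberos mechanism
         */
        @Override // org.wildfly.sasl.util.SaslState
        public byte[] evaluateMessage(SaslStateContext saslStateContext, byte[] bArr) throws SaslException {
            // This state is only entered before the context exists.
            assert !gssContext.isEstablished();
            if (bArr == null) {
                throw new SaslException("Expected a GSS token from the client but received none.");
            }
            try {
                byte[] outputToken = gssContext.acceptSecContext(bArr, 0, bArr.length);
                if (!gssContext.isEstablished()) {
                    log.trace("GSSContext not established, expecting subsequent exchange.");
                    return outputToken;
                }
                Oid mech = gssContext.getMech();
                log.tracef("Negotiated mechanism %s", mech);
                // Only Kerberos V5 is acceptable for this mechanism; refuse anything else.
                if (!KERBEROS_V5.equals(mech)) {
                    throw new SaslException("Negotiated mechanism was not Kerberos V5");
                }
                SecurityLayerAdvertiser advertiser = new SecurityLayerAdvertiser();
                saslStateContext.setNegotiationState(advertiser);
                if (outputToken == null || outputToken.length == 0) {
                    // Nothing left to send for context establishment, so produce the
                    // security-layer offer within the same round trip.
                    log.trace("No response so triggering next state immediately.");
                    return advertiser.evaluateMessage(saslStateContext, null);
                }
                return outputToken;
            } catch (GSSException e) {
                throw new SaslException("Unable to accept message from client.", e);
            }
        }
    }

    /**
     * Second state: builds and wraps the security-layer offer (bitmask of supported QOPs plus
     * our maximum receive buffer size) and hands over to {@link SecurityLayerReceiver}.
     */
    private class SecurityLayerAdvertiser implements SaslState {
        private SecurityLayerAdvertiser() {
        }

        /**
         * @param saslStateContext negotiation context used to switch to the next state
         * @param bArr must be {@code null} or empty; the client sends nothing at this step
         * @return the wrapped security-layer offer
         * @throws SaslException if a non-empty message arrives, no QOP can be offered, or wrapping fails
         */
        @Override // org.wildfly.sasl.util.SaslState
        public byte[] evaluateMessage(SaslStateContext saslStateContext, byte[] bArr) throws SaslException {
            if (bArr != null && bArr.length > 0) {
                throw new SaslException("Only expecting an empty message, received a full message.");
            }
            byte offered = 0;
            boolean securityLayerOffered = false;
            for (AbstractGssapiMechanism.QOP qop : orderedQops) {
                switch (qop) {
                    case AUTH_INT:
                        if (gssContext.getIntegState()) {
                            offered = (byte) (offered | qop.getValue());
                            securityLayerOffered = true;
                            log.trace("Offering AUTH_INT");
                        } else {
                            log.trace("No integrity protection so unable to offer AUTH_INT");
                        }
                        break;
                    case AUTH_CONF:
                        if (gssContext.getConfState()) {
                            offered = (byte) (offered | qop.getValue());
                            securityLayerOffered = true;
                            log.trace("Offering AUTH_CONF");
                        } else {
                            log.trace("No confidentiality available so unable to offer AUTH_CONF");
                        }
                        break;
                    default:
                        // AUTH (no security layer) requires no capability from the context.
                        offered = (byte) (offered | qop.getValue());
                        break;
                }
            }
            if (offered == 0) {
                throw new SaslException("Insufficient levels of protection available for supported security layers.");
            }
            byte[] token = new byte[SECURITY_LAYER_TOKEN_LENGTH];
            token[0] = offered;
            try {
                byte[] maxBufferBytes;
                if (securityLayerOffered) {
                    boolean confidentiality = (offered & AbstractGssapiMechanism.QOP.AUTH_CONF.getValue()) != 0;
                    actualMaxReceiveBuffer = gssContext.getWrapSizeLimit(0, confidentiality, configuredMaxReceiveBuffer);
                    log.tracef("Our max buffer size %d", actualMaxReceiveBuffer);
                    maxBufferBytes = intToNetworkOrderBytes(actualMaxReceiveBuffer);
                } else {
                    log.trace("Not offering a security layer so zero length.");
                    maxBufferBytes = new byte[] {0, 0, 0};
                }
                // Bytes 1..3 carry the max buffer size. NOTE(review): this assumes
                // intToNetworkOrderBytes yields the value as 3 big-endian bytes — confirm.
                System.arraycopy(maxBufferBytes, 0, token, 1, 3);
                byte[] wrapped = gssContext.wrap(token, 0, SECURITY_LAYER_TOKEN_LENGTH, new MessageProp(0, false));
                log.trace("Transitioning to receive chosen security layer from client");
                saslStateContext.setNegotiationState(new SecurityLayerReceiver(offered));
                return wrapped;
            } catch (GSSException e) {
                throw new SaslException("Unable to generate security layer challenge.", e);
            }
        }
    }

    /**
     * Final state: unwraps the client's security-layer selection, checks it against what was
     * offered, runs the authorization callback and completes negotiation.
     */
    private class SecurityLayerReceiver implements SaslState {
        /** Bitmask of QOPs sent to the client by {@link SecurityLayerAdvertiser}. */
        private final byte offeredSecurityLayer;

        private SecurityLayerReceiver(byte offeredSecurityLayer) {
            this.offeredSecurityLayer = offeredSecurityLayer;
        }

        /**
         * @param saslStateContext negotiation context, marked complete on success
         * @param bArr the client's wrapped selection token
         * @return always {@code null}; the server sends nothing after this step
         * @throws SaslException on an empty or malformed token, a selection that was not
         *         offered, a compliance violation, a GSS failure, or a refused authorization
         */
        @Override // org.wildfly.sasl.util.SaslState
        public byte[] evaluateMessage(SaslStateContext saslStateContext, byte[] bArr) throws SaslException {
            if (bArr == null || bArr.length == 0) {
                throw new SaslException("Expected the client's security layer selection but received an empty message.");
            }
            try {
                byte[] unwrapped = gssContext.unwrap(bArr, 0, bArr.length, new MessageProp(0, false));
                if (unwrapped.length < SECURITY_LAYER_TOKEN_LENGTH) {
                    throw new SaslException(String.format("Invalid message of length %d on unwrapping.", unwrapped.length));
                }
                int chosen = unwrapped[0] & 0xFF;
                int offered = offeredSecurityLayer & 0xFF;
                // Every bit the client set must have been offered. A plain overlap test would
                // accept a selection as long as any one of its bits matched the offer.
                if (chosen == 0 || (chosen & ~offered) != 0) {
                    throw new SaslException("Client selected a security layer that was not offered.");
                }
                AbstractGssapiMechanism.QOP chosenQop = AbstractGssapiMechanism.QOP.mapFromValue(unwrapped[0]);
                if (chosenQop == null) {
                    // Not a single recognised layer; treat as a protocol error instead of an
                    // assertion so the check also holds with assertions disabled.
                    throw new SaslException("Client selected an unrecognised security layer.");
                }
                maxBuffer = networkOrderBytesToInt(unwrapped, 1, 3);
                log.tracef("Client selected security layer %s, with maxBuffer of %d", chosenQop, maxBuffer);
                // With no security layer the client must send a zero buffer size.
                if (!relaxComplianceChecks && chosenQop == AbstractGssapiMechanism.QOP.AUTH && maxBuffer != 0) {
                    throw new SaslException("No security layer selected but message length received.");
                }
                selectedQop = chosenQop;
                try {
                    String authenticationId = gssContext.getSrcName().toString();
                    // Any bytes after the token are an optional UTF-8 authorization identity;
                    // when absent the client acts as its own authenticated identity.
                    String requestedAuthorizationId = unwrapped.length > SECURITY_LAYER_TOKEN_LENGTH
                            ? new String(unwrapped, SECURITY_LAYER_TOKEN_LENGTH, unwrapped.length - SECURITY_LAYER_TOKEN_LENGTH, Charsets.UTF_8)
                            : authenticationId;
                    log.tracef("Authentication ID=%s,  Authorization ID=%s", authenticationId, requestedAuthorizationId);
                    AuthorizeCallback authorizeCallback = new AuthorizeCallback(authenticationId, requestedAuthorizationId);
                    handleCallbacks(authorizeCallback);
                    if (!authorizeCallback.isAuthorized()) {
                        throw new SaslException(String.format("User %s is not authorized to act as %s", authenticationId, requestedAuthorizationId));
                    }
                    authorizationId = requestedAuthorizationId;
                    if (chosenQop != AbstractGssapiMechanism.QOP.AUTH) {
                        log.trace("Setting message wrapper.");
                        setWrapper(new AbstractGssapiMechanism.GssapiWrapper(GssapiServer.this, chosenQop == AbstractGssapiMechanism.QOP.AUTH_CONF));
                    }
                    log.trace("Negotiation complete.");
                    saslStateContext.negotiationComplete();
                    return null;
                } catch (GSSException e) {
                    throw new SaslException("Unable to determine name of peer.", e);
                }
            } catch (GSSException e) {
                throw new SaslException("Unable to unwrap security layer response.", e);
            }
        }
    }

    /**
     * Creates the server and an accept-only Kerberos V5 GSS context for the host-based
     * service name {@code protocol@serverName}.
     *
     * <p>The compiled class declares this constructor package-private (per the decompiler);
     * it is kept public here as decompiled.
     *
     * @param protocol the service part of the name (assumed to match the SaslServerFactory
     *        "protocol" argument)
     * @param serverName the host part of the name
     * @param map mechanism properties passed through to the superclass
     * @param callbackHandler handler used for the authorization callback
     * @throws SaslException if the GSS name, credential or context cannot be created
     */
    public GssapiServer(String protocol, String serverName, Map<String, ?> map, CallbackHandler callbackHandler) throws SaslException {
        super(AbstractGssapiFactory.GSSAPI, protocol, serverName, map, callbackHandler, log);
        GSSManager gssManager = GSSManager.getInstance();
        String hostBasedName = protocol + "@" + serverName;
        log.tracef("Our name '%s'", hostBasedName);
        try {
            GSSName ourName = gssManager.createName(hostBasedName, GSSName.NT_HOSTBASED_SERVICE, KERBEROS_V5);
            // Server side only ever accepts contexts, so an accept-only credential suffices.
            GSSCredential credential = gssManager.createCredential(ourName, GSSCredential.INDEFINITE_LIFETIME, KERBEROS_V5, GSSCredential.ACCEPT_ONLY);
            this.gssContext = gssManager.createContext(credential);
        } catch (GSSException e) {
            throw new SaslException("Unable to create GSSContext", e);
        }
    }

    /** Starts negotiation in the context-acceptance state. */
    @Override // org.wildfly.sasl.util.AbstractSaslParticipant
    public void init() {
        getContext().setNegotiationState(new AcceptorState());
    }

    /**
     * @return the authorization identity established during negotiation
     * @throws IllegalStateException (via {@code assertComplete}) if negotiation has not completed
     */
    @Override
    public String getAuthorizationID() {
        assertComplete();
        return this.authorizationId;
    }

    /**
     * Feeds the client's response into the current negotiation state.
     *
     * @param bArr the client's response token
     * @return the next challenge, or {@code null} when there is nothing to send
     * @throws SaslException if the current state rejects the response
     */
    @Override
    public byte[] evaluateResponse(byte[] bArr) throws SaslException {
        return evaluateMessage(bArr);
    }
}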
