package org.jboss.security.negotiation.spnego;

import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
import org.jboss.security.negotiation.MessageTrace;
import org.jboss.security.negotiation.spnego.encoding.NegTokenInit;
import org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder;
import org.jboss.security.negotiation.spnego.encoding.NegTokenTarg;
import org.jboss.security.negotiation.spnego.encoding.NegTokenTargDecoder;
import org.jboss.security.negotiation.spnego.encoding.NegTokenTargEncoder;
import org.jboss.util.Base64;

/* loaded from: input_file:org/jboss/security/negotiation/spnego/SPNEGOLoginModule.class */
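/**
 * JAAS login module that authenticates a caller with SPNEGO (RFC 4178) carrying the
 * Kerberos V5 GSS-API mechanism.
 * <p>
 * The Base64 negotiation token is read from the current {@link SPNEGOContext} and fed to a
 * {@link GSSContext} while running as the server's own identity, which is obtained by
 * logging into the security domain named by the {@code serverSecurityDomain} module option.
 * On success the module identity is a {@link KerberosPrincipal} named after the initiator
 * ({@code GSSContext.getSrcName()}) and is placed in the {@code CallerPrincipal} group.
 * <p>
 * When the negotiation needs another round trip the response token is stored on the
 * {@link SPNEGOContext} and {@link #login()} fails with {@code "Continuation Required."};
 * the caller is expected to send the response header back to the client.
 */
public class SPNEGOLoginModule extends AbstractServerLoginModule {
    /** OID of the Kerberos V5 GSS-API mechanism, the only mechanism this module accepts. */
    private static final Oid kerberos;

    /** First byte of a NegTokenInit: the [APPLICATION 0] tag of the GSS-API InitialContextToken wrapper. */
    private static final byte NEG_TOKEN_INIT_TAG = (byte) 0x60;

    /** First byte of a NegTokenTarg (negTokenResp): the constructed context-specific [1] tag. */
    private static final byte NEG_TOKEN_TARG_TAG = (byte) 0xa1;

    /** Module option naming the security domain that yields the server's Kerberos credentials. */
    private static final String SERVER_SECURITY_DOMAIN_OPTION = "serverSecurityDomain";

    private String serverSecurityDomain;
    /** Login into the server domain for the current {@link #login()} call; logged out in its finally. */
    private LoginContext serverLoginContext = null;
    /** Authenticated initiator, set only once the GSS context is established. */
    private Principal identity = null;

    /**
     * One GSS-API accept step, run as the server subject.
     * <p>
     * {@link #run()} returns {@link Boolean#TRUE} when the context is established,
     * {@link Boolean#FALSE} when another round trip is required (the response token has then
     * been stored on the context), and the {@link Exception} itself when anything fails, so
     * that {@link SPNEGOLoginModule#login()} can turn it into a {@link LoginException} outside
     * the privileged block.
     */
    private class AcceptSecContext implements PrivilegedAction<Object> {
        private final SPNEGOContext spnegoContext;

        AcceptSecContext(SPNEGOContext spnegoContext) {
            this.spnegoContext = spnegoContext;
        }

        @Override // java.security.PrivilegedAction
        public Object run() {
            try {
                byte[] token = decodeRequest();
                byte[] mechToken;
                if (token[0] == NEG_TOKEN_INIT_TAG) {
                    NegTokenInit negTokenInit = NegTokenInitDecoder.decode(token);
                    if (!kerberosPreferred(negTokenInit)) {
                        // The optimistic mechToken belongs to a mechanism we do not speak;
                        // answer with a NegTokenTarg and let the client restart with Kerberos.
                        answerMechanismMismatch(negTokenInit.getMechTypes());
                        return Boolean.FALSE;
                    }
                    mechToken = negTokenInit.getMechToken();
                } else if (token[0] == NEG_TOKEN_TARG_TAG) {
                    mechToken = NegTokenTargDecoder.decode(token).getResponseToken();
                } else {
                    throw new LoginException("Unsupported negotiation mechanism.");
                }
                if (mechToken == null) {
                    throw new LoginException("Negotiation token carries no mechanism token.");
                }

                GSSContext gssContext = spnegoContext.getGssContext();
                if (gssContext == null) {
                    log.debug("Creating new GSSContext.");
                    // A null credential makes the GSS provider use its default acceptor
                    // credential, i.e. the one found in the Subject this action runs under.
                    gssContext = GSSManager.getInstance().createContext((GSSCredential) null);
                    spnegoContext.setGssContext(gssContext);
                }
                if (gssContext.isEstablished()) {
                    // The token just received is not consumed; the identity already bound to
                    // the established context is granted again.
                    log.warn("Authentication was performed despite already being authenticated!");
                    return establishIdentity(gssContext);
                }

                byte[] responseToken = gssContext.acceptSecContext(mechToken, 0, mechToken.length);
                if (responseToken != null) {
                    NegTokenTarg negTokenTarg = new NegTokenTarg();
                    negTokenTarg.setResponseToken(responseToken);
                    sendResponse(negTokenTarg);
                }
                return gssContext.isEstablished() ? establishIdentity(gssContext) : Boolean.FALSE;
            } catch (Exception e) {
                // Returned rather than thrown: PrivilegedAction.run cannot declare checked
                // exceptions, and login() maps the result to a LoginException.
                return e;
            }
        }

        /**
         * Base64-decodes the request header, tracing both forms.
         *
         * @throws LoginException if the header decodes to nothing, so a malformed header is
         *         reported as a login failure instead of an index error
         */
        private byte[] decodeRequest() throws LoginException {
            String requestHeader = spnegoContext.getRequestHeader();
            byte[] token = Base64.decode(requestHeader);
            MessageTrace.logRequestBase64(requestHeader);
            MessageTrace.logRequestHex(token);
            if (token == null || token.length == 0) {
                throw new LoginException("Empty or undecodable negotiation token.");
            }
            return token;
        }

        /**
         * Tells whether the initiator's preferred (first listed) mechanism is Kerberos.
         * Only then may the optimistic mechToken in the NegTokenInit be handed to the GSS context.
         *
         * @throws LoginException if the NegTokenInit lists no mechanism at all
         */
        private boolean kerberosPreferred(NegTokenInit negTokenInit) throws LoginException {
            List<Oid> mechTypes = negTokenInit.getMechTypes();
            if (mechTypes == null || mechTypes.isEmpty()) {
                throw new LoginException("NegTokenInit carries no mechanism types.");
            }
            return kerberos.equals(mechTypes.get(0));
        }

        /**
         * Replies with accept-incomplete naming Kerberos when the initiator offers it further
         * down its list (it will then resend with a Kerberos mechToken), otherwise rejects.
         */
        private void answerMechanismMismatch(List<Oid> mechTypes) throws Exception {
            NegTokenTarg negTokenTarg = new NegTokenTarg();
            if (mechTypes.contains(kerberos)) {
                negTokenTarg.setNegResult(NegTokenTarg.ACCEPT_INCOMPLETE);
                negTokenTarg.setSupportedMech(kerberos);
            } else {
                negTokenTarg.setNegResult(NegTokenTarg.REJECTED);
            }
            sendResponse(negTokenTarg);
        }

        /**
         * Encodes a NegTokenTarg, traces it and stores it as the Base64 response header.
         * Declared with {@code throws Exception} because the encoder's checked exceptions are
         * all mapped to a login failure by {@link #run()}.
         */
        private void sendResponse(NegTokenTarg negTokenTarg) throws Exception {
            byte[] encoded = NegTokenTargEncoder.encode(negTokenTarg);
            String base64 = Base64.encodeBytes(encoded);
            MessageTrace.logResponseBase64(base64);
            MessageTrace.logResponseHex(encoded);
            spnegoContext.setResponseHeader(base64);
        }

        /**
         * Records the initiator's Kerberos name as the module identity and marks the
         * SPNEGO context authenticated.
         *
         * @return {@link Boolean#TRUE}, the value {@link #run()} reports on success
         */
        private Boolean establishIdentity(GSSContext gssContext) throws GSSException {
            identity = new KerberosPrincipal(gssContext.getSrcName().toString());
            log.debug("context.getCredDelegState() = " + gssContext.getCredDelegState());
            log.debug("context.getMutualAuthState() = " + gssContext.getMutualAuthState());
            log.debug("context.getSrcName() = " + gssContext.getSrcName().toString());
            spnegoContext.setAuthenticated(true);
            return Boolean.TRUE;
        }
    }

    /**
     * Standard JAAS initialisation; additionally reads the {@code serverSecurityDomain}
     * option from {@code options}.
     *
     * @param subject         the subject being authenticated
     * @param callbackHandler the caller's callback handler
     * @param sharedState     state shared between the modules of the stack
     * @param options         this module's configuration options
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        serverSecurityDomain = (String) options.get(SERVER_SECURITY_DOMAIN_OPTION);
        log.debug("serverSecurityDomain=" + serverSecurityDomain);
    }

    /**
     * Performs one SPNEGO round as the server subject.
     * <p>
     * Succeeds only when the GSS context becomes established in this call.  With
     * {@code useFirstPass} enabled the identity is published to the shared state with an
     * empty password so that stacked modules can pick it up.  The server-side
     * {@link LoginContext} opened for the round is always logged out before returning.
     *
     * @return {@code true} when the caller is authenticated
     * @throws LoginException with {@code "Continuation Required."} when another round trip is
     *         needed, or {@code "Unable to authenticate - ..."} (cause attached) when the
     *         accept step failed
     */
    public boolean login() throws LoginException {
        if (super.login()) {
            log.debug("super.login()==true");
            return true;
        }
        loginOk = false;
        try {
            Object result = Subject.doAs(getServerSubject(),
                    new AcceptSecContext(SPNEGOContext.getCurrentSPNEGOContext()));
            log.trace("Result - " + result);
            if (result instanceof Exception) {
                Exception failure = (Exception) result;
                log.error("Unable to authenticate", failure);
                LoginException loginException = new LoginException("Unable to authenticate - " + failure.getMessage());
                // LoginException has no (message, cause) constructor; keep the cause chain anyway.
                loginException.initCause(failure);
                throw loginException;
            }
            if (Boolean.TRUE.equals(result)) {
                loginOk = true;
                if (getUseFirstPass()) {
                    log.debug("Storing username '" + identity.getName() + "' and empty password");
                    sharedState.put("javax.security.auth.login.name", identity);
                    sharedState.put("javax.security.auth.login.password", "");
                }
            }
            log.trace("super.loginOk " + loginOk);
            if (loginOk) {
                return true;
            }
            throw new LoginException("Continuation Required.");
        } finally {
            // Release the server credentials of this round; clear the field first so a
            // failure in logout() cannot trigger a second logout on the next call.
            LoginContext serverContext = serverLoginContext;
            serverLoginContext = null;
            if (serverContext != null) {
                serverContext.logout();
            }
        }
    }

    /** @return the authenticated initiator, or {@code null} before a successful {@link #login()} */
    protected Principal getIdentity() {
        return identity;
    }

    /**
     * Builds the role groups: an empty {@code Roles} group (role mapping is left to other
     * modules in the stack) and a {@code CallerPrincipal} group holding the identity.
     */
    protected Group[] getRoleSets() throws LoginException {
        Group roles = new SimpleGroup("Roles");
        Group callerPrincipal = new SimpleGroup("CallerPrincipal");
        callerPrincipal.addMember(identity);
        return new Group[] {roles, callerPrincipal};
    }

    /**
     * Logs into the configured server security domain and returns its subject, which holds
     * the acceptor credentials the GSS context runs under.  The {@link LoginContext} is kept
     * in {@link #serverLoginContext} so {@link #login()} can log it out again.
     *
     * @throws LoginException if no {@code serverSecurityDomain} was configured or its login fails
     */
    protected Subject getServerSubject() throws LoginException {
        if (serverSecurityDomain == null) {
            throw new LoginException("Module option '" + SERVER_SECURITY_DOMAIN_OPTION + "' is not set.");
        }
        LoginContext loginContext = new LoginContext(serverSecurityDomain);
        loginContext.login();
        serverLoginContext = loginContext;
        Subject subject = loginContext.getSubject();
        // Log principals only: Subject.toString() can include private credentials
        // (e.g. Kerberos keys), which must not end up in debug logs.
        log.debug("Subject principals = " + subject.getPrincipals());
        log.debug("Logged in '" + serverSecurityDomain + "' LoginContext");
        return subject;
    }

    static {
        try {
            kerberos = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            // A malformed constant OID is a programming error, not a recoverable condition.
            throw new RuntimeException("Unable to initialise Oid", e);
        }
    }
}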
