package org.keycloak.federation.kerberos.impl;

import java.io.IOException;
import java.util.Locale;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.logging.Logger;
import org.keycloak.common.util.KerberosJdkProvider;
import org.keycloak.federation.kerberos.CommonKerberosConfig;
import org.keycloak.models.ModelException;

/* loaded from: input_file:org/keycloak/federation/kerberos/impl/KerberosUsernamePasswordAuthenticator.class */
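/**
 * Verifies username/password credentials against a Kerberos KDC through a JAAS {@link LoginContext}.
 *
 * <p>Both the existence probe ({@link #isUserAvailable(String)}) and the credential check
 * ({@link #validUser(String, String)}) are driven by the text of the {@link LoginException} the
 * JAAS login module raises, so the classification below is only as reliable as those messages.
 *
 * <p>Not thread-safe: the {@code loginContext} field is shared between {@code isUserAvailable},
 * {@code authenticateSubject} and {@code logoutSubject}, so one instance handles one login at a time.
 */
public class KerberosUsernamePasswordAuthenticator {
    private static final Logger logger = Logger.getLogger(KerberosUsernamePasswordAuthenticator.class);

    /** JAAS application name; the configuration returned by {@link #createJaasConfiguration()} does not key on it. */
    private static final String JAAS_APP_NAME = "does-not-matter";

    /** Password used by the existence probe; it is expected to be rejected by the KDC. */
    private static final String PROBE_PASSWORD = "fake-password-which-nobody-has";

    /** Message fragment the KDC returns for an unknown principal. */
    private static final String CLIENT_NOT_FOUND = "Client not found";

    /**
     * Upper-cased message fragments that indicate the KDC could not be reached at all, as opposed to
     * a rejected principal or password. Compared against the upper-cased exception message.
     */
    private static final String[] SERVER_UNAVAILABLE_MARKERS = {
            "PORT UNREACHABLE", "CANNOT LOCATE", "CANNOT CONTACT", "CANNOT FIND", "UNKNOWN ERROR"
    };

    private final CommonKerberosConfig config;

    // Written by isUserAvailable/authenticateSubject, consumed by logoutSubject.
    private LoginContext loginContext;

    /**
     * @param commonKerberosConfig supplies the Kerberos realm and the JAAS debug flag
     */
    public KerberosUsernamePasswordAuthenticator(CommonKerberosConfig commonKerberosConfig) {
        this.config = commonKerberosConfig;
    }

    /**
     * Probes whether {@code str} exists as a principal in the configured realm by attempting a login
     * with a deliberately wrong password and classifying the KDC's rejection.
     *
     * @param str username, optionally qualified with {@code @REALM}
     * @return {@code false} when the KDC reports the principal as unknown ({@code "Client not found"}),
     *         {@code true} for any other login failure (e.g. a password rejection)
     * @throws ModelException if the failure message indicates the KDC is unreachable
     * @throws IllegalStateException if the probe password is unexpectedly accepted
     */
    public boolean isUserAvailable(String str) {
        logger.debugf("Checking existence of user: %s", str);
        try {
            this.loginContext = new LoginContext(JAAS_APP_NAME, (Subject) null,
                    createJaasCallbackHandler(getKerberosPrincipal(str), PROBE_PASSWORD), createJaasConfiguration());
            this.loginContext.login();
            // The probe password must never be accepted; do not leave a live login behind if it is.
            logoutSubject();
            throw new IllegalStateException("Didn't expect to end here");
        } catch (LoginException e) {
            // getMessage() may be null; treat that like any message that is not "Client not found".
            String message = messageOf(e);
            logger.debugf("Message from kerberos: %s", message);
            checkKerberosServerAvailable(e);
            return !message.contains(CLIENT_NOT_FOUND);
        }
    }

    /**
     * Authenticates {@code str} with password {@code str2} and immediately logs the subject out again.
     *
     * @param str  username, optionally qualified with {@code @REALM}
     * @param str2 password (a {@code String}, so it cannot be zeroed after use)
     * @return {@code true} if the KDC accepted the credentials
     * @throws ModelException if the failure message indicates the KDC is unreachable
     */
    public boolean validUser(String str, String str2) {
        try {
            authenticateSubject(str, str2);
            logoutSubject();
            return true;
        } catch (LoginException e) {
            checkKerberosServerAvailable(e);
            logger.debug("Failed to authenticate user " + str, e);
            return false;
        }
    }

    /**
     * Converts a login failure caused by an unreachable KDC into a {@link ModelException}, so that
     * callers can distinguish "server down" from "bad credentials".
     *
     * @param loginException the failure to inspect; a null message is treated as empty
     * @throws ModelException if the message matches one of {@link #SERVER_UNAVAILABLE_MARKERS}
     */
    protected void checkKerberosServerAvailable(LoginException loginException) {
        // Locale.ROOT keeps the comparison stable in locales with non-ASCII case mappings (e.g. dotless i).
        String upperCase = messageOf(loginException).toUpperCase(Locale.ROOT);
        for (String marker : SERVER_UNAVAILABLE_MARKERS) {
            if (upperCase.contains(marker)) {
                throw new ModelException("Kerberos unreachable", loginException);
            }
        }
    }

    /**
     * Performs the JAAS login and keeps the resulting context so {@link #logoutSubject()} can release it.
     *
     * @param str  username, optionally qualified with {@code @REALM}
     * @param str2 password
     * @return the authenticated subject
     * @throws LoginException if the realm does not match the configured one or the KDC rejects the login
     */
    public Subject authenticateSubject(String str, String str2) throws LoginException {
        String kerberosPrincipal = getKerberosPrincipal(str);
        logger.debug("Validating password of principal: " + kerberosPrincipal);
        this.loginContext = new LoginContext(JAAS_APP_NAME, (Subject) null,
                createJaasCallbackHandler(kerberosPrincipal, str2), createJaasConfiguration());
        this.loginContext.login();
        logger.debug("Principal " + kerberosPrincipal + " authenticated succesfully");
        return this.loginContext.getSubject();
    }

    /** Logs out the context created by the last login, if any; logout failures are logged, not thrown. */
    public void logoutSubject() {
        if (this.loginContext != null) {
            try {
                this.loginContext.logout();
            } catch (LoginException e) {
                logger.error("Failed to logout kerberos subject", e);
            }
        }
    }

    /**
     * Builds the fully qualified principal {@code user@REALM} for the configured realm.
     *
     * @param str username; if it already carries {@code @realm}, that realm must equal the configured
     *            one (compared upper-cased) and is then replaced by the configured value
     * @return {@code <user>@<configured realm>}
     * @throws LoginException if the supplied realm part does not match the configured realm
     */
    protected String getKerberosPrincipal(String str) throws LoginException {
        String realm = this.config.getKerberosRealm();
        if (str.contains("@")) {
            // Limit -1 keeps trailing empty tokens, so "user@" yields an empty (non-matching) realm part
            // instead of an ArrayIndexOutOfBoundsException escaping to the caller.
            String[] split = str.split("@", -1);
            if (!split[1].toUpperCase(Locale.ROOT).equals(realm)) {
                logger.warn("Invalid kerberos realm. Expected realm: " + realm + ", username: " + str);
                throw new LoginException(CLIENT_NOT_FOUND);
            }
            str = split[0];
        }
        return str + "@" + realm;
    }

    /**
     * Creates a handler that answers the login module's name and password callbacks.
     *
     * @param str  principal supplied to {@link NameCallback}
     * @param str2 password supplied to {@link PasswordCallback}
     * @return handler that rejects any other callback type with {@link UnsupportedCallbackException}
     */
    protected CallbackHandler createJaasCallbackHandler(final String str, final String str2) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(str);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(str2.toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(callback, "Unsupported callback: " + callback.getClass().getCanonicalName());
                    }
                }
            }
        };
    }

    /** @return the JDK-provider JAAS configuration for username/password Kerberos login, honouring the debug flag. */
    protected Configuration createJaasConfiguration() {
        return KerberosJdkProvider.getProvider().createJaasConfigurationForUsernamePasswordLogin(this.config.isDebug());
    }

    /** @return the exception's message, or an empty string when it carries none */
    private static String messageOf(LoginException e) {
        String message = e.getMessage();
        return message == null ? "" : message;
    }
}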
