package org.opends.server.extensions;

import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslServer;
import org.opends.server.api.ClientConnection;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryException;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.InitializationException;
import org.opends.server.loggers.Debug;
import org.opends.server.messages.ExtensionsMessages;
import org.opends.server.messages.MessageHandler;
import org.opends.server.protocols.asn1.ASN1OctetString;
import org.opends.server.types.AuthenticationInfo;
import org.opends.server.types.Entry;
import org.opends.server.types.ResultCode;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/GSSAPIStateInfo.class */
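/**
 * Per-connection state for a SASL GSSAPI bind.
 *
 * <p>An instance performs the server's own JAAS login when it is constructed,
 * then drives the (possibly multi-stage) SASL exchange: each call to
 * {@link #processAuthenticationStage()} runs {@link #run()} as the logged-in
 * subject and records the outcome on the current bind operation.
 *
 * <p>The same object is also the JAAS/SASL callback handler (see
 * {@link #handle(Callback[])}), which is where the authorization decision is
 * made: the authorization ID must equal the authentication ID.
 *
 * <p>Debug tracing goes through {@code assert Debug.debugXxx(...)}, so the
 * trace calls only execute when assertions are enabled for this class.
 */
public class GSSAPIStateInfo implements PrivilegedExceptionAction<Boolean>, CallbackHandler {
    private static final String CLASS_NAME = "org.opends.server.extensions.GSSAPIStateInfo";

    // Bind operation for the stage currently being processed; replaced via setBindOperation().
    private BindOperation bindOperation;
    // Connection the bind arrived on; it carries the SASL state between stages.
    private ClientConnection clientConnection;
    // Directory entry the authorization ID was mapped to; null until a bind succeeds.
    private Entry userEntry;
    // Handler used to map the authorization ID to a user entry.
    private GSSAPISASLMechanismHandler gssapiHandler;
    // JAAS login context holding the server's own credentials.
    private LoginContext loginContext;
    // SASL server for this exchange; created lazily on the first stage.
    private SaslServer saslServer;
    // Lower-cased protocol name reported by the client connection.
    private String protocol;
    // Fully-qualified server name handed to the SASL server and used in the login name.
    private String serverFQDN;

    /**
     * Creates the state object and logs the server in through JAAS.
     *
     * @param gSSAPISASLMechanismHandler handler used later to map the authorization ID to an entry
     * @param bindOperation the bind operation that started the exchange
     * @param str the server's fully-qualified domain name
     * @throws InitializationException if the login context cannot be created or the login fails
     */
    public GSSAPIStateInfo(GSSAPISASLMechanismHandler gSSAPISASLMechanismHandler, BindOperation bindOperation, String str) throws InitializationException {
        assert Debug.debugConstructor(CLASS_NAME, String.valueOf(bindOperation), String.valueOf(str));
        this.gssapiHandler = gSSAPISASLMechanismHandler;
        this.bindOperation = bindOperation;
        this.serverFQDN = str;
        this.clientConnection = bindOperation.getClientConnection();
        this.protocol = StaticUtils.toLowerCase(this.clientConnection.getProtocol());
        this.userEntry = null;

        // Context creation and login are handled in two separate try blocks. When
        // they were nested, the InitializationException raised for a failed login
        // was caught again by the outer handler and reported as a
        // context-creation failure, hiding the real cause.
        try {
            this.loginContext = new LoginContext(GSSAPISASLMechanismHandler.class.getName(), this);
        } catch (Exception e) {
            assert Debug.debugException(CLASS_NAME, "<init>", e);
            throw new InitializationException(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT, StaticUtils.stackTraceToSingleLineString(e)), e);
        }

        try {
            this.loginContext.login();
        } catch (Exception e) {
            assert Debug.debugException(CLASS_NAME, "<init>", e);
            throw new InitializationException(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_AUTHENTICATE_SERVER, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_AUTHENTICATE_SERVER, StaticUtils.stackTraceToSingleLineString(e)), e);
        }

        // The SASL server is created on the first call to run().
        this.saslServer = null;
    }

    /**
     * Replaces the bind operation that the next authentication stage reports to.
     *
     * @param bindOperation the bind operation for the next stage
     */
    public void setBindOperation(BindOperation bindOperation) {
        assert Debug.debugEnter(CLASS_NAME, "setBindOperation", String.valueOf(bindOperation));
        this.bindOperation = bindOperation;
    }

    /**
     * Returns the entry the authorization ID was mapped to.
     *
     * @return the mapped user entry, or {@code null} if no mapping has been made
     */
    public Entry getUserEntry() {
        assert Debug.debugEnter(CLASS_NAME, "getUserEntry", new String[0]);
        return this.userEntry;
    }

    /**
     * Releases the SASL server, if one was created. Failures are only traced.
     */
    public void dispose() {
        disposeSaslServer("dispose");
    }

    /**
     * Runs one stage of the exchange as the server's logged-in subject.
     *
     * <p>The outcome is reported through the bind operation by {@link #run()}.
     */
    public void processAuthenticationStage() {
        assert Debug.debugEnter(CLASS_NAME, "processAuthenticationStage", new String[0]);
        try {
            Subject.doAs(this.loginContext.getSubject(), this);
        } catch (Exception e) {
            // NOTE(review): an exception reaching this point is only traced and this
            // class sets no result code for it. Confirm that the caller treats a
            // bind operation without an explicit SUCCESS as a failed bind.
            assert Debug.debugException(CLASS_NAME, "processAuthenticationStage", e);
        }
    }

    /**
     * Evaluates the client's SASL credentials for the current stage.
     *
     * <p>Every failure path clears the connection's SASL state and sets
     * {@code INVALID_CREDENTIALS} on the bind operation. Authentication
     * information is attached to the connection only after the exchange has
     * completed, a non-empty authorization ID is present and it maps to an entry.
     *
     * @return {@code true} if the stage succeeded (bind complete or still in
     *         progress), {@code false} if the bind was rejected
     */
    @Override
    public Boolean run() {
        assert Debug.debugEnter(CLASS_NAME, "run", new String[0]);

        if (this.saslServer == null) {
            try {
                HashMap<String, Object> saslProperties = new HashMap<String, Object>();
                // The only quality of protection offered is "auth": authentication
                // without a SASL integrity or confidentiality layer.
                saslProperties.put("javax.security.sasl.qop", "auth");
                saslProperties.put("javax.security.sasl.reuse", ServerConstants.CONFIG_VALUE_FALSE);
                this.saslServer = Sasl.createSaslServer(ServerConstants.SASL_MECHANISM_GSSAPI, this.protocol, this.serverFQDN, saslProperties, this);
            } catch (Exception e) {
                assert Debug.debugException(CLASS_NAME, "run", e);
                // NOTE(review): the failure reason embeds a stack trace. Confirm it
                // is only logged and never returned to the client.
                String message = MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_CREATE_SASL_SERVER, StaticUtils.stackTraceToSingleLineString(e));
                this.clientConnection.setSASLAuthStateInfo(null);
                this.bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_CREATE_SASL_SERVER, message);
                this.bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                return false;
            }
        }

        ASN1OctetString clientCredentials = this.bindOperation.getSASLCredentials();
        try {
            // Sasl.createSaslServer may return null when no provider supports the
            // mechanism; the resulting NullPointerException here is handled by the
            // outer catch and the bind is rejected.
            byte[] challenge = this.saslServer.evaluateResponse(clientCredentials == null ? new byte[0] : clientCredentials.value());
            ASN1OctetString serverCredentials = challenge == null ? null : new ASN1OctetString(challenge);

            if (!this.saslServer.isComplete()) {
                // More round trips are needed: keep state on the connection and
                // return the challenge. The object stored is the SaslServer, not
                // this GSSAPIStateInfo.
                // NOTE(review): confirm the code resuming the bind expects that type.
                this.clientConnection.setSASLAuthStateInfo(this.saslServer);
                this.bindOperation.setResultCode(ResultCode.SASL_BIND_IN_PROGRESS);
                this.bindOperation.setServerSASLCredentials(serverCredentials);
                return true;
            }

            String authorizationID = this.saslServer.getAuthorizationID();
            if (authorizationID == null || authorizationID.length() == 0) {
                // A completed exchange without an authorization ID is rejected.
                disposeSaslServer("run");
                String message = MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_NO_AUTHZ_ID);
                this.clientConnection.setSASLAuthStateInfo(null);
                this.bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLGSSAPI_NO_AUTHZ_ID, message);
                this.bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                return false;
            }

            try {
                this.userEntry = this.gssapiHandler.getUserForAuthzID(this.bindOperation, authorizationID);
                if (this.userEntry == null) {
                    // The principal authenticated but maps to no directory entry.
                    disposeSaslServer("run");
                    String message = MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_MAP_AUTHZID, authorizationID);
                    this.clientConnection.setSASLAuthStateInfo(null);
                    this.bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_MAP_AUTHZID, message);
                    this.bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                    return false;
                }

                // Success: bind the connection to the mapped entry, flagging
                // whether that entry is a root DN.
                this.bindOperation.setSASLAuthUserEntry(this.userEntry);
                this.clientConnection.setAuthenticationInfo(new AuthenticationInfo(this.userEntry.getDN(), ServerConstants.SASL_MECHANISM_GSSAPI, DirectoryServer.isRootDN(this.userEntry.getDN())));
                this.bindOperation.setResultCode(ResultCode.SUCCESS);
                this.clientConnection.setSASLAuthStateInfo(null);
                disposeSaslServer("run");
                return true;
            } catch (DirectoryException e) {
                assert Debug.debugException(CLASS_NAME, "run", e);
                disposeSaslServer("run");
                this.bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
                this.bindOperation.setAuthFailureReason(e.getErrorMessageID(), e.getErrorMessage());
                this.clientConnection.setSASLAuthStateInfo(null);
                return false;
            }
        } catch (Exception e) {
            assert Debug.debugException(CLASS_NAME, "run", e);
            disposeSaslServer("run");
            String message = MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_EVALUATE_RESPONSE, StaticUtils.stackTraceToSingleLineString(e));
            this.clientConnection.setSASLAuthStateInfo(null);
            this.bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLGSSAPI_CANNOT_EVALUATE_RESPONSE, message);
            this.bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
            return false;
        }
    }

    /**
     * Answers the callbacks raised while logging in and while evaluating SASL
     * responses.
     *
     * <p>A {@link NameCallback} is answered with {@code protocol/serverFQDN}. An
     * {@link AuthorizeCallback} is authorized only when the authorization ID
     * equals the authentication ID, so a client cannot act under any other
     * identity through this mechanism. Every other callback type is rejected.
     *
     * @param callbackArr the callbacks to answer
     * @throws UnsupportedCallbackException if a callback is neither a
     *         {@code NameCallback} nor an {@code AuthorizeCallback}
     */
    @Override
    public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
        assert Debug.debugEnter(CLASS_NAME, "handle", String.valueOf(callbackArr));
        for (Callback callback : callbackArr) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(StaticUtils.toLowerCase(this.clientConnection.getProtocol()) + "/" + this.serverFQDN);
            } else if (callback instanceof AuthorizeCallback) {
                AuthorizeCallback authorizeCallback = (AuthorizeCallback) callback;
                String authenticationID = authorizeCallback.getAuthenticationID();
                String authorizationID = authorizeCallback.getAuthorizationID();
                // A missing authentication ID is denied explicitly instead of
                // surfacing as a NullPointerException.
                if (authenticationID != null && authenticationID.equals(authorizationID)) {
                    authorizeCallback.setAuthorizedID(authorizationID);
                    authorizeCallback.setAuthorized(true);
                } else {
                    this.bindOperation.setAuthFailureReason(ExtensionsMessages.MSGID_SASLGSSAPI_DIFFERENT_AUTHID_AND_AUTHZID, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_DIFFERENT_AUTHID_AND_AUTHZID, authenticationID, authorizationID));
                    authorizeCallback.setAuthorized(false);
                }
            } else {
                throw new UnsupportedCallbackException(callback, MessageHandler.getMessage(ExtensionsMessages.MSGID_SASLGSSAPI_UNEXPECTED_CALLBACK, String.valueOf(callback)));
            }
        }
    }

    /**
     * Disposes of the SASL server if one exists, tracing any failure under the
     * given method name instead of propagating it.
     */
    private void disposeSaslServer(String methodName) {
        if (this.saslServer == null) {
            // Nothing to release; avoids relying on a swallowed NullPointerException.
            return;
        }
        try {
            this.saslServer.dispose();
        } catch (Exception e) {
            assert Debug.debugException(CLASS_NAME, methodName, e);
        }
    }
}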
