package net.shibboleth.idp.authn.spnego.impl;

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-4.0.0.jar:net/shibboleth/idp/authn/spnego/impl/GSSContextAcceptor.class */
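/**
 * Accepts SPNEGO/GSS-API security context tokens from a client on behalf of a configured
 * set of Kerberos realms.
 *
 * <p>The first token received is validated against each configured realm's service
 * principal in configuration order; the first realm that accepts it becomes the active
 * realm and every later token is fed into the context created for that realm. The
 * acceptor holds a GSS context, acceptor credentials and the server's login session, so
 * callers must invoke {@link #logout()} when the negotiation ends (successfully or not)
 * to release them.</p>
 *
 * <p>Instances hold per-negotiation mutable state and are not thread-safe.</p>
 */
public class GSSContextAcceptor {

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(GSSContextAcceptor.class);

    /** Object identifier of the SPNEGO pseudo-mechanism (1.3.6.1.5.5.2). */
    @Nonnull
    private final Oid spnegoOid;

    /** Kerberos configuration, including the ordered realms to validate tokens against. */
    @Nonnull
    private final KerberosSettings kerberosSettings;

    /** Realm whose service principal accepted the first token; null until that happens. */
    @Nullable
    private KerberosRealmSettings realmSettings;

    /** Login module holding the server's Kerberos login session; null when logged out. */
    @Nullable
    private GSSAcceptorLoginModule krbLoginModule;

    /** Acceptor-side GSS credentials obtained under the server subject; null when released. */
    @Nullable
    private GSSCredential serverCreds;

    /** GSS security context being negotiated or established; null before the first token. */
    @Nullable
    private GSSContext context;

    /**
     * Constructor.
     *
     * @param kerberosSettings Kerberos configuration to accept tokens against
     * @throws GSSException if the SPNEGO mechanism OID cannot be constructed
     */
    public GSSContextAcceptor(@Nonnull final KerberosSettings kerberosSettings) throws GSSException {
        this.kerberosSettings = kerberosSettings;
        try {
            spnegoOid = new Oid("1.3.6.1.5.5.2");
        } catch (final GSSException e) {
            log.debug("Unable to create SPNEGO mechanism OID");
            throw e;
        }
    }

    /**
     * Get the GSS security context, if one has been created.
     *
     * @return the context, or null before the first token has been accepted or after {@link #logout()}
     */
    @Nullable
    public GSSContext getContext() {
        return context;
    }

    /**
     * Process a GSS token received from the client and produce the token to send back, if any.
     *
     * <p>The first call selects a realm and creates the context (see {@link #acceptFirstToken});
     * later calls continue the negotiation on that context. Check {@link GSSContext#isEstablished()}
     * on {@link #getContext()} to learn whether the negotiation is complete.</p>
     *
     * @param inToken buffer containing the client's token
     * @param offset offset of the token within the buffer
     * @param length length of the token in bytes
     * @return the token to return to the client, or null if no further token is required
     * @throws Exception if every configured realm rejects the first token, or the existing
     *         context cannot be advanced
     */
    @Nullable
    public byte[] acceptSecContext(@Nonnull final byte[] inToken, final int offset, final int length)
            throws Exception {
        if (context == null) {
            log.trace("Processing first GSS input token");
            return acceptFirstToken(inToken, offset, length);
        }
        log.trace("Processing an additional GSS input token");
        final byte[] outToken = context.acceptSecContext(inToken, offset, length);
        if (context.isEstablished()) {
            log.trace("Security context established");
        } else {
            log.trace("Security context partially established");
        }
        return outToken;
    }

    /**
     * Release the GSS context, the acceptor credentials and the server's login session.
     *
     * <p>Each resource is released independently and failures are logged rather than
     * propagated, so this is safe to call repeatedly and from error paths. A resource whose
     * release fails is still discarded so that a half-disposed context or credential is never
     * reused for a later token.</p>
     */
    public void logout() {
        if (context != null) {
            try {
                context.dispose();
            } catch (final GSSException e) {
                log.error("GSS-API context disposal failed", e);
            } finally {
                context = null;
            }
        }
        if (serverCreds != null) {
            try {
                serverCreds.dispose();
            } catch (final GSSException e) {
                log.error("GSS-API credentials disposal failed", e);
            } finally {
                serverCreds = null;
            }
        }
        if (krbLoginModule != null) {
            try {
                krbLoginModule.logout();
            } catch (final LoginException e) {
                log.error("Server credentials logout failed", e);
            } finally {
                krbLoginModule = null;
            }
        }
    }

    /**
     * Validate the first token against each configured realm in order and keep the context
     * created for the first realm that accepts it.
     *
     * <p>State created for a realm that fails (login session, credentials, context) is torn
     * down via {@link #logout()} before the next realm is tried, so a failed attempt never
     * leaks into the next one. Realm order therefore decides which service principal wins
     * when more than one could accept the token.</p>
     *
     * @param inToken buffer containing the client's first token
     * @param offset offset of the token within the buffer
     * @param length length of the token in bytes
     * @return the token to return to the client, or null if no further token is required
     * @throws IllegalStateException if no realms are configured at all
     * @throws Exception the failure reported by the last realm tried, when none accepted the token
     */
    @Nullable
    private byte[] acceptFirstToken(@Nonnull final byte[] inToken, final int offset, final int length)
            throws Exception {
        Exception lastFailure = null;
        for (final KerberosRealmSettings realm : kerberosSettings.getRealms()) {
            log.debug("Validating the first GSS input token against service principal: {}",
                    realm.getServicePrincipal());
            try {
                createGSSContext(realm);
                final byte[] outToken = context.acceptSecContext(inToken, offset, length);
                realmSettings = realm;
                if (context.isEstablished()) {
                    log.trace("Security context fully established");
                } else {
                    log.trace("Security context partially established");
                }
                return outToken;
            } catch (final Exception e) {
                log.debug("Error establishing security context", e);
                // Drop everything created for this realm so the next attempt starts clean.
                logout();
                lastFailure = e;
            }
        }
        if (lastFailure == null) {
            // With an empty realm list the loop never runs; report the misconfiguration
            // explicitly instead of throwing a null reference.
            throw new IllegalStateException("No Kerberos realms configured to validate the GSS token against");
        }
        throw lastFailure;
    }

    /**
     * Log the server in to the given realm, then create acceptor credentials and a fresh GSS
     * context under the resulting subject.
     *
     * <p>On success {@link #krbLoginModule}, {@link #serverCreds} and {@link #context} are all
     * set. On failure some of them may already be set; the caller is expected to invoke
     * {@link #logout()} to clean up.</p>
     *
     * @param realm realm whose service principal the server logs in as
     * @throws LoginException if the server login fails
     * @throws PrivilegedActionException wrapping the error raised while acquiring credentials
     * @throws GSSException if the acceptor context cannot be created
     */
    private void createGSSContext(@Nonnull final KerberosRealmSettings realm)
            throws GSSException, LoginException, PrivilegedActionException {
        krbLoginModule = new GSSAcceptorLoginModule(realm, kerberosSettings.getRefreshKrb5Config(),
                kerberosSettings.getLoginModuleClassName());
        final Subject serverSubject;
        try {
            serverSubject = krbLoginModule.login();
        } catch (final LoginException e) {
            log.error("Server login error using principal: {}", realm.getServicePrincipal());
            throw e;
        }
        log.trace("Server login successful using principal: {}", realm.getServicePrincipal());
        log.trace("Creating GSS credentials and context");
        try {
            serverCreds = getServerCredential(serverSubject);
        } catch (final PrivilegedActionException e) {
            // PrivilegedActionException carries the real error as its cause, so log the
            // exception too rather than only its (often empty) message.
            log.error("Error creating GSS credentials: {}", e.getMessage(), e);
            throw e;
        }
        try {
            context = GSSManager.getInstance().createContext(serverCreds);
            log.trace("GSS acceptor context created");
        } catch (final GSSException e) {
            log.error("Error creating GSS acceptor context: {}", e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Acquire acceptor-only GSS credentials for the SPNEGO mechanism while running as the
     * logged-in server subject; a null name selects the default acceptor identity that the
     * subject makes available.
     *
     * @param subject the server's authenticated subject
     * @return acceptor credentials requested with an indefinite lifetime
     * @throws PrivilegedActionException wrapping the {@link GSSException} if acquisition fails
     */
    @Nonnull
    private GSSCredential getServerCredential(@Nonnull final Subject subject) throws PrivilegedActionException {
        final PrivilegedExceptionAction<GSSCredential> acquire = () -> GSSManager.getInstance().createCredential(
                (GSSName) null, GSSCredential.INDEFINITE_LIFETIME, spnegoOid, GSSCredential.ACCEPT_ONLY);
        return Subject.doAs(subject, acquire);
    }
}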
