package org.keycloak.federation.kerberos.impl;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.jboss.logging.Logger;
import org.keycloak.common.constants.KerberosConstants;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.KerberosSerializationUtils;
import org.keycloak.federation.kerberos.CommonKerberosConfig;

/* loaded from: input_file:org/keycloak/federation/kerberos/impl/SPNEGOAuthenticator.class */
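/**
 * Server-side acceptor for a single SPNEGO token.
 *
 * <p>One instance handles one token: {@link #authenticate()} runs the GSS-API
 * accept step under the server's Kerberos {@link Subject}, after which the
 * outcome is available through {@link #isAuthenticated()},
 * {@link #getAuthenticatedUsername()}, {@link #getResponseToken()} and
 * {@link #getSerializedDelegationCredential()}.
 *
 * <p>Instances mutate their own fields without synchronization and are not
 * meant to be shared between threads.
 */
public class SPNEGOAuthenticator {

    private static final Logger log = Logger.getLogger(SPNEGOAuthenticator.class);

    private final KerberosServerSubjectAuthenticator kerberosSubjectAuthenticator;
    /** Base64-encoded SPNEGO token received from the client. */
    private final String spnegoToken;
    /** Not read by any method in this class; kept for the public constructor signature. */
    private final CommonKerberosConfig kerberosConfig;

    /** Client credential delegated to us, present only if the client allowed delegation. */
    private GSSCredential delegationCredential;
    /** First KerberosTicket found in the server subject's private credentials, if any. */
    private KerberosTicket kerberosTicket;
    private boolean authenticated = false;
    /** Full principal name of the context initiator (user@REALM), set on success. */
    private String authenticatedKerberosPrincipal = null;
    /** Base64-encoded token to return to the client, or {@code null} if none was produced. */
    private String responseToken = null;

    /**
     * Accepts the client token inside the server subject's context.
     *
     * <p>Executed through {@link Subject#doAs} so that the GSS-API acceptor
     * credential is resolved from the server subject. Returns {@code true} only
     * when the context is fully established and the initiator is known.
     */
    private class AcceptSecContext implements PrivilegedExceptionAction<Boolean> {

        @Override
        public Boolean run() throws Exception {
            GSSContext gssContext = null;
            try {
                if (log.isTraceEnabled()) {
                    log.trace("Going to establish security context");
                }
                gssContext = establishContext();
                logAuthDetails(gssContext);

                if (!gssContext.isEstablished()) {
                    // Negotiation did not complete in this round; nothing to trust yet.
                    return false;
                }

                GSSName srcName = gssContext.getSrcName();
                if (srcName == null) {
                    log.warn("GSS Context accepted, but no context initiator recognized. Check your kerberos configuration and reverse DNS lookup configuration");
                    return false;
                }

                authenticatedKerberosPrincipal = srcName.toString();
                if (gssContext.getCredDelegState()) {
                    delegationCredential = gssContext.getDelegCred();
                }
                return true;
            } finally {
                // Release the native context on every path, including when
                // establishContext() or logAuthDetails() throw; the unrolled
                // version disposed it only on the non-throwing branches.
                if (gssContext != null) {
                    gssContext.dispose();
                }
            }
        }
    }

    /**
     * @param kerberosConfig               federation provider configuration
     * @param kerberosSubjectAuthenticator logs the server principal in and out
     * @param spnegoToken                  Base64-encoded SPNEGO token from the client
     */
    public SPNEGOAuthenticator(CommonKerberosConfig kerberosConfig,
                               KerberosServerSubjectAuthenticator kerberosSubjectAuthenticator,
                               String spnegoToken) {
        this.kerberosConfig = kerberosConfig;
        this.kerberosSubjectAuthenticator = kerberosSubjectAuthenticator;
        this.spnegoToken = spnegoToken;
    }

    /**
     * Runs the SPNEGO accept step under the server subject.
     *
     * <p>Never throws: any failure is logged at WARN and leaves
     * {@link #isAuthenticated()} {@code false}. The server subject is always
     * logged out afterwards.
     */
    public void authenticate() {
        if (log.isTraceEnabled()) {
            // NOTE(review): this writes the client's raw SPNEGO token to the log;
            // TRACE should stay off outside of a debugging session.
            log.trace("SPNEGO Login with token: " + spnegoToken);
        }

        try {
            Subject serverSubject = kerberosSubjectAuthenticator.authenticateServerSubject();
            authenticated = Subject.doAs(serverSubject, new AcceptSecContext());

            // Kept so it can be handed to serializeCredential() together with the delegated credential.
            Iterator<KerberosTicket> tickets =
                    serverSubject.getPrivateCredentials(KerberosTicket.class).iterator();
            if (tickets.hasNext()) {
                kerberosTicket = tickets.next();
            }
        } catch (Exception e) {
            log.warn("SPNEGO login failed", e);
        } finally {
            kerberosSubjectAuthenticator.logoutServerSubject();
        }
    }

    /** @return {@code true} if the last {@link #authenticate()} established a context with a known initiator */
    public boolean isAuthenticated() {
        return authenticated;
    }

    /** @return Base64-encoded token to send back to the client, or {@code null} if none was produced */
    public String getResponseToken() {
        return responseToken;
    }

    /**
     * Serializes the delegated client credential together with the server ticket.
     *
     * @return the serialized form, or {@code null} if no credential was delegated
     *         or serialization failed (logged at WARN)
     */
    public String getSerializedDelegationCredential() {
        if (delegationCredential == null) {
            if (log.isTraceEnabled()) {
                log.trace("No delegation credential available.");
            }
            return null;
        }

        try {
            if (log.isTraceEnabled()) {
                log.trace("Serializing credential " + delegationCredential);
            }
            return KerberosSerializationUtils.serializeCredential(kerberosTicket, delegationCredential);
        } catch (KerberosSerializationUtils.KerberosSerializationException e) {
            log.warn("Couldn't serialize credential: " + delegationCredential, e);
            return null;
        }
    }

    /**
     * Returns the principal name without its realm part.
     *
     * @return the part of the authenticated principal before the first {@code @}
     * @throws IllegalStateException if no principal was authenticated
     */
    public String getAuthenticatedUsername() {
        if (authenticatedKerberosPrincipal == null) {
            throw new IllegalStateException(
                    "No authenticated Kerberos principal; call authenticate() and check isAuthenticated() first");
        }
        // NOTE(review): the realm after '@' is dropped without being compared to the
        // configured realm, so principals from any realm the KDC accepts collapse onto
        // the same local username; callers that need a single-realm guarantee must check it.
        return authenticatedKerberosPrincipal.split("@")[0];
    }

    /**
     * Creates an acceptor context for the server principal and feeds it the client token.
     *
     * <p>Side effect: sets {@link #responseToken}. The returned context may or may
     * not be established; the caller owns it and must dispose it.
     *
     * @throws GSSException if the token is rejected or the credential cannot be acquired
     * @throws IOException  if the token is not valid Base64
     */
    protected GSSContext establishContext() throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        // Accept-only credential for the default principal of the current subject,
        // offering both raw Kerberos and SPNEGO as mechanisms.
        GSSCredential serverCredential = manager.createCredential(
                (GSSName) null,
                GSSCredential.INDEFINITE_LIFETIME,
                new Oid[]{KerberosConstants.KRB5_OID, KerberosConstants.SPNEGO_OID},
                GSSCredential.ACCEPT_ONLY);
        GSSContext gssContext = manager.createContext(serverCredential);

        byte[] inputToken = Base64.decode(spnegoToken);
        byte[] outputToken = gssContext.acceptSecContext(inputToken, 0, inputToken.length);
        // GSS-API returns null when no token needs to go back to the peer; encoding
        // null would throw and turn a successful accept into a failed login.
        responseToken = outputToken == null ? null : Base64.encodeBytes(outputToken);
        return gssContext;
    }

    /**
     * Logs the state of the accepted context at DEBUG level.
     *
     * @param gssContext context returned by {@link #establishContext()}
     * @throws GSSException propagated from the context accessors
     */
    protected void logAuthDetails(GSSContext gssContext) throws GSSException {
        if (log.isDebugEnabled()) {
            log.debug("SPNEGO Security context accepted with token: " + responseToken
                    + ", established: " + gssContext.isEstablished()
                    + ", credDelegState: " + gssContext.getCredDelegState()
                    + ", mutualAuthState: " + gssContext.getMutualAuthState()
                    + ", lifetime: " + gssContext.getLifetime()
                    + ", confState: " + gssContext.getConfState()
                    + ", integState: " + gssContext.getIntegState()
                    + ", srcName: " + gssContext.getSrcName()
                    + ", targName: " + gssContext.getTargName());
        }
    }
}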
