package com.bea.security.utils.kerberos;

import com.bea.common.logger.spi.LoggerSpi;
import com.bea.common.security.utils.encoders.BASE64Encoder;
import com.bea.security.utils.gss.GSSTokenUtils;
import com.bea.security.utils.negotiate.CredentialObject;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/bea/security/utils/kerberos/KerberosTokenFactory.class */
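/**
 * Builds Kerberos V5 GSS-API initiator tokens (and the KRB_AP_REQ extracted
 * from them) for a {@link Subject} against a host-based service name.
 *
 * <p>The initiating credential is taken from the subject's private
 * credentials. A {@link CredentialObject} is preferred: its delegated subject
 * (if any) is used to acquire a fresh {@link GSSCredential}, otherwise the
 * {@link GSSCredential} it carries is used directly. Failing that, a
 * {@link PasswordCredential} triggers a JAAS login under
 * {@code jaasConfigName} and the resulting subject is used.
 *
 * <p>Mutual authentication is never requested, so only the first (and only)
 * initiator token is produced; no reply from the service is processed.
 *
 * <p>Instances are created via {@link #getInstance(String, LoggerSpi)}. A
 * {@code null} logger disables all debug output. Debug output never renders
 * a whole {@link Subject}, because {@code Subject.toString()} would include
 * the private credentials (i.e. the TGT) in the log.
 */
public class KerberosTokenFactory {
    private final String jaasConfigName;
    private final LoggerSpi logger;
    private final boolean isDebugEnabled;
    private final GSSManager gssManager = GSSManager.getInstance();

    /**
     * JAAS callback handler that answers {@link NameCallback} and
     * {@link PasswordCallback} from a {@link PasswordCredential}.
     *
     * <p>Any other callback type is silently left untouched rather than
     * reported through {@link UnsupportedCallbackException}. The password
     * array is handed out by reference: this handler neither copies nor
     * clears it, so its lifetime remains owned by the credential.
     */
    public static class MyCallbackHandler implements CallbackHandler {
        String username;
        char[] password;

        private MyCallbackHandler(PasswordCredential passwordCredential) {
            this.username = passwordCredential.getUserName();
            this.password = passwordCredential.getPassword();
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(this.username);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(this.password);
                }
                // Other callback kinds are deliberately ignored, not rejected.
            }
        }
    }

    /**
     * @param str       JAAS configuration entry used for password-based logins
     * @param loggerSpi debug logger; {@code null} disables debug output
     */
    private KerberosTokenFactory(String str, LoggerSpi loggerSpi) {
        this.jaasConfigName = str;
        this.logger = loggerSpi;
        this.isDebugEnabled = loggerSpi != null && loggerSpi.isDebugEnabled();
    }

    /**
     * Creates a new factory; each call returns a distinct instance.
     *
     * @param str       JAAS configuration entry used for password-based logins
     * @param loggerSpi debug logger; {@code null} disables debug output
     * @return a new factory
     */
    public static KerberosTokenFactory getInstance(String str, LoggerSpi loggerSpi) {
        return new KerberosTokenFactory(str, loggerSpi);
    }

    /**
     * Creates the GSS-API initial context token for {@code str}.
     *
     * <p>The subject's private credentials are scanned in iteration order:
     * the scan stops at the first {@link CredentialObject}; if none is found,
     * the last {@link PasswordCredential} seen is used.
     *
     * @param subject subject whose private credentials supply the initiator
     * @param str     host-based service name ({@link GSSName#NT_HOSTBASED_SERVICE})
     * @return the raw token, or {@code null} if the subject carries neither a
     *         {@link CredentialObject} nor a {@link PasswordCredential}
     * @throws KerberosException    if credential acquisition, login or context
     *                              initialisation fails
     * @throws NullPointerException if {@code subject} is {@code null}
     */
    public byte[] createGssInitContextToken(Subject subject, String str) throws KerberosException {
        Objects.requireNonNull(subject, "subject");
        CredentialObject credentialObject = null;
        PasswordCredential passwordCredential = null;
        for (Object candidate : subject.getPrivateCredentials()) {
            if (candidate instanceof CredentialObject) {
                credentialObject = (CredentialObject) candidate;
                break;
            }
            if (candidate instanceof PasswordCredential) {
                passwordCredential = (PasswordCredential) candidate;
            }
        }
        if (credentialObject != null) {
            Subject delegated = credentialObject.getDelegatedSub();
            return delegated != null
                    ? createGssInitContextTokenWithTGT(delegated, str)
                    : createGssInitContextTokenWithGSSCredential(credentialObject.getCredential(), str);
        }
        if (passwordCredential != null) {
            return createGssInitContextTokenWithPasswordCredential(passwordCredential, str);
        }
        return null;
    }

    /**
     * Same as {@link #createGssInitContextToken(Subject, String)} but Base64
     * encoded with {@link BASE64Encoder#encodeBuffer(byte[])}.
     *
     * @return the encoded token, or {@code null} when no token could be built
     * @throws KerberosException see {@link #createGssInitContextToken(Subject, String)}
     */
    public String createGssInitContextTokenBase64Encoded(Subject subject, String str) throws KerberosException {
        byte[] token = createGssInitContextToken(subject, str);
        return token == null ? null : new BASE64Encoder().encodeBuffer(token);
    }

    /**
     * Creates the initial context token and extracts the KRB_AP_REQ from it
     * via {@link KerberosTokenUtils#getKrbApReqToken}.
     *
     * <p>A {@code null} context token (no usable credential in the subject) is
     * passed straight through to {@code KerberosTokenUtils}; what it does with
     * it is not visible here.
     *
     * @throws KerberosException if the context token cannot be built or the
     *                           AP-REQ cannot be extracted from it
     */
    public byte[] createKrbApReqToken(Subject subject, String str) throws KerberosException {
        try {
            return KerberosTokenUtils.getKrbApReqToken(createGssInitContextToken(subject, str), this.logger);
        } catch (IOException e) {
            throw new KerberosException("Failed to get KrbApReqToken from GSS InitContextToken", e);
        }
    }

    /**
     * Same as {@link #createKrbApReqToken(Subject, String)} but Base64 encoded.
     *
     * @return the encoded AP-REQ, or {@code null} when none could be built
     * @throws KerberosException see {@link #createKrbApReqToken(Subject, String)}
     */
    public String createKrbApReqTokenBase64Encoded(Subject subject, String str) throws KerberosException {
        byte[] token = createKrbApReqToken(subject, str);
        return token == null ? null : new BASE64Encoder().encodeBuffer(token);
    }

    /**
     * Acquires an initiate-only Kerberos {@link GSSCredential} for the
     * subject's first principal (running as that subject) and builds the
     * context token with it.
     *
     * <p>{@link Subject#getPrincipals()} is a {@link Set} with no ordering
     * guarantee, so for a multi-principal subject the chosen name is
     * implementation dependent.
     *
     * @throws KerberosException if the subject has no principals or the
     *                           credential cannot be acquired
     */
    private byte[] createGssInitContextTokenWithTGT(Subject subject, String str) throws KerberosException {
        Set<Principal> principals = subject.getPrincipals();
        if (principals.isEmpty()) {
            throw new KerberosException("Illegal subject: empty Principals");
        }
        final String name = principals.iterator().next().getName();
        debug("Begin acquire client credential for " + name + " ...");
        try {
            GSSCredential clientCredential = Subject.doAsPrivileged(subject, new PrivilegedExceptionAction<GSSCredential>() {
                @Override // java.security.PrivilegedExceptionAction
                public GSSCredential run() throws GSSException {
                    GSSName clientName = gssManager.createName(name, GSSName.NT_USER_NAME);
                    return gssManager.createCredential(clientName, GSSCredential.DEFAULT_LIFETIME,
                            new Oid(GSSTokenUtils.KERBEROS_V5_OID), GSSCredential.INITIATE_ONLY);
                }
            }, (AccessControlContext) null);
            debug("Get client credential successfully! ");
            return createGssInitContextTokenWithGSSCredential(clientCredential, str);
        } catch (PrivilegedActionException e) {
            debug(e.getMessage(), e);
            throw new KerberosException(e);
        }
    }

    /**
     * Initialises a Kerberos V5 context towards the host-based service
     * {@code str} with the given credential and returns the first initiator
     * token. The context is disposed before returning, on every path.
     *
     * <p>Mutual authentication is explicitly disabled, so the single
     * {@code initSecContext} call with an empty input yields the whole token
     * and the service's reply (if any) is never verified by this code.
     *
     * @throws KerberosException wrapping any {@link GSSException}
     */
    private byte[] createGssInitContextTokenWithGSSCredential(GSSCredential gSSCredential, String str) throws KerberosException {
        debug("client credential: " + gSSCredential);
        GSSContext context = null;
        try {
            GSSName serviceName = gssManager.createName(str, GSSName.NT_HOSTBASED_SERVICE);
            context = gssManager.createContext(serviceName, new Oid(GSSTokenUtils.KERBEROS_V5_OID),
                    gSSCredential, GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(false);
            debug("Initialize securirty context...");
            byte[] empty = new byte[0];
            return context.initSecContext(empty, 0, empty.length);
        } catch (GSSException e) {
            debug(e.getMessage(), e);
            throw new KerberosException(e);
        } finally {
            disposeQuietly(context);
        }
    }

    /**
     * Logs in through JAAS with the password credential and builds the token
     * from the resulting subject. The login context is logged out again once
     * the token has been produced (or production failed), so the TGT obtained
     * for this one call does not outlive it.
     *
     * @throws KerberosException wrapping a {@link LoginException}, or any
     *                           failure of the subsequent token creation
     */
    private byte[] createGssInitContextTokenWithPasswordCredential(PasswordCredential passwordCredential, String str) throws KerberosException {
        debug("Begin login user: [" + passwordCredential.getUserName() + "]");
        LoginContext loginContext;
        try {
            loginContext = new LoginContext(this.jaasConfigName, new MyCallbackHandler(passwordCredential));
            loginContext.login();
        } catch (LoginException e) {
            debug(e.getMessage(), e);
            throw new KerberosException(e);
        }
        try {
            Subject subject = loginContext.getSubject();
            // Only the principals are logged: rendering the Subject itself
            // would write its private credentials (the fresh TGT) to the log.
            debug("Login successfully! subject principals: [" + subject.getPrincipals() + "]");
            return createGssInitContextTokenWithTGT(subject, str);
        } finally {
            logoutQuietly(loginContext);
        }
    }

    /** Disposes the context if non-null; a failing dispose is only debug-logged. */
    private void disposeQuietly(GSSContext context) {
        if (context == null) {
            return;
        }
        try {
            context.dispose();
        } catch (GSSException ignored) {
            debug("Failed to dispose GSS context: " + ignored.getMessage(), ignored);
        }
    }

    /** Logs out the JAAS context; a failing logout is only debug-logged. */
    private void logoutQuietly(LoginContext loginContext) {
        try {
            loginContext.logout();
        } catch (LoginException ignored) {
            debug("Failed to logout login context: " + ignored.getMessage(), ignored);
        }
    }

    /** Debug-logs {@code message} when a logger is present and debug is enabled. */
    private void debug(String message) {
        if (this.isDebugEnabled) {
            this.logger.debug(message);
        }
    }

    /** Debug-logs {@code message} with its cause when debug is enabled. */
    private void debug(String message, Throwable cause) {
        if (this.isDebugEnabled) {
            this.logger.debug(message, cause);
        }
    }
}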
