package eu.openanalytics.containerproxy.auth.impl.kerberos;

import java.io.File;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.kerby.kerberos.kerb.ccache.Credential;
import org.apache.kerby.kerberos.kerb.ccache.CredentialCache;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbConfig;
import org.apache.kerby.kerberos.kerb.client.jaas.TokenAuthLoginModule;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
import org.apache.kerby.kerberos.kerb.type.ticket.SgtTicket;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
import org.keycloak.common.constants.KerberosConstants;
import sun.security.jgss.krb5.Krb5Util;
import sun.security.krb5.Config;
import sun.security.krb5.Credentials;
import sun.security.krb5.KrbTgsReq;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.KDCOptions;
import sun.security.krb5.internal.Krb5;

/* loaded from: input_file:BOOT-INF/lib/containerproxy-0.8.0.jar:eu/openanalytics/containerproxy/auth/impl/kerberos/KRBUtils.class */
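public class KRBUtils {

    /**
     * Kerby client used only to write credential-cache files in {@link #persistTicket};
     * a {@code null} config selects Kerby's defaults.
     */
    private static final KrbClient krbClient = new KrbClient((KrbConfig) null);

    /**
     * Performs a keytab-based JAAS login for {@code principal} and returns the resulting TGT.
     * <p>
     * Despite the method name no GSS context is created: the method runs
     * {@code com.sun.security.auth.module.Krb5LoginModule} in initiator mode with a programmatic
     * configuration and returns the {@link KerberosTicket} that the module placed in the subject's
     * private credentials. Whether the returned TGT is forwardable depends on the krb5 config
     * ({@code [libdefaults] forwardable}); the S4U2proxy step in
     * {@link #obtainBackendServiceTicket} needs a forwardable TGT, which is why the debug output
     * reports that flag.
     *
     * @param principal  Kerberos principal of the service account (the {@code principal} option of
     *                   the login module)
     * @param keytabPath path of the keytab holding that principal's long-term key
     * @return the TGT found in the subject's private credentials; never {@code null}
     * @throws LoginException if the login succeeds but no {@link KerberosTicket} was stored
     * @throws Exception      if the JAAS login or the privileged lookup fails
     */
    public static KerberosTicket createGSSContext(final String principal, final String keytabPath) throws Exception {
        // Programmatic JAAS configuration so that no jaas.conf file is required. The application
        // name passed to LoginContext is ignored: every name maps to the same single entry.
        Configuration configuration = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                Map<String, String> options = new HashMap<>();
                options.put("useKeyTab", "true");
                options.put(KerberosConstants.KEYTAB, keytabPath);
                options.put(TokenAuthLoginModule.PRINCIPAL, principal);
                // storeKey keeps the keytab key in the subject; doNotPrompt makes a missing key a
                // hard failure instead of an interactive prompt.
                options.put("storeKey", "true");
                options.put("doNotPrompt", "true");
                // Gate the login module's own tracing on the same switch as the prints below:
                // its output goes to stdout and describes the keytab and keys it loads, so it must
                // not be unconditionally enabled.
                options.put("debug", String.valueOf(Krb5.DEBUG));
                options.put("isInitiator", "true");
                return new AppConfigurationEntry[]{
                    new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options)
                };
            }
        };

        Set<KerberosPrincipal> principals = new HashSet<>(1);
        principals.add(new KerberosPrincipal(principal));

        if (Krb5.DEBUG) {
            debugForwardableDefaults();
            System.out.println("DEBUG: Requesting TGT for " + principal);
        }

        // Writable subject: the login module adds the TGT (and the keytab key) to it.
        Subject subject = new Subject(false, principals, new HashSet<>(), new HashSet<>());
        new LoginContext("", subject, (CallbackHandler) null, configuration).login();

        KerberosTicket tgt = findServiceTGT(subject);
        if (tgt == null) {
            // Every caller dereferences the ticket; fail here with a clear message instead.
            throw new LoginException("Kerberos login for " + principal + " stored no KerberosTicket");
        }
        if (Krb5.DEBUG) {
            System.out.println("DEBUG: TGT (KerberosTicket) isForwardable = " + tgt.isForwardable());
        }
        return tgt;
    }

    /**
     * Prints the configured and default "forwardable" settings (shared debug output).
     * Only called when {@link Krb5#DEBUG} is set.
     */
    private static void debugForwardableDefaults() throws Exception {
        System.out.println("DEBUG: Config isForwardable = " + Config.getInstance().getBooleanValue(new String[]{"libdefaults", "forwardable"}));
        System.out.println("DEBUG: KDCOptions isForwardable = " + new KDCOptions().get(KDCOptions.FORWARDABLE));
    }

    /**
     * Returns the first {@link KerberosTicket} among the subject's private credentials.
     * <p>
     * The lookup runs as the subject because private credentials are only readable under
     * its own identity.
     *
     * @param subject subject populated by a successful {@code Krb5LoginModule} login
     * @return the first ticket found in iteration order, or {@code null} if there is none
     * @throws PrivilegedActionException wrapping anything thrown while reading the credentials
     */
    private static KerberosTicket findServiceTGT(final Subject subject) throws PrivilegedActionException {
        PrivilegedExceptionAction<KerberosTicket> lookup = () -> {
            for (Object credential : subject.getPrivateCredentials()) {
                if (credential instanceof KerberosTicket) {
                    return (KerberosTicket) credential;
                }
            }
            return null;
        };
        return Subject.doAs(subject, lookup);
    }

    /**
     * Requests an S4U2self ticket: a service ticket to this service's own principal issued in the
     * name of {@code user}, obtained with the service's TGT and without any credential of the user.
     * The KDC decides whether the service is allowed to do this.
     *
     * @param user principal name of the user to impersonate
     * @param tgt  the service's TGT as returned by {@link #createGSSContext}
     * @return the ticket as a Kerby {@link SgtTicket}; its sname/srealm are the service principal
     *         (the client of the TGT)
     * @throws Exception if the TGS exchange fails or the conversion throws
     */
    public static SgtTicket obtainImpersonationTicket(String user, KerberosTicket tgt) throws Exception {
        Credentials tgtCreds = Krb5Util.ticketToCreds(tgt);
        if (Krb5.DEBUG) {
            debugForwardableDefaults();
            System.out.println("DEBUG: TGT (KerberosTicket) isForwardable = " + tgt.isForwardable());
            System.out.println("DEBUG: TGT (Credentials) isForwardable = " + tgtCreds.isForwardable());
            System.out.println("DEBUG: Requesting impersonation ticket (S4U2self) for user " + user);
        }
        Credentials s4u2selfCreds = Credentials.acquireS4U2selfCreds(new PrincipalName(user), tgtCreds);
        PrincipalName service = tgtCreds.getClient();
        return convertToTicket(s4u2selfCreds, service.getName(), service.getRealmAsString());
    }

    /**
     * Requests an S4U2proxy ticket for {@code backendService} on behalf of the user named in
     * {@code s4u2selfTicket}, using that ticket as evidence and the service's TGT as the
     * requesting credential. Constrained-delegation policy is enforced by the KDC.
     *
     * @param backendService principal name of the backend service to get a ticket for
     * @param s4u2selfTicket evidence ticket, normally the one from {@link #obtainImpersonationTicket}
     * @param tgt            the service's TGT as returned by {@link #createGSSContext}
     * @return the backend ticket as a Kerby {@link SgtTicket}; the srealm is copied from the evidence
     *         ticket's realm rather than from the KDC reply
     * @throws Exception if the TGS exchange fails or the conversion throws
     */
    public static SgtTicket obtainBackendServiceTicket(String backendService, Ticket s4u2selfTicket, KerberosTicket tgt) throws Exception {
        // KrbTgsReq only accepts the JDK's internal Ticket type, so re-decode the Kerby ticket.
        sun.security.krb5.internal.Ticket evidence = new sun.security.krb5.internal.Ticket(s4u2selfTicket.encode());
        Credentials tgtCreds = Krb5Util.ticketToCreds(tgt);
        if (Krb5.DEBUG) {
            System.out.println("DEBUG: Requesting backend service ticket (S4U2proxy) for service " + backendService);
        }
        Credentials proxyCreds = new KrbTgsReq(tgtCreds, evidence, new PrincipalName(backendService)).sendAndGetCreds();
        return convertToTicket(proxyCreds, backendService, s4u2selfTicket.getRealm());
    }

    /**
     * Converts JDK {@link Credentials} into a Kerby {@link SgtTicket} by rebuilding the
     * {@link EncTgsRepPart} field by field and re-decoding the ticket and session key from their
     * ASN.1 encodings.
     *
     * @param credentials credentials returned by a TGS exchange
     * @param serviceName service (sname) to record in the enc part
     * @param serviceRealm realm (srealm) to record in the enc part
     * @return a ticket whose client principal is the credentials' client
     * @throws Exception if decoding the ticket or the session key fails
     */
    private static SgtTicket convertToTicket(Credentials credentials, String serviceName, String serviceRealm) throws Exception {
        EncTgsRepPart encPart = new EncTgsRepPart();
        encPart.setSname(new org.apache.kerby.kerberos.kerb.type.base.PrincipalName(serviceName));
        encPart.setSrealm(serviceRealm);
        encPart.setAuthTime(new KerberosTime(credentials.getAuthTime().getTime()));
        // The original set the start time from credentials.getStartTime() and then immediately
        // overwrote it with the auth time. The effective value (auth time) is kept; the dead,
        // NPE-prone read of getStartTime() is dropped.
        // NOTE(review): confirm start time == auth time is really intended for S4U tickets.
        encPart.setStartTime(new KerberosTime(credentials.getAuthTime().getTime()));
        encPart.setEndTime(new KerberosTime(credentials.getEndTime().getTime()));
        if (credentials.getRenewTill() != null) {
            encPart.setRenewTill(new KerberosTime(credentials.getRenewTill().getTime()));
        }

        // Fold the boolean[] flags into one int, first element ending up as the most significant
        // bit. Assumes Kerby's TicketFlags(int) uses the same bit order — preserved from the
        // original, not verified here.
        int flagBits = 0;
        for (boolean flag : credentials.getFlags()) {
            flagBits = (flagBits << 1) + (flag ? 1 : 0);
        }
        encPart.setFlags(new TicketFlags(flagBits));

        // Session key and ticket cross the library boundary via their ASN.1 encodings.
        EncryptionKey sessionKey = new EncryptionKey();
        sessionKey.decode(credentials.getSessionKey().asn1Encode());
        encPart.setKey(sessionKey);

        Ticket ticket = new Ticket();
        ticket.decode(credentials.getEncoded());

        org.apache.kerby.kerberos.kerb.type.base.PrincipalName client =
            new org.apache.kerby.kerberos.kerb.type.base.PrincipalName(credentials.getClient().getName());
        client.setRealm(credentials.getClient().getRealmAsString());

        SgtTicket result = new SgtTicket(ticket, encPart);
        result.setClientPrincipal(client);
        return result;
    }

    /**
     * Writes {@code ticket} into the credential cache at {@code cachePath}: creates the file when
     * it does not exist, otherwise replaces the existing entry for the same server name and
     * appends the new one.
     * <p>
     * The cache holds session keys, so the file must not be readable by other users. This method
     * does not set file permissions itself; that is left to the process umask and the cache
     * directory's ACL — NOTE(review): confirm this is enforced by the deployment.
     *
     * @param ticket    ticket to store; its client principal becomes the entry's client
     * @param cachePath path of the credential-cache file
     * @throws Exception if the cache cannot be read or written
     */
    public static void persistTicket(SgtTicket ticket, String cachePath) throws Exception {
        File cacheFile = new File(cachePath);
        if (!cacheFile.exists()) {
            // New cache: let Kerby write the whole file (header plus this single credential).
            krbClient.storeTicket(ticket, cacheFile);
            return;
        }

        CredentialCache cache = new CredentialCache();
        cache.load(cacheFile);
        Credential fresh = new Credential(ticket, ticket.getClientPrincipal());
        String serverName = fresh.getServerName().getName();
        // Replace any entry for the same service so the cache does not accumulate stale tickets.
        // Matching is by server name only (realm and client are not compared) — preserved from
        // the original.
        cache.getCredentials().stream()
            .filter(existing -> existing.getServerName().getName().equals(serverName))
            .findAny()
            .ifPresent(cache::removeCredential);
        cache.addCredential(fresh);
        cache.store(cacheFile);
    }
}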
