package com.floragunn.searchguard.enterprise.auth.kerberos;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.codova.validation.errors.ValidationError;
import com.floragunn.fluent.collections.ImmutableMap;
import com.floragunn.fluent.collections.ImmutableSet;
import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.CredentialsException;
import com.floragunn.searchguard.authc.RequestMetaData;
import com.floragunn.searchguard.authc.base.AuthcResult;
import com.floragunn.searchguard.authc.rest.HttpAuthenticationFrontend;
import com.floragunn.searchguard.configuration.ConfigurationRepository;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchsupport.PrivilegedCode;
import com.floragunn.searchsupport.cstate.ComponentState;
import java.io.File;
import java.nio.file.Path;
import java.security.PrivilegedActionException;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/kerberos/KerberosAuthenticationFrontend.class */
public class KerberosAuthenticationFrontend implements HttpAuthenticationFrontend {
    private static final String TYPE = "kerberos";
    private final boolean stripRealmFromPrincipalName;
    private final boolean challenge;
    private final boolean debug;
    private final ImmutableSet<KerberosPrincipal> acceptorPrincipal;
    private final Path acceptorKeyTabFile;
    private final Configuration keytabConfiguration;
    private final ComponentState componentState = new ComponentState(0, "authentication_frontend", TYPE, KerberosAuthenticationFrontend.class).requiresEnterpriseLicense();
    private static final Oid SPNEGO_OID = createOid("1.3.6.1.5.5.2");
    private static final Oid KRB5MECH_OID = createOid("1.2.840.113554.1.2.2");
    private static final Oid[] KRB_OIDS = {SPNEGO_OID, KRB5MECH_OID};
    private static final Logger log = LogManager.getLogger(KerberosAuthenticationFrontend.class);
    public static TypedComponent.Info<HttpAuthenticationFrontend> INFO = new TypedComponent.Info<HttpAuthenticationFrontend>() { // from class: com.floragunn.searchguard.enterprise.auth.kerberos.KerberosAuthenticationFrontend.1
        public Class<HttpAuthenticationFrontend> getType() {
            return HttpAuthenticationFrontend.class;
        }

        public String getName() {
            return KerberosAuthenticationFrontend.TYPE;
        }

        public TypedComponent.Factory<HttpAuthenticationFrontend> getFactory() {
            return (docNode, context) -> {
                return new KerberosAuthenticationFrontend(docNode, context);
            };
        }
    };

    public KerberosAuthenticationFrontend(DocNode docNode, ConfigurationRepository.Context context) throws ConfigValidationException {
        Path path;
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode validatingDocNode = new ValidatingDocNode(docNode, validationErrors, context);
        this.challenge = validatingDocNode.get("challenge").withDefault(true).asBoolean();
        this.debug = validatingDocNode.get("debug").withDefault(false).asBoolean();
        boolean asBoolean = validatingDocNode.get("use_system_properties").withDefault(false).asBoolean();
        if (asBoolean) {
            path = null;
            validatingDocNode.used(new String[]{"krb5_config_file"});
        } else {
            path = resolve(validatingDocNode.get("krb5_config_file").withDefault("/etc/krb5.conf").asString(), "krb5_config_file", validationErrors, context);
        }
        this.stripRealmFromPrincipalName = validatingDocNode.get("strip_realm_from_principal").withDefault(true).asBoolean();
        this.acceptorPrincipal = ImmutableSet.of(validatingDocNode.get("acceptor_principal").asList().withEmptyListAsDefault().ofObjectsParsedByString(str -> {
            return (KerberosPrincipal) PrivilegedCode.execute(() -> {
                return new KerberosPrincipal(str);
            });
        }));
        this.acceptorKeyTabFile = resolve(validatingDocNode.get("acceptor_keytab").required().asString(), "acceptor_keytab", validationErrors, context);
        validatingDocNode.checkForUnusedAttributes();
        validationErrors.throwExceptionForPresentErrors();
        if (!asBoolean) {
            Path path2 = path;
            PrivilegedCode.execute(() -> {
                try {
                    if (this.debug) {
                        System.setProperty("sun.security.krb5.debug", "true");
                        System.setProperty("java.security.debug", "gssloginconfig,logincontext,configparser,configfile");
                        System.setProperty("sun.security.spnego.debug", "true");
                        System.out.println("Kerberos debug is enabled");
                        System.err.println("Kerberos debug is enabled");
                        log.info("Kerberos debug is enabled on stdout");
                    }
                } catch (Throwable th) {
                    log.error("Unable to enable krb_debug due to ", th);
                    System.err.println("Unable to enable krb_debug due to " + String.valueOf(th));
                    System.out.println("Unable to enable krb_debug due to " + String.valueOf(th));
                }
                System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
                System.setProperty("java.security.krb5.conf", path2.toString());
            });
        }
        this.keytabConfiguration = new KeytabJaasConf("*", this.acceptorKeyTabFile, false, this.debug);
        try {
            Subject subject = (Subject) PrivilegedCode.execute(() -> {
                return getLoginSubject();
            }, LoginException.class);
            if (log.isDebugEnabled()) {
                log.debug("loginSubject: " + String.valueOf(subject));
            }
            this.componentState.initialized();
        } catch (LoginException e) {
            log.error("Got login exception", e);
            throw new ConfigValidationException(new ValidationError((String) null, e.getMessage()).cause(e));
        }
    }

    public AuthCredentials extractCredentials(RequestMetaData<?> requestMetaData) throws CredentialsException {
        String authorizationByScheme = requestMetaData.getAuthorizationByScheme("negotiate");
        if (authorizationByScheme == null) {
            log.debug("No negotiate authorization header found");
            return null;
        }
        byte[] decode = Base64.getDecoder().decode(authorizationByScheme);
        return (AuthCredentials) PrivilegedCode.execute(() -> {
            try {
                Subject subject = (Subject) PrivilegedCode.execute(() -> {
                    return getLoginSubject();
                }, LoginException.class);
                GSSManager gSSManager = GSSManager.getInstance();
                try {
                    GSSContext createContext = gSSManager.createContext((GSSCredential) Subject.doAs(subject, () -> {
                        return gSSManager.createCredential((GSSName) null, Integer.MAX_VALUE, KRB_OIDS, 2);
                    }));
                    try {
                        try {
                            byte[] bArr = (byte[]) Subject.doAs(subject, () -> {
                                return createContext.acceptSecContext(decode, 0, decode.length);
                            });
                            if (bArr == null) {
                                log.debug("Ticket validation not successful, outToken is null");
                                throw new CredentialsException("Unable to authenticate with SPNEGO", new AuthcResult.DebugInfo(getType(), false, "Ticket validation not successful, outToken is null", ImmutableMap.of("login_subject", subject.toString())));
                            }
                            String str = (String) Subject.doAs(subject, () -> {
                                return getUsername(createContext);
                            });
                            if (str == null) {
                                return AuthCredentials.forUser("_incomplete_").authenticatorType(getType()).nativeCredentials(bArr).build();
                            }
                            if (this.stripRealmFromPrincipalName) {
                                str = stripRealm(str);
                            }
                            AuthCredentials build = AuthCredentials.forUser(str).authenticatorType(getType()).nativeCredentials(bArr).complete().build();
                            try {
                                createContext.dispose();
                            } catch (GSSException e) {
                                log.warn("Exception while disposing gssContext", e);
                            }
                            return build;
                        } catch (PrivilegedActionException e2) {
                            log.info("Exception while GSSContext.acceptSecContext()", e2.getCause());
                            throw new CredentialsException("Unable to authenticate with SPNEGO", new AuthcResult.DebugInfo(getType(), false, "Did not accept negotiate header", ImmutableMap.of("login_subject", subject.toString())), e2.getCause());
                        }
                    } finally {
                        try {
                            createContext.dispose();
                        } catch (GSSException e3) {
                            log.warn("Exception while disposing gssContext", e3);
                        }
                    }
                } catch (GSSException e4) {
                    log.warn("Exception while creating GSSContext", e4);
                    throw new CredentialsException("Unable to authenticate with SPNEGO", new AuthcResult.DebugInfo(getType(), false, "Exception while creating GSSContext", ImmutableMap.of("login_subject", subject.toString())), e4);
                } catch (PrivilegedActionException e5) {
                    log.warn("Exception while creating GSSContext", e5.getCause());
                    throw new CredentialsException("Unable to authenticate with SPNEGO", new AuthcResult.DebugInfo(getType(), false, "Exception while creating GSSContext", ImmutableMap.of("login_subject", subject.toString())), e5.getCause());
                }
            } catch (LoginException e6) {
                throw new CredentialsException("Unable to authenticate with SPNEGO", new AuthcResult.DebugInfo(getType(), false, e6.getMessage(), ImmutableMap.of("acceptor_principal", this.acceptorPrincipal.toString(), "keytab", this.keytabConfiguration.toString())), e6);
            }
        }, CredentialsException.class);
    }

    public String getChallenge(AuthCredentials authCredentials) {
        if (this.challenge) {
            return (authCredentials == null || authCredentials.getNativeCredentials() == null) ? "Negotiate" : "Negotiate " + Base64.getEncoder().encodeToString((byte[]) authCredentials.getNativeCredentials());
        }
        return null;
    }

    public String getType() {
        return TYPE;
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }

    private Path resolve(String str, String str2, ValidationErrors validationErrors, ConfigurationRepository.Context context) {
        if (str == null) {
            return null;
        }
        File file = new File(str);
        return file.isAbsolute() ? file.toPath() : context.getStaticSettings().getPatformConfigDirectory().resolve(file.toPath());
    }

    private Subject getLoginSubject() throws LoginException {
        LoginContext loginContext = new LoginContext("KeytabConf", new Subject(false, this.acceptorPrincipal, ImmutableSet.empty(), ImmutableSet.empty()), (CallbackHandler) null, this.keytabConfiguration);
        loginContext.login();
        return loginContext.getSubject();
    }

    private static String stripRealm(String str) {
        if (str == null) {
            return null;
        }
        int indexOf = str.indexOf(64);
        return indexOf > 0 ? str.substring(0, indexOf) : str;
    }

    private static Oid createOid(String str) {
        try {
            return new Oid(str);
        } catch (GSSException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String getUsername(GSSContext gSSContext) {
        GSSName srcName;
        try {
            if (gSSContext.isEstablished() && (srcName = gSSContext.getSrcName()) != null) {
                return srcName.toString();
            }
            return null;
        } catch (GSSException e) {
            log.warn("Error while retrieving name from " + String.valueOf(gSSContext), e);
            return null;
        }
    }
}
