package org.wso2.carbon.identity.oauth2.grant.kerberos;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.axiom.om.util.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.application.common.model.FederatedAuthenticatorConfig;
import org.wso2.carbon.identity.application.common.model.IdentityProvider;
import org.wso2.carbon.identity.application.common.model.Property;
import org.wso2.carbon.identity.application.common.util.IdentityApplicationManagementUtil;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.ResponseHeader;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.idp.mgt.IdentityProviderManagementException;
import org.wso2.carbon.idp.mgt.IdentityProviderManager;
import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import sun.security.jgss.GSSHeader;
import sun.security.jgss.GSSUtil;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/grant/kerberos/KerberosGrant.class */
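/**
 * OAuth2 grant handler that exchanges a Kerberos/SPNEGO service ticket for an access token.
 * <p>
 * The token request carries a base64-encoded GSS token ({@code KerberosGrantConstants.KERBEROS_GRANT_TOKEN})
 * and a Kerberos realm ({@code KerberosGrantConstants.KERBEROS_REALM}). The realm names a registered Identity
 * Provider whose Kerberos federated-authenticator properties supply the service principal name and password
 * (and optionally a comma-separated list of user store domains). The handler logs in as that service principal,
 * accepts the ticket through JGSS and, once the GSS context is established, authorizes the ticket's initiator as
 * the resource owner: either bound to the first configured user store domain that knows the user, or marked as
 * a federated user when no domains are configured.
 * <p>
 * Failures in the request parameters or the IdP configuration raise {@link IdentityOAuth2Exception}; a ticket
 * that is not accepted is reported through a response header and a {@code false} result instead.
 */
public class KerberosGrant extends AbstractAuthorizationGrantHandler {

    private static final Log log = LogFactory.getLog(KerberosGrant.class);
    private static final GSSManager gssManager = GSSManager.getInstance();

    /** Tenant used when the token request carries no tenant domain. */
    private static final String DEFAULT_TENANT_DOMAIN = "carbon.super";
    /** Message-context property under which response headers are handed back to the token endpoint. */
    private static final String RESPONSE_HEADERS_PROPERTY = "RESPONSE_HEADERS";
    /** Separator of the IdP's user-store-domain list. */
    private static final String USER_STORE_DOMAIN_SEPARATOR = ",";

    /**
     * Reads the mechanism OID announced in the outer GSS-API token framing.
     * <p>
     * This relies on the {@code sun.security.jgss} internal API and is only a best-effort hint: the caller
     * falls back to SPNEGO whenever the header cannot be parsed.
     *
     * @param token raw (base64-decoded) GSS token bytes
     * @return the mechanism OID found in the token header
     * @throws IOException  if the token header cannot be parsed
     * @throws GSSException if the parsed OID string is not a valid OID
     */
    private static Oid getOid(byte[] token) throws IOException, GSSException {
        GSSHeader header = new GSSHeader(new ByteArrayInputStream(token, 0, token.length));
        return GSSUtil.createOid(header.getOid().toString());
    }

    /**
     * Validates the Kerberos grant carried by the token request and, on success, sets the ticket's initiator as
     * the authorized user of {@code oAuthTokenReqMessageContext}.
     * <p>
     * Steps: read the token and realm request parameters; resolve the IdP registered under the realm and its
     * Kerberos authenticator properties; log in as the configured service principal and accept the ticket; map
     * the initiator to a local user (first configured user store domain that knows it) or a federated user.
     * A ticket that is not accepted does not raise: an error response header is recorded and {@code false} is
     * returned.
     *
     * @param oAuthTokenReqMessageContext the token request context
     * @return {@code true} if the ticket was accepted and an authorized user was set, {@code false} otherwise
     * @throws IdentityOAuth2Exception if a mandatory request parameter or the IdP's Kerberos configuration is
     *                                 missing, if the IdP lookup fails, or if a user store lookup fails
     */
    public boolean validateGrant(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        String tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        if (StringUtils.isEmpty(tenantDomain)) {
            tenantDomain = DEFAULT_TENANT_DOMAIN;
        }

        String encodedToken = null;
        String realm = null;
        RequestParameter[] requestParameters =
                oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getRequestParameters();
        if (requestParameters != null) {
            for (RequestParameter parameter : requestParameters) {
                String[] values = parameter.getValue();
                if (values == null || values.length == 0) {
                    continue;
                }
                if (KerberosGrantConstants.KERBEROS_GRANT_TOKEN.equals(parameter.getKey())) {
                    encodedToken = values[0];
                    if (StringUtils.isEmpty(encodedToken)) {
                        throw failure("Kerberos service token cannot be empty.");
                    }
                } else if (KerberosGrantConstants.KERBEROS_REALM.equals(parameter.getKey())) {
                    realm = values[0];
                    if (StringUtils.isEmpty(realm)) {
                        throw failure("Kerberos realm cannot be empty.");
                    }
                }
            }
        }
        // Both parameters are mandatory. Without these checks an absent token reached Base64.decode(null) and an
        // absent realm was passed straight to the IdP lookup.
        if (encodedToken == null) {
            throw failure("Kerberos service token cannot be empty.");
        }
        if (realm == null) {
            throw failure("Kerberos realm cannot be empty.");
        }

        // The client-supplied realm is the IdP name: it selects which registered IdP, and therefore which service
        // principal, the ticket is accepted under. An unknown realm fails here rather than falling back to a default.
        FederatedAuthenticatorConfig kerberosConfig;
        try {
            kerberosConfig = getKerberosAuthenticatorConfig(realm, tenantDomain);
        } catch (IdentityProviderManagementException e) {
            // Keep the cause attached; it was dropped before.
            throw failure("Error while getting the Federated Identity Provider ", e);
        }

        String spnName = null;
        String spnPassword = null;
        String userStoreDomains = null;
        Property[] properties = kerberosConfig.getProperties();
        if (properties != null) {
            for (Property property : properties) {
                String propertyName = property.getName();
                if (KerberosGrantConstants.KERBEROS_IDP_SPNNAME.equals(propertyName)) {
                    spnName = property.getValue();
                } else if (KerberosGrantConstants.KERBEROS_IDP_SPNPASSWORD.equals(propertyName)) {
                    spnPassword = property.getValue();
                } else if (KerberosGrantConstants.USER_STORE_DOMAINS.equals(propertyName)) {
                    userStoreDomains = property.getValue();
                }
            }
        }
        if (StringUtils.isEmpty(spnName) || StringUtils.isEmpty(spnPassword)) {
            throw failure("Kerberos username/password is not provided for the IDP : " + realm);
        }

        String initiator = acceptTicket(spnName, spnPassword, Base64.decode(encodedToken));
        if (initiator == null) {
            ResponseHeader responseHeader = new ResponseHeader();
            responseHeader.setKey("OAuth2 Token Request");
            responseHeader.setValue("Provided Kerberos token is Invalid.");
            oAuthTokenReqMessageContext.addProperty(RESPONSE_HEADERS_PROPERTY, new ResponseHeader[]{responseHeader});
            return false;
        }

        AuthenticatedUser authenticatedUser = new AuthenticatedUser();
        // The initiator's "@REALM" suffix is dropped for the local user name; the ticket itself was already
        // accepted under the service principal of the IdP selected by the request's realm parameter.
        authenticatedUser.setUserName(stripRealm(initiator));
        if (StringUtils.isNotEmpty(userStoreDomains)) {
            assignUserStoreDomain(authenticatedUser, tenantDomain, userStoreDomains);
        } else {
            authenticatedUser.setFederatedUser(true);
        }
        // NOTE(review): this is the raw request value, which may be empty, whereas the IdP and user store lookups
        // above used the carbon.super fallback — confirm downstream treats the empty case the same way.
        authenticatedUser.setTenantDomain(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain());
        oAuthTokenReqMessageContext.setAuthorizedUser(authenticatedUser);
        oAuthTokenReqMessageContext.setScope(oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getScope());
        oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().setResourceOwnerUsername(initiator);
        if (log.isDebugEnabled()) {
            log.debug("Issuing OAuth2 token by kerberos-oauth2 grant");
        }
        return true;
    }

    /**
     * Resolves the Kerberos federated-authenticator configuration of the IdP registered under {@code realm}.
     *
     * @param realm        IdP name taken from the request's realm parameter
     * @param tenantDomain tenant in which the IdP is looked up
     * @return the Kerberos authenticator configuration, never {@code null}
     * @throws IdentityOAuth2Exception             if no IdP or no Kerberos authenticator is registered for the realm
     * @throws IdentityProviderManagementException if the IdP lookup itself fails
     */
    private FederatedAuthenticatorConfig getKerberosAuthenticatorConfig(String realm, String tenantDomain)
            throws IdentityOAuth2Exception, IdentityProviderManagementException {
        IdentityProvider identityProvider = IdentityProviderManager.getInstance().getIdPByName(realm, tenantDomain);
        if (identityProvider == null) {
            throw failure("No Registered IDP found for Kerberos with realm : " + realm);
        }
        FederatedAuthenticatorConfig kerberosConfig = IdentityApplicationManagementUtil.getFederatedAuthenticator(
                identityProvider.getFederatedAuthenticatorConfigs(), KerberosGrantConstants.KERBEROS_IDP_IDENTIFIER);
        if (kerberosConfig == null) {
            throw failure("Kerberos IDP configuration could not be located : " + realm);
        }
        return kerberosConfig;
    }

    /**
     * Logs in as the service principal, accepts the ticket and returns the name of its initiator.
     * <p>
     * Credential and ticket failures are logged and reported as {@code null} so the caller can answer with an
     * "invalid token" response instead of an exception. The GSS credential is disposed once the ticket has been
     * processed; the transient password array is wiped after the login attempt.
     *
     * @param spnName     service principal name from the IdP configuration
     * @param spnPassword service principal password from the IdP configuration
     * @param ticket      base64-decoded GSS token from the request
     * @return the GSS source (initiator) name, or {@code null} if no credential could be obtained or the ticket
     *         was not accepted
     */
    private String acceptTicket(String spnName, String spnPassword, byte[] ticket) {
        Oid mechanism = GSSUtil.GSS_SPNEGO_MECH_OID;
        try {
            mechanism = getOid(ticket);
        } catch (IOException | GSSException e) {
            log.warn("Unable to get Oid. Setting to default type SPENGO " + e.getMessage());
        }

        GSSCredential credential = null;
        char[] password = spnPassword.toCharArray();
        try {
            credential = createCredentials(spnName, password, mechanism);
        } catch (PrivilegedActionException | LoginException e) {
            log.error("Unable to obtain GSS acceptor credentials for service principal: " + spnName, e);
        } finally {
            // The login module copies the password out of the callback, so the local copy can be wiped here.
            Arrays.fill(password, '\0');
        }
        if (credential == null) {
            return null;
        }

        try {
            String initiator = validateKerberosTicket(credential, ticket);
            if (initiator != null && log.isDebugEnabled()) {
                log.debug("Kerberos token validated successfully");
            }
            return initiator;
        } catch (GSSException e) {
            log.error("Kerberos ticket validation failed.", e);
            return null;
        } finally {
            try {
                credential.dispose();
            } catch (GSSException e) {
                log.debug("Unable to dispose GSS credential.", e);
            }
        }
    }

    /**
     * Binds {@code user} to the first configured user store domain in which the user name exists.
     * <p>
     * When no configured domain knows the user, the user store domain is left unset and the user remains
     * authorized. NOTE(review): confirm that downstream handling of a user without a user store domain is the
     * intended outcome for this deployment.
     *
     * @param user             authenticated user whose user store domain is to be set
     * @param tenantDomain     tenant in which the user stores are searched
     * @param userStoreDomains comma-separated list of user store domains from the IdP configuration
     * @throws IdentityOAuth2Exception if a user store lookup fails
     */
    private void assignUserStoreDomain(AuthenticatedUser user, String tenantDomain, String userStoreDomains)
            throws IdentityOAuth2Exception {
        for (String configuredDomain : userStoreDomains.split(USER_STORE_DOMAIN_SEPARATOR)) {
            String domain = configuredDomain.trim();
            if (domain.isEmpty()) {
                continue;
            }
            if (isUserExistsInUserStore(user.getUserName(), tenantDomain, domain)) {
                user.setUserStoreDomain(domain);
                return;
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("User: " + user.getUserName() + " does not exist in given user store domains: " + userStoreDomains);
        }
    }

    /**
     * Returns {@code principal} without its trailing {@code @REALM} part; unchanged when it has none.
     *
     * @param principal GSS initiator name, e.g. {@code user@EXAMPLE.COM}
     * @return the part before the last {@code '@'}
     */
    private static String stripRealm(String principal) {
        int at = principal.lastIndexOf('@');
        return at == -1 ? principal : principal.substring(0, at);
    }

    /**
     * Logs in as the service principal through the {@code KerberosGrantConstants.SERVER} JAAS configuration and
     * creates an accept-only GSS credential for it.
     * <p>
     * NOTE(review): the login context is never logged out; the Subject holding the service principal's
     * Kerberos credentials is simply discarded with it — confirm whether explicit cleanup is wanted.
     *
     * @param spnName   service principal name
     * @param password  service principal password; copied by the login module, not retained here
     * @param mechanism GSS mechanism the credential is created for
     * @return an acceptor credential bound to the logged-in Subject
     * @throws LoginException           if the JAAS login fails
     * @throws PrivilegedActionException if credential creation inside the Subject fails (wraps {@link GSSException})
     */
    private GSSCredential createCredentials(String spnName, char[] password, final Oid mechanism)
            throws LoginException, PrivilegedActionException {
        LoginContext loginContext = new LoginContext(KerberosGrantConstants.SERVER,
                getUserNamePasswordCallbackHandler(spnName, password));
        loginContext.login();
        if (log.isDebugEnabled()) {
            log.debug("Pre-authentication successful for with Kerberos Server.");
        }
        PrivilegedExceptionAction<GSSCredential> createCredential = new PrivilegedExceptionAction<GSSCredential>() {
            @Override
            public GSSCredential run() throws GSSException {
                // A null name uses the principal of the Subject this runs under; ACCEPT_ONLY because this side only
                // ever accepts client tickets.
                return gssManager.createCredential((GSSName) null, GSSCredential.INDEFINITE_LIFETIME, mechanism,
                        GSSCredential.ACCEPT_ONLY);
            }
        };
        Subject subject = loginContext.getSubject();
        if (log.isDebugEnabled()) {
            Set<Principal> principals = subject.getPrincipals();
            log.debug("Creating gss credentials as principal : " + principals);
        }
        return Subject.doAs(subject, createCredential);
    }

    /**
     * Builds a JAAS callback handler that answers name and password callbacks with the given values.
     * <p>
     * Any other callback type is logged and left unanswered rather than rejected with
     * {@code UnsupportedCallbackException}, so a login module asking for extra callbacks still proceeds.
     *
     * @param username user name supplied to {@link NameCallback}
     * @param password password supplied to {@link PasswordCallback}
     * @return the callback handler
     */
    private CallbackHandler getUserNamePasswordCallbackHandler(final String username, final char[] password) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(username);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(password);
                    } else {
                        log.error("Unsupported Callback class = " + callback.getClass().getName());
                    }
                }
            }
        };
    }

    /**
     * Accepts the ticket in a fresh GSS context and returns the initiator's name.
     * <p>
     * This is a single-shot acceptance: the output token produced by {@code acceptSecContext} (if any) is
     * discarded, so a ticket that needs further round trips is treated as not established. The context is
     * disposed before returning.
     *
     * @param credential acceptor credential of the service principal
     * @param ticket     base64-decoded GSS token
     * @return the GSS source name, or {@code null} if the context was not established
     * @throws GSSException if the token is rejected by the GSS mechanism
     */
    private String validateKerberosTicket(GSSCredential credential, byte[] ticket) throws GSSException {
        GSSContext context = gssManager.createContext(credential);
        try {
            context.acceptSecContext(ticket, 0, ticket.length);
            if (!context.isEstablished()) {
                log.error("Unable to decrypt the kerberos ticket as context was not established.");
                return null;
            }
            String initiator = context.getSrcName().toString();
            if (log.isDebugEnabled()) {
                log.debug("Extracted details from GSS Token, Initiator : " + initiator + " , Intended target : "
                        + context.getTargName().toString());
            }
            return initiator;
        } finally {
            try {
                context.dispose();
            } catch (GSSException e) {
                // Never mask the primary outcome with a cleanup failure.
                log.debug("Unable to dispose GSS context.", e);
            }
        }
    }

    /**
     * Logs {@code message} at error level and returns the exception to throw for it.
     *
     * @param message error message, also used as the exception message
     * @return a new {@link IdentityOAuth2Exception} carrying {@code message}
     */
    private static IdentityOAuth2Exception failure(String message) {
        log.error(message);
        return new IdentityOAuth2Exception(message);
    }

    /**
     * Logs {@code message} with its cause at error level and returns the exception to throw for it.
     *
     * @param message error message, also used as the exception message
     * @param cause   underlying failure, preserved as the exception's cause
     * @return a new {@link IdentityOAuth2Exception} carrying {@code message} and {@code cause}
     */
    private static IdentityOAuth2Exception failure(String message, Exception cause) {
        log.error(message, cause);
        return new IdentityOAuth2Exception(message, cause);
    }

    /**
     * Checks whether {@code username} exists in the given user store domain of the tenant.
     *
     * @param username        user name without domain prefix
     * @param tenantDomain    tenant whose realm is queried
     * @param userStoreDomain user store domain to qualify the name with
     * @return {@code true} if the user store reports the domain-qualified user as existing
     * @throws IdentityOAuth2Exception if the tenant id, user realm or user store lookup fails
     */
    private boolean isUserExistsInUserStore(String username, String tenantDomain, String userStoreDomain)
            throws IdentityOAuth2Exception {
        try {
            String domainQualifiedName = IdentityUtil.addDomainToName(username, userStoreDomain);
            RealmService realmService = IdentityTenantUtil.getRealmService();
            int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            return realmService.getTenantUserRealm(tenantId).getUserStoreManager().isExistingUser(domainQualifiedName);
        } catch (UserStoreException e) {
            throw failure(String.format("Error when searching for user: %s in '%s' userStoreDomain in '%s' tenant.",
                    username, userStoreDomain, tenantDomain), e);
        } catch (org.wso2.carbon.user.api.UserStoreException e) {
            throw failure(String.format("Error while retrieving userStoreManger for tenant: %s.", tenantDomain), e);
        }
    }
}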
