package com.orientechnologies.orient.core.security.kerberos;

import com.orientechnologies.common.exception.OException;
import com.orientechnologies.common.log.OLogManager;
import com.orientechnologies.orient.core.config.OGlobalConfiguration;
import com.orientechnologies.orient.core.exception.OSecurityException;
import com.orientechnologies.orient.core.security.OCredentialInterceptor;
import com.orientechnologies.orient.core.serialization.OBase64Utils;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/orientechnologies/orient/core/security/kerberos/OKerberosCredentialInterceptor.class */
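/**
 * Client-side credential interceptor that turns a Kerberos principal into a
 * (principal, service ticket) pair.
 *
 * <p>{@link #intercept(String, String, String)} performs a JAAS login with
 * {@code OKrb5ClientLoginModuleConfig}, asks GSS-API for an initial security
 * context token for the target service principal name (SPN), and stores that
 * token Base64-encoded. {@link #getUsername()} then returns the principal and
 * {@link #getPassword()} returns the encoded token.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The value returned by {@link #getPassword()} is a live Kerberos
 *       credential for the target service. Treat it like a password: do not
 *       log it or persist it.</li>
 *   <li>{@code intercept} sets the JVM-wide system property
 *       {@code java.security.krb5.conf}. That affects every Kerberos user in
 *       the process, and nothing in this class serialises concurrent calls
 *       that resolve different configuration paths.</li>
 *   <li>Mutual authentication is explicitly not requested, so the GSS exchange
 *       performed here does not verify the server to the client.</li>
 * </ul>
 *
 * <p>Instances hold mutable state and contain no synchronisation.
 */
public class OKerberosCredentialInterceptor implements OCredentialInterceptor {
    private String principal;
    private String serviceTicket;
    private static final boolean __TRANSFORMED_BY_JAVASSIST_MAVEN_PLUGIN__com_orientechnologies_common_javassist_OStaticInitializerExceptionLoggerWeaver = true;

    /**
     * Returns the principal passed to the most recent {@code intercept} call
     * that got past principal validation, or {@code null} if there was none.
     */
    @Override // com.orientechnologies.orient.core.security.OCredentialInterceptor
    public String getUsername() {
        return this.principal;
    }

    /**
     * Returns the Base64-encoded service ticket obtained by the most recent
     * successful {@code intercept} call, or {@code null} if none is available.
     * The value is a credential and must not be logged.
     */
    @Override // com.orientechnologies.orient.core.security.OCredentialInterceptor
    public String getPassword() {
        return this.serviceTicket;
    }

    /**
     * Logs in as the given principal and obtains a service ticket for the SPN.
     *
     * <p>Each Kerberos setting is read from its environment variable
     * ({@code KRB5_CONFIG}, {@code KRB5CCNAME}, {@code KRB5_CLIENT_KTNAME}) and
     * overridden by the matching {@code OGlobalConfiguration} value when that
     * value is non-null.
     *
     * @param str  connection URL; used only to derive the SPN
     *             ({@code "OrientDB/" + host}) when {@code str3} is null or empty
     * @param str2 client principal; must be non-null and non-empty
     * @param str3 service principal name; may be null or empty if {@code str}
     *             contains a parseable host
     * @throws OSecurityException if the principal is missing, no SPN can be
     *     determined, the Kerberos configuration is incomplete, the JAAS login
     *     fails, or no service ticket could be obtained
     */
    @Override // com.orientechnologies.orient.core.security.OCredentialInterceptor
    public void intercept(String str, String str2, String str3) throws OSecurityException {
        if (str2 == null || str2.isEmpty()) {
            throw new OSecurityException("OKerberosCredentialInterceptor Principal cannot be null!");
        }
        this.principal = str2;
        // Drop any ticket from an earlier call so that a failure below can never
        // leave the new principal paired with a ticket issued for a previous one.
        this.serviceTicket = null;

        String spn = str3;
        if (spn == null || spn.isEmpty()) {
            spn = deriveSpnFromUrl(str);
        }

        String krb5Config = firstNonNull(OGlobalConfiguration.CLIENT_KRB5_CONFIG.getValueAsString(), System.getenv("KRB5_CONFIG"));
        String credentialCache = firstNonNull(OGlobalConfiguration.CLIENT_KRB5_CCNAME.getValueAsString(), System.getenv("KRB5CCNAME"));
        String keyTab = firstNonNull(OGlobalConfiguration.CLIENT_KRB5_KTNAME.getValueAsString(), System.getenv("KRB5_CLIENT_KTNAME"));

        if (krb5Config == null) {
            throw new OSecurityException("OKerberosCredentialInterceptor KRB5 Config cannot be null!");
        }
        if (credentialCache == null && keyTab == null) {
            throw new OSecurityException("OKerberosCredentialInterceptor KRB5 Credential Cache and KeyTab cannot both be null!");
        }
        try {
            // NOTE(review): process-wide side effect; every other Kerberos client in
            // this JVM will pick up this krb5.conf path from now on.
            System.setProperty("java.security.krb5.conf", krb5Config);
            LoginContext loginContext = new LoginContext("ignore", (Subject) null, (CallbackHandler) null, new OKrb5ClientLoginModuleConfig(str2, credentialCache, keyTab));
            loginContext.login();
            try {
                this.serviceTicket = getServiceTicket(loginContext.getSubject(), str2, spn);
            } finally {
                // Always release the JAAS session, even if ticket acquisition throws.
                try {
                    loginContext.logout();
                } catch (LoginException e2) {
                    OLogManager.instance().debug(this, "intercept() LogoutException", e2, new Object[0]);
                }
            }
            if (this.serviceTicket == null) {
                throw new OSecurityException("OKerberosCredentialInterceptor Cannot obtain the service ticket!");
            }
        } catch (LoginException e3) {
            OLogManager.instance().debug(this, "intercept() LoginException", e3, new Object[0]);
            throw OException.wrapException(new OSecurityException("OKerberosCredentialInterceptor Client Validation Exception!"), e3);
        }
    }

    /** Returns {@code preferred} unless it is null, in which case {@code fallback}. */
    private static String firstNonNull(String preferred, String fallback) {
        return preferred != null ? preferred : fallback;
    }

    /**
     * Builds the SPN {@code "OrientDB/" + host} from the host part of the URL.
     *
     * <p>NOTE(review): the SPN decides which service the ticket is issued for.
     * When the URL comes from a less-trusted source than the rest of the client
     * configuration, passing an explicit SPN to {@code intercept} is the safer
     * choice - confirm against the callers.
     */
    private String deriveSpnFromUrl(String url) {
        if (url == null || url.isEmpty()) {
            throw new OSecurityException("OKerberosCredentialInterceptor URL and SPN cannot both be null!");
        }
        try {
            String normalized = url;
            if (normalized.startsWith("remote:") && !normalized.startsWith("remote://")) {
                // Rewrite only the leading scheme; String.replace would also rewrite
                // any later "remote:" occurrence inside the URL.
                normalized = "remote://" + normalized.substring("remote:".length());
            }
            String host = new URI(normalized).getHost();
            if (host == null) {
                throw new OSecurityException("OKerberosCredentialInterceptor Could not create SPN from URL: " + url);
            }
            return "OrientDB/" + host;
        } catch (URISyntaxException e) {
            throw OException.wrapException(new OSecurityException("OKerberosCredentialInterceptor Could not create SPN from URL: " + url), e);
        }
    }

    /**
     * Returns the name of the first principal of the subject, or {@code null}
     * when the subject is null or carries no principals.
     */
    private String getFirstPrincipal(Subject subject) {
        if (subject == null) {
            return null;
        }
        // Iterating avoids the ArrayIndexOutOfBoundsException that toArray()[0]
        // raises on an empty principal set.
        for (Principal first : subject.getPrincipals()) {
            return first.getName();
        }
        return null;
    }

    /**
     * Requests the initial GSS-API token for {@code spn} while running as
     * {@code subject}, and returns it Base64-encoded.
     *
     * <p>Every failure is logged and reported as {@code null}. The failure inside
     * the privileged action is logged at debug level only, so diagnosing a
     * missing ticket may need debug logging enabled.
     *
     * @param subject         the subject produced by the JAAS login
     * @param clientPrincipal client principal; used only on the native JGSS path
     * @param spn             service principal name to obtain the ticket for
     * @return the Base64-encoded token, or {@code null} on any failure
     */
    private String getServiceTicket(Subject subject, String clientPrincipal, String spn) {
        try {
            GSSManager manager = GSSManager.getInstance();
            GSSName serviceName = manager.createName(spn, GSSName.NT_USER_NAME);
            // 1.2.840.113554.1.2.2 is the Kerberos V5 GSS-API mechanism OID.
            Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
            final GSSContext context = manager.createContext(serviceName, krb5Mechanism, (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);
            if (context == null) {
                OLogManager.instance().debug(this, "getServiceTicket() GSSContext is null!", new Object[0]);
                return null;
            }
            try {
                if (Boolean.getBoolean("sun.security.jgss.native")) {
                    OLogManager.instance().info(this, "getServiceTicket() Using Native JGSS", new Object[0]);
                    try {
                        // With native JGSS the initiator credential is added to the subject by hand.
                        subject.getPrivateCredentials().add(manager.createCredential(manager.createName(clientPrincipal, GSSName.NT_USER_NAME), GSSCredential.DEFAULT_LIFETIME, krb5Mechanism, GSSCredential.INITIATE_ONLY));
                    } catch (GSSException e) {
                        OLogManager.instance().error(this, "getServiceTicket() Use Native JGSS GSSException", e, new Object[0]);
                    }
                }
                byte[] token = Subject.doAs(subject, new PrivilegedAction<byte[]>() { // from class: com.orientechnologies.orient.core.security.kerberos.OKerberosCredentialInterceptor.1
                    private static final boolean __TRANSFORMED_BY_JAVASSIST_MAVEN_PLUGIN__com_orientechnologies_common_javassist_OStaticInitializerExceptionLoggerWeaver = true;

                    @Override // java.security.PrivilegedAction
                    public byte[] run() {
                        try {
                            byte[] emptyInput = new byte[0];
                            // NOTE(review): mutual authentication is off, so this exchange does
                            // not prove the server's identity to the client. Enabling it needs a
                            // reply token from the server, which this single-token flow never
                            // processes. Credential delegation is off as well.
                            context.requestMutualAuth(false);
                            context.requestCredDeleg(false);
                            return context.initSecContext(emptyInput, 0, emptyInput.length);
                        } catch (Exception e2) {
                            OLogManager.instance().debug(this, "getServiceTicket() doAs() Exception", e2, new Object[0]);
                            return null;
                        }
                    }
                });
                return token != null ? OBase64Utils.encodeBytes(token) : null;
            } finally {
                // Release the context on every path; previously it was disposed only
                // when no token was produced, leaking it on success.
                try {
                    context.dispose();
                } catch (GSSException disposeFailure) {
                    OLogManager.instance().debug(this, "getServiceTicket() GSSContext dispose failed", disposeFailure, new Object[0]);
                }
            }
        } catch (Exception e2) {
            OLogManager.instance().error(this, "getServiceTicket() Exception", e2, new Object[0]);
            return null;
        }
    }
}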
