package org.wso2.carbon.mediator.kerberos;

import java.io.File;
import java.io.UnsupportedEncodingException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.SynapseException;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.mediators.AbstractMediator;
import org.apache.synapse.mediators.Value;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/wso2/carbon/mediator/kerberos/KerberosMediator.class */
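/**
 * Synapse mediator that obtains a SPNEGO/Kerberos service ticket for the configured SPN and
 * places it on the outgoing message as an {@code Authorization: Negotiate <base64 token>}
 * transport header.
 *
 * <p>The client identity is established with a JAAS {@code Krb5LoginModule} login, either
 * with a username/password (callback handler) or with a keytab. The resulting Subject is used
 * to acquire an initiator-only GSS credential, from which a single {@code initSecContext}
 * call produces the service ticket.
 *
 * <p>Side effects to be aware of: {@link #setKerberosConfigurations} and
 * {@link #setJaasConfiguration} write JVM-wide state ({@code System} properties and the global
 * JAAS {@link Configuration}), so every JAAS/Kerberos user in this JVM observes them.
 *
 * <p>NOTE(review): the per-message values ({@code clientPrincipalValue}, {@code passwordValue},
 * {@code keytabPathValue}) are stored on the mediator instance. If one instance is shared
 * between concurrently mediated messages these fields can interleave — confirm how Synapse
 * shares mediator instances before relying on this in a concurrent deployment.
 */
public class KerberosMediator extends AbstractMediator {

    private static final Log log = LogFactory.getLog(KerberosMediator.class);

    /** JAAS login module used when no login context name / login config is supplied. */
    private static final String DEFAULT_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String TRANSPORT_HEADERS = "TRANSPORT_HEADERS";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String NEGOTIATE_PREFIX = "Negotiate ";
    private static final String CONTEXT_DISPOSE_WARNING = "Error while disposing GSS Context";
    private static final String CREDENTIAL_DISPOSE_WARNING = "Error while disposing GSS Credential";

    // Static configuration (set from the mediator definition).
    private String spn;
    private Value clientPrincipal;
    private Value password;
    private Value keytabPath;
    private String krb5Config;
    private String loginContextName;
    private String loginConfig;

    // Values evaluated per message from the Value expressions above (see setElements).
    private String clientPrincipalValue;
    private String passwordValue;
    private String keytabPathValue;

    private final GSSManager gssManager = GSSManager.getInstance();

    /**
     * Acquires a Kerberos service ticket for {@link #getSpn()} and sets it as the
     * {@code Authorization} transport header of the message.
     *
     * @param messageContext the message being mediated
     * @return {@code true} when the header was set (or the debugger diverted the route);
     *         {@code false} when no ticket could be obtained — the failure is logged, never thrown
     */
    @Override
    public boolean mediate(MessageContext messageContext) {
        if (messageContext.getEnvironment().isDebuggerEnabled() && super.divertMediationRoute(messageContext)) {
            return true;
        }
        setElements(messageContext);
        setKerberosConfigurations(messageContext);

        GSSContext gssContext = null;
        GSSCredential clientCredential = null;
        try {
            Oid spnegoOid = new Oid(KerberosConstants.SPNEGO_BASED_OID);
            // The service name is canonicalized before the credential is acquired, so a bad SPN
            // fails fast without triggering a JAAS login.
            GSSName serviceName = gssManager.createName(getSpn(), GSSName.NT_USER_NAME).canonicalize(spnegoOid);
            clientCredential = createCredentials(spnegoOid);
            gssContext = gssManager.createContext(serviceName, spnegoOid, clientCredential, GSSContext.DEFAULT_LIFETIME);

            // First (and only) leg of the SPNEGO handshake: an empty input token yields the
            // initial token carrying the service ticket.
            byte[] emptyToken = new byte[0];
            byte[] serviceTicket = gssContext.initSecContext(emptyToken, 0, emptyToken.length);
            if (serviceTicket == null) {
                log.error("Unable to get the Kerberos service ticket.");
                return false;
            }
            setAuthorizationHeader((Axis2MessageContext) messageContext, serviceTicket);
            return true;
        } catch (UnsupportedEncodingException e) {
            log.error("Unable to encrypt the Kerberos service ticket.", e);
            return false;
        } catch (PrivilegedActionException | LoginException | GSSException e) {
            log.error("Error while creating the Kerberos service ticket.", e);
            return false;
        } finally {
            // Release native/JDK GSS state on every path, including exceptions thrown by
            // initSecContext or by the header encoding.
            disposeQuietly(gssContext);
            disposeQuietly(clientCredential);
        }
    }

    /** Disposes a GSS context, logging (not propagating) a failure to do so. */
    private static void disposeQuietly(GSSContext context) {
        if (context == null) {
            return;
        }
        try {
            context.dispose();
        } catch (GSSException e) {
            log.warn(CONTEXT_DISPOSE_WARNING, e);
        }
    }

    /** Disposes a GSS credential, logging (not propagating) a failure to do so. */
    private static void disposeQuietly(GSSCredential credential) {
        if (credential == null) {
            return;
        }
        try {
            credential.dispose();
        } catch (GSSException e) {
            log.warn(CREDENTIAL_DISPOSE_WARNING, e);
        }
    }

    /**
     * Evaluates the configured {@link Value} expressions against the current message and caches
     * the results on this instance for the rest of the mediation.
     *
     * @param messageContext the message used to evaluate the expressions
     */
    private void setElements(MessageContext messageContext) {
        if (getClientPrincipal() != null) {
            this.clientPrincipalValue = getClientPrincipal().evaluateValue(messageContext);
        }
        if (getPassword() != null) {
            this.passwordValue = getPassword().evaluateValue(messageContext);
        }
        if (getKeytabPath() != null) {
            this.keytabPathValue = getKeytabPath().evaluateValue(messageContext);
        }
    }

    /**
     * Sets the {@code Authorization: Negotiate <base64 ticket>} transport header.
     *
     * <p>NOTE(review): the message's existing {@code TRANSPORT_HEADERS} map is replaced
     * wholesale, so any headers already present on the message are dropped — confirm that this
     * is intended rather than merging the new header into the existing map.
     *
     * @param axis2MessageContext the Synapse message wrapping the Axis2 message context
     * @param serviceTicket       the raw GSS initial token
     * @throws UnsupportedEncodingException if {@code KerberosConstants.UTF8} is not a known charset
     */
    private void setAuthorizationHeader(Axis2MessageContext axis2MessageContext, byte[] serviceTicket)
            throws UnsupportedEncodingException {
        org.apache.axis2.context.MessageContext axis2MsgCtx = axis2MessageContext.getAxis2MessageContext();
        String headerValue = NEGOTIATE_PREFIX + new String(Base64.encodeBase64(serviceTicket), KerberosConstants.UTF8);
        Map<String, Object> transportHeaders = new ConcurrentHashMap<String, Object>();
        transportHeaders.put(AUTHORIZATION_HEADER, headerValue);
        axis2MsgCtx.setProperty(TRANSPORT_HEADERS, transportHeaders);
    }

    /**
     * Chooses the authentication mechanism (password or keytab) from the per-message values,
     * installs the matching JAAS configuration and acquires the client credential.
     *
     * @param oid the mechanism OID the credential is acquired for
     * @return an initiator-only credential for {@code clientPrincipalValue}; the caller disposes it
     * @throws SynapseException if no principal, or neither a password nor a keytab, is available
     */
    private GSSCredential createCredentials(Oid oid) throws LoginException, PrivilegedActionException, GSSException {
        if (StringUtils.isEmpty(this.clientPrincipalValue)) {
            throw new SynapseException("Could not find the username to authenticate the user.");
        }
        CallbackHandler callbackHandler;
        if (StringUtils.isNotEmpty(this.passwordValue)) {
            // Password takes precedence over a keytab when both are configured.
            setJaasConfiguration(false);
            callbackHandler = getUserNamePasswordCallbackHandler(this.clientPrincipalValue, this.passwordValue.toCharArray());
        } else if (StringUtils.isNotEmpty(this.keytabPathValue)) {
            setJaasConfiguration(true);
            callbackHandler = null;
        } else {
            throw new SynapseException("Could not find the password or keyTab to authenticate the user.");
        }
        return createClientCredentials(callbackHandler, oid);
    }

    /**
     * Performs the JAAS login and acquires a GSS credential as the logged-in Subject.
     *
     * @param callbackHandler supplies name/password to the login module; {@code null} for keytab login
     * @param oid             the mechanism OID the credential is acquired for
     * @return an initiator-only credential with the default lifetime; the caller disposes it
     */
    private GSSCredential createClientCredentials(CallbackHandler callbackHandler, final Oid oid)
            throws LoginException, PrivilegedActionException, GSSException {
        String contextName = StringUtils.isNotEmpty(getLoginContextName()) ? getLoginContextName() : DEFAULT_LOGIN_MODULE;
        LoginContext loginContext = callbackHandler != null
                ? new LoginContext(contextName, callbackHandler)
                : new LoginContext(contextName);
        loginContext.login();
        if (log.isDebugEnabled()) {
            log.debug("Pre-authentication successful for with Kerberos Server.");
        }

        final GSSName clientName = this.gssManager.createName(this.clientPrincipalValue, GSSName.NT_USER_NAME);
        PrivilegedExceptionAction<GSSCredential> acquireCredential = new PrivilegedExceptionAction<GSSCredential>() {
            @Override
            public GSSCredential run() throws GSSException {
                return KerberosMediator.this.gssManager.createCredential(
                        clientName.canonicalize(oid), GSSCredential.DEFAULT_LIFETIME, oid, GSSCredential.INITIATE_ONLY);
            }
        };

        Subject subject = loginContext.getSubject();
        if (log.isDebugEnabled()) {
            // Principals only — never the Subject's private credentials.
            Set<Principal> principals = subject.getPrincipals();
            log.debug("Creating gss credentials as principal : " + (principals != null ? principals.toString() : null));
        }
        return Subject.doAs(subject, acquireCredential);
    }

    /**
     * Builds a callback handler that answers {@link NameCallback} with {@code userName} and
     * {@link PasswordCallback} with {@code password}; any other callback type is logged and ignored.
     *
     * @param userName the client principal name
     * @param password the password characters; retained by the handler for the login's duration
     */
    private CallbackHandler getUserNamePasswordCallbackHandler(final String userName, final char[] password) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(userName);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(password);
                    } else {
                        log.error("Unsupported Callback class = " + callback.getClass().getName());
                    }
                }
            }
        };
    }

    /**
     * Points the JVM-wide Kerberos configuration property at {@link #getKrb5Config()}.
     *
     * @param messageContext used to report the missing configuration through {@code handleException}
     */
    private void setKerberosConfigurations(MessageContext messageContext) {
        if (StringUtils.isNotEmpty(getKrb5Config())) {
            // JVM-global: affects every Kerberos consumer in this process, not just this mediator.
            System.setProperty(KerberosConstants.KERBEROS_CONFIG_PROPERTY, new File(getKrb5Config()).getAbsolutePath());
        } else {
            handleException("Could not find the Kerberos configuration.", messageContext);
        }
    }

    /**
     * Installs a JVM-wide JAAS {@link Configuration} whose single entry is a REQUIRED
     * {@code Krb5LoginModule} configured for this mediator's principal.
     *
     * <p>When {@link #getLoginConfig()} is set, the options of the entry named
     * {@link #getLoginContextName()} in that file are used as the base and then overridden with
     * the values derived here. The installed configuration ignores the requested entry name, so
     * every {@link LoginContext} created in this JVM afterwards resolves to this entry.
     *
     * @param useKeytab {@code true} to authenticate with {@code keytabPathValue},
     *                  {@code false} to authenticate with the password callback
     * @throws SynapseException if a login config file is given but contains no entry for the
     *                          configured login context name
     */
    private void setJaasConfiguration(boolean useKeytab) {
        final Map<String, Object> options = new HashMap<String, Object>();
        if (StringUtils.isNotEmpty(getLoginConfig())) {
            System.setProperty(KerberosConstants.JAAS_CONFIG_PROPERTY, new File(getLoginConfig()).getAbsolutePath());
            AppConfigurationEntry[] entries = Configuration.getConfiguration().getAppConfigurationEntry(getLoginContextName());
            if (entries == null || entries.length == 0) {
                throw new SynapseException("No JAAS login configuration entry found for login context name: "
                        + getLoginContextName());
            }
            options.putAll(entries[0].getOptions());
        }
        options.put(KerberosConstants.IS_INITIATOR, "true");
        options.put(KerberosConstants.PRINCIPAL, this.clientPrincipalValue);
        options.put(KerberosConstants.USE_KEYTAB, String.valueOf(useKeytab));
        // A null keytab entry deliberately overrides any keytab inherited from the login config file.
        options.put(KerberosConstants.KEYTAB, useKeytab ? new File(this.keytabPathValue).getAbsolutePath() : null);
        if (log.isDebugEnabled()) {
            // Krb5LoginModule debug output goes to stdout and includes principal/ticket details.
            options.put(KerberosConstants.DEBUG, "true");
        }
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry(
                        DEFAULT_LOGIN_MODULE, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)};
            }
        });
    }

    public String getLoginContextName() {
        return this.loginContextName;
    }

    public void setLoginContextName(String loginContextName) {
        this.loginContextName = loginContextName;
    }

    public String getLoginConfig() {
        return this.loginConfig;
    }

    public void setLoginConfig(String loginConfig) {
        this.loginConfig = loginConfig;
    }

    public String getKrb5Config() {
        return this.krb5Config;
    }

    public void setKrb5Config(String krb5Config) {
        this.krb5Config = krb5Config;
    }

    public String getSpn() {
        return this.spn;
    }

    public void setSpn(String spn) {
        this.spn = spn;
    }

    public Value getClientPrincipal() {
        return this.clientPrincipal;
    }

    public void setClientPrincipal(Value clientPrincipal) {
        this.clientPrincipal = clientPrincipal;
    }

    public Value getPassword() {
        return this.password;
    }

    public void setPassword(Value password) {
        this.password = password;
    }

    public Value getKeytabPath() {
        return this.keytabPath;
    }

    public void setKeytabPath(Value keytabPath) {
        this.keytabPath = keytabPath;
    }

    /** This mediator only touches transport headers, never the message body. */
    @Override
    public boolean isContentAware() {
        return false;
    }
}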
