package org.wso2.carbon.mediator.kerberos;

import java.io.File;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.axiom.om.impl.llom.OMTextImpl;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.apache.synapse.SynapseException;
import org.apache.synapse.core.axis2.Axis2MessageContext;
import org.apache.synapse.mediators.AbstractMediator;
import org.apache.synapse.mediators.Value;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.wso2.carbon.core.util.CryptoException;
import org.wso2.carbon.core.util.CryptoUtil;

/* loaded from: input_file:org/wso2/carbon/mediator/kerberos/KerberosMediator.class */
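/**
 * Synapse mediator that authenticates to a Kerberos KDC as a configured client principal
 * (password or keytab), obtains a SPNEGO service ticket for a target SPN and attaches it to
 * the outgoing message as an {@code Authorization: Negotiate <base64 token>} transport header.
 *
 * <p>Configuration is supplied through the setters below (Synapse config). The client
 * principal, password and keytab may alternatively be read from a JAAS login configuration
 * file located under {@code <CARBON_HOME>/repository/resources/security/}.
 *
 * <p>Thread-safety / process-wide effects: every invocation of {@link #mediate} mutates
 * JVM-global state — the system properties named by
 * {@code KerberosConstants.KERBEROS_CONFIG_PROPERTY} and
 * {@code KerberosConstants.JAAS_CONFIG_PROPERTY}, and the JAAS
 * {@link Configuration} installed via {@link Configuration#setConfiguration} — and stores
 * the resolved principal/password/keytab in instance fields. Two mediator instances with
 * different settings running concurrently can therefore observe each other's configuration.
 * The plaintext password is held in a {@code String} for the lifetime of the mediator.
 */
public class KerberosMediator extends AbstractMediator {

    private static final Log log = LogFactory.getLog(KerberosMediator.class);

    /** Login module used when no {@code loginContextName} is configured, and always by the in-memory JAAS configuration. */
    private static final String KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /** Prefix marking a password value that is stored encrypted (Carbon secure-vault style). */
    private static final String ENCRYPTED_PREFIX = "enc:";

    private static final String ROOT = System.getProperty(KerberosConstants.CARBON_HOME, ".");

    /** Directory all relative krb5 / JAAS / keytab file names are resolved against. */
    private static final String CONFIG_PATH = ROOT + File.separator + "repository" + File.separator + "resources"
            + File.separator + "security" + File.separator;
    private static final String DEFAULT_KERBEROS_CONFIG_PATH = CONFIG_PATH + KerberosConstants.DEFAULT_KERBEROS_CONFIG_FILE;
    private static final String DEFAULT_LOGIN_CONFIG_PATH = CONFIG_PATH + KerberosConstants.DEFAULT_LOGIN_CONFIG_FILE;

    // --- values set from the Synapse configuration ---
    private String spn;
    private Value spnKey;
    private Value clientPrincipal;
    private Value password;
    private Value keytabFile;
    private String krb5Config;
    private String loginContextName;
    private String loginConfig;

    // --- values resolved per mediation (from the setters above or from the JAAS login file) ---
    private String clientPrincipalValue;
    private String passwordValue;
    private String keytabPath;

    private GSSManager gssManager = GSSManager.getInstance();

    /**
     * Obtains a Kerberos service ticket for the configured SPN and attaches it as the
     * {@code Authorization} transport header of the message.
     *
     * @param messageContext the message being mediated
     * @return {@code true} to continue mediation; {@code false} when no ticket could be
     *         obtained (the failure is logged). Configuration problems detected by
     *         {@code handleException} surface as a {@link SynapseException}.
     */
    @Override
    public boolean mediate(MessageContext messageContext) {
        if (messageContext.getEnvironment().isDebuggerEnabled() && super.divertMediationRoute(messageContext)) {
            return true;
        }
        extractDataFromLoginConf(messageContext);
        setKerberosConfigurations(messageContext);

        GSSCredential clientCredential = null;
        GSSContext gssContext = null;
        try {
            Oid spnegoOid = new Oid(KerberosConstants.SPNEGO_BASED_OID);
            GSSName serviceName = this.gssManager
                    .createName(resolveSpn(messageContext), GSSName.NT_USER_NAME)
                    .canonicalize(spnegoOid);
            clientCredential = createCredentials(spnegoOid, messageContext);
            gssContext = this.gssManager.createContext(serviceName, spnegoOid, clientCredential,
                    GSSContext.DEFAULT_LIFETIME);

            // First (and only) leg of the SPNEGO handshake: an empty input token yields the service ticket.
            byte[] inputToken = new byte[0];
            byte[] serviceTicket = gssContext.initSecContext(inputToken, 0, inputToken.length);
            if (serviceTicket == null) {
                log.error("Unable to get the Kerberos service ticket.");
                return false;
            }
            setAuthorizationHeader((Axis2MessageContext) messageContext, serviceTicket);
            return true;
        } catch (UnsupportedEncodingException e) {
            log.error("Unable to encrypt the Kerberos service ticket.", e);
            return false;
        } catch (PrivilegedActionException | LoginException | GSSException e) {
            log.error("Error while creating the Kerberos service ticket.", e);
            return false;
        } finally {
            // Always release native/JGSS state, including on exceptions thrown after the context was created.
            disposeQuietly(gssContext);
            disposeQuietly(clientCredential);
        }
    }

    /** Disposes a GSS context, logging (not propagating) any failure. {@code null} is ignored. */
    private static void disposeQuietly(GSSContext context) {
        if (context == null) {
            return;
        }
        try {
            context.dispose();
        } catch (GSSException e) {
            log.warn("Error while disposing GSS Context", e);
        }
    }

    /** Disposes a GSS credential, logging (not propagating) any failure. {@code null} is ignored. */
    private static void disposeQuietly(GSSCredential credential) {
        if (credential == null) {
            return;
        }
        try {
            credential.dispose();
        } catch (GSSException e) {
            log.warn("Error while disposing GSS Credential", e);
        }
    }

    /**
     * Chooses the target SPN: the registry value referenced by {@code spnKey} when it is
     * present and non-empty, otherwise the statically configured {@code spn}.
     */
    private String resolveSpn(MessageContext messageContext) {
        String registrySpn = getSpnValueFromRegistry(messageContext);
        return StringUtils.isNotEmpty(registrySpn) ? registrySpn : getSpn();
    }

    /**
     * Reads the SPN from the registry entry whose key is produced by evaluating {@code spnKey}.
     *
     * @return the entry text, or {@code null} when no {@code spnKey} is configured or the entry
     *         is not a text node; a missing entry is reported through {@code handleException}
     */
    private String getSpnValueFromRegistry(MessageContext messageContext) {
        Value key = getSpnKey();
        if (key == null) {
            return null;
        }
        String registryKey = key.evaluateValue(messageContext);
        Object entry = messageContext.getEntry(registryKey);
        if (entry == null) {
            handleException("Key " + registryKey + " not found ", messageContext);
        }
        if (!(entry instanceof OMTextImpl)) {
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug("Retrieving the spnConfig key :" + registryKey);
        }
        return ((OMTextImpl) entry).getText();
    }

    /**
     * Populates the per-mediation principal, password and keytab path. Explicitly configured
     * values win; otherwise the {@code principal} / {@code keyTab} options of the JAAS login
     * entry are used.
     *
     * @param options the options map of the selected {@link AppConfigurationEntry}
     */
    private void setElements(Map<String, ?> options, MessageContext messageContext) {
        if (getClientPrincipal() != null) {
            this.clientPrincipalValue = getClientPrincipal().getKeyValue();
        } else {
            // A missing option becomes null and is reported by createCredentials, rather than an NPE here.
            this.clientPrincipalValue = Objects.toString(options.get(KerberosConstants.PRINCIPAL), null);
        }
        if (this.password != null) {
            this.passwordValue = this.password.getKeyValue();
        }
        if (getKeytabFileName() != null) {
            // NOTE(review): the keytab name is evaluated against the message and appended to CONFIG_PATH without
            // normalisation — confirm the expression cannot be influenced by message content.
            this.keytabPath = CONFIG_PATH + getKeytabFileName().evaluateValue(messageContext);
        } else {
            this.keytabPath = Objects.toString(options.get(KerberosConstants.KEYTAB), null);
        }
    }

    /**
     * Installs the {@code Authorization: Negotiate <base64 ticket>} transport header on the
     * underlying Axis2 message context. The token is a credential — it must not be logged.
     *
     * @throws UnsupportedEncodingException if the charset named by {@code KerberosConstants.UTF8} is unavailable
     */
    private void setAuthorizationHeader(Axis2MessageContext axis2MessageContext, byte[] serviceTicket)
            throws UnsupportedEncodingException {
        org.apache.axis2.context.MessageContext axis2Ctx = axis2MessageContext.getAxis2MessageContext();
        String negotiateHeader = "Negotiate " + new String(Base64.encodeBase64(serviceTicket), KerberosConstants.UTF8);
        Map<String, Object> headers = new ConcurrentHashMap<>();
        headers.put("Authorization", negotiateHeader);
        // NOTE(review): this replaces any TRANSPORT_HEADERS map already on the context (the previous
        // implementation did the same) — confirm that discarding the existing headers is intended.
        axis2Ctx.setProperty("TRANSPORT_HEADERS", headers);
    }

    /**
     * Logs the client in via JAAS using either the password or the keytab and returns an
     * initiate-only GSS credential for it.
     *
     * @throws SynapseException if neither a principal nor a password/keytab is available
     */
    private GSSCredential createCredentials(Oid oid, MessageContext messageContext)
            throws LoginException, PrivilegedActionException, GSSException {
        if (StringUtils.isEmpty(this.clientPrincipalValue)) {
            throw new SynapseException("Could not find the username to authenticate the user.");
        }
        CallbackHandler callbackHandler;
        if (StringUtils.isNotEmpty(this.passwordValue)) {
            setJASSConfiguration(false, messageContext);
            callbackHandler = getUserNamePasswordCallbackHandler(this.clientPrincipalValue, this.passwordValue.toCharArray());
        } else if (StringUtils.isNotEmpty(this.keytabPath)) {
            // Keytab login needs no callbacks; Krb5LoginModule reads the keytab named in the JAAS options.
            setJASSConfiguration(true, messageContext);
            callbackHandler = null;
        } else {
            throw new SynapseException("Could not find the password or keyTab to authenticate the user.");
        }
        return createClientCredentials(callbackHandler, oid);
    }

    /**
     * Performs the JAAS login and acquires the GSS credential inside {@code Subject.doAs} so
     * that the TGT in the logged-in subject is picked up by the Kerberos mechanism.
     *
     * @param callbackHandler supplies name/password, or {@code null} for keytab login
     * @param oid             the mechanism the credential is created for
     */
    private GSSCredential createClientCredentials(CallbackHandler callbackHandler, final Oid oid)
            throws LoginException, PrivilegedActionException, GSSException {
        String contextName = StringUtils.isNotEmpty(getLoginContextName()) ? getLoginContextName() : KRB5_LOGIN_MODULE;
        LoginContext loginContext = callbackHandler != null
                ? new LoginContext(contextName, callbackHandler)
                : new LoginContext(contextName);
        loginContext.login();
        if (log.isDebugEnabled()) {
            log.debug("Pre-authentication successful for with Kerberos Server.");
        }
        final GSSName clientName = this.gssManager.createName(this.clientPrincipalValue, GSSName.NT_USER_NAME);
        Subject subject = loginContext.getSubject();
        if (log.isDebugEnabled()) {
            Set<Principal> principals = subject.getPrincipals();
            log.debug("Creating gss credentials as principal : " + principals);
        }
        PrivilegedExceptionAction<GSSCredential> acquireCredential = new PrivilegedExceptionAction<GSSCredential>() {
            @Override
            public GSSCredential run() throws GSSException {
                return gssManager.createCredential(clientName.canonicalize(oid), GSSCredential.DEFAULT_LIFETIME, oid,
                        GSSCredential.INITIATE_ONLY);
            }
        };
        return Subject.doAs(subject, acquireCredential);
    }

    /**
     * Builds a JAAS callback handler answering {@link NameCallback} with the user name and
     * {@link PasswordCallback} with the password; other callback types are logged and ignored.
     */
    private CallbackHandler getUserNamePasswordCallbackHandler(final String userName, final char[] passwordChars) {
        return new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(userName);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(passwordChars);
                    } else {
                        log.error("Unsupported Callback class = " + callback.getClass().getName());
                    }
                }
            }
        };
    }

    /**
     * Points the JVM-wide Kerberos configuration property at the configured (or default)
     * krb5 file. Reports a missing file through {@code handleException}.
     */
    private void setKerberosConfigurations(MessageContext messageContext) {
        File krb5File = new File(StringUtils.isNotEmpty(getKrb5Config())
                ? CONFIG_PATH + getKrb5Config()
                : DEFAULT_KERBEROS_CONFIG_PATH);
        if (krb5File.exists()) {
            System.setProperty(KerberosConstants.KERBEROS_CONFIG_PROPERTY, krb5File.getAbsolutePath());
        } else {
            handleException("Could not find the Kerberos configuration.", messageContext);
        }
    }

    /**
     * Resolves the JAAS login configuration file: the explicitly configured {@code loginConfig}
     * (relative to {@link #CONFIG_PATH}), else the default file when a
     * {@code loginContextName} is set, else {@code null} (no JAAS file is consulted).
     */
    private File resolveLoginConfigFile() {
        if (StringUtils.isNotEmpty(getLoginConfig())) {
            return new File(CONFIG_PATH + getLoginConfig());
        }
        if (StringUtils.isNotEmpty(getLoginContextName())) {
            return new File(DEFAULT_LOGIN_CONFIG_PATH);
        }
        return null;
    }

    /**
     * Points the JVM-wide JAAS configuration property at {@code loginConfigFile} and returns
     * the first entry registered for the configured login context name.
     *
     * @return the entry, or {@code null} after reporting the problem through
     *         {@code handleException} (which is expected to raise a {@link SynapseException};
     *         callers still handle {@code null} defensively)
     */
    private AppConfigurationEntry loadLoginConfigEntry(File loginConfigFile, MessageContext messageContext) {
        if (!loginConfigFile.exists()) {
            handleException("Could not find the login configuration.", messageContext);
            return null;
        }
        System.setProperty(KerberosConstants.JAAS_CONFIG_PROPERTY, loginConfigFile.getAbsolutePath());
        AppConfigurationEntry[] entries = Configuration.getConfiguration().getAppConfigurationEntry(getLoginContextName());
        if (entries == null || entries.length == 0) {
            handleException("Could not find specified service account.", messageContext);
            return null;
        }
        return entries[0];
    }

    /**
     * Resolves the principal, password and keytab for this mediation, either from the JAAS
     * login configuration file (when one is selected) or directly from the mediator's own
     * {@code clientPrincipal} / {@code password} values.
     */
    private void extractDataFromLoginConf(MessageContext messageContext) {
        if (StringUtils.isNotEmpty(getLoginContextName())) {
            // Drop any previously installed Configuration so the file named by JAAS_CONFIG_PROPERTY is re-read.
            Configuration.setConfiguration(null);
        }
        File loginConfigFile = resolveLoginConfigFile();
        if (loginConfigFile == null) {
            if (getClientPrincipal() != null && StringUtils.isNotEmpty(getClientPrincipal().getKeyValue())) {
                this.clientPrincipalValue = getClientPrincipal().getKeyValue();
            }
            if (this.password != null && StringUtils.isNotEmpty(this.password.getKeyValue())) {
                this.passwordValue = this.password.getKeyValue();
            }
            return;
        }
        AppConfigurationEntry entry = loadLoginConfigEntry(loginConfigFile, messageContext);
        if (entry != null) {
            setElements(entry.getOptions(), messageContext);
        }
    }

    /**
     * Installs an in-memory JAAS {@link Configuration} for the Krb5LoginModule: the options of
     * the selected login file entry (if any) overlaid with {@code isInitiator=true}, the
     * resolved principal and the keytab settings. The installed configuration answers every
     * login context name with this single entry.
     *
     * @param useKeytab {@code true} to authenticate with the keytab at {@link #keytabPath},
     *                  {@code false} to authenticate with the password callback
     */
    private void setJASSConfiguration(boolean useKeytab, MessageContext messageContext) {
        final Map<String, Object> options = new HashMap<>();
        File loginConfigFile = resolveLoginConfigFile();
        if (loginConfigFile != null) {
            AppConfigurationEntry entry = loadLoginConfigEntry(loginConfigFile, messageContext);
            if (entry != null) {
                options.putAll(entry.getOptions());
            }
        }
        options.put(KerberosConstants.IS_INITIATOR, "true");
        options.put(KerberosConstants.PRINCIPAL, this.clientPrincipalValue);
        options.put(KerberosConstants.USE_KEYTAB, String.valueOf(useKeytab));
        if (useKeytab) {
            File keytab = new File(this.keytabPath);
            if (keytab.exists()) {
                options.put(KerberosConstants.KEYTAB, keytab.getAbsolutePath());
            } else {
                handleException("Could not find the keytab file " + this.keytabPath + " in the location " + CONFIG_PATH,
                        messageContext);
            }
        } else {
            options.put(KerberosConstants.KEYTAB, null);
        }
        if (log.isDebugEnabled()) {
            // Enables the login module's own diagnostics (written to stdout by the JDK module).
            options.put(KerberosConstants.DEBUG, "true");
        }
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{
                        new AppConfigurationEntry(KRB5_LOGIN_MODULE,
                                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)};
            }
        });
    }

    public String getLoginContextName() {
        return this.loginContextName;
    }

    public void setLoginContextName(String loginContextName) {
        this.loginContextName = loginContextName;
    }

    public String getLoginConfig() {
        return this.loginConfig;
    }

    public void setLoginConfig(String loginConfig) {
        this.loginConfig = loginConfig;
    }

    public String getKrb5Config() {
        return this.krb5Config;
    }

    public void setKrb5Config(String krb5Config) {
        this.krb5Config = krb5Config;
    }

    public String getSpn() {
        return this.spn;
    }

    public void setSpn(String spn) {
        this.spn = spn;
    }

    public Value getClientPrincipal() {
        return this.clientPrincipal;
    }

    public void setClientPrincipal(Value clientPrincipal) {
        this.clientPrincipal = clientPrincipal;
    }

    /**
     * Returns the password in its persisted form: a plaintext value is encrypted with the
     * default Carbon {@link CryptoUtil} and prefixed with {@code enc:} so that serialised
     * configuration never contains the clear text. Values already prefixed, {@code null}
     * values, and values whose encryption fails (logged) are returned as-is.
     */
    public Value getPassword() {
        if (this.password != null && this.password.getKeyValue() != null
                && !this.password.getKeyValue().startsWith(ENCRYPTED_PREFIX)) {
            try {
                String cipherText = CryptoUtil.getDefaultCryptoUtil()
                        .encryptAndBase64Encode(this.password.getKeyValue().getBytes(StandardCharsets.UTF_8));
                return new Value(ENCRYPTED_PREFIX + cipherText);
            } catch (CryptoException e) {
                log.error(e);
            }
        }
        return this.password;
    }

    /**
     * Stores the password. An {@code enc:}-prefixed value is base64-decoded and decrypted
     * with the default Carbon {@link CryptoUtil} first; a decryption failure is logged and
     * leaves the current password unchanged. Any other value (including {@code null}) is
     * stored verbatim.
     */
    public void setPassword(Value value) {
        String keyValue = value != null ? value.getKeyValue() : null;
        if (keyValue == null || !keyValue.startsWith(ENCRYPTED_PREFIX)) {
            this.password = value;
            return;
        }
        try {
            // base64DecodeAndDecrypt yields the plaintext bytes; they must be decoded as text
            // (String.valueOf on a byte[] would only render the array reference).
            byte[] plainText = CryptoUtil.getDefaultCryptoUtil()
                    .base64DecodeAndDecrypt(keyValue.substring(ENCRYPTED_PREFIX.length()));
            this.password = new Value(new String(plainText, StandardCharsets.UTF_8));
        } catch (CryptoException e) {
            log.error(e);
        }
    }

    public Value getKeytabFileName() {
        return this.keytabFile;
    }

    public void setKeytabFileName(Value keytabFile) {
        this.keytabFile = keytabFile;
    }

    public Value getSpnKey() {
        return this.spnKey;
    }

    public void setSpnKey(Value spnKey) {
        this.spnKey = spnKey;
    }

    /** This mediator only touches transport headers, so the message body need not be built. */
    @Override
    public boolean isContentAware() {
        return false;
    }
}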
