package org.opends.server.extensions;

import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashMap;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.SaslException;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.LocalizableMessageBuilder;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.config.server.ConfigChangeResult;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.ldap.ResultCode;
import org.ietf.jgss.GSSException;
import org.opends.messages.ExtensionMessages;
import org.opends.server.admin.server.ConfigurationChangeListener;
import org.opends.server.admin.std.meta.GSSAPISASLMechanismHandlerCfgDefn;
import org.opends.server.admin.std.server.GSSAPISASLMechanismHandlerCfg;
import org.opends.server.admin.std.server.SASLMechanismHandlerCfg;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.IdentityMapper;
import org.opends.server.api.SASLMechanismHandler;
import org.opends.server.core.BindOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.types.DN;
import org.opends.server.types.InitializationException;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/extensions/GSSAPISASLMechanismHandler.class */
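/**
 * SASL mechanism handler for GSSAPI (Kerberos V5) binds.
 *
 * <p>On initialization it resolves the server FQDN, validates the keytab, writes a JAAS login
 * configuration file under the server {@code config} directory and points the JVM-wide JAAS and
 * Kerberos system properties at it. The JAAS {@link LoginContext} for the server principal is
 * created lazily on the first bind and torn down on finalization or configuration change.
 *
 * <p>Note that the JAAS/Kerberos settings are process-global system properties, so only one
 * configuration of this handler can be active in a JVM at a time.
 */
public class GSSAPISASLMechanismHandler extends SASLMechanismHandler<GSSAPISASLMechanismHandlerCfg> implements ConfigurationChangeListener<GSSAPISASLMechanismHandlerCfg>, CallbackHandler {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

    /** JAAS login module that acquires the server's Kerberos credentials from the keytab. */
    private static final String KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";
    /** Keytab file name used when none is configured; resolved under {@code user.home}. */
    private static final String DEFAULT_KEYTAB_NAME = "krb5.keytab";
    /** SASL property keys handed to the SASL context. */
    private static final String SASL_PROP_QOP = "javax.security.sasl.qop";
    private static final String SASL_PROP_REUSE = "javax.security.sasl.reuse";

    private DN configEntryDN;
    private GSSAPISASLMechanismHandlerCfg configuration;
    private IdentityMapper<?> identityMapper;
    private HashMap<String, String> saslProps;
    private String serverFQDN;
    /** Lazily created, successfully logged-in JAAS context; written only under {@link #loginContextLock}. */
    private volatile LoginContext loginContext;
    private final Object loginContextLock = new Object();

    /**
     * Initializes the handler from its configuration and registers it for the GSSAPI mechanism.
     *
     * @param cfg the handler configuration
     * @throws ConfigException if the configuration is invalid
     * @throws InitializationException if the server FQDN cannot be resolved, the keytab is missing,
     *         the KDC/realm pair is incomplete, or the JAAS configuration file cannot be written
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void initializeSASLMechanismHandler(GSSAPISASLMechanismHandlerCfg cfg) throws ConfigException, InitializationException {
        try {
            initialize(cfg);
            DirectoryServer.registerSASLMechanismHandler(ServerConstants.SASL_MECHANISM_GSSAPI, this);
            cfg.addGSSAPIChangeListener(this);
            this.configuration = cfg;
            logger.error(ExtensionMessages.INFO_GSSAPI_STARTED);
        } catch (UnknownHostException e) {
            // Must precede IOException: UnknownHostException is a subclass of it.
            logger.traceException(e);
            throw new InitializationException(ExtensionMessages.ERR_SASL_CANNOT_GET_SERVER_FQDN.get(this.configEntryDN, StaticUtils.getExceptionMessage(e)), e);
        } catch (IOException e) {
            logger.traceException(e);
            throw new InitializationException(ExtensionMessages.ERR_SASLGSSAPI_CANNOT_CREATE_JAAS_CONFIG.get(StaticUtils.getExceptionMessage(e)), e);
        }
    }

    /**
     * Publishes the configured KDC address and realm as Kerberos system properties.
     * Both must be given together or not at all; when absent the JVM's krb5 defaults apply.
     *
     * @throws InitializationException if exactly one of KDC address and realm is configured
     */
    private void getKdcRealm(GSSAPISASLMechanismHandlerCfg cfg) throws InitializationException {
        String kdcAddress = cfg.getKdcAddress();
        String realm = cfg.getRealm();
        if (isKdcRealmIncomplete(kdcAddress, realm)) {
            throw new InitializationException(ExtensionMessages.ERR_SASLGSSAPI_KDC_REALM_NOT_DEFINED.get());
        }
        if (kdcAddress != null) {
            System.setProperty(ServerConstants.KRBV_PROPERTY_KDC, kdcAddress);
            System.setProperty(ServerConstants.KRBV_PROPERTY_REALM, realm);
        }
    }

    /** Returns {@code true} when only one of the KDC address / realm pair is configured. */
    private static boolean isKdcRealmIncomplete(String kdcAddress, String realm) {
        return (kdcAddress == null) != (realm == null);
    }

    /**
     * JAAS callback handler. Nothing is handled: the generated login configuration sets
     * {@code doNotPrompt=true} and {@code useKeyTab=true}, so the Krb5 module obtains its
     * credentials from the keytab and never needs a name or password callback.
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
    }

    /**
     * Returns the configured server FQDN, or the canonical name of the local host when none is set.
     *
     * @throws UnknownHostException if the local host name cannot be resolved
     */
    private String getFQDN(GSSAPISASLMechanismHandlerCfg cfg) throws UnknownHostException {
        String serverFqdn = cfg.getServerFqdn();
        if (serverFqdn == null) {
            serverFqdn = InetAddress.getLocalHost().getCanonicalHostName();
        }
        return serverFqdn;
    }

    /**
     * Returns the shared JAAS login context, creating it and logging in on first use.
     *
     * @throws LoginException if the login fails; the failed context is not cached, so the next
     *         bind retries the login instead of reusing a context that never logged in
     */
    private LoginContext getLoginContext() throws LoginException {
        LoginContext ctx = this.loginContext;
        if (ctx == null) {
            synchronized (this.loginContextLock) {
                ctx = this.loginContext;
                if (ctx == null) {
                    ctx = new LoginContext(GSSAPISASLMechanismHandler.class.getName(), this);
                    ctx.login();
                    // Publish only after login() succeeded.
                    this.loginContext = ctx;
                }
            }
        }
        return ctx;
    }

    /** Logs out and drops the shared login context, if any. Logout failures are traced and ignored. */
    private void logout() {
        synchronized (this.loginContextLock) {
            LoginContext ctx = this.loginContext;
            if (ctx == null) {
                return;
            }
            this.loginContext = null;
            try {
                ctx.logout();
            } catch (LoginException e) {
                logger.traceException(e);
            }
        }
    }

    /**
     * Resolves the keytab path from the configuration, falling back to
     * {@code <user.home>/krb5.keytab}.
     */
    private static String resolveKeytabPath(GSSAPISASLMechanismHandlerCfg cfg) {
        String keytab = cfg.getKeytab();
        if (keytab == null) {
            keytab = System.getProperty("user.home") + System.getProperty("file.separator") + DEFAULT_KEYTAB_NAME;
        }
        return keytab;
    }

    /**
     * Builds the {@code principal="..."} fragment of the login configuration: the configured
     * principal, or {@code ldap/<serverFQDN>} when none is set, suffixed with {@code @realm} when
     * a realm is configured. The closing quote is appended by the caller.
     */
    private StringBuilder buildPrincipalFragment(GSSAPISASLMechanismHandlerCfg cfg) {
        StringBuilder sb = new StringBuilder();
        String principalName = cfg.getPrincipalName();
        if (principalName != null) {
            sb.append("principal=\"").append(principalName);
        } else {
            sb.append("principal=\"ldap/").append(this.serverFQDN);
        }
        String realm = cfg.getRealm();
        if (realm != null) {
            sb.append("@").append(realm);
        }
        return sb;
    }

    /**
     * Writes a JAAS login configuration for this handler into a temporary file under the server
     * {@code config} directory and returns its absolute path.
     *
     * <p>The keytab is validated before the file is created so a bad keytab leaves no stray file.
     * The keytab path and principal are written verbatim inside double quotes; they come from the
     * server configuration and are not escaped, so a value containing {@code "} would produce a
     * configuration the JAAS parser rejects at login time.
     *
     * @throws IOException if the file cannot be created or written
     * @throws InitializationException if the keytab file does not exist
     */
    private String configureLoginConfFile(GSSAPISASLMechanismHandlerCfg cfg) throws IOException, InitializationException {
        String keytab = resolveKeytabPath(cfg);
        File keytabFile = new File(keytab);
        if (!keytabFile.exists()) {
            throw new InitializationException(ExtensionMessages.ERR_SASL_GSSAPI_KEYTAB_INVALID.get(keytab));
        }
        StringBuilder principal = buildPrincipalFragment(cfg);

        File confFile = File.createTempFile("login", ".conf", StaticUtils.getFileForPath("config"));
        confFile.deleteOnExit();
        // try-with-resources closes the writer even when a write fails.
        try (BufferedWriter writer = new BufferedWriter(new FileWriter(confFile, false))) {
            writer.write(getClass().getName() + " {");
            writer.newLine();
            writer.write("  " + KRB5_LOGIN_MODULE + " required storeKey=true useKeyTab=true doNotPrompt=true ");
            writer.write("keyTab=\"" + keytabFile + "\" ");
            writer.write(principal.toString());
            writer.write("\" isInitiator=false;");
            writer.newLine();
            writer.write("};");
            writer.newLine();
        }
        logger.error(ExtensionMessages.INFO_GSSAPI_PRINCIPAL_NAME, principal);
        return confFile.getAbsolutePath();
    }

    /** Logs out, deregisters the handler and clears the JVM-wide JAAS/Kerberos properties it set. */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void finalizeSASLMechanismHandler() {
        logout();
        if (this.configuration != null) {
            this.configuration.removeGSSAPIChangeListener(this);
        }
        DirectoryServer.deregisterSASLMechanismHandler(ServerConstants.SASL_MECHANISM_GSSAPI);
        clearProperties();
        logger.error(ExtensionMessages.INFO_GSSAPI_STOPPED);
    }

    /** Clears the process-global Kerberos and JAAS system properties set by {@link #initialize}. */
    private void clearProperties() {
        System.clearProperty(ServerConstants.KRBV_PROPERTY_KDC);
        System.clearProperty(ServerConstants.KRBV_PROPERTY_REALM);
        System.clearProperty(ServerConstants.JAAS_PROPERTY_CONFIG_FILE);
        System.clearProperty(ServerConstants.JAAS_PROPERTY_SUBJECT_CREDS_ONLY);
    }

    /** Marks the bind as failed with {@code INVALID_CREDENTIALS} and the given reason. */
    private static void rejectBind(BindOperation bindOperation, LocalizableMessage reason) {
        bindOperation.setAuthFailureReason(reason);
        bindOperation.setResultCode(ResultCode.INVALID_CREDENTIALS);
    }

    /**
     * Processes one step of a GSSAPI SASL bind, creating the per-connection SASL context on the
     * first step and driving the authentication with the shared login context.
     *
     * @param bindOperation the bind to process; its result code and failure reason are set here
     */
    @Override // org.opends.server.api.SASLMechanismHandler
    public void processSASLBind(BindOperation bindOperation) {
        ClientConnection clientConnection = bindOperation.getClientConnection();
        if (clientConnection == null) {
            rejectBind(bindOperation, ExtensionMessages.ERR_SASLGSSAPI_NO_CLIENT_CONNECTION.get());
            return;
        }
        SASLContext saslContext = (SASLContext) clientConnection.getSASLAuthStateInfo();
        if (saslContext == null) {
            try {
                saslContext = SASLContext.createSASLContext(this.saslProps, this.serverFQDN, ServerConstants.SASL_MECHANISM_GSSAPI, this.identityMapper);
            } catch (SaslException e) {
                logger.traceException(e);
                // The cause is a Throwable; only a GSSException carries major/minor codes worth reporting.
                Throwable cause = e.getCause();
                LocalizableMessage msg = cause instanceof GSSException
                        ? ExtensionMessages.ERR_SASL_CONTEXT_CREATE_ERROR.get(ServerConstants.SASL_MECHANISM_GSSAPI, getGSSExceptionMessage((GSSException) cause))
                        : ExtensionMessages.ERR_SASL_CONTEXT_CREATE_ERROR.get(ServerConstants.SASL_MECHANISM_GSSAPI, StaticUtils.getExceptionMessage(e));
                clientConnection.setSASLAuthStateInfo(null);
                rejectBind(bindOperation, msg);
                return;
            }
        }
        try {
            saslContext.performAuthentication(getLoginContext(), bindOperation);
        } catch (LoginException e) {
            logger.traceException(e);
            LocalizableMessage msg = ExtensionMessages.ERR_SASLGSSAPI_CANNOT_CREATE_LOGIN_CONTEXT.get(StaticUtils.getExceptionMessage(e));
            logger.error(msg);
            clientConnection.setSASLAuthStateInfo(null);
            rejectBind(bindOperation, msg);
        }
    }

    /**
     * Renders a {@link GSSException} as "major code (n) text[, minor code (m) text]".
     * The minor part is omitted when the minor code is zero.
     *
     * @param gssException the exception to describe
     * @return the formatted message
     */
    public static LocalizableMessage getGSSExceptionMessage(GSSException gssException) {
        LocalizableMessageBuilder builder = new LocalizableMessageBuilder();
        builder.append("major code (").append(gssException.getMajor()).append(") ").append(gssException.getMajorString());
        if (gssException.getMinor() != 0) {
            builder.append(", minor code (").append(gssException.getMinor()).append(") ").append(gssException.getMinorString());
        }
        return builder.toMessage();
    }

    /** GSSAPI never uses the directory password. */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isPasswordBased(String mechanism) {
        return false;
    }

    /** GSSAPI is treated as secure: credentials are never sent in the clear. */
    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isSecure(String mechanism) {
        return true;
    }

    @Override // org.opends.server.api.SASLMechanismHandler
    public boolean isConfigurationAcceptable(SASLMechanismHandlerCfg cfg, List<LocalizableMessage> unacceptableReasons) {
        return isConfigurationChangeAcceptable((GSSAPISASLMechanismHandlerCfg) cfg, unacceptableReasons);
    }

    /**
     * Retained for source compatibility with callers of the previous (decompiler-generated) name;
     * delegates to {@link #isConfigurationChangeAcceptable}.
     */
    public boolean isConfigurationChangeAcceptable2(GSSAPISASLMechanismHandlerCfg cfg, List<LocalizableMessage> unacceptableReasons) {
        return isConfigurationChangeAcceptable(cfg, unacceptableReasons);
    }

    /**
     * Checks that the server FQDN resolves, the keytab exists and the KDC/realm pair is complete.
     * All problems found are appended to {@code unacceptableReasons} rather than stopping at the first.
     *
     * @return {@code true} when no problem was found
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public boolean isConfigurationChangeAcceptable(GSSAPISASLMechanismHandlerCfg cfg, List<LocalizableMessage> unacceptableReasons) {
        boolean acceptable = true;
        try {
            getFQDN(cfg);
        } catch (UnknownHostException e) {
            logger.traceException(e);
            unacceptableReasons.add(ExtensionMessages.ERR_SASL_CANNOT_GET_SERVER_FQDN.get(this.configEntryDN, StaticUtils.getExceptionMessage(e)));
            acceptable = false;
        }
        String keytab = resolveKeytabPath(cfg);
        if (!new File(keytab).exists()) {
            LocalizableMessage msg = ExtensionMessages.ERR_SASL_GSSAPI_KEYTAB_INVALID.get(keytab);
            unacceptableReasons.add(msg);
            logger.trace(msg);
            acceptable = false;
        }
        if (isKdcRealmIncomplete(cfg.getKdcAddress(), cfg.getRealm())) {
            LocalizableMessage msg = ExtensionMessages.ERR_SASLGSSAPI_KDC_REALM_NOT_DEFINED.get();
            unacceptableReasons.add(msg);
            logger.trace(msg);
            acceptable = false;
        }
        return acceptable;
    }

    /** Records a failed configuration change: message, cleared JVM properties, result code OTHER. */
    private void failConfigurationChange(ConfigChangeResult result, LocalizableMessage message) {
        result.addMessage(message);
        clearProperties();
        result.setResultCode(ResultCode.OTHER);
    }

    /**
     * Re-initializes the handler from a changed configuration. The current login context is
     * discarded first so the next bind logs in with the new principal/keytab.
     *
     * <p>On failure the JVM properties are cleared, but fields already assigned by
     * {@link #initialize} (FQDN, SASL properties, identity mapper) keep their new values while
     * {@link #configuration} keeps the old one.
     */
    @Override // org.opends.server.admin.server.ConfigurationChangeListener
    public ConfigChangeResult applyConfigurationChange(GSSAPISASLMechanismHandlerCfg cfg) {
        ConfigChangeResult result = new ConfigChangeResult();
        try {
            logout();
            clearProperties();
            initialize(cfg);
            this.configuration = cfg;
        } catch (UnknownHostException e) {
            // Must precede IOException: UnknownHostException is a subclass of it.
            logger.traceException(e);
            failConfigurationChange(result, ExtensionMessages.ERR_SASL_CANNOT_GET_SERVER_FQDN.get(this.configEntryDN, StaticUtils.getExceptionMessage(e)));
        } catch (IOException e) {
            logger.traceException(e);
            failConfigurationChange(result, ExtensionMessages.ERR_SASLGSSAPI_CANNOT_CREATE_JAAS_CONFIG.get(StaticUtils.getExceptionMessage(e)));
        } catch (InitializationException e) {
            logger.traceException(e);
            failConfigurationChange(result, e.getMessageObject());
        }
        return result;
    }

    /**
     * Applies a configuration: resolves the FQDN, builds the SASL properties, writes the JAAS
     * login configuration and sets the JVM-wide JAAS/Kerberos system properties.
     * The FQDN is resolved first because the login configuration's default principal uses it.
     *
     * @throws UnknownHostException if the local host name cannot be resolved
     * @throws IOException if the login configuration file cannot be written
     * @throws InitializationException if the keytab is missing or the KDC/realm pair is incomplete
     */
    private void initialize(GSSAPISASLMechanismHandlerCfg cfg) throws UnknownHostException, IOException, InitializationException {
        this.configEntryDN = cfg.dn();
        this.identityMapper = DirectoryServer.getIdentityMapper(cfg.getIdentityMapperDN());
        this.serverFQDN = getFQDN(cfg);
        logger.error(ExtensionMessages.INFO_GSSAPI_SERVER_FQDN, this.serverFQDN);
        HashMap<String, String> props = new HashMap<>();
        props.put(SASL_PROP_QOP, getQOP(cfg));
        props.put(SASL_PROP_REUSE, ServerConstants.CONFIG_VALUE_FALSE);
        this.saslProps = props;
        System.setProperty(ServerConstants.JAAS_PROPERTY_CONFIG_FILE, configureLoginConfFile(cfg));
        System.setProperty(ServerConstants.JAAS_PROPERTY_SUBJECT_CREDS_ONLY, ServerConstants.CONFIG_VALUE_FALSE);
        getKdcRealm(cfg);
    }

    /**
     * Maps the configured quality of protection to its SASL property value:
     * CONFIDENTIALITY → {@code auth-conf}, INTEGRITY → {@code auth-int}, anything else → {@code auth}.
     */
    private String getQOP(GSSAPISASLMechanismHandlerCfg cfg) {
        GSSAPISASLMechanismHandlerCfgDefn.QualityOfProtection qop = cfg.getQualityOfProtection();
        if (qop == GSSAPISASLMechanismHandlerCfgDefn.QualityOfProtection.CONFIDENTIALITY) {
            return "auth-conf";
        }
        if (qop == GSSAPISASLMechanismHandlerCfgDefn.QualityOfProtection.INTEGRITY) {
            return "auth-int";
        }
        return "auth";
    }
}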
