package org.ametys.plugins.extrausermgt.authentication.kerberos;

import com.google.common.net.InetAddresses;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.CompletionException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ametys.runtime.model.checker.ItemChecker;
import org.ametys.runtime.model.checker.ItemCheckerTestFailureException;
import org.ametys.runtime.plugin.component.AbstractLogEnabled;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/ametys/plugins/extrausermgt/authentication/kerberos/KerberosChecker.class */
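/**
 * Configuration checker that exercises a Kerberos/SPNEGO setup end to end.
 *
 * <p>It logs a test user in against the KDC, requests a service token for
 * {@code HTTP/<host>@<REALM>} and then has the acceptor side validate that
 * token. Any login or GSS-API failure is reported as an
 * {@link ItemCheckerTestFailureException}.
 */
public class KerberosChecker extends AbstractLogEnabled implements ItemChecker {
    /** Object identifier of the SPNEGO negotiation mechanism. */
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /**
     * Runs the Kerberos round trip with the supplied configuration values.
     *
     * @param list positional values, read by index: 0 = realm, 3 = KDC, 4 = host used in the
     *     {@code HTTP/} service principal, 5 = test user login, 6 = test user password. Indexes
     *     1 and 2 are handed unchanged to {@code KerberosCredentialProvider.createLoginContext};
     *     presumably the acceptor's login and password (confirm against that class). Fewer than
     *     seven entries make {@code list.get} throw.
     * @throws ItemCheckerTestFailureException if the login or any GSS-API step fails
     */
    public void check(List<String> list) throws ItemCheckerTestFailureException {
        final String realm = list.get(0);
        // NOTE(review): meaning of these two inferred from positional use only; confirm.
        final String acceptorLogin = list.get(1);
        final String acceptorSecret = list.get(2);
        final String kdc = list.get(3);
        final String host = list.get(4);
        final String userLogin = list.get(5);
        final String userPassword = list.get(6);
        try {
            // JVM-wide setting: it is not restored after the check and is seen by every
            // other thread that performs Kerberos operations in this process.
            System.setProperty("java.security.krb5.kdc", kdc);

            // Only supply an in-memory JAAS configuration when no login config file is set;
            // a null Configuration makes LoginContext use the installed default.
            Configuration configuration = null;
            if (System.getProperty("java.security.auth.login.config") == null) {
                configuration = new Configuration() {
                    @Override
                    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                        return new AppConfigurationEntry[] {
                            new AppConfigurationEntry(
                                    "com.sun.security.auth.module.Krb5LoginModule",
                                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                                    Map.of())
                        };
                    }
                };
            }

            CallbackHandler credentialsHandler = callbacks -> {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        // Locale.ROOT keeps the realm stable under locales with special
                        // casing rules (for example Turkish dotted/dotless i).
                        ((NameCallback) callback).setName(userLogin + "@" + realm.toUpperCase(Locale.ROOT));
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(userPassword.toCharArray());
                    } else {
                        throw new RuntimeException("Invalid callback received during KerberosCredentialProvider initialization");
                    }
                }
            };

            // NOTE(review): this LoginContext is never logged out and the GSS contexts are
            // never disposed, so the obtained credentials live until garbage collection.
            LoginContext loginContext = new LoginContext("kerberos-client", (Subject) null, credentialsHandler, configuration);
            getLogger().debug("***** Authenticating {}", userLogin);
            loginContext.login();
            Subject subject = loginContext.getSubject();
            getLogger().debug("***** TGT obtained");
            // Log the principals only: Subject.toString() also renders the private
            // credentials, which for a Kerberos login can include ticket and key material.
            getLogger().debug("***** Principals: {}", subject.getPrincipals());

            final GSSManager manager = GSSManager.getInstance();
            GSSCredential initiatorCredential = _createSpnegoCredential(subject, manager, GSSCredential.INITIATE_ONLY);

            String token;
            try {
                token = _getToken(manager, host, realm, initiatorCredential);
            } catch (GSSException e) {
                if (e.getMajor() != GSSException.NO_CRED) {
                    throw e;
                }
                // No ticket for the configured host name: retry once with its canonical name.
                // That name comes from the resolver, so the retry asks for whatever SPN DNS
                // hands back; it is skipped when the lookup yields an address or the same name.
                try {
                    String canonicalHostName = InetAddress.getByName(host).getCanonicalHostName();
                    if (InetAddresses.isInetAddress(canonicalHostName) || canonicalHostName.equals(host)) {
                        throw e;
                    }
                    getLogger().debug("***** Cannot get ticket for host {}, try with {}", host, canonicalHostName);
                    token = _getToken(manager, canonicalHostName, realm, initiatorCredential);
                } catch (UnknownHostException unresolved) {
                    getLogger().debug("***** Cannot get ticket for host {} and also fail to resolve", host, unresolved);
                    throw e;
                }
            }
            if (token == null) {
                // initSecContext produced nothing to send; fail cleanly instead of letting
                // the Base64 decoder throw a NullPointerException below.
                throw new GSSException(GSSException.FAILURE);
            }

            getLogger().debug("***** Decoding token");
            Subject acceptorSubject = KerberosCredentialProvider.createLoginContext(realm, acceptorLogin, acceptorSecret).getSubject();
            GSSCredential acceptorCredential = _createSpnegoCredential(acceptorSubject, manager, GSSCredential.ACCEPT_ONLY);
            GSSContext acceptorContext = GSSManager.getInstance().createContext(acceptorCredential);
            byte[] rawToken = Base64.getDecoder().decode(token);
            acceptorContext.acceptSecContext(rawToken, 0, rawToken.length);
            getLogger().debug("***** User authenticated: {}", acceptorContext.getSrcName());
        } catch (LoginException | GSSException e) {
            throw new ItemCheckerTestFailureException("Unable to connect to the KDC (" + e.getMessage() + ")", e);
        } catch (CompletionException e) {
            // Subject.callAs wraps whatever the action throws; report it as a check failure
            // like the other Kerberos errors instead of letting it escape unchecked.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            throw new ItemCheckerTestFailureException("Unable to connect to the KDC (" + cause.getMessage() + ")", e);
        }
    }

    /**
     * Creates a SPNEGO credential with indefinite lifetime while running as {@code subject}.
     *
     * @param subject the subject whose Kerberos credentials back the GSS credential
     * @param manager the GSS manager used to create the credential
     * @param usage one of the {@link GSSCredential} usage constants
     * @return the acquired credential
     * @throws CompletionException if acquiring the credential fails (thrown by {@code Subject.callAs})
     */
    private GSSCredential _createSpnegoCredential(Subject subject, final GSSManager manager, final int usage) {
        Callable<GSSCredential> action =
                () -> manager.createCredential((GSSName) null, GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID), usage);
        return Subject.callAs(subject, action);
    }

    /**
     * Requests the initial SPNEGO token for {@code HTTP/<host>@<REALM>}.
     *
     * @param gSSManager the GSS manager used to build the service name
     * @param host the host part of the service principal
     * @param realm the Kerberos realm; upper-cased before use
     * @param gSSCredential the initiator credential
     * @return the Base64-encoded token, or {@code null} if no token was produced
     * @throws GSSException if the security context cannot be initiated
     */
    private String _getToken(GSSManager gSSManager, String host, String realm, GSSCredential gSSCredential) throws GSSException {
        getLogger().debug("***** Getting ticket for {}", host);
        GSSName serviceName = gSSManager.createName("HTTP/" + host + "@" + realm.toUpperCase(Locale.ROOT), GSSName.NT_USER_NAME);
        GSSContext initiatorContext = GSSManager.getInstance()
                .createContext(serviceName, new Oid(SPNEGO_OID), gSSCredential, GSSContext.INDEFINITE_LIFETIME);
        byte[] rawToken = initiatorContext.initSecContext(new byte[0], 0, 0);
        String encodedToken = rawToken != null ? Base64.getEncoder().encodeToString(rawToken) : null;
        // The token is a bearer-style authentication artifact: record its size, not its
        // content, so that debug logs cannot be used to recover it.
        getLogger().debug("***** Token generated ({} bytes)", rawToken != null ? rawToken.length : 0);
        return encodedToken;
    }
}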
