package com.orientechnologies.security.kerberos;

import com.orientechnologies.common.log.OLogManager;
import com.orientechnologies.common.parser.OSystemVariableResolver;
import com.orientechnologies.orient.core.metadata.schema.OType;
import com.orientechnologies.orient.core.record.impl.ODocument;
import com.orientechnologies.orient.core.security.kerberos.OKrb5ClientLoginModuleConfig;
import com.orientechnologies.orient.server.OServer;
import com.orientechnologies.orient.server.config.OServerConfigurationManager;
import com.orientechnologies.orient.server.security.OSecurityAuthenticatorAbstract;
import com.orientechnologies.orient.server.security.OSecurityAuthenticatorException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.Timer;
import java.util.TimerTask;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;

/* loaded from: input_file:com/orientechnologies/security/kerberos/OKerberosAuthenticator.class */
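/**
 * Server-side authenticator that validates Kerberos and SPNEGO service tickets through
 * {@code OKerberosLibrary} and returns the principal they were issued to.
 *
 * <p>{@link #config} reads the {@code krb5_config}, {@code service}, {@code spnego} and {@code client}
 * sections of the plugin configuration and performs the JAAS logins; {@link #active} starts two daemon
 * timers, one that purges the ticket relay cache and one that re-logs the client subject in.
 *
 * <p>Validated service tickets are remembered for {@link #TICKET_RELAY_EXPIRATION_MS} so that a ticket
 * replayed by the same client within that window does not go through GSS again. The cache is keyed by a
 * SHA-256 digest of the ticket text, never by the 32-bit {@code String.hashCode()} (which is trivially
 * collidable and would let one ticket resolve to another ticket's principal).
 */
public class OKerberosAuthenticator extends OSecurityAuthenticatorAbstract {
    /** Version reported in the activation banner. */
    private static final String KERBEROS_PLUGIN_VERSION = "0.15";
    /** Lifetime of a relay-cache entry, and the period of the purge sweep: 10 minutes. */
    private static final long TICKET_RELAY_EXPIRATION_MS = 600_000L;
    /** Delay before the first relay-cache sweep. */
    private static final long EXPIRATION_INITIAL_DELAY_MS = 30_000L;
    /** JAAS application name; the programmatic Configuration passed to LoginContext does not consult it. */
    private static final String LOGIN_CONTEXT_NAME = "ignore";
    /** Digest used to derive relay-cache keys so the raw ticket text is not retained in the map. */
    private static final String TICKET_KEY_DIGEST = "SHA-256";

    // config() rebuilds the service/SPNEGO subjects while authenticate() may be validating with them.
    private final Object authenticateSync = new Object();

    // Successfully validated service tickets, keyed by ticketKey(ticket).
    private final ConcurrentHashMap<String, TicketItem> ticketRelayMap = new ConcurrentHashMap<>();

    private Timer expirationTimer;
    private Timer renewalTimer;

    // Defaults come from the usual MIT krb5 environment variables; config() may override each of them.
    private String krb5Config = System.getenv("KRB5_CONFIG");

    private String servicePrincipal;
    private String serviceKtName = System.getenv("KRB5_KTNAME");
    private Subject serviceSubject;

    private String spnegoPrincipal;
    private String spnegoKtName = System.getenv("KRB5_KTNAME");
    private Subject spnegoSubject;

    private String clientPrincipal;
    private String clientCcName = System.getenv("KRB5CCNAME");
    private String clientKtName = System.getenv("KRB5_CLIENT_KTNAME");
    private boolean clientUseTicketCache = false;
    // Client subject renewal period, in minutes.
    private int clientPeriod = 300;
    // Written by the renewal timer thread, read by getClientSubject() from other threads.
    private volatile Subject clientSubject;

    /** Purges expired relay-cache entries; scheduled by {@link #active()}. */
    private final class ExpirationTask extends TimerTask {
        @Override
        public void run() {
            try {
                checkTicketExpirations();
            } catch (RuntimeException e) {
                // An exception escaping run() terminates the Timer thread and silently ends all future sweeps.
                OLogManager.instance().error(OKerberosAuthenticator.this, "OKerberosAuthenticator.ExpirationTask Exception: ", e);
            }
        }
    }

    /** Re-logs the client subject in; scheduled by {@link #active()}. */
    private final class RenewalTask extends TimerTask {
        @Override
        public void run() {
            try {
                createClientSubject();
            } catch (RuntimeException e) {
                // createClientSubject() throws on failure; letting that escape would kill the Timer thread and
                // stop every later renewal, so log it and keep the previous subject until the next attempt.
                OLogManager.instance().error(OKerberosAuthenticator.this, "OKerberosAuthenticator.RenewalTask Exception: ", e);
            }
        }
    }

    /**
     * A validated service ticket: the principal it resolved to and when it was validated.
     * Kept public for binary compatibility with the shipped class; nothing outside this file needs it.
     */
    public static class TicketItem {
        private final int hashCode;
        private final String principal;
        private final long time = System.currentTimeMillis();

        /**
         * @param hashCode  {@code String.hashCode()} of the ticket text (retained for compatibility; not used as a key)
         * @param principal principal the ticket resolved to
         */
        public TicketItem(int hashCode, String principal) {
            this.hashCode = hashCode;
            this.principal = principal;
        }

        public int getHashCode() {
            return hashCode;
        }

        public String getPrincipal() {
            return principal;
        }

        /** @return whether the entry is at least {@link #TICKET_RELAY_EXPIRATION_MS} old at time {@code now} (epoch ms). */
        public boolean hasExpired(long now) {
            return now - time >= TICKET_RELAY_EXPIRATION_MS;
        }
    }

    /**
     * Starts the relay-cache sweep and client-renewal timers and logs the activation banner.
     * Safe to call more than once: timers from an earlier activation are cancelled first instead of leaking.
     */
    public void active() {
        cancelTimers();

        expirationTimer = new Timer("OKerberosAuthenticator-ticket-expiration", true);
        expirationTimer.scheduleAtFixedRate(new ExpirationTask(), EXPIRATION_INITIAL_DELAY_MS, TICKET_RELAY_EXPIRATION_MS);

        // Converted in long arithmetic; int minutes * 60000 overflows for large configured periods.
        long renewalMs = TimeUnit.MINUTES.toMillis(clientPeriod);
        renewalTimer = new Timer("OKerberosAuthenticator-client-renewal", true);
        renewalTimer.scheduleAtFixedRate(new RenewalTask(), renewalMs, renewalMs);

        OLogManager.instance().info(this, "OrientDB Kerberos Version: " + KERBEROS_PLUGIN_VERSION);
        OLogManager.instance().info(this, "***********************************************");
        OLogManager.instance().info(this, "** OrientDB Kerberos Authenticator Is Active **");
        OLogManager.instance().info(this, "***********************************************");
    }

    /**
     * Validates a Base64-encoded Kerberos or SPNEGO service ticket supplied in the password field.
     *
     * @param username username presented by the client (logged in debug mode only)
     * @param password expected to hold a service ticket; anything else is rejected
     * @return the principal the ticket was issued to, or {@code null} if it is not a service ticket or
     *         validation failed. Only successful validations enter the relay cache; a failure is retried on
     *         the next request rather than remembered for ten minutes.
     */
    public String authenticate(String username, String password) {
        boolean serviceTicket = password != null && OKerberosLibrary.isServiceTicket(password);
        if (isDebug()) {
            OLogManager.instance().info(this, "** Authenticating username: %s", username);
            // The credential itself is never written to the log, even in debug mode.
            OLogManager.instance().info(this, "** Authenticating password: %s", serviceTicket ? "SERVICE TICKET" : "<not a service ticket, redacted>");
        }
        if (!serviceTicket) {
            return null;
        }

        try {
            String key = ticketKey(password);
            TicketItem cached = getTicket(key);
            if (cached != null) {
                if (isDebug()) {
                    OLogManager.instance().info(this, "OKerberosAuthenticator.authenticate() ticket found in relay cache, return principal: " + cached.getPrincipal());
                }
                return cached.getPrincipal();
            }

            byte[] ticket;
            try {
                ticket = Base64.getDecoder().decode(password);
            } catch (IllegalArgumentException e) {
                OLogManager.instance().debug(this, "OKerberosAuthenticator.authenticate() ticket is not valid Base64", e);
                return null;
            }

            String principal = null;
            try {
                synchronized (authenticateSync) {
                    principal = OKerberosLibrary.isSPNegoTicket(ticket)
                            ? OKerberosLibrary.getSPNegoSource(spnegoSubject, spnegoPrincipal, ticket)
                            : OKerberosLibrary.getKerberosSource(serviceSubject, servicePrincipal, ticket);
                }
            } catch (Exception e) {
                OLogManager.instance().error(this, "OKerberosAuthenticator.authenticate() Exception: ", e);
            }
            if (isDebug()) {
                OLogManager.instance().info(this, "OKerberosAuthenticator.authenticate() OKerberosLibrary.authenticate() returned " + principal);
            }
            if (principal != null) {
                addTicket(key, password.hashCode(), principal);
            }
            return principal;
        } catch (RuntimeException e) {
            OLogManager.instance().debug(this, "OKerberosAuthenticator.authenticate() Exception: ", e);
            return null;
        }
    }

    /**
     * Reads the plugin configuration, applies the JVM-wide Kerberos system properties and performs the
     * service, SPNEGO and client JAAS logins.
     *
     * @throws OSecurityAuthenticatorException when a required setting is missing, {@code client.renewalPeriod}
     *                                         is not a positive number of minutes, or a login yields no Subject
     */
    @Override
    public void config(OServer server, OServerConfigurationManager serverConfigurationManager, ODocument configuration) {
        super.config(server, serverConfigurationManager, configuration);

        if (configuration.containsField("krb5_config")) {
            krb5Config = resolveField(configuration, "krb5_config");
            OLogManager.instance().info(this, "Krb5Config = " + krb5Config);
        }

        if (configuration.containsField("service")) {
            ODocument service = (ODocument) configuration.field("service");
            if (service.containsField("ktname")) {
                serviceKtName = resolveField(service, "ktname");
                OLogManager.instance().info(this, "Svc ktname = " + serviceKtName);
            }
            if (service.containsField("principal")) {
                servicePrincipal = (String) service.field("principal");
                OLogManager.instance().info(this, "Svc princ = " + servicePrincipal);
            }
        }

        if (configuration.containsField("spnego")) {
            ODocument spnego = (ODocument) configuration.field("spnego");
            if (spnego.containsField("ktname")) {
                spnegoKtName = resolveField(spnego, "ktname");
                OLogManager.instance().info(this, "SPNEGO ktname = " + spnegoKtName);
            }
            if (spnego.containsField("principal")) {
                spnegoPrincipal = (String) spnego.field("principal");
                OLogManager.instance().info(this, "SPNEGO princ = " + spnegoPrincipal);
            }
        }

        if (configuration.containsField("client")) {
            ODocument client = (ODocument) configuration.field("client");
            if (client.containsField("useTicketCache")) {
                clientUseTicketCache = ((Boolean) client.field("useTicketCache", OType.BOOLEAN)).booleanValue();
                OLogManager.instance().info(this, "Client useTicketCache = " + clientUseTicketCache);
            }
            if (client.containsField("principal")) {
                clientPrincipal = (String) client.field("principal");
                OLogManager.instance().info(this, "Client princ = " + clientPrincipal);
            }
            if (client.containsField("ccname")) {
                clientCcName = resolveField(client, "ccname");
                OLogManager.instance().info(this, "Client ccname = " + clientCcName);
            }
            if (client.containsField("ktname")) {
                clientKtName = resolveField(client, "ktname");
                OLogManager.instance().info(this, "Client ktname = " + clientKtName);
            }
            if (client.containsField("renewalPeriod")) {
                // Validated here so a bad value fails configuration with a clear message instead of making
                // Timer.scheduleAtFixedRate() throw later inside active().
                int period = ((Number) client.field("renewalPeriod", OType.INTEGER)).intValue();
                if (period < 1) {
                    throw new OSecurityAuthenticatorException("OKerberosAuthenticator client renewalPeriod must be a positive number of minutes, got " + period);
                }
                clientPeriod = period;
            }
        }

        initializeKerberos();
        synchronized (authenticateSync) {
            createServiceSubject();
            createSpnegoSubject();
        }
        createClientSubject();
    }

    /** Stops both timers and drops every cached ticket. */
    public void dispose() {
        cancelTimers();
        ticketRelayMap.clear();
    }

    public String getAuthenticationHeader(String databaseName) {
        return "WWW-Authenticate: Negotiate";
    }

    /** @return the most recently renewed client Subject, or {@code null} before {@link #config} has run. */
    public Subject getClientSubject() {
        return clientSubject;
    }

    public boolean isSingleSignOnSupported() {
        return true;
    }

    /**
     * Sets the JVM-wide Kerberos system properties. These are process-global: every other JAAS/GSS user in
     * the same JVM sees them. JDK Kerberos/SPNEGO tracing follows this plugin's debug flag.
     */
    private void initializeKerberos() {
        if (krb5Config == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator KRB5 Config cannot be null");
        }
        System.setProperty("sun.security.krb5.debug", Boolean.toString(isDebug()));
        System.setProperty("sun.security.spnego.debug", Boolean.toString(isDebug()));
        System.setProperty("java.security.krb5.conf", krb5Config);
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
    }

    private void createServiceSubject() {
        if (servicePrincipal == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator.createServiceSubject() Service Principal cannot be null");
        }
        if (serviceKtName == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator.createServiceSubject() Service KeyTab cannot be null");
        }
        serviceSubject = loginSubject("createServiceSubject()", "Service", servicePrincipal,
                new OKrb5LoginModuleConfig(servicePrincipal, serviceKtName), false);
        if (serviceSubject == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator could not create service Subject");
        }
    }

    private void createSpnegoSubject() {
        if (spnegoPrincipal == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator.createSpnegoSubject() SPNEGO Principal cannot be null");
        }
        if (spnegoKtName == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator.createSpnegoSubject() SPNEGO KeyTab cannot be null");
        }
        spnegoSubject = loginSubject("createSpnegoSubject()", "SPNEGO", spnegoPrincipal,
                new OKrb5LoginModuleConfig(spnegoPrincipal, spnegoKtName), false);
        if (spnegoSubject == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator could not create SPNEGO Subject");
        }
    }

    /**
     * Logs the client principal in and publishes the new Subject. Called from {@link #config} and then
     * periodically by the renewal timer; on failure the previously published Subject is left in place.
     * Public for compatibility with the shipped class (it was declared private in the original source).
     *
     * @throws OSecurityAuthenticatorException when the client settings are incomplete or the login fails
     */
    public void createClientSubject() {
        if (clientPrincipal == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator.createClientSubject() Client Principal cannot be null");
        }
        if (clientUseTicketCache && clientCcName == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator.createClientSubject() Client UseTicketCache cannot be true while Credential Cache is null");
        }
        if (clientCcName == null && clientKtName == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator.createClientSubject() Client Credential Cache and Client KeyTab cannot both be null");
        }
        Subject subject = loginSubject("createClientSubject()", "Client", clientPrincipal,
                new OKrb5ClientLoginModuleConfig(clientPrincipal, clientUseTicketCache, clientCcName, clientKtName), true);
        if (subject == null) {
            throw new OSecurityAuthenticatorException("OKerberosAuthenticator could not create client Subject");
        }
        clientSubject = subject;
    }

    /**
     * Performs one JAAS login and returns the resulting Subject.
     *
     * @param methodName caller name used as the log prefix, e.g. {@code "createServiceSubject()"}
     * @param kind       "Service", "SPNEGO" or "Client", used in log messages
     * @param principal  principal being logged in
     * @param config     JAAS configuration describing the login module
     * @param isClient   passed through to {@code OKerberosLibrary.checkNativeJGSS}
     * @return the Subject, or {@code null} when login failed (the failure is logged). If
     *         {@code checkNativeJGSS} throws after the login succeeded, the Subject is still returned.
     */
    private Subject loginSubject(String methodName, String kind, String principal, Configuration config, boolean isClient) {
        Subject subject = null;
        try {
            OLogManager.instance().info(this, methodName + " " + kind + " Principal: " + principal);
            LoginContext loginContext = new LoginContext(LOGIN_CONTEXT_NAME, (Subject) null, (CallbackHandler) null, config);
            loginContext.login();
            subject = loginContext.getSubject();
            if (subject != null) {
                OKerberosLibrary.checkNativeJGSS(subject, principal, isClient);
                OLogManager.instance().info(this, "** Created Kerberos " + kind + " Subject **");
            }
        } catch (Exception e) {
            OLogManager.instance().error(this, methodName + " Exception: ", e);
        }
        return subject;
    }

    /** Resolves {@code ${...}} system-variable references in a string configuration field. */
    private static String resolveField(ODocument document, String fieldName) {
        return OSystemVariableResolver.resolveSystemVariables((String) document.field(fieldName));
    }

    /**
     * Derives the relay-cache key for a ticket: the hex SHA-256 digest of its text. The digest keeps the
     * ticket itself out of the map and, unlike {@code String.hashCode()}, cannot be made to collide.
     */
    private static String ticketKey(String ticket) {
        MessageDigest digest;
        try {
            digest = MessageDigest.getInstance(TICKET_KEY_DIGEST);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is required of every Java platform implementation; treat its absence as a broken runtime.
            throw new IllegalStateException(TICKET_KEY_DIGEST + " is not available", e);
        }
        byte[] hash = digest.digest(ticket.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder(hash.length * 2);
        for (byte b : hash) {
            hex.append(Character.forDigit((b >> 4) & 0xF, 16)).append(Character.forDigit(b & 0xF, 16));
        }
        return hex.toString();
    }

    private void cancelTimers() {
        if (expirationTimer != null) {
            expirationTimer.cancel();
            expirationTimer = null;
        }
        if (renewalTimer != null) {
            renewalTimer.cancel();
            renewalTimer = null;
        }
    }

    private void addTicket(String key, int hashCode, String principal) {
        ticketRelayMap.put(key, new TicketItem(hashCode, principal));
    }

    /**
     * @return the unexpired cache entry for {@code key}, or {@code null}. Expiry is checked on read because the
     *         sweep only runs every {@link #TICKET_RELAY_EXPIRATION_MS}, so an entry could otherwise be served
     *         for nearly twice its intended lifetime.
     */
    private TicketItem getTicket(String key) {
        TicketItem item = ticketRelayMap.get(key);
        if (item != null && item.hasExpired(System.currentTimeMillis())) {
            ticketRelayMap.remove(key, item);
            return null;
        }
        return item;
    }

    /** Removes every expired entry from the relay cache. Public for compatibility with the shipped class. */
    public void checkTicketExpirations() {
        long now = System.currentTimeMillis();
        ticketRelayMap.entrySet().removeIf(entry -> entry.getValue().hasExpired(now));
    }
}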
