package org.apache.kerby.has.server.kdc;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.apache.kerby.has.common.util.HasUtil;
import org.apache.kerby.has.server.HasServer;
import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbContext;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.common.KrbUtil;
import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
import org.apache.kerby.kerberos.kerb.server.KdcContext;
import org.apache.kerby.kerberos.kerb.server.KdcRecoverableException;
import org.apache.kerby.kerberos.kerb.server.KdcServer;
import org.apache.kerby.kerberos.kerb.server.preauth.PreauthHandler;
import org.apache.kerby.kerberos.kerb.server.request.AsRequest;
import org.apache.kerby.kerberos.kerb.server.request.KdcRequest;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.HostAddress;
import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
import org.apache.kerby.kerberos.kerb.type.base.KrbError;
import org.apache.kerby.kerberos.kerb.type.base.KrbMessage;
import org.apache.kerby.kerberos.kerb.type.base.KrbToken;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.base.TokenFormat;
import org.apache.kerby.kerberos.kerb.type.kdc.AsReq;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcOption;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcOptions;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcReqBody;
import org.apache.kerby.kerberos.kerb.type.pa.PaData;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
import org.apache.kerby.kerberos.kerb.type.pa.token.PaTokenRequest;
import org.apache.kerby.kerberos.kerb.type.pa.token.TokenInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kerby/has/server/kdc/HasKdcHandler.class */
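/**
 * Bridges HAS token authentication onto the embedded Kerby KDC.
 *
 * <p>An {@link AuthToken} is wrapped into an AS-REQ whose pre-authentication data
 * carries a {@link PaDataType#TOKEN_REQUEST} entry, the request is run through the
 * KDC's AS processing, and the resulting AS-REP (or a KRB-ERROR describing the
 * failure) is returned to the caller.
 *
 * <p>Thread-safety is not documented for this class. Note that
 * {@link #handleMessage(AuthToken, String)} writes
 * {@link KdcConfigKey#TOKEN_ISSUERS} into the shared KDC configuration on every call.
 */
public class HasKdcHandler {
    private static final Logger LOG = LoggerFactory.getLogger(HasKdcHandler.class);

    /** Microsecond component written into every KRB-ERROR built by this handler. */
    private static final int ERROR_SUSEC = 100;
    /** Issuer name written to {@link KdcConfigKey#TOKEN_ISSUERS} before AS processing. */
    private static final String TOKEN_ISSUER = "has";
    /** Service component of the audience the token is scoped to (the TGS principal). */
    private static final String TGS_SERVICE = "krbtgt";

    /** KDC-side context (settings, identity service, pre-auth handler); built in {@link #prepareHandler}. */
    private KdcContext kdcContext;
    /** Client-side context used to shape the synthetic AS-REQ (realm, nonce, ticket lifetime, etypes). */
    private final KrbContext krbContext = new KrbContext();
    private final KdcServer kdcServer;

    /**
     * Creates a handler bound to the KDC embedded in {@code hasServer}.
     *
     * @param hasServer server supplying the client KRB settings and the {@link KdcServer}
     */
    public HasKdcHandler(HasServer hasServer) {
        this.krbContext.init(hasServer.getKrbSetting());
        this.kdcServer = hasServer.getKdcServer();
        prepareHandler(this.kdcServer);
    }

    /** @return the client-side KRB context used to build requests */
    public KrbContext getKrbContext() {
        return this.krbContext;
    }

    /** @return the KDC context requests are processed against */
    public KdcContext getKdcContext() {
        return this.kdcContext;
    }

    private KdcServer getKdcServer() {
        return this.kdcServer;
    }

    /**
     * Builds the {@link KdcContext} from the server's KDC settings, wires in its identity
     * service and a freshly initialised {@link PreauthHandler}.
     *
     * @param kdcServer the embedded KDC to take settings and identity service from
     */
    private void prepareHandler(KdcServer kdcServer) {
        this.kdcContext = new KdcContext(kdcServer.getKdcSetting());
        this.kdcContext.setIdentityService(kdcServer.getIdentityService());
        PreauthHandler preauthHandler = new PreauthHandler();
        preauthHandler.init();
        this.kdcContext.setPreauthHandler(preauthHandler);
    }

    /**
     * Builds a principal-style audience string {@code service/REALM@REALM} for the KDC realm.
     *
     * @param service service component, e.g. {@code krbtgt}
     * @return the audience string
     */
    private String getAudience(String service) {
        String realm = getKdcContext().getKdcRealm();
        return service + "/" + realm + "@" + realm;
    }

    /**
     * Convenience wrapper around {@link #handleMessage(AuthToken, String)} that never throws.
     *
     * @param authToken token identifying the client
     * @param str       client secret used to derive the AS client key; never logged
     * @return the KDC reply, or {@code null} if processing threw a {@link KrbException}
     */
    public KrbMessage getResponse(AuthToken authToken, String str) {
        try {
            return handleMessage(authToken, str);
        } catch (KrbException e) {
            // Pass the exception itself so the stack trace is retained in the log.
            LOG.error("Failed to handle message. " + e.getMessage(), e);
            return null;
        }
    }

    /**
     * Turns {@code authToken} into an AS-REQ and processes it through the KDC.
     *
     * <p>The token's audience is set to the TGS principal of the KDC realm, the client key
     * is derived from the token subject, {@code str} and the strongest encryption type
     * both sides support, and {@link KdcConfigKey#TOKEN_ISSUERS} is set to {@value #TOKEN_ISSUER}
     * in the shared KDC configuration before processing.
     *
     * @param authToken token identifying the client; its audiences are overwritten here
     * @param str       client secret material passed to {@link HasUtil#getClientKey}; never logged
     * @return the AS-REP on success, otherwise a KRB-ERROR describing the failure
     * @throws KrbException with {@link KrbErrorCode#KDC_ERR_ETYPE_NOSUPP} if no common
     *                      encryption type exists, or if building the request fails
     */
    public KrbMessage handleMessage(AuthToken authToken, String str) throws KrbException {
        List<String> audiences = new ArrayList<>();
        audiences.add(getAudience(TGS_SERVICE));
        authToken.setAudiences(audiences);

        AsReq asReq = createAsReq(authToken);
        AsRequest asRequest = new AsRequest(asReq, this.kdcContext);
        asRequest.setHttps(true);

        EncryptionType bestEncryptionType = EncryptionUtil.getBestEncryptionType(
                getEncryptionTypes(), this.kdcContext.getConfig().getEncryptionTypes());
        if (bestEncryptionType == null) {
            LOG.error("Can't get the best encryption type.");
            throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP);
        }

        // The request body realm is preferred; fall back to the KDC realm when absent.
        PrincipalName clientPrincipal = new PrincipalName(authToken.getSubject());
        String realm = asReq.getReqBody().getRealm();
        if (realm == null || realm.isEmpty()) {
            realm = getKdcContext().getKdcRealm();
        }
        clientPrincipal.setRealm(realm);
        asRequest.setClientKey(HasUtil.getClientKey(clientPrincipal.getName(), str, bestEncryptionType));

        // Mutates the shared KDC configuration on every request, as the original did.
        getKdcServer().getKdcConfig().setString(KdcConfigKey.TOKEN_ISSUERS, TOKEN_ISSUER);

        try {
            asRequest.process();
            return asRequest.getReply();
        } catch (KrbException e) {
            LOG.error("Error occurred when request tgt. " + e.getMessage());
            if (e instanceof KdcRecoverableException) {
                return handleRecoverableException((KdcRecoverableException) e, asRequest);
            }
            return buildKrbError(e, asRequest);
        }
    }

    /**
     * Builds the KRB-ERROR returned when AS processing fails with a non-recoverable
     * {@link KrbException}.
     *
     * @param cause     the failure raised by {@link AsRequest#process()}
     * @param asRequest the request that failed; used for client and server principals
     * @return a populated KRB-ERROR
     */
    private KrbError buildKrbError(KrbException cause, AsRequest asRequest) {
        KrbError krbError = new KrbError();
        krbError.setStime(KerberosTime.now());
        krbError.setSusec(ERROR_SUSEC);

        KrbErrorCode code = cause.getKrbErrorCode();
        krbError.setErrorCode(code != null ? code : KrbErrorCode.UNKNOWN_ERR);

        krbError.setCrealm(this.kdcContext.getKdcRealm());
        if (asRequest.getClientPrincipal() != null) {
            krbError.setCname(asRequest.getClientPrincipal());
        }
        krbError.setRealm(this.kdcContext.getKdcRealm());

        if (asRequest.getServerPrincipal() != null) {
            krbError.setSname(asRequest.getServerPrincipal());
        } else {
            KdcReqBody reqBody = asRequest.getKdcReq().getReqBody();
            PrincipalName sname = reqBody.getSname();
            // Guard against a missing sname so the caller still receives a KRB-ERROR
            // instead of a NullPointerException escaping from error construction.
            if (sname != null) {
                sname.setRealm(reqBody.getRealm());
                krbError.setSname(sname);
            }
        }

        // An integrity failure on the pre-auth data is reported as a generic
        // PREAUTH_FAILED; the exception's own message is not sent to the client.
        if (KrbErrorCode.KRB_AP_ERR_BAD_INTEGRITY.equals(code)) {
            krbError.setEtext("PREAUTH_FAILED");
        } else {
            krbError.setEtext(cause.getMessage());
        }
        return krbError;
    }

    /**
     * Completes the KRB-ERROR carried by a {@link KdcRecoverableException} with timestamp,
     * realm, sname and error text and returns it as the reply.
     *
     * @param kdcRecoverableException the recoverable failure carrying a partial KRB-ERROR
     * @param kdcRequest              the request being processed, or {@code null}
     * @return the completed KRB-ERROR
     */
    private KrbMessage handleRecoverableException(KdcRecoverableException kdcRecoverableException,
                                                  KdcRequest kdcRequest) {
        LOG.info("KRB error occurred while processing request:" + kdcRecoverableException.getMessage());
        KrbError krbError = kdcRecoverableException.getKrbError();
        krbError.setStime(KerberosTime.now());
        krbError.setSusec(ERROR_SUSEC);
        // Re-applies the code already present on the error; retained from the original.
        krbError.setErrorCode(krbError.getErrorCode());
        krbError.setRealm(this.kdcContext.getKdcRealm());
        if (kdcRequest != null) {
            // As in the original, the request's cname is placed into the error's sname.
            krbError.setSname(kdcRequest.getKdcReq().getReqBody().getCname());
        } else {
            krbError.setSname(new PrincipalName("NONE"));
        }
        krbError.setEtext(kdcRecoverableException.getMessage());
        return krbError;
    }

    /**
     * Builds an AS-REQ whose pre-auth data holds {@code authToken} as a JWT
     * {@link PaDataType#TOKEN_REQUEST} entry.
     *
     * @param authToken token to embed; its issuer becomes the token vendor
     * @return the AS-REQ
     * @throws KrbException if encoding the {@link PaTokenRequest} fails
     */
    public AsReq createAsReq(AuthToken authToken) throws KrbException {
        AsReq asReq = new AsReq();
        asReq.setReqBody(makeReqBody());

        PaTokenRequest paTokenRequest = new PaTokenRequest();
        paTokenRequest.setToken(new KrbToken(authToken, TokenFormat.JWT));
        TokenInfo tokenInfo = new TokenInfo();
        tokenInfo.setTokenVendor(authToken.getIssuer());
        paTokenRequest.setTokenInfo(tokenInfo);

        PaDataEntry paDataEntry = new PaDataEntry();
        paDataEntry.setPaDataType(PaDataType.TOKEN_REQUEST);
        paDataEntry.setPaDataValue(KrbCodec.encode(paTokenRequest));

        PaData paData = new PaData();
        paData.addElement(paDataEntry);
        asReq.setPaData(paData);
        return asReq;
    }

    /**
     * Builds the KDC-REQ-BODY for the synthetic AS-REQ: no cname, the client realm,
     * the TGS sname, a validity window from now for the configured ticket lifetime,
     * a fresh nonce, the fixed KDC options and the supported encryption types.
     *
     * @return the populated request body
     */
    protected KdcReqBody makeReqBody() {
        KdcReqBody kdcReqBody = new KdcReqBody();
        long now = System.currentTimeMillis();
        kdcReqBody.setFrom(new KerberosTime(now));
        // cname is intentionally left unset; the client is identified by the token.
        kdcReqBody.setCname((PrincipalName) null);
        kdcReqBody.setRealm(getKrbContext().getKrbSetting().getKdcRealm());
        kdcReqBody.setSname(getServerPrincipal());
        kdcReqBody.setTill(new KerberosTime(now + this.krbContext.getTicketValidTime()));
        kdcReqBody.setNonce(this.krbContext.generateNonce());
        kdcReqBody.setKdcOptions(getKdcOptions());
        HostAddresses hostAddresses = getHostAddresses();
        if (hostAddresses != null) {
            kdcReqBody.setAddresses(hostAddresses);
        }
        kdcReqBody.setEtypes(getEncryptionTypes());
        return kdcReqBody;
    }

    /** @return the TGS principal for the configured KDC realm */
    private PrincipalName getServerPrincipal() {
        return KrbUtil.makeTgsPrincipal(getKrbContext().getKrbSetting().getKdcRealm());
    }

    /** @return KDC options requesting FORWARDABLE, PROXIABLE and RENEWABLE_OK tickets */
    private KdcOptions getKdcOptions() {
        KdcOptions kdcOptions = new KdcOptions();
        kdcOptions.setFlag(KdcOption.FORWARDABLE);
        kdcOptions.setFlag(KdcOption.PROXIABLE);
        kdcOptions.setFlag(KdcOption.RENEWABLE_OK);
        return kdcOptions;
    }

    /**
     * Returns the client host addresses to put into the request.
     *
     * <p>No addresses are collected, so this currently always returns {@code null}
     * and {@link #makeReqBody()} omits the addresses field.
     *
     * @return the host addresses, or {@code null} when there are none
     */
    public HostAddresses getHostAddresses() {
        List<HostAddress> addresses = new ArrayList<>();
        if (addresses.isEmpty()) {
            return null;
        }
        HostAddresses hostAddresses = new HostAddresses();
        for (HostAddress address : addresses) {
            hostAddresses.addElement(address);
        }
        return hostAddresses;
    }

    /** @return the configured client encryption types, strongest first */
    public List<EncryptionType> getEncryptionTypes() {
        return EncryptionUtil.orderEtypesByStrength(this.krbContext.getConfig().getEncryptionTypes());
    }
}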
