package org.apache.kerby.kerberos.kerb.admin.server.kadmin.impl;

import java.io.File;
import java.io.IOException;
import java.net.SocketTimeoutException;
import java.nio.ByteBuffer;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.kerby.kerberos.kerb.admin.AuthUtil;
import org.apache.kerby.kerberos.kerb.admin.kadmin.remote.NegotiationStatus;
import org.apache.kerby.kerberos.kerb.admin.message.KadminCode;
import org.apache.kerby.kerberos.kerb.admin.server.kadmin.AdminServerContext;
import org.apache.kerby.kerberos.kerb.admin.server.kadmin.AdminServerHandler;
import org.apache.kerby.kerberos.kerb.admin.server.kadmin.AdminServerUtil;
import org.apache.kerby.kerberos.kerb.common.KrbUtil;
import org.apache.kerby.kerberos.kerb.transport.KrbTransport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xnio.sasl.SaslUtils;
import org.xnio.sasl.SaslWrapper;

/* loaded from: input_file:org/apache/kerby/kerberos/kerb/admin/server/kadmin/impl/DefaultAdminServerHandler.class */
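public class DefaultAdminServerHandler extends AdminServerHandler implements Runnable {
    private static final Logger logger = LoggerFactory.getLogger(DefaultAdminServerHandler.class);
    /** SASL mechanism negotiated with the admin client (Kerberos through GSSAPI). */
    private static final String MECHANISM = "GSSAPI";
    /** Connection to the admin client; released on every failure path of this handler. */
    private final KrbTransport transport;
    private final AdminServerContext adminServerContext;

    /**
     * Authorization callback for the GSSAPI server side. Exactly one identity is let through:
     * the configured kadmin principal, and only when it authenticates as itself (the
     * authorization id must equal the authentication id, so no proxy authorization).
     */
    private static class SaslGssCallbackHandler implements CallbackHandler {
        private final String adminPrincipal;

        /**
         * @param adminPrincipal the only principal accepted as both authentication and
         *                       authorization identity; must not be null
         */
        SaslGssCallbackHandler(String adminPrincipal) {
            this.adminPrincipal = Objects.requireNonNull(adminPrincipal, "adminPrincipal");
        }

        /**
         * Answers the callbacks raised by the GSSAPI mechanism.
         *
         * @param callbacks callbacks from the SASL server; only {@link AuthorizeCallback} is supported
         * @throws UnsupportedCallbackException for any callback that is not an {@link AuthorizeCallback}
         */
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            AuthorizeCallback authorize = null;
            for (Callback callback : callbacks) {
                if (!(callback instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL GSSAPI Callback");
                }
                authorize = (AuthorizeCallback) callback;
            }
            if (authorize == null) {
                return;
            }
            String authenticationId = authorize.getAuthenticationID();
            String authorizationId = authorize.getAuthorizationID();
            // Exact match on both identities. adminPrincipal is non-null, so a null id from the
            // mechanism simply fails the check instead of throwing.
            boolean permitted = adminPrincipal.equals(authenticationId)
                    && adminPrincipal.equals(authorizationId);
            if (!permitted) {
                logger.warn("Client try to login using principal " + authenticationId);
            }
            authorize.setAuthorized(permitted);
            if (permitted) {
                authorize.setAuthorizedID(authorizationId);
            }
        }
    }

    /**
     * @param adminServerContext server configuration and settings used for the keytab login
     * @param krbTransport       the accepted client connection this handler serves
     */
    public DefaultAdminServerHandler(AdminServerContext adminServerContext, KrbTransport krbTransport) {
        super(adminServerContext);
        this.transport = krbTransport;
        this.adminServerContext = adminServerContext;
    }

    /**
     * Serves one client connection: authenticates it with a GSSAPI SASL handshake, then
     * unwraps and dispatches requests until the transport closes or fails. The request loop
     * is entered only after the handshake completed; an abandoned handshake has already
     * released the transport.
     */
    @Override
    public void run() {
        try {
            if (!doSaslHandshake()) {
                return;
            }
            serveRequests();
        } catch (Exception e) {
            logger.error("With exception when SASL negotiation.", e);
        }
    }

    /** Reads SASL-wrapped requests until the client disconnects or the transport fails. */
    private void serveRequests() {
        do {
            try {
                ByteBuffer wrapped = this.transport.receiveMessage();
                if (wrapped == null) {
                    logger.debug("No valid request recved. Disconnect actively");
                    this.transport.release();
                    return;
                }
                // Requests after the handshake arrive SASL-wrapped; unwrap before decoding.
                byte[] plain = getSaslServerWrapper().unwrap(wrapped);
                handleMessage(ByteBuffer.wrap(plain));
            } catch (IOException e) {
                this.transport.release();
                logger.debug("Transport or decoding error occurred, disconnecting abnormally", e);
                return;
            }
        } while (!this.transport.isClosed());
    }

    /**
     * Dispatches one decoded request and sends the response back over the transport.
     * Any failure releases the transport, ending the connection.
     *
     * @param request the unwrapped request bytes
     */
    protected void handleMessage(ByteBuffer request) {
        try {
            this.transport.sendMessage(handleMessage(request, this.transport.getRemoteAddress()));
        } catch (Exception e) {
            this.transport.release();
            logger.error("Error occured while processing request:", e);
        }
    }

    /**
     * Runs the GSSAPI SASL negotiation with the connected client while logged in as the
     * kadmin service principal from the configured keytab. The server requests
     * {@code auth-conf} (integrity and confidentiality on later messages) and mutual
     * authentication.
     *
     * @return {@code true} once the SASL server reports completion; {@code false} when the
     *         handshake was abandoned (no message, or a socket timeout), in which case the
     *         transport has already been released
     * @throws Exception on keytab login failure, a missing GSSAPI provider, a rejected
     *                   challenge, or a transport error; the transport is released first
     */
    private boolean doSaslHandshake() throws Exception {
        File keytab = new File(this.adminServerContext.getConfig().getKeyTabFile());
        String servicePrincipal = AdminServerUtil.fixPrincipal(
                this.adminServerContext.getConfig().getProtocol() + "/"
                        + this.adminServerContext.getConfig().getAdminHost(),
                this.adminServerContext.getAdminServerSetting());
        String kadminPrincipal = KrbUtil.makeKadminPrincipal(
                this.adminServerContext.getAdminServerSetting().getKdcRealm()).getName();
        Subject serviceSubject = AuthUtil.loginUsingKeytab(servicePrincipal, keytab);

        PrivilegedExceptionAction<Boolean> negotiate = () -> {
            SaslServer saslServer = null;
            boolean completed = false;
            try {
                ByteBuffer message = this.transport.receiveMessage();
                if (message == null) {
                    logger.debug("No initial SASL message recved. Disconnect actively");
                    return Boolean.FALSE;
                }
                Map<String, String> props = new HashMap<>();
                props.put(Sasl.QOP, "auth-conf");
                props.put(Sasl.SERVER_AUTH, "true");
                saslServer = Sasl.createSaslServer(MECHANISM,
                        this.adminServerContext.getConfig().getProtocol(),
                        this.adminServerContext.getConfig().getServerName(),
                        props, new SaslGssCallbackHandler(kadminPrincipal));
                if (saslServer == null) {
                    throw new Exception("Unable to find server implementation for: " + MECHANISM);
                }
                setSaslServerWrapper(SaslWrapper.create(saslServer));
                while (!saslServer.isComplete()) {
                    // Each client message carries a NegotiationStatus int ahead of the token;
                    // it must be consumed before the remaining buffer is handed to SASL.
                    if (message.getInt() == NegotiationStatus.SUCCESS.getValue()) {
                        logger.info("Sasl Client completed");
                    }
                    byte[] challenge;
                    try {
                        challenge = SaslUtils.evaluateResponse(saslServer, message);
                    } catch (SaslException e) {
                        throw new Exception("Sasl server evaluate challenge failed.", e);
                    }
                    if (!saslServer.isComplete()) {
                        sendMessage(challenge, saslServer);
                        logger.info("Waiting receive message");
                        message = this.transport.receiveMessage();
                        if (message == null) {
                            logger.debug("Client ended SASL negotiation early. Disconnect actively");
                            return Boolean.FALSE;
                        }
                    }
                }
                completed = true;
                return Boolean.TRUE;
            } catch (SocketTimeoutException timeout) {
                // A client that stops talking mid-handshake is dropped without an error.
                logger.debug("Timed out during SASL negotiation. Disconnect actively", timeout);
                return Boolean.FALSE;
            } finally {
                if (!completed) {
                    disposeQuietly(saslServer);
                    this.transport.release();
                }
            }
        };
        return Boolean.TRUE.equals(Subject.doAs(serviceSubject, negotiate));
    }

    /** Frees the GSS context of a SASL server that will not be used further; never throws. */
    private static void disposeQuietly(SaslServer saslServer) {
        if (saslServer == null) {
            return;
        }
        try {
            saslServer.dispose();
        } catch (SaslException e) {
            logger.debug("Failed to dispose SASL server", e);
        }
    }

    /**
     * Sends a SASL token to the client, tagged CONTINUE while the negotiation is still open
     * and SUCCESS once the server side is complete.
     *
     * @param token      the challenge produced by the SASL server
     * @param saslServer the negotiating server, consulted for its completion state
     * @throws IOException if encoding or transmission fails; the failure propagates so the
     *                     handshake does not sit waiting for a reply the client cannot send
     */
    private void sendMessage(byte[] token, SaslServer saslServer) throws IOException {
        NegotiationStatus status = saslServer.isComplete()
                ? NegotiationStatus.SUCCESS : NegotiationStatus.CONTINUE;
        try {
            this.transport.sendMessage(KadminCode.encodeSaslMessage(token, status));
        } catch (SaslException e) {
            throw new IOException("Failed to send message to client.", e);
        }
        logger.info("Send message to admin client.");
    }
}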
