package org.apache.qpid.server.security.auth.manager;

import java.io.File;
import java.net.URL;
import java.net.URLDecoder;
import java.security.PrivilegedActionException;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
import org.apache.qpid.server.security.auth.sasl.SaslSettings;
import org.apache.qpid.server.test.EmbeddedKdcResource;
import org.apache.qpid.server.test.KerberosUtilities;
import org.apache.qpid.test.utils.JvmVendor;
import org.apache.qpid.test.utils.SystemPropertySetter;
import org.apache.qpid.test.utils.UnitTestBase;
import org.hamcrest.Matchers;
import org.ietf.jgss.GSSException;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.mockito.Mockito;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.class */
public class KerberosAuthenticationManagerTest extends UnitTestBase {
    private static final String LOGIN_CONFIG = "login.config";
    private static final String SERVER_NAME = "localhost";
    private static final String SERVER_PROTOCOL = "AMQP";
    private static final String SERVICE_PRINCIPAL_NAME = "AMQP/localhost";
    private static final String SERVER_PRINCIPAL_FULL_NAME = "AMQP/localhost@QPID.ORG";
    private static final String CLIENT_PRINCIPAL_NAME = "client";
    private static final String CLIENT_PRINCIPAL_FULL_NAME = "client@QPID.ORG";
    private static File _clientKeyTabFile;
    private KerberosAuthenticationManager _kerberosAuthenticationProvider;
    private Broker<?> _broker;
    private static final Logger LOGGER = LoggerFactory.getLogger(KerberosAuthenticationManagerTest.class);
    private static final KerberosUtilities UTILS = new KerberosUtilities();
    private static final String REALM = "QPID.ORG";

    @ClassRule
    public static final EmbeddedKdcResource KDC = new EmbeddedKdcResource(REALM);

    @ClassRule
    public static final SystemPropertySetter SYSTEM_PROPERTY_SETTER = new SystemPropertySetter();

    @BeforeClass
    public static void createKeyTabs() throws Exception {
        Assume.assumeThat(getJvmVendor(), Matchers.not(JvmVendor.IBM));
        KDC.createPrincipal("broker.keytab", SERVER_PRINCIPAL_FULL_NAME);
        _clientKeyTabFile = KDC.createPrincipal("client.keytab", CLIENT_PRINCIPAL_FULL_NAME);
        URL resource = KerberosAuthenticationManagerTest.class.getClassLoader().getResource(LOGIN_CONFIG);
        LOGGER.debug("JAAS config:" + resource);
        Assert.assertNotNull(resource);
        SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", URLDecoder.decode(resource.getPath(), "UTF-8"));
        SYSTEM_PROPERTY_SETTER.setSystemProperty("javax.security.auth.useSubjectCredsOnly", "false");
    }

    @Before
    public void setUp() throws Exception {
        Map singletonMap = Collections.singletonMap("qpid.auth.gssapi.spnegoConfigScope", "com.sun.security.jgss.accept");
        HashMap hashMap = new HashMap();
        hashMap.put("name", getTestName());
        hashMap.put("context", singletonMap);
        this._broker = BrokerTestHelper.createBrokerMock();
        this._kerberosAuthenticationProvider = new KerberosAuthenticationManager(hashMap, this._broker);
        this._kerberosAuthenticationProvider.create();
        Mockito.when(this._broker.getChildren(AuthenticationProvider.class)).thenReturn(Collections.singleton(this._kerberosAuthenticationProvider));
    }

    @Test
    public void testCreateSaslNegotiator() throws Exception {
        SaslSettings saslSettings = (SaslSettings) Mockito.mock(SaslSettings.class);
        Mockito.when(saslSettings.getLocalFQDN()).thenReturn(SERVER_NAME);
        SaslNegotiator createSaslNegotiator = this._kerberosAuthenticationProvider.createSaslNegotiator("GSSAPI", saslSettings, (NamedAddressSpace) null);
        Assert.assertNotNull("Could not create SASL negotiator", createSaslNegotiator);
        try {
            AuthenticationResult authenticate = authenticate(createSaslNegotiator);
            Assert.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
            Assert.assertEquals(new KerberosPrincipal(CLIENT_PRINCIPAL_FULL_NAME).getName(), authenticate.getMainPrincipal().getName());
            createSaslNegotiator.dispose();
        } catch (Throwable th) {
            createSaslNegotiator.dispose();
            throw th;
        }
    }

    @Test
    public void testSeveralKerberosAuthenticationProviders() {
        try {
            new KerberosAuthenticationManager(Collections.singletonMap("name", getTestName() + "2"), this._broker).create();
            Assert.fail("Exception expected");
        } catch (IllegalConfigurationException e) {
        }
    }

    @Test
    public void testCreateKerberosAuthenticationProvidersWithNonExistingJaasLoginModule() {
        Mockito.when(this._broker.getChildren(AuthenticationProvider.class)).thenReturn(Collections.emptySet());
        SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.auth.login.config", "config.module." + System.nanoTime());
        try {
            new KerberosAuthenticationManager(Collections.singletonMap("name", getTestName()), this._broker).create();
            Assert.fail("Exception expected");
        } catch (IllegalConfigurationException e) {
        }
    }

    @Test
    public void testAuthenticateUsingNegotiationToken() throws GSSException {
        AuthenticationResult authenticate = this._kerberosAuthenticationProvider.authenticate("Negotiate " + Base64.getEncoder().encodeToString(UTILS.buildToken(CLIENT_PRINCIPAL_NAME, SERVICE_PRINCIPAL_NAME)));
        Assert.assertNotNull(authenticate);
        Assert.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
    }

    private AuthenticationResult authenticate(SaslNegotiator saslNegotiator) throws Exception {
        LoginContext createKerberosKeyTabLoginContext = UTILS.createKerberosKeyTabLoginContext(getTestName(), CLIENT_PRINCIPAL_FULL_NAME, _clientKeyTabFile);
        try {
            createKerberosKeyTabLoginContext.login();
            Subject subject = createKerberosKeyTabLoginContext.getSubject();
            AuthenticationResult performNegotiation = performNegotiation(subject, createSaslClient(subject), saslNegotiator);
            createKerberosKeyTabLoginContext.logout();
            return performNegotiation;
        } catch (Throwable th) {
            createKerberosKeyTabLoginContext.logout();
            throw th;
        }
    }

    private AuthenticationResult performNegotiation(Subject subject, SaslClient saslClient, SaslNegotiator saslNegotiator) throws PrivilegedActionException {
        AuthenticationResult handleResponse;
        byte[] bArr = null;
        boolean z = false;
        do {
            if (!z) {
                z = true;
                bArr = (byte[]) Subject.doAs(subject, () -> {
                    if (saslClient.hasInitialResponse()) {
                        return saslClient.evaluateChallenge(new byte[0]);
                    }
                    return null;
                });
            }
            handleResponse = saslNegotiator.handleResponse(bArr);
            byte[] challenge = handleResponse.getChallenge();
            if (challenge != null) {
                bArr = (byte[]) Subject.doAs(subject, () -> {
                    return saslClient.evaluateChallenge(challenge);
                });
            }
        } while (handleResponse.getStatus() == AuthenticationResult.AuthenticationStatus.CONTINUE);
        return handleResponse;
    }

    private SaslClient createSaslClient(Subject subject) throws PrivilegedActionException {
        return (SaslClient) Subject.doAs(subject, () -> {
            return Sasl.createSaslClient(new String[]{"GSSAPI"}, (String) null, SERVER_PROTOCOL, SERVER_NAME, Collections.singletonMap("javax.security.sasl.server.authentication", "true"), (CallbackHandler) null);
        });
    }
}
