package org.apache.qpid.server.test;

import com.google.common.io.ByteStreams;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.TextOutputCallback;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.qpid.test.utils.JvmVendor;
import org.apache.qpid.test.utils.SystemPropertySetter;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/test/KerberosUtilities.class */
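/**
 * Test-only helpers for exercising Kerberos/SPNEGO authentication against an embedded KDC:
 * the principal and keytab names used by the tests, a keytab-backed JAAS {@link Configuration},
 * and a GSS-API initiator that produces the initial SPNEGO context token for the broker's
 * service principal.
 *
 * <p>Security notes for anyone reusing this class:
 * <ul>
 *   <li>It mutates JVM-global state: the {@code java.security.auth.login.config} and
 *       {@code javax.security.auth.useSubjectCredsOnly} system properties (see
 *       {@link #prepareConfiguration} and {@link #buildToken}). Nothing here is thread-safe.</li>
 *   <li>It writes a generated JAAS configuration to {@code target/login.config} under the
 *       current working directory with default file permissions. A JAAS configuration names the
 *       login module class that will be loaded, so this is only appropriate for an isolated
 *       test run, never for a shared or production environment.</li>
 *   <li>With {@code -Dsun.security.krb5.debug=true}, {@link #debug} echoes messages to stdout,
 *       including the logged-in {@link Subject} (principals and credential sets).</li>
 *   <li>{@link #buildToken} requests credential delegation for the initiator.</li>
 * </ul>
 */
public class KerberosUtilities {
    /** Kerberos realm served by the embedded KDC. */
    public static final String REALM = "QPID.ORG";
    /** Short name of the client principal used to authenticate to the broker. */
    public static final String CLIENT_PRINCIPAL_NAME = "client";
    /** Realm-qualified client principal (compile-time constant, {@code client@QPID.ORG}). */
    public static final String CLIENT_PRINCIPAL_FULL_NAME = CLIENT_PRINCIPAL_NAME + "@" + REALM;
    /** Service class used for the broker's service principal. */
    public static final String SERVER_PROTOCOL = "AMQP";
    /**
     * Canonical host name of the loopback address, resolved once at class load.
     * This is a best-effort reverse lookup, so the exact value depends on the local resolver.
     */
    public static final String HOST_NAME = InetAddress.getLoopbackAddress().getCanonicalHostName();
    /** Broker service principal without realm, e.g. {@code AMQP/localhost}. */
    public static final String SERVICE_PRINCIPAL_NAME = SERVER_PROTOCOL + "/" + HOST_NAME;
    /** System property that points JAAS at a login configuration file. */
    public static final String LOGIN_CONFIG = "java.security.auth.login.config";

    private static final String USE_SUBJECT_CREDS_ONLY = "javax.security.auth.useSubjectCredsOnly";
    private static final String IBM_LOGIN_MODULE_CLASS = "com.ibm.security.auth.module.Krb5LoginModule";
    private static final String SUN_LOGIN_MODULE_CLASS = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String LOGIN_CONFIG_RESOURCE = "login.config";
    private static final String LOGIN_IBM_CONFIG_RESOURCE = "login.ibm.config";
    private static final String BROKER_KEYTAB = "broker.keytab";
    private static final String CLIENT_KEYTAB = "client.keytab";
    /** Kerberos V5 GSS-API mechanism OID (RFC 1964). */
    private static final String KRB5_MECHANISM_OID = "1.2.840.113554.1.2.2";
    /** SPNEGO pseudo-mechanism OID (RFC 4178). */
    private static final String SPNEGO_MECHANISM_OID = "1.3.6.1.5.5.2";
    private static final String SERVICE_PRINCIPAL_FULL_NAME = SERVICE_PRINCIPAL_NAME + "@" + REALM;

    /**
     * JAAS application name for the acceptor (server) side; vendor specific because the
     * IBM and Sun/OpenJDK JGSS implementations look up different entries.
     * Intended for acceptor-side login contexts configured elsewhere in the test suite.
     */
    public static final String ACCEPT_SCOPE =
            isIBM() ? "com.ibm.security.jgss.krb5.accept" : "com.sun.security.jgss.accept";
    /** JAAS application name for the initiator (client) side, vendor specific as above. */
    private static final String INITIATE_SCOPE =
            isIBM() ? "com.ibm.security.jgss.krb5.initiate" : "com.sun.security.jgss.initiate";
    /** Krb5 login module class for the running JVM vendor. */
    private static final String KERBEROS_LOGIN_MODULE_CLASS = isIBM() ? IBM_LOGIN_MODULE_CLASS : SUN_LOGIN_MODULE_CLASS;
    private static final Logger LOGGER = LoggerFactory.getLogger(KerberosUtilities.class);

    /**
     * A programmatic JAAS {@link Configuration} holding a single, required Krb5 login module
     * entry that authenticates one principal from a keytab file. Only the configured scope name
     * is answered; every other application name gets an empty entry array.
     */
    public static class KerberosKeyTabLoginConfiguration extends Configuration {
        private final String _scopeName;
        private final AppConfigurationEntry _entry;

        /**
         * @param scopeName     JAAS application name this configuration answers for
         * @param principalName principal to log in as (passed to the module as {@code principal})
         * @param keyTabFile    keytab holding that principal's key
         */
        KerberosKeyTabLoginConfiguration(final String scopeName, final String principalName, final File keyTabFile) {
            final Map<String, String> options = new HashMap<>();
            options.put("principal", principalName);
            if (isIBM()) {
                // IBM's Krb5LoginModule takes the keytab path in "useKeytab" and needs
                // "credsType=both" to obtain initiator and acceptor credentials.
                options.put("useKeytab", keyTabFile.getAbsolutePath());
                options.put("credsType", "both");
            } else {
                options.put("keyTab", keyTabFile.getAbsolutePath());
                options.put("useKeyTab", Boolean.TRUE.toString());
                // Never fall back to interactive prompting: a keytab login must be non-interactive.
                options.put("doNotPrompt", Boolean.TRUE.toString());
                // Re-read krb5.conf on every login; presumably because the embedded KDC writes
                // its configuration at test run time — confirm against EmbeddedKdcResource.
                options.put("refreshKrb5Config", Boolean.TRUE.toString());
            }
            _entry = new AppConfigurationEntry(KERBEROS_LOGIN_MODULE_CLASS,
                                               AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                                               options);
            _scopeName = scopeName;
        }

        /** Returns a fresh array each call so callers cannot mutate the shared entry. */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(final String name) {
            if (_scopeName.equals(name)) {
                return new AppConfigurationEntry[]{_entry};
            }
            return new AppConfigurationEntry[0];
        }
    }

    /**
     * Creates the broker and client principals in the embedded KDC, exporting each to its keytab.
     *
     * @param kdc the embedded KDC
     * @return the client keytab file (the broker keytab's {@link File} is not returned)
     * @throws Exception if the KDC cannot create a principal or write a keytab
     */
    public File prepareKeyTabs(final EmbeddedKdcResource kdc) throws Exception {
        kdc.createPrincipal(BROKER_KEYTAB, SERVICE_PRINCIPAL_FULL_NAME);
        return kdc.createPrincipal(CLIENT_KEYTAB, CLIENT_PRINCIPAL_FULL_NAME);
    }

    /**
     * Writes the test JAAS configuration for {@code hostName} and points the JVM at it.
     *
     * <p>Sets {@code java.security.auth.login.config} to the generated file and
     * {@code javax.security.auth.useSubjectCredsOnly} to {@code false}; both are JVM-global.
     * The generated file's real path is a plain file-system path, so it is passed through
     * verbatim — URL-decoding it (as an earlier version did) would corrupt any {@code +} or
     * {@code %} sequences in the working directory's path.
     *
     * @param hostName             host name substituted into the service principal of the config
     * @param systemPropertySetter test helper that records the properties for later restoration
     * @throws IOException if the configuration resource cannot be read or the file written
     */
    public void prepareConfiguration(final String hostName, final SystemPropertySetter systemPropertySetter)
            throws IOException {
        final Path loginConfig = transformLoginConfig(hostName);
        systemPropertySetter.setSystemProperty(LOGIN_CONFIG, loginConfig.toFile().getAbsolutePath());
        systemPropertySetter.setSystemProperty(USE_SUBJECT_CREDS_ONLY, "false");
    }

    /**
     * Logs in {@code clientPrincipalName} from its keytab and builds the initial SPNEGO token
     * for {@code servicePrincipalName} inside that Subject.
     *
     * <p>While the token is built, {@code javax.security.auth.useSubjectCredsOnly} is forced to
     * {@code true} so JGSS takes its credentials from the logged-in Subject rather than any other
     * source; the previous value (or absence) of the property is restored afterwards. The login
     * context is logged out in all cases once a Subject was obtained. This mutates JVM-global
     * state and must not run concurrently with other Kerberos activity in the same JVM.
     *
     * @param clientPrincipalName  initiator principal
     * @param clientKeyTab         keytab containing the initiator's key
     * @param servicePrincipalName target service principal
     * @return the initial context token bytes
     * @throws Exception on login failure, or a {@link java.security.PrivilegedActionException}
     *                   wrapping the {@link GSSException} raised while building the token
     */
    public byte[] buildToken(final String clientPrincipalName, final File clientKeyTab, final String servicePrincipalName)
            throws Exception {
        final LoginContext loginContext = createKerberosKeyTabLoginContext(INITIATE_SCOPE, clientPrincipalName, clientKeyTab);
        final String previousUseSubjectCredsOnly = System.getProperty(USE_SUBJECT_CREDS_ONLY);
        Subject subject = null;
        Throwable pending = null;
        try {
            debug("Before login");
            loginContext.login();
            subject = loginContext.getSubject();
            // NOTE: with sun.security.krb5.debug this prints the Subject, including its credential sets.
            debug("LoginContext subject {}", subject);
            System.setProperty(USE_SUBJECT_CREDS_ONLY, "true");
            return Subject.doAs(subject,
                                (PrivilegedExceptionAction<byte[]>) () ->
                                        buildTokenWithinSubjectWithKerberosTicket(clientPrincipalName,
                                                                                  servicePrincipalName));
        } catch (Throwable t) {
            pending = t;
            throw t;
        } finally {
            restoreSystemProperty(USE_SUBJECT_CREDS_ONLY, previousUseSubjectCredsOnly);
            if (subject != null) {
                try {
                    loginContext.logout();
                } catch (LoginException e) {
                    // Do not let a logout failure mask the failure that got us here.
                    if (pending == null) {
                        throw e;
                    }
                    pending.addSuppressed(e);
                }
            }
        }
    }

    /**
     * Builds the first SPNEGO context token using the Kerberos credentials of the current Subject.
     * Must be called inside {@link Subject#doAs} with a Subject holding the initiator's credentials.
     *
     * <p>The context requests credential delegation ({@link GSSContext#requestCredDeleg}), i.e. it
     * asks for the initiator's credentials to be forwarded to the acceptor; this is what the tests
     * need but is not something to copy into production initiators casually. Both the context and
     * the credential are disposed before returning so key material is released promptly.
     *
     * @param clientPrincipalName  initiator principal (resolved as {@link GSSName#NT_USER_NAME})
     * @param servicePrincipalName acceptor principal, canonicalized for the SPNEGO mechanism
     * @return the token produced by the first {@link GSSContext#initSecContext} call
     * @throws GSSException if the credential, name or context cannot be created
     */
    private byte[] buildTokenWithinSubjectWithKerberosTicket(final String clientPrincipalName,
                                                             final String servicePrincipalName) throws GSSException {
        debug("Building token for client principal '{}' and server principal '{}'", clientPrincipalName, servicePrincipalName);
        final GSSManager manager = GSSManager.getInstance();
        final GSSName clientName = manager.createName(clientPrincipalName, GSSName.NT_USER_NAME);

        final GSSCredential clientCredential;
        try {
            // Initiator-only Kerberos V5 credential with the default lifetime.
            clientCredential = manager.createCredential(clientName,
                                                        GSSCredential.DEFAULT_LIFETIME,
                                                        new Oid(KRB5_MECHANISM_OID),
                                                        GSSCredential.INITIATE_ONLY);
        } catch (GSSException e) {
            debug("Failure to create credential for {}", clientName, e);
            throw e;
        }
        debug("Client credential '{}'", clientCredential);

        try {
            final GSSName serviceName = manager.createName(servicePrincipalName, GSSName.NT_USER_NAME);
            final Oid spnego = new Oid(SPNEGO_MECHANISM_OID);
            final GSSContext context = manager.createContext(serviceName.canonicalize(spnego),
                                                             spnego,
                                                             clientCredential,
                                                             GSSContext.DEFAULT_LIFETIME);
            debug("Requesting ticket using initiator's credentials");
            try {
                context.requestCredDeleg(true);
                debug("Requesting ticket");
                return context.initSecContext(new byte[0], 0, 0);
            } catch (GSSException e) {
                debug("Failure to request token", e);
                throw e;
            } finally {
                context.dispose();
            }
        } finally {
            clientCredential.dispose();
        }
    }

    /**
     * Creates a {@link LoginContext} for {@code scopeName} whose Subject already carries the
     * principal and its {@link KeyTab} as a private credential, backed by a
     * {@link KerberosKeyTabLoginConfiguration} rather than the file-based JAAS configuration.
     *
     * @param scopeName     JAAS application name to log in under
     * @param principalName principal name; realm-qualified through {@link KerberosPrincipal}
     *                      before being handed to the login module
     * @param keyTabFile    keytab that must contain at least one key for the principal
     * @return an un-started login context
     * @throws LoginException           if the context cannot be created
     * @throws IllegalArgumentException if the keytab is unreadable or lacks a key for the principal
     */
    public LoginContext createKerberosKeyTabLoginContext(final String scopeName,
                                                         final String principalName,
                                                         final File keyTabFile) throws LoginException {
        final KerberosPrincipal principal = new KerberosPrincipal(principalName);
        // Writable Subject (readOnly=false) so the login module can populate it on commit.
        final Subject subject = new Subject(false,
                                            Collections.singleton(principal),
                                            Collections.emptySet(),
                                            Collections.singleton(getKeyTab(principal, keyTabFile)));
        return createLoginContext(scopeName, subject, createKeyTabConfiguration(scopeName, keyTabFile, principal.getName()));
    }

    /**
     * Builds a single-entry keytab login configuration for the given scope and principal.
     *
     * @param scopeName     JAAS application name the configuration answers for
     * @param keyTabFile    keytab file
     * @param principalName principal to authenticate
     * @return the configuration
     */
    public KerberosKeyTabLoginConfiguration createKeyTabConfiguration(final String scopeName,
                                                                      final File keyTabFile,
                                                                      final String principalName) {
        return new KerberosKeyTabLoginConfiguration(scopeName, principalName, keyTabFile);
    }

    /**
     * Wires a {@link LoginContext} with a callback handler that only services
     * {@link TextOutputCallback} (logged at error level). Any prompting callback is left
     * unanswered on purpose: a keytab login must never need interactive input.
     */
    private LoginContext createLoginContext(final String scopeName,
                                            final Subject subject,
                                            final Configuration configuration) throws LoginException {
        return new LoginContext(scopeName, subject, callbacks -> {
            for (final Callback callback : callbacks) {
                if (callback instanceof TextOutputCallback) {
                    LOGGER.error(((TextOutputCallback) callback).getMessage());
                }
            }
        }, configuration);
    }

    /**
     * Validates that {@code keyTabFile} is a readable keytab holding at least one key for
     * {@code principal} and returns a {@link KeyTab} handle for it.
     *
     * <p>{@link KeyTab#getKeys} returns fresh {@link KerberosKey} objects carrying key material;
     * they are only needed for the existence check, so each is destroyed immediately. The returned
     * {@link KeyTab} refers to the file and reads keys again when a login needs them.
     *
     * @throws IllegalArgumentException if the file is missing/unreadable, is not a keytab, or
     *                                  has no key for the principal
     */
    private KeyTab getKeyTab(final KerberosPrincipal principal, final File keyTabFile) {
        if (!keyTabFile.exists() || !keyTabFile.canRead()) {
            throw new IllegalArgumentException("Specified file does not exist or is not readable.");
        }
        final KeyTab keyTab = KeyTab.getInstance(principal, keyTabFile);
        if (!keyTab.exists()) {
            throw new IllegalArgumentException("Specified file is not a keyTab file.");
        }
        final KerberosKey[] keys = keyTab.getKeys(principal);
        if (keys.length == 0) {
            throw new IllegalArgumentException("Specified file does not contain at least one key for this principal.");
        }
        for (final KerberosKey key : keys) {
            try {
                key.destroy();
            } catch (DestroyFailedException e) {
                LOGGER.debug("Unable to destroy key", e);
            }
        }
        return keyTab;
    }

    /**
     * Logs at debug level and, when {@code sun.security.krb5.debug} is {@code true}, also prints
     * the formatted message to stdout so it interleaves with the JDK's own Kerberos tracing.
     * Be aware that arguments (e.g. a {@link Subject}) are rendered in full on stdout.
     *
     * <p>Placeholders are SLF4J-style {@code {}}. Unlike a {@code String.format} based rendering,
     * a literal {@code %} in the message or a shortfall of arguments cannot throw here.
     *
     * @param message   message with {@code {}} placeholders
     * @param arguments values substituted in order; surplus arguments are ignored
     */
    public void debug(final String message, final Object... arguments) {
        LOGGER.debug(message, arguments);
        if (Boolean.TRUE.toString().equalsIgnoreCase(System.getProperty("sun.security.krb5.debug"))) {
            System.out.println(formatMessage(message, arguments));
        }
    }

    /**
     * Replaces each {@code {}} in {@code message}, left to right, with {@code String.valueOf}
     * of the next argument. Placeholders without a matching argument are left as-is.
     */
    private static String formatMessage(final String message, final Object... arguments) {
        final StringBuilder rendered = new StringBuilder(message.length() + 16);
        int argumentIndex = 0;
        int position = 0;
        while (true) {
            final int placeholder = message.indexOf("{}", position);
            if (placeholder < 0 || arguments == null || argumentIndex >= arguments.length) {
                rendered.append(message, position, message.length());
                return rendered.toString();
            }
            rendered.append(message, position, placeholder).append(arguments[argumentIndex++]);
            position = placeholder + "{}".length();
        }
    }

    /**
     * Reads the vendor-specific login configuration template from the classpath, substitutes the
     * service host name and absolute keytab paths, and writes the result to
     * {@code target/login.config} (creating {@code target} if needed).
     *
     * <p>{@code hostName} is interpolated verbatim; callers pass a host name they control.
     *
     * @param hostName host to use in the {@code AMQP/<host>} service principal
     * @return the real path of the written configuration file
     * @throws IOException if the template cannot be read (wrapped, naming the resource) or the
     *                     file cannot be written
     * @throws IllegalArgumentException if the template resource is not on the classpath
     */
    private Path transformLoginConfig(final String hostName) throws IOException {
        final String resourceName = isIBM() ? LOGIN_IBM_CONFIG_RESOURCE : LOGIN_CONFIG_RESOURCE;
        final URL resource = KerberosUtilities.class.getClassLoader().getResource(resourceName);
        if (resource == null) {
            throw new IllegalArgumentException(String.format("Unknown resource '%s'", resourceName));
        }

        final String template;
        try (InputStream in = resource.openStream()) {
            template = new String(ByteStreams.toByteArray(in), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new IOException(String.format("Failed to load resource '%s'", resource.toExternalForm()), e);
        }

        final String config = template.replace("AMQP/localhost", "AMQP/" + hostName)
                                      .replace("target/broker.keytab", toAbsolutePath(BROKER_KEYTAB))
                                      .replace("target/client.keytab", toAbsolutePath(CLIENT_KEYTAB));

        final Path target = Paths.get("target", LOGIN_CONFIG_RESOURCE);
        Files.createDirectories(target.getParent());
        Files.write(target,
                    config.getBytes(StandardCharsets.UTF_8),
                    StandardOpenOption.WRITE,
                    StandardOpenOption.CREATE,
                    StandardOpenOption.TRUNCATE_EXISTING);
        return target.toRealPath(LinkOption.NOFOLLOW_LINKS);
    }

    /**
     * Absolute path of {@code target/<fileName>} in URI path form (forward slashes), which is
     * presumably chosen so Windows backslashes need no escaping inside the JAAS config file.
     */
    private String toAbsolutePath(final String fileName) {
        return Paths.get("target", fileName).toAbsolutePath().normalize().toUri().getPath();
    }

    /** Restores a system property to {@code previousValue}, clearing it if there was none. */
    private static void restoreSystemProperty(final String name, final String previousValue) {
        if (previousValue == null) {
            System.clearProperty(name);
        } else {
            System.setProperty(name, previousValue);
        }
    }

    /** True when running on an IBM JVM, whose Krb5 login module and JGSS names differ. */
    private static boolean isIBM() {
        return JvmVendor.getJvmVendor() == JvmVendor.IBM;
    }
}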
