package org.apache.qpid.server.security.auth.manager;

import java.io.File;
import java.security.PrivilegedActionException;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.security.TokenCarryingPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
import org.apache.qpid.server.security.auth.sasl.SaslSettings;
import org.apache.qpid.server.test.KerberosUtilities;
import org.apache.qpid.server.util.StringUtil;
import org.apache.qpid.test.utils.EmbeddedKdcExtension;
import org.apache.qpid.test.utils.SystemPropertySetter;
import org.apache.qpid.test.utils.UnitTestBase;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/KerberosAuthenticationManagerTest.class */
public class KerberosAuthenticationManagerTest extends UnitTestBase {
    private static final String ANOTHER_SERVICE = "foo/" + KerberosUtilities.HOST_NAME;
    private static final String ANOTHER_SERVICE_FULL_NAME = ANOTHER_SERVICE + "@QPID.ORG";
    private static final KerberosUtilities UTILS = new KerberosUtilities();

    @RegisterExtension
    public static final EmbeddedKdcExtension KDC = new EmbeddedKdcExtension(KerberosUtilities.HOST_NAME, 0, "QpidTestKerberosServer", KerberosUtilities.REALM);

    @RegisterExtension
    public static final SystemPropertySetter SYSTEM_PROPERTY_SETTER = new SystemPropertySetter();
    private static File _clientKeyTabFile;
    private static String _config;
    private KerberosAuthenticationManager _kerberosAuthenticationProvider;
    private Broker<?> _broker;
    private SpnegoAuthenticator _spnegoAuthenticator;

    @BeforeAll
    public static void createKeyTabs() throws Exception {
        KDC.createPrincipal("another.keytab", new String[]{ANOTHER_SERVICE_FULL_NAME});
        _config = UTILS.prepareConfiguration(KerberosUtilities.HOST_NAME, SYSTEM_PROPERTY_SETTER);
        _clientKeyTabFile = UTILS.prepareKeyTabs(KDC);
    }

    @BeforeEach
    public void setUp() throws Exception {
        SYSTEM_PROPERTY_SETTER.setSystemProperty(KerberosUtilities.LOGIN_CONFIG, _config);
        this._broker = BrokerTestHelper.createBrokerMock();
        this._kerberosAuthenticationProvider = createKerberosAuthenticationProvider(KerberosUtilities.ACCEPT_SCOPE);
        this._spnegoAuthenticator = new SpnegoAuthenticator(this._kerberosAuthenticationProvider);
    }

    @Test
    public void testCreateSaslNegotiator() throws Exception {
        SaslSettings saslSettings = (SaslSettings) Mockito.mock(SaslSettings.class);
        Mockito.when(saslSettings.getLocalFQDN()).thenReturn(KerberosUtilities.HOST_NAME);
        SaslNegotiator createSaslNegotiator = this._kerberosAuthenticationProvider.createSaslNegotiator("GSSAPI", saslSettings, (NamedAddressSpace) null);
        Assertions.assertNotNull(createSaslNegotiator, "Could not create SASL negotiator");
        try {
            AuthenticationResult authenticate = authenticate(createSaslNegotiator);
            Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
            Assertions.assertEquals(new KerberosPrincipal(KerberosUtilities.CLIENT_PRINCIPAL_FULL_NAME).getName(), authenticate.getMainPrincipal().getName());
            createSaslNegotiator.dispose();
        } catch (Throwable th) {
            createSaslNegotiator.dispose();
            throw th;
        }
    }

    @Test
    public void testSeveralKerberosAuthenticationProviders() {
        KerberosAuthenticationManager kerberosAuthenticationManager = new KerberosAuthenticationManager(Map.of("name", getTestName() + "2"), this._broker);
        Objects.requireNonNull(kerberosAuthenticationManager);
        Assertions.assertThrows(IllegalConfigurationException.class, kerberosAuthenticationManager::create, "Exception expected");
    }

    @Test
    public void testCreateKerberosAuthenticationProvidersWithNonExistingJaasLoginModule() {
        Mockito.when(this._broker.getChildren(AuthenticationProvider.class)).thenReturn(Set.of());
        SYSTEM_PROPERTY_SETTER.setSystemProperty(KerberosUtilities.LOGIN_CONFIG, "config.module." + System.nanoTime());
        KerberosAuthenticationManager kerberosAuthenticationManager = new KerberosAuthenticationManager(Map.of("name", getTestName()), this._broker);
        Objects.requireNonNull(kerberosAuthenticationManager);
        Assertions.assertThrows(IllegalConfigurationException.class, kerberosAuthenticationManager::create, "Exception expected");
    }

    @Test
    public void testAuthenticateUsingNegotiationToken() throws Exception {
        AuthenticationResult authenticate = this._kerberosAuthenticationProvider.authenticate("Negotiate " + Base64.getEncoder().encodeToString(UTILS.buildToken(KerberosUtilities.CLIENT_PRINCIPAL_NAME, _clientKeyTabFile, KerberosUtilities.SERVICE_PRINCIPAL_NAME)));
        Assertions.assertNotNull(authenticate);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
    }

    @Test
    public void testAuthenticate() throws Exception {
        AuthenticationResult authenticate = this._spnegoAuthenticator.authenticate("Negotiate " + Base64.getEncoder().encodeToString(buildToken(KerberosUtilities.SERVICE_PRINCIPAL_NAME)));
        Assertions.assertNotNull(authenticate);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
        TokenCarryingPrincipal mainPrincipal = authenticate.getMainPrincipal();
        Assertions.assertTrue(mainPrincipal instanceof TokenCarryingPrincipal);
        Assertions.assertEquals(KerberosUtilities.CLIENT_PRINCIPAL_FULL_NAME, mainPrincipal.getName());
        Map tokens = mainPrincipal.getTokens();
        Assertions.assertNotNull(tokens);
        Assertions.assertTrue(tokens.containsKey("WWW-Authenticate"));
    }

    @Test
    public void testAuthenticateNoAuthenticationHeader() {
        AuthenticationResult authenticate = this._spnegoAuthenticator.authenticate((String) null);
        Assertions.assertNotNull(authenticate);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, authenticate.getStatus());
    }

    @Test
    public void testAuthenticateNoNegotiatePrefix() throws Exception {
        AuthenticationResult authenticate = this._spnegoAuthenticator.authenticate(Base64.getEncoder().encodeToString(buildToken(KerberosUtilities.SERVICE_PRINCIPAL_NAME)));
        Assertions.assertNotNull(authenticate);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, authenticate.getStatus());
    }

    @Test
    public void testAuthenticateEmptyToken() {
        AuthenticationResult authenticate = this._spnegoAuthenticator.authenticate("Negotiate ");
        Assertions.assertNotNull(authenticate);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, authenticate.getStatus());
    }

    @Test
    public void testAuthenticateInvalidToken() {
        AuthenticationResult authenticate = this._spnegoAuthenticator.authenticate("Negotiate Zm9v");
        Assertions.assertNotNull(authenticate);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, authenticate.getStatus());
    }

    @Test
    public void testAuthenticateWrongConfigName() throws Exception {
        this._kerberosAuthenticationProvider.delete();
        this._kerberosAuthenticationProvider = createKerberosAuthenticationProvider("foo");
        this._spnegoAuthenticator = new SpnegoAuthenticator(this._kerberosAuthenticationProvider);
        AuthenticationResult authenticate = this._spnegoAuthenticator.authenticate("Negotiate " + Base64.getEncoder().encodeToString(buildToken(KerberosUtilities.SERVICE_PRINCIPAL_NAME)));
        Assertions.assertNotNull(authenticate);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, authenticate.getStatus());
    }

    @Test
    public void testAuthenticateWrongServer() throws Exception {
        AuthenticationResult authenticate = this._spnegoAuthenticator.authenticate("Negotiate " + Base64.getEncoder().encodeToString(buildToken(ANOTHER_SERVICE)));
        Assertions.assertNotNull(authenticate);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, authenticate.getStatus());
    }

    private KerberosAuthenticationManager createKerberosAuthenticationProvider(String str) {
        Mockito.when(this._broker.getChildren(AuthenticationProvider.class)).thenReturn(List.of());
        KerberosAuthenticationManager kerberosAuthenticationManager = new KerberosAuthenticationManager(Map.of("name", getTestName(), "context", Map.of("qpid.auth.gssapi.spnegoConfigScope", str)), this._broker);
        kerberosAuthenticationManager.create();
        Mockito.when(this._broker.getChildren(AuthenticationProvider.class)).thenReturn(Set.of(kerberosAuthenticationManager));
        return kerberosAuthenticationManager;
    }

    private byte[] buildToken(String str) throws Exception {
        return UTILS.buildToken(KerberosUtilities.CLIENT_PRINCIPAL_NAME, _clientKeyTabFile, str);
    }

    private AuthenticationResult authenticate(SaslNegotiator saslNegotiator) throws Exception {
        LoginContext createKerberosKeyTabLoginContext = UTILS.createKerberosKeyTabLoginContext(getTestName(), KerberosUtilities.CLIENT_PRINCIPAL_FULL_NAME, _clientKeyTabFile);
        Subject subject = null;
        try {
            createKerberosKeyTabLoginContext.login();
            subject = createKerberosKeyTabLoginContext.getSubject();
            debug("LoginContext subject {}", subject);
            AuthenticationResult performNegotiation = performNegotiation(subject, createSaslClient(subject), saslNegotiator);
            if (subject != null) {
                createKerberosKeyTabLoginContext.logout();
            }
            return performNegotiation;
        } catch (Throwable th) {
            if (subject != null) {
                createKerberosKeyTabLoginContext.logout();
            }
            throw th;
        }
    }

    private void debug(String str, Object... objArr) {
        UTILS.debug(str, objArr);
    }

    private AuthenticationResult performNegotiation(Subject subject, SaslClient saslClient, SaslNegotiator saslNegotiator) throws PrivilegedActionException {
        AuthenticationResult handleResponse;
        byte[] bArr = null;
        boolean z = false;
        do {
            if (!z) {
                z = true;
                debug("Sending initial challenge", new Object[0]);
                bArr = (byte[]) Subject.doAs(subject, () -> {
                    if (saslClient.hasInitialResponse()) {
                        return saslClient.evaluateChallenge(new byte[0]);
                    }
                    return null;
                });
                debug("Initial challenge sent", new Object[0]);
            }
            debug("Handling response: {}", StringUtil.toHex(bArr));
            handleResponse = saslNegotiator.handleResponse(bArr);
            byte[] challenge = handleResponse.getChallenge();
            if (challenge != null) {
                debug("Challenge: {}", StringUtil.toHex(challenge));
                bArr = (byte[]) Subject.doAs(subject, () -> {
                    return saslClient.evaluateChallenge(challenge);
                });
            }
        } while (handleResponse.getStatus() == AuthenticationResult.AuthenticationStatus.CONTINUE);
        debug("Result {}", handleResponse.getStatus());
        return handleResponse;
    }

    private SaslClient createSaslClient(Subject subject) throws PrivilegedActionException {
        return (SaslClient) Subject.doAs(subject, () -> {
            return Sasl.createSaslClient(new String[]{"GSSAPI"}, (String) null, KerberosUtilities.SERVER_PROTOCOL, KerberosUtilities.HOST_NAME, Map.of("javax.security.sasl.server.authentication", "true"), (CallbackHandler) null);
        });
    }
}
