package com.yahoo.athenz.auth.token;

import java.nio.charset.StandardCharsets;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.bouncycastle.util.encoders.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/auth/token/KerberosToken.class */
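/**
 * Athenz credential built from a {@code Negotiate} (Kerberos/SPNEGO) authorization value.
 *
 * <p>The constructor only parses the value: it must start with {@link #KRB_AUTH_VAL_FLD};
 * everything after that prefix, trimmed, is kept as the base64 ticket in {@code unsignedToken}.
 * The ticket is not checked until {@link #validate(Subject, StringBuilder)} is called, which
 * accepts the GSS security context under the supplied service {@link Subject}, maps the
 * principal's realm to an Athenz domain and exposes the bare principal via {@link #getUserName()}.
 *
 * <p>Realm-to-domain mapping (all values come from JVM system properties):
 * <ul>
 *   <li>realm equal to {@link #KRB_USER_REALM} -&gt; domain {@link #KRB_USER_DOMAIN} (the default)</li>
 *   <li>realm equal to {@link #USER_REALM} -&gt; domain {@link #USER_DOMAIN}</li>
 *   <li>any other realm -&gt; validation fails</li>
 * </ul>
 * A principal without an {@code @} keeps the default domain and is accepted as-is.
 */
public class KerberosToken extends Token {
    /** Required prefix of the credential string (the HTTP Negotiate auth-scheme name). */
    public static final String KRB_AUTH_VAL_FLD = "Negotiate";
    /**
     * System property naming an optional replacement for {@link KerberosValidateAction}.
     * The named class is loaded reflectively and must expose a {@code (byte[])} constructor.
     * Because this is effectively a code-loading knob, it must only ever be set from trusted
     * JVM configuration, never derived from request data.
     */
    public static final String KRB_PROP_TOKEN_PRIV_ACTION = "athenz.auth.kerberos.krb_privileged_action_class";
    /** Fully qualified name of the override validation action, or {@code null} for the built-in one. */
    String krbPrivActionClass = System.getProperty(KRB_PROP_TOKEN_PRIV_ACTION);
    /** Principal name without realm; only set once {@link #validate} has fully succeeded. */
    String userName = null;
    private static final Logger LOG = LoggerFactory.getLogger(KerberosToken.class);
    public static final String ATHENZ_PROP_USER_DOMAIN = "athenz.user_domain";
    /** Athenz domain used for principals from {@link #USER_REALM}. */
    public static final String USER_DOMAIN = System.getProperty(ATHENZ_PROP_USER_DOMAIN, "user");
    public static final String ATHENZ_PROP_USER_REALM = "athenz.auth.kerberos.user_realm";
    /** Kerberos realm mapped to {@link #USER_DOMAIN}. */
    public static final String USER_REALM = System.getProperty(ATHENZ_PROP_USER_REALM, "USER_REALM");
    public static final String ATHENZ_PROP_KRB_USER_DOMAIN = "athenz.auth.kerberos.krb_user_domain";
    /** Default Athenz domain for this token type; used for principals from {@link #KRB_USER_REALM}. */
    public static final String KRB_USER_DOMAIN = System.getProperty(ATHENZ_PROP_KRB_USER_DOMAIN, "krb");
    public static final String ATHENZ_PROP_KRB_USER_REALM = "athenz.auth.kerberos.krb_user_realm";
    /** Kerberos realm mapped to {@link #KRB_USER_DOMAIN}. */
    public static final String KRB_USER_REALM = System.getProperty(ATHENZ_PROP_KRB_USER_REALM, "KRB_REALM");

    /**
     * Default validation action: accepts the ticket as a GSS security context and returns the
     * initiator's (source) principal name as a string.
     *
     * <p>The acceptor credential is passed as {@code null}, so JGSS resolves it from the
     * {@link Subject} that {@link Subject#doAs} runs this action under.
     */
    private static class KerberosValidateAction implements PrivilegedExceptionAction<String> {
        private final byte[] kerberosTicket;

        /** @param bArr the raw (base64-decoded) token bytes to accept */
        public KerberosValidateAction(byte[] bArr) {
            this.kerberosTicket = bArr;
        }

        /**
         * @return the source principal name, e.g. {@code name@REALM}
         * @throws Exception if the token is rejected or no context is established
         */
        @Override
        public String run() throws Exception {
            GSSContext ctx = GSSManager.getInstance().createContext((GSSCredential) null);
            try {
                ctx.acceptSecContext(this.kerberosTicket, 0, this.kerberosTicket.length);
                // There is no channel to return a continuation token to the client, so a
                // context that is not established after this single token cannot be trusted
                // and must not yield a principal name.
                if (!ctx.isEstablished()) {
                    throw new GSSException(GSSException.FAILURE, 0,
                            "security context not established after a single token");
                }
                return ctx.getSrcName().toString();
            } finally {
                // Release native/mechanism state on every path, not only on success.
                ctx.dispose();
            }
        }
    }

    /**
     * Parses a {@code Negotiate <base64>} credential value.
     *
     * @param str  the credential value; must be non-empty and start with {@link #KRB_AUTH_VAL_FLD}
     * @param str2 unused; retained for interface compatibility
     * @throws IllegalArgumentException if {@code str} is null, empty or lacks the Negotiate prefix
     */
    public KerberosToken(String str, String str2) {
        if (str == null || str.isEmpty()) {
            LOG.error("KerberosToken: Missing credentials");
            throw new IllegalArgumentException("KerberosToken: creds must not be empty");
        }
        if (!str.startsWith(KRB_AUTH_VAL_FLD)) {
            throw new IllegalArgumentException("KerberosToken: creds do not contain required Negotiate component");
        }
        this.signedToken = str;
        this.unsignedToken = str.substring(KRB_AUTH_VAL_FLD.length()).trim();
        this.domain = KRB_USER_DOMAIN;
    }

    /**
     * Validates the ticket under the service {@code subject} and resolves the principal.
     *
     * <p>On success {@link #getUserName()} returns the principal without its realm and the
     * token's domain reflects the realm mapping described on the class. On failure the
     * user name is {@code null}, {@code false} is returned, and a description of the failure
     * is appended to {@code sb} (when non-null) and logged at ERROR.
     *
     * @param subject the acceptor (service) subject holding the Kerberos credentials
     * @param sb      optional buffer that receives the failure description
     * @return {@code true} only when the ticket was accepted and the realm is one of the two configured realms
     */
    public boolean validate(Subject subject, StringBuilder sb) {
        // Never leave a name from an earlier successful call visible after a failed one.
        this.userName = null;
        try {
            // Decoding happens inside the try: BouncyCastle's decoder throws an unchecked
            // DecoderException on malformed input, which must surface as "false", not as an
            // exception escaping to the caller handling an untrusted header value.
            byte[] ticket = Base64.decode(this.unsignedToken.getBytes(StandardCharsets.UTF_8));
            String principal = Subject.doAs(subject, newValidateAction(ticket));
            if (principal == null || principal.isEmpty()) {
                reportFailure(sb, "validation action returned no principal name");
                return false;
            }
            int at = principal.indexOf('@');
            if (at != -1) {
                // Exact realm comparison: a substring test would also accept realms such as
                // "X" + KRB_USER_REALM or KRB_USER_REALM + ".Y" and mis-map them to a domain.
                // KRB_USER_REALM is checked first so a configuration where both realms are
                // equal keeps the KRB domain, as before.
                String realm = principal.substring(at + 1);
                if (!realm.equals(KRB_USER_REALM)) {
                    if (!realm.equals(USER_REALM)) {
                        reportFailure(sb, "invalid Kerberos Realm: " + principal);
                        return false;
                    }
                    this.domain = USER_DOMAIN;
                }
                principal = principal.substring(0, at);
            }
            this.userName = principal;
            return true;
        } catch (PrivilegedActionException e) {
            // e.toString() includes the wrapped cause (typically a GSSException).
            reportFailure(sb, "privilege exc=" + e);
            return false;
        } catch (Exception e) {
            reportFailure(sb, "unknown exc=" + e);
            return false;
        }
    }

    /**
     * Builds the action that accepts the ticket: the built-in {@link KerberosValidateAction},
     * or the operator-configured override named by {@link #krbPrivActionClass}.
     *
     * @throws ReflectiveOperationException if the override class cannot be loaded or constructed
     * @throws ClassCastException           if the override does not implement PrivilegedExceptionAction
     */
    private PrivilegedExceptionAction<String> newValidateAction(byte[] ticket) throws ReflectiveOperationException {
        if (this.krbPrivActionClass == null) {
            return new KerberosValidateAction(ticket);
        }
        // asSubclass rejects an unrelated class up front instead of failing on the later cast.
        @SuppressWarnings("unchecked")
        PrivilegedExceptionAction<String> action = (PrivilegedExceptionAction<String>) Class
                .forName(this.krbPrivActionClass)
                .asSubclass(PrivilegedExceptionAction.class)
                .getConstructor(byte[].class)
                .newInstance(ticket);
        return action;
    }

    /**
     * Appends a failure description to {@code sb} (or a throwaway buffer when null) and logs it.
     * The ticket itself is a replayable credential, so only its encoded length is recorded,
     * never its contents.
     */
    private void reportFailure(StringBuilder sb, String detail) {
        StringBuilder out = (sb != null) ? sb : new StringBuilder(512);
        out.append("KerberosToken:validate: token-length=")
                .append(this.unsignedToken.length())
                .append(" : ")
                .append(detail);
        LOG.error(out.toString());
    }

    /**
     * @return the realm-stripped principal established by the last successful
     *         {@link #validate} call, or {@code null} if validation has not succeeded
     */
    public String getUserName() {
        return this.userName;
    }
}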
