package com.yahoo.athenz.auth.impl;

import com.yahoo.athenz.auth.Authority;
import com.yahoo.athenz.auth.Principal;
import com.yahoo.athenz.auth.token.KerberosToken;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/auth/impl/KerberosAuthority.class */
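/**
 * Athenz {@link Authority} that authenticates callers presenting a Kerberos
 * ({@code Negotiate}) token in the {@code Authorization} header.
 *
 * <p>On {@link #initialize()} the authority performs a JAAS login as the configured
 * service principal (from a keytab, or from a ticket cache / callback handler) and
 * keeps the resulting {@link Subject}. Incoming tokens are then validated against that
 * subject by {@link KerberosToken#validate}. All settings are read from system
 * properties (the {@code KRB_PROP_*} constants) unless overridden through the
 * three-argument constructor.
 *
 * <p>Thread-safety: {@link #login(boolean)} is synchronized and the service subject is
 * held in an {@link AtomicReference}. The remaining fields are plain (not volatile);
 * configure the authority before sharing it between threads.
 */
public class KerberosAuthority implements Authority {

    private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthority.class);

    static final String KRB_AUTH_HEADER = "Authorization";
    static final String KRB_AUTH_CHALLENGE = "Negotiate";
    static final String KRB_PROP_SVCPRPL = "athenz.auth.kerberos.service_principal";
    static final String KRB_PROP_KEYTAB = "athenz.auth.kerberos.keytab_location";
    static final String KRB_PROP_DEBUG = "athenz.auth.kerberos.debug";
    static final String KRB_PROP_JAASCFG = "athenz.auth.kerberos.jaas_cfg_section";
    static final String KRB_PROP_LOGIN_CB_CLASS = "athenz.auth.kerberos.login_callback_handler_class";
    static final String KRB_PROP_LOGIN_RENEW_TGT = "athenz.auth.kerberos.renewTGT";
    static final String KRB_PROP_LOGIN_USE_TKT_CACHE = "athenz.auth.kerberos.use_ticket_cache";
    static final String KRB_PROP_LOGIN_TKT_CACHE_NAME = "athenz.auth.kerberos.ticket_cache_name";
    static final String KRB_PROP_LOGIN_WINDOW = "athenz.auth.kerberos.login_window";
    static final String LOGIN_WINDOW_DEF = "60000";

    private static final String KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    private String servicePrincipal;
    private String keyTabConfFile;
    private String jaasConfigSection;
    private String loginCallbackHandler;
    /** Subject produced by the last successful JAAS login; null until one succeeds. */
    private AtomicReference<Subject> serviceSubject;
    /** Exception from the last failed login attempt, or null if the last attempt succeeded. */
    private Exception initState;
    /** Wall-clock time (ms) of the last successful login; used to throttle re-logins. */
    private long lastLogin;
    /** Minimum interval (ms) between two login attempts. */
    private long loginWindow;

    /**
     * Programmatic JAAS {@link Configuration} describing a single Krb5LoginModule
     * acceptor entry for the service principal. It replaces the need for an external
     * jaas.conf file when a service principal is configured.
     */
    public static class LoginConfig extends Configuration {

        private String keyTabConfFile;
        private String servicePrincipalName;
        private boolean debugKrbEnabled = Boolean.parseBoolean(System.getProperty(KRB_PROP_DEBUG, "false"));

        /**
         * @param keyTabConfFile       path of the keytab; null/empty means "no keytab"
         * @param servicePrincipalName Kerberos principal to log in as
         */
        public LoginConfig(String keyTabConfFile, String servicePrincipalName) {
            this.keyTabConfFile = keyTabConfFile;
            this.servicePrincipalName = servicePrincipalName;
        }

        /** @return whether Krb5LoginModule debug output was requested via {@code KRB_PROP_DEBUG} */
        public boolean isDebugEnabled() {
            return debugKrbEnabled;
        }

        /**
         * Builds the Krb5LoginModule options. The section name is ignored: the same
         * entry is returned whatever name the {@link LoginContext} asks for.
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<>();
            if (keyTabConfFile == null || keyTabConfFile.isEmpty()) {
                // No keytab: the login module has to obtain credentials another way
                // (ticket cache, or a password supplied through the callback handler)
                options.put("useKeyTab", "false");
                options.put("tryFirstPass", "true");
            } else {
                options.put("useKeyTab", "true");
                options.put("keyTab", keyTabConfFile);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("KerberosAuthority:authenticate: use keytab={}", keyTabConfFile);
                }
            }
            options.put("principal", servicePrincipalName);
            // storeKey keeps the service key in the subject so incoming service tickets can be decrypted
            options.put("storeKey", "true");
            options.put("doNotPrompt", "true");
            String useTicketCache = System.getProperty(KRB_PROP_LOGIN_USE_TKT_CACHE, "true");
            options.put("useTicketCache", useTicketCache);
            options.put("renewTGT", System.getProperty(KRB_PROP_LOGIN_RENEW_TGT, "true"));
            options.put("refreshKrb5Config", "true");
            if (Boolean.parseBoolean(useTicketCache)) {
                // The KRB5CCNAME environment variable takes precedence over the system property
                String cacheName = System.getenv("KRB5CCNAME");
                if (cacheName == null) {
                    cacheName = System.getProperty(KRB_PROP_LOGIN_TKT_CACHE_NAME);
                }
                if (cacheName != null) {
                    options.put("ticketCache", cacheName);
                }
            }
            if (debugKrbEnabled) {
                // Krb5LoginModule debug output is verbose and written to stdout; keep it off in production
                options.put("debug", "true");
            }
            // Acceptor only: this side never initiates a Kerberos exchange
            options.put("isInitiator", "false");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(KRB5_LOGIN_MODULE,
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
            };
        }
    }

    /**
     * Creates an authority with explicit settings. Any null argument falls back to the
     * value read from system properties by the no-arg constructor (a null JAAS section
     * becomes the empty string).
     *
     * @param servicePrincipal  Kerberos service principal, or null
     * @param keyTabConfFile    keytab path, or null
     * @param jaasConfigSection JAAS configuration section name, or null
     */
    public KerberosAuthority(String servicePrincipal, String keyTabConfFile, String jaasConfigSection) {
        this();
        if (servicePrincipal != null) {
            this.servicePrincipal = servicePrincipal;
        }
        if (keyTabConfFile != null) {
            this.keyTabConfFile = keyTabConfFile;
        }
        this.jaasConfigSection = jaasConfigSection == null ? "" : jaasConfigSection;
    }

    /**
     * Creates an authority configured entirely from system properties.
     *
     * @throws NumberFormatException if {@code KRB_PROP_LOGIN_WINDOW} is not a valid number
     */
    public KerberosAuthority() {
        serviceSubject = new AtomicReference<>();
        initState = null;
        lastLogin = 0L;
        servicePrincipal = System.getProperty(KRB_PROP_SVCPRPL);
        keyTabConfFile = System.getProperty(KRB_PROP_KEYTAB);
        jaasConfigSection = System.getProperty(KRB_PROP_JAASCFG, "");
        loginCallbackHandler = System.getProperty(KRB_PROP_LOGIN_CB_CLASS);
        // Long.decode also accepts hex (0x..) and octal (0..) forms
        loginWindow = Long.decode(System.getProperty(KRB_PROP_LOGIN_WINDOW, LOGIN_WINDOW_DEF));
    }

    /** @return exception from the last failed login, or null if it succeeded */
    public Exception getInitState() {
        return initState;
    }

    public void setInitState(Exception initState) {
        this.initState = initState;
    }

    /** @return minimum interval in milliseconds between login attempts */
    public long getLoginWindow() {
        return loginWindow;
    }

    public void setLoginWindow(long loginWindow) {
        this.loginWindow = loginWindow;
    }

    /** @return epoch millis of the last successful login, 0 if none */
    public long getLastLogin() {
        return lastLogin;
    }

    /** Performs the initial service login. Failures are recorded in {@link #getInitState()}, not thrown. */
    @Override
    public void initialize() {
        login(false);
    }

    /**
     * Performs a JAAS login as the service principal and stores the resulting subject.
     * Calls arriving within {@code loginWindow} ms of the last successful login are
     * ignored, which throttles repeated refresh attempts. Any failure is captured in
     * {@link #getInitState()} and logged; nothing is thrown.
     *
     * @param logoutFirst when true, {@code logout()} is invoked on the new LoginContext
     *                    before {@code login()}. The context (and Subject) are freshly
     *                    built on every call, so this presumably only resets module state;
     *                    it is kept for compatibility with existing callers.
     */
    public synchronized void login(boolean logoutFirst) {
        if (System.currentTimeMillis() - lastLogin < loginWindow) {
            return;
        }

        // With a configured service principal we drive Krb5LoginModule ourselves via LoginConfig;
        // otherwise the named JAAS section from the JVM configuration must supply everything.
        Subject subject = null;
        if (servicePrincipal != null) {
            Set<KerberosPrincipal> principals = new HashSet<>(1);
            principals.add(new KerberosPrincipal(servicePrincipal));
            subject = new Subject(false, principals, new HashSet<>(), new HashSet<>());
        }
        LoginConfig loginConfig = new LoginConfig(keyTabConfFile, servicePrincipal);

        initState = null;
        try {
            CallbackHandler callbackHandler = null;
            if (loginCallbackHandler != null) {
                // The class name is operator configuration (a system property), not request input.
                // It must expose a (String principal, String password) constructor; the password is
                // always passed as null here.
                callbackHandler = (CallbackHandler) Class.forName(loginCallbackHandler)
                        .getConstructor(String.class, String.class)
                        .newInstance(servicePrincipal, null);
            }

            LoginContext loginContext;
            if (subject == null) {
                // No service principal: a callback handler is mandatory (NPE is caught below and recorded)
                loginContext = new LoginContext(jaasConfigSection, Objects.requireNonNull(callbackHandler));
            } else {
                loginContext = new LoginContext(jaasConfigSection, subject, callbackHandler, loginConfig);
            }
            if (logoutFirst) {
                loginContext.logout();
            }
            loginContext.login();
            serviceSubject.set(loginContext.getSubject());
            lastLogin = System.currentTimeMillis();
        } catch (Exception e) {
            initState = e;
            // Keytab path and principal are configuration, not secrets; the stack trace is kept for diagnosis
            LOG.error("KerberosAuthority:initialize: Login context failure: config params=(svc-princ={} login-callback={} keytab={} jaas-section={}) exc: {}",
                    servicePrincipal, loginCallbackHandler, keyTabConfFile, jaasConfigSection, e.getMessage(), e);
        }
    }

    /**
     * @param ticket        ticket to inspect, may be null
     * @param principalName expected server principal name, may be null
     * @return true if the ticket's server principal name equals {@code principalName}
     */
    boolean isTargetPrincipal(KerberosTicket ticket, String principalName) {
        if (ticket == null) {
            return false;
        }
        String ticketPrincipal = ticket.getServer().getName();
        if (LOG.isDebugEnabled()) {
            LOG.debug("KerberosAuthority:isTargetPrincipal: our princ={} ticket princ={}", servicePrincipal, ticketPrincipal);
        }
        return ticketPrincipal.equals(principalName);
    }

    /**
     * Re-logs in if the service subject's ticket for {@code principalName} has expired.
     *
     * @param principalName server principal whose ticket is checked
     * @return false if a matching, still-current ticket exists; true otherwise (no
     *         subject yet, no matching ticket, or the ticket expired and a re-login was
     *         attempted). A re-login attempt is subject to the login window and may itself
     *         fail - check {@link #getInitState()}.
     */
    public boolean refreshLogin(String principalName) {
        Subject subject = serviceSubject.get();
        if (subject == null) {
            // No successful login so far (initialize() never ran or failed): try again rather than NPE
            LOG.debug("KerberosAuthority:refreshLogin: no service subject available, attempting login");
            login(true);
            return true;
        }

        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        KerberosTicket match = null;
        for (KerberosTicket ticket : tickets) {
            if (isTargetPrincipal(ticket, principalName)) {
                match = ticket;
                break;
            }
        }
        if (match == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("KerberosAuthority:refreshLogin: Process tickets found no principal match: subject contains number of tickets={}", tickets.size());
            }
            return true;
        }

        // isCurrent() is "now <= endTime" (and, on newer JDKs, also "not destroyed")
        if (match.isCurrent()) {
            return false;
        }
        login(true);
        return true;
    }

    /**
     * @return null: the principal's domain comes from the token itself
     *         ({@link KerberosToken#getDomain()}), not from a fixed value
     */
    @Override
    public String getDomain() {
        return null;
    }

    @Override
    public String getHeader() {
        return KRB_AUTH_HEADER;
    }

    @Override
    public String getAuthenticateChallenge() {
        return KRB_AUTH_CHALLENGE;
    }

    /**
     * Validates a Kerberos credential and maps it to a principal.
     *
     * @param creds      raw credential from the {@code Authorization} header
     * @param remoteAddr caller's address, passed through to {@link KerberosToken}
     * @param httpMethod unused
     * @param errMsg     optional sink for a human-readable failure reason; may be null
     * @return the authenticated principal, or null on any failure. The credential value
     *         itself is never written to {@code errMsg} or the log: it is a bearer
     *         secret even when malformed.
     */
    @Override
    public Principal authenticate(String creds, String remoteAddr, String httpMethod, StringBuilder errMsg) {
        try {
            KerberosToken token = new KerberosToken(creds, remoteAddr);

            // If no login has succeeded the subject is null; validation is expected to reject in that case
            StringBuilder validationErr = new StringBuilder(512);
            if (!token.validate(serviceSubject.get(), validationErr)) {
                if (errMsg != null) {
                    errMsg.append("KerberosAuthority:authenticate: token validation failure: ");
                    errMsg.append(validationErr);
                }
                return null;
            }

            String userName = token.getUserName();
            if (userName == null) {
                if (errMsg != null) {
                    errMsg.append("KerberosAuthority:authenticate: token validation failure: missing user");
                }
                return null;
            }
            return SimplePrincipal.create(token.getDomain(), userName, creds, this);

        } catch (IllegalArgumentException e) {
            // Report the parse error only - do not echo the credential into errMsg or the log
            String reason = "KerberosAuthority:authenticate: Invalid token: exc=" + e.getMessage();
            if (errMsg != null) {
                errMsg.append(reason);
            }
            LOG.error("KerberosAuthority:authenticate: {}", reason);
            return null;
        }
    }
}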
