package com.bea.security.utils.kerberos;

import com.bea.common.logger.spi.LoggerSpi;
import com.bea.common.security.SecurityLogger;
import com.bea.common.security.utils.encoders.BASE64Decoder;
import com.bea.security.utils.gss.GSSExceptionInfo;
import com.bea.security.utils.negotiate.CredentialObject;
import com.bea.security.utils.negotiate.NegotiateTokenUtils;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import javax.security.auth.Subject;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import weblogic.utils.Hex;

/* loaded from: input_file:com/bea/security/utils/kerberos/KerberosTokenHandler.class */
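/**
 * Accepts a single Kerberos/GSS-API initial context token on the server side and exposes
 * the outcome of that acceptance: the authenticated user name, the output token to return
 * to the client (only when mutual authentication was requested) and the client's delegated
 * credential, when one was forwarded.
 * <p>
 * A handler instance is single-use: once {@link #getUsername()} is non-null, every further
 * {@code accept*} call returns immediately without touching the token. Instances are not
 * thread-safe; confine one to a single request.
 * <p>
 * System property {@value #USE_GSS_NAME_PROP} (read once at class load): when {@code true}
 * the user name is the full GSS source name (typically {@code user@REALM}); otherwise the
 * name is cut at the first {@code '@'}, which drops the realm. The cut form cannot tell
 * apart principals that share a short name in different realms, so deployments trusting
 * more than one realm should consider enabling the property.
 * <p>
 * A delegated credential lets its holder act as the client towards other services; callers
 * that read it from {@link #getDelegatedCredential()} should treat it as a secret.
 */
public class KerberosTokenHandler {
    private static final String USE_GSS_NAME_PROP = "weblogic.security.krb5.useGSSName";
    private static final String EMPTY_TOKEN_MSG = "Input token cannot be null or empty.";
    /** Populated in the static initializer under doPrivileged; see class comment. */
    private static boolean USE_GSS_NAME;
    /** May be {@code null}; every use is guarded by {@link #isDebugEnabled}. */
    private final LoggerSpi logger;
    private final boolean isDebugEnabled;
    /** Non-null only after a token was accepted; also the "already used" marker. */
    private String username = null;
    /** {@code true} until the context is established (or acceptance fails). */
    private boolean moreRequired = true;
    boolean acceptCompleted = false;
    private byte[] outputToken = null;
    private CredentialObject delegatedCredential = null;
    private final GSSManager gssManager = GSSManager.getInstance();

    /**
     * Creates a handler.
     *
     * @param loggerSpi debug logger; may be {@code null}, in which case nothing is logged
     */
    public KerberosTokenHandler(LoggerSpi loggerSpi) {
        this.logger = loggerSpi;
        this.isDebugEnabled = loggerSpi != null && loggerSpi.isDebugEnabled();
    }

    /** @return the user name derived from the GSS source name, or {@code null} until accepted */
    public String getUsername() {
        return this.username;
    }

    /** @return {@code true} while the context is not established and no failure occurred */
    public boolean isMoreRequired() {
        return this.moreRequired;
    }

    /** @return {@code true} once {@code GSSContext.isEstablished()} reported completion */
    public boolean isAcceptCompleted() {
        return this.acceptCompleted;
    }

    /**
     * @return the token to send back to the client, or {@code null} when there is none or
     *         mutual authentication was not requested; this is the internally held array,
     *         not a copy
     */
    public byte[] getOutputToken() {
        return this.outputToken;
    }

    /** @return the client's delegated credential, or {@code null} if none was delegated */
    public CredentialObject getDelegatedCredential() {
        return this.delegatedCredential;
    }

    /**
     * Accepts the mechanism token carried inside a parsed SPNEGO NegTokenInit.
     *
     * @param negTokenInitInfo parsed NegTokenInit; its {@code mechToken} must be non-empty
     * @throws IllegalArgumentException if the info or its mechanism token is null/empty
     * @throws KerberosException        if acceptance fails
     */
    public void acceptGssInitContextToken(NegotiateTokenUtils.NegTokenInitInfo negTokenInitInfo) throws KerberosException {
        if (this.username != null) {
            return;
        }
        if (negTokenInitInfo == null || negTokenInitInfo.mechToken == null || negTokenInitInfo.mechToken.length < 1) {
            throw new IllegalArgumentException(EMPTY_TOKEN_MSG);
        }
        // contextFlagMutual decides whether an output token is handed back (see InDoAs)
        acceptGssInitContextToken(null, negTokenInitInfo.mechToken, negTokenInitInfo.contextFlagMutual);
    }

    /**
     * Accepts a Base64-encoded GSS initial context token.
     *
     * @param str Base64 text of the token
     * @param z   whether to retain the output token (mutual authentication requested)
     * @throws IllegalArgumentException if {@code str} is null or empty
     * @throws KerberosException        on Base64 decoding or acceptance failure
     */
    public void acceptGssInitContextToken(String str, boolean z) throws KerberosException {
        if (this.username != null) {
            return;
        }
        if (str == null || str.length() < 1) {
            throw new IllegalArgumentException(EMPTY_TOKEN_MSG);
        }
        byte[] token;
        try {
            token = new BASE64Decoder().decodeBuffer(str);
        } catch (IOException e) {
            String message = e.getMessage();
            if (this.isDebugEnabled) {
                this.logger.debug(message, e);
            }
            throw new KerberosException(message, e);
        }
        acceptGssInitContextToken(null, token, z);
    }

    /**
     * Accepts a Base64-encoded raw KRB_AP_REQ; the decoded bytes are first passed through
     * {@code KerberosTokenUtils.getGssInitContextToken} and the result is accepted like an
     * ordinary GSS initial context token.
     *
     * @param str Base64 text of the AP-REQ
     * @param z   whether to retain the output token (mutual authentication requested)
     * @throws IllegalArgumentException if {@code str} is null or empty
     * @throws KerberosException        on Base64 decoding or acceptance failure
     */
    public void acceptKrbApReqToken(String str, boolean z) throws KerberosException {
        if (this.username != null) {
            return;
        }
        if (str == null || str.length() < 1) {
            throw new IllegalArgumentException(EMPTY_TOKEN_MSG);
        }
        byte[] apReq;
        try {
            apReq = new BASE64Decoder().decodeBuffer(str);
        } catch (IOException e) {
            String message = e.getMessage();
            if (this.isDebugEnabled) {
                this.logger.debug("Base64 decoding error: " + message, e);
            }
            throw new KerberosException(message, e);
        }
        acceptGssInitContextToken(null, KerberosTokenUtils.getGssInitContextToken(apReq, this.logger), z);
    }

    /**
     * Runs {@link #handleInitTokenForMultiKDC} with no Subject and a fresh access-control
     * context (both arguments {@code null}), so the JGSS provider's permission checks do not
     * depend on the caller's stack.
     *
     * @param gSSContext pre-built accept context, or {@code null} to select one from the token
     * @param bArr       the GSS initial context token
     * @param z          whether to retain the output token
     * @throws KerberosException if acceptance fails
     */
    private void acceptGssInitContextToken(final GSSContext gSSContext, final byte[] bArr, final boolean z) throws KerberosException {
        try {
            Subject.doAsPrivileged((Subject) null, new PrivilegedExceptionAction<Object>() {
                @Override
                public Object run() throws KerberosException {
                    KerberosTokenHandler.this.handleInitTokenForMultiKDC(gSSContext, bArr, z);
                    return null;
                }
            }, (AccessControlContext) null);
        } catch (PrivilegedActionException e) {
            // run() declares only KerberosException, so the wrapped exception is one
            KerberosException kerberosException = (KerberosException) e.getException();
            if (this.isDebugEnabled) {
                this.logger.debug("acceptGssInitContextToken failed", kerberosException);
            }
            throw kerberosException;
        }
    }

    /**
     * Picks an accept context for the token and accepts it. Selection order: the supplied
     * context; a context for the service principal named in the token; each configured
     * login-module principal in turn; finally a context created with a null credential.
     * <p>
     * Public only because the privileged action above calls it; not part of the intended API.
     *
     * @param gSSContext pre-built accept context, or {@code null}
     * @param bArr       the GSS initial context token
     * @param z          whether to retain the output token
     * @throws KerberosException if no context could be built or every candidate rejected
     *                           the token (the last failure is the one thrown)
     */
    public void handleInitTokenForMultiKDC(GSSContext gSSContext, byte[] bArr, boolean z) throws KerberosException {
        String servicePrincipal = null;
        if (gSSContext == null) {
            servicePrincipal = KerberosTokenUtils.extractServicePrincipalFromToken(bArr, this.logger);
            if (servicePrincipal != null) {
                try {
                    gSSContext = KerberosTokenUtils.getAcceptGSSContextForService(this.gssManager, servicePrincipal, this.logger);
                } catch (Exception e) {
                    // best effort: fall through to the configured principals below
                    if (this.isDebugEnabled) {
                        this.logger.debug(e.getMessage(), e);
                    }
                }
            }
        }
        if (gSSContext != null) {
            acceptGssInitContextTokenInDoAs(gSSContext, bArr, z);
            return;
        }
        List<String> configedPrincipals = KerberosTokenUtils.getConfigedPrincipals(this.logger);
        if (configedPrincipals.isEmpty()) {
            throw new KerberosException("There is no kerberos login module being configured in the system!");
        }
        KerberosException kerberosException = new KerberosException("Failed to create GSSContext to accept token!");
        // The token named a principal we are configured for, yet no context came out of it:
        // trying the other principals cannot help, so fail now.
        if (configedPrincipals.contains(servicePrincipal)) {
            throw kerberosException;
        }
        for (String principal : configedPrincipals) {
            if (this.isDebugEnabled) {
                this.logger.debug("Trying to create GSSContext for principal:" + principal);
            }
            gSSContext = KerberosTokenUtils.getAcceptGSSContextForService(this.gssManager, principal, this.logger);
            if (gSSContext == null) {
                continue;
            }
            try {
                acceptGssInitContextTokenInDoAs(gSSContext, bArr, z);
                return;
            } catch (KerberosException e) {
                // remember the most recent failure and try the next principal
                kerberosException = e;
            } finally {
                // InDoAs already disposes the context; a second dispose is harmless and
                // also covers non-KerberosException failures.
                disposeQuietly(gSSContext);
            }
        }
        if (gSSContext == null) {
            // no configured principal yielded a context at all: last resort is a
            // context without an explicit acceptor credential
            try {
                GSSContext createContext = this.gssManager.createContext((GSSCredential) null);
                if (createContext != null) {
                    acceptGssInitContextTokenInDoAs(createContext, bArr, z);
                    return;
                }
            } catch (GSSException e) {
                if (this.isDebugEnabled) {
                    this.logger.debug(e.getMessage(), e);
                }
                kerberosException = new KerberosException(e.getMessage(), e);
            }
        }
        throw kerberosException;
    }

    /**
     * Feeds the token to {@code gSSContext.acceptSecContext} and records the result in this
     * handler's fields. The context is always disposed on the way out, whether or not the
     * acceptance succeeded.
     * <p>
     * The failure handlers are sibling {@code catch} clauses so that a {@link GSSException}
     * reaches its dedicated handler (with interpreted failure info) instead of being swallowed
     * by the generic {@code Exception} handler. Every failure path clears {@link #moreRequired}.
     *
     * @param gSSContext accept context, must be non-null
     * @param bArr       the GSS initial context token
     * @param z          whether to retain the output token
     * @throws KerberosException wrapping any GSS, null-pointer or other failure
     */
    private void acceptGssInitContextTokenInDoAs(GSSContext gSSContext, byte[] bArr, boolean z) throws KerberosException {
        try {
            byte[] acceptSecContext = gSSContext.acceptSecContext(bArr, 0, bArr.length);
            this.acceptCompleted = gSSContext.isEstablished();
            if (this.isDebugEnabled) {
                this.logger.debug("gssContext isEstablished " + this.acceptCompleted);
            }
            this.outputToken = null;
            if (acceptSecContext != null) {
                if (this.isDebugEnabled) {
                    this.logger.debug("Out token \n" + Hex.dump(acceptSecContext));
                }
                // the output token is only returned to the client when mutual auth was asked for
                if (z) {
                    this.outputToken = acceptSecContext;
                }
            } else if (this.isDebugEnabled) {
                this.logger.debug("No Output token present");
            }
            if (!this.acceptCompleted) {
                this.moreRequired = true;
                return;
            }
            GSSName srcName = gSSContext.getSrcName();
            String gSSName = srcName.toString();
            if (this.isDebugEnabled) {
                this.logger.debug("GSS name is " + gSSName);
            }
            this.username = toUsername(gSSName);
            if (this.isDebugEnabled) {
                this.logger.debug("User name is " + this.username);
            }
            this.moreRequired = false;
            if (gSSContext.getCredDelegState()) {
                if (this.isDebugEnabled) {
                    this.logger.debug("delegate state is true, acquire delegated credential...");
                }
                GSSCredential delegCred = gSSContext.getDelegCred();
                try {
                    // Prefer a Subject built by the JDK's GSSUtil (reflective, as the class is
                    // JDK-internal); fall back to the bare credential when it is absent. Other
                    // reflective failures deliberately surface through the Exception handler.
                    this.delegatedCredential = new CredentialObject((Subject) Class.forName("com.sun.security.jgss.GSSUtil").getMethod("createSubject", GSSName.class, GSSCredential.class).invoke(null, srcName, delegCred));
                } catch (ClassNotFoundException e) {
                    this.delegatedCredential = new CredentialObject(delegCred);
                }
            } else if (this.isDebugEnabled) {
                this.logger.debug("delegate state is false, no delegated credential will be obtained.");
            }
        } catch (GSSException e) {
            this.moreRequired = false;
            if (this.isDebugEnabled) {
                GSSExceptionInfo.logInterpretedFailureInfo(this.logger, e);
            }
            throw new KerberosException(e.getMessage(), e);
        } catch (NullPointerException e) {
            this.moreRequired = false;
            if (this.isDebugEnabled) {
                this.logger.debug("NPE caught accepting the context, verify the JCE configuration is correct in java.security and the sun.security.jgss.SunProvider is configured");
            }
            throw new KerberosException(SecurityLogger.getUnableToAcceptKrbSecContext(), e);
        } catch (Exception e) {
            this.moreRequired = false;
            String message = e.getMessage();
            if (this.isDebugEnabled) {
                this.logger.debug("Exception: " + message, e);
            }
            throw new KerberosException(message, e);
        } finally {
            disposeQuietly(gSSContext);
        }
    }

    /**
     * Maps a GSS source name to the user name reported by {@link #getUsername()}: the full
     * name when {@value #USE_GSS_NAME_PROP} is set, otherwise the part before the first
     * {@code '@'} (the realm is dropped; see class comment for the cross-realm caveat).
     *
     * @param gSSName string form of the GSS source name
     * @return the user name
     */
    private static String toUsername(String gSSName) {
        if (USE_GSS_NAME) {
            return gSSName;
        }
        int at = gSSName.indexOf('@');
        return at == -1 ? gSSName : gSSName.substring(0, at);
    }

    /**
     * Disposes a context, ignoring a null context and any {@link GSSException}; used on
     * cleanup paths where a dispose failure must not mask the real outcome.
     *
     * @param gSSContext context to release, may be {@code null}
     */
    private static void disposeQuietly(GSSContext gSSContext) {
        if (gSSContext == null) {
            return;
        }
        try {
            gSSContext.dispose();
        } catch (GSSException ignored) {
            // nothing left to do with a context that failed to dispose
        }
    }

    static {
        // read under doPrivileged so a restrictive security manager cannot block the lookup
        USE_GSS_NAME = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
            @Override
            public Boolean run() {
                return Boolean.getBoolean(USE_GSS_NAME_PROP);
            }
        });
    }
}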
