package org.apache.geronimo.security.realm.providers;

import java.io.IOException;
import java.math.BigInteger;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.geronimo.crypto.encoders.Base64;
import org.apache.geronimo.security.jaas.JaasLoginModuleUse;
import org.apache.geronimo.security.jaas.WrappingLoginModule;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/apache/geronimo/security/realm/providers/SpnegoLoginModule.class */
public class SpnegoLoginModule implements LoginModule {
    private String username;
    private boolean loginSucceeded;
    private GSSName srcName;
    private final Set<Principal> allPrincipals = new HashSet();
    private Subject subject;
    private CallbackHandler callbackHandler;
    private String targetName;
    private String ldapUrl;
    private String ldapLoginName;
    private String ldapLoginPassword;
    private String searchBase;
    private String ldapContextFactory;
    public static final String TARGET_NAME = "targetName";
    public static final String LDAP_URL = "ldapUrl";
    public static final String LDAP_LOGIN_NAME = "ldapLoginName";
    public static final String LDAP_LOGIN_PASSWORD = "ldapLoginPassword";
    public static final String SEARCH_BASE = "searchBase";
    public static final String LDAP_CONTEXT_FACTORY = "ldapContextFactory";
    public static final List<String> supportedOptions = Collections.unmodifiableList(Arrays.asList(TARGET_NAME, LDAP_URL, LDAP_LOGIN_NAME, LDAP_LOGIN_PASSWORD, SEARCH_BASE, LDAP_CONTEXT_FACTORY));
    private static Log log = LogFactory.getLog(SpnegoLoginModule.class);

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map map, Map map2) {
        try {
            this.subject = subject;
            this.callbackHandler = callbackHandler;
            for (Object obj : map2.keySet()) {
                if (!supportedOptions.contains(obj) && !JaasLoginModuleUse.supportedOptions.contains(obj) && !WrappingLoginModule.supportedOptions.contains(obj)) {
                    log.warn("Ignoring option: " + obj + ". Not supported.");
                }
            }
            this.targetName = (String) map2.get(TARGET_NAME);
            this.ldapUrl = (String) map2.get(LDAP_URL);
            this.ldapLoginName = (String) map2.get(LDAP_LOGIN_NAME);
            this.ldapLoginPassword = (String) map2.get(LDAP_LOGIN_PASSWORD);
            this.searchBase = (String) map2.get(SEARCH_BASE);
            this.ldapContextFactory = (String) map2.get(LDAP_CONTEXT_FACTORY);
            if (this.ldapContextFactory == null || this.ldapContextFactory.length() == 0) {
                this.ldapContextFactory = "com.sun.jndi.ldap.LdapCtxFactory";
            }
        } catch (Exception e) {
            log.error("Initialization failed", e);
            throw new IllegalArgumentException("Unable to configure Spnego login module: " + e.getMessage(), e);
        }
    }

    public boolean login() throws LoginException {
        this.loginSucceeded = false;
        NameCallback[] nameCallbackArr = {new NameCallback("User name")};
        try {
            this.callbackHandler.handle(nameCallbackArr);
            this.username = nameCallbackArr[0].getName();
            if (this.username == null || this.username.equals("")) {
                this.username = null;
                throw new FailedLoginException();
            }
            byte[] decode = Base64.decode(this.username);
            try {
                GSSManager gSSManager = GSSManager.getInstance();
                GSSContext createContext = gSSManager.createContext(gSSManager.createCredential(gSSManager.createName(this.targetName, GSSName.NT_USER_NAME), Integer.MAX_VALUE, new Oid("1.3.6.1.5.5.2"), 2));
                if (createContext == null) {
                    log.debug("Failed to create a GSSContext");
                    return this.loginSucceeded;
                }
                while (!createContext.isEstablished()) {
                    decode = createContext.acceptSecContext(decode, 0, decode.length);
                }
                if (!createContext.isEstablished()) {
                    log.error("Failed to establish a security context");
                    throw new LoginException("Failed to establish a security context");
                }
                this.loginSucceeded = true;
                this.srcName = createContext.getSrcName();
                log.debug("A security context is successfully established" + createContext);
                return this.loginSucceeded;
            } catch (GSSException e) {
                throw ((LoginException) new LoginException().initCause(e));
            }
        } catch (IOException e2) {
            throw ((LoginException) new LoginException().initCause(e2));
        } catch (UnsupportedCallbackException e3) {
            throw ((LoginException) new LoginException().initCause(e3));
        }
    }

    public boolean commit() throws LoginException {
        if (this.loginSucceeded && this.srcName != null) {
            DirContext dirContext = null;
            String substring = this.srcName.toString().substring(0, this.srcName.toString().indexOf("@"));
            SearchControls searchControls = new SearchControls();
            String[] strArr = {"primaryGroupID", "memberOf", "objectSid;binary"};
            String str = "(&(objectClass=user)(cn=" + substring + "))";
            String str2 = null;
            int i = 0;
            try {
                try {
                    DirContext connection = getConnection();
                    if (connection == null) {
                        log.info("Failed to get a directory context object");
                        throw new LoginException("Failed to get a directory context object");
                    }
                    searchControls.setReturningAttributes(strArr);
                    searchControls.setSearchScope(2);
                    NamingEnumeration search = connection.search(this.searchBase, str, searchControls);
                    while (search.hasMoreElements()) {
                        i++;
                        Attributes attributes = ((SearchResult) search.next()).getAttributes();
                        if (attributes != null) {
                            try {
                                byte[] bArr = (byte[]) attributes.get("objectSid;binary").get();
                                byte[] integerToFourBytes = integerToFourBytes(new Integer((String) attributes.get("primaryGroupID").get()).intValue());
                                byte[] bArr2 = (byte[]) bArr.clone();
                                for (int i2 = 0; i2 < 4; i2++) {
                                    bArr2[(bArr2.length - 1) - i2] = integerToFourBytes[i2];
                                }
                                str2 = "(&(objectSid=" + binaryToStringSID(bArr2) + "))";
                                Attribute attribute = attributes.get("memberOf");
                                for (int i3 = 0; i3 < attribute.size(); i3++) {
                                    String[] split = attribute.get(i3).toString().split("CN=");
                                    this.allPrincipals.add(new GeronimoGroupPrincipal(split[1].substring(0, split[1].indexOf(","))));
                                }
                            } catch (NullPointerException e) {
                                throw new LoginException("Errors listing attributes: " + e);
                            }
                        }
                    }
                    NamingEnumeration search2 = connection.search(this.searchBase, str2, searchControls);
                    while (search2.hasMoreElements()) {
                        String[] split2 = ((SearchResult) search2.next()).getName().split("CN=");
                        this.allPrincipals.add(new GeronimoGroupPrincipal(split2[1].substring(0, split2[1].indexOf(","))));
                    }
                    if (connection != null) {
                        try {
                            connection.close();
                        } catch (Exception e2) {
                        }
                    }
                    this.allPrincipals.add(new GeronimoUserPrincipal(this.srcName.toString()));
                    this.subject.getPrincipals().addAll(this.allPrincipals);
                } catch (NamingException e3) {
                    throw ((LoginException) new LoginException().initCause(e3));
                }
            } catch (Throwable th) {
                if (0 != 0) {
                    try {
                        dirContext.close();
                    } catch (Exception e4) {
                    }
                }
                throw th;
            }
        }
        return this.loginSucceeded;
    }

    public boolean abort() throws LoginException {
        if (this.loginSucceeded) {
            this.username = null;
            this.allPrincipals.clear();
        }
        return this.loginSucceeded;
    }

    public boolean logout() throws LoginException {
        this.loginSucceeded = false;
        this.username = null;
        if (!this.subject.isReadOnly()) {
            this.subject.getPrincipals().removeAll(this.allPrincipals);
        }
        this.allPrincipals.clear();
        return true;
    }

    private DirContext getConnection() throws NamingException {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.factory.initial", this.ldapContextFactory);
        if (this.ldapLoginName != null && this.ldapLoginName.length() > 0) {
            hashtable.put("java.naming.security.principal", this.ldapLoginName);
        }
        if (this.ldapLoginPassword != null && this.ldapLoginPassword.length() > 0) {
            hashtable.put("java.naming.security.credentials", this.ldapLoginPassword);
        }
        hashtable.put("java.naming.provider.url", this.ldapUrl);
        try {
            return new InitialLdapContext(hashtable, (Control[]) null);
        } catch (NamingException e) {
            throw new NamingException("Instantiation of Ldap Context failed");
        }
    }

    private static String binaryToStringSID(byte[] bArr) {
        StringBuffer stringBuffer = new StringBuffer();
        stringBuffer.append("S-");
        stringBuffer.append(Byte.toString(bArr[0]));
        stringBuffer.append("-0x");
        stringBuffer.append(new BigInteger(new byte[]{Byte.MAX_VALUE, bArr[6], bArr[5], bArr[4], bArr[3], bArr[2], bArr[1]}).toString(16).substring(2));
        byte b = bArr[7];
        for (int i = 0; i < b; i++) {
            int i2 = 8 + (i * 4);
            stringBuffer.append("-0x");
            stringBuffer.append(new BigInteger(new byte[]{Byte.MAX_VALUE, bArr[i2 + 3], bArr[i2 + 2], bArr[i2 + 1], bArr[i2]}).toString(16).substring(2));
        }
        return stringBuffer.toString();
    }

    private static byte[] integerToFourBytes(int i) {
        return new byte[]{(byte) ((i & (-16777216)) >>> 24), (byte) ((i & 16711680) >>> 16), (byte) ((i & 65280) >>> 8), (byte) (i & 255)};
    }
}
