package com.sun.identity.authentication.modules.windowsdesktopsso;

import com.iplanet.am.util.Debug;
import com.iplanet.am.util.Misc;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.util.DerValue;
import com.sun.identity.federation.common.IFSConstants;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import sun.misc.BASE64Decoder;
import sun.security.provider.Sun;

/* loaded from: input_file:115766-05/SUNWamsdk/reloc/SUNWam/lib/am_services.jar:com/sun/identity/authentication/modules/windowsdesktopsso/WindowsDesktopSSO.class */
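/**
 * Windows Desktop SSO login module.
 *
 * <p>Reads the SPNEGO token the browser sends in {@code Authorization: Negotiate ...},
 * unwraps the Kerberos mechToken from it, accepts that token under the module's own
 * service credentials (a JAAS login from a keytab, cached per organisation in
 * {@link #configTable}) and records the Kerberos client principal as the authenticated
 * user. No password is ever seen; identity comes solely from the ticket.
 *
 * <p>This listing is decompiled (see the "loaded from" comment above). The structure is
 * the original's; the review applied these fixes:
 * <ul>
 *   <li>a request with no {@code Authorization} header (or no servlet request at all) now
 *       fails as an invalid token instead of throwing {@code NullPointerException};</li>
 *   <li>malformed DER in the client-supplied token is reported as an invalid token rather
 *       than escaping {@link #process} as a runtime exception;</li>
 *   <li>the GSS source name is null-checked before use (the original dereferenced it
 *       first), and the accept-side {@link GSSContext} is disposed;</li>
 *   <li>the JVM-wide security-provider reordering done for the service login is undone in
 *       a {@code finally} block, so a failed login no longer leaves the Sun provider
 *       promoted to position 1;</li>
 *   <li>the service principal is upper-cased with a fixed locale and the config-cache
 *       comparison is null-safe, so an unset principal reaches {@link #verifyAttributes}
 *       and reports {@code nullprincipal} instead of NPE.</li>
 * </ul>
 */
public class WindowsDesktopSSO extends AMLoginModule {
    private static final String amAuthWindowsDesktopSSO = "amAuthWindowsDesktopSSO";
    // Indices into configAttributes.
    private static final int PRINCIPAL = 0;
    private static final int KEYTAB = 1;
    private static final int REALM = 2;
    private static final int KDC = 3;
    private static final int RETURNREALM = 4;
    private static final int AUTHLEVEL = 5;
    private static final int SUBJECT = 6;
    /** Value returned by {@link #process} once the token has been accepted. */
    private static final int SUCCEED = -1;
    private Principal userPrincipal = null;
    /** JAAS subject holding the service's Kerberos credentials; obtained by {@link #serviceLogin}. */
    private Subject serviceSubject = null;
    private String servicePrincipalName = null;
    private String keyTabFile = null;
    private String kdcRealm = null;
    private String kdcServer = null;
    /** When false, the "@REALM" suffix is stripped from the authenticated principal. */
    private boolean returnRealm = false;
    private String authLevel = null;
    private Map options = null;
    private String orgDN = null;
    private Debug debug = Debug.getInstance(amAuthWindowsDesktopSSO);
    private static final String[] configAttributes = {"iplanet-am-auth-windowsdesktopsso-principal-name", "iplanet-am-auth-windowsdesktopsso-keytab-file", "iplanet-am-auth-windowsdesktopsso-kerberos-realm", "iplanet-am-auth-windowsdesktopsso-kdc", "iplanet-am-auth-windowsdesktopsso-returnRealm", "iplanet-am-auth-windowsdesktopsso-auth-level", "serviceSubject"};
    /**
     * orgDN -> Map(configAttributes[i] -> value, plus the logged-in service Subject under
     * "serviceSubject"). Shared by every module instance in the JVM. The Hashtable itself is
     * synchronized; the per-org HashMap stored in it is not.
     */
    private static Hashtable configTable = new Hashtable();
    /** DER "06 06 2b 06 01 05 05 02": OID 1.3.6.1.5.5.2 (SPNEGO), tag and length included. */
    private static byte[] spnegoOID = {6, 6, 43, 6, 1, 5, 5, 2};
    /** DER OID 1.2.840.48018.1.2.2 (MS legacy Kerberos). Declared but not referenced in this class. */
    private static byte[] MS_KERBEROS_OID = {6, 9, 42, -122, 72, -126, -9, 18, 1, 2, 2};
    /** DER OID 1.2.840.113554.1.2.2 (Kerberos V5). Declared but not referenced in this class. */
    private static byte[] KERBEROS_V5_OID = {6, 9, 42, -122, 72, -122, -9, 18, 1, 2, 2};

    /**
     * Stores the module options; the subject and shared-state maps are ignored.
     */
    @Override // com.sun.identity.authentication.spi.AMLoginModule
    public void init(Subject subject, Map map, Map map2) {
        this.options = map2;
    }

    /** Returns the principal set by the last successful {@link #process}, or null. */
    @Override // com.sun.identity.authentication.spi.AMLoginModule
    public Principal getPrincipal() {
        return this.userPrincipal;
    }

    /**
     * Single-state login: ensure the service credentials are available, read and unwrap the
     * client's SPNEGO token, accept it, and succeed.
     *
     * @param callbackArr unused; the token comes from the HTTP request, not from callbacks
     * @param i           unused login state
     * @return {@link #SUCCEED}
     * @throws AuthLoginException with key "token" (no/undecodable/malformed token), "context"
     *         wrapped as "auth" (token rejected by GSS), or "serviceAuth"/"null*"/"nokeytab"
     *         from the service-side setup
     */
    @Override // com.sun.identity.authentication.spi.AMLoginModule
    public int process(Callback[] callbackArr, int i) throws AuthLoginException {
        // Reuse the cached service login for this org while its parameters still match the
        // module options; otherwise (re)do the keytab login.
        if (!getConfigParams()) {
            initWindowsDesktopSSOAuth(this.options);
        }
        byte[] spnegoToken = getSPNEGOToken();
        if (spnegoToken == null) {
            this.debug.message("spnego token is not valid.");
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
        }
        if (this.debug.messageEnabled()) {
            // NOTE(review): this dumps the whole client token (encrypted ticket and
            // authenticator) into the debug log; message level only, but treat those logs as sensitive.
            this.debug.message("SPNEGO token: \n" + DerValue.printByteArray(spnegoToken, 0, spnegoToken.length));
        }
        final byte[] kerberosToken = parseToken(spnegoToken);
        if (kerberosToken == null) {
            this.debug.message("kerberos token is not valid.");
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", null);
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("Kerberos token retrieved from SPNEGO token: \n" + DerValue.printByteArray(kerberosToken, 0, kerberosToken.length));
        }
        try {
            // Run the accept under the service subject so GSS picks up its Kerberos credentials.
            Subject.doAs(this.serviceSubject, new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    acceptKerberosToken(kerberosToken);
                    return null;
                }
            });
            this.debug.message("WindowsDesktopSSO authentication succeeded.");
            return SUCCEED;
        } catch (Exception e) {
            // Any failure inside the accept (GSSException, AuthLoginException, ...) surfaces as "auth".
            this.debug.message("WindowsDesktopSSO authentication failed.");
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", null, e);
        }
    }

    /**
     * Accepts one Kerberos token under the caller's (service) credentials and, if the context
     * is established, records the client principal via storeUsernamePasswd/setPrincipal.
     *
     * <p>Only a single round trip is supported: if the context is not established after this
     * token, authentication fails. A reply token, if any, is logged but never sent back to the
     * client.
     *
     * @throws Exception GSSException from the accept, or AuthLoginException("context")
     */
    private void acceptKerberosToken(byte[] kerberosToken) throws Exception {
        GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
        this.debug.message("Context created.");
        try {
            byte[] replyToken = context.acceptSecContext(kerberosToken, 0, kerberosToken.length);
            if (replyToken != null && this.debug.messageEnabled()) {
                this.debug.message("Token returned from acceptSecContext: \n" + DerValue.printByteArray(replyToken, 0, replyToken.length));
            }
            if (!context.isEstablished()) {
                this.debug.message("Cannot establish context !");
                throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", null);
            }
            this.debug.message("Context establised !");
            GSSName srcName = context.getSrcName();
            if (srcName == null) {
                // Never report success without an identity.
                this.debug.message("Established context has no source name !");
                throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", null);
            }
            String clientPrincipal = srcName.toString();
            storeUsernamePasswd(clientPrincipal, null);
            if (this.debug.messageEnabled()) {
                this.debug.message("User authenticated: " + clientPrincipal);
            }
            setPrincipal(clientPrincipal);
        } finally {
            try {
                context.dispose();
            } catch (Exception ignored) {
                // Nothing more to do with the context; don't mask the real outcome.
                this.debug.message("GSSContext dispose failed.");
            }
        }
    }

    /** Drops the principal so the module instance can be reused. */
    @Override // com.sun.identity.authentication.spi.AMLoginModule
    public void destroyModuleState() {
        this.userPrincipal = null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Sets the authenticated principal from the Kerberos client name.
     *
     * <p>With returnRealm=false everything from the first '@' on is discarded. The realm is
     * not compared with kdcRealm, so if the KDC trust setup lets tickets from another realm
     * reach this service, "user@REALM_A" and "user@REALM_B" both become "user" —
     * NOTE(review): confirm this is acceptable for the deployment, or keep returnRealm=true.
     *
     * @param str client principal as returned by GSSName.toString()
     */
    public void setPrincipal(String str) {
        String principalName = str;
        if (!this.returnRealm) {
            int at = str.indexOf("@");
            if (at != -1) {
                principalName = str.substring(0, at);
            }
        }
        this.userPrincipal = new WindowsDesktopSSOPrincipal(principalName);
    }

    /**
     * Returns the base64-decoded value of the "Authorization: Negotiate ..." request header,
     * or null when there is no servlet request, no header, a non-Negotiate scheme, or the
     * value does not decode.
     *
     * <p>The scheme match is case-sensitive and requires no separator after "Negotiate".
     * Decoding uses the JDK-internal, lenient sun.misc.BASE64Decoder (removed in JDK 9) —
     * kept for behavioural parity; NOTE(review): java.util.Base64 is the strict replacement.
     */
    private byte[] getSPNEGOToken() {
        if (getHttpServletRequest() == null) {
            this.debug.message("No servlet request; no Authorization header available.");
            return null;
        }
        String header = getHttpServletRequest().getHeader("Authorization");
        if (header == null || !header.startsWith("Negotiate")) {
            return null;
        }
        try {
            return new BASE64Decoder().decodeBuffer(header.substring("Negotiate".length()).trim());
        } catch (Exception e) {
            this.debug.error("Decoding token error.");
            if (this.debug.messageEnabled()) {
                this.debug.message("Stack trace: ", e);
            }
            return null;
        }
    }

    /**
     * Extracts the Kerberos mechToken from a SPNEGO InitialContextToken.
     *
     * @param bArr client-supplied bytes
     * @return the inner token bytes to hand to acceptSecContext, or null if the structure is
     *         not the expected SPNEGO NegTokenInit (including when the DER is malformed)
     */
    private byte[] parseToken(byte[] bArr) {
        try {
            return extractMechToken(bArr);
        } catch (RuntimeException e) {
            // The bytes are attacker-controlled: a parser failure must be a bad token, not a crash.
            this.debug.error("Malformed SPNEGO token.");
            if (this.debug.messageEnabled()) {
                this.debug.message("Stack trace: ", e);
            }
            return null;
        }
    }

    /**
     * Walks  [APPLICATION 0] { OID spnego, [0] NegTokenInit { SEQUENCE { ..., [2] mechToken } } }
     * and returns the contents of the [2] element.
     *
     * <p>The mechTypes list ([0]) is not inspected; whatever sits in [2] is passed to GSS,
     * which is relied on to reject anything that is not a Kerberos token for this service.
     * The tag value -1 is treated as "no more elements" — presumably DerValue's end-of-data
     * marker; confirm against DerValue.
     */
    private byte[] extractMechToken(byte[] token) {
        DerValue outer = new DerValue(token);
        if (this.debug.messageEnabled()) {
            this.debug.message("token tag:" + DerValue.printByte(outer.getTag()));
        }
        if (outer.getTag() != 96) { // 0x60: [APPLICATION 0] constructed
            return null;
        }
        ByteArrayInputStream body = new ByteArrayInputStream(outer.getData());
        byte[] oid = new byte[spnegoOID.length];
        int read = body.read(oid, 0, oid.length);
        if (read != oid.length || !Arrays.equals(oid, spnegoOID)) {
            this.debug.message("SPNEGO OID not found in SPNEGO Token");
            return null;
        }
        DerValue negToken = new DerValue(body);
        if (negToken.getTag() != -96) { // 0xA0: [0] NegTokenInit
            return null;
        }
        this.debug.message("DerValue: found init token");
        DerValue sequence = new DerValue(negToken.getData());
        if (sequence.getTag() != 48) { // 0x30: SEQUENCE
            return null;
        }
        this.debug.message("DerValue: 0x30 constructed token found");
        ByteArrayInputStream elements = new ByteArrayInputStream(sequence.getData());
        DerValue element;
        do {
            element = new DerValue(elements);
        } while (element.getTag() != -1 && element.getTag() != -94); // -94 = 0xA2: [2] mechToken
        if (element.getTag() == -1) {
            return null;
        }
        // Unwrap the value inside [2] (presumably an OCTET STRING) to get the raw mech token.
        return new DerValue(element.getData()).getData();
    }

    /**
     * Loads the module options into fields and checks whether the per-org cache already holds
     * a service Subject created with the same principal/keytab/realm/KDC.
     *
     * @return true if {@link #serviceSubject} was taken from the cache; false if a fresh
     *         {@link #initWindowsDesktopSSOAuth} is required
     */
    private boolean getConfigParams() {
        String principal = getMapAttr(this.options, PRINCIPAL);
        // Fixed locale: under e.g. tr_TR the default toUpperCase() turns 'i' into a dotted
        // capital I and the name no longer matches the keytab entry.
        this.servicePrincipalName = (principal == null) ? null : principal.toUpperCase(Locale.ENGLISH);
        this.keyTabFile = getMapAttr(this.options, KEYTAB);
        this.kdcRealm = getMapAttr(this.options, REALM);
        this.kdcServer = getMapAttr(this.options, KDC);
        this.authLevel = getMapAttr(this.options, AUTHLEVEL);
        this.returnRealm = Boolean.valueOf(getMapAttr(this.options, RETURNREALM)).booleanValue();
        if (this.debug.messageEnabled()) {
            this.debug.message("WindowsDesktopSSO params: \nprincipal: " + this.servicePrincipalName + "\nkeytab file: " + this.keyTabFile + "\nrealm : " + this.kdcRealm + "\nkdc server: " + this.kdcServer + "\ndomain principal: " + this.returnRealm + "\nauth level: " + this.authLevel);
        }
        this.orgDN = getRequestOrg();
        Map cached = (Map) configTable.get(this.orgDN);
        if (cached == null) {
            return false;
        }
        if (this.servicePrincipalName == null || this.keyTabFile == null
                || this.kdcRealm == null || this.kdcServer == null) {
            // Let verifyAttributes() report exactly which attribute is missing.
            return false;
        }
        // equals/equalsIgnoreCase(null) are false, so a partially populated cache entry is a miss.
        if (!this.servicePrincipalName.equalsIgnoreCase((String) cached.get(configAttributes[PRINCIPAL]))
                || !this.keyTabFile.equals((String) cached.get(configAttributes[KEYTAB]))
                || !this.kdcRealm.equals((String) cached.get(configAttributes[REALM]))
                || !this.kdcServer.equalsIgnoreCase((String) cached.get(configAttributes[KDC]))) {
            return false;
        }
        this.serviceSubject = (Subject) cached.get(configAttributes[SUBJECT]);
        if (this.serviceSubject == null) {
            return false;
        }
        this.debug.message("Retrieved config params from cache.");
        return true;
    }

    /**
     * Validates the options, performs the keytab login and stores the result in the per-org
     * cache.
     *
     * @param map unused (the fields filled by getConfigParams are used instead); kept for
     *            signature compatibility
     */
    private void initWindowsDesktopSSOAuth(Map map) throws AuthLoginException {
        this.debug.message("Init WindowsDesktopSSO. This should not happen often.");
        verifyAttributes();
        serviceLogin();
        // Two instances for the same org may both miss the cache and log in concurrently;
        // the last writer wins, which is harmless but does extra KDC round trips.
        Map entry = (Map) configTable.get(this.orgDN);
        if (entry == null) {
            entry = new HashMap();
        }
        entry.put(configAttributes[SUBJECT], this.serviceSubject);
        entry.put(configAttributes[PRINCIPAL], this.servicePrincipalName);
        entry.put(configAttributes[KEYTAB], this.keyTabFile);
        entry.put(configAttributes[REALM], this.kdcRealm);
        entry.put(configAttributes[KDC], this.kdcServer);
        configTable.put(getRequestOrg(), entry);
    }

    /**
     * Logs the service principal in from the keytab and stores the resulting Subject.
     *
     * <p>JVM-global side effects, all visible below: the krb5 realm/KDC system properties are
     * overwritten, java.security.auth.login.config is pointed at /dev/null, the JAAS
     * Configuration is replaced (and never restored), and the Sun provider is temporarily moved
     * to position 1. The {@code synchronized} here is per module instance only, so these
     * global mutations are not serialised across instances — NOTE(review): any other JAAS or
     * Kerberos user in this JVM is affected.
     *
     * @throws AuthLoginException "serviceAuth" wrapping the underlying failure
     */
    private synchronized void serviceLogin() throws AuthLoginException {
        this.debug.message("New Service Login ...");
        System.setProperty("java.security.krb5.realm", this.kdcRealm);
        System.setProperty("java.security.krb5.kdc", this.kdcServer);
        System.setProperty("java.security.auth.login.config", "/dev/null");
        Provider previousDefault = null;
        boolean providerSwapped = false;
        try {
            previousDefault = Security.getProviders()[0];
            Sun sunProvider = new Sun();
            if (this.debug.messageEnabled()) {
                this.debug.message("default provider: " + previousDefault.getName() + ", sun provider: " + sunProvider.getName());
            }
            if (!previousDefault.getName().equals(sunProvider.getName())) {
                Security.removeProvider(sunProvider.getName());
                Security.insertProviderAt(sunProvider, 1);
                providerSwapped = true;
            }
            if (this.debug.messageEnabled()) {
                StringBuffer names = new StringBuffer();
                Provider[] providers = Security.getProviders();
                for (int k = 0; k < providers.length; k++) {
                    names.append("\t").append(providers[k].getName()).append("\n");
                }
                this.debug.message("Current providers = " + names.toString());
            }
            WindowsDesktopSSOConfig config = new WindowsDesktopSSOConfig(Configuration.getConfiguration());
            config.setPrincipalName(this.servicePrincipalName);
            config.setKeyTab(this.keyTabFile);
            Configuration.setConfiguration(config);
            LoginContext loginContext = new LoginContext(WindowsDesktopSSOConfig.defaultAppName);
            loginContext.login();
            this.serviceSubject = loginContext.getSubject();
            this.debug.message("Service login succeeded.");
        } catch (Exception e) {
            this.debug.error("Service Login Error: ");
            if (this.debug.messageEnabled()) {
                this.debug.message("Stack trace: ", e);
            }
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "serviceAuth", null, e);
        } finally {
            // Restore the previous default provider whether or not the login succeeded; the
            // original only did this on success, leaving the order changed after a failure.
            if (providerSwapped) {
                Security.removeProvider(previousDefault.getName());
                Security.insertProviderAt(previousDefault, 1);
            }
        }
    }

    /** Reads configAttributes[i] from the options map via Misc.getMapAttr (may return null). */
    private String getMapAttr(Map map, int i) {
        return Misc.getMapAttr(map, configAttributes[i]);
    }

    /**
     * Rejects missing options and applies the auth level.
     *
     * @throws AuthLoginException "nullprincipal", "nullkeytab", "nullrealm", "nullkdc",
     *         "nullauthlevel", "nokeytab" (keytab path does not exist — existence only,
     *         readability is not checked), or IFSConstants.AUTH_LEVEL_KEY if the level is
     *         not an integer
     */
    private void verifyAttributes() throws AuthLoginException {
        if (this.servicePrincipalName == null || this.servicePrincipalName.length() == 0) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullprincipal", null);
        }
        if (this.keyTabFile == null || this.keyTabFile.length() == 0) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullkeytab", null);
        }
        if (this.kdcRealm == null || this.kdcRealm.length() == 0) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullrealm", null);
        }
        if (this.kdcServer == null || this.kdcServer.length() == 0) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullkdc", null);
        }
        if (this.authLevel == null || this.authLevel.length() == 0) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullauthlevel", null);
        }
        if (!new File(this.keyTabFile).exists()) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nokeytab", null);
        }
        try {
            setAuthLevel(Integer.parseInt(this.authLevel));
        } catch (Exception e) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, IFSConstants.AUTH_LEVEL_KEY, null, e);
        }
    }
}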
