package org.elasticsearch.xpack.security.authc.kerberos;

import java.nio.file.Path;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.core.Tuple;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/kerberos/KerberosTicketValidator.class */
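/**
 * Validates a client's SPNEGO / Kerberos V5 token against this node's service keytab.
 *
 * <p>Each call performs a fresh JAAS login as the service (Sun {@code Krb5LoginModule},
 * configured by {@link KeytabJaasConf}), creates an accept-only GSS credential for the
 * logged-in {@link Subject}, and feeds the client token to
 * {@link GSSContext#acceptSecContext(byte[], int, int)}. All JAAS/GSS calls run inside
 * {@link AccessController#doPrivileged} — presumably so that this module's own
 * security-manager permissions, not the caller's, apply; confirm against the plugin policy.
 *
 * <p>The class holds no mutable state: every validation creates, uses and releases its own
 * {@link LoginContext} and {@link GSSContext}, so instances may be shared between threads.
 */
public class KerberosTicketValidator {
    /** SPNEGO mechanism OID (1.3.6.1.5.5.2). */
    static final Oid SPNEGO_OID = getOid("1.3.6.1.5.5.2");
    /** Kerberos V5 GSS-API mechanism OID (1.2.840.113554.1.2.2). */
    static final Oid KERBEROS_V5_OID = getOid("1.2.840.113554.1.2.2");
    /** Mechanisms the acceptor credential is created for. */
    static final Oid[] SUPPORTED_OIDS = { SPNEGO_OID, KERBEROS_V5_OID };
    private static final Logger LOGGER = LogManager.getLogger(KerberosTicketValidator.class);
    /** JAAS application name; {@link KeytabJaasConf} answers the same entry for any name. */
    private static final String KEY_TAB_CONF_NAME = "KeytabConf";
    private static final String SUN_KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

    /**
     * JAAS {@link Configuration} describing the service login: a single REQUIRED
     * {@code Krb5LoginModule} entry that takes its keys from a keytab file and never prompts.
     *
     * <p>Decompiler note: the original access modifier of this class was package-private; it is
     * kept {@code public} here to match the listing.
     */
    public static class KeytabJaasConf extends Configuration {
        private final String keytabFilePath;
        private final boolean krbDebug;

        /**
         * @param keytabFilePath path of the keytab holding the service principal keys
         * @param krbDebug       whether the login module should emit its debug output
         */
        KeytabJaasConf(String keytabFilePath, boolean krbDebug) {
            this.keytabFilePath = keytabFilePath;
            this.krbDebug = krbDebug;
        }

        /**
         * Returns the single Krb5 login-module entry regardless of {@code name}: this configuration
         * is private to the validator and is never consulted for other application names.
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            final Map<String, String> options = new HashMap<>();
            options.put("keyTab", keytabFilePath);
            // "*" makes the login module load every principal found in the keytab, so one keytab
            // can serve several service principal names. Anything in the keytab is therefore
            // accepted as "us"; keep the keytab limited to this service's principals.
            options.put("principal", "*");
            options.put("useKeyTab", Boolean.TRUE.toString());
            // The private key must stay in the Subject for GSS to accept tickets with it.
            options.put("storeKey", Boolean.TRUE.toString());
            // Server side: never fall back to interactive prompting.
            options.put("doNotPrompt", Boolean.TRUE.toString());
            // Acceptor only; this credential never initiates a Kerberos exchange.
            options.put("isInitiator", Boolean.FALSE.toString());
            // Login-module debug output includes principal names; only on explicit request.
            options.put("debug", Boolean.toString(krbDebug));
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(
                    SUN_KRB5_LOGIN_MODULE,
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.unmodifiableMap(options)
                )
            };
        }
    }

    /**
     * Parses a constant OID string. A failure here is a programming error (the strings are
     * literals), so it surfaces as an unchecked exception during class initialisation.
     */
    private static Oid getOid(String oid) {
        try {
            return new Oid(oid);
        } catch (GSSException e) {
            throw ExceptionsHelper.convertToRuntime(e);
        }
    }

    /**
     * Validates the client's raw SPNEGO/Kerberos token bytes (already stripped of any transport
     * encoding — presumably base64 from the Negotiate header; that is the caller's job).
     *
     * <p>On success the listener receives a tuple of (authenticated principal name, base64 output
     * token). The name is {@code null} whenever the GSS context is not established after this
     * round; the caller must then treat the request as <em>not</em> authenticated and hand the
     * output token back to the client so the negotiation can continue. Only a non-null name means
     * the ticket was verified against the keytab. The output token is {@code null} when the
     * acceptor produced no bytes.
     *
     * <p>{@link LoginException}, {@link GSSException} and any other checked failure raised inside
     * the privileged calls are delivered to {@link ActionListener#onFailure}; unchecked errors
     * propagate to the caller. The login and GSS contexts are released on every path.
     *
     * @param decodedToken   raw token bytes from the client
     * @param keytabPath     path to the service keytab used for the JAAS login
     * @param krbDebug       whether to enable Krb5LoginModule debug output
     * @param actionListener receives the (username, outToken) pair or the failure
     */
    public void validateTicket(byte[] decodedToken, Path keytabPath, boolean krbDebug, ActionListener<Tuple<String, String>> actionListener) {
        final GSSManager gssManager = GSSManager.getInstance();
        GSSContext gssContext = null;
        LoginContext loginContext = null;
        try {
            loginContext = serviceLogin(keytabPath.toString(), krbDebug);
            gssContext = gssManager.createContext(createCredentials(gssManager, loginContext.getSubject()));
            final String base64OutToken = encodeToString(acceptSecContext(decodedToken, gssContext, loginContext.getSubject()));
            // getSrcName() is only meaningful once the context is established; skip it otherwise
            // rather than risk an unchecked failure that would bypass the listener.
            final boolean established = gssContext.isEstablished();
            final String username = established ? gssContext.getSrcName().toString() : null;
            LOGGER.trace("validateTicket isGSSContextEstablished = {}, username = {}, outToken = {}", established, username, base64OutToken);
            actionListener.onResponse(new Tuple<>(username, base64OutToken));
        } catch (PrivilegedActionException e) {
            // doAsWrapper already unwraps the nested PrivilegedActionException, so the wrapped
            // exception is the real failure (LoginException, GSSException or another checked one).
            actionListener.onFailure(e.getException());
        } catch (GSSException e) {
            actionListener.onFailure(e);
        } finally {
            privilegedLogoutNoThrow(loginContext);
            privilegedDisposeNoThrow(gssContext);
        }
    }

    /** Base64-encodes the acceptor's output token; {@code null} when there is nothing to send back. */
    private String encodeToString(byte[] outToken) {
        if (outToken == null || outToken.length == 0) {
            return null;
        }
        return Base64.getEncoder().encodeToString(outToken);
    }

    /** Feeds the whole client token to the acceptor as {@code subject}; returns the output token bytes. */
    private static byte[] acceptSecContext(byte[] decodedToken, GSSContext gssContext, Subject subject) throws PrivilegedActionException {
        return doAsWrapper(subject, () -> gssContext.acceptSecContext(decodedToken, 0, decodedToken.length));
    }

    /**
     * Creates an accept-only credential for the supported mechanisms from the keys in
     * {@code subject}. A {@code null} name lets GSS pick the acceptor name from the subject.
     */
    private static GSSCredential createCredentials(GSSManager gssManager, Subject subject) throws PrivilegedActionException {
        return doAsWrapper(
            subject,
            () -> gssManager.createCredential((GSSName) null, GSSCredential.DEFAULT_LIFETIME, SUPPORTED_OIDS, GSSCredential.ACCEPT_ONLY)
        );
    }

    /**
     * Runs {@code action} as {@code subject} inside a privileged block.
     *
     * <p>{@link Subject#doAs} wraps a checked exception from the action in a
     * {@link PrivilegedActionException}, and the outer {@link AccessController#doPrivileged} wraps
     * that once more; the inner exception is rethrown so callers see a single
     * {@link PrivilegedActionException} whose cause is the original failure.
     */
    private static <T> T doAsWrapper(Subject subject, PrivilegedExceptionAction<T> action) throws PrivilegedActionException {
        try {
            return AccessController.doPrivileged((PrivilegedExceptionAction<T>) () -> Subject.doAs(subject, action));
        } catch (PrivilegedActionException e) {
            if (e.getCause() instanceof PrivilegedActionException) {
                throw (PrivilegedActionException) e.getCause();
            }
            throw e;
        }
    }

    /** Disposes the GSS context if there is one; a failure is only logged, never propagated. */
    private static void privilegedDisposeNoThrow(GSSContext gssContext) {
        if (gssContext == null) {
            return;
        }
        try {
            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
                gssContext.dispose();
                return null;
            });
        } catch (PrivilegedActionException e) {
            LOGGER.debug("Could not dispose GSS Context", e.getCause());
        }
    }

    /** Logs the service subject out if there is a login context; a failure is only logged. */
    private static void privilegedLogoutNoThrow(LoginContext loginContext) {
        if (loginContext == null) {
            return;
        }
        try {
            AccessController.doPrivileged((PrivilegedExceptionAction<Void>) () -> {
                loginContext.logout();
                return null;
            });
        } catch (PrivilegedActionException e) {
            LOGGER.debug("Could not close LoginContext", e.getCause());
        }
    }

    /**
     * Performs the JAAS service login from the keytab and returns the logged-in context.
     *
     * @throws PrivilegedActionException wrapping the {@link LoginException} when the login fails
     */
    private static LoginContext serviceLogin(String keytabFilePath, boolean krbDebug) throws PrivilegedActionException {
        return AccessController.doPrivileged((PrivilegedExceptionAction<LoginContext>) () -> {
            // A fresh, writable Subject: the login module populates it with the service principal
            // and keytab keys; nothing from the caller's security context is carried over.
            final Subject subject = new Subject(false, Collections.emptySet(), Collections.emptySet(), Collections.emptySet());
            final LoginContext loginContext = new LoginContext(
                KEY_TAB_CONF_NAME,
                subject,
                (CallbackHandler) null,
                new KeytabJaasConf(keytabFilePath, krbDebug)
            );
            loginContext.login();
            return loginContext;
        });
    }
}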
