package com.hazelcast.security.loginimpl;

import com.hazelcast.config.InvalidConfigurationException;
import com.hazelcast.config.security.RealmConfig;
import com.hazelcast.security.ClusterLoginModule;
import com.hazelcast.security.Credentials;
import com.hazelcast.security.CredentialsCallback;
import com.hazelcast.security.TokenCredentials;
import com.hazelcast.security.impl.SecurityUtil;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/* loaded from: input_file:com/hazelcast/security/loginimpl/GssApiLoginModule.class */
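/**
 * JAAS login module that authenticates a peer by accepting a single GSS-API token delivered in
 * {@link TokenCredentials}.
 *
 * <p>The acceptor credentials come from one of two places: a referenced security realm
 * ({@value #OPTION_SECURITY_REALM}) or a Kerberos realm configuration generated on the fly from
 * {@value #OPTION_PRINCIPAL} and {@value #OPTION_KEYTAB_FILE}. The two are mutually exclusive;
 * {@link #onInitialize()} rejects a configuration that mixes them.
 *
 * <p>Only one-round-trip tokens are supported: the context must be established after the first
 * {@code acceptSecContext} call. Unless {@value #OPTION_RELAX_FLAGS_CHECK} is set, a token that
 * requests mutual authentication, confidentiality or integrity is rejected, because this module
 * never sends a reply token and never wraps/unwraps data.
 */
public class GssApiLoginModule extends ClusterLoginModule {
    public static final String OPTION_RELAX_FLAGS_CHECK = "relaxFlagsCheck";
    public static final String OPTION_SECURITY_REALM = "securityRealm";
    public static final String OPTION_USE_NAME_WITHOUT_REALM = "useNameWithoutRealm";
    public static final String OPTION_KEYTAB_FILE = "keytabFile";
    public static final String OPTION_PRINCIPAL = "principal";
    // The "generated realm" warning is emitted at most once per JVM, not once per login.
    private static final AtomicBoolean KRB5_REALM_GENERATED_WARNING_PRINTED = new AtomicBoolean(false);
    // Name of the authenticated peer (GSS source name); assigned by acceptToken().
    private String name;

    /**
     * Validates the option combination.
     *
     * @throws InvalidConfigurationException when {@value #OPTION_SECURITY_REALM} is combined with
     *         {@value #OPTION_PRINCIPAL} or {@value #OPTION_KEYTAB_FILE}
     */
    @Override // com.hazelcast.security.ClusterLoginModule
    public void onInitialize() {
        super.onInitialize();
        String securityRealm = getStringOption(OPTION_SECURITY_REALM, null);
        String keytabFile = getStringOption(OPTION_KEYTAB_FILE, null);
        String principal = getStringOption(OPTION_PRINCIPAL, null);
        // Acceptor credentials are either looked up in a realm or generated from keytab/principal,
        // never both.
        if (securityRealm != null && (principal != null || keytabFile != null)) {
            throw new InvalidConfigurationException(
                    "The principal and keytabFile must not be configured when securityRealm is used.");
        }
    }

    /**
     * Obtains the token from the callback handler and accepts it, optionally as the run-as
     * {@link Subject} that holds the acceptor credentials.
     *
     * @return {@code true} when the token was accepted
     * @throws FailedLoginException when no token is available or the token is rejected
     * @throws LoginException when the callback handler or the GSS-API acceptance fails
     */
    @Override // com.hazelcast.security.ClusterLoginModule
    public boolean onLogin() throws LoginException {
        CredentialsCallback credentialsCallback = new CredentialsCallback();
        try {
            this.callbackHandler.handle(new Callback[]{credentialsCallback});
            Credentials credentials = credentialsCallback.getCredentials();
            // instanceof already rejects null.
            if (!(credentials instanceof TokenCredentials)) {
                throw new FailedLoginException("No valid TokenCredentials found");
            }
            byte[] token = ((TokenCredentials) credentials).getToken();
            if (token == null) {
                throw new FailedLoginException("No token found in TokenCredentials.");
            }
            if (this.logger.isFineEnabled()) {
                // NOTE(review): the complete GSS token (Kerberos AP-REQ material) ends up in the
                // log at FINE level; logs produced with this level enabled must be treated as
                // sensitive.
                this.logger.fine("Received Token: " + Base64.getEncoder().encodeToString(token));
            }

            Subject runAsSubject;
            String securityRealm = getStringOption(OPTION_SECURITY_REALM, null);
            if (securityRealm != null) {
                runAsSubject = SecurityUtil.getRunAsSubject(this.callbackHandler, securityRealm);
            } else {
                // No realm referenced: build a Krb5LoginModule acceptor configuration from the
                // principal ("*" = any principal in the keytab) and keytab options.
                RealmConfig generatedRealm = SecurityUtil.createKerberosJaasRealmConfig(
                        getStringOption(OPTION_PRINCIPAL, "*"), getStringOption(OPTION_KEYTAB_FILE, null), false);
                if (generatedRealm != null && KRB5_REALM_GENERATED_WARNING_PRINTED.compareAndSet(false, true)) {
                    this.logger.warning("Using generated Kerberos acceptor realm configuration is not intended for production use. It's recommended to properly configure the Krb5LoginModule manually to fit your needs. Following configuration was generated from provided keytab and principal properties:\n"
                            + SecurityUtil.generateRealmConfigXml(generatedRealm, "krb5Acceptor"));
                }
                runAsSubject = SecurityUtil.getRunAsSubject(this.callbackHandler, generatedRealm);
            }

            if (runAsSubject == null) {
                // No acceptor Subject: rely on whatever credentials the current context provides.
                acceptToken(token);
                return true;
            }
            try {
                Subject.doAs(runAsSubject, () -> acceptToken(token));
            } catch (PrivilegedActionException e) {
                throw unwrapPrivilegedActionException(e);
            }
            return true;
        } catch (IOException | UnsupportedCallbackException e) {
            // NOTE(review): the message mentions certificates although this module consumes
            // tokens; kept as-is because callers/log consumers may match on it.
            FailedLoginException failure = new FailedLoginException("Unable to retrieve Certificates. " + e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Converts the exception thrown inside {@code Subject.doAs} back into a {@link LoginException}:
     * a {@link LoginException} cause is rethrown unchanged, anything else is wrapped.
     */
    private static LoginException unwrapPrivilegedActionException(PrivilegedActionException e) {
        Throwable cause = e.getCause();
        if (cause instanceof LoginException) {
            return (LoginException) cause;
        }
        LoginException loginException = new LoginException("Accepting the token failed");
        loginException.initCause(cause);
        return loginException;
    }

    /**
     * Accepts the token in a fresh GSS context, checks the negotiated flags and records the peer
     * name (and role, unless {@code OPTION_SKIP_ROLE} is set).
     *
     * <p>The context is always disposed, whether acceptance succeeds or fails, so that native
     * GSS resources are not leaked on the failure path.
     *
     * @param token the initial context token received from the peer; never {@code null}
     * @return always {@code null} (the {@link Void} result is required by {@code Subject.doAs})
     * @throws FailedLoginException when the token needs further round trips or requests
     *         features this module does not provide
     * @throws LoginException when the GSS-API rejects the token
     */
    private Void acceptToken(byte[] token) throws LoginException {
        GSSContext context = null;
        try {
            context = GSSManager.getInstance().createContext((GSSCredential) null);
            byte[] replyToken = context.acceptSecContext(token, 0, token.length);
            if (!context.isEstablished()) {
                throw new FailedLoginException("Multi-step negotiation is not supported by this login module");
            }
            if (!getBoolOption(OPTION_RELAX_FLAGS_CHECK, false)) {
                // A non-empty reply token means the initiator asked for mutual authentication,
                // which this module cannot complete because it never sends the reply.
                if (replyToken != null && replyToken.length > 0) {
                    throw new FailedLoginException("Mutual authentication is not supported by this login module");
                }
                // Likewise no per-message protection is ever applied, so do not let the peer
                // believe it was negotiated.
                if (context.getConfState() || context.getIntegState()) {
                    throw new FailedLoginException("Confidentiality and data integrity is not provided by this login module.");
                }
            }
            this.name = getAuthenticatedName(context);
            if (!getBoolOption(ClusterLoginModule.OPTION_SKIP_ROLE, false)) {
                addRole(this.name);
            }
            return null;
        } catch (GSSException e) {
            this.logger.fine("Accepting the GSS-API token failed.", e);
            LoginException loginException = new LoginException("Accepting the GSS-API token failed. " + e.getMessage());
            loginException.initCause(e);
            throw loginException;
        } finally {
            disposeQuietly(context);
        }
    }

    /**
     * Releases the GSS context; a failure to dispose is logged at FINE level only, because it
     * must not mask the outcome of the authentication itself.
     */
    private void disposeQuietly(GSSContext context) {
        if (context == null) {
            return;
        }
        try {
            context.dispose();
        } catch (GSSException e) {
            this.logger.fine("Disposing the GSS-API context failed.", e);
        }
    }

    /**
     * Returns the peer's GSS source name, optionally with the {@code @REALM} suffix removed.
     *
     * <p>With {@value #OPTION_USE_NAME_WITHOUT_REALM} enabled, principals that differ only in
     * their realm yield the same name; keep that in mind when the name is used as a role.
     *
     * @param gSSContext the established context
     * @return the (possibly realm-stripped) source name
     * @throws GSSException when the source name cannot be read
     */
    protected String getAuthenticatedName(GSSContext gSSContext) throws GSSException {
        String srcName = gSSContext.getSrcName().toString();
        if (getBoolOption(OPTION_USE_NAME_WITHOUT_REALM, false)) {
            int realmSeparator = srcName.lastIndexOf('@');
            if (realmSeparator > -1) {
                srcName = srcName.substring(0, realmSeparator);
            }
        }
        return srcName;
    }

    /** @return the name recorded by {@link #acceptToken(byte[])}, or {@code null} before login */
    @Override // com.hazelcast.security.ClusterLoginModule
    protected String getName() {
        return this.name;
    }
}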
