package cern.rbac.client.impl.authentication;

import cern.rbac.client.ClientConfiguration;
import cern.rbac.client.impl.ClientConstants;
import com.sun.security.auth.module.Krb5LoginModule;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/rbac-client-6.0.2.jar:cern/rbac/client/impl/authentication/KerberosCallback.class */
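/**
 * Obtains the initial Kerberos GSS-API token for the configured RBAC service principal.
 *
 * <p>{@link #init()} / {@link #init(Map)} performs a JAAS login through {@link Krb5LoginModule}
 * against the local ticket cache (never prompting for a password), records the remaining
 * lifetime of the TGT in minutes, and then, running as the logged-in {@link Subject}, calls
 * {@code initSecContext} once to produce the token that {@link #getKrb5ServiceTicket()} returns.
 *
 * <p>Instances keep mutable state in plain fields and are not designed for concurrent use;
 * {@code init} must have completed before the getters are called.
 */
public class KerberosCallback implements Callback {
    private static final Logger LOGGER = LoggerFactory.getLogger(KerberosCallback.class);
    /** JAAS application entry name served by the in-memory {@link Configuration} built here. */
    private static final String JAAS_ENTRY_NAME = "krb5-login";
    private final ClientConfiguration configuration;
    private final Oid krb5Oid = new Oid(ClientConstants.KRB5OID);
    private Subject clientSubject;
    private byte[] krb5ServiceTicket;
    // Remaining TGT lifetime in minutes, measured when init() ran; Integer.MAX_VALUE if unknown.
    private int lifetime;

    /**
     * Creates a callback bound to the given client configuration.
     *
     * @param clientConfiguration source of realm, KDC, service principal name and debug flag
     * @throws GSSException if the Kerberos mechanism {@link Oid} in {@link ClientConstants#KRB5OID}
     *     cannot be constructed (the field initializer runs as part of construction)
     * @throws NullPointerException if {@code clientConfiguration} is {@code null}
     */
    public KerberosCallback(ClientConfiguration clientConfiguration) throws GSSException {
        this.configuration = Objects.requireNonNull(clientConfiguration, "clientConfiguration");
    }

    /**
     * Returns a copy of the initial GSS-API token obtained by {@link #init()}.
     *
     * @return a fresh copy of the token bytes; callers may modify it freely
     * @throws IllegalStateException if {@code init} has not completed successfully
     */
    public byte[] getKrb5ServiceTicket() {
        if (this.krb5ServiceTicket == null) {
            throw new IllegalStateException("Kerberos service ticket not available: init() has not completed");
        }
        return this.krb5ServiceTicket.clone();
    }

    /**
     * Returns the subject produced by the JAAS login, or {@code null} before {@link #init()}.
     *
     * <p>The subject carries the TGT in its private credentials; treat it as sensitive.
     */
    public Subject getClientSubject() {
        return this.clientSubject;
    }

    /**
     * Returns the remaining lifetime of the TGT in minutes as measured during {@link #init()},
     * or {@link Integer#MAX_VALUE} when no ticket end time could be determined.
     */
    public int getLifetime() {
        return this.lifetime;
    }

    /**
     * Equivalent to {@code init(null)}: login with the default JAAS options only.
     *
     * @throws GSSException if the security context cannot be initiated
     * @throws LoginException if the Kerberos login fails (e.g. no usable ticket cache)
     */
    public void init() throws GSSException, LoginException {
        init(null);
    }

    /**
     * Logs in via Kerberos, records the TGT lifetime and produces the initial GSS-API token.
     *
     * @param map additional {@link Krb5LoginModule} options; may be {@code null}. The map is not
     *     modified. Entries for {@code debug}, {@code doNotPrompt}, {@code useTicketCache},
     *     {@code realm} and {@code kdc} are always overridden by this class.
     * @throws GSSException if the GSS-API name or context cannot be created, or the context
     *     initiation fails
     * @throws LoginException if the JAAS login fails
     */
    public void init(Map<String, Object> map) throws GSSException, LoginException {
        kerberosLogin(map);
        setClientSubjectLifetime();
        initiateSecurityContext();
    }

    /**
     * Builds an in-memory JAAS configuration with a single REQUIRED {@link Krb5LoginModule} entry.
     *
     * @param map caller-supplied module options, or {@code null}
     * @return a configuration that answers only for {@link #JAAS_ENTRY_NAME}
     */
    private Configuration createJaasConfig(Map<String, Object> map) {
        // Work on a copy so the caller's map is never mutated. The fixed options are applied
        // last and therefore win over caller-supplied values.
        final Map<String, Object> options = map == null ? new HashMap<>() : new HashMap<>(map);
        options.put("debug", this.configuration.getKerberosDebug());
        // Only an existing ticket cache (e.g. from kinit) is accepted; no password prompt ever.
        options.put("doNotPrompt", "true");
        options.put("useTicketCache", "true");
        // NOTE(review): "realm" and "kdc" are not among the options Krb5LoginModule documents and
        // may well be ignored here; the realm/KDC actually used likely come from krb5.conf or the
        // java.security.krb5.realm / java.security.krb5.kdc system properties — confirm.
        options.put("realm", this.configuration.getKerberosRealm());
        options.put("kdc", this.configuration.getKdc());
        final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(Krb5LoginModule.class.getCanonicalName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
        };
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return JAAS_ENTRY_NAME.equals(name) ? entries : new AppConfigurationEntry[0];
            }
        };
    }

    /**
     * Performs the JAAS login and stores the resulting subject in {@link #clientSubject}.
     *
     * @param map caller-supplied {@link Krb5LoginModule} options, or {@code null}
     * @throws LoginException if the login fails
     */
    private void kerberosLogin(Map<String, Object> map) throws LoginException {
        LoginContext loginContext = new LoginContext(JAAS_ENTRY_NAME, (Subject) null,
                (CallbackHandler) null, createJaasConfig(map));
        loginContext.login();
        this.clientSubject = loginContext.getSubject();
    }

    /**
     * Computes {@link #lifetime} (minutes until the earliest Kerberos ticket in the subject expires).
     *
     * <p>The end time is read from the typed {@link KerberosTicket} credentials rather than by
     * regex-parsing {@code getPrivateCredentials().toString()}: that rendering is format- and
     * locale-dependent, and for a ticket it can also materialise the session key as a hex dump
     * inside an immutable {@link String}. Falls back to {@link Integer#MAX_VALUE} when no ticket
     * with an end time is present.
     */
    private void setClientSubjectLifetime() {
        Date earliestEnd = null;
        for (KerberosTicket ticket : this.clientSubject.getPrivateCredentials(KerberosTicket.class)) {
            Date end = ticket.getEndTime();
            if (end != null && (earliestEnd == null || end.before(earliestEnd))) {
                earliestEnd = end;
            }
        }
        if (earliestEnd == null) {
            LOGGER.info("Could not determine Kerberos TGT endTime: no KerberosTicket with an end time in subject");
            this.lifetime = Integer.MAX_VALUE;
            return;
        }
        long remainingMinutes = TimeUnit.MILLISECONDS.toMinutes(earliestEnd.getTime() - System.currentTimeMillis());
        // Saturate instead of throwing (Math.toIntExact) for out-of-range values.
        this.lifetime = (int) Math.max(Integer.MIN_VALUE, Math.min(Integer.MAX_VALUE, remainingMinutes));
    }

    /**
     * Converts {@link #lifetime} (minutes) to the seconds-based lifetime request expected by
     * {@link GSSManager#createContext(GSSName, Oid, GSSCredential, int)}, saturating to
     * {@link GSSContext#INDEFINITE_LIFETIME} and flooring at {@link GSSContext#DEFAULT_LIFETIME}.
     */
    private int lifetimeSeconds() {
        long seconds = TimeUnit.MINUTES.toSeconds(this.lifetime);
        if (seconds >= Integer.MAX_VALUE) {
            return GSSContext.INDEFINITE_LIFETIME;
        }
        return (int) Math.max(GSSContext.DEFAULT_LIFETIME, seconds);
    }

    /**
     * Creates the GSS-API context for the configured service principal and, running as the
     * logged-in subject, obtains the initial context token into {@link #krb5ServiceTicket}.
     *
     * <p>Failures are propagated rather than replaced by an empty token: an empty token cannot
     * authenticate and would only surface as an opaque rejection by the server later.
     * The context is disposed in all cases once the token has been produced.
     *
     * @throws GSSException if name/context creation or {@code initSecContext} fails
     */
    private void initiateSecurityContext() throws GSSException {
        String servicePrincipalName = this.configuration.getServicePrincipalName();
        GSSManager manager = GSSManager.getInstance();
        GSSContext context = manager.createContext(
                manager.createName(servicePrincipalName, GSSName.NT_USER_NAME),
                this.krb5Oid, (GSSCredential) null, lifetimeSeconds());
        try {
            // initSecContext must run as the subject so the Kerberos mechanism can find the TGT
            // in the subject's private credentials.
            PrivilegedExceptionAction<byte[]> initialToken = () -> {
                byte[] empty = new byte[0];
                return context.initSecContext(empty, 0, empty.length);
            };
            byte[] token = Subject.doAs(this.clientSubject, initialToken);
            // Normalise a (not expected) null token to an empty array so the getter stays total.
            this.krb5ServiceTicket = token == null ? new byte[0] : token;
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            LOGGER.info("Could not initiate security context for Kerberos authentication: {}", cause.getMessage());
            if (cause instanceof GSSException) {
                throw (GSSException) cause;
            }
            throw new IllegalStateException("Unexpected failure initiating Kerberos security context", cause);
        } finally {
            try {
                // Release the mechanism state held by the context; the token bytes are independent of it.
                context.dispose();
            } catch (GSSException e) {
                LOGGER.debug("Could not dispose GSS context: {}", e.getMessage());
            }
        }
    }
}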
