package com.sun.identity.authentication.modules.windowsdesktopsso;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOException;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.HttpCallback;
import com.sun.identity.authentication.util.DerValue;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchOpModifier;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;
import com.sun.identity.shared.datastruct.CollectionHelper;
import com.sun.identity.shared.debug.Debug;
import com.sun.identity.shared.encode.Base64;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.servlet.http.HttpServletRequest;
import org.forgerock.openam.utils.CrestQuery;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.util.annotations.VisibleForTesting;
import org.forgerock.util.query.QueryFilter;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

/* loaded from: input_file:com/sun/identity/authentication/modules/windowsdesktopsso/WindowsDesktopSSO.class */
public class WindowsDesktopSSO extends AMLoginModule {
    /** Debug instance name; also the resource-bundle name used for every AuthLoginException key thrown here. */
    private static final String amAuthWindowsDesktopSSO = "amAuthWindowsDesktopSSO";

    /** Service attribute listing the Kerberos realms whose tokens are accepted (read by getAcceptedKerberosRealms, not shown here). */
    private static final String ACCEPTED_REALMS_ATTR = "iplanet-am-auth-windowsdesktopsso-kerberos-realms-trusted";

    /** Separator between the principal and the realm in a Kerberos name ("user@REALM"). */
    private static final String REALM_SEPARATOR = "@";

    /**
     * Module configuration attribute names. The int constants below are indexes into this
     * array (see getMapAttr); SUBJECT is the key under which the logged-in service Subject
     * is stored in configTable.
     */
    private static final String[] configAttributes = {
        "iplanet-am-auth-windowsdesktopsso-principal-name",
        "iplanet-am-auth-windowsdesktopsso-keytab-file",
        "iplanet-am-auth-windowsdesktopsso-kerberos-realm",
        "iplanet-am-auth-windowsdesktopsso-kdc",
        "iplanet-am-auth-windowsdesktopsso-returnRealm",
        "iplanet-am-auth-windowsdesktopsso-lookupUserInRealm",
        "iplanet-am-auth-windowsdesktopsso-auth-level",
        "serviceSubject"
    };
    private static final int PRINCIPAL = 0;
    private static final int KEYTAB = 1;
    private static final int REALM = 2;
    private static final int KDC = 3;
    private static final int RETURNREALM = 4;
    private static final int LOOKUPUSER = 5;
    private static final int AUTHLEVEL = 6;
    private static final int SUBJECT = 7;

    /**
     * JVM-wide cache keyed "<org>/<moduleInstanceName>" holding the service principal,
     * keytab path, realm, KDC and the logged-in service Subject (i.e. this module's own
     * Kerberos credentials). Shared by every instance of the module; see getConfigParams.
     */
    private static Hashtable configTable = new Hashtable();

    /**
     * System property "<this class>.useKrb5ConfFile" (default true). When true the service
     * login is driven by a krb5.conf file (serviceLoginDynamic); otherwise by the
     * java.security.krb5.realm / java.security.krb5.kdc system properties (serviceLoginStatic).
     */
    private static final boolean USE_KRB5_CONF_FILE = SystemProperties.getAsBoolean(WindowsDesktopSSO.class.getName().concat(".useKrb5ConfFile"), true);

    // DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, contents) that parseToken compares
    // against the start of the inbound token.
    /** 1.3.6.1.5.5.2 - SPNEGO. */
    private static byte[] spnegoOID = {6, 6, 43, 6, 1, 5, 5, 2};
    /** 1.2.840.48018.1.2.2 - Microsoft Kerberos 5; declared but not referenced in the code visible here. */
    private static byte[] MS_KERBEROS_OID = {6, 9, 42, (byte) 0x86, 72, (byte) 0x82, (byte) 0xf7, 18, 1, 2, 2};
    /** 1.2.840.113554.1.2.2 - Kerberos V5. */
    private static byte[] KERBEROS_V5_OID = {6, 9, 42, (byte) 0x86, 72, (byte) 0x86, (byte) 0xf7, 18, 1, 2, 2};

    /** Matches a realm block header in krb5.conf, e.g. "EXAMPLE.COM = {"; group 1 is the realm name. */
    private static final String REALM_REGEX = "^(\\S+)\\s*\\=\\s*\\{\\s*$";
    private static final Pattern REALM_PATTERN = Pattern.compile(REALM_REGEX);
    /** Matches a "kdc = host" line inside a realm block; group 1 is the KDC. */
    private static final String KDC_REGEX = "^kdc\\s*=\\s*(\\S*)\\s*$";
    private static final Pattern KDC_PATTERN = Pattern.compile(KDC_REGEX);

    // Per-instance state; the configuration fields are populated by getConfigParams.
    private Principal userPrincipal = null;
    private Subject serviceSubject = null;
    private String servicePrincipalName = null;
    private String keyTabFile = null;
    private String kdcRealm = null;
    private String kdcServer = null;
    private boolean returnRealm = false;
    private String authLevel = null;
    private Map options = null;
    private String confIndex = null;
    private boolean lookupUserInRealm = false;
    private Debug debug = Debug.getInstance(amAuthWindowsDesktopSSO);
    /** Empty means "accept tokens from any realm" - see authenticateToken. */
    private Set<String> trustedKerberosRealms = Collections.<String>emptySet();

    /**
     * Stores the module options and decides whether JAAS shared state is used.
     *
     * Shared state is enabled when there is no HTTP request (non-web login) or when the
     * request carries the client-supplied parameter skipKerberos=true. process() returns
     * early without setting a principal in the same situations (and additionally when the
     * "http-auth-failed" request attribute is set).
     *
     * @param subject unused
     * @param map     unused
     * @param map2    module instance options, retained in {@link #options}
     */
    public void init(Subject subject, Map map, Map map2) {
        this.options = map2;
        HttpServletRequest request = getHttpServletRequest();
        boolean skipRequested = request != null && "true".equals(request.getParameter("skipKerberos"));
        if (request == null || skipRequested) {
            setSharedStateEnabled(true);
        }
    }

    /**
     * Returns the principal established by a successful process(); null before
     * authentication and again after destroyModuleState().
     */
    public Principal getPrincipal() {
        return userPrincipal;
    }

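    /**
     * Authenticates the caller from the SPNEGO/Kerberos token carried in the request.
     *
     * Returns 0 without touching the principal when there is no HTTP request, when the
     * front-end flagged HTTP auth as failed, or when the client sent skipKerberos=true.
     * skipKerberos is a plain request parameter, so any client can opt out of this module;
     * the rest of the authentication chain must then carry the authentication on its own.
     * Returns -1 once the token has been accepted and the principal set.
     *
     * Message-level debug logging writes the complete client token to the debug log.
     *
     * @param callbackArr callbacks; the first may be an HttpCallback carrying the token
     * @param i           login state, unused
     * @return -1 on success, 0 when the module does not participate
     * @throws AuthLoginException key "token" for a missing/undecodable token, "auth" for a
     *         GSS/Kerberos failure, and whatever key authenticateToken raised
     *         ("context", "untrustedToken", "notfound")
     */
    public int process(Callback[] callbackArr, int i) throws AuthLoginException {
        HttpServletRequest request = getHttpServletRequest();
        if (request == null || hasWDSSOFailed(request) || "true".equals(request.getParameter("skipKerberos"))) {
            return PRINCIPAL;
        }
        // Reuse the cached service Subject when the cached config still matches, else log the service in.
        if (!getConfigParams()) {
            initWindowsDesktopSSOAuth(this.options);
        }
        byte[] spnegoToken = getSPNEGOTokenFromHTTPRequest(request);
        if (spnegoToken == null) {
            spnegoToken = getSPNEGOTokenFromCallback(callbackArr);
        }
        if (spnegoToken == null) {
            this.debug.error("spnego token is not valid.");
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", (Object[]) null);
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("SPNEGO token: \n" + DerValue.printByteArray(spnegoToken, PRINCIPAL, spnegoToken.length));
        }
        byte[] kerberosToken = parseToken(spnegoToken);
        if (kerberosToken == null) {
            this.debug.error("kerberos token is not valid.");
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "token", (Object[]) null);
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("Kerberos token retrieved from SPNEGO token: \n" + DerValue.printByteArray(kerberosToken, PRINCIPAL, kerberosToken.length));
        }
        try {
            authenticateToken(kerberosToken, this.trustedKerberosRealms);
        } catch (AuthLoginException e) {
            this.debug.error("Authentication failed with AuthLoginException. Stack Trace", e);
            throw e;
        } catch (GSSException e) {
            retryIfCredentialExpired(e, kerberosToken);
        } catch (PrivilegedActionException e) {
            // Subject.doAs wraps every checked exception thrown by the privileged action,
            // so this is the path GSS and AuthLogin failures from authenticateToken take.
            Exception cause = extractException(e);
            if (cause instanceof GSSException) {
                retryIfCredentialExpired((GSSException) cause, kerberosToken);
            } else if (cause instanceof AuthLoginException) {
                // Untrusted realm / unknown user / context not established: previously
                // this case fell through and the module returned 0 as if it had been
                // skipped; the failure is now reported to the chain.
                this.debug.error("Authentication failed with AuthLoginException. Stack Trace", cause);
                throw (AuthLoginException) cause;
            } else {
                this.debug.error("Authentication failed with generic exception. Stack Trace", cause);
                throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", (Object[]) null, cause);
            }
        } catch (Exception e) {
            this.debug.error("Authentication failed with generic exception. Stack Trace", e);
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", (Object[]) null, e);
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("WindowsDesktopSSO kerberos authentication passed succesfully.");
        }
        return -1;
    }

    /**
     * Handles a GSSException raised by authenticateToken. If the service credential has
     * expired (GSSException.CREDENTIALS_EXPIRED, previously the magic number 8) the
     * service is logged in again and the token is accepted once more; success is signalled
     * by returning normally - it is no longer tied to the debug level, which previously made
     * a successful retry return 0 when message logging was off. Any other GSS failure, a
     * failed service login or a failed retry becomes an AuthLoginException("auth").
     *
     * @param gsse          the GSS failure
     * @param kerberosToken the Kerberos token to retry with
     * @throws AuthLoginException as described above
     */
    private void retryIfCredentialExpired(GSSException gsse, byte[] kerberosToken) throws AuthLoginException {
        if (gsse.getMajor() != GSSException.CREDENTIALS_EXPIRED) {
            this.debug.error("Authentication failed with GSSException. Stack Trace", gsse);
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", (Object[]) null, gsse);
        }
        this.debug.message("Credential expired. Re-establish credential...");
        serviceLogin();
        try {
            authenticateToken(kerberosToken, this.trustedKerberosRealms);
        } catch (Exception e) {
            this.debug.error("Authentication failed with new cred. Stack Trace", e);
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "auth", (Object[]) null, e);
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("Authentication succeeded with new cred.");
        }
    }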

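    /**
     * Accepts the Kerberos token under the service Subject and sets the user principal.
     *
     * Runs as a privileged action with {@link #serviceSubject}: a GSS context is created,
     * the token is fed to acceptSecContext once (the context must be established after
     * that single call) and the initiator name is read from the context. When {@code set}
     * is non-empty the name must satisfy isTokenTrusted for at least one listed realm;
     * when it is empty NO realm filtering happens - any principal the acceptor's KDC will
     * vouch for, including cross-realm ones, is accepted. With lookupUserInRealm the user
     * (realm stripped per getUserName) must also exist in the request organisation and the
     * name is stored in shared state; without it the principal is taken straight from the
     * ticket with no identity-store check.
     *
     * Checked exceptions thrown inside the action reach the caller wrapped in a
     * PrivilegedActionException. The GSS context is now disposed on every path (it used
     * to leak on failure).
     *
     * @param bArr the Kerberos token produced by parseToken
     * @param set  trusted realms; empty means "accept any"
     * @throws AuthLoginException "context" if no context/initiator name is established,
     *         "untrustedToken" for a realm outside {@code set}, "notfound" for an unknown user
     * @throws GSSException declared for compatibility; in practice surfaces wrapped
     * @throws Exception declared for compatibility
     */
    private void authenticateToken(final byte[] bArr, final Set<String> set) throws AuthLoginException, GSSException, Exception {
        this.debug.message("In authenticationToken ...");
        Subject.doAs(this.serviceSubject, (PrivilegedExceptionAction<Void>) () -> {
            GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
            try {
                acceptAndMapPrincipal(context, bArr, set);
            } finally {
                try {
                    context.dispose();
                } catch (GSSException e) {
                    debug.warning("WindowsDesktopSSO.authenticateToken: error disposing GSS context", e);
                }
            }
            return null;
        });
    }

    /**
     * Accepts {@code token} on {@code context}, applies the trusted-realm and
     * lookupUserInRealm checks and sets the principal. Must run under the service Subject.
     */
    private void acceptAndMapPrincipal(GSSContext context, byte[] token, Set<String> trustedRealms) throws Exception {
        if (debug.messageEnabled()) {
            debug.message("Context created.");
        }
        byte[] reply = context.acceptSecContext(token, PRINCIPAL, token.length);
        if (reply != null && debug.messageEnabled()) {
            debug.message("Token returned from acceptSecContext: \n" + DerValue.printByteArray(reply, PRINCIPAL, reply.length));
        }
        if (!context.isEstablished()) {
            debug.error("Cannot establish context !");
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", (Object[]) null);
        }
        if (debug.messageEnabled()) {
            debug.message("Context established !");
        }
        GSSName srcName = context.getSrcName();
        if (srcName == null) {
            // Previously dereferenced unconditionally (NullPointerException); fail cleanly.
            debug.error("Established context has no initiator name !");
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "context", (Object[]) null);
        }
        String principalName = srcName.toString();
        if (!trustedRealms.isEmpty() && !isTrustedByAnyRealm(principalName, trustedRealms)) {
            debug.error("Kerberos token for " + principalName + " not trusted");
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "untrustedToken", new String[]{principalName});
        }
        if (lookupUserInRealm) {
            String org = getRequestOrg();
            String userName = getUserName(principalName);
            String found = searchUserAccount(userName, org);
            if (found == null || found.isEmpty()) {
                debug.error("WindowsDesktopSSO.authenticateToken: : Unable to find the user " + userName);
                throw new AuthLoginException(amAuthWindowsDesktopSSO, "notfound", new String[]{userName, org});
            }
            storeUsernamePasswd(userName, null);
        }
        if (debug.messageEnabled()) {
            debug.message("WindowsDesktopSSO.authenticateToken:User authenticated: " + principalName);
        }
        setPrincipal(principalName);
    }

    /** True when isTokenTrusted accepts {@code principalName} for at least one of {@code realms}. */
    private static boolean isTrustedByAnyRealm(String principalName, Set<String> realms) {
        for (String realm : realms) {
            if (isTokenTrusted(principalName, realm)) {
                return true;
            }
        }
        return false;
    }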

    /**
     * Unwraps nested PrivilegedActionExceptions and returns the innermost exception
     * (any other Exception is returned unchanged; a wrapper without a cause yields null).
     *
     * @param exc the exception to unwrap
     * @return the innermost non-PrivilegedActionException, or null
     */
    private static Exception extractException(Exception exc) {
        Exception current = exc;
        for (;;) {
            if (!(current instanceof PrivilegedActionException)) {
                return current;
            }
            current = ((PrivilegedActionException) current).getException();
        }
    }

    /** Forgets the authenticated principal; the service configuration is cleared by nullifyUsedVars(). */
    public void destroyModuleState() {
        userPrincipal = null;
    }

    /**
     * Drops every configuration-derived field, including this instance's reference to the
     * service Subject (its Kerberos credentials), so nothing sensitive lingers after use.
     * The JVM-wide configTable keeps its own copy; the user principal is left to
     * destroyModuleState().
     */
    public void nullifyUsedVars() {
        serviceSubject = null;
        options = null;
        confIndex = null;
        servicePrincipalName = null;
        keyTabFile = null;
        kdcRealm = null;
        kdcServer = null;
        authLevel = null;
        trustedKerberosRealms = Collections.<String>emptySet();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Sets the module principal from a Kerberos name, after getUserName has applied the
     * returnRealm setting (realm kept or stripped).
     *
     * @param str the initiator name from the GSS context, e.g. "user@REALM"
     */
    public void setPrincipal(String str) {
        String userName = getUserName(str);
        this.userPrincipal = new WindowsDesktopSSOPrincipal(userName);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Maps a Kerberos name to the user name used for lookup and for the principal.
     *
     * With returnRealm=true the name is returned untouched; otherwise everything from the
     * first '@' onwards is dropped, so "alice@CORP.EXAMPLE" and "alice@OTHER.EXAMPLE" both
     * become "alice". In that mode the trusted-realm list checked in authenticateToken is the
     * only thing keeping principals from different realms apart.
     *
     * @param str Kerberos name, e.g. "user@REALM"
     * @return the user name per the returnRealm setting
     */
    public String getUserName(String str) {
        if (this.returnRealm) {
            return str;
        }
        int at = str.indexOf(REALM_SEPARATOR);
        return at == -1 ? str : str.substring(PRINCIPAL, at);
    }

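    /**
     * True when the request attribute "http-auth-failed" (set server-side by an earlier
     * stage; it is an attribute, not a client parameter) is true.
     *
     * The value is read through toString() rather than a String cast, so a Boolean
     * attribute no longer throws ClassCastException; a missing attribute yields false,
     * as before.
     *
     * @param httpServletRequest the current request, must not be null
     * @return whether HTTP authentication was already marked as failed
     */
    private boolean hasWDSSOFailed(HttpServletRequest httpServletRequest) {
        Object flag = httpServletRequest.getAttribute("http-auth-failed");
        return flag != null && Boolean.parseBoolean(flag.toString());
    }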

    /**
     * Extracts the base64 SPNEGO token from an "Authorization: Negotiate <token>" header.
     *
     * The scheme match is case-sensitive and a bare "Negotiate" value hands an empty
     * string to the decoder. The token is client-controlled and is only validated later by
     * parseToken and acceptSecContext; no size limit is applied here beyond whatever the
     * servlet container enforces on headers.
     *
     * @param httpServletRequest the request, may be null
     * @return the decoded token, or null when absent or undecodable
     */
    private byte[] getSPNEGOTokenFromHTTPRequest(HttpServletRequest httpServletRequest) {
        if (httpServletRequest == null) {
            return null;
        }
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null || !header.startsWith("Negotiate")) {
            return null;
        }
        String encoded = header.substring("Negotiate".length()).trim();
        try {
            return Base64.decode(encoded);
        } catch (Exception e) {
            this.debug.error("Decoding token error.");
            if (this.debug.messageEnabled()) {
                this.debug.message("Stack trace: ", e);
            }
            return null;
        }
    }

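    /**
     * Extracts the base64 SPNEGO token from the Authorization value of the first callback
     * when that callback is an HttpCallback.
     *
     * The callback type is now checked with instanceof instead of an unconditional cast,
     * so a chain that hands this module a different callback type gets null (no token)
     * rather than a ClassCastException.
     *
     * @param callbackArr callbacks supplied by the framework, may be null or empty
     * @return the decoded token, or null when absent, blank or undecodable
     */
    private byte[] getSPNEGOTokenFromCallback(Callback[] callbackArr) {
        if (callbackArr == null || callbackArr.length == 0 || !(callbackArr[PRINCIPAL] instanceof HttpCallback)) {
            return null;
        }
        String authorization = ((HttpCallback) callbackArr[PRINCIPAL]).getAuthorization();
        if (!StringUtils.isNotBlank(authorization)) {
            return null;
        }
        try {
            return Base64.decode(authorization);
        } catch (Exception e) {
            this.debug.error("Decoding token error.");
            if (this.debug.messageEnabled()) {
                this.debug.message("Stack trace: ", e);
            }
            return null;
        }
    }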

    /**
     * Extracts the Kerberos V5 token from an inbound GSS-API token.
     *
     * Two shapes are accepted, both inside the GSS-API InitialContextToken wrapper
     * ([APPLICATION 0] constructed, tag 0x60):
     *  - SPNEGO: OID 1.3.6.1.5.5.2, then a NegTokenInit ([0], tag 0xA0) holding a SEQUENCE
     *    (0x30) whose [2] element (tag 0xA2, the mechToken) is unwrapped and returned;
     *  - raw Kerberos: OID 1.2.840.113554.1.2.2 directly, in which case the whole input is
     *    returned unchanged.
     * Any other OID yields null. The Microsoft Kerberos OID (MS_KERBEROS_OID) is declared
     * on this class but never compared here, so a raw token carrying it is rejected.
     *
     * The input is client-supplied. Stream reads are not length-checked: a short token
     * leaves zero bytes in the OID buffer and simply fails the comparison. Malformed DER is
     * left to DerValue; whatever it throws propagates to the caller untouched. In the SPNEGO
     * branch, if the [0]/SEQUENCE/[2] structure is not found, the ORIGINAL token (not null)
     * is returned.
     *
     * @param bArr the decoded Authorization token
     * @return the token to hand to acceptSecContext, or null when no known OID is found
     */
    private byte[] parseToken(byte[] bArr) {
        DerValue derValue;
        byte[] bArr2 = bArr;
        DerValue derValue2 = new DerValue(bArr);
        if (this.debug.messageEnabled()) {
            this.debug.message("token tag:" + DerValue.printByte(derValue2.getTag()));
        }
        // 0x60 = [APPLICATION 0] constructed: the GSS-API InitialContextToken wrapper.
        if (derValue2.getTag() != 96) {
            return null;
        }
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(derValue2.getData());
        // Read as many bytes as the SPNEGO OID encoding is long (8); the return value of
        // read() is ignored, so a short token just fails the equality check below.
        byte[] bArr3 = new byte[spnegoOID.length];
        byteArrayInputStream.read(bArr3, PRINCIPAL, bArr3.length);
        if (Arrays.equals(bArr3, spnegoOID)) {
            if (this.debug.messageEnabled()) {
                this.debug.message("SPNEGO OID found in the Auth Token");
            }
            DerValue derValue3 = new DerValue(byteArrayInputStream);
            // 0xA0 (-96) = [0] NegTokenInit.
            if (derValue3.getTag() == -96) {
                if (this.debug.messageEnabled()) {
                    this.debug.message("DerValue: found init token");
                }
                DerValue derValue4 = new DerValue(derValue3.getData());
                // 0x30 = SEQUENCE of NegTokenInit fields (mechTypes, reqFlags, mechToken, ...).
                if (derValue4.getTag() == 48) {
                    if (this.debug.messageEnabled()) {
                        this.debug.message("DerValue: 0x30 constructed token found");
                    }
                    ByteArrayInputStream byteArrayInputStream2 = new ByteArrayInputStream(derValue4.getData());
                    DerValue derValue5 = new DerValue(byteArrayInputStream2);
                    // Walk the sequence elements until [2] mechToken (0xA2, -94) or end of
                    // data (tag -1 - presumably DerValue's end-of-stream marker; confirm).
                    while (true) {
                        derValue = derValue5;
                        if (derValue.getTag() == -1 || derValue.getTag() == -94) {
                            break;
                        }
                        derValue5 = new DerValue(byteArrayInputStream2);
                    }
                    if (derValue.getTag() != -1) {
                        // Unwrap the inner value of [2] (per SPNEGO an OCTET STRING); its
                        // contents are the Kerberos token.
                        bArr2 = new DerValue(derValue.getData()).getData();
                    }
                }
            }
        } else {
            if (this.debug.messageEnabled()) {
                this.debug.message("SPNEGO OID not found in the Auth Token");
            }
            // Not SPNEGO: keep the 8 bytes already read and fetch the remaining 3 so the
            // buffer holds a complete 11-byte Kerberos V5 OID encoding.
            byte[] bArr4 = new byte[KERBEROS_V5_OID.length];
            int i = PRINCIPAL;
            while (i < bArr3.length) {
                bArr4[i] = bArr3[i];
                i += KEYTAB;
            }
            byteArrayInputStream.read(bArr4, i, bArr4.length - i);
            // Only 1.2.840.113554.1.2.2 is accepted; MS_KERBEROS_OID is never compared.
            if (!Arrays.equals(bArr4, KERBEROS_V5_OID)) {
                if (this.debug.messageEnabled()) {
                    this.debug.message("Kerberos V5 OID not found in the Auth Token");
                }
                bArr2 = PRINCIPAL;
            } else if (this.debug.messageEnabled()) {
                this.debug.message("Kerberos V5 OID found in the Auth Token");
            }
        }
        return bArr2;
    }

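    /**
     * Loads the module options into this instance and tries to adopt the cached service
     * Subject for this organisation/module instance.
     *
     * Every option is read fresh on each call, so auth level, returnRealm,
     * lookupUserInRealm and the trusted realm set are always current. The JVM-wide
     * configTable entry keyed "<org>/<moduleInstanceName>" is used only when its cached
     * principal, keytab path, realm and KDC still match the current options; then the
     * cached Subject is adopted and true is returned. A missing entry, any mismatch or a
     * missing Subject returns false so the caller performs a fresh service login.
     * Comparisons are made against the cached (non-null) values, so an option that is now
     * empty no longer causes a NullPointerException here - verifyAttributes reports it with
     * the proper error key instead.
     *
     * @return true if the cached service Subject was adopted
     */
    private boolean getConfigParams() {
        this.servicePrincipalName = getMapAttr(this.options, PRINCIPAL);
        this.keyTabFile = getMapAttr(this.options, KEYTAB);
        this.kdcRealm = getMapAttr(this.options, REALM);
        this.kdcServer = getMapAttr(this.options, KDC);
        this.authLevel = getMapAttr(this.options, AUTHLEVEL);
        this.returnRealm = Boolean.valueOf(getMapAttr(this.options, RETURNREALM)).booleanValue();
        this.lookupUserInRealm = Boolean.valueOf(getMapAttr(this.options, LOOKUPUSER)).booleanValue();
        this.trustedKerberosRealms = getAcceptedKerberosRealms(this.options);
        if (this.debug.messageEnabled()) {
            this.debug.message("WindowsDesktopSSO params: \nprincipal: " + this.servicePrincipalName + "\nkeytab file: " + this.keyTabFile + "\nrealm : " + this.kdcRealm + "\nkdc server: " + this.kdcServer + "\ndomain principal: " + this.returnRealm + "\nLookup user in realm:" + this.lookupUserInRealm + "\nAccepted Kerberos realms: " + this.trustedKerberosRealms + "\nauth level: " + this.authLevel);
        }
        this.confIndex = getRequestOrg() + "/" + this.options.get("moduleInstanceName");
        Map cached = (Map) configTable.get(this.confIndex);
        if (cached == null) {
            return false;
        }
        String cachedPrincipal = (String) cached.get(configAttributes[PRINCIPAL]);
        String cachedKeytab = (String) cached.get(configAttributes[KEYTAB]);
        String cachedRealm = (String) cached.get(configAttributes[REALM]);
        String cachedKdc = (String) cached.get(configAttributes[KDC]);
        boolean unchanged = cachedPrincipal != null && cachedPrincipal.equalsIgnoreCase(this.servicePrincipalName)
                && cachedKeytab != null && cachedKeytab.equals(this.keyTabFile)
                && cachedRealm != null && cachedRealm.equals(this.kdcRealm)
                && cachedKdc != null && cachedKdc.equalsIgnoreCase(this.kdcServer);
        if (!unchanged) {
            return false;
        }
        this.serviceSubject = (Subject) cached.get(configAttributes[SUBJECT]);
        if (this.serviceSubject == null) {
            return false;
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("Retrieved config params from cache.");
        }
        return true;
    }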

    /**
     * Validates the module options, logs the service principal in and records the result
     * in the JVM-wide configTable under {@link #confIndex} (set by getConfigParams, which
     * must run first).
     *
     * The cache entry stores the logged-in service Subject next to the principal, keytab
     * path, realm and KDC that produced it; getConfigParams later reuses the Subject only
     * while those four values still match. The get/put on configTable is not atomic, so
     * two instances initialising the same index concurrently may each log in once.
     *
     * @param map unused; the options are taken from {@link #options}
     * @throws AuthLoginException from verifyAttributes or serviceLogin
     */
    private void initWindowsDesktopSSOAuth(Map map) throws AuthLoginException {
        if (this.debug.messageEnabled()) {
            this.debug.message("Init WindowsDesktopSSO. This should not happen often.");
        }
        verifyAttributes();
        serviceLogin();
        Map existing = (Map) configTable.get(this.confIndex);
        Map entry = existing != null ? existing : new HashMap();
        entry.put(configAttributes[SUBJECT], this.serviceSubject);
        entry.put(configAttributes[PRINCIPAL], this.servicePrincipalName);
        entry.put(configAttributes[KEYTAB], this.keyTabFile);
        entry.put(configAttributes[REALM], this.kdcRealm);
        entry.put(configAttributes[KDC], this.kdcServer);
        configTable.put(this.confIndex, entry);
    }

    /**
     * Logs the service principal in using the keytab, with Kerberos settings taken from the
     * krb5.conf file maintained by createUpdateKrb5ConfigFile.
     *
     * Sets java.security.auth.login.config to /dev/null process-wide (no file-based JAAS
     * configuration is consulted; the entry comes from the WindowsDesktopSSOConfig passed
     * directly to the LoginContext). On success {@link #serviceSubject} holds the
     * credentials. The "debug" module option, when present, is forwarded to the JAAS
     * configuration as-is.
     *
     * @throws AuthLoginException key "serviceAuth" wrapping any login failure
     */
    private void serviceLoginDynamic() throws AuthLoginException {
        if (this.debug.messageEnabled()) {
            this.debug.message("New Service Login Dynamic ...");
        }
        System.setProperty("java.security.auth.login.config", "/dev/null");
        createUpdateKrb5ConfigFile();
        try {
            WindowsDesktopSSOConfig jaasConfig = new WindowsDesktopSSOConfig(Configuration.getConfiguration());
            jaasConfig.setPrincipalName(this.servicePrincipalName);
            jaasConfig.setKeyTab(this.keyTabFile);
            if (this.options.containsKey("debug")) {
                jaasConfig.setDebug(CollectionHelper.getMapAttr(this.options, "debug"));
            }
            LoginContext context = new LoginContext(WindowsDesktopSSOConfig.defaultAppName, (Subject) null, (CallbackHandler) null, jaasConfig);
            context.login();
            this.serviceSubject = context.getSubject();
            if (this.debug.messageEnabled()) {
                this.debug.message("Service login succeeded.");
            }
        } catch (Exception e) {
            this.debug.error("Service Login Error: ");
            if (this.debug.messageEnabled()) {
                this.debug.message("Stack trace: ", e);
            }
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "serviceAuth", (Object[]) null, e);
        }
    }

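    /**
     * Ensures the krb5.conf used by the JVM has a [realms] entry for kdcRealm listing
     * exactly the configured KDCs, rewriting the file when getUpdatedKrb5ConfigLines
     * reports a change.
     *
     * The file is the one named by the java.security.krb5.conf system property. When that
     * property is unset it is set here, process-wide, to "<java.io.tmpdir>/krb5.conf". The
     * JVM then takes its KDC locations from a file in a temp directory that is commonly
     * writable by other local users, so deployments should point java.security.krb5.conf at
     * a file only the AM process can write; a warning is logged whenever the default is
     * used. The file is read and written as UTF-8 (it was previously written in the
     * platform charset). Writes are serialised on the class monitor and use
     * try-with-resources; read and write errors are logged and swallowed so the login
     * attempt proceeds with whatever configuration is on disk.
     */
    @VisibleForTesting
    protected void createUpdateKrb5ConfigFile() {
        if (System.getProperty("java.security.krb5.conf") == null) {
            String defaultPath = System.getProperty("java.io.tmpdir") + File.separator + "krb5.conf";
            this.debug.warning("java.security.krb5.conf is not set; defaulting to " + defaultPath
                    + " in the shared temp directory. Set the property to a file only this process can write.");
            System.setProperty("java.security.krb5.conf", defaultPath);
        }
        File file = new File(System.getProperty("java.security.krb5.conf"));
        List<String> currentLines = new LinkedList<String>();
        if (file.exists()) {
            try {
                currentLines.addAll(Files.readAllLines(file.toPath(), StandardCharsets.UTF_8));
            } catch (Exception e) {
                this.debug.warning("error reading krb5.conf file", e);
            }
        }
        List<String> updatedLines = getUpdatedKrb5ConfigLines(currentLines);
        if (updatedLines == null) {
            return;
        }
        if (this.debug.messageEnabled()) {
            this.debug.message("settings updated, need to update krb5.conf file in " + System.getProperty("java.security.krb5.conf"));
            this.debug.message("new config: " + updatedLines);
        }
        synchronized (WindowsDesktopSSO.class) {
            // newBufferedWriter creates/truncates like FileOutputStream(file, false) did.
            try (PrintWriter writer = new PrintWriter(Files.newBufferedWriter(file.toPath(), StandardCharsets.UTF_8))) {
                for (String line : updatedLines) {
                    writer.println(line);
                }
            } catch (Exception e) {
                this.debug.warning("error writing krb5.conf file", e);
            }
        }
    }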

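    /**
     * Computes krb5.conf content containing a [realms] block for kdcRealm that lists exactly
     * the configured KDCs (kdcServer split on ':').
     *
     * The scan runs to the end of the [realms] section and records the section header, the
     * "<kdcRealm> = {" block header (realm compared case-insensitively) and the
     * "kdc = host" lines inside that block. Returns null (nothing to do) when the section
     * and the block both exist and the block's KDC set equals the configured set.
     * Otherwise returns a copy of the input with the block rewritten in place, inserted
     * directly under an existing [realms] header, or appended together with a new
     * [realms] header when the section is absent.
     *
     * Changes from the previous version: KDC lines are collected only from the target
     * realm's block (before, kdc lines of any earlier realm - or above the [realms]
     * section - counted too and could mask a missing entry); a new block for an existing
     * [realms] section is placed in that section instead of at the end of the file, where
     * it could land under a later section; and the realm is upper-cased with Locale.ROOT.
     * Unchanged limitation: a block without a closing "}" is not removed before the
     * rewritten block is inserted in front of it.
     *
     * @param list current krb5.conf lines; not modified
     * @return the new lines, or null when no change is needed
     */
    @VisibleForTesting
    protected List<String> getUpdatedKrb5ConfigLines(List<String> list) {
        LinkedList<String> lines = new LinkedList<String>(list);
        int realmsHeaderIdx = -1;
        int realmBlockIdx = -1;
        int realmBlockLen = -1;
        Set<String> existingKdcs = new HashSet<String>();
        for (int idx = 0; idx < lines.size(); idx++) {
            String line = lines.get(idx).trim();
            if (line.equalsIgnoreCase("[realms]")) {
                realmsHeaderIdx = idx;
                continue;
            }
            if (realmsHeaderIdx > -1 && line.startsWith("[")) {
                break; // left the [realms] section
            }
            Matcher realmMatch = REALM_PATTERN.matcher(line);
            if (realmMatch.matches() && this.kdcRealm.equalsIgnoreCase(realmMatch.group(1))) {
                realmBlockIdx = idx;
                continue;
            }
            if (realmBlockIdx > -1 && line.startsWith("}")) {
                realmBlockLen = idx - realmBlockIdx;
                break;
            }
            Matcher kdcMatch = KDC_PATTERN.matcher(line);
            if (realmBlockIdx > -1 && kdcMatch.matches()) {
                existingKdcs.add(kdcMatch.group(1));
            }
        }
        List<String> configuredKdcs = Arrays.asList(this.kdcServer.split(":"));
        boolean kdcsUpToDate = new HashSet<String>(configuredKdcs).equals(existingKdcs);
        if (kdcsUpToDate && realmsHeaderIdx != -1 && realmBlockIdx != -1) {
            return null;
        }
        List<String> block = new ArrayList<String>();
        if (realmsHeaderIdx == -1) {
            block.add("[realms]");
        }
        block.add("  ".concat(this.kdcRealm.toUpperCase(Locale.ROOT)).concat("={"));
        for (String kdc : configuredKdcs) {
            block.add("    kdc=".concat(kdc));
        }
        block.add("}");
        if (realmsHeaderIdx == -1) {
            lines.addAll(block);
        } else if (realmBlockIdx == -1) {
            lines.addAll(realmsHeaderIdx + 1, block);
        } else {
            // Drop the old block (header through "}") and put the new one in its place.
            for (int n = 0; n <= realmBlockLen; n++) {
                lines.remove(realmBlockIdx);
            }
            lines.addAll(realmBlockIdx, block);
        }
        return lines;
    }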

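    /**
     * Logs the service principal in using the keytab, with the realm and KDC supplied
     * through the java.security.krb5.realm / java.security.krb5.kdc system properties.
     *
     * Everything this method touches is JVM-global: the three system properties, and the
     * JAAS Configuration installed with Configuration.setConfiguration (an existing
     * WindowsDesktopSSOConfig is reused and told to refresh). Because only one realm/KDC
     * pair can be active per JVM this way, the critical section is now guarded by the class
     * monitor (as createUpdateKrb5ConfigFile already does) rather than by the instance
     * monitor, which did not serialise two module instances racing to set different values
     * before their respective logins. The "debug" module option, when present, is forwarded
     * to the JAAS configuration as-is.
     *
     * @throws AuthLoginException key "serviceAuth" wrapping any login failure
     */
    private void serviceLoginStatic() throws AuthLoginException {
        WindowsDesktopSSOConfig windowsDesktopSSOConfig;
        if (this.debug.messageEnabled()) {
            this.debug.message("New Service Login Static ...");
        }
        synchronized (WindowsDesktopSSO.class) {
            System.setProperty("java.security.krb5.realm", this.kdcRealm);
            System.setProperty("java.security.krb5.kdc", this.kdcServer);
            System.setProperty("java.security.auth.login.config", "/dev/null");
            try {
                Configuration configuration = Configuration.getConfiguration();
                if (configuration instanceof WindowsDesktopSSOConfig) {
                    windowsDesktopSSOConfig = (WindowsDesktopSSOConfig) configuration;
                    windowsDesktopSSOConfig.setRefreshConfig("true");
                } else {
                    windowsDesktopSSOConfig = new WindowsDesktopSSOConfig(configuration);
                }
                windowsDesktopSSOConfig.setPrincipalName(this.servicePrincipalName);
                windowsDesktopSSOConfig.setKeyTab(this.keyTabFile);
                if (this.options.containsKey("debug")) {
                    windowsDesktopSSOConfig.setDebug(CollectionHelper.getMapAttr(this.options, "debug"));
                }
                Configuration.setConfiguration(windowsDesktopSSOConfig);
                LoginContext loginContext = new LoginContext(WindowsDesktopSSOConfig.defaultAppName);
                loginContext.login();
                this.serviceSubject = loginContext.getSubject();
                if (this.debug.messageEnabled()) {
                    this.debug.message("Service login succeeded.");
                }
            } catch (Exception e) {
                this.debug.error("Service Login Error: ");
                if (this.debug.messageEnabled()) {
                    this.debug.message("Stack trace: ", e);
                }
                throw new AuthLoginException(amAuthWindowsDesktopSSO, "serviceAuth", (Object[]) null, e);
            }
        }
    }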

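    /**
     * Logs the service principal in, choosing the mechanism by the USE_KRB5_CONF_FILE flag
     * (system property "<this class>.useKrb5ConfFile", default true): krb5.conf-driven
     * (serviceLoginDynamic) or system-property-driven (serviceLoginStatic).
     *
     * The debug messages previously claimed the choice depended on whether
     * java.security.krb5.conf was set; they now name the flag actually consulted.
     *
     * @throws AuthLoginException key "serviceAuth" if the login fails
     */
    private void serviceLogin() throws AuthLoginException {
        if (USE_KRB5_CONF_FILE) {
            if (this.debug.messageEnabled()) {
                this.debug.message("useKrb5ConfFile enabled, using dynamic service login and config from krb5.conf file");
            }
            serviceLoginDynamic();
        } else {
            if (this.debug.messageEnabled()) {
                this.debug.message("useKrb5ConfFile disabled, using static service login with java.security.krb5.realm/kdc");
            }
            serviceLoginStatic();
        }
    }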

    /**
     * Reads the module option whose name is configAttributes[i] from {@code map}.
     *
     * @param map the module options
     * @param i   index into configAttributes (PRINCIPAL, KEYTAB, ...)
     * @return the attribute value as returned by CollectionHelper.getMapAttr
     */
    private String getMapAttr(Map map, int i) {
        String attributeName = configAttributes[i];
        return CollectionHelper.getMapAttr(map, attributeName);
    }

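    /**
     * Validates the options loaded by getConfigParams and applies the auth level.
     *
     * Principal, keytab path, realm, KDC and auth level must be non-empty; the keytab must
     * exist either at the given path or at the path with its first 7 characters removed
     * (presumably a "file://" prefix - confirm against the admin UI). A keytab value shorter
     * than that prefix is now reported as "nokeytab" instead of throwing
     * StringIndexOutOfBoundsException. The auth level must parse as an int.
     *
     * @throws AuthLoginException keys "nullprincipal", "nullkeytab", "nullrealm", "nullkdc",
     *         "nullauthlevel", "nokeytab" or "authlevel"
     */
    private void verifyAttributes() throws AuthLoginException {
        if (isMissing(this.servicePrincipalName)) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullprincipal", (Object[]) null);
        }
        if (isMissing(this.keyTabFile)) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullkeytab", (Object[]) null);
        }
        if (isMissing(this.kdcRealm)) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullrealm", (Object[]) null);
        }
        if (isMissing(this.kdcServer)) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullkdc", (Object[]) null);
        }
        if (isMissing(this.authLevel)) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nullauthlevel", (Object[]) null);
        }
        if (!keytabExists(this.keyTabFile)) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "nokeytab", (Object[]) null);
        }
        try {
            setAuthLevel(Integer.parseInt(this.authLevel));
        } catch (Exception e) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "authlevel", (Object[]) null, e);
        }
    }

    /** True for a null or empty option value. */
    private static boolean isMissing(String value) {
        return value == null || value.length() == 0;
    }

    /**
     * True if {@code path} exists as given, or exists after dropping a 7-character prefix
     * (presumably a "file://" scheme). Values of 7 characters or fewer cannot carry a path
     * after the prefix and are reported as missing rather than throwing.
     */
    private static boolean keytabExists(String path) {
        final int uriPrefixLength = 7;
        if (new File(path).exists()) {
            return true;
        }
        return path.length() > uriPrefixLength && new File(path.substring(uriPrefixLength)).exists();
    }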

    /* JADX INFO: Access modifiers changed from: private */
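    /**
     * Looks up {@code str} in the identity repository of organization {@code str2} (defaulting
     * to "/" when empty), matching it against every configured user alias attribute with an
     * OR search capped at {@code KEYTAB} result(s) and a 3000 ms timeout.
     *
     * Note that the value returned on success is the caller-supplied name, trimmed — not an
     * identifier taken from the matched identity. Because the search is an OR over several
     * alias attributes with the result count capped, an ambiguous match across two accounts
     * is not detected here; the first result wins.
     *
     * Fix: the result object is null-checked before {@code getErrorCode()} is called on it
     * (the original dereferenced first and null-checked afterwards).
     *
     * @param str  the user name taken from the validated Kerberos token
     * @param str2 the organization / realm to search; "" means the root organization "/"
     * @return {@code str.trim()} when a matching identity was found, otherwise {@code null}
     * @throws AuthLoginException wrapping IdRepoException ("idRepoSearch") or SSOException ("ssoSearch")
     */
    public String searchUserAccount(String str, String str2) throws AuthLoginException {
        final String organization = str2.isEmpty() ? "/" : str2;
        if (this.debug.messageEnabled()) {
            this.debug.message("WindowsDesktopSSO.searchUserAccount:  searching for user " + str + " in the organization =" + organization);
        }
        IdSearchControl control = new IdSearchControl();
        control.setMaxResults(KEYTAB);
        control.setTimeOut(3000);
        control.setSearchModifiers(IdSearchOpModifier.OR, buildSearchControl(str));
        control.setAllReturnAttributes(false);
        try {
            IdSearchResults results = new AMIdentityRepository(getSSOSession(), organization)
                    .searchIdentities(IdType.USER, new CrestQuery("*", (QueryFilter) null, (List) null, false), control);
            if (results != null && results.getErrorCode() == 0) {
                Set<?> matches = results.getSearchResults();
                if (!matches.isEmpty()) {
                    if (this.debug.messageEnabled()) {
                        this.debug.message("WindowsDesktopSSO.searchUserAccount: " + matches.size() + " result(s) obtained");
                    }
                    AMIdentity identity = (AMIdentity) matches.iterator().next();
                    if (identity != null) {
                        if (this.debug.messageEnabled()) {
                            // Debug-level only: this dumps the alias attribute values of the matched account.
                            this.debug.message("WindowsDesktopSSO.searchUserAccount: user = " + identity.getUniversalId());
                            this.debug.message("WindowsDesktopSSO.searchUserAccount: attrs =" + identity.getAttributes(getUserAliasList()));
                        }
                        return str.trim();
                    }
                }
            }
            if (this.debug.messageEnabled()) {
                this.debug.message("WindowsDesktopSSO.searchUserAccount:  No results were found !");
            }
            return null;
        } catch (IdRepoException e) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "idRepoSearch", new String[]{str, organization}, e);
        } catch (SSOException e2) {
            throw new AuthLoginException(amAuthWindowsDesktopSSO, "ssoSearch", new String[]{str, organization}, e2);
        }
    }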

    /**
     * Builds the search-modifier map for {@link #searchUserAccount}: every configured user
     * alias attribute is mapped to a singleton set holding {@code str}, so the repository
     * search can match the name against any alias.
     *
     * @param str the user name to search for
     * @return alias attribute name to the set {@code {str}}
     * @throws AuthLoginException propagated from {@code getUserAliasList()}
     */
    private Map<String, Set<String>> buildSearchControl(String str) throws AuthLoginException {
        Map<String, Set<String>> byAlias = new HashMap<String, Set<String>>();
        for (Object alias : getUserAliasList()) {
            Set<String> values = new HashSet<String>();
            values.add(str);
            byAlias.put((String) alias, values);
        }
        return byAlias;
    }

    /**
     * Adds {@code str} to {@code set} and hands the same set back, so the call can be used
     * inline as an expression.
     *
     * @param set the set to mutate (returned as-is)
     * @param str the element to add
     * @return {@code set}
     */
    private static Set<String> addToSet(Set<String> set, String str) {
        final Set<String> target = set;
        target.add(str);
        return target;
    }

    /**
     * Reads the accepted Kerberos realms from the module options.
     *
     * @param map module options keyed by attribute name
     * @return a read-only view of the configured realm set, or an empty set when the
     *         {@code ACCEPTED_REALMS_ATTR} option is absent
     */
    private static Set<String> getAcceptedKerberosRealms(Map map) {
        Object configured = map.get(ACCEPTED_REALMS_ATTR);
        if (configured == null) {
            return Collections.<String>emptySet();
        }
        return Collections.unmodifiableSet((Set) configured);
    }

    /* JADX INFO: Access modifiers changed from: private */
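    /**
     * Decides whether the realm carried in a Kerberos principal name is the realm this
     * module trusts. The realm is the text after the first {@code REALM_SEPARATOR} in the
     * principal and is compared to {@code str2} ignoring case.
     *
     * Fails closed: a null principal, or one without a separator, is not trusted.
     *
     * NOTE(review): Kerberos realm names are case-sensitive per RFC 4120, so the
     * case-insensitive comparison accepts a wider set than an exact match would; kept
     * as-is to preserve existing behaviour — confirm this is intended.
     *
     * The original body used the module's int constants in place of boolean literals and
     * as the separator skip; they are written as {@code false}/{@code true}/{@code 1} here.
     *
     * @param str  principal name from the validated token, e.g. {@code user@REALM}; may be null
     * @param str2 the trusted realm to compare against
     * @return true only when the principal's realm equals {@code str2} ignoring case
     */
    public static boolean isTokenTrusted(String str, String str2) {
        if (str == null) {
            return false;
        }
        int separatorIndex = str.indexOf(REALM_SEPARATOR);
        if (separatorIndex == -1) {
            return false;
        }
        // Skip the separator itself; everything after it is taken as the realm.
        String tokenRealm = str.substring(separatorIndex + 1);
        return tokenRealm.equalsIgnoreCase(str2);
    }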
}
