package cern.nxcals.service.client.security;

import feign.Client;
import feign.Request;
import feign.Response;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.lang.StringUtils;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/nxcals-service-client-0.1.84.jar:cern/nxcals/service/client/security/KerberosAwareClient.class */
public class KerberosAwareClient implements Client {
    private static final Logger log = LoggerFactory.getLogger(KerberosAwareClient.class);
    private static final String SPNEGO_OID_VERSION = "1.3.6.1.5.5.2";
    private final Oid spnegoOid;
    private final String keytabLocation;
    private final String userPrincipal;
    private final String serviceType;
    private final Client client;
    private final ClientLoginConfig loginConfig;

    /* loaded from: input_file:BOOT-INF/lib/nxcals-service-client-0.1.84.jar:cern/nxcals/service/client/security/KerberosAwareClient$Builder.class */
    public static class Builder {
        private String keytabLocation;
        private String userPrincipal;
        private Map<String, Object> loginOptions;
        private SSLSocketFactory sslContextFactory;
        private HostnameVerifier hostnameVerifier;
        private String serviceType;
        private Client client;

        private Builder() {
            this.keytabLocation = null;
            this.userPrincipal = null;
            this.loginOptions = null;
            this.sslContextFactory = null;
            this.hostnameVerifier = null;
            this.serviceType = null;
            this.client = null;
        }

        public Builder setKeytabLocation(String str) {
            this.keytabLocation = str;
            return this;
        }

        public Builder setUserPrincipal(String str) {
            this.userPrincipal = str;
            return this;
        }

        public Builder setLoginOptions(Map<String, Object> map) {
            if (map != null) {
                this.loginOptions = new HashMap(map);
            }
            return this;
        }

        public Builder setSslContextFactory(SSLSocketFactory sSLSocketFactory) {
            this.sslContextFactory = sSLSocketFactory;
            return this;
        }

        public Builder setHostnameVerifier(HostnameVerifier hostnameVerifier) {
            this.hostnameVerifier = hostnameVerifier;
            return this;
        }

        public Builder setServiceType(String str) {
            this.serviceType = str;
            return this;
        }

        public Builder setFeignClient(Client client) {
            this.client = client;
            return this;
        }

        public KerberosAwareClient build() {
            if (this.client == null) {
                this.client = new Client.Default(this.sslContextFactory, this.hostnameVerifier);
            }
            return new KerberosAwareClient(this.keytabLocation, this.userPrincipal, this.loginOptions, this.serviceType, this.client);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/nxcals-service-client-0.1.84.jar:cern/nxcals/service/client/security/KerberosAwareClient$ClientLoginConfig.class */
    public static class ClientLoginConfig extends Configuration {
        private final String keyTabLocation;
        private final String userPrincipal;
        private final Map<String, Object> loginOptions;

        private ClientLoginConfig(String str, String str2, Map<String, Object> map) {
            this.keyTabLocation = str;
            this.userPrincipal = str2;
            this.loginOptions = map;
        }

        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            HashMap hashMap = new HashMap();
            hashMap.put("doNotPrompt", "true");
            hashMap.put("useTicketCache", "true");
            hashMap.put("refreshKrb5Config", "true");
            hashMap.put("renewTGT", "true");
            hashMap.put("useFirstPass", "true");
            if (StringUtils.isNotEmpty(this.userPrincipal)) {
                hashMap.put("principal", this.userPrincipal);
            }
            if (StringUtils.isNotEmpty(this.keyTabLocation)) {
                hashMap.put("useKeyTab", "true");
                hashMap.put("keyTab", this.keyTabLocation);
            }
            if (this.loginOptions != null) {
                hashMap.putAll(this.loginOptions);
            }
            return new AppConfigurationEntry[]{new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, hashMap)};
        }
    }

    private KerberosAwareClient(String str, String str2, Map<String, Object> map, String str3, Client client) {
        try {
            this.spnegoOid = new Oid(SPNEGO_OID_VERSION);
            this.client = client;
            this.serviceType = str3;
            this.keytabLocation = str;
            this.userPrincipal = str2;
            this.loginConfig = new ClientLoginConfig(str, str2, map);
            log.debug("KeytabLocation: {}, UserPrincipal: {}", this.keytabLocation, this.userPrincipal);
        } catch (GSSException e) {
            log.error("Error while creating Oid: ");
            throw new KerberosAuthenticationException("Error while creating Oid: 1.3.6.1.5.5.2", e);
        }
    }

    @Override // feign.Client
    public Response execute(Request request, Request.Options options) throws IOException {
        log.debug("Kerberos execute start");
        Subject kerberosLogin = kerberosLogin();
        GSSManager gSSManager = GSSManager.getInstance();
        String str = (String) Subject.doAs(kerberosLogin, () -> {
            try {
                Optional<Principal> findFirst = kerberosLogin.getPrincipals().stream().findFirst();
                if (!findFirst.isPresent()) {
                    throw new KerberosAuthenticationException("Error while acquiring ticket for service communication. No user principal found");
                }
                GSSCredential createCredential = gSSManager.createCredential(gSSManager.createName(findFirst.get().getName(), GSSName.NT_USER_NAME), Integer.MAX_VALUE, this.spnegoOid, 1);
                GSSName createName = gSSManager.createName(this.serviceType + "@" + URI.create(request.url()).getHost(), GSSName.NT_HOSTBASED_SERVICE);
                log.info("Trying to reach service host: {}", URI.create(request.url()).getHost());
                GSSContext createContext = gSSManager.createContext(createName, this.spnegoOid, createCredential, 0);
                createContext.requestMutualAuth(true);
                createContext.requestConf(false);
                createContext.requestInteg(true);
                String replace = new String(Base64.getEncoder().encode(createContext.initSecContext(new byte[0], 0, 0)), StandardCharsets.UTF_8).replace("\n", "");
                createContext.dispose();
                return replace;
            } catch (GSSException e) {
                log.error("Error while acquiring ticket for service communication ", e);
                throw new KerberosAuthenticationException("Error while acquiring ticket for service communication", e);
            }
        });
        HashMap hashMap = new HashMap(request.headers());
        hashMap.put("Authorization", Collections.singletonList("Negotiate " + str));
        Request create = Request.create(request.method(), request.url(), hashMap, request.body(), request.charset());
        log.debug("Kerberos execute end");
        Response execute = this.client.execute(create, options);
        log.debug("Kerberos execute after response");
        return execute;
    }

    public static Builder builder() {
        return new Builder();
    }

    private Subject kerberosLogin() {
        try {
            LoginContext loginContext = new LoginContext("", new Subject(false, Collections.emptySet(), Collections.emptySet(), Collections.emptySet()), (CallbackHandler) null, this.loginConfig);
            loginContext.login();
            return loginContext.getSubject();
        } catch (LoginException e) {
            log.error("Couldn't log in to Kerberos", (Throwable) e);
            throw new KerberosAuthenticationException("Couldn't log in to Kerberos", e);
        }
    }
}
