package cern.nxcals.service.client.security.kerberos;

import cern.nxcals.service.client.security.KerberosAuthenticationException;
import com.google.common.base.Strings;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.lang.StringUtils;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/nxcals-service-client-0.1.148.jar:cern/nxcals/service/client/security/kerberos/GssKerberosContext.class */
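/**
 * {@link KerberosContext} backed by the JDK's JAAS {@code Krb5LoginModule} and the GSS-API.
 *
 * <p>On construction the context performs a JAAS login (ticket cache, or the given keytab when a
 * location is supplied), turns the first principal of the resulting {@link Subject} into a
 * {@link GSSName} and acquires an initiate-only {@link GSSCredential} for the SPNEGO mechanism.
 * {@link #requestTokenFor(String)} then produces a Base64-encoded SPNEGO initial token for a
 * host-based service, re-logging in first when the credential is close to expiry.
 *
 * <p>Thread-safety: the subject, name and credential of one login are kept together in an
 * immutable {@link Login} snapshot held in a single {@code volatile} field, so a token request
 * never mixes the subject of one login with the credential of another. Re-login is serialized on
 * the instance monitor; the unsynchronized lifetime check before taking the lock is safe because
 * the snapshot is published atomically.
 */
public class GssKerberosContext implements KerberosContext {
    private static final Logger log = LoggerFactory.getLogger(GssKerberosContext.class);
    /** SPNEGO mechanism OID (RFC 4178); the only mechanism this context initiates. */
    private static final String SPNEGO_OID_VERSION = "1.3.6.1.5.5.2";
    /** Re-login when the credential reports fewer than this many seconds of remaining lifetime. */
    private static final int RENEWAL_MARGIN_SECONDS = 1000;
    private final Oid oid;
    private final ClientLoginConfig loginConfig;
    private final GSSManager manager;
    /** Current login snapshot; replaced as a whole by {@link #logon()}, read without locking elsewhere. */
    private volatile Login login;

    /**
     * Immutable result of one JAAS login: the subject and the GSS name / credential derived from it.
     */
    private static final class Login {
        private final Subject subject;
        private final GSSName name;
        private final GSSCredential cred;

        private Login(Subject subject, GSSName name, GSSCredential cred) {
            this.subject = subject;
            this.name = name;
            this.cred = cred;
        }
    }

    /**
     * Programmatic JAAS {@link Configuration} exposing exactly one {@code Krb5LoginModule} entry,
     * regardless of the application name asked for.
     *
     * <p>Defaults: non-interactive ({@code doNotPrompt}), ticket-cache based, TGT renewal and
     * krb5.conf refresh enabled; {@code principal} and keytab options are added only when given.
     * Caller-supplied options are applied last and therefore override any of the defaults,
     * including the keytab and principal settings.
     *
     * <p>NOTE(review): the decompiler reports this class was originally declared {@code private};
     * it is kept {@code public static} here to preserve the compiled interface.
     */
    public static class ClientLoginConfig extends Configuration {
        private static final String MODULE_NAME = "com.sun.security.auth.module.Krb5LoginModule";
        private final AppConfigurationEntry config;
        private final String userPrincipal;
        private final String keytabLocation;

        /**
         * @param userPrincipal  Kerberos principal to log in as; may be {@code null} or empty to let
         *                       the login module pick it from the ticket cache
         * @param keytabLocation path of the keytab file; {@code null} or empty means no keytab
         * @param extraOptions   additional {@code Krb5LoginModule} options, applied last; may be
         *                       {@code null}
         */
        private ClientLoginConfig(String userPrincipal, String keytabLocation, Map<String, Object> extraOptions) {
            this.userPrincipal = userPrincipal;
            this.keytabLocation = keytabLocation;
            Map<String, Object> options = new HashMap<>();
            options.put("doNotPrompt", "true"); // service use only: never block on a password prompt
            options.put("useTicketCache", "true");
            options.put("refreshKrb5Config", "true");
            options.put("renewTGT", "true");
            options.put("useFirstPass", "true");
            if (userPrincipal != null && !userPrincipal.isEmpty()) {
                options.put("principal", userPrincipal);
            }
            if (keytabLocation != null && !keytabLocation.isEmpty()) {
                options.put("useKeyTab", "true");
                options.put("keyTab", keytabLocation);
            }
            if (extraOptions != null) {
                options.putAll(extraOptions); // caller-supplied options win over the defaults above
            }
            this.config = new AppConfigurationEntry(MODULE_NAME,
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
        }

        String getUserPrincipal() {
            return this.userPrincipal;
        }

        String getKeytabLocation() {
            return this.keytabLocation;
        }

        /** Returns the single Krb5 entry for every application name, including the empty one. */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[]{this.config};
        }
    }

    /**
     * Logs in immediately and acquires the client credential.
     *
     * @param userPrincipal  Kerberos principal to authenticate as; {@code null}/empty lets the
     *                       login module choose
     * @param keytabLocation keytab path; {@code null}/empty to rely on the ticket cache
     * @param loginOptions   extra {@code Krb5LoginModule} options overriding the defaults; may be
     *                       {@code null}
     * @throws KerberosAuthenticationException if the keytab is given but missing, the SPNEGO OID
     *                                         cannot be built, or the login / credential
     *                                         acquisition fails
     */
    public GssKerberosContext(String userPrincipal, String keytabLocation, Map<String, Object> loginOptions) {
        verifyKeytab(keytabLocation);
        this.manager = GSSManager.getInstance();
        this.oid = initOid();
        this.loginConfig = new ClientLoginConfig(userPrincipal, keytabLocation, loginOptions);
        logon();
        log.debug(" ClientName: {}, UserPrincipal: {}, KeytabLocation: {}", this.login.name, userPrincipal, keytabLocation);
    }

    /** Fails fast with a clear message when a keytab path is configured but does not exist. */
    private void verifyKeytab(String keytabLocation) {
        if (keytabLocation != null && !keytabLocation.isEmpty() && !fileExists(keytabLocation)) {
            throw logAndWrap("Keytab file not found: " + keytabLocation);
        }
    }

    private boolean fileExists(String path) {
        return Paths.get(path).toFile().exists();
    }

    /** Builds the SPNEGO mechanism {@link Oid}; failure here is a JDK/environment problem. */
    private Oid initOid() {
        try {
            return new Oid(SPNEGO_OID_VERSION);
        } catch (GSSException e) {
            throw logAndWrap("Error while creating Oid: " + SPNEGO_OID_VERSION, e);
        }
    }

    /**
     * Performs a fresh JAAS login and publishes a new {@link Login} snapshot.
     *
     * <p>Name and credential are created inside {@code Subject.doAs} because the JDK Kerberos
     * mechanism looks for the TGT in the subject of the calling access-control context.
     * The snapshot is assigned only once all three parts exist, so readers never observe a
     * half-initialized login.
     *
     * @throws KerberosAuthenticationException if the JAAS login fails
     */
    private void logon() {
        try {
            // The application name is irrelevant: ClientLoginConfig returns the same entry for any name.
            LoginContext loginContext = new LoginContext("", new Subject(), (CallbackHandler) null, this.loginConfig);
            loginContext.login();
            Subject loggedIn = loginContext.getSubject();
            GSSName name = Subject.doAs(loggedIn, (PrivilegedAction<GSSName>) () -> initClientName(loggedIn));
            GSSCredential cred = Subject.doAs(loggedIn, (PrivilegedAction<GSSCredential>) () -> initClientCred(name));
            this.login = new Login(loggedIn, name, cred);
        } catch (LoginException e) {
            throw logAndWrap("Couldn't log in to Kerberos", e);
        }
    }

    /**
     * Re-logs in when the current credential is within {@link #RENEWAL_MARGIN_SECONDS} of expiry.
     * Double-checked so that concurrent callers perform at most one re-login.
     *
     * @throws KerberosAuthenticationException if the remaining lifetime cannot be read
     */
    private void tryRelogon() {
        try {
            if (isExpiring(this.login)) {
                synchronized (this) {
                    // Re-check under the lock: another thread may already have re-logged in.
                    if (isExpiring(this.login)) {
                        logon();
                    }
                }
            }
        } catch (GSSException e) {
            throw logAndWrap("Error renewing client credentials ", e);
        }
    }

    private static boolean isExpiring(Login current) throws GSSException {
        return current.cred.getRemainingLifetime() < RENEWAL_MARGIN_SECONDS;
    }

    /**
     * Resolves the first principal of the logged-in subject to a user-type {@link GSSName}.
     *
     * @throws KerberosAuthenticationException if the subject carries no principal or the name
     *                                         cannot be created
     */
    private GSSName initClientName(Subject loggedIn) {
        try {
            String principalName = loggedIn.getPrincipals().stream()
                    .map(Principal::getName)
                    .findFirst()
                    .orElseThrow(() -> new KerberosAuthenticationException(
                            "Error while acquiring ticket for service communication. No user principal found"));
            return this.manager.createName(principalName, GSSName.NT_USER_NAME);
        } catch (GSSException e) {
            throw logAndWrap("Error creating client principal ", e);
        }
    }

    /**
     * Acquires an initiate-only SPNEGO credential for {@code name} with the default lifetime.
     *
     * @throws KerberosAuthenticationException if the credential cannot be acquired
     */
    private GSSCredential initClientCred(GSSName name) {
        try {
            return this.manager.createCredential(name, GSSCredential.DEFAULT_LIFETIME, this.oid,
                    GSSCredential.INITIATE_ONLY);
        } catch (GSSException e) {
            throw logAndWrap("Error creating client credentials ", e);
        }
    }

    private KerberosAuthenticationException logAndWrap(String message) {
        log.error(message);
        return new KerberosAuthenticationException(message);
    }

    /** Logs the message with the cause's stack trace and wraps it, keeping the cause on the result. */
    private KerberosAuthenticationException logAndWrap(String message, Exception cause) {
        log.error(message, cause);
        return new KerberosAuthenticationException(message, cause);
    }

    /**
     * Produces the initial SPNEGO token for a host-based service (e.g. {@code HTTP@host} style
     * names), Base64 encoded and ready to be sent as an authentication header value.
     *
     * <p>The token is taken from a single {@link Login} snapshot so the subject used for
     * {@code doAs} and the credential used for the context always belong to the same login. The
     * GSS context is disposed once the token has been extracted; the token itself stays valid.
     *
     * @param serviceName GSS host-based service name of the target service
     * @return the Base64-encoded initial context token
     * @throws KerberosAuthenticationException if re-login or token generation fails
     */
    @Override // cern.nxcals.service.client.security.kerberos.KerberosContext
    public String requestTokenFor(String serviceName) {
        log.debug("Kerberos execute start");
        tryRelogon();
        Login current = this.login;
        return Subject.doAs(current.subject, (PrivilegedAction<String>) () -> {
            try {
                log.info("Initializing secure context with: {}", serviceName);
                GSSName service = this.manager.createName(serviceName, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext context = establishContext(service, current.cred);
                try {
                    byte[] token = context.initSecContext(new byte[0], 0, 0);
                    log.debug("Kerberos execution successful");
                    return convertToToken(token);
                } finally {
                    dispose(context);
                }
            } catch (GSSException e) {
                throw logAndWrap("Error while acquiring ticket for service communication", e);
            }
        });
    }

    /** Releases the context's native/cryptographic resources; failure to do so is only logged. */
    private static void dispose(GSSContext context) {
        try {
            context.dispose();
        } catch (GSSException e) {
            log.warn("Could not dispose GSS context", e);
        }
    }

    /** Basic (non-MIME) Base64: the encoder never inserts line breaks, so no stripping is needed. */
    private String convertToToken(byte[] token) {
        return Base64.getEncoder().encodeToString(token);
    }

    /**
     * Creates an initiator context towards {@code service} using the given credential.
     * Mutual authentication and integrity are requested; confidentiality is not, because the
     * context is used only to produce an authentication token, not to protect messages.
     */
    private GSSContext establishContext(GSSName service, GSSCredential cred) throws GSSException {
        GSSContext context = this.manager.createContext(service, this.oid, cred, GSSContext.DEFAULT_LIFETIME);
        context.requestMutualAuth(true);
        context.requestConf(false);
        context.requestInteg(true);
        return context;
    }
}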
