package net.sf.michaelo.tomcat.realm;

import com.sun.security.jgss.AuthorizationDataEntry;
import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;
import java.security.Key;
import java.security.Principal;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import net.sf.michaelo.tomcat.internal.org.apache.commons.lang3.StringUtils;
import net.sf.michaelo.tomcat.pac.GroupMembership;
import net.sf.michaelo.tomcat.pac.KerbValidationInfo;
import net.sf.michaelo.tomcat.pac.Pac;
import net.sf.michaelo.tomcat.pac.PrivateSunPacSignatureVerifier;
import net.sf.michaelo.tomcat.pac.asn1.AdIfRelevantAsn1Parser;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;

/* loaded from: input_file:net/sf/michaelo/tomcat/realm/PacDataActiveDirectoryRealm.class */
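/**
 * Realm that builds the {@link ActiveDirectoryPrincipal} (user SID, group SIDs, optional
 * attributes) from the PAC carried inside the client's Kerberos ticket. Nothing in this class
 * talks to the directory; everything is taken from the PAC after its signature has been
 * verified with the keys of the service's own keytab (see {@link #getKeys()}).
 */
public class PacDataActiveDirectoryRealm extends ActiveDirectoryRealmBase {
    /** userAccountControl bit: the account is disabled. */
    private static final long USER_ACCOUNT_DISABLED = 1;
    /** userAccountControl bit: a regular user account. */
    private static final long USER_NORMAL_ACCOUNT = 16;
    /** userAccountControl bit: a computer (workstation trust) account. */
    private static final long USER_WORKSTATION_TRUST_ACCOUNT = 128;
    /** Kerberos authorization-data type AD-IF-RELEVANT, the wrapper the PAC is nested in. */
    private static final int AD_IF_RELEVANT = 1;
    /** Kerberos authorization-data type AD-WIN2K-PAC, the PAC element itself. */
    private static final int AD_WIN2K_PAC = 128;

    /** Name of the JAAS login entry whose keytab supplies the PAC verification keys. */
    protected String loginEntryName;
    /** When {@code true}, every role name is prefixed with {@code "sid:"}. */
    protected boolean prependRoleFormat;
    /** When {@code true}, a few PAC fields are exposed as additional principal attributes. */
    protected boolean addAdditionalAttributes;

    /**
     * Sets the JAAS login entry used to obtain the keytab keys for PAC signature verification.
     *
     * @param str the login entry name
     */
    public void setLoginEntryName(String str) {
        this.loginEntryName = str;
    }

    /**
     * Controls whether role names are emitted as {@code "sid:<SID>"} instead of the bare SID.
     *
     * @param z {@code true} to prepend the {@code "sid:"} prefix
     */
    public void setPrependRoleFormat(boolean z) {
        this.prependRoleFormat = z;
    }

    /**
     * Controls whether PAC fields (sAMAccountName, displayName, msDS-PrincipalName,
     * userPrincipalName) are attached to the principal as additional attributes.
     *
     * @param z {@code true} to attach the attributes
     */
    public void setAddAdditionalAttributes(boolean z) {
        this.addAdditionalAttributes = z;
    }

    /**
     * Resolves the authenticated name into a principal using the PAC of the Kerberos ticket.
     * <p>
     * Order of checks: anonymous names get {@link Sid#ANONYMOUS_SID}; the security context must
     * be an {@link ExtendedGSSContext} so the authorization data can be inquired; the PAC is
     * located inside an AD-IF-RELEVANT element; its signature is verified before any of its
     * content is used; disabled accounts and accounts that are neither normal user nor
     * workstation trust accounts are rejected.
     *
     * @param gSSName       the authenticated client name
     * @param gSSCredential the delegated credential, may be {@code null}
     * @param gSSContext    the established security context
     * @return the principal, or {@code null} when no usable PAC is present, its signature does not
     *         verify, or the account must be rejected
     */
    protected Principal getPrincipal(GSSName gSSName, GSSCredential gSSCredential, GSSContext gSSContext) {
        if (gSSName.isAnonymous()) {
            return new ActiveDirectoryPrincipal(gSSName, Sid.ANONYMOUS_SID, gSSCredential);
        }
        if (!(gSSContext instanceof ExtendedGSSContext)) {
            this.logger.error(this.sm.getString("krb5AuthzDataRealmBase.incompatibleSecurityContextType"));
            return null;
        }

        AuthorizationDataEntry[] authzData = null;
        try {
            authzData = (AuthorizationDataEntry[]) ((ExtendedGSSContext) gSSContext)
                    .inquireSecContext(InquireType.KRB5_GET_AUTHZ_DATA);
        } catch (GSSException e) {
            this.logger.warn(this.sm.getString("krb5AuthzDataRealmBase.inquireSecurityContextFailed"), e);
        }
        if (authzData == null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(this.sm.getString("krb5AuthzDataRealmBase.noDataProvided", gSSName));
            }
            return null;
        }

        Optional<AuthorizationDataEntry> pacEntry = findPacEntry(authzData);
        if (!pacEntry.isPresent()) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(this.sm.getString("pacDataActiveDirectoryRealm.noDataProvided", gSSName));
            }
            return null;
        }

        Pac pac = new Pac(pacEntry.get().getData(), new PrivateSunPacSignatureVerifier());
        // The PAC is client-supplied bytes; nothing below may be trusted until this succeeds.
        try {
            pac.verifySignature(getKeys());
        } catch (SignatureException e) {
            this.logger.warn(this.sm.getString("pacDataActiveDirectoryRealm.signatureVerificationFailed"), e);
            return null;
        }

        KerbValidationInfo info = pac.getKerbValidationInfo();
        long userAccountControl = info.getUserAccountControl();
        if ((userAccountControl & USER_ACCOUNT_DISABLED) != 0) {
            this.logger.warn(this.sm.getString("activeDirectoryRealm.userFoundButDisabled", gSSName));
            return null;
        }
        if ((userAccountControl & USER_NORMAL_ACCOUNT) == 0
                && (userAccountControl & USER_WORKSTATION_TRUST_ACCOUNT) == 0) {
            this.logger.warn(this.sm.getString("activeDirectoryRealm.userFoundButNotSupported", gSSName));
            return null;
        }

        long userId = info.getUserId();
        // A user RID of 0 means the user's SID is not domain-SID + RID but the first ExtraSids entry.
        // NOTE(review): if ExtraSids is null/empty in that case this throws instead of returning null.
        Sid sid = userId == 0
                ? info.getExtraSids().get(0).getSid()
                : info.getLogonDomainId().append(userId);

        Set<Sid> sids = collectGroupSids(info, userId);
        Map<String, Object> attributes = this.addAdditionalAttributes ? collectAdditionalAttributes(pac, info) : null;

        String rolePrefix = this.prependRoleFormat ? "sid:" : StringUtils.EMPTY;
        List<String> roles = sids.stream()
                .map(s -> rolePrefix + String.valueOf(s))
                .collect(Collectors.toList());
        if (this.logger.isTraceEnabled()) {
            this.logger.trace(this.sm.getString("activeDirectoryRealm.foundRoles", roles.size(), gSSName, roles));
        } else if (this.logger.isDebugEnabled()) {
            this.logger.debug(this.sm.getString("activeDirectoryRealm.foundRolesCount", roles.size(), gSSName));
        }
        return new ActiveDirectoryPrincipal(gSSName, sid, roles, gSSCredential, attributes);
    }

    /**
     * Locates the AD-WIN2K-PAC element nested inside the first matching AD-IF-RELEVANT entries.
     *
     * @param entries the raw authorization data of the ticket
     * @return the PAC entry, or empty when none is present
     */
    private static Optional<AuthorizationDataEntry> findPacEntry(AuthorizationDataEntry[] entries) {
        return Arrays.stream(entries)
                .filter(entry -> entry.getType() == AD_IF_RELEVANT)
                .map(entry -> AdIfRelevantAsn1Parser.parse(entry.getData()))
                .flatMap(nested -> nested.stream())
                .filter(entry -> entry.getType() == AD_WIN2K_PAC)
                .findFirst();
    }

    /**
     * Collects every group SID the PAC asserts for the user: primary group, domain groups,
     * extra SIDs (minus the first one when it holds the user's own SID) and resource groups.
     *
     * @param info   the verified KERB_VALIDATION_INFO buffer
     * @param userId the user's RID; {@code 0} means the first extra SID is the user itself
     * @return the set of group SIDs (unordered)
     */
    private static Set<Sid> collectGroupSids(KerbValidationInfo info, long userId) {
        Set<Sid> sids = new HashSet<>();
        sids.add(info.getLogonDomainId().append(info.getPrimaryGroupId()));
        for (GroupMembership group : info.getGroupIds()) {
            sids.add(info.getLogonDomainId().append(group.getRelativeId()));
        }
        if (info.getExtraSids() != null) {
            sids.addAll(info.getExtraSids().stream()
                    .skip(userId == 0 ? 1L : 0L)
                    .map(extra -> extra.getSid())
                    .collect(Collectors.toList()));
        }
        if (info.getResourceGroupDomainSid() != null) {
            for (GroupMembership group : info.getResourceGroupIds()) {
                sids.add(info.getResourceGroupDomainSid().append(group.getRelativeId()));
            }
        }
        return sids;
    }

    /**
     * Builds the optional attribute map from PAC fields.
     *
     * @param pac  the verified PAC (for the UPN, when present)
     * @param info the verified KERB_VALIDATION_INFO buffer
     * @return a mutable map keyed by directory attribute name
     */
    private static Map<String, Object> collectAdditionalAttributes(Pac pac, KerbValidationInfo info) {
        Map<String, Object> attributes = new HashMap<>();
        attributes.put("sAMAccountName", info.getEffectiveName());
        attributes.put("displayName", info.getFullName());
        attributes.put("msDS-PrincipalName", info.getLogonDomainName() + "\\" + info.getEffectiveName());
        if (pac.getUpnDnsInfo() != null) {
            attributes.put("userPrincipalName", pac.getUpnDnsInfo().getUpn());
        }
        return attributes;
    }

    /**
     * Performs a JAAS login with {@link #loginEntryName} and returns the keytab keys of the
     * first Kerberos principal in the resulting subject. The login context is always logged out
     * again, whether or not the keys could be obtained.
     * <p>
     * NOTE(review): a fresh JAAS login happens on every call, i.e. once per PAC verification;
     * whether that is acceptable depends on the deployment.
     *
     * @return the Kerberos keys used to verify PAC signatures
     * @throws IllegalStateException when the login fails or the subject carries no keytab or
     *                               Kerberos principal
     */
    protected Key[] getKeys() {
        LoginContext loginContext;
        try {
            loginContext = new LoginContext(this.loginEntryName);
            loginContext.login();
        } catch (LoginException e) {
            throw new IllegalStateException("Failed to load Kerberos keys for login entry '" + this.loginEntryName + "'", e);
        }
        try {
            Subject subject = loginContext.getSubject();
            Set<KeyTab> keyTabs = subject.getPrivateCredentials(KeyTab.class);
            Set<KerberosPrincipal> principals = subject.getPrincipals(KerberosPrincipal.class);
            if (keyTabs.isEmpty() || principals.isEmpty()) {
                throw new IllegalStateException("Login entry '" + this.loginEntryName
                        + "' did not provide both a keytab and a Kerberos principal");
            }
            return keyTabs.iterator().next().getKeys(principals.iterator().next());
        } finally {
            try {
                loginContext.logout();
            } catch (LoginException ignored) {
                // the keys (or the failure) are already determined; a failed logout changes nothing for the caller
            }
        }
    }
}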
