package kafka.security.minikdc;

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.lang.reflect.InvocationTargetException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.text.MessageFormat;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Objects;
import java.util.Optional;
import java.util.Properties;
import java.util.UUID;
import java.util.stream.Collectors;
import kafka.security.JaasTestUtils;
import org.apache.commons.lang.text.StrSubstitutor;
import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapInvalidDnException;
import org.apache.directory.api.ldap.model.ldif.LdifReader;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.schema.extractor.impl.DefaultSchemaLdifExtractor;
import org.apache.directory.api.ldap.schema.loader.LdifSchemaLoader;
import org.apache.directory.api.ldap.schema.manager.impl.DefaultSchemaManager;
import org.apache.directory.server.core.DefaultDirectoryService;
import org.apache.directory.server.core.api.CacheService;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.InstanceLayout;
import org.apache.directory.server.core.api.schema.SchemaPartition;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.apache.directory.server.core.partition.impl.btree.jdbm.JdbmIndex;
import org.apache.directory.server.core.partition.impl.btree.jdbm.JdbmPartition;
import org.apache.directory.server.core.partition.ldif.LdifPartition;
import org.apache.directory.server.kerberos.KerberosConfig;
import org.apache.directory.server.kerberos.kdc.KdcServer;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.apache.directory.server.protocol.shared.transport.TcpTransport;
import org.apache.directory.server.protocol.shared.transport.Transport;
import org.apache.directory.server.protocol.shared.transport.UdpTransport;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.kafka.common.utils.Exit;
import org.apache.kafka.common.utils.Java;
import org.apache.kafka.common.utils.Utils;
import org.apache.mina.core.service.IoAcceptor;

/* loaded from: input_file:kafka/security/minikdc/MiniKdc.class */
public class MiniKdc {
    static final String ORG_NAME = "org.name";
    static final String ORG_DOMAIN = "org.domain";
    static final String KDC_BIND_ADDRESS = "kdc.bind.address";
    static final String KDC_PORT = "kdc.port";
    static final String INSTANCE = "instance";
    static final String MAX_TICKET_LIFETIME = "max.ticket.lifetime";
    static final String MAX_RENEWABLE_LIFETIME = "max.renewable.lifetime";
    static final String TRANSPORT = "transport";
    static final String JAVA_SECURITY_KRB5_CONF = "java.security.krb5.conf";
    private static final String SUN_SECURITY_KRB5_DEBUG = "sun.security.krb5.debug";
    private static final String DEBUG = "debug";
    private final String orgName;
    private final String orgDomain;
    private final String realm;
    private final String host;
    private int port;
    private final Properties config;
    private final File workDir;
    private final File krb5conf;
    private DirectoryService ds;
    private KdcServer kdc;
    private boolean closed = false;

    public MiniKdc(Properties properties, File file) {
        HashSet hashSet = new HashSet(Arrays.asList(ORG_NAME, ORG_DOMAIN, KDC_BIND_ADDRESS, KDC_PORT, INSTANCE, TRANSPORT, MAX_TICKET_LIFETIME, MAX_RENEWABLE_LIFETIME));
        if (!properties.keySet().containsAll(hashSet)) {
            throw new IllegalArgumentException("Missing required properties: " + String.valueOf(hashSet));
        }
        this.config = properties;
        this.workDir = file;
        this.orgName = properties.getProperty(ORG_NAME);
        this.orgDomain = properties.getProperty(ORG_DOMAIN);
        this.realm = this.orgName.toUpperCase(Locale.ENGLISH) + "." + this.orgDomain.toUpperCase(Locale.ENGLISH);
        this.krb5conf = new File(file, "krb5.conf");
        this.host = properties.getProperty(KDC_BIND_ADDRESS);
        this.port = Integer.parseInt(properties.getProperty(KDC_PORT));
    }

    public static void main(String[] strArr) throws Exception {
        if (strArr.length < 4) {
            System.out.println("Arguments: <WORKDIR> <MINIKDCPROPERTIES> <KEYTABFILE> [<PRINCIPALS>]+");
            Exit.exit(1);
        }
        String str = strArr[0];
        String str2 = strArr[1];
        String str3 = strArr[2];
        String[] strArr2 = new String[strArr.length - 3];
        System.arraycopy(strArr, 3, strArr2, 0, strArr2.length);
        File file = new File(str);
        if (!file.exists()) {
            throw new RuntimeException("Specified work directory does not exist: " + file.getAbsolutePath());
        }
        Properties createConfig = createConfig();
        File file2 = new File(str2);
        if (!file2.exists()) {
            throw new RuntimeException("Specified configuration does not exist: " + file2.getAbsolutePath());
        }
        createConfig.putAll(Utils.loadProps(file2.getAbsolutePath()));
        start(file, createConfig, new File(str3).getAbsoluteFile(), Arrays.asList(strArr2));
    }

    public static Properties createConfig() {
        Properties properties = new Properties();
        properties.put(ORG_NAME, "EXAMPLE");
        properties.put(ORG_DOMAIN, "COM");
        properties.put(KDC_BIND_ADDRESS, JaasTestUtils.SSL_CERTIFICATE_CN);
        properties.put(KDC_PORT, "0");
        properties.put(INSTANCE, "DefaultKrbServer");
        properties.put(MAX_TICKET_LIFETIME, "86400000");
        properties.put(MAX_RENEWABLE_LIFETIME, "604800000");
        properties.put(TRANSPORT, "TCP");
        properties.put(DEBUG, "false");
        return properties;
    }

    public void start() throws Exception {
        if (this.kdc != null) {
            throw new IllegalStateException("KDC already started");
        }
        if (this.closed) {
            throw new IllegalStateException("KDC already closed");
        }
        initDirectoryService();
        initKdcServer();
        initJvmKerberosConfig();
    }

    public static MiniKdc start(File file, Properties properties, File file2, List<String> list) throws Exception {
        MiniKdc miniKdc = new MiniKdc(properties, file);
        miniKdc.start();
        miniKdc.createPrincipal(file2, list);
        System.out.println(String.format("\nStandalone MiniKdc Running\n---------------------------------------------------\n  Realm           : %s\n  Running at      : %s:%d\n  krb5conf        : %s\n\n  created keytab  : %s\n  with principals : %s\n\nHit <CTRL-C> or kill <PID> to stop it\n---------------------------------------------------\n", miniKdc.getRealm(), miniKdc.getHost(), Integer.valueOf(miniKdc.getPort()), miniKdc.getKrb5conf().getAbsolutePath(), file2.getAbsolutePath(), String.join(", ", list)));
        Objects.requireNonNull(miniKdc);
        Exit.addShutdownHook("minikdc-shutdown-hook", miniKdc::stop);
        return miniKdc;
    }

    public String getRealm() {
        return this.realm;
    }

    public String getHost() {
        return this.host;
    }

    public int getPort() {
        return this.port;
    }

    public File getKrb5conf() {
        return this.krb5conf;
    }

    public void stop() {
        if (this.closed) {
            return;
        }
        this.closed = true;
        if (this.kdc != null) {
            System.clearProperty(JAVA_SECURITY_KRB5_CONF);
            System.clearProperty(SUN_SECURITY_KRB5_DEBUG);
            for (Transport transport : this.kdc.getTransports()) {
                IoAcceptor acceptor = transport.getAcceptor();
                if (acceptor != null) {
                    acceptor.dispose(true);
                }
            }
            this.kdc.stop();
            try {
                this.ds.shutdown();
            } catch (Exception e) {
                System.err.println("Could not shutdown ApacheDS properly, exception: " + String.valueOf(e));
            }
        }
    }

    public void createPrincipal(File file, List<String> list) throws IOException {
        String uuid = UUID.randomUUID().toString();
        Keytab keytab = new Keytab();
        keytab.setEntries((List) list.stream().flatMap(str -> {
            try {
                createPrincipal(str, uuid);
                String str = str + "@" + this.realm;
                KerberosTime kerberosTime = new KerberosTime();
                return KerberosKeyFactory.getKerberosKeys(str, uuid).values().stream().map(encryptionKey -> {
                    return new KeytabEntry(str, 1, kerberosTime, (byte) encryptionKey.getKeyVersion(), encryptionKey);
                });
            } catch (LdapException | IOException e) {
                throw new RuntimeException((Throwable) e);
            }
        }).collect(Collectors.toList()));
        keytab.write(file);
    }

    private void initDirectoryService() throws Exception {
        this.ds = new DefaultDirectoryService();
        this.ds.setInstanceLayout(new InstanceLayout(this.workDir));
        this.ds.setCacheService(new CacheService());
        InstanceLayout instanceLayout = this.ds.getInstanceLayout();
        File file = new File(instanceLayout.getPartitionsDirectory(), "schema");
        new DefaultSchemaLdifExtractor(instanceLayout.getPartitionsDirectory()).extractOrCopy();
        DefaultSchemaManager defaultSchemaManager = new DefaultSchemaManager(new LdifSchemaLoader(file));
        defaultSchemaManager.loadAllEnabled();
        this.ds.setSchemaManager(defaultSchemaManager);
        LdifPartition ldifPartition = new LdifPartition(defaultSchemaManager, this.ds.getDnFactory());
        ldifPartition.setPartitionPath(file.toURI());
        SchemaPartition schemaPartition = new SchemaPartition(defaultSchemaManager);
        schemaPartition.setWrappedPartition(ldifPartition);
        this.ds.setSchemaPartition(schemaPartition);
        JdbmPartition jdbmPartition = new JdbmPartition(this.ds.getSchemaManager(), this.ds.getDnFactory());
        jdbmPartition.setId("system");
        jdbmPartition.setPartitionPath(new File(this.ds.getInstanceLayout().getPartitionsDirectory(), jdbmPartition.getId()).toURI());
        jdbmPartition.setSuffixDn(new Dn(new String[]{"ou=system"}));
        jdbmPartition.setSchemaManager(this.ds.getSchemaManager());
        this.ds.setSystemPartition(jdbmPartition);
        this.ds.getChangeLog().setEnabled(false);
        this.ds.setDenormalizeOpAttrsEnabled(true);
        this.ds.addLast(new KeyDerivationInterceptor());
        String lowerCase = this.config.getProperty(ORG_NAME).toLowerCase(Locale.ENGLISH);
        String lowerCase2 = this.config.getProperty(ORG_DOMAIN).toLowerCase(Locale.ENGLISH);
        JdbmPartition jdbmPartition2 = new JdbmPartition(this.ds.getSchemaManager(), this.ds.getDnFactory());
        jdbmPartition2.setId(lowerCase);
        jdbmPartition2.setPartitionPath(new File(this.ds.getInstanceLayout().getPartitionsDirectory(), lowerCase).toURI());
        Dn dn = new Dn(new String[]{"dc=" + lowerCase + ",dc=" + lowerCase2});
        jdbmPartition2.setSuffixDn(dn);
        this.ds.addPartition(jdbmPartition2);
        HashSet hashSet = new HashSet();
        hashSet.add(new JdbmIndex("objectClass", false));
        hashSet.add(new JdbmIndex("dc", false));
        hashSet.add(new JdbmIndex("ou", false));
        jdbmPartition2.setIndexedAttributes(hashSet);
        this.ds.setInstanceId(this.config.getProperty(INSTANCE));
        this.ds.setShutdownHookEnabled(false);
        this.ds.startup();
        Entry newEntry = this.ds.newEntry(dn);
        newEntry.add("objectClass", new String[]{"top", "domain"});
        newEntry.add("dc", new String[]{lowerCase});
        this.ds.getAdminSession().add(newEntry);
    }

    private void addInitialEntriesToDirectoryService(String str) throws IOException {
        HashMap hashMap = new HashMap();
        hashMap.put("0", this.orgName.toLowerCase(Locale.ENGLISH));
        hashMap.put("1", this.orgDomain.toLowerCase(Locale.ENGLISH));
        hashMap.put("2", this.orgName.toUpperCase(Locale.ENGLISH));
        hashMap.put("3", this.orgDomain.toUpperCase(Locale.ENGLISH));
        hashMap.put("4", str);
        try {
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(getResourceAsStream("minikdc.ldiff")));
            try {
                StringBuilder sb = new StringBuilder();
                bufferedReader.lines().forEach(str2 -> {
                    sb.append(str2).append("\n");
                });
                addEntriesToDirectoryService(StrSubstitutor.replace(sb, hashMap));
                bufferedReader.close();
            } finally {
            }
        } catch (LdapException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    private void initKdcServer() throws IOException, LdapInvalidDnException {
        TcpTransport udpTransport;
        String property = this.config.getProperty(KDC_BIND_ADDRESS);
        addInitialEntriesToDirectoryService(property);
        KerberosConfig kerberosConfig = new KerberosConfig();
        kerberosConfig.setMaximumRenewableLifetime(Long.parseLong(this.config.getProperty(MAX_RENEWABLE_LIFETIME)));
        kerberosConfig.setMaximumTicketLifetime(Long.parseLong(this.config.getProperty(MAX_TICKET_LIFETIME)));
        kerberosConfig.setSearchBaseDn("dc=" + this.orgName + ",dc=" + this.orgDomain);
        kerberosConfig.setPaEncTimestampRequired(false);
        this.kdc = new KdcServer(kerberosConfig);
        this.kdc.setDirectoryService(this.ds);
        String trim = this.config.getProperty(TRANSPORT).trim();
        boolean z = -1;
        switch (trim.hashCode()) {
            case 82881:
                if (trim.equals("TCP")) {
                    z = false;
                    break;
                }
                break;
            case 83873:
                if (trim.equals("UDP")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                udpTransport = new TcpTransport(property, this.port, 3, 50);
                break;
            case true:
                udpTransport = new UdpTransport(this.port);
                break;
            default:
                throw new IllegalArgumentException("Invalid transport: " + trim);
        }
        this.kdc.addTransports(new Transport[]{udpTransport});
        this.kdc.setServiceName(this.config.getProperty(INSTANCE));
        this.kdc.start();
        if (this.port == 0) {
            this.port = ((InetSocketAddress) udpTransport.getAcceptor().getLocalAddress()).getPort();
        }
        System.out.println("MiniKdc listening at port: " + this.port);
    }

    private void initJvmKerberosConfig() throws IOException, ClassNotFoundException, InvocationTargetException, NoSuchMethodException, IllegalAccessException {
        writeKrb5Conf();
        System.setProperty(JAVA_SECURITY_KRB5_CONF, this.krb5conf.getAbsolutePath());
        System.setProperty(SUN_SECURITY_KRB5_DEBUG, this.config.getProperty(DEBUG, "false"));
        System.out.println("MiniKdc setting JVM krb5.conf to: " + this.krb5conf.getAbsolutePath());
        refreshJvmKerberosConfig();
    }

    private void writeKrb5Conf() throws IOException {
        StringBuilder sb = new StringBuilder();
        BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(getResourceAsStream("minikdc-krb5.conf"), StandardCharsets.UTF_8));
        try {
            bufferedReader.lines().forEach(str -> {
                sb.append(str).append("{3}");
            });
            bufferedReader.close();
            Files.write(this.krb5conf.toPath(), MessageFormat.format(sb.toString(), this.realm, this.host, String.valueOf(this.port), System.lineSeparator()).getBytes(StandardCharsets.UTF_8), new OpenOption[0]);
        } catch (Throwable th) {
            try {
                bufferedReader.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private void refreshJvmKerberosConfig() throws ClassNotFoundException, NoSuchMethodException, InvocationTargetException, IllegalAccessException {
        Class<?> cls = (!Java.isIbmJdk() || Java.isIbmJdkSemeru()) ? Class.forName("sun.security.krb5.Config") : Class.forName("com.ibm.security.krb5.internal.Config");
        cls.getMethod("refresh", new Class[0]).invoke(cls, new Object[0]);
    }

    private InputStream getResourceAsStream(String str) throws IOException {
        InputStream resourceAsStream = ((ClassLoader) Optional.of(Thread.currentThread().getContextClassLoader()).orElse(MiniKdc.class.getClassLoader())).getResourceAsStream(str);
        if (resourceAsStream == null) {
            throw new IOException("Can not read resource file " + str);
        }
        return resourceAsStream;
    }

    private void createPrincipal(String str, String str2) throws LdapException, IOException {
        addEntriesToDirectoryService("dn: uid=" + str + ",ou=users,dc=" + this.orgName + ",dc=" + this.orgDomain + "\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: inetOrgPerson\nobjectClass: krb5principal\nobjectClass: krb5kdcentry\ncn: " + str + "\nsn: " + str + "\nuid: " + str + "\nuserPassword: " + str2 + "\nkrb5PrincipalName: " + str + "@" + this.realm + "\nkrb5KeyVersionNumber: 0\n");
    }

    private void addEntriesToDirectoryService(String str) throws LdapException, IOException {
        LdifReader ldifReader = new LdifReader(new StringReader(str));
        try {
            ldifReader.forEach(ldifEntry -> {
                try {
                    this.ds.getAdminSession().add(new DefaultEntry(this.ds.getSchemaManager(), ldifEntry.getEntry()));
                } catch (LdapException e) {
                    throw new RuntimeException((Throwable) e);
                }
            });
            ldifReader.close();
        } catch (Throwable th) {
            try {
                ldifReader.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }
}
