package org.forgerock.opendj.ldap.requests;

import com.forgerock.opendj.ldap.CoreMessages;
import com.forgerock.opendj.util.StaticUtils;
import com.sun.security.auth.callback.TextCallbackHandler;
import com.sun.security.auth.module.Krb5LoginModule;
import java.io.Serializable;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.forgerock.opendj.ldap.ByteString;
import org.forgerock.opendj.ldap.ConnectionSecurityLayer;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.controls.Control;
import org.forgerock.opendj.ldap.responses.BindResult;
import org.forgerock.opendj.ldap.responses.Responses;
import org.forgerock.util.Reject;
import org.forgerock.util.Utils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/forgerock/opendj/ldap/requests/GSSAPISASLBindRequestImpl.class */
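/**
 * GSSAPI (Kerberos V5) SASL bind request.
 * <p>
 * A request is either backed by a caller-supplied JAAS {@link Subject} that already holds Kerberos
 * credentials, or by an authentication ID / password / realm / KDC address from which a Subject is
 * obtained at bind time (see {@link Client#kerberos5Login}). The SASL handshake itself is performed
 * by a per-connection {@link Client}, created through {@link #createBindClient(String)}.
 * <p>
 * Not thread-safe: setters mutate the request in place and return {@code this}.
 */
public final class GSSAPISASLBindRequestImpl extends AbstractSASLBindRequest<GSSAPISASLBindRequest> implements GSSAPISASLBindRequest {
    /** Value reported for the SASL receive/send buffer size when none has been configured. */
    private static final int DEFAULT_MAX_BUFFER_SIZE = 65536;

    /** SASL service name used when the GSSAPI client is created. */
    private static final String SASL_SERVICE_NAME = "ldap";

    /** Extra SASL properties; applied after the standard ones, so they may override them. */
    private final Map<String, String> additionalAuthParams = new LinkedHashMap<String, String>();
    /** Requested quality-of-protection values, in the order they were added. */
    private final List<String> qopValues = new ArrayList<String>();
    private String authenticationID;
    private String authorizationID;
    private String kdcAddress;
    // Boxed so that "never set" (null -> default) can be told apart from an explicit value.
    private Integer maxReceiveBufferSize;
    private Integer maxSendBufferSize;
    // Held by reference: setPassword(byte[]) does not copy and getPassword() returns this array.
    private byte[] password;
    private String realm;
    private Boolean serverAuth;
    private Subject subject;

    /**
     * Per-connection bind client driving the GSSAPI SASL exchange.
     * <p>
     * All SASL operations that touch Kerberos credentials run under {@link Subject#doAs} with the
     * request's Subject. If the request carries no Subject, a Kerberos login is performed eagerly
     * in the constructor.
     */
    public static final class Client extends SASLBindClientImpl {
        private final String authorizationID;
        /** Evaluates {@link #lastResult} against {@link #saslClient}; run under the Subject. */
        private final PrivilegedExceptionAction<Boolean> evaluateAction;
        private BindResult lastResult;
        private final SaslClient saslClient;
        private final Subject subject;

        /**
         * Obtains a Kerberos-authenticated Subject via {@link Krb5LoginModule} using the supplied
         * credentials only (no interactive prompting).
         *
         * @param authenticationID the Kerberos principal name; must not be {@code null}
         * @param password the password; must not be {@code null}
         * @param realm the Kerberos realm, may be {@code null}
         * @param kdcAddress the KDC address, may be {@code null}
         * @return the populated Subject, or an empty Subject if the login module asked to be ignored
         * @throws LdapException with {@code CLIENT_SIDE_LOCAL_ERROR} if a credential is missing or
         *         the Kerberos login fails
         */
        private static Subject kerberos5Login(final String authenticationID, final ByteString password,
                final String realm, final String kdcAddress) throws LdapException {
            if (authenticationID == null) {
                throw localError("No authentication ID specified for GSSAPI SASL authentication");
            }
            if (password == null) {
                throw localError("No password specified for GSSAPI SASL authentication");
            }

            final Map<String, Object> sharedState = new HashMap<String, Object>();
            sharedState.put("javax.security.auth.login.name", authenticationID);
            // The login module wants a char[]; the String produced on the way cannot be zeroed,
            // so a copy of the secret stays reachable on the heap until collected.
            sharedState.put("javax.security.auth.login.password", password.toString().toCharArray());
            sharedState.put("javax.security.auth.useSubjectCredsOnly", "true");
            // NOTE(review): these two keys are named like JVM system properties; whether the login
            // module picks them up from shared state cannot be confirmed from this file.
            sharedState.put("java.security.krb5.realm", realm);
            sharedState.put("java.security.krb5.kdc", kdcAddress);

            final Map<String, String> options = new HashMap<String, String>();
            options.put("tryFirstPass", "true");   // use the name/password from sharedState first
            options.put("useTicketCache", "true");
            options.put("doNotPrompt", "true");    // never fall back to the callback handler prompts
            options.put("storePass", "false");     // do not leave the password in the shared state
            options.put("forwardable", "true");

            final Subject subject = new Subject();
            final Krb5LoginModule loginModule = new Krb5LoginModule();
            loginModule.initialize(subject, new TextCallbackHandler(), sharedState, options);
            try {
                // A false return means "ignore this module": nothing is committed and the Subject
                // stays empty; the SASL exchange will then fail for lack of credentials.
                if (loginModule.login()) {
                    loginModule.commit();
                }
                return subject;
            } catch (final LoginException e) {
                throw LdapException.newLdapException(Responses.newResult(ResultCode.CLIENT_SIDE_LOCAL_ERROR)
                        .setDiagnosticMessage(CoreMessages.ERR_LDAPAUTH_GSSAPI_LOCAL_AUTHENTICATION_FAILED
                                .get(StaticUtils.getExceptionMessage(e)).toString())
                        .setCause(e));
            }
        }

        /** Builds a {@code CLIENT_SIDE_LOCAL_ERROR} exception carrying the given diagnostic. */
        private static LdapException localError(final String diagnosticMessage) {
            return LdapException.newLdapException(Responses.newResult(ResultCode.CLIENT_SIDE_LOCAL_ERROR)
                    .setDiagnosticMessage(diagnosticMessage));
        }

        /**
         * Collects the SASL properties for {@link Sasl#createSaslClient}.
         * Standard properties are set first; {@code additionalAuthParams} are applied last and may
         * override them.
         */
        private static Map<String, String> buildSaslProperties(final GSSAPISASLBindRequestImpl request) {
            final Map<String, String> props = new HashMap<String, String>();
            final List<String> qops = request.getQOPs();
            if (!qops.isEmpty()) {
                props.put(Sasl.QOP, Utils.joinAsString(",", qops));
            }
            // These getters return primitives, so the values are always present.
            props.put(Sasl.SERVER_AUTH, String.valueOf(request.isServerAuth()));
            props.put(Sasl.MAX_BUFFER, String.valueOf(request.getMaxReceiveBufferSize()));
            props.put(Sasl.MAX_SEND_BUFFER, String.valueOf(request.getMaxSendBufferSize()));
            props.putAll(request.getAdditionalAuthParams());
            return props;
        }

        /**
         * Creates the SASL client and primes the first set of credentials. Must be invoked under
         * the Subject so that the GSSAPI mechanism can find the Kerberos credentials.
         *
         * @throws LdapException with {@code CLIENT_SIDE_LOCAL_ERROR} if the mechanism cannot be
         *         created or the initial challenge fails
         */
        private SaslClient newSaslClient(final GSSAPISASLBindRequestImpl request, final String serverName)
                throws LdapException {
            final Map<String, String> props = buildSaslProperties(request);
            try {
                // "this" is the CallbackHandler: SASLBindClientImpl handles the mechanism callbacks.
                final SaslClient client = Sasl.createSaslClient(
                        new String[] { GSSAPISASLBindRequest.SASL_MECHANISM_NAME },
                        authorizationID, SASL_SERVICE_NAME, serverName, props, this);
                if (client.hasInitialResponse()) {
                    setNextSASLCredentials(client.evaluateChallenge(new byte[0]));
                } else {
                    setNextSASLCredentials((ByteString) null);
                }
                return client;
            } catch (final SaslException e) {
                throw LdapException.newLdapException(ResultCode.CLIENT_SIDE_LOCAL_ERROR, (Throwable) e);
            }
        }

        /**
         * Creates a bind client for one connection.
         *
         * @param initialBindRequest the request being bound
         * @param serverName the server name passed to the SASL mechanism
         * @throws LdapException if the Kerberos login or the SASL context creation fails
         */
        private Client(final GSSAPISASLBindRequestImpl initialBindRequest, final String serverName)
                throws LdapException {
            super(initialBindRequest);
            this.evaluateAction = new PrivilegedExceptionAction<Boolean>() {
                @Override
                public Boolean run() throws LdapException {
                    return Client.this.evaluateSaslBindResult(Client.this.saslClient, Client.this.lastResult);
                }
            };
            this.authorizationID = initialBindRequest.getAuthorizationID();

            final Subject requestSubject = initialBindRequest.getSubject();
            if (requestSubject != null) {
                this.subject = requestSubject;
            } else {
                // No pre-authenticated Subject: obtain one from the configured credentials now.
                this.subject = kerberos5Login(initialBindRequest.getAuthenticationID(),
                        ByteString.wrap(initialBindRequest.getPassword()),
                        initialBindRequest.getRealm(), initialBindRequest.getKDCAddress());
            }

            try {
                this.saslClient = Subject.doAs(this.subject, new PrivilegedExceptionAction<SaslClient>() {
                    @Override
                    public SaslClient run() throws LdapException {
                        return newSaslClient(initialBindRequest, serverName);
                    }
                });
            } catch (final PrivilegedActionException e) {
                // Surface the original LdapException unchanged; wrap anything else.
                if (e.getCause() instanceof LdapException) {
                    throw (LdapException) e.getCause();
                }
                throw LdapException.newLdapException(ResultCode.CLIENT_SIDE_LOCAL_ERROR,
                        CoreMessages.ERR_SASL_CONTEXT_CREATE_ERROR
                                .get(GSSAPISASLBindRequest.SASL_MECHANISM_NAME, StaticUtils.getExceptionMessage(e))
                                .toString(), e);
            }
        }

        /** Releases the SASL context. Failures are ignored: nothing can be done about them here. */
        @Override
        public void dispose() {
            try {
                saslClient.dispose();
            } catch (final SaslException ignored) {
                // Best-effort cleanup; the connection is being torn down anyway.
            }
        }

        /**
         * Feeds the server's bind result into the SASL exchange, under the Subject.
         *
         * @param bindResult the result received from the server
         * @return whether the bind exchange is complete (as reported by {@code evaluateSaslBindResult})
         * @throws LdapException if the exchange fails
         */
        @Override
        public boolean evaluateResult(final BindResult bindResult) throws LdapException {
            this.lastResult = bindResult;
            try {
                return Subject.doAs(this.subject, this.evaluateAction);
            } catch (final PrivilegedActionException e) {
                if (e.getCause() instanceof LdapException) {
                    throw (LdapException) e.getCause();
                }
                throw LdapException.newLdapException(ResultCode.CLIENT_SIDE_LOCAL_ERROR,
                        CoreMessages.ERR_SASL_PROTOCOL_ERROR
                                .get(GSSAPISASLBindRequest.SASL_MECHANISM_NAME, StaticUtils.getExceptionMessage(e))
                                .toString(), e);
            }
        }

        /**
         * Returns this client as the connection security layer when the negotiated QOP provides
         * integrity ({@code auth-int}) or confidentiality ({@code auth-conf}); {@code null} otherwise,
         * in which case traffic after the bind stays unprotected by SASL.
         */
        @Override
        public ConnectionSecurityLayer getConnectionSecurityLayer() {
            final String negotiatedQOP = (String) saslClient.getNegotiatedProperty(Sasl.QOP);
            final boolean hasLayer = "auth-int".equalsIgnoreCase(negotiatedQOP)
                    || "auth-conf".equalsIgnoreCase(negotiatedQOP);
            return hasLayer ? this : null;
        }

        /**
         * Unwraps {@code len} bytes of incoming data starting at {@code offset}.
         *
         * @throws LdapException with {@code CLIENT_SIDE_DECODING_ERROR} if the SASL layer rejects the data
         */
        @Override
        public byte[] unwrap(final byte[] incoming, final int offset, final int len) throws LdapException {
            try {
                return saslClient.unwrap(incoming, offset, len);
            } catch (final SaslException e) {
                throw LdapException.newLdapException(ResultCode.CLIENT_SIDE_DECODING_ERROR,
                        CoreMessages.ERR_SASL_PROTOCOL_ERROR
                                .get(GSSAPISASLBindRequest.SASL_MECHANISM_NAME, StaticUtils.getExceptionMessage(e))
                                .toString(), e);
            }
        }

        /**
         * Wraps {@code len} bytes of outgoing data starting at {@code offset}.
         *
         * @throws LdapException with {@code CLIENT_SIDE_ENCODING_ERROR} if the SASL layer fails
         */
        @Override
        public byte[] wrap(final byte[] outgoing, final int offset, final int len) throws LdapException {
            try {
                return saslClient.wrap(outgoing, offset, len);
            } catch (final SaslException e) {
                throw LdapException.newLdapException(ResultCode.CLIENT_SIDE_ENCODING_ERROR,
                        CoreMessages.ERR_SASL_PROTOCOL_ERROR
                                .get(GSSAPISASLBindRequest.SASL_MECHANISM_NAME, StaticUtils.getExceptionMessage(e))
                                .toString(), e);
            }
        }
    }

    /**
     * Copy constructor. The password array is copied; the Subject and the collections' contents
     * are shared/copied element-wise.
     *
     * @param gssapiSASLBindRequest the request to copy
     */
    public GSSAPISASLBindRequestImpl(final GSSAPISASLBindRequest gssapiSASLBindRequest) {
        super(gssapiSASLBindRequest);
        this.subject = gssapiSASLBindRequest.getSubject();
        this.authenticationID = gssapiSASLBindRequest.getAuthenticationID();
        this.password = StaticUtils.copyOfBytes(gssapiSASLBindRequest.getPassword());
        this.realm = gssapiSASLBindRequest.getRealm();
        this.kdcAddress = gssapiSASLBindRequest.getKDCAddress();
        this.authorizationID = gssapiSASLBindRequest.getAuthorizationID();
        this.additionalAuthParams.putAll(gssapiSASLBindRequest.getAdditionalAuthParams());
        this.qopValues.addAll(gssapiSASLBindRequest.getQOPs());
        // The source getters return primitives, so the copy always has explicit values.
        this.serverAuth = gssapiSASLBindRequest.isServerAuth();
        this.maxReceiveBufferSize = gssapiSASLBindRequest.getMaxReceiveBufferSize();
        this.maxSendBufferSize = gssapiSASLBindRequest.getMaxSendBufferSize();
    }

    /**
     * Creates a request that will log in to Kerberos with the given credentials at bind time.
     *
     * @param authenticationID the Kerberos principal name
     * @param password the password; stored by reference, not copied
     * @throws NullPointerException if either argument is {@code null}
     */
    public GSSAPISASLBindRequestImpl(final String authenticationID, final byte[] password) {
        Reject.ifNull(authenticationID, password);
        this.authenticationID = authenticationID;
        this.password = password;
    }

    /**
     * Creates a request backed by an already authenticated JAAS Subject.
     *
     * @param subject the Subject holding the Kerberos credentials
     * @throws NullPointerException if {@code subject} is {@code null}
     */
    public GSSAPISASLBindRequestImpl(final Subject subject) {
        Reject.ifNull(subject);
        this.subject = subject;
    }

    @Override
    public GSSAPISASLBindRequest addAdditionalAuthParam(final String name, final String value) {
        Reject.ifNull(name, value);
        additionalAuthParams.put(name, value);
        return this;
    }

    @Override
    public GSSAPISASLBindRequest addQOP(final String... qopValues) {
        for (final String qop : qopValues) {
            this.qopValues.add(Reject.checkNotNull(qop));
        }
        return this;
    }

    /**
     * {@inheritDoc}
     * <p>
     * May perform a Kerberos login and always creates the SASL context, so this can block on
     * network I/O to the KDC.
     */
    @Override
    public BindClient createBindClient(final String serverName) throws LdapException {
        return new Client(this, serverName);
    }

    /** Returns the live, modifiable map of additional SASL properties. */
    @Override
    public Map<String, String> getAdditionalAuthParams() {
        return additionalAuthParams;
    }

    @Override
    public String getAuthenticationID() {
        return authenticationID;
    }

    @Override
    public String getAuthorizationID() {
        return authorizationID;
    }

    @Override
    public String getKDCAddress() {
        return kdcAddress;
    }

    /** Returns the configured receive buffer size, or {@value #DEFAULT_MAX_BUFFER_SIZE} if unset. */
    @Override
    public int getMaxReceiveBufferSize() {
        return maxReceiveBufferSize == null ? DEFAULT_MAX_BUFFER_SIZE : maxReceiveBufferSize;
    }

    /** Returns the configured send buffer size, or {@value #DEFAULT_MAX_BUFFER_SIZE} if unset. */
    @Override
    public int getMaxSendBufferSize() {
        return maxSendBufferSize == null ? DEFAULT_MAX_BUFFER_SIZE : maxSendBufferSize;
    }

    /**
     * Returns the password array itself, not a copy; callers that need an independent copy
     * (as the copy constructor does) must make one.
     */
    @Override
    public byte[] getPassword() {
        return password;
    }

    /** Returns the live, modifiable list of requested QOP values. */
    @Override
    public List<String> getQOPs() {
        return qopValues;
    }

    @Override
    public String getRealm() {
        return realm;
    }

    @Override
    public String getSASLMechanism() {
        return GSSAPISASLBindRequest.SASL_MECHANISM_NAME;
    }

    @Override
    public Subject getSubject() {
        return subject;
    }

    /** Returns whether server authentication was requested; {@code false} if never set. */
    @Override
    public boolean isServerAuth() {
        return serverAuth != null && serverAuth;
    }

    @Override
    public GSSAPISASLBindRequest setAuthenticationID(final String authenticationID) {
        Reject.ifNull(authenticationID);
        this.authenticationID = authenticationID;
        return this;
    }

    @Override
    public GSSAPISASLBindRequest setAuthorizationID(final String authorizationID) {
        this.authorizationID = authorizationID;
        return this;
    }

    @Override
    public GSSAPISASLBindRequest setKDCAddress(final String kdcAddress) {
        this.kdcAddress = kdcAddress;
        return this;
    }

    @Override
    public GSSAPISASLBindRequest setMaxReceiveBufferSize(final int size) {
        this.maxReceiveBufferSize = size;
        return this;
    }

    @Override
    public GSSAPISASLBindRequest setMaxSendBufferSize(final int size) {
        this.maxSendBufferSize = size;
        return this;
    }

    /** Stores the array by reference (no copy). */
    @Override
    public GSSAPISASLBindRequest setPassword(final byte[] password) {
        Reject.ifNull(password);
        this.password = password;
        return this;
    }

    /** Encodes the characters into a fresh byte array; the caller keeps ownership of {@code password}. */
    @Override
    public GSSAPISASLBindRequest setPassword(final char[] password) {
        Reject.ifNull(password);
        this.password = StaticUtils.getBytes(password);
        return this;
    }

    @Override
    public GSSAPISASLBindRequest setRealm(final String realm) {
        this.realm = realm;
        return this;
    }

    @Override
    public GSSAPISASLBindRequest setServerAuth(final boolean serverAuth) {
        this.serverAuth = serverAuth;
        return this;
    }

    @Override
    public GSSAPISASLBindRequest setSubject(final Subject subject) {
        this.subject = subject;
        return this;
    }

    /**
     * Renders the request for diagnostics. The password is never included, and for a
     * Subject-backed request only the principals are shown: {@link Subject#toString()} would also
     * render the private credentials (the Kerberos ticket) unless a SecurityManager forbids it.
     */
    @Override
    public String toString() {
        final StringBuilder sb = new StringBuilder();
        sb.append("GSSAPISASLBindRequest(bindDN=").append(getName());
        sb.append(", authentication=SASL");
        sb.append(", saslMechanism=").append(getSASLMechanism());
        if (subject != null) {
            sb.append(", subject=").append(subject.getPrincipals());
        } else {
            sb.append(", authenticationID=").append(authenticationID);
            sb.append(", authorizationID=").append(authorizationID);
            sb.append(", realm=").append(realm);
        }
        sb.append(", controls=").append(getControls());
        sb.append(")");
        return sb.toString();
    }
}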
