package org.apache.kerby.kerberos.kerb.server.request;

import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
import org.apache.kerby.kerberos.kerb.request.KdcClientRequest;
import org.apache.kerby.kerberos.kerb.server.KdcConfig;
import org.apache.kerby.kerberos.kerb.server.KdcContext;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.ad.AuthorizationData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.KrbMessageType;
import org.apache.kerby.kerberos.kerb.type.base.NameType;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.base.TransitedEncoding;
import org.apache.kerby.kerberos.kerb.type.base.TransitedEncodingType;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcOption;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcOptions;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcReq;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlag;
import org.apache.kerby.kerberos.kerb.type.ticket.TicketFlags;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kerby/kerberos/kerb/server/request/TicketIssuer.class */
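public abstract class TicketIssuer {
    private static final Logger LOG = LoggerFactory.getLogger(TicketIssuer.class);

    /** The AS or TGS request this issuer builds a ticket for. */
    private final KdcRequest kdcRequest;

    /**
     * Creates an issuer bound to a single KDC request.
     *
     * @param kdcRequest the request being processed; its KDC-REQ body, KDC context and config are read here
     */
    public TicketIssuer(KdcRequest kdcRequest) {
        this.kdcRequest = kdcRequest;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @return the request this issuer was created for
     */
    public KdcRequest getKdcRequest() {
        return this.kdcRequest;
    }

    /**
     * Builds the ticket for the request: server name and realm in the clear, plus the
     * encrypted part sealed under the server's key with key usage {@code KDC_REP_TICKET}.
     * The plaintext encrypted part is also attached so the caller can read it.
     *
     * @return the issued ticket
     * @throws KrbException if a policy check in {@link #makeEncTicketPart()} fails, the server
     *                      has no key of the ticket encryption type, or sealing fails
     */
    public Ticket issueTicket() throws KrbException {
        KdcReq kdcReq = this.kdcRequest.getKdcReq();
        Ticket ticket = new Ticket();
        ticket.setSname(getServerPrincipal());
        ticket.setRealm(kdcReq.getReqBody().getRealm());
        EncTicketPart encPart = makeEncTicketPart();
        ticket.setEncryptedEncPart(EncryptionUtil.seal(encPart, getTicketEncryptionKey(), KeyUsage.KDC_REP_TICKET));
        ticket.setEncPart(encPart);
        return ticket;
    }

    /**
     * Builds the plaintext encrypted part of the ticket: flags, session key, client name and
     * realm, transited encoding, validity times, renew-till, client addresses and
     * authorization data, applying the KDC policy from {@link KdcConfig} to each.
     * <p>
     * Policy checks are evaluated in the same order as the fields are listed above, so a
     * request that violates several policies is rejected with the error of the first one.
     *
     * @return the populated encrypted part
     * @throws KrbException {@code KDC_ERR_POLICY} when a requested option (forwardable, proxiable,
     *                      postdate, renewable, empty addresses) is disallowed by config;
     *                      {@code KDC_ERR_CANNOT_POSTDATE} when the start time lies in the future
     *                      without the POSTDATED option; {@code KDC_ERR_NEVER_VALID} when the end
     *                      time precedes the start time or the lifetime is below the configured minimum
     */
    public EncTicketPart makeEncTicketPart() throws KrbException {
        KdcReq kdcReq = this.kdcRequest.getKdcReq();
        KdcConfig config = this.kdcRequest.getKdcContext().getConfig();
        KdcOptions kdcOptions = kdcReq.getReqBody().getKdcOptions();

        EncTicketPart encTicketPart = new EncTicketPart();
        TicketFlags ticketFlags = new TicketFlags();
        encTicketPart.setFlags(ticketFlags);

        ticketFlags.setFlag(TicketFlag.INITIAL);
        if (this.kdcRequest.isPreAuthenticated()) {
            ticketFlags.setFlag(TicketFlag.PRE_AUTH);
        }
        applyRequestedFlags(kdcOptions, config, ticketFlags);

        // Fresh session key for the client/server pair, in the request's encryption type.
        encTicketPart.setKey(EncryptionHandler.random2Key(this.kdcRequest.getEncryptionType()));

        PrincipalName clientPrincipal = getclientPrincipal();
        encTicketPart.setCname(clientPrincipal);
        // A client name without a realm component gets the realm of the request body.
        if (clientPrincipal.getRealm() != null) {
            encTicketPart.setCrealm(clientPrincipal.getRealm());
        } else {
            encTicketPart.setCrealm(kdcReq.getReqBody().getRealm());
        }
        encTicketPart.setTransited(getTransitedEncoding());

        KerberosTime now = KerberosTime.now();
        encTicketPart.setAuthTime(now);

        KerberosTime from = resolveStartTime(kdcReq.getReqBody().getFrom(), kdcOptions, config, now);
        if (kdcOptions.isFlagSet(KdcOption.POSTDATED)) {
            if (!config.isPostdatedAllowed()) {
                throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
            }
            ticketFlags.setFlag(TicketFlag.POSTDATED);
            // Only a postdated ticket carries an explicit start time; otherwise it defaults to authtime.
            encTicketPart.setStartTime(from);
        }

        KerberosTime till = resolveEndTime(kdcReq.getReqBody().getTill(), from, config);
        encTicketPart.setEndTime(till);
        // NOTE(review): diff() appears to be in milliseconds while the maximum lifetime above is
        // multiplied by 1000 — confirm the unit of getMinimumTicketLifetime() matches diff().
        if (Math.abs(till.diff(from)) < config.getMinimumTicketLifetime()) {
            throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
        }

        if (kdcOptions.isFlagSet(KdcOption.RENEWABLE_OK)) {
            // This mutates the request's own KdcOptions object; anything reading the
            // request after this point observes RENEWABLE as set.
            kdcOptions.setFlag(KdcOption.RENEWABLE);
        }
        if (kdcOptions.isFlagSet(KdcOption.RENEWABLE)) {
            if (!config.isRenewableAllowed()) {
                throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
            }
            ticketFlags.setFlag(TicketFlag.RENEWABLE);
            encTicketPart.setRenewtill(resolveRenewTill(kdcReq.getReqBody().getRtime(), from, till, config));
        }

        HostAddresses addresses = kdcReq.getReqBody().getAddresses();
        if (addresses != null && !addresses.isEmpty()) {
            encTicketPart.setClientAddresses(addresses);
        } else if (!config.isEmptyAddressesAllowed()) {
            throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
        }

        AuthorizationData authzData = makeAuthorizationData(this.kdcRequest, encTicketPart);
        if (authzData != null) {
            encTicketPart.setAuthorizationData(authzData);
        }
        return encTicketPart;
    }

    /**
     * Copies the FORWARDABLE, PROXIABLE and ALLOW_POSTDATE request options into ticket flags,
     * rejecting each one that the KDC config disallows. Checked in that order.
     *
     * @throws KrbException {@code KDC_ERR_POLICY} for the first disallowed option
     */
    private static void applyRequestedFlags(KdcOptions kdcOptions, KdcConfig config, TicketFlags ticketFlags)
            throws KrbException {
        if (kdcOptions.isFlagSet(KdcOption.FORWARDABLE)) {
            if (!config.isForwardableAllowed()) {
                LOG.warn("Forward is not allowed.");
                throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
            }
            ticketFlags.setFlag(TicketFlag.FORWARDABLE);
        }
        if (kdcOptions.isFlagSet(KdcOption.PROXIABLE)) {
            if (!config.isProxiableAllowed()) {
                LOG.warn("Proxy is not allowed.");
                throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
            }
            ticketFlags.setFlag(TicketFlag.PROXIABLE);
        }
        if (kdcOptions.isFlagSet(KdcOption.ALLOW_POSTDATE)) {
            if (!config.isPostdatedAllowed()) {
                LOG.warn("Post date is not allowed.");
                throw new KrbException(KrbErrorCode.KDC_ERR_POLICY);
            }
            ticketFlags.setFlag(TicketFlag.MAY_POSTDATE);
        }
    }

    /**
     * Resolves the ticket start time. A missing, past, or within-clock-skew "from" collapses
     * to {@code now}; a genuinely future "from" is only accepted with the POSTDATED option.
     *
     * @throws KrbException {@code KDC_ERR_CANNOT_POSTDATE} for a future start time without POSTDATED
     */
    private static KerberosTime resolveStartTime(KerberosTime requested, KdcOptions kdcOptions,
                                                 KdcConfig config, KerberosTime now) throws KrbException {
        KerberosTime from = requested;
        if (from == null || from.lessThan(now) || from.isInClockSkew(config.getAllowableClockSkew())) {
            from = now;
        }
        if (from.greaterThan(now) && !from.isInClockSkew(config.getAllowableClockSkew())
                && !kdcOptions.isFlagSet(KdcOption.POSTDATED)) {
            throw new KrbException(KrbErrorCode.KDC_ERR_CANNOT_POSTDATE);
        }
        return from;
    }

    /**
     * Resolves the ticket end time as the earlier of the requested "till" and
     * {@code from + maximum ticket lifetime} (RFC 4120 section 3.1.3). A missing or zero
     * "till" means the maximum. Previously a client-supplied "till" was honoured without an
     * upper bound, so the configured maximum only applied when the client omitted it.
     *
     * @throws KrbException {@code KDC_ERR_NEVER_VALID} when the requested end precedes the start
     */
    private static KerberosTime resolveEndTime(KerberosTime requested, KerberosTime from, KdcConfig config)
            throws KrbException {
        // Config value is in seconds; extend() is given milliseconds (same scaling as renew-till below).
        KerberosTime maxTill = from.extend(config.getMaximumTicketLifetime() * 1000);
        if (requested == null || requested.getTime() == 0) {
            return maxTill;
        }
        if (from.greaterThan(requested)) {
            throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
        }
        return requested.greaterThan(maxTill) ? maxTill : requested;
    }

    /**
     * Resolves renew-till: the requested "rtime" (or the end time when absent or zero), capped
     * at {@code from + maximum renewable lifetime}.
     */
    private static KerberosTime resolveRenewTill(KerberosTime requested, KerberosTime from,
                                                 KerberosTime till, KdcConfig config) {
        KerberosTime rtime = (requested == null || requested.getTime() == 0) ? till : requested;
        KerberosTime maxRenew = from.extend(config.getMaximumRenewableLifetime() * 1000);
        return rtime.greaterThan(maxRenew) ? maxRenew : rtime;
    }

    /**
     * Asks the identity service for authorization data to embed in the ticket, after
     * packaging the relevant request state into a {@link KdcClientRequest}. For a TGS-REQ the
     * TGT, TGS principal and the TGS/session/server keys are included as well.
     *
     * @param kdcRequest    the request being processed (cast to {@link TgsRequest} when its
     *                      message type is TGS_REQ)
     * @param encTicketPart the partially built encrypted part, passed through to the identity service
     * @return the authorization data, or null when the identity service returns none
     * @throws KrbException propagated from the identity service
     */
    protected AuthorizationData makeAuthorizationData(KdcRequest kdcRequest, EncTicketPart encTicketPart)
            throws KrbException {
        KdcClientRequest clientRequest = new KdcClientRequest();
        clientRequest.setAnonymous(kdcRequest.isAnonymous());
        clientRequest.setClientAddress(kdcRequest.getClientAddress());
        clientRequest.setClientKey(kdcRequest.getClientKey());
        clientRequest.setClientPrincipal(kdcRequest.getClientPrincipal());
        clientRequest.setClientEntry(kdcRequest.getClientEntry());
        clientRequest.setServerPrincipal(kdcRequest.getServerPrincipal());
        clientRequest.setServerEntry(kdcRequest.getServerEntry());
        clientRequest.setKdcRealm(kdcRequest.getKdcContext().getKdcRealm());
        clientRequest.setEncryptionType(kdcRequest.getEncryptionType());
        clientRequest.setPkinit(kdcRequest.isPkinit());
        clientRequest.setPreAuthenticated(kdcRequest.isPreAuthenticated());
        clientRequest.setToken(kdcRequest.getToken());
        clientRequest.setIsToken(kdcRequest.isToken());

        KrbMessageType msgType = kdcRequest.getKdcReq().getMsgType();
        clientRequest.setMsgType(msgType);
        if (msgType == KrbMessageType.TGS_REQ) {
            // Relies on every TGS_REQ being handled by a TgsRequest instance.
            TgsRequest tgsRequest = (TgsRequest) kdcRequest;
            clientRequest.setTgt(tgsRequest.getTgtTicket());
            clientRequest.setTgsName(tgsRequest.getTgsPrincipal());
            clientRequest.setTgsKeyType(tgsRequest.getEncryptionType());
            clientRequest.setTgsKey(tgsRequest.getTgsEntry().getKey(tgsRequest.getEncryptionType()));
            clientRequest.setTgsSessionKey(tgsRequest.getTgtSessionKey());
            clientRequest.setTgsServerKey(tgsRequest.getServerKey());
        }
        return getKdcContext().getIdentityService().getIdentityAuthorizationData(clientRequest, encTicketPart);
    }

    /**
     * @return the KDC context of the bound request
     */
    protected KdcContext getKdcContext() {
        return this.kdcRequest.getKdcContext();
    }

    /**
     * @return the KDC-REQ message of the bound request
     */
    protected KdcReq getKdcReq() {
        return this.kdcRequest.getKdcReq();
    }

    /**
     * Determines the client principal to put into the ticket. For a token request it is built
     * from the token subject; otherwise it is the request body's cname, whose name type is
     * switched to NT_WELLKNOWN in place for anonymous requests.
     *
     * @return the client principal name (never a copy in the non-token case)
     */
    protected PrincipalName getclientPrincipal() {
        if (this.kdcRequest.isToken()) {
            return new PrincipalName(this.kdcRequest.getToken().getSubject());
        }
        PrincipalName cname = getKdcReq().getReqBody().getCname();
        if (getKdcRequest().isAnonymous()) {
            // Mutates the request's own cname object, not a copy.
            cname.setNameType(NameType.NT_WELLKNOWN);
        }
        return cname;
    }

    /**
     * @return the server principal requested in the KDC-REQ body
     */
    protected PrincipalName getServerPrincipal() {
        return getKdcReq().getReqBody().getSname();
    }

    /**
     * @return the encryption type used for the ticket; by default the request's encryption type
     * @throws KrbException never here; declared for subclasses
     */
    protected EncryptionType getTicketEncryptionType() throws KrbException {
        return this.kdcRequest.getEncryptionType();
    }

    /**
     * Looks up the server entry's key for the ticket encryption type.
     *
     * @return the server key used to seal the ticket
     * @throws KrbException {@code KDC_ERR_ETYPE_NOSUPP} when the server entry has no key of that
     *                      type (previously this surfaced as a NullPointerException from sealing)
     */
    protected EncryptionKey getTicketEncryptionKey() throws KrbException {
        EncryptionType etype = getTicketEncryptionType();
        EncryptionKey serverKey = this.kdcRequest.getServerEntry().getKeys().get(etype);
        if (serverKey == null) {
            throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP);
        }
        return serverKey;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @return an empty transited encoding of type DOMAIN_X500_COMPRESS (no cross-realm hops recorded)
     */
    public TransitedEncoding getTransitedEncoding() {
        TransitedEncoding transitedEncoding = new TransitedEncoding();
        transitedEncoding.setTrType(TransitedEncodingType.DOMAIN_X500_COMPRESS);
        transitedEncoding.setContents(new byte[0]);
        return transitedEncoding;
    }
}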
