package org.apache.kerby.kerberos.kerb.server.request;

import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.util.Date;
import java.util.List;
import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.common.KrbUtil;
import org.apache.kerby.kerberos.kerb.crypto.CheckSumHandler;
import org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler;
import org.apache.kerby.kerberos.kerb.crypto.fast.FastUtil;
import org.apache.kerby.kerberos.kerb.request.KrbIdentity;
import org.apache.kerby.kerberos.kerb.server.KdcContext;
import org.apache.kerby.kerberos.kerb.server.KdcRecoverableException;
import org.apache.kerby.kerberos.kerb.server.preauth.KdcFastContext;
import org.apache.kerby.kerberos.kerb.server.preauth.PreauthContext;
import org.apache.kerby.kerberos.kerb.server.preauth.PreauthHandler;
import org.apache.kerby.kerberos.kerb.type.ap.ApReq;
import org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.kerby.kerberos.kerb.type.base.CheckSum;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.EtypeInfo;
import org.apache.kerby.kerberos.kerb.type.base.EtypeInfo2;
import org.apache.kerby.kerberos.kerb.type.base.EtypeInfo2Entry;
import org.apache.kerby.kerberos.kerb.type.base.EtypeInfoEntry;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.KrbError;
import org.apache.kerby.kerberos.kerb.type.base.KrbMessage;
import org.apache.kerby.kerberos.kerb.type.base.MethodData;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.fast.ArmorType;
import org.apache.kerby.kerberos.kerb.type.fast.KrbFastArmor;
import org.apache.kerby.kerberos.kerb.type.fast.KrbFastArmoredReq;
import org.apache.kerby.kerberos.kerb.type.fast.KrbFastReq;
import org.apache.kerby.kerberos.kerb.type.fast.PaFxFastRequest;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcOption;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcOptions;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcRep;
import org.apache.kerby.kerberos.kerb.type.kdc.KdcReq;
import org.apache.kerby.kerberos.kerb.type.pa.PaData;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
import org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/kerb-server-1.1.1.jar:org/apache/kerby/kerberos/kerb/server/request/KdcRequest.class */
public abstract class KdcRequest {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) KdcRequest.class);
    private final KdcReq kdcReq;
    private final KdcContext kdcContext;
    private Ticket ticket;
    private boolean isPreAuthenticated;
    private KdcRep reply;
    private InetAddress clientAddress;
    private EncryptionType encryptionType;
    private EncryptionKey clientKey;
    private KrbIdentity clientEntry;
    private KrbIdentity serverEntry;
    private EncryptionKey serverKey;
    private KrbIdentity tgsEntry;
    private PreauthContext preauthContext;
    private PrincipalName clientPrincipal;
    private PrincipalName serverPrincipal;
    private byte[] innerBodyout;
    private AuthToken token;
    private EncryptionKey sessionKey;
    private ByteBuffer reqPackage;
    private boolean isTcp = true;
    private boolean isToken = false;
    private boolean isPkinit = false;
    private boolean isAnonymous = false;
    private boolean isHttps = false;
    private boolean isCrossRealm = false;
    private String remoteRealm = null;
    private KdcFastContext fastContext = new KdcFastContext();

    public EncryptionKey getSessionKey() {
        return this.sessionKey;
    }

    public void setSessionKey(EncryptionKey encryptionKey) {
        this.sessionKey = encryptionKey;
    }

    public KdcRequest(KdcReq kdcReq, KdcContext kdcContext) {
        this.kdcReq = kdcReq;
        this.kdcContext = kdcContext;
        this.preauthContext = kdcContext.getPreauthHandler().preparePreauthContext(this);
    }

    public KdcContext getKdcContext() {
        return this.kdcContext;
    }

    public KdcReq getKdcReq() {
        return this.kdcReq;
    }

    public PreauthContext getPreauthContext() {
        return this.preauthContext;
    }

    public void process() throws KrbException {
        checkVersion();
        checkTgsEntry();
        if (isPreauthRequired()) {
            kdcFindFast();
        }
        checkEncryptionType();
        if (PreauthHandler.isToken(getKdcReq().getPaData())) {
            this.isToken = true;
            if (isPreauthRequired()) {
                preauth();
            }
            checkClient();
            checkServer();
        } else {
            if (PreauthHandler.isPkinit(getKdcReq().getPaData())) {
                this.isPkinit = true;
            }
            checkClient();
            checkServer();
            if (isPreauthRequired()) {
                preauth();
            }
        }
        checkPolicy();
        issueTicket();
        makeReply();
    }

    private void checkTgsEntry() throws KrbException {
        setTgsEntry(getEntry(getTgsPrincipal().getName()));
    }

    private void kdcFindFast() throws KrbException {
        KrbFastArmor armor;
        PaData paData = getKdcReq().getPaData();
        if (paData != null) {
            for (T t : paData.getElements()) {
                if (t.getPaDataType() == PaDataType.FX_FAST) {
                    LOG.info("Found fast padata and starting to process it.");
                    try {
                        KrbFastArmoredReq fastArmoredReq = ((PaFxFastRequest) KrbCodec.decode(t.getPaDataValue(), PaFxFastRequest.class)).getFastArmoredReq();
                        if (fastArmoredReq == null || (armor = fastArmoredReq.getArmor()) == null) {
                            return;
                        }
                        try {
                            armorApRequest(armor);
                            if (getArmorKey() == null) {
                                return;
                            }
                            try {
                                try {
                                    this.innerBodyout = KrbCodec.encode(((KrbFastReq) KrbCodec.decode(EncryptionHandler.decrypt(fastArmoredReq.getEncryptedFastReq(), getArmorKey(), KeyUsage.FAST_ENC), KrbFastReq.class)).getKdcReqBody());
                                    CheckSum reqChecksum = fastArmoredReq.getReqChecksum();
                                    if (reqChecksum == null) {
                                        LOG.warn("Checksum is empty.");
                                        throw new KrbException(KrbErrorCode.KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED);
                                    }
                                    try {
                                        try {
                                            if (!CheckSumHandler.verifyWithKey(reqChecksum, KrbCodec.encode(getKdcReq().getReqBody()), getArmorKey().getKeyData(), KeyUsage.FAST_REQ_CHKSUM)) {
                                                LOG.error("Verify the KdcReqBody failed.");
                                                throw new KrbException("Verify the KdcReqBody failed. ");
                                            }
                                        } catch (KrbException e) {
                                            String str = "Verify the KdcReqBody failed. " + e.getMessage();
                                            LOG.error(str);
                                            throw new KrbException(str);
                                        }
                                    } catch (KrbException e2) {
                                        String str2 = "Encode the ReqBody failed. " + e2.getMessage();
                                        LOG.error(str2);
                                        throw new KrbException(str2);
                                    }
                                } catch (KrbException e3) {
                                    String str3 = "Encode KdcReqBody failed. " + e3.getMessage();
                                    LOG.error(str3);
                                    throw new KrbException(str3);
                                }
                            } catch (KrbException e4) {
                                String str4 = "Decode KrbFastReq failed. " + e4.getMessage();
                                LOG.error(str4);
                                throw new KrbException(str4);
                            }
                        } catch (KrbException e5) {
                            String str5 = "Get armor key failed. " + e5.getMessage();
                            LOG.error(str5);
                            throw new KrbException(str5);
                        }
                    } catch (KrbException e6) {
                        String str6 = "Decode PaFxFastRequest failed. " + e6.getMessage();
                        LOG.error(str6);
                        throw new KrbException(str6);
                    }
                }
            }
        }
    }

    private void armorApRequest(KrbFastArmor krbFastArmor) throws KrbException {
        if (krbFastArmor.getArmorType() == ArmorType.ARMOR_AP_REQUEST) {
            try {
                ApReq apReq = (ApReq) KrbCodec.decode(krbFastArmor.getArmorValue(), ApReq.class);
                Ticket ticket = apReq.getTicket();
                EncryptionKey encryptionKey = getTgsEntry().getKeys().get(ticket.getEncryptedEncPart().getEType());
                if (ticket.getTktvno() != 5) {
                    LOG.error(KrbErrorCode.KRB_AP_ERR_BADVERSION.getMessage());
                    throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
                }
                try {
                    ticket.setEncPart((EncTicketPart) EncryptionUtil.unseal(ticket.getEncryptedEncPart(), encryptionKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class));
                    EncryptionKey key = ticket.getEncPart().getKey();
                    setSessionKey(key);
                    try {
                        try {
                            setArmorKey(FastUtil.cf2(((Authenticator) EncryptionUtil.unseal(apReq.getEncryptedAuthenticator(), key, KeyUsage.AP_REQ_AUTH, Authenticator.class)).getSubKey(), "subkeyarmor", key, "ticketarmor"));
                        } catch (KrbException e) {
                            String str = "Create armor key failed. " + e.getMessage();
                            LOG.error(str);
                            throw new KrbException(str);
                        }
                    } catch (KrbException e2) {
                        String str2 = "Unseal Authenticator failed. " + e2.getMessage();
                        LOG.error(str2);
                        throw new KrbException(str2);
                    }
                } catch (KrbException e3) {
                    String str3 = "Unseal EncTicketPart failed. " + e3.getMessage();
                    LOG.error(str3);
                    throw new KrbException(str3);
                }
            } catch (KrbException e4) {
                String str4 = "Decode ApReq failed. " + e4.getMessage();
                LOG.error(str4);
                throw new KrbException(str4);
            }
        }
    }

    public KrbIdentity getTgsEntry() {
        return this.tgsEntry;
    }

    public void setTgsEntry(KrbIdentity krbIdentity) {
        this.tgsEntry = krbIdentity;
    }

    public boolean isTcp() {
        return this.isTcp;
    }

    public void isTcp(boolean z) {
        this.isTcp = z;
    }

    public KrbMessage getReply() {
        return this.reply;
    }

    public void setReply(KdcRep kdcRep) {
        this.reply = kdcRep;
    }

    public InetAddress getClientAddress() {
        return this.clientAddress;
    }

    public void setClientAddress(InetAddress inetAddress) {
        this.clientAddress = inetAddress;
    }

    public EncryptionType getEncryptionType() {
        return this.encryptionType;
    }

    public void setEncryptionType(EncryptionType encryptionType) {
        this.encryptionType = encryptionType;
    }

    public Ticket getTicket() {
        return this.ticket;
    }

    public void setTicket(Ticket ticket) {
        this.ticket = ticket;
    }

    public boolean isPreAuthenticated() {
        return this.isPreAuthenticated;
    }

    public void setPreAuthenticated(boolean z) {
        this.isPreAuthenticated = z;
    }

    public KrbIdentity getServerEntry() {
        return this.serverEntry;
    }

    public void setServerEntry(KrbIdentity krbIdentity) {
        this.serverEntry = krbIdentity;
    }

    public KrbIdentity getClientEntry() {
        return this.clientEntry;
    }

    public void setClientEntry(KrbIdentity krbIdentity) {
        this.clientEntry = krbIdentity;
    }

    public EncryptionKey getClientKey(EncryptionType encryptionType) throws KrbException {
        return getClientEntry().getKey(encryptionType);
    }

    public EncryptionKey getClientKey() {
        return this.clientKey;
    }

    public void setClientKey(EncryptionKey encryptionKey) {
        this.clientKey = encryptionKey;
    }

    public EncryptionKey getServerKey() {
        return this.serverKey;
    }

    public void setServerKey(EncryptionKey encryptionKey) {
        this.serverKey = encryptionKey;
    }

    public PrincipalName getTgsPrincipal() {
        return KrbUtil.makeTgsPrincipal(this.kdcContext.getKdcRealm());
    }

    public PrincipalName getCrossRealmTgsPrincipal(String str) {
        return KrbUtil.makeCrossRealmPrincipal(this.kdcContext.getKdcRealm(), str);
    }

    public KrbIdentity getCrossRealmTgsEntry(String str) throws KrbException {
        PrincipalName crossRealmTgsPrincipal = getCrossRealmTgsPrincipal(str);
        KrbIdentity krbIdentity = null;
        if (crossRealmTgsPrincipal != null) {
            krbIdentity = getEntry(crossRealmTgsPrincipal.getName());
        }
        return krbIdentity;
    }

    public boolean checkCrossRealm(String str) throws KrbException {
        if (str == null || this.kdcContext.getKdcRealm() == null) {
            throw new KrbException("Missing the realm.");
        }
        this.isCrossRealm = !this.kdcContext.getKdcRealm().equals(str);
        this.remoteRealm = str;
        return this.isCrossRealm;
    }

    public boolean isCrossRealm() {
        return this.isCrossRealm;
    }

    public String getRemoteRealm() {
        return this.remoteRealm;
    }

    protected abstract void makeReply() throws KrbException;

    protected void checkVersion() throws KrbException {
        int pvno = getKdcReq().getPvno();
        if (pvno != 5) {
            LOG.warn("Kerberos version: " + pvno + " should equal to 5");
            throw new KrbException(KrbErrorCode.KDC_ERR_BAD_PVNO);
        }
    }

    protected void checkPolicy() throws KrbException {
        KrbIdentity clientEntry = getClientEntry();
        if (clientEntry == null) {
            LOG.info("Client entry is empty, token preauth or cross realm.");
            return;
        }
        if (clientEntry.isDisabled()) {
            LOG.warn("Client entry " + clientEntry.getPrincipalName() + " is disabled.");
            throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
        }
        if (clientEntry.isLocked()) {
            LOG.warn("Client entry " + clientEntry.getPrincipalName() + " is expired.");
            throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
        }
        if (clientEntry.getExpireTime().lessThan(new Date().getTime())) {
            throw new KrbException(KrbErrorCode.KDC_ERR_CLIENT_REVOKED);
        }
    }

    protected abstract void checkClient() throws KrbException;

    protected void preauth() throws KrbException {
        KdcReq kdcReq = getKdcReq();
        PaData paData = kdcReq.getPaData();
        if (this.isAnonymous && !this.isPkinit) {
            LOG.info("Need PKINIT.");
            throw new KdcRecoverableException(makePreAuthenticationError(this.kdcContext, kdcReq, KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, true));
        }
        if (paData == null || paData.isEmpty()) {
            LOG.info("The preauth data is empty.");
            throw new KdcRecoverableException(makePreAuthenticationError(this.kdcContext, kdcReq, KrbErrorCode.KDC_ERR_PREAUTH_REQUIRED, false));
        }
        getPreauthHandler().verify(this, paData);
        setPreAuthenticated(true);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void setPreauthRequired(boolean z) {
        this.preauthContext.setPreauthRequired(z);
    }

    protected boolean isPreauthRequired() {
        return this.preauthContext.isPreauthRequired();
    }

    protected PreauthHandler getPreauthHandler() {
        return this.kdcContext.getPreauthHandler();
    }

    protected void checkEncryptionType() throws KrbException {
        EncryptionType bestEncryptionType = EncryptionUtil.getBestEncryptionType(getKdcReq().getReqBody().getEtypes(), this.kdcContext.getConfig().getEncryptionTypes());
        if (bestEncryptionType == null) {
            LOG.error("Can't get the best encryption type.");
            throw new KrbException(KrbErrorCode.KDC_ERR_ETYPE_NOSUPP);
        }
        setEncryptionType(bestEncryptionType);
    }

    protected void authenticate() throws KrbException {
        checkEncryptionType();
        checkPolicy();
    }

    protected abstract void issueTicket() throws KrbException;

    private void checkServer() throws KrbException {
        KdcReq kdcReq = getKdcReq();
        PrincipalName sname = kdcReq.getReqBody().getSname();
        String realm = kdcReq.getReqBody().getRealm();
        if (realm == null || realm.isEmpty()) {
            LOG.info("Can't get the server realm from request, and try to get from kdcContext.");
            realm = this.kdcContext.getKdcRealm();
        }
        sname.setRealm(realm);
        KrbIdentity entry = getEntry(sname.getName());
        if (entry == null) {
            LOG.error("Principal: " + sname.getName() + " is not known");
            throw new KrbException(KrbErrorCode.KDC_ERR_S_PRINCIPAL_UNKNOWN);
        }
        setServerEntry(entry);
        for (EncryptionType encryptionType : kdcReq.getReqBody().getEtypes()) {
            if (entry.getKeys().containsKey(encryptionType)) {
                setServerKey(entry.getKeys().get(encryptionType));
                return;
            }
        }
    }

    protected KrbError makePreAuthenticationError(KdcContext kdcContext, KdcReq kdcReq, KrbErrorCode krbErrorCode, boolean z) throws KrbException {
        List<EncryptionType> encryptionTypes = kdcContext.getConfig().getEncryptionTypes();
        List<EncryptionType> etypes = kdcReq.getReqBody().getEtypes();
        EtypeInfo2 etypeInfo2 = new EtypeInfo2();
        EtypeInfo etypeInfo = new EtypeInfo();
        for (EncryptionType encryptionType : encryptionTypes) {
            if (etypes.contains(encryptionType)) {
                if (1 == 0) {
                    EtypeInfoEntry etypeInfoEntry = new EtypeInfoEntry();
                    etypeInfoEntry.setEtype(encryptionType);
                    etypeInfoEntry.setSalt(null);
                    etypeInfo.add(etypeInfoEntry);
                }
                EtypeInfo2Entry etypeInfo2Entry = new EtypeInfo2Entry();
                etypeInfo2Entry.setEtype(encryptionType);
                etypeInfo2.add(etypeInfo2Entry);
            }
        }
        byte[] encode = 1 == 0 ? KrbCodec.encode(etypeInfo) : null;
        byte[] encode2 = KrbCodec.encode(etypeInfo2);
        MethodData methodData = new MethodData();
        if (1 == 0) {
            methodData.add(new PaDataEntry(PaDataType.ETYPE_INFO, encode));
        }
        methodData.add(new PaDataEntry(PaDataType.ETYPE_INFO2, encode2));
        if (z) {
            methodData.add(new PaDataEntry(PaDataType.PK_AS_REQ, "empty".getBytes()));
            methodData.add(new PaDataEntry(PaDataType.PK_AS_REP, "empty".getBytes()));
        }
        KrbError krbError = new KrbError();
        krbError.setErrorCode(krbErrorCode);
        krbError.setEdata(KrbCodec.encode(methodData));
        return krbError;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public KrbIdentity getEntry(String str) throws KrbException {
        return this.kdcContext.getIdentityService().getIdentity(str);
    }

    protected ByteBuffer getRequestBody() throws KrbException {
        return null;
    }

    public EncryptionKey getArmorKey() throws KrbException {
        return this.fastContext.getArmorKey();
    }

    protected void setArmorKey(EncryptionKey encryptionKey) {
        this.fastContext.setArmorKey(encryptionKey);
    }

    public PrincipalName getClientPrincipal() {
        return this.clientPrincipal;
    }

    public void setClientPrincipal(PrincipalName principalName) {
        this.clientPrincipal = principalName;
    }

    public PrincipalName getServerPrincipal() {
        return this.serverPrincipal;
    }

    public void setServerPrincipal(PrincipalName principalName) {
        this.serverPrincipal = principalName;
    }

    protected byte[] getInnerBodyout() {
        return this.innerBodyout;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isToken() {
        return this.isToken;
    }

    public boolean isHttps() {
        return this.isHttps;
    }

    public void setHttps(boolean z) {
        this.isHttps = z;
    }

    public void setToken(AuthToken authToken) {
        this.token = authToken;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AuthToken getToken() {
        return this.token;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isPkinit() {
        return this.isPkinit;
    }

    public boolean isAnonymous() {
        return getKdcOptions().isFlagSet(KdcOption.REQUEST_ANONYMOUS);
    }

    public KdcOptions getKdcOptions() {
        return this.kdcReq.getReqBody().getKdcOptions();
    }

    public void setReqPackage(ByteBuffer byteBuffer) {
        this.reqPackage = byteBuffer;
    }

    public ByteBuffer getReqPackage() {
        return this.reqPackage;
    }
}
