package uk.ac.ceh.components.userstore.springsecurity;

import java.beans.ConstructorProperties;
import java.io.File;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.springframework.security.authentication.BadCredentialsException;

/* loaded from: input_file:uk/ac/ceh/components/userstore/springsecurity/GSSKerberosTicketValidator.class */
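/**
 * Validates Kerberos service tickets through the JGSS API on behalf of a
 * service principal whose long-term key is held in a keytab.
 * <p>
 * At construction time the service principal is logged in with the
 * {@code Krb5LoginModule} (keytab only, no prompting, acceptor only) and the
 * resulting {@link Subject} is retained. Each later
 * {@link #validateTicket(byte[])} call accepts the client's token inside
 * {@code Subject.doAs} for that subject, so the acceptor credential is
 * resolved from the stored keytab keys.
 */
public class GSSKerberosTicketValidator implements KerberosTicketValidator {
    /** Subject holding the service principal and the keys the keytab login stored in it. */
    private final Subject serviceSubject;
    /** Host part of the service principal, e.g. {@code some.domain} for {@code HTTP/some.domain@AD.DOMAIN}. */
    private final String servicePrincipalDomain;

    /**
     * Privileged action that accepts one client token and reports the
     * authenticated initiator's name. It is executed inside
     * {@code Subject.doAs} so that the acceptor credential comes from the
     * service subject rather than from an explicit {@link GSSCredential}.
     */
    private static class KerberosValidateAction implements PrivilegedExceptionAction<String> {
        private final byte[] kerberosTicket;

        KerberosValidateAction(byte[] kerberosTicket) {
            this.kerberosTicket = kerberosTicket;
        }

        /**
         * Accepts the token and returns the initiator's GSS name.
         *
         * @return the client principal name as rendered by {@code GSSName#toString()}
         * @throws GSSException if the token is rejected or does not establish the context
         */
        @Override
        public String run() throws GSSException {
            // A null credential lets the acceptor pick up the keys from the current Subject.
            GSSContext context = GSSManager.getInstance().createContext((GSSCredential) null);
            try {
                context.acceptSecContext(kerberosTicket, 0, kerberosTicket.length);
                // The source name is only meaningful once the context is established;
                // a single Kerberos AP-REQ token is expected to get there in one step.
                if (!context.isEstablished()) {
                    throw new GSSException(GSSException.FAILURE, 0,
                            "Security context not established from the supplied ticket");
                }
                return context.getSrcName().toString();
            } finally {
                // Release the context even when acceptance fails, otherwise it leaks.
                context.dispose();
            }
        }
    }

    /**
     * In-memory JAAS configuration for a keytab-backed, non-interactive service
     * login. The application name handed to {@link LoginContext} is ignored:
     * every name yields the same single required {@code Krb5LoginModule} entry.
     */
    private static class LoginConfig extends Configuration {
        private static final String KRB5_LOGIN_MODULE = "com.sun.security.auth.module.Krb5LoginModule";

        private final File keyTabLocation;
        private final String servicePrincipalName;

        @ConstructorProperties({"keyTabLocation", "servicePrincipalName"})
        public LoginConfig(File keyTabLocation, String servicePrincipalName) {
            this.keyTabLocation = keyTabLocation;
            this.servicePrincipalName = servicePrincipalName;
        }

        /**
         * Builds the single {@code Krb5LoginModule} entry for the service principal.
         *
         * @param name ignored; the same entry is returned for any application name
         * @return a one-element array holding the required keytab login entry
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<>();
            options.put("useKeyTab", "true");
            options.put("keyTab", keyTabLocation.getAbsolutePath());
            options.put("principal", servicePrincipalName);
            // storeKey keeps the key in the Subject so later GSS acceptors can decrypt
            // tickets; doNotPrompt forbids any password prompt; isInitiator=false logs
            // in as an acceptor only (no TGT is requested).
            options.put("storeKey", "true");
            options.put("doNotPrompt", "true");
            options.put("isInitiator", "false");
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(KRB5_LOGIN_MODULE,
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
            };
        }

        public File getKeyTabLocation() {
            return this.keyTabLocation;
        }

        public String getServicePrincipalName() {
            return this.servicePrincipalName;
        }

        @Override
        public String toString() {
            return "GSSKerberosTicketValidator.LoginConfig(keyTabLocation=" + getKeyTabLocation()
                    + ", servicePrincipalName=" + getServicePrincipalName() + ")";
        }

        @Override
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof LoginConfig)) {
                return false;
            }
            LoginConfig other = (LoginConfig) obj;
            if (!other.canEqual(this)) {
                return false;
            }
            return Objects.equals(getKeyTabLocation(), other.getKeyTabLocation())
                    && Objects.equals(getServicePrincipalName(), other.getServicePrincipalName());
        }

        /** Lombok-style hook that lets a subclass opt out of symmetric equality. */
        protected boolean canEqual(Object obj) {
            return obj instanceof LoginConfig;
        }

        @Override
        public int hashCode() {
            // Same 59-multiplier scheme as the generated implementation this replaces,
            // so hash values are unchanged.
            int result = 1;
            result = result * 59 + Objects.hashCode(getKeyTabLocation());
            result = result * 59 + Objects.hashCode(getServicePrincipalName());
            return result;
        }
    }

    /**
     * Logs the service principal in from its keytab and retains the resulting subject.
     *
     * @param keyTabLocation keytab file holding the service principal's key
     * @param servicePrincipalName full principal in the form {@code HTTP/some.domain@AD.DOMAIN}
     * @throws LoginException if the keytab login fails
     * @throws IllegalArgumentException if the principal is not in the expected form
     * @throws NullPointerException if either argument is {@code null}
     */
    public GSSKerberosTicketValidator(File keyTabLocation, String servicePrincipalName) throws LoginException {
        Objects.requireNonNull(keyTabLocation, "keyTabLocation");
        Objects.requireNonNull(servicePrincipalName, "servicePrincipalName");
        // Check the principal format before attempting the login so a misconfiguration
        // fails fast with a clear message instead of after a round trip to the KDC.
        this.servicePrincipalDomain = getServicePrincipalDomain(servicePrincipalName);

        Set<KerberosPrincipal> principals = new HashSet<>(1);
        principals.add(new KerberosPrincipal(servicePrincipalName));
        Subject subject = new Subject(false, principals, new HashSet<>(), new HashSet<>());
        // The configuration name is irrelevant: LoginConfig returns the same entry for any name.
        LoginContext loginContext = new LoginContext("", subject, (CallbackHandler) null,
                new LoginConfig(keyTabLocation, servicePrincipalName));
        loginContext.login();
        this.serviceSubject = loginContext.getSubject();
    }

    /**
     * Validates a client's Kerberos token against the service subject.
     *
     * @param kerberosTicket the GSS token received from the client
     * @return the authenticated client principal name
     * @throws BadCredentialsException if the token is missing, empty, or rejected by GSS
     */
    @Override
    public String validateTicket(byte[] kerberosTicket) throws BadCredentialsException {
        // Reject absent input here so it surfaces as a credential failure rather than
        // as a NullPointerException escaping from the privileged action.
        if (kerberosTicket == null || kerberosTicket.length == 0) {
            throw new BadCredentialsException("Kerberos ticket is missing or empty");
        }
        try {
            // NOTE: Subject.doAs is deprecated from Java 18 in favour of Subject.callAs;
            // kept here because the required Java level of this module is not known.
            return Subject.doAs(serviceSubject, new KerberosValidateAction(kerberosTicket));
        } catch (PrivilegedActionException e) {
            // Keep the GSS failure as the cause for diagnostics; the message stays generic.
            throw new BadCredentialsException("Kerberos validation not successful", e);
        }
    }

    /**
     * Returns the host part of the service principal this validator was built with.
     *
     * @return e.g. {@code some.domain} for {@code HTTP/some.domain@AD.DOMAIN}
     */
    @Override
    public String getServicePrincipalHostname() {
        return this.servicePrincipalDomain;
    }

    /**
     * Extracts the host part of a service principal of the form
     * {@code HTTP/some.domain@AD.DOMAIN}.
     *
     * @param servicePrincipalName the full service principal
     * @return the text between the first {@code '/'} and the first {@code '@'}
     * @throws IllegalArgumentException if either separator is missing, they are out of
     *         order, or the host part between them is empty
     */
    private static String getServicePrincipalDomain(String servicePrincipalName) {
        int slash = servicePrincipalName.indexOf('/');
        int at = servicePrincipalName.indexOf('@');
        // Both separators must be present, '/' first, with at least one character between them.
        if (slash == -1 || at == -1 || slash + 1 >= at) {
            throw new IllegalArgumentException(
                    "The service principal is not in the form 'HTTP/some.domain@AD.DOMAIN'");
        }
        return servicePrincipalName.substring(slash + 1, at);
    }
}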
