package com.fr.third.jgroups.auth;

import com.fr.third.jgroups.Message;
import com.fr.third.jgroups.annotations.Experimental;
import com.fr.third.jgroups.annotations.Property;
import com.fr.third.jgroups.util.Util;
import java.io.DataInput;
import java.io.DataOutput;
import java.io.IOException;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSException;

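/* loaded from: input_file:fine-core-10.0.jar:com/fr/third/jgroups/auth/Krb5Token.class */
/**
 * Kerberos-based {@link AuthToken}: logs in a client principal, sends a service ticket to the
 * peer, and validates the ticket received from the peer.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The client password is kept as a {@code String} field for the lifetime of the token.
 *       It is excluded from managed attributes ({@code exposeAsManagedAttribute = false}) but is
 *       never cleared here, so it remains readable in a heap dump.</li>
 *   <li>If the local login fails, {@link #setValue(Properties)} only logs a warning. The token
 *       then fails closed: {@link #authenticate(AuthToken, Message)} rejects every peer and
 *       {@link #writeTo(DataOutput)} writes nothing.</li>
 *   <li>A peer is accepted only when the name returned by ticket validation equals this node's
 *       own {@code client_principal_name}.</li>
 * </ul>
 */
@Experimental
public class Krb5Token extends AuthToken {
    // Name of the JAAS login configuration entry; the spelling is part of the runtime contract.
    private static final String JASS_SECURITY_CONFIG = "JGoupsKrb5TokenSecurityConf";
    public static final String CLIENT_PRINCIPAL_NAME = "client_principal_name";
    public static final String CLIENT_PASSWORD = "client_password";
    public static final String SERVICE_PRINCIPAL_NAME = "service_principal_name";
    private static final Krb5TokenUtils kerb5Utils = new Krb5TokenUtils();

    @Property
    protected String client_principal_name;

    // Secret: deliberately not exposed as a managed attribute. Do not add it to log output.
    @Property(exposeAsManagedAttribute = false)
    protected String client_password;

    @Property
    protected String service_principal_name;

    // Non-null only after a successful login; this is the sole "authenticated" flag.
    private Subject subject;
    // Ticket generated locally in writeTo() and sent to the peer.
    private byte[] krbServiceTicket;
    // Ticket decoded from the peer in readFrom(); untrusted until validated.
    private byte[] remoteKrbServiceTicket;

    /**
     * Copies the three Kerberos settings out of {@code properties}, removes each consumed key
     * from it, and then attempts the client login.
     *
     * <p>A failed login is logged at warn level and leaves the token unauthenticated; no
     * exception reaches the caller.
     *
     * @param properties configuration to read from; consumed keys are removed
     */
    public void setValue(Properties properties) {
        String principal = properties.getProperty(CLIENT_PRINCIPAL_NAME);
        if (principal != null) {
            this.client_principal_name = principal;
            properties.remove(CLIENT_PRINCIPAL_NAME);
        }
        String password = properties.getProperty(CLIENT_PASSWORD);
        if (password != null) {
            this.client_password = password;
            // Removed so the secret does not linger in the shared Properties object.
            properties.remove(CLIENT_PASSWORD);
        }
        String servicePrincipal = properties.getProperty(SERVICE_PRINCIPAL_NAME);
        if (servicePrincipal != null) {
            this.service_principal_name = servicePrincipal;
            properties.remove(SERVICE_PRINCIPAL_NAME);
        }
        try {
            authenticateClientPrincipal();
        } catch (Exception e) {
            this.log.warn("Krb5Token failed to authenticate", e);
            // Fail closed: without a Subject every later authenticate() call returns false.
            this.subject = null;
        }
    }

    /** Returns the fully qualified class name of this token type. */
    @Override
    public String getName() {
        return Krb5Token.class.getName();
    }

    /**
     * Decides whether the peer that sent {@code authToken} is accepted.
     *
     * @param authToken token received from the peer; must be a {@code Krb5Token}
     * @param message the message that carried the token (not inspected here)
     * @return {@code true} only if this node is logged in and the peer's ticket validates;
     *         every failure path returns {@code false}
     */
    @Override
    public boolean authenticate(AuthToken authToken, Message message) {
        if (!isAuthenticated()) {
            this.log.error(Util.getMessage("Krb5TokenFailedToSetupCorrectlyCannotAuthenticateAnyPeers"));
            return false;
        }
        // instanceof is false for null, so this also rejects a missing token.
        if (!(authToken instanceof Krb5Token)) {
            return false;
        }
        try {
            validateRemoteServiceTicket((Krb5Token) authToken);
            return true;
        } catch (Exception e) {
            // Any validation error, including unexpected runtime exceptions, denies access.
            this.log.error(Util.getMessage("Krb5TokenServiceTicketValidationFailed"), e);
            return false;
        }
    }

    /**
     * Generates a fresh service ticket and writes it to {@code dataOutput}.
     *
     * <p>Writes nothing when the local login failed, whereas {@link #readFrom(DataInput)} always
     * attempts to decode a ticket.
     * NOTE(review): confirm how the receiving side behaves when no ticket bytes were written.
     *
     * @throws IOException if ticket generation or encoding fails
     */
    @Override
    public void writeTo(DataOutput dataOutput) throws IOException {
        if (isAuthenticated()) {
            generateServiceTicket();
            writeServiceTicketToSream(dataOutput);
        }
    }

    /**
     * Decodes the peer's service ticket from {@code dataInput} and stores it for later
     * validation; the bytes are not trusted at this point.
     *
     * @throws IOException if decoding fails
     */
    @Override
    public void readFrom(DataInput dataInput) throws IOException, IllegalAccessException, InstantiationException {
        readRemoteServiceTicketFromStream(dataInput);
    }

    /** Returns the serialized size of the locally generated ticket as computed by {@code Util.size}. */
    @Override
    public int size() {
        return Util.size(this.krbServiceTicket);
    }

    /** Returns whether the local client login produced a {@link Subject}. */
    private boolean isAuthenticated() {
        return this.subject != null;
    }

    /** Logs the client principal in through the JAAS entry and stores the resulting subject. */
    private void authenticateClientPrincipal() throws LoginException {
        this.subject = kerb5Utils.generateSecuritySubject(JASS_SECURITY_CONFIG, this.client_principal_name, this.client_password);
    }

    /** Obtains a service ticket for {@code service_principal_name}; GSS failures become {@link IOException}. */
    private void generateServiceTicket() throws IOException {
        try {
            this.krbServiceTicket = Krb5TokenUtils.initiateSecurityContext(this.subject, this.service_principal_name);
        } catch (GSSException e) {
            throw new IOException("Failed to generate serviceticket", e);
        }
    }

    /**
     * Validates the ticket carried by the peer's token and checks the resulting principal name.
     *
     * @param krb5Token the peer's token, as populated by {@link #readFrom(DataInput)}
     * @throws Exception if the ticket is missing, fails validation, or names another principal
     */
    private void validateRemoteServiceTicket(Krb5Token krb5Token) throws Exception {
        byte[] remoteTicket = krb5Token.remoteKrbServiceTicket;
        // Reject an absent ticket explicitly instead of relying on a failure inside the
        // validation helper; the caller turns this into a denied authentication.
        if (remoteTicket == null) {
            throw new SecurityException("Remote service ticket is missing");
        }
        // presumably the principal that initiated the security context; confirm in Krb5TokenUtils
        String remotePrincipal = Krb5TokenUtils.validateSecurityContext(this.subject, remoteTicket);
        if (remotePrincipal == null || !remotePrincipal.equals(this.client_principal_name)) {
            throw new SecurityException("Client Principal Names did not match");
        }
    }

    /** Encodes the local ticket onto the stream, wrapping non-I/O failures in {@link IOException}. */
    private void writeServiceTicketToSream(DataOutput dataOutput) throws IOException {
        try {
            Krb5TokenUtils.encodeDataToStream(this.krbServiceTicket, dataOutput);
        } catch (IOException e) {
            // Rethrown unchanged so it is not wrapped a second time below.
            throw e;
        } catch (Exception e) {
            throw new IOException(e);
        }
    }

    /** Decodes the peer's ticket from the stream, wrapping non-I/O failures in {@link IOException}. */
    private void readRemoteServiceTicketFromStream(DataInput dataInput) throws IOException {
        try {
            this.remoteKrbServiceTicket = Krb5TokenUtils.decodeDataFromStream(dataInput);
        } catch (IOException e) {
            // Rethrown unchanged so it is not wrapped a second time below.
            throw e;
        } catch (Exception e) {
            throw new IOException(e);
        }
    }
}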
