package org.apache.tinkerpop.gremlin.server.auth;

import java.io.File;
import java.net.InetAddress;
import java.security.PrivilegedAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.tinkerpop.gremlin.server.auth.Authenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/gremlin-server-3.3.3.jar:org/apache/tinkerpop/gremlin/server/auth/Krb5Authenticator.class */
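/**
 * Kerberos (SASL/GSSAPI) authenticator for Gremlin Server.
 *
 * <p>{@link #setup(Map)} logs the server in to the KDC with a keytab and keeps the resulting
 * {@link Subject}; every {@link #newSaslNegotiator(InetAddress)} call then creates a fresh
 * {@link SaslServer} while running as that subject. Any failure to obtain credentials or to
 * build the SASL server is reported with an exception rather than leaving a half-initialised
 * authenticator behind, so a misconfiguration fails closed.
 */
public class Krb5Authenticator implements Authenticator {
    private static final Logger logger = LoggerFactory.getLogger(Krb5Authenticator.class);

    /** SASL mechanism negotiated by this authenticator. */
    private static final String MECHANISM = "GSSAPI";
    /** Keys required in the 'config' map passed to {@link #setup(Map)}. */
    private static final String KEYTAB_KEY = "keytab";
    private static final String PRINCIPAL_KEY = "principal";

    /** Subject obtained from the keytab login; {@code null} until {@link #setup(Map)} succeeds. */
    private Subject subject;
    /** Service principal in the form {@code service/fqdn@REALM}. */
    private String principalName;

    /**
     * One SASL/GSSAPI negotiation. Also acts as the {@link CallbackHandler} through which the
     * SASL provider asks whether the authenticated client may use the requested authorization id.
     */
    public class Krb5SaslAuthenticator implements Authenticator.SaslNegotiator, CallbackHandler {
        private final SaslServer saslServer;

        /**
         * Creates the GSSAPI {@link SaslServer} for the configured principal.
         *
         * @throws IllegalArgumentException if the principal is not of the form {@code service/fqdn@realm}
         * @throws IllegalStateException if no SASL server could be created; the cause is preserved
         */
        Krb5SaslAuthenticator() {
            // "service/fqdn@realm" -> [service, fqdn, realm]
            final String[] principalParts = Krb5Authenticator.this.principalName.split("/|@");
            if (principalParts.length < 3) {
                throw new IllegalArgumentException("Use principal name of format 'service/fqdn@kdcrealm'");
            }
            final Map<String, Object> props = new HashMap<>();
            final SaslServer server;
            try {
                server = Sasl.createSaslServer(MECHANISM, principalParts[0], principalParts[1], props, this);
            } catch (SaslException e) {
                Krb5Authenticator.logger.error("Creating sasl server failed: ", e);
                throw new IllegalStateException("Creating sasl server failed", e);
            }
            // Sasl.createSaslServer returns null when no provider supports the mechanism;
            // fail here instead of with an NPE during the first evaluateResponse().
            if (server == null) {
                throw new IllegalStateException("No SASL provider available for mechanism " + MECHANISM);
            }
            this.saslServer = server;
            Krb5Authenticator.logger.debug("SaslServer created with: " + this.saslServer.getMechanismName());
        }

        /**
         * Answers the provider's {@link AuthorizeCallback}: the client is authorized only when the
         * requested authorization id equals its authenticated id (no impersonation), and the
         * resulting authorized id is the principal with its realm stripped.
         *
         * @throws UnsupportedCallbackException for any callback other than {@link AuthorizeCallback}
         */
        @Override
        public void handle(final Callback[] callbackArr) throws UnsupportedCallbackException {
            Krb5Authenticator.logger.debug("Krb5 AuthorizeCallback number: " + callbackArr.length);
            AuthorizeCallback authorize = null;
            for (final Callback callback : callbackArr) {
                if (!(callback instanceof AuthorizeCallback)) {
                    throw new UnsupportedCallbackException(callback, "Unrecognized SASL GSSAPI Callback");
                }
                // If several are supplied, the last one wins (matches the previous behaviour).
                authorize = (AuthorizeCallback) callback;
            }
            if (authorize == null) {
                return;
            }
            final String authenticationId = authorize.getAuthenticationID();
            authorize.setAuthorized(authenticationId.equals(authorize.getAuthorizationID()));
            if (authorize.isAuthorized()) {
                // Drop the "@REALM" suffix so the AuthenticatedUser carries the bare principal.
                authorize.setAuthorizedID(authenticationId.split("@")[0]);
            }
        }

        /**
         * Feeds one client token to the {@link SaslServer}.
         *
         * @return the server's challenge, or {@code null} when none is needed
         * @throws AuthenticationException wrapping any failure reported by the SASL server
         */
        @Override
        public byte[] evaluateResponse(final byte[] bArr) throws AuthenticationException {
            Krb5Authenticator.logger.debug("evaluateResponse() length: " + bArr.length);
            try {
                return this.saslServer.evaluateResponse(bArr);
            } catch (Exception e) {
                Krb5Authenticator.logger.warn("Sasl krb5 evaluateResponse failed: " + e);
                throw new AuthenticationException(e);
            }
        }

        /** @return whether the GSSAPI exchange has finished successfully */
        @Override
        public boolean isComplete() {
            return this.saslServer.isComplete();
        }

        /**
         * Returns the user established by the completed negotiation.
         *
         * @throws AuthenticationException if the negotiation has not completed; the authorization
         *         id is only meaningful after {@link #isComplete()} is {@code true}
         */
        @Override
        public AuthenticatedUser getAuthenticatedUser() throws AuthenticationException {
            if (!this.saslServer.isComplete()) {
                throw new AuthenticationException("SASL negotiation is not complete");
            }
            final String authorizationId = this.saslServer.getAuthorizationID();
            Krb5Authenticator.logger.debug("getAuthenticatedUser called: " + authorizationId);
            return new AuthenticatedUser(authorizationId);
        }
    }

    /** Kerberos authentication is mandatory for every connection. */
    @Override
    public boolean requireAuthentication() {
        return true;
    }

    /**
     * Logs in to the KDC with the configured keytab and principal.
     *
     * @param map the 'config' map from the 'authentication' settings; must contain
     *            {@code keytab} (path) and {@code principal} ({@code service/fqdn@REALM})
     * @throws IllegalArgumentException if either key is missing
     * @throws IllegalStateException if the keytab login fails; the cause is preserved
     */
    @Override
    public void setup(final Map<String, Object> map) {
        // NOTE(review): this logs every entry of the config map; keep secret-bearing keys out of it.
        logger.info("Config: {}", map);
        if (null == map || !map.containsKey(KEYTAB_KEY) || !map.containsKey(PRINCIPAL_KEY)) {
            throw new IllegalArgumentException(String.format("Could not configure a %s - provide a 'config' in the 'authentication' settings", Krb5Authenticator.class.getName()));
        }
        final File keytabFile = new File((String) map.get(KEYTAB_KEY));
        this.principalName = (String) map.get(PRINCIPAL_KEY);
        try {
            this.subject = JaasKrbUtil.loginUsingKeytab(this.principalName, keytabFile);
        } catch (Exception e) {
            // Fail closed: without a subject no negotiation can succeed, so surface the cause now.
            logger.warn("Failed to login to kdc", e);
            throw new IllegalStateException("Failed to login to kdc as " + this.principalName, e);
        }
        logger.debug("Done logging in to kdc");
    }

    /**
     * Creates a negotiator for a new client connection.
     *
     * @throws IllegalStateException if {@link #setup(Map)} has not produced a login subject
     */
    @Override
    public Authenticator.SaslNegotiator newSaslNegotiator(final InetAddress inetAddress) {
        logger.debug("newSaslNegotiator() called");
        if (this.subject == null) {
            throw new IllegalStateException("Krb5Authenticator is not set up: no kdc login subject");
        }
        // The SaslServer is built while running as the keytab subject so the GSSAPI provider
        // can use the credentials obtained at setup.
        final PrivilegedAction<Authenticator.SaslNegotiator> createNegotiator = Krb5SaslAuthenticator::new;
        return Subject.doAs(this.subject, createNegotiator);
    }

    /**
     * Not supported: this authenticator only works through the SASL negotiator.
     *
     * @throws AuthenticationException always, so a caller that bypasses SASL is rejected
     *         rather than handed a {@code null} user
     */
    @Override
    public AuthenticatedUser authenticate(final Map<String, String> map) throws AuthenticationException {
        logger.error("Authenticate() should not be called. Use getAuthenticatedUser() when isComplete() is true.");
        throw new AuthenticationException("Authenticate() should not be called. Use getAuthenticatedUser() when isComplete() is true.");
    }
}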
