package org.apache.directory.server.kerberos.changepwd.service;

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.api.asn1.ber.Asn1Decoder;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.server.kerberos.ChangePasswordConfig;
import org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswdErrorType;
import org.apache.directory.server.kerberos.changepwd.exceptions.ChangePasswordException;
import org.apache.directory.server.kerberos.changepwd.messages.ChangePasswordReply;
import org.apache.directory.server.kerberos.changepwd.messages.ChangePasswordRequest;
import org.apache.directory.server.kerberos.protocol.codec.KerberosDecoder;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.directory.shared.kerberos.KerberosUtils;
import org.apache.directory.shared.kerberos.codec.changePwdData.ChangePasswdDataContainer;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.codec.types.PrincipalNameType;
import org.apache.directory.shared.kerberos.components.EncKrbPrivPart;
import org.apache.directory.shared.kerberos.components.EncryptedData;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.kerberos.components.HostAddress;
import org.apache.directory.shared.kerberos.components.HostAddresses;
import org.apache.directory.shared.kerberos.components.PrincipalName;
import org.apache.directory.shared.kerberos.exceptions.ErrorType;
import org.apache.directory.shared.kerberos.exceptions.KerberosException;
import org.apache.directory.shared.kerberos.messages.ApRep;
import org.apache.directory.shared.kerberos.messages.ApReq;
import org.apache.directory.shared.kerberos.messages.Authenticator;
import org.apache.directory.shared.kerberos.messages.ChangePasswdData;
import org.apache.directory.shared.kerberos.messages.EncApRepPart;
import org.apache.directory.shared.kerberos.messages.KrbPriv;
import org.apache.directory.shared.kerberos.messages.Ticket;
import org.apache.mina.core.session.IoSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/apacheds-protocol-kerberos-2.0.0-M15.jar:org/apache/directory/server/kerberos/changepwd/service/ChangePasswordService.class */
public class ChangePasswordService {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) ChangePasswordService.class);
    private static final CipherTextHandler cipherTextHandler = new CipherTextHandler();

    public static void execute(IoSession ioSession, ChangePasswordContext changePasswordContext) throws Exception {
        if (LOG.isDebugEnabled()) {
            monitorRequest(changePasswordContext);
        }
        configureChangePassword(changePasswordContext);
        getAuthHeader(changePasswordContext);
        verifyServiceTicket(changePasswordContext);
        getServerEntry(changePasswordContext);
        verifyServiceTicketAuthHeader(changePasswordContext);
        extractPassword(changePasswordContext);
        if (LOG.isDebugEnabled()) {
            monitorContext(changePasswordContext);
        }
        processPasswordChange(changePasswordContext);
        buildReply(changePasswordContext);
        if (LOG.isDebugEnabled()) {
            monitorReply(changePasswordContext);
        }
    }

    private static void processPasswordChange(ChangePasswordContext changePasswordContext) throws KerberosException {
        PrincipalStore store = changePasswordContext.getStore();
        Authenticator authenticator = changePasswordContext.getAuthenticator();
        String utf8ToString = Strings.utf8ToString(changePasswordContext.getPasswordData().getNewPasswd());
        KerberosPrincipal kerberosPrincipal = KerberosUtils.getKerberosPrincipal(authenticator.getCName(), authenticator.getCRealm());
        PrincipalName targName = changePasswordContext.getPasswordData().getTargName();
        KerberosPrincipal kerberosPrincipal2 = targName != null ? new KerberosPrincipal(targName.getNameString(), PrincipalNameType.KRB_NT_PRINCIPAL.getValue()) : kerberosPrincipal;
        store.changePassword(kerberosPrincipal, kerberosPrincipal2, utf8ToString, changePasswordContext.getTicket().getEncTicketPart().getFlags().isInitial());
        LOG.debug("Successfully modified password for {} BY {}.", kerberosPrincipal2, kerberosPrincipal);
    }

    private static void monitorRequest(ChangePasswordContext changePasswordContext) throws KerberosException {
        try {
            short versionNumber = ((ChangePasswordRequest) changePasswordContext.getRequest()).getVersionNumber();
            StringBuffer stringBuffer = new StringBuffer();
            stringBuffer.append("Responding to change password request:");
            stringBuffer.append("\n\tversionNumber    " + ((int) versionNumber));
            LOG.debug(stringBuffer.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_152, new Object[0]), (Throwable) e);
        }
    }

    private static void configureChangePassword(ChangePasswordContext changePasswordContext) {
        changePasswordContext.setCipherTextHandler(cipherTextHandler);
    }

    private static void getAuthHeader(ChangePasswordContext changePasswordContext) throws KerberosException {
        ChangePasswordRequest changePasswordRequest = (ChangePasswordRequest) changePasswordContext.getRequest();
        short versionNumber = changePasswordRequest.getVersionNumber();
        if (versionNumber != -128 && versionNumber != 1) {
            throw new ChangePasswordException(ChangePasswdErrorType.KRB5_KPASSWD_BAD_VERSION);
        }
        if (changePasswordRequest.getAuthHeader() == null || changePasswordRequest.getAuthHeader().getTicket() == null) {
            throw new ChangePasswordException(ChangePasswdErrorType.KRB5_KPASSWD_AUTHERROR);
        }
        ApReq authHeader = changePasswordRequest.getAuthHeader();
        Ticket ticket = authHeader.getTicket();
        changePasswordContext.setAuthHeader(authHeader);
        changePasswordContext.setTicket(ticket);
    }

    private static void verifyServiceTicket(ChangePasswordContext changePasswordContext) throws KerberosException {
        ChangePasswordConfig config = changePasswordContext.getConfig();
        Ticket ticket = changePasswordContext.getTicket();
        String primaryRealm = config.getPrimaryRealm();
        KerberosPrincipal servicePrincipal = config.getServicePrincipal();
        KerberosPrincipal kerberosPrincipal = KerberosUtils.getKerberosPrincipal(ticket.getSName(), ticket.getRealm());
        if (!ticket.getRealm().equals(primaryRealm) || !kerberosPrincipal.getName().equals(servicePrincipal.getName())) {
            throw new KerberosException(ErrorType.KRB_AP_ERR_NOT_US);
        }
    }

    private static void getServerEntry(ChangePasswordContext changePasswordContext) throws KerberosException {
        Ticket ticket = changePasswordContext.getTicket();
        changePasswordContext.setServerEntry(KerberosUtils.getEntry(KerberosUtils.getKerberosPrincipal(ticket.getSName(), ticket.getRealm()), changePasswordContext.getStore(), ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN));
    }

    private static void verifyServiceTicketAuthHeader(ChangePasswordContext changePasswordContext) throws KerberosException {
        ApReq authHeader = changePasswordContext.getAuthHeader();
        Ticket ticket = changePasswordContext.getTicket();
        changePasswordContext.setAuthenticator(KerberosUtils.verifyAuthHeader(authHeader, ticket, changePasswordContext.getServerEntry().getKeyMap().get(ticket.getEncPart().getEType()), changePasswordContext.getConfig().getAllowableClockSkew(), changePasswordContext.getReplayCache(), changePasswordContext.getConfig().isEmptyAddressesAllowed(), changePasswordContext.getClientAddress(), changePasswordContext.getCipherTextHandler(), KeyUsage.AP_REQ_AUTHNT_SESS_KEY, false));
    }

    private static void extractPassword(ChangePasswordContext changePasswordContext) throws Exception {
        ChangePasswdData chngPwdData;
        ChangePasswordRequest changePasswordRequest = (ChangePasswordRequest) changePasswordContext.getRequest();
        Authenticator authenticator = changePasswordContext.getAuthenticator();
        try {
            EncKrbPrivPart decodeEncKrbPrivPart = KerberosDecoder.decodeEncKrbPrivPart(changePasswordContext.getCipherTextHandler().decrypt(authenticator.getSubKey(), changePasswordRequest.getPrivateMessage().getEncPart(), KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY));
            if (authenticator.getSeqNumber().intValue() != decodeEncKrbPrivPart.getSeqNumber()) {
                throw new ChangePasswordException(ChangePasswdErrorType.KRB5_KPASSWD_MALFORMED);
            }
            if (changePasswordRequest.getVersionNumber() == 1) {
                chngPwdData = new ChangePasswdData();
                chngPwdData.setNewPasswd(decodeEncKrbPrivPart.getUserData());
            } else {
                Asn1Decoder asn1Decoder = new Asn1Decoder();
                ByteBuffer wrap = ByteBuffer.wrap(decodeEncKrbPrivPart.getUserData());
                ChangePasswdDataContainer changePasswdDataContainer = new ChangePasswdDataContainer(wrap);
                asn1Decoder.decode(wrap, changePasswdDataContainer);
                chngPwdData = changePasswdDataContainer.getChngPwdData();
            }
            changePasswordContext.setChngPwdData(chngPwdData);
        } catch (KerberosException e) {
            throw new ChangePasswordException(ChangePasswdErrorType.KRB5_KPASSWD_SOFTERROR, e);
        }
    }

    private static void monitorContext(ChangePasswordContext changePasswordContext) throws KerberosException {
        try {
            PrincipalStore store = changePasswordContext.getStore();
            ApReq authHeader = changePasswordContext.getAuthHeader();
            Ticket ticket = changePasswordContext.getTicket();
            ReplayCache replayCache = changePasswordContext.getReplayCache();
            long allowableClockSkew = changePasswordContext.getConfig().getAllowableClockSkew();
            Authenticator authenticator = changePasswordContext.getAuthenticator();
            KerberosPrincipal kerberosPrincipal = KerberosUtils.getKerberosPrincipal(authenticator.getCName(), authenticator.getCRealm());
            InetAddress clientAddress = changePasswordContext.getClientAddress();
            HostAddresses clientAddresses = ticket.getEncTicketPart().getClientAddresses();
            boolean z = false;
            if (ticket.getEncTicketPart().getClientAddresses() != null) {
                z = ticket.getEncTicketPart().getClientAddresses().contains(new HostAddress(clientAddress));
            }
            StringBuffer stringBuffer = new StringBuffer();
            stringBuffer.append("Monitoring context:");
            stringBuffer.append("\n\tstore                  " + store);
            stringBuffer.append("\n\tauthHeader             " + authHeader);
            stringBuffer.append("\n\tticket                 " + ticket);
            stringBuffer.append("\n\treplayCache            " + replayCache);
            stringBuffer.append("\n\tclockSkew              " + allowableClockSkew);
            stringBuffer.append("\n\tclientPrincipal        " + kerberosPrincipal);
            stringBuffer.append("\n\tChangePasswdData        " + changePasswordContext.getPasswordData());
            stringBuffer.append("\n\tclientAddress          " + clientAddress);
            stringBuffer.append("\n\tclientAddresses        " + clientAddresses);
            stringBuffer.append("\n\tcaddr contains sender  " + z);
            stringBuffer.append("\n\tTicket principal       " + ticket.getSName());
            PrincipalStoreEntry serverEntry = changePasswordContext.getServerEntry();
            stringBuffer.append("\n\tcn                     " + serverEntry.getCommonName());
            stringBuffer.append("\n\trealm                  " + serverEntry.getRealmName());
            stringBuffer.append("\n\tService principal      " + serverEntry.getPrincipal());
            stringBuffer.append("\n\tSAM type               " + serverEntry.getSamType());
            EncryptionType eType = ticket.getEncPart().getEType();
            int keyVersion = serverEntry.getKeyMap().get(eType).getKeyVersion();
            stringBuffer.append("\n\tTicket key type        " + eType);
            stringBuffer.append("\n\tService key version    " + keyVersion);
            LOG.debug(stringBuffer.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_154, new Object[0]), (Throwable) e);
        }
    }

    private static void buildReply(ChangePasswordContext changePasswordContext) throws KerberosException, UnknownHostException {
        Authenticator authenticator = changePasswordContext.getAuthenticator();
        Ticket ticket = changePasswordContext.getTicket();
        CipherTextHandler cipherTextHandler2 = changePasswordContext.getCipherTextHandler();
        EncKrbPrivPart encKrbPrivPart = new EncKrbPrivPart();
        encKrbPrivPart.setUserData(new byte[]{0, 0, 80, 97, 115, 115, 119, 111, 114, 100, 32, 99, 104, 97, 110, 103, 101, 100, 0});
        encKrbPrivPart.setSenderAddress(new HostAddress(InetAddress.getLocalHost()));
        EncryptionKey subKey = authenticator.getSubKey();
        try {
            EncryptedData seal = cipherTextHandler2.seal(subKey, encKrbPrivPart, KeyUsage.KRB_PRIV_ENC_PART_CHOSEN_KEY);
            KrbPriv krbPriv = new KrbPriv();
            krbPriv.setEncPart(seal);
            EncApRepPart encApRepPart = new EncApRepPart();
            encApRepPart.setCTime(authenticator.getCtime());
            encApRepPart.setCusec(authenticator.getCusec());
            if (authenticator.getSeqNumber() != null) {
                encApRepPart.setSeqNumber(authenticator.getSeqNumber());
            }
            encApRepPart.setSubkey(subKey);
            try {
                EncryptedData seal2 = cipherTextHandler2.seal(ticket.getEncTicketPart().getKey(), encApRepPart, KeyUsage.AP_REP_ENC_PART_SESS_KEY);
                ApRep apRep = new ApRep();
                apRep.setEncPart(seal2);
                changePasswordContext.setReply(new ChangePasswordReply((short) 1, apRep, krbPriv));
            } catch (KerberosException e) {
                throw new ChangePasswordException(ChangePasswdErrorType.KRB5_KPASSWD_SOFTERROR, e);
            }
        } catch (KerberosException e2) {
            throw new ChangePasswordException(ChangePasswdErrorType.KRB5_KPASSWD_SOFTERROR, e2);
        }
    }

    private static void monitorReply(ChangePasswordContext changePasswordContext) throws KerberosException {
        try {
            ChangePasswordReply changePasswordReply = (ChangePasswordReply) changePasswordContext.getReply();
            ApRep applicationReply = changePasswordReply.getApplicationReply();
            KrbPriv privateMessage = changePasswordReply.getPrivateMessage();
            StringBuilder sb = new StringBuilder();
            sb.append("Responding with change password reply:");
            sb.append("\n\tappReply               " + applicationReply);
            sb.append("\n\tpriv                   " + privateMessage);
            LOG.debug(sb.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_155, new Object[0]), (Throwable) e);
        }
    }
}
