package com.hazelcast.security.impl;

import com.hazelcast.config.LoginModuleConfig;
import com.hazelcast.config.security.JaasAuthenticationConfig;
import com.hazelcast.config.security.RealmConfig;
import com.hazelcast.logging.ILogger;
import com.hazelcast.logging.Logger;
import com.hazelcast.security.RealmConfigCallback;
import java.io.File;
import java.io.IOException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:com/hazelcast/security/impl/SecurityUtil.class */
/**
 * Static helpers for obtaining a JAAS "run as" {@link Subject} from a security realm and for
 * generating a Kerberos keytab-based realm configuration.
 *
 * <p>Every lookup/login helper in this class reports failure by returning {@code null} rather
 * than throwing; only {@link #createKerberosJaasRealmConfig(String, String, boolean)} throws, and
 * only when no supported Krb5LoginModule is present in the runtime.
 */
public final class SecurityUtil {
    /** Name handed to the short-lived {@link LoginContext} created for a realm login. */
    private static final String TEMP_LOGIN_CONTEXT_NAME = "realmConfigLogin";
    private static final String FQCN_KRB5LOGINMODULE_SUN = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String FQCN_KRB5LOGINMODULE_IBM = "com.ibm.security.auth.module.Krb5LoginModule";
    private static final ILogger LOGGER = Logger.getLogger(SecurityUtil.class);
    // Not referenced by any method visible in this listing; kept as declared.
    private static final ThreadLocal<Boolean> SECURE_CALL = new ThreadLocal<>();

    /** Utility class; not instantiable. */
    private SecurityUtil() {
    }

    /**
     * Resolves the realm named {@code str} through the callback handler and logs in against it.
     *
     * <p>The handler is asked to fill a {@link RealmConfigCallback}; the resulting
     * {@link RealmConfig} (which may be {@code null}) is passed to
     * {@link #getRunAsSubject(CallbackHandler, RealmConfig)}.
     *
     * <p>NOTE(review): {@code null} is returned both when no realm is given and when the lookup
     * or the login fails, so a caller cannot tell "not configured" from "rejected". Callers are
     * expected to treat {@code null} as "no authenticated subject" - confirm at the call sites.
     *
     * @param callbackHandler handler used to look up the realm and later to feed the login modules
     * @param str realm name; {@code null} means no realm was provided
     * @return the authenticated subject, or {@code null} if the realm is missing, the realm
     *     configuration could not be retrieved, or the login failed
     */
    public static Subject getRunAsSubject(CallbackHandler callbackHandler, String str) {
        if (str != null) {
            RealmConfigCallback realmLookup = new RealmConfigCallback(str);
            try {
                callbackHandler.handle(new Callback[]{realmLookup});
                RealmConfig resolvedRealm = realmLookup.getRealmConfig();
                return getRunAsSubject(callbackHandler, resolvedRealm);
            } catch (IOException | UnsupportedCallbackException e) {
                // Lookup failure is logged and reported as "no subject", never rethrown.
                LOGGER.info("Unable to retrieve the RealmConfig", e);
                return null;
            }
        }
        if (LOGGER.isFineEnabled()) {
            LOGGER.fine("No RunAs Subject created for callbackHandler=" + callbackHandler + ", realm is not provided");
        }
        return null;
    }

    /**
     * Performs a JAAS login with the login modules of the given realm and returns the subject.
     *
     * <p>A fresh, empty {@link Subject} is populated by a temporary {@link LoginContext} whose
     * configuration is built from {@code realmConfig.asLoginModuleConfigs()}.
     *
     * @param callbackHandler handler passed to the login modules
     * @param realmConfig realm to authenticate against; {@code null} means none was provided
     * @return the subject from the login context after a successful login, or {@code null} when
     *     the realm is {@code null} or a {@link LoginException} was raised (logged at INFO with
     *     the exception attached)
     */
    public static Subject getRunAsSubject(CallbackHandler callbackHandler, RealmConfig realmConfig) {
        if (realmConfig != null) {
            try {
                LoginConfigurationDelegate jaasConfiguration =
                        new LoginConfigurationDelegate(realmConfig.asLoginModuleConfigs());
                LoginContext tempContext =
                        new LoginContext(TEMP_LOGIN_CONTEXT_NAME, new Subject(), callbackHandler, jaasConfiguration);
                tempContext.login();
                return tempContext.getSubject();
            } catch (LoginException e) {
                LOGGER.info("Authentication failed.", e);
                return null;
            }
        }
        if (LOGGER.isFineEnabled()) {
            LOGGER.fine("The realmConfig is not provided.");
        }
        return null;
    }

    /**
     * Builds a JAAS realm containing a single REQUIRED Krb5LoginModule that authenticates from a
     * keytab without prompting.
     *
     * <p>The Sun module is preferred when loadable; otherwise the IBM module is used. Both
     * variants receive the principal (set or cleared via {@code setOrClear}) and
     * {@code refreshKrb5Config=true}. The IBM variant is given the keytab as a file URI and
     * {@code credsType} of {@code "both"} or {@code "acceptor"} depending on {@code z}.
     *
     * <p>NOTE(review): the keytab path is only checked for {@code null} here; whether the file
     * exists and is readable is not verified in this method. The FINE-level message embeds the
     * generated config's {@code toString()} - presumably the keytab path and principal; confirm
     * nothing more sensitive is printed.
     *
     * @param str Kerberos principal; stored under {@code KerberosCredentialsFactory.PROPERTY_PRINCIPAL}
     * @param str2 path to the keytab file; {@code null} yields a {@code null} result
     * @param z whether the module should act as an initiator ({@code isInitiator} for the Sun
     *     module, {@code credsType="both"} for the IBM module)
     * @return the generated realm configuration, or {@code null} when no keytab path is given
     * @throws UnsupportedOperationException if neither Krb5LoginModule class can be loaded
     */
    public static RealmConfig createKerberosJaasRealmConfig(String str, String str2, boolean z) {
        if (str2 == null) {
            if (LOGGER.isFineEnabled()) {
                LOGGER.fine("The keytab path is not provided.");
            }
            return null;
        }
        final LoginModuleConfig krb5Module;
        if (hasLoginModuleClass(FQCN_KRB5LOGINMODULE_SUN)) {
            krb5Module = new LoginModuleConfig(FQCN_KRB5LOGINMODULE_SUN, LoginModuleConfig.LoginModuleUsage.REQUIRED)
                    .setOrClear("keyTab", str2)
                    .setProperty("doNotPrompt", "true")
                    .setProperty("useKeyTab", "true")
                    .setProperty("storeKey", "true")
                    .setProperty("isInitiator", Boolean.toString(z));
        } else if (hasLoginModuleClass(FQCN_KRB5LOGINMODULE_IBM)) {
            // The IBM module takes the keytab location as a URI rather than a plain path.
            krb5Module = new LoginModuleConfig(FQCN_KRB5LOGINMODULE_IBM, LoginModuleConfig.LoginModuleUsage.REQUIRED)
                    .setProperty("useKeytab", new File(str2).toURI().toString())
                    .setProperty("credsType", z ? "both" : "acceptor");
        } else {
            throw new UnsupportedOperationException("No supported Krb5LoginModule was found in the current Java runtime. The JAAS security realm configurations can't be created automatically. You have to explicitly configure the realms.");
        }
        krb5Module.setOrClear(KerberosCredentialsFactory.PROPERTY_PRINCIPAL, str).setProperty("refreshKrb5Config", "true");

        JaasAuthenticationConfig jaasConfig = new JaasAuthenticationConfig().addLoginModuleConfig(krb5Module);
        RealmConfig generatedRealm = new RealmConfig().setJaasAuthenticationConfig(jaasConfig);
        if (LOGGER.isFineEnabled()) {
            LOGGER.fine("A helper security realm for Kerberos keytab-based authentication was generated: " + generatedRealm);
        }
        return generatedRealm;
    }

    /**
     * Reports whether the named class can be loaded in the current runtime.
     *
     * <p>Any {@link Throwable} raised by {@link Class#forName(String)} - not only
     * {@link ClassNotFoundException} - is treated as "not available" and logged at FINEST.
     *
     * @param className fully qualified class name to probe
     * @return {@code true} if the class loaded, {@code false} on any failure
     */
    private static boolean hasLoginModuleClass(String className) {
        try {
            Class.forName(className);
        } catch (Throwable th) {
            if (LOGGER.isFinestEnabled()) {
                LOGGER.finest("Login module class not found: " + className, th);
            }
            return false;
        }
        return true;
    }
}
