package com.kerb4j.client;

import com.kerb4j.common.jaas.sun.Krb5LoginContext;
import com.kerb4j.common.util.JreVendor;
import com.kerb4j.common.util.SpnegoProvider;
import java.net.URL;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.function.Supplier;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.kerberos.KeyTab;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/kerb4j/client/SpnegoClient.class */
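/**
 * Holds a Kerberos-authenticated {@link Subject} and builds SPNEGO contexts from it.
 *
 * <p>The subject is obtained lazily from a {@link LoginContext} supplier and cached together
 * with its ticket-granting ticket (TGT). When the cached TGT has expired, the next call to
 * {@link #getSubject()} runs the supplier again. Refreshes are serialised by a lock and the
 * cached pair is published through an {@link AtomicReference}.
 *
 * <p>Security note: the subject's private credentials contain tickets and long-term keys.
 * Do not log or serialise the values returned by {@link #getSubject()} or
 * {@link #getKerberosKeys()}.
 */
public final class SpnegoClient {
    private static final Logger LOGGER = LoggerFactory.getLogger(SpnegoClient.class);

    /** Server-principal prefix used to recognise a ticket-granting ticket among the credentials. */
    private static final String TGT_SERVICE_PREFIX = "krbtgt";

    // Pause applied before every initiator context is created.
    // NOTE(review): the reason for this delay is not visible in this file; presumably it keeps
    // consecutive authenticators apart so they are not rejected as replays. Confirm before changing.
    private static final long CONTEXT_CREATION_PAUSE_MILLIS = 31L;

    private final Supplier<Subject> subjectSupplier;
    private final AtomicReference<SubjectTgtPair> subjectTgtPairReference = new AtomicReference<>();
    private final Lock authenticateLock = new ReentrantLock();

    /**
     * Immutable pairing of a subject with the TGT that determines how long it stays usable.
     *
     * <p>The decompiler reports that this type and {@link #isExpired()} were {@code private} in
     * the original class file; the modifiers are kept as they appear in this listing.
     */
    public static class SubjectTgtPair {
        private final KerberosTicket tgt;
        private final Subject subject;

        private SubjectTgtPair(KerberosTicket kerberosTicket, Subject subject) {
            this.tgt = kerberosTicket;
            this.subject = subject;
        }

        /**
         * Reports whether the TGT can no longer be used.
         *
         * @return {@code true} if the ticket was destroyed, has no end time, or its end time is
         *     in the past
         */
        public boolean isExpired() {
            // A destroyed ticket has had its fields cleared; treat it as expired instead of
            // dereferencing a missing end time.
            if (this.tgt.isDestroyed()) {
                return true;
            }
            Date endTime = this.tgt.getEndTime();
            return endTime == null || endTime.before(new Date());
        }
    }

    /**
     * Creates a client whose subject comes from the given login-context supplier.
     *
     * <p>The supplier is not invoked here. It runs on the first {@link #getSubject()} call and
     * again each time the cached TGT has expired. A {@link LoginException} raised while logging
     * in is logged and rethrown wrapped in a {@link RuntimeException}.
     *
     * @param supplier source of the {@link LoginContext} to authenticate with
     */
    protected SpnegoClient(Supplier<LoginContext> supplier) {
        this.subjectSupplier = () -> {
            LoginContext loginContext = supplier.get();
            Subject subject = loginContext.getSubject();
            if (null == subject) {
                // No authenticated subject yet: perform the login now.
                try {
                    loginContext.login();
                    subject = loginContext.getSubject();
                } catch (LoginException e) {
                    LOGGER.error(e.getMessage(), e);
                    throw new RuntimeException(e);
                }
            }
            return subject;
        };
    }

    /**
     * Returns the authenticated subject, logging in (again) when no unexpired TGT is cached.
     *
     * <p>The cache is checked once without the lock and once more under it, so concurrent
     * callers trigger at most one login per expiry.
     *
     * @return the subject associated with the cached TGT
     * @throws IllegalStateException if the login yielded no credential whose server principal
     *     starts with {@code krbtgt} and no earlier pair is cached
     * @throws RuntimeException if the underlying login fails
     */
    public Subject getSubject() {
        SubjectTgtPair cached = this.subjectTgtPairReference.get();
        if (null == cached || cached.isExpired()) {
            this.authenticateLock.lock();
            try {
                // Re-check under the lock: another thread may already have refreshed the pair.
                cached = this.subjectTgtPairReference.get();
                if (null == cached || cached.isExpired()) {
                    Subject subject = this.subjectSupplier.get();
                    subject.getPrivateCredentials(KerberosTicket.class).stream()
                            .filter(ticket -> ticket.getServer().getName().startsWith(TGT_SERVICE_PREFIX))
                            .findAny()
                            .map(ticket -> new SubjectTgtPair(ticket, subject))
                            .ifPresent(this.subjectTgtPairReference::set);
                    cached = this.subjectTgtPairReference.get();
                }
            } finally {
                this.authenticateLock.unlock();
            }
        }
        if (null == cached) {
            // Without this guard the method failed with a bare NullPointerException.
            throw new IllegalStateException(
                    "Kerberos login produced no ticket-granting ticket (no krbtgt credential in Subject)");
        }
        return cached.subject;
    }

    /**
     * Returns the long-term Kerberos keys available to the current subject.
     *
     * <p>Keys stored directly as private credentials take precedence. Otherwise each
     * {@link KeyTab} credential is queried for each {@link KerberosPrincipal} of the subject and
     * the first non-empty result is returned.
     *
     * <p>Security note: the returned keys are secret key material; never log them.
     *
     * @return the keys, or {@code null} if none are found (callers must check for {@code null})
     */
    public KerberosKey[] getKerberosKeys() {
        // Resolve the subject once so every lookup below sees the same login.
        Subject subject = getSubject();
        Set<KerberosKey> storedKeys = subject.getPrivateCredentials(KerberosKey.class);
        if (!storedKeys.isEmpty()) {
            return storedKeys.toArray(new KerberosKey[0]);
        }
        for (KerberosPrincipal kerberosPrincipal : subject.getPrincipals(KerberosPrincipal.class)) {
            for (KeyTab keyTab : subject.getPrivateCredentials(KeyTab.class)) {
                KerberosKey[] keys = keyTab.getKeys(kerberosPrincipal);
                if (null != keys && keys.length > 0) {
                    return keys;
                }
            }
        }
        return null;
    }

    /**
     * Creates a client that authenticates through
     * {@code Krb5LoginContext.loginWithUsernameAndPassword}.
     *
     * <p>Security note: both arguments are captured by the login supplier and stay reachable
     * for the lifetime of this client so that it can log in again after the TGT expires. The
     * password therefore remains in memory as a {@link String} and cannot be wiped.
     *
     * @param str first argument forwarded to the login helper (presumably the user name; confirm)
     * @param str2 second argument forwarded to the login helper (presumably the password; confirm)
     * @return a client that logs in lazily on first use
     * @throws LoginException declared by the original signature; nothing visible here throws it
     */
    public static SpnegoClient loginWithUsernamePassword(String str, String str2) throws LoginException {
        return new SpnegoClient(() -> {
            return Krb5LoginContext.loginWithUsernameAndPassword(str, str2);
        });
    }

    /**
     * Creates a client that authenticates through {@code Krb5LoginContext.loginWithKeyTab}.
     *
     * @param str first argument forwarded to the login helper (presumably the principal; confirm)
     * @param str2 second argument forwarded to the login helper (presumably the keytab location;
     *     confirm)
     * @return a client that logs in lazily on first use
     * @throws LoginException declared by the original signature; nothing visible here throws it
     */
    public static SpnegoClient loginWithKeyTab(String str, String str2) throws LoginException {
        return new SpnegoClient(() -> {
            return Krb5LoginContext.loginWithKeyTab(str, str2);
        });
    }

    /**
     * Creates a client that authenticates through {@code Krb5LoginContext.loginWithTicketCache}.
     *
     * @param str argument forwarded to the login helper (presumably the principal; confirm)
     * @return a client that logs in lazily on first use
     * @throws LoginException declared by the original signature; nothing visible here throws it
     */
    public static SpnegoClient loginWithTicketCache(String str) throws LoginException {
        return new SpnegoClient(() -> {
            return Krb5LoginContext.loginWithTicketCache(str);
        });
    }

    /**
     * Creates an initiator-side SPNEGO context for the server identified by {@code url}.
     *
     * @param url location of the target service
     * @return a new context wrapping the GSS context
     * @throws PrivilegedActionException if creating the GSS context under the subject fails
     * @throws GSSException declared by the original signature
     */
    public SpnegoContext createContext(URL url) throws PrivilegedActionException, GSSException {
        return new SpnegoContext(this, getGSSContext(url));
    }

    /**
     * Creates an acceptor-side SPNEGO context using the subject's default credential.
     *
     * @return a new context wrapping the accept-only GSS context
     * @throws PrivilegedActionException if creating the credential or context fails
     */
    public SpnegoContext createAcceptContext() throws PrivilegedActionException {
        // The explicit PrivilegedExceptionAction type selects the doAs overload that allows
        // checked exceptions; a bare lambda is ambiguous between the two overloads.
        PrivilegedExceptionAction<GSSContext> action = () -> {
            int lifetime = JreVendor.IS_IBM_JVM
                    ? GSSCredential.INDEFINITE_LIFETIME
                    : GSSCredential.DEFAULT_LIFETIME;
            return SpnegoProvider.GSS_MANAGER.createContext(
                    SpnegoProvider.GSS_MANAGER.createCredential(
                            (GSSName) null, lifetime, SpnegoProvider.SUPPORTED_OIDS, GSSCredential.ACCEPT_ONLY));
        };
        return new SpnegoContext(this, Subject.doAs(getSubject(), action));
    }

    /**
     * Builds the initiator GSS context for {@code url} while running as the current subject.
     *
     * <p>Mutual authentication, confidentiality, integrity, replay detection and sequence
     * detection are requested. These are requests only: after the context is established,
     * callers that depend on a protection should confirm it was granted, for example with
     * {@link GSSContext#getMutualAuthState()}.
     *
     * @param url location of the target service
     * @return the configured, not yet established, GSS context
     * @throws GSSException declared by the original signature
     * @throws PrivilegedActionException if creating the credential or context fails
     */
    private GSSContext getGSSContext(URL url) throws GSSException, PrivilegedActionException {
        try {
            Thread.sleep(CONTEXT_CREATION_PAUSE_MILLIS);
        } catch (InterruptedException e) {
            // Keep the interruption visible to the caller instead of silently dropping it.
            Thread.currentThread().interrupt();
        }
        PrivilegedExceptionAction<GSSContext> action = () -> {
            GSSContext context = SpnegoProvider.GSS_MANAGER.createContext(
                    SpnegoProvider.getServerName(url),
                    SpnegoProvider.SPNEGO_OID,
                    SpnegoProvider.GSS_MANAGER.createCredential(
                            (GSSName) null,
                            GSSCredential.DEFAULT_LIFETIME,
                            SpnegoProvider.SUPPORTED_OIDS,
                            GSSCredential.INITIATE_ONLY),
                    GSSContext.DEFAULT_LIFETIME);
            context.requestMutualAuth(true);
            context.requestConf(true);
            context.requestInteg(true);
            context.requestReplayDet(true);
            context.requestSequenceDet(true);
            return context;
        };
        return Subject.doAs(getSubject(), action);
    }
}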
