package com.kerb4j.server.spring.jaas.sun;

import com.kerb4j.client.SpnegoClient;
import com.kerb4j.client.SpnegoContext;
import com.kerb4j.server.SpnegoTokenFixer;
import com.kerb4j.server.spring.KerberosTicketValidator;
import com.kerb4j.server.spring.SpnegoAuthenticationToken;
import java.io.IOException;
import java.security.PrivilegedActionException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.Resource;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.util.Assert;

/* loaded from: input_file:com/kerb4j/server/spring/jaas/sun/SunJaasKerberosTicketValidator.class */
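/**
 * {@link KerberosTicketValidator} that validates SPNEGO tokens by logging in as the configured
 * service principal from a keytab and running each token through an acceptor-side
 * {@link SpnegoContext}.
 *
 * <p>Every validation failure is reported as a {@link BadCredentialsException} with the same
 * generic message; the underlying cause is attached to the exception, not put in the message.
 *
 * <p>The keytab holds the service principal's long-term key, so it should be stored outside the
 * classpath and be readable only by the account that runs the service.
 */
public class SunJaasKerberosTicketValidator implements KerberosTicketValidator, InitializingBean {
    private static final Log LOG = LogFactory.getLog(SunJaasKerberosTicketValidator.class);

    /** Single, deliberately unspecific message used for every rejected ticket. */
    private static final String VALIDATION_FAILED = "Kerberos validation not successful";

    private static final String FILE_URL_PREFIX = "file:";

    private String servicePrincipal;
    private Resource keyTabLocation;
    // Created in afterPropertiesSet(); validateTicket() must not be called before that.
    private SpnegoClient spnegoClient;
    private boolean holdOnToGSSContext;

    /**
     * Validates a SPNEGO token received from a client.
     *
     * @param bArr the raw token bytes; this is untrusted input
     * @return an authentication token carrying the original bytes, the name reported by the
     *     accept context, the bytes returned by {@code acceptToken}, and the subject and Kerberos
     *     keys of the service login
     * @throws BadCredentialsException if the token is missing or empty, cannot be accepted, or no
     *     source name is available afterwards
     */
    @Override // com.kerb4j.server.spring.KerberosTicketValidator
    public SpnegoAuthenticationToken validateTicket(byte[] bArr) {
        // Reject a missing or empty token up front so it fails as an authentication error
        // instead of surfacing as an unrelated runtime exception further down.
        if (bArr == null || bArr.length == 0) {
            throw new BadCredentialsException(VALIDATION_FAILED);
        }
        SpnegoTokenFixer.fix(bArr);

        SpnegoContext acceptContext = null;
        // True once validation has succeeded and the success path owns the context's fate.
        boolean handedOff = false;
        try {
            acceptContext = this.spnegoClient.createAcceptContext();
            byte[] responseToken = acceptContext.acceptToken(bArr);
            GSSName srcName = acceptContext.getSrcName();
            if (srcName == null) {
                throw new BadCredentialsException(VALIDATION_FAILED);
            }
            handedOff = true;
            if (!this.holdOnToGSSContext) {
                // A failure to close is treated as a failed validation (fail closed).
                acceptContext.close();
            }
            // NOTE(review): with holdOnToGSSContext=true the context stays open, but it is not
            // passed to the returned token here - confirm who is expected to close it.
            return new SpnegoAuthenticationToken(
                    bArr,
                    srcName.toString(),
                    responseToken,
                    this.spnegoClient.getSubject(),
                    this.spnegoClient.getKerberosKeys());
        } catch (IOException | GSSException | PrivilegedActionException e) {
            throw new BadCredentialsException(VALIDATION_FAILED, e);
        } finally {
            // A context for a rejected ticket is of no use to anyone: release it on every
            // failure path so repeated bad tokens cannot pile up open contexts.
            if (acceptContext != null && !handedOff) {
                closeQuietly(acceptContext);
            }
        }
    }

    /** Closes a context on a failure path without masking the exception already in flight. */
    private static void closeQuietly(SpnegoContext context) {
        try {
            context.close();
        } catch (Exception ignored) {
            // Best-effort cleanup; the validation failure itself is what the caller must see.
            LOG.debug("Could not close SPNEGO accept context after failed validation", ignored);
        }
    }

    /**
     * Checks the configuration and logs in as the service principal from the keytab.
     *
     * @throws Exception if a required property is missing, the keytab location cannot be
     *     resolved to a URL, or the keytab login fails
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.servicePrincipal, "servicePrincipal must be specified");
        Assert.notNull(this.keyTabLocation, "keyTab must be specified");
        if (this.keyTabLocation instanceof ClassPathResource) {
            LOG.warn("Your keytab is in the classpath. This file needs special protection and shouldn't be in the classpath. JAAS may also not be able to load this file from classpath.");
        }
        String keyTabPath = this.keyTabLocation.getURL().toExternalForm();
        // NOTE(review): only the "file:" scheme prefix is removed; any URL escaping in the
        // external form (for example of spaces) is left in the path handed to the login.
        if (keyTabPath.startsWith(FILE_URL_PREFIX)) {
            keyTabPath = keyTabPath.substring(FILE_URL_PREFIX.length());
        }
        this.spnegoClient = SpnegoClient.loginWithKeyTab(this.servicePrincipal, keyTabPath);
    }

    /**
     * Sets the service principal used for the keytab login.
     *
     * @param str the principal name; required
     */
    public void setServicePrincipal(String str) {
        this.servicePrincipal = str;
    }

    /**
     * Sets the location of the keytab holding the service principal's key.
     *
     * @param resource the keytab resource; required, and preferably not a classpath resource
     */
    public void setKeyTabLocation(Resource resource) {
        this.keyTabLocation = resource;
    }

    /**
     * Controls whether the accept context is left open after a successful validation.
     *
     * @param z {@code true} to leave the context open, {@code false} (the default) to close it
     */
    public void setHoldOnToGSSContext(boolean z) {
        this.holdOnToGSSContext = z;
    }
}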
