package org.apache.kerby.kerberos.kerb.server.preauth.token;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.util.Arrays;
import java.util.List;
import org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.KrbRuntime;
import org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.kerby.kerberos.kerb.common.PrivateKeyReader;
import org.apache.kerby.kerberos.kerb.common.PublicKeyReader;
import org.apache.kerby.kerberos.kerb.preauth.PluginRequestContext;
import org.apache.kerby.kerberos.kerb.preauth.token.TokenPreauthMeta;
import org.apache.kerby.kerberos.kerb.provider.TokenDecoder;
import org.apache.kerby.kerberos.kerb.server.preauth.AbstractPreauthPlugin;
import org.apache.kerby.kerberos.kerb.server.request.KdcRequest;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.apache.kerby.kerberos.kerb.type.base.EncryptedData;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.kerby.kerberos.kerb.type.base.KrbTokenBase;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.kerby.kerberos.kerb.type.pa.PaDataType;
import org.apache.kerby.kerberos.kerb.type.pa.token.PaTokenRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kerby/kerberos/kerb/server/preauth/token/TokenPreauth.class */
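/**
 * KDC-side pre-authentication plugin for PA-TOKEN-REQUEST (token-based preauth).
 *
 * <p>Trust decisions are made in this order: token preauth must be enabled in the KDC
 * config; the token vendor named in the request must be one of the configured issuers;
 * the token is decoded by the runtime's {@link TokenDecoder} using whatever verify /
 * decryption key is configured for that issuer; finally the token's audience must contain
 * the requested server principal.
 *
 * <p>Transport matters. Over HTTPS the pa-data is decoded in the clear and an unsigned
 * token is accepted, so both confidentiality and origin of the token rest entirely on TLS
 * and on whatever the front end does before handing the request to the KDC. Over plain
 * Kerberos transport the pa-data must be sealed under the request's armor key and the
 * token must carry a signature.
 *
 * <p>Unlike earlier revisions, a verify key that is configured but cannot be loaded now
 * fails the request instead of being logged and ignored: carrying on would hand the
 * decoder a token to accept with no key to check it against.
 */
public class TokenPreauth extends AbstractPreauthPlugin {
    private static final Logger LOG = LoggerFactory.getLogger(TokenPreauth.class);

    public TokenPreauth() {
        super(new TokenPreauthMeta());
    }

    /**
     * Verifies a PA-TOKEN-REQUEST pa-data entry and, on success, records the decoded token
     * and the realm-qualified server principal on the request.
     *
     * @param kdcRequest the request being processed; receives the client key (non-HTTPS),
     *        server principal and token as side effects
     * @param pluginRequestContext unused here
     * @param paDataEntry the pa-data entry to check
     * @return {@code false} if the entry is not a token request (nothing is checked),
     *         {@code true} once the token has passed every check
     * @throws KrbException if token preauth is disabled, the issuer is not configured, a
     *         configured verify key cannot be loaded, the token cannot be decoded, an
     *         unsigned token arrives over non-HTTPS transport, or the audience does not
     *         include the target server principal
     */
    @Override
    public boolean verify(KdcRequest kdcRequest, PluginRequestContext pluginRequestContext,
                          PaDataEntry paDataEntry) throws KrbException {
        // Policy gate first, before any client-supplied bytes are parsed.
        if (!kdcRequest.getKdcContext().getConfig().isAllowTokenPreauth()) {
            throw new KrbException(KrbErrorCode.TOKEN_PREAUTH_NOT_ALLOWED, "Token preauth is not allowed.");
        }
        if (paDataEntry.getPaDataType() != PaDataType.TOKEN_REQUEST) {
            return false;
        }

        PaTokenRequest tokenRequest = unwrapRequest(kdcRequest, paDataEntry);
        String tokenVendor = requireConfiguredIssuer(kdcRequest, tokenRequest);

        TokenDecoder tokenDecoder = KrbRuntime.getTokenProvider().createTokenDecoder();
        configureKeys(tokenDecoder, kdcRequest, tokenVendor);

        KrbTokenBase token = tokenRequest.getToken();
        if (token == null || token.getTokenValue() == null) {
            throw new KrbException("Token request carries no token value");
        }
        AuthToken authToken;
        try {
            authToken = tokenDecoder.decodeFromBytes(token.getTokenValue());
        } catch (IOException e) {
            throw new KrbException("Decoding failed", e);
        }
        if (authToken == null) {
            throw new KrbException("Token Decoding failed");
        }
        // A signature is mandatory unless the request came in over HTTPS, where the
        // existing design lets TLS stand in for token origin. isSigned() only reports
        // that the token carried a signature; whether that signature was checked against
        // a key is up to the decoder provider and the verify key loaded above.
        if (!tokenDecoder.isSigned() && !kdcRequest.isHttps()) {
            throw new KrbException("Token should be signed.");
        }

        // The requested sname is realm-qualified in place (this mutates the request
        // body's PrincipalName) and becomes the server principal for the request.
        PrincipalName sname = kdcRequest.getKdcReq().getReqBody().getSname();
        sname.setRealm(kdcRequest.getKdcReq().getReqBody().getRealm());
        kdcRequest.setServerPrincipal(sname);

        // Audience binding: a token minted for one service must not be usable against
        // another. A token with no audience at all is rejected, not treated as wildcard.
        List<String> audiences = authToken.getAudiences();
        if (audiences == null || !audiences.contains(sname.getName())) {
            throw new KrbException("The token audience does not match with the target server principal!");
        }
        kdcRequest.setToken(authToken);
        return true;
    }

    /**
     * Decodes the pa-data value into a {@link PaTokenRequest}: plaintext over HTTPS,
     * otherwise sealed under the request's armor key with key usage PA_TOKEN.
     *
     * @throws KrbException if decoding or unsealing fails, or if no armor key is present
     *         on a non-HTTPS request
     */
    private PaTokenRequest unwrapRequest(KdcRequest kdcRequest, PaDataEntry paDataEntry)
            throws KrbException {
        if (kdcRequest.isHttps()) {
            // Not sealed over HTTPS: confidentiality of the token is delegated to TLS.
            return KrbCodec.decode(paDataEntry.getPaDataValue(), PaTokenRequest.class);
        }
        EncryptedData sealed = KrbCodec.decode(paDataEntry.getPaDataValue(), EncryptedData.class);
        EncryptionKey armorKey = kdcRequest.getArmorKey();
        if (armorKey == null) {
            // Without an armor key there is nothing to unseal with; fail explicitly
            // rather than letting the unseal path dereference null.
            throw new KrbException("Token preauth over non-HTTPS transport requires an armor key");
        }
        // The armor key is recorded as the request's client key before unsealing.
        kdcRequest.setClientKey(armorKey);
        return EncryptionUtil.unseal(sealed, armorKey, KeyUsage.PA_TOKEN, PaTokenRequest.class);
    }

    /**
     * Returns the token vendor named in the request after checking it against the KDC's
     * configured issuer list.
     *
     * <p>The vendor string is client-supplied and later selects the key file, so an
     * unlisted vendor must never reach key loading. A missing issuer list is treated as
     * "no issuer allowed".
     *
     * @throws KrbException if the request has no token info or the vendor is not configured
     */
    private String requireConfiguredIssuer(KdcRequest kdcRequest, PaTokenRequest tokenRequest)
            throws KrbException {
        if (tokenRequest.getTokenInfo() == null) {
            throw new KrbException("Token request carries no token info");
        }
        String tokenVendor = tokenRequest.getTokenInfo().getTokenVendor();
        List<String> issuers = kdcRequest.getKdcContext().getConfig().getIssuers();
        if (issuers == null || tokenVendor == null || !issuers.contains(tokenVendor)) {
            throw new KrbException("Unconfigured issuer: " + tokenVendor);
        }
        return tokenVendor;
    }

    /**
     * Loads the verify (public) and decryption (private) keys for the given issuer into
     * the decoder, according to the KDC's verify-key and decryption-key config.
     *
     * <p>A configured verify key that cannot be found or parsed is a hard failure. A
     * decryption key that cannot be loaded is only logged: an encrypted token will then
     * fail to decode on its own, and an unencrypted one does not need it.
     *
     * @param tokenDecoder decoder to configure
     * @param kdcRequest source of the KDC config
     * @param issuer the (already allow-listed) token vendor used to pick a key file
     * @throws KrbException if a verify key is configured but cannot be loaded
     */
    private void configureKeys(TokenDecoder tokenDecoder, KdcRequest kdcRequest, String issuer)
            throws KrbException {
        String verifyKeyConfig = kdcRequest.getKdcContext().getConfig().getVerifyKeyConfig();
        if (verifyKeyConfig != null) {
            // try-with-resources: the original leaked the key stream. A null resource is
            // legal here and simply skips close().
            try (InputStream keyStream = getKeyFileStream(verifyKeyConfig, issuer)) {
                if (keyStream == null) {
                    throw new FileNotFoundException("No verify key found for issuer " + issuer);
                }
                tokenDecoder.setVerifyKey(PublicKeyReader.loadPublicKey(keyStream));
            } catch (Exception e) {
                LOG.error("Fail to load public key for issuer {}.", issuer, e);
                throw new KrbException("Fail to load verify key for issuer " + issuer, e);
            }
        }

        String decryptionKeyConfig = kdcRequest.getKdcContext().getConfig().getDecryptionKeyConfig();
        if (decryptionKeyConfig != null) {
            try (InputStream keyStream = getKeyFileStream(decryptionKeyConfig, issuer)) {
                if (keyStream != null) {
                    tokenDecoder.setDecryptionKey(PrivateKeyReader.loadPrivateKey(keyStream));
                }
            } catch (FileNotFoundException e) {
                LOG.error("The decryption key path is wrong.", e);
            } catch (Exception e) {
                LOG.error("Fail to load private key.", e);
            }
        }
    }

    /**
     * Opens the key material for an issuer.
     *
     * <p>If {@code keyConfig} is a directory, the first regular file in name order whose
     * file name contains the issuer string is opened. Otherwise {@code keyConfig} is opened
     * as a file, falling back to a classpath resource of the same name, which yields
     * {@code null} when absent.
     *
     * <p>The directory match is a substring match: issuers whose names are prefixes of one
     * another (e.g. "a" and "ab") cannot safely share a key directory. The caller is
     * expected to have allow-listed the issuer already.
     *
     * @throws FileNotFoundException if the directory cannot be listed or contains no file
     *         matching the issuer
     * @throws IOException if the chosen file cannot be opened
     */
    private InputStream getKeyFileStream(String keyConfig, String issuer) throws IOException {
        File keyPath = new File(keyConfig);
        if (!keyPath.isDirectory()) {
            if (keyPath.isFile()) {
                return Files.newInputStream(keyPath.toPath());
            }
            return getClass().getClassLoader().getResourceAsStream(keyConfig);
        }
        File[] candidates = keyPath.listFiles();
        if (candidates == null) {
            throw new FileNotFoundException("The key path is incorrect");
        }
        // listFiles() order is unspecified; sort so the same key is chosen on every
        // request and on every host when more than one file name matches.
        Arrays.sort(candidates);
        for (File candidate : candidates) {
            if (candidate.isFile() && candidate.getName().contains(issuer)) {
                return Files.newInputStream(candidate.toPath());
            }
        }
        throw new FileNotFoundException("No key found that matches the issuer name");
    }
}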
