package com.ibm.ws.security.spnego.internal;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.krb5.Krb5Common;
import com.ibm.ws.security.spnego.SpnegoConfig;
import java.util.HashMap;
import java.util.List;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

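/**
 * Holds one acceptor-side {@link GSSCredential} per configured service principal name (SPN),
 * keyed by the host-name part of the SPN.
 *
 * <p>Credentials are created once in {@link #init(List, SpnegoConfig)} and looked up later with
 * {@link #getSpnGSSCredential(String)}. While credentials are being created, this class
 * temporarily overrides Kerberos/JAAS properties through {@link Krb5Common}; every override is
 * undone in a {@code finally} block so that a failure cannot leave the altered value behind.
 *
 * <p>NOTE(review): the overridden properties look process-wide (they are handled by
 * {@code Krb5Common.getSystemProperty}/{@code setPropertyAsNeeded}), and nothing in this class
 * synchronizes access to them or to the credential map. Confirm that {@code init} is only
 * called from a single thread.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/spnego/internal/SpnGssCredential.class */
public class SpnGssCredential {
    private static final TraceComponent tc = Tr.register(SpnGssCredential.class, "spnego", "com.ibm.ws.security.spnego.internal.resources.SpnegoMessages");

    /** JAAS/JGSS property that is forced to "false" while the SPN credentials are created. */
    private static final String USE_SUBJECT_CREDS_ONLY = "javax.security.auth.useSubjectCredsOnly";

    /** Login-name property that is pointed at the SPN while its credential is created. */
    private static final String LOGIN_NAME = "javax.security.auth.login.name";

    // Host name -> credential for the SPN on that host; stays null until init() sees a non-empty list.
    private HashMap<String, GSSCredential> spnGssCredentials = null;
    private SpnegoConfig spnegoConfig = null;
    Krb5Util krb5Util = new Krb5Util();
    static final long serialVersionUID = 464042328079164150L;

    /**
     * Creates a credential for every SPN in {@code list} and indexes it by host name.
     *
     * <p>SPNs whose credential cannot be created are skipped. When two SPNs map to the same host
     * name, the first one wins and a warning is logged for the later one. An error is logged if
     * no credential at all could be created.
     *
     * @param list         the configured SPNs; may be {@code null} or empty
     * @param spnegoConfig the SPNEGO configuration used for krb5 config/keytab settings and for
     *                     the canonical-host-name option
     */
    public void init(List<String> list, SpnegoConfig spnegoConfig) {
        this.spnegoConfig = spnegoConfig;
        if (list != null && !list.isEmpty()) {
            this.spnGssCredentials = new HashMap<>();
            this.krb5Util.setKrb5ConfigAndKeytabProps(spnegoConfig);
            String previousUseSubjectCredsOnly = Krb5Common.setPropertyAsNeeded(USE_SUBJECT_CREDS_ONLY, "false");
            try {
                for (String spn : list) {
                    GSSCredential credential = createSpnGSSCredential(spn);
                    if (credential == null) {
                        // Creation failed and was already reported by createSpnGSSCredential.
                        continue;
                    }
                    String hostName = extractHostName(spn);
                    if (tc.isDebugEnabled()) {
                        // NOTE(review): this writes GSSCredential.toString() to trace; confirm the
                        // provider's string form carries no key material.
                        Tr.debug(tc, "host name: " + hostName + " spn: " + spn + " gssCred: " + credential, new Object[0]);
                    }
                    if (this.spnGssCredentials.containsKey(hostName)) {
                        // Keep the first credential for a host; a second SPN on the same host is ignored.
                        Tr.warning(tc, "SPNEGO_MULTIPLE_SPNS_WITH_SAME_HOST_NAME", new Object[]{hostName});
                    } else {
                        this.spnGssCredentials.put(hostName, credential);
                    }
                }
            } finally {
                // Undo the override even if an unchecked exception escapes the loop.
                Krb5Common.restorePropertyAsNeeded(USE_SUBJECT_CREDS_ONLY, previousUseSubjectCredsOnly, "true");
            }
        }
        if (this.spnGssCredentials == null || this.spnGssCredentials.isEmpty()) {
            Tr.error(tc, "SPNEGO_NO_SPN_GSS_CREDENTIAL", new Object[0]);
        }
    }

    /**
     * @return {@code true} if no SPN credential is held, including before {@code init} has run
     */
    public boolean isEmpty() {
        return this.spnGssCredentials == null || this.spnGssCredentials.isEmpty();
    }

    /**
     * @return the number of host names that have a credential; 0 before {@code init} has run
     */
    public int howManySpns() {
        return this.spnGssCredentials == null ? 0 : this.spnGssCredentials.size();
    }

    /**
     * Extracts the host-name part of an SPN.
     *
     * <p>Anything from the first {@code '@'} onwards is dropped; if what remains contains a
     * {@code '/'}, the segment between the first and the second {@code '/'} is returned.
     * Constructed example: {@code "HTTP/host.example.com@EXAMPLE.COM"} gives
     * {@code "host.example.com"}.
     *
     * @param str the SPN; must not be {@code null}
     * @return the host-name segment, the input without its realm when there is no {@code '/'},
     *         or an empty string when nothing follows the first {@code '/'}
     */
    protected String extractHostName(String str) {
        String withoutRealm = str;
        int realmSeparator = str.indexOf("@");
        if (realmSeparator != -1) {
            withoutRealm = str.substring(0, realmSeparator);
        }
        if (withoutRealm.indexOf("/") != -1) {
            // A limit of -1 keeps trailing empty segments, so an SPN that ends in '/' yields ""
            // instead of an ArrayIndexOutOfBoundsException.
            return withoutRealm.split("/", -1)[1];
        }
        return withoutRealm;
    }

    /**
     * Looks up the credential stored for a host name.
     *
     * <p>The lookup is an exact, case-sensitive map lookup on the key produced by
     * {@link #extractHostName(String)}; callers must handle a {@code null} result.
     *
     * @param str the host name to look up
     * @return the credential for that host name, or {@code null} if there is none or
     *         {@code init} has not run
     */
    public GSSCredential getSpnGSSCredential(String str) {
        return this.spnGssCredentials == null ? null : this.spnGssCredentials.get(str);
    }

    /**
     * Creates the credential for one SPN, reporting rather than propagating a GSS failure.
     *
     * @param str the SPN
     * @return the credential, or {@code null} if a {@link GSSException} occurred (the exception
     *         is passed to FFDC and logged as an error)
     */
    protected GSSCredential createSpnGSSCredential(String str) {
        GSSCredential credential = null;
        GSSName name = null;
        try {
            GSSManager manager = GSSManager.getInstance();
            name = createGSSName(manager, str);
            credential = createGSSCredential(name, manager, str);
        } catch (GSSException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.internal.SpnGssCredential", "113", this, new Object[]{str});
            // Report the resolved name when name creation succeeded, otherwise the raw SPN.
            Object[] messageArgs = new Object[]{name != null ? name.toString() : str, e};
            Tr.error(tc, "SPNEGO_CAN_NOT_CREATE_GSSCRED_FOR_SPN", messageArgs);
        }
        return credential;
    }

    /**
     * Creates an accept-only credential for {@code gSSName}.
     *
     * <p>If neither Kerberos login module flag in {@link Krb5Common} is set, a single SPNEGO
     * credential with indefinite lifetime is requested. Otherwise a Kerberos credential is
     * created first and the SPNEGO mechanism is added to it. When
     * {@code OTHER_KRB5_LOGIN_MODULE_AVAILABLE} is set, the principal and login-name properties
     * are pointed at the SPN for the duration of the call and restored afterwards, also when
     * credential creation throws.
     *
     * @param gSSName    the name the credential is created for
     * @param gSSManager the manager used to create the credential
     * @param str        the SPN used for the temporary property overrides
     * @return the new credential
     * @throws GSSException if the credential cannot be created
     */
    private GSSCredential createGSSCredential(GSSName gSSName, GSSManager gSSManager, String str) throws GSSException {
        if (!Krb5Common.IBM_KRB5_LOGIN_MODULE_AVAILABLE && !Krb5Common.OTHER_KRB5_LOGIN_MODULE_AVAILABLE) {
            return gSSManager.createCredential(gSSName, GSSCredential.INDEFINITE_LIFETIME, Krb5Common.SPNEGO_MECH_OID, GSSCredential.ACCEPT_ONLY);
        }
        // Read the flag once so the override and the restore below always agree.
        boolean overridePrincipal = Krb5Common.OTHER_KRB5_LOGIN_MODULE_AVAILABLE;
        String previousPrincipal = null;
        String previousLoginName = null;
        if (overridePrincipal) {
            previousPrincipal = Krb5Common.getSystemProperty(Krb5Common.KRB5_PRINCIPAL);
            previousLoginName = Krb5Common.getSystemProperty(LOGIN_NAME);
            Krb5Common.setPropertyAsNeeded(Krb5Common.KRB5_PRINCIPAL, str);
            Krb5Common.setPropertyAsNeeded(LOGIN_NAME, str);
        }
        try {
            GSSCredential credential = gSSManager.createCredential(gSSName, GSSCredential.DEFAULT_LIFETIME, Krb5Common.KRB5_MECH_OID, GSSCredential.ACCEPT_ONLY);
            credential.add(gSSName, GSSCredential.INDEFINITE_LIFETIME, GSSCredential.INDEFINITE_LIFETIME, Krb5Common.SPNEGO_MECH_OID, GSSCredential.ACCEPT_ONLY);
            return credential;
        } finally {
            if (overridePrincipal) {
                // Each property is restored from its own saved value; previously the login name
                // was restored from the value saved for KRB5_PRINCIPAL, and nothing was restored
                // when credential creation threw.
                Krb5Common.restorePropertyAsNeeded(Krb5Common.KRB5_PRINCIPAL, previousPrincipal, str);
                Krb5Common.restorePropertyAsNeeded(LOGIN_NAME, previousLoginName, str);
            }
        }
    }

    /**
     * Builds the {@link GSSName} for an SPN.
     *
     * <p>The name is created with name type {@code NT_USER_NAME} for the SPNEGO mechanism. It is
     * canonicalized for the Kerberos mechanism when the configuration asks for canonical host
     * names and the SPN does not start with {@code SpnegoConfigImpl.LOCAL_HOST}.
     *
     * @param gSSManager the manager used to create the name
     * @param str        the SPN
     * @return the (possibly canonicalized) name
     * @throws GSSException if the name cannot be created or canonicalized
     */
    private GSSName createGSSName(GSSManager gSSManager, String str) throws GSSException {
        GSSName name = gSSManager.createName(str, GSSName.NT_USER_NAME, Krb5Common.SPNEGO_MECH_OID);
        if (this.spnegoConfig.isCanonicalHostName() && !str.startsWith(SpnegoConfigImpl.LOCAL_HOST)) {
            name = name.canonicalize(Krb5Common.KRB5_MECH_OID);
        }
        return name;
    }
}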
