package com.filenet.apiimpl.authentication.util;

import com.filenet.apiimpl.authentication.FnceCallbackHandler;
import java.security.Principal;
import java.util.HashMap;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/* loaded from: input_file:runtime/Jace.jar:com/filenet/apiimpl/authentication/util/KrbAuthnUtil.class */
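/**
 * Static helpers for Kerberos logins: obtains a JAAS {@link Subject} for a login name, caches it
 * per login name and service name, and looks up Kerberos tickets and keys inside a Subject.
 *
 * <p>Cache behaviour, as implemented below:
 * <ul>
 *   <li>Entries are keyed by {@code loginName + '|' + serviceName}. A {@code '|'} inside either
 *       part is not escaped, so distinct pairs can in principle map to the same key.</li>
 *   <li>An entry's expiry is derived lazily from the end time of the matching Kerberos ticket
 *       (minus a safety margin) or, when no ticket is found, from a fixed lifetime.</li>
 *   <li>Entries are never removed. An expired entry only drops its Subject reference.</li>
 * </ul>
 *
 * <p>NOTE(review): a cache hit in {@link #tgtLogin(String, char[], String, String, String,
 * boolean, boolean)} returns the cached Subject without consulting the supplied {@code char[]}
 * (presumably the password). Code that relies on this method to verify credentials entered by an
 * end user should pass {@code z2 = true} (forced refresh), or the cache needs to be bound to the
 * credentials. Confirm how callers use it before relying on the cache.
 */
public class KrbAuthnUtil {
    /** Safety margin (2 minutes, in msec) subtracted from a ticket's end time. */
    private static final long EXPIRATION_FUDGE_MSEC = 120000;
    /** Lifetime (2 hours, in msec) given to a cached login whose Subject holds no matching ticket. */
    private static final long NO_TICKET_EXPIRATION = 7200000;
    /** Prefix of every log message written by this class. */
    private static final String FNAME = "[KrbAuthnUtil] ";
    /** Login cache. It is only touched from the synchronized tgtLogin overload and cacheCheck. */
    private static final HashMap<String, LoginInfo> cachedTGTs = new HashMap<String, LoginInfo>();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:runtime/Jace.jar:com/filenet/apiimpl/authentication/util/KrbAuthnUtil$LoginInfo.class */
    /** One cache entry. The same instance may be stored under more than one key. */
    public static class LoginInfo {
        // Logged-in Subject, or null once the entry has expired or was invalidated.
        Subject subject;
        // Expiry time in epoch msec, or -1 while it has not been computed yet.
        long expires;
        // Time of the login in epoch msec.
        long created;

        private LoginInfo() {
        }
    }

    private KrbAuthnUtil() {
    }

    /**
     * Same as the seven-argument overload with forced refresh disabled.
     *
     * @throws LoginException if a new login is needed and fails
     */
    public static Subject tgtLogin(String str, char[] cArr, String str2, String str3, String str4, boolean z) throws LoginException {
        return tgtLogin(str, cArr, str2, str3, str4, z, false);
    }

    /**
     * Returns a logged-in Subject for {@code str}, reusing a cached one while it is still valid.
     *
     * <p>On a cache miss, or when the cached entry is expired or {@code z2} is set, a new login is
     * done: through a {@link LoginContext} named {@code str2} when that is non-null, otherwise
     * through {@code J2EEAuthnUtil.defaultTgtLogin}. For a key seen for the first time the name
     * of the first principal of the new Subject is looked up in the cache as well, so that the
     * login name and that principal name share one entry.
     *
     * <p>NOTE(review): on a cache hit {@code cArr} is never read. See the class comment.
     *
     * @param str login name, used for the callback handler and as the first half of the cache key
     * @param cArr secret handed to the callback handler (presumably the password, TODO confirm)
     * @param str2 JAAS login configuration entry name, or null to use the default login
     * @param str3 passed through to {@code defaultTgtLogin}; meaning not visible here
     * @param str4 server principal name used as the second half of the cache key and to pick the
     *     ticket that determines expiry; null selects a {@code krbtgt/} ticket
     * @param z true to write progress messages through {@code AuthnUtil.log}
     * @param z2 true to discard a cached Subject and log in again
     * @return the Subject of the cache entry
     * @throws LoginException if the login fails, or if a first-time login yields no principal
     */
    public static synchronized Subject tgtLogin(String str, char[] cArr, String str2, String str3, String str4, boolean z, boolean z2) throws LoginException {
        LoginInfo info = cacheCheck(str, str4, z, z2);
        final boolean firstLogin = info == null;
        if (!firstLogin && info.subject != null) {
            // Still valid and no refresh requested: hand out the cached Subject as is.
            return info.subject;
        }
        if (firstLogin) {
            info = new LoginInfo();
        }

        if (str2 != null) {
            LoginContext loginContext = new LoginContext(str2, new FnceCallbackHandler(str, cArr));
            loginContext.login();
            info.subject = loginContext.getSubject();
        } else {
            info.subject = J2EEAuthnUtil.getInstance().defaultTgtLogin(str, cArr, str3, z);
        }
        if (z) {
            AuthnUtil.log(FNAME + "TGT login successful");
        }
        info.created = System.currentTimeMillis();
        info.expires = -1L; // recomputed from the ticket on the next cacheCheck

        if (!firstLogin) {
            // The entry was refreshed in place; every key pointing at it sees the new Subject.
            return info.subject;
        }

        String name = firstPrincipalName(info.subject);
        LoginInfo canonical = cacheCheck(name, str4, z, z2);
        if (canonical != null) {
            if (canonical.subject == null) {
                if (z) {
                    AuthnUtil.log(FNAME + "linking '" + str + "' with expired cached canonical name entry and using new subject");
                }
                canonical.subject = info.subject;
                canonical.created = info.created;
                canonical.expires = -1L;
            } else if (z) {
                AuthnUtil.log(FNAME + "linking '" + str + "' with cached canonical name entry and using cached entry's subject");
            }
            info = canonical;
        } else if (!name.equals(str)) {
            cachedTGTs.put(name + '|' + str4, info);
        }
        cachedTGTs.put(str + '|' + str4, info);
        return info.subject;
    }

    /**
     * Returns the name of the first principal of a freshly logged-in Subject.
     *
     * @throws LoginException if the Subject is null or has no principals, instead of the
     *     unchecked exception an unguarded lookup would raise
     */
    private static String firstPrincipalName(Subject subject) throws LoginException {
        if (subject == null || subject.getPrincipals().isEmpty()) {
            throw new LoginException(FNAME + "login returned no principal");
        }
        return subject.getPrincipals().iterator().next().getName();
    }

    /**
     * Finds a Kerberos ticket among the private credentials of {@code subject}.
     *
     * <p>Matching on the ticket's server principal name:
     * <ul>
     *   <li>{@code str == null}: the first ticket whose server name starts with {@code krbtgt/}.</li>
     *   <li>{@code str} contains {@code '@'} after its first character: the server name must
     *       equal {@code str}.</li>
     *   <li>otherwise: the server name must be {@code str} immediately followed by {@code '@'},
     *       so a name without realm matches that service in any realm.</li>
     * </ul>
     * Destroyed tickets are skipped, because their server principal is no longer available.
     *
     * @return the first matching ticket, or null if there is none
     */
    public static KerberosTicket findKrbCredentials(Subject subject, String str) {
        for (Object credential : subject.getPrivateCredentials()) {
            if (!(credential instanceof KerberosTicket)) {
                continue;
            }
            KerberosTicket ticket = (KerberosTicket) credential;
            if (ticket.isDestroyed()) {
                continue;
            }
            String serverName = ticket.getServer().getName();
            if (str == null) {
                if (serverName.startsWith("krbtgt/")) {
                    return ticket;
                }
            } else if (serverName.startsWith(str)) {
                if (str.indexOf('@') > 0) {
                    // startsWith plus equal length means the names are identical.
                    if (serverName.length() == str.length()) {
                        return ticket;
                    }
                } else if (serverName.length() > str.length() && serverName.charAt(str.length()) == '@') {
                    // The length check keeps charAt in range when the two names are equal.
                    return ticket;
                }
            }
        }
        return null;
    }

    /**
     * Finds the Kerberos key of principal {@code str} among the private credentials of
     * {@code subject}.
     *
     * @param str exact principal name to look for; must not be null
     * @return the first key whose principal name equals {@code str}, or null if there is none
     */
    public static KerberosKey findKrbKey(Subject subject, String str) {
        for (Object credential : subject.getPrivateCredentials()) {
            if (credential instanceof KerberosKey) {
                KerberosKey key = (KerberosKey) credential;
                if (str.equals(key.getPrincipal().getName())) {
                    return key;
                }
            }
        }
        return null;
    }

    /**
     * Looks up the cache entry for {@code str + '|' + str2} and refreshes its state.
     *
     * <p>If the entry's expiry has not been computed yet, it is derived from the matching ticket
     * or from the fixed no-ticket lifetime. If the entry is expired, or {@code z2} is set, its
     * Subject reference is cleared so that the caller logs in again.
     *
     * @param z true to log what was decided
     * @param z2 true to invalidate the entry regardless of its remaining lifetime
     * @return the entry, possibly with a null Subject, or null if the key is not cached
     */
    private static LoginInfo cacheCheck(String str, String str2, boolean z, boolean z2) {
        LoginInfo info = cachedTGTs.get(str + '|' + str2);
        if (info == null) {
            return null;
        }
        if (info.expires == -1 && info.subject != null) {
            KerberosTicket ticket = findKrbCredentials(info.subject, str2);
            if (ticket == null) {
                info.expires = info.created + NO_TICKET_EXPIRATION;
            } else {
                info.expires = ticket.getEndTime().getTime() - EXPIRATION_FUDGE_MSEC;
            }
        }
        long remaining = info.expires - System.currentTimeMillis();
        if (remaining < 0 || z2) {
            if (z) {
                if (z2) {
                    AuthnUtil.log(FNAME + "cached ticket invalidated because of forced refresh; renewing ticket");
                } else {
                    AuthnUtil.log(FNAME + "cached ticket expired " + (-remaining) + " msec ago; renewing ticket");
                }
            }
            info.subject = null;
        } else if (z) {
            AuthnUtil.log(FNAME + "reusing cached ticket with " + remaining + " msec remaining");
        }
        return info;
    }
}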
