package com.zimbra.cs.mailclient.auth;

import com.zimbra.cs.dav.DavElements;
import com.zimbra.cs.mailclient.MailConfig;
import com.zimbra.cs.security.sasl.SaslInputStream;
import com.zimbra.cs.security.sasl.SaslOutputStream;
import com.zimbra.cs.security.sasl.SaslSecurityLayer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;

/* loaded from: input_file:com/zimbra/cs/mailclient/auth/SaslAuthenticator.class */
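/**
 * {@link Authenticator} backed by the JDK SASL client API ({@link Sasl}).
 *
 * <p>For every mechanism except {@value #GSSAPI} the {@link SaslClient} is created
 * directly from the {@link MailConfig}. For GSSAPI a Kerberos login is performed first
 * through a {@link LoginContext} built around {@code Krb5LoginModule}, and the SASL
 * client creation as well as every challenge evaluation is then run via
 * {@link Subject#doAs} inside the resulting subject so the mechanism can find the
 * acquired credentials.
 *
 * <p>Credentials reach the mechanism only through {@link SaslCallbackHandler}. The
 * password reference is dropped as soon as it has been handed out once, and again in
 * {@link #dispose()}.
 *
 * <p>The SASL-related methods ({@link #evaluateChallenge}, {@link #isComplete}, ...)
 * require {@link #init} to have succeeded first; before that no {@link SaslClient}
 * exists. Instances hold mutable, unsynchronized state and are meant for a single
 * authentication exchange on one thread.
 */
public final class SaslAuthenticator extends Authenticator {
    private MailConfig config;
    private String password;
    private LoginContext loginContext;
    private Subject subject;
    private SaslClient saslClient;

    public static final String GSSAPI = "GSSAPI";
    public static final String PLAIN = "PLAIN";
    public static final String CRAM_MD5 = "CRAM-MD5";
    public static final String DIGEST_MD5 = "DIGEST-MD5";
    public static final String XOAUTH2 = "XOAUTH2";
    public static final String QOP_AUTH = "auth";
    public static final String QOP_AUTH_CONF = "auth-conf";
    public static final String QOP_AUTH_INT = "auth-int";

    private static final String LOGIN_MODULE_NAME = "com.sun.security.auth.module.Krb5LoginModule";
    /** Name of the inline JAAS configuration entry used for the Kerberos login. */
    private static final String KRB5_LOGIN_CONTEXT_NAME = "krb5";
    /** Option names understood by {@code Krb5LoginModule}. */
    private static final String KRB5_OPTION_DEBUG = "debug";
    private static final String KRB5_OPTION_PRINCIPAL = "principal";

    /**
     * Supplies the SASL mechanism (and the Kerberos login module) with the authentication
     * id, password and realm taken from the enclosing {@link #config}.
     */
    private final class SaslCallbackHandler implements CallbackHandler {
        /**
         * Answers name, password and realm callbacks; anything else is rejected.
         *
         * @throws IllegalStateException if a password or realm is requested but none is configured
         * @throws UnsupportedCallbackException for any callback other than name, password or realm
         */
        @Override
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(config.getAuthenticationId());
                } else if (callback instanceof PasswordCallback) {
                    if (password == null) {
                        throw new IllegalStateException("Password missing but required");
                    }
                    ((PasswordCallback) callback).setPassword(password.toCharArray());
                    // One-shot hand-over: drop our reference so the secret is not retained
                    // by this object longer than needed.
                    password = null;
                } else if (callback instanceof RealmCallback) {
                    String realm = config.getRealm();
                    if (realm == null) {
                        throw new IllegalStateException("Realm missing but required");
                    }
                    ((RealmCallback) callback).setText(realm);
                } else {
                    throw new UnsupportedCallbackException(callback);
                }
            }
        }
    }

    /**
     * Prepares the SASL client for the mechanism configured in {@code mailConfig}.
     *
     * @param mailConfig connection settings: mechanism, host, protocol, authentication/authorization
     *                   id, realm and SASL properties
     * @param str        the password, or {@code null} when the mechanism does not need one
     * @throws IllegalArgumentException if the config or its mechanism, host, protocol or
     *                                  authentication id is missing
     * @throws LoginException           if the Kerberos login for GSSAPI fails
     * @throws SaslException            if no SASL client can be created for the mechanism
     */
    @Override
    public void init(MailConfig mailConfig, String str) throws LoginException, SaslException {
        if (mailConfig == null) {
            throw new IllegalArgumentException("Missing required config");
        }
        this.config = mailConfig;
        this.password = str;
        String mechanism = mailConfig.getMechanism();
        checkRequired("mechanism", mechanism);
        checkRequired("host", mailConfig.getHost());
        checkRequired("protocol", mailConfig.getProtocol());
        checkRequired("authentication id", mailConfig.getAuthenticationId());
        this.saslClient = GSSAPI.equals(mechanism) ? createGssSaslClient() : createSaslClient();
        debug("Requested QOP is %s", requestedQop(mailConfig.getSaslProperties()));
    }

    /**
     * Returns the quality of protection requested through the {@link Sasl#QOP} property,
     * or {@value #QOP_AUTH} when no properties or no QOP entry are present.
     */
    private static String requestedQop(Map<String, String> saslProperties) {
        String qop = saslProperties != null ? saslProperties.get(Sasl.QOP) : null;
        return qop != null ? qop : QOP_AUTH;
    }

    /** @return the mechanism name from the config passed to {@link #init}. */
    @Override
    public String getMechanism() {
        return this.config.getMechanism();
    }

    /**
     * Rejects a missing configuration value.
     *
     * @throws IllegalArgumentException if {@code value} is {@code null}
     */
    private static void checkRequired(String what, String value) {
        if (value == null) {
            throw new IllegalArgumentException("Missing required " + what);
        }
    }

    /**
     * Performs the Kerberos login and creates the GSSAPI SASL client inside the resulting
     * subject. On failure the login is released again via {@link #dispose()}.
     *
     * @throws LoginException if the Kerberos login fails
     * @throws SaslException  if the SASL client cannot be created
     */
    private SaslClient createGssSaslClient() throws LoginException, SaslException {
        this.loginContext = getLoginContext();
        this.loginContext.login();
        this.subject = this.loginContext.getSubject();
        debug("GSS subject = %s", this.subject);
        try {
            return Subject.doAs(this.subject, new PrivilegedExceptionAction<SaslClient>() {
                @Override
                public SaslClient run() throws SaslException {
                    return createSaslClient();
                }
            });
        } catch (PrivilegedActionException e) {
            // saslClient has not been assigned yet, so dispose() only logs out the Kerberos login.
            dispose();
            Exception cause = e.getException();
            if (cause instanceof SaslException) {
                throw (SaslException) cause;
            }
            if (cause instanceof LoginException) {
                throw (LoginException) cause;
            }
            throw new IllegalStateException("Error initializing GSS authenticator", e);
        }
    }

    /**
     * Builds a {@link LoginContext} with an inline JAAS configuration consisting of a single
     * required {@code Krb5LoginModule} entry, so no external login configuration file is needed.
     * The module's debug flag follows the configured logger's debug level.
     */
    private LoginContext getLoginContext() throws LoginException {
        Map<String, String> options = new HashMap<>();
        options.put(KRB5_OPTION_DEBUG, Boolean.toString(this.config.getLogger().isDebugEnabled()));
        options.put(KRB5_OPTION_PRINCIPAL, getPrincipal());
        final AppConfigurationEntry entry = new AppConfigurationEntry(
                LOGIN_MODULE_NAME, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
        Configuration configuration = new Configuration() {
            // The same single entry is returned for every name, including KRB5_LOGIN_CONTEXT_NAME.
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {entry};
            }

            @Override
            public void refresh() {
                // Nothing to reload: the entry is fixed in code.
            }
        };
        return new LoginContext(KRB5_LOGIN_CONTEXT_NAME, (Subject) null, new SaslCallbackHandler(), configuration);
    }

    /**
     * Returns the Kerberos principal: the authentication id, qualified with {@code @realm}
     * only when a realm is configured and the id does not already contain an {@code '@'}.
     */
    private String getPrincipal() {
        String realm = this.config.getRealm();
        String authenticationId = this.config.getAuthenticationId();
        if (realm == null || authenticationId.indexOf('@') != -1) {
            return authenticationId;
        }
        return authenticationId + '@' + realm;
    }

    /**
     * Creates the {@link SaslClient} for the configured mechanism, wired to a
     * {@link SaslCallbackHandler} for credentials.
     *
     * @throws SaslException if the JDK cannot provide a client for the mechanism
     */
    private SaslClient createSaslClient() throws SaslException {
        return Sasl.createSaslClient(
                new String[] {this.config.getMechanism()},
                this.config.getAuthorizationId(),
                this.config.getProtocol(),
                this.config.getHost(),
                this.config.getSaslProperties(),
                new SaslCallbackHandler());
    }

    /**
     * Evaluates a server challenge. Once the exchange is complete only {@value #XOAUTH2}
     * is still allowed to receive further challenges.
     *
     * @param bArr the challenge bytes from the server
     * @return the response to send back
     * @throws IllegalStateException if authentication is already complete (non-XOAUTH2)
     * @throws SaslException         if the mechanism rejects the challenge
     */
    @Override
    public byte[] evaluateChallenge(byte[] bArr) throws SaslException {
        if (isComplete()) {
            if (XOAUTH2.equalsIgnoreCase(this.config.getMechanism())) {
                return this.saslClient.evaluateChallenge(bArr);
            }
            throw new IllegalStateException("Authentication already completed");
        }
        // A subject exists only after a successful GSSAPI login.
        return this.subject != null ? evaluateGssChallenge(bArr) : this.saslClient.evaluateChallenge(bArr);
    }

    /**
     * Evaluates a challenge inside the Kerberos subject so GSSAPI can access its credentials.
     * Any failure releases the login via {@link #dispose()} before being rethrown.
     */
    private byte[] evaluateGssChallenge(final byte[] bArr) throws SaslException {
        try {
            return Subject.doAs(this.subject, new PrivilegedExceptionAction<byte[]>() {
                @Override
                public byte[] run() throws SaslException {
                    return saslClient.evaluateChallenge(bArr);
                }
            });
        } catch (PrivilegedActionException e) {
            dispose();
            Exception cause = e.getException();
            if (cause instanceof SaslException) {
                throw (SaslException) cause;
            }
            throw new IllegalStateException("Unknown authentication error", cause);
        }
    }

    /**
     * @return the client's initial response, obtained by evaluating an empty challenge
     * @throws IllegalStateException if the mechanism has no initial response
     */
    @Override
    public byte[] getInitialResponse() throws SaslException {
        if (!hasInitialResponse()) {
            throw new IllegalStateException("Mechanism does not support initial response");
        }
        return this.saslClient.evaluateChallenge(new byte[0]);
    }

    @Override
    public boolean hasInitialResponse() {
        return this.saslClient.hasInitialResponse();
    }

    @Override
    public boolean isComplete() {
        return this.saslClient.isComplete();
    }

    /** @return whether the negotiated SASL security layer is active for this client. */
    @Override
    public boolean isEncryptionEnabled() {
        return SaslSecurityLayer.getInstance(this.saslClient).isEnabled();
    }

    /** Wraps the stream in the SASL security layer only when one was negotiated. */
    @Override
    public OutputStream wrap(OutputStream outputStream) {
        if (!isEncryptionEnabled()) {
            return outputStream;
        }
        return new SaslOutputStream(outputStream, this.saslClient);
    }

    /** Unwraps the stream through the SASL security layer only when one was negotiated. */
    @Override
    public InputStream unwrap(InputStream inputStream) {
        if (!isEncryptionEnabled()) {
            return inputStream;
        }
        return new SaslInputStream(inputStream, this.saslClient);
    }

    /**
     * @param str a {@link Sasl} property name
     * @return the negotiated value as a string, or {@code null} if not negotiated
     * @throws ClassCastException if the mechanism reports a non-string value
     */
    @Override
    public String getNegotiatedProperty(String str) {
        return (String) this.saslClient.getNegotiatedProperty(str);
    }

    /**
     * Releases the SASL client and the Kerberos login, and drops the password reference.
     * Safe to call before {@link #init} has created a client, and more than once.
     *
     * @throws SaslException if the SASL client fails to dispose
     */
    @Override
    public void dispose() throws SaslException {
        this.password = null;
        if (this.saslClient != null) {
            this.saslClient.dispose();
        }
        if (this.loginContext != null) {
            try {
                this.loginContext.logout();
            } catch (LoginException e) {
                // Best effort: a failed logout must not hide the caller's own error path.
                debug("LoginContext logout failed: %s", e);
            }
            this.loginContext = null;
        }
    }

    /** Debug-logs through the configured logger, prefixed with the class tag. */
    private void debug(String format, Object... args) {
        if (this.config.getLogger().isDebugEnabled()) {
            this.config.getLogger().debug("[SaslAuthenticator] " + format + "\n", args);
        }
    }
}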
