package com.zimbra.cs.security.sasl;

import com.zimbra.common.account.Key;
import com.zimbra.common.localconfig.LC;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.auth.AuthContext;
import com.zimbra.cs.security.kerberos.Krb5Keytab;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.apache.commons.codec.binary.Base64;

/* loaded from: input_file:com/zimbra/cs/security/sasl/GssAuthenticator.class */
public class GssAuthenticator extends Authenticator {
    private SaslServer mSaslServer;
    private boolean mEncryptionEnabled;
    private static final String QOP_AUTH = "auth";
    private static final String QOP_AUTH_INT = "auth-int";
    private static final String QOP_AUTH_CONF = "auth-conf";
    private static final int MAX_RECEIVE_SIZE = 4096;
    private static final int MAX_SEND_SIZE = 4096;
    public static final String KRB5_DEBUG_ENABLED_PROP = "ZimbraKrb5DebugEnabled";
    private static final boolean DEBUG;
    public static final String MECHANISM = "GSSAPI";
    private static final Boolean GSS_ENABLED;
    private static final Map<String, String> ENCRYPTION_PROPS;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* loaded from: input_file:com/zimbra/cs/security/sasl/GssAuthenticator$GssCallbackHandler.class */
    private class GssCallbackHandler implements CallbackHandler {
        GssCallbackHandler() {
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            if (callbackArr == null || callbackArr.length != 1) {
                throw new IOException("Bad callback");
            }
            if (!(callbackArr[0] instanceof AuthorizeCallback)) {
                throw new UnsupportedCallbackException(callbackArr[0]);
            }
            AuthorizeCallback authorizeCallback = (AuthorizeCallback) callbackArr[0];
            GssAuthenticator.debug("gss authorization_id = %s", authorizeCallback.getAuthorizationID());
            GssAuthenticator.debug("gss authentication_id = %s", authorizeCallback.getAuthenticationID());
            authorizeCallback.setAuthorized(GssAuthenticator.this.authenticate(authorizeCallback.getAuthorizationID(), authorizeCallback.getAuthenticationID(), null));
        }
    }

    public GssAuthenticator(AuthenticatorUser authenticatorUser) {
        super("GSSAPI", authenticatorUser);
    }

    @Override // com.zimbra.cs.security.sasl.Authenticator
    protected boolean isSupported() {
        if (!GSS_ENABLED.booleanValue() && !this.mAuthUser.isGssapiAvailable()) {
            return false;
        }
        try {
            if (!this.mAuthUser.isSSLEnabled()) {
                if (Provisioning.getInstance().getLocalServer().getBooleanAttr("zimbraSaslGssapiRequiresTls", false)) {
                    return false;
                }
            }
            return true;
        } catch (ServiceException e) {
            ZimbraLog.security.warn("could not determine whether TLS encryption is required for GSSAPI auth; defaulting to FALSE", e);
            return false;
        }
    }

    @Override // com.zimbra.cs.security.sasl.Authenticator
    public boolean initialize() throws IOException {
        String value;
        Krb5Keytab keytab = getKeytab(LC.krb5_keytab.value());
        if (keytab == null) {
            sendFailed("mechanism not supported");
            return false;
        }
        debug("keytab file = %s", keytab.getFile());
        if (LC.krb5_service_principal_from_interface_address.booleanValue()) {
            String lowerCase = this.localAddress.getCanonicalHostName().toLowerCase();
            if (lowerCase.length() == 0 || Character.isDigit(lowerCase.charAt(0))) {
                lowerCase = LC.zimbra_server_hostname.value();
            }
            value = lowerCase;
        } else {
            value = LC.zimbra_server_hostname.value();
        }
        KerberosPrincipal kerberosPrincipal = new KerberosPrincipal(getProtocol() + '/' + value);
        debug("kerberos principal = %s", kerberosPrincipal);
        Subject subject = getSubject(keytab, kerberosPrincipal);
        if (subject == null) {
            sendFailed();
            return false;
        }
        debug("subject = %s", subject);
        final Map<String, String> saslProperties = getSaslProperties();
        if (DEBUG && saslProperties != null) {
            String str = saslProperties.get("javax.security.sasl.qop");
            debug("Sent QOP = " + (str != null ? str : "auth"), new Object[0]);
        }
        try {
            final String str2 = value;
            this.mSaslServer = (SaslServer) Subject.doAs(subject, new PrivilegedExceptionAction<Object>() { // from class: com.zimbra.cs.security.sasl.GssAuthenticator.1
                @Override // java.security.PrivilegedExceptionAction
                public Object run() throws SaslException {
                    return Sasl.createSaslServer(GssAuthenticator.this.getMechanism(), GssAuthenticator.this.getProtocol(), str2, saslProperties, new GssCallbackHandler());
                }
            });
            return true;
        } catch (PrivilegedActionException e) {
            sendFailed();
            getLog().warn("Could not create SaslServer", e.getCause());
            return false;
        }
    }

    private Krb5Keytab getKeytab(String str) {
        try {
            return Krb5Keytab.getInstance(str);
        } catch (IOException e) {
            getLog().warn("Keytab file '" + str + "' not found");
            return null;
        }
    }

    private Subject getSubject(Krb5Keytab krb5Keytab, KerberosPrincipal kerberosPrincipal) throws IOException {
        List<KerberosKey> keys = krb5Keytab.getKeys(kerberosPrincipal);
        if (keys == null) {
            getLog().warn("Key not found in keystore for service principal '" + kerberosPrincipal + "'");
            return null;
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(kerberosPrincipal);
        subject.getPrivateCredentials().addAll(keys);
        return subject;
    }

    @Override // com.zimbra.cs.security.sasl.Authenticator
    public void handle(byte[] bArr) throws IOException {
        if (isComplete()) {
            throw new IllegalStateException("Authentication already completed");
        }
        try {
            byte[] evaluateResponse = this.mSaslServer.evaluateResponse(bArr);
            if (!isComplete()) {
                if (!$assertionsDisabled && this.mSaslServer.isComplete()) {
                    throw new AssertionError();
                }
                sendContinuation(new String(Base64.encodeBase64(evaluateResponse), "US-ASCII"));
                return;
            }
            if (!$assertionsDisabled && !this.mSaslServer.isComplete()) {
                throw new AssertionError();
            }
            if (DEBUG) {
                dumpNegotiatedProperties();
            }
            if (!isAuthenticated()) {
                debug("Authentication failed", new Object[0]);
                dispose();
                return;
            }
            String str = (String) this.mSaslServer.getNegotiatedProperty("javax.security.sasl.qop");
            if (!"auth-int".equals(str) && !"auth-conf".equals(str)) {
                dispose();
            } else {
                debug("SASL encryption enabled (%s)", str);
                this.mEncryptionEnabled = true;
            }
        } catch (SaslException e) {
            getLog().warn("SaslServer.evaluateResponse() failed", e);
            if (isComplete()) {
                return;
            }
            sendBadRequest();
        }
    }

    @Override // com.zimbra.cs.security.sasl.Authenticator
    public Account authenticate(String str, String str2, String str3, AuthContext.Protocol protocol, String str4, String str5, String str6) throws ServiceException {
        Provisioning provisioning = Provisioning.getInstance();
        Account account = provisioning.get(Key.AccountBy.krb5Principal, str2);
        if (account == null) {
            ZimbraLog.account.warn("authentication failed (no account associated with Kerberos principal " + str2 + ')');
            return null;
        }
        if (!isProtocolEnabled(account, protocol)) {
            ZimbraLog.account.info("Authentication failed - %s not enabled for %s", new Object[]{protocol, account.getName()});
            return null;
        }
        Account authorize = authorize(account, str, true);
        if (authorize != null) {
            provisioning.accountAuthed(account);
        }
        return authorize;
    }

    private Map<String, String> getSaslProperties() {
        if (this.mAuthUser.isSSLEnabled()) {
            return null;
        }
        return ENCRYPTION_PROPS;
    }

    @Override // com.zimbra.cs.security.sasl.Authenticator
    public boolean isEncryptionEnabled() {
        return this.mEncryptionEnabled;
    }

    @Override // com.zimbra.cs.security.sasl.Authenticator
    public InputStream unwrap(InputStream inputStream) {
        return new SaslInputStream(inputStream, this.mSaslServer);
    }

    @Override // com.zimbra.cs.security.sasl.Authenticator
    public OutputStream wrap(OutputStream outputStream) {
        return new SaslOutputStream(outputStream, this.mSaslServer);
    }

    @Override // com.zimbra.cs.security.sasl.Authenticator
    public SaslServer getSaslServer() {
        return this.mSaslServer;
    }

    @Override // com.zimbra.cs.security.sasl.Authenticator
    public void dispose() {
        debug("dispose called", new Object[0]);
        try {
            this.mSaslServer.dispose();
        } catch (SaslException e) {
            getLog().warn("SaslServer.dispose() failed", e);
        }
    }

    private void dumpNegotiatedProperties() {
        pp("QOP", "javax.security.sasl.qop");
        pp("MAX_BUFFER", "javax.security.sasl.maxbuffer");
        pp("MAX_RECEIVE_SIZE", "javax.security.sasl.rawsendsize");
        pp("STRENGTH", "javax.security.sasl.strength");
    }

    private void pp(String str, String str2) {
        Object negotiatedProperty = this.mSaslServer.getNegotiatedProperty(str2);
        if (negotiatedProperty != null) {
            debug("Negotiated property %s = %s", str, negotiatedProperty);
        }
    }

    static void debug(String str, Object... objArr) {
        if (DEBUG) {
            System.out.printf("[DEBUG GssAuthenticator] " + str + "\n", objArr);
        }
    }

    static {
        $assertionsDisabled = !GssAuthenticator.class.desiredAssertionStatus();
        DEBUG = LC.krb5_debug_enabled.booleanValue() || Boolean.getBoolean(KRB5_DEBUG_ENABLED_PROP);
        GSS_ENABLED = Boolean.valueOf(Boolean.getBoolean("ZimbraGssEnabled"));
        ENCRYPTION_PROPS = new HashMap();
        ENCRYPTION_PROPS.put("javax.security.sasl.qop", "auth,auth-int,auth-conf");
        ENCRYPTION_PROPS.put("javax.security.sasl.maxbuffer", String.valueOf(4096));
        ENCRYPTION_PROPS.put("javax.security.sasl.rawsendsize", String.valueOf(4096));
        if (DEBUG) {
            System.setProperty("sun.security.krb5.debug", "true");
            System.setProperty("sun.security.jgss.debug", "true");
        }
    }
}
