package com.dbeaver.net.auth.krb5;

import com.sun.security.auth.module.Krb5LoginModule;
import java.io.BufferedWriter;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.util.HashMap;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.KrbClient;
import org.apache.kerby.kerberos.kerb.client.KrbConfig;
import org.jkiss.code.NotNull;
import org.jkiss.dbeaver.DBException;
import org.jkiss.dbeaver.Log;
import org.jkiss.dbeaver.model.DBPDataSource;
import org.jkiss.dbeaver.model.DBPDataSourceContainer;
import org.jkiss.dbeaver.model.connection.DBPConnectionConfiguration;
import org.jkiss.dbeaver.model.connection.DataSourceVariableResolver;
import org.jkiss.dbeaver.model.exec.DBCException;
import org.jkiss.dbeaver.model.impl.auth.AuthModelDatabaseNative;
import org.jkiss.dbeaver.model.runtime.DBRProgressMonitor;
import org.jkiss.dbeaver.runtime.DBWorkbench;
import org.jkiss.dbeaver.utils.GeneralUtils;
import org.jkiss.utils.CommonUtils;

/* loaded from: input_file:com/dbeaver/net/auth/krb5/AuthModelKerberos.class */
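/**
 * Kerberos authentication model.
 *
 * <p>Loads and saves the Kerberos settings kept in a connection's auth properties and, when a
 * connection is opened, prepares the JVM for GSS/Kerberos authentication: it obtains a TGT through
 * Apache Kerby (unless an existing ticket cache is to be used) and then either writes a temporary
 * JAAS configuration file or logs a {@link Subject} in directly.
 *
 * <p>Security-relevant properties of this implementation:
 * <ul>
 *   <li>Realm, KDC, krb5.conf and JAAS config locations are passed through JVM-wide system
 *       properties. They are shared by every connection in the process, so two connections that
 *       initialise at the same time with different values overwrite each other's settings.</li>
 *   <li>The ticket cache written by {@link #callKinit} holds a TGT and is only scheduled for
 *       deletion at JVM exit.</li>
 *   <li>Values from the connection configuration are written into a JAAS configuration file;
 *       {@link #createJaasFile} rejects values that could change the structure of that file.</li>
 * </ul>
 */
public class AuthModelKerberos extends AuthModelDatabaseNative<AuthModelKerberosCredentials> {
    private static final String JAVA_SECURITY_KRB5_CONF = "java.security.krb5.conf";
    private static final String JAVA_SECURITY_AUTH_LOGIN_CONFIG = "java.security.auth.login.config";
    private static final String JAVA_SECURITY_KRB5_REALM = "java.security.krb5.realm";
    private static final String JAVA_SECURITY_KRB5_KDC = "java.security.krb5.kdc";
    private static final String JAVA_SECURITY_KRB5_DEBUG = "sun.security.krb5.debug";
    private static final String JAVA_SECURITY_JGSS_DEBUG = "sun.security.jgss.debug";
    private static final String JAVA_SECURITY_AUTH_USESUBJECTCREDSONLY = "javax.security.auth.useSubjectCredsOnly";
    private static final Log log = Log.getLog(AuthModelKerberos.class);

    /**
     * Creates an empty credentials holder.
     *
     * <p>Decompiler note: renamed from {@code createCredentials} (merged with its bridge method).
     */
    @NotNull
    public AuthModelKerberosCredentials m1createCredentials() {
        return new AuthModelKerberosCredentials();
    }

    /**
     * Reads the Kerberos settings from the connection's auth properties into a credentials object.
     *
     * <p>The Kerberos user name falls back to the connection user name, and the connection user
     * name falls back to the Kerberos user name. When no realm is configured it is taken from the
     * part after the last {@code '@'} of the Kerberos (or connection) user name; when a realm is
     * configured and the Kerberos user name has no {@code '@'}, the realm is appended to it.
     *
     * <p>Decompiler note: renamed from {@code loadCredentials} (merged with its bridge method).
     */
    @NotNull
    public AuthModelKerberosCredentials m2loadCredentials(@NotNull DBPDataSourceContainer dBPDataSourceContainer, @NotNull DBPConnectionConfiguration dBPConnectionConfiguration) {
        AuthModelKerberosCredentials credentials = (AuthModelKerberosCredentials) super.loadCredentials(dBPDataSourceContainer, dBPConnectionConfiguration);
        String realm = CommonUtils.toString(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.REALM));
        credentials.setKdcServer(CommonUtils.toString(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.KDC_SERVER)));
        credentials.setKrbUserName(CommonUtils.toString(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.KRB5_USER)));
        if (CommonUtils.isEmpty(credentials.getKrbUserName())) {
            credentials.setKrbUserName(dBPConnectionConfiguration.getUserName());
        }
        if (CommonUtils.isEmpty(dBPConnectionConfiguration.getUserName())) {
            credentials.setUserName(credentials.getKrbUserName());
        }
        String krbUserName = credentials.getKrbUserName();
        if (!CommonUtils.isEmpty(krbUserName)) {
            String userName = credentials.getUserName();
            if (CommonUtils.isEmpty(realm)) {
                if (krbUserName.contains("@")) {
                    realm = krbUserName.substring(krbUserName.lastIndexOf('@') + 1);
                } else if (!CommonUtils.isEmpty(userName) && userName.contains("@")) {
                    // Empty-check added so a missing connection user name cannot raise an NPE here;
                    // initKerberos guards the same lookup the same way.
                    realm = userName.substring(userName.lastIndexOf('@') + 1);
                }
            } else if (!krbUserName.contains("@")) {
                credentials.setKrbUserName(krbUserName + "@" + realm);
            }
        }
        credentials.setKrbRealmName(realm);
        credentials.setUseKeytab(CommonUtils.getBoolean(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.USE_KEYTAB), false));
        credentials.setForceTcp(CommonUtils.getBoolean(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.KRB5_KDC_OVER_TCP), false));
        credentials.setKeytabPath(GeneralUtils.replaceVariables(CommonUtils.toString(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.KEYTAB_PATH)), new DataSourceVariableResolver(dBPDataSourceContainer, dBPConnectionConfiguration)));
        credentials.setUseKinit(CommonUtils.getBoolean(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.USE_KINIT), false));
        credentials.setCacheFilePath(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.USE_KEY_CACHE_FILE));
        credentials.setKrb5ConfPath(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.USE_CUSTOM_CONFIG_PATH));
        credentials.setServiceName(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.SERVICE_NAME));
        credentials.setUseSslJks(CommonUtils.getBoolean(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.USE_SSL_JKS), false));
        credentials.setSslJksPath(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.SSL_JKS_PATH));
        credentials.setSslJksPassword(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.SSL_JKS_PASSWORD));
        credentials.setShowDebugInfo(CommonUtils.getBoolean(dBPConnectionConfiguration.getAuthProperty(AuthModelKerberosConstants.KRB5_DEBUG)));
        return credentials;
    }

    /**
     * Writes the Kerberos settings of {@code authModelKerberosCredentials} back into the
     * connection's auth properties, then delegates to the parent model.
     */
    public void saveCredentials(@NotNull DBPDataSourceContainer dBPDataSourceContainer, @NotNull DBPConnectionConfiguration dBPConnectionConfiguration, @NotNull AuthModelKerberosCredentials authModelKerberosCredentials) {
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.KDC_SERVER, authModelKerberosCredentials.getKdcServer());
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.KRB5_USER, authModelKerberosCredentials.getKrbUserName());
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.REALM, authModelKerberosCredentials.getKrbRealmName());
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.USE_KEYTAB, String.valueOf(authModelKerberosCredentials.isUseKeytab()));
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.KRB5_KDC_OVER_TCP, String.valueOf(authModelKerberosCredentials.isForceTcp()));
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.KEYTAB_PATH, authModelKerberosCredentials.getKeytabPath());
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.USE_KINIT, String.valueOf(authModelKerberosCredentials.isUseKinit()));
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.USE_KEY_CACHE_FILE, authModelKerberosCredentials.getCacheFilePath());
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.USE_CUSTOM_CONFIG_PATH, authModelKerberosCredentials.getKrb5ConfPath());
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.SERVICE_NAME, authModelKerberosCredentials.getServiceName());
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.USE_SSL_JKS, String.valueOf(authModelKerberosCredentials.isUseSslJks()));
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.SSL_JKS_PATH, authModelKerberosCredentials.getSslJksPath());
        // NOTE(review): the keystore password is stored as an ordinary auth property next to
        // non-secret settings. Whether auth properties are protected at rest is decided by
        // DBPConnectionConfiguration's storage, which is not visible here - confirm.
        dBPConnectionConfiguration.setAuthProperty(AuthModelKerberosConstants.SSL_JKS_PASSWORD, authModelKerberosCredentials.getSslJksPassword());
        super.saveCredentials(dBPDataSourceContainer, dBPConnectionConfiguration, authModelKerberosCredentials);
    }

    /**
     * Prepares Kerberos for the connection and then runs the parent model's initialisation.
     *
     * @throws DBException if Kerberos setup fails; an {@link IOException} raised during setup is
     *     wrapped in a {@link DBCException} with the original exception as its cause
     */
    public Object initAuthentication(@NotNull DBRProgressMonitor dBRProgressMonitor, @NotNull DBPDataSource dBPDataSource, @NotNull AuthModelKerberosCredentials authModelKerberosCredentials, @NotNull DBPConnectionConfiguration dBPConnectionConfiguration, @NotNull Properties properties) throws DBException {
        try {
            initKerberos(dBRProgressMonitor, dBPDataSource, authModelKerberosCredentials);
            return super.initAuthentication(dBRProgressMonitor, dBPDataSource, authModelKerberosCredentials, dBPConnectionConfiguration, properties);
        } catch (IOException e) {
            throw new DBCException("IO error", e);
        }
    }

    /** Reads the driver parameter that controls sending the user name to the database (default {@code true}). */
    protected boolean isUserNameNeeded(@NotNull DBPDataSource dBPDataSource) {
        return CommonUtils.getBoolean(dBPDataSource.getContainer().getDriver().getDriverParameter(AuthModelKerberosConstants.PARAM_SEND_USER_TO_DATABASE), true);
    }

    /** Reads the driver parameter that controls sending the password to the database (default {@code true}). */
    protected boolean isUserPasswordNeeded(@NotNull DBPDataSource dBPDataSource) {
        return CommonUtils.getBoolean(dBPDataSource.getContainer().getDriver().getDriverParameter(AuthModelKerberosConstants.PARAM_SEND_PASSWORD_TO_DATABASE), true);
    }

    /**
     * Clears the JAAS login config, realm, KDC and krb5.conf system properties, then delegates to
     * the parent model.
     *
     * <p>Not undone here: the two debug properties and {@code javax.security.auth.useSubjectCredsOnly}
     * stay as {@link #initKerberos} set them, and the temporary ticket cache / JAAS files are left
     * for deletion at JVM exit. Because the properties are process-wide, this call also clears
     * values that another connection may have set in the meantime.
     */
    public void endAuthentication(@NotNull DBPDataSourceContainer dBPDataSourceContainer, @NotNull DBPConnectionConfiguration dBPConnectionConfiguration, @NotNull Properties properties) {
        System.clearProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG);
        System.clearProperty(JAVA_SECURITY_KRB5_REALM);
        System.clearProperty(JAVA_SECURITY_KRB5_KDC);
        System.clearProperty(JAVA_SECURITY_KRB5_CONF);
        super.endAuthentication(dBPDataSourceContainer, dBPConnectionConfiguration, properties);
    }

    /**
     * Validates the credentials, publishes the Kerberos settings as system properties, obtains a
     * TGT when needed and makes it available through a JAAS config file or an authenticated
     * {@link Subject}.
     *
     * <p>{@code isUseKinit()} selects the mode: when it is {@code false} this method requires a
     * user, realm and KDC, creates a temporary ticket cache and fills it via {@link #callKinit};
     * when it is {@code true} none of those are required and only an optionally configured cache
     * file path is passed on.
     *
     * @throws DBCException if a required setting is missing or the TGT request fails
     * @throws IOException if a temporary file cannot be created or written, or the subject login fails
     */
    private void initKerberos(DBRProgressMonitor monitor, DBPDataSource dataSource, AuthModelKerberosCredentials credentials) throws IOException, DBCException {
        boolean useAuthSubject = isUseAuthSubject(dataSource.getContainer());
        boolean useKinit = credentials.isUseKinit();
        if (CommonUtils.isEmpty(credentials.getKrbUserName()) && !useKinit) {
            throw new DBCException("Can't determine Kerberos user");
        }
        if (CommonUtils.isEmpty(credentials.getKrbRealmName()) && !useKinit) {
            throw new DBCException("Realm must be specified or provided with Kerberos username");
        }
        monitor.subTask("Initialize Kerberos configuration");
        String userName = credentials.getUserName();
        File ticketCache = null;
        Path tempFolder = DBWorkbench.getPlatform().getTempFolder(monitor, AuthModelKerberosConstants.MODEL_ID);
        if (!useKinit) {
            // This file will hold the TGT. It is removed only when the JVM exits, so the ticket
            // stays on disk for the rest of the session. NOTE(review): its access permissions are
            // whatever Files.createTempFile applies in tempFolder on this platform - confirm they
            // are owner-only where that matters.
            Path ccache = Files.createTempFile(tempFolder, "krb5-", ".ccache");
            ccache.toFile().deleteOnExit();
            ticketCache = ccache.toFile();
        } else if (!CommonUtils.isEmpty(credentials.getCacheFilePath())) {
            ticketCache = new File(credentials.getCacheFilePath());
        }
        if (CommonUtils.isEmpty(userName) && !useKinit) {
            throw new DBCException("Empty user name");
        }
        String realm = credentials.getKrbRealmName();
        String kdcServer = credentials.getKdcServer();
        String principal = credentials.getKrbUserName();
        if (CommonUtils.isEmpty(principal)) {
            principal = userName;
        }
        if (CommonUtils.isEmpty(realm)) {
            if (!CommonUtils.isEmpty(principal) && principal.contains("@")) {
                realm = principal.substring(principal.lastIndexOf('@') + 1);
            } else if (!CommonUtils.isEmpty(userName) && userName.contains("@")) {
                realm = userName.substring(userName.lastIndexOf('@') + 1);
            } else if (!useKinit) {
                throw new DBCException("Realm must be specified or provided with Kerberos username");
            }
        } else if (!CommonUtils.isEmpty(principal) && !principal.contains("@")) {
            // Qualify the Kerberos user itself. The previous code appended the realm to the
            // connection user name here, which replaced a distinct Kerberos user with the database
            // user; the credentials loader in this class qualifies the Kerberos user instead.
            principal = principal + "@" + realm;
        }
        if (!CommonUtils.isEmpty(kdcServer)) {
            System.setProperty(JAVA_SECURITY_KRB5_KDC, kdcServer);
        } else if (!useKinit) {
            throw new DBCException("KDC Server must be specified");
        }
        if (!CommonUtils.isEmpty(realm)) {
            System.setProperty(JAVA_SECURITY_KRB5_REALM, realm);
        }
        String keytabPath = credentials.isUseKeytab() ? credentials.getKeytabPath() : null;
        if (credentials.isUseKeytab() && CommonUtils.isEmpty(keytabPath)) {
            throw new DBCException("Keytab must be provided.");
        }
        if (credentials.isShowDebugInfo()) {
            // Never cleared afterwards (see endAuthentication): once one connection enables debug,
            // the properties remain set for the whole process.
            System.setProperty(JAVA_SECURITY_KRB5_DEBUG, "true");
            System.setProperty(JAVA_SECURITY_JGSS_DEBUG, "true");
        }
        System.setProperty(JAVA_SECURITY_AUTH_USESUBJECTCREDSONLY, String.valueOf(false));
        if (credentials.isShowDebugInfo()) {
            log.debug("KRB5: Setting kerberos properties");
        }
        if (!CommonUtils.isEmpty(credentials.getKrb5ConfPath())) {
            System.setProperty(JAVA_SECURITY_KRB5_CONF, credentials.getKrb5ConfPath());
        }
        if (!useKinit) {
            callKinit(credentials, ticketCache);
        }
        if (useAuthSubject) {
            credentials.setAuthSubject(authenticateSubject(dataSource, credentials, ticketCache, principal, realm));
        } else {
            Path jaasFile = createJaasFile(tempFolder, dataSource, credentials, ticketCache, principal, realm);
            jaasFile.toFile().deleteOnExit();
            System.setProperty(JAVA_SECURITY_AUTH_LOGIN_CONFIG, jaasFile.toAbsolutePath().toString());
            Configuration.getConfiguration().refresh();
        }
    }

    /**
     * Whether to log a {@link Subject} in directly instead of writing a JAAS config file.
     * This implementation always returns {@code false}.
     */
    protected boolean isUseAuthSubject(@NotNull DBPDataSourceContainer dBPDataSourceContainer) {
        return false;
    }

    /**
     * Requests a TGT from the KDC with Apache Kerby, using the keytab or the user password, and
     * stores it in {@code ticketCache}.
     *
     * @throws DBCException if Kerby reports a {@link KrbException}
     */
    private void callKinit(AuthModelKerberosCredentials credentials, File ticketCache) throws DBCException {
        KrbClient krbClient = null;
        try {
            if (credentials.getKrb5ConfPath() != null) {
                KrbConfig krbConfig = new KrbConfig();
                File krb5Conf = new File(credentials.getKrb5ConfPath());
                if (krb5Conf.exists()) {
                    krbConfig.addKrb5Config(krb5Conf);
                } else {
                    log.warn("Kerberos config file not found, using empty config: " + krb5Conf.getAbsolutePath());
                }
                krbClient = new KrbClient(krbConfig);
            }
            if (krbClient == null) {
                krbClient = new KrbClient();
            }
        } catch (Exception e) {
            // Fail-open by design of the original code: a krb5.conf that cannot be loaded is
            // dropped and the TGT request proceeds with an empty configuration, so nothing that
            // file specifies is applied. NOTE(review): consider failing the connection instead
            // when an explicitly configured krb5.conf cannot be read.
            log.warn("Kerberos config was ignored, using empty config", e);
            krbClient = new KrbClient(new KrbConfig());
        }
        try {
            krbClient.setKdcRealm(credentials.getKrbRealmName());
            krbClient.setKdcHost(credentials.getKdcServer());
            if (credentials.isForceTcp()) {
                krbClient.setAllowUdp(false);
                krbClient.setAllowTcp(true);
            }
            krbClient.init();
            if (credentials.isUseKeytab()) {
                krbClient.storeTicket(krbClient.requestTgt(credentials.getKrbUserName(), new File(credentials.getKeytabPath())), ticketCache);
            } else {
                krbClient.storeTicket(krbClient.requestTgt(credentials.getKrbUserName(), CommonUtils.notEmpty(credentials.getUserPassword())), ticketCache);
            }
        } catch (KrbException e) {
            throw new DBCException("KerberosException", e);
        }
    }

    /**
     * Writes a temporary JAAS configuration with a single {@code Krb5LoginModule} entry that reads
     * the TGT from the ticket cache.
     *
     * <p>The entry name comes from a driver parameter and the principal, realm and cache path from
     * the connection settings. They are validated before the file is created so that a value
     * containing a quote, a line break or (for the entry name) a brace or semicolon cannot add or
     * override options in the generated configuration.
     *
     * @return path of the file that was written; the caller schedules its deletion
     * @throws IOException if a value is not safe to write or the file cannot be written
     */
    private Path createJaasFile(Path tempDir, DBPDataSource dataSource, AuthModelKerberosCredentials credentials, File ticketCache, String principal, String realm) throws IOException {
        boolean debug = credentials.isShowDebugInfo();
        String entryName = jaasEntryName(getLoginModuleName(dataSource, credentials));
        String principalOption = CommonUtils.isEmpty(principal) ? null : jaasValue("principal", principal);
        String realmOption = CommonUtils.isEmpty(realm) ? null : jaasValue("realm", realm);
        // Backslashes are turned into forward slashes because the JAAS parser treats a backslash
        // inside a quoted value as an escape character.
        String cacheOption = ticketCache == null ? null : jaasValue("ticketCache", ticketCache.getAbsolutePath().replace("\\", "/"));

        Path jaasFile = Files.createTempFile(tempDir, "jaas-", ".conf");
        try (BufferedWriter out = Files.newBufferedWriter(jaasFile)) {
            out.write(entryName);
            out.write(" {\n");
            out.write("  com.sun.security.auth.module.Krb5LoginModule required\n");
            out.write("  doNotPrompt=true\n");
            out.write("  useTicketCache=true\n");
            out.write("  refreshKrb5Config=true\n");
            out.write("  renewTGT=true\n");
            if (principalOption != null) {
                out.write(String.format("  principal=\"%s\"\n", principalOption));
            }
            if (realmOption != null) {
                out.write(String.format("  realm=\"%s\"\n", realmOption));
            }
            if (cacheOption != null) {
                out.write(String.format("  ticketCache=\"%s\"\n", cacheOption));
            }
            out.write("  debug=" + debug + ";\n");
            out.write("};\n");
            out.flush();
        }
        return jaasFile;
    }

    /**
     * Returns {@code value} unchanged if it can be placed between double quotes in a JAAS
     * configuration file, i.e. it holds no double quote and no control character.
     *
     * @throws IOException if the value would end the quoted string or the line early
     */
    private static String jaasValue(String optionName, String value) throws IOException {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"' || Character.isISOControl(c)) {
                throw new IOException("Kerberos option '" + optionName + "' contains a quote or control character and cannot be written to the JAAS configuration");
            }
        }
        return value;
    }

    /**
     * Returns {@code name} unchanged if it can be written as an unquoted JAAS entry name, i.e. it
     * holds no whitespace, control character, quote, brace or semicolon.
     *
     * @throws IOException if the name would change the structure of the configuration file
     */
    private static String jaasEntryName(String name) throws IOException {
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (Character.isWhitespace(c) || Character.isISOControl(c) || "{};\"".indexOf(c) >= 0) {
                throw new IOException("Kerberos login module name contains a character that is not allowed in a JAAS configuration entry name");
            }
        }
        return name;
    }

    /**
     * Logs a new {@link Subject} in through {@link Krb5LoginModule}, without prompting, using the
     * ticket cache.
     *
     * @throws IOException if the login module reports failure; a {@link LoginException} is kept as
     *     the cause so the underlying Kerberos error is not lost
     */
    private Subject authenticateSubject(DBPDataSource dataSource, AuthModelKerberosCredentials credentials, File ticketCache, String principal, String realm) throws IOException {
        HashMap<String, Object> sharedState = new HashMap<>();
        HashMap<String, Object> options = new HashMap<>();
        if (credentials.isShowDebugInfo()) {
            options.put("debug", "true");
        }
        options.put("doNotPrompt", "true");
        options.put("useTicketCache", "true");
        options.put("refreshKrb5Config", "true");
        if (ticketCache != null) {
            options.put("ticketCache", ticketCache.getAbsolutePath().replace("\\", "/"));
        }
        if (!CommonUtils.isEmpty(principal) && !CommonUtils.isEmpty(realm)) {
            // initKerberos normally passes a principal that already ends in "@realm"; appending
            // the realm again produced "user@REALM@REALM", so only qualify an unqualified name.
            options.put("principal", principal.contains("@") ? principal : principal + "@" + realm);
        }
        Krb5LoginModule loginModule = new Krb5LoginModule();
        Subject subject = new Subject();
        loginModule.initialize(subject, (CallbackHandler) null, sharedState, options);
        try {
            boolean loggedIn = loginModule.login();
            loginModule.commit();
            if (loggedIn) {
                return subject;
            }
            throw new IOException("Kerberos adaptor couldn't retrieve credentials (TGT) from the cache");
        } catch (LoginException e) {
            throw new IOException("Kerberos adaptor couldn't retrieve credentials (TGT) from the cache", e);
        }
    }

    /**
     * Returns the JAAS entry name to write: the driver's login-module parameter, or
     * {@code AuthModelKerberosConstants.DEFAULT_LOGIN_MODULE_NAME} as the default.
     */
    protected String getLoginModuleName(DBPDataSource dBPDataSource, AuthModelKerberosCredentials authModelKerberosCredentials) {
        return CommonUtils.toString(dBPDataSource.getContainer().getDriver().getDriverParameter(AuthModelKerberosConstants.PARAM_KRB5_LOGIN_MODULE), AuthModelKerberosConstants.DEFAULT_LOGIN_MODULE_NAME);
    }
}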
