package com.microsoft.sqlserver.jdbc;

import com.microsoft.sqlserver.jdbc.dns.DNSKerberosLocator;
import java.lang.reflect.Method;
import java.net.IDN;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.text.MessageFormat;
import java.util.Locale;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.cxf.staxutils.PropertiesExpandingStreamReader;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/microsoft/sqlserver/jdbc/KerbAuthentication.class */
public final class KerbAuthentication extends SSPIAuthentication {
    private static final Logger authLogger = Logger.getLogger("com.microsoft.sqlserver.jdbc.internals.KerbAuthentication");
    private final SQLServerConnection con;
    private final String spn;
    private final GSSManager manager;
    private LoginContext lc;
    private boolean isUserCreatedCredential;
    private GSSCredential peerCredentials;
    private GSSContext peerContext;
    private static final Pattern SPN_PATTERN;
    private static RealmValidator validator;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/microsoft/sqlserver/jdbc/KerbAuthentication$RealmValidator.class */
    public interface RealmValidator {
        boolean isRealmValid(String str);
    }

    private void intAuthInit() throws SQLServerException {
        try {
            Oid oid = new Oid("1.2.840.113554.1.2.2");
            GSSName createName = this.manager.createName(this.spn, (Oid) null);
            if (null != this.peerCredentials) {
                this.peerContext = this.manager.createContext(createName, oid, this.peerCredentials, 0);
                this.peerContext.requestCredDeleg(false);
                this.peerContext.requestMutualAuth(true);
                this.peerContext.requestInteg(true);
            } else {
                String property = this.con.activeConnectionProperties.getProperty(SQLServerDriverStringProperty.JAAS_CONFIG_NAME.toString(), SQLServerDriverStringProperty.JAAS_CONFIG_NAME.getDefaultValue());
                KerbCallback kerbCallback = new KerbCallback(this.con);
                try {
                    Subject subject = Subject.getSubject(AccessController.getContext());
                    if (null == subject) {
                        this.lc = new LoginContext(property, kerbCallback);
                        this.lc.login();
                        subject = this.lc.getSubject();
                    }
                    if (authLogger.isLoggable(Level.FINER)) {
                        authLogger.finer(toString() + " Getting client credentials");
                    }
                    this.peerCredentials = getClientCredential(subject, this.manager, oid);
                    if (authLogger.isLoggable(Level.FINER)) {
                        authLogger.finer(toString() + " creating security context");
                    }
                    this.peerContext = this.manager.createContext(createName, oid, this.peerCredentials, 0);
                    this.peerContext.requestCredDeleg(true);
                    this.peerContext.requestMutualAuth(true);
                    this.peerContext.requestInteg(true);
                } catch (LoginException e) {
                    if (authLogger.isLoggable(Level.FINE)) {
                        authLogger.fine(toString() + "Failed to login using Kerberos due to " + e.getClass().getName() + ":" + e.getMessage());
                    }
                    try {
                        this.con.terminate(0, SQLServerException.getErrString("R_integratedAuthenticationFailed"), e);
                    } catch (SQLServerException e2) {
                        String format = MessageFormat.format(SQLServerException.getErrString("R_kerberosLoginFailed"), e2.getMessage(), e.getClass().getName(), e.getMessage());
                        if (kerbCallback.getUsernameRequested() != null) {
                            format = MessageFormat.format(SQLServerException.getErrString("R_kerberosLoginFailedForUsername"), kerbCallback.getUsernameRequested(), format);
                        }
                        throw new SQLServerException(format, e2.getSQLState(), 18456, e);
                    }
                }
            }
        } catch (GSSException e3) {
            authLogger.finer(toString() + "initAuthInit failed GSSException:-" + e3);
            this.con.terminate(0, SQLServerException.getErrString("R_integratedAuthenticationFailed"), e3);
        } catch (PrivilegedActionException e4) {
            authLogger.finer(toString() + "initAuthInit failed privileged exception:-" + e4);
            this.con.terminate(0, SQLServerException.getErrString("R_integratedAuthenticationFailed"), e4);
        }
    }

    private static GSSCredential getClientCredential(Subject subject, final GSSManager gSSManager, final Oid oid) throws PrivilegedActionException {
        return (GSSCredential) Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() { // from class: com.microsoft.sqlserver.jdbc.KerbAuthentication.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public GSSCredential run() throws GSSException {
                return gSSManager.createCredential((GSSName) null, 0, oid, 1);
            }
        });
    }

    private byte[] intAuthHandShake(byte[] bArr, boolean[] zArr) throws SQLServerException {
        try {
            if (authLogger.isLoggable(Level.FINER)) {
                authLogger.finer(toString() + " Sending token to server over secure context");
            }
            byte[] initSecContext = this.peerContext.initSecContext(bArr, 0, bArr.length);
            if (this.peerContext.isEstablished()) {
                zArr[0] = true;
                if (authLogger.isLoggable(Level.FINER)) {
                    authLogger.finer(toString() + "Authentication done.");
                }
            } else if (null == initSecContext) {
                if (authLogger.isLoggable(Level.INFO)) {
                    authLogger.info(toString() + "byteToken is null in initSecContext.");
                }
                this.con.terminate(0, SQLServerException.getErrString("R_integratedAuthenticationFailed"));
            }
            return initSecContext;
        } catch (GSSException e) {
            authLogger.finer(toString() + "initSecContext Failed :-" + e);
            this.con.terminate(0, SQLServerException.getErrString("R_integratedAuthenticationFailed"), e);
            return null;
        }
    }

    private String makeSpn(String str, int i) throws SQLServerException {
        if (authLogger.isLoggable(Level.FINER)) {
            authLogger.finer(toString() + " Server: " + str + " port: " + i);
        }
        StringBuilder sb = new StringBuilder("MSSQLSvc/");
        if (this.con.serverNameAsACE()) {
            sb.append(IDN.toASCII(str));
        } else {
            sb.append(str);
        }
        sb.append(":");
        sb.append(i);
        String sb2 = sb.toString();
        if (authLogger.isLoggable(Level.FINER)) {
            authLogger.finer(toString() + " SPN: " + sb2);
        }
        return sb2;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public KerbAuthentication(SQLServerConnection sQLServerConnection, String str, int i) throws SQLServerException {
        String makeSpn;
        this.manager = GSSManager.getInstance();
        this.lc = null;
        this.isUserCreatedCredential = false;
        this.peerCredentials = null;
        this.peerContext = null;
        this.con = sQLServerConnection;
        String property = sQLServerConnection.activeConnectionProperties.getProperty(SQLServerDriverStringProperty.SERVER_SPN.toString());
        if (null == property) {
            makeSpn = makeSpn(str, i);
        } else if (sQLServerConnection.serverNameAsACE()) {
            int indexOf = property.indexOf("/");
            makeSpn = property.substring(0, indexOf + 1) + IDN.toASCII(property.substring(indexOf + 1));
        } else {
            makeSpn = property;
        }
        this.spn = enrichSpnWithRealm(makeSpn, null == property);
        if (this.spn.equals(makeSpn) || !authLogger.isLoggable(Level.FINER)) {
            return;
        }
        authLogger.finer(toString() + "SPN enriched: " + makeSpn + " := " + this.spn);
    }

    private String enrichSpnWithRealm(String str, boolean z) {
        if (str == null) {
            return str;
        }
        Matcher matcher = SPN_PATTERN.matcher(str);
        if (matcher.matches() && matcher.group(3) == null) {
            String group = matcher.group(1);
            String group2 = matcher.group(2);
            RealmValidator realmValidator = getRealmValidator(group);
            String findRealmFromHostname = findRealmFromHostname(realmValidator, group);
            if (findRealmFromHostname == null && z) {
                try {
                    String canonicalHostName = InetAddress.getByName(group).getCanonicalHostName();
                    findRealmFromHostname = findRealmFromHostname(realmValidator, canonicalHostName);
                    group = canonicalHostName;
                } catch (UnknownHostException e) {
                }
            }
            if (findRealmFromHostname == null) {
                return str;
            }
            StringBuilder sb = new StringBuilder("MSSQLSvc/");
            sb.append(group).append(":").append(group2).append(PropertiesExpandingStreamReader.DELIMITER).append(findRealmFromHostname.toUpperCase(Locale.ENGLISH));
            return sb.toString();
        }
        return str;
    }

    static RealmValidator getRealmValidator(String str) {
        RealmValidator realmValidator;
        if (validator != null) {
            return validator;
        }
        try {
            Class<?> cls = Class.forName("sun.security.krb5.Config");
            Method method = cls.getMethod("getInstance", new Class[0]);
            final Method method2 = cls.getMethod("getKDCList", String.class);
            final Object invoke = method.invoke(null, new Object[0]);
            realmValidator = new RealmValidator() { // from class: com.microsoft.sqlserver.jdbc.KerbAuthentication.2
                @Override // com.microsoft.sqlserver.jdbc.KerbAuthentication.RealmValidator
                public boolean isRealmValid(String str2) {
                    try {
                        return method2.invoke(invoke, str2) != null;
                    } catch (Exception e) {
                        return false;
                    }
                }
            };
            validator = realmValidator;
        } catch (ReflectiveOperationException e) {
            authLogger.fine("Kerberos Realm Validator: No Oracle Realm Validator Available, using DNSKerberosLocator.");
        }
        if (!validator.isRealmValid("this.might.not.exist." + str)) {
            authLogger.fine("Kerberos Realm Validator: Using Built-in Oracle Realm Validation method.");
            return realmValidator;
        }
        authLogger.fine("Kerberos Realm Validator: Detected buggy Oracle Realm Validator, using DNSKerberosLocator.");
        validator = new RealmValidator() { // from class: com.microsoft.sqlserver.jdbc.KerbAuthentication.3
            @Override // com.microsoft.sqlserver.jdbc.KerbAuthentication.RealmValidator
            public boolean isRealmValid(String str2) {
                try {
                    return DNSKerberosLocator.isRealmValid(str2);
                } catch (NamingException e2) {
                    return false;
                }
            }
        };
        return validator;
    }

    private String findRealmFromHostname(RealmValidator realmValidator, String str) {
        if (str == null) {
            return null;
        }
        int i = 0;
        while (i != -1 && i < str.length() - 2) {
            String substring = str.substring(i);
            if (authLogger.isLoggable(Level.FINEST)) {
                authLogger.finest(toString() + " looking up REALM candidate " + substring);
            }
            if (realmValidator.isRealmValid(substring)) {
                return substring.toUpperCase();
            }
            i = str.indexOf(".", i + 1);
            if (i != -1) {
                i++;
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public KerbAuthentication(SQLServerConnection sQLServerConnection, String str, int i, GSSCredential gSSCredential, Boolean bool) throws SQLServerException {
        this(sQLServerConnection, str, i);
        this.peerCredentials = gSSCredential;
        this.isUserCreatedCredential = bool == null ? false : bool.booleanValue();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // com.microsoft.sqlserver.jdbc.SSPIAuthentication
    public byte[] GenerateClientContext(byte[] bArr, boolean[] zArr) throws SQLServerException {
        if (null == this.peerContext) {
            intAuthInit();
        }
        return intAuthHandShake(bArr, zArr);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // com.microsoft.sqlserver.jdbc.SSPIAuthentication
    public int ReleaseClientContext() throws SQLServerException {
        try {
            if (null != this.peerCredentials && !this.isUserCreatedCredential) {
                this.peerCredentials.dispose();
            } else if (null != this.peerCredentials && this.isUserCreatedCredential) {
                this.peerCredentials = null;
            }
            if (null != this.peerContext) {
                this.peerContext.dispose();
            }
            if (null != this.lc) {
                this.lc.logout();
            }
            return 0;
        } catch (LoginException e) {
            authLogger.fine(toString() + " Release of the credentials failed LoginException: " + e);
            return 0;
        } catch (GSSException e2) {
            authLogger.fine(toString() + " Release of the credentials failed GSSException: " + e2);
            return 0;
        }
    }

    static {
        Configuration.setConfiguration(new JaasConfiguration(Configuration.getConfiguration()));
        SPN_PATTERN = Pattern.compile("MSSQLSvc/(.*):([^:@]+)(@.+)?", 2);
    }
}
