package org.sakaiproject.component.kerberos.user;

import java.io.File;
import java.util.Collection;
import java.util.Iterator;
import java.util.Locale;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.sakaiproject.component.cover.ServerConfigurationService;
import org.sakaiproject.user.api.UserDirectoryProvider;
import org.sakaiproject.user.api.UserEdit;
import org.sakaiproject.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/sakaiproject/component/kerberos/user/KerberosUserDirectoryProvider.class */
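/**
 * User directory provider that authenticates against Kerberos through JAAS.
 *
 * <p>Two modes are visible in this class:
 * <ul>
 *   <li>{@code m_requirelocalaccount == true} (default): the provider only authenticates;
 *       {@link #getUser} and {@link #findUserByEmail} never supply a user record.</li>
 *   <li>{@code m_requirelocalaccount == false}: any principal that Kerberos reports as existing
 *       is given a record of type {@code "kerberos"} with the e-mail {@code eid@m_domain}.
 *       In this mode the existence probe in {@code userKnownToKerberos} is what decides who
 *       gets a record, so its matching rules are security relevant.</li>
 * </ul>
 */
public class KerberosUserDirectoryProvider implements UserDirectoryProvider {
    private static final Logger log = LoggerFactory.getLogger(KerberosUserDirectoryProvider.class);

    /** True when both a service principal and a service login context are configured (set in init()). */
    private boolean m_verifyTicket;
    protected String m_serviceprincipal;
    /** E-mail domain appended to the eid; mandatory when local accounts are not required. */
    protected String m_domain = null;
    protected String m_logincontext = "KerberosAuthentication";
    protected String m_servicelogincontext = "ServiceKerberosAuthentication";
    protected boolean m_requirelocalaccount = true;
    /**
     * Prefix of the LoginException message that is taken to mean "principal exists, password wrong".
     * NOTE(review): this is matched against exception text, which presumably varies with the JDK
     * and KDC in use; confirm the value against the deployed environment.
     */
    protected String m_knownusermsg = "Integrity check on decrypted field failed";

    public void setDomain(String str) {
        this.m_domain = str;
    }

    public void setLoginContext(String str) {
        this.m_logincontext = str;
    }

    public void setServiceLoginContext(String str) {
        this.m_servicelogincontext = str;
    }

    public void setServicePrincipal(String str) {
        this.m_serviceprincipal = str;
    }

    public void setRequireLocalAccount(Boolean bool) {
        this.m_requirelocalaccount = bool.booleanValue();
    }

    public void setKnownUserMsg(String str) {
        this.m_knownusermsg = str;
    }

    /** Accepted for configuration compatibility only; the value is ignored. */
    public void setCachettl(int i) {
        log.warn(this + ".init(): Internal caching DEPRECATED -  Using standard cache settings instead.");
    }

    /**
     * Resolves the krb5.conf and JAAS login-config locations from the Sakai configuration,
     * publishes them as JVM system properties, and derives {@code m_verifyTicket}.
     *
     * @throws IllegalStateException if local accounts are not required and no e-mail domain is set
     */
    public void init() {
        String krb5Conf = ServerConfigurationService.getString("provider.kerberos.krb5.conf", (String) null);
        String authLoginConfig = ServerConfigurationService.getString("provider.kerberos.auth.login.config", (String) null);
        boolean showConfig = ServerConfigurationService.getBoolean("provider.kerberos.showconfig", false);
        String sakaiHome = System.getProperty("sakai.home");

        if (krb5Conf != null) {
            String resolved = resolveReadablePath(krb5Conf, sakaiHome);
            if (resolved != null) {
                System.setProperty("java.security.krb5.conf", resolved);
            } else {
                log.warn(this + ".init(): Cannot find krb5.conf at specified location - Using default rules for krb5.conf location.");
                krb5Conf = null;
            }
        }
        if (authLoginConfig != null) {
            String resolved = resolveReadablePath(authLoginConfig, sakaiHome);
            if (resolved != null) {
                System.setProperty("java.security.auth.login.config", resolved);
            } else {
                log.warn(this + ".init(): Cannot set kerberosauthloginconfig location");
                authLoginConfig = null;
            }
        }

        // Service-ticket verification is only possible when both halves of its configuration exist.
        // Without it, authenticateUser() uses the constructor that takes the login context alone.
        this.m_verifyTicket = this.m_serviceprincipal != null && this.m_servicelogincontext != null;

        log.info(this + ".init() Domain=" + this.m_domain + " LoginContext=" + this.m_logincontext + " RequireLocalAccount=" + this.m_requirelocalaccount + " KnownUserMsg=" + this.m_knownusermsg + " VerifyServiceTicket=" + this.m_verifyTicket);
        if (showConfig) {
            log.info(this + ".init() SakaiHome=" + sakaiHome + " SakaiPropertyKrb5Conf=" + krb5Conf + " SakaiPropertyAuthLoginConfig=" + authLoginConfig + " SystemPropertyKrb5Conf=" + System.getProperty("java.security.krb5.conf") + " SystemPropertyAuthLoginConfig=" + System.getProperty("java.security.auth.login.config") + " ServicePrincipal=" + this.m_serviceprincipal + " ServiceLoginContext=" + this.m_servicelogincontext);
        }
        if (!this.m_requirelocalaccount && this.m_domain == null) {
            throw new IllegalStateException("If you don't require local accounts, you must set the domain for e-mail addresses. See docs/INSTALL.txt in the Kerberos provider source for more information.");
        }
    }

    /**
     * Returns the path to publish for a configured file: the value itself when it is readable
     * as given, otherwise the same name resolved under {@code sakaiHome}, otherwise {@code null}.
     *
     * <p>The resolved path is built with {@link File} so that it is exactly the path that was
     * tested for readability. Plain string concatenation of home and name yields a different
     * path whenever {@code sakai.home} has no trailing separator.
     */
    private static String resolveReadablePath(String configured, String sakaiHome) {
        if (new File(configured).canRead()) {
            return configured;
        }
        File underHome = new File(sakaiHome, configured);
        return underHome.canRead() ? underHome.getPath() : null;
    }

    public void destroy() {
        log.info(this + ".destroy()");
    }

    /**
     * Fills in e-mail and type for a principal that Kerberos knows, when local accounts are not
     * required.
     *
     * @param userEdit record whose eid is looked up; e-mail and type are set on success
     * @return {@code true} if the record was populated, {@code false} otherwise
     */
    public boolean getUser(UserEdit userEdit) {
        if (this.m_requirelocalaccount || !userKnownToKerberos(userEdit.getEid())) {
            return false;
        }
        userEdit.setEmail(userEdit.getEid() + "@" + this.m_domain);
        userEdit.setType("kerberos");
        return true;
    }

    /** Removes from {@code collection} every entry that {@link #getUser} cannot populate. */
    public void getUsers(Collection<UserEdit> collection) {
        Iterator<UserEdit> it = collection.iterator();
        while (it.hasNext()) {
            if (!getUser(it.next())) {
                it.remove();
            }
        }
    }

    /**
     * Maps an e-mail address in the configured domain back to an eid and looks that eid up.
     *
     * @param userEdit record to populate
     * @param str e-mail address to resolve; {@code null} is treated as no match
     * @return {@code true} if the address is {@code localpart@m_domain} and the local part is a
     *         principal known to Kerberos
     */
    public boolean findUserByEmail(UserEdit userEdit, String str) {
        if (this.m_requirelocalaccount || str == null || this.m_domain == null) {
            return false;
        }
        String email = str.trim().toLowerCase(Locale.ROOT);
        // Match the whole domain part, including the '@'. A bare suffix test would also accept
        // addresses in any other domain whose name merely ends with the configured one.
        String domainPart = "@" + this.m_domain.toLowerCase(Locale.ROOT);
        int at = email.indexOf('@');
        if (at <= 0 || at != email.length() - domainPart.length() || !email.endsWith(domainPart)) {
            return false;
        }
        userEdit.setEid(email.substring(0, at));
        return getUser(userEdit);
    }

    /**
     * Checks a user's password against Kerberos. Any failure, including an exception from the
     * JAAS layer, is reported as {@code false}.
     *
     * @param str login id
     * @param userEdit unused here
     * @param str2 password
     * @return {@code true} only if the authentication attempt succeeds
     */
    public boolean authenticateUser(String str, UserEdit userEdit, String str2) {
        // Defence in depth: never hand missing or empty credentials to the login module.
        if (str == null || str2 == null || str.length() == 0 || str2.length() == 0) {
            return false;
        }
        try {
            JassAuthenticate authenticator = this.m_verifyTicket
                    ? new JassAuthenticate(this.m_serviceprincipal, this.m_servicelogincontext, this.m_logincontext)
                    : new JassAuthenticate(this.m_logincontext);
            return authenticator.attemptAuthentication(str, str2);
        } catch (Exception e) {
            // Broad catch is deliberate at this boundary: an unexpected failure must deny access.
            log.warn("authenticateUser(): exception: ", e);
            return false;
        }
    }

    /**
     * Probes whether a principal exists by attempting a login with a fixed wrong password and
     * inspecting the failure message.
     *
     * <p>Operational caveats: every call is a real authentication attempt, so each lookup
     * presumably appears on the KDC as a failed login for that principal and may count towards
     * any lockout policy (confirm against the KDC configuration). The result also depends on the
     * text of the exception message, see {@code m_knownusermsg}.
     *
     * @param str eid to probe
     * @return {@code true} if the login succeeds or fails with the configured "known user" message
     */
    private boolean userKnownToKerberos(String str) {
        try {
            LoginContext loginContext = new LoginContext(this.m_logincontext, new UsernamePasswordCallback(str, "dummy"));
            try {
                loginContext.login();
            } catch (LoginException e) {
                String message = e.getMessage();
                // A null message or a null/empty configured prefix must not count as a match.
                // An empty prefix would match every failure and mark every eid as known.
                boolean known = message != null
                        && this.m_knownusermsg != null
                        && this.m_knownusermsg.length() > 0
                        && message.startsWith(this.m_knownusermsg);
                if (known) {
                    log.debug("userKnownToKerberos({}): Kerberos user known (bad pw)", str);
                } else {
                    log.debug("userKnownToKerberos({}): Kerberos user unknown or invalid", str);
                }
                return known;
            }
            // The login succeeded, so the principal exists; a failing logout does not change that.
            try {
                loginContext.logout();
            } catch (LoginException e) {
                log.debug("useKnownToKerberos(): {}", e.toString());
            }
            log.debug("useKnownToKerberos({}): Kerberos auth success", str);
            return true;
        } catch (SecurityException e2) {
            log.debug("useKnownToKerberos(): {}", e2.toString());
            return false;
        } catch (LoginException e3) {
            log.debug("useKnownToKerberos(): {}", e3.toString());
            return false;
        }
    }

    public boolean authenticateWithProviderFirst(String str) {
        return false;
    }
}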
