package org.apache.directory.server.core.kerberos;

import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.directory.api.asn1.EncoderException;
import org.apache.directory.api.ldap.model.constants.Loggers;
import org.apache.directory.api.ldap.model.entry.Attribute;
import org.apache.directory.api.ldap.model.entry.DefaultAttribute;
import org.apache.directory.api.ldap.model.entry.DefaultModification;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.entry.Modification;
import org.apache.directory.api.ldap.model.entry.ModificationOperation;
import org.apache.directory.api.ldap.model.entry.Value;
import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.api.ldap.model.schema.AttributeType;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.api.entry.ClonedServerEntry;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.context.AddOperationContext;
import org.apache.directory.server.core.api.interceptor.context.LookupOperationContext;
import org.apache.directory.server.core.api.interceptor.context.ModifyOperationContext;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.directory.shared.kerberos.exceptions.KerberosException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/core/kerberos/KeyDerivationInterceptor.class */
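/**
 * Interceptor that derives Kerberos long-term keys from a clear-text {@code userPassword}.
 *
 * <p>On {@code add}, an entry carrying both {@code userPassword} and {@code krb5PrincipalName}
 * gets a {@code krb5Key} attribute with the derived keys and a {@code krb5KeyVersionNumber}
 * of {@code 0}.  On {@code modify}, a change to {@code userPassword} on an entry whose object
 * class includes {@code krb5Principal} replaces {@code krb5Key} and bumps the stored key
 * version number by one (or sets it to {@code 0} when the entry had none).
 *
 * <p>Replication events are passed straight through (presumably the originating server has
 * already derived the keys for the replicated entry).
 *
 * <p>The password is never written to the logs, even at debug level: the principal's
 * long-term keys are a deterministic function of it, so a logged password is as sensitive
 * as the keys themselves.
 *
 * <p>Caveat: a password whose text is {@code "randomKey"} (case-insensitive) is a sentinel
 * that requests random keys instead of password-derived ones; see {@link #generateKeys}.
 */
public class KeyDerivationInterceptor extends BaseInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(KeyDerivationInterceptor.class);
    private static final Logger LOG_KRB = LoggerFactory.getLogger(Loggers.KERBEROS_LOG.getName());
    private static final String NAME = "keyDerivationService";

    /** Sentinel password value that selects {@link RandomKeyFactory} instead of password-derived keys. */
    private static final String RANDOM_KEY_PASSWORD = "randomKey";

    // Attribute types resolved from the schema manager in init().
    private AttributeType krb5KeyAT;
    private AttributeType krb5PrincipalNameAT;
    private AttributeType krb5KeyVersionNumberAT;
    private AttributeType userPasswordAT;

    /**
     * Mutable scratch state collected while processing one modify request: what was found
     * in the modification list and what was looked up from the stored entry.
     */
    public static class ModifySubContext {
        private String principalName;
        private String userPassword;
        // True once the stored entry has been confirmed to carry the krb5Principal object class.
        private boolean isPrincipal = false;
        // -1 means "not yet determined"; see hasValues().
        private int newKeyVersionNumber = -1;

        ModifySubContext() {
        }

        /** @return whether the target entry was found to be a Kerberos principal */
        boolean isPrincipal() {
            return isPrincipal;
        }

        /** @param z whether the target entry is a Kerberos principal */
        void isPrincipal(boolean z) {
            isPrincipal = z;
        }

        /** @return the principal name from the request or the stored entry, or null if unknown */
        String getPrincipalName() {
            return principalName;
        }

        void setPrincipalName(String str) {
            principalName = str;
        }

        /** @return the clear-text password supplied in the modify request, or null if none */
        String getUserPassword() {
            return userPassword;
        }

        void setUserPassword(String str) {
            userPassword = str;
        }

        /** @return the key version number to store, or -1 if not yet determined */
        int getNewKeyVersionNumber() {
            return newKeyVersionNumber;
        }

        void setNewKeyVersionNumber(int i) {
            newKeyVersionNumber = i;
        }

        /** @return true when password, principal name and a key version number are all known */
        boolean hasValues() {
            return userPassword != null && principalName != null && newKeyVersionNumber > -1;
        }
    }

    /** Creates the interceptor under its fixed service name. */
    public KeyDerivationInterceptor() {
        super(NAME);
    }

    /**
     * Resolves the attribute types this interceptor works with.
     *
     * @param directoryService the directory service being started
     * @throws LdapException if one of the attribute types is missing from the schema
     */
    @Override
    public void init(DirectoryService directoryService) throws LdapException {
        super.init(directoryService);
        krb5KeyAT = schemaManager.lookupAttributeTypeRegistry("krb5Key");
        krb5PrincipalNameAT = schemaManager.lookupAttributeTypeRegistry("krb5PrincipalName");
        krb5KeyVersionNumberAT = schemaManager.lookupAttributeTypeRegistry("krb5KeyVersionNumber");
        userPasswordAT = schemaManager.lookupAttributeTypeRegistry("userPassword");
        LOG_KRB.info("KeyDerivation Interceptor initialized");
    }

    /**
     * Adds {@code krb5Key} and {@code krb5KeyVersionNumber} (= 0) to a new entry that carries
     * both {@code userPassword} and {@code krb5PrincipalName}; other entries and replication
     * events are passed through unchanged.
     *
     * @param addContext the add operation
     * @throws LdapException if key generation or attribute construction fails
     */
    @Override
    public void add(AddOperationContext addContext) throws LdapException {
        if (addContext.isReplEvent()) {
            next(addContext);
            return;
        }

        Dn dn = addContext.getDn();
        Entry entry = addContext.getEntry();
        Attribute passwordAttr = entry.get(userPasswordAT);
        Attribute principalAttr = entry.get(krb5PrincipalNameAT);

        // Only the DN is logged: the entry itself carries the clear-text password.
        if (passwordAttr != null && principalAttr != null) {
            LOG.debug("Adding the entry for Dn '{}'.", dn.getName());
            Value passwordValue = passwordAttr.get();

            if (passwordValue == null) {
                // An empty userPassword attribute gives nothing to derive a key from.
                LOG.debug("userPassword has no value for Dn '{}'; skipping key derivation.", dn.getName());
                LOG_KRB.debug("userPassword has no value for Dn '{}'; skipping key derivation.", dn.getName());
                next(addContext);
                return;
            }

            String password = passwordValue.getValue();
            String principalName = principalAttr.getString();
            LOG.debug("Got principal '{}' with a userPassword; deriving keys.", principalName);
            LOG_KRB.debug("Got principal '{}' with a userPassword; deriving keys.", principalName);

            Map<EncryptionType, EncryptionKey> keys = generateKeys(principalName, password);
            // A freshly created principal starts at key version 0.
            entry.put(krb5KeyVersionNumberAT, "0");
            entry.put(getKeyAttribute(keys));
            LOG.debug("Adding modified entry for Dn '{}'.", dn.getName());
            LOG_KRB.debug("Adding modified entry for Dn '{}'.", dn.getName());
        }

        next(addContext);
    }

    /**
     * Re-derives the keys when a modify request changes {@code userPassword} on a Kerberos
     * principal; replication events and unrelated modifications are passed through.
     *
     * @param modifyContext the modify operation
     * @throws LdapException if the lookup, key generation or attribute construction fails
     */
    @Override
    public void modify(ModifyOperationContext modifyContext) throws LdapException {
        if (modifyContext.isReplEvent()) {
            next(modifyContext);
            return;
        }

        ModifySubContext subContext = new ModifySubContext();
        detectPasswordModification(modifyContext, subContext);

        // The stored entry is only consulted when the request actually carries a password.
        if (subContext.getUserPassword() != null) {
            lookupPrincipalAttributes(modifyContext, subContext);
        }

        if (subContext.isPrincipal() && subContext.hasValues()) {
            deriveKeys(modifyContext, subContext);
        }

        next(modifyContext);
    }

    /**
     * Scans the modification list for {@code userPassword} and {@code krb5PrincipalName}
     * and records their values in {@code subContext}.  A {@code userPassword} modification
     * without a value (e.g. a removal of the whole attribute) is ignored.
     *
     * @param modifyContext the modify operation
     * @param subContext receives the detected password and principal name
     * @throws LdapException if the principal name value cannot be read as a string
     */
    private void detectPasswordModification(ModifyOperationContext modifyContext, ModifySubContext subContext)
        throws LdapException {
        for (Modification mod : modifyContext.getModItems()) {
            Attribute attr = mod.getAttribute();
            String operation = describe(mod.getOperation());

            if (userPasswordAT.equals(attr.getAttributeType())) {
                Value value = attr.get();

                if (value == null) {
                    LOG.debug("{} Attribute id : 'userPassword' with no value; no key derivation.", operation);
                    LOG_KRB.debug("{} Attribute id : 'userPassword' with no value; no key derivation.", operation);
                    continue;
                }

                // Binary-tagged values are decoded as UTF-8 text, as before.
                String password = value.isHumanReadable()
                    ? value.getValue()
                    : Strings.utf8ToString(value.getBytes());
                LOG.debug("{} Attribute id : 'userPassword' (value withheld from log).", operation);
                LOG_KRB.debug("{} Attribute id : 'userPassword' (value withheld from log).", operation);
                subContext.setUserPassword(password);
            }

            if (krb5PrincipalNameAT.equals(attr.getAttributeType())) {
                subContext.setPrincipalName(attr.getString());
                LOG.debug("Got principal '{}'.", subContext.getPrincipalName());
                LOG_KRB.debug("Got principal '{}'.", subContext.getPrincipalName());
            }
        }
    }

    /**
     * Returns a log-friendly verb for a modification operation.  Unknown operations are
     * rendered by name rather than rejected: the wording of a debug line must not decide
     * whether a modify request succeeds.
     *
     * @param operation the modification operation
     * @return a short description of the operation
     */
    private static String describe(ModificationOperation operation) {
        switch (operation) {
            case ADD_ATTRIBUTE:
                return "Adding";
            case REMOVE_ATTRIBUTE:
                return "Removing";
            case REPLACE_ATTRIBUTE:
                return "Replacing";
            default:
                return String.valueOf(operation);
        }
    }

    /**
     * Reads the stored entry to decide whether it is a Kerberos principal and, if so, fills in
     * the principal name (when the request did not supply one) and the next key version number.
     *
     * @param modifyContext the modify operation, used for the DN, partition and transaction
     * @param subContext receives the principal flag, principal name and key version number
     * @throws LdapAuthenticationException if the entry cannot be found
     * @throws LdapException if the stored key version number is not an integer
     */
    private void lookupPrincipalAttributes(ModifyOperationContext modifyContext, ModifySubContext subContext)
        throws LdapException {
        Dn dn = modifyContext.getDn();
        LookupOperationContext lookupContext = modifyContext.newLookupContext(dn,
            "objectClass", "krb5PrincipalName", "krb5KeyVersionNumber");
        // The lookup must run inside the same partition and transaction as the modify.
        lookupContext.setPartition(modifyContext.getPartition());
        lookupContext.setTransaction(modifyContext.getTransaction());

        ClonedServerEntry lookup = directoryService.getPartitionNexus().lookup(lookupContext);

        if (lookup == null) {
            throw new LdapAuthenticationException(I18n.err(I18n.ERR_512, dn));
        }

        Entry stored = lookup.getOriginalEntry();

        if (!stored.contains(directoryService.getAtProvider().getObjectClass(), "krb5Principal")) {
            return;
        }

        subContext.isPrincipal(true);
        LOG.debug("Dn {} is a Kerberos principal.  Will attempt key derivation.", dn.getName());
        LOG_KRB.debug("Dn {} is a Kerberos principal.  Will attempt key derivation.", dn.getName());

        if (subContext.getPrincipalName() == null) {
            String principalName = stored.get(krb5PrincipalNameAT).getString();
            subContext.setPrincipalName(principalName);
            LOG.debug("Found principal '{}' from lookup.", principalName);
            LOG_KRB.debug("Found principal '{}' from lookup.", principalName);
        }

        Attribute kvnoAttr = stored.get(krb5KeyVersionNumberAT);

        if (kvnoAttr == null) {
            subContext.setNewKeyVersionNumber(0);
            LOG.debug("Key version number was null, setting to 0.");
            LOG_KRB.debug("Key version number was null, setting to 0.");
        } else {
            int currentKvno;

            try {
                currentKvno = Integer.parseInt(kvnoAttr.getString());
            } catch (NumberFormatException e) {
                // Surface a malformed stored value as an LDAP error instead of an unchecked crash.
                throw new LdapException("Invalid krb5KeyVersionNumber on entry " + dn.getName(), e);
            }

            int newKvno = currentKvno + 1;
            subContext.setNewKeyVersionNumber(newKvno);
            LOG.debug("Found key version number '{}', setting to '{}'.", currentKvno, newKvno);
            LOG_KRB.debug("Found key version number '{}', setting to '{}'.", currentKvno, newKvno);
        }
    }

    /**
     * Appends REPLACE modifications for {@code krb5PrincipalName}, {@code krb5KeyVersionNumber}
     * and {@code krb5Key} to the modify request, using the values gathered in {@code subContext}.
     *
     * @param modifyContext the modify operation whose modification list is extended
     * @param subContext the principal name, password and key version number to use
     * @throws LdapException if key generation or attribute construction fails
     */
    void deriveKeys(ModifyOperationContext modifyContext, ModifySubContext subContext) throws LdapException {
        String principalName = subContext.getPrincipalName();
        String password = subContext.getUserPassword();
        int newKvno = subContext.getNewKeyVersionNumber();
        LOG.debug("Deriving keys for principal '{}' with key version number {}.", principalName, newKvno);
        LOG_KRB.debug("Deriving keys for principal '{}' with key version number {}.", principalName, newKvno);

        Map<EncryptionType, EncryptionKey> keys = generateKeys(principalName, password);

        // Copy first: the request's own list is not assumed to be mutable.
        List<Modification> mods = new ArrayList<Modification>(modifyContext.getModItems());
        Modification principalMod = new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE,
            new DefaultAttribute(krb5PrincipalNameAT, principalName));
        Modification kvnoMod = new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE,
            new DefaultAttribute(krb5KeyVersionNumberAT, Integer.toString(newKvno)));
        Modification keyMod = new DefaultModification(ModificationOperation.REPLACE_ATTRIBUTE, getKeyAttribute(keys));
        mods.add(principalMod);
        mods.add(kvnoMod);
        mods.add(keyMod);

        // The key modification is deliberately not logged: it contains the key material.
        LOG.debug("Added modifications to the current request : {}, {} and the krb5Key replacement", principalMod, kvnoMod);
        LOG_KRB.debug("Added modifications to the current request : {}, {} and the krb5Key replacement", principalMod, kvnoMod);
        modifyContext.setModItems(mods);
    }

    /**
     * Builds the {@code krb5Key} attribute holding the ASN.1 encoding of each key.
     * A key that fails to encode is logged and dropped; the remaining keys are still stored
     * (best effort, as before).
     *
     * @param keys the keys to encode, by encryption type
     * @return the populated attribute
     * @throws LdapException if the attribute cannot be created
     */
    private Attribute getKeyAttribute(Map<EncryptionType, EncryptionKey> keys) throws LdapException {
        DefaultAttribute keyAttribute = new DefaultAttribute(krb5KeyAT);

        for (EncryptionKey key : keys.values()) {
            try {
                ByteBuffer buffer = ByteBuffer.allocate(key.computeLength());
                key.encode(buffer);
                keyAttribute.add(buffer.array());
            } catch (EncoderException e) {
                LOG.error(I18n.err(I18n.ERR_122), e);
                LOG_KRB.error(I18n.err(I18n.ERR_122), e);
            }
        }

        return keyAttribute;
    }

    /**
     * Generates the keys for a principal: derived from the password, or random when the
     * password is the {@code "randomKey"} sentinel (compared case-insensitively).
     *
     * @param principalName the Kerberos principal name (salt input for derivation)
     * @param password the clear-text password, or the sentinel
     * @return the generated keys by encryption type; never null
     * @throws LdapException if random key generation fails
     */
    private Map<EncryptionType, EncryptionKey> generateKeys(String principalName, String password)
        throws LdapException {
        if (!RANDOM_KEY_PASSWORD.equalsIgnoreCase(password)) {
            return KerberosKeyFactory.getKerberosKeys(principalName, password);
        }

        try {
            return RandomKeyFactory.getRandomKeys();
        } catch (KerberosException e) {
            // Returning null here would only resurface as a NullPointerException in getKeyAttribute.
            LOG.debug(e.getLocalizedMessage(), e);
            LOG_KRB.debug(e.getLocalizedMessage(), e);
            throw new LdapException("Random key generation failed for principal " + principalName, e);
        }
    }
}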
