package org.apache.directory.server.kerberos.kdc.ticketgrant;

import java.util.ArrayList;
import java.util.Collections;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.messages.value.AuthorizationData;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
import org.apache.directory.server.kerberos.shared.service.LockBox;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;

/* loaded from: input_file:BOOT-INF/lib/apacheds-protocol-kerberos-1.0.2.jar:org/apache/directory/server/kerberos/kdc/ticketgrant/GenerateTicket.class */
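/**
 * Handler-chain step of the ticket-granting service that builds the new ticket.
 *
 * <p>The step reads the {@link TicketGrantingContext} stored on the session, derives the
 * encrypted ticket part (flags, times, transited encoding, authorization data) from the
 * presented TGT and the request, seals it, and stores the resulting {@link Ticket} on the
 * context before handing over to the next command.
 *
 * <p>This source was recovered from a compiled class, so the original symbolic constants
 * were inlined as integers; the private constants below restore the names used for those
 * bit positions by RFC 4120 (section 5.4.1 for KDC options, section 5.3 for ticket flags).
 */
public class GenerateTicket implements IoHandlerCommand {
    // KDC option bit numbers (RFC 4120, KDCOptions).
    private static final int OPT_RESERVED = 0;
    private static final int OPT_FORWARDABLE = 1;
    private static final int OPT_FORWARDED = 2;
    private static final int OPT_PROXIABLE = 3;
    private static final int OPT_PROXY = 4;
    private static final int OPT_ALLOW_POSTDATE = 5;
    private static final int OPT_POSTDATED = 6;
    private static final int OPT_RENEWABLE = 8;
    private static final int OPT_RENEWABLE_OK = 27;
    private static final int OPT_ENC_TKT_IN_SKEY = 28;
    private static final int OPT_RENEW = 30;
    private static final int OPT_VALIDATE = 31;

    // Ticket flag bit numbers (RFC 4120, TicketFlags).
    private static final int FLAG_FORWARDABLE = 1;
    private static final int FLAG_FORWARDED = 2;
    private static final int FLAG_PROXIABLE = 3;
    private static final int FLAG_PROXY = 4;
    private static final int FLAG_MAY_POSTDATE = 5;
    private static final int FLAG_POSTDATED = 6;
    private static final int FLAG_INVALID = 7;
    private static final int FLAG_RENEWABLE = 8;

    private String contextKey = "context";

    // Compiler artifact of a pre-Java-5 class literal. No longer written by execute();
    // kept only so the class's member set stays the same as in the shipped jar.
    static Class class$org$apache$directory$server$kerberos$shared$messages$value$AuthorizationData;

    /**
     * Generates the new ticket for a TGS request and stores it on the ticket-granting context.
     *
     * @param nextCommand the next command in the handler chain, invoked once the ticket is stored
     * @param ioSession the session carrying the {@link TicketGrantingContext} under {@link #getContextKey()}
     * @param obj the message being processed, passed through unchanged to the next command
     * @throws KerberosException with {@code KDC_ERR_SVC_UNAVAILABLE} when ENC-TKT-IN-SKEY is requested,
     *         or with the errors raised by the flag and time processing
     * @throws Exception anything raised by unsealing, sealing or the next command
     */
    @Override // org.apache.mina.handler.chain.IoHandlerCommand
    public void execute(IoHandlerCommand.NextCommand nextCommand, IoSession ioSession, Object obj) throws Exception {
        TicketGrantingContext tgsContext = (TicketGrantingContext) ioSession.getAttribute(getContextKey());
        KdcRequest request = tgsContext.getRequest();
        Ticket tgt = tgsContext.getTgt();
        Authenticator authenticator = tgsContext.getAuthenticator();
        LockBox lockBox = tgsContext.getLockBox();
        KerberosPrincipal serverPrincipal = request.getServerPrincipal();
        EncryptionKey serverKey = tgsContext.getRequestPrincipalEntry().getEncryptionKey();
        KdcConfiguration config = tgsContext.getConfig();
        EncryptionKey sessionKey = tgsContext.getSessionKey();

        EncTicketPartModifier newTicketBody = new EncTicketPartModifier();
        // Default to the TGT's addresses; processFlags() replaces them for FORWARDED/PROXY requests.
        newTicketBody.setClientAddresses(tgt.getClientAddresses());
        processFlags(config, request, tgt, newTicketBody);
        newTicketBody.setSessionKey(sessionKey);
        // The client identity always comes from the TGT, never from the request body.
        newTicketBody.setClientPrincipal(tgt.getClientPrincipal());

        if (request.getEncAuthorizationData() != null) {
            // NOTE(review): the sub-session key is passed as-is; if the authenticator carried no
            // sub-key this is presumably null. RFC 4120 falls back to the TGT session key in that
            // case - confirm how LockBox.unseal treats a null key.
            AuthorizationData authorizationData = (AuthorizationData) lockBox.unseal(
                    AuthorizationData.class, authenticator.getSubSessionKey(), request.getEncAuthorizationData());
            // Restrictions already present in the TGT are carried over to the new ticket.
            authorizationData.add(tgt.getAuthorizationData());
            newTicketBody.setAuthorizationData(authorizationData);
        }

        processTransited(newTicketBody, tgt);
        processTimes(config, request, newTicketBody, tgt);
        EncTicketPart encTicketPart = newTicketBody.getEncTicketPart();

        // User-to-user tickets (ENC-TKT-IN-SKEY) are not implemented; refuse before sealing.
        if (request.getOption(OPT_ENC_TKT_IN_SKEY)) {
            throw new KerberosException(ErrorType.KDC_ERR_SVC_UNAVAILABLE);
        }

        Ticket newTicket = new Ticket(serverPrincipal, lockBox.seal(serverKey, encTicketPart));
        newTicket.setEncTicketPart(encTicketPart);
        tgsContext.setNewTicket(newTicket);
        nextCommand.execute(ioSession, obj);
    }

    /**
     * Returns the session attribute name under which the ticket-granting context is stored.
     *
     * @return the context key, {@code "context"} unless changed elsewhere
     */
    public String getContextKey() {
        return this.contextKey;
    }

    /**
     * Applies the requested KDC options to the new ticket's flags.
     *
     * <p>Every option that widens what the new ticket may do is granted only when the TGT
     * carries the flag that permits it; otherwise the request is rejected.
     *
     * @param kdcConfiguration KDC policy, consulted for whether postdating is allowed
     * @param kdcRequest the TGS request whose options are evaluated
     * @param ticket the presented TGT
     * @param encTicketPartModifier the ticket body being built
     * @throws KerberosException {@code KDC_ERR_BADOPTION}, {@code KDC_ERR_POLICY} or
     *         {@code KRB_AP_ERR_TKT_NYV} when an option is not permitted
     */
    private void processFlags(KdcConfiguration kdcConfiguration, KdcRequest kdcRequest, Ticket ticket, EncTicketPartModifier encTicketPartModifier) throws KerberosException {
        if (kdcRequest.getOption(OPT_FORWARDABLE)) {
            requireTgtFlag(ticket, FLAG_FORWARDABLE);
            encTicketPartModifier.setFlag(FLAG_FORWARDABLE);
        }
        if (kdcRequest.getOption(OPT_FORWARDED)) {
            requireTgtFlag(ticket, FLAG_FORWARDABLE);
            encTicketPartModifier.setFlag(FLAG_FORWARDED);
            // A forwarded ticket is bound to the addresses named in the request.
            encTicketPartModifier.setClientAddresses(kdcRequest.getAddresses());
        }
        // Once forwarded, always forwarded: the flag is inherited from the TGT.
        if (ticket.getFlag(FLAG_FORWARDED)) {
            encTicketPartModifier.setFlag(FLAG_FORWARDED);
        }
        if (kdcRequest.getOption(OPT_PROXIABLE)) {
            requireTgtFlag(ticket, FLAG_PROXIABLE);
            encTicketPartModifier.setFlag(FLAG_PROXIABLE);
        }
        if (kdcRequest.getOption(OPT_PROXY)) {
            requireTgtFlag(ticket, FLAG_PROXIABLE);
            encTicketPartModifier.setFlag(FLAG_PROXY);
            encTicketPartModifier.setClientAddresses(kdcRequest.getAddresses());
        }
        if (kdcRequest.getOption(OPT_ALLOW_POSTDATE)) {
            requireTgtFlag(ticket, FLAG_MAY_POSTDATE);
            encTicketPartModifier.setFlag(FLAG_MAY_POSTDATE);
        }
        if (kdcRequest.getOption(OPT_POSTDATED)) {
            requireTgtFlag(ticket, FLAG_MAY_POSTDATE);
            // A postdated ticket is issued INVALID and must be validated before use.
            encTicketPartModifier.setFlag(FLAG_POSTDATED);
            encTicketPartModifier.setFlag(FLAG_INVALID);
            if (!kdcConfiguration.isPostdateAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            encTicketPartModifier.setStartTime(kdcRequest.getFrom());
        }
        if (kdcRequest.getOption(OPT_VALIDATE)) {
            // Only a ticket that is currently INVALID can be validated ...
            if (!ticket.getFlag(FLAG_INVALID)) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            // ... and only once its start time has been reached.
            if (ticket.getStartTime().greaterThan(new KerberosTime())) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_NYV);
            }
            echoTicket(encTicketPartModifier, ticket);
            encTicketPartModifier.clearFlag(FLAG_INVALID);
        }
        // NOTE(review): RENEWABLE-OK is rejected here, which makes the RENEWABLE-OK branch in
        // processTimes() unreachable when called from execute(). Left as found.
        if (kdcRequest.getOption(OPT_RESERVED) || kdcRequest.getOption(OPT_RENEWABLE_OK)) {
            throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
        }
    }

    /** Rejects the request with {@code KDC_ERR_BADOPTION} unless the TGT carries the given flag. */
    private static void requireTgtFlag(Ticket ticket, int flag) throws KerberosException {
        if (!ticket.getFlag(flag)) {
            throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
        }
    }

    /**
     * Computes auth, start, end and renew-till times of the new ticket.
     *
     * <p>For an ordinary request the end time is the earliest of the requested time, the
     * configured maximum lifetime from now, and the TGT's end time. For a RENEW request the
     * TGT is echoed and its lifetime is restarted from now, capped by its renew-till time.
     *
     * @param kdcConfiguration KDC policy supplying the maximum ticket and renewable lifetimes
     * @param kdcRequest the TGS request
     * @param encTicketPartModifier the ticket body being built
     * @param ticket the presented TGT
     * @throws KerberosException {@code KDC_ERR_BADOPTION} when RENEW is requested for a
     *         non-renewable TGT, {@code KRB_AP_ERR_TKT_EXPIRED} when its renew-till has passed
     */
    private void processTimes(KdcConfiguration kdcConfiguration, KdcRequest kdcRequest, EncTicketPartModifier encTicketPartModifier, Ticket ticket) throws KerberosException {
        KerberosTime now = new KerberosTime();
        encTicketPartModifier.setAuthTime(ticket.getAuthTime());
        KerberosTime requestedRenewTill = null;

        if (!kdcRequest.getOption(OPT_RENEW)) {
            encTicketPartModifier.setStartTime(now);
            // A zero "till" means the client asked for the longest lifetime the KDC will grant.
            KerberosTime till = kdcRequest.getTill().isZero() ? KerberosTime.INFINITY : kdcRequest.getTill();
            ArrayList endCandidates = new ArrayList();
            endCandidates.add(till);
            endCandidates.add(new KerberosTime(now.getTime() + kdcConfiguration.getMaximumTicketLifetime()));
            // A derived ticket never outlives the TGT it was issued from.
            endCandidates.add(ticket.getEndTime());
            KerberosTime endTime = (KerberosTime) Collections.min(endCandidates);
            encTicketPartModifier.setEndTime(endTime);
            if (kdcRequest.getOption(OPT_RENEWABLE_OK) && endTime.lessThan(kdcRequest.getTill()) && ticket.getFlag(FLAG_RENEWABLE)) {
                // The requested lifetime could not be met: fall back to a renewable ticket.
                kdcRequest.setOption(OPT_RENEWABLE);
                requestedRenewTill = new KerberosTime(Math.min(kdcRequest.getTill().getTime(), ticket.getRenewTill().getTime()));
            }
        } else {
            if (!ticket.getFlag(FLAG_RENEWABLE)) {
                throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
            }
            // Fix: the recovered code used greaterThan(now), which refused every ticket that was
            // still inside its renewable window and accepted tickets whose renew-till had already
            // passed. RFC 4120 rejects renewal only when renew-till lies in the past.
            if (ticket.getRenewTill().lessThan(now)) {
                throw new KerberosException(ErrorType.KRB_AP_ERR_TKT_EXPIRED);
            }
            echoTicket(encTicketPartModifier, ticket);
            encTicketPartModifier.setStartTime(now);
            // Same lifetime as before, restarted from now, but never beyond renew-till.
            long previousLifetime = ticket.getEndTime().getTime() - ticket.getStartTime().getTime();
            encTicketPartModifier.setEndTime(new KerberosTime(Math.min(ticket.getRenewTill().getTime(), now.getTime() + previousLifetime)));
        }

        if (requestedRenewTill == null) {
            requestedRenewTill = kdcRequest.getRtime();
        }
        // A zero rtime means "as long as allowed"; a missing rtime stays null and is skipped below.
        KerberosTime renewTill = (requestedRenewTill == null || !requestedRenewTill.isZero()) ? requestedRenewTill : KerberosTime.INFINITY;

        if (kdcRequest.getOption(OPT_RENEWABLE) && ticket.getFlag(FLAG_RENEWABLE)) {
            encTicketPartModifier.setFlag(FLAG_RENEWABLE);
            ArrayList renewCandidates = new ArrayList();
            if (renewTill != null) {
                renewCandidates.add(renewTill);
            }
            renewCandidates.add(new KerberosTime(now.getTime() + kdcConfiguration.getMaximumRenewableLifetime()));
            // The renewable window is likewise capped by the TGT's own renew-till.
            renewCandidates.add(ticket.getRenewTill());
            encTicketPartModifier.setRenewTill((KerberosTime) Collections.min(renewCandidates));
        }
    }

    /**
     * Copies the transited encoding of the TGT onto the new ticket unchanged.
     *
     * @param encTicketPartModifier the ticket body being built
     * @param ticket the presented TGT
     */
    private void processTransited(EncTicketPartModifier encTicketPartModifier, Ticket ticket) {
        encTicketPartModifier.setTransitedEncoding(ticket.getTransitedEncoding());
    }

    /**
     * Copies the fields of an existing ticket onto the ticket body being built; used for
     * VALIDATE and RENEW, where the new ticket repeats the old one. The start time is not
     * copied here; callers set it themselves where needed.
     *
     * @param encTicketPartModifier the ticket body being built
     * @param ticket the ticket whose fields are repeated
     */
    protected void echoTicket(EncTicketPartModifier encTicketPartModifier, Ticket ticket) {
        encTicketPartModifier.setAuthorizationData(ticket.getAuthorizationData());
        encTicketPartModifier.setAuthTime(ticket.getAuthTime());
        encTicketPartModifier.setClientAddresses(ticket.getClientAddresses());
        encTicketPartModifier.setClientPrincipal(ticket.getClientPrincipal());
        encTicketPartModifier.setEndTime(ticket.getEndTime());
        encTicketPartModifier.setFlags(ticket.getFlags());
        encTicketPartModifier.setRenewTill(ticket.getRenewTill());
        encTicketPartModifier.setSessionKey(ticket.getSessionKey());
        encTicketPartModifier.setTransitedEncoding(ticket.getTransitedEncoding());
    }

    /**
     * Compiler-generated helper behind pre-Java-5 class literals: loads a class by name and
     * turns a lookup failure into a {@link NoClassDefFoundError}. Not called by this class
     * any more; retained with its original signature.
     *
     * @param str the fully qualified class name
     * @return the loaded class
     */
    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            // initCause() returns Throwable, which cannot be thrown from a method without a
            // throws clause; attach the cause first and throw the error itself.
            NoClassDefFoundError error = new NoClassDefFoundError();
            error.initCause(e);
            throw error;
        }
    }
}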
