package org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.server.request;

import java.nio.ByteBuffer;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbCodec;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbErrorCode;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.common.EncryptionUtil;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.server.KdcContext;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.ap.ApOption;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.ap.ApReq;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.ap.Authenticator;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.HostAddresses;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.KeyUsage;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.KrbMessageType;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.LastReq;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.LastReqEntry;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.LastReqType;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.kdc.EncKdcRepPart;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.kdc.EncTgsRepPart;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.kdc.KdcReq;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.kdc.TgsRep;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.kdc.TgsReq;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.pa.PaDataEntry;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.ticket.EncTicketPart;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.ticket.Ticket;
import org.apache.hadoop.shaded.org.apache.kerby.kerberos.kerb.type.ticket.TicketFlag;
import org.apache.hadoop.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/shaded/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.class */
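/**
 * Server-side handling of a TGS-REQ (RFC 4120 section 3.3).
 *
 * The client proves possession of a TGT by sending an AP-REQ inside the
 * PA-TGS-REQ pre-authentication entry. This class decrypts that TGT with the
 * KDC's own TGS key, decrypts the authenticator with the TGT session key,
 * validates both, issues a service ticket and seals the reply under the TGT
 * session key (or the FAST/token session key when a token is present).
 */
public class TgsRequest extends KdcRequest {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) TgsRequest.class);

    /** Protocol version accepted for both the AP-REQ (pvno) and the ticket (tkt-vno). */
    private static final int KRB_V5 = 5;

    /** Session key taken from the decrypted TGT; used to seal the TGS-REP enc-part. */
    private EncryptionKey tgtSessionKey;
    /** TGT presented by the client; its enc-part is filled in by verifyAuthenticator. */
    private Ticket tgtTicket;

    /**
     * @param tgsReq     the decoded TGS-REQ message
     * @param kdcContext KDC configuration and state for this exchange
     */
    public TgsRequest(TgsReq tgsReq, KdcContext kdcContext) {
        super(tgsReq, kdcContext);
        // A TGS exchange is never processed without PA-TGS-REQ pre-authentication.
        setPreauthRequired(true);
    }

    /** @return the TGT session key, or null until verifyAuthenticator has succeeded */
    public EncryptionKey getTgtSessionKey() {
        return tgtSessionKey;
    }

    /** @param encryptionKey the session key recovered from the presented TGT */
    public void setTgtSessionKey(EncryptionKey encryptionKey) {
        this.tgtSessionKey = encryptionKey;
    }

    /**
     * Intentionally a no-op. The client identity for a TGS exchange is not taken
     * from the request body; it is resolved from the authenticator's cname in
     * verifyAuthenticator, which also sets the client entry.
     */
    @Override
    protected void checkClient() throws KrbException {
        // Nothing to do here; see verifyAuthenticator.
    }

    /** @return the presented TGT, or null until verifyAuthenticator has run */
    public Ticket getTgtTicket() {
        return tgtTicket;
    }

    /**
     * Issues the service ticket via {@link ServiceTicketIssuer} and records it on
     * this request. Only principal names and the authtime are logged; no key
     * material reaches the log.
     */
    @Override
    protected void issueTicket() throws KrbException {
        Ticket issued = new ServiceTicketIssuer(this).issueTicket();
        EncTicketPart issuedPart = issued.getEncPart();
        LOG.info("TGS_REQ ISSUE: authtime " + issuedPart.getAuthTime().getTime()
                + StringUtils.COMMA_STR + issuedPart.getCname()
                + " for " + issued.getSname());
        setTicket(issued);
    }

    /**
     * Validates the AP-REQ carried in the PA-TGS-REQ entry and, on success,
     * records the presented TGT, its session key and the resolved client entry.
     *
     * Checks, in order: AP-REQ pvno and msg-type; ticket tkt-vno; that the TGS
     * entry holds a key of the etype the ticket was sealed with; decryption of
     * the TGT under that key; presence of a session key in the TGT; decryption
     * of the authenticator under that session key; cname equality between the
     * authenticator and the TGT; client-address policy; authenticator ctime
     * within the configured clock skew; and the TGT validity window.
     *
     * @param paDataEntry the PA-TGS-REQ entry whose value is a DER-encoded AP-REQ
     * @throws KrbException with the matching KRB_AP_ERR_* code on any failed check
     */
    public void verifyAuthenticator(PaDataEntry paDataEntry) throws KrbException {
        ApReq apReq = (ApReq) KrbCodec.decode(paDataEntry.getPaDataValue(), ApReq.class);

        if (apReq.getPvno() != KRB_V5) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
        }
        if (apReq.getMsgType() != KrbMessageType.AP_REQ) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE);
        }

        tgtTicket = apReq.getTicket();
        if (tgtTicket.getTktvno() != KRB_V5) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
        }

        // The TGT must be decrypted with a TGS key of the same etype it was sealed
        // with. If the TGS entry has no key of that etype, fail with a Kerberos
        // error ("service key not available") rather than handing a null key to
        // unseal.
        EncryptionKey tgsKey = getTgsEntry().getKeys()
                .get(tgtTicket.getEncryptedEncPart().getEType());
        if (tgsKey == null) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
        }

        EncTicketPart tgtPart = (EncTicketPart) EncryptionUtil.unseal(
                tgtTicket.getEncryptedEncPart(), tgsKey, KeyUsage.KDC_REP_TICKET, EncTicketPart.class);
        tgtTicket.setEncPart(tgtPart);

        // The authenticator is sealed under the TGT session key (usage TGS_REQ_AUTH).
        EncryptionKey sessionKey = tgtPart.getKey();
        if (sessionKey == null) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_NOKEY);
        }
        Authenticator authenticator = (Authenticator) EncryptionUtil.unseal(
                apReq.getEncryptedAuthenticator(), sessionKey, KeyUsage.TGS_REQ_AUTH, Authenticator.class);

        // The authenticator must be bound to the same client as the TGT.
        // NOTE(review): only cname is compared here; whether PrincipalName.equals
        // also covers the realm is not visible in this file. RFC 4120 section 3.2.3
        // requires both name and realm to match -- confirm.
        if (!authenticator.getCname().equals(tgtPart.getCname())) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADMATCH);
        }

        // Address policy: a TGT with no addresses is accepted only when the KDC
        // config allows it; otherwise the requesting address must be listed.
        HostAddresses tgtAddresses = tgtPart.getClientAddresses();
        if (tgtAddresses == null || tgtAddresses.isEmpty()) {
            if (!getKdcContext().getConfig().isEmptyAddressesAllowed()) {
                throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
            }
        } else if (!tgtAddresses.contains(getClientAddress())) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADADDR);
        }

        // Qualify the TGT's sname with the ticket realm and resolve the client
        // entry from the authenticator. getEntry may yield null; makeReply then
        // falls back to the cname carried in the issued ticket.
        tgtTicket.getSname().setRealm(tgtTicket.getRealm());
        PrincipalName clientPrincipal = authenticator.getCname();
        clientPrincipal.setRealm(authenticator.getCrealm());
        setClientEntry(getEntry(clientPrincipal.getName()));

        // Authenticator freshness. Config skew is in seconds; isInClockSkew takes ms.
        // NOTE(review): no replay cache of (ctime, cusec) is consulted here, so a
        // captured PA-TGS-REQ can be resubmitted within the skew window unless the
        // base class handles it -- confirm.
        long skewMillis = getKdcContext().getConfig().getAllowableClockSkew() * 1000;
        if (!authenticator.getCtime().isInClockSkew(skewMillis)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_SKEW);
        }

        // TGT validity window: starttime (falling back to authtime) must be in the
        // past and endtime in the future, both strictly.
        KerberosTime now = KerberosTime.now();
        KerberosTime notBefore = tgtPart.getStartTime();
        if (notBefore == null) {
            notBefore = tgtPart.getAuthTime();
        }
        if (!notBefore.lessThan(now)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_NYV);
        }
        if (!tgtPart.getEndTime().greaterThan(now)) {
            throw new KrbException(KrbErrorCode.KRB_AP_ERR_TKT_EXPIRED);
        }

        apReq.getApOptions().setFlag(ApOption.MUTUAL_REQUIRED);
        setTgtSessionKey(tgtPart.getKey());
    }

    /**
     * Builds the TGS-REP: the issued ticket plus an enc-part sealed under the
     * TGT session key, or under the request session key when a token is present.
     * The reply cname comes from the resolved client entry when one was found,
     * otherwise from the issued ticket.
     */
    @Override
    protected void makeReply() throws KrbException {
        Ticket issued = getTicket();
        TgsRep reply = new TgsRep();

        if (getClientEntry() == null) {
            reply.setCname(issued.getEncPart().getCname());
        } else {
            reply.setCname(getClientEntry().getPrincipal());
        }
        reply.setCrealm(getKdcContext().getKdcRealm());
        reply.setTicket(issued);

        EncKdcRepPart encPart = makeEncKdcRepPart();
        reply.setEncPart(encPart);
        // With a token (FAST/armor path, presumably) the reply is sealed under the
        // request session key instead of the TGT session key.
        EncryptionKey replyKey = getToken() != null ? getSessionKey() : getTgtSessionKey();
        reply.setEncryptedEncPart(EncryptionUtil.seal(encPart, replyKey, KeyUsage.TGS_REP_ENCPART_SESSKEY));

        setReply(reply);
    }

    /**
     * Mirrors the issued ticket's key, flags, times, sname/srealm and client
     * addresses into an EncTGSRepPart, echoes the request nonce, and records a
     * single last-req entry of type THE_LAST_INITIAL stamped with the current time.
     * renew-till is copied only when the ticket is RENEWABLE.
     */
    private EncKdcRepPart makeEncKdcRepPart() {
        KdcReq request = getKdcReq();
        Ticket issued = getTicket();
        EncTicketPart issuedPart = issued.getEncPart();

        EncTgsRepPart part = new EncTgsRepPart();
        part.setKey(issuedPart.getKey());

        LastReqEntry lastEntry = new LastReqEntry();
        lastEntry.setLrType(LastReqType.THE_LAST_INITIAL);
        lastEntry.setLrValue(new KerberosTime());
        LastReq lastReq = new LastReq();
        lastReq.add(lastEntry);
        part.setLastReq(lastReq);

        // Nonce must be echoed so the client can bind the reply to its request.
        part.setNonce(request.getReqBody().getNonce());
        part.setFlags(issuedPart.getFlags());
        part.setAuthTime(issuedPart.getAuthTime());
        part.setStartTime(issuedPart.getStartTime());
        part.setEndTime(issuedPart.getEndTime());
        if (issuedPart.getFlags().isFlagSet(TicketFlag.RENEWABLE)) {
            part.setRenewTill(issuedPart.getRenewtill());
        }
        part.setSname(issued.getSname());
        part.setSrealm(issued.getRealm());
        part.setCaddr(issuedPart.getClientAddresses());
        return part;
    }

    /**
     * Not provided for TGS requests in this implementation.
     *
     * @return always null; callers must tolerate a null body
     */
    @Override
    public ByteBuffer getRequestBody() throws KrbException {
        return null;
    }
}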
