package org.apache.directory.server.changepw.service;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import javax.naming.NamingException;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.commons.lang.CharEncoding;
import org.apache.directory.server.changepw.ChangePasswordServer;
import org.apache.directory.server.changepw.exceptions.ChangePasswordException;
import org.apache.directory.server.changepw.exceptions.ErrorType;
import org.apache.directory.server.changepw.io.ChangePasswordDataDecoder;
import org.apache.directory.server.changepw.messages.ChangePasswordReply;
import org.apache.directory.server.changepw.messages.ChangePasswordReplyModifier;
import org.apache.directory.server.changepw.messages.ChangePasswordRequest;
import org.apache.directory.server.changepw.value.ChangePasswordData;
import org.apache.directory.server.changepw.value.ChangePasswordDataModifier;
import org.apache.directory.server.i18n.I18n;
import org.apache.directory.server.kerberos.shared.KerberosUtils;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.EncryptionType;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.messages.ApplicationRequest;
import org.apache.directory.server.kerberos.shared.messages.application.ApplicationReply;
import org.apache.directory.server.kerberos.shared.messages.application.PrivateMessage;
import org.apache.directory.server.kerberos.shared.messages.components.Authenticator;
import org.apache.directory.server.kerberos.shared.messages.components.EncApRepPartModifier;
import org.apache.directory.server.kerberos.shared.messages.components.EncKrbPrivPart;
import org.apache.directory.server.kerberos.shared.messages.components.EncKrbPrivPartModifier;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.messages.value.HostAddress;
import org.apache.directory.server.kerberos.shared.messages.value.HostAddresses;
import org.apache.directory.server.kerberos.shared.replay.InMemoryReplayCache;
import org.apache.directory.server.kerberos.shared.replay.ReplayCache;
import org.apache.directory.server.kerberos.shared.store.PrincipalStore;
import org.apache.directory.server.kerberos.shared.store.PrincipalStoreEntry;
import org.apache.mina.core.session.IoSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:apacheds-protocol-changepw-1.5.7.jar:org/apache/directory/server/changepw/service/ChangePasswordService.class */
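/**
 * Server-side pipeline for a Kerberos change-password (kpasswd) request.
 *
 * {@link #execute} runs the stages in order: validate the request envelope,
 * check the service ticket is for this server, load the server's keys, verify
 * the AP-REQ (authenticator, replay cache, clock skew, addresses), decrypt the
 * KRB-PRIV carrying the new password, apply the change to the
 * {@link PrincipalStore}, and build the AP-REP / KRB-PRIV reply.
 *
 * Security notes for maintainers:
 * - the decrypted password is held in the context as a String; it is never
 *   written to the log, even at DEBUG (the monitor methods deliberately omit
 *   it);
 * - every failure before the store update is reported to the client as a
 *   kpasswd error rather than leaking as an unchecked exception out of the
 *   protocol handler.
 *
 * The replay cache and cipher-text handler are shared, static instances, so
 * replay detection is per-JVM, not per-session.
 */
public class ChangePasswordService {
    private static final Logger LOG = LoggerFactory.getLogger(ChangePasswordService.class);
    private static final ReplayCache replayCache = new InMemoryReplayCache();
    private static final CipherTextHandler cipherTextHandler = new CipherTextHandler();

    /**
     * Runs the full change-password pipeline for one request.
     *
     * @param ioSession             the MINA session the request arrived on (currently unused by the stages)
     * @param changePasswordContext per-request state; the request, config, store and client address
     *                              must already be set, the reply is set on success
     * @throws KerberosException on any protocol, authentication or store failure
     *                           (usually a {@link ChangePasswordException} with a kpasswd error code)
     * @throws IOException       if the KRB-PRIV user data cannot be decoded or the local host cannot be resolved
     */
    public static void execute(IoSession ioSession, ChangePasswordContext changePasswordContext) throws KerberosException, IOException {
        if (LOG.isDebugEnabled()) {
            monitorRequest(changePasswordContext);
        }
        configureChangePassword(changePasswordContext);
        getAuthHeader(ioSession, changePasswordContext);
        verifyServiceTicket(changePasswordContext);
        getServerEntry(changePasswordContext);
        verifyServiceTicketAuthHeader(changePasswordContext);
        extractPassword(changePasswordContext);
        if (LOG.isDebugEnabled()) {
            monitorContext(changePasswordContext);
        }
        processPasswordChange(changePasswordContext);
        buildReply(changePasswordContext);
        if (LOG.isDebugEnabled()) {
            monitorReply(changePasswordContext);
        }
    }

    /**
     * Applies the new password to the authenticated client principal.
     *
     * A {@link NamingException} from the store is reported as a soft error with the
     * directory explanation as the result string; anything else is a hard error.
     */
    private static void processPasswordChange(ChangePasswordContext changePasswordContext) throws KerberosException {
        PrincipalStore store = changePasswordContext.getStore();
        Authenticator authenticator = changePasswordContext.getAuthenticator();
        try {
            // The store update is the real work; keep it outside the log call so it is
            // obviously unconditional on the log level.
            Object modified = store.changePassword(authenticator.getClientPrincipal(), changePasswordContext.getPassword());
            LOG.debug("Successfully modified principal {}.", modified);
        } catch (NamingException e) {
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_SOFTERROR, explanationBytes(e), e);
        } catch (Exception e2) {
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_HARDERROR, e2);
        }
    }

    /**
     * Result-string bytes for a store failure. {@link NamingException#getExplanation()}
     * may be null, in which case fall back to the message, then to an empty string,
     * so building the error never throws a secondary NPE. Encoded as UTF-8 explicitly
     * rather than the platform default charset.
     */
    private static byte[] explanationBytes(NamingException e) {
        String text = e.getExplanation();
        if (text == null) {
            text = e.getMessage();
        }
        if (text == null) {
            text = "";
        }
        return text.getBytes(StandardCharsets.UTF_8);
    }

    /** DEBUG-only dump of the incoming request's version number. Never throws. */
    private static void monitorRequest(ChangePasswordContext changePasswordContext) throws KerberosException {
        try {
            short versionNumber = ((ChangePasswordRequest) changePasswordContext.getRequest()).getVersionNumber();
            StringBuilder sb = new StringBuilder();
            sb.append("Responding to change password request:");
            sb.append("\n\tversionNumber    ").append((int) versionNumber);
            LOG.debug(sb.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_152, new Object[0]), (Throwable) e);
        }
    }

    /** Attaches the shared replay cache and cipher-text handler to the request context. */
    private static void configureChangePassword(ChangePasswordContext changePasswordContext) {
        changePasswordContext.setReplayCache(replayCache);
        changePasswordContext.setCipherTextHandler(cipherTextHandler);
    }

    /**
     * Validates the request envelope and pulls the AP-REQ and its ticket into the context.
     *
     * Only protocol version 1 is accepted; a missing AP-REQ or ticket is an auth error.
     */
    private static void getAuthHeader(IoSession ioSession, ChangePasswordContext changePasswordContext) throws KerberosException {
        ChangePasswordRequest changePasswordRequest = (ChangePasswordRequest) changePasswordContext.getRequest();
        if (changePasswordRequest.getVersionNumber() != 1) {
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_BAD_VERSION);
        }
        ApplicationRequest authHeader = changePasswordRequest.getAuthHeader();
        if (authHeader == null || authHeader.getTicket() == null) {
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_AUTHERROR);
        }
        changePasswordContext.setAuthHeader(authHeader);
        changePasswordContext.setTicket(authHeader.getTicket());
    }

    /**
     * Checks the ticket is addressed to this change-password service: the ticket's
     * realm must be the configured primary realm and its server principal must be
     * the configured service principal. Anything else is KRB_AP_ERR_NOT_US.
     *
     * Comparisons are done with the configured value on the left so a null realm or
     * principal in the ticket is rejected rather than raising an NPE.
     */
    private static void verifyServiceTicket(ChangePasswordContext changePasswordContext) throws KerberosException {
        ChangePasswordServer config = changePasswordContext.getConfig();
        Ticket ticket = changePasswordContext.getTicket();
        String primaryRealm = config.getPrimaryRealm();
        KerberosPrincipal servicePrincipal = config.getServicePrincipal();
        boolean realmOk = primaryRealm != null && primaryRealm.equals(ticket.getRealm());
        boolean principalOk = servicePrincipal != null && servicePrincipal.equals(ticket.getServerPrincipal());
        if (!realmOk || !principalOk) {
            throw new KerberosException(org.apache.directory.server.kerberos.shared.exceptions.ErrorType.KRB_AP_ERR_NOT_US);
        }
    }

    /** Loads the store entry (and thus the keys) for the ticket's server principal. */
    private static void getServerEntry(ChangePasswordContext changePasswordContext) throws KerberosException {
        changePasswordContext.setServerEntry(KerberosUtils.getEntry(changePasswordContext.getTicket().getServerPrincipal(), changePasswordContext.getStore(), org.apache.directory.server.kerberos.shared.exceptions.ErrorType.KDC_ERR_S_PRINCIPAL_UNKNOWN));
    }

    /**
     * Verifies the AP-REQ against the ticket using the server key matching the
     * ticket's encryption type, then enforces the kpasswd rule that version-1
     * requests must carry a ticket obtained with an initial (password-based) AS
     * exchange, so a forwarded or renewed ticket cannot be used to change a password.
     *
     * The verified authenticator is stored on the context; its sub-session key is
     * what later encrypts/decrypts the KRB-PRIV parts.
     */
    private static void verifyServiceTicketAuthHeader(ChangePasswordContext changePasswordContext) throws KerberosException {
        ApplicationRequest authHeader = changePasswordContext.getAuthHeader();
        Ticket ticket = changePasswordContext.getTicket();
        ChangePasswordServer config = changePasswordContext.getConfig();

        // No server key for the ticket's etype means we cannot decrypt it at all;
        // report it as an auth error instead of letting verifyAuthHeader NPE.
        Object serverKey = changePasswordContext.getServerEntry().getKeyMap().get(ticket.getEncPart().getEType());
        if (serverKey == null) {
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_AUTHERROR);
        }

        Authenticator authenticator = KerberosUtils.verifyAuthHeader(
            authHeader,
            ticket,
            changePasswordContext.getServerEntry().getKeyMap().get(ticket.getEncPart().getEType()),
            config.getAllowableClockSkew(),
            changePasswordContext.getReplayCache(),
            config.isEmptyAddressesAllowed(),
            changePasswordContext.getClientAddress(),
            changePasswordContext.getCipherTextHandler(),
            KeyUsage.NUMBER11,
            false);

        // getEncTicketPart() is only populated once verifyAuthHeader has decrypted the
        // ticket, so the INITIAL-flag check must stay after it.
        boolean version1 = ((ChangePasswordRequest) changePasswordContext.getRequest()).getVersionNumber() == 1;
        if (version1 && !ticket.getEncTicketPart().getFlags().isInitial()) {
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_INITIAL_FLAG_NEEDED);
        }
        changePasswordContext.setAuthenticator(authenticator);
    }

    /**
     * Decrypts the KRB-PRIV with the authenticator's sub-session key and stores the
     * new password (decoded as UTF-8) on the context.
     *
     * For version 1 the KRB-PRIV user data is the raw password; other versions go
     * through {@link ChangePasswordDataDecoder} (unreachable today because
     * {@link #getAuthHeader} only admits version 1, kept for when that changes).
     * A missing KRB-PRIV, missing sub-session key or empty password is a soft error.
     */
    private static void extractPassword(ChangePasswordContext changePasswordContext) throws KerberosException, IOException {
        ChangePasswordRequest changePasswordRequest = (ChangePasswordRequest) changePasswordContext.getRequest();
        Authenticator authenticator = changePasswordContext.getAuthenticator();

        PrivateMessage privateMessage = changePasswordRequest.getPrivateMessage();
        if (privateMessage == null || privateMessage.getEncryptedPart() == null) {
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_SOFTERROR);
        }
        if (authenticator.getSubSessionKey() == null) {
            // The sub-session key is the only key the KRB-PRIV can be under here.
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_AUTHERROR);
        }

        ChangePasswordData changePasswordData;
        try {
            EncKrbPrivPart encKrbPrivPart = (EncKrbPrivPart) changePasswordContext.getCipherTextHandler().unseal(
                EncKrbPrivPart.class, authenticator.getSubSessionKey(), privateMessage.getEncryptedPart(), KeyUsage.NUMBER13);
            if (changePasswordRequest.getVersionNumber() == 1) {
                ChangePasswordDataModifier modifier = new ChangePasswordDataModifier();
                modifier.setNewPassword(encKrbPrivPart.getUserData());
                changePasswordData = modifier.getChangePasswdData();
            } else {
                changePasswordData = new ChangePasswordDataDecoder().decodeChangePasswordData(encKrbPrivPart.getUserData());
            }
        } catch (KerberosException e) {
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_SOFTERROR, e);
        }

        byte[] passwordBytes = changePasswordData.getPassword();
        if (passwordBytes == null) {
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_SOFTERROR);
        }
        // Explicit UTF-8 via StandardCharsets: no checked exception, no platform-charset dependence.
        changePasswordContext.setPassword(new String(passwordBytes, StandardCharsets.UTF_8));
    }

    /**
     * DEBUG-only dump of the verified request state. Never throws.
     *
     * The desired password is intentionally NOT logged: DEBUG logs are routinely
     * shipped to log aggregators and would otherwise contain every user's new
     * plaintext password.
     */
    private static void monitorContext(ChangePasswordContext changePasswordContext) throws KerberosException {
        try {
            PrincipalStore store = changePasswordContext.getStore();
            ApplicationRequest authHeader = changePasswordContext.getAuthHeader();
            Ticket ticket = changePasswordContext.getTicket();
            ReplayCache cache = changePasswordContext.getReplayCache();
            long allowableClockSkew = changePasswordContext.getConfig().getAllowableClockSkew();
            KerberosPrincipal clientPrincipal = changePasswordContext.getAuthenticator().getClientPrincipal();
            InetAddress clientAddress = changePasswordContext.getClientAddress();
            HostAddresses clientAddresses = ticket.getEncTicketPart().getClientAddresses();
            boolean senderInCaddr = clientAddresses != null && clientAddresses.contains(new HostAddress(clientAddress));

            StringBuilder sb = new StringBuilder();
            sb.append("Monitoring context:");
            sb.append("\n\tstore                  ").append(store);
            sb.append("\n\tauthHeader             ").append(authHeader);
            sb.append("\n\tticket                 ").append(ticket);
            sb.append("\n\treplayCache            ").append(cache);
            sb.append("\n\tclockSkew              ").append(allowableClockSkew);
            sb.append("\n\tclientPrincipal        ").append(clientPrincipal);
            sb.append("\n\tdesiredPassword        [redacted]");
            sb.append("\n\tclientAddress          ").append(clientAddress);
            sb.append("\n\tclientAddresses        ").append(clientAddresses);
            sb.append("\n\tcaddr contains sender  ").append(senderInCaddr);
            sb.append("\n\tTicket principal       ").append(ticket.getServerPrincipal());
            PrincipalStoreEntry serverEntry = changePasswordContext.getServerEntry();
            sb.append("\n\tcn                     ").append(serverEntry.getCommonName());
            sb.append("\n\trealm                  ").append(serverEntry.getRealmName());
            sb.append("\n\tService principal      ").append(serverEntry.getPrincipal());
            sb.append("\n\tSAM type               ").append(serverEntry.getSamType());
            EncryptionType eType = ticket.getEncPart().getEType();
            int keyVersion = serverEntry.getKeyMap().get(eType).getKeyVersion();
            sb.append("\n\tTicket key type        ").append(eType);
            sb.append("\n\tService key version    ").append(keyVersion);
            LOG.debug(sb.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_154, new Object[0]), (Throwable) e);
        }
    }

    /**
     * Builds the success reply: a KRB-PRIV (under the authenticator sub-session key)
     * whose user data is the two bytes {0, 0} — presumably the kpasswd result code 0,
     * success — plus an AP-REP (under the ticket session key) echoing the
     * authenticator's time, microseconds, sequence number and sub-session key.
     *
     * @throws UnknownHostException if the local host address used as the KRB-PRIV
     *                              sender address cannot be resolved
     */
    private static void buildReply(ChangePasswordContext changePasswordContext) throws KerberosException, UnknownHostException {
        Authenticator authenticator = changePasswordContext.getAuthenticator();
        Ticket ticket = changePasswordContext.getTicket();
        CipherTextHandler handler = changePasswordContext.getCipherTextHandler();

        EncKrbPrivPartModifier privPart = new EncKrbPrivPartModifier();
        privPart.setUserData(new byte[]{0, 0});
        privPart.setSenderAddress(new HostAddress(InetAddress.getLocalHost()));

        EncApRepPartModifier apRepPart = new EncApRepPartModifier();
        apRepPart.setClientTime(authenticator.getClientTime());
        apRepPart.setClientMicroSecond(authenticator.getClientMicroSecond());
        apRepPart.setSequenceNumber(Integer.valueOf(authenticator.getSequenceNumber()));
        apRepPart.setSubSessionKey(authenticator.getSubSessionKey());

        try {
            PrivateMessage privateMessage = new PrivateMessage(
                handler.seal(authenticator.getSubSessionKey(), privPart.getEncKrbPrivPart(), KeyUsage.NUMBER13));
            ApplicationReply applicationReply = new ApplicationReply(
                handler.seal(ticket.getEncTicketPart().getSessionKey(), apRepPart.getEncApRepPart(), KeyUsage.NUMBER12));

            ChangePasswordReplyModifier replyModifier = new ChangePasswordReplyModifier();
            replyModifier.setApplicationReply(applicationReply);
            replyModifier.setPrivateMessage(privateMessage);
            changePasswordContext.setReply(replyModifier.getChangePasswordReply());
        } catch (KerberosException e) {
            // Either seal failing is reported the same way, so one handler covers both.
            throw new ChangePasswordException(ErrorType.KRB5_KPASSWD_SOFTERROR, e);
        }
    }

    /** DEBUG-only dump of the outgoing reply (AP-REP and KRB-PRIV). Never throws. */
    private static void monitorReply(ChangePasswordContext changePasswordContext) throws KerberosException {
        try {
            ChangePasswordReply reply = (ChangePasswordReply) changePasswordContext.getReply();
            StringBuilder sb = new StringBuilder();
            sb.append("Responding with change password reply:");
            sb.append("\n\tappReply               ").append(reply.getApplicationReply());
            sb.append("\n\tpriv                   ").append(reply.getPrivateMessage());
            LOG.debug(sb.toString());
        } catch (Exception e) {
            LOG.error(I18n.err(I18n.ERR_155, new Object[0]), (Throwable) e);
        }
    }
}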
