package com.ibm.ws.security.auth.kerberos.admintask;

import com.ibm.ejs.ras.Tr;
import com.ibm.ejs.ras.TraceComponent;
import com.ibm.ffdc.FFDC_OMIT;
import com.ibm.websphere.management.Session;
import com.ibm.websphere.management.cmdframework.CommandException;
import com.ibm.websphere.management.cmdframework.CommandLoadException;
import com.ibm.websphere.management.cmdframework.CommandNotFoundException;
import com.ibm.websphere.management.cmdframework.CommandValidationException;
import com.ibm.websphere.management.cmdframework.commanddata.CommandData;
import com.ibm.websphere.management.cmdframework.commandmetadata.TaskCommandMetadata;
import com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand;
import com.ibm.websphere.management.cmdframework.provider.TaskCommandResultImpl;
import com.ibm.websphere.management.configservice.ConfigDataId;
import com.ibm.websphere.management.configservice.ConfigService;
import com.ibm.websphere.management.configservice.ConfigServiceFactory;
import com.ibm.websphere.management.configservice.ConfigServiceHelper;
import com.ibm.websphere.security.auth.WSLoginFailedException;
import com.ibm.websphere.security.auth.callback.NonPromptCallbackHandler;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.admintask.securityDomain.SecConfigTaskHelper;
import com.ibm.ws.security.auth.kerberos.Krb5Utils;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.UserRegistryConfig;
import com.ibm.ws.security.jaspi.commands.AdminConstants;
import com.ibm.ws.security.profiletask.MessageFormatHelper;
import com.ibm.ws.security.util.ConfigUtils;
import java.io.File;
import java.util.Locale;
import java.util.ResourceBundle;
import javax.management.ObjectName;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:wasJars/com.ibm.ws.admin.client_9.0.jar:com/ibm/ws/security/auth/kerberos/admintask/ValidateKrbConfig.class */
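public class ValidateKrbConfig extends AbstractTaskCommand {
    private static final String BUNDLE_NAME = AdminConstants.MSG_BUNDLE_NAME;
    private static final ResourceBundle resBundle = ResourceBundle.getBundle(BUNDLE_NAME, Locale.getDefault());
    private static final TraceComponent tc = Tr.register((Class<?>) ValidateKrbConfig.class, "ValidateKrbConfig", "com.ibm.ws.security.auth.kerberos.admintask");

    /**
     * Source tag handed to FFDC. It names CreateKrbAuthMechanism rather than this class (inherited
     * copy-paste); kept verbatim so existing FFDC-based triage keeps matching.
     */
    private static final String FFDC_SOURCE = "com.ibm.ws.security.auth.kerberos.admintask.CreateKrbAuthMechanism.afterStepsExecuted";

    /** JAAS login configuration entry used to test the registry server id against the KDC. */
    private static final String KRB5_LOGIN_ENTRY = "WSKRB5Login";

    /** Written to trace in place of any password value. */
    private static final String MASKED = "*****";

    // --- values taken from the command parameters (validate()) ---
    private String secDomain = null;
    private boolean checkConfigOnly = false;
    private boolean validateKrbRealm = false;
    private boolean useGlobalSecurityConfig = false;
    private String serverId = null;

    // Excluded from FFDC dumps: this is the registry server password in clear text.
    @FFDC_OMIT
    private String serverIdPassword = null;
    private String krb5Spn = null;
    private String uxpKrb5Config = null;
    private String krb5Config = null;
    private String uxpKrb5Keytab = null;
    private String krb5Keytab = null;
    private String krb5Realm = null;

    // --- values read from security.xml in the current config session (getKrbConfigInThisSession()) ---
    private String _uxpKrb5Config = null;
    private String _krb5Config = null;
    private String _uxpKrb5Keytab = null;
    private String _krb5Keytab = null;
    private String _krb5Realm = null;
    private String _krb5Spn = null;
    private String _serverId = null;
    private boolean _configured = false;

    // Excluded from FFDC dumps for the same reason as serverIdPassword.
    @FFDC_OMIT
    private String _serverIdPassword = null;
    boolean _useRegServerId = false;

    /**
     * Creates the task from its metadata. All state starts at the Java defaults and is filled in by
     * {@link #validate()}.
     */
    public ValidateKrbConfig(TaskCommandMetadata taskCommandMetadata) throws CommandNotFoundException {
        super(taskCommandMetadata);
    }

    /**
     * Creates the task from serialized command data. All state starts at the Java defaults and is
     * filled in by {@link #validate()}.
     */
    public ValidateKrbConfig(CommandData commandData) throws CommandNotFoundException, CommandLoadException {
        super(commandData);
    }

    /** Formats a message from the admin message bundle. */
    private String getMsg(ResourceBundle resourceBundle, String str, Object[] objArr) {
        return MessageFormatHelper.getFormattedMessage(resourceBundle, str, objArr);
    }

    /** True when {@code s} is null or zero-length; the file treats both as "not supplied". */
    private static boolean isEmpty(String s) {
        return s == null || s.length() == 0;
    }

    /**
     * Validates the command parameters.
     *
     * <p>Reads every parameter, optionally replaces them with the values stored in security.xml
     * ({@code useGlobalSecurityConfig}), and — unless {@code checkConfigOnly} is set — requires the
     * SPN to be in {@code service/host} form and the krb5 config and keytab files to exist.
     *
     * @throws CommandValidationException when a required value is missing or malformed, or when the
     *         referenced security domain does not exist
     */
    @Override // com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand, com.ibm.websphere.management.cmdframework.provider.AbstractAdminCommand, com.ibm.websphere.management.cmdframework.AdminCommand
    public void validate() throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "validate");
        }
        super.validate();
        readInputParameters();
        if (tc.isDebugEnabled()) {
            traceEffectiveSettings("*** Input parameters ***");
        }
        if (this.useGlobalSecurityConfig) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Using global security config instead of input parameters");
            }
            getKrbConfigInThisSession();
        }
        if (!this.checkConfigOnly) {
            if (this.useGlobalSecurityConfig) {
                applyConfiguredValues();
                if (tc.isDebugEnabled()) {
                    traceEffectiveSettings("*** use security.xml instead of input parameters ***");
                }
            }
            checkSpnFormat();
            checkFileExists(this.krb5Config);
            checkFileExists(this.krb5Keytab);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "validate");
        }
    }

    /** Copies the command parameters into the instance fields, expanding the krb5 file paths. */
    private void readInputParameters() {
        this.secDomain = (String) getParameter("securityDomainName");
        this.checkConfigOnly = ((Boolean) getParameter("checkConfigOnly")).booleanValue();
        this.validateKrbRealm = ((Boolean) getParameter("validateKrbRealm")).booleanValue();
        this.useGlobalSecurityConfig = ((Boolean) getParameter("useGlobalSecurityConfig")).booleanValue();
        this.serverId = (String) getParameter(UserRegistryConfig.SERVER_ID);
        this.serverIdPassword = (String) getParameter("serverIdPassword");
        this.krb5Spn = (String) getParameter(AuthMechanismConfig.KRB5_SPN);
        this.uxpKrb5Config = (String) getParameter("krb5Config");
        this.krb5Config = ConfigUtils.expandKrbFile(this.uxpKrb5Config);
        this.uxpKrb5Keytab = (String) getParameter("krb5Keytab");
        this.krb5Keytab = ConfigUtils.expandKrbFile(this.uxpKrb5Keytab);
        this.krb5Realm = (String) getParameter("krb5Realm");
    }

    /** Dumps the effective settings to trace; the password is always masked. */
    private void traceEffectiveSettings(String header) {
        Tr.debug(tc, header);
        Tr.debug(tc, "securityDomainName name is " + this.secDomain);
        Tr.debug(tc, "checkConfigOnly:  " + this.checkConfigOnly);
        Tr.debug(tc, "useGlobalSecurityConfig:  " + this.useGlobalSecurityConfig);
        Tr.debug(tc, "validateKrbRealm:  " + this.validateKrbRealm);
        Tr.debug(tc, "serverId:  " + this.serverId);
        Tr.debug(tc, "serverIdPassword:  " + (this.serverIdPassword == null ? "null" : MASKED));
        Tr.debug(tc, "krb5Spn:  " + this.krb5Spn);
        Tr.debug(tc, "unexpand krb5Config:  " + this.uxpKrb5Config);
        Tr.debug(tc, "krb5Config:  " + this.krb5Config);
        Tr.debug(tc, "unexpand krb5Keytab:  " + this.uxpKrb5Keytab);
        Tr.debug(tc, "krb5Keytab:  " + this.krb5Keytab);
        Tr.debug(tc, "krb5Realm:  " + this.krb5Realm);
    }

    /**
     * Overlays the values read from security.xml onto the command parameters. The SPN and (when the
     * registry server id is in use) the server id/password always come from the configuration;
     * config file, keytab and realm are taken from the configuration only when not supplied as
     * parameters.
     *
     * @throws CommandValidationException when a required value is missing in both places
     */
    private void applyConfiguredValues() throws CommandValidationException {
        if (this._useRegServerId) {
            if (isEmpty(this._serverId)) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.userRegistry.SECJ7770E", new Object[]{UserRegistryConfig.SERVER_ID}));
            }
            this.serverId = this._serverId;
            if (isEmpty(this._serverIdPassword)) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.userRegistry.SECJ7770E", new Object[]{"serverIdPassword"}));
            }
            this.serverIdPassword = this._serverIdPassword;
        }
        if (isEmpty(this._krb5Spn)) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5Auth.SECJ7771E", new Object[]{AuthMechanismConfig.KRB5_SPN}));
        }
        this.krb5Spn = this._krb5Spn;
        if (isEmpty(this.krb5Config)) {
            if (isEmpty(this._krb5Config)) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5Auth.SECJ7771E", new Object[]{"krb5Config"}));
            }
            this.krb5Config = this._krb5Config;
        }
        // krb5Config is non-empty from here on, so keytab and realm are required too.
        if (isEmpty(this.krb5Keytab)) {
            if (isEmpty(this._krb5Keytab)) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5ConfigAndSecurity.SECJ7785E", new Object[]{"Keytab", this.krb5Config}));
            }
            this.krb5Keytab = this._krb5Keytab;
        }
        if (isEmpty(this.krb5Realm)) {
            if (isEmpty(this._krb5Realm)) {
                throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5ConfigAndSecurity.SECJ7785E", new Object[]{"krb5Realm", this.krb5Config}));
            }
            this.krb5Realm = this._krb5Realm;
        }
    }

    /**
     * Requires the SPN, when present, to contain a '/' (service/host form). A null SPN passes here
     * and is rejected later, in {@link #afterStepsExecuted()}.
     */
    private void checkSpnFormat() throws CommandValidationException {
        if (this.krb5Spn != null && !this.krb5Spn.contains("/")) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "The format of the Kerberos service principal name " + this.krb5Spn + "is invalid");
            }
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.invalid.SPN.SECJ7767E", new Object[]{this.krb5Spn}));
        }
    }

    /** Rejects a non-empty path that does not exist on this process's file system. */
    private void checkFileExists(String path) throws CommandValidationException {
        if (!isEmpty(path) && !new File(path).exists()) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.fileNotExist", new Object[]{path}));
        }
    }

    /**
     * Runs the live checks after the command steps completed.
     *
     * <p>With {@code checkConfigOnly} the result is simply whether Kerberos is marked as configured.
     * Otherwise the krb5 config is parsed for its default realm, the registry server id is logged in
     * through JAAS when applicable, and an acceptor credential for the SPN is acquired from the
     * keytab. Any failure is recorded on the task result as a {@link CommandException}; nothing is
     * thrown to the caller.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.ibm.websphere.management.cmdframework.provider.AbstractTaskCommand
    public void afterStepsExecuted() {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "afterStepsExecuted");
        }
        super.afterStepsExecuted();
        TaskCommandResultImpl result = (TaskCommandResultImpl) getTaskCommandResult();
        if (result.isSuccessful()) {
            try {
                if (this.checkConfigOnly) {
                    result.setResult(Boolean.valueOf(this._configured));
                } else {
                    validateRuntimeConfig();
                    result.setResult(Boolean.TRUE);
                }
            } catch (Exception e) {
                FFDCFilter.processException(e, FFDC_SOURCE, "439", this);
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, e.getMessage(), new Object[]{e});
                }
                result.setException(new CommandException(e, e.getMessage()));
            }
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "afterStepsExecuted");
        }
    }

    /**
     * The full (non-{@code checkConfigOnly}) validation sequence.
     *
     * @throws CommandValidationException when a required value is missing or the realm mismatches
     * @throws LoginException when the registry server id cannot log in
     * @throws GSSException when no acceptor credential can be acquired for the SPN
     */
    private void validateRuntimeConfig() throws CommandValidationException, LoginException, WSLoginFailedException, GSSException {
        if (!this.useGlobalSecurityConfig) {
            requireExplicitParameters();
        }
        String defaultRealm = Krb5Utils.getDefaultRealm(this.krb5Config);
        if (isEmpty(defaultRealm)) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5Config.SECJ7772E", new Object[]{"Kerberos realm", this.krb5Config}));
        }
        // Realm names are compared exactly: Kerberos realms are case-sensitive.
        if (this.validateKrbRealm && !isEmpty(this.krb5Realm) && !this.krb5Realm.equals(defaultRealm)) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.mismatch.krbRealm.SECJ7768E", new Object[]{this.krb5Realm, this.krb5Config, defaultRealm}));
        }
        verifyServerIdLogin();
        resolveKeytab();
        acquireServiceCredential();
    }

    /** When parameters were not taken from security.xml, SPN, config file and keytab are mandatory. */
    private void requireExplicitParameters() throws CommandValidationException {
        if (isEmpty(this.krb5Spn)) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5Auth.SECJ7771E", new Object[]{AuthMechanismConfig.KRB5_SPN}));
        }
        if (isEmpty(this.krb5Config)) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5Auth.SECJ7771E", new Object[]{"krb5Config"}));
        }
        if (isEmpty(this.krb5Keytab)) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5ConfigAndSecurity.SECJ7785E", new Object[]{"Keytab", this.krb5Config}));
        }
    }

    /**
     * Logs the registry server id in through the WSKRB5Login JAAS entry to prove the id/password are
     * accepted by the KDC. Only runs when the registry server id is in use and both values are set.
     *
     * <p>NOTE(review): the LoginContext is never logged out, so the test Subject and whatever
     * credentials the login module placed in it live until garbage-collected — confirm whether
     * WSKRB5Login's logout is safe to call here.
     */
    private void verifyServerIdLogin() throws LoginException, WSLoginFailedException {
        if (!this._useRegServerId || isEmpty(this.serverId) || isEmpty(this.serverIdPassword)) {
            return;
        }
        try {
            LoginContext loginContext = new LoginContext(KRB5_LOGIN_ENTRY, new NonPromptCallbackHandler(this.krb5Realm, this.serverId, this.serverIdPassword));
            loginContext.login();
        } catch (WSLoginFailedException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "368", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, e.getMessage(), new Object[]{e});
            }
            throw e;
        } catch (LoginException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "372", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, e.getMessage(), new Object[]{e});
            }
            throw e;
        }
    }

    /**
     * Falls back to the keytab named in the krb5 config when none was supplied, and fails when
     * neither yields one. (The original test used {@code &&}, which could never fire and threw an
     * NPE on a null keytab instead.)
     */
    private void resolveKeytab() throws CommandValidationException {
        if (isEmpty(this.krb5Keytab)) {
            this.krb5Keytab = Krb5Utils.getDefaultKeytab(this.krb5Config);
        }
        if (isEmpty(this.krb5Keytab)) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.missingParameter.krb5Config.SECJ7772E", new Object[]{"Kerberos keytab", this.krb5Config}));
        }
    }

    /**
     * Acquires an accept-only Kerberos credential for the SPN from the keytab and adds the SPNEGO
     * mechanism to it, which proves the keytab holds a usable key for that principal.
     *
     * <p>{@code useSubjectCredsOnly} and the keytab property are JVM-wide settings. The former is
     * switched off so GSS reads the keytab directly, and is restored in {@code finally} so a failed
     * validation cannot leave the process accepting credentials from outside the Subject. The keytab
     * property has no previous-value restore in Krb5Utils' visible API and is left set, as before.
     *
     * <p>NOTE(review): {@code replace("/", "@")} turns {@code HTTP/host} into the host-based form
     * {@code HTTP@host}; an SPN that already carries an {@code @REALM} suffix would become
     * {@code HTTP@host@REALM} — confirm callers never pass one.
     */
    private void acquireServiceCredential() throws GSSException {
        Oid krb5MechOid = Krb5Utils.getKrb5MechOid();
        Oid spnegoMechOid = Krb5Utils.getSpnegoMechOid();
        Krb5Utils.setUseSubjectCredsOnly(false);
        try {
            Krb5Utils.setKrbKeytabProp(this.krb5Keytab);
            GSSManager manager = GSSManager.getInstance();
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "krb5Spn: " + this.krb5Spn);
            }
            GSSName serviceName = manager.createName(this.krb5Spn.replace("/", "@"), GSSName.NT_HOSTBASED_SERVICE, krb5MechOid);
            GSSCredential credential = manager.createCredential(serviceName.canonicalize(krb5MechOid), GSSCredential.INDEFINITE_LIFETIME, krb5MechOid, GSSCredential.ACCEPT_ONLY);
            credential.add(serviceName.canonicalize(spnegoMechOid), GSSCredential.INDEFINITE_LIFETIME, GSSCredential.INDEFINITE_LIFETIME, spnegoMechOid, GSSCredential.ACCEPT_ONLY);
            try {
                // Validation is done; release the acquired credential rather than leaving it to the GC.
                credential.dispose();
            } catch (GSSException ignored) {
                // Best-effort cleanup must not turn a successful validation into a failure.
            }
        } catch (GSSException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "427", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, e.getMessage(), new Object[]{e});
            }
            throw e;
        } catch (RuntimeException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "431", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, e.getMessage(), new Object[]{e});
            }
            throw e;
        } finally {
            Krb5Utils.setUseSubjectCredsOnly(true);
        }
    }

    /**
     * Reads the Kerberos authentication mechanism and active user registry of the target security
     * domain (or the global security object) from the current config session into the
     * {@code _}-prefixed fields.
     *
     * <p>Lookup and read failures are recorded via FFDC and otherwise swallowed, so a read error
     * surfaces later as a "missing parameter" validation error rather than as its root cause.
     *
     * <p>NOTE(review): {@code _serverIdPassword} is taken from the registry configuration exactly as
     * returned by the config service and later passed to the JAAS login as-is — confirm that value
     * is the usable password and not a stored-form encoding.
     *
     * @throws CommandValidationException when the security domain does not exist
     */
    public void getKrbConfigInThisSession() throws CommandValidationException {
        if (tc.isEntryEnabled()) {
            Tr.entry(tc, "getKrbConfigInThisSession");
        }
        ObjectName domainObj = null;
        try {
            // Result unused; retained from the original code.
            ConfigServiceHelper.createObjectName((ConfigDataId) null, "Security");
            ConfigService configService = ConfigServiceFactory.getConfigService();
            Session configSession = getConfigSession();
            domainObj = this.secDomain != null
                    ? SecConfigTaskHelper.getSecDomain(configSession, configService, this.secDomain)
                    : SecConfigTaskHelper.getSecurityObjectName(configSession, configService);
            if (domainObj != null) {
                ObjectName authMechObj = Krb5Utils.getAuthMechObj(configSession, configService, domainObj, AuthMechanismConfig.TYPE_KERBEROS);
                if (authMechObj != null) {
                    this._uxpKrb5Config = (String) configService.getAttribute(configSession, authMechObj, "krb5Config", false);
                    this._krb5Config = ConfigUtils.expandKrbFile(this._uxpKrb5Config);
                    if (!isEmpty(this._krb5Config)) {
                        this._uxpKrb5Keytab = (String) configService.getAttribute(configSession, authMechObj, "krb5Keytab", false);
                        this._krb5Keytab = ConfigUtils.expandKrbFile(this._uxpKrb5Keytab);
                        if (isEmpty(this._krb5Keytab)) {
                            this._krb5Keytab = Krb5Utils.getDefaultKeytab(this._krb5Config);
                        }
                        this._krb5Realm = (String) configService.getAttribute(configSession, authMechObj, "krb5Realm", false);
                        if (isEmpty(this._krb5Realm)) {
                            this._krb5Realm = Krb5Utils.getDefaultRealm(this._krb5Config);
                        }
                    }
                    this._krb5Spn = ConfigUtils.expandHost((String) configService.getAttribute(configSession, authMechObj, AuthMechanismConfig.KRB5_SPN, false), null);
                    this._configured = ((Boolean) configService.getAttribute(configSession, authMechObj, "configured", false)).booleanValue();
                }
                ObjectName registryObj = (ObjectName) configService.getAttribute(configSession, domainObj, "activeUserRegistry");
                if (registryObj != null) {
                    this._useRegServerId = ((Boolean) configService.getAttribute(configSession, registryObj, "useRegistryServerId", false)).booleanValue();
                    this._serverId = (String) configService.getAttribute(configSession, registryObj, UserRegistryConfig.SERVER_ID, false);
                    this._serverIdPassword = (String) configService.getAttribute(configSession, registryObj, UserRegistryConfig.SERVER_PASSWORD, false);
                }
            }
        } catch (CommandValidationException e) {
            FFDCFilter.processException(e, FFDC_SOURCE, "519", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Command validation exception occurred.", new Object[]{e});
            }
        } catch (Exception e2) {
            FFDCFilter.processException(e2, FFDC_SOURCE, "524", this);
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Exception occurred.", new Object[]{e2});
            }
        }
        if (domainObj == null) {
            throw new CommandValidationException(getMsg(resBundle, "security.admintask.config.does.not.exist.SECJ7702E", new Object[]{this.secDomain}));
        }
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "_uxpKrb5Config: " + this._uxpKrb5Config);
            Tr.debug(tc, "_krb5Config: " + this._krb5Config);
            Tr.debug(tc, "_uxpKrb5Keytab: " + this._uxpKrb5Keytab);
            Tr.debug(tc, "_krb5Keytab: " + this._krb5Keytab);
            Tr.debug(tc, "_krb5Realm: " + this._krb5Realm);
            Tr.debug(tc, "_krb5Spn: " + this._krb5Spn);
            Tr.debug(tc, "_useRegServerId: " + this._useRegServerId);
            Tr.debug(tc, "_serverId: " + this._serverId);
            Tr.debug(tc, "_serverIdPassword: " + (this._serverIdPassword == null ? "null" : MASKED));
            Tr.debug(tc, "_configured: " + this._configured);
        }
        if (tc.isEntryEnabled()) {
            Tr.exit(tc, "getKrbConfigInThisSession");
        }
    }
}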
