package org.apache.directory.server.kerberos.kdc.authentication;

import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.server.kerberos.kdc.KdcConfiguration;
import org.apache.directory.server.kerberos.shared.crypto.encryption.CipherTextHandler;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KeyUsage;
import org.apache.directory.server.kerberos.shared.crypto.encryption.RandomKeyFactory;
import org.apache.directory.server.kerberos.shared.exceptions.ErrorType;
import org.apache.directory.server.kerberos.shared.exceptions.KerberosException;
import org.apache.directory.server.kerberos.shared.messages.KdcRequest;
import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPart;
import org.apache.directory.server.kerberos.shared.messages.components.EncTicketPartModifier;
import org.apache.directory.server.kerberos.shared.messages.components.Ticket;
import org.apache.directory.server.kerberos.shared.messages.value.EncryptionKey;
import org.apache.directory.server.kerberos.shared.messages.value.KerberosTime;
import org.apache.directory.server.kerberos.shared.messages.value.TransitedEncoding;
import org.apache.mina.common.IoSession;
import org.apache.mina.handler.chain.IoHandlerCommand;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/directory/server/kerberos/kdc/authentication/GenerateTicket.class */
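/**
 * Handler-chain command that builds the ticket for an authentication request and
 * stores it on the {@link AuthenticationContext} held in the session.
 *
 * <p>The command translates the options requested by the client into ticket flags,
 * rejecting any option the KDC configuration does not allow. It also bounds the
 * client-supplied start, end and renew-till times by the configured limits, and
 * seals the encrypted ticket part with the server's long-term key.
 *
 * <p>Security-relevant points for maintainers:
 * <ul>
 *   <li>Every value read from {@code request} is client-controlled; only the values
 *       read from {@code config} and the server entry are trusted.</li>
 *   <li>The {@link Ticket} stored on the context keeps a reference to the cleartext
 *       {@link EncTicketPart}, which contains the session key. Do not log or
 *       serialise that object as-is.</li>
 * </ul>
 */
public class GenerateTicket implements IoHandlerCommand {
    private static final Logger log = LoggerFactory.getLogger(GenerateTicket.class);

    // KDCOptions bit numbers as defined in RFC 4120, section 5.4.1.
    // The values are the literals this class has always passed to getOption()/setOption().
    private static final int OPT_FORWARDABLE = 1;
    private static final int OPT_FORWARDED = 2;
    private static final int OPT_PROXIABLE = 3;
    private static final int OPT_PROXY = 4;
    private static final int OPT_ALLOW_POSTDATE = 5;
    private static final int OPT_POSTDATED = 6;
    private static final int OPT_RENEWABLE = 8;
    private static final int OPT_RENEWABLE_OK = 27;
    private static final int OPT_ENC_TKT_IN_SKEY = 28;
    private static final int OPT_RENEW = 30;
    private static final int OPT_VALIDATE = 31;

    // TicketFlags bit numbers as defined in RFC 4120, section 5.3.
    private static final int FLAG_FORWARDABLE = 1;
    private static final int FLAG_PROXIABLE = 3;
    private static final int FLAG_MAY_POSTDATE = 5;
    private static final int FLAG_POSTDATED = 6;
    private static final int FLAG_INVALID = 7;
    private static final int FLAG_RENEWABLE = 8;
    private static final int FLAG_INITIAL = 9;
    private static final int FLAG_PRE_AUTHENT = 10;

    private String contextKey = "context";

    /**
     * Builds the ticket for the request held in the session's authentication context,
     * stores it on that context and passes control to the next command.
     *
     * @param nextCommand the next command in the handler chain
     * @param ioSession   the session whose attribute {@link #getContextKey()} holds the
     *                    {@link AuthenticationContext}
     * @param obj         the message being processed; passed on to the next command unchanged
     * @throws KerberosException with {@code KDC_ERR_POLICY} when a requested option or an
     *         empty address list is disallowed by configuration, {@code KDC_ERR_BADOPTION}
     *         for options this handler rejects, {@code KDC_ERR_CANNOT_POSTDATE} or
     *         {@code KDC_ERR_NEVER_VALID} for unacceptable times, and
     *         {@code KDC_ERR_NULL_KEY} when the server entry has no key for the selected
     *         encryption type
     * @throws Exception anything raised while sealing the ticket or by the next command
     */
    public void execute(IoHandlerCommand.NextCommand nextCommand, IoSession ioSession, Object obj) throws Exception {
        AuthenticationContext authContext = (AuthenticationContext) ioSession.getAttribute(getContextKey());
        KdcRequest request = authContext.getRequest();
        CipherTextHandler cipherTextHandler = authContext.getCipherTextHandler();
        KerberosPrincipal serverPrincipal = request.getServerPrincipal();
        // The lookup yields null when the server entry holds no key for the selected
        // encryption type; that case is rejected explicitly before sealing (see below).
        EncryptionKey serverKey = (EncryptionKey) authContext.getServerEntry().getKeyMap().get(authContext.getEncryptionType());
        KdcConfiguration config = authContext.getConfig();
        EncTicketPartModifier ticketPart = new EncTicketPartModifier();

        // --- Flags -----------------------------------------------------------------
        // Every ticket produced here is marked INITIAL; PRE-AUTHENT is added only when
        // the context reports that pre-authentication succeeded.
        ticketPart.setFlag(FLAG_INITIAL);
        if (authContext.isPreAuthenticated()) {
            ticketPart.setFlag(FLAG_PRE_AUTHENT);
        }

        // Each delegation-style option is granted only if configuration allows it.
        if (request.getOption(OPT_FORWARDABLE)) {
            if (!config.isForwardableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            ticketPart.setFlag(FLAG_FORWARDABLE);
        }
        if (request.getOption(OPT_PROXIABLE)) {
            if (!config.isProxiableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            ticketPart.setFlag(FLAG_PROXIABLE);
        }
        if (request.getOption(OPT_ALLOW_POSTDATE)) {
            if (!config.isPostdatedAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            ticketPart.setFlag(FLAG_MAY_POSTDATE);
        }

        // These options act on an existing ticket and are refused outright here.
        if (request.getOption(OPT_RENEW)
                || request.getOption(OPT_VALIDATE)
                || request.getOption(OPT_PROXY)
                || request.getOption(OPT_FORWARDED)
                || request.getOption(OPT_ENC_TKT_IN_SKEY)) {
            throw new KerberosException(ErrorType.KDC_ERR_BADOPTION);
        }

        // --- Session key and identity ----------------------------------------------
        // NOTE(review): assumes RandomKeyFactory draws from a cryptographically strong
        // source; confirm in that class, since the session key's secrecy depends on it.
        ticketPart.setSessionKey(RandomKeyFactory.getRandomKey(authContext.getEncryptionType()));
        ticketPart.setClientPrincipal(request.getClientPrincipal());
        ticketPart.setTransitedEncoding(new TransitedEncoding());

        // --- Start time --------------------------------------------------------------
        KerberosTime now = new KerberosTime();
        ticketPart.setAuthTime(now);

        // A missing, past, or within-skew (and not POSTDATED) start time collapses to "now".
        KerberosTime startTime = request.getFrom();
        if (startTime == null
                || startTime.lessThan(now)
                || (startTime.isInClockSkew(config.getAllowableClockSkew()) && !request.getOption(OPT_POSTDATED))) {
            startTime = now;
        }

        // startTime cannot be null past this point. A future start time outside the
        // allowed skew is only acceptable when the client explicitly asked for POSTDATED.
        if (startTime.greaterThan(now)
                && !startTime.isInClockSkew(config.getAllowableClockSkew())
                && !request.getOption(OPT_POSTDATED)) {
            throw new KerberosException(ErrorType.KDC_ERR_CANNOT_POSTDATE);
        }

        if (request.getOption(OPT_POSTDATED)) {
            if (!config.isPostdatedAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            // A postdated ticket is issued INVALID and carries an explicit start time.
            ticketPart.setFlag(FLAG_POSTDATED);
            ticketPart.setFlag(FLAG_INVALID);
            ticketPart.setStartTime(startTime);
        }

        // --- End time ----------------------------------------------------------------
        // A requested "till" of zero means "as long as policy allows". The result is
        // always capped at start + configured maximum lifetime.
        // Unchecked long addition: assumes configured lifetimes are far below Long.MAX_VALUE.
        long requestedTill = request.getTill().getTime() == 0 ? Long.MAX_VALUE : request.getTill().getTime();
        long lifetimeLimit = startTime.getTime() + config.getMaximumTicketLifetime();
        KerberosTime endTime = new KerberosTime(Math.min(requestedTill, lifetimeLimit));
        ticketPart.setEndTime(endTime);

        if (endTime.lessThan(startTime)) {
            throw new KerberosException(ErrorType.KDC_ERR_NEVER_VALID);
        }
        // The allowable clock skew doubles as the minimum useful ticket lifetime.
        if (Math.abs(startTime.getTime() - endTime.getTime()) < config.getAllowableClockSkew()) {
            throw new KerberosException(ErrorType.KDC_ERR_NEVER_VALID);
        }

        // --- Renewal -----------------------------------------------------------------
        KerberosTime renewTill = request.getRtime();
        // RENEWABLE-OK: the client accepts a renewable ticket when the requested end
        // time could not be granted. The request is upgraded to RENEWABLE in place.
        if (request.getOption(OPT_RENEWABLE_OK) && request.getTill().greaterThan(endTime)) {
            if (!config.isRenewableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            request.setOption(OPT_RENEWABLE);
            renewTill = request.getTill();
        }
        if (request.getOption(OPT_RENEWABLE)) {
            if (!config.isRenewableAllowed()) {
                throw new KerberosException(ErrorType.KDC_ERR_POLICY);
            }
            ticketPart.setFlag(FLAG_RENEWABLE);
            if (renewTill == null || renewTill.isZero()) {
                renewTill = KerberosTime.INFINITY;
            }
            // Capped at start + configured maximum renewable lifetime.
            ticketPart.setRenewTill(new KerberosTime(
                    Math.min(renewTill.getTime(), startTime.getTime() + config.getMaximumRenewableLifetime())));
        }

        // --- Client addresses --------------------------------------------------------
        // A ticket without addresses is usable from any host, so it is issued only
        // when configuration explicitly allows an empty address list.
        if (request.getAddresses() != null
                && request.getAddresses().getAddresses() != null
                && request.getAddresses().getAddresses().length > 0) {
            ticketPart.setClientAddresses(request.getAddresses());
        } else if (!config.isEmptyAddressesAllowed()) {
            throw new KerberosException(ErrorType.KDC_ERR_POLICY);
        }

        // --- Seal and publish --------------------------------------------------------
        // Fail closed with a protocol error rather than handing a null key to seal().
        // The check sits here, not at the lookup, so the policy errors above keep
        // their precedence.
        if (serverKey == null) {
            throw new KerberosException(ErrorType.KDC_ERR_NULL_KEY);
        }

        EncTicketPart encTicketPart = ticketPart.getEncTicketPart();
        Ticket ticket = new Ticket(serverPrincipal, cipherTextHandler.seal(serverKey, encTicketPart, KeyUsage.NUMBER2));
        // The cleartext part (including the session key) stays attached to the ticket
        // object; presumably a later handler needs it to build the reply.
        ticket.setEncTicketPart(encTicketPart);

        // Only the service name is logged, never key material.
        log.debug("Ticket will be issued for access to {}.", serverPrincipal);

        authContext.setTicket(ticket);
        nextCommand.execute(ioSession, obj);
    }

    /**
     * Returns the session attribute name under which the {@link AuthenticationContext}
     * is stored.
     *
     * @return the context attribute key, {@code "context"} unless a subclass overrides it
     */
    protected String getContextKey() {
        return this.contextKey;
    }
}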
