package net.sf.michaelo.tomcat.authenticator;

import internal.org.apache.commons.lang3.ArrayUtils;
import internal.org.apache.commons.lang3.StringUtils;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import net.sf.michaelo.tomcat.realm.GssAwareRealmBase;
import net.sf.michaelo.tomcat.utils.Base64;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:net/sf/michaelo/tomcat/authenticator/SpnegoAuthenticator.class */
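/**
 * Tomcat authenticator for the HTTP {@code Negotiate} (SPNEGO) scheme.
 *
 * <p>For an unauthenticated request the value of {@code Authorization: Negotiate <token>} is
 * Base64-decoded and fed to a GSS acceptor context. The acceptor credential is acquired under the
 * JAAS login entry named by {@link #getLoginEntryName()}. Once the context is established, the
 * client's {@link GSSName}, the negotiated mechanism {@link Oid} and, if
 * {@link #isStoreDelegatedCredential()} is set and the client actually delegated, its
 * {@link GSSCredential} are handed to the {@link GssAwareRealmBase} configured on the context,
 * which resolves the {@link Principal} that is then registered with the request.
 *
 * <p>Client-supplied tokens are never written to the log: they carry the client's credential
 * material (e.g. a Kerberos service ticket), so only their length is reported.
 */
public class SpnegoAuthenticator extends GssAwareAuthenticatorBase {

    /** Authentication method name recorded when the principal is registered. */
    protected static final String SPNEGO_METHOD = "SPNEGO";
    /** Scheme announced in {@code WWW-Authenticate} and expected in {@code Authorization}. */
    protected static final String NEGOTIATE_AUTH_SCHEME = "Negotiate";
    /** SPNEGO mechanism OID (RFC 4178) under which the acceptor credential is acquired. */
    private static final String SPNEGO_MECHANISM_OID = "1.3.6.1.5.5.2";
    /** HTTP status sent on every challenge and on every rejection. */
    private static final int SC_UNAUTHORIZED = 401;
    /** Request note under which Tomcat stores the single sign-on session id, if SSO is active. */
    private static final String SSO_ID_NOTE = "org.apache.catalina.request.SSOID";

    /** Whether a credential delegated by the client is passed on to the realm. */
    protected boolean storeDelegatedCredential;

    /**
     * Configures whether a delegated client credential is handed to the realm.
     *
     * @param z {@code true} to pass the delegated credential to the realm
     */
    public void setStoreDelegatedCredential(boolean z) {
        this.storeDelegatedCredential = z;
    }

    /**
     * @return whether a delegated client credential is handed to the realm
     */
    public boolean isStoreDelegatedCredential() {
        return this.storeDelegatedCredential;
    }

    /**
     * @return the component identifier and version reported to Tomcat
     */
    public String getInfo() {
        return "net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator/0.9";
    }

    /**
     * Challenges the client with a bare {@code Negotiate} scheme and a 401 status.
     *
     * @param response the response to write the challenge to
     * @throws IOException if the error page cannot be sent
     */
    protected void sendUnauthorizedHeader(Response response) throws IOException {
        response.setHeader("WWW-Authenticate", NEGOTIATE_AUTH_SCHEME);
        response.sendError(SC_UNAUTHORIZED);
    }

    /**
     * Challenges the client with a bare {@code Negotiate} scheme, a 401 status and a message.
     *
     * @param response the response to write the challenge to
     * @param str the status message sent with the error
     * @throws IOException if the error page cannot be sent
     */
    protected void sendUnauthorizedHeader(Response response, String str) throws IOException {
        response.setHeader("WWW-Authenticate", NEGOTIATE_AUTH_SCHEME);
        response.sendError(SC_UNAUTHORIZED, str);
    }

    /**
     * Authenticates the request via the {@code Negotiate} scheme.
     *
     * <p>A request that already carries a user principal is accepted immediately (re-associating it
     * with an SSO session when one is recorded on the request). Otherwise the token from the
     * {@code Authorization} header is run through a GSS acceptor context; on success the realm
     * resolves the principal and it is registered under {@link #SPNEGO_METHOD}. Every failure
     * path answers the client itself (401 challenge or {@link #sendException}) and returns
     * {@code false}.
     *
     * @param request the request to authenticate
     * @param response the response used for challenges and error reporting
     * @param loginConfig the login configuration (not consulted by this authenticator)
     * @return {@code true} if the request is authenticated, {@code false} if a response has been
     *         sent and processing must stop
     * @throws IOException if a challenge or error page cannot be written
     */
    @Override
    protected boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException {
        Principal userPrincipal = request.getUserPrincipal();
        if (userPrincipal != null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(String.format("Already authenticated '%s'", userPrincipal));
            }
            // Re-associate the session with an existing single sign-on session, if one is recorded.
            String ssoId = (String) request.getNote(SSO_ID_NOTE);
            if (ssoId != null) {
                associate(ssoId, request.getSessionInternal(true));
            }
            return true;
        }

        String header = request.getHeader("Authorization");
        if (!StringUtils.startsWithIgnoreCase(header, NEGOTIATE_AUTH_SCHEME)) {
            sendUnauthorizedHeader(response);
            return false;
        }
        String token = StringUtils.trim(StringUtils.substringAfter(header, NEGOTIATE_AUTH_SCHEME));
        if (StringUtils.isEmpty(token)) {
            sendUnauthorizedHeader(response);
            return false;
        }
        if (this.logger.isDebugEnabled()) {
            // Deliberately not the token itself: it is the client's credential material.
            this.logger.debug("Processing Negotiate authentication token of " + token.length() + " Base64 characters");
        }

        try {
            byte[] inToken = Base64.decode(token);
            LoginContext loginContext = null;
            GSSContext gssContext = null;
            try {
                try {
                    // Run as the service principal configured in the JAAS login entry.
                    loginContext = new LoginContext(getLoginEntryName());
                    loginContext.login();
                    final GSSManager gssManager = GSSManager.getInstance();
                    try {
                        GSSCredential acceptorCredential = Subject.doAs(loginContext.getSubject(),
                                new PrivilegedExceptionAction<GSSCredential>() {
                                    @Override
                                    public GSSCredential run() throws GSSException {
                                        // Accept-only credential for the SPNEGO mechanism; no name is
                                        // given, so the mechanism picks the service identity from the
                                        // subject's private credentials.
                                        return gssManager.createCredential((GSSName) null, GSSCredential.DEFAULT_LIFETIME,
                                                new Oid(SPNEGO_MECHANISM_OID), GSSCredential.ACCEPT_ONLY);
                                    }
                                });
                        gssContext = gssManager.createContext(acceptorCredential);
                        try {
                            byte[] outToken = gssContext.acceptSecContext(inToken, 0, inToken.length);
                            if (!gssContext.isEstablished()) {
                                if (this.logger.isDebugEnabled()) {
                                    this.logger.debug("Security context not yet established, continuing");
                                }
                                // The acceptor's output token goes back with a further challenge.
                                // NOTE(review): the context is released right below, so a mechanism that
                                // needs more than one round trip cannot be resumed on the next request.
                                response.setHeader("WWW-Authenticate", "Negotiate " + Base64.encode(outToken));
                                response.sendError(SC_UNAUTHORIZED);
                                releaseResources(gssContext, loginContext);
                                return false;
                            }

                            GssAwareRealmBase realm = (GssAwareRealmBase) this.context.getRealm();
                            GSSName srcName = gssContext.getSrcName();
                            Oid mech = gssContext.getMech();
                            GSSCredential delegatedCredential = null;
                            if (this.storeDelegatedCredential) {
                                // Only available when the client asked for delegation.
                                if (gssContext.getCredDelegState()) {
                                    delegatedCredential = gssContext.getDelegCred();
                                } else {
                                    this.logger.debug(String.format("Credential of '%s' is not delegable though storing was requested", srcName));
                                }
                            }
                            Principal principal = realm.authenticate(srcName, mech, delegatedCredential);
                            // Context and login are no longer needed once the realm has been consulted.
                            releaseResources(gssContext, loginContext);

                            if (principal == null) {
                                sendUnauthorizedHeader(response);
                                return false;
                            }
                            register(request, response, principal, SPNEGO_METHOD, principal.getName(), null);
                            if (ArrayUtils.isNotEmpty(outToken)) {
                                // Hand the acceptor's final token to the client (presumably for mutual
                                // authentication) and ask for the connection to be closed afterwards.
                                response.setHeader("WWW-Authenticate", "Negotiate " + Base64.encode(outToken));
                                response.addHeader("Connection", "close");
                            }
                            return true;
                        } catch (GSSException e) {
                            // Token is not logged: it is the client's credential material.
                            this.logger.warn("Failed to accept security context with client-supplied service ticket", e);
                            sendException(request, response, new AuthenticationException("Failed to accept security context with client-supplied service ticket", e));
                            releaseResources(gssContext, loginContext);
                            return false;
                        } catch (RuntimeException e) {
                            sendException(request, response, new AuthenticationException("Unable to perform user principal search", e));
                            releaseResources(gssContext, loginContext);
                            return false;
                        }
                    } catch (GSSException e) {
                        this.logger.error("Failed to create a security context", e);
                        sendException(request, response, new AuthenticationException("Failed to create a security context", e));
                        releaseResources(gssContext, loginContext);
                        return false;
                    } catch (PrivilegedActionException e) {
                        // The real cause is the GSSException raised inside run().
                        this.logger.error("Unable to obtain the server credential", e.getException());
                        sendException(request, response, new AuthenticationException("Unable to obtain the server credential", e.getException()));
                        releaseResources(gssContext, loginContext);
                        return false;
                    }
                } catch (Throwable th) {
                    // Anything not handled above (including IOException from the response) still
                    // releases the context and login before propagating.
                    releaseResources(gssContext, loginContext);
                    throw th;
                }
            } catch (LoginException e) {
                this.logger.error("Unable to login as the service principal", e);
                sendException(request, response, new AuthenticationException("Unable to login as the service principal", e));
                // No GSS context exists yet at this point; only the login may need releasing.
                releaseResources(gssContext, loginContext);
                return false;
            }
        } catch (Exception e) {
            // Reached by a Base64 decoding failure, but also by any exception the handlers above
            // rethrow (e.g. an IOException while writing a challenge).
            this.logger.error("The Negotiate authorization header value sent by the client was invalid", e);
            sendUnauthorizedHeader(response, "The Negotiate authorization header value was invalid");
            return false;
        }
    }

    /**
     * Releases the per-request GSS context and JAAS login, if present.
     *
     * <p>Failures are best-effort: both objects are discarded afterwards, so they are only
     * reported at debug level.
     *
     * @param gssContext the context to dispose, may be {@code null}
     * @param loginContext the login to log out, may be {@code null}
     */
    private void releaseResources(GSSContext gssContext, LoginContext loginContext) {
        if (gssContext != null) {
            try {
                gssContext.dispose();
            } catch (GSSException ignored) {
                this.logger.debug("Failed to dispose security context", ignored);
            }
        }
        if (loginContext != null) {
            try {
                loginContext.logout();
            } catch (LoginException ignored) {
                this.logger.debug("Failed to logout service principal", ignored);
            }
        }
    }

    // The two methods below are compiler-generated bridges present in the compiled class.
    @Override // net.sf.michaelo.tomcat.authenticator.GssAwareAuthenticatorBase
    public /* bridge */ /* synthetic */ String getLoginEntryName() {
        return super.getLoginEntryName();
    }

    @Override // net.sf.michaelo.tomcat.authenticator.GssAwareAuthenticatorBase
    public /* bridge */ /* synthetic */ void setLoginEntryName(String str) {
        super.setLoginEntryName(str);
    }
}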
