package net.sf.michaelo.tomcat.authenticator;

import internal.org.apache.commons.lang3.ArrayUtils;
import internal.org.apache.commons.lang3.StringUtils;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import net.sf.michaelo.tomcat.realm.GssAwareRealmBase;
import net.sf.michaelo.tomcat.utils.Base64;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:net/sf/michaelo/tomcat/authenticator/SpnegoAuthenticator.class */
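/**
 * Tomcat authenticator for the HTTP {@code Negotiate} (SPNEGO) scheme.
 *
 * <p>On each unauthenticated request it expects an {@code Authorization: Negotiate <base64 token>}
 * header, decodes the token, rejects NTLM Type 1 messages (NTLM is not supported here), performs a
 * JAAS login under the configured login entry name, acquires an accept-only SPNEGO credential for
 * that subject and feeds the token to {@link GSSContext#acceptSecContext}. Once the context is
 * established the peer's {@link GSSName}, the negotiated mechanism and (optionally) the delegated
 * credential are handed to the {@link GssAwareRealmBase} for principal lookup.
 *
 * <p>Every GSS context and login context created during a request is disposed of / logged out
 * before {@link #authenticate} returns, regardless of outcome.
 */
public class SpnegoAuthenticator extends GssAwareAuthenticatorBase {
    /** Auth method name recorded on the session via {@code register(...)}. */
    protected static final String SPNEGO_METHOD = "SPNEGO";
    /** HTTP authentication scheme handled by this authenticator. */
    protected static final String NEGOTIATE_AUTH_SCHEME = "Negotiate";
    /** Schemes advertised in {@code WWW-Authenticate} challenges. */
    protected static final String[] SUPPORTED_SCHEMES = {NEGOTIATE_AUTH_SCHEME};
    /**
     * Leading bytes of an NTLMSSP Type 1 (negotiate) message: the ASCII signature {@code "NTLMSSP\0"}
     * followed by the little-endian message type {@code 1}. Clients that fall back to NTLM send this
     * inside the {@code Negotiate} scheme, so it has to be detected before GSS processing.
     */
    private static final byte[] NTLM_TYPE1_MESSAGE_START = {78, 84, 76, 77, 83, 83, 80, 0, 1, 0, 0, 0};
    /** When true, a delegated client credential (if any) is passed on to the realm. */
    protected boolean storeDelegatedCredential;

    /**
     * Controls whether a delegated credential obtained from the established context is passed to
     * the realm.
     *
     * @param storeDelegatedCredential true to forward the delegated credential
     */
    public void setStoreDelegatedCredential(boolean storeDelegatedCredential) {
        this.storeDelegatedCredential = storeDelegatedCredential;
    }

    /** @return whether delegated credentials are forwarded to the realm */
    public boolean isStoreDelegatedCredential() {
        return this.storeDelegatedCredential;
    }

    /** @return descriptive implementation information for this component */
    public String getInfo() {
        return "net.sf.michaelo.tomcat.authenticator.SpnegoAuthenticator/1.0";
    }

    /**
     * Sends a {@code 401} whose {@code WWW-Authenticate} challenge carries a continuation token, as
     * required while the GSS context is still being negotiated.
     *
     * @param request current request
     * @param response current response
     * @param scheme authentication scheme to put in front of the token
     * @param token raw token bytes; Base64-encoded into the header
     * @param messageKey key of the error message to respond with
     * @param messageArgs arguments for the error message
     * @throws IOException if writing the response fails
     */
    protected void sendUnauthorizedToken(Request request, Response response, String scheme, byte[] token, String messageKey, Object... messageArgs) throws IOException {
        response.setHeader("WWW-Authenticate", scheme + StringUtils.SPACE + Base64.encode(token));
        respondErrorMessage(request, response, 401, messageKey, messageArgs);
    }

    /**
     * Authenticates the request via SPNEGO.
     *
     * @param request current request
     * @param response current response
     * @param loginConfig login configuration of the web application (not consulted here)
     * @return true if the request is authenticated (a principal was already present or has just
     *         been registered); false if a challenge or error response has already been sent
     * @throws IOException if writing a response fails
     */
    protected boolean authenticate(Request request, Response response, LoginConfig loginConfig) throws IOException {
        Principal userPrincipal = request.getUserPrincipal();
        if (userPrincipal != null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(this.sm.getString("authenticator.alreadyAuthenticated", userPrincipal));
            }
            // Re-associate with the SSO session if one was recorded on the request.
            String ssoId = (String) request.getNote("org.apache.catalina.request.SSOID");
            if (ssoId != null) {
                associate(ssoId, request.getSessionInternal(true));
            }
            return true;
        }

        String authorization = request.getHeader("Authorization");
        if (!StringUtils.startsWithIgnoreCase(authorization, NEGOTIATE_AUTH_SCHEME)) {
            sendUnauthorized(request, response, SUPPORTED_SCHEMES);
            return false;
        }
        String encodedToken = StringUtils.trim(StringUtils.substringAfter(authorization, NEGOTIATE_AUTH_SCHEME));
        if (StringUtils.isEmpty(encodedToken)) {
            sendUnauthorized(request, response, SUPPORTED_SCHEMES);
            return false;
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(this.sm.getString("spnegoAuthenticator.processingToken", encodedToken));
        }

        // Only the decode step is covered by this catch: an undecodable token is a client error
        // (401). Failures further down have their own, more specific handling and must not be
        // misreported as an encoding problem.
        byte[] inToken;
        try {
            inToken = Base64.decode(encodedToken);
        } catch (Exception e) {
            // NOTE(review): the raw token is written to the log on this path; check that this is acceptable for your log handling.
            this.logger.warn(this.sm.getString("spnegoAuthenticator.incorrectlyEncodedToken", encodedToken), e);
            sendUnauthorized(request, response, SUPPORTED_SCHEMES, "spnegoAuthenticator.incorrectlyEncodedToken.responseMessage", new Object[0]);
            return false;
        }

        // Every byte of the NTLM signature must match; a partial match is not an NTLM message.
        if (isNtlmType1Message(inToken)) {
            this.logger.warn(this.sm.getString("spnegoAuthenticator.ntlmNotSupported"));
            sendUnauthorized(request, response, SUPPORTED_SCHEMES, "spnegoAuthenticator.ntlmNotSupported.responseMessage", new Object[0]);
            return false;
        }

        LoginContext loginContext = null;
        GSSContext gssContext = null;
        try {
            try {
                loginContext = new LoginContext(getLoginEntryName());
                loginContext.login();
            } catch (LoginException e) {
                this.logger.error(this.sm.getString("spnegoAuthenticator.obtainFailed"), e);
                sendInternalServerError(request, response, "spnegoAuthenticator.obtainFailed", new Object[0]);
                return false;
            }

            final GSSManager manager = GSSManager.getInstance();
            try {
                // The acceptor credential must be acquired as the logged-in subject; an accept-only
                // credential is all this side of the exchange needs.
                GSSCredential acceptorCredential = Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<GSSCredential>() {
                    @Override
                    public GSSCredential run() throws GSSException {
                        return manager.createCredential((GSSName) null, GSSCredential.INDEFINITE_LIFETIME, GssAwareAuthenticatorBase.SPNEGO_MECHANISM, GSSCredential.ACCEPT_ONLY);
                    }
                });
                gssContext = manager.createContext(acceptorCredential);
            } catch (PrivilegedActionException e) {
                // The GSSException thrown inside run() is the meaningful cause, not the wrapper.
                this.logger.error(this.sm.getString("spnegoAuthenticator.obtainFailed"), e.getException());
                sendInternalServerError(request, response, "spnegoAuthenticator.obtainFailed", new Object[0]);
                return false;
            } catch (GSSException e) {
                this.logger.error(this.sm.getString("spnegoAuthenticator.createContextFailed"), e);
                sendInternalServerError(request, response, "spnegoAuthenticator.createContextFailed", new Object[0]);
                return false;
            }

            byte[] outToken;
            try {
                outToken = gssContext.acceptSecContext(inToken, 0, inToken.length);
            } catch (GSSException e) {
                // A token the mechanism cannot process is treated as a client error, not a server fault.
                this.logger.warn(this.sm.getString("spnegoAuthenticator.invalidToken", encodedToken), e);
                sendUnauthorized(request, response, SUPPORTED_SCHEMES, "spnegoAuthenticator.invalidToken.responseMessage", new Object[0]);
                return false;
            }

            try {
                if (!gssContext.isEstablished()) {
                    if (this.logger.isDebugEnabled()) {
                        this.logger.debug(this.sm.getString("spnegoAuthenticator.continueContextNeeded"));
                    }
                    // Multi-leg negotiation: hand the continuation token back and wait for the next request.
                    sendUnauthorizedToken(request, response, NEGOTIATE_AUTH_SCHEME, outToken, "spnegoAuthenticator.continueContextNeeded", new Object[0]);
                    return false;
                }

                GssAwareRealmBase realm = (GssAwareRealmBase) this.context.getRealm();
                GSSName srcName = gssContext.getSrcName();
                Oid mech = gssContext.getMech();
                GSSCredential delegatedCredential = null;
                if (this.storeDelegatedCredential) {
                    if (gssContext.getCredDelegState()) {
                        delegatedCredential = gssContext.getDelegCred();
                    } else if (this.logger.isDebugEnabled()) {
                        this.logger.debug(this.sm.getString("spnegoAuthenticator.credentialNotDelegable", srcName));
                    }
                }

                Principal principal = realm.authenticate(srcName, mech, delegatedCredential);
                if (principal == null) {
                    sendUnauthorized(request, response, SUPPORTED_SCHEMES, "authenticator.userNotFound", srcName);
                    return false;
                }

                register(request, response, principal, SPNEGO_METHOD, principal.getName(), null);
                if (ArrayUtils.isNotEmpty(outToken)) {
                    // A final token is sent alongside the authenticated response so the client can
                    // complete mutual authentication; the connection is closed afterwards.
                    response.setHeader("WWW-Authenticate", NEGOTIATE_AUTH_SCHEME + StringUtils.SPACE + Base64.encode(outToken));
                    response.addHeader("Connection", "close");
                }
                return true;
            } catch (GSSException e) {
                // Inquiring the established context (src name, mech, delegated credential) failed.
                this.logger.error(this.sm.getString("spnegoAuthenticator.inquireFailed"), e);
                sendInternalServerError(request, response, "spnegoAuthenticator.inquireFailed", new Object[0]);
                return false;
            }
        } finally {
            disposeQuietly(gssContext);
            logoutQuietly(loginContext);
        }
    }

    /**
     * Tells whether {@code token} starts with the NTLMSSP Type 1 message signature.
     *
     * @param token decoded token bytes; may be {@code null}
     * @return true only if every byte of {@link #NTLM_TYPE1_MESSAGE_START} matches the token prefix
     */
    private static boolean isNtlmType1Message(byte[] token) {
        if (token == null || token.length < NTLM_TYPE1_MESSAGE_START.length) {
            return false;
        }
        for (int i = 0; i < NTLM_TYPE1_MESSAGE_START.length; i++) {
            if (token[i] != NTLM_TYPE1_MESSAGE_START[i]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Disposes of the context if one was created. Errors are ignored: the outcome of the request has
     * already been decided and there is no further action to take on a failed cleanup.
     */
    private static void disposeQuietly(GSSContext gssContext) {
        if (gssContext == null) {
            return;
        }
        try {
            gssContext.dispose();
        } catch (GSSException ignored) {
            // best-effort cleanup, see Javadoc
        }
    }

    /**
     * Logs out of the login context if one was created. Errors are ignored for the same reason as in
     * {@link #disposeQuietly(GSSContext)}.
     */
    private static void logoutQuietly(LoginContext loginContext) {
        if (loginContext == null) {
            return;
        }
        try {
            loginContext.logout();
        } catch (LoginException ignored) {
            // best-effort cleanup, see Javadoc
        }
    }

    // The remaining methods are compiler-generated accessibility bridges surfaced by decompilation;
    // they only delegate to the superclass and are retained so the public surface is unchanged.

    @Override
    public void setErrorMessagesAsHeaders(boolean errorMessagesAsHeaders) {
        super.setErrorMessagesAsHeaders(errorMessagesAsHeaders);
    }

    @Override
    public boolean isErrorMessagesAsHeaders() {
        return super.isErrorMessagesAsHeaders();
    }

    @Override
    public void setOmitErrorMessages(boolean omitErrorMessages) {
        super.setOmitErrorMessages(omitErrorMessages);
    }

    @Override
    public boolean isOmitErrorMessages() {
        return super.isOmitErrorMessages();
    }

    @Override
    public String getLoginEntryName() {
        return super.getLoginEntryName();
    }

    @Override
    public void setLoginEntryName(String loginEntryName) {
        super.setLoginEntryName(loginEntryName);
    }
}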
