package net.sf.michaelo.tomcat.authenticator;

import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import net.sf.michaelo.tomcat.internal.org.apache.commons.lang3.StringUtils;
import org.apache.catalina.connector.Request;
import org.apache.tomcat.util.codec.binary.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;

/* loaded from: input_file:net/sf/michaelo/tomcat/authenticator/SpnegoAuthenticator.class */
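/**
 * Tomcat authenticator for the HTTP {@code Negotiate} (SPNEGO) scheme, built on the GSS-API
 * plumbing inherited from {@link GSSAuthenticatorBase}.
 *
 * <p>Request flow: reuse a cached authentication if present; otherwise require an
 * {@code Authorization: Negotiate <token>} header, reject NTLM type-1 tokens that some clients
 * send under that scheme, accept the token with a server credential obtained through the
 * configured JAAS login entry, hand the established context to the realm, and register the
 * resulting principal. Only single-round-trip contexts are handled: a context that still needs
 * another token from the client is answered with an internal server error.
 *
 * <p>Reconstructed from decompiler output. The decompiler showed the duplicated cleanup of a
 * finally block and compiler-generated bridge methods for the base class accessors; the cleanup
 * is a single finally block again here, and the bridges are left to javac to regenerate.
 */
public class SpnegoAuthenticator extends GSSAuthenticatorBase {

    /** Authentication method name recorded on the request for sessions established here. */
    protected static final String SPNEGO_METHOD = "SPNEGO";

    /** HTTP authentication scheme expected in {@code Authorization} and used in challenges. */
    protected static final String SPNEGO_AUTH_SCHEME = "Negotiate";

    /**
     * Prefix of an NTLM type-1 message: the ASCII signature {@code "NTLMSSP\0"} followed by the
     * little-endian message type {@code 1}. Such a token is not SPNEGO and is rejected before it
     * reaches the GSS layer.
     */
    private static final byte[] NTLM_TYPE1_MESSAGE_START = {78, 84, 76, 77, 83, 83, 80, 0, 1, 0, 0, 0};

    /**
     * Performs SPNEGO authentication for one request.
     *
     * @param request the request carrying the {@code Authorization} header
     * @param httpServletResponse the response a challenge, error or continuation token is sent on
     * @return {@code true} if a principal was registered on the request, {@code false} if a
     *         challenge or error response was sent instead
     * @throws IOException if writing the response fails
     */
    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse httpServletResponse) throws IOException {
        if (checkForCachedAuthentication(request, httpServletResponse, true)) {
            return true;
        }

        String authorization = request.getHeader("Authorization");
        if (!StringUtils.startsWithIgnoreCase(authorization, SPNEGO_AUTH_SCHEME)) {
            sendUnauthorized(request, httpServletResponse, SPNEGO_AUTH_SCHEME);
            return false;
        }
        // Everything after the scheme name and the single separating space is the base64 token.
        String authorizationValue = StringUtils.substring(authorization, SPNEGO_AUTH_SCHEME.length() + 1);
        if (StringUtils.isEmpty(authorizationValue)) {
            sendUnauthorized(request, httpServletResponse, SPNEGO_AUTH_SCHEME);
            return false;
        }
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(this.sm.getString("spnegoAuthenticator.processingToken", new Object[]{authorizationValue}));
        }

        // Only the decode step is guarded here, so a failure further down (JAAS, GSS, realm) is
        // reported under its own message key instead of being misreported as a client encoding
        // error with a 401.
        byte[] inToken;
        try {
            inToken = Base64.decodeBase64(authorizationValue);
        } catch (Exception e) {
            this.logger.warn(this.sm.getString("spnegoAuthenticator.incorrectlyEncodedToken", new Object[]{authorizationValue}), e);
            sendUnauthorized(request, httpServletResponse, SPNEGO_AUTH_SCHEME, "spnegoAuthenticator.incorrectlyEncodedToken.responseMessage", new Object[0]);
            return false;
        }

        if (isNtlmType1Message(inToken)) {
            this.logger.warn(this.sm.getString("spnegoAuthenticator.ntlmNotSupported"));
            sendUnauthorized(request, httpServletResponse, SPNEGO_AUTH_SCHEME, "spnegoAuthenticator.ntlmNotSupported.responseMessage", new Object[0]);
            return false;
        }

        Principal principal;
        byte[] outToken;
        LoginContext loginContext = null;
        GSSContext gssContext = null;
        try {
            try {
                loginContext = new LoginContext(getLoginEntryName());
                loginContext.login();
            } catch (LoginException e) {
                this.logger.error(this.sm.getString("spnegoAuthenticator.obtainFailed"), e);
                sendInternalServerError(request, httpServletResponse, "spnegoAuthenticator.obtainFailed", new Object[0]);
                return false;
            }

            GSSManager gssManager = GSSManager.getInstance();
            try {
                // The acceptor credential is acquired as the JAAS subject. The explicitly typed
                // action keeps the doAs overload unambiguous for a body that throws GSSException.
                PrivilegedExceptionAction<GSSCredential> acquireCredential = () -> gssManager.createCredential(
                        (GSSName) null, GSSCredential.INDEFINITE_LIFETIME, SPNEGO_MECHANISM, GSSCredential.ACCEPT_ONLY);
                GSSCredential serverCredential = Subject.doAs(loginContext.getSubject(), acquireCredential);
                gssContext = gssManager.createContext(serverCredential);
            } catch (PrivilegedActionException e) {
                this.logger.error(this.sm.getString("spnegoAuthenticator.obtainFailed"), e.getException());
                sendInternalServerError(request, httpServletResponse, "spnegoAuthenticator.obtainFailed", new Object[0]);
                return false;
            } catch (GSSException e) {
                this.logger.error(this.sm.getString("spnegoAuthenticator.createContextFailed"), e);
                sendInternalServerError(request, httpServletResponse, "spnegoAuthenticator.createContextFailed", new Object[0]);
                return false;
            }

            try {
                outToken = gssContext.acceptSecContext(inToken, 0, inToken.length);
            } catch (GSSException e) {
                this.logger.warn(this.sm.getString("spnegoAuthenticator.invalidToken", new Object[]{authorizationValue}), e);
                sendUnauthorized(request, httpServletResponse, SPNEGO_AUTH_SCHEME, "spnegoAuthenticator.invalidToken.responseMessage", new Object[0]);
                return false;
            }

            // A context that is not established after one token would need another round trip;
            // nothing here carries a context across requests, so that case is an error.
            if (!gssContext.isEstablished()) {
                this.logger.error(this.sm.getString("spnegoAuthenticator.continueContextNotSupported"));
                sendInternalServerError(request, httpServletResponse, "spnegoAuthenticator.continueContextNotSupported.responseMessage", new Object[0]);
                return false;
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(this.sm.getString("spnegoAuthenticator.contextSuccessfullyEstablished"));
            }

            principal = this.context.getRealm().authenticate(gssContext, isStoreDelegatedCredential());
            if (principal == null) {
                GSSName srcName;
                try {
                    srcName = gssContext.getSrcName();
                } catch (GSSException e) {
                    this.logger.error(this.sm.getString("gssAuthenticatorBase.inquireNameFailed"), e);
                    sendInternalServerError(request, httpServletResponse, "gssAuthenticatorBase.inquireNameFailed", new Object[0]);
                    return false;
                }
                sendUnauthorized(request, httpServletResponse, SPNEGO_AUTH_SCHEME, "gssAuthenticatorBase.userNotFound", new Object[]{srcName});
                return false;
            }
        } finally {
            // Released before the principal is registered, matching the original ordering; the
            // context is not used again below.
            releaseQuietly(gssContext, loginContext);
        }

        register(request, httpServletResponse, principal, SPNEGO_METHOD, principal.getName(), null);

        // acceptSecContext may hand back a token for the client (e.g. for mutual authentication);
        // it travels in WWW-Authenticate on the otherwise successful response.
        if (outToken != null) {
            String encodedOutToken = Base64.encodeBase64String(outToken);
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(this.sm.getString("spnegoAuthenticator.respondingWithToken", new Object[]{encodedOutToken}));
            }
            httpServletResponse.setHeader("WWW-Authenticate", SPNEGO_AUTH_SCHEME + " " + encodedOutToken);
        }
        return true;
    }

    /**
     * Tells whether a decoded token starts with the NTLM type-1 message signature.
     *
     * @param token decoded token bytes
     * @return {@code true} if the token is at least as long as the signature and begins with it
     */
    private static boolean isNtlmType1Message(byte[] token) {
        if (token.length < NTLM_TYPE1_MESSAGE_START.length) {
            return false;
        }
        for (int i = 0; i < NTLM_TYPE1_MESSAGE_START.length; i++) {
            if (token[i] != NTLM_TYPE1_MESSAGE_START[i]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Disposes the GSS context and logs out the login context, each only if it was created,
     * ignoring failures of either. The outcome of the request has been decided by the time this
     * runs, so a cleanup failure has nothing left to influence.
     *
     * @param gssContext the context to dispose, or {@code null}
     * @param loginContext the login to end, or {@code null}
     */
    private static void releaseQuietly(GSSContext gssContext, LoginContext loginContext) {
        if (gssContext != null) {
            try {
                gssContext.dispose();
            } catch (GSSException ignored) {
                // best-effort release
            }
        }
        if (loginContext != null) {
            try {
                loginContext.logout();
            } catch (LoginException ignored) {
                // best-effort logout
            }
        }
    }

    /**
     * Reports whether the request already carries a Negotiate header, so authentication can be
     * attempted without first issuing a challenge.
     *
     * @param request the request to inspect
     * @return {@code true} if the {@code Authorization} header starts with the Negotiate scheme
     */
    @Override
    protected boolean isPreemptiveAuthPossible(Request request) {
        return StringUtils.startsWithIgnoreCase(request.getHeader("Authorization"), SPNEGO_AUTH_SCHEME);
    }

    /**
     * @return the authentication method name, {@value #SPNEGO_METHOD}
     */
    @Override
    protected String getAuthMethod() {
        return SPNEGO_METHOD;
    }
}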
