package org.codelibs.spnego;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URISyntaxException;
import java.security.PrivilegedActionException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Map;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import org.codelibs.spnego.SpnegoHttpFilter;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/* loaded from: input_file:org/codelibs/spnego/SpnegoAuthenticator.class */
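/**
 * Server-side authenticator that validates HTTP {@code Negotiate} (SPNEGO/Kerberos) tokens and,
 * when configured, HTTP {@code Basic} credentials against a JAAS login module.
 *
 * <p>On construction the instance logs in as the service account and keeps the resulting
 * credential until {@link #dispose()} is called.
 *
 * <p>Security-relevant switches read from {@link SpnegoFilterConfig}:
 * <ul>
 *   <li>{@code allowBasic} / {@code allowUnsecure}: Basic credentials are accepted only when Basic
 *       is enabled and the request is secure, unless unsecured Basic is explicitly allowed.</li>
 *   <li>{@code allowLocalhost}: requests whose local and remote addresses are equal skip
 *       credential validation entirely (see {@link #isLocalhost(HttpServletRequest)}).</li>
 *   <li>{@code allowDelegation}: a delegated client credential is attached to the returned
 *       principal when the client offered one.</li>
 * </ul>
 */
public final class SpnegoAuthenticator {
    private static final Logger LOGGER = Logger.getLogger(SpnegoHttpFilter.Constants.LOGGER_NAME);

    /** Held while creating, feeding and disposing GSS contexts obtained from {@link #MANAGER}. */
    private static final Lock LOCK = new ReentrantLock();

    private static final GSSManager MANAGER = GSSManager.getInstance();

    private final transient boolean allowBasic;
    private final transient boolean allowDelegation;
    private final transient boolean allowLocalhost;
    private final transient boolean allowUnsecure;
    private final transient boolean promptIfNtlm;
    private final transient String clientModuleName;
    private final transient LoginContext loginContext;
    private final transient GSSCredential serverCredentials;
    private final transient KerberosPrincipal serverPrincipal;

    /**
     * Creates an authenticator and logs in as the server principal.
     *
     * <p>With a keytab the server login module is used as-is; otherwise the pre-authentication
     * username and password from the configuration are handed to it through a callback handler.
     *
     * @param spnegoFilterConfig filter settings
     * @throws LoginException if the server login fails
     * @throws GSSException if the server credential or its name cannot be obtained
     * @throws PrivilegedActionException if obtaining the server credential fails
     */
    public SpnegoAuthenticator(SpnegoFilterConfig spnegoFilterConfig) throws LoginException, GSSException, PrivilegedActionException {
        // NOTE(review): the configuration carries the pre-auth password; confirm that
        // SpnegoFilterConfig.toString() does not print it before enabling FINE logging.
        LOGGER.fine("config=" + spnegoFilterConfig);

        this.allowBasic = spnegoFilterConfig.isBasicAllowed();
        this.allowUnsecure = spnegoFilterConfig.isUnsecureAllowed();
        this.clientModuleName = spnegoFilterConfig.getClientLoginModule();
        this.allowLocalhost = spnegoFilterConfig.isLocalhostAllowed();
        this.promptIfNtlm = spnegoFilterConfig.downgradeNtlm();
        this.allowDelegation = spnegoFilterConfig.isDelegationAllowed();

        if (spnegoFilterConfig.useKeyTab()) {
            this.loginContext = new LoginContext(spnegoFilterConfig.getServerLoginModule());
        } else {
            final CallbackHandler preauthHandler = SpnegoProvider.getUsernamePasswordHandler(
                    spnegoFilterConfig.getPreauthUsername(), spnegoFilterConfig.getPreauthPassword());
            this.loginContext = new LoginContext(spnegoFilterConfig.getServerLoginModule(), preauthHandler);
        }

        this.loginContext.login();
        this.serverCredentials = SpnegoProvider.getServerCredential(this.loginContext.getSubject());
        this.serverPrincipal = new KerberosPrincipal(this.serverCredentials.getName().toString());
    }

    /**
     * Creates an authenticator from a plain key/value map instead of a servlet filter
     * configuration.
     *
     * <p>The map is wrapped in a minimal {@link FilterConfig} that only answers
     * {@code getInitParameter}; a missing key raises {@link NullPointerException} naming the key.
     *
     * @param map init-parameter names mapped to their values
     * @throws LoginException if the server login fails
     * @throws GSSException if the server credential or its name cannot be obtained
     * @throws PrivilegedActionException if obtaining the server credential fails
     * @throws FileNotFoundException declared for building the filter configuration
     * @throws URISyntaxException declared for building the filter configuration
     */
    public SpnegoAuthenticator(final Map<String, String> map) throws LoginException, GSSException, PrivilegedActionException, FileNotFoundException, URISyntaxException {
        this(SpnegoFilterConfig.getInstance(new FilterConfig() {
            // Deliberately not named "map": a field of that name would shadow the constructor
            // parameter and the initializer would read the still-unassigned field.
            private final Map<String, String> params = Collections.unmodifiableMap(map);

            @Override
            public String getFilterName() {
                throw new UnsupportedOperationException();
            }

            @Override
            public String getInitParameter(String str) {
                final String value = this.params.get(str);
                if (null == value) {
                    throw new NullPointerException("Config missing param value for: " + str);
                }
                return value;
            }

            @Override
            public Enumeration<String> getInitParameterNames() {
                throw new UnsupportedOperationException();
            }

            @Override
            public ServletContext getServletContext() {
                throw new UnsupportedOperationException();
            }
        }));
    }

    /**
     * Authenticates one request.
     *
     * <p>Order of checks: the localhost shortcut (if enabled), then scheme negotiation, then
     * either SPNEGO token validation or Basic credential validation.
     *
     * @param httpServletRequest the incoming request
     * @param spnegoHttpServletResponse the response, used to send challenges and 401 status
     * @return the authenticated principal, or {@code null} when no principal could be
     *         established for this request
     * @throws GSSException if token processing fails
     * @throws IOException if the response cannot be written
     * @throws UnsupportedOperationException if the client used an unsupported scheme, or used
     *         Basic while Basic is disabled or the connection is not secure
     */
    public SpnegoPrincipal authenticate(HttpServletRequest httpServletRequest, SpnegoHttpServletResponse spnegoHttpServletResponse) throws GSSException, IOException {
        // Basic sends a reusable password, so it is offered only over a secure request unless the
        // deployment opted in to unsecured Basic. isSecure() reflects what the container sees;
        // behind a TLS-terminating proxy the container must be configured to report it correctly.
        final boolean basicSupported = this.allowBasic && (this.allowUnsecure || httpServletRequest.isSecure());
        final String serverRealm = this.serverPrincipal.getRealm();

        if (this.allowLocalhost && isLocalhost(httpServletRequest)) {
            return doLocalhost();
        }

        final SpnegoAuthScheme scheme = SpnegoProvider.negotiate(
                httpServletRequest, spnegoHttpServletResponse, basicSupported, this.promptIfNtlm, serverRealm);
        if (null == scheme) {
            LOGGER.finer("scheme null.");
            return null;
        }

        if (scheme.isNegotiateScheme()) {
            return doSpnegoAuth(scheme, spnegoHttpServletResponse);
        }
        if (!scheme.isBasicScheme()) {
            throw new UnsupportedOperationException("scheme=" + scheme);
        }
        // The client may send Basic credentials unprompted, so re-check the policy here.
        if (!basicSupported) {
            LOGGER.severe("allowBasic=" + this.allowBasic + "; allowUnsecure=" + this.allowUnsecure + "; req.isSecure()=" + httpServletRequest.isSecure());
            throw new UnsupportedOperationException("Basic Auth not allowed or SSL required.");
        }
        return doBasicAuth(scheme, spnegoHttpServletResponse);
    }

    /**
     * Releases the server credential and logs the service account out. Failures are logged at
     * WARNING and do not stop the remaining clean-up.
     */
    public void dispose() {
        if (null != this.serverCredentials) {
            try {
                this.serverCredentials.dispose();
            } catch (GSSException e) {
                LOGGER.log(Level.WARNING, "Dispose failed.", e);
            }
        }
        if (null != this.loginContext) {
            try {
                this.loginContext.logout();
            } catch (LoginException e) {
                LOGGER.log(Level.WARNING, "Logout failed.", e);
            }
        }
    }

    /**
     * Validates Basic credentials by performing a JAAS login (and immediate logout) with the
     * client login module.
     *
     * @param spnegoAuthScheme parsed {@code Authorization} header holding the decoded credentials
     * @param spnegoHttpServletResponse response that receives the challenge on failure
     * @return the principal {@code user@REALM} on success; {@code null} if no credentials were
     *         sent or the login failed (in the latter case a 401 with Negotiate and Basic
     *         challenges is set)
     * @throws IOException if the response cannot be written
     * @throws IllegalArgumentException if the credentials do not contain a {@code ':'} separator
     */
    private SpnegoPrincipal doBasicAuth(SpnegoAuthScheme spnegoAuthScheme, SpnegoHttpServletResponse spnegoHttpServletResponse) throws IOException {
        final byte[] data = spnegoAuthScheme.getToken();
        if (0 == data.length) {
            LOGGER.finer("Basic Auth data was NULL.");
            return null;
        }

        // NOTE(review): decodes with the platform default charset, so non-ASCII credentials are
        // interpreted differently from host to host; consider pinning an explicit charset.
        final String[] basicData = new String(data).split(":", 2);
        if (basicData.length != 2) {
            throw new IllegalArgumentException("Username/Password may have contained an invalid character. basicData.length=" + basicData.length);
        }

        // Drop an optional "DOMAIN\" prefix; the realm of the server principal is used instead.
        final String username = basicData[0].substring(basicData[0].indexOf('\\') + 1);
        final String password = basicData[1];
        final CallbackHandler handler = SpnegoProvider.getUsernamePasswordHandler(username, password);

        SpnegoPrincipal principal = null;
        try {
            if (username.isEmpty()) {
                throw new LoginException("Username is required.");
            }

            // Credentials are verified by a login round trip; no session is kept.
            final LoginContext clientContext = new LoginContext(this.clientModuleName, handler);
            clientContext.login();
            clientContext.logout();

            principal = new SpnegoPrincipal(username + '@' + this.serverPrincipal.getRealm(), KerberosPrincipal.KRB_NT_PRINCIPAL);
        } catch (LoginException e) {
            // Nothing derived from the password is logged: String.hashCode() is a 32-bit
            // non-cryptographic hash and would help offline guessing from log files.
            // The username is client-supplied, so line breaks are neutralised before logging.
            LOGGER.info(e.getMessage() + ": Login failed. username=" + forLog(username));
            spnegoHttpServletResponse.setHeader(SpnegoHttpFilter.Constants.AUTHN_HEADER, SpnegoHttpFilter.Constants.NEGOTIATE_HEADER);
            spnegoHttpServletResponse.addHeader(SpnegoHttpFilter.Constants.AUTHN_HEADER, "Basic realm=\"" + this.serverPrincipal.getRealm() + '\"');
            spnegoHttpServletResponse.setStatus(401, true);
        }
        return principal;
    }

    /** Replaces CR and LF so a client-supplied value cannot start a forged log record. */
    private static String forLog(String value) {
        return value.replace('\r', '_').replace('\n', '_');
    }

    /**
     * Builds the principal used when the localhost shortcut applies: the {@code user.name}
     * system property at the server realm, or the server principal itself when that property is
     * unset or empty. No client credential is examined on this path.
     */
    private SpnegoPrincipal doLocalhost() {
        final String username = System.getProperty("user.name");
        final String realm = this.serverPrincipal.getRealm();
        if (null == username || username.isEmpty()) {
            return new SpnegoPrincipal(this.serverPrincipal.getName() + '@' + realm, this.serverPrincipal.getNameType());
        }
        return new SpnegoPrincipal(username + '@' + realm, KerberosPrincipal.KRB_NT_PRINCIPAL);
    }

    /**
     * Validates a SPNEGO token against the server credential.
     *
     * @param spnegoAuthScheme parsed {@code Authorization} header holding the GSS token
     * @param spnegoHttpServletResponse response that receives the reply token and, if the
     *        context is not yet established, a 401 status
     * @return the client principal (with the delegated credential when delegation is allowed
     *         and offered), or {@code null} when the token was empty, produced no reply token,
     *         or did not establish the context
     * @throws GSSException if the token is rejected or the context cannot be queried
     * @throws IOException if the response cannot be written
     */
    private SpnegoPrincipal doSpnegoAuth(SpnegoAuthScheme spnegoAuthScheme, SpnegoHttpServletResponse spnegoHttpServletResponse) throws GSSException, IOException {
        final byte[] gss = spnegoAuthScheme.getToken();
        if (0 == gss.length) {
            LOGGER.finer("GSS data was NULL.");
            return null;
        }

        final String srcName;
        GSSContext context = null;
        GSSCredential delegCred = null;
        try {
            final byte[] replyToken;

            // Every unlock() is paired with a lock() taken immediately before its try block;
            // unlocking a ReentrantLock that is not held throws IllegalMonitorStateException.
            LOCK.lock();
            try {
                context = MANAGER.createContext(this.serverCredentials);
                replyToken = context.acceptSecContext(gss, 0, gss.length);
            } finally {
                LOCK.unlock();
            }

            if (null == replyToken) {
                LOGGER.finer("Token was NULL.");
                return null;
            }

            spnegoHttpServletResponse.setHeader(SpnegoHttpFilter.Constants.AUTHN_HEADER, "Negotiate " + Base64.encode(replyToken));

            // A principal is returned only for a fully established context.
            if (!context.isEstablished()) {
                LOGGER.fine("context not established");
                spnegoHttpServletResponse.setStatus(401, true);
                return null;
            }

            srcName = context.getSrcName().toString();

            // Delegated credentials let this server act as the client towards other services, so
            // they are picked up only when the deployment enabled delegation.
            // NOTE(review): the returned GSSCredential is not disposed here; confirm the owner of
            // the SpnegoPrincipal releases it.
            if (this.allowDelegation && context.getCredDelegState()) {
                delegCred = context.getDelegCred();
            }
        } finally {
            // Runs on every exit path, including exceptions, so the context is never leaked.
            if (null != context) {
                LOCK.lock();
                try {
                    context.dispose();
                } finally {
                    LOCK.unlock();
                }
            }
        }

        return new SpnegoPrincipal(srcName, KerberosPrincipal.KRB_NT_PRINCIPAL, delegCred);
    }

    /**
     * Reports whether the request's local and remote addresses are equal.
     *
     * <p>This is an address comparison, not proof of a local user: requests relayed by a reverse
     * proxy or load balancer running on the same host also match. With {@code allowLocalhost}
     * enabled such requests receive the identity built by {@link #doLocalhost()} without any
     * credential check, so the option should stay off in proxied deployments.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if both addresses are present and equal; a missing local address is
     *         treated as "not localhost" so the shortcut fails closed
     */
    private boolean isLocalhost(HttpServletRequest httpServletRequest) {
        final String localAddr = httpServletRequest.getLocalAddr();
        return null != localAddr && localAddr.equals(httpServletRequest.getRemoteAddr());
    }
}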
