package aurora.plugin.spnego;

import aurora.plugin.spnego.SpnegoConfig;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;

/* loaded from: input_file:aurora/plugin/spnego/SpnegoAuthenticator.class */
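/**
 * Server-side authenticator for HTTP requests using SPNEGO ("Negotiate") and,
 * when the configuration permits it, HTTP Basic.
 *
 * <p>At construction the instance logs in with the configured server module and
 * credentials and keeps the resulting {@link GSSCredential} until
 * {@link #dispose()} is called. Calls into the shared {@link GSSManager} and the
 * per-request {@link GSSContext} are serialized through a single static lock.
 *
 * <p>Security-relevant switches read from {@code SpnegoConfig}:
 * <ul>
 *   <li>{@code allowBasic} / {@code allowUnsecure} - Basic is offered only when
 *       {@code allowBasic} is set and the request is secure, unless
 *       {@code allowUnsecure} is also set (credentials then cross the wire
 *       base64-encoded only).</li>
 *   <li>{@code allowLocalhost} - requests whose local and remote addresses are
 *       equal are accepted without any credential check.</li>
 *   <li>{@code allowDelegation} - a delegated client credential, if present, is
 *       attached to the returned principal.</li>
 * </ul>
 */
public class SpnegoAuthenticator {
    /** Serializes GSS-API context creation, token acceptance and disposal. */
    private static final Lock LOCK = new ReentrantLock();
    private static final GSSManager MANAGER = GSSManager.getInstance();
    private final transient boolean allowBasic;
    private final transient boolean allowDelegation;
    private final transient boolean allowLocalhost;
    private final transient boolean allowUnsecure;
    private final transient boolean promptIfNtlm;
    private final transient String clientModuleName;
    private final transient LoginContext loginContext;
    private final transient GSSCredential serverCredentials;
    private final transient KerberosPrincipal serverPrincipal;

    /**
     * Logs the server in and obtains its GSS credential.
     *
     * @param spnegoConfig source of the policy flags, the login module names and
     *        the server username/password
     * @throws LoginException if the server login fails
     * @throws GSSException if the server credential or its name cannot be obtained
     * @throws PrivilegedActionException propagated from
     *         {@code SpnegoProvider.getServerCredential}
     */
    public SpnegoAuthenticator(SpnegoConfig spnegoConfig) throws LoginException, GSSException, PrivilegedActionException {
        this.allowBasic = spnegoConfig.getAllowBasic();
        this.allowUnsecure = spnegoConfig.getAllowUnsecure();
        this.clientModuleName = spnegoConfig.getClientModuleName();
        this.allowLocalhost = spnegoConfig.getAllowLocalhost();
        this.promptIfNtlm = spnegoConfig.getPromptIfNtlm();
        this.allowDelegation = spnegoConfig.getAllowDelegation();
        this.loginContext = new LoginContext(
                spnegoConfig.getServerModuleName(),
                SpnegoProvider.getUsernamePasswordHandler(spnegoConfig.getUsername(), spnegoConfig.getPassword()));
        this.loginContext.login();
        this.serverCredentials = SpnegoProvider.getServerCredential(this.loginContext.getSubject());
        this.serverPrincipal = new KerberosPrincipal(this.serverCredentials.getName().toString());
    }

    /**
     * Authenticates one request.
     *
     * @param httpServletRequest the incoming request
     * @param spnegoHttpServletResponse response used to send challenges and reply tokens
     * @return the authenticated principal, or {@code null} when no principal was
     *         established for this request (no scheme negotiated, empty token,
     *         context not yet established, or Basic login rejected)
     * @throws GSSException if the SPNEGO token cannot be processed
     * @throws IOException propagated from writing to the response
     * @throws UnsupportedOperationException if the client used a scheme other than
     *         Negotiate/Basic, or used Basic while it is not permitted
     */
    public SpnegoPrincipal authenticate(HttpServletRequest httpServletRequest, SpnegoHttpServletResponse spnegoHttpServletResponse) throws GSSException, IOException {
        // Basic is only on offer when enabled AND (the transport is secure OR the
        // operator explicitly accepted clear-text transport).
        boolean basicSupported = this.allowBasic && (this.allowUnsecure || httpServletRequest.isSecure());
        String realm = this.serverPrincipal.getRealm();

        // Localhost shortcut: returns a principal with no credential check at all.
        if (this.allowLocalhost && isLocalhost(httpServletRequest)) {
            return doLocalhost();
        }

        SpnegoAuthScheme scheme = SpnegoProvider.negotiate(
                httpServletRequest, spnegoHttpServletResponse, basicSupported, this.promptIfNtlm, realm);
        if (scheme == null) {
            return null;
        }
        if (scheme.isNegotiateScheme()) {
            return doSpnegoAuth(scheme, spnegoHttpServletResponse);
        }
        if (!scheme.isBasicScheme()) {
            throw new UnsupportedOperationException("scheme=" + scheme);
        }
        // Re-check the policy here: the client chooses the scheme, so a Basic
        // header can arrive even though Basic was never offered.
        if (!basicSupported) {
            throw new UnsupportedOperationException("Basic Auth not allowed or SSL required.");
        }
        return doBasicAuth(scheme, spnegoHttpServletResponse);
    }

    /**
     * Releases the server credential and logs the server out. Best effort:
     * failures are ignored so that both steps are always attempted.
     */
    public void dispose() {
        if (this.serverCredentials != null) {
            try {
                this.serverCredentials.dispose();
            } catch (GSSException ignored) {
                // Best-effort cleanup during shutdown; nothing useful to do here.
            }
        }
        if (this.loginContext != null) {
            try {
                this.loginContext.logout();
            } catch (LoginException ignored) {
                // Best-effort cleanup during shutdown; nothing useful to do here.
            }
        }
    }

    /**
     * Validates Basic credentials by performing a login/logout against the
     * client login module.
     *
     * @param spnegoAuthScheme scheme carrying the decoded {@code user:password} bytes
     * @param spnegoHttpServletResponse response that receives the 401 challenge on failure
     * @return the principal {@code user@REALM} on success; {@code null} when the
     *         token is empty or the login is rejected (a 401 challenge is sent
     *         in the latter case)
     * @throws IOException propagated from writing to the response
     * @throws IllegalArgumentException if the token has no {@code ':'} separator
     */
    private SpnegoPrincipal doBasicAuth(SpnegoAuthScheme spnegoAuthScheme, SpnegoHttpServletResponse spnegoHttpServletResponse) throws IOException {
        byte[] token = spnegoAuthScheme.getToken();
        if (token.length == 0) {
            return null;
        }
        // NOTE(review): decodes with the platform default charset, so non-ASCII
        // credentials depend on the JVM's locale settings - confirm that is intended.
        String[] credentials = new String(token).split(":", 2);
        if (credentials.length != 2) {
            // Only the part count goes into the message, never the credential text.
            throw new IllegalArgumentException("Username/Password may have contained an invalid character. basicData.length=" + credentials.length);
        }
        // Drop an optional "DOMAIN\" prefix from the user name.
        String username = credentials[0].substring(credentials[0].indexOf('\\') + 1);
        CallbackHandler handler = SpnegoProvider.getUsernamePasswordHandler(username, credentials[1]);
        try {
            if (username.isEmpty()) {
                throw new LoginException("Username is required.");
            }
            // The credentials are verified by a login that is immediately logged out.
            LoginContext clientLogin = new LoginContext(this.clientModuleName, handler);
            clientLogin.login();
            clientLogin.logout();
            return new SpnegoPrincipal(username + '@' + this.serverPrincipal.getRealm(), KerberosPrincipal.KRB_NT_PRINCIPAL);
        } catch (LoginException e) {
            // Rejected login: re-issue both challenges and answer 401. The failure
            // reason is not echoed to the client.
            // NOTE(review): nothing is logged here; failed Basic logins are worth
            // recording for brute-force detection if the project has a logger.
            spnegoHttpServletResponse.setHeader(SpnegoConfig.Constants.AUTHN_HEADER, SpnegoConfig.Constants.NEGOTIATE_HEADER);
            spnegoHttpServletResponse.addHeader(SpnegoConfig.Constants.AUTHN_HEADER, "Basic realm=\"" + this.serverPrincipal.getRealm() + '\"');
            spnegoHttpServletResponse.setStatus(401, true);
            return null;
        }
    }

    /**
     * Builds the principal used for requests accepted by the localhost shortcut.
     *
     * @return {@code <user.name>@REALM} when the {@code user.name} system property
     *         is set and non-empty, otherwise a principal built from the server
     *         principal's own name and name type
     */
    private SpnegoPrincipal doLocalhost() {
        // The identity is that of the account running the JVM, not of the caller.
        String osUser = System.getProperty("user.name");
        if (osUser == null || osUser.isEmpty()) {
            return new SpnegoPrincipal(
                    this.serverPrincipal.getName() + '@' + this.serverPrincipal.getRealm(),
                    this.serverPrincipal.getNameType());
        }
        return new SpnegoPrincipal(osUser + '@' + this.serverPrincipal.getRealm(), KerberosPrincipal.KRB_NT_PRINCIPAL);
    }

    /**
     * Accepts a SPNEGO token and, once the security context is established,
     * returns the client's principal.
     *
     * @param spnegoAuthScheme scheme carrying the client's GSS token
     * @param spnegoHttpServletResponse response that receives the reply token and,
     *        if the context is not yet established, the 401 status
     * @return the client principal (with the delegated credential when delegation
     *         is allowed and offered), or {@code null} when the token is empty,
     *         no reply token was produced, or the context is not established
     * @throws GSSException if the GSS-API rejects the token or a call fails
     * @throws IOException propagated from writing to the response
     */
    private SpnegoPrincipal doSpnegoAuth(SpnegoAuthScheme spnegoAuthScheme, SpnegoHttpServletResponse spnegoHttpServletResponse) throws GSSException, IOException {
        byte[] clientToken = spnegoAuthScheme.getToken();
        if (clientToken.length == 0) {
            return null;
        }
        GSSContext context = null;
        GSSCredential delegatedCredential = null;
        String clientName;
        try {
            byte[] replyToken;
            // Every lock() is paired with unlock() in a finally block: LOCK is
            // static, so one missed release would block every later request
            // thread for the lifetime of the JVM.
            LOCK.lock();
            try {
                context = MANAGER.createContext(this.serverCredentials);
                replyToken = context.acceptSecContext(clientToken, 0, clientToken.length);
            } finally {
                LOCK.unlock();
            }
            if (replyToken == null) {
                return null;
            }
            spnegoHttpServletResponse.setHeader(SpnegoConfig.Constants.AUTHN_HEADER, "Negotiate " + Base64.encode(replyToken));
            if (!context.isEstablished()) {
                // More round trips are needed; the client must continue the handshake.
                spnegoHttpServletResponse.setStatus(401, true);
                return null;
            }
            clientName = context.getSrcName().toString();
            // A delegated credential lets this server act as the client towards
            // other services, so it is only retained when explicitly allowed.
            if (this.allowDelegation && context.getCredDelegState()) {
                delegatedCredential = context.getDelegCred();
            }
        } finally {
            // The context is released on every path, including exceptions.
            if (context != null) {
                LOCK.lock();
                try {
                    context.dispose();
                } finally {
                    LOCK.unlock();
                }
            }
        }
        return new SpnegoPrincipal(clientName, KerberosPrincipal.KRB_NT_PRINCIPAL, delegatedCredential);
    }

    /**
     * Reports whether the request's local and remote addresses are identical.
     *
     * <p>NOTE(review): this is an address comparison, not proof of who the caller
     * is. If a reverse proxy or tunnel on the same host forwards traffic to this
     * application, every forwarded request would presumably satisfy it - confirm
     * the deployment topology before enabling {@code allowLocalhost}.
     */
    private boolean isLocalhost(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getLocalAddr().equals(httpServletRequest.getRemoteAddr());
    }
}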
