package org.wildfly.security.http.impl;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PrivilegedActionException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.sasl.AuthorizeCallback;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.IdentityCredentialCallback;
import org.wildfly.security.auth.callback.ServerCredentialCallback;
import org.wildfly.security.credential.GSSKerberosCredential;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.HttpServerResponse;
import org.wildfly.security.http.Scope;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism.MechanismUtil;
import org.wildfly.security.util.ByteIterator;

/* loaded from: input_file:org/wildfly/security/http/impl/SpnegoAuthenticationMechanism.class */
public class SpnegoAuthenticationMechanism implements HttpServerAuthenticationMechanism {
    private static final String CHALLENGE_PREFIX = "Negotiate ";
    private static final String GSS_CONTEXT_KEY = SpnegoAuthenticationMechanism.class.getName() + ".GSSContext";
    private static final String KERBEROS_TICKET = SpnegoAuthenticationMechanism.class.getName() + ".KerberosTicket";
    private final CallbackHandler callbackHandler;
    private final GSSManager gssManager;

    /* JADX INFO: Access modifiers changed from: package-private */
    public SpnegoAuthenticationMechanism(CallbackHandler callbackHandler, Map<String, ?> map) {
        Assert.checkNotNullParam("callbackHandler", callbackHandler);
        Assert.checkNotNullParam("properties", map);
        this.callbackHandler = callbackHandler;
        this.gssManager = map.containsKey(HttpConstants.CONFIG_GSS_MANAGER) ? (GSSManager) map.get(HttpConstants.CONFIG_GSS_MANAGER) : GSSManager.getInstance();
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public String getMechanismName() {
        return "SPNEGO";
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public void evaluateRequest(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        HttpScope scope = httpServerRequest.getScope(Scope.CONNECTION);
        GSSContext gSSContext = scope != null ? (GSSContext) scope.getAttachment(GSS_CONTEXT_KEY, GSSContext.class) : null;
        KerberosTicket kerberosTicket = scope != null ? (KerberosTicket) scope.getAttachment(KERBEROS_TICKET, KerberosTicket.class) : null;
        ElytronMessages.log.tracef("Evaluating SPNEGO request: cached GSSContext = %s", gSSContext);
        if (gSSContext != null && gSSContext.isEstablished() && authorizeCachedGSSContext(gSSContext)) {
            ElytronMessages.log.trace("Successfully authorized using cached identity");
            httpServerRequest.authenticationComplete();
            return;
        }
        if (gSSContext == null) {
            ServerCredentialCallback serverCredentialCallback = new ServerCredentialCallback(GSSKerberosCredential.class);
            try {
                ElytronMessages.log.trace("Obtaining GSSCredential for the service from callback handler...");
                this.callbackHandler.handle(new Callback[]{serverCredentialCallback});
                GSSCredential gSSCredential = (GSSCredential) serverCredentialCallback.applyToCredential(GSSKerberosCredential.class, (v0) -> {
                    return v0.getGssCredential();
                });
                kerberosTicket = (KerberosTicket) serverCredentialCallback.applyToCredential(GSSKerberosCredential.class, (v0) -> {
                    return v0.getKerberosTicket();
                });
                if (gSSCredential == null) {
                    ElytronMessages.log.trace("GSSCredential for the service from callback handler is null - cannot perform SPNEGO authentication");
                    httpServerRequest.noAuthenticationInProgress();
                    return;
                }
                try {
                    gSSContext = this.gssManager.createContext(gSSCredential);
                    ElytronMessages.log.tracef("Using SpnegoAuthenticationMechanism to authenticate %s using the following mechanisms: [%s]", gSSCredential.getName(), gSSCredential.getMechs());
                    if (scope != null) {
                        scope.setAttachment(GSS_CONTEXT_KEY, gSSContext);
                        ElytronMessages.log.tracef("Caching GSSContext %s", gSSContext);
                        scope.setAttachment(KERBEROS_TICKET, kerberosTicket);
                        ElytronMessages.log.tracef("Caching KerberosTicket %s", kerberosTicket);
                    }
                } catch (GSSException e) {
                    throw ElytronMessages.log.mechUnableToCreateGssContext("SPNEGO", e).toHttpAuthenticationException();
                }
            } catch (IOException | UnsupportedCallbackException e2) {
                throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason("SPNEGO", e2).toHttpAuthenticationException();
            }
        }
        List<String> requestHeaderValues = httpServerRequest.getRequestHeaderValues("Authorization");
        Optional findFirst = requestHeaderValues != null ? requestHeaderValues.stream().filter(str -> {
            return str.startsWith(CHALLENGE_PREFIX);
        }).limit(1L).map(str2 -> {
            return str2.substring(CHALLENGE_PREFIX.length());
        }).findFirst() : Optional.empty();
        if (ElytronMessages.log.isTraceEnabled()) {
            ElytronMessages.log.tracef("Sent HTTP authorizations: [%s]", requestHeaderValues == null ? "null" : String.join(", ", requestHeaderValues));
        }
        if (findFirst.isPresent()) {
            ElytronMessages.log.trace("Processing incoming response to a challenge...");
            byte[] drain = ByteIterator.ofBytes(((String) findFirst.get()).getBytes(StandardCharsets.UTF_8)).base64Decode().drain();
            try {
                try {
                    GSSContext gSSContext2 = gSSContext;
                    byte[] bArr = (byte[]) Subject.doAs(new Subject(true, Collections.emptySet(), Collections.emptySet(), kerberosTicket != null ? Collections.singleton(kerberosTicket) : Collections.emptySet()), () -> {
                        return gSSContext2.acceptSecContext(drain, 0, drain.length);
                    });
                    if (gSSContext.isEstablished()) {
                        GSSCredential delegCred = gSSContext.getCredDelegState() ? gSSContext.getDelegCred() : null;
                        if (delegCred != null) {
                            ElytronMessages.log.trace("Associating delegated GSSCredential with identity.");
                            handleCallback(new IdentityCredentialCallback(new GSSKerberosCredential(delegCred), true));
                        } else {
                            ElytronMessages.log.trace("No GSSCredential delegated from client.");
                        }
                        ElytronMessages.log.trace("GSSContext established, authorizing...");
                        GSSName srcName = gSSContext.getSrcName();
                        if (srcName == null) {
                            ElytronMessages.log.trace("Authorization failed - srcName of GSSContext (name of initiator) is null - wrong realm or kdc?");
                            if (scope != null) {
                                scope.setAttachment(GSS_CONTEXT_KEY, null);
                            }
                            httpServerRequest.noAuthenticationInProgress(httpServerResponse -> {
                                sendChallenge(bArr, httpServerResponse, HttpConstants.UNAUTHORIZED);
                            });
                            return;
                        }
                        if (authorizeSrcName(srcName, gSSContext)) {
                            ElytronMessages.log.trace("GSSContext established and authorized - authentication complete");
                            httpServerRequest.authenticationComplete(httpServerResponse2 -> {
                                sendChallenge(bArr, httpServerResponse2, 0);
                            });
                            return;
                        } else {
                            ElytronMessages.log.trace("Authorization of established GSSContext failed");
                            handleCallback(AuthenticationCompleteCallback.FAILED);
                            httpServerRequest.authenticationFailed(ElytronMessages.log.authenticationFailed("SPNEGO"), httpServerResponse3 -> {
                                sendChallenge(bArr, httpServerResponse3, HttpConstants.FORBIDDEN);
                            });
                            return;
                        }
                    }
                    if (bArr != null) {
                        ElytronMessages.log.trace("GSSContext establishing - sending negotiation token to the peer");
                        httpServerRequest.authenticationInProgress(httpServerResponse4 -> {
                            sendChallenge(bArr, httpServerResponse4, HttpConstants.UNAUTHORIZED);
                        });
                        return;
                    }
                } catch (PrivilegedActionException e3) {
                    if (!(e3.getCause() instanceof GSSException)) {
                        throw new GeneralSecurityException(e3);
                    }
                    throw e3.getCause();
                }
            } catch (GeneralSecurityException | GSSException e4) {
                ElytronMessages.log.trace("GSSContext message exchange failed", e4);
                handleCallback(AuthenticationCompleteCallback.FAILED);
                httpServerRequest.authenticationFailed(ElytronMessages.log.authenticationFailed("SPNEGO"), this::sendBareChallenge);
                return;
            }
        }
        ElytronMessages.log.trace("Request lacks valid authentication credentials");
        if (scope != null) {
            scope.setAttachment(GSS_CONTEXT_KEY, null);
            scope.setAttachment(KERBEROS_TICKET, null);
        }
        httpServerRequest.noAuthenticationInProgress(this::sendBareChallenge);
    }

    private void sendBareChallenge(HttpServerResponse httpServerResponse) {
        httpServerResponse.addResponseHeader("WWW-Authenticate", HttpConstants.NEGOTIATE);
        httpServerResponse.setStatusCode(HttpConstants.UNAUTHORIZED);
    }

    private void sendChallenge(byte[] bArr, HttpServerResponse httpServerResponse, int i) {
        ElytronMessages.log.tracef("Sending intermediate challenge: %s", bArr);
        if (bArr == null) {
            httpServerResponse.addResponseHeader("WWW-Authenticate", HttpConstants.NEGOTIATE);
        } else {
            httpServerResponse.addResponseHeader("WWW-Authenticate", CHALLENGE_PREFIX + ByteIterator.ofBytes(bArr).base64Encode().drainToString());
        }
        if (i != 0) {
            httpServerResponse.setStatusCode(i);
        }
    }

    private boolean authorizeCachedGSSContext(GSSContext gSSContext) throws HttpAuthenticationException {
        try {
            GSSName srcName = gSSContext.getSrcName();
            boolean z = srcName != null && authorizeSrcName(srcName, gSSContext);
            if (z && gSSContext.getCredDelegState()) {
                GSSCredential delegCred = gSSContext.getDelegCred();
                if (delegCred != null) {
                    ElytronMessages.log.trace("Associating delegated GSSCredential with identity.");
                    handleCallback(new IdentityCredentialCallback(new GSSKerberosCredential(delegCred), true));
                } else {
                    ElytronMessages.log.trace("No GSSCredential delegated from client.");
                }
            }
            return z;
        } catch (GSSException e) {
            ElytronMessages.log.trace("GSSException while obtaining srcName of GSSContext (name of initiator)");
            handleCallback(AuthenticationCompleteCallback.FAILED);
            throw ElytronMessages.log.mechServerSideAuthenticationFailed("SPNEGO", e).toHttpAuthenticationException();
        }
    }

    private boolean authorizeSrcName(GSSName gSSName, GSSContext gSSContext) throws HttpAuthenticationException {
        boolean z = false;
        try {
            String gSSName2 = gSSName.toString();
            Callback authorizeCallback = new AuthorizeCallback(gSSName2, gSSName2);
            this.callbackHandler.handle(new Callback[]{authorizeCallback});
            z = authorizeCallback.isAuthorized();
            ElytronMessages.log.tracef("Authorized by callback handler = %b  clientName = [%s]", Boolean.valueOf(z), gSSName2);
        } catch (IOException e) {
            ElytronMessages.log.trace("IOException during AuthorizeCallback handling", e);
            throw ElytronMessages.log.mechServerSideAuthenticationFailed("SPNEGO", e).toHttpAuthenticationException();
        } catch (UnsupportedCallbackException e2) {
        }
        if (z) {
            if (gSSContext.getCredDelegState()) {
                try {
                    GSSCredential delegCred = gSSContext.getDelegCred();
                    ElytronMessages.log.tracef("Credential delegation enabled, delegated credential = %s", delegCred);
                    MechanismUtil.handleCallbacks("SPNEGO", this.callbackHandler, new IdentityCredentialCallback(new GSSKerberosCredential(delegCred), true));
                } catch (UnsupportedCallbackException e3) {
                } catch (AuthenticationMechanismException e4) {
                    throw e4.toHttpAuthenticationException();
                } catch (GSSException e5) {
                    throw new HttpAuthenticationException((Throwable) e5);
                }
            } else {
                ElytronMessages.log.trace("Credential delegation not enabled");
            }
        }
        handleCallback(z ? AuthenticationCompleteCallback.SUCCEEDED : AuthenticationCompleteCallback.FAILED);
        return z;
    }

    private void handleCallback(Callback callback) throws HttpAuthenticationException {
        try {
            MechanismUtil.handleCallbacks("SPNEGO", this.callbackHandler, callback);
        } catch (UnsupportedCallbackException e) {
        } catch (AuthenticationMechanismException e2) {
            throw e2.toHttpAuthenticationException();
        }
    }
}
