package org.apache.qpid.server.security.auth.manager;

import com.google.common.base.StandardSystemProperty;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Collections;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.security.TokenCarryingPrincipal;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/SpnegoAuthenticator.class */
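/**
 * Validates a SPNEGO token carried in an HTTP {@code Authorization: Negotiate <base64>} header
 * on behalf of a {@link KerberosAuthenticationManager}.
 *
 * <p>Flow: the header value is checked for the {@code Negotiate } prefix (case-insensitively),
 * base64-decoded, and then accepted through the JGSS acceptor side of the SPNEGO mechanism while
 * running as the service {@link Subject} obtained from a JAAS login in the provider's SPNEGO login
 * scope. On success the result carries a principal whose name is the GSS source name (optionally
 * with the Kerberos realm stripped) and whose token map holds the {@code WWW-Authenticate} value
 * the HTTP layer should send back so the client can complete mutual authentication.
 *
 * <p>Every failure path returns an {@link AuthenticationResult} with status {@code ERROR}
 * (fail closed); no exception escapes {@link #authenticate(String)} for malformed input.
 *
 * <p>Constraints visible in this implementation, which a deployer should be aware of:
 * <ul>
 *   <li>Only a single-leg negotiation is supported: a context that is not established after the
 *       one token presented, or that yields no response token, is treated as a failure.</li>
 *   <li>When realm stripping is enabled on the provider, {@code alice@REALM_A} and
 *       {@code alice@REALM_B} collapse to the same local name {@code alice}; only enable it when
 *       the KDC trust configuration makes that acceptable.</li>
 * </ul>
 */
public class SpnegoAuthenticator {
    private static final Logger LOGGER = LoggerFactory.getLogger(SpnegoAuthenticator.class);
    public static final String REQUEST_AUTH_HEADER_NAME = "Authorization";
    public static final String RESPONSE_AUTH_HEADER_NAME = "WWW-Authenticate";
    public static final String RESPONSE_AUTH_HEADER_VALUE_NEGOTIATE = "Negotiate";
    public static final String AUTH_TYPE = "SPNEGO";
    static final String NEGOTIATE_PREFIX = "Negotiate ";
    /** Mechanism OID for SPNEGO (RFC 4178), used to acquire the acceptor credential. */
    private static final String SPNEGO_MECHANISM_OID = "1.3.6.1.5.5.2";
    private final KerberosAuthenticationManager _kerberosProvider;

    /**
     * @param kerberosAuthenticationManager provider supplying the JAAS login scope, the
     *        realm-stripping flag and the origin reported on authenticated principals
     */
    SpnegoAuthenticator(final KerberosAuthenticationManager kerberosAuthenticationManager) {
        this._kerberosProvider = kerberosAuthenticationManager;
    }

    /**
     * Authenticates the raw value of an HTTP {@code Authorization} header.
     *
     * @param authorizationHeader header value, or {@code null} when the header is absent
     * @return the authentication outcome; {@code ERROR} when the header is missing, does not carry
     *         the {@code Negotiate } scheme, decodes to an empty or malformed token, or the token
     *         fails validation
     */
    public AuthenticationResult authenticate(final String authorizationHeader) {
        if (authorizationHeader == null) {
            LOGGER.debug("'Authorization' header is not set");
            return error();
        }
        if (!hasNegotiatePrefix(authorizationHeader)) {
            LOGGER.debug("'Authorization' header value does not start with '{}'", NEGOTIATE_PREFIX);
            return error();
        }

        final byte[] token;
        try {
            token = Base64.getDecoder().decode(authorizationHeader.substring(NEGOTIATE_PREFIX.length()));
        } catch (IllegalArgumentException e) {
            // Client-controlled input: log at debug only and fail closed.
            LOGGER.debug("Ticket decoding failed", e);
            return error();
        }
        if (token.length == 0) {
            LOGGER.debug("Empty ticket");
            return error();
        }

        try {
            return authenticate(token);
        } catch (RuntimeException e) {
            // Keep the original fail-closed contract: an unexpected runtime failure in the
            // JAAS/GSS path must not propagate to the HTTP layer as a 500 with internal detail.
            LOGGER.debug("Ticket validation failed unexpectedly", e);
            return error();
        }
    }

    /**
     * Case-insensitive check for the {@code Negotiate } scheme prefix.
     * The value must be strictly longer than the prefix: a bare scheme with no token is rejected.
     */
    private static boolean hasNegotiatePrefix(final String headerValue) {
        return headerValue.length() > NEGOTIATE_PREFIX.length()
                && headerValue.regionMatches(true, 0, NEGOTIATE_PREFIX, 0, NEGOTIATE_PREFIX.length());
    }

    /**
     * Validates an already-decoded SPNEGO token.
     *
     * <p>Performs a JAAS login in the provider's SPNEGO scope to obtain the service credentials,
     * validates the token as that subject, and always logs the context out afterwards.
     *
     * @param token the decoded SPNEGO token (must be non-null and non-empty)
     * @return the authentication outcome; {@code ERROR} carrying the cause when the JAAS login
     *         itself fails
     */
    public AuthenticationResult authenticate(final byte[] token) {
        LoginContext loginContext = null;
        try {
            loginContext = new LoginContext(_kerberosProvider.getSpnegoLoginConfigScope());
            loginContext.login();
            return doAuthenticate(loginContext.getSubject(), token);
        } catch (LoginException e) {
            // Service-side configuration problem (keytab, krb5 config, JAAS scope) - not caused by
            // the client, so it is logged at error level.
            LOGGER.error("JAAS login failed", e);
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
        } finally {
            logoutQuietly(loginContext);
        }
    }

    /** Logs out of a JAAS context if one was created; logout failures are best-effort. */
    private static void logoutQuietly(final LoginContext loginContext) {
        if (loginContext == null) {
            return;
        }
        try {
            loginContext.logout();
        } catch (LoginException e) {
            LOGGER.debug("JAAS logout failed", e);
        }
    }

    /**
     * Runs the GSS acceptor side of SPNEGO for {@code token} as {@code subject}.
     *
     * <p>The acceptor credential is acquired for the SPNEGO mechanism with
     * {@link GSSCredential#ACCEPT_ONLY} usage. The {@link GSSContext} is disposed on every path,
     * including exceptions thrown from inside the privileged actions.
     *
     * @return a result carrying a {@link TokenCarryingPrincipal} on success, otherwise {@code ERROR}
     */
    private AuthenticationResult doAuthenticate(final Subject subject, final byte[] token) {
        GSSContext context = null;
        try {
            final GSSManager manager = GSSManager.getInstance();
            final int credentialLifetime = isIbmJdk()
                    ? GSSCredential.INDEFINITE_LIFETIME
                    : GSSCredential.DEFAULT_LIFETIME;

            final GSSCredential acceptorCredential = Subject.doAs(subject,
                    (PrivilegedExceptionAction<GSSCredential>) () -> manager.createCredential(
                            null,
                            credentialLifetime,
                            new Oid(SPNEGO_MECHANISM_OID),
                            GSSCredential.ACCEPT_ONLY));
            context = manager.createContext(acceptorCredential);

            final GSSContext acceptor = context;
            final byte[] responseToken = Subject.doAs(subject,
                    (PrivilegedExceptionAction<byte[]>) () -> acceptor.acceptSecContext(token, 0, token.length));
            if (responseToken == null) {
                // No token to return to the client is treated as a failed validation; mutual
                // authentication (and thus a response token) is expected here.
                LOGGER.debug("Ticket validation failed");
                return error();
            }

            final String principalName = Subject.doAs(subject,
                    (PrivilegedExceptionAction<String>) () -> extractPrincipalName(acceptor));
            if (principalName == null) {
                // Context not established after a single leg, or the source name was unavailable.
                return error();
            }

            final Map<String, String> tokens = Collections.singletonMap(
                    RESPONSE_AUTH_HEADER_NAME,
                    NEGOTIATE_PREFIX + Base64.getEncoder().encodeToString(responseToken));
            return new AuthenticationResult(new SpnegoPrincipal(principalName, _kerberosProvider, tokens));
        } catch (GSSException e) {
            LOGGER.debug("Ticket validation failed", e);
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, (Exception) e);
        } catch (PrivilegedActionException e) {
            // A GSSException wrapped by doAs is a client-side token problem (debug); anything else
            // is unexpected on the service side and is surfaced at error level.
            if (e.getException() instanceof GSSException) {
                LOGGER.debug("Service login failed", e);
            } else {
                LOGGER.error("Service login failed", e);
            }
            return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR, e);
        } finally {
            disposeQuietly(context);
        }
    }

    /**
     * Returns the (optionally realm-stripped) GSS source name of an established context, or
     * {@code null} when the context is not yet established or the name cannot be read.
     */
    private String extractPrincipalName(final GSSContext context) {
        if (!context.isEstablished()) {
            return null;
        }
        GSSName sourceName = null;
        try {
            sourceName = context.getSrcName();
        } catch (GSSException e) {
            LOGGER.error("Unable to get src name from gss context", e);
        }
        return sourceName == null ? null : stripRealmNameIfRequired(sourceName.toString());
    }

    /** Releases a GSS context if one was created; dispose failures are best-effort. */
    private static void disposeQuietly(final GSSContext context) {
        if (context == null) {
            return;
        }
        try {
            context.dispose();
        } catch (GSSException e) {
            LOGGER.debug("Failed to dispose GSS context", e);
        }
    }

    /**
     * IBM's JGSS implementation is given an indefinite credential lifetime; other JDKs use the
     * mechanism default. The vendor check is locale-independent so a Turkish default locale
     * cannot break the upper-casing of "ibm".
     */
    private static boolean isIbmJdk() {
        final String vendor = String.valueOf(System.getProperty(StandardSystemProperty.JAVA_VENDOR.key()));
        return vendor.toUpperCase(Locale.ROOT).contains("IBM");
    }

    private static AuthenticationResult error() {
        return new AuthenticationResult(AuthenticationResult.AuthenticationStatus.ERROR);
    }

    /**
     * Removes the {@code @REALM} suffix when the provider is configured to do so.
     * Only the first {@code @} is considered and it must not be the first character, so a name
     * that starts with {@code @} or has no realm is returned unchanged.
     */
    private String stripRealmNameIfRequired(final String principalName) {
        if (!_kerberosProvider.isStripRealmFromPrincipalName() || principalName == null) {
            return principalName;
        }
        final int realmSeparator = principalName.indexOf('@');
        return realmSeparator > 0 ? principalName.substring(0, realmSeparator) : principalName;
    }

    /**
     * Immutable principal produced by a successful SPNEGO exchange. Its token map carries the
     * {@code WWW-Authenticate} response token for the client; equality covers name, origin and
     * tokens so two results from different exchanges are not conflated.
     */
    private static final class SpnegoPrincipal implements TokenCarryingPrincipal {
        private final String _name;
        private final ConfiguredObject<?> _origin;
        private final Map<String, String> _tokens;

        SpnegoPrincipal(final String name, final ConfiguredObject<?> origin, final Map<String, String> tokens) {
            _name = name;
            _origin = origin;
            _tokens = tokens;
        }

        @Override
        public Map<String, String> getTokens() {
            return _tokens;
        }

        @Override
        public ConfiguredObject<?> getOrigin() {
            return _origin;
        }

        @Override
        public String getName() {
            return _name;
        }

        @Override
        public boolean equals(final Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof TokenCarryingPrincipal)) {
                return false;
            }
            final TokenCarryingPrincipal other = (TokenCarryingPrincipal) obj;
            if (!getName().equals(other.getName()) || !getTokens().equals(other.getTokens())) {
                return false;
            }
            return getOrigin() != null ? getOrigin().equals(other.getOrigin()) : other.getOrigin() == null;
        }

        @Override
        public int hashCode() {
            int result = getName().hashCode();
            result = 31 * result + (getOrigin() != null ? getOrigin().hashCode() : 0);
            return 31 * result + getTokens().hashCode();
        }
    }
}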
