package org.keycloak.authentication.authenticators.browser;

import java.net.URI;
import java.util.Map;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;

/* loaded from: input_file:org/keycloak/authentication/authenticators/browser/SpnegoAuthenticator.class */
/**
 * Browser-flow authenticator that performs HTTP {@code Negotiate} (SPNEGO) authentication.
 *
 * <p>The authenticator reads the {@code Authorization} request header, hands the token that follows
 * the {@code Negotiate} scheme to the user storage layer, and maps the validation result onto the
 * authentication flow (success, further challenge, failure, or "attempted").
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The header value is client-controlled. This class checks only its shape (scheme plus exactly
 *       one token); the token itself is validated by whatever provider answers
 *       {@code getUserByCredential}.</li>
 *   <li>Every entry of the state map returned by that provider is copied into the authentication
 *       session as a user session note, without filtering.</li>
 *   <li>{@link #bypassChallengeJavascript} is a public, mutable, static flag, so any code in the same
 *       JVM can change the fallback page for all callers.</li>
 * </ul>
 */
public class SpnegoAuthenticator extends AbstractUsernameFormAuthenticator implements Authenticator {
    public static final String KERBEROS_DISABLED = "kerberos_disabled";
    private static final Logger logger = Logger.getLogger(SpnegoAuthenticator.class);

    // When true, the fallback page from optionalChallengeRedirect() omits the onload auto-submit.
    // NOTE(review): presumably a test hook; it is process-wide and not synchronized — confirm who sets it.
    public static boolean bypassChallengeJavascript = false;

    /**
     * Reports that this authenticator does not need a user to be identified beforehand.
     *
     * @return always {@code false}
     */
    public boolean requiresUser() {
        return false;
    }

    /**
     * Handles the form post coming back from the fallback page by marking this execution as attempted.
     *
     * @param authenticationFlowContext the current flow context
     */
    @Override
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        authenticationFlowContext.attempted();
    }

    /**
     * Processes the {@code Authorization} header of the current request.
     *
     * <p>Outcomes, in the order they are checked:
     * <ol>
     *   <li>no header: a {@code Negotiate} challenge is forced;</li>
     *   <li>header splits into zero parts, or the scheme is not {@code Negotiate}
     *       (case-insensitive): the execution is marked attempted;</li>
     *   <li>anything other than exactly "scheme token": failure with
     *       {@code INVALID_CREDENTIALS};</li>
     *   <li>no provider result: a warning is logged and the execution is marked attempted;</li>
     *   <li>status {@code CONTINUE}: a new challenge carrying the provider's response token;</li>
     *   <li>any other non-authenticated status: an error event plus {@code INVALID_CREDENTIALS};</li>
     *   <li>status {@code AUTHENTICATED}: the user is set, provider state is copied into user
     *       session notes, and the flow succeeds.</li>
     * </ol>
     *
     * @param authenticationFlowContext the current flow context
     */
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        String authorization = (String) authenticationFlowContext.getHttpRequest().getHttpHeaders().getRequestHeaders().getFirst(Cors.AUTHORIZATION_HEADER);
        if (authorization == null) {
            authenticationFlowContext.forceChallenge(challengeNegotiation(authenticationFlowContext, null));
            return;
        }

        // The header is split on single spaces only, so repeated spaces yield extra (empty) parts
        // and end up in the "length != 2" rejection below.
        String[] parts = authorization.split(" ");
        if (parts.length == 0) {
            logger.debug("Invalid length of tokens: " + parts.length);
            authenticationFlowContext.attempted();
            return;
        }

        String scheme = parts[0];
        if (!"Negotiate".equalsIgnoreCase(scheme)) {
            // The scheme comes straight from the request and is written to the debug log as received.
            logger.debug("Unknown scheme " + scheme);
            authenticationFlowContext.attempted();
            return;
        }

        if (parts.length != 2) {
            authenticationFlowContext.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        // The token is passed on unmodified; no decoding or validation happens in this class.
        CredentialValidationOutput output = authenticationFlowContext.getSession().users()
                .getUserByCredential(authenticationFlowContext.getRealm(), UserCredentialModel.kerberos(parts[1]));
        if (output == null) {
            logger.warn("Received kerberos token, but there is no user storage provider that handles kerberos credentials.");
            authenticationFlowContext.attempted();
            return;
        }

        CredentialValidationOutput.Status status = output.getAuthStatus();
        if (status == CredentialValidationOutput.Status.CONTINUE) {
            // Multi-step negotiation: send the provider's response token back to the client.
            authenticationFlowContext.challenge(challengeNegotiation(authenticationFlowContext, (String) output.getState().get("SpnegoResponseToken")));
            return;
        }
        if (status != CredentialValidationOutput.Status.AUTHENTICATED) {
            authenticationFlowContext.getEvent().error("invalid_user_credentials");
            authenticationFlowContext.failure(AuthenticationFlowError.INVALID_CREDENTIALS);
            return;
        }

        authenticationFlowContext.setUser(output.getAuthenticatedUser());

        // Everything the provider put into its state map becomes a user session note.
        // NOTE(review): keys and values are not filtered here — confirm the provider only emits
        // values that are safe to keep in the session.
        Map<?, ?> state = output.getState();
        if (state != null && !state.isEmpty()) {
            for (Map.Entry<?, ?> note : state.entrySet()) {
                authenticationFlowContext.getAuthenticationSession().setUserSessionNote((String) note.getKey(), (String) note.getValue());
            }
        }
        authenticationFlowContext.success();
    }

    /**
     * Builds the HTTP 401 response that asks the client to (continue to) negotiate.
     *
     * <p>If the execution is required, an error page is rendered through {@link LoginFormsProvider};
     * otherwise the response comes from {@link #optionalChallengeRedirect}.
     *
     * @param context       the current flow context
     * @param responseToken token to append after {@code Negotiate}, or {@code null} for a bare challenge
     * @return the challenge response carrying a {@code WWW-Authenticate} header
     */
    private Response challengeNegotiation(AuthenticationFlowContext context, String responseToken) {
        String headerValue;
        if (responseToken == null) {
            headerValue = "Negotiate";
        } else {
            headerValue = "Negotiate " + responseToken;
        }

        // With trace logging enabled the full header value, including the response token, is logged.
        if (logger.isTraceEnabled()) {
            logger.trace("Sending back WWW-Authenticate: " + headerValue);
        }

        if (context.getExecution().isRequired()) {
            return context.getSession().getProvider(LoginFormsProvider.class)
                    .setAuthenticationSession(context.getAuthenticationSession())
                    .setResponseHeader("WWW-Authenticate", headerValue)
                    .setError(Messages.KERBEROS_NOT_ENABLED, new Object[0])
                    .createErrorPage(Response.Status.UNAUTHORIZED);
        }
        return optionalChallengeRedirect(context, headerValue);
    }

    /**
     * Builds the 401 response used when this execution is not required: an HTML page whose only
     * content is a form that posts to the flow's action URL, so a client that cannot negotiate
     * moves on to the next step.
     *
     * <p>The form is submitted automatically on load unless {@link #bypassChallengeJavascript} is set;
     * a {@code NOSCRIPT} block offers a manual button.
     *
     * @param authenticationFlowContext the current flow context
     * @param str                       value for the {@code WWW-Authenticate} response header
     * @return a {@code text/html} response with status 401
     */
    protected Response optionalChallengeRedirect(AuthenticationFlowContext authenticationFlowContext, String str) {
        URI actionUrl = authenticationFlowContext.getActionUrl(authenticationFlowContext.generateAccessCode());

        String bodyTag = bypassChallengeJavascript ? "<BODY>" : "<BODY Onload=\"document.forms[0].submit()\">";

        // NOTE(review): the action URL is written into the attribute without HTML escaping; this
        // relies on the value being a server-generated URI — confirm nothing request-derived can
        // reach it unencoded.
        String page = new StringBuilder()
                .append("<HTML>")
                .append("<HEAD>")
                .append("<TITLE>Kerberos Unsupported</TITLE>")
                .append("</HEAD>")
                .append(bodyTag)
                .append("<FORM METHOD=\"POST\" ACTION=\"").append(actionUrl.toString()).append("\">")
                .append("<NOSCRIPT>")
                .append("<P>JavaScript is disabled. We strongly recommend to enable it. You were unable to login via Kerberos.  Click the button below to login via an alternative method .</P>")
                .append("<INPUT name=\"continue\" TYPE=\"SUBMIT\" VALUE=\"CONTINUE\" />")
                .append("</NOSCRIPT>")
                .append("</FORM></BODY></HTML>")
                .toString();

        return Response.status(Response.Status.UNAUTHORIZED)
                .header("WWW-Authenticate", str)
                .type(MediaType.TEXT_HTML_TYPE)
                .entity(page)
                .build();
    }

    /**
     * Reports this authenticator as configured for every user.
     *
     * @return always {@code true}
     */
    public boolean configuredFor(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
        return true;
    }

    /** Does nothing; this authenticator registers no required actions. */
    public void setRequiredActions(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel) {
    }

    /** Does nothing; this authenticator holds no resources to release. */
    @Override
    public void close() {
    }
}
