package org.apache.qpid.server.management.plugin.servlet.rest;

import java.io.IOException;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Random;
import javax.security.auth.Subject;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;
import org.apache.qpid.server.management.plugin.HttpManagementConfiguration;
import org.apache.qpid.server.management.plugin.HttpManagementUtil;
import org.apache.qpid.server.management.plugin.servlet.ServletConnectionPrincipal;
import org.apache.qpid.server.security.SubjectCreator;
import org.apache.qpid.server.security.auth.AuthenticatedPrincipal;
import org.apache.qpid.server.util.ConnectionScopedRuntimeException;
import org.codehaus.jackson.map.ObjectMapper;
import org.codehaus.jackson.map.SerializationConfig;

/* loaded from: input_file:org/apache/qpid/server/management/plugin/servlet/rest/SaslServlet.class */
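/**
 * Drives a SASL authentication exchange for the HTTP management interface.
 *
 * <p>{@code GET} returns the mechanisms offered by the request's authentication provider
 * together with the currently authenticated user, if any. {@code POST} performs one round of
 * the exchange: the opening request carries {@code mechanism} (and optionally an initial
 * {@code response}); each following request carries the {@code id} returned by the previous
 * round plus the client's {@code response}. Exchange state is kept in the {@link HttpSession}
 * and must be continued within {@link #SASL_EXCHANGE_EXPIRY} milliseconds; otherwise it is
 * discarded and the request is answered with 417.
 *
 * <p>The exchange {@code id} only correlates a client's next request with the exchange held
 * in its own session (see {@link #currentExchange}); the session cookie is what binds the
 * exchange to the client, so the id is not treated as a secret.
 */
public class SaslServlet extends AbstractServlet {
    private static final Logger LOGGER = Logger.getLogger(SaslServlet.class);
    /** Seeds the per-session {@link Random} created by {@link #getRandom(HttpSession)}. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    /** Session attribute: per-session generator for exchange ids. */
    private static final String ATTR_RANDOM = "SaslServlet.Random";
    /** Session attribute: id the client must echo back to continue the current exchange. */
    private static final String ATTR_ID = "SaslServlet.ID";
    /** Session attribute: {@link SaslServer} holding the in-progress exchange. */
    private static final String ATTR_SASL_SERVER = "SaslServlet.SaslServer";
    /** Session attribute: epoch millis after which the stored exchange is no longer accepted. */
    private static final String ATTR_EXPIRY = "SaslServlet.Expiry";
    /** Window, in milliseconds, within which the client must send the next round. */
    private static final long SASL_EXCHANGE_EXPIRY = 1000;
    private static final String PARAM_MECHANISM = "mechanism";
    private static final String PARAM_ID = "id";
    private static final String PARAM_RESPONSE = "response";
    /** Shared mapper; it is fully configured here, before first use, so sharing it is safe. */
    private static final ObjectMapper JSON_MAPPER = createJsonMapper();

    /**
     * Lists the SASL mechanisms offered to this request and, when known, the current user.
     *
     * <p>Response body is JSON: {@code {"user": ..., "mechanisms": [...]}}, where {@code user}
     * is omitted if neither an authorised subject nor a container remote user is present.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @throws ServletException never thrown here; declared by the overridden method
     * @throws IOException      if the response body cannot be written
     */
    @Override // org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet
    protected void doGetWithSubjectAndActor(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        setJsonNoCacheHeaders(httpServletResponse);
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        // Make sure the session owns its exchange-id generator before the first POST arrives.
        getRandom(httpServletRequest.getSession());
        String[] mechanisms = getSubjectCreator(httpServletRequest).getMechanisms().split(" ");

        Map<String, Object> body = new LinkedHashMap<String, Object>();
        Subject authorisedSubject = getAuthorisedSubject(httpServletRequest);
        if (authorisedSubject != null) {
            body.put("user", AuthenticatedPrincipal.getAuthenticatedPrincipalFromSubject(authorisedSubject).getName());
        } else if (httpServletRequest.getRemoteUser() != null) {
            body.put("user", httpServletRequest.getRemoteUser());
        }
        body.put("mechanisms", mechanisms);
        writeJson(httpServletResponse, body);
    }

    /**
     * Returns the session's exchange-id generator, creating and storing it on first use.
     *
     * <p>The generator is a {@link Random} seeded from {@link #SECURE_RANDOM}; it produces the
     * correlation ids handed out by {@link #evaluateSaslResponse}.
     *
     * @param httpSession the session owning the generator
     * @return the generator stored under {@link #ATTR_RANDOM}
     */
    private Random getRandom(HttpSession httpSession) {
        Random random = (Random) httpSession.getAttribute(ATTR_RANDOM);
        if (random == null) {
            synchronized (SECURE_RANDOM) {
                random = new Random(SECURE_RANDOM.nextLong());
            }
            httpSession.setAttribute(ATTR_RANDOM, random);
        }
        return random;
    }

    /**
     * Performs one round of the SASL exchange.
     *
     * <p>Exactly one of {@code mechanism} (start a new exchange) or {@code id} (continue the
     * exchange identified by a previous round) must be present. Any other combination, an
     * unknown or expired {@code id}, or a missing stored server answers 417 and discards the
     * session's exchange state.
     *
     * @param httpServletRequest  the request carrying {@code mechanism}/{@code id}/{@code response}
     * @param httpServletResponse the response
     * @throws IOException                     if the response body cannot be written
     * @throws ConnectionScopedRuntimeException if SASL authentication is disabled for this transport
     */
    @Override // org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet
    protected void doPostWithSubjectAndActor(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        checkSaslAuthEnabled(httpServletRequest);
        try {
            setJsonNoCacheHeaders(httpServletResponse);
            HttpSession session = httpServletRequest.getSession();
            String mechanism = httpServletRequest.getParameter(PARAM_MECHANISM);
            String id = httpServletRequest.getParameter(PARAM_ID);
            String saslResponse = httpServletRequest.getParameter(PARAM_RESPONSE);
            SubjectCreator subjectCreator = getSubjectCreator(httpServletRequest);

            if (mechanism != null) {
                if (id != null) {
                    // Both "start" and "continue" requested at once: ambiguous, reject.
                    rejectExchange(httpServletResponse, session);
                } else {
                    if (LOGGER.isDebugEnabled()) {
                        LOGGER.debug("Creating SaslServer for mechanism: " + mechanism);
                    }
                    // No pre-established principal is supplied; the cast keeps the same overload as before.
                    SaslServer saslServer = subjectCreator.createSaslServer(mechanism, httpServletRequest.getServerName(), (Principal) null);
                    evaluateSaslResponse(httpServletRequest, httpServletResponse, session, saslResponse, saslServer, subjectCreator);
                }
            } else if (id == null) {
                rejectExchange(httpServletResponse, session);
            } else {
                SaslServer stored = currentExchange(session, id);
                if (stored == null) {
                    rejectExchange(httpServletResponse, session);
                } else {
                    evaluateSaslResponse(httpServletRequest, httpServletResponse, session, saslResponse, stored, subjectCreator);
                }
            }
        } catch (IOException e) {
            LOGGER.error("Error processing SASL request", e);
            throw e;
        } catch (RuntimeException e2) {
            LOGGER.error("Error processing SASL request", e2);
            throw e2;
        }
    }

    /**
     * Rejects the request unless SASL authentication is enabled for the transport in use
     * (HTTPS and plain HTTP are configured independently).
     *
     * @param httpServletRequest the request, used to tell HTTPS from HTTP
     * @throws ConnectionScopedRuntimeException if SASL authentication is disabled
     */
    private void checkSaslAuthEnabled(HttpServletRequest httpServletRequest) {
        HttpManagementConfiguration managementConfiguration = getManagementConfiguration();
        boolean enabled = httpServletRequest.isSecure()
                ? managementConfiguration.isHttpsSaslAuthenticationEnabled()
                : managementConfiguration.isHttpSaslAuthenticationEnabled();
        if (!enabled) {
            throw new ConnectionScopedRuntimeException("Sasl authentication disabled.");
        }
    }

    /**
     * Feeds the client's response to {@code saslServer} and either completes authentication or
     * sends the next challenge.
     *
     * <p>On completion the resulting subject is checked for management access and saved to the
     * session (200), or the request is answered 403. Otherwise the server and a fresh id are
     * stored in the session and {@code {"id": ..., "challenge": <base64>}} is written. If the
     * mechanism rejects the response, the exchange is discarded and 401 is returned.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @param httpSession         the session holding exchange state
     * @param saslResponse        base64-encoded client response, or {@code null} for an empty one
     * @param saslServer          the server driving this exchange
     * @param subjectCreator      creates the subject for the authorised identity
     * @throws IOException if the response body cannot be written
     */
    private void evaluateSaslResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, String saslResponse, SaslServer saslServer, SubjectCreator subjectCreator) throws IOException {
        try {
            byte[] challenge = saslServer.evaluateResponse(decodeResponse(saslResponse));
            if (saslServer.isComplete()) {
                completeAuthentication(httpServletRequest, httpServletResponse, httpSession, saslServer, subjectCreator);
                return;
            }
            String id = String.valueOf(getRandom(httpSession).nextLong());
            storeSaslState(httpSession, id, saslServer);
            httpServletResponse.setStatus(HttpServletResponse.SC_OK);

            Map<String, Object> body = new LinkedHashMap<String, Object>();
            body.put("id", id);
            body.put("challenge", new String(Base64.encodeBase64(challenge), StandardCharsets.US_ASCII));
            writeJson(httpServletResponse, body);
        } catch (SaslException e) {
            // The mechanism rejected the response: the exchange cannot continue.
            LOGGER.debug("SASL exchange failed", e);
            abandonExchange(httpSession, saslServer);
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }

    /**
     * Finishes a completed exchange: builds the subject, enforces management access, saves the
     * subject to the session and clears the exchange state. Answers 200, or 403 when access is
     * denied (the exchange state is cleared in both cases).
     */
    private void completeAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession, SaslServer saslServer, SubjectCreator subjectCreator) throws IOException {
        Subject withGroups = subjectCreator.createSubjectWithGroups(saslServer.getAuthorizationID());
        // Copy so the connection principal can be added before the subject is frozen.
        Subject subject = new Subject(false, withGroups.getPrincipals(), withGroups.getPublicCredentials(), withGroups.getPrivateCredentials());
        subject.getPrincipals().add(new ServletConnectionPrincipal(httpServletRequest));
        subject.setReadOnly();
        try {
            HttpManagementUtil.assertManagementAccess(getBroker().getSecurityManager(), subject);
        } catch (SecurityException e) {
            // Authenticated but not allowed to manage: nothing of the exchange should linger.
            abandonExchange(httpSession, saslServer);
            sendError(httpServletResponse, HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // NOTE(review): the subject is saved into the session that existed before
        // authentication; whether saveAuthorisedSubject rotates the session id is not visible
        // here — confirm, to rule out session fixation.
        HttpManagementUtil.saveAuthorisedSubject(httpServletRequest.getSession(), subject);
        abandonExchange(httpSession, saslServer);
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
    }

    /**
     * Returns the {@link SaslServer} of the exchange the client is continuing, or {@code null}
     * when {@code id} does not match the session's current exchange id, the exchange has
     * expired, or no server is stored (a missing expiry counts as expired).
     */
    private static SaslServer currentExchange(HttpSession session, String id) {
        Object expectedId = session.getAttribute(ATTR_ID);
        Long expiry = (Long) session.getAttribute(ATTR_EXPIRY);
        if (expectedId == null || !id.equals(expectedId) || expiry == null
                || System.currentTimeMillis() >= expiry.longValue()) {
            return null;
        }
        return (SaslServer) session.getAttribute(ATTR_SASL_SERVER);
    }

    /** Stores the exchange state for the next round, releasing any previously stored server. */
    private static void storeSaslState(HttpSession session, String id, SaslServer saslServer) {
        SaslServer previous = (SaslServer) session.getAttribute(ATTR_SASL_SERVER);
        if (previous != null && previous != saslServer) {
            // A new exchange started while an older one was still pending.
            disposeQuietly(previous);
        }
        session.setAttribute(ATTR_ID, id);
        session.setAttribute(ATTR_SASL_SERVER, saslServer);
        session.setAttribute(ATTR_EXPIRY, Long.valueOf(System.currentTimeMillis() + SASL_EXCHANGE_EXPIRY));
    }

    /**
     * Removes the exchange attributes from the session.
     *
     * @return the server that was stored, or {@code null}; the caller is responsible for disposing it
     */
    private static SaslServer removeSaslState(HttpSession session) {
        SaslServer stored = (SaslServer) session.getAttribute(ATTR_SASL_SERVER);
        session.removeAttribute(ATTR_ID);
        session.removeAttribute(ATTR_SASL_SERVER);
        session.removeAttribute(ATTR_EXPIRY);
        return stored;
    }

    /** Clears the session's exchange state and disposes both the stored server and {@code current} (once each). */
    private static void abandonExchange(HttpSession session, SaslServer current) {
        SaslServer stored = removeSaslState(session);
        if (stored != current) {
            disposeQuietly(stored);
        }
        disposeQuietly(current);
    }

    /** Answers 417 and discards whatever exchange the session holds. */
    private static void rejectExchange(HttpServletResponse response, HttpSession session) {
        response.setStatus(HttpServletResponse.SC_EXPECTATION_FAILED);
        disposeQuietly(removeSaslState(session));
    }

    /** Releases a server's resources; a failure to dispose is logged rather than propagated. */
    private static void disposeQuietly(SaslServer saslServer) {
        if (saslServer == null) {
            return;
        }
        try {
            saslServer.dispose();
        } catch (SaslException e) {
            LOGGER.debug("Failed to dispose SaslServer", e);
        }
    }

    /** Decodes the client's base64 response; {@code null} stands for an empty response. */
    private static byte[] decodeResponse(String saslResponse) {
        if (saslResponse == null) {
            return new byte[0];
        }
        // Base64 is an ASCII alphabet, so the charset is fixed rather than platform-dependent.
        return Base64.decodeBase64(saslResponse.getBytes(StandardCharsets.US_ASCII));
    }

    /** Sets the JSON content type and the headers that keep responses out of caches. */
    private static void setJsonNoCacheHeaders(HttpServletResponse response) {
        response.setContentType("application/json");
        response.setHeader("Cache-Control", "no-cache");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);
    }

    /** Writes {@code body} as indented JSON to the response. */
    private static void writeJson(HttpServletResponse response, Map<String, Object> body) throws IOException {
        PrintWriter writer = response.getWriter();
        JSON_MAPPER.writeValue(writer, body);
    }

    private static ObjectMapper createJsonMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.configure(SerializationConfig.Feature.INDENT_OUTPUT, true);
        return mapper;
    }

    /**
     * Looks up the {@link SubjectCreator} of the authentication provider serving the socket this
     * request arrived on.
     */
    private SubjectCreator getSubjectCreator(HttpServletRequest httpServletRequest) {
        HttpManagementConfiguration configuration = HttpManagementUtil.getManagementConfiguration(getServletContext());
        return configuration.getAuthenticationProvider(HttpManagementUtil.getSocketAddress(httpServletRequest)).getSubjectCreator();
    }

    /**
     * Returns the subject already authorised in the session or, failing that, the result of
     * attempting to authenticate the request against the management configuration.
     *
     * @param httpServletRequest the request
     * @return the authorised subject, or {@code null} if neither source yields one
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet
    public Subject getAuthorisedSubject(HttpServletRequest httpServletRequest) {
        Subject authorisedSubject = HttpManagementUtil.getAuthorisedSubject(httpServletRequest.getSession());
        if (authorisedSubject != null) {
            return authorisedSubject;
        }
        return HttpManagementUtil.tryToAuthenticate(httpServletRequest, HttpManagementUtil.getManagementConfiguration(getServletContext()));
    }
}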
