package io.undertow.security.impl;

import io.undertow.UndertowLogger;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.GSSAPIServerSubjectFactory;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.GSSContextCredential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.proxy.ExclusivityChecker;
import io.undertow.util.AttachmentKey;
import io.undertow.util.FlexBase64;
import io.undertow.util.HeaderValues;
import io.undertow.util.Headers;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.commons.cli.HelpFormatter;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:io/undertow/security/impl/GSSAPIAuthenticationMechanism.class */
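/**
 * {@link AuthenticationMechanism} implementing HTTP {@code Negotiate} (SPNEGO / GSSAPI) authentication.
 *
 * <p>The token exchange may take several round trips. The partially established {@link GSSContext} is kept in a
 * {@link NegotiationContext} attached both to the current exchange and to the underlying connection, so that later
 * requests on the same connection continue the negotiation and, once it is established, reuse it without a new
 * token. Because the security context is bound to the connection, {@link #EXCLUSIVITY_CHECKER} lets proxy handlers
 * recognise requests that must stay on a single backend connection.
 *
 * <p>Each request that reuses an established context is still passed through the {@link IdentityManager}, so an
 * account that has been disabled in the meantime is rejected rather than silently re-admitted.
 *
 * <p>The mechanism name reported to the {@link SecurityContext} is {@code SPNEGO}. The accepted GSS mechanisms
 * default to SPNEGO and Kerberos V5 unless an explicit list is supplied to a constructor.
 */
public class GSSAPIAuthenticationMechanism implements AuthenticationMechanism {

    /**
     * Reports exclusivity for any request whose {@code Authorization} header carries a {@code Negotiate} token:
     * the (possibly partial) GSS context lives on the connection, so the request must not be moved to another one.
     */
    public static final ExclusivityChecker EXCLUSIVITY_CHECKER = new ExclusivityChecker() {
        @Override
        public boolean isExclusivityRequired(HttpServerExchange exchange) {
            return findNegotiateToken(exchange) != null;
        }
    };

    /** Bare scheme name sent as the initial {@code WWW-Authenticate} challenge. */
    private static final String NEGOTIATION_PLAIN = Headers.NEGOTIATE.toString();
    /** Scheme name plus the single space that separates it from the base64 token. */
    private static final String NEGOTIATE_PREFIX = Headers.NEGOTIATE + " ";
    /** SPNEGO and Kerberos V5, the mechanisms accepted when a constructor is given none. */
    private static final Oid[] DEFAULT_MECHANISMS;
    /** Mechanism name passed to {@link SecurityContext#authenticationComplete}. */
    private static final String name = "SPNEGO";

    /** Explicit identity manager, or {@code null} to use the one from the {@link SecurityContext}. */
    private final IdentityManager identityManager;
    private final GSSAPIServerSubjectFactory subjectFactory;
    private final Oid[] mechanisms;

    /**
     * Accepts one client token inside {@link Subject#doAs} so that the GSS calls run as the server's subject.
     * Exactly one instance is created per token; all negotiation state lives in the {@link NegotiationContext}.
     */
    public class AcceptSecurityContext implements PrivilegedExceptionAction<AuthenticationMechanismOutcome> {
        private final HttpServerExchange exchange;
        /** Decoded client token; read from {@code array()} starting at {@code arrayOffset()} for {@code limit()} bytes. */
        private final ByteBuffer challenge;
        private final SecurityContext securityContext;

        private AcceptSecurityContext(HttpServerExchange exchange, ByteBuffer challenge, SecurityContext securityContext) {
            this.exchange = exchange;
            this.challenge = challenge;
            this.securityContext = securityContext;
        }

        /**
         * Feeds the token to the (new or continued) {@link GSSContext} and, once the context is established,
         * verifies the peer with the identity manager.
         *
         * @return {@code AUTHENTICATED} when the context is established and the identity manager accepts it;
         *         {@code NOT_AUTHENTICATED} when the identity manager rejects it, or when the context needs another
         *         round trip (the response token is then stored for {@link #sendChallenge})
         * @throws GSSException if the token is malformed or cannot be accepted
         */
        @Override
        public AuthenticationMechanismOutcome run() throws GSSException {
            NegotiationContext negContext = exchange.getAttachment(NegotiationContext.ATTACHMENT_KEY);
            if (negContext == null) {
                negContext = new NegotiationContext();
                exchange.putAttachment(NegotiationContext.ATTACHMENT_KEY, negContext);
                // Also cache on the connection so that later requests on it continue this negotiation.
                exchange.getConnection().putAttachment(NegotiationContext.ATTACHMENT_KEY, negContext);
            }

            GSSContext gssContext = negContext.getGssContext();
            if (gssContext == null) {
                GSSManager manager = GSSManager.getInstance();
                gssContext = manager.createContext(manager.createCredential(
                        (GSSName) null, GSSCredential.INDEFINITE_LIFETIME, mechanisms, GSSCredential.ACCEPT_ONLY));
                negContext.setGssContext(gssContext);
            }

            // NOTE(review): limit() is used as the length, which assumes the buffer's position is 0 — confirm
            // this holds for every caller of runGSSAPI, not only for FlexBase64.decode output.
            byte[] responseToken = gssContext.acceptSecContext(
                    challenge.array(), challenge.arrayOffset(), challenge.limit());
            negContext.setResponseToken(responseToken);

            if (!negContext.isEstablished()) {
                // Not a failure: another round trip is needed, sendChallenge() will emit the stored token.
                return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            if (responseToken != null) {
                // Established with a final token for the client; no further challenge follows, so send it now.
                exchange.getResponseHeaders().add(Headers.WWW_AUTHENTICATE,
                        NEGOTIATE_PREFIX + FlexBase64.encodeString(responseToken, false));
            }

            // Same identity-manager selection as authenticate(): an explicitly configured manager takes precedence.
            Account account = getIdentityManager(securityContext)
                    .verify(new GSSContextCredential(negContext.getGssContext()));
            if (account == null) {
                return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            securityContext.authenticationComplete(account, name, false);
            return AuthenticationMechanismOutcome.AUTHENTICATED;
        }
    }

    /**
     * Per-connection negotiation state: the GSS context, the token still to be sent to the client, and a lazily
     * created principal.
     */
    public static class NegotiationContext {
        static final AttachmentKey<NegotiationContext> ATTACHMENT_KEY = AttachmentKey.create(NegotiationContext.class);

        private GSSContext gssContext;
        /** Token produced by the last acceptSecContext() call and not yet sent; cleared by useResponseToken(). */
        private byte[] responseToken;
        private Principal principal;

        private NegotiationContext() {
        }

        GSSContext getGssContext() {
            return gssContext;
        }

        void setGssContext(GSSContext gssContext) {
            this.gssContext = gssContext;
        }

        /** Returns the pending response token (may be {@code null}) and clears it so it is sent at most once. */
        byte[] useResponseToken() {
            byte[] token = responseToken;
            responseToken = null;
            return token;
        }

        void setResponseToken(byte[] responseToken) {
            this.responseToken = responseToken;
        }

        /** {@code true} once a GSS context exists and reports itself established. */
        boolean isEstablished() {
            return gssContext != null && gssContext.isEstablished();
        }

        /**
         * Kerberos principal of the authenticated peer, created from the context's source name on first use.
         *
         * @throws IllegalStateException if the context is not established or the source name cannot be read
         */
        Principal getPrincipal() {
            if (!isEstablished()) {
                throw new IllegalStateException("No established GSSContext to use for the Principal.");
            }
            if (principal == null) {
                try {
                    principal = new KerberosPrincipal(gssContext.getSrcName().toString());
                } catch (GSSException e) {
                    throw new IllegalStateException("Unable to create Principal", e);
                }
            }
            return principal;
        }
    }

    /**
     * @param subjectFactory  supplies the server {@link Subject} for the host named in the request
     * @param identityManager identity manager to verify peers with, or {@code null} to use the security context's
     * @param mechanisms      GSS mechanisms to accept
     */
    public GSSAPIAuthenticationMechanism(GSSAPIServerSubjectFactory subjectFactory, IdentityManager identityManager, Oid... mechanisms) {
        this.subjectFactory = subjectFactory;
        this.identityManager = identityManager;
        this.mechanisms = mechanisms;
    }

    /** As the three-argument constructor, using the {@link SecurityContext}'s identity manager. */
    public GSSAPIAuthenticationMechanism(GSSAPIServerSubjectFactory subjectFactory, Oid... mechanisms) {
        this(subjectFactory, null, mechanisms);
    }

    /** As the two-argument constructor, accepting SPNEGO and Kerberos V5. */
    public GSSAPIAuthenticationMechanism(GSSAPIServerSubjectFactory subjectFactory) {
        this(subjectFactory, DEFAULT_MECHANISMS);
    }

    /** The explicitly configured identity manager when there is one, otherwise the security context's. */
    private IdentityManager getIdentityManager(SecurityContext securityContext) {
        return identityManager != null ? identityManager : securityContext.getIdentityManager();
    }

    /**
     * Returns the base64 part of the first {@code Authorization: Negotiate ...} header value, or {@code null} when
     * the request carries no such value.
     */
    private static String findNegotiateToken(HttpServerExchange exchange) {
        HeaderValues authorization = exchange.getRequestHeaders().get(Headers.AUTHORIZATION);
        if (authorization == null) {
            return null;
        }
        for (String value : authorization) {
            if (value.startsWith(NEGOTIATE_PREFIX)) {
                return value.substring(NEGOTIATE_PREFIX.length());
            }
        }
        return null;
    }

    /**
     * Reuses an established context cached on the connection, otherwise feeds a {@code Negotiate} token from the
     * request to the GSS layer.
     *
     * @return {@code NOT_ATTEMPTED} when the request carries no {@code Negotiate} token and no established context
     *         exists; {@code NOT_AUTHENTICATED} when the identity manager rejects the peer, the token is not valid
     *         base64, or the negotiation still needs another round trip; {@code AUTHENTICATED} on success
     */
    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
        NegotiationContext negContext = exchange.getConnection().getAttachment(NegotiationContext.ATTACHMENT_KEY);
        if (negContext != null) {
            UndertowLogger.SECURITY_LOGGER.debugf("Existing negotiation context found for %s", exchange);
            exchange.putAttachment(NegotiationContext.ATTACHMENT_KEY, negContext);
            if (negContext.isEstablished()) {
                // Re-verify on every request so a revoked account does not ride on the cached context.
                Account account = getIdentityManager(securityContext)
                        .verify(new GSSContextCredential(negContext.getGssContext()));
                if (account == null) {
                    UndertowLogger.SECURITY_LOGGER.debugf(
                            "Failed to authenticate with existing GSSAPI negotiation context for %s", exchange);
                    return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
                }
                securityContext.authenticationComplete(account, name, false);
                UndertowLogger.SECURITY_LOGGER.debugf(
                        "Authenticated as user %s with existing GSSAPI negotiation context for %s",
                        account.getPrincipal().getName(), exchange);
                return AuthenticationMechanismOutcome.AUTHENTICATED;
            }
            // Context exists but is not established yet: fall through and continue with the request's token.
        }

        String encodedToken = findNegotiateToken(exchange);
        if (encodedToken == null) {
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        try {
            return runGSSAPI(exchange, FlexBase64.decode(encodedToken), securityContext);
        } catch (IOException e) {
            // Not valid base64: a failed attempt, not an internal error.
            UndertowLogger.SECURITY_LOGGER.debugf(e, "Malformed Negotiate token for %s", exchange);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    /**
     * Sends a {@code WWW-Authenticate: Negotiate} challenge, carrying the pending response token when a negotiation
     * is in progress. A fresh challenge is only sent when a server subject exists for the request's host, so the
     * scheme is never advertised for hosts this server cannot accept tokens for.
     *
     * @return a 401 challenge result, or {@code NOT_SENT} when no server subject is available for the host
     */
    @Override
    public ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
        NegotiationContext negContext = exchange.getAttachment(NegotiationContext.ATTACHMENT_KEY);
        String header = NEGOTIATION_PLAIN;
        if (negContext != null) {
            byte[] responseToken = negContext.useResponseToken();
            // The exchange-level attachment is per request; the connection keeps the context for the next one.
            exchange.putAttachment(NegotiationContext.ATTACHMENT_KEY, null);
            if (responseToken != null) {
                header = NEGOTIATE_PREFIX + FlexBase64.encodeString(responseToken, false);
            }
        } else {
            String hostName = getHostName(exchange);
            Subject server = null;
            try {
                server = subjectFactory.getSubjectForHost(hostName);
            } catch (GeneralSecurityException e) {
                // Treated like "no subject": the challenge is simply not sent.
                UndertowLogger.SECURITY_LOGGER.debugf(e, "Unable to obtain server subject for host %s", hostName);
            }
            if (server == null) {
                return ChallengeResult.NOT_SENT;
            }
        }
        exchange.getResponseHeaders().add(Headers.WWW_AUTHENTICATE, header);
        UndertowLogger.SECURITY_LOGGER.debugf("Sending GSSAPI challenge for %s", exchange);
        return new ChallengeResult(true, 401);
    }

    /**
     * Accepts one decoded client token as the server subject for the request's host.
     *
     * @param exchange        current exchange; its {@code Host} header selects the server subject
     * @param challenge       decoded token, consumed from {@code array()} at {@code arrayOffset()} for {@code limit()} bytes
     * @param securityContext security context to complete on success
     * @return the outcome of {@link AcceptSecurityContext#run()}, or {@code NOT_AUTHENTICATED} when no server
     *         subject can be obtained or the GSS layer rejects the token
     */
    public AuthenticationMechanismOutcome runGSSAPI(HttpServerExchange exchange, ByteBuffer challenge, SecurityContext securityContext) {
        try {
            Subject server = subjectFactory.getSubjectForHost(getHostName(exchange));
            return Subject.doAs(server, new AcceptSecurityContext(exchange, challenge, securityContext));
        } catch (GeneralSecurityException | PrivilegedActionException e) {
            // PrivilegedActionException wraps the GSSException from AcceptSecurityContext.run(); a bad token lands
            // here. Logged at debug (not printed to stderr) and reported as a plain failed attempt.
            UndertowLogger.SECURITY_LOGGER.debugf(e, "GSSAPI authentication failed for %s", exchange);
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    /**
     * Host part of the request's {@code Host} header with any port removed: a bracketed IPv6 literal is kept
     * including its brackets, otherwise everything from the first colon on is dropped.
     *
     * @return the host name, or {@code null} when the request has no {@code Host} header
     */
    private String getHostName(HttpServerExchange exchange) {
        String host = exchange.getRequestHeaders().getFirst(Headers.HOST);
        if (host == null) {
            return null;
        }
        if (host.startsWith("[") && host.contains("]")) {
            return host.substring(0, host.indexOf(']') + 1);
        }
        int colon = host.indexOf(':');
        return colon >= 0 ? host.substring(0, colon) : host;
    }

    static {
        try {
            DEFAULT_MECHANISMS = new Oid[] {
                    new Oid("1.3.6.1.5.5.2"),       // SPNEGO
                    new Oid("1.2.840.113554.1.2.2") // Kerberos V5
            };
        } catch (GSSException e) {
            throw new RuntimeException(e);
        }
    }
}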
