package org.wildfly.security.http.impl;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.IdentityCredentialCallback;
import org.wildfly.security.auth.callback.ServerCredentialCallback;
import org.wildfly.security.credential.GSSCredentialCredential;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.HttpServerResponse;
import org.wildfly.security.http.Scope;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism.MechanismUtil;
import org.wildfly.security.util.ByteIterator;

/* loaded from: input_file:org/wildfly/security/http/impl/SpnegoAuthenticationMechanism.class */
public class SpnegoAuthenticationMechanism implements HttpServerAuthenticationMechanism {
    private static final String CHALLENGE_PREFIX = "Negotiate ";
    private static final String GSS_CONTEXT_KEY;
    private final CallbackHandler callbackHandler;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    public SpnegoAuthenticationMechanism(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public String getMechanismName() {
        return "SPNEGO";
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public void evaluateRequest(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        HttpScope scope = httpServerRequest.getScope(Scope.CONNECTION);
        GSSContext gSSContext = scope != null ? (GSSContext) scope.getAttachment(GSS_CONTEXT_KEY, GSSContext.class) : null;
        ElytronMessages.log.tracef("Evaluating SPNEGO request: cached GSSContext = %s", gSSContext);
        if (gSSContext != null && gSSContext.isEstablished() && authorizeEstablishedContext(gSSContext)) {
            ElytronMessages.log.trace("Successfully authorized using cached identity");
            httpServerRequest.authenticationComplete();
            return;
        }
        if (gSSContext == null) {
            ServerCredentialCallback serverCredentialCallback = new ServerCredentialCallback(GSSCredentialCredential.class);
            try {
                ElytronMessages.log.trace("Obtaining GSSCredential for the service from callback handler...");
                this.callbackHandler.handle(new Callback[]{serverCredentialCallback});
                GSSCredential gSSCredential = (GSSCredential) serverCredentialCallback.applyToCredential(GSSCredentialCredential.class, (v0) -> {
                    return v0.getGssCredential();
                });
                if (gSSCredential == null) {
                    ElytronMessages.log.trace("GSSCredential for the service from callback handler is null - cannot perform SPNEGO authentication");
                    httpServerRequest.noAuthenticationInProgress();
                    return;
                }
                try {
                    gSSContext = GSSManager.getInstance().createContext(gSSCredential);
                    if (scope != null) {
                        scope.setAttachment(GSS_CONTEXT_KEY, gSSContext);
                        ElytronMessages.log.tracef("Caching GSSContext %s", gSSContext);
                    }
                } catch (GSSException e) {
                    throw ElytronMessages.log.mechUnableToCreateGssContext("SPNEGO", e).toHttpAuthenticationException();
                }
            } catch (IOException | UnsupportedCallbackException e2) {
                throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason("SPNEGO", e2).toHttpAuthenticationException();
            }
        }
        List<String> requestHeaderValues = httpServerRequest.getRequestHeaderValues(HttpConstants.AUTHORIZATION);
        Optional findFirst = requestHeaderValues != null ? requestHeaderValues.stream().filter(str -> {
            return str.startsWith(CHALLENGE_PREFIX);
        }).limit(1L).map(str2 -> {
            return str2.substring(CHALLENGE_PREFIX.length());
        }).findFirst() : Optional.empty();
        if (ElytronMessages.log.isTraceEnabled()) {
            ElytronMessages.log.tracef("Sent HTTP authorizations: [%s]", requestHeaderValues == null ? "null" : String.join(", ", requestHeaderValues));
        }
        if (findFirst.isPresent()) {
            ElytronMessages.log.trace("Processing incoming response to a challenge...");
            byte[] drain = ByteIterator.ofBytes(((String) findFirst.get()).getBytes(StandardCharsets.UTF_8)).base64Decode().drain();
            try {
                byte[] acceptSecContext = gSSContext.acceptSecContext(drain, 0, drain.length);
                if (gSSContext.isEstablished()) {
                    ElytronMessages.log.trace("GSSContext established, authorizing...");
                    if (!authorizeEstablishedContext(gSSContext)) {
                        ElytronMessages.log.trace("Authorization of established GSSContext failed");
                        GSSName srcName = gSSContext.getSrcName();
                        httpServerRequest.authenticationFailed(ElytronMessages.log.authorizationFailed(srcName == null ? null : srcName.toString(), "SPNEGO"));
                        return;
                    } else {
                        ElytronMessages.log.trace("GSSContext established and authorized - authentication complete");
                        if (acceptSecContext != null) {
                            httpServerRequest.authenticationComplete(httpServerResponse -> {
                                sendIntermediateChallenge(acceptSecContext, httpServerResponse, true);
                            });
                            return;
                        } else {
                            httpServerRequest.authenticationComplete();
                            return;
                        }
                    }
                }
                if (acceptSecContext != null) {
                    ElytronMessages.log.trace("Sending negotiation token to the peer");
                    httpServerRequest.authenticationInProgress(httpServerResponse2 -> {
                        sendIntermediateChallenge(acceptSecContext, httpServerResponse2, false);
                    });
                    return;
                }
            } catch (GSSException e3) {
                ElytronMessages.log.trace("GSSContext message exchange failed", e3);
                try {
                    MechanismUtil.handleCallbacks("SPNEGO", this.callbackHandler, AuthenticationCompleteCallback.FAILED);
                } catch (UnsupportedCallbackException | AuthenticationMechanismException e4) {
                }
                httpServerRequest.authenticationFailed(ElytronMessages.log.authenticationFailed("SPNEGO"), this::sendBareChallenge);
                return;
            }
        }
        ElytronMessages.log.trace("Request lacks valid authentication credentials");
        if (scope != null) {
            scope.setAttachment(GSS_CONTEXT_KEY, null);
        }
        httpServerRequest.noAuthenticationInProgress(this::sendBareChallenge);
    }

    private void sendBareChallenge(HttpServerResponse httpServerResponse) {
        httpServerResponse.addResponseHeader(HttpConstants.WWW_AUTHENTICATE, HttpConstants.NEGOTIATE);
        httpServerResponse.setStatusCode(HttpConstants.UNAUTHORIZED);
    }

    private void sendIntermediateChallenge(byte[] bArr, HttpServerResponse httpServerResponse, boolean z) {
        httpServerResponse.addResponseHeader(HttpConstants.WWW_AUTHENTICATE, CHALLENGE_PREFIX + ByteIterator.ofBytes(bArr).base64Encode().drainToString());
        if (z) {
            return;
        }
        httpServerResponse.setStatusCode(HttpConstants.UNAUTHORIZED);
    }

    private boolean authorizeEstablishedContext(GSSContext gSSContext) throws HttpAuthenticationException {
        GSSName srcName;
        if (!$assertionsDisabled && !gSSContext.isEstablished()) {
            throw new AssertionError();
        }
        boolean z = false;
        try {
            srcName = gSSContext.getSrcName();
        } catch (GSSException e) {
            try {
                MechanismUtil.handleCallbacks("SPNEGO", this.callbackHandler, AuthenticationCompleteCallback.FAILED);
            } catch (UnsupportedCallbackException | AuthenticationMechanismException e2) {
            }
            throw ElytronMessages.log.mechServerSideAuthenticationFailed("SPNEGO", e).toHttpAuthenticationException();
        } catch (IOException e3) {
            throw ElytronMessages.log.mechServerSideAuthenticationFailed("SPNEGO", e3).toHttpAuthenticationException();
        } catch (UnsupportedCallbackException e4) {
        }
        if (srcName == null) {
            ElytronMessages.log.trace("Authorization failed - clientName (name of GSSContext initiator) is null - wrong realm or kdc?");
            return false;
        }
        String gSSName = srcName.toString();
        Callback authorizeCallback = new AuthorizeCallback(gSSName, gSSName);
        this.callbackHandler.handle(new Callback[]{authorizeCallback});
        z = authorizeCallback.isAuthorized();
        ElytronMessages.log.tracef("Authorized by callback handler = %b  clientName = [%s]", Boolean.valueOf(z), gSSName);
        if (z) {
            if (gSSContext.getCredDelegState()) {
                try {
                    GSSCredential delegCred = gSSContext.getDelegCred();
                    ElytronMessages.log.tracef("Credential delegation enabled, delegated credential = %s", delegCred);
                    MechanismUtil.handleCallbacks("SPNEGO", this.callbackHandler, new IdentityCredentialCallback(new GSSCredentialCredential(delegCred), true));
                } catch (GSSException e5) {
                    throw new HttpAuthenticationException((Throwable) e5);
                } catch (UnsupportedCallbackException e6) {
                } catch (AuthenticationMechanismException e7) {
                    throw e7.toHttpAuthenticationException();
                }
            } else {
                ElytronMessages.log.trace("Credential delegation not enabled");
            }
        }
        try {
            CallbackHandler callbackHandler = this.callbackHandler;
            Callback[] callbackArr = new Callback[1];
            callbackArr[0] = z ? AuthenticationCompleteCallback.SUCCEEDED : AuthenticationCompleteCallback.FAILED;
            MechanismUtil.handleCallbacks("SPNEGO", callbackHandler, callbackArr);
        } catch (UnsupportedCallbackException e8) {
        } catch (AuthenticationMechanismException e9) {
            throw e9.toHttpAuthenticationException();
        }
        return z;
    }

    static {
        $assertionsDisabled = !SpnegoAuthenticationMechanism.class.desiredAssertionStatus();
        GSS_CONTEXT_KEY = SpnegoAuthenticationMechanism.class.getName() + ".GSSContext";
    }
}
