package net.shibboleth.idp.authn.spnego.impl;

import ch.qos.logback.core.CoreConstants;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import net.shibboleth.idp.attribute.transcoding.AttributeTranscoderRegistry;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.ExternalAuthentication;
import net.shibboleth.idp.authn.ExternalAuthenticationException;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.shared.annotation.constraint.NotEmpty;
import net.shibboleth.shared.codec.HTMLEncoder;
import net.shibboleth.shared.codec.StringDigester;
import net.shibboleth.shared.primitive.LoggerFactory;
import net.shibboleth.shared.security.IdentifierGenerationStrategy;
import org.apache.commons.codec.binary.Base64;
import org.apache.hc.client5.http.auth.StandardAuthScheme;
import org.apache.hc.core5.http.HttpStatus;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSName;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@RequestMapping({"%{idp.authn.spnego.externalAuthnPath:/Authn/SPNEGO}"})
@Controller
/* loaded from: input_file:WEB-INF/lib/idp-authn-impl-5.1.3.jar:net/shibboleth/idp/authn/spnego/impl/SPNEGOAuthnController.class */
public class SPNEGOAuthnController {

    @Nonnull
    @NotEmpty
    public static final String SPNEGO_NOT_AVAILABLE = "SPNEGONotAvailable";

    @Nonnull
    @NotEmpty
    public static final String NTLM_UNSUPPORTED = "NTLMUnsupported";

    @Nonnull
    private final Logger log = LoggerFactory.getLogger((Class<?>) SPNEGOAuthnController.class);

    @Nullable
    private StringDigester cspDigester;

    @Nullable
    private IdentifierGenerationStrategy cspNonceGenerator;
    static final /* synthetic */ boolean $assertionsDisabled;

    public void setCSPDigester(@Nullable StringDigester stringDigester) {
        this.cspDigester = stringDigester;
    }

    public void setCSPNonceGenerator(@Nullable IdentifierGenerationStrategy identifierGenerationStrategy) {
        this.cspNonceGenerator = identifierGenerationStrategy;
    }

    @RequestMapping(value = {"/{conversationKey}"}, method = {RequestMethod.GET})
    @Nullable
    public ModelAndView startSPNEGO(@PathVariable @Nonnull @NotEmpty String str, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) throws ExternalAuthenticationException, IOException {
        String startExternalAuthentication = ExternalAuthentication.startExternalAuthentication(httpServletRequest);
        if (!startExternalAuthentication.equals(str)) {
            throw new ExternalAuthenticationException("Conversation key on query string doesn't match URL path");
        }
        ProfileRequestContext profileRequestContext = ExternalAuthentication.getProfileRequestContext(startExternalAuthentication, httpServletRequest);
        SPNEGOContext sPNEGOContext = getSPNEGOContext(profileRequestContext);
        if (sPNEGOContext != null && sPNEGOContext.getKerberosSettings() != null) {
            this.log.trace("SPNEGO negotiation started, answering request with 401 (WWW-Authenticate: Negotiate)");
            return replyUnauthorizedNegotiate(profileRequestContext, httpServletRequest, httpServletResponse);
        }
        this.log.error("Kerberos settings not found in profile request context");
        finishWithError(str, httpServletRequest, httpServletResponse, AuthnEventIds.INVALID_AUTHN_CTX);
        return null;
    }

    @RequestMapping(value = {"/{conversationKey}"}, method = {RequestMethod.GET}, headers = {"Authorization"})
    @Nullable
    public ModelAndView continueSPNEGO(@PathVariable @Nonnull @NotEmpty String str, @RequestHeader("Authorization") @Nonnull @NotEmpty String str2, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) throws ExternalAuthenticationException, IOException {
        ProfileRequestContext profileRequestContext = ExternalAuthentication.getProfileRequestContext(str, httpServletRequest);
        if (!str2.startsWith("Negotiate ")) {
            return replyUnauthorizedNegotiate(profileRequestContext, httpServletRequest, httpServletResponse);
        }
        SPNEGOContext sPNEGOContext = getSPNEGOContext(profileRequestContext);
        if (sPNEGOContext == null || sPNEGOContext.getKerberosSettings() == null) {
            this.log.error("Kerberos settings not found in profile request context");
            finishWithError(str, httpServletRequest, httpServletResponse, AuthnEventIds.INVALID_AUTHN_CTX);
            return null;
        }
        GSSContextAcceptor contextAcceptor = sPNEGOContext.getContextAcceptor();
        if (contextAcceptor == null) {
            try {
                contextAcceptor = createGSSContextAcceptor(sPNEGOContext);
                sPNEGOContext.setContextAcceptor(contextAcceptor);
            } catch (GSSException e) {
                this.log.error("Unable to create GSSContextAcceptor", (Throwable) e);
                finishWithException(str, httpServletRequest, httpServletResponse, new ExternalAuthenticationException(SPNEGO_NOT_AVAILABLE, e));
                return null;
            }
        }
        if (!$assertionsDisabled && contextAcceptor == null) {
            throw new AssertionError();
        }
        byte[] decodeBase64 = Base64.decodeBase64(str2.substring(10).getBytes());
        if (!$assertionsDisabled && decodeBase64 == null) {
            throw new AssertionError();
        }
        this.log.trace("SPNEGO negotiation, Authorization header received, gssapi-data: {}", decodeBase64);
        if (isNTLMMechanism(decodeBase64)) {
            this.log.warn("NTLM is unsupported, failing context negotiation");
            contextAcceptor.logout();
            finishWithError(str, httpServletRequest, httpServletResponse, NTLM_UNSUPPORTED);
            return null;
        }
        try {
            byte[] acceptSecContext = contextAcceptor.acceptSecContext(decodeBase64, 0, decodeBase64.length);
            this.log.trace("GSS token accepted");
            GSSContext context = contextAcceptor.getContext();
            if (context == null || !context.isEstablished()) {
                this.log.trace("SPNEGO negotiation in process, output token: {}", acceptSecContext);
                String encodeBase64String = Base64.encodeBase64String(acceptSecContext);
                if ($assertionsDisabled || encodeBase64String != null) {
                    return replyUnauthorizedNegotiate(profileRequestContext, httpServletRequest, httpServletResponse, encodeBase64String);
                }
                throw new AssertionError();
            }
            this.log.debug("GSS security context is complete");
            try {
                GSSName srcName = context.getSrcName();
                if (srcName == null) {
                    this.log.error("Error extracting principal name from security context, check for hostname mismatch or other causes of a missing service ticket");
                    contextAcceptor.logout();
                    finishWithException(str, httpServletRequest, httpServletResponse, new ExternalAuthenticationException(SPNEGO_NOT_AVAILABLE));
                    return null;
                }
                KerberosPrincipal kerberosPrincipal = new KerberosPrincipal(srcName.toString());
                this.log.info("SPNEGO/Kerberos authentication succeeded for principal: {}", srcName.toString());
                contextAcceptor.logout();
                finishWithSuccess(str, httpServletRequest, httpServletResponse, kerberosPrincipal);
                return null;
            } catch (GSSException e2) {
                this.log.error("Error extracting principal name from security context", (Throwable) e2);
                contextAcceptor.logout();
                finishWithException(str, httpServletRequest, httpServletResponse, new ExternalAuthenticationException(SPNEGO_NOT_AVAILABLE, e2));
                return null;
            }
        } catch (Exception e3) {
            this.log.debug("Exception processing GSS token", (Throwable) e3);
            contextAcceptor.logout();
            finishWithException(str, httpServletRequest, httpServletResponse, new ExternalAuthenticationException(SPNEGO_NOT_AVAILABLE, e3));
            return null;
        }
    }

    @RequestMapping(value = {"/{conversationKey}/error"}, method = {RequestMethod.GET})
    public void handleError(@PathVariable @Nonnull String str, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) throws ExternalAuthenticationException, IOException {
        this.log.warn("SPNEGO authentication problem signaled by client");
        finishWithError(str, httpServletRequest, httpServletResponse, SPNEGO_NOT_AVAILABLE);
    }

    private void finishWithSuccess(@Nonnull @NotEmpty String str, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, @Nonnull KerberosPrincipal kerberosPrincipal) throws ExternalAuthenticationException, IOException {
        Subject subject = new Subject();
        String name = kerberosPrincipal.getName();
        if (!$assertionsDisabled && name == null) {
            throw new AssertionError();
        }
        subject.getPrincipals().add(new UsernamePrincipal(name));
        subject.getPrincipals().add(kerberosPrincipal);
        httpServletRequest.setAttribute(ExternalAuthentication.SUBJECT_KEY, subject);
        ExternalAuthentication.finishExternalAuthentication(str, httpServletRequest, httpServletResponse);
    }

    private void finishWithError(@Nonnull @NotEmpty String str, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, @Nonnull @NotEmpty String str2) throws ExternalAuthenticationException, IOException {
        httpServletRequest.setAttribute(ExternalAuthentication.AUTHENTICATION_ERROR_KEY, str2);
        ExternalAuthentication.finishExternalAuthentication(str, httpServletRequest, httpServletResponse);
    }

    private void finishWithException(@Nonnull @NotEmpty String str, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, @Nonnull Exception exc) throws ExternalAuthenticationException, IOException {
        httpServletRequest.setAttribute(ExternalAuthentication.AUTHENTICATION_EXCEPTION_KEY, exc);
        ExternalAuthentication.finishExternalAuthentication(str, httpServletRequest, httpServletResponse);
    }

    @Nullable
    private SPNEGOContext getSPNEGOContext(@Nonnull ProfileRequestContext profileRequestContext) {
        AuthenticationContext authenticationContext = (AuthenticationContext) profileRequestContext.getSubcontext(AuthenticationContext.class);
        if (authenticationContext != null) {
            return (SPNEGOContext) authenticationContext.getSubcontext(SPNEGOContext.class);
        }
        return null;
    }

    @Nonnull
    protected GSSContextAcceptor createGSSContextAcceptor(@Nonnull SPNEGOContext sPNEGOContext) throws GSSException {
        KerberosSettings kerberosSettings = sPNEGOContext.getKerberosSettings();
        if ($assertionsDisabled || kerberosSettings != null) {
            return new GSSContextAcceptor(kerberosSettings);
        }
        throw new AssertionError();
    }

    @Nonnull
    private ModelAndView replyUnauthorizedNegotiate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) {
        return replyUnauthorizedNegotiate(profileRequestContext, httpServletRequest, httpServletResponse, "");
    }

    @Nonnull
    private ModelAndView replyUnauthorizedNegotiate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse, @Nonnull String str) {
        StringBuilder sb = new StringBuilder(StandardAuthScheme.SPNEGO);
        if (!str.isEmpty()) {
            sb.append(" " + str);
        }
        httpServletResponse.addHeader("WWW-Authenticate", sb.toString());
        httpServletResponse.setStatus(HttpStatus.SC_UNAUTHORIZED);
        return createModelAndView(profileRequestContext, httpServletRequest, httpServletResponse);
    }

    @Nonnull
    private ModelAndView createModelAndView(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull HttpServletRequest httpServletRequest, @Nonnull HttpServletResponse httpServletResponse) {
        ModelAndView modelAndView = new ModelAndView("spnego-unavailable");
        modelAndView.addObject("profileRequestContext", profileRequestContext);
        modelAndView.addObject("request", httpServletRequest);
        modelAndView.addObject("response", httpServletResponse);
        modelAndView.addObject(AttributeTranscoderRegistry.PROP_ENCODER, HTMLEncoder.class);
        modelAndView.addObject("cspDigester", this.cspDigester);
        modelAndView.addObject("cspNonce", this.cspNonceGenerator);
        StringBuffer requestURL = httpServletRequest.getRequestURL();
        requestURL.append("/error");
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            requestURL.append(CoreConstants.NA).append(queryString);
        }
        modelAndView.addObject("errorUrl", requestURL.toString());
        return modelAndView;
    }

    private boolean isNTLMMechanism(@Nonnull byte[] bArr) {
        return Arrays.equals(new byte[]{78, 84, 76, 77, 83, 83, 80}, Arrays.copyOfRange(bArr, 0, 7));
    }

    static {
        $assertionsDisabled = !SPNEGOAuthnController.class.desiredAssertionStatus();
    }
}
