package org.gatein.security.sso.spnego;

import java.io.IOException;
import java.net.URLEncoder;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.UUID;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.gatein.common.logging.Logger;
import org.gatein.common.logging.LoggerFactory;
import org.gatein.common.util.Base64;
import org.gatein.sso.agent.filter.api.AbstractSSOInterceptor;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/gatein/security/sso/spnego/SPNEGOSSOFilter.class */
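/**
 * Servlet filter that performs SPNEGO (HTTP "Negotiate") authentication for the
 * configured login paths and then hands the authenticated short user name to the
 * portal login servlet through a redirect.
 *
 * <p>Flow, as implemented below:
 * <ol>
 *   <li>Requests whose URI is not one of {@link #patterns} pass through untouched.</li>
 *   <li>Requests that already carry a {@code username} parameter or a remote user are
 *       sent to the login servlet without any SPNEGO processing.</li>
 *   <li>Otherwise the {@code Authorization: Negotiate ...} token is validated with
 *       JGSS; on failure a {@code 401} challenge is issued, on success the principal is
 *       stored in the session under {@code SPNEGO_PRINCIPAL} and the browser is
 *       redirected to the login servlet.</li>
 * </ol>
 *
 * <p>NOTE(review): step 2 forwards any request that supplies a {@code username}
 * parameter, so the component behind the login servlet must decide based on the
 * {@code SPNEGO_PRINCIPAL} session attribute (or a real password check) and must not
 * trust the {@code username} query parameter on its own. That component is not visible
 * in this file; confirm.
 *
 * <p>NOTE(review): a single {@link LoginContext} instance is shared by all request
 * threads and is logged in and out on every SPNEGO attempt. Concurrent attempts can
 * interleave {@code login()}/{@code logout()}; as far as this file shows the effect is
 * a failed attempt rather than a wrong identity, but it should be confirmed or the
 * context made per-request.
 */
public class SPNEGOSSOFilter extends AbstractSSOInterceptor {
    // NOTE(review): the logger category is the parent class, not this filter; left as is
    // so existing logging configuration keeps matching.
    private static final Logger log = LoggerFactory.getLogger(AbstractSSOInterceptor.class);
    private static final GSSManager MANAGER = GSSManager.getInstance();

    /** HTTP authentication scheme name used by SPNEGO. */
    private static final String NEGOTIATE = "Negotiate";
    /** Object identifier of the SPNEGO GSS-API mechanism. */
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    /** Charset used when percent-encoding values placed in the redirect query string. */
    private static final String URL_CHARSET = "UTF-8";

    private LoginContext loginContext;
    private String[] patterns = {"/login", "/spnegosso"};
    private String loginServletPath = "/login";
    private String securityDomain = "spnego-server";

    /**
     * Reads the optional init parameters {@code patterns} (comma separated),
     * {@code loginServletPath} and {@code securityDomain}, then creates the JAAS
     * {@link LoginContext} for the security domain. If the context cannot be created
     * the filter stays installed but every SPNEGO attempt fails (see {@link #login}).
     */
    protected void initImpl() {
        String configuredPatterns = getInitParameter("patterns");
        if (configuredPatterns != null && !configuredPatterns.isEmpty()) {
            String[] parts = configuredPatterns.split(",");
            for (int i = 0; i < parts.length; i++) {
                // "a, b" style lists would otherwise yield a pattern that never matches
                parts[i] = parts[i].trim();
            }
            this.patterns = parts;
        }
        String configuredLoginPath = getInitParameter("loginServletPath");
        if (configuredLoginPath != null && !configuredLoginPath.isEmpty()) {
            this.loginServletPath = configuredLoginPath;
        }
        String configuredDomain = getInitParameter("securityDomain");
        if (configuredDomain != null && !configuredDomain.isEmpty()) {
            this.securityDomain = configuredDomain;
        }
        try {
            this.loginContext = new LoginContext(this.securityDomain);
        } catch (LoginException e) {
            log.warn("Exception while init LoginContext, so SPNEGO SSO will not work", e);
        }
    }

    /**
     * Applies the SPNEGO login flow described on the class to requests that match one
     * of the configured patterns; all other requests continue down the chain.
     *
     * @param servletRequest  incoming request, expected to be an {@link HttpServletRequest}
     * @param servletResponse outgoing response, expected to be an {@link HttpServletResponse}
     * @param filterChain     remaining filters and the target servlet
     * @throws IOException      if a redirect, include or downstream component fails on I/O
     * @throws ServletException if a downstream component fails
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        if (!isSpnegoLoginRequest(request)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        // NOTE(review): nothing in this class clears the stored request again; confirm
        // that SPNEGOSSOContext or its consumer releases it.
        SPNEGOSSOContext.setCurrentRequest(request);
        String loginUrl = request.getContextPath() + this.loginServletPath;
        String requestUri = request.getRequestURI();
        String usernameParam = request.getParameter("username");
        String remoteUser = request.getRemoteUser();

        // A login attempt is already in progress (or the user is known): no negotiation.
        if (usernameParam != null || remoteUser != null) {
            if (loginUrl.equalsIgnoreCase(requestUri)) {
                filterChain.doFilter(request, response);
                return;
            }
            StringBuilder target = new StringBuilder(loginUrl);
            if (request.getQueryString() != null) {
                target.append("?").append(request.getQueryString());
            }
            response.sendRedirect(target.toString());
            return;
        }

        String principal = null;
        String authorization = request.getHeader("Authorization");
        if (authorization != null) {
            try {
                principal = login(request, response, authorization);
            } catch (Exception e) {
                // Any failure is treated as "not authenticated" and answered with a challenge.
                log.error("Exception occur when trying to login with SPNEGO", e);
            }
        }

        if (principal == null || principal.isEmpty()) {
            if (loginUrl.equals(requestUri)) {
                filterChain.doFilter(request, response);
            } else {
                // NOTE(review): literal "/login" rather than loginServletPath; confirm intended.
                request.getRequestDispatcher("/login").include(request, response);
            }
            response.setHeader("WWW-Authenticate", NEGOTIATE);
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // Principal names normally look like user@REALM. A name without '@' used to
        // raise StringIndexOutOfBoundsException here; it is now used as is.
        // The realm is discarded, so equal short names from different realms map to the
        // same portal user; acceptable only if a single realm is trusted.
        int realmSeparator = principal.indexOf('@');
        String username = realmSeparator >= 0 ? principal.substring(0, realmSeparator) : principal;
        // The redirect carries a random value as password; the authenticated identity
        // is the session attribute set here.
        String randomPassword = UUID.randomUUID().toString();
        request.getSession().setAttribute("SPNEGO_PRINCIPAL", username);

        // Values are percent-encoded so that neither the principal nor the
        // client-supplied initialURI can add or override query parameters.
        StringBuilder target = new StringBuilder(loginUrl)
                .append("?username=").append(encode(username))
                .append("&password=").append(randomPassword);
        String initialUri = request.getParameter("initialURI");
        if (initialUri != null) {
            // initialURI is attacker-controllable; whoever redirects to it must validate it.
            target.append("&initialURI=").append(encode(initialUri));
        }
        response.sendRedirect(target.toString());
    }

    /** Percent-encodes {@code value} for use as a query-string parameter value. */
    private static String encode(String value) throws IOException {
        return URLEncoder.encode(value, URL_CHARSET);
    }

    /**
     * Tells whether the request URI equals the context path followed by one of the
     * configured patterns (exact, case-sensitive comparison).
     */
    private boolean isSpnegoLoginRequest(HttpServletRequest httpServletRequest) {
        String requestUri = httpServletRequest.getRequestURI();
        String contextPath = httpServletRequest.getContextPath();
        for (String pattern : this.patterns) {
            if (requestUri.equals(contextPath.concat(pattern))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates the SPNEGO token carried in an {@code Authorization} header.
     *
     * <p>The security context and the JAAS login are released on every exit path,
     * including failures. Headers that are not of the form {@code Negotiate <token>}
     * are rejected before any Kerberos work is done.
     *
     * @param httpServletRequest  current request (not read by this method)
     * @param httpServletResponse response that receives the {@code WWW-Authenticate} reply token
     * @param str                 raw value of the {@code Authorization} header
     * @return the initiator's principal name as reported by JGSS, or {@code null} if
     *         the filter is not initialised, the header is not a usable Negotiate
     *         header, no reply token was produced, or the context is not established
     * @throws Exception if the JAAS login, credential lookup or token processing fails
     */
    private String login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) throws Exception {
        if (this.loginContext == null) {
            return null;
        }
        String schemePrefix = NEGOTIATE + " ";
        if (str == null || !str.regionMatches(true, 0, schemePrefix, 0, schemePrefix.length())) {
            // Other schemes and truncated headers are not SPNEGO tokens.
            return null;
        }
        byte[] token = Base64.decode(str.substring(schemePrefix.length()).trim());
        if (token == null || token.length == 0) {
            return null;
        }

        this.loginContext.login();
        GSSContext gssContext = null;
        try {
            gssContext = MANAGER.createContext(getServerCredential(this.loginContext.getSubject()));
            byte[] replyToken = gssContext.acceptSecContext(token, 0, token.length);
            if (replyToken == null) {
                return null;
            }
            httpServletResponse.setHeader("WWW-Authenticate", NEGOTIATE + " " + Base64.encodeBytes(replyToken));
            if (!gssContext.isEstablished()) {
                // The context is not kept between requests, so an unfinished negotiation
                // is reported as a failed attempt.
                httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                return null;
            }
            return gssContext.getSrcName().toString();
        } finally {
            if (gssContext != null) {
                try {
                    gssContext.dispose();
                } catch (GSSException e) {
                    log.warn("Could not dispose GSS context after SPNEGO login", e);
                }
            }
            try {
                this.loginContext.logout();
            } catch (LoginException e) {
                log.warn("Could not log out server LoginContext after SPNEGO login", e);
            }
        }
    }

    /**
     * Obtains the server's accept-only SPNEGO credential while running as the given
     * JAAS subject.
     *
     * @param subject subject produced by the server-side JAAS login
     * @return credential usable to accept security contexts, with indefinite lifetime
     * @throws PrivilegedActionException wrapping the {@link GSSException} raised by JGSS
     */
    static GSSCredential getServerCredential(Subject subject) throws PrivilegedActionException {
        return Subject.doAs(subject, new PrivilegedExceptionAction<GSSCredential>() {
            @Override
            public GSSCredential run() throws GSSException {
                return MANAGER.createCredential(
                        (GSSName) null,
                        GSSCredential.INDEFINITE_LIFETIME,
                        getOid(),
                        GSSCredential.ACCEPT_ONLY);
            }
        });
    }

    /**
     * Builds the SPNEGO mechanism OID.
     *
     * @return the OID, or {@code null} if it could not be constructed
     */
    private static Oid getOid() {
        try {
            return new Oid(SPNEGO_OID);
        } catch (GSSException e) {
            log.error("Could not create SPNEGO mechanism Oid", e);
            return null;
        }
    }

    /** Nothing to release: no per-filter resources are held between requests. */
    public void destroy() {
    }
}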
