package org.apache.cxf.jaxrs.security;

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletResponse;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.common.security.SimpleSecurityContext;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.staxutils.PropertiesExpandingStreamReader;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

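@PreMatching
/**
 * JAX-RS pre-matching filter that authenticates a request with an HTTP
 * {@code Negotiate} (SPNEGO / Kerberos) token.
 *
 * <p>The filter reads the single {@code Authorization} header, base64-decodes the
 * token that follows the {@code Negotiate} scheme, logs the service principal in
 * through JAAS (by login-context name and/or an explicit {@link Configuration}),
 * accepts the token through GSS-API under that service {@link Subject} and, on
 * success, stores a {@link KerberosSecurityContext} under
 * {@link SecurityContext} on the current CXF message. Any failure is reported
 * as {@code 401 Unauthorized} carrying {@code WWW-Authenticate: Negotiate}.
 *
 * <p>The acceptor's output token is discarded, so the filter never completes
 * mutual authentication or a multi-round-trip negotiation with the client; a
 * token that does not establish the context in one step is rejected. The
 * {@link GSSContext} is kept alive only when the client delegated its credential
 * ({@link GSSContext#getCredDelegState()}); otherwise it is disposed of before
 * the filter returns, on both the success and the failure paths.
 */
public class KerberosAuthenticationFilter implements ContainerRequestFilter {
    private static final Logger LOG = LogUtils.getL7dLogger(KerberosAuthenticationFilter.class);
    private static final String NEGOTIATE_SCHEME = "Negotiate";
    private static final String PROPERTY_USE_KERBEROS_OID = "auth.spnego.useKerberosOid";
    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    /** Separates a principal's short name from its realm, e.g. {@code HTTP/host@REALM}. */
    private static final char REALM_DELIMITER = '@';

    private MessageContext messageContext;
    private CallbackHandler callbackHandler;
    private Configuration loginConfig;
    private String loginContextName = "";
    private String servicePrincipalName;
    private String realm;

    /**
     * Principal carrying both the short user name (realm stripped) and the full
     * Kerberos name as reported by GSS-API.
     */
    public static class KerberosPrincipal extends SimplePrincipal {
        private static final long serialVersionUID = 1;
        private final String complexName;

        /**
         * @param str  short name, used as the principal name
         * @param str2 full Kerberos name including the realm
         */
        public KerberosPrincipal(String str, String str2) {
            super(str);
            this.complexName = str2;
        }

        /** @return the full Kerberos name, including the realm */
        public String getKerberosName() {
            return this.complexName;
        }
    }

    /**
     * Security context established by this filter. The wrapped {@link GSSContext}
     * is non-null only when the client delegated its credential; it is owned by
     * this object from then on.
     */
    public static class KerberosSecurityContext extends SimpleSecurityContext {
        private final GSSContext context;

        /**
         * @param kerberosPrincipal the authenticated principal
         * @param gSSContext        established context with a delegated credential, or null
         */
        public KerberosSecurityContext(KerberosPrincipal kerberosPrincipal, GSSContext gSSContext) {
            super(kerberosPrincipal);
            this.context = gSSContext;
        }

        /** @return the retained GSS context, or null when no credential was delegated */
        public GSSContext getGSSContext() {
            return this.context;
        }
    }

    /**
     * Accepts the client token on the given context. Runs under the service
     * subject via {@link Subject#doAs} so the acceptor credential is available.
     */
    private static final class ValidateServiceTicketAction implements PrivilegedExceptionAction<byte[]> {
        private final GSSContext context;
        private final byte[] token;

        private ValidateServiceTicketAction(GSSContext gSSContext, byte[] bArr) {
            this.context = gSSContext;
            this.token = bArr;
        }

        /** @return the acceptor's output token (unused by the filter) */
        @Override
        public byte[] run() throws GSSException {
            return this.context.acceptSecContext(this.token, 0, this.token.length);
        }
    }

    /**
     * Authenticates the request from its {@code Authorization: Negotiate} header.
     *
     * @param containerRequestContext the JAX-RS request context (unused; headers
     *                                are read from the injected {@link MessageContext})
     * @throws javax.ws.rs.NotAuthorizedException (via {@link ExceptionUtils}) when the
     *         header is missing or malformed, the token is not valid base64, the JAAS
     *         login fails, or GSS-API does not establish the context
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        List<String> authHeaders =
            this.messageContext.getHttpHeaders().getRequestHeader(HttpHeaders.AUTHORIZATION);
        if (authHeaders == null || authHeaders.size() != 1) {
            LOG.fine("No Authorization header is available");
            throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
        }
        String[] authPair = StringUtils.split(authHeaders.get(0), " ");
        if (authPair.length != 2 || !NEGOTIATE_SCHEME.equalsIgnoreCase(authPair[0])) {
            LOG.fine("Negotiate Authorization scheme is expected");
            throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
        }
        byte[] serviceTicket = getServiceTicket(authPair[1]);

        GSSContext gssContext = null;
        // Set once the context has been handed to the KerberosSecurityContext,
        // which then owns it; every other exit path disposes of it in finally.
        boolean contextRetained = false;
        try {
            Subject serviceSubject = loginAndGetSubject();
            gssContext = createGSSContext();
            // The acceptor's output token is discarded: no mutual-auth or
            // continuation token is ever returned to the client.
            Subject.doAs(serviceSubject, new ValidateServiceTicketAction(gssContext, serviceTicket));
            if (!gssContext.isEstablished()) {
                // A token that needs further round trips cannot be honoured here,
                // so it must not be treated as an authenticated request.
                LOG.fine("GSS context was not established by the supplied token");
                throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
            }
            GSSName srcName = gssContext.getSrcName();
            if (srcName == null) {
                LOG.fine("GSS context has no source name");
                throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
            }
            String complexUserName = srcName.toString();
            String simpleUserName = stripRealm(complexUserName);

            GSSContext delegatedContext = null;
            if (gssContext.getCredDelegState()) {
                // Keep the context alive so downstream code can use the delegated credential.
                delegatedContext = gssContext;
                contextRetained = true;
            }
            JAXRSUtils.getCurrentMessage().put(SecurityContext.class,
                new KerberosSecurityContext(new KerberosPrincipal(simpleUserName, complexUserName),
                                            delegatedContext));
        } catch (PrivilegedActionException e) {
            LOG.fine("PrivilegedActionException: " + e.getMessage());
            throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
        } catch (LoginException e2) {
            LOG.fine("Unsuccessful JAAS login for the service principal: " + e2.getMessage());
            throw ExceptionUtils.toNotAuthorizedException(e2, getFaultResponse());
        } catch (GSSException e3) {
            LOG.fine("GSS API exception: " + e3.getMessage());
            throw ExceptionUtils.toNotAuthorizedException(e3, getFaultResponse());
        } finally {
            if (!contextRetained) {
                disposeQuietly(gssContext);
            }
        }
    }

    /**
     * Creates the acceptor-side context for the service principal.
     *
     * <p>The mechanism is SPNEGO unless the contextual property
     * {@code auth.spnego.useKerberosOid} is true, in which case the raw Kerberos
     * mechanism OID is used.
     *
     * @return a fresh, not yet established context
     * @throws GSSException if the OID, name or context cannot be created
     */
    protected GSSContext createGSSContext() throws GSSException {
        boolean useKerberosOid =
            MessageUtils.isTrue(this.messageContext.getContextualProperty(PROPERTY_USE_KERBEROS_OID));
        Oid mechanism = new Oid(useKerberosOid ? KERBEROS_OID : SPNEGO_OID);
        GSSManager manager = GSSManager.getInstance();
        GSSName serviceName = manager.createName(getCompleteServicePrincipalName(), (Oid) null)
                                     .canonicalize(mechanism);
        return manager.createContext(serviceName, mechanism, (GSSCredential) null,
                                     GSSContext.DEFAULT_LIFETIME);
    }

    /**
     * Logs the service principal in through JAAS and returns its subject.
     *
     * <p>Either a login-context name or an explicit {@link Configuration} must be
     * configured; with a null configuration the JVM's installed one is consulted
     * by {@link LoginContext}.
     *
     * @return the authenticated service subject
     * @throws LoginException if nothing is configured or the login fails
     */
    protected Subject loginAndGetSubject() throws LoginException {
        if (StringUtils.isEmpty(this.loginContextName) && this.loginConfig == null) {
            LOG.fine("LoginContext can not be initialized");
            throw new LoginException("Neither a login context name nor a login configuration is set");
        }
        LoginContext loginContext =
            new LoginContext(this.loginContextName, (Subject) null, this.callbackHandler, this.loginConfig);
        loginContext.login();
        return loginContext.getSubject();
    }

    /**
     * Decodes the base64 token taken from the Authorization header.
     *
     * @param str base64 text following the Negotiate scheme
     * @return the raw token bytes
     * @throws javax.ws.rs.NotAuthorizedException if the text is not valid base64
     */
    private byte[] getServiceTicket(String str) {
        try {
            return Base64Utility.decode(str);
        } catch (Base64Exception e) {
            LOG.fine("Negotiate token is not valid base64");
            throw ExceptionUtils.toNotAuthorizedException(null, getFaultResponse());
        }
    }

    /** @return a 401 response challenging the client with {@code WWW-Authenticate: Negotiate} */
    private static Response getFaultResponse() {
        return JAXRSUtils.toResponseBuilder(HttpServletResponse.SC_UNAUTHORIZED)
                         .header(HttpHeaders.WWW_AUTHENTICATE, NEGOTIATE_SCHEME)
                         .build();
    }

    /**
     * Returns the service principal name, defaulting to {@code HTTP/<base-uri-host>}
     * and suffixed with {@code @realm} when a realm is configured.
     */
    protected String getCompleteServicePrincipalName() {
        String name = this.servicePrincipalName == null
            ? "HTTP/" + this.messageContext.getUriInfo().getBaseUri().getHost()
            : this.servicePrincipalName;
        if (this.realm != null) {
            name = name + REALM_DELIMITER + this.realm;
        }
        return name;
    }

    /** Drops the {@code @REALM} suffix; a leading '@' is not treated as a separator. */
    private static String stripRealm(String kerberosName) {
        int at = kerberosName.lastIndexOf(REALM_DELIMITER);
        return at > 0 ? kerberosName.substring(0, at) : kerberosName;
    }

    /** Disposes of the context if present; a failure to dispose is logged, not propagated. */
    private static void disposeQuietly(GSSContext context) {
        if (context == null) {
            return;
        }
        try {
            context.dispose();
        } catch (GSSException e) {
            LOG.fine("Failed to dispose of the GSS context: " + e.getMessage());
        }
    }

    /** Injected by JAX-RS; supplies request headers, URI info and contextual properties. */
    @Context
    public void setMessageContext(MessageContext messageContext) {
        this.messageContext = messageContext;
    }

    /** JAAS login-context name for the service principal (required unless a configuration is set). */
    public void setLoginContextName(String str) {
        this.loginContextName = str;
    }

    /** Explicit service principal name; defaults to {@code HTTP/<base-uri-host>} when null. */
    public void setServicePrincipalName(String str) {
        this.servicePrincipalName = str;
    }

    /** Realm appended to the service principal name as {@code @realm}; optional. */
    public void setRealm(String str) {
        this.realm = str;
    }

    /** Callback handler passed to the JAAS {@link LoginContext}; optional. */
    public void setCallbackHandler(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
    }
}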
