package io.fabric8.git.http;

import io.fabric8.common.util.ExecParseUtils;
import io.fabric8.utils.Base64Encoder;
import io.fabric8.zookeeper.utils.ZooKeeperUtils;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AccountException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.curator.framework.CuratorFramework;
import org.osgi.service.http.HttpContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/fabric-git-server-1.1.0.CR5.jar:io/fabric8/git/http/GitSecureHttpContext.class */
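/**
 * {@link HttpContext} decorator that puts HTTP Basic authentication in front of the
 * wrapped context.
 *
 * <p>Two kinds of credentials are accepted:
 * <ul>
 *   <li>container logins (as decided by {@code ZooKeeperUtils.isContainerLogin}), checked
 *       against the container tokens read through the {@link CuratorFramework};</li>
 *   <li>every other user, checked through a JAAS {@link LoginContext} for the configured
 *       realm, optionally followed by a role check.</li>
 * </ul>
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Basic credentials are only base64-encoded. This class does not check that the
 *       request arrived over TLS, so transport protection has to be enforced elsewhere.</li>
 *   <li>The configured role is only enforced on the JAAS path; a container login that
 *       presents a matching token is accepted without a role check.</li>
 *   <li>The {@code Authorization} header value is never written to the log, because it
 *       contains the password or container token.</li>
 * </ul>
 */
public class GitSecureHttpContext implements HttpContext {
    private static final Logger LOGGER = LoggerFactory.getLogger(GitSecureHttpContext.class);
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String HEADER_AUTHORIZATION = "Authorization";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    private final HttpContext base;
    private final CuratorFramework curator;
    private final String realm;
    private final String role;

    /**
     * Creates the secured context.
     *
     * @param httpContext      context that resource and MIME type lookups are delegated to
     * @param curatorFramework client used to read the container tokens
     * @param str              JAAS realm; also sent as the realm of the Basic challenge
     * @param str2             role an authenticated JAAS user must hold; {@code null} or
     *                         empty disables the role check
     */
    public GitSecureHttpContext(HttpContext httpContext, CuratorFramework curatorFramework, String str, String str2) {
        this.base = httpContext;
        this.curator = curatorFramework;
        this.realm = str;
        this.role = str2;
    }

    /** Delegates to the wrapped context. */
    @Override
    public URL getResource(String str) {
        return this.base.getResource(str);
    }

    /** Delegates to the wrapped context. */
    @Override
    public String getMimeType(String str) {
        return this.base.getMimeType(str);
    }

    /**
     * Authenticates the request from its {@code Authorization: Basic} header.
     *
     * <p>On success the {@link HttpContext#AUTHENTICATION_TYPE} and
     * {@link HttpContext#REMOTE_USER} request attributes are set. Every other outcome
     * (missing header, other scheme, malformed or rejected credentials, backend error)
     * ends in a 401 response carrying a Basic challenge, so the check fails closed.
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse response that receives the 401 challenge on failure
     * @return {@code true} if the request is authenticated, {@code false} if a challenge
     *         was sent
     */
    @Override
    public boolean handleSecurity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        LOGGER.trace("handleSecurity: request={}", httpServletRequest);
        String header = httpServletRequest.getHeader(HEADER_AUTHORIZATION);
        if (header != null && header.length() > 0) {
            String trimmed = header.trim();
            int space = trimmed.indexOf(' ');
            if (space > 0) {
                String scheme = trimmed.substring(0, space);
                String encodedCredentials = trimmed.substring(space).trim();
                // Log the scheme only: the rest of the header is the base64 form of
                // "user:password" and must not end up in log files.
                LOGGER.trace("handleSecurity: Authorization scheme={}", scheme);
                if (scheme.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)
                        && authenticateBasic(httpServletRequest, encodedCredentials)) {
                    return true;
                }
            }
        }
        sendChallenge(httpServletResponse);
        return false;
    }

    /**
     * Decodes and verifies Basic credentials and, on success, marks the request as
     * authenticated. Never throws: any failure is reported as {@code false} so the caller
     * answers with a challenge.
     */
    private boolean authenticateBasic(HttpServletRequest request, String encodedCredentials) {
        try {
            String decoded = base64Decode(encodedCredentials);
            int colon = decoded.indexOf(':');
            if (colon < 0) {
                // No "user:password" separator: reject explicitly instead of relying on
                // an index exception being swallowed.
                LOGGER.debug("handleSecurity: malformed Basic credentials (no ':' separator)");
                return false;
            }
            String user = decoded.substring(0, colon);
            String secret = decoded.substring(colon + 1);
            LOGGER.trace("handleSecurity: Username={}", user);
            if (ZooKeeperUtils.isContainerLogin(user)) {
                String expectedToken = ZooKeeperUtils.getContainerTokens(this.curator).getProperty(user);
                if (expectedToken == null) {
                    throw new FailedLoginException("Container doesn't exist");
                }
                if (!constantTimeEquals(secret, expectedToken)) {
                    throw new FailedLoginException("Tokens do not match");
                }
            } else if (doAuthenticate(user, secret) == null) {
                return false;
            }
            request.setAttribute(HttpContext.AUTHENTICATION_TYPE, "BASIC");
            request.setAttribute(HttpContext.REMOTE_USER, user);
            return true;
        } catch (FailedLoginException e) {
            // These messages are the fixed strings thrown above; no credential data.
            LOGGER.debug("handleSecurity: container login rejected: {}", e.getMessage());
            return false;
        } catch (Exception e) {
            // Decoding or token-lookup failure. Only the exception type is logged, since
            // the message of an unknown exception could echo request data.
            LOGGER.debug("handleSecurity: Basic authentication could not be processed: {}", e.getClass().getName());
            return false;
        }
    }

    /** Sends a 401 response with a Basic challenge for the configured realm. */
    private void sendChallenge(HttpServletResponse response) {
        try {
            response.setHeader(HEADER_WWW_AUTHENTICATE, "Basic realm=\"" + this.realm + ExecParseUtils.QUOTE_CHAR);
            response.setStatus(401);
            response.setContentLength(0);
            response.flushBuffer();
        } catch (IOException e) {
            // The client is most likely gone; the request is denied either way.
            LOGGER.debug("handleSecurity: could not flush the 401 challenge", e);
        }
    }

    /**
     * Compares two secrets without stopping at the first differing byte, so the response
     * time does not reveal how much of a guessed token was correct.
     */
    private static boolean constantTimeEquals(String presented, String expected) {
        return MessageDigest.isEqual(
                presented.getBytes(StandardCharsets.UTF_8),
                expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Logs the user in through JAAS for the configured realm and, when a role is
     * configured, requires that role among the subject's principals (directly by name or
     * as a member of a {@link Group} principal).
     *
     * @return the authenticated subject, or {@code null} if login or the role check failed
     */
    private Subject doAuthenticate(final String username, final String password) {
        try {
            Subject subject = new Subject();
            CallbackHandler credentialsHandler = new CallbackHandler() {
                @Override
                public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                    for (Callback callback : callbacks) {
                        if (callback instanceof NameCallback) {
                            ((NameCallback) callback).setName(username);
                        } else if (callback instanceof PasswordCallback) {
                            ((PasswordCallback) callback).setPassword(password.toCharArray());
                        } else {
                            throw new UnsupportedCallbackException(callback);
                        }
                    }
                }
            };
            new LoginContext(this.realm, subject, credentialsHandler).login();
            if (this.role != null && this.role.length() > 0 && !hasRole(subject)) {
                throw new FailedLoginException("User does not have the required role: " + this.role);
            }
            return subject;
        } catch (AccountException e) {
            LOGGER.warn("Account failure", e);
            return null;
        } catch (LoginException e) {
            LOGGER.warn("Login failed", e);
            return null;
        }
    }

    /** Returns whether the subject holds the configured role, directly or through a group. */
    private boolean hasRole(Subject subject) {
        for (Principal principal : subject.getPrincipals()) {
            if (this.role.equals(principal.getName())
                    || ((principal instanceof Group) && isGroupMember((Group) principal, this.role))) {
                return true;
            }
        }
        return false;
    }

    /** Returns whether any direct member of {@code group} is named {@code memberName}. */
    private boolean isGroupMember(Group group, String memberName) {
        Enumeration<? extends Principal> members = group.members();
        while (members.hasMoreElements()) {
            if (memberName.equals(members.nextElement().getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Base64-decodes {@code str}, mapping bytes to characters with ISO-8859-1 in both
     * directions.
     */
    private static String base64Decode(String str) {
        byte[] bArr = new byte[0];
        try {
            bArr = Base64Encoder.decode(str.getBytes("ISO-8859-1"));
            return new String(bArr, "ISO-8859-1");
        } catch (UnsupportedEncodingException e) {
            // ISO-8859-1 is a charset every Java platform must provide, so this fallback
            // to the platform default charset is not expected to run.
            return new String(bArr);
        }
    }
}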
