package io.undertow.server.security;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.GSSAPIServerSubjectFactory;
import io.undertow.security.api.SecurityNotification;
import io.undertow.security.impl.GSSAPIAuthenticationMechanism;
import io.undertow.testutils.AjpIgnore;
import io.undertow.testutils.DefaultServer;
import io.undertow.testutils.HttpClientUtils;
import io.undertow.testutils.TestHttpClient;
import io.undertow.util.FlexBase64;
import io.undertow.util.Headers;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.List;
import javax.security.auth.Subject;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;

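/**
 * Exercises the success path of {@link GSSAPIAuthenticationMechanism} using the HTTP
 * {@code Negotiate} scheme with SPNEGO as the GSS-API mechanism.
 *
 * <p>The server-side subject and the client principal are both obtained through
 * {@code KerberosKDCUtil}, which is started once per class. The principal names and
 * passwords below are hard-coded test fixtures.
 * NOTE(review): presumably they match principals provisioned by {@code KerberosKDCUtil};
 * confirm there, and keep them confined to the test realm.
 *
 * <p>Only the successful handshake is covered by this class; rejection of malformed or
 * foreign tokens is not asserted here.
 */
@RunWith(DefaultServer.class)
@AjpIgnore(apacheOnly = true, value = "SPNEGO requires a single connection to the server, and apache cannot guarantee that")
public class SpnegoAuthenticationTestCase extends AuthenticationTestBase {
    /**
     * Mechanism OID for SPNEGO ({@code 1.3.6.1.5.5.2}). Assigned in {@link #startServers()}
     * because the {@link Oid} constructor throws a checked exception.
     */
    private static Oid SPNEGO;

    /**
     * Supplies the server's Kerberos {@link Subject} for a given host by logging in as the
     * {@code HTTP/<host>} service principal with the fixture password.
     *
     * <p>Declared {@code static}: it reads no state from the enclosing test instance, so it
     * should not hold a hidden reference to it.
     */
    private static final class SubjectFactory implements GSSAPIServerSubjectFactory {
        private SubjectFactory() {
        }

        /**
         * @param hostName host the mechanism is accepting a context for
         * @return the subject returned by {@code KerberosKDCUtil.login} for {@code HTTP/<hostName>}
         * @throws GeneralSecurityException if the login fails
         */
        @Override
        public Subject getSubjectForHost(String hostName) throws GeneralSecurityException {
            // Test-only service credential; never reuse outside the test KDC.
            return KerberosKDCUtil.login("HTTP/" + hostName, "servicepwd".toCharArray());
        }
    }

    /**
     * Registers the GSSAPI mechanism as the only mechanism under test.
     *
     * @return a single-element list holding a {@link GSSAPIAuthenticationMechanism} backed by
     *         {@link SubjectFactory}
     */
    @Override
    public List<AuthenticationMechanism> getTestMechanisms() {
        return Collections.singletonList(new GSSAPIAuthenticationMechanism(new SubjectFactory()));
    }

    /**
     * Starts the KDC helper and initialises the SPNEGO mechanism OID.
     *
     * @throws Exception if the KDC helper fails to start or the OID string is rejected
     */
    @BeforeClass
    public static void startServers() throws Exception {
        KerberosKDCUtil.startServer();
        SPNEGO = new Oid("1.3.6.1.5.5.2");
    }

    /**
     * Intentionally empty: this class performs no teardown of what {@link #startServers()}
     * started.
     */
    @AfterClass
    public static void stopServers() {
    }

    /**
     * Runs a full Negotiate handshake as the {@code jduke} principal.
     *
     * <p>An unauthenticated GET must yield 401 with a {@code Negotiate} challenge. The client
     * then drives a GSS-API initiator context, sending each output token in an
     * {@code Authorization: Negotiate <base64>} header and feeding any token from the
     * response's {@code WWW-Authenticate} header back into the context. The test passes when a
     * 200 response processed by {@code ResponseHandler} is seen, exactly one
     * {@code AUTHENTICATED} notification was recorded, and the initiator reports the context
     * as established.
     *
     * @throws Exception on any HTTP, login or GSS-API failure
     */
    @Test
    public void testSpnegoSuccess() throws Exception {
        final TestHttpClient client = new TestHttpClient();
        try {
            HttpResponse challenge = client.execute(new HttpGet(DefaultServer.getDefaultServerURL()));
            Assert.assertEquals(401, challenge.getStatusLine().getStatusCode());
            Assert.assertEquals(Headers.NEGOTIATE.toString(),
                    getAuthHeader(Headers.NEGOTIATE, challenge.getHeaders(Headers.WWW_AUTHENTICATE.toString())));
            HttpClientUtils.readResponse(challenge);

            // Test-only user credential; never reuse outside the test KDC.
            Subject clientSubject = KerberosKDCUtil.login("jduke", "theduke".toCharArray());
            Subject.doAs(clientSubject, new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    GSSManager manager = GSSManager.getInstance();
                    // A null name type selects the mechanism's default printable syntax.
                    GSSName serverName = manager.createName(
                            "HTTP/" + DefaultServer.getDefaultServerAddress().getHostString(), (Oid) null);
                    // A null credential makes GSS-API use the default initiator credential,
                    // here the one carried by the Subject this action runs as.
                    GSSContext context = manager.createContext(
                            serverName, SpnegoAuthenticationTestCase.SPNEGO, (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);
                    try {
                        byte[] token = new byte[0];
                        boolean sawOk = false;
                        while (!context.isEstablished()) {
                            token = context.initSecContext(token, 0, token.length);
                            if (token == null || token.length == 0) {
                                // initSecContext may return null when nothing is left to send. Fail
                                // clearly instead of hitting a NullPointerException on token.length
                                // in the next iteration.
                                Assert.assertTrue("GSS-API produced no token but the context is not established",
                                        context.isEstablished());
                                continue;
                            }

                            HttpGet request = new HttpGet(DefaultServer.getDefaultServerURL());
                            request.addHeader(Headers.AUTHORIZATION.toString(),
                                    Headers.NEGOTIATE + " " + FlexBase64.encodeString(token, false));
                            HttpResponse response = client.execute(request);
                            Header[] challenges = response.getHeaders(Headers.WWW_AUTHENTICATE.toString());
                            if (challenges.length > 0) {
                                byte[] headerBytes = AuthenticationTestBase.getAuthHeader(Headers.NEGOTIATE, challenges)
                                        .getBytes(StandardCharsets.UTF_8);
                                // Skip "Negotiate " and decode the rest. Copy only the readable bytes:
                                // ByteBuffer.array() ignores position and limit, so it could hand
                                // bytes beyond the decoded token to initSecContext.
                                ByteBuffer decoded = FlexBase64.decode(
                                        headerBytes, Headers.NEGOTIATE.toString().length() + 1, headerBytes.length);
                                token = new byte[decoded.remaining()];
                                decoded.get(token);
                            }

                            int status = response.getStatusLine().getStatusCode();
                            if (status == 200) {
                                Header[] processedBy = response.getHeaders("ProcessedBy");
                                Assert.assertEquals(1, processedBy.length);
                                Assert.assertEquals("ResponseHandler", processedBy[0].getValue());
                                HttpClientUtils.readResponse(response);
                                AuthenticationTestBase.assertSingleNotificationType(SecurityNotification.EventType.AUTHENTICATED);
                                sawOk = true;
                            } else if (status == 401) {
                                // A continuation round must carry a server token to feed back.
                                Assert.assertTrue("We did get a header.", challenges.length > 0);
                                HttpClientUtils.readResponse(response);
                            } else {
                                Assert.fail(String.format("Unexpected status code %d", status));
                            }
                        }
                        Assert.assertTrue(sawOk);
                        Assert.assertTrue(context.isEstablished());
                        return null;
                    } finally {
                        // Release the context and any key material it holds.
                        try {
                            context.dispose();
                        } catch (GSSException ignored) {
                            // Best-effort cleanup; must not mask the test's own outcome.
                        }
                    }
                }
            });
        } finally {
            // Close pooled connections even when an assertion fails mid-handshake.
            client.getConnectionManager().shutdown();
        }
    }
}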
