package org.wildfly.security.http.impl;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.ServerCredentialCallback;
import org.wildfly.security.credential.GSSCredentialCredential;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.HttpServerResponse;
import org.wildfly.security.http.Scope;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism.MechanismUtil;
import org.wildfly.security.util.ByteIterator;

/* loaded from: input_file:org/wildfly/security/http/impl/SpnegoAuthenticationMechanism.class */
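/**
 * HTTP SPNEGO ({@code Authorization: Negotiate <token>}) server authentication mechanism.
 *
 * <p>The {@link GSSContext} of an exchange is attached to the request's {@link Scope#CONNECTION} scope, so a
 * context established by one request authenticates every later request on the same connection until it is
 * discarded; whether that connection is ever shared by more than one client is outside this class's control.
 * The {@link CallbackHandler} supplies the service credential ({@link ServerCredentialCallback}), decides
 * authorization ({@link AuthorizeCallback}) and is told the outcome ({@link AuthenticationCompleteCallback}).
 */
public class SpnegoAuthenticationMechanism implements HttpServerAuthenticationMechanism {

    private static final String SPNEGO_NAME = "SPNEGO";
    private static final String CHALLENGE_PREFIX = "Negotiate ";
    /** Connection-scope attachment key for the {@link GSSContext} of an in-progress or completed exchange. */
    private static final String GSS_CONTEXT_KEY = SpnegoAuthenticationMechanism.class.getName() + ".GSSContext";

    private final CallbackHandler callbackHandler;

    /**
     * Creates the mechanism.
     *
     * @param callbackHandler handler asked for the service credential, for the authorization decision and
     *        told whether each authentication attempt succeeded or failed
     */
    public SpnegoAuthenticationMechanism(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public String getMechanismName() {
        return SPNEGO_NAME;
    }

    /**
     * Evaluates one request: reuses an established connection context, otherwise feeds the request's
     * {@code Negotiate} token to the (new or in-progress) context and answers with the matching response.
     *
     * <p>The outcome is reported through the request's {@code authentication*} /
     * {@code noAuthenticationInProgress} methods; client-caused failures (rejected or malformed token) get a
     * fresh bare challenge, and the context of a failed or unauthorized exchange is not kept on the connection.
     *
     * @param request the request under evaluation
     * @throws HttpAuthenticationException if the callback handler, GSS context creation or a server-side GSS
     *         operation fails in a way that is not the client's fault
     */
    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public void evaluateRequest(HttpServerRequest request) throws HttpAuthenticationException {
        HttpScope connectionScope = request.getScope(Scope.CONNECTION);
        GSSContext gssContext = connectionScope != null
                ? (GSSContext) connectionScope.getAttachment(GSS_CONTEXT_KEY, GSSContext.class)
                : null;

        if (gssContext != null && gssContext.isEstablished()) {
            // Already authenticated on this connection: only the authorization decision is re-checked.
            if (authorizeEstablishedContext(gssContext)) {
                request.authenticationComplete();
                return;
            }
            // No longer authorized: drop the context so the client has to start a fresh exchange.
            discardContext(connectionScope, gssContext);
            request.noAuthenticationInProgress(this::sendBareChallenge);
            return;
        }

        Optional<String> token = negotiateToken(request);
        if (gssContext == null) {
            GSSCredential serviceCredential = serviceCredential();
            if (serviceCredential == null) {
                // Without a service credential the mechanism cannot take part, so no challenge is issued.
                request.noAuthenticationInProgress();
                return;
            }
            if (token.isPresent()) {
                gssContext = newContext(serviceCredential, connectionScope);
            }
        }
        if (!token.isPresent()) {
            // Nothing to accept (also covers an in-progress context with no continuation token): ask for one.
            request.noAuthenticationInProgress(this::sendBareChallenge);
            return;
        }
        // From here gssContext is either the attached in-progress context or the one just created; an
        // in-progress context now receives its continuation token instead of being answered with a bare
        // challenge.

        byte[] inToken;
        try {
            inToken = ByteIterator.ofBytes(token.get().getBytes(StandardCharsets.UTF_8)).base64Decode().drain();
        } catch (IllegalArgumentException e) {
            // Malformed base64 comes from the client; treat it as a rejected token rather than letting an
            // unchecked exception escape. Assumes base64Decode() reports bad input as an
            // IllegalArgumentException — TODO confirm against ByteIterator.
            rejectExchange(request, connectionScope, gssContext);
            return;
        }

        byte[] outToken;
        try {
            outToken = gssContext.acceptSecContext(inToken, 0, inToken.length);
        } catch (GSSException e) {
            rejectExchange(request, connectionScope, gssContext);
            return;
        }

        if (!gssContext.isEstablished()) {
            if (outToken != null) {
                // More legs to go: hand the client the server token and keep the context attached.
                request.authenticationInProgress(response -> sendIntermediateChallenge(outToken, response, false));
            } else {
                request.noAuthenticationInProgress(this::sendBareChallenge);
            }
            return;
        }

        if (authorizeEstablishedContext(gssContext)) {
            if (outToken != null) {
                // A final server token (e.g. for mutual authentication) travels with the success response.
                request.authenticationComplete(response -> sendIntermediateChallenge(outToken, response, true));
            } else {
                request.authenticationComplete();
            }
            return;
        }

        // Authenticated but not authorized: authorizeEstablishedContext already reported FAILED to the
        // handler. The method ends here so the failure is not overridden by a further response call.
        String peer;
        try {
            peer = gssContext.getSrcName().toString();
        } catch (GSSException e) {
            rejectExchange(request, connectionScope, gssContext);
            return;
        }
        discardContext(connectionScope, gssContext);
        request.authenticationFailed(ElytronMessages.log.authorizationFailed(peer, SPNEGO_NAME));
    }

    /**
     * Extracts the base64 token of the first {@code Authorization: Negotiate ...} header value, if any.
     * The value is untrusted client input and is not decoded here.
     */
    private static Optional<String> negotiateToken(HttpServerRequest request) {
        List<String> values = request.getRequestHeaderValues(HttpConstants.AUTHORIZATION);
        if (values == null) {
            return Optional.empty();
        }
        return values.stream()
                .filter(value -> value.startsWith(CHALLENGE_PREFIX))
                .map(value -> value.substring(CHALLENGE_PREFIX.length()))
                .findFirst();
    }

    /**
     * Asks the callback handler for the service's GSS credential.
     *
     * @return the credential, or {@code null} if the handler did not provide one
     * @throws HttpAuthenticationException if the handler itself fails; only the handler call is wrapped,
     *         so failures raised later in the exchange keep their own messages
     */
    private GSSCredential serviceCredential() throws HttpAuthenticationException {
        ServerCredentialCallback credentialCallback = new ServerCredentialCallback(GSSCredentialCredential.class);
        try {
            callbackHandler.handle(new Callback[] { credentialCallback });
        } catch (IOException | UnsupportedCallbackException e) {
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(SPNEGO_NAME, e).toHttpAuthenticationException();
        }
        GSSCredentialCredential credential = (GSSCredentialCredential) credentialCallback.getCredential();
        return credential != null ? credential.getGssCredential() : null;
    }

    /**
     * Creates an acceptor context for the service credential and attaches it to the connection scope (when
     * there is one) so that the next leg of the exchange, or a later request, finds it.
     *
     * @throws HttpAuthenticationException if the GSS provider cannot create the context
     */
    private static GSSContext newContext(GSSCredential serviceCredential, HttpScope connectionScope)
            throws HttpAuthenticationException {
        try {
            GSSContext gssContext = GSSManager.getInstance().createContext(serviceCredential);
            if (connectionScope != null) {
                connectionScope.setAttachment(GSS_CONTEXT_KEY, gssContext);
            }
            return gssContext;
        } catch (GSSException e) {
            throw ElytronMessages.log.mechUnableToCreateGssContext(SPNEGO_NAME, e).toHttpAuthenticationException();
        }
    }

    /**
     * Forgets a context that must not serve further requests on the connection (failed exchange or denied
     * authorization) and releases its GSS resources.
     */
    private static void discardContext(HttpScope connectionScope, GSSContext gssContext) {
        if (connectionScope != null) {
            // NOTE(review): relies on setAttachment(key, null) clearing the entry — confirm against HttpScope.
            connectionScope.setAttachment(GSS_CONTEXT_KEY, null);
        }
        try {
            gssContext.dispose();
        } catch (GSSException ignored) {
            // best effort; the context is no longer referenced from here on
        }
    }

    /** Ends a failed token exchange: drops the context, tells the handler, and re-issues the bare challenge. */
    private void rejectExchange(HttpServerRequest request, HttpScope connectionScope, GSSContext gssContext) {
        discardContext(connectionScope, gssContext);
        notifyFailureQuietly();
        request.authenticationFailed(ElytronMessages.log.authenticationFailed(SPNEGO_NAME), this::sendBareChallenge);
    }

    /** Answers 401 with a bare {@code WWW-Authenticate: Negotiate}, inviting the client to start an exchange. */
    private void sendBareChallenge(HttpServerResponse response) {
        response.addResponseHeader(HttpConstants.WWW_AUTHENTICATE, HttpConstants.NEGOTIATE);
        response.setStatusCode(HttpConstants.UNAUTHORIZED);
    }

    /**
     * Returns a server GSS token in {@code WWW-Authenticate}; unless the exchange is {@code complete} the
     * status is set to 401 so the client sends its next token.
     */
    private void sendIntermediateChallenge(byte[] token, HttpServerResponse response, boolean complete) {
        response.addResponseHeader(HttpConstants.WWW_AUTHENTICATE,
                CHALLENGE_PREFIX + ByteIterator.ofBytes(token).base64Encode().drainToString());
        if (!complete) {
            response.setStatusCode(HttpConstants.UNAUTHORIZED);
        }
    }

    /**
     * Asks the callback handler whether the peer authenticated by an established context is authorized, and
     * reports the decision to the handler as SUCCEEDED or FAILED.
     *
     * @param gssContext an established context
     * @return {@code true} only if the handler explicitly authorized the peer; a handler that cannot answer
     *         {@link AuthorizeCallback} denies by default
     * @throws HttpAuthenticationException if the peer name cannot be read or the handler fails
     */
    private boolean authorizeEstablishedContext(GSSContext gssContext) throws HttpAuthenticationException {
        assert gssContext.isEstablished();
        boolean authorized = false;
        try {
            String peer = gssContext.getSrcName().toString();
            // The authenticated GSS name is also the identity being authorized; no separate run-as name.
            AuthorizeCallback authorizeCallback = new AuthorizeCallback(peer, peer);
            callbackHandler.handle(new Callback[] { authorizeCallback });
            authorized = authorizeCallback.isAuthorized();
        } catch (UnsupportedCallbackException ignored) {
            // the handler does not do authorization: fail closed, authorized stays false
        } catch (GSSException e) {
            notifyFailureQuietly();
            throw ElytronMessages.log.mechServerSideAuthenticationFailed(SPNEGO_NAME, e).toHttpAuthenticationException();
        } catch (IOException e) {
            throw ElytronMessages.log.mechServerSideAuthenticationFailed(SPNEGO_NAME, e).toHttpAuthenticationException();
        }
        try {
            notifyCompletion(authorized ? AuthenticationCompleteCallback.SUCCEEDED : AuthenticationCompleteCallback.FAILED);
        } catch (AuthenticationMechanismException e) {
            throw e.toHttpAuthenticationException();
        }
        return authorized;
    }

    /**
     * Reports the outcome of an exchange to the callback handler.
     *
     * @throws AuthenticationMechanismException if the handler fails while processing the callback
     */
    private void notifyCompletion(AuthenticationCompleteCallback outcome) throws AuthenticationMechanismException {
        try {
            MechanismUtil.handleCallbacks(SPNEGO_NAME, callbackHandler, outcome);
        } catch (UnsupportedCallbackException ignored) {
            // the handler is not interested in completion events
        }
    }

    /** Reports FAILED while the request is already being rejected, so a handler error must not mask it. */
    private void notifyFailureQuietly() {
        try {
            notifyCompletion(AuthenticationCompleteCallback.FAILED);
        } catch (AuthenticationMechanismException ignored) {
            // the original failure is the one the client gets to see
        }
    }
}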
