package org.jboss.as.domain.http.server.security;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.jboss.as.domain.http.server.Constants;
import org.jboss.as.domain.http.server.HttpServerLogger;
import org.jboss.as.domain.management.AuthenticationMechanism;
import org.jboss.as.domain.management.AuthorizingCallbackHandler;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.SubjectIdentity;
import org.jboss.com.sun.net.httpserver.Authenticator;
import org.jboss.com.sun.net.httpserver.Headers;
import org.jboss.com.sun.net.httpserver.HttpExchange;
import org.jboss.util.Base64;

/* loaded from: input_file:org/jboss/as/domain/http/server/security/SpnegoAuthenticator.class */
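/**
 * HTTP {@link Authenticator} that performs a SPNEGO / Kerberos token exchange for the
 * management HTTP interface and delegates to an optional wrapped authenticator when the
 * request carries no {@code Negotiate} token.
 * <p>
 * Negotiation state lives in a {@link NegotiationContext} stored as an {@link HttpExchange}
 * attribute in {@code AttributeScope.CONNECTION}, so a multi-round-trip GSS exchange and
 * the identity it produces are reused by later requests on the same connection.
 * <p>
 * Reconstructed from decompiled output. Besides repairing decompiler artefacts (synthetic
 * {@code $assertionsDisabled} fields, mistyped locals, a {@code try} scope too narrow for
 * {@link GSSContext#acceptSecContext}), this version only records the cached
 * {@link Authenticator.Success} once the realm's authorization callback has accepted the
 * principal. Previously the {@code Success} was cached before the authorization check, so a
 * later request on the same established connection was answered with the cached
 * {@code Success} even though authorization had been denied.
 */
public class SpnegoAuthenticator extends Authenticator {

    /** Mechanism OIDs the acceptor credential is created for: SPNEGO and Kerberos V5. */
    private static final Oid[] MECHANISMS;
    /** Protocol component of the service identity looked up in the realm ({@code HTTP/<host>}). */
    private static final String HTTP_PROTOCOL = "HTTP";
    /** Scheme prefix of a {@code Negotiate} token in the Authorization header, trailing space included. */
    private static final String NEGOTIATE_PREFIX = "Negotiate ";

    static {
        try {
            MECHANISMS = new Oid[] { new Oid("1.3.6.1.5.5.2"), new Oid("1.2.840.113554.1.2.2") };
        } catch (GSSException e) {
            // Both OIDs are constants; failing here means the JGSS provider itself is unusable.
            throw new RuntimeException(e);
        }
    }

    private final SecurityRealm securityRealm;
    /** Authenticator consulted when no Negotiate token is present; may be {@code null}. */
    private final Authenticator wrapped;

    /**
     * Creates the authenticator.
     *
     * @param securityRealm realm supplying the server's Kerberos identity and the authorization
     *                      callback handler; must not be {@code null}
     * @param authenticator authenticator to delegate to for non-Negotiate requests, or {@code null}
     * @throws NullPointerException if {@code securityRealm} is {@code null}
     */
    public SpnegoAuthenticator(SecurityRealm securityRealm, Authenticator authenticator) {
        this.securityRealm = Objects.requireNonNull(securityRealm, "securityRealm");
        this.wrapped = authenticator;
    }

    /**
     * Authenticates one request.
     * <p>
     * Order of evaluation: an already established negotiation on this connection is reused;
     * otherwise a leading {@code Negotiate} token is consumed and fed to the GSS acceptor under
     * the realm's service Subject; otherwise the wrapped authenticator (if any) is consulted and,
     * unless it produced a definitive {@code Success} or {@code Failure}, a {@code Negotiate}
     * challenge is added to the response.
     *
     * @param exchange the exchange under authentication
     * @return the authentication result; never {@code null}
     */
    @Override
    public Authenticator.Result authenticate(HttpExchange exchange) {
        NegotiationContext negotiationContext = (NegotiationContext) exchange.getAttribute(
                NegotiationContext.class.getName(), HttpExchange.AttributeScope.CONNECTION);
        if (negotiationContext != null && negotiationContext.isEstablished()) {
            HttpServerLogger.ROOT_LOGGER.trace("Using previously authenticated context.");
            return negotiationContext.createSuccess(exchange);
        }

        Headers requestHeaders = exchange.getRequestHeaders();
        String authorization = requestHeaders.getFirst(Constants.AUTHORIZATION_HEADER);
        if (authorization != null && authorization.startsWith(NEGOTIATE_PREFIX)) {
            consumeFirstAuthorizationValue(requestHeaders);
            HttpServerLogger.ROOT_LOGGER.trace("Processing negotiation response.");
            byte[] token = Base64.decode(authorization.substring(NEGOTIATE_PREFIX.length()));
            if (token == null) {
                // Defensive: if the decoder signals malformed input with null, reject the request
                // rather than let the acceptor dereference it.
                HttpServerLogger.ROOT_LOGGER.trace("Negotiate token could not be decoded.");
                return new Authenticator.Failure(Constants.FORBIDDEN);
            }
            // The service identity is selected by the client-supplied Host header; a realm
            // that has no identity for that host yields null and the token is ignored.
            SubjectIdentity identity = securityRealm.getSubjectIdentity(HTTP_PROTOCOL, getHostName(exchange));
            if (identity != null) {
                try {
                    // Any result of the GSS round (Success, Retry or Failure) is returned as is;
                    // a failed negotiation is not handed to the wrapped authenticator.
                    return Subject.doAs(identity.getSubject(), new AcceptAction(exchange, token));
                } finally {
                    identity.logout();
                }
            }
        }

        Authenticator.Result delegated = null;
        if (wrapped != null) {
            HttpServerLogger.ROOT_LOGGER.trace("Delegating to wrapped authenticator.");
            delegated = wrapped.authenticate(exchange);
        } else {
            HttpServerLogger.ROOT_LOGGER.trace("No negotiation response, and no wrapped authenticator.");
        }
        if (delegated instanceof Authenticator.Success || delegated instanceof Authenticator.Failure) {
            return delegated;
        }

        // Delegate answered with a Retry or there is no delegate: offer Negotiate if the realm
        // has a service identity for this host. The identity is released immediately; the lookup
        // only decides whether the challenge is advertised.
        String hostName = getHostName(exchange);
        SubjectIdentity identity = securityRealm.getSubjectIdentity(HTTP_PROTOCOL, hostName);
        if (identity != null) {
            identity.logout();
            addNegotiateChallenge(exchange.getResponseHeaders());
            return new Authenticator.Retry(Constants.UNAUTHORIZED);
        }
        HttpServerLogger.ROOT_LOGGER.tracef("No Subject available for host '%s'", hostName);
        return delegated != null ? delegated : new Authenticator.Failure(Constants.FORBIDDEN);
    }

    /**
     * Removes the first Authorization value (the Negotiate token just read via {@code getFirst})
     * so that a wrapped authenticator only sees any remaining values.
     */
    private static void consumeFirstAuthorizationValue(Headers requestHeaders) {
        List<String> values = requestHeaders.remove(Constants.AUTHORIZATION_HEADER);
        if (values.size() > 1) {
            values.remove(0);
            requestHeaders.put(Constants.AUTHORIZATION_HEADER, values);
        }
    }

    /** Prepends the Negotiate challenge to the response's WWW-Authenticate values. */
    private static void addNegotiateChallenge(Headers responseHeaders) {
        List<String> challenges = responseHeaders.remove(Constants.WWW_AUTHENTICATE_HEADER);
        if (challenges == null) {
            HttpServerLogger.ROOT_LOGGER.trace("No existing WWW-Authenticate header");
            challenges = new ArrayList<String>(1);
        }
        HttpServerLogger.ROOT_LOGGER.trace("Adding Negotiate challenge");
        challenges.add(0, Constants.NEGOTIATE);
        responseHeaders.put(Constants.WWW_AUTHENTICATE_HEADER, challenges);
    }

    /**
     * Returns the Host header with any {@code :port} suffix removed, or {@code null} when the
     * request has no Host header.
     * <p>
     * NOTE(review): a bracketed IPv6 literal such as {@code [::1]:9990} is cut at its first colon
     * and yields {@code "["}; confirm whether that form can reach this lookup.
     */
    private String getHostName(HttpExchange exchange) {
        String host = exchange.getRequestHeaders().getFirst(Constants.HOST);
        if (host == null) {
            return null;
        }
        int colon = host.indexOf(':');
        return colon < 0 ? host : host.substring(0, colon);
    }

    /**
     * One round of the GSS token exchange, executed under the realm's service Subject via
     * {@link Subject#doAs}. Creates the per-connection {@link NegotiationContext} and the
     * acceptor {@link GSSContext} on first use.
     */
    private final class AcceptAction implements PrivilegedAction<Authenticator.Result> {
        private final HttpExchange exchange;
        /** Decoded client token for this round; never {@code null}. */
        private final byte[] request;

        private AcceptAction(HttpExchange exchange, byte[] request) {
            this.exchange = exchange;
            this.request = request;
        }

        /**
         * Feeds the client token to the acceptor.
         *
         * @return {@code Success} once the context is established and authorized, {@code Retry}
         *         (401) while more rounds are needed, {@code Failure} (403) on a GSS error
         */
        @Override
        public Authenticator.Result run() {
            NegotiationContext negotiationContext = (NegotiationContext) exchange.getAttribute(
                    NegotiationContext.class.getName(), HttpExchange.AttributeScope.CONNECTION);
            if (negotiationContext == null) {
                HttpServerLogger.ROOT_LOGGER.trace("Creating new NegotiationContext");
                negotiationContext = new NegotiationContext();
                exchange.setAttribute(NegotiationContext.class.getName(), negotiationContext,
                        HttpExchange.AttributeScope.CONNECTION);
            }
            // authenticate() short-circuits established contexts before reaching this action.
            assert !negotiationContext.isEstablished();

            try {
                GSSContext gssContext = negotiationContext.getGssContext();
                if (gssContext == null) {
                    HttpServerLogger.ROOT_LOGGER.trace("Creating new GSSContext");
                    GSSManager manager = GSSManager.getInstance();
                    GSSCredential acceptor = manager.createCredential((GSSName) null,
                            GSSCredential.INDEFINITE_LIFETIME, MECHANISMS, GSSCredential.ACCEPT_ONLY);
                    gssContext = manager.createContext(acceptor);
                    negotiationContext.setGssContext(gssContext);
                }
                // acceptSecContext throws GSSException; the decompiled listing left it outside the
                // try, which cannot compile inside PrivilegedAction.run(), so it is covered here.
                byte[] responseToken = gssContext.acceptSecContext(request, 0, request.length);
                if (responseToken != null) {
                    HttpServerLogger.ROOT_LOGGER.trace("Sending response token");
                    // 8 is the flag value the decompiled code passes to the bundled Base64 encoder
                    // (presumably its "no line breaks" option); kept verbatim.
                    exchange.getResponseHeaders().add(Constants.WWW_AUTHENTICATE_HEADER,
                            NEGOTIATE_PREFIX + Base64.encodeBytes(responseToken, 8));
                }
            } catch (GSSException e) {
                // NOTE(review): the failed GSSContext stays attached to the connection; a later
                // token on the same connection is fed to it rather than to a fresh context.
                HttpServerLogger.ROOT_LOGGER.trace("Unable to authenticate user.", e);
                return new Authenticator.Failure(Constants.FORBIDDEN);
            }

            return negotiationContext.isEstablished()
                    ? negotiationContext.createSuccess(exchange)
                    : new Authenticator.Retry(Constants.UNAUTHORIZED);
        }
    }

    /**
     * Per-connection negotiation state: the acceptor {@link GSSContext} and, once the peer has
     * been authorized, the cached {@link Authenticator.Success} returned for every further
     * request on that connection.
     */
    private final class NegotiationContext {
        private GSSContext gssContext;
        /** Set only after the realm's authorization callback accepted the peer. */
        private Authenticator.Success success;

        private NegotiationContext() {
        }

        GSSContext getGssContext() {
            return gssContext;
        }

        void setGssContext(GSSContext gssContext) {
            this.gssContext = gssContext;
        }

        /** True once a GSS context exists and reports itself established. */
        boolean isEstablished() {
            return gssContext != null && gssContext.isEstablished();
        }

        /**
         * Turns the established context into an authentication result.
         * <p>
         * The peer's GSS source name is checked with the realm's Kerberos
         * {@link AuthorizingCallbackHandler} via an {@link AuthorizeCallback}; on acceptance a
         * {@link SubjectHttpPrincipal} backed by the realm's Subject is built and the resulting
         * {@code Success} is cached. A denial returns a {@code Failure} and caches nothing, so
         * every further request on this connection is re-evaluated (and denied again) instead of
         * being answered from a cached {@code Success}.
         *
         * @param exchange the current exchange, used to attach the client's inet principal
         * @return the cached or newly created {@code Success}, or a {@code Failure} carrying
         *         {@link Constants#INTERNAL_SERVER_ERROR} when authorization is denied or fails
         */
        Authenticator.Result createSuccess(HttpExchange exchange) {
            assert isEstablished();
            if (success != null) {
                HttpServerLogger.ROOT_LOGGER.trace("Returning existing Success and identity");
                return success;
            }
            try {
                String name = gssContext.getSrcName().toString();
                AuthorizingCallbackHandler handler =
                        securityRealm.getAuthorizingCallbackHandler(AuthenticationMechanism.KERBEROS);
                AuthorizeCallback authorize = new AuthorizeCallback(name, name);
                handler.handle(new Callback[] { authorize });
                if (!authorize.isAuthorized()) {
                    // Status code preserved from the original; nothing is cached on denial.
                    HttpServerLogger.ROOT_LOGGER.debugf("Callback handler denied authorization for '%s'", name);
                    return new Authenticator.Failure(Constants.INTERNAL_SERVER_ERROR);
                }

                SubjectHttpPrincipal principal = new SubjectHttpPrincipal(name, securityRealm.getName());
                Set<Principal> principals = new HashSet<Principal>();
                principals.add(principal);
                Subject subject = handler.createSubjectUserInfo(principals).getSubject();
                PrincipalUtil.addInetPrincipal(exchange, subject.getPrincipals());
                principal.setSubject(subject);

                success = new Authenticator.Success(principal);
                return success;
            } catch (IOException e) {
                HttpServerLogger.ROOT_LOGGER.debug("Unable to create SubjectUserInfo", e);
                return new Authenticator.Failure(Constants.INTERNAL_SERVER_ERROR);
            } catch (UnsupportedCallbackException e) {
                HttpServerLogger.ROOT_LOGGER.debug("Unable to perform authorization check", e);
                return new Authenticator.Failure(Constants.INTERNAL_SERVER_ERROR);
            } catch (GSSException e) {
                HttpServerLogger.ROOT_LOGGER.debug("Unable to create SubjectUserInfo", e);
                return new Authenticator.Failure(Constants.INTERNAL_SERVER_ERROR);
            }
        }
    }
}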
