package org.jboss.security.negotiation;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.Principal;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Realm;
import org.apache.catalina.Session;
import org.apache.catalina.Valve;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.util.Base64;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.CharChunk;
import org.apache.tomcat.util.buf.MessageBytes;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.jboss.logging.Logger;
import org.jboss.security.negotiation.common.MessageTrace;
import org.jboss.security.negotiation.common.NegotiationContext;
import org.jboss.servlet.http.HttpEvent;

/* loaded from: input_file:org/jboss/security/negotiation/NegotiationAuthenticator.class */
/**
 * Authenticator valve that performs SPNEGO ("Negotiate") authentication with an optional
 * fall-back to HTTP Basic, while keeping the FORM login flow of {@link FormAuthenticator}
 * for {@code j_security_check} submissions.
 * <p>
 * After a successful Negotiate exchange whose GSS context carries delegation state, the
 * delegated credential is stored as a session note and republished for every request by
 * {@link WrapperValve} through {@link DelegationCredentialManager}.
 * <p>
 * This is a decompiled listing: local names such as {@code str} or {@code parameter2} and the
 * {@code JADX} markers come from the decompiler, not from the original source.
 */
public class NegotiationAuthenticator extends FormAuthenticator {
    /** Context init-parameter name; the Basic fall-back is enabled when its value parses as {@code true} (see {@link #basicSupported()}). */
    public static final String BASIC_KEY = NegotiationAuthenticator.class.getName() + ".BasicAuthFallBack";
    private static final Logger log = Logger.getLogger(NegotiationAuthenticator.class);
    /** Scheme token used in the {@code Authorization} / {@code WWW-Authenticate} headers for SPNEGO. */
    private static final String NEGOTIATE = "Negotiate";
    /** Scheme token used for the HTTP Basic fall-back. */
    private static final String BASIC = "Basic";
    /** Session note key holding the per-session {@link NegotiationContext}. */
    private static final String NEGOTIATION_CONTEXT = "NEGOTIATION_CONTEXT";
    /** Session note key holding the delegated {@link GSSCredential}, when one was obtained. */
    private static final String DELEGATION_CREDENTIAL = "DELEGATION_CREDENTIAL";
    /** Auth-method name passed to {@code register} on the FORM login path. */
    private static final String FORM_METHOD = "FORM";

    /* loaded from: input_file:org/jboss/security/negotiation/NegotiationAuthenticator$DelegationCredentialManager.class */
    /**
     * Thin accessor over the {@code currentCredential} holder inherited from
     * {@link DelegationCredentialContext}, so this authenticator can publish and clear the
     * delegated credential of the current request without widening the parent's API.
     * {@code currentCredential} itself is declared in the parent and is not visible in this file;
     * its set/remove usage suggests a thread-local holder — confirm against the parent class.
     */
    private static class DelegationCredentialManager extends DelegationCredentialContext {
        private DelegationCredentialManager() {
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** Publishes {@code gSSCredential} (may be {@code null}) into the inherited holder. */
        public static void setDelegationCredential(GSSCredential gSSCredential) {
            currentCredential.set(gSSCredential);
        }

        /* JADX INFO: Access modifiers changed from: private */
        /** Clears whatever {@link #setDelegationCredential} published. */
        public static void removeDelegationCredential() {
            currentCredential.remove();
        }
    }

    /* loaded from: input_file:org/jboss/security/negotiation/NegotiationAuthenticator$WrapperValve.class */
    /**
     * Decorates the next valve in the pipeline so that, for the duration of each request, the
     * delegated credential stored in the session (if any) is published via
     * {@link DelegationCredentialManager} and unconditionally cleared afterwards.
     * All other {@link Valve} methods simply delegate to the wrapped valve.
     */
    private static class WrapperValve implements Valve {
        private Valve nextValve;

        private WrapperValve(Valve valve) {
            this.nextValve = valve;
        }

        /** Delegates to the wrapped valve. */
        public String getInfo() {
            return this.nextValve.getInfo();
        }

        /** Returns the wrapped valve. */
        public Valve getNext() {
            return this.nextValve;
        }

        /** Replaces the wrapped valve. */
        public void setNext(Valve valve) {
            this.nextValve = valve;
        }

        /** Delegates to the wrapped valve. */
        public void backgroundProcess() {
            this.nextValve.backgroundProcess();
        }

        /**
         * Publishes the session's {@code DELEGATION_CREDENTIAL} note ({@code null} when there is no
         * session or no note), invokes the wrapped valve, and clears the credential in
         * {@code finally} so it never stays published once this request has completed.
         *
         * @throws IOException      propagated from the wrapped valve
         * @throws ServletException propagated from the wrapped valve
         */
        public void invoke(Request request, Response response) throws IOException, ServletException {
            // getSessionInternal(false) never creates a session; no session simply means no credential.
            Session sessionInternal = request.getSessionInternal(false);
            try {
                DelegationCredentialManager.setDelegationCredential(sessionInternal != null ? (GSSCredential) sessionInternal.getNote(NegotiationAuthenticator.DELEGATION_CREDENTIAL) : null);
                this.nextValve.invoke(request, response);
            } finally {
                DelegationCredentialManager.removeDelegationCredential();
            }
        }

        /** Delegates to the wrapped valve; no credential is published for events. */
        public void event(Request request, Response response, HttpEvent httpEvent) throws IOException, ServletException {
            this.nextValve.event(request, response, httpEvent);
        }
    }

    /** Scheme token for the SPNEGO challenge; overridable by subclasses. */
    protected String getNegotiateScheme() {
        return NEGOTIATE;
    }

    /** Scheme token for the Basic fall-back; overridable by subclasses. */
    protected String getBasicScheme() {
        return BASIC;
    }

    /* JADX WARN: Finally extract failed */
    /**
     * Authenticates the request, trying in order: an already-authenticated principal (restoring a
     * saved request when this is the replayed one), SSO re-authentication, a FORM
     * {@code j_security_check} submission, and finally the {@code Authorization} header — a
     * Negotiate token is handed to the realm through the session's {@link NegotiationContext},
     * a Basic header goes to {@link #handleBasic}.
     *
     * @param request             the current request
     * @param httpServletResponse the response to challenge, redirect or error on
     * @param loginConfig         the web application's login configuration (login/error page, realm name)
     * @return {@code true} when the request is authenticated and may proceed; {@code false} when a
     *         challenge, redirect or error page has been written instead
     * @throws IOException on I/O failure, on an {@code Authorization} header that is neither
     *         Negotiate nor (accepted) Basic, on an unsupported mechanism while the Basic fall-back
     *         is disabled, when forwarding/including a page fails, or when the negotiation layer
     *         throws {@link NegotiationException}
     */
    public boolean authenticate(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        boolean isDebugEnabled = log.isDebugEnabled();
        log.trace("Authenticating user");
        Principal userPrincipal = request.getUserPrincipal();
        // SSO session id note; presumably set by a SingleSignOn valve earlier in the pipeline.
        String str = (String) request.getNote("org.apache.catalina.request.SSOID");
        if (userPrincipal != null) {
            if (log.isTraceEnabled()) {
                log.trace("Already authenticated '" + userPrincipal.getName() + "'");
            }
            if (str != null) {
                associate(str, request.getSessionInternal(true));
            }
            // matchRequest/restoreRequest are inherited: replay the request saved before the login page.
            if (!matchRequest(request)) {
                return true;
            }
            Session sessionInternal = request.getSessionInternal(true);
            log.trace("Restore request from session '" + sessionInternal.getIdInternal() + "'");
            restoreRequest(request, sessionInternal);
            return true;
        }
        if (str != null) {
            log.trace("SSO Id " + str + " set; attempting reauthentication");
            if (reauthenticateFromSSO(str, request)) {
                return true;
            }
        }
        String contextPath = request.getContextPath();
        String decodedRequestURI = request.getDecodedRequestURI();
        // FORM login submission: credentials come straight from the j_username/j_password parameters.
        if (decodedRequestURI.startsWith(contextPath) && decodedRequestURI.endsWith("/j_security_check")) {
            Realm realm = this.context.getRealm();
            String parameter = request.getParameter("j_username");
            String parameter2 = request.getParameter("j_password");
            Principal authenticate = realm.authenticate(parameter, parameter2);
            if (authenticate == null) {
                try {
                    this.context.getServletContext().getRequestDispatcher(loginConfig.getErrorPage()).forward(request.getRequest(), httpServletResponse);
                    return false;
                } catch (ServletException e) {
                    // initCause instead of a constructor argument: IOException(String, Throwable) is Java 6+.
                    IOException iOException = new IOException("Unable to forward to error page.");
                    iOException.initCause(e);
                    throw iOException;
                }
            }
            Session sessionInternal2 = request.getSessionInternal();
            String savedRequestURL = savedRequestURL(sessionInternal2);
            // Mirrors Tomcat's FormAuthenticator: principal, username and the submitted password are
            // kept as session notes. The password note holds the raw submitted value, so any session
            // persistence or replication carries it along.
            sessionInternal2.setNote("org.apache.catalina.authenticator.PRINCIPAL", authenticate);
            sessionInternal2.setNote("org.apache.catalina.session.USERNAME", parameter);
            sessionInternal2.setNote("org.apache.catalina.session.PASSWORD", parameter2);
            register(request, httpServletResponse, authenticate, FORM_METHOD, parameter, parameter2);
            // Back to the URL that was saved before the login page was shown.
            httpServletResponse.sendRedirect(httpServletResponse.encodeRedirectURL(savedRequestURL));
            return false;
        }
        String negotiateScheme = getNegotiateScheme();
        // NOTE(security): the raw Authorization header is written to the log at DEBUG. With the Basic
        // fall-back that header is base64(user:password), so DEBUG logging of this class exposes
        // credentials in log files.
        if (isDebugEnabled) {
            log.debug("Header - " + request.getHeader("Authorization"));
        }
        String header = request.getHeader("Authorization");
        if (header == null) {
            log.debug("No Authorization Header, initiating negotiation");
            initiateNegotiation(request, httpServletResponse, loginConfig);
            return false;
        }
        // String.startsWith is case-sensitive here, whereas the ByteChunk check below ignores case.
        if (!header.startsWith(negotiateScheme + " ")) {
            String basicScheme = getBasicScheme();
            if (header.startsWith(basicScheme + " ")) {
                // Re-read the header from the Coyote request, skip the scheme prefix by moving the chunk
                // offset, base64-decode into the CharChunk, then put the offset back.
                MessageBytes value = request.getCoyoteRequest().getMimeHeaders().getValue("Authorization");
                value.toBytes();
                ByteChunk byteChunk = value.getByteChunk();
                if (byteChunk.startsWithIgnoreCase(basicScheme + " ", 0)) {
                    int length = basicScheme.length() + 1;
                    byteChunk.setOffset(byteChunk.getOffset() + length);
                    CharChunk charChunk = value.getCharChunk();
                    Base64.decode(byteChunk, charChunk);
                    boolean handleBasic = handleBasic(request, httpServletResponse, charChunk);
                    byteChunk.setOffset(byteChunk.getOffset() - length);
                    return handleBasic;
                }
            }
            // Any other scheme (or a Basic header that fails the byte-level check) is rejected outright.
            throw new IOException("Invalid 'Authorization' header.");
        }
        // Negotiate token: everything after "Negotiate ".
        String substring = header.substring(negotiateScheme.length() + 1);
        // NOTE(review): behaviour of this decoder on malformed input is not visible here; a null
        // result would make the ByteArrayInputStream constructor below throw NPE — confirm.
        byte[] decode = org.picketbox.commons.cipher.Base64.decode(substring);
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(decode);
        // Trace-level dump of the client token in base64 and hex.
        MessageTrace.logRequestBase64(substring);
        MessageTrace.logRequestHex(decode);
        Session sessionInternal3 = request.getSessionInternal();
        NegotiationContext negotiationContext = (NegotiationContext) sessionInternal3.getNote(NEGOTIATION_CONTEXT);
        if (negotiationContext == null) {
            log.debug("Creating new NegotiationContext");
            negotiationContext = new NegotiationContext();
            sessionInternal3.setNote(NEGOTIATION_CONTEXT, negotiationContext);
        }
        String username = negotiationContext.getUsername();
        if (username == null || username.length() == 0) {
            // Synthetic user name (session id + timestamp), handed to the realm below with a null
            // password; presumably the login module uses it only as a key for the associated
            // context rather than as a real principal name — verify against the login module.
            username = sessionInternal3.getId() + "_" + String.valueOf(System.currentTimeMillis());
            negotiationContext.setUsername(username);
        }
        try {
            try {
                // associate() makes the context reachable by the realm; the mechanism is not visible here.
                negotiationContext.associate();
                MessageFactory newInstance = MessageFactory.newInstance();
                if (!newInstance.accepts(byteArrayInputStream)) {
                    // Token not recognised by any supported mechanism: reject, or re-challenge with Basic.
                    if (!basicSupported()) {
                        throw new IOException("Unsupported negotiation mechanism.");
                    }
                    initiateBasic(request, httpServletResponse, loginConfig);
                    httpServletResponse.sendError(401);
                    httpServletResponse.flushBuffer();
                    // Result discarded in the decompiled output — confirm intent against the original source.
                    negotiationContext.isContinuationRequired();
                    negotiationContext.clear();
                    return false;
                }
                NegotiationMessage createMessage = newInstance.createMessage(byteArrayInputStream);
                // NTLM tokens are not processed here; with the fall-back enabled the client is
                // re-challenged with Basic instead.
                if ("NTLM".equals(createMessage.getMessageType()) && basicSupported()) {
                    initiateBasic(request, httpServletResponse, loginConfig);
                    httpServletResponse.sendError(401);
                    httpServletResponse.flushBuffer();
                    negotiationContext.isContinuationRequired();
                    negotiationContext.clear();
                    return false;
                }
                negotiationContext.setRequestMessage(createMessage);
                // The realm receives the synthetic user name and no password; the token travels via the context.
                Principal authenticate2 = this.context.getRealm().authenticate(username, (String) null);
                String authenticationMethod = negotiationContext.getAuthenticationMethod();
                if (isDebugEnabled && authenticate2 != null) {
                    log.debug("authenticated principal = " + authenticate2);
                }
                NegotiationMessage responseMessage = negotiationContext.getResponseMessage();
                if (responseMessage != null) {
                    ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                    // The boolean presumably selects base64 output (the value is logged as base64 and
                    // sent in a header); toString() uses the platform default charset.
                    responseMessage.writeTo(byteArrayOutputStream, true);
                    String byteArrayOutputStream2 = byteArrayOutputStream.toString();
                    MessageTrace.logResponseBase64(byteArrayOutputStream2);
                    httpServletResponse.setHeader("WWW-Authenticate", negotiateScheme + " " + byteArrayOutputStream2);
                }
                // Read the continuation flag before the per-request state is cleared.
                boolean isContinuationRequired = negotiationContext.isContinuationRequired();
                negotiationContext.clear();
                if (authenticate2 != null) {
                    // Keep the delegated credential (if the client delegated) for WrapperValve to publish.
                    Object schemeContext = negotiationContext.getSchemeContext();
                    if (schemeContext instanceof GSSContext) {
                        GSSContext gSSContext = (GSSContext) schemeContext;
                        if (gSSContext.getCredDelegState()) {
                            try {
                                sessionInternal3.setNote(DELEGATION_CREDENTIAL, gSSContext.getDelegCred());
                            } catch (GSSException e2) {
                                // Best effort: authentication still succeeds without the delegated credential.
                                log.warn("Unable to obtain delegation credential.", e2);
                            }
                        }
                    }
                    register(request, httpServletResponse, authenticate2, authenticationMethod, username, null);
                } else if (isContinuationRequired) {
                    // Multi-round exchange: the WWW-Authenticate header set above carries the next token.
                    log.debug("Continuation required...sendError(SC_UNAUTHORIZED)");
                    httpServletResponse.sendError(401);
                } else {
                    log.debug("SPNEGO based authentication failed...initiating negotiation");
                    initiateNegotiation(request, httpServletResponse, loginConfig);
                }
                return authenticate2 != null;
            } catch (NegotiationException e3) {
                IOException iOException2 = new IOException("Error processing " + negotiateScheme + " header.");
                iOException2.initCause(e3);
                throw iOException2;
            }
        } catch (Throwable th) {
            // Same cleanup as the normal path, then rethrow unchanged.
            negotiationContext.isContinuationRequired();
            negotiationContext.clear();
            throw th;
        }
    }

    /**
     * Whether the Basic fall-back is enabled for this web application, i.e. the {@link #BASIC_KEY}
     * context parameter parses as {@code true} (absent or anything else yields {@code false}).
     */
    private boolean basicSupported() {
        return Boolean.parseBoolean(this.context.findParameter(BASIC_KEY));
    }

    /**
     * Adds a {@code WWW-Authenticate: Basic realm="..."} challenge. The realm is the configured
     * realm name upper-cased, or {@code host:port} of the request when none is configured.
     * Uses {@code addHeader}, so it coexists with a Negotiate challenge already set.
     */
    private void initiateBasic(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        StringBuilder sb = new StringBuilder();
        sb.append(getBasicScheme());
        sb.append(" realm=\"");
        if (loginConfig.getRealmName() == null) {
            sb.append(request.getServerName());
            sb.append(':');
            sb.append(Integer.toString(request.getServerPort()));
        } else {
            sb.append(loginConfig.getRealmName().toUpperCase());
        }
        sb.append("\"");
        httpServletResponse.addHeader("WWW-Authenticate", sb.toString());
    }

    /**
     * Handles an already base64-decoded Basic credential ({@code user:password}) and registers the
     * principal on success. Without a colon the whole chunk is the user name and the password is
     * {@code null}.
     *
     * @param charChunk the decoded credential; indexing assumes the chunk's start offset is 0,
     *                  as in Tomcat's BasicAuthenticator of the same era — confirm
     * @return {@code true} when the realm accepted the credential; {@code false} after a 401 was
     *         sent, or when the realm threw
     */
    protected boolean handleBasic(Request request, HttpServletResponse httpServletResponse, CharChunk charChunk) {
        String str;
        String str2 = null;
        int indexOf = charChunk.indexOf(':');
        if (indexOf < 0) {
            str = charChunk.toString();
        } else {
            char[] buffer = charChunk.getBuffer();
            str = new String(buffer, 0, indexOf);
            str2 = new String(buffer, indexOf + 1, (charChunk.getEnd() - indexOf) - 1);
        }
        try {
            Principal authenticate = this.context.getRealm().authenticate(str, str2);
            if (authenticate == null) {
                httpServletResponse.sendError(401);
                return false;
            }
            register(request, httpServletResponse, authenticate, getBasicScheme(), str, str2);
            return true;
        } catch (Exception e) {
            // NOTE(review): this path returns false without sending any status or challenge, unlike
            // the null-principal branch above — confirm how the caller treats a false return here.
            log.info("Could not verify password - wrong password given or maybe LoginModule is misconfigured!", e);
            return false;
        }
    }

    /**
     * Sends the initial Negotiate challenge. With a configured login page the original request is
     * saved and the page is included with status 401; otherwise a bare 401 is sent, with an extra
     * Basic challenge when the fall-back is enabled. The response is flushed either way.
     *
     * @throws IOException on I/O failure or when including the login page fails
     */
    private void initiateNegotiation(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        String loginPage = loginConfig.getLoginPage();
        if (loginPage != null) {
            RequestDispatcher requestDispatcher = this.context.getServletContext().getRequestDispatcher(loginPage);
            try {
                saveRequest(request, request.getSessionInternal());
                // NOTE(review): header, status and content type are set after the include; if the
                // included page already committed the response they would have no effect — confirm.
                requestDispatcher.include(request.getRequest(), httpServletResponse);
                httpServletResponse.setHeader("WWW-Authenticate", getNegotiateScheme());
                httpServletResponse.setStatus(401);
                httpServletResponse.setContentType("text/html");
            } catch (ServletException e) {
                IOException iOException = new IOException("Unable to include loginPage");
                iOException.initCause(e);
                throw iOException;
            }
        } else {
            // Negotiate is set first; initiateBasic adds a second WWW-Authenticate value when enabled.
            httpServletResponse.setHeader("WWW-Authenticate", getNegotiateScheme());
            if (basicSupported()) {
                initiateBasic(request, httpServletResponse, loginConfig);
            }
            httpServletResponse.sendError(401);
        }
        httpServletResponse.flushBuffer();
    }

    /**
     * Installs the next valve wrapped in {@link WrapperValve}, so that the delegated credential
     * stored in the session is published for downstream valves on every request.
     */
    public void setNext(Valve valve) {
        super.setNext(new WrapperValve(valve));
    }
}
