package org.nuxeo.ecm.platform.ui.web.auth.krb5;

import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
import org.nuxeo.ecm.platform.web.common.vh.VirtualHostHelper;

/* loaded from: input_file:org/nuxeo/ecm/platform/ui/web/auth/krb5/Krb5Authenticator.class */
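public class Krb5Authenticator implements NuxeoAuthenticationPlugin {

    /** Session attribute carrying a not-yet-established GSS context between SPNEGO round trips. */
    private static final String CONTEXT_ATTRIBUTE = "Krb5Authenticator_context";

    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";

    private static final String AUTHORIZATION = "Authorization";

    private static final String NEGOTIATE = "Negotiate";

    /** Clients that cannot do SPNEGO send this header to be routed to another authentication plugin. */
    private static final String SKIP_KERBEROS = "X-Skip-Kerberos";

    /** SPNEGO pseudo-mechanism OID. */
    private static final String SPNEGO_MECH_OID = "1.3.6.1.5.5.2";

    /** Kerberos V5 mechanism OID. */
    private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

    private static final Log logger = LogFactory.getLog(Krb5Authenticator.class);

    private static final GSSManager MANAGER = GSSManager.getInstance();

    private LoginContext loginContext = null;

    /** Acceptor credential obtained in {@link #initPlugin(Map)}; only read under {@code synchronized (this)}. */
    private GSSCredential serverCredential = null;

    /** Set when initialization failed; written once at init, read on every request without a lock. */
    private volatile boolean disabled = false;

    /** Obtains the accept-only credential for the service principal of the JAAS subject this runs under. */
    private final PrivilegedExceptionAction<GSSCredential> getServerCredential = new PrivilegedExceptionAction<GSSCredential>() {
        @Override
        public GSSCredential run() throws GSSException {
            Oid[] mechs = { new Oid(SPNEGO_MECH_OID), new Oid(KRB5_MECH_OID) };
            return MANAGER.createCredential((GSSName) null, GSSCredential.DEFAULT_LIFETIME, mechs,
                    GSSCredential.ACCEPT_ONLY);
        }
    };

    /**
     * {@inheritDoc}
     *
     * @return {@code null}: this plugin declares no URL prefixes that bypass authentication
     */
    public List<String> getUnAuthenticatedURLPrefix() {
        return null;
    }

    /**
     * Challenges the client for SPNEGO with {@code 401} / {@code WWW-Authenticate: Negotiate}. The
     * {@code Refresh} header sends clients that do not answer the challenge to the form login page.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response to write the challenge to
     * @param str unused
     * @return {@code true}: the response has been fully written by this plugin
     */
    public Boolean handleLoginPrompt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse,
            String str) {
        logger.debug("Sending login prompt...");
        // A pending round trip may already have set a "Negotiate <token>" challenge; do not overwrite it.
        if (httpServletResponse.getHeader(WWW_AUTHENTICATE) == null) {
            httpServletResponse.setHeader(WWW_AUTHENTICATE, NEGOTIATE);
        }
        httpServletResponse.setHeader("Refresh",
                String.format("1;url=/%s/login.jsp", VirtualHostHelper.getWebAppName(httpServletRequest)));
        httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        httpServletResponse.setContentLength(0);
        try {
            httpServletResponse.flushBuffer();
        } catch (IOException e) {
            logger.warn("Cannot flush response", e);
        }
        return Boolean.TRUE;
    }

    /**
     * Consumes the {@code Authorization: Negotiate <token>} header, driving the SPNEGO exchange to
     * completion. Intermediate GSS contexts are parked in the HTTP session until they are established.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response, used to return the acceptor's token on multi-leg exchanges
     * @return the identity of the authenticated principal, or {@code null} when the plugin is disabled, no
     *         well-formed Negotiate header is present, another round trip is needed, or the token is rejected
     */
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpServletRequest,
            HttpServletResponse httpServletResponse) {
        if (this.disabled) {
            // No acceptor credential was obtained: do not run client tokens through a default-credential context.
            return null;
        }
        String header = httpServletRequest.getHeader(AUTHORIZATION);
        if (header == null) {
            return null;
        }
        // Require the scheme *and* its separator: a bare "Negotiate" or "NegotiateXYZ" is rejected here instead
        // of throwing out of substring() below.
        if (!header.startsWith(NEGOTIATE + " ")) {
            // Log only the scheme: a header for another scheme (e.g. Basic) carries credentials.
            logger.warn("Received invalid Authorization header (expected: Negotiate then SPNEGO blob), scheme: "
                    + authScheme(header));
            return null;
        }
        byte[] inToken = Base64.decodeBase64(header.substring(NEGOTIATE.length() + 1));
        try {
            GSSContext context;
            byte[] outToken;
            // The acceptor credential is shared by all requests; serialize its use.
            synchronized (this) {
                context = (GSSContext) httpServletRequest.getSession().getAttribute(CONTEXT_ATTRIBUTE);
                if (context == null) {
                    context = MANAGER.createContext(this.serverCredential);
                }
                outToken = context.acceptSecContext(inToken, 0, inToken.length);
            }
            if (!context.isEstablished()) {
                // Multi-leg exchange: park the context and hand the acceptor's token back to the client.
                httpServletRequest.getSession().setAttribute(CONTEXT_ATTRIBUTE, context);
                if (outToken != null) {
                    httpServletResponse.setHeader(WWW_AUTHENTICATE,
                            NEGOTIATE + " " + Base64.encodeBase64String(outToken));
                }
                return null;
            }
            UserIdentificationInfo identity = identityOf(context);
            httpServletRequest.getSession().removeAttribute(CONTEXT_ATTRIBUTE);
            return identity;
        } catch (GSSException e) {
            // Drop any half-built context so the next attempt starts the exchange over.
            httpServletRequest.getSession().removeAttribute(CONTEXT_ATTRIBUTE);
            logger.error("Cannot accept provided security token", e);
            return null;
        }
    }

    /**
     * Maps the established context's initiator to an identity handled by the trusting login module.
     * Only the part of the principal name before the first {@code @} is kept: the realm is dropped, so
     * same-named principals from different realms accepted by the KDC map to the same local user.
     *
     * @throws GSSException if the initiator name cannot be read from the context
     */
    private static UserIdentificationInfo identityOf(GSSContext context) throws GSSException {
        String principal = context.getSrcName().toString();
        UserIdentificationInfo info = new UserIdentificationInfo(principal.split("@")[0], "Trust");
        info.setLoginPluginName("Trusting_LM");
        return info;
    }

    /** Returns the scheme token of an Authorization header value (the part before the first space). */
    private static String authScheme(String header) {
        int end = header.indexOf(' ');
        return end < 0 ? header : header.substring(0, end);
    }

    /**
     * Logs the service principal in through the JAAS configuration entry named {@code Nuxeo} and obtains
     * the acceptor credential. On any failure the plugin disables itself instead of failing startup.
     *
     * @param map plugin parameters (unused)
     */
    public void initPlugin(Map<String, String> map) {
        try {
            this.loginContext = new LoginContext("Nuxeo");
            this.loginContext.login();
            this.serverCredential = Subject.doAs(this.loginContext.getSubject(), this.getServerCredential);
            logger.debug("Successfully initialized Kerberos auth module");
        } catch (PrivilegedActionException e) {
            logger.error("Cannot get server credentials, disabling Kerberos module", e);
            this.disabled = true;
        } catch (LoginException e) {
            logger.error("Cannot create LoginContext, disabling Kerberos module", e);
            this.disabled = true;
        }
    }

    /**
     * @param httpServletRequest the current request
     * @return whether to send the SPNEGO challenge: only when the plugin initialized and the client did
     *         not opt out with {@code X-Skip-Kerberos}
     */
    public Boolean needLoginPrompt(HttpServletRequest httpServletRequest) {
        return Boolean.valueOf(!this.disabled && httpServletRequest.getHeader(SKIP_KERBEROS) == null);
    }
}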
