package org.apache.catalina.authenticator;

import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Globals;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.startup.Bootstrap;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.codec.binary.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* JADX WARN: Classes with same name are omitted:
  input_file:jars/1.7/rmsis-launcher-0.1.jar:org/apache/catalina/authenticator/SpnegoAuthenticator.class
 */
/* loaded from: input_file:jars/1.8/rmsis-launcher-0.1.jar:org/apache/catalina/authenticator/SpnegoAuthenticator.class */
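/**
 * Authenticator valve that implements HTTP {@code Negotiate} (SPNEGO) authentication.
 *
 * <p>The service first logs in through JAAS using the configured login module name, then
 * accepts the client-supplied GSS-API token under the resulting {@link Subject}, and finally
 * asks the context's {@link Realm} to map the established {@link GSSContext} to a
 * {@link Principal}.
 *
 * <p>Everything read from the {@code Authorization} and {@code User-Agent} headers is
 * client-controlled and is treated as untrusted until the GSS context accepts the token.
 */
public class SpnegoAuthenticator extends AuthenticatorBase {
    private static final Log log = LogFactory.getLog(SpnegoAuthenticator.class);

    /** Authorization scheme prefix, matched case-insensitively, including the separator. */
    private static final String NEGOTIATE_PREFIX = "negotiate ";

    /** Object identifier of the SPNEGO GSS-API mechanism. */
    private static final String SPNEGO_MECHANISM_OID = "1.3.6.1.5.5.2";

    /** Name of the JAAS login configuration entry used for the service login. */
    private String loginConfigName = Constants.DEFAULT_LOGIN_MODULE_NAME;

    // Passed straight through to Realm.authenticate(); defaults to true.
    // NOTE(review): presumably this keeps the client's delegated credential with the
    // authenticated principal. Confirm against the realm and disable it where delegation
    // is not needed, since a stored credential widens what a compromised session exposes.
    private boolean storeDelegatedCredential = true;

    // Optional pattern applied to the client-supplied User-Agent header after a successful
    // login. It comes from configuration, but the text it is matched against does not, so
    // keep the expression simple enough that matching cost stays bounded.
    private Pattern noKeepAliveUserAgents = null;

    /**
     * Privileged action that feeds the decoded client token to the GSS context.
     */
    private static class AcceptAction implements PrivilegedExceptionAction<byte[]> {
        private final GSSContext gssContext;
        private final byte[] decoded;

        AcceptAction(GSSContext gSSContext, byte[] bArr) {
            this.gssContext = gSSContext;
            this.decoded = bArr;
        }

        /**
         * @return the token to send back to the client, or {@code null} if there is none
         * @throws GSSException if the context rejects the token
         */
        @Override
        public byte[] run() throws GSSException {
            return this.gssContext.acceptSecContext(this.decoded, 0, this.decoded.length);
        }
    }

    /**
     * Privileged action that asks the realm to turn the GSS context into a principal.
     */
    private static class AuthenticateAction implements PrivilegedAction<Principal> {
        private final Realm realm;
        private final GSSContext gssContext;
        private final boolean storeDelegatedCredential;

        public AuthenticateAction(Realm realm, GSSContext gSSContext, boolean z) {
            this.realm = realm;
            this.gssContext = gSSContext;
            this.storeDelegatedCredential = z;
        }

        /**
         * @return the principal chosen by the realm, or {@code null} if it rejects the context
         */
        @Override
        public Principal run() {
            return this.realm.authenticate(this.gssContext, this.storeDelegatedCredential);
        }
    }

    /** @return the JAAS login configuration entry name used for the service login */
    public String getLoginConfigName() {
        return this.loginConfigName;
    }

    /** @param str the JAAS login configuration entry name to use for the service login */
    public void setLoginConfigName(String str) {
        this.loginConfigName = str;
    }

    /** @return the flag that is handed to the realm together with the GSS context */
    public boolean isStoreDelegatedCredential() {
        return this.storeDelegatedCredential;
    }

    /** @param z the flag to hand to the realm together with the GSS context */
    public void setStoreDelegatedCredential(boolean z) {
        this.storeDelegatedCredential = z;
    }

    /**
     * @return the source text of the configured User-Agent pattern, or {@code null} if none
     *     is configured
     */
    public String getNoKeepAliveUserAgents() {
        Pattern configured = this.noKeepAliveUserAgents;
        return configured == null ? null : configured.pattern();
    }

    /**
     * Sets the User-Agent pattern for which keep-alive is switched off after authentication.
     *
     * @param str a regular expression; {@code null} or the empty string clears the setting
     * @throws java.util.regex.PatternSyntaxException if the expression does not compile
     */
    public void setNoKeepAliveUserAgents(String str) {
        if (str == null || str.isEmpty()) {
            this.noKeepAliveUserAgents = null;
            return;
        }
        this.noKeepAliveUserAgents = Pattern.compile(str);
    }

    @Override
    protected String getAuthMethod() {
        return Constants.SPNEGO_METHOD;
    }

    @Override
    public String getInfo() {
        return "org.apache.catalina.authenticator.SpnegoAuthenticator/1.0";
    }

    /**
     * Points the Kerberos and JAAS configuration system properties at files under the
     * Catalina base directory when they have not been set already.
     *
     * <p>System properties are JVM-wide, so the defaults chosen here apply to every Kerberos
     * or JAAS consumer in the process, not only to this valve.
     *
     * <p>NOTE(review): the decompiler reports that it widened this method from
     * {@code protected}; the visibility is left as found.
     *
     * @throws LifecycleException if the superclass initialisation fails
     */
    @Override
    public void initInternal() throws LifecycleException {
        super.initInternal();
        defaultToCatalinaBaseFile(Constants.KRB5_CONF_PROPERTY, Constants.DEFAULT_KRB5_CONF);
        defaultToCatalinaBaseFile(Constants.JAAS_CONF_PROPERTY, Constants.DEFAULT_JAAS_CONF);
    }

    /** Sets {@code property} to the absolute path of {@code fileName} unless it is already set. */
    private static void defaultToCatalinaBaseFile(String property, String fileName) {
        if (System.getProperty(property) == null) {
            System.setProperty(property, new File(Bootstrap.getCatalinaBase(), fileName).getAbsolutePath());
        }
    }

    /** Asks the client to (re)start the Negotiate exchange: bare challenge header plus 401. */
    private void challengeNegotiate(HttpServletResponse response) throws IOException {
        response.setHeader("WWW-Authenticate", "Negotiate");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /**
     * Authenticates the request with SPNEGO.
     *
     * <p>A request that already carries a principal, or that can be re-authenticated from
     * its single-sign-on id, is accepted without looking at the {@code Authorization} header.
     * Otherwise the header must carry a non-empty Base64 Negotiate token, which is accepted
     * under the service's JAAS subject and mapped to a principal by the realm.
     *
     * <p>The GSS context is disposed and the service login context is logged out on every
     * path out of the negotiation, including failures, so that a rejected or malformed token
     * cannot leave service credentials or native GSS state behind.
     *
     * @param request the request being authenticated
     * @param httpServletResponse the response used for challenges and errors
     * @param loginConfig the login configuration of the web application (not read here)
     * @return {@code true} if the request is authenticated, {@code false} if a challenge or
     *     error has been sent
     * @throws IOException if writing the challenge or error fails
     */
    @Override
    public boolean authenticate(Request request, HttpServletResponse httpServletResponse, LoginConfig loginConfig) throws IOException {
        Principal existingPrincipal = request.getUserPrincipal();
        String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
        if (existingPrincipal != null) {
            if (log.isDebugEnabled()) {
                log.debug("Already authenticated '" + existingPrincipal.getName() + "'");
            }
            if (ssoId != null) {
                associate(ssoId, request.getSessionInternal(true));
            }
            return true;
        }

        if (ssoId != null) {
            if (log.isDebugEnabled()) {
                // NOTE(review): the SSO id identifies an authenticated session; treat debug
                // logs that contain it as sensitive.
                log.debug("SSO Id " + ssoId + " set; attempting reauthentication");
            }
            if (reauthenticateFromSSO(ssoId, request)) {
                return true;
            }
        }

        MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders().getValue("authorization");
        if (authorization == null) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("authenticator.noAuthHeader"));
            }
            challengeNegotiate(httpServletResponse);
            return false;
        }

        authorization.toBytes();
        ByteChunk headerBytes = authorization.getByteChunk();
        if (!headerBytes.startsWithIgnoreCase(NEGOTIATE_PREFIX, 0)) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.authHeaderNotNego"));
            }
            challengeNegotiate(httpServletResponse);
            return false;
        }

        // Skip the scheme so that only the Base64 token is handed to the decoder.
        headerBytes.setOffset(headerBytes.getOffset() + NEGOTIATE_PREFIX.length());
        byte[] decoded = Base64.decodeBase64(headerBytes.getBuffer(), headerBytes.getOffset(), headerBytes.getLength());
        if (decoded.length == 0) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.authHeaderNoToken"));
            }
            challengeNegotiate(httpServletResponse);
            return false;
        }

        LoginContext loginContext = null;
        GSSContext gssContext = null;
        byte[] outToken = null;
        Principal principal = null;
        try {
            try {
                loginContext = new LoginContext(getLoginConfigName());
                loginContext.login();
            } catch (LoginException e) {
                // The service itself could not log in: a server-side fault, not a client one.
                log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
                httpServletResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                return false;
            }

            Subject subject = loginContext.getSubject();
            final GSSManager manager = GSSManager.getInstance();
            final int credentialLifetime = Globals.IS_IBM_JVM
                    ? GSSCredential.INDEFINITE_LIFETIME
                    : GSSCredential.DEFAULT_LIFETIME;
            PrivilegedExceptionAction<GSSCredential> createCredential =
                    new PrivilegedExceptionAction<GSSCredential>() {
                        @Override
                        public GSSCredential run() throws GSSException {
                            // Accept-only: this credential is never used to initiate a context.
                            return manager.createCredential(null, credentialLifetime,
                                    new Oid(SPNEGO_MECHANISM_OID), GSSCredential.ACCEPT_ONLY);
                        }
                    };
            gssContext = manager.createContext(Subject.doAs(subject, createCredential));

            outToken = Subject.doAs(loginContext.getSubject(), new AcceptAction(gssContext, decoded));
            if (outToken == null) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"));
                }
                challengeNegotiate(httpServletResponse);
                return false;
            }

            principal = Subject.doAs(subject,
                    new AuthenticateAction(this.context.getRealm(), gssContext, this.storeDelegatedCredential));
        } catch (GSSException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
            }
            challengeNegotiate(httpServletResponse);
            return false;
        } catch (PrivilegedActionException e) {
            // A GSS failure inside the privileged action is logged at debug only, presumably
            // because any client can provoke it with a bad token; anything else is an error.
            if (!(e.getCause() instanceof GSSException)) {
                log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
            } else if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
            }
            challengeNegotiate(httpServletResponse);
            return false;
        } finally {
            // Release the GSS context and the service login on success and on every failure.
            if (gssContext != null) {
                try {
                    gssContext.dispose();
                } catch (GSSException ignored) {
                    // Best-effort cleanup; the outcome of the request is already decided.
                }
            }
            if (loginContext != null) {
                try {
                    loginContext.logout();
                } catch (LoginException ignored) {
                    // Best-effort cleanup; the outcome of the request is already decided.
                }
            }
        }

        // The response token goes back whether or not the realm accepts the principal.
        httpServletResponse.setHeader("WWW-Authenticate", "Negotiate " + Base64.encodeBase64String(outToken));
        if (principal == null) {
            httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        register(request, httpServletResponse, principal, Constants.SPNEGO_METHOD, principal.getName(), null);

        Pattern noKeepAlive = this.noKeepAliveUserAgents;
        if (noKeepAlive != null) {
            MessageBytes userAgent = request.getCoyoteRequest().getMimeHeaders().getValue("user-agent");
            if (userAgent != null && noKeepAlive.matcher(userAgent.toString()).matches()) {
                httpServletResponse.setHeader("Connection", "close");
            }
        }
        return true;
    }
}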
