package org.apache.catalina.authenticator;

import com.google.common.primitives.UnsignedBytes;
import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.LinkedHashMap;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Realm;
import org.apache.catalina.connector.Request;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.buf.ByteChunk;
import org.apache.tomcat.util.buf.MessageBytes;
import org.apache.tomcat.util.codec.binary.Base64;
import org.apache.tomcat.util.compat.JreVendor;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-9.0.65.jar:org/apache/catalina/authenticator/SpnegoAuthenticator.class */
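/**
 * Authenticates requests carrying an {@code Authorization: Negotiate <token>}
 * header (SPNEGO over GSS-API).
 *
 * <p>On each request the service logs in through the JAAS configuration named
 * by {@link #getLoginConfigName()}, acquires an accept-only GSS credential for
 * the SPNEGO mechanism, accepts the client's token on a fresh
 * {@link GSSContext}, and finally asks the container {@link Realm} to turn the
 * accepted context into a {@link Principal}. The {@link GSSContext} and
 * {@link LoginContext} created per request are always released, on success
 * and on every failure path.
 *
 * <p>The token arrives on an unauthenticated request and is therefore
 * untrusted; {@link SpnegoTokenFixer} parses it defensively and leaves it
 * untouched on anything malformed so that rejection is left to the GSS-API
 * provider rather than surfacing as an uncaught runtime exception.
 */
public class SpnegoAuthenticator extends AuthenticatorBase {

    private static final String AUTH_HEADER_NAME = "WWW-Authenticate";
    private static final String AUTH_HEADER_VALUE_NEGOTIATE = "Negotiate";
    /** SPNEGO mechanism OID (RFC 4178). */
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    /** Number of bytes in the {@code "negotiate "} scheme prefix of the header. */
    private static final int NEGOTIATE_PREFIX_LENGTH = 10;

    private final Log log = LogFactory.getLog(SpnegoAuthenticator.class);

    private String loginConfigName = Constants.DEFAULT_LOGIN_MODULE_NAME;
    private boolean storeDelegatedCredential = true;
    private Pattern noKeepAliveUserAgents = null;
    private boolean applyJava8u40Fix = true;

    /**
     * Accepts the client's token on a {@link GSSContext}. Wrapped as a
     * {@link PrivilegedExceptionAction} so the call can run via
     * {@link Subject#doAs} as the service's logged-in {@link Subject}.
     */
    public static class AcceptAction implements PrivilegedExceptionAction<byte[]> {

        final GSSContext gssContext;
        final byte[] decoded;

        /**
         * @param context the context on which the token is accepted
         * @param decodedToken the Base64-decoded client token
         */
        public AcceptAction(GSSContext context, byte[] decodedToken) {
            this.gssContext = context;
            this.decoded = decodedToken;
        }

        /**
         * @return the token to return to the client, or {@code null} when
         *         the context produced none
         * @throws GSSException if the provider rejects the token
         */
        @Override
        public byte[] run() throws GSSException {
            return gssContext.acceptSecContext(decoded, 0, decoded.length);
        }
    }

    /**
     * Resolves a {@link Principal} from an accepted {@link GSSContext} through
     * the container {@link Realm}, optionally asking the realm to store the
     * delegated credential on the principal.
     */
    public static class AuthenticateAction implements PrivilegedAction<Principal> {

        private final Realm realm;
        private final GSSContext gssContext;
        private final boolean storeDelegatedCredential;

        /**
         * @param realm the realm that performs the lookup
         * @param context the accepted GSS context
         * @param storeDelegatedCredential whether the realm should keep the
         *        delegated credential
         */
        public AuthenticateAction(Realm realm, GSSContext context, boolean storeDelegatedCredential) {
            this.realm = realm;
            this.gssContext = context;
            this.storeDelegatedCredential = storeDelegatedCredential;
        }

        /** @return the authenticated principal, or {@code null} if the realm rejects the context */
        @Override
        public Principal run() {
            return realm.authenticate(gssContext, storeDelegatedCredential);
        }
    }

    /**
     * Re-orders the mechType list of a SPNEGO NegTokenInit in place so that
     * the Kerberos V5 OID ({@code 1.2.840.113554.1.2.2}) is listed first.
     *
     * <p>Parsing is bounds-checked throughout: any unexpected tag, length or
     * truncation aborts the fix and leaves the token byte-for-byte unchanged.
     * The fixer never throws on malformed input, since the token is supplied
     * by an unauthenticated client.
     */
    public static class SpnegoTokenFixer {

        private static final String KRB5_MECH_OID = "1.2.840.113554.1.2.2";

        private final byte[] token;
        private int pos = 0;

        /**
         * Applies the re-ordering to {@code token} in place.
         *
         * @param token a decoded SPNEGO token; modified only if it parses
         *        cleanly up to and including the mechType list
         */
        public static void fix(byte[] token) {
            new SpnegoTokenFixer(token).fix();
        }

        private SpnegoTokenFixer(byte[] token) {
            this.token = token;
        }

        private void fix() {
            // Walk the DER wrappers down to the mechType list. Any mismatch
            // means this is not the structure we know how to fix: bail out.
            boolean atMechTypes = tag(0x60)      // [APPLICATION 0] GSS-API token wrapper
                    && length()
                    && oid(SPNEGO_OID)           // thisMech = SPNEGO
                    && tag(0xa0)                 // [0] negTokenInit
                    && length()
                    && tag(0x30)                 // SEQUENCE
                    && length()
                    && tag(0xa0)                 // [0] mechTypes
                    && lengthAsInt() >= 0
                    && tag(0x30);                // SEQUENCE OF MechType
            if (!atMechTypes) {
                return;
            }

            int mechTypesLen = lengthAsInt();
            int mechTypesStart = pos;
            // The declared list length must fit in what is left of the token
            if (mechTypesLen < 0 || mechTypesLen > token.length - mechTypesStart) {
                return;
            }
            int mechTypesEnd = mechTypesStart + mechTypesLen;

            // Record every OID as {offset, length}, preserving encounter order
            LinkedHashMap<String, int[]> mechTypeEntries = new LinkedHashMap<>();
            while (pos < mechTypesEnd) {
                int entryStart = pos;
                String mechType = oidAsString();
                if (mechType == null) {
                    return;
                }
                mechTypeEntries.put(mechType, new int[] {entryStart, pos - entryStart});
            }
            // The entries must tile the list exactly, otherwise the last OID
            // ran past the declared end
            if (pos != mechTypesEnd) {
                return;
            }

            // Rebuild the list with Kerberos first, then the rest in order
            byte[] replacement = new byte[mechTypesLen];
            int replacementPos = 0;
            int[] first = mechTypeEntries.remove(KRB5_MECH_OID);
            if (first != null) {
                System.arraycopy(token, first[0], replacement, replacementPos, first[1]);
                replacementPos += first[1];
            }
            for (int[] markers : mechTypeEntries.values()) {
                System.arraycopy(token, markers[0], replacement, replacementPos, markers[1]);
                replacementPos += markers[1];
            }
            // Duplicate OIDs collapse in the map; refuse to write a short list
            if (replacementPos != mechTypesLen) {
                return;
            }
            System.arraycopy(replacement, 0, token, mechTypesStart, mechTypesLen);
        }

        /**
         * Consumes one byte and reports whether it equals {@code expected}.
         * Returns {@code false} without consuming anything at end of token.
         */
        private boolean tag(int expected) {
            if (pos >= token.length) {
                return false;
            }
            return (token[pos++] & 0xff) == expected;
        }

        /** Consumes a length and checks that it runs exactly to the end of the token. */
        private boolean length() {
            int len = lengthAsInt();
            return len >= 0 && pos + len == token.length;
        }

        /**
         * Consumes a DER length (short or long form).
         *
         * @return the length, or {@code -1} if truncated or wider than fits
         *         an {@code int}; a negative value is also returned when a
         *         4-octet long form has its top bit set
         */
        private int lengthAsInt() {
            if (pos >= token.length) {
                return -1;
            }
            int len = token[pos++] & 0xff;
            if (len > 127) {
                // Long form: low 7 bits give the number of length octets
                int numBytes = len - 128;
                if (numBytes > 4 || numBytes > token.length - pos) {
                    return -1;
                }
                len = 0;
                for (int i = 0; i < numBytes; i++) {
                    len = (len << 8) + (token[pos++] & 0xff);
                }
            }
            return len;
        }

        /** Consumes an OID and compares it with {@code expected}. */
        private boolean oid(String expected) {
            return expected.equals(oidAsString());
        }

        /**
         * Consumes an OBJECT IDENTIFIER and renders it in dotted form.
         *
         * @return the dotted OID, or {@code null} if the next element is not
         *         an OID or its declared length exceeds the remaining token
         */
        private String oidAsString() {
            if (!tag(0x06)) {
                return null;
            }
            int len = lengthAsInt();
            if (len <= 0 || len > token.length - pos) {
                return null;
            }
            StringBuilder result = new StringBuilder();
            // The first octet packs the first two arcs as 40 * first + second
            int v = token[pos++] & 0xff;
            int second = v % 40;
            int first = (v - second) / 40;
            result.append(first).append('.').append(second);
            // Remaining arcs are base-128; the high bit flags a continuation octet
            int value = 0;
            boolean last = false;
            for (int i = 1; i < len; i++) {
                int b = token[pos++] & 0xff;
                if (b > 127) {
                    b -= 128;
                } else {
                    last = true;
                }
                value = (value << 7) + b;
                if (last) {
                    result.append('.').append(value);
                    value = 0;
                    last = false;
                }
            }
            return result.toString();
        }
    }

    /** @return the JAAS login configuration entry used for the service login */
    public String getLoginConfigName() {
        return loginConfigName;
    }

    /** @param loginConfigName the JAAS login configuration entry to use */
    public void setLoginConfigName(String loginConfigName) {
        this.loginConfigName = loginConfigName;
    }

    /** @return whether the realm is asked to keep the delegated credential */
    public boolean isStoreDelegatedCredential() {
        return storeDelegatedCredential;
    }

    /** @param storeDelegatedCredential whether the realm should keep the delegated credential */
    public void setStoreDelegatedCredential(boolean storeDelegatedCredential) {
        this.storeDelegatedCredential = storeDelegatedCredential;
    }

    /**
     * @return the regular expression matched against the User-Agent header of
     *         clients that must not get a kept-alive connection, or
     *         {@code null} if none is configured
     */
    public String getNoKeepAliveUserAgents() {
        Pattern p = noKeepAliveUserAgents;
        return p == null ? null : p.pattern();
    }

    /**
     * @param noKeepAliveUserAgents regular expression for user agents whose
     *        authenticated responses get {@code Connection: close}; an empty
     *        or {@code null} value disables the check
     */
    public void setNoKeepAliveUserAgents(String noKeepAliveUserAgents) {
        if (noKeepAliveUserAgents == null || noKeepAliveUserAgents.isEmpty()) {
            this.noKeepAliveUserAgents = null;
        } else {
            this.noKeepAliveUserAgents = Pattern.compile(noKeepAliveUserAgents);
        }
    }

    /** @return whether {@link SpnegoTokenFixer} is applied to incoming tokens */
    public boolean getApplyJava8u40Fix() {
        return applyJava8u40Fix;
    }

    /** @param applyJava8u40Fix whether {@link SpnegoTokenFixer} is applied to incoming tokens */
    public void setApplyJava8u40Fix(boolean applyJava8u40Fix) {
        this.applyJava8u40Fix = applyJava8u40Fix;
    }

    @Override
    protected String getAuthMethod() {
        return Constants.SPNEGO_METHOD;
    }

    /**
     * Points the JVM at the default Kerberos and JAAS configuration files
     * under the Catalina base directory, unless the corresponding system
     * properties were already set externally.
     */
    @Override
    public void initInternal() throws LifecycleException {
        super.initInternal();
        setDefaultSystemProperty(Constants.KRB5_CONF_PROPERTY, Constants.DEFAULT_KRB5_CONF);
        setDefaultSystemProperty(Constants.JAAS_CONF_PROPERTY, Constants.DEFAULT_JAAS_CONF);
    }

    /** Sets {@code property} to the absolute path of {@code relativeFile} under Catalina base if unset. */
    private void setDefaultSystemProperty(String property, String relativeFile) {
        if (System.getProperty(property) == null) {
            File f = new File(container.getCatalinaBase(), relativeFile);
            System.setProperty(property, f.getAbsolutePath());
        }
    }

    /**
     * Performs the SPNEGO exchange for one request.
     *
     * <p>Responds 401 with a {@code WWW-Authenticate: Negotiate} challenge when
     * the header is missing, uses another scheme, carries no token, or the
     * token is rejected; responds 500 when the service's own JAAS login fails.
     * On success the principal is registered and the provider's response token
     * is returned in the {@code WWW-Authenticate} header.
     *
     * @param request the request under authentication
     * @param response the response the challenge or error is written to
     * @return {@code true} if a principal was authenticated and registered
     * @throws IOException if writing the response fails
     */
    @Override
    protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
        if (checkForCachedAuthentication(request, response, true)) {
            return true;
        }

        MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders().getValue("authorization");
        if (authorization == null) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("authenticator.noAuthHeader"));
            }
            sendNegotiateChallenge(response);
            return false;
        }

        authorization.toBytes();
        ByteChunk authorizationBC = authorization.getByteChunk();
        if (!authorizationBC.startsWithIgnoreCase("negotiate ", 0)) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.authHeaderNotNego"));
            }
            sendNegotiateChallenge(response);
            return false;
        }

        // Skip the scheme prefix and decode what follows
        authorizationBC.setOffset(authorizationBC.getOffset() + NEGOTIATE_PREFIX_LENGTH);
        byte[] decoded = Base64.decodeBase64(authorizationBC.getBuffer(),
                authorizationBC.getOffset(), authorizationBC.getLength());

        // Reject an empty token before doing any work on it
        if (decoded.length == 0) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.authHeaderNoToken"));
            }
            sendNegotiateChallenge(response);
            return false;
        }

        if (getApplyJava8u40Fix()) {
            SpnegoTokenFixer.fix(decoded);
        }

        LoginContext lc = null;
        GSSContext gssContext = null;
        byte[] outToken = null;
        Principal principal = null;
        try {
            lc = new LoginContext(getLoginConfigName());
            lc.login();
            Subject subject = lc.getSubject();

            final GSSManager manager = GSSManager.getInstance();
            // The IBM JVM only accepts an indefinite credential lifetime
            final int credentialLifetime = JreVendor.IS_IBM_JVM
                    ? GSSCredential.INDEFINITE_LIFETIME
                    : GSSCredential.DEFAULT_LIFETIME;
            PrivilegedExceptionAction<GSSCredential> acquireCredential = () -> manager.createCredential(
                    (GSSName) null, credentialLifetime, new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
            gssContext = manager.createContext(Subject.doAs(subject, acquireCredential));

            outToken = Subject.doAs(subject, new AcceptAction(gssContext, decoded));
            if (outToken == null) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"));
                }
                sendNegotiateChallenge(response);
                return false;
            }

            principal = Subject.doAs(subject,
                    new AuthenticateAction(context.getRealm(), gssContext, storeDelegatedCredential));
        } catch (LoginException e) {
            // The service itself could not log in: a server-side configuration problem
            log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return false;
        } catch (GSSException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
            }
            sendNegotiateChallenge(response);
            return false;
        } catch (PrivilegedActionException e) {
            // A GSSException raised inside doAs is a client-side failure and
            // only worth debug logging; anything else is a service problem
            if (e.getCause() instanceof GSSException) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
                }
            } else {
                log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
            }
            sendNegotiateChallenge(response);
            return false;
        } finally {
            // Release the per-request context and login on every path
            if (gssContext != null) {
                try {
                    gssContext.dispose();
                } catch (GSSException ignored) {
                    // Best-effort cleanup; nothing further can be done here
                }
            }
            if (lc != null) {
                try {
                    lc.logout();
                } catch (LoginException ignored) {
                    // Best-effort cleanup; nothing further can be done here
                }
            }
        }

        response.setHeader(AUTH_HEADER_NAME, "Negotiate " + Base64.encodeBase64String(outToken));
        if (principal == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }

        register(request, response, principal, Constants.SPNEGO_METHOD, principal.getName(), null);

        // Some user agents misbehave when a Negotiate-authenticated connection is reused
        Pattern p = noKeepAliveUserAgents;
        if (p != null) {
            MessageBytes ua = request.getCoyoteRequest().getMimeHeaders().getValue("user-agent");
            if (ua != null && p.matcher(ua.toString()).matches()) {
                response.setHeader("Connection", "close");
            }
        }
        return true;
    }

    /** Writes a bare {@code WWW-Authenticate: Negotiate} challenge with status 401. */
    private static void sendNegotiateChallenge(HttpServletResponse response) throws IOException {
        response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    @Override
    protected boolean isPreemptiveAuthPossible(Request request) {
        MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders().getValue("authorization");
        return authorization != null && authorization.startsWithIgnoreCase("negotiate ", 0);
    }
}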
