package org.alfresco.repo.webdav.auth;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedAction;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.RealmCallback;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.jlan.server.auth.kerberos.KerberosDetails;
import org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction;
import org.alfresco.jlan.server.auth.spnego.NegTokenInit;
import org.alfresco.jlan.server.auth.spnego.NegTokenTarg;
import org.alfresco.jlan.server.auth.spnego.OID;
import org.alfresco.jlan.server.auth.spnego.SPNEGO;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.web.auth.KerberosCredentials;
import org.alfresco.repo.web.auth.TicketCredentials;
import org.apache.commons.codec.binary.Base64;

/* loaded from: input_file:org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.class */
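/**
 * Base class for Kerberos/SPNEGO HTTP authentication filters.
 *
 * <p>On {@link #init()} the configured HTTP service account is logged in through JAAS (this class acts as
 * its own {@link CallbackHandler} to supply name, password and realm). On each request the
 * {@code Authorization} header is inspected: only a SPNEGO NegTokenInit whose first mechanism is Kerberos
 * (MS or MIT OID) is accepted and validated under the service account's {@link Subject}; NTLM, NTLMSSP
 * blobs, other token types and undecodable tokens all cause the session to be cleared and a fresh
 * {@code WWW-Authenticate: Negotiate} challenge to be issued.
 */
public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthenticationFilter implements CallbackHandler {
    /** Default JAAS login configuration entry used for the HTTP service account. */
    private static final String LoginConfigEntry = "AlfrescoHTTP";

    /** Authorization scheme that carries a SPNEGO token. */
    private static final String NEGOTIATE_SCHEME = "Negotiate";

    /** Offset of the Base64 token inside a {@code "Negotiate <token>"} header value (scheme plus one space). */
    private static final int NEGOTIATE_TOKEN_OFFSET = NEGOTIATE_SCHEME.length() + 1;

    /** Kerberos V5 mechanism OID (MIT). */
    private static final String KERBEROS5_OID = "1.2.840.113554.1.2.2";

    /** Microsoft Kerberos V5 mechanism OID. */
    private static final String MS_KERBEROS5_OID = "1.2.840.48018.1.2.2";

    /** Principal name of the service account, taken from the JAAS subject after login. */
    private String m_accountName;

    /** Service account password supplied to the JAAS PasswordCallback; held as a String, so it cannot be zeroed. */
    private String m_password;

    /** Kerberos realm supplied to the JAAS RealmCallback and used to build the service principal name. */
    private String m_krbRealm;

    /** JAAS login context holding the logged-in service account subject; set by {@link #init()}. */
    private LoginContext m_loginContext;

    /** JAAS configuration entry name used for the service account login. */
    private String m_loginEntryName = LoginConfigEntry;

    /** When true the realm suffix is stripped from the authenticated user name; otherwise the full source name is used. */
    private boolean m_stripKerberosUsernameSuffix = true;

    /**
     * Sets the HTTP service account password.
     *
     * @param str the password; required by {@link #init()}
     */
    public void setPassword(String str) {
        this.m_password = str;
    }

    /**
     * Sets the Kerberos realm.
     *
     * @param str the realm; required by {@link #init()}
     */
    public void setRealm(String str) {
        this.m_krbRealm = str;
    }

    /**
     * Sets the JAAS configuration entry used to log the service account in.
     *
     * @param str the entry name (defaults to {@value #LoginConfigEntry})
     */
    public void setJaasConfigEntryName(String str) {
        this.m_loginEntryName = str;
    }

    /**
     * Controls whether the realm suffix is stripped from authenticated user names.
     *
     * @param z true to use {@code KerberosDetails.getUserName()}, false to use {@code getSourceName()}
     */
    public void setStripKerberosUsernameSuffix(boolean z) {
        this.m_stripKerberosUsernameSuffix = z;
    }

    /**
     * Validates the configuration, logs the service account in through JAAS and checks that a SPNEGO
     * NegTokenInit can be built for this host.
     *
     * @throws ServletException if realm, password or login entry are missing, the JAAS login fails, the
     *         subject has no principal, the local host name cannot be resolved, or the NegTokenInit cannot be encoded
     */
    @Override // org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter
    public void init() throws ServletException {
        super.init();
        if (this.m_krbRealm == null) {
            throw new ServletException("Kerberos realm not specified");
        }
        if (this.m_password == null) {
            throw new ServletException("HTTP service account password not specified");
        }
        if (this.m_loginEntryName == null) {
            throw new ServletException("Invalid login entry specified");
        }

        String canonicalHostName;
        try {
            canonicalHostName = InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            throw new ServletException("Failed to get local host name", e);
        }

        // Log the service account in; this filter supplies the credentials via handle().
        try {
            this.m_loginContext = new LoginContext(this.m_loginEntryName, this);
            this.m_loginContext.login();
        } catch (LoginException e) {
            if (getLogger().isErrorEnabled()) {
                getLogger().error("HTTP Kerberos web filter error", e);
            }
            throw new ServletException("Failed to login HTTP server service", e);
        }
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("HTTP Kerberos login successful");
        }

        // The first principal of the subject is the account name used for the session-setup action.
        if (this.m_loginContext.getSubject().getPrincipals().isEmpty()) {
            throw new ServletException("HTTP service account login produced no principal");
        }
        this.m_accountName = this.m_loginContext.getSubject().getPrincipals().iterator().next().getName();
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Logged on using principal " + this.m_accountName);
        }

        // Raw Vector kept to match the NegTokenInit constructor (jlan API, not visible here).
        Vector mechTypes = new Vector();
        mechTypes.add(OID.KERBEROS5);
        mechTypes.add(OID.MSKERBEROS5);
        try {
            // The encoded blob is discarded; this only verifies that the token can be built for this host/realm.
            new NegTokenInit(mechTypes, canonicalHostName + "$@" + this.m_krbRealm).encode();
        } catch (IOException e) {
            if (getLogger().isErrorEnabled()) {
                getLogger().error("Error creating SPNEGO NegTokenInit blob", e);
            }
            throw new ServletException("Failed to create SPNEGO NegTokenInit blob", e);
        }
    }

    /**
     * Authenticates the request from its {@code Authorization} header or an existing session user.
     *
     * @return true if the request is authenticated and the chain may proceed, false if a challenge
     *         (or failure response) was written and processing must stop
     * @throws IOException if writing the challenge fails
     * @throws ServletException propagated from fallback authentication
     */
    @Override // org.alfresco.repo.webdav.auth.AuthenticationDriver
    public boolean authenticateRequest(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        String header = httpServletRequest.getHeader("Authorization");
        boolean negotiateHeader = false;
        if (header != null) {
            if (header.startsWith(NEGOTIATE_SCHEME)) {
                negotiateHeader = true;
            } else if (header.startsWith("NTLM")) {
                // Raw NTLM is never accepted by this filter: clear any session state and challenge again.
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("Received NTLM logon from client");
                }
                restartLoginChallenge(servletContext, httpServletRequest, httpServletResponse);
                return false;
            } else if (isFallbackEnabled()) {
                return performFallbackAuthentication(servletContext, httpServletRequest, httpServletResponse);
            }
        }

        // Resolve an already-authenticated user: first via the driver, then from the session attribute.
        SessionUser sessionUser = getSessionUser(servletContext, httpServletRequest, httpServletResponse, true);
        HttpSession session = httpServletRequest.getSession(true);
        if (sessionUser == null) {
            sessionUser = (SessionUser) session.getAttribute(AuthenticationDriver.AUTHENTICATION_USER);
            if (sessionUser != null) {
                AuthenticationUtil.setFullyAuthenticatedUser(sessionUser.getUserName());
            }
        }

        // An existing user is accepted unless the client is starting a new Negotiate exchange.
        if (sessionUser != null && !negotiateHeader) {
            onValidate(servletContext, httpServletRequest, httpServletResponse, new TicketCredentials(sessionUser.getTicket()));
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Authentication not required (user), chaining ...");
            }
            return true;
        }

        if (checkLoginPage(httpServletRequest, httpServletResponse)) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Login page requested, chaining ...");
            }
            return true;
        }

        if (header == null) {
            if (allowsTicketLogons() && checkForTicketParameter(servletContext, httpServletRequest, httpServletResponse)) {
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("Authenticated with a ticket parameter.");
                }
                if (sessionUser == null) {
                    // NOTE(review): relies on checkForTicketParameter() having stored the user under
                    // getUserAttributeName(); confirm it never returns true without doing so.
                    sessionUser = (SessionUser) session.getAttribute(getUserAttributeName());
                }
                onValidate(servletContext, httpServletRequest, httpServletResponse, new TicketCredentials(sessionUser.getTicket()));
                return true;
            }
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("New Kerberos auth request from " + httpServletRequest.getRemoteHost() + " (" + httpServletRequest.getRemoteAddr() + ":" + httpServletRequest.getRemotePort() + ")");
            }
            // The true flag suppresses includeFallbackAuth() for this initial challenge.
            logonStartAgain(servletContext, httpServletRequest, httpServletResponse, true);
            return false;
        }

        // A header is present: it must be "Negotiate <token>" with a non-empty, decodable token.
        byte[] blob = decodeNegotiateToken(header);
        if (blob == null) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Missing or malformed SPNEGO token in Authorization header");
            }
            restartLoginChallenge(servletContext, httpServletRequest, httpServletResponse);
            return false;
        }
        if (isNTLMSSPBlob(blob, 0)) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Client sent an NTLMSSP security blob");
            }
            restartLoginChallenge(servletContext, httpServletRequest, httpServletResponse);
            return false;
        }

        int tokenType = -1;
        try {
            tokenType = SPNEGO.checkTokenType(blob, 0, blob.length);
        } catch (IOException ignored) {
            // Undecodable token: leave tokenType at -1 so the client is re-challenged below.
        }
        // 0 is the NegTokenInit type returned by checkTokenType — confirm against the SPNEGO constants.
        if (tokenType != 0) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Unknown SPNEGO token type");
            }
            restartLoginChallenge(servletContext, httpServletRequest, httpServletResponse);
            return false;
        }

        NegTokenInit negTokenInit = new NegTokenInit();
        try {
            negTokenInit.decode(blob, 0, blob.length);
            String mechOid = negTokenInit.numberOfOids() > 0 ? negTokenInit.getOidAt(0).toString() : null;
            if (!isSupportedKerberosMechanism(mechOid)) {
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("Unsupported SPNEGO mechanism " + mechOid);
                }
                restartLoginChallenge(servletContext, httpServletRequest, httpServletResponse);
                return false;
            }
            try {
                NegTokenTarg negTokenTarg = doKerberosLogon(negTokenInit, httpServletRequest, httpServletResponse, session);
                if (negTokenTarg == null) {
                    if (getLogger().isDebugEnabled()) {
                        getLogger().debug("Failed SPNEGO authentication.");
                    }
                    restartLoginChallenge(servletContext, httpServletRequest, httpServletResponse);
                    return false;
                }
                onValidate(servletContext, httpServletRequest, httpServletResponse, new KerberosCredentials(negTokenInit, negTokenTarg));
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("Authenticated through Kerberos.");
                }
                return true;
            } catch (AuthenticationException e) {
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("Validate failed.", e);
                }
                if (sessionUser == null) {
                    // First Negotiate request with no session user: there is no ticket to report against,
                    // so clear the session and re-challenge instead of dereferencing null.
                    restartLoginChallenge(servletContext, httpServletRequest, httpServletResponse);
                } else {
                    onValidateFailed(servletContext, httpServletRequest, httpServletResponse, session, new TicketCredentials(sessionUser.getTicket()));
                }
                return false;
            }
        } catch (IOException e) {
            // Covers token decoding as well as I/O failures while writing a challenge inside the block above.
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Kerberos authentication I/O failure", e);
            }
            return false;
        }
    }

    /**
     * Extracts and Base64-decodes the token that follows the {@code Negotiate} scheme.
     *
     * @param header the raw Authorization header value, may be null
     * @return the decoded bytes, or null when the header is not a Negotiate value or carries no token
     */
    private static byte[] decodeNegotiateToken(String header) {
        if (header == null || !header.startsWith(NEGOTIATE_SCHEME) || header.length() <= NEGOTIATE_TOKEN_OFFSET) {
            return null;
        }
        // Base64 is ASCII; an explicit charset avoids depending on the platform default.
        byte[] blob = Base64.decodeBase64(header.substring(NEGOTIATE_TOKEN_OFFSET).getBytes(StandardCharsets.US_ASCII));
        return blob.length == 0 ? null : blob;
    }

    /**
     * Returns true if the given mechanism OID is one of the two Kerberos OIDs this filter accepts.
     *
     * @param mechOid dotted OID string, may be null
     */
    private static boolean isSupportedKerberosMechanism(String mechOid) {
        return MS_KERBEROS5_OID.equals(mechOid) || KERBEROS5_OID.equals(mechOid);
    }

    /**
     * Returns true if a login page is configured and the request URI ends with it.
     */
    protected boolean checkLoginPage(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return hasLoginPage() && httpServletRequest.getRequestURI().endsWith(getLoginPage());
    }

    /**
     * JAAS callback handler supplying the service account name, password and realm.
     *
     * @throws UnsupportedCallbackException for any callback other than Name, Password or Realm
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Processing the JAAS callback list of " + callbackArr.length + " items.");
        }
        for (Callback callback : callbackArr) {
            if (callback instanceof NameCallback) {
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("Request for user name.");
                }
                ((NameCallback) callback).setName(this.m_accountName);
            } else if (callback instanceof PasswordCallback) {
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("Request for password.");
                }
                ((PasswordCallback) callback).setPassword(this.m_password.toCharArray());
            } else if (callback instanceof RealmCallback) {
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("Request for realm.");
                }
                ((RealmCallback) callback).setText(this.m_krbRealm);
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    /**
     * Validates the client's Kerberos mechanism token under the service account subject and, on success,
     * creates the user environment in the session.
     *
     * @return the NegTokenTarg to return to the client, or null if the logon failed; a non-null value is
     *         returned only after the user environment has been created
     * @throws AuthenticationException rethrown when ticket/user validation fails
     */
    private final NegTokenTarg doKerberosLogon(NegTokenInit negTokenInit, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession) {
        NegTokenTarg negTokenTarg = null;
        String userName = null;
        try {
            Object result = Subject.doAs(this.m_loginContext.getSubject(), (PrivilegedAction<Object>) new SessionSetupPrivilegedAction(this.m_accountName, negTokenInit.getMechtoken()));
            if (result == null) {
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("No SPNEGO response, Kerberos logon failed");
                }
            } else {
                KerberosDetails kerberosDetails = (KerberosDetails) result;
                userName = this.m_stripKerberosUsernameSuffix ? kerberosDetails.getUserName() : kerberosDetails.getSourceName();
                NegTokenTarg response = new NegTokenTarg(0, OID.KERBEROS5, kerberosDetails.getResponseToken());
                SessionUser user = createUserEnvironment(httpSession, userName);
                if (getLogger().isDebugEnabled()) {
                    getLogger().debug("User " + user.getUserName() + " logged on via Kerberos");
                }
                // Only hand the response back once the user environment exists; an exception from
                // createUserEnvironment() must not leave the caller believing the logon succeeded.
                negTokenTarg = response;
            }
        } catch (AuthenticationException e) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Failed to validate user " + userName, e);
            }
            throw e;
        } catch (Exception e) {
            // Any other failure is treated as a failed logon (null result); logged at debug only.
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Kerberos logon error", e);
            }
        }
        return negTokenTarg;
    }

    /**
     * Invalidates the current session (if any) and issues a fresh Negotiate challenge.
     */
    @Override // org.alfresco.repo.webdav.auth.AuthenticationDriver
    public void restartLoginChallenge(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Clearing session.");
            }
            session.invalidate();
        }
        logonStartAgain(servletContext, httpServletRequest, httpServletResponse);
    }

    /**
     * Issues a Negotiate challenge, including the fallback authentication when it is enabled.
     */
    public void logonStartAgain(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        logonStartAgain(servletContext, httpServletRequest, httpServletResponse, false);
    }

    /**
     * Writes a 401 response with a {@code WWW-Authenticate: Negotiate} header and the login page link.
     *
     * @param z when true the fallback authentication is not included even if enabled
     */
    private void logonStartAgain(ServletContext servletContext, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws IOException {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Issuing login challenge to browser.");
        }
        httpServletResponse.setHeader("WWW-Authenticate", NEGOTIATE_SCHEME);
        if (!z && isFallbackEnabled()) {
            includeFallbackAuth(servletContext, httpServletRequest, httpServletResponse);
        }
        httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        writeLoginPageLink(servletContext, httpServletRequest, httpServletResponse);
        httpServletResponse.flushBuffer();
    }
}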
