package org.alfresco.repo.webdav.auth;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.PrivilegedAction;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.RealmCallback;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.alfresco.jlan.server.auth.kerberos.KerberosDetails;
import org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction;
import org.alfresco.jlan.server.auth.spnego.NegTokenInit;
import org.alfresco.jlan.server.auth.spnego.NegTokenTarg;
import org.alfresco.jlan.server.auth.spnego.OID;
import org.alfresco.jlan.server.auth.spnego.SPNEGO;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.apache.commons.codec.binary.Base64;

/* loaded from: input_file:org/alfresco/repo/webdav/auth/BaseKerberosAuthenticationFilter.class */
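/**
 * Servlet filter that authenticates WebDAV clients with Kerberos over SPNEGO
 * ("Authorization: Negotiate &lt;token&gt;").
 *
 * <p>On {@link #init(FilterConfig)} the filter logs on the HTTP service account through
 * JAAS (login entry {@code LoginEntry}, default {@value #LoginConfigEntry}) so that client
 * tokens can later be validated under that account's subject. Per request, an existing
 * session user is re-validated; otherwise the client's NegTokenInit is decoded and its
 * Kerberos mechanism token is accepted via {@link SessionSetupPrivilegedAction}. Any
 * request that cannot be authenticated is answered with {@code 401} /
 * {@code WWW-Authenticate: Negotiate} and is NOT passed down the filter chain.
 *
 * <p>Configuration (filter init parameters): {@code KDC} (when absent the filter leaves
 * itself unconfigured and Kerberos logons fail), {@code Realm}, {@code Password} (the HTTP
 * service account password; it lives in the web descriptor, so protect that file),
 * {@code LoginEntry}.
 *
 * <p>Changes against the previous revision, all of them in the request path:
 * <ul>
 *   <li>an NTLM logon now stops after the 401 challenge instead of also chaining the
 *       unauthenticated request to the protected resource;</li>
 *   <li>only an {@code Authorization} header that really starts with {@code Negotiate} is
 *       parsed as a SPNEGO token; other schemes and a {@code Negotiate} header without a
 *       token get a challenge instead of an index-out-of-bounds / garbage decode;</li>
 *   <li>a NegTokenInit that fails to decode or does not offer Kerberos gets a challenge
 *       instead of an empty, silently committed response;</li>
 *   <li>{@link #doKerberosLogon} only reports success once the session user has actually
 *       been created; before, an exception from {@code createUserEnvironment} still
 *       returned the already-built response token and the request was chained without a
 *       session user.</li>
 * </ul>
 */
public abstract class BaseKerberosAuthenticationFilter extends BaseSSOAuthenticationFilter implements CallbackHandler {

    /** Default JAAS login configuration entry for the HTTP service account. */
    private static final String LoginConfigEntry = "AlfrescoHTTP";

    /** Authorization scheme prefixes recognised by this filter. */
    private static final String NEGOTIATE_SCHEME = "Negotiate";
    private static final String NTLM_SCHEME = "NTLM";

    /** Kerberos mechanism OIDs accepted as the client's preferred mechanism (MS Kerberos, Kerberos V5). */
    private static final String OID_MSKERBEROS5 = "1.2.840.48018.1.2.2";
    private static final String OID_KERBEROS5 = "1.2.840.113554.1.2.2";

    /** Session attribute that carries the authenticated {@link SessionUser}. */
    private static final String AUTH_TICKET_ATTRIBUTE = "_alfAuthTicket";

    /** Request attribute set by an upstream filter when no authentication is required. */
    private static final String NO_AUTH_REQUIRED_ATTRIBUTE = "alfNoAuthRequired";

    /** Service account principal name, taken from the JAAS subject after a successful login. */
    private String m_accountName;
    /** Service account password from the {@code Password} init parameter; handed to the JAAS PasswordCallback. */
    private String m_password;
    private String m_krbRealm;
    private String m_krbKDC;
    private String m_loginEntryName = LoginConfigEntry;
    /** Logged-on service account context; {@code null} when no {@code KDC} was configured. */
    private LoginContext m_loginContext;
    /**
     * Server-side NegTokenInit for this host's service principal. It is built in
     * {@link #init(FilterConfig)} (so encoding problems surface at startup) but is not read
     * anywhere in this class.
     */
    private byte[] m_negTokenInit;

    /**
     * Reads the filter configuration and logs on the HTTP service account.
     *
     * @param filterConfig filter configuration carrying the init parameters described on the class
     * @throws ServletException if a required parameter is missing, the local host name cannot be
     *         resolved, the JAAS login fails, or the server NegTokenInit cannot be encoded
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        super.init(filterConfig);

        // Without a KDC the filter stays unconfigured: m_loginContext remains null, so every
        // Kerberos logon attempt fails and the client only ever receives 401 challenges.
        // Existing sessions and ticket-parameter logons keep working.
        String kdc = filterConfig.getInitParameter("KDC");
        if (kdc == null || kdc.length() == 0) {
            return;
        }
        this.m_krbKDC = kdc;

        this.m_krbRealm = requireInitParameter(filterConfig, "Realm", "Kerberos realm not specified");
        this.m_password = requireInitParameter(filterConfig, "Password", "HTTP service account password not specified");

        String loginEntry = filterConfig.getInitParameter("LoginEntry");
        if (loginEntry != null) {
            if (loginEntry.length() == 0) {
                throw new ServletException("Invalid login entry specified");
            }
            this.m_loginEntryName = loginEntry;
        }

        String localHostName;
        try {
            localHostName = InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            throw new ServletException("Failed to get local host name", e);
        }

        // NOTE(review): handle() is invoked from within login() while m_accountName is still
        // null, so a NameCallback would receive a null name. Presumably the login entry
        // supplies the principal itself - confirm against the JAAS configuration in use.
        try {
            this.m_loginContext = new LoginContext(this.m_loginEntryName, this);
            this.m_loginContext.login();
        } catch (LoginException e) {
            if (getLogger().isErrorEnabled()) {
                getLogger().error("HTTP Kerberos web filter error", e);
            }
            throw new ServletException("Failed to login HTTP server service");
        }
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("HTTP Kerberos login successful");
        }

        Subject serviceSubject = this.m_loginContext.getSubject();
        if (serviceSubject == null || serviceSubject.getPrincipals().isEmpty()) {
            // Guard the iterator().next() below; a subject without principals would otherwise
            // surface as an unhelpful NoSuchElementException during filter start-up.
            throw new ServletException("HTTP service login returned no principal");
        }
        this.m_accountName = serviceSubject.getPrincipals().iterator().next().getName();
        if (getLogger().isDebugEnabled()) {
            getLogger().debug("Logged on using principal " + this.m_accountName);
        }

        // Server NegTokenInit advertising both Kerberos OIDs for this host's service principal.
        Vector mechTypes = new Vector();
        mechTypes.add(OID.KERBEROS5);
        mechTypes.add(OID.MSKERBEROS5);
        try {
            this.m_negTokenInit = new NegTokenInit(mechTypes, localHostName + "$@" + this.m_krbRealm).encode();
        } catch (IOException e) {
            if (getLogger().isErrorEnabled()) {
                getLogger().error("Error creating SPNEGO NegTokenInit blob", e);
            }
            throw new ServletException("Failed to create SPNEGO NegTokenInit blob");
        }
    }

    /**
     * Returns a non-empty init parameter or fails filter initialisation.
     *
     * @param filterConfig source of the init parameters
     * @param name parameter name
     * @param errorMessage message of the {@link ServletException} thrown when the value is missing or empty
     * @return the parameter value, never empty
     * @throws ServletException if the parameter is absent or empty
     */
    private static String requireInitParameter(FilterConfig filterConfig, String name, String errorMessage)
            throws ServletException {
        String value = filterConfig.getInitParameter(name);
        if (value == null || value.length() == 0) {
            throw new ServletException(errorMessage);
        }
        return value;
    }

    /**
     * Authenticates the request, then either chains it or answers with a Negotiate challenge.
     *
     * <p>Order of evaluation: the {@code alfNoAuthRequired} attribute; an NTLM header
     * (rejected with a challenge); re-validation of an existing session user; a ticket
     * request parameter (only when no Authorization header is present and ticket logons are
     * allowed); finally the SPNEGO NegTokenInit carried in a {@code Negotiate} header.
     *
     * @param servletRequest  incoming request, expected to be an {@link HttpServletRequest}
     * @param servletResponse outgoing response, expected to be an {@link HttpServletResponse}
     * @param filterChain     chain to continue once the request is authenticated
     * @throws IOException      if writing the challenge or chaining fails
     * @throws ServletException if chaining fails
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        HttpSession session = request.getSession(true);

        if (request.getAttribute(NO_AUTH_REQUIRED_ATTRIBUTE) != null) {
            debug("Authentication not required (filter), chaining ...");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // Never log the raw Authorization header: for schemes such as Basic it carries credentials.
        String authHeader = request.getHeader("Authorization");
        boolean negotiateRequest = false;
        if (authHeader != null) {
            if (authHeader.startsWith(NEGOTIATE_SCHEME)) {
                negotiateRequest = true;
            } else if (authHeader.startsWith(NTLM_SCHEME)) {
                // NTLM is not handled by this filter. Challenge for Negotiate and stop here:
                // the request is unauthenticated and must not reach the protected resource
                // (the previous revision chained it after committing the 401).
                debug("Received NTLM logon from client");
                restartLoginChallenge(response, session);
                return;
            }
        }

        // Re-validate an existing session user unless the client is explicitly (re-)negotiating.
        SessionUser sessionUser = getSessionUser(session);
        boolean logonRequired = negotiateRequest;
        if (sessionUser != null && !negotiateRequest) {
            try {
                debug("User " + sessionUser.getUserName() + " validate ticket");
                this.m_authService.validate(sessionUser.getTicket());
                onValidate(request, session);
            } catch (AuthenticationException e) {
                if (getLogger().isErrorEnabled()) {
                    getLogger().error("Failed to validate user " + sessionUser.getUserName(), e);
                }
                removeSessionUser(session);
                logonRequired = true;
            }
        }
        if (!logonRequired && sessionUser != null) {
            debug("Authentication not required (user), chaining ...");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        if (!negotiateRequest) {
            // No Authorization header (or one with an unsupported scheme): try a ticket
            // parameter when allowed, otherwise start the Negotiate exchange.
            if (authHeader == null && allowsTicketLogons() && checkForTicketParameter(request, session)) {
                filterChain.doFilter(servletRequest, servletResponse);
                return;
            }
            if (authHeader == null) {
                debug("New Kerberos auth request from " + request.getRemoteHost() + " (" + request.getRemoteAddr()
                        + ":" + request.getRemotePort() + ")");
            } else {
                debug("Unsupported Authorization scheme, challenging for Negotiate");
            }
            restartLoginChallenge(response, session);
            return;
        }

        byte[] token = decodeNegotiateToken(authHeader);
        if (token == null) {
            debug("Negotiate header carries no token");
            restartLoginChallenge(response, session);
            return;
        }
        if (isNTLMSSPBlob(token, 0)) {
            debug("Client sent an NTLMSSP security blob");
            restartLoginChallenge(response, session);
            return;
        }
        if (!isNegTokenInit(token)) {
            debug("Unknown SPNEGO token type");
            restartLoginChallenge(response, session);
            return;
        }

        NegTokenInit negTokenInit = new NegTokenInit();
        try {
            negTokenInit.decode(token, 0, token.length);
        } catch (IOException e) {
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Failed to decode SPNEGO NegTokenInit", e);
            }
            restartLoginChallenge(response, session);
            return;
        }
        if (!offersKerberos(negTokenInit)) {
            // The optimistic mechToken belongs to the first mechType, so anything other than
            // Kerberos there cannot be validated by this filter.
            debug("Client NegTokenInit does not offer Kerberos as preferred mechanism");
            restartLoginChallenge(response, session);
            return;
        }

        if (doKerberosLogon(negTokenInit, request, response, session) != null) {
            filterChain.doFilter(request, response);
        } else {
            restartLoginChallenge(response, session);
        }
    }

    /**
     * Extracts and base64-decodes the token of a {@code Negotiate} Authorization header.
     *
     * @param authHeader header value that starts with {@value #NEGOTIATE_SCHEME}
     * @return the decoded token, or {@code null} when the header has no (or an empty) token
     */
    private static byte[] decodeNegotiateToken(String authHeader) {
        if (authHeader.length() <= NEGOTIATE_SCHEME.length()) {
            return null;
        }
        String encoded = authHeader.substring(NEGOTIATE_SCHEME.length()).trim();
        if (encoded.length() == 0) {
            return null;
        }
        byte[] token = Base64.decodeBase64(encoded.getBytes());
        return token.length == 0 ? null : token;
    }

    /**
     * Tells whether a decoded SPNEGO token is a NegTokenInit.
     *
     * @param token decoded token bytes, non-empty
     * @return {@code true} if {@link SPNEGO#checkTokenType} reports type {@code 0} (NegTokenInit,
     *         as the previous revision of this filter assumed); {@code false} for any other type
     *         or for a token that cannot be parsed
     */
    private static boolean isNegTokenInit(byte[] token) {
        try {
            return SPNEGO.checkTokenType(token, 0, token.length) == 0;
        } catch (IOException ignored) {
            // A malformed token is simply not a NegTokenInit; the caller challenges the client.
            return false;
        }
    }

    /**
     * Checks that the client's preferred (first) mechanism is one of the Kerberos OIDs.
     *
     * @param negTokenInit decoded client NegTokenInit
     * @return {@code true} if the first mechType is MS Kerberos or Kerberos V5
     */
    private static boolean offersKerberos(NegTokenInit negTokenInit) {
        if (negTokenInit.numberOfOids() <= 0) {
            return false;
        }
        String preferredOid = negTokenInit.getOidAt(0).toString();
        return OID_MSKERBEROS5.equals(preferredOid) || OID_KERBEROS5.equals(preferredOid);
    }

    /**
     * Supplies the service account credentials to the JAAS login module.
     *
     * <p>Only called while {@link #init(FilterConfig)} runs {@code LoginContext.login()}, i.e.
     * only when a {@code KDC} was configured and {@code m_password}/{@code m_krbRealm} are set.
     *
     * @param callbacks callbacks issued by the login module
     * @throws UnsupportedCallbackException for anything other than name, password or realm callbacks
     */
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof NameCallback) {
                ((NameCallback) callback).setName(this.m_accountName);
            } else if (callback instanceof PasswordCallback) {
                ((PasswordCallback) callback).setPassword(this.m_password.toCharArray());
            } else if (callback instanceof RealmCallback) {
                ((RealmCallback) callback).setText(this.m_krbRealm);
            } else {
                throw new UnsupportedCallbackException(callback);
            }
        }
    }

    /**
     * Validates the client's Kerberos mechanism token under the service account and, on
     * success, creates the session user.
     *
     * <p>NOTE(review): the returned NegTokenTarg is only used as a success flag by
     * {@link #doFilter}; it is never written back in a {@code WWW-Authenticate} header, so a
     * client that requested mutual authentication receives no server response token. This
     * matches the previous revision and is left unchanged here.
     *
     * <p>NOTE(review): the HTTP session is reused as-is on logon (no rotation of the session
     * id); verify whether the base filter or container handles this.
     *
     * @param negTokenInit decoded client NegTokenInit whose mechToken is validated
     * @param request      current request (unused, kept for the private signature)
     * @param response     current response (unused, kept for the private signature)
     * @param session      session that receives the {@code _alfAuthTicket} attribute
     * @return the SPNEGO accept-completed response, or {@code null} if the token was rejected,
     *         the filter is unconfigured, or the session user could not be created
     */
    private final NegTokenTarg doKerberosLogon(NegTokenInit negTokenInit, HttpServletRequest request,
            HttpServletResponse response, HttpSession session) {
        if (this.m_loginContext == null) {
            // init() returned early because no KDC was configured.
            debug("Kerberos logon not configured (no KDC), rejecting client token");
            return null;
        }
        try {
            Object result = Subject.doAs(this.m_loginContext.getSubject(),
                    (PrivilegedAction<Object>) new SessionSetupPrivilegedAction(this.m_accountName, negTokenInit.getMechtoken()));
            if (result == null) {
                debug("No SPNEGO response, Kerberos logon failed");
                return null;
            }
            KerberosDetails krbDetails = (KerberosDetails) result;
            // Create the session user BEFORE reporting success; if this throws, the request
            // must be challenged rather than chained without a session user.
            SessionUser user = createUserEnvironment(session, krbDetails.getUserName());
            session.setAttribute(AUTH_TICKET_ATTRIBUTE, user);
            debug("User " + user.getUserName() + " logged on via Kerberos");
            return new NegTokenTarg(0, OID.KERBEROS5, krbDetails.getResponseToken());
        } catch (Exception e) {
            // Logged at debug only, as before; operators who want failed Kerberos logons in
            // their regular logs will need a higher level here.
            if (getLogger().isDebugEnabled()) {
                getLogger().debug("Kerberos logon error", e);
            }
            return null;
        }
    }

    /**
     * Sends a {@code 401} with {@code WWW-Authenticate: Negotiate} and commits the response.
     *
     * <p>The response is flushed, so nothing further can be written to it; callers must not
     * continue the filter chain afterwards.
     *
     * @param response response to write the challenge to
     * @param session  current session (unused here; available for subclasses)
     * @throws IOException if flushing the response fails
     */
    public void restartLoginChallenge(HttpServletResponse response, HttpSession session) throws IOException {
        response.setHeader("WWW-Authenticate", NEGOTIATE_SCHEME);
        response.setStatus(401);
        response.flushBuffer();
    }

    /** Logs a message at debug level when debug logging is enabled. */
    private void debug(String message) {
        if (getLogger().isDebugEnabled()) {
            getLogger().debug(message);
        }
    }
}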
