package org.alfresco.web.app.servlet;

import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.PrivilegedAction;
import java.util.List;
import java.util.Locale;
import java.util.Random;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.sasl.RealmCallback;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.transaction.UserTransaction;
import org.alfresco.config.ConfigService;
import org.alfresco.filesys.ServerConfigurationBean;
import org.alfresco.i18n.I18NUtil;
import org.alfresco.jlan.server.auth.kerberos.KerberosDetails;
import org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction;
import org.alfresco.jlan.server.auth.spnego.NegTokenInit;
import org.alfresco.jlan.server.auth.spnego.NegTokenTarg;
import org.alfresco.jlan.server.auth.spnego.OID;
import org.alfresco.jlan.server.auth.spnego.SPNEGO;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.security.authentication.AuthenticationComponent;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.service.ServiceRegistry;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.PersonService;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.web.app.AlfrescoNavigationHandler;
import org.alfresco.web.app.Application;
import org.alfresco.web.bean.LoginBean;
import org.alfresco.web.bean.repository.User;
import org.alfresco.web.config.LanguagesConfigElement;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.web.context.WebApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

/* loaded from: input_file:org/alfresco/web/app/servlet/KerberosAuthenticationFilter.class */
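/**
 * Servlet filter that authenticates web-client requests with Kerberos over SPNEGO
 * ("Negotiate" HTTP authentication).
 *
 * <p>At {@link #init(FilterConfig)} the filter reads its {@code KDC}, {@code Realm},
 * {@code Password} and optional {@code Principal}/{@code LoginEntry} init parameters,
 * logs the HTTP service account in through JAAS and keeps the resulting
 * {@link LoginContext} for the lifetime of the filter. On each request it either lets an
 * already validated session through, challenges the client with
 * {@code WWW-Authenticate: Negotiate}, or accepts the client's SPNEGO NegTokenInit via
 * {@link #doKerberosLogon}, which runs the Kerberos session setup under the service
 * account's {@link Subject} and stores a {@link User} on the HTTP session.
 *
 * <p>The filter is also the JAAS {@link CallbackHandler} that supplies the service account
 * name, password and realm to the login module.
 *
 * <p>Review notes on what this class does <em>not</em> do: the NegTokenTarg produced on a
 * successful logon is only used as a success flag and is never returned to the client, so
 * SPNEGO mutual authentication is not completed; and the session id is not rotated after
 * authentication (see {@link #doKerberosLogon}).
 */
public class KerberosAuthenticationFilter extends AbstractAuthenticationFilter implements Filter, CallbackHandler {
    /** Default JAAS login configuration entry for the HTTP service account. */
    private static final String LoginConfigEntry = "AlfrescoHTTP";
    /** Session attribute holding the negotiated {@link Locale}. */
    private static final String LOCALE = "locale";
    /** Session attribute caching the web-client message bundle; removed whenever the locale is (re)set. */
    public static final String MESSAGE_BUNDLE = "alfresco.messages.webclient";
    /** HTTP authentication scheme used by SPNEGO. */
    private static final String NEGOTIATE_SCHEME = "Negotiate";
    /** Prefix of an Authorization header carrying a SPNEGO token: the scheme plus one space. */
    private static final String NEGOTIATE_PREFIX = NEGOTIATE_SCHEME + " ";
    /** Microsoft Kerberos 5 mechanism OID as it appears in a client NegTokenInit. */
    private static final String OID_MS_KERBEROS5 = "1.2.840.48018.1.2.2";
    /** Standard Kerberos 5 mechanism OID as it appears in a client NegTokenInit. */
    private static final String OID_KERBEROS5 = "1.2.840.113554.1.2.2";
    private static final Log logger = LogFactory.getLog(KerberosAuthenticationFilter.class);

    private ServletContext m_context;
    private ServerConfigurationBean m_srvConfig;
    private AuthenticationService m_authService;
    private AuthenticationComponent m_authComponent;
    private PersonService m_personService;
    private NodeService m_nodeService;
    private TransactionService m_transactionService;
    private ConfigService m_configService;
    private boolean m_allowGuest;
    private String m_loginPage;
    /** Local server name; used only for diagnostics and as a sanity check that the host is resolvable. */
    private String m_srvName;
    private List<String> m_languages;
    /** Service principal name, "{@code <Principal>@<Realm>}" or "{@code HTTP/<canonical host>@<Realm>}". */
    private String m_accountName;
    /**
     * Service account password from the {@code Password} init parameter. It is held as an
     * immutable String for the filter's lifetime, so it cannot be wiped from the heap.
     */
    private String m_password;
    private String m_krbRealm;
    private String m_krbKDC;
    /** JAAS context of the logged-in service account; every logon runs under its Subject. */
    private LoginContext m_loginContext;
    /** Encoded server-side NegTokenInit; built at init but not consumed by this class. */
    private byte[] m_negTokenInit;
    private String m_loginEntryName = LoginConfigEntry;

    /**
     * Looks up the repository services, validates the filter configuration and logs the
     * HTTP service account in through JAAS.
     *
     * @throws ServletException if the authentication component is not in
     *         {@code MD4_PROVIDER} or {@code PASS_THROUGH} mode, the local server name
     *         cannot be determined, a required init parameter ({@code KDC}, {@code Realm},
     *         {@code Password}) is missing, {@code LoginEntry} is empty, the JAAS login
     *         fails, or the SPNEGO NegTokenInit cannot be encoded
     */
    public void init(FilterConfig filterConfig) throws ServletException {
        this.m_context = filterConfig.getServletContext();
        WebApplicationContext appCtx = WebApplicationContextUtils.getRequiredWebApplicationContext(this.m_context);
        ServiceRegistry registry = (ServiceRegistry) appCtx.getBean("ServiceRegistry");
        this.m_nodeService = registry.getNodeService();
        this.m_transactionService = registry.getTransactionService();
        this.m_authService = (AuthenticationService) appCtx.getBean("AuthenticationService");
        this.m_authComponent = (AuthenticationComponent) appCtx.getBean("AuthenticationComponent");
        this.m_personService = (PersonService) appCtx.getBean("personService");
        this.m_configService = (ConfigService) appCtx.getBean(Application.BEAN_CONFIG_SERVICE);
        this.m_srvConfig = (ServerConfigurationBean) appCtx.getBean("fileServerConfiguration");

        // Only these two NTLM modes of the authentication component are accepted.
        NTLMMode ntlmMode = this.m_authComponent.getNTLMMode();
        if (ntlmMode != NTLMMode.MD4_PROVIDER && ntlmMode != NTLMMode.PASS_THROUGH) {
            throw new ServletException("Required authentication mode not available");
        }

        this.m_srvName = resolveServerName();
        if (this.m_srvName == null || this.m_srvName.length() == 0) {
            throw new ServletException("Failed to get local server name");
        }

        this.m_languages = this.m_configService.getConfig("Languages").getConfigElement(LanguagesConfigElement.CONFIG_ELEMENT_ID).getLanguages();

        // Previously a missing KDC silently skipped the JAAS login, leaving m_loginContext
        // null so that every logon attempt failed with an NPE at request time. Fail at
        // startup instead, like the other required parameters.
        this.m_krbKDC = requiredInitParameter(filterConfig, "KDC", "Kerberos KDC not specified");
        this.m_krbRealm = requiredInitParameter(filterConfig, "Realm", "Kerberos realm not specified");
        this.m_password = requiredInitParameter(filterConfig, "Password", "HTTP service account password not specified");

        String loginEntry = filterConfig.getInitParameter("LoginEntry");
        if (loginEntry != null) {
            if (loginEntry.length() <= 0) {
                throw new ServletException("Invalid login entry specified");
            }
            this.m_loginEntryName = loginEntry;
        }

        String canonicalHost;
        try {
            canonicalHost = InetAddress.getLocalHost().getCanonicalHostName();
        } catch (UnknownHostException e) {
            throw new ServletException("Failed to get local host name", e);
        }

        // An explicit Principal overrides the default HTTP/<host> service principal.
        String principal = filterConfig.getInitParameter("Principal");
        String principalPart = principal != null ? principal : "HTTP/" + canonicalHost;
        this.m_accountName = principalPart + "@" + this.m_krbRealm;

        if (logger.isDebugEnabled()) {
            logger.debug("HTTP Kerberos login using account " + this.m_accountName);
        }
        try {
            this.m_loginContext = new LoginContext(this.m_loginEntryName, this);
            this.m_loginContext.login();
        } catch (LoginException e) {
            if (logger.isErrorEnabled()) {
                logger.error("HTTP Kerberos web filter error", e);
            }
            throw new ServletException("Failed to login HTTP server service", e);
        }
        if (logger.isDebugEnabled()) {
            logger.debug("HTTP Kerberos login successful");
        }

        // Raw Vector: that is the type NegTokenInit's constructor expects in this code base.
        Vector mechTypes = new Vector();
        mechTypes.add(OID.KERBEROS5);
        mechTypes.add(OID.MSKERBEROS5);
        try {
            this.m_negTokenInit = new NegTokenInit(mechTypes, canonicalHost + "$@" + this.m_krbRealm).encode();
        } catch (IOException e) {
            if (logger.isErrorEnabled()) {
                logger.error("Error creating SPNEGO NegTokenInit blob", e);
            }
            throw new ServletException("Failed to create SPNEGO NegTokenInit blob", e);
        }
    }

    /**
     * Determines the local server name: the file-server configuration's server name (or
     * its local server name suffixed with "_A") when that bean exists, otherwise the host
     * label of the local host name.
     *
     * @return the server name, or {@code null} if the local host name cannot be resolved
     */
    private String resolveServerName() {
        if (this.m_srvConfig != null) {
            String name = this.m_srvConfig.getServerName();
            if (name == null) {
                name = this.m_srvConfig.getLocalServerName(true) + "_A";
            }
            return name;
        }
        try {
            String hostName = InetAddress.getLocalHost().getHostName();
            int dot = hostName.indexOf('.');
            // Keep only the host label. The original used substring(0, dot - 1), which
            // dropped the label's last character and yielded "" for a one-letter host.
            return dot != -1 ? hostName.substring(0, dot) : hostName;
        } catch (UnknownHostException e) {
            if (logger.isErrorEnabled()) {
                logger.error("Kerberos filter, error getting local host name", e);
            }
            return null;
        }
    }

    /**
     * Reads a mandatory, non-empty filter init parameter.
     *
     * @param filterConfig the filter configuration
     * @param name         init parameter name
     * @param message      message for the exception raised when the parameter is absent or empty
     * @return the parameter value
     * @throws ServletException if the parameter is missing or empty
     */
    private static String requiredInitParameter(FilterConfig filterConfig, String name, String message) throws ServletException {
        String value = filterConfig.getInitParameter(name);
        if (value == null || value.length() <= 0) {
            throw new ServletException(message);
        }
        return value;
    }

    /**
     * Authenticates the request.
     *
     * <ul>
     * <li>A session with a {@link User} whose ticket still validates is chained straight
     *     through, unless the client volunteers a new {@code Negotiate} header.</li>
     * <li>Requests for the login page are chained without authentication.</li>
     * <li>Opera clients are redirected to the login page.</li>
     * <li>A request without a well-formed {@code Authorization: Negotiate <token>} header
     *     receives a 401 challenge.</li>
     * <li>A NegTokenInit whose first mechanism is Kerberos 5 (MS or standard) is passed to
     *     {@link #doKerberosLogon}; anything else is redirected to the login page.</li>
     * </ul>
     *
     * @throws IOException      from the response or a downstream filter
     * @throws ServletException from a downstream filter
     */
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) servletRequest;
        HttpServletResponse resp = (HttpServletResponse) servletResponse;
        HttpSession session = req.getSession(true);

        String authHeader = req.getHeader("Authorization");
        // A client that sends a Negotiate header is re-authenticated even if a User exists.
        boolean needsAuth = authHeader != null && authHeader.startsWith(NEGOTIATE_SCHEME);

        User user = (User) session.getAttribute(AuthenticationHelper.AUTHENTICATION_USER);
        if (user != null && !needsAuth) {
            try {
                if (logger.isDebugEnabled()) {
                    logger.debug("User " + user.getUserName() + " validate ticket");
                }
                this.m_authService.validate(user.getTicket());
                I18NUtil.setLocale(Application.getLanguage(session));
            } catch (AuthenticationException e) {
                if (logger.isErrorEnabled()) {
                    logger.error("Failed to validate user " + user.getUserName(), e);
                }
                needsAuth = true;
            }
        }
        if (user != null && !needsAuth) {
            if (logger.isDebugEnabled()) {
                logger.debug("Authentication not required, chaining ...");
            }
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        // NOTE(review): a suffix match lets any URI ending with the login page path through
        // unauthenticated; the resource still has to exist, but a path check would be tighter.
        if (req.getRequestURI().endsWith(getLoginPage())) {
            if (logger.isDebugEnabled()) {
                logger.debug("Login page requested, chaining ...");
            }
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }

        String userAgent = req.getHeader("user-agent");
        if (userAgent != null && userAgent.indexOf("Opera ") != -1) {
            if (logger.isDebugEnabled()) {
                logger.debug("Opera detected, redirecting to login page");
            }
            redirectToLoginPage(req, resp);
            return;
        }

        // Challenge unless the header is "Negotiate <token>". The original only checked for
        // a null header and then called substring(10), which threw on any other scheme
        // (e.g. "Basic ...") or on a bare "Negotiate".
        if (authHeader == null || !authHeader.startsWith(NEGOTIATE_PREFIX) || authHeader.length() <= NEGOTIATE_PREFIX.length()) {
            if (logger.isDebugEnabled()) {
                logger.debug("New Kerberos auth request from " + req.getRemoteHost() + " (" + req.getRemoteAddr() + AlfrescoNavigationHandler.OUTCOME_SEPARATOR + req.getRemotePort() + ")");
            }
            sendNegotiateChallenge(resp);
            return;
        }

        byte[] token = Base64.decodeBase64(authHeader.substring(NEGOTIATE_PREFIX.length()).getBytes());
        int tokenType = -1;
        try {
            tokenType = SPNEGO.checkTokenType(token, 0, token.length);
        } catch (IOException e) {
            if (logger.isDebugEnabled()) {
                logger.debug("Malformed SPNEGO token", e);
            }
        }
        // Type 0 is the only token type this filter handles (a NegTokenInit is decoded below).
        if (tokenType != 0) {
            if (logger.isDebugEnabled()) {
                logger.debug("Unknown SPNEGO token type");
            }
            redirectToLoginPage(req, resp);
            return;
        }

        NegTokenInit negTokenInit = new NegTokenInit();
        String firstOid = null;
        try {
            negTokenInit.decode(token, 0, token.length);
            if (negTokenInit.numberOfOids() > 0) {
                firstOid = negTokenInit.getOidAt(0).toString();
            }
        } catch (IOException e) {
            if (logger.isDebugEnabled()) {
                logger.debug(e);
            }
            // Previously the request fell through here with no status and no body.
            redirectToLoginPage(req, resp);
            return;
        }

        if (firstOid == null || !(firstOid.equals(OID_MS_KERBEROS5) || firstOid.equals(OID_KERBEROS5))) {
            if (logger.isDebugEnabled()) {
                logger.debug("Unsupported SPNEGO mechanism " + firstOid + ", redirecting to login page");
            }
            // Previously the request fell through here with no status and no body.
            redirectToLoginPage(req, resp);
            return;
        }

        if (doKerberosLogon(negTokenInit, req, resp, session) == null) {
            sendNegotiateChallenge(resp);
        } else if (req.getRequestURI().endsWith(getLoginPage())) {
            // Retained from the original; the login-page check above normally chains such
            // requests before they reach this point.
            if (logger.isDebugEnabled()) {
                logger.debug("Login page requested, redirecting to browse page");
            }
            resp.sendRedirect(req.getContextPath() + "/faces/jsp/browse/browse.jsp");
        } else {
            filterChain.doFilter(req, resp);
        }
    }

    /**
     * Sends a 401 with {@code WWW-Authenticate: Negotiate} and flushes the response.
     *
     * @throws IOException if the response cannot be flushed
     */
    private static void sendNegotiateChallenge(HttpServletResponse resp) throws IOException {
        resp.setHeader("WWW-Authenticate", NEGOTIATE_SCHEME);
        resp.setStatus(401);
        resp.flushBuffer();
    }

    /**
     * Redirects the client to the web-client login page under the faces servlet.
     *
     * @throws IOException if the redirect cannot be sent
     */
    private void redirectToLoginPage(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendRedirect(req.getContextPath() + BaseServlet.FACES_SERVLET + getLoginPage());
    }

    /**
     * Returns the configured login page path, resolving it lazily from the servlet context.
     */
    private String getLoginPage() {
        if (this.m_loginPage == null) {
            this.m_loginPage = Application.getLoginPage(this.m_context);
        }
        return this.m_loginPage;
    }

    public void destroy() {
    }

    /**
     * JAAS callback handler for the service account login: answers {@link NameCallback}
     * with the account name, {@link PasswordCallback} with the password and
     * {@link RealmCallback} with the realm.
     *
     * @throws UnsupportedCallbackException for any other callback type
     */
    @Override // javax.security.auth.callback.CallbackHandler
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            Callback cb = callbacks[i];
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(this.m_accountName);
            } else if (cb instanceof PasswordCallback) {
                // toCharArray() hands the login module its own copy to clear.
                ((PasswordCallback) cb).setPassword(this.m_password.toCharArray());
            } else if (cb instanceof RealmCallback) {
                ((RealmCallback) cb).setText(this.m_krbRealm);
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /**
     * Runs the Kerberos session setup for the client's NegTokenInit under the service
     * account's Subject and, on success, establishes the repository user on the session.
     *
     * <p>Within a user transaction the person node for the Kerberos user name is looked up,
     * the current user switched to the system user and then to the person's stored
     * user name (so the session uses the repository's casing), a {@link User} with a fresh
     * ticket and the home folder id is built, and the transaction committed. The User and
     * {@link LoginBean#LOGIN_EXTERNAL_AUTH} are then stored on the session and the locale
     * negotiated from the Accept-Language header.
     *
     * @return the NegTokenTarg for a fully successful logon; {@code null} if the Kerberos
     *         setup produced no result or any part of the user setup failed. The original
     *         returned the token even when the transaction step failed, which made the
     *         caller chain the request without a session user.
     */
    private final NegTokenTarg doKerberosLogon(NegTokenInit negTokenInit, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpSession httpSession) {
        NegTokenTarg result = null;
        try {
            Object setupResult = Subject.doAs(this.m_loginContext.getSubject(), (PrivilegedAction<Object>) new SessionSetupPrivilegedAction(this.m_accountName, negTokenInit.getMechtoken()));
            if (setupResult == null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("No SPNEGO response, Kerberos logon failed");
                }
                return null;
            }
            KerberosDetails krbDetails = (KerberosDetails) setupResult;
            NegTokenTarg responseToken = new NegTokenTarg(0, OID.KERBEROS5, krbDetails.getResponseToken());

            UserTransaction tx = this.m_transactionService.getUserTransaction();
            try {
                tx.begin();
                NodeRef person = this.m_personService.getPerson(krbDetails.getUserName());
                this.m_authComponent.setSystemUserAsCurrentUser();
                String userName = (String) this.m_nodeService.getProperty(person, ContentModel.PROP_USERNAME);
                AuthenticationUtil.setCurrentUser(userName);
                User user = new User(userName, this.m_authService.getCurrentTicket(), person);
                user.setHomeSpaceId(this.m_nodeService.getProperty(person, ContentModel.PROP_HOMEFOLDER).getId());
                tx.commit();

                // NOTE(review): the User is stored on the session the client arrived with;
                // the session id is not rotated, so a pre-planted id survives authentication.
                httpSession.setAttribute(AuthenticationHelper.AUTHENTICATION_USER, user);
                httpSession.setAttribute(LoginBean.LOGIN_EXTERNAL_AUTH, Boolean.TRUE);
                Locale locale = parseAcceptLanguageHeader(httpServletRequest, this.m_languages);
                if (locale != null) {
                    httpSession.setAttribute(LOCALE, locale);
                    httpSession.removeAttribute(MESSAGE_BUNDLE);
                }
                I18NUtil.setLocale(Application.getLanguage(httpSession));
                if (logger.isDebugEnabled()) {
                    logger.debug("User " + userName + " logged on via Kerberos");
                }
                // Only a fully completed setup reports success to the caller.
                result = responseToken;
            } catch (Throwable th) {
                try {
                    tx.rollback();
                } catch (Exception e) {
                    logger.error("Failed to rollback transaction", e);
                }
                // NOTE(review): a current user set above before the failure is not cleared here.
                if (th instanceof RuntimeException) {
                    throw (RuntimeException) th;
                }
                throw new RuntimeException("Authentication setup failed", th);
            }
        } catch (Exception e) {
            if (logger.isDebugEnabled()) {
                logger.debug("Kerberos logon error", e);
            }
            result = null;
        }
        return result;
    }

    /**
     * Maps a user name to the person service's user identifier inside its own transaction.
     *
     * @param userName the user name to map
     * @return the identifier returned by {@link PersonService#getUserIdentifier(String)}
     * @throws RuntimeException wrapping any checked failure of the transaction or lookup
     */
    protected final String mapUserNameToPerson(String userName) {
        UserTransaction tx = this.m_transactionService.getUserTransaction();
        try {
            tx.begin();
            String identifier = this.m_personService.getUserIdentifier(userName);
            tx.commit();
            return identifier;
        } catch (Throwable th) {
            try {
                tx.rollback();
            } catch (Throwable rollbackError) {
                logger.error("Failed to rollback transaction", rollbackError);
            }
            if (th instanceof RuntimeException) {
                throw (RuntimeException) th;
            }
            throw new RuntimeException("Error during execution of transaction.", th);
        }
    }
}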
