package org.alfresco.web.sharepoint.auth.ntlm;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.transaction.UserTransaction;
import net.sf.acegisecurity.BadCredentialsException;
import org.alfresco.jlan.server.auth.PasswordEncryptor;
import org.alfresco.jlan.server.auth.ntlm.NTLMLogonDetails;
import org.alfresco.jlan.server.auth.ntlm.NTLMv2Blob;
import org.alfresco.jlan.server.auth.ntlm.TargetInfo;
import org.alfresco.jlan.server.auth.ntlm.Type1NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type2NTLMMessage;
import org.alfresco.jlan.server.auth.ntlm.Type3NTLMMessage;
import org.alfresco.jlan.util.DataPacker;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.SessionUser;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.MD4PasswordEncoder;
import org.alfresco.repo.security.authentication.MD4PasswordEncoderImpl;
import org.alfresco.repo.security.authentication.NTLMMode;
import org.alfresco.repo.security.authentication.ntlm.NLTMAuthenticator;
import org.alfresco.repo.security.authentication.ntlm.NTLMPassthruToken;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.transaction.TransactionService;
import org.alfresco.web.bean.repository.User;
import org.alfresco.web.sharepoint.auth.AbstractAuthenticationHandler;
import org.alfresco.web.sharepoint.auth.AuthenticationHandler;
import org.alfresco.web.sharepoint.auth.SiteMemberMapper;
import org.apache.axiom.om.util.DigestGenerator;
import org.apache.commons.codec.binary.Base64;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:WEB-INF/lib/alfresco-web-client-3.2r.jar:org/alfresco/web/sharepoint/auth/ntlm/NtlmAuthenticationHandler.class */
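/**
 * NTLM (NTLMSSP) authentication handler for the SharePoint protocol endpoint.
 *
 * <p>The Type1/Type2/Type3 handshake state is kept in the HTTP session, keyed by request URI.
 * Two modes are supported, selected by {@link NLTMAuthenticator#getNTLMMode()}:
 * <ul>
 *   <li>{@link NTLMMode#MD4_PROVIDER}: the server generates the challenge itself and verifies the
 *       client's NTLMv1 / NTLMv2 / NTLMv2-session-key response locally against the user's stored MD4 hash;</li>
 *   <li>otherwise: passthru, where the challenge comes from an {@link NTLMPassthruToken} and the
 *       response is forwarded to the authentication component (NTLMv1 only).</li>
 * </ul>
 *
 * <p>Changes against the decompiled original: the server challenge is drawn from {@link SecureRandom}
 * instead of a time-seeded {@link Random}; response comparisons use {@link MessageDigest#isEqual}
 * (constant-time) instead of early-exit byte loops; null session / logon-details cases that used to
 * throw {@link NullPointerException} now fail authentication; swallowed exceptions are logged.
 *
 * <p>{@code logger}, {@code personService} and {@code authenticationService} are inherited from
 * {@link AbstractAuthenticationHandler}.
 */
public class NtlmAuthenticationHandler extends AbstractAuthenticationHandler implements InitializingBean {

    /** Session attribute holding the per-request-URI {@code Map<String, NTLMLogonDetails>}. */
    private static final String NTLM_AUTH_DETAILS = "_alfNTLMDetails";

    /** Negotiate-flag mask applied to the client's Type1 flags when the MD4 provider is active (== -1610087807). */
    private static final int NTLM_FLAGS_NTLM2 = 0xA0080281;

    /** Negotiate-flag mask applied to the client's Type1 flags in passthru mode (== -2147483005). */
    private static final int NTLM_FLAGS_NTLM1 = 0x80000283;

    /** MS-NLMP NTLMSSP_NEGOTIATE_128 (was the literal 536870912). */
    private static final int FLAG_NEGOTIATE_128 = 0x20000000;

    /** MS-NLMP NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY, the "NTLM2 key" flag (was the literal 524288). */
    private static final int FLAG_NTLM2_KEY = 0x00080000;

    /** MS-NLMP NTLMSSP_NEGOTIATE_56 (was {@code Integer.MIN_VALUE}). */
    private static final int FLAG_NEGOTIATE_56 = 0x80000000;

    /** Size in bytes of the server challenge. */
    private static final int CHALLENGE_LENGTH = 8;

    /** Size in bytes of an NTLMv1 or LM response. */
    private static final int NTLMV1_RESPONSE_LENGTH = 24;

    /** Number of bytes of the MD4 hash copied into the 21-byte key buffer used by NTLMv1 encryption. */
    private static final int MD4_HASH_LENGTH = 16;

    /** Third argument passed to {@link NTLMPassthruToken#setUserAndPassword}; the original used the literal 1. */
    private static final int PASSTHRU_HASH_TYPE = 1;

    private final MD4PasswordEncoder md4Encoder = new MD4PasswordEncoderImpl();
    private final PasswordEncryptor encryptor = new PasswordEncryptor();

    /**
     * Source of the server challenge. The challenge must be unpredictable to an attacker, which a
     * {@link Random} seeded from the clock is not; hence {@link SecureRandom}.
     */
    private final SecureRandom random = new SecureRandom();

    private NLTMAuthenticator authenticationComponent;
    private TransactionService transactionService;
    private NodeService nodeService;

    /**
     * Negotiate-flag mask chosen in {@link #afterPropertiesSet()}. Kept per instance (the original used a
     * mutable static) so two handlers configured for different NTLM modes cannot overwrite each other.
     */
    private int ntlmFlags;

    public void setAuthenticationComponent(NLTMAuthenticator nLTMAuthenticator) {
        this.authenticationComponent = nLTMAuthenticator;
    }

    public void setTransactionService(TransactionService transactionService) {
        this.transactionService = transactionService;
    }

    public void setNodeService(NodeService nodeService) {
        this.nodeService = nodeService;
    }

    /**
     * Selects the negotiate-flag mask for this handler from the authentication component's NTLM mode.
     *
     * @throws Exception per the {@link InitializingBean} contract; nothing is thrown here except a
     *         {@link NullPointerException} if no authentication component was injected
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        this.ntlmFlags = isMd4Provider() ? NTLM_FLAGS_NTLM2 : NTLM_FLAGS_NTLM1;
    }

    /** Whether the authentication component verifies responses locally against stored MD4 hashes. */
    private boolean isMd4Provider() {
        return this.authenticationComponent.getNTLMMode() == NTLMMode.MD4_PROVIDER;
    }

    /*
     * The decompiler could not reconstruct this method (instructions count 608, "Method dump skipped");
     * it is left exactly as emitted. Presumably it parses the Authorization header and dispatches to
     * processType1 / processType3 — TODO confirm against the original source before relying on that.
     */
    /* JADX WARN: Removed duplicated region for block: B:78:0x022d  */
    @Override // org.alfresco.web.sharepoint.auth.AuthenticationHandler
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public org.alfresco.repo.SessionUser authenticateRequest(javax.servlet.http.HttpServletRequest r9, javax.servlet.http.HttpServletResponse r10, org.alfresco.web.sharepoint.auth.SiteMemberMapper r11, java.lang.String r12) {
        /*
            Method dump skipped, instructions count: 608
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.alfresco.web.sharepoint.auth.ntlm.NtlmAuthenticationHandler.authenticateRequest(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, org.alfresco.web.sharepoint.auth.SiteMemberMapper, java.lang.String):org.alfresco.repo.SessionUser");
    }

    /** @return the scheme advertised in the {@code WWW-Authenticate} challenge header. */
    @Override // org.alfresco.web.sharepoint.auth.AbstractAuthenticationHandler
    public String getWWWAuthenticate() {
        return "NTLM";
    }

    /**
     * Handles an NTLM Type1 (negotiate) message: creates the server challenge, stores the resulting
     * Type2 message (and, in passthru mode, the passthru token) in the session, and answers 401 with the
     * Base64-encoded Type2 message in {@code WWW-Authenticate}.
     *
     * @param type1    the client's negotiate message
     * @param request  current request; the session attached to it holds the handshake state
     * @param response response to write the challenge to; it is flushed and closed here
     * @param session  unused, kept for signature compatibility with the original
     * @throws IOException if writing the response fails
     */
    private void processType1(Type1NTLMMessage type1, HttpServletRequest request, HttpServletResponse response, HttpSession session) throws IOException {
        // Any half-finished handshake for this URI is discarded first.
        removeNtlmLogonDetailsFromSession(request);
        NTLMLogonDetails logonDetails = new NTLMLogonDetails();

        byte[] challenge = null;
        NTLMPassthruToken passthruToken = null;
        if (isMd4Provider()) {
            challenge = new byte[CHALLENGE_LENGTH];
            this.random.nextBytes(challenge);
        } else {
            passthruToken = new NTLMPassthruToken(type1.getDomain());
            this.authenticationComponent.authenticate(passthruToken);
            if (passthruToken.getChallenge() != null) {
                // NOTE(review): platform-charset getBytes(), as in the original; the challenge type is opaque here.
                challenge = passthruToken.getChallenge().getBytes();
            }
        }
        // NOTE(review): if the passthru token yielded no challenge, buildType2 is called with null as before — confirm that is intended.

        int flags = type1.getFlags() & this.ntlmFlags;
        String serverName = getServerName();
        List<TargetInfo> targetInfo = new ArrayList<>();
        targetInfo.add(new TargetInfo(1, serverName));
        Type2NTLMMessage type2 = new Type2NTLMMessage();
        type2.buildType2(flags, serverName, challenge, null, targetInfo);

        logonDetails.setType2Message(type2);
        logonDetails.setAuthenticationToken(passthruToken);
        putNtlmLogonDetailsToSession(request, logonDetails);

        // Base64 output is pure ASCII, so the charset is fixed rather than left to the platform default.
        String encodedType2 = new String(Base64.encodeBase64(type2.getBytes()), StandardCharsets.US_ASCII);
        response.setHeader("WWW-Authenticate", "NTLM " + encodedType2);
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.flushBuffer();
        response.getOutputStream().close();
    }

    /**
     * Handles an NTLM Type3 (authenticate) message: verifies the response against the stored challenge,
     * checks site membership, and establishes or re-validates the session user.
     *
     * @param type3            the client's authenticate message
     * @param siteMemberMapper used to check that the authenticated user may access the site
     * @param request          current request
     * @param response         response; for non-{@code .asmx} POSTs the connection is marked for close
     * @param session          current session, may be {@code null}
     * @param alfrescoContext  passed unchanged to {@link SiteMemberMapper#isSiteMember}; name inferred — confirm
     * @return the authenticated session user, or {@code null} if authentication or site membership failed
     * @throws IOException      from {@link #createUserEnvironment}
     * @throws ServletException from {@link #createUserEnvironment}
     */
    private SessionUser processType3(Type3NTLMMessage type3, SiteMemberMapper siteMemberMapper, HttpServletRequest request, HttpServletResponse response, HttpSession session, String alfrescoContext) throws IOException, ServletException {
        NTLMLogonDetails logonDetails = null;
        SessionUser sessionUser = null;
        if (session != null) {
            logonDetails = getNtlmLogonDetailsFromSession(request);
            sessionUser = (SessionUser) session.getAttribute(AuthenticationHandler.USER_SESSION_ATTRIBUTE);
        }

        String userName = type3.getUserName();
        String workstation = type3.getWorkstation();
        String domain = type3.getDomain();

        boolean authenticated = false;
        if (userName == null) {
            // Nothing to look up and nothing to map: fall through to the failure path.
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Authentication failed, Type3 message carries no user name");
            }
        } else if (isMd4Provider()) {
            String md4Hash = getMD4Hash(userName);
            authenticated = md4Hash != null && validateLocalHashedPassword(type3, logonDetails, false, md4Hash);
        } else if (isNtlmV2Logon(type3)) {
            // Passthru can only forward NTLMv1 responses.
            if (this.logger.isErrorEnabled()) {
                this.logger.error("Client " + workstation + " using NTLMv2 logon, not valid with passthru authentication");
            }
        } else {
            authenticated = authenticatePassthru(type3, logonDetails, userName);
        }

        // NOTE(review): toLowerCase() uses the default locale as in the original; kept so it matches whatever the site mapper stores.
        if (!authenticated || !siteMemberMapper.isSiteMember(request, alfrescoContext, userName.toLowerCase())) {
            removeNtlmLogonDetailsFromSession(request);
            if (session != null) {
                session.removeAttribute(AuthenticationHandler.USER_SESSION_ATTRIBUTE);
            }
            return null;
        }

        String requestURI = request.getRequestURI();
        if ("POST".equals(request.getMethod()) && !requestURI.endsWith(".asmx")) {
            response.setHeader("Connection", "Close");
            response.setContentType("application/x-vermeer-rpc");
        }

        if (sessionUser == null) {
            // NOTE(review): a null session reaches createUserEnvironment here, as in the original — confirm callers always supply one.
            sessionUser = createUserEnvironment(session, userName);
        } else {
            // sessionUser is only ever read from a non-null session, so session is safe to use here.
            try {
                this.authenticationService.validate(sessionUser.getTicket());
            } catch (AuthenticationException e) {
                session.removeAttribute(AuthenticationHandler.USER_SESSION_ATTRIBUTE);
                removeNtlmLogonDetailsFromSession(request);
                return null;
            }
        }

        String serverName = getServerName();
        if (logonDetails == null) {
            putNtlmLogonDetailsToSession(request, new NTLMLogonDetails(userName, workstation, domain, false, serverName));
        } else {
            logonDetails.setDetails(userName, workstation, domain, false, serverName);
            putNtlmLogonDetailsToSession(request, logonDetails);
        }
        return sessionUser;
    }

    /**
     * Whether the Type3 message is an NTLMv2 logon: both the 128-bit and NTLM2-key flags are set, or the
     * NTLM response is longer than an NTLMv1 response.
     */
    private static boolean isNtlmV2Logon(Type3NTLMMessage type3) {
        boolean v2Flags = type3.hasFlag(FLAG_NEGOTIATE_128) && type3.hasFlag(FLAG_NTLM2_KEY);
        byte[] ntlmHash = type3.getNTLMHash();
        boolean v2Length = ntlmHash != null && ntlmHash.length > NTLMV1_RESPONSE_LENGTH;
        return v2Flags || v2Length;
    }

    /**
     * Forwards an NTLMv1 response to the authentication component via the passthru token created for the
     * Type1 message.
     *
     * <p>The token is single-use: it is cleared from {@code logonDetails} whether or not authentication
     * succeeds. Unlike the original, a failure in {@code setCurrentUser} now counts as a failed logon rather
     * than leaving the "authenticated" flag set.
     *
     * @return {@code true} if the authentication component accepted the response
     */
    private boolean authenticatePassthru(Type3NTLMMessage type3, NTLMLogonDetails logonDetails, String userName) {
        if (logonDetails == null || !(logonDetails.getAuthenticationToken() instanceof NTLMPassthruToken)) {
            // No Type1 state for this URI (session lost, or Type3 sent without a preceding Type1).
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Authentication failed, no passthru token available for " + userName);
            }
            return false;
        }
        NTLMPassthruToken token = (NTLMPassthruToken) logonDetails.getAuthenticationToken();
        token.setUserAndPassword(userName, type3.getNTLMHash(), PASSTHRU_HASH_TYPE);
        try {
            this.authenticationComponent.authenticate(token);
            this.authenticationComponent.setCurrentUser(userName);
            return true;
        } catch (BadCredentialsException | AuthenticationException e) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Authentication failed, " + e.getMessage());
            }
            return false;
        } finally {
            logonDetails.setAuthenticationToken(null);
        }
    }

    /** @return the target name advertised in the Type2 message and recorded in the logon details. */
    private String getServerName() {
        return "Alfresco Server";
    }

    /**
     * Looks up the person node and repository user name for {@code userName} as the system user, makes
     * {@code userName} the current user, and stores the resulting {@link User} in the session.
     *
     * @param session  session to receive the {@link AuthenticationHandler#USER_SESSION_ATTRIBUTE}
     * @param userName user name taken from the Type3 message
     * @return the created session user
     * @throws IOException      if the transactional work failed with one
     * @throws ServletException if the transactional work failed with one
     * @throws RuntimeException any other failure, after the transaction has been rolled back
     */
    private SessionUser createUserEnvironment(HttpSession session, final String userName) throws IOException, ServletException {
        UserTransaction tx = this.transactionService.getUserTransaction();
        try {
            tx.begin();
            // Person lookup runs as the system user; the node ref is reused for the property read
            // rather than resolving the person a second time as the original did.
            final NodeRef personRef = (NodeRef) AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<NodeRef>() {
                @Override // org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork
                public NodeRef doWork() throws Exception {
                    return NtlmAuthenticationHandler.this.personService.getPerson(userName);
                }
            }, AuthenticationUtil.SYSTEM_USER_NAME);
            String repoUserName = (String) AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<String>() {
                @Override // org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork
                public String doWork() throws Exception {
                    return (String) NtlmAuthenticationHandler.this.nodeService.getProperty(personRef, ContentModel.PROP_USERNAME);
                }
            }, AuthenticationUtil.SYSTEM_USER_NAME);
            this.authenticationComponent.setCurrentUser(userName);
            User user = new User(repoUserName, this.authenticationService.getCurrentTicket(), personRef);
            tx.commit();
            session.setAttribute(AuthenticationHandler.USER_SESSION_ATTRIBUTE, user);
            return user;
        } catch (Throwable th) {
            try {
                tx.rollback();
            } catch (Exception e) {
                this.logger.error("Failed to rollback transaction", e);
            }
            if (th instanceof RuntimeException) {
                throw (RuntimeException) th;
            }
            if (th instanceof IOException) {
                throw (IOException) th;
            }
            if (th instanceof ServletException) {
                throw (ServletException) th;
            }
            throw new RuntimeException("Authentication setup failed", th);
        }
    }

    /**
     * Fetches the stored MD4 password hash for {@code userName} inside its own transaction.
     *
     * <p>Best effort: any failure is logged at debug level and the method returns whatever was fetched
     * before the failure (usually {@code null}), which callers treat as "cannot authenticate locally".
     *
     * @return the encoded MD4 hash, or {@code null}
     */
    protected String getMD4Hash(String userName) {
        String md4Hash = null;
        UserTransaction tx = this.transactionService.getUserTransaction();
        try {
            tx.begin();
            md4Hash = this.authenticationComponent.getMD4HashedPassword(userName);
            tx.commit();
        } catch (Throwable th) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Failed to retrieve MD4 hash for " + userName, th);
            }
            try {
                tx.rollback();
            } catch (Exception e) {
                this.logger.error("Failed to rollback transaction", e);
            }
        }
        return md4Hash;
    }

    /**
     * Verifies the Type3 response locally against the user's MD4 hash, choosing NTLMv1, NTLMv2 or the
     * NTLMv2 session-key variant from the message flags and response length.
     *
     * @param type3        the client's authenticate message
     * @param logonDetails handshake state holding the Type2 message / challenge; {@code null} fails
     * @param unused       unused, kept for signature compatibility with the original
     * @param md4Hash      the user's encoded MD4 hash
     * @return {@code true} if the response verified
     */
    private boolean validateLocalHashedPassword(Type3NTLMMessage type3, NTLMLogonDetails logonDetails, boolean unused, String md4Hash) {
        if (logonDetails == null || logonDetails.getType2Message() == null) {
            return false;
        }
        byte[] challenge = logonDetails.getChallengeKey();
        boolean loggedOn;
        if (!type3.hasFlag(FLAG_NTLM2_KEY)) {
            loggedOn = checkNTLMv1(md4Hash, challenge, type3, false);
            logLogonResult(loggedOn, "NTLMSSP/NTLMv1");
        } else if (type3.getNTLMHashLength() > NTLMV1_RESPONSE_LENGTH) {
            loggedOn = checkNTLMv2(md4Hash, challenge, type3);
            logLogonResult(loggedOn, "NTLMSSP/NTLMv2");
            // Some clients set the NTLM2 flags but still send an NTLMv1 response in the LM field.
            if (!loggedOn && type3.hasFlag(FLAG_NEGOTIATE_56) && type3.getLMHashLength() == NTLMV1_RESPONSE_LENGTH) {
                loggedOn = checkNTLMv1(md4Hash, challenge, type3, true);
                logLogonResult(loggedOn, "NTLMSSP/NTLMv1 (via fallback)");
            }
        } else {
            loggedOn = checkNTLMv2SessionKey(md4Hash, challenge, type3);
            logLogonResult(loggedOn, "NTLMSSP/NTLMv2SessKey");
        }
        return loggedOn;
    }

    /** Debug-logs the outcome of one verification attempt; messages match the original wording. */
    private void logLogonResult(boolean loggedOn, String variant) {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug((loggedOn ? "Logged on" : "Logon failed") + " using " + variant);
        }
    }

    /**
     * Computes the NTLMv1 response for the user's MD4 hash and the given challenge.
     *
     * @return the 24-byte response, or {@code null} if the cipher is unavailable (logged at debug level)
     */
    private byte[] ntlmV1Response(String md4Hash, byte[] challenge) {
        // NTLMv1 DES-encrypts with a 21-byte key: the 16-byte MD4 hash zero-padded.
        byte[] paddedHash = new byte[21];
        System.arraycopy(this.md4Encoder.decodeHash(md4Hash), 0, paddedHash, 0, MD4_HASH_LENGTH);
        try {
            return this.encryptor.doNTLM1Encryption(paddedHash, challenge);
        } catch (NoSuchAlgorithmException e) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(e.getMessage());
            }
            return null;
        }
    }

    /**
     * Verifies an NTLMv1 response.
     *
     * @param md4Hash   the user's encoded MD4 hash
     * @param challenge the server challenge sent in the Type2 message
     * @param type3     the client's authenticate message
     * @param useLmHash compare against the LM response field instead of the NTLM response field
     * @return {@code true} if the client's response equals the one computed here (constant-time compare)
     */
    private boolean checkNTLMv1(String md4Hash, byte[] challenge, Type3NTLMMessage type3, boolean useLmHash) {
        byte[] expected = ntlmV1Response(md4Hash, challenge);
        byte[] actual = useLmHash ? type3.getLMHash() : type3.getNTLMHash();
        return expected != null && actual != null && MessageDigest.isEqual(actual, expected);
    }

    /**
     * Verifies an NTLMv2 response: first the NTLMv2 HMAC over the blob, then — if that fails — the LMv2
     * response, which is only attempted when the client challenge embedded in the LM field matches the
     * blob's client challenge. All comparisons are constant-time.
     *
     * @return {@code true} if either response verified; {@code false} on mismatch or any exception
     */
    private boolean checkNTLMv2(String md4Hash, byte[] challenge, Type3NTLMMessage type3) {
        try {
            byte[] v2Hash = this.encryptor.doNTLM2Encryption(this.md4Encoder.decodeHash(md4Hash), type3.getUserName(), type3.getDomain());
            NTLMv2Blob blob = new NTLMv2Blob(type3.getNTLMHash());
            byte[] expectedHmac = blob.calculateHMAC(challenge, v2Hash);
            byte[] actualHmac = blob.getHMAC();
            if (actualHmac != null && expectedHmac != null && MessageDigest.isEqual(actualHmac, expectedHmac)) {
                return true;
            }

            // NTLMv2 did not verify; try LMv2. The LM field is HMAC (16 bytes) followed by the 8-byte client challenge.
            byte[] lmHash = type3.getLMHash();
            byte[] clientChallenge = blob.getClientChallenge();
            if (lmHash == null || lmHash.length != NTLMV1_RESPONSE_LENGTH
                    || clientChallenge == null || clientChallenge.length != CHALLENGE_LENGTH) {
                return false;
            }
            if (!MessageDigest.isEqual(Arrays.copyOfRange(lmHash, MD4_HASH_LENGTH, NTLMV1_RESPONSE_LENGTH), clientChallenge)) {
                return false;
            }
            byte[] expectedLmv2 = blob.calculateLMv2HMAC(v2Hash, challenge, clientChallenge);
            // The original compared the first calculateLMv2HMAC.length bytes of the LM field; an over-long
            // HMAC used to throw out of the loop and fail, so it fails here too.
            if (expectedLmv2 == null || expectedLmv2.length > lmHash.length) {
                return false;
            }
            return MessageDigest.isEqual(Arrays.copyOfRange(lmHash, 0, expectedLmv2.length), expectedLmv2);
        } catch (Exception e) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(e);
            }
            return false;
        }
    }

    /**
     * Verifies an NTLMv2 session-key ("NTLM2 session response") logon: the effective challenge is the
     * first 8 bytes of MD5(serverChallenge || clientNonce), where the client nonce is the first 8 bytes
     * of the LM field; the NTLM field must then be the NTLMv1 response to that challenge.
     *
     * @return {@code true} if the response verified; {@code false} on malformed input or an unavailable digest
     */
    private boolean checkNTLMv2SessionKey(String md4Hash, byte[] challenge, Type3NTLMMessage type3) {
        byte[] lmHash = type3.getLMHash();
        // The original copied blindly and threw on short/missing input; a malformed message is a failed logon.
        if (challenge == null || challenge.length < CHALLENGE_LENGTH || lmHash == null || lmHash.length < CHALLENGE_LENGTH) {
            return false;
        }
        byte[] sessionNonce = new byte[2 * CHALLENGE_LENGTH];
        System.arraycopy(challenge, 0, sessionNonce, 0, CHALLENGE_LENGTH);
        System.arraycopy(lmHash, 0, sessionNonce, CHALLENGE_LENGTH, CHALLENGE_LENGTH);

        byte[] derivedChallenge = new byte[CHALLENGE_LENGTH];
        try {
            MessageDigest md5 = MessageDigest.getInstance(DigestGenerator.md5DigestAlgorithm);
            System.arraycopy(md5.digest(sessionNonce), 0, derivedChallenge, 0, CHALLENGE_LENGTH);
        } catch (NoSuchAlgorithmException e) {
            // The original carried on with an all-zero challenge; without the digest no valid check is possible.
            if (this.logger.isDebugEnabled()) {
                this.logger.debug(e.getMessage());
            }
            return false;
        }

        byte[] expected = ntlmV1Response(md4Hash, derivedChallenge);
        byte[] actual = type3.getNTLMHash();
        return expected != null && actual != null && MessageDigest.isEqual(actual, expected);
    }

    /**
     * Returns the per-URI logon-details map stored in the request's session.
     *
     * @param request current request; {@link HttpServletRequest#getSession()} may create a session
     * @param create  create and store an empty map if none (or a non-map attribute) is present
     * @return the map, or {@code null} if absent and {@code create} is {@code false}
     */
    @SuppressWarnings("unchecked") // the attribute is only ever written by putNtlmLogonDetailsToSession below
    private Map<String, NTLMLogonDetails> getNtlmDetailsMap(HttpServletRequest request, boolean create) {
        HttpSession session = request.getSession();
        Object attribute = session.getAttribute(NTLM_AUTH_DETAILS);
        if (attribute instanceof Map) {
            return (Map<String, NTLMLogonDetails>) attribute;
        }
        if (!create) {
            return null;
        }
        Map<String, NTLMLogonDetails> detailsByUri = new HashMap<>();
        session.setAttribute(NTLM_AUTH_DETAILS, detailsByUri);
        return detailsByUri;
    }

    /** Stores the handshake state for the request's URI in the session. */
    private void putNtlmLogonDetailsToSession(HttpServletRequest request, NTLMLogonDetails logonDetails) {
        getNtlmDetailsMap(request, true).put(request.getRequestURI(), logonDetails);
    }

    /** @return the handshake state stored for the request's URI, or {@code null} */
    private NTLMLogonDetails getNtlmLogonDetailsFromSession(HttpServletRequest request) {
        Map<String, NTLMLogonDetails> detailsByUri = getNtlmDetailsMap(request, false);
        return detailsByUri == null ? null : detailsByUri.get(request.getRequestURI());
    }

    /** Discards the handshake state stored for the request's URI, if any. */
    private void removeNtlmLogonDetailsFromSession(HttpServletRequest request) {
        Map<String, NTLMLogonDetails> detailsByUri = getNtlmDetailsMap(request, false);
        if (detailsByUri != null) {
            detailsByUri.remove(request.getRequestURI());
        }
    }
}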
