package org.simplericity.serberuhs;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.PrivilegedAction;
import java.util.Enumeration;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import shaded.org.apache.commons.codec.binary.Base64;
import shaded.org.bouncycastle.asn1.ASN1OctetString;
import shaded.org.bouncycastle.asn1.ASN1Sequence;
import shaded.org.bouncycastle.asn1.ASN1TaggedObject;
import shaded.org.bouncycastle.asn1.DERInputStream;
import shaded.org.bouncycastle.asn1.DERObjectIdentifier;
import shaded.org.bouncycastle.asn1.DERUnknownTag;

/* loaded from: input_file:org/simplericity/serberuhs/SpNego.class */
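/**
 * Server-side SPNEGO / Kerberos negotiation for a single HTTP request.
 *
 * <p>{@link #negotiate} inspects the {@code Authorization} header, extracts the Kerberos
 * mechanism token and hands it to JGSS under the service {@link Subject}. The outcome is
 * exposed through {@link #getResult()}, {@link #getAuthorizedPrincipal()} and
 * {@link #getException()}.
 *
 * <p>Instances hold per-negotiation state in plain fields, so an instance must not be
 * shared between concurrent requests.
 */
public class SpNego {
    private final Logger log = LoggerFactory.getLogger(getClass());
    private SpNegoResult result;
    private String authorizedPrincipal;
    private Exception exception;
    /** ASCII "NTLMSSP" followed by a NUL byte: the signature that opens every NTLM message. */
    private static final byte[] NTLMSSP_PREFIX = {78, 84, 76, 77, 83, 83, 80, 0};
    /** Object identifier of the Kerberos V5 GSS-API mechanism. */
    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
    /** Scheme prefix of an SPNEGO {@code Authorization} header, including the separating space. */
    private static final String NEGOTIATE_PREFIX = "Negotiate ";

    /**
     * Runs one negotiation step for the given request.
     *
     * <p>When the header is missing, a {@code 401} with {@code WWW-Authenticate: Negotiate} is
     * written to the response. In every other case only the result fields are updated and the
     * caller decides what to send back.
     *
     * <p>The header value itself is never logged: a Basic header is a reversible encoding of the
     * password, and a Negotiate header carries a replayable service ticket.
     *
     * @param subject             the logged-in service subject whose first principal names the
     *                            acceptor credential
     * @param httpServletRequest  request carrying the {@code Authorization} header
     * @param httpServletResponse response that receives the challenge when the header is missing
     */
    public void negotiate(Subject subject, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // Start from a clean slate so a reused instance cannot report the principal or the
        // exception of an earlier negotiation alongside the result of this one.
        this.result = null;
        this.authorizedPrincipal = null;
        this.exception = null;

        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Authorization header is missing, initiating Negotiate");
            }
            httpServletResponse.setHeader("WWW-Authenticate", "Negotiate");
            httpServletResponse.setStatus(401);
            this.result = SpNegoResult.MISSING_AUTHORIZATION_HEADER;
            return;
        }
        if (header.startsWith("Basic ")) {
            this.log.debug("Client sent a Basic token instead of SPNEGO / Kerberos");
            this.result = SpNegoResult.WRONG_TOKEN_BASIC;
            return;
        }
        if (!isNegotiate(header)) {
            this.log.debug("Client sent an Authorization header that does not start with 'Negotiate '");
            this.result = SpNegoResult.WRONG_TOKEN_NOT_NEGOTIATE;
            return;
        }
        if (isNtlm(header)) {
            this.log.debug("Client sent an NTLM token instead of SPNEGO / Kerberos");
            this.result = SpNegoResult.WRONG_TOKEN_NTLM;
            return;
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug("Authorization header carries a Negotiate token of " + header.length() + " characters");
        }
        try {
            final byte[] kerberosToken = getKerberosToken(decodeNegotiatePayload(header));
            final String name = subject.getPrincipals().iterator().next().getName();
            Subject.doAs(subject, new PrivilegedAction<Object>() {
                @Override
                public Object run() {
                    GSSContext context = null;
                    try {
                        GSSManager manager = GSSManager.getInstance();
                        // Integer.MAX_VALUE requests an indefinite lifetime; usage 2 is accept-only.
                        context = manager.createContext(manager.createCredential(
                                manager.createName(name, (Oid) null), Integer.MAX_VALUE, new Oid(SpNego.KERBEROS_OID), 2));
                        // The reply token returned by acceptSecContext is not sent back to the
                        // client, so a context that needs another round trip cannot complete here.
                        context.acceptSecContext(kerberosToken, 0, kerberosToken.length);
                        if (context.isEstablished()) {
                            String principal = context.getSrcName().toString();
                            SpNego.this.log.info("Logged in " + principal);
                            SpNego.this.authorizedPrincipal = principal;
                            SpNego.this.result = SpNegoResult.AUTHORIZED;
                        } else {
                            // Fail closed: without an established context there is no
                            // authenticated principal, so the request must not be authorized.
                            SpNego.this.log.debug("Security context was not established after a single token");
                            SpNego.this.result = SpNegoResult.AUTHORIZATION_FAILED;
                        }
                    } catch (GSSException e) {
                        if (SpNego.this.log.isDebugEnabled()) {
                            SpNego.this.log.debug("SPNEGO authorization failed with a GSSException", e);
                        }
                        SpNego.this.result = SpNegoResult.AUTHORIZATION_FAILED;
                        SpNego.this.exception = e;
                    } finally {
                        if (context != null) {
                            try {
                                context.dispose();
                            } catch (GSSException ignored) {
                                // Best-effort release; the negotiation outcome is already recorded.
                            }
                        }
                    }
                    return null;
                }
            });
        } catch (IOException e) {
            if (this.log.isDebugEnabled()) {
                this.log.debug("Failed parsing token", e);
            }
            this.result = SpNegoResult.FAILED_PARSING_TOKEN;
            this.exception = e;
        }
    }

    /** Returns {@code true} when the header value uses the {@code Negotiate} scheme. */
    private boolean isNegotiate(String str) {
        return str != null && str.startsWith(NEGOTIATE_PREFIX);
    }

    /**
     * Base64-decodes the part of a {@code Negotiate} header that follows the scheme name.
     *
     * <p>The bytes come from {@code String.getBytes}, which is sized exactly to the text.
     * Passing the backing array of an encoder buffer instead would include unused trailing
     * capacity and depend on the decoder silently skipping it.
     */
    private static byte[] decodeNegotiatePayload(String header) {
        return Base64.decodeBase64(header.substring(NEGOTIATE_PREFIX.length()).getBytes(Charset.forName("UTF-8")));
    }

    /**
     * Extracts the Kerberos mechanism token from a decoded GSS-API initial token.
     *
     * <p>The input is client-controlled, so every element is type-checked before it is cast,
     * and any structural problem is reported as an {@link IOException} rather than escaping as
     * a {@code ClassCastException} or as a {@code null} return value.
     *
     * @param bArr decoded token bytes from the {@code Authorization} header
     * @return {@code bArr} itself when its mechanism OID is Kerberos, otherwise the octets of
     *         the element tagged {@code [2]} inside the wrapped sequence
     * @throws IOException if the token is empty, malformed, or carries no element tagged {@code [2]}
     */
    byte[] getKerberosToken(byte[] bArr) throws IOException {
        if (bArr == null || bArr.length == 0) {
            throw new IOException("Malformed token is empty");
        }
        try {
            Object outer = new DERInputStream(new ByteArrayInputStream(bArr)).readObject();
            // 96 == 0x60, the application tag that wraps a GSS-API initial context token.
            if (!(outer instanceof DERUnknownTag) || ((DERUnknownTag) outer).getTag() != 96) {
                throw new IOException("Malformed token did not start with 0x60");
            }
            DERInputStream inner = new DERInputStream(new ByteArrayInputStream(((DERUnknownTag) outer).getData()));
            Object mechanism = inner.readObject();
            if (!(mechanism instanceof DERObjectIdentifier)) {
                throw new IOException("Malformed token has no mechanism OID");
            }
            if (KERBEROS_OID.equals(((DERObjectIdentifier) mechanism).getId())) {
                // Already a bare Kerberos token; JGSS consumes it as is.
                return bArr;
            }
            Object wrapped = inner.readObject();
            if (!(wrapped instanceof ASN1TaggedObject)) {
                throw new IOException("Malformed token has no tagged body after the mechanism OID");
            }
            Enumeration<?> fields = ASN1Sequence.getInstance((ASN1TaggedObject) wrapped, true).getObjects();
            while (fields.hasMoreElements()) {
                Object field = fields.nextElement();
                if (!(field instanceof ASN1TaggedObject)) {
                    throw new IOException("Malformed token contains an untagged element");
                }
                ASN1TaggedObject tagged = (ASN1TaggedObject) field;
                if (tagged.getTagNo() == 2) {
                    return ASN1OctetString.getInstance(tagged, true).getOctets();
                }
            }
            throw new IOException("Malformed token carries no element tagged [2]");
        } catch (RuntimeException e) {
            // The ASN.1 helpers signal bad structure with unchecked exceptions; report them
            // through the same channel as every other parse failure.
            throw new IOException("Malformed token could not be parsed", e);
        }
    }

    /**
     * Returns {@code true} when the decoded {@code Negotiate} payload starts with the NTLMSSP
     * signature. The caller must already have checked the header with {@link #isNegotiate}.
     */
    private boolean isNtlm(String str) {
        byte[] decoded = decodeNegotiatePayload(str);
        if (decoded.length < NTLMSSP_PREFIX.length) {
            return false;
        }
        for (int i = 0; i < NTLMSSP_PREFIX.length; i++) {
            if (decoded[i] != NTLMSSP_PREFIX[i]) {
                return false;
            }
        }
        return true;
    }

    /** Returns the outcome of the most recent {@link #negotiate} call, or {@code null} before the first call. */
    public SpNegoResult getResult() {
        return this.result;
    }

    /** Returns the exception recorded by the most recent {@link #negotiate} call, or {@code null} if none. */
    public Exception getException() {
        return this.exception;
    }

    /** Returns the client principal of an established context, or {@code null} when none was established. */
    public String getAuthorizedPrincipal() {
        return this.authorizedPrincipal;
    }
}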
