package org.ametys.plugins.core.impl.authentication;

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ametys.core.authentication.AbstractCredentialProvider;
import org.ametys.core.authentication.BlockingCredentialProvider;
import org.ametys.core.authentication.Credentials;
import org.ametys.core.datasource.ConnectionHelper;
import org.ametys.core.observation.Observer;
import org.ametys.runtime.authentication.AuthorizationRequiredException;
import org.apache.avalon.framework.context.Context;
import org.apache.avalon.framework.context.ContextException;
import org.apache.avalon.framework.context.Contextualizable;
import org.apache.cocoon.components.ContextHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.commons.codec.binary.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/ametys/plugins/core/impl/authentication/KerberosCredentialProvider.class */
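/**
 * Credential provider that authenticates HTTP requests with SPNEGO/Kerberos tokens carried in
 * the {@code Authorization: Negotiate} header.
 * <p>
 * At init time the service principal configured by {@link #__PARAM_LOGIN}/{@link #__PARAM_PASSWORD}
 * is logged in through JAAS (entry {@code "kerberos"} of {@code WEB-INF/param/login.conf}) and an
 * accept-only GSS credential is acquired from that subject. Each request is then validated against
 * this credential and the accepted client principal, minus its realm suffix, becomes the login.
 * <p>
 * The KDC and realm are published as JVM-wide {@code java.security.krb5.*} system properties, so a
 * single Kerberos configuration per JVM is assumed.
 */
public class KerberosCredentialProvider extends AbstractCredentialProvider implements BlockingCredentialProvider, Contextualizable {
    protected static final String __PARAM_KDC = "runtime.authentication.kerberos.kdc";
    protected static final String __PARAM_REALM = "runtime.authentication.kerberos.realm";
    protected static final String __PARAM_LOGIN = "runtime.authentication.kerberos.login";
    protected static final String __PARAM_PASSWORD = "runtime.authentication.kerberos.password";
    protected static final String __LOGIN_CONF_FILE = "login.conf";

    /** Scheme prefix expected in the Authorization header, trailing space included. */
    private static final String NEGOTIATE_PREFIX = "Negotiate ";
    /** OID of the SPNEGO pseudo-mechanism the acceptor credential is created for. */
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    private Context _context;
    /** Accept-only service credential obtained in {@link #init}; shared by every request. */
    private GSSCredential _gssCredential;

    /**
     * Stores the Avalon context, later used to reach the servlet environment, request and response.
     *
     * @param context the Avalon context
     * @throws ContextException never thrown here, kept for the interface contract
     */
    public void contextualize(Context context) throws ContextException {
        this._context = context;
    }

    /**
     * Configures the JVM Kerberos properties, logs the service principal in and acquires the
     * acceptor credential.
     *
     * @param str the provider id, forwarded to the superclass
     * @param map the provider parameters; {@link #__PARAM_KDC} and {@link #__PARAM_REALM} are mandatory
     * @throws NullPointerException if the KDC or realm parameter is missing
     * @throws RuntimeException if the JAAS login or the credential acquisition fails
     */
    @Override // org.ametys.core.authentication.AbstractCredentialProvider, org.ametys.core.authentication.CredentialProvider
    public void init(String str, Map<String, Object> map) {
        super.init(str, map);
        // System.setProperty rejects null values with a bare NPE; fail with the parameter name instead.
        String kdc = Objects.requireNonNull((String) map.get(__PARAM_KDC), __PARAM_KDC);
        String realm = Objects.requireNonNull((String) map.get(__PARAM_REALM), __PARAM_REALM);
        final String login = (String) map.get(__PARAM_LOGIN);
        final String password = (String) map.get(__PARAM_PASSWORD);
        try {
            System.setProperty("java.security.krb5.kdc", kdc);
            System.setProperty("java.security.krb5.realm", realm);
            org.apache.cocoon.environment.Context envContext = (org.apache.cocoon.environment.Context) this._context.get("environment-context");
            String loginConfPath = envContext.getRealPath("/WEB-INF/param/" + __LOGIN_CONF_FILE);
            if (loginConfPath == null) {
                // getRealPath returns null when the webapp is not expanded on disk.
                throw new IllegalStateException("Unable to resolve the real path of /WEB-INF/param/" + __LOGIN_CONF_FILE);
            }
            System.setProperty("java.security.auth.login.config", loginConfPath);
            LoginContext loginContext = new LoginContext("kerberos", new CallbackHandler() { // from class: org.ametys.plugins.core.impl.authentication.KerberosCredentialProvider.1
                @Override // javax.security.auth.callback.CallbackHandler
                public void handle(Callback[] callbacks) {
                    for (Callback callback : callbacks) {
                        if (callback instanceof NameCallback) {
                            ((NameCallback) callback).setName(login);
                        } else if (callback instanceof PasswordCallback) {
                            // PasswordCallback copies the array and accepts null, so a missing
                            // password surfaces as a LoginException rather than an NPE here.
                            ((PasswordCallback) callback).setPassword(password == null ? null : password.toCharArray());
                        } else {
                            throw new RuntimeException("Invalid callback received during KerberosCredentialProvider initialization");
                        }
                    }
                }
            });
            loginContext.login();
            final GSSManager manager = GSSManager.getInstance();
            this._gssCredential = Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<GSSCredential>() { // from class: org.ametys.plugins.core.impl.authentication.KerberosCredentialProvider.2
                @Override // java.security.PrivilegedExceptionAction
                public GSSCredential run() throws GSSException {
                    // Accept-only credential for SPNEGO. The lifetime argument is Observer.MIN_PRIORITY in the
                    // decompiled source; presumably GSSCredential.INDEFINITE_LIFETIME (Integer.MAX_VALUE) was
                    // intended — confirm both constants hold the same value before substituting it.
                    return manager.createCredential((GSSName) null, Observer.MIN_PRIORITY, new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
                }
            });
        } catch (PrivilegedActionException | LoginException | ContextException e) {
            throw new RuntimeException("Unable to initialize the KerberosCredentialProvider", e);
        }
    }

    /**
     * Credentials produced by this provider are already validated by the GSS exchange.
     *
     * @param redirector unused
     * @return always {@code true}
     */
    @Override // org.ametys.core.authentication.BlockingCredentialProvider
    public boolean validateBlocking(Redirector redirector) throws Exception {
        return true;
    }

    /**
     * This provider never accepts a request without a token of its own.
     *
     * @return always {@code false}
     */
    @Override // org.ametys.core.authentication.BlockingCredentialProvider
    public boolean acceptBlocking() {
        return false;
    }

    /**
     * Validates the SPNEGO token of the current request against the service credential.
     *
     * @param redirector unused
     * @return the credentials of the accepted client principal (realm stripped), or {@code null}
     *         when the request carries no {@code Negotiate} token or the accepted context has no
     *         source name
     * @throws AuthorizationRequiredException when the token was processed but the context is not
     *         established yet; carries the continuation token to send back to the client
     * @throws GSSException when the client token is malformed or rejected by the GSS layer
     */
    @Override // org.ametys.core.authentication.BlockingCredentialProvider
    public Credentials getCredentialsBlocking(Redirector redirector) throws Exception {
        String header = ContextHelper.getRequest(this._context).getHeader("Authorization");
        if (header == null || !header.startsWith(NEGOTIATE_PREFIX)) {
            // Not a SPNEGO attempt; the chain falls through to notAllowedBlocking, which challenges.
            return null;
        }
        // Client-supplied, untrusted bytes: decoding is lenient, the GSS layer does the actual validation.
        byte[] inToken = Base64.decodeBase64(header.substring(NEGOTIATE_PREFIX.length()));
        GSSContext gssContext = GSSManager.getInstance().createContext(this._gssCredential);
        try {
            byte[] outToken = gssContext.acceptSecContext(inToken, 0, inToken.length);
            String outTokenBase64 = outToken != null ? Base64.encodeBase64String(outToken) : null;
            if (!gssContext.isEstablished()) {
                // A new context is created on every request, so a negotiation needing several round
                // trips cannot complete here; only single-token exchanges are expected to succeed.
                throw new AuthorizationRequiredException(true, outTokenBase64);
            }
            if (outTokenBase64 != null) {
                // Final acceptor token lets the client verify the server side of the exchange.
                ContextHelper.getResponse(this._context).setHeader("WWW-Authenticate", NEGOTIATE_PREFIX + outTokenBase64);
            }
            GSSName srcName = gssContext.getSrcName();
            if (srcName == null) {
                return null;
            }
            return new Credentials(_stripRealm(srcName.toString()), ConnectionHelper.DATABASE_UNKNOWN);
        } finally {
            try {
                // Release the context whatever the outcome; the original code left it undisposed.
                gssContext.dispose();
            } catch (GSSException ignored) {
                // Best-effort cleanup: a dispose failure must not mask the result of the exchange above.
            }
        }
    }

    /**
     * Removes the realm suffix from a Kerberos principal name ({@code user@REALM} becomes {@code user}).
     * <p>
     * NOTE(review): the realm is dropped without being compared to {@link #__PARAM_REALM}, so under a
     * cross-realm trust {@code alice@OTHER.REALM} yields the same login as the local {@code alice}.
     * Keep this mapping only if the KDC does not trust foreign realms.
     *
     * @param principal the principal name as returned by {@link GSSName#toString()}
     * @return the name without its realm, or the name unchanged when it has no {@code @} after
     *         the first character
     */
    private static String _stripRealm(String principal) {
        int at = principal.indexOf('@');
        return at > 0 ? principal.substring(0, at) : principal;
    }

    /**
     * Challenges the client to start a SPNEGO exchange.
     *
     * @param redirector unused
     * @throws AuthorizationRequiredException always, with no token
     */
    @Override // org.ametys.core.authentication.BlockingCredentialProvider
    public void notAllowedBlocking(Redirector redirector) throws Exception {
        throw new AuthorizationRequiredException(true, null);
    }

    /**
     * Nothing to do once the request is allowed.
     *
     * @param redirector unused
     */
    @Override // org.ametys.core.authentication.BlockingCredentialProvider
    public void allowedBlocking(Redirector redirector) {
    }
}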
