package org.ametys.plugins.core.impl.authentication;

import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ametys.core.authentication.AbstractCredentialProvider;
import org.ametys.core.authentication.NonBlockingCredentialProvider;
import org.ametys.core.user.UserIdentity;
import org.ametys.runtime.util.AmetysHomeHelper;
import org.ametys.runtime.workspace.WorkspaceMatcher;
import org.apache.avalon.framework.context.Context;
import org.apache.avalon.framework.context.ContextException;
import org.apache.avalon.framework.context.Contextualizable;
import org.apache.cocoon.components.ContextHelper;
import org.apache.cocoon.environment.Redirector;
import org.apache.cocoon.environment.Request;
import org.apache.cocoon.environment.Response;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.StringUtils;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/ametys/plugins/core/impl/authentication/KerberosCredentialProvider.class */
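/**
 * Credential provider performing the acceptor side of an HTTP {@code Negotiate} (SPNEGO / Kerberos) handshake.
 * <p>
 * At {@link #init} time a JAAS login is done with the configured service login/password and an accept-only SPNEGO
 * credential is acquired under that subject. On each request the {@code Authorization: Negotiate} token is fed to a
 * fresh {@link GSSContext}; once the context is established the initiator principal, stripped of its realm, becomes
 * the user login.
 * <p>
 * Caveats a deployer should know:
 * <ul>
 * <li>{@link #createLoginContext} writes the KDC and realm into JVM-wide system properties, so they apply to every
 * Kerberos client running in this JVM.</li>
 * <li>The realm is dropped from the principal, so {@code alice@REALM1} and {@code alice@REALM2} both map to
 * {@code alice}.</li>
 * <li>The optional IP restriction is evaluated against {@code X-Forwarded-For} when present, which is only meaningful
 * behind a reverse proxy that strips or overwrites that header.</li>
 * </ul>
 */
public class KerberosCredentialProvider extends AbstractCredentialProvider implements NonBlockingCredentialProvider, Contextualizable {
    /** Configuration key: KDC host, copied into the {@code java.security.krb5.kdc} system property. */
    protected static final String __PARAM_KDC = "runtime.authentication.kerberos.kdc";
    /** Configuration key: Kerberos realm, copied into the {@code java.security.krb5.realm} system property. */
    protected static final String __PARAM_REALM = "runtime.authentication.kerberos.realm";
    /** Configuration key: principal name answered to the JAAS {@link NameCallback}. */
    protected static final String __PARAM_LOGIN = "runtime.authentication.kerberos.login";
    /** Configuration key: password answered to the JAAS {@link PasswordCallback}. */
    protected static final String __PARAM_PASSWORD = "runtime.authentication.kerberos.password";
    /** Configuration key: optional regexp the client IP must fully match for Kerberos to be attempted. */
    protected static final String __PARAM_IPRESTRICTION = "runtime.authentication.kerberos.ip-limitation-regexp";
    /** File name of the JAAS configuration generated in the Ametys temp dir when none is deployed. */
    protected static final String __LOGIN_CONF_FILE = "jaas.conf";
    /** Pipeline the request is diverted to while the handshake is incomplete or has been reset. */
    protected static final String __SKIP_KERBEROS_URL = "cocoon://plugins/core-impl/userpopulations/credentialproviders/kerberos";

    /** Scheme prefix (with its separating space) of an {@code Authorization} header carrying a SPNEGO token. */
    private static final String __NEGOTIATE_PREFIX = "Negotiate ";
    /** Base64 of "NTLMSSP": the start of an NTLM message, which some clients send under the Negotiate scheme. */
    private static final String __NTLM_TOKEN_PREFIX = "TlRMTVNT";
    /** SPNEGO mechanism OID. */
    private static final String __SPNEGO_OID = "1.3.6.1.5.5.2";
    /** Minimal acceptor-only JAAS entry written when no jaas.conf is deployed; the login entry is named "kerberos". */
    private static final String __DEFAULT_JAAS_CONF = "kerberos {\ncom.sun.security.auth.module.Krb5LoginModule required\nstoreKey=true\nisInitiator=false;\n};";

    private Context _context;
    /** Accept-only SPNEGO credential of the service, acquired once in {@link #init}. */
    private GSSCredential _gssCredential;
    /** Compiled IP filter, or {@code null} when the feature is not configured. */
    private Pattern _ipRestriction;

    @Override
    public void contextualize(Context context) throws ContextException {
        this._context = context;
    }

    /**
     * Performs the JAAS login of the Kerberos service principal.
     * <p>
     * Side effects: sets the {@code java.security.krb5.kdc} and {@code java.security.krb5.realm} system properties
     * unconditionally, and sets {@code java.security.auth.login.config} if it is not already defined, pointing it at
     * {@code WEB-INF/param/jaas.conf} when that file exists or at a generated default otherwise.
     *
     * @param kdc the KDC host
     * @param realm the Kerberos realm
     * @param login the service principal answered to the name callback
     * @param password the service password answered to the password callback
     * @param context the Avalon context, used to locate the webapp root
     * @return the logged-in context, whose subject carries the service credentials
     * @throws IOException if the default JAAS configuration cannot be written
     * @throws LoginException if the JAAS login fails
     * @throws ContextException if the environment context cannot be retrieved
     */
    public static LoginContext createLoginContext(String kdc, String realm, final String login, final String password, Context context) throws IOException, LoginException, ContextException {
        // Process-wide: every Kerberos client in this JVM will now use this KDC and realm.
        System.setProperty("java.security.krb5.kdc", kdc);
        System.setProperty("java.security.krb5.realm", realm);
        org.apache.cocoon.environment.Context envContext = (org.apache.cocoon.environment.Context) context.get("environment-context");
        if (System.getProperty("java.security.auth.login.config") == null) {
            String configPath = envContext.getRealPath("/WEB-INF/param/jaas.conf");
            // getRealPath() may return null (non-exploded deployment); treat that like a missing file.
            if (configPath == null || !new File(configPath).exists()) {
                configPath = AmetysHomeHelper.getAmetysHomeTmp() + File.separator + __LOGIN_CONF_FILE;
                FileUtils.write(new File(configPath), __DEFAULT_JAAS_CONF, StandardCharsets.UTF_8);
            }
            System.setProperty("java.security.auth.login.config", configPath);
        }
        LoginContext loginContext = new LoginContext("kerberos", new CallbackHandler() {
            @Override
            public void handle(Callback[] callbacks) {
                for (Callback callback : callbacks) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(login);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(password.toCharArray());
                    } else {
                        throw new RuntimeException("Invalid callback received during KerberosCredentialProvider initialization");
                    }
                }
            }
        });
        loginContext.login();
        return loginContext;
    }

    /**
     * Reads the provider configuration, logs the service principal in and acquires the accept-only SPNEGO credential.
     *
     * @throws RuntimeException wrapping any failure of the JAAS login or of the credential acquisition
     */
    @Override
    public void init(String str, String str2, Map<String, Object> map, String str3) {
        super.init(str, str2, map, str3);
        String ipRegexp = (String) map.get(__PARAM_IPRESTRICTION);
        this._ipRestriction = StringUtils.isNotBlank(ipRegexp) ? Pattern.compile(ipRegexp) : null;
        try {
            LoginContext loginContext = createLoginContext((String) map.get(__PARAM_KDC), (String) map.get(__PARAM_REALM), (String) map.get(__PARAM_LOGIN), (String) map.get(__PARAM_PASSWORD), this._context);
            final GSSManager manager = GSSManager.getInstance();
            // The credential must be created under the service subject so the Krb5 mechanism finds its keys.
            this._gssCredential = Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<GSSCredential>() {
                @Override
                public GSSCredential run() throws GSSException {
                    return manager.createCredential((GSSName) null, GSSCredential.INDEFINITE_LIFETIME, new Oid(__SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
                }
            });
        } catch (IOException | PrivilegedActionException | LoginException | ContextException e) {
            throw new RuntimeException("Unable to initialize the KerberosCredentialProvider", e);
        }
    }

    /** Always {@code true}: an authenticated session is never re-validated against Kerberos. */
    @Override
    public boolean nonBlockingIsStillConnected(UserIdentity userIdentity, Redirector redirector) throws Exception {
        return true;
    }

    /** Grants anonymous access only to the "skip" pipeline the handshake redirects to. */
    @Override
    public boolean nonBlockingGrantAnonymousRequest() {
        String inWorkspaceUrl = (String) ContextHelper.getRequest(this._context).getAttribute(WorkspaceMatcher.IN_WORKSPACE_URL);
        return "plugins/core-impl/userpopulations/credentialproviders/kerberos/skip".equals(inWorkspaceUrl);
    }

    /**
     * Runs one step of the SPNEGO handshake against the current request.
     * <p>
     * Returns the identified user once the GSS context is established. In every other case returns {@code null}
     * after, where appropriate, sending a {@code WWW-Authenticate: Negotiate} challenge and diverting the request to
     * {@link #__SKIP_KERBEROS_URL}: missing or non-Negotiate header, incomplete handshake, token rejected by the
     * mechanism, or established context without an initiator name. NTLM tokens are ignored without a challenge.
     *
     * @param redirector used to divert the request while the handshake is in progress
     * @return the user identity (login without realm, no population) or {@code null}
     * @throws Exception if the redirect fails
     */
    @Override
    public UserIdentity nonBlockingGetUserIdentity(Redirector redirector) throws Exception {
        Request request = ContextHelper.getRequest(this._context);
        Response response = ContextHelper.getResponse(this._context);
        if (!_isIPAuthorized(request)) {
            return null;
        }
        String authorization = request.getHeader("Authorization");
        // Auth scheme names are case-insensitive (RFC 7235); startsWithIgnoreCase also handles a null header.
        if (!StringUtils.startsWithIgnoreCase(authorization, __NEGOTIATE_PREFIX)) {
            _challenge(response, redirector, null);
            return null;
        }
        String encodedToken = authorization.substring(__NEGOTIATE_PREFIX.length());
        if (encodedToken.startsWith(__NTLM_TOKEN_PREFIX)) {
            getLogger().debug("A user tried an NTLM token. Let's ignore it.");
            return null;
        }
        getLogger().debug("Received token");
        byte[] token = Base64.decodeBase64(encodedToken);
        GSSContext gssContext = GSSManager.getInstance().createContext(this._gssCredential);
        try {
            byte[] answer;
            try {
                answer = gssContext.acceptSecContext(token, 0, token.length);
            } catch (GSSException e) {
                // The token is attacker-controlled input; a malformed one must reset the handshake, not fail the request.
                getLogger().warn("Kerberos token rejected, resetting negotiation with client", e);
                _challenge(response, redirector, null);
                return null;
            }
            String encodedAnswer = answer != null ? Base64.encodeBase64String(answer) : null;
            if (!gssContext.isEstablished()) {
                _challenge(response, redirector, encodedAnswer);
                getLogger().debug("Need additionnal token");
                return null;
            }
            if (encodedAnswer != null) {
                // Final leg of the handshake: the client expects the server's last token alongside the response.
                getLogger().debug("Sending answer token");
                response.setHeader("WWW-Authenticate", __NEGOTIATE_PREFIX + encodedAnswer);
            }
            GSSName initiator = gssContext.getSrcName();
            if (initiator == null) {
                getLogger().debug("Reseting communication with client");
                _challenge(response, redirector, null);
                return null;
            }
            // Realm is dropped: same short name in two realms collapses to one login.
            String userLogin = StringUtils.substringBefore(initiator.toString(), "@");
            getLogger().debug("User successfully identified '" + userLogin + "'");
            return new UserIdentity(userLogin, null);
        } finally {
            // A GSSContext holds mechanism-level state; release it whatever the outcome.
            _dispose(gssContext);
        }
    }

    /**
     * Sends a Negotiate challenge and diverts the request to the skip pipeline.
     *
     * @param answerToken base64 continuation token to append to the challenge, or {@code null} for a bare challenge
     */
    private void _challenge(Response response, Redirector redirector, String answerToken) throws Exception {
        response.setHeader("WWW-Authenticate", answerToken != null ? __NEGOTIATE_PREFIX + answerToken : "Negotiate");
        redirector.redirect(false, __SKIP_KERBEROS_URL);
    }

    /** Disposes a GSS context, logging rather than propagating a failure to do so. */
    private void _dispose(GSSContext gssContext) {
        try {
            gssContext.dispose();
        } catch (GSSException e) {
            getLogger().debug("Unable to dispose the GSS context", e);
        }
    }

    /**
     * Checks the client IP against the configured restriction, if any.
     * <p>
     * NOTE(review): when {@code X-Forwarded-For} is present its first entry is used. That header is client-supplied;
     * unless a trusted reverse proxy in front of this instance strips or overwrites it, any client can forge the
     * first entry and bypass the filter. The value is also logged as-is on rejection.
     *
     * @return {@code true} when no restriction is configured or the address fully matches the regexp
     */
    private boolean _isIPAuthorized(Request request) {
        if (this._ipRestriction == null) {
            getLogger().debug("There is no IP restriction for Kerberos");
            return true;
        }
        String forwardedFor = request.getHeader("X-Forwarded-For");
        // First entry of the chain is the claimed client; trim in case the proxy separates entries with ", ".
        String clientIp = forwardedFor != null ? forwardedFor.split(",")[0].trim() : request.getRemoteAddr();
        if (this._ipRestriction.matcher(clientIp).matches()) {
            return true;
        }
        getLogger().info("Ip '" + clientIp + "' was not authorized to use Kerberos authentication with filter " + this._ipRestriction.pattern());
        return false;
    }

    /** No-op: a refused user gets no specific Kerberos handling. */
    @Override
    public void nonBlockingUserNotAllowed(Redirector redirector) throws Exception {
    }

    /** No-op: nothing to record once the user is accepted. */
    @Override
    public void nonBlockingUserAllowed(UserIdentity userIdentity) {
    }
}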
