package com.huawei.es.security.auth.common;

import com.huawei.es.security.auth.server.transport.common.TransportConstant;
import com.huawei.es.security.author.tool.AuthorityConstants;
import com.huawei.es.security.author.tool.ShellBasedHWUnixGroupsMapping;
import com.huawei.solr.security.auth.common.AuthenticationException;
import com.huawei.solr.security.auth.server.AuthenticationToken;
import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.FullHttpResponse;
import io.netty.handler.codec.http.HttpResponseStatus;
import java.io.File;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.solr.common.util.PlatformName;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/huawei/es/security/auth/common/KerberosAuthenticationExecutor.class */
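/**
 * SPNEGO/Kerberos acceptor for the HTTP and transport authentication paths.
 *
 * <p>{@link #init} logs every principal found in the configured keytab into one shared
 * {@link Subject}; each {@code authenticate} call then runs a single GSS accept round under that
 * subject and returns an {@link AuthenticationToken} once the context is established, or
 * {@code null} (HTTP path) while the negotiation is still in progress.
 *
 * <p>Thread-safety: {@link #init} and {@link #destroy} mutate {@code loginContexts} without
 * synchronization and are presumably called once from a single thread — confirm against the caller.
 */
public class KerberosAuthenticationExecutor implements AuthenticationExcutor {
    private static final Logger LOG = LogManager.getLogger(KerberosAuthenticationExecutor.class);

    /** Type reported by {@link #getType()} unless another one is passed to the constructor. */
    public static final String TYPE = "kerberos";
    /** Settings key for the service principal; not read by {@link #init}, which logs in every keytab principal. */
    public static final String PRINCIPAL = "kerberos.principal";
    /** Settings key for the keytab path; mandatory. */
    public static final String KEYTAB = "kerberos.keytab";
    /** Settings key for auth_to_local rules; not read by {@link #init}, which applies the "DEFAULT" rule set. */
    public static final String NAME_RULES = "kerberos.name.rules";

    /** HTTP auth scheme expected in the Authorization header and advertised in the challenge. */
    private static final String NEGOTIATE = "Negotiate";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";

    private String type;
    private String keytab;
    private GSSManager gssManager;
    private Subject serverSubject;
    private List<LoginContext> loginContexts;

    /**
     * JAAS configuration for one keytab principal, built in memory so no jaas.conf file is needed.
     * The option set differs between the IBM and the standard Krb5LoginModule.
     */
    private static class KerberosConfiguration extends Configuration {
        private final String keytab;
        private final String principal;

        /**
         * @param keytab    keytab path as configured
         * @param principal principal to log in from that keytab
         */
        public KerberosConfiguration(String keytab, String principal) {
            this.keytab = keytab;
            this.principal = principal;
        }

        /**
         * Builds the single REQUIRED Krb5LoginModule entry for any application name.
         *
         * <p>Side effect: on IBM Java, when {@code KRB5CCNAME} is set in the environment it is also
         * copied into a system property of the same name so the IBM module picks the cache up.
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, String> options = new HashMap<String, String>();
            if (PlatformName.IBM_JAVA) {
                // IBM module wants a URL for the keytab and acts as acceptor only.
                options.put("useKeytab", this.keytab.startsWith("file://") ? this.keytab : "file://" + this.keytab);
                options.put("principal", this.principal);
                options.put("credsType", "acceptor");
            } else {
                options.put("keyTab", this.keytab);
                options.put("principal", this.principal);
                options.put("useKeyTab", "true");
                options.put("storeKey", "true");
                options.put("doNotPrompt", "true");
                options.put("useTicketCache", "true");
                options.put("renewTGT", "true");
                options.put("isInitiator", "false");
            }
            // Re-read krb5.conf on every login so KDC changes do not need a restart.
            options.put("refreshKrb5Config", "true");
            String ccache = System.getenv("KRB5CCNAME");
            if (ccache != null) {
                if (PlatformName.IBM_JAVA) {
                    options.put("useDefaultCcache", "true");
                    System.setProperty("KRB5CCNAME", ccache);
                    options.put("renewTGT", "true");
                    options.put("credsType", "both");
                } else {
                    options.put("ticketCache", ccache);
                }
            }
            if (KerberosAuthenticationExecutor.LOG.isDebugEnabled()) {
                // Krb5LoginModule debug output goes to stdout and includes principal names; only on at debug level.
                options.put("debug", "true");
            }
            return new AppConfigurationEntry[]{new AppConfigurationEntry(
                    org.apache.hadoop.security.authentication.util.KerberosUtil.getKrb5LoginModuleName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)};
        }
    }

    /** Creates an executor reporting {@link #TYPE}. */
    public KerberosAuthenticationExecutor() {
        this(TYPE);
    }

    /**
     * @param type value later returned by {@link #getType()} and stamped onto issued tokens
     */
    public KerberosAuthenticationExecutor(String type) {
        this.serverSubject = new Subject();
        this.loginContexts = new ArrayList<LoginContext>();
        this.type = type;
    }

    /**
     * Reads the keytab from {@code settings}, logs in every principal it contains and obtains a
     * {@link GSSManager} under the resulting subject.
     *
     * @throws Exception always an {@code InitHandlerException} wrapping the underlying failure
     *                   (missing/absent keytab, empty keytab, login failure)
     */
    @Override
    public void init(Settings settings) throws Exception {
        try {
            this.keytab = settings.get(KEYTAB, this.keytab);
            if (this.keytab == null || this.keytab.trim().isEmpty()) {
                throw new ConfigException("Keytab not defined in configuration");
            }
            if (!new File(this.keytab).exists()) {
                throw new ConfigException("Keytab does not exist: " + this.keytab);
            }
            // Every principal in the keytab gets its own login. The decompiled original compared
            // PATTERN_STAR with itself here, so its "single configured principal" branch was unreachable.
            String[] principals = org.apache.hadoop.security.authentication.util.KerberosUtil
                    .getPrincipalNames(this.keytab, Pattern.compile(".*"));
            if (principals.length == 0) {
                throw new ConfigException("Principals do not exist in the keytab");
            }
            // NAME_RULES is not consulted; the DEFAULT rule set maps principals of the local realm only.
            KerberosName.setRules("DEFAULT");
            for (String principal : principals) {
                loginPrincipal(principal);
            }
            this.gssManager = createGssManagerAs(this.serverSubject);
        } catch (Exception e) {
            throw new InitHandlerException("The handler could not be initialized.", e);
        }
    }

    /**
     * Logs {@code principal} in from the configured keytab into the shared server subject and keeps
     * the context so {@link #destroy()} can log it out again.
     *
     * @throws LoginException          if the login context cannot be created
     * @throws AuthenticationException if the login itself fails
     */
    private void loginPrincipal(String principal) throws LoginException, AuthenticationException {
        LoginContext loginContext = new LoginContext(AuthorityConstants.EMPYT_STRING, this.serverSubject,
                (CallbackHandler) null, new KerberosConfiguration(this.keytab, principal));
        try {
            loginContext.login();
        } catch (LoginException e) {
            LOG.warn("Failed to login", e);
            throw new AuthenticationException(e);
        }
        this.loginContexts.add(loginContext);
    }

    /**
     * Obtains the default {@link GSSManager} while running as {@code subject}.
     *
     * @throws Exception the exception thrown inside the privileged action, unwrapped
     */
    private static GSSManager createGssManagerAs(Subject subject) throws Exception {
        try {
            return Subject.doAs(subject, new PrivilegedExceptionAction<GSSManager>() {
                @Override
                public GSSManager run() {
                    return GSSManager.getInstance();
                }
            });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    /**
     * Logs out every login context created by {@link #init} and drops the keytab path and subject.
     * Logout failures are logged and do not stop the remaining logouts.
     */
    @Override
    public void destroy() {
        this.keytab = null;
        this.serverSubject = null;
        for (LoginContext loginContext : this.loginContexts) {
            try {
                loginContext.logout();
            } catch (LoginException e) {
                LOG.warn("kerberos context logout failed", e);
            }
        }
        this.loginContexts.clear();
    }

    /** @return the type given at construction (default {@link #TYPE}) */
    @Override
    public String getType() {
        return this.type;
    }

    /**
     * HTTP path. Without a {@code Negotiate} Authorization header the response is turned into a
     * 401 challenge and {@code null} is returned; otherwise one SPNEGO round is run.
     *
     * <p>NOTE(review): the acceptor name is {@code HTTP@<server name>} with the server name taken
     * from {@code HttpHelper.getServerName(request)}, which is opaque here. If that value comes from
     * a client-supplied header, it should be constrained to the principals loaded at init — confirm.
     *
     * @return the established token, or {@code null} while the negotiation is in progress or no
     *         Negotiate header was sent
     * @throws IOException             if the privileged action failed with an IOException
     * @throws AuthenticationException for any other failure inside the GSS round
     */
    @Override
    public AuthenticationToken authenticate(FullHttpRequest fullHttpRequest, FullHttpResponse fullHttpResponse)
            throws IOException, AuthenticationException {
        String authorization = fullHttpRequest.headers().get(AUTHORIZATION_HEADER);
        if (!hasNegotiateScheme(authorization)) {
            fullHttpResponse.headers().set(WWW_AUTHENTICATE_HEADER, NEGOTIATE);
            fullHttpResponse.setStatus(HttpResponseStatus.UNAUTHORIZED);
            logMissingOrWrongScheme(authorization);
            return null;
        }
        try {
            return getAuthenticationToken(fullHttpResponse, authorization, HttpHelper.getServerName(fullHttpRequest));
        } catch (PrivilegedActionException e) {
            return throwException(e);
        }
    }

    /**
     * @return whether {@code authorization} is non-null and starts with the Negotiate scheme
     *         (case-sensitive, as in the original)
     */
    private static boolean hasNegotiateScheme(String authorization) {
        return authorization != null && authorization.startsWith(NEGOTIATE);
    }

    /** A missing header is a normal first round; any other scheme is logged as a warning. */
    private static void logMissingOrWrongScheme(String authorization) {
        if (authorization == null) {
            LOG.debug("SPNEGO starting");
        } else {
            LOG.warn("The authorization does not start with the right flag.");
        }
    }

    /**
     * Decodes the client token from the {@code Negotiate} header value and runs one GSS accept
     * round under the server subject.
     *
     * @param fullHttpResponse response to update with status and challenge; may be {@code null}
     *                         on the transport paths
     * @param authorization    header value, must start with {@code Negotiate}
     * @param serverName       host part of the acceptor name {@code HTTP@serverName}
     * @throws PrivilegedActionException wrapping whatever the GSS round threw
     */
    private AuthenticationToken getAuthenticationToken(final FullHttpResponse fullHttpResponse, String authorization,
            final String serverName) throws PrivilegedActionException {
        String encodedToken = authorization.substring(NEGOTIATE.length()).trim();
        final Base64 base64 = new Base64(0);
        final byte[] clientToken = base64.decode(encodedToken);
        return Subject.doAs(this.serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {
            @Override
            public AuthenticationToken run() throws Exception {
                return acceptSecurityContext(fullHttpResponse, serverName, base64, clientToken);
            }
        });
    }

    /**
     * One SPNEGO accept round; must run under the server subject so the acceptor credential is found.
     *
     * <p>The GSS context is disposed on every exit path. The original only disposed it after a
     * successful round and passed {@code null} to {@code disposeGssContext} in its catch block,
     * so a failing {@code acceptSecContext} leaked the context.
     *
     * @return the token when the context became established, otherwise {@code null}
     */
    private AuthenticationToken acceptSecurityContext(FullHttpResponse fullHttpResponse, String serverName,
            Base64 base64, byte[] clientToken) throws Exception {
        GSSContext context = null;
        try {
            GSSName serviceName = this.gssManager.createName("HTTP@" + serverName, GSSName.NT_HOSTBASED_SERVICE);
            Oid spnegoOid = org.apache.hadoop.security.authentication.util.KerberosUtil.getOidInstance("GSS_SPNEGO_MECH_OID");
            // Null credential: the acceptor credential is looked up from the current (server) subject.
            context = this.gssManager.createContext(serviceName.canonicalize(spnegoOid), spnegoOid,
                    (GSSCredential) null, GSSContext.DEFAULT_LIFETIME);
            byte[] serverToken = context.acceptSecContext(clientToken, 0, clientToken.length);
            if (serverToken != null && serverToken.length > 0) {
                setAuthenticateToResponseHeaders(fullHttpResponse, base64.encodeToString(serverToken));
            }
            if (!context.isEstablished()) {
                setUnauthorizedStatusToResponse(fullHttpResponse);
                LOG.debug("SPNEGO in progress");
                return null;
            }
            String clientPrincipal = context.getSrcName().toString();
            String shortName = ShellBasedHWUnixGroupsMapping.getShortName(new KerberosName(clientPrincipal).getShortName());
            AuthenticationToken token = new AuthenticationToken(shortName, clientPrincipal, getType());
            setOkStatusToResponse(fullHttpResponse);
            LOG.debug("SPNEGO completed for principal.");
            return token;
        } finally {
            disposeGssContext(context);
        }
    }

    /** Disposes {@code gssContext} if non-null; a dispose failure is only logged. */
    public void disposeGssContext(GSSContext gssContext) {
        if (gssContext == null) {
            return;
        }
        try {
            gssContext.dispose();
        } catch (GSSException e) {
            LOG.warn("failed to dispose gss context.", e);
        }
    }

    /** Sets 200 on {@code fullHttpResponse}; no-op when it is {@code null} (transport paths). */
    public void setOkStatusToResponse(FullHttpResponse fullHttpResponse) {
        if (fullHttpResponse != null) {
            fullHttpResponse.setStatus(HttpResponseStatus.OK);
        }
    }

    /** Sets 401 on {@code fullHttpResponse}; no-op when it is {@code null} (transport paths). */
    public void setUnauthorizedStatusToResponse(FullHttpResponse fullHttpResponse) {
        if (fullHttpResponse != null) {
            fullHttpResponse.setStatus(HttpResponseStatus.UNAUTHORIZED);
        }
    }

    /**
     * Returns the server's GSS token to the client as {@code WWW-Authenticate: Negotiate <token>};
     * no-op when {@code fullHttpResponse} is {@code null}.
     *
     * @param encodedToken base64-encoded server token
     */
    public void setAuthenticateToResponseHeaders(FullHttpResponse fullHttpResponse, String encodedToken) {
        if (fullHttpResponse != null) {
            fullHttpResponse.headers().set(WWW_AUTHENTICATE_HEADER, NEGOTIATE + " " + encodedToken);
        }
    }

    /**
     * Transport path using the custom authorization header from {@code threadContext}. Unlike the
     * HTTP path there is no response to challenge, so a missing or wrong scheme is an error.
     *
     * @throws AuthenticationException when the header is absent, uses another scheme, or the GSS
     *                                 round fails for a non-I/O reason
     * @throws IOException             if the GSS round failed with an IOException
     */
    @Override
    public AuthenticationToken authenticate(ThreadContext threadContext) throws IOException, AuthenticationException {
        String header = threadContext.getHeader(TransportConstant.CUSTOMISED_AUTHORIZATION);
        if (!hasNegotiateScheme(header)) {
            dealWithWrongAuthorization(threadContext, header);
            throw new AuthenticationException("Invalid client Authentication");
        }
        try {
            return getAuthenticationToken(null, header, HttpHelper.getServerName());
        } catch (PrivilegedActionException e) {
            LOG.debug("catch exception : " + e.getCause());
            return throwException(e);
        }
    }

    /**
     * Authenticates a bare {@code Negotiate ...} header value with no request or response context.
     *
     * @throws AuthenticationException when the value is absent, uses another scheme, or the GSS
     *                                 round fails for a non-I/O reason
     * @throws IOException             if the GSS round failed with an IOException
     */
    @Override
    public AuthenticationToken authenticate(String authorization) throws IOException, AuthenticationException {
        if (!hasNegotiateScheme(authorization)) {
            throw new AuthenticationException("Invalid client Authentication");
        }
        try {
            return getAuthenticationToken(null, authorization, HttpHelper.getServerName());
        } catch (PrivilegedActionException e) {
            LOG.warn("catch exception : " + e.getCause());
            return throwException(e);
        }
    }

    /**
     * Unwraps a {@link PrivilegedActionException}: IOExceptions are rethrown as-is, everything else
     * becomes an {@link AuthenticationException} with the original as cause. Never returns; the
     * return type only lets callers write {@code return throwException(e)}.
     */
    private AuthenticationToken throwException(PrivilegedActionException privilegedActionException)
            throws IOException, AuthenticationException {
        Exception cause = privilegedActionException.getException();
        if (cause instanceof IOException) {
            throw (IOException) cause;
        }
        throw new AuthenticationException(cause);
    }

    /**
     * Transport-side counterpart of the HTTP 401 challenge: advertises {@code Negotiate} through the
     * custom cookie header and logs why the header was rejected.
     */
    private void dealWithWrongAuthorization(ThreadContext threadContext, String authorization) {
        threadContext.putHeader(TransportConstant.CUSTOMISED_COOKIE, NEGOTIATE);
        logMissingOrWrongScheme(authorization);
    }
}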
