package org.apache.dubbo.mw.sgp.security.kerb5;

import java.security.PrivilegedActionException;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Response;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
import org.apache.cxf.jaxrs.security.KerberosAuthenticationFilter;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.dubbo.common.logger.Logger;
import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.mw.sgp.protocol.restful.RESTfulConstants;
import org.apache.dubbo.mw.sgp.security.authority.AuthorityCheck;
import org.apache.dubbo.mw.sgp.security.authority.AuthorityCheckException;
import org.apache.dubbo.mw.sgp.security.authority.AuthorityCheckHelper;
import org.apache.dubbo.mw.sgp.security.kerb5.KerberosConfiguration;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/apache/dubbo/mw/sgp/security/kerb5/Kerb5AuthProviderInFilter.class */
public class Kerb5AuthProviderInFilter extends KerberosAuthenticationFilter {
    private static final Logger LOGGER = LoggerFactory.getLogger(Kerb5AuthProviderInFilter.class);
    private static final String NEGOTIATE_SCHEME = "Negotiate";
    private static final int AUTHORIZATION_SECTION_NUM = 2;
    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
    private Configuration loginConfig;
    private CallbackHandler callbackHandler;
    private Subject serviceSubject;
    String principalName = null;
    String keytabFile = null;
    String krb5confPath = null;
    private String loginContextName = "";
    private ConcurrentMap<String, Date> authValueCache = new ConcurrentHashMap();

    private static Response getFaultResponse() {
        return JAXRSUtils.toResponseBuilder(401).header("WWW-Authenticate", NEGOTIATE_SCHEME).build();
    }

    public void sweep(Date date) {
        LOGGER.info("start clean old cache in Kerb5AuthProviderInFilter.consumerAuthValueCache, start.size:" + this.authValueCache.size());
        for (Map.Entry<String, Date> entry : this.authValueCache.entrySet()) {
            Date value = entry.getValue();
            if (value == null) {
                this.authValueCache.remove(entry.getKey());
            } else if (value.before(date)) {
                LOGGER.info("try to remove key[" + Kerb5AuthHelper.getHash(entry.getKey()) + "] ,value[" + entry.getValue() + "]");
                if (!this.authValueCache.remove(entry.getKey(), entry.getValue())) {
                    LOGGER.info("before remove key[" + Kerb5AuthHelper.getHash(entry.getKey()) + "] ,value[" + entry.getValue() + "], the value have change.");
                }
            }
        }
        LOGGER.info("end clean old cache in Kerb5AuthProviderInFilter.consumerAuthValueCache, end.size:" + this.authValueCache.size());
    }

    public void filter(ContainerRequestContext containerRequestContext) {
        Message currentMessage = JAXRSUtils.getCurrentMessage();
        if (Objects.equals(((HttpServletRequest) currentMessage.get("HTTP.REQUEST")).getAttribute("blu-authenticated"), true)) {
            return;
        }
        HttpHeadersImpl httpHeadersImpl = new HttpHeadersImpl(currentMessage);
        String userName = getUserName(httpHeadersImpl);
        String serviceName = getServiceName(currentMessage);
        if (!isRequestFromSDK(currentMessage)) {
            CheckAuthority(userName, serviceName);
            return;
        }
        String headerString = httpHeadersImpl.getHeaderString("Authorization");
        if (StringUtils.isEmpty(headerString)) {
            LOGGER.error("the value of 'Authorization' in the header is empty!");
            throw ExceptionUtils.toNotAuthorizedException((Throwable) null, getFaultResponse());
        }
        if (!this.authValueCache.containsKey(headerString)) {
            synchronized (this) {
                if (!this.authValueCache.containsKey(headerString)) {
                    checkPermissions(currentMessage);
                    this.authValueCache.put(headerString, new Date());
                    LOGGER.info("authHead[" + Kerb5AuthHelper.getHash(headerString) + "] be cache");
                }
            }
        }
        CheckAuthority(userName, serviceName);
    }

    private void checkPermissions(Message message) {
        if (this.serviceSubject == null) {
            this.serviceSubject = loginAndGetSubject();
        }
        HttpHeadersImpl httpHeadersImpl = new HttpHeadersImpl(message);
        byte[] parseServiceTicket = parseServiceTicket(httpHeadersImpl.getHeaderString("Authorization"));
        try {
            GSSManager gSSManager = GSSManager.getInstance();
            GSSContext createContext = gSSManager.createContext(gSSManager.createName(getCompleteServicePrincipalName(), (Oid) null).canonicalize(new Oid(KERBEROS_OID)), new Oid(KERBEROS_OID), (GSSCredential) null, 0);
            Subject.doAs(this.serviceSubject, new ValidateServiceTicketAction(createContext, parseServiceTicket));
            GSSName srcName = createContext.getSrcName();
            if (srcName == null) {
                throw ExceptionUtils.toNotAuthorizedException((Throwable) null, getFaultResponse());
            }
            String gSSName = srcName.toString();
            String headerString = httpHeadersImpl.getHeaderString(RESTfulConstants.SYSTEM_PARAMETER_KEY);
            if (headerString == null || headerString.isEmpty() || headerString.equalsIgnoreCase(gSSName)) {
                return;
            }
            LOGGER.warn("consumer name:[" + headerString + "], consumer name from provider:[" + gSSName + "]");
        } catch (PrivilegedActionException e) {
            LOGGER.warn("PrivilegedActionException: " + e.getMessage());
            throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
        } catch (GSSException e2) {
            LOGGER.warn("GSS API exception: " + e2.getMessage());
            throw ExceptionUtils.toNotAuthorizedException(e2, getFaultResponse());
        }
    }

    protected Subject loginAndGetSubject() {
        try {
            if (StringUtils.isEmpty(this.loginContextName) && this.loginConfig == null) {
                LOGGER.error("LoginContext can not be initialized");
                throw new LoginException();
            }
            this.callbackHandler = new NameOrKeytabErrorCallback(this.loginConfig);
            AppConfigurationEntry[] appConfigurationEntry = this.loginConfig.getAppConfigurationEntry(RESTfulConstants.JAAS_KERB5_PROVIDER_ENTRYNAME);
            if (appConfigurationEntry != null && appConfigurationEntry.length == 1) {
                Map options = appConfigurationEntry[0].getOptions();
                this.principalName = (String) options.get(RESTfulConstants.JAAS_KERB5_PRINCIPAL_KEY);
                this.keytabFile = (String) options.get(RESTfulConstants.JAAS_KERB5_KEYTABPATH_KEY);
                this.krb5confPath = (String) options.get(RESTfulConstants.JAAS_KERB5_CONFPATH_KEY);
            }
            LoginContext loginContext = new LoginContext(this.loginContextName, (Subject) null, this.callbackHandler, new KerberosConfiguration(this.krb5confPath, this.keytabFile, this.principalName, "", new KerberosConfiguration.ExtraArgs(false, true, true, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, false, false)));
            loginContext.login();
            return loginContext.getSubject();
        } catch (LoginException e) {
            LOGGER.error("Unsuccessful JAAS login for the service principal: " + e.getMessage());
            throw ExceptionUtils.toNotAuthorizedException(e, getFaultResponse());
        }
    }

    private static byte[] parseServiceTicket(String str) {
        return getServiceTicket(parseAuthValue(str));
    }

    public static String parseAuthValue(String str) {
        String[] split = split(str, " ");
        if (split.length == 2 && NEGOTIATE_SCHEME.equalsIgnoreCase(split[0])) {
            return split[1];
        }
        LOGGER.warn("Negotiate Authorization scheme is expected. but authHead is " + str);
        throw ExceptionUtils.toNotAuthorizedException((Throwable) null, getFaultResponse());
    }

    private static String[] split(String str, String str2) {
        return str == null ? new String[0] : str.split(str2);
    }

    private static byte[] getServiceTicket(String str) {
        try {
            return Base64Utility.decode(str);
        } catch (Base64Exception e) {
            LOGGER.warn(e);
            throw ExceptionUtils.toNotAuthorizedException((Throwable) null, getFaultResponse());
        }
    }

    public void setLoginContextName(String str) {
        this.loginContextName = str;
    }

    public void setLoginConfig(Configuration configuration) {
        this.loginConfig = configuration;
    }

    public void setCallbackHandler(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
    }

    public ConcurrentMap<String, Date> getAuthValueCache() {
        return this.authValueCache;
    }

    public void cleanAuthValueCache() {
        if (this.authValueCache != null) {
            this.authValueCache.clear();
        }
    }

    private boolean isRequestFromSDK(Message message) {
        return "true".equals(new HttpHeadersImpl(message).getHeaderString(RESTfulConstants.SDK_CLIENT_KEY));
    }

    private Response CheckAuthority(String str, String str2) {
        boolean z = false;
        String str3 = "";
        try {
            z = AuthorityCheck.getInstence().isAuthorized(str, str2, false);
            if (!z) {
                z = AuthorityCheck.getInstence().isAuthorized(str, str2, true);
                if (!z) {
                    str3 = "user [" + str + "] is not authorized to use service:[" + str2 + "]";
                }
            }
        } catch (AuthorityCheckException e) {
            str3 = e.getDesc();
        }
        if (z) {
            return null;
        }
        LOGGER.error(str3);
        throw ExceptionUtils.toNotAuthorizedException((Throwable) null, getFaultResponse());
    }

    private final String getUserName(HttpHeadersImpl httpHeadersImpl) {
        return httpHeadersImpl.getHeaderString(RESTfulConstants.AUTH_USERNAME);
    }

    private final String getServiceName(Message message) {
        return AuthorityCheckHelper.getServiceName((String) message.get(Message.BASE_PATH));
    }
}
