package org.apache.dubbo.mw.sgp.security.kerb5;

import java.net.URI;
import java.net.URISyntaxException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicLong;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.jaxrs.security.KerberosAuthOutInterceptor;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.dubbo.common.logger.Logger;
import org.apache.dubbo.common.logger.LoggerFactory;
import org.apache.dubbo.mw.sgp.protocol.restful.RESTfulConstants;
import org.apache.dubbo.rpc.RpcException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/apache/dubbo/mw/sgp/security/kerb5/Kerb5AuthConsumerOutInterceptor.class */
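/**
 * Consumer-side CXF out interceptor that attaches a Kerberos {@code Authorization: Negotiate <token>}
 * header (plus the configured user name header) to outgoing RESTful requests.
 *
 * <p>A JAAS login is performed once and reused until the ticket end time reported by
 * {@code Kerb5AuthHelper.getEndTime} has passed; the produced header values are kept in
 * {@link #authValueCache}, keyed by {@code host:port + path-prefix}, and the cache is reset
 * whenever a re-login becomes necessary.
 *
 * <p>Thread-safety: the JAAS login state ({@link #lc}, {@link #loginEndTime}) and the
 * cache reset are guarded by {@code synchronized (this)}; the cache itself is a
 * {@link ConcurrentMap} that is also handed to the message exchange and to callers of
 * {@link #getAuthValueCache()}, so it is mutable from outside this class.
 *
 * <p>The cached header value is a bearer credential: it must not be logged, and reusing one
 * token for several requests relies on the provider tolerating that reuse — confirm against
 * the provider-side replay handling.
 */
public class Kerb5AuthConsumerOutInterceptor extends KerberosAuthOutInterceptor {
    private static final Logger LOGGER = LoggerFactory.getLogger(Kerb5AuthConsumerOutInterceptor.class);
    /** Contextual message property; when true the GSS context is requested with lifetime 0 instead of indefinite. */
    private static final String PROPERTY_USE_KERBEROS_OID = "auth.spnego.useKerberosOid";
    /** Kerberos V5 mechanism OID used for every context created here. */
    private static final String KERBEROS_OID = "1.2.840.113554.1.2.2";
    /** SPNEGO mechanism OID; declared for completeness, not referenced by this class. */
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    /** Authorization scheme this interceptor handles; any other policy type yields no header value. */
    private static final String NEGOTIATE = "Negotiate";

    /** JAAS configuration used for the consumer login; may be null, in which case the JVM default applies. */
    private Configuration loginConfig;
    /** Kept for configuration symmetry; nothing in this class reads it. */
    private String krb5confPath;
    /** Value sent in the {@code RESTfulConstants.AUTH_USERNAME} header. */
    private String authUserName;
    /** Login context of the current JAAS session; replaced on re-login. Guarded by {@code this}. */
    private LoginContext lc;
    /** End time (epoch millis) of the current login, 0 when no valid login exists. */
    private final AtomicLong loginEndTime = new AtomicLong();
    /** Not read by this class; left package-private for compatibility. */
    CallbackHandler saslClientCallbackHandler = null;
    /** cache key (see {@link #getCacheUrlKey(URI)}) -> full Authorization header value. */
    private final ConcurrentMap<String, String> authValueCache = new ConcurrentHashMap<>();

    /** Runs {@code initSecContext} with the given initial token as the logged-in Subject. */
    private static final class CreateServiceTicketAction implements PrivilegedExceptionAction<byte[]> {
        private final GSSContext context;
        private final byte[] token;

        private CreateServiceTicketAction(GSSContext context, byte[] token) {
            this.context = context;
            this.token = token;
        }

        @Override
        public byte[] run() throws GSSException {
            return this.context.initSecContext(this.token, 0, this.token.length);
        }
    }

    public Kerb5AuthConsumerOutInterceptor() {
        super();
    }

    /**
     * @param phase interceptor phase, passed through to {@link KerberosAuthOutInterceptor}
     */
    public Kerb5AuthConsumerOutInterceptor(String phase) {
        super(phase);
    }

    /**
     * Adds the {@code Authorization} and user-name headers to the outgoing message.
     *
     * <p>The cache key and the cache map are stored on the exchange so that later processing
     * (presumably the matching in-interceptor — confirm) can record or evict the value.
     *
     * @throws RpcException if the endpoint address is not a valid URI or the token cannot be obtained
     * @throws IllegalStateException if the endpoint path lacks {@code RESTfulConstants.URLPATTERNS_PREFIX}
     */
    @Override
    public void handleMessage(Message message) {
        checkExpiredLogin();
        URI currentURI = getCurrentURI(message);
        String cacheUrlKey = getCacheUrlKey(currentURI);
        Exchange exchange = message.getExchange();
        exchange.put(RESTfulConstants.CONSUMER_AUTHVALUE_CACHEKEY, cacheUrlKey);
        exchange.put(RESTfulConstants.CONSUMER_AUTHVALUE_CACHEMAP, this.authValueCache);
        String authValue = this.authValueCache.get(cacheUrlKey);
        if (authValue == null) {
            // Double-checked under the monitor that also guards the JAAS login, so concurrent
            // first requests to one provider do not each trigger a login / ticket request.
            synchronized (this) {
                authValue = this.authValueCache.get(cacheUrlKey);
                if (authValue == null) {
                    authValue = getAuthorization(getPolicy(), currentURI, message);
                    // Deliberately not written to authValueCache here; the fresh value is only
                    // exposed on the exchange.
                    exchange.put(RESTfulConstants.CONSUMER_AUTHVALUE_CACHEVALUE, authValue);
                }
            }
        }
        Map<String, List<String>> headers = CastUtils.cast((Map<?, ?>) message.get(Message.PROTOCOL_HEADERS));
        if (headers == null) {
            headers = new HashMap<>();
            message.put(Message.PROTOCOL_HEADERS, headers);
        }
        headers.put("Authorization", Collections.singletonList(authValue));
        headers.put(RESTfulConstants.AUTH_USERNAME, Collections.singletonList(this.authUserName));
    }

    /**
     * Resets the login state and clears the header cache once the current login has expired.
     * Cheap unsynchronized check first; the reset itself is done under the monitor.
     */
    private void checkExpiredLogin() {
        long endTime = this.loginEndTime.get();
        if (endTime != 0 && endTime > System.currentTimeMillis()) {
            return; // login still valid, no lock needed
        }
        synchronized (this) {
            long checkedEndTime = this.loginEndTime.get();
            if (checkedEndTime != 0) {
                if (checkedEndTime > System.currentTimeMillis()) {
                    return; // another thread already re-logged in
                }
                this.loginEndTime.set(0L); // forces a fresh JAAS login on the next getToken call
            }
            LOGGER.info("Need re login, last end time:" + new Date(checkedEndTime) + ", last authValueCache.size:" + this.authValueCache.size());
            if (!this.authValueCache.isEmpty()) {
                this.authValueCache.clear();
            }
        }
    }

    /**
     * @return the message's endpoint address as a URI
     * @throws RpcException if the address is missing or not a valid URI
     */
    private URI getCurrentURI(Message message) {
        String address = (String) message.get(Message.ENDPOINT_ADDRESS);
        if (address == null) {
            throw new RpcException("message has no " + Message.ENDPOINT_ADDRESS);
        }
        try {
            return new URI(address);
        } catch (URISyntaxException e) {
            throw new RpcException(e);
        }
    }

    /**
     * Builds the full {@code Negotiate <base64 token>} header value for the given endpoint.
     *
     * @param authorizationPolicy policy whose type must be {@code Negotiate}; its user name /
     *                            authorization (JAAS entry name) decide whether a login is done
     * @param uri                 endpoint the service principal name is derived from
     * @param message             current message (supplies an optional GSSCredential and properties)
     * @return the header value, or null when the policy type is not {@code Negotiate}
     * @throws RpcException wrapping any {@link LoginException} or {@link GSSException}
     */
    @Override
    public String getAuthorization(AuthorizationPolicy authorizationPolicy, URI uri, Message message) {
        Objects.requireNonNull(authorizationPolicy, "authorizationPolicy");
        if (!NEGOTIATE.equals(authorizationPolicy.getAuthorizationType())) {
            return null;
        }
        try {
            byte[] token = getToken(authorizationPolicy, getCompleteServicePrincipalName(uri), new Oid(KERBEROS_OID), message);
            return NEGOTIATE + " " + Base64Utility.encode(token);
        } catch (LoginException | GSSException e) {
            throw new RpcException(e.getMessage(), e);
        }
    }

    /**
     * Creates the GSS context for the service principal and obtains the initial token.
     *
     * @param authorizationPolicy policy used for the JAAS login when no GSSCredential is on the message
     * @param servicePrincipalName target service principal, e.g. {@code HTTP/host@REALM}
     * @param mechOid              mechanism OID (Kerberos V5 here)
     * @param message              current message
     */
    private byte[] getToken(AuthorizationPolicy authorizationPolicy, String servicePrincipalName, Oid mechOid, Message message) throws GSSException, LoginException {
        GSSManager manager = GSSManager.getInstance();
        GSSName serviceName = manager.createName(servicePrincipalName, (Oid) null);
        GSSCredential credential = (GSSCredential) message.getContextualProperty(GSSCredential.class.getName());
        // Context lifetime requested from the mechanism: indefinite unless the property opts out.
        int lifetime = MessageUtils.isTrue(message.getContextualProperty(PROPERTY_USE_KERBEROS_OID))
                ? 0
                : GSSContext.INDEFINITE_LIFETIME;
        GSSContext context = manager.createContext(serviceName.canonicalize(mechOid), mechOid, credential, lifetime);
        context.requestCredDeleg(isCredDelegationRequired(message));
        // An explicitly supplied GSSCredential makes the JAAS login unnecessary, so the policy is withheld.
        return getToken(credential == null ? authorizationPolicy : null, context);
    }

    /**
     * Initialises the security context, logging in via JAAS first when the policy asks for it.
     *
     * @param authorizationPolicy null to initialise the context directly; otherwise its
     *                            authorization string is used as the JAAS entry name
     * @param gssContext          context to initialise
     * @return the initial token
     * @throws GSSException   if context initialisation fails
     * @throws LoginException if the JAAS login fails
     * @throws RpcException   if the privileged action fails for a reason other than a GSSException
     */
    private byte[] getToken(AuthorizationPolicy authorizationPolicy, GSSContext gssContext) throws GSSException, LoginException {
        byte[] emptyToken = new byte[0];
        if (authorizationPolicy == null) {
            return gssContext.initSecContext(emptyToken, 0, emptyToken.length);
        }
        String authorization = authorizationPolicy.getAuthorization();
        if (authorization == null) {
            authorization = "";
        }
        if (StringUtils.isEmpty(authorizationPolicy.getUserName()) && StringUtils.isEmpty(authorization) && this.loginConfig == null) {
            return gssContext.initSecContext(emptyToken, 0, emptyToken.length);
        }
        ensureLoggedIn(authorization);
        try {
            return Subject.doAs(this.lc.getSubject(),
                    new CreateServiceTicketAction(Kerb5AuthHelper.tryToGetTestGSSContext(gssContext), emptyToken));
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof GSSException) {
                throw (GSSException) cause;
            }
            LOGGER.error("initSecContext", e);
            // Returning null here would only surface later as a NullPointerException in Base64 encoding.
            throw new RpcException("initSecContext failed: " + cause, cause);
        }
    }

    /**
     * Performs the JAAS login when no valid login exists ({@link #loginEndTime} is 0) and records
     * the new end time. Intended to run under the monitor of {@code this} (handleMessage does so).
     *
     * @param jaasEntryName name of the entry in {@link #loginConfig} to log in with
     */
    private void ensureLoggedIn(String jaasEntryName) throws LoginException {
        if (this.loginEndTime.longValue() != 0) {
            return;
        }
        NameOrKeytabErrorCallback callback = new NameOrKeytabErrorCallback(this.loginConfig);
        this.lc = new LoginContext(jaasEntryName, (Subject) null, callback, this.loginConfig);
        this.lc.login();
        this.loginEndTime.set(Kerb5AuthHelper.getEndTime(this.lc.getSubject()));
    }

    public void setLoginConfig(Configuration configuration) {
        this.loginConfig = configuration;
    }

    public void setKrb5ConfPath(String krb5ConfPath) {
        this.krb5confPath = krb5ConfPath;
    }

    public void setAuthUserName(String userName) {
        this.authUserName = userName;
    }

    /**
     * Derives the cache key {@code host:port + path up to URLPATTERNS_PREFIX} for a provider URI.
     *
     * @throws IllegalStateException if the URI has no path or the path lacks the prefix
     */
    private String getCacheUrlKey(URI uri) {
        String path = uri.getPath();
        // getPath() is null for opaque URIs; treat that like a missing prefix instead of an NPE.
        int prefixIndex = path == null ? -1 : path.indexOf(RESTfulConstants.URLPATTERNS_PREFIX);
        if (prefixIndex == -1) {
            throw new IllegalStateException("provider url[" + uri + "] does not include " + RESTfulConstants.URLPATTERNS_PREFIX);
        }
        return uri.getHost() + ':' + uri.getPort() + path.substring(0, prefixIndex);
    }

    /**
     * @return the live, mutable header-value cache (not a copy); entries are bearer credentials
     */
    public ConcurrentMap<String, String> getAuthValueCache() {
        return this.authValueCache;
    }

    /** Drops every cached header value and forces a fresh JAAS login on the next request. */
    public void cleanAuthValueCache() {
        this.authValueCache.clear();
        this.loginEndTime.set(0L);
    }
}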
