package org.jasig.cas.support.spnego.web.flow;

import java.nio.charset.Charset;
import javax.servlet.http.HttpServletResponse;
import org.jasig.cas.authentication.Credential;
import org.jasig.cas.support.spnego.authentication.principal.SpnegoCredential;
import org.jasig.cas.support.spnego.util.SpnegoConstants;
import org.jasig.cas.util.CompressionUtils;
import org.jasig.cas.web.flow.AbstractNonInteractiveCredentialsAction;
import org.jasig.cas.web.support.WebUtils;
import org.springframework.util.StringUtils;
import org.springframework.webflow.execution.RequestContext;

/* loaded from: input_file:org/jasig/cas/support/spnego/web/flow/SpnegoCredentialsAction.class */
public final class SpnegoCredentialsAction extends AbstractNonInteractiveCredentialsAction {
    private boolean ntlm;
    private String messageBeginPrefix = constructMessagePrefix();
    private boolean send401OnAuthenticationFailure = true;

    protected Credential constructCredentialsFromRequest(RequestContext requestContext) {
        String header = WebUtils.getHttpServletRequest(requestContext).getHeader(SpnegoConstants.HEADER_AUTHORIZATION);
        if (!StringUtils.hasText(header) || !header.startsWith(this.messageBeginPrefix) || header.length() <= this.messageBeginPrefix.length()) {
            return null;
        }
        this.logger.debug("SPNEGO Authorization header found with {} bytes", Integer.valueOf(header.length() - this.messageBeginPrefix.length()));
        byte[] decodeBase64ToByteArray = CompressionUtils.decodeBase64ToByteArray(header.substring(this.messageBeginPrefix.length()));
        if (decodeBase64ToByteArray == null) {
            this.logger.warn("Could not compress authorization header in base64");
            return null;
        }
        this.logger.debug("Obtained token: {}", new String(decodeBase64ToByteArray, Charset.defaultCharset()));
        return new SpnegoCredential(decodeBase64ToByteArray);
    }

    protected String constructMessagePrefix() {
        return (this.ntlm ? SpnegoConstants.NTLM : SpnegoConstants.NEGOTIATE) + ' ';
    }

    protected void onError(RequestContext requestContext, Credential credential) {
        setResponseHeader(requestContext, credential);
    }

    protected void onSuccess(RequestContext requestContext, Credential credential) {
        setResponseHeader(requestContext, credential);
    }

    private void setResponseHeader(RequestContext requestContext, Credential credential) {
        if (credential == null) {
            return;
        }
        HttpServletResponse httpServletResponse = WebUtils.getHttpServletResponse(requestContext);
        SpnegoCredential spnegoCredential = (SpnegoCredential) credential;
        byte[] nextToken = spnegoCredential.getNextToken();
        if (nextToken != null) {
            this.logger.debug("Obtained output token: {}", new String(nextToken, Charset.defaultCharset()));
            httpServletResponse.setHeader(SpnegoConstants.HEADER_AUTHENTICATE, (this.ntlm ? SpnegoConstants.NTLM : SpnegoConstants.NEGOTIATE) + ' ' + CompressionUtils.encodeBase64(nextToken));
        } else {
            this.logger.debug("Unable to obtain the output token required.");
        }
        if (spnegoCredential.getPrincipal() == null && this.send401OnAuthenticationFailure) {
            this.logger.debug("Setting HTTP Status to 401");
            httpServletResponse.setStatus(401);
        }
    }

    public void setNtlm(boolean z) {
        this.ntlm = z;
        this.messageBeginPrefix = constructMessagePrefix();
    }

    public void setSend401OnAuthenticationFailure(boolean z) {
        this.send401OnAuthenticationFailure = z;
    }
}
