package org.apache.hadoop.security.authentication.server;

import java.io.File;
import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:classes/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.class
 */
/* loaded from: input_file:hadoop-auth-2.10.1.jar:org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.class */
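/**
 * SPNEGO/Kerberos {@link AuthenticationHandler}.
 * <p>
 * {@link #init(Properties)} builds a server {@link Subject} from a keytab and one or more
 * server principals; {@link #authenticate} then runs the GSS-API accept step under that
 * subject for every request carrying an {@code Authorization: Negotiate} header, and answers
 * {@code 401} with a {@code WWW-Authenticate: Negotiate} challenge whenever the exchange has
 * not completed.
 * <p>
 * Configuration keys: {@value #PRINCIPAL} (server principal, or {@code *} to use every
 * {@code HTTP/...} principal in the keytab), {@value #KEYTAB} (keytab path) and the optional
 * {@value #NAME_RULES} ({@link KerberosName} mapping rules).
 */
public class KerberosAuthenticationHandler implements AuthenticationHandler {
    public static final Logger LOG = LoggerFactory.getLogger(KerberosAuthenticationHandler.class);
    /** Handler type reported by {@link #getType()} when the no-arg constructor is used. */
    public static final String TYPE = "kerberos";
    /** Configuration key: server principal, or {@code *} for all {@code HTTP/} principals in the keytab. */
    public static final String PRINCIPAL = "kerberos.principal";
    /** Configuration key: path of the keytab file. */
    public static final String KEYTAB = "kerberos.keytab";
    /** Configuration key: optional {@link KerberosName} rules. */
    public static final String NAME_RULES = "kerberos.name.rules";

    /** Selects the server principals from the keytab when {@link #PRINCIPAL} is {@code *}. */
    private static final Pattern HTTP_PRINCIPAL_PATTERN = Pattern.compile("HTTP/.*");
    /** Scheme used in the {@code Authorization} and {@code WWW-Authenticate} headers. */
    private static final String NEGOTIATE = "Negotiate";

    private final String type;
    private String keytab;
    private GSSManager gssManager;
    private Subject serverSubject;

    /** Creates a handler of type {@link #TYPE}. */
    public KerberosAuthenticationHandler() {
        this(TYPE);
    }

    /**
     * Creates a handler reporting the given type name.
     *
     * @param str the value returned by {@link #getType()}
     */
    public KerberosAuthenticationHandler(String str) {
        this.serverSubject = new Subject();
        this.type = str;
    }

    /**
     * Initializes the handler from configuration: validates the principal and keytab settings,
     * checks that the keytab file exists, adds the keytab and the server principal(s) to the
     * server subject, installs the optional name rules and obtains a {@link GSSManager} while
     * running as the server subject.
     *
     * @param properties handler configuration (see the class constants)
     * @throws ServletException if the configuration is incomplete, the keytab is missing or
     *         holds no matching principal, or any other failure occurs (wrapped as the cause)
     */
    @Override
    public void init(Properties properties) throws ServletException {
        try {
            String principalProperty = properties.getProperty(PRINCIPAL);
            if (principalProperty == null || principalProperty.trim().isEmpty()) {
                throw new ServletException("Principal not defined in configuration");
            }
            this.keytab = properties.getProperty(KEYTAB, this.keytab);
            if (this.keytab == null || this.keytab.trim().isEmpty()) {
                throw new ServletException("Keytab not defined in configuration");
            }
            File keytabFile = new File(this.keytab);
            if (!keytabFile.exists()) {
                throw new ServletException("Keytab does not exist: " + this.keytab);
            }
            String[] principalNames;
            if (principalProperty.equals("*")) {
                // Wildcard: serve every HTTP/ principal the keytab contains.
                principalNames = KerberosUtil.getPrincipalNames(this.keytab, HTTP_PRINCIPAL_PATTERN);
                if (principalNames.length == 0) {
                    throw new ServletException("Principals do not exist in the keytab");
                }
            } else {
                principalNames = new String[]{principalProperty};
            }
            this.serverSubject.getPrivateCredentials().add(KeyTab.getInstance(keytabFile));
            for (String name : principalNames) {
                Principal principal = new KerberosPrincipal(name);
                LOG.info("Using keytab {}, for principal {}", this.keytab, principal);
                this.serverSubject.getPrincipals().add(principal);
            }
            String nameRules = properties.getProperty(NAME_RULES, null);
            if (nameRules != null) {
                KerberosName.setRules(nameRules);
            }
            try {
                this.gssManager = Subject.doAs(this.serverSubject, new PrivilegedExceptionAction<GSSManager>() {
                    @Override
                    public GSSManager run() throws Exception {
                        return GSSManager.getInstance();
                    }
                });
            } catch (PrivilegedActionException e) {
                // Unwrap so the outer handler wraps the real cause, not the PrivilegedActionException.
                throw e.getException();
            }
        } catch (Exception e) {
            throw new ServletException(e);
        }
    }

    /**
     * Releases the keytab path and the server subject. {@link #getPrincipals()} must not be
     * called afterwards (the subject is set to {@code null}).
     */
    @Override
    public void destroy() {
        this.keytab = null;
        this.serverSubject = null;
    }

    /** @return the handler type given at construction time */
    @Override
    public String getType() {
        return this.type;
    }

    /**
     * @return the Kerberos principals held by the server subject
     * @throws NullPointerException if called after {@link #destroy()}
     */
    public Set<KerberosPrincipal> getPrincipals() {
        return this.serverSubject.getPrincipals(KerberosPrincipal.class);
    }

    /** @return the configured keytab path, or {@code null} before {@link #init} / after {@link #destroy} */
    public String getKeytab() {
        return this.keytab;
    }

    /**
     * This handler performs no management operations of its own; always returns {@code true}.
     */
    @Override
    public boolean managementOperation(AuthenticationToken authenticationToken, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        return true;
    }

    /**
     * Performs one step of the SPNEGO exchange for the request.
     * <p>
     * Without a {@code Negotiate} {@code Authorization} header the client is challenged
     * ({@code 401}, {@code WWW-Authenticate: Negotiate}) and {@code null} is returned. Otherwise
     * the token is decoded, the server principal it names is required to be an {@code HTTP/}
     * service principal, and the accept step runs as the server subject (see
     * {@link #runWithPrincipal}).
     *
     * @return the established token, or {@code null} while the exchange is still in progress
     * @throws IOException if the accept step fails with an I/O error
     * @throws AuthenticationException if the token is malformed, names a non-{@code HTTP/}
     *         principal, or the GSS-API exchange fails
     */
    @Override
    public AuthenticationToken authenticate(HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        String authorization = httpServletRequest.getHeader("Authorization");
        if (authorization == null || !authorization.startsWith(NEGOTIATE)) {
            httpServletResponse.setHeader("WWW-Authenticate", NEGOTIATE);
            httpServletResponse.setStatus(401);
            if (authorization == null) {
                LOG.trace("SPNEGO starting for url: {}", httpServletRequest.getRequestURL());
            } else {
                LOG.warn("'Authorization' does not start with 'Negotiate' :  {}", authorization);
            }
            return null;
        }
        String encodedToken = authorization.substring(NEGOTIATE.length()).trim();
        final Base64 base64 = new Base64(0);
        final byte[] clientToken = base64.decode(encodedToken);
        try {
            final String serverName = KerberosUtil.getTokenServerName(clientToken);
            // The principal named by the client selects the acceptor credential in
            // runWithPrincipal, so only HTTP/ service principals may get that far.
            if (!serverName.startsWith("HTTP/")) {
                throw new IllegalArgumentException("Invalid server principal " + serverName + " decoded from client request");
            }
            return Subject.doAs(this.serverSubject, new PrivilegedExceptionAction<AuthenticationToken>() {
                @Override
                public AuthenticationToken run() throws Exception {
                    return runWithPrincipal(serverName, clientToken, base64, httpServletResponse);
                }
            });
        } catch (PrivilegedActionException e) {
            if (e.getException() instanceof IOException) {
                throw (IOException) e.getException();
            }
            throw new AuthenticationException(e.getException());
        } catch (Exception e) {
            // Covers malformed tokens (getTokenServerName) and the HTTP/ check above.
            throw new AuthenticationException(e);
        }
    }

    /**
     * Runs the GSS-API accept step for one client token, using the server principal named by
     * the client. Must be invoked as the server subject (see {@link #authenticate}).
     * <p>
     * Any response token is returned to the client in {@code WWW-Authenticate}. If the context
     * is established the response status is {@code 200} and a token for the client principal
     * (short name via {@link KerberosName}) is returned; otherwise the status is {@code 401} and
     * {@code null} is returned. The credential and context are disposed on every path.
     *
     * @param str server principal name taken from the client token
     * @param bArr decoded client token
     * @param base64 encoder for the response token
     * @param httpServletResponse response to set headers/status on
     * @return the established token, or {@code null} while the exchange is in progress
     * @throws IOException if the client principal cannot be mapped to a short name
     * @throws GSSException if the GSS-API exchange or disposal fails
     */
    public AuthenticationToken runWithPrincipal(String str, byte[] bArr, Base64 base64, HttpServletResponse httpServletResponse) throws IOException, GSSException {
        GSSContext gssContext = null;
        GSSCredential gssCreds = null;
        try {
            LOG.trace("SPNEGO initiated with server principal [{}]", str);
            gssCreds = this.gssManager.createCredential(
                    this.gssManager.createName(str, KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID),
                    GSSCredential.INDEFINITE_LIFETIME,
                    new Oid[]{KerberosUtil.GSS_SPNEGO_MECH_OID, KerberosUtil.GSS_KRB5_MECH_OID},
                    GSSCredential.ACCEPT_ONLY);
            gssContext = this.gssManager.createContext(gssCreds);
            byte[] serverToken = gssContext.acceptSecContext(bArr, 0, bArr.length);
            if (serverToken != null && serverToken.length > 0) {
                httpServletResponse.setHeader("WWW-Authenticate", NEGOTIATE + " " + base64.encodeToString(serverToken));
            }
            if (!gssContext.isEstablished()) {
                httpServletResponse.setStatus(401);
                LOG.trace("SPNEGO in progress");
                return null;
            }
            String clientPrincipal = gssContext.getSrcName().toString();
            AuthenticationToken token = new AuthenticationToken(new KerberosName(clientPrincipal).getShortName(), clientPrincipal, getType());
            httpServletResponse.setStatus(200);
            LOG.trace("SPNEGO completed for client principal [{}]", clientPrincipal);
            return token;
        } finally {
            // Dispose on the failure path too; the previous version only released these on success.
            if (gssContext != null) {
                gssContext.dispose();
            }
            if (gssCreds != null) {
                gssCreds.dispose();
            }
        }
    }
}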
