package org.eclipse.jetty.security.authentication;

import java.io.Serializable;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Objects;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.security.AuthenticationState;
import org.eclipse.jetty.security.Authenticator;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.RoleDelegateUserIdentity;
import org.eclipse.jetty.security.SPNEGOUserPrincipal;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserIdentity;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.server.Session;
import org.eclipse.jetty.util.Callback;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/jetty/security/authentication/SPNEGOAuthenticator.class */
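/**
 * Authenticator that drives the HTTP {@code Negotiate} exchange: it reads the token from the
 * {@code Authorization} header, hands it to the configured {@link LoginService}, and answers
 * with {@code 401} + {@code WWW-Authenticate: Negotiate [token]} until the identity reports
 * itself as established.
 *
 * <p>An established identity may be cached in the HTTP session so that later requests without
 * a token are accepted; see {@link #setAuthenticationDuration(Duration)} for the caching rules.
 */
public class SPNEGOAuthenticator extends LoginAuthenticator {
    private static final Logger LOG = LoggerFactory.getLogger(SPNEGOAuthenticator.class);
    private final String _type;
    private Duration _authenticationDuration;

    /**
     * Session attribute value that remembers an established identity and when it was stored.
     *
     * <p>Both fields are {@code transient}: if the session is serialized and restored, the
     * holder comes back with {@code null} fields, which {@code validateRequest} treats as
     * "no cached identity" and answers with a fresh challenge.
     */
    private static class UserIdentityHolder implements Serializable {
        private static final String ATTRIBUTE = UserIdentityHolder.class.getName();
        // Creation time of the holder; the start of the validity window.
        private final transient Instant _validFrom = Instant.now();
        private final transient UserIdentity _userIdentity;

        private UserIdentityHolder(UserIdentity userIdentity) {
            this._userIdentity = userIdentity;
        }
    }

    /** Creates an authenticator that reports {@link Authenticator#SPNEGO_AUTH} as its type. */
    public SPNEGOAuthenticator() {
        this(Authenticator.SPNEGO_AUTH);
    }

    /**
     * Creates an authenticator reporting the given authentication type.
     *
     * @param str the value returned by {@link #getAuthenticationType()}
     */
    public SPNEGOAuthenticator(String str) {
        // Negative duration: identity caching in the session is disabled by default.
        this._authenticationDuration = Duration.ofNanos(-1L);
        this._type = str;
    }

    @Override
    public String getAuthenticationType() {
        return this._type;
    }

    /**
     * @return the configured authentication duration; see
     *     {@link #setAuthenticationDuration(Duration)} for its meaning
     */
    public Duration getAuthenticationDuration() {
        return this._authenticationDuration;
    }

    /**
     * Sets how long an established identity cached in the session is accepted for requests
     * that carry no {@code Negotiate} token.
     *
     * <ul>
     *   <li>negative: the identity is never stored in, nor read from, the session;</li>
     *   <li>zero: a cached identity never expires;</li>
     *   <li>positive: a cached identity expires that long after it was stored. Expiry is only
     *       enforced for {@code GET} requests; other methods are still accepted with an
     *       expired identity.</li>
     * </ul>
     *
     * @param duration the new duration; {@code validateRequest} dereferences it, so it must
     *     not be {@code null}
     */
    public void setAuthenticationDuration(Duration duration) {
        this._authenticationDuration = duration;
    }

    /**
     * Delegates to the login service and renews the session once the identity is established.
     *
     * @param str the user name passed through to the login service
     * @param obj the credentials passed through to the login service
     * @param request the current request, also used to obtain or create the session
     * @param response the current response
     * @return the identity returned by the login service, possibly {@code null} or not yet
     *     established
     */
    @Override
    public UserIdentity login(String str, Object obj, Request request, Response response) {
        LoginService loginService = this._loginService;
        Objects.requireNonNull(request, "request");
        // The decompiled lambda referenced an undefined local; it is the bound method
        // reference request::getSession.
        RoleDelegateUserIdentity identity =
            (RoleDelegateUserIdentity) loginService.login(str, obj, request, request::getSession);
        if (identity != null && identity.isEstablished()) {
            // Renew the session only after authentication has actually completed.
            renewSession(request, response);
        }
        return identity;
    }

    /**
     * Validates a request against the {@code Negotiate} scheme.
     *
     * @param request the request to authenticate
     * @param response the response used for challenges and the final token
     * @param callback completed by the error response when a challenge is written
     * @return a success state carrying the identity, {@link AuthenticationState#CHALLENGE}
     *     after a 401 was written, or {@code null} when the response is deferred
     * @throws ServerAuthException declared by the overridden method
     */
    @Override
    public AuthenticationState validateRequest(Request request, Response response, Callback callback) throws ServerAuthException {
        String header = request.getHeaders().get(HttpHeader.AUTHORIZATION);
        // getSpnegoToken(null) is null, so a missing header and a non-Negotiate header
        // both take the "no token" branch below.
        String spnegoToken = getSpnegoToken(header);
        Session session = request.getSession(false);

        if (spnegoToken == null) {
            if (session != null) {
                UserIdentityHolder holder = (UserIdentityHolder) session.getAttribute(UserIdentityHolder.ATTRIBUTE);
                // A holder restored from serialization has null transient fields.
                if (holder != null && holder._userIdentity != null) {
                    Duration authenticationDuration = getAuthenticationDuration();
                    if (!authenticationDuration.isNegative()) {
                        boolean expired = !authenticationDuration.isZero()
                            && Instant.now().isAfter(holder._validFrom.plus(authenticationDuration));
                        // Security-relevant: an expired identity is still accepted for every
                        // method other than GET; only GET forces re-authentication.
                        // NOTE(review): presumably so request content need not be re-sent
                        // after a challenge - confirm this is acceptable for the deployment.
                        if (!expired || !HttpMethod.GET.is(request.getMethod())) {
                            return new LoginAuthenticator.UserAuthenticationSucceeded(getAuthenticationType(), holder._userIdentity);
                        }
                    }
                }
            }
            if (AuthenticationState.Deferred.isDeferred(response)) {
                return null;
            }
            LOG.debug("Sending initial challenge");
            sendChallenge(request, response, callback, null);
            return AuthenticationState.CHALLENGE;
        }

        RoleDelegateUserIdentity identity = (RoleDelegateUserIdentity) login(null, spnegoToken, request, response);
        if (identity == null) {
            // login() tolerates a null result from the login service, so this path must too:
            // answer with a fresh challenge instead of failing with a NullPointerException.
            if (AuthenticationState.Deferred.isDeferred(response)) {
                return null;
            }
            LOG.debug("Login returned no identity, sending challenge");
            sendChallenge(request, response, callback, null);
            return AuthenticationState.CHALLENGE;
        }
        if (!identity.isEstablished()) {
            if (AuthenticationState.Deferred.isDeferred(response)) {
                return null;
            }
            LOG.debug("Sending intermediate challenge");
            sendChallenge(request, response, callback, ((SPNEGOUserPrincipal) identity.getUserPrincipal()).getEncodedToken());
            return AuthenticationState.CHALLENGE;
        }

        if (!AuthenticationState.Deferred.isDeferred(response)) {
            LOG.debug("Sending final token");
            setSpnegoToken(response, ((SPNEGOUserPrincipal) identity.getUserPrincipal()).getEncodedToken());
        }
        if (!getAuthenticationDuration().isNegative()) {
            // NOTE(review): session was looked up before login(), which calls renewSession();
            // confirm the renewed session is this same Session object.
            if (session == null) {
                session = request.getSession(true);
            }
            session.setAttribute(UserIdentityHolder.ATTRIBUTE, new UserIdentityHolder(identity));
        }
        return new LoginAuthenticator.UserAuthenticationSucceeded(getAuthenticationType(), identity);
    }

    /** Writes a 401 response whose challenge header optionally carries a token. */
    private void sendChallenge(Request request, Response response, Callback callback, String str) {
        setSpnegoToken(response, str);
        Response.writeError(request, response, callback, 401);
    }

    /**
     * Sets {@code WWW-Authenticate} to the Negotiate scheme, followed by the token when one
     * is given.
     */
    private void setSpnegoToken(Response response, String str) {
        String value = HttpHeader.NEGOTIATE.asString();
        if (str != null) {
            value = value + " " + str;
        }
        response.getHeaders().put(HttpHeader.WWW_AUTHENTICATE.asString(), value);
    }

    /**
     * Extracts the token from an {@code Authorization} header value.
     *
     * @param str the header value, possibly {@code null}
     * @return the trimmed text after the Negotiate scheme prefix (matched case-insensitively),
     *     or {@code null} when the header is absent or uses another scheme
     */
    private String getSpnegoToken(String str) {
        if (str == null) {
            return null;
        }
        String prefix = HttpHeader.NEGOTIATE.asString() + " ";
        if (str.regionMatches(true, 0, prefix, 0, prefix.length())) {
            return str.substring(prefix.length()).trim();
        }
        return null;
    }
}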
