package io.split.service;

import java.io.IOException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Base64;
import java.util.Date;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import okhttp3.Authenticator;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.Route;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/* loaded from: input_file:io/split/service/HTTPKerberosAuthInterceptor.class */
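/**
 * OkHttp {@link Authenticator} that answers an authentication challenge with a
 * Kerberos (SPNEGO-style "Negotiate") token placed in the {@code Proxy-authorization}
 * request header.
 *
 * <p>A JAAS login is performed once in the constructor using
 * {@code Krb5LoginModule}; the resulting {@link Subject} is reused for every
 * challenge and refreshed when its ticket-granting ticket has expired.
 *
 * <p>The service principal is always {@code "HTTP/" + host}, where {@code host}
 * is the value given at construction time; nothing from the challenge response
 * is used to pick the principal.
 *
 * <p>NOTE(review): {@link #loginContext} is replaced without synchronization in
 * {@link #buildSubjectCredentials()}, and the superseded context is never logged
 * out. Confirm whether instances are shared between concurrent calls.
 */
public class HTTPKerberosAuthInterceptor implements Authenticator {
    String host;
    Map<String, String> krbOptions;
    LoginContext loginContext;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/split/service/HTTPKerberosAuthInterceptor$CreateAuthorizationHeaderAction.class */
    /**
     * Privileged action that produces the first GSS-API token for the given
     * client/server principal pair and stores it Base64-encoded.
     *
     * <p>Meant to be run through {@code Subject.doAs}, as the enclosing class does.
     */
    public static class CreateAuthorizationHeaderAction implements PrivilegedAction<Object> {
        String clientPrincipalName;
        String serverPrincipalName;
        private StringBuffer outputToken;

        private CreateAuthorizationHeaderAction(String str, String str2) {
            this.outputToken = new StringBuffer();
            this.clientPrincipalName = str;
            this.serverPrincipalName = str2;
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * Returns the Base64 text appended by {@link #run()}; empty if {@code run()}
         * has not completed successfully.
         */
        public String getNegotiateToken() {
            return this.outputToken.toString();
        }

        /**
         * Creates an initiator security context towards {@code serverPrincipalName}
         * and appends the Base64 form of the first context token to the output buffer.
         *
         * <p>NOTE(review): only the first leg of the exchange is produced. The
         * acceptor's reply token is never fed back into the context, so the outcome
         * of mutual authentication is not verified in this class.
         *
         * @return always {@code null}; the token is read via {@link #getNegotiateToken()}
         * @throws RuntimeException wrapping the {@link GSSException} or
         *         {@link IOException} raised while building the token
         */
        @Override // java.security.PrivilegedAction
        public Object run() {
            GSSContext context = null;
            try {
                // Kerberos V5 mechanism OID and Kerberos V5 principal-name type OID.
                Oid krb5Mechanism = new Oid("1.2.840.113554.1.2.2");
                Oid krb5PrincipalNameType = new Oid("1.2.840.113554.1.2.2.1");
                GSSManager manager = GSSManager.getInstance();

                org.ietf.jgss.GSSName clientName =
                        manager.createName(this.clientPrincipalName, krb5PrincipalNameType);
                org.ietf.jgss.GSSName serverName =
                        manager.createName(this.serverPrincipalName, krb5PrincipalNameType);
                // 28800 s = 8 h requested credential lifetime; initiator-only usage.
                org.ietf.jgss.GSSCredential clientCredential = manager.createCredential(
                        clientName, 28800, krb5Mechanism, org.ietf.jgss.GSSCredential.INITIATE_ONLY);

                context = manager.createContext(
                        serverName, krb5Mechanism, clientCredential, GSSContext.DEFAULT_LIFETIME);

                // Request flags are only honoured before the first initSecContext call,
                // so the mutual-auth request has to be made here, not afterwards.
                context.requestMutualAuth(true);

                byte[] emptyInput = new byte[0];
                byte[] firstToken = context.initSecContext(emptyInput, 0, emptyInput.length);
                if (firstToken == null) {
                    throw new IOException("could not initialize the security context");
                }
                // encodeToString avoids a platform-charset dependent byte[] -> String step.
                this.outputToken.append(Base64.getEncoder().encodeToString(firstToken));
                return null;
            } catch (GSSException | IOException e) {
                throw new RuntimeException(e.getMessage(), e);
            } finally {
                // Release the context on every path, including the failure paths above.
                if (context != null) {
                    try {
                        context.dispose();
                    } catch (GSSException ignored) {
                        // Best-effort cleanup: a failed dispose must not mask the real
                        // error nor invalidate a token that was already produced.
                    }
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/split/service/HTTPKerberosAuthInterceptor$KerberosLoginConfiguration.class */
    /**
     * In-memory JAAS {@link Configuration} with a single required
     * {@code Krb5LoginModule} entry, configured from the supplied option map.
     */
    public static class KerberosLoginConfiguration extends Configuration {
        Map<String, String> krbOptions;

        /** Creates a configuration with no Krb5LoginModule options. */
        public KerberosLoginConfiguration() {
            this.krbOptions = null;
        }

        /**
         * @param map Krb5LoginModule options passed through unchanged; may be {@code null}
         */
        KerberosLoginConfiguration(Map<String, String> map) {
            this.krbOptions = map;
        }

        /**
         * Returns the same single-entry configuration for every application name.
         *
         * @param str application/context name; ignored
         * @return one REQUIRED {@code Krb5LoginModule} entry
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            // AppConfigurationEntry rejects a null options map with
            // IllegalArgumentException, so substitute an empty map.
            Map<String, String> options = this.krbOptions != null
                    ? this.krbOptions
                    : java.util.Collections.<String, String>emptyMap();
            return new AppConfigurationEntry[]{
                new AppConfigurationEntry(
                        "com.sun.security.auth.module.Krb5LoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        options)
            };
        }
    }

    /**
     * Stores the target host and option map, then performs the Kerberos login.
     *
     * @param str host used to build the service principal {@code HTTP/<host>}
     * @param map Krb5LoginModule options, or {@code null} for none
     * @throws IOException if the JAAS login fails (the {@link LoginException} is the cause)
     */
    public HTTPKerberosAuthInterceptor(String str, Map<String, String> map) throws IOException {
        this.host = str;
        this.krbOptions = map;
        try {
            buildSubjectCredentials();
        } catch (LoginException e) {
            throw new IOException(e.getMessage(), e);
        }
    }

    /**
     * Logs in with a fresh {@link Subject} and, on success, makes the new
     * {@link LoginContext} the current one. No callback handler is supplied.
     */
    private void buildSubjectCredentials() throws LoginException {
        Configuration configuration = this.krbOptions != null
                ? new KerberosLoginConfiguration(this.krbOptions)
                : new KerberosLoginConfiguration();
        LoginContext freshContext =
                new LoginContext("Krb5LoginContext", new Subject(), (CallbackHandler) null, configuration);
        freshContext.login();
        // Assign only after login() succeeded so a failed refresh keeps the old context.
        this.loginContext = freshContext;
    }

    /**
     * Returns the name of the single principal held by the logged-in subject.
     *
     * @throws IllegalStateException if the subject has zero or several principals
     */
    private String getClientPrincipalName() {
        Set<Principal> principals = getContextSubject().getPrincipals();
        if (principals.size() != 1) {
            throw new IllegalStateException("Only one principal is expected. Found 0 or more than one principals :" + principals);
        }
        return principals.iterator().next().getName();
    }

    /**
     * Returns the subject of the current login context.
     *
     * @throws IllegalStateException if the login context has no subject
     */
    private Subject getContextSubject() {
        Subject subject = this.loginContext.getSubject();
        if (subject == null) {
            throw new IllegalStateException("Kerberos login context without subject");
        }
        return subject;
    }

    /**
     * Builds the Base64 Negotiate token for the given service principal,
     * logging in again first when a ticket-granting ticket has expired.
     *
     * @param str service principal name the token is issued for
     * @return Base64-encoded token (without the {@code "Negotiate "} prefix)
     * @throws LoginException if the re-login fails
     */
    private String buildAuthorizationHeader(String str) throws LoginException {
        // Refresh before reading the principal so that the name and the credentials
        // used below come from the same subject.
        Date now = new Date();
        for (Object credential : getContextSubject().getPrivateCredentials()) {
            if (!(credential instanceof KerberosTicket)) {
                continue;
            }
            KerberosTicket ticket = (KerberosTicket) credential;
            boolean isTgt = ticket.getServer().getName().startsWith("krbtgt");
            if (isTgt && ticket.getEndTime().before(now)) {
                buildSubjectCredentials();
                break;
            }
        }

        CreateAuthorizationHeaderAction action =
                new CreateAuthorizationHeaderAction(getClientPrincipalName(), str);
        Subject.doAs(this.loginContext.getSubject(), action);
        return action.getNegotiateToken();
    }

    /**
     * Re-issues the challenged request with a {@code Proxy-authorization: Negotiate <token>}
     * header for the principal {@code HTTP/<host>}.
     *
     * <p>NOTE(review): the response is not inspected. There is no check of the status
     * code, of the offered schemes, or of whether the previous attempt already carried
     * this header, so a persistently rejected request yields a new token on every
     * challenge until the HTTP client gives up. Consider returning {@code null} once
     * an attempt has already failed.
     *
     * @param route route of the challenged request; unused
     * @param response the challenge response whose request is re-issued
     * @return a copy of the original request carrying the Negotiate header
     * @throws IOException wrapping any failure while building the token
     */
    @Override
    public Request authenticate(Route route, Response response) throws IOException {
        String servicePrincipal = "HTTP/" + this.host;
        // Only the service principal name is printed; the token itself is a
        // credential and must stay out of any output.
        System.out.println("Using principal: " + servicePrincipal);
        try {
            String headerValue = "Negotiate " + buildAuthorizationHeader(servicePrincipal);
            return response.request().newBuilder().header("Proxy-authorization", headerValue).build();
        } catch (Exception e) {
            throw new IOException(e.getMessage(), e);
        }
    }
}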
