package org.elasticsearch.hadoop.rest.commonshttp.auth.spnego;

import java.io.Closeable;
import java.io.IOException;
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.elasticsearch.hadoop.EsHadoopIllegalArgumentException;
import org.elasticsearch.hadoop.rest.commonshttp.auth.EsHadoopAuthPolicies;
import org.elasticsearch.hadoop.thirdparty.apache.commons.httpclient.Credentials;
import org.elasticsearch.hadoop.thirdparty.apache.commons.httpclient.HttpMethod;
import org.elasticsearch.hadoop.thirdparty.apache.commons.httpclient.URIException;
import org.elasticsearch.hadoop.thirdparty.apache.commons.httpclient.auth.AuthScheme;
import org.elasticsearch.hadoop.thirdparty.apache.commons.httpclient.auth.AuthenticationException;
import org.elasticsearch.hadoop.thirdparty.apache.commons.httpclient.auth.MalformedChallengeException;
import org.elasticsearch.hadoop.util.StringUtils;
import org.ietf.jgss.GSSException;

/* loaded from: input_file:org/elasticsearch/hadoop/rest/commonshttp/auth/spnego/SpnegoAuthScheme.class */
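/**
 * SPNEGO ("Negotiate") authentication scheme for the shaded commons-httpclient.
 *
 * <p>The scheme keeps the most recent server challenge and a lazily created
 * {@link SpnegoNegotiator}. Each call that produces a token consumes the stored
 * challenge, so a challenge is never replayed into the negotiator twice.
 *
 * <p>NOTE(review): the two mutable fields are not synchronized; this looks like it is
 * meant to be used by one request flow at a time — confirm against the caller.
 */
public class SpnegoAuthScheme implements AuthScheme, Closeable {
    /** Placeholder in a configured service principal that is replaced by the target host name. */
    private static final String HOSTNAME_PATTERN = "_HOST";

    /** Token part of the last challenge received, or {@code null} once it has been consumed. */
    private String challenge;

    /** Created on the first authenticate call; {@code null} until then. */
    private SpnegoNegotiator spnegoNegotiator;

    /**
     * Reports whether the scheme authenticates a connection rather than a request.
     *
     * @return always {@code false}
     */
    @Override
    public boolean isConnectionBased() {
        return false;
    }

    /**
     * Returns the scheme name.
     *
     * @return {@link EsHadoopAuthPolicies#NEGOTIATE}
     */
    @Override
    public String getSchemeName() {
        return EsHadoopAuthPolicies.NEGOTIATE;
    }

    /**
     * Stores the token part of a challenge header for the next negotiation step.
     *
     * <p>A blank or {@code null} header is ignored and leaves any stored challenge untouched.
     * Otherwise the header must start with the scheme name (compared case-insensitively),
     * followed by whitespace or the end of the string. Previously the scheme-name length was
     * cut off blindly, which threw an unchecked {@code StringIndexOutOfBoundsException} on a
     * short header and passed arbitrary text to the negotiator when the header belonged to a
     * different scheme.
     *
     * @param str the raw challenge header value
     * @throws MalformedChallengeException if the header does not start with the scheme name
     */
    @Override
    public void processChallenge(String str) throws MalformedChallengeException {
        if (!StringUtils.hasText(str)) {
            return;
        }
        String header = str.trim();
        String scheme = EsHadoopAuthPolicies.NEGOTIATE;
        int schemeLength = scheme.length();
        // regionMatches is false when the header is shorter than the scheme name,
        // so the charAt below is always in range.
        boolean schemeMatches = header.regionMatches(true, 0, scheme, 0, schemeLength);
        if (!schemeMatches
                || (header.length() > schemeLength && !Character.isWhitespace(header.charAt(schemeLength)))) {
            // The header content is deliberately not echoed: it may carry token material.
            throw new MalformedChallengeException("Challenge header does not start with the [" + scheme + "] scheme name");
        }
        this.challenge = header.substring(schemeLength).trim();
    }

    /**
     * Resolves the canonical host name of the request target.
     *
     * <p>The result feeds the service principal name, and it comes from name resolution
     * ({@link InetAddress#getCanonicalHostName()} performs a reverse lookup), so the principal
     * a ticket is requested for is only as trustworthy as the resolver in use.
     *
     * <p>A URI without a host component is rejected. {@link InetAddress#getByName(String)}
     * maps a {@code null} or empty host to the loopback address, which would silently build
     * a principal for the local machine instead of the intended service.
     *
     * @param uri the request URI
     * @return the canonical host name of {@code uri}'s host
     * @throws UnknownHostException if the URI has no host or the host cannot be resolved
     */
    protected String getFQDN(URI uri) throws UnknownHostException {
        String host = uri.getHost();
        if (host == null || host.isEmpty()) {
            throw new UnknownHostException("Request URI has no host component; cannot substitute " + HOSTNAME_PATTERN + " in the service principal name");
        }
        return InetAddress.getByName(host).getCanonicalHostName();
    }

    /**
     * Creates the negotiator on first use; later calls are no-ops.
     *
     * <p>When the configured service principal contains {@code _HOST}, it must have the form
     * {@code serviceName/_HOST@REALM.NAME}, and the placeholder is replaced by the lower-cased
     * result of {@link #getFQDN(URI)}.
     *
     * @param uri the request URI, used only for host substitution
     * @param spnegoCredentials source of the service principal name and the current user
     * @throws UnknownHostException if host substitution is needed and resolution fails
     * @throws AuthenticationException if a principal containing {@code _HOST} is malformed
     * @throws GSSException declared for the negotiator construction
     */
    private void initializeNegotiator(URI uri, SpnegoCredentials spnegoCredentials) throws UnknownHostException, AuthenticationException, GSSException {
        if (this.spnegoNegotiator != null) {
            return;
        }
        String configuredPrincipal = spnegoCredentials.getServicePrincipalName();
        String servicePrincipalName = configuredPrincipal;
        if (configuredPrincipal.contains(HOSTNAME_PATTERN)) {
            String fqdn = getFQDN(uri);
            String[] split = configuredPrincipal.split("[/@]");
            if (split.length != 3 || !split[1].equals(HOSTNAME_PATTERN)) {
                throw new AuthenticationException("Malformed service principal name [" + configuredPrincipal + "]. To use host substitution, the principal must be of the format [serviceName/_HOST@REALM.NAME].");
            }
            // Locale.ROOT keeps the principal independent of the JVM default locale
            // (for example, Turkish case rules would change an "I" in the host name).
            servicePrincipalName = split[0] + "/" + fqdn.toLowerCase(Locale.ROOT) + "@" + split[2];
        }
        KerberosPrincipal kerberosPrincipal = spnegoCredentials.getUserProvider().getUser().getKerberosPrincipal();
        if (kerberosPrincipal == null) {
            throw new EsHadoopIllegalArgumentException("Could not locate Kerberos Principal on currently logged in user.");
        }
        this.spnegoNegotiator = new SpnegoNegotiator(kerberosPrincipal.getName(), servicePrincipalName);
    }

    /**
     * Runs one negotiation step and formats the result as a header value.
     *
     * <p>The stored challenge is passed to the negotiator when it has text, and is cleared
     * afterwards in either case.
     *
     * @return {@code "Negotiate "} followed by the negotiator's output, or {@code null} when
     *         the negotiator returns {@code null}
     * @throws GSSException if the negotiator fails
     * @throws IllegalStateException if the negotiator has not been initialized
     */
    private String getNegotiateToken() throws GSSException {
        if (this.spnegoNegotiator == null) {
            throw new IllegalStateException("Negotiator not yet initialized.");
        }
        String send = StringUtils.hasText(this.challenge) ? this.spnegoNegotiator.send(this.challenge) : this.spnegoNegotiator.send();
        this.challenge = null;
        if (send != null) {
            send = "Negotiate " + send;
        }
        return send;
    }

    /**
     * Shared implementation behind both public {@code authenticate} overloads.
     *
     * @param credentials must be a {@link SpnegoCredentials}
     * @param uri the request URI
     * @return the header value for the request, or {@code null} if the negotiator produced no token
     * @throws AuthenticationException if the credentials are of the wrong type (or {@code null}),
     *         or if host resolution or the GSS exchange fails
     */
    private String authenticate(Credentials credentials, URI uri) throws AuthenticationException {
        if (!(credentials instanceof SpnegoCredentials)) {
            // instanceof is false for null, so guard the getClass() call instead of failing with an NPE.
            String actualType = credentials == null ? "null" : credentials.getClass().getName();
            throw new AuthenticationException("Invalid credentials type provided to " + getClass().getName() + ".Expected " + SpnegoCredentials.class.getName() + " but got " + actualType);
        }
        try {
            initializeNegotiator(uri, (SpnegoCredentials) credentials);
            return getNegotiateToken();
        } catch (GSSException e) {
            throw new AuthenticationException("Could not authenticate", e);
        } catch (UnknownHostException e) {
            throw new AuthenticationException("Could not authenticate", e);
        }
    }

    /**
     * Produces the header value for the given request.
     *
     * @param credentials must be a {@link SpnegoCredentials}
     * @param httpMethod the request whose URI identifies the target host
     * @return the header value, or {@code null} if the negotiator produced no token
     * @throws AuthenticationException if the request URI cannot be read or authentication fails
     */
    @Override
    public String authenticate(Credentials credentials, HttpMethod httpMethod) throws AuthenticationException {
        try {
            return authenticate(credentials, URI.create(httpMethod.getURI().getURI()));
        } catch (URIException e) {
            throw new AuthenticationException("Could not determine request URI", e);
        }
    }

    /**
     * Produces the header value for a request described by method name and URI string.
     *
     * <p>The first string argument is not used; the second is parsed with
     * {@link URI#create(String)}, which throws {@code IllegalArgumentException} on invalid syntax.
     *
     * @param credentials must be a {@link SpnegoCredentials}
     * @param str unused
     * @param str2 the request URI
     * @return the header value, or {@code null} if the negotiator produced no token
     * @throws AuthenticationException if authentication fails
     */
    @Override
    public String authenticate(Credentials credentials, String str, String str2) throws AuthenticationException {
        return authenticate(credentials, URI.create(str2));
    }

    /**
     * Feeds the server's response header into the negotiator and requires that the exchange
     * is finished: the negotiator must report the context as established and must have
     * nothing further to send.
     *
     * <p>NOTE(review): when {@code str} is blank no server token reaches the negotiator, and
     * the outcome then rests entirely on {@code SpnegoNegotiator.send()} and
     * {@code established()} — confirm that a missing response token cannot leave the context
     * reported as established.
     *
     * @param str the response header value returned by the server
     * @throws AuthenticationException if the header is malformed, the GSS step fails, or the
     *         exchange is not complete afterwards
     * @throws IllegalStateException if no authenticate call has initialized the negotiator
     */
    public void ensureMutualAuth(String str) throws AuthenticationException {
        try {
            processChallenge(str);
        } catch (MalformedChallengeException e) {
            throw new AuthenticationException("Received invalid response header for mutual authentication", e);
        }
        String negotiateToken;
        try {
            negotiateToken = getNegotiateToken();
        } catch (GSSException e) {
            throw new AuthenticationException("Could not complete SPNEGO Authentication", e);
        }
        // Fail closed: anything other than "established and nothing left to send" is a failure.
        if (!this.spnegoNegotiator.established() || negotiateToken != null) {
            throw new AuthenticationException("Could not complete SPNEGO Authentication, Mutual Authentication Failed");
        }
    }

    /**
     * Closes the negotiator, if one was created, and drops any stored challenge.
     *
     * @throws IOException if closing the negotiator fails
     */
    @Override
    public void close() throws IOException {
        if (this.spnegoNegotiator != null) {
            this.spnegoNegotiator.close();
        }
        this.challenge = null;
    }

    /**
     * Reports whether the negotiation has finished.
     *
     * @return {@code false} before the negotiator exists (previously this threw a
     *         {@code NullPointerException}); otherwise the negotiator's {@code established()} result
     */
    @Override
    public boolean isComplete() {
        return this.spnegoNegotiator != null && this.spnegoNegotiator.established();
    }

    /**
     * Returns the realm of this scheme.
     *
     * @return always {@code null}
     */
    @Override
    public String getRealm() {
        return null;
    }

    /**
     * Returns a named scheme parameter.
     *
     * @param str the parameter name (unused)
     * @return always {@code null}
     */
    @Override
    public String getParameter(String str) {
        return null;
    }

    /**
     * Returns the scheme identifier.
     *
     * @return the same value as {@link #getSchemeName()}
     */
    @Override
    public String getID() {
        return getSchemeName();
    }
}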
