package org.yamcs.security;

import com.sun.security.auth.callback.TextCallbackHandler;
import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.CharsetUtil;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.yamcs.ConfigurationException;
import org.yamcs.YConfiguration;
import org.yamcs.utils.StringConverter;
import org.yamcs.web.AuthModuleHttpHandler;
import org.yamcs.web.HttpRequestHandler;

/* loaded from: input_file:org/yamcs/security/SpnegoAuthModule.class */
public class SpnegoAuthModule implements AuthModule, AuthModuleHttpHandler {
    final String krbRealm;
    final boolean stripRealm;
    Map<String, SpnegoAuthenticationInfo> code2info = new ConcurrentHashMap();
    final long AUTH_CODE_VALIDITY = 10000;
    private final LoginContext yamcsLogin;
    final GSSManager gssManager;
    GSSCredential yamcsCred;
    static final String NEGOTIATE = "Negotiate";
    static Oid krb5Oid;
    static Oid spnegoOid;
    private static final Logger log = LoggerFactory.getLogger(SpnegoAuthModule.class);
    static final SecureRandom secureRandom = new SecureRandom();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/yamcs/security/SpnegoAuthModule$SpnegoAuthenticationInfo.class */
    public static class SpnegoAuthenticationInfo extends AuthenticationInfo {
        long created;

        public SpnegoAuthenticationInfo(AuthModule authModule, String str) {
            super(authModule, str);
            this.created = System.currentTimeMillis();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/yamcs/security/SpnegoAuthModule$UserPassCallbackHandler.class */
    public static class UserPassCallbackHandler implements CallbackHandler {
        private char[] password;
        private String username;

        public UserPassCallbackHandler(String str, char[] cArr) {
            this.username = str;
            this.password = cArr;
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if ((callback instanceof NameCallback) && this.username != null) {
                    ((NameCallback) callback).setName(this.username);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(this.password);
                } else {
                    SpnegoAuthModule.log.warn("Unrecognized callback " + callback);
                }
            }
        }
    }

    public SpnegoAuthModule(Map<String, Object> map) {
        if (map.containsKey("krb5.conf")) {
            System.setProperty("java.security.krb5.conf", YConfiguration.getString(map, "krb5.conf"));
        }
        if (map.containsKey("jaas.conf")) {
            System.setProperty("java.security.auth.login.config", YConfiguration.getString(map, "jaas.conf"));
        }
        this.stripRealm = YConfiguration.getBoolean(map, "stripRealm", false);
        this.krbRealm = YConfiguration.getString(map, "krbRealm", (String) null);
        try {
            this.yamcsLogin = new LoginContext("Yamcs", new TextCallbackHandler());
            this.yamcsLogin.login();
            this.gssManager = GSSManager.getInstance();
        } catch (Exception e) {
            throw new ConfigurationException("Cannot login to kerberos", e);
        }
    }

    @Override // org.yamcs.security.AuthModule
    public AuthenticationInfo getAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (authenticationToken instanceof UsernamePasswordToken) {
            return authenticateByPassword((UsernamePasswordToken) authenticationToken);
        }
        if (authenticationToken instanceof ThirdPartyAuthorizationCode) {
            return authenticateByCode((ThirdPartyAuthorizationCode) authenticationToken);
        }
        return null;
    }

    private AuthenticationInfo authenticateByPassword(UsernamePasswordToken usernamePasswordToken) throws AuthenticationException {
        String principal = usernamePasswordToken.getPrincipal();
        try {
            new LoginContext("UserAuth", new UserPassCallbackHandler(principal, usernamePasswordToken.getPassword())).login();
            return new AuthenticationInfo(this, principal);
        } catch (LoginException e) {
            throw new AuthenticationException(e);
        } catch (AccountNotFoundException e2) {
            return null;
        }
    }

    private AuthenticationInfo authenticateByCode(ThirdPartyAuthorizationCode thirdPartyAuthorizationCode) throws AuthenticationException {
        SpnegoAuthenticationInfo spnegoAuthenticationInfo = this.code2info.get(thirdPartyAuthorizationCode.getPrincipal());
        long currentTimeMillis = System.currentTimeMillis();
        if (spnegoAuthenticationInfo == null || currentTimeMillis - spnegoAuthenticationInfo.created > 10000) {
            throw new AuthenticationException("Invalid authorization code");
        }
        return spnegoAuthenticationInfo;
    }

    @Override // org.yamcs.security.AuthModule
    public boolean verifyValidity(User user) {
        return true;
    }

    @Override // org.yamcs.security.AuthModule
    public AuthorizationInfo getAuthorizationInfo(AuthenticationInfo authenticationInfo) {
        return new AuthorizationInfo();
    }

    @Override // org.yamcs.web.AuthModuleHttpHandler
    public String path() {
        return "spnego";
    }

    private static String generateAuthCode() {
        byte[] bArr = new byte[16];
        secureRandom.nextBytes(bArr);
        return StringConverter.arrayToHexString(bArr);
    }

    private synchronized GSSCredential getGSSCredential() throws GSSException {
        if (this.yamcsCred == null || this.yamcsCred.getRemainingLifetime() == 0) {
            this.yamcsCred = (GSSCredential) Subject.doAs(this.yamcsLogin.getSubject(), () -> {
                try {
                    return this.gssManager.createCredential((GSSName) null, 3600, spnegoOid, 2);
                } catch (Exception e) {
                    log.warn("Failed to get GSS credential", e);
                    return null;
                }
            });
        }
        return this.yamcsCred;
    }

    @Override // org.yamcs.web.AuthModuleHttpHandler
    public void handle(ChannelHandlerContext channelHandlerContext, FullHttpRequest fullHttpRequest) {
        if (!fullHttpRequest.headers().contains(HttpHeaderNames.AUTHORIZATION)) {
            DefaultFullHttpResponse defaultFullHttpResponse = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, Unpooled.copiedBuffer(HttpResponseStatus.UNAUTHORIZED.toString() + "\r\n", CharsetUtil.UTF_8));
            HttpUtil.setContentLength(defaultFullHttpResponse, r0.readableBytes());
            defaultFullHttpResponse.headers().set(HttpHeaderNames.WWW_AUTHENTICATE, NEGOTIATE);
            log.info("{} {} {} Sending WWW-Authenticate: Negotiate", new Object[]{fullHttpRequest.method(), fullHttpRequest.uri(), Integer.valueOf(defaultFullHttpResponse.status().code())});
            channelHandlerContext.writeAndFlush(defaultFullHttpResponse).addListener(ChannelFutureListener.CLOSE);
            return;
        }
        String str = fullHttpRequest.headers().get(HttpHeaderNames.AUTHORIZATION);
        if (str.startsWith(NEGOTIATE)) {
            try {
                byte[] decode = Base64.getDecoder().decode(str.substring(NEGOTIATE.length() + 1));
                GSSCredential gSSCredential = getGSSCredential();
                if (gSSCredential == null) {
                    HttpRequestHandler.sendPlainTextError(channelHandlerContext, fullHttpRequest, HttpResponseStatus.INTERNAL_SERVER_ERROR);
                    return;
                }
                GSSContext createContext = this.gssManager.createContext(gSSCredential);
                createContext.acceptSecContext(decode, 0, decode.length);
                if (createContext.isEstablished()) {
                    String gSSName = createContext.getSrcName().toString();
                    log.debug("Got GSS Src Name {}", gSSName);
                    if (this.krbRealm != null && !gSSName.endsWith("@" + this.krbRealm)) {
                        log.warn("User {} does not match the defined realm {}", gSSName, this.krbRealm);
                        HttpRequestHandler.sendPlainTextError(channelHandlerContext, fullHttpRequest, HttpResponseStatus.UNAUTHORIZED);
                        return;
                    }
                    if (this.stripRealm) {
                        gSSName = gSSName.substring(0, (gSSName.length() - this.krbRealm.length()) - 1);
                    }
                    SpnegoAuthenticationInfo spnegoAuthenticationInfo = new SpnegoAuthenticationInfo(this, gSSName);
                    String generateAuthCode = generateAuthCode();
                    this.code2info.put(generateAuthCode, spnegoAuthenticationInfo);
                    DefaultFullHttpResponse defaultFullHttpResponse2 = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK, Unpooled.copiedBuffer(generateAuthCode, CharsetUtil.UTF_8));
                    HttpUtil.setContentLength(defaultFullHttpResponse2, r0.readableBytes());
                    log.info("{} {} {} Sending authorization code {}", new Object[]{fullHttpRequest.method(), fullHttpRequest.uri(), Integer.valueOf(defaultFullHttpResponse2.status().code()), generateAuthCode});
                    channelHandlerContext.writeAndFlush(defaultFullHttpResponse2).addListener(ChannelFutureListener.CLOSE);
                } else {
                    log.warn("Context is not established, multiple rounds needed???");
                    HttpRequestHandler.sendPlainTextError(channelHandlerContext, fullHttpRequest, HttpResponseStatus.UNAUTHORIZED);
                }
            } catch (IllegalArgumentException e) {
                log.warn("Failed to base64 decode the SPNEGO token: {}", e.getMessage());
                HttpRequestHandler.sendPlainTextError(channelHandlerContext, fullHttpRequest, HttpResponseStatus.BAD_REQUEST);
            } catch (GSSException e2) {
                log.warn("Failed to establish context with the SPNEGO token from header '{}': ", str, e2);
                HttpRequestHandler.sendPlainTextError(channelHandlerContext, fullHttpRequest, HttpResponseStatus.UNAUTHORIZED);
            }
        }
    }

    static {
        try {
            spnegoOid = new Oid("1.3.6.1.5.5.2");
            krb5Oid = new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new ConfigurationException(e);
        }
    }
}
