package org.yamcs.security;

import io.netty.buffer.Unpooled;
import io.netty.channel.ChannelFutureListener;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpResponseStatus;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.HttpVersion;
import io.netty.util.CharsetUtil;
import java.io.IOException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.yamcs.ConfigurationException;
import org.yamcs.InitException;
import org.yamcs.Spec;
import org.yamcs.YConfiguration;
import org.yamcs.http.BadRequestException;
import org.yamcs.http.Handler;
import org.yamcs.http.HandlerContext;
import org.yamcs.http.InternalServerErrorException;
import org.yamcs.http.UnauthorizedException;

/* loaded from: input_file:org/yamcs/security/SpnegoAuthModule.class */
public class SpnegoAuthModule extends Handler implements AuthModule {
    private static final Logger log = LoggerFactory.getLogger(SpnegoAuthModule.class);
    private static final String JAAS_ENTRY_NAME = "YamcsHTTP";
    private static final String JAAS_KRB5 = "com.sun.security.auth.module.Krb5LoginModule";
    private static final String NEGOTIATE = "Negotiate";
    private static final long AUTH_CODE_VALIDITY = 10000;
    private static Oid spnegoOid;
    private static Oid krb5Oid;
    private static Oid[] SUPPORTED_OIDS;
    private String realm;
    private boolean stripRealm;
    private Map<String, SpnegoAuthenticationInfo> code2info = new ConcurrentHashMap();
    private LoginContext yamcsLogin;
    private GSSManager gssManager;
    private GSSCredential yamcsCred;

    /* loaded from: input_file:org/yamcs/security/SpnegoAuthModule$DummyCallbackHandler.class */
    private static class DummyCallbackHandler implements CallbackHandler {
        private DummyCallbackHandler() {
        }

        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/yamcs/security/SpnegoAuthModule$SpnegoAuthenticationInfo.class */
    public static class SpnegoAuthenticationInfo extends AuthenticationInfo {
        long created;

        public SpnegoAuthenticationInfo(AuthModule authModule, String str) {
            super(authModule, str);
            this.created = System.currentTimeMillis();
        }
    }

    @Override // org.yamcs.security.AuthModule
    public Spec getSpec() {
        Spec spec = new Spec();
        spec.addOption("keytab", Spec.OptionType.STRING).withRequired(true);
        spec.addOption("principal", Spec.OptionType.STRING).withRequired(true);
        spec.addOption("stripRealm", Spec.OptionType.BOOLEAN).withDefault(true);
        spec.addOption("debug", Spec.OptionType.BOOLEAN).withDefault(false);
        return spec;
    }

    @Override // org.yamcs.security.AuthModule
    public void init(YConfiguration yConfiguration) throws InitException {
        String string = yConfiguration.getString("principal");
        int lastIndexOf = string.lastIndexOf(64);
        if (lastIndexOf < 0) {
            throw new InitException("SPNEGO principal should take the form HTTP/<host>.<domain>@<REALM>");
        }
        String substring = string.substring(0, lastIndexOf);
        this.realm = string.substring(lastIndexOf + 1);
        this.stripRealm = yConfiguration.getBoolean("stripRealm");
        HashMap hashMap = new HashMap();
        hashMap.put("useKeyTab", "true");
        hashMap.put("storeKey", "true");
        hashMap.put("keyTab", yConfiguration.getString("keytab"));
        hashMap.put("useTicketCache", "true");
        hashMap.put("principal", substring);
        hashMap.put("debug", Boolean.toString(yConfiguration.getBoolean("debug")));
        JaasConfiguration.addEntry(JAAS_ENTRY_NAME, new AppConfigurationEntry(JAAS_KRB5, AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, hashMap));
        try {
            this.yamcsLogin = new LoginContext(JAAS_ENTRY_NAME, new DummyCallbackHandler());
            this.yamcsLogin.login();
            this.gssManager = GSSManager.getInstance();
        } catch (LoginException e) {
            throw new InitException(String.format("Cannot login %s to Kerberos", string), e);
        }
    }

    @Override // org.yamcs.security.AuthModule
    public AuthenticationInfo getAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
        if (authenticationToken instanceof ThirdPartyAuthorizationCode) {
            return authenticateByCode((ThirdPartyAuthorizationCode) authenticationToken);
        }
        return null;
    }

    private AuthenticationInfo authenticateByCode(ThirdPartyAuthorizationCode thirdPartyAuthorizationCode) throws AuthenticationException {
        SpnegoAuthenticationInfo spnegoAuthenticationInfo = this.code2info.get(thirdPartyAuthorizationCode.getPrincipal());
        long currentTimeMillis = System.currentTimeMillis();
        if (spnegoAuthenticationInfo == null || currentTimeMillis - spnegoAuthenticationInfo.created > 10000) {
            throw new AuthenticationException("Invalid authorization code");
        }
        return spnegoAuthenticationInfo;
    }

    @Override // org.yamcs.security.AuthModule
    public boolean verifyValidity(AuthenticationInfo authenticationInfo) {
        return true;
    }

    @Override // org.yamcs.security.AuthModule
    public AuthorizationInfo getAuthorizationInfo(AuthenticationInfo authenticationInfo) {
        return new AuthorizationInfo();
    }

    private synchronized GSSCredential getGSSCredential() throws GSSException {
        if (this.yamcsCred == null || this.yamcsCred.getRemainingLifetime() == 0) {
            this.yamcsCred = (GSSCredential) Subject.doAs(this.yamcsLogin.getSubject(), () -> {
                try {
                    return this.gssManager.createCredential((GSSName) null, 3600, SUPPORTED_OIDS, 2);
                } catch (Exception e) {
                    log.warn("Failed to get GSS credential", e);
                    return null;
                }
            });
        }
        return this.yamcsCred;
    }

    @Override // org.yamcs.http.Handler
    public void handle(HandlerContext handlerContext) {
        String credentials = handlerContext.getCredentials(NEGOTIATE);
        if (credentials == null) {
            DefaultFullHttpResponse defaultFullHttpResponse = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, Unpooled.copiedBuffer(HttpResponseStatus.UNAUTHORIZED.toString() + "\r\n", CharsetUtil.UTF_8));
            HttpUtil.setContentLength(defaultFullHttpResponse, r0.readableBytes());
            defaultFullHttpResponse.headers().set(HttpHeaderNames.WWW_AUTHENTICATE, NEGOTIATE);
            handlerContext.sendResponse(defaultFullHttpResponse).addListener(ChannelFutureListener.CLOSE);
            return;
        }
        try {
            byte[] decode = Base64.getDecoder().decode(credentials);
            GSSCredential gSSCredential = getGSSCredential();
            if (gSSCredential == null) {
                throw new InternalServerErrorException("Unexpected GSS error");
            }
            GSSContext createContext = this.gssManager.createContext(gSSCredential);
            createContext.acceptSecContext(decode, 0, decode.length);
            if (!createContext.isEstablished()) {
                log.warn("Context is not established, multiple rounds needed???");
                throw new UnauthorizedException();
            }
            if (createContext.getSrcName() == null) {
                log.warn("Unknown user. No TGT?");
                throw new UnauthorizedException();
            }
            String gSSName = createContext.getSrcName().toString();
            log.debug("GSS context initiator {}", gSSName);
            if (!gSSName.endsWith("@" + this.realm)) {
                log.warn("User {} does not match realm {}", gSSName, this.realm);
                throw new UnauthorizedException();
            }
            String str = gSSName;
            if (this.stripRealm) {
                str = gSSName.substring(0, (gSSName.length() - this.realm.length()) - 1);
            }
            SpnegoAuthenticationInfo spnegoAuthenticationInfo = new SpnegoAuthenticationInfo(this, str);
            spnegoAuthenticationInfo.addExternalIdentity(getClass().getName(), gSSName);
            String generateRandomPassword = CryptoUtils.generateRandomPassword(10);
            this.code2info.put(generateRandomPassword, spnegoAuthenticationInfo);
            DefaultFullHttpResponse defaultFullHttpResponse2 = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK, Unpooled.copiedBuffer(generateRandomPassword, CharsetUtil.UTF_8));
            HttpUtil.setContentLength(defaultFullHttpResponse2, r0.readableBytes());
            handlerContext.sendResponse(defaultFullHttpResponse2).addListener(ChannelFutureListener.CLOSE);
        } catch (IllegalArgumentException e) {
            throw new BadRequestException("Failed to base64 decode the SPNEGO token");
        } catch (GSSException e2) {
            log.warn("Failed to establish context with the SPNEGO token from header '{}': ", credentials, e2);
            throw new UnauthorizedException();
        }
    }

    static {
        try {
            spnegoOid = new Oid("1.3.6.1.5.5.2");
            krb5Oid = new Oid("1.2.840.113554.1.2.2");
            SUPPORTED_OIDS = new Oid[]{spnegoOid, krb5Oid};
        } catch (GSSException e) {
            throw new ConfigurationException((Exception) e);
        }
    }
}
