package org.asynchttpclient.netty.handler.intercept;

import io.netty.channel.Channel;
import io.netty.handler.codec.http.DefaultHttpHeaders;
import io.netty.handler.codec.http.HttpHeaderNames;
import io.netty.handler.codec.http.HttpHeaders;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpResponse;
import io.netty.handler.codec.http.HttpUtil;
import java.util.List;
import org.asynchttpclient.Dsl;
import org.asynchttpclient.Realm;
import org.asynchttpclient.Request;
import org.asynchttpclient.netty.NettyResponseFuture;
import org.asynchttpclient.netty.channel.ChannelManager;
import org.asynchttpclient.netty.channel.ChannelState;
import org.asynchttpclient.netty.request.NettyRequestSender;
import org.asynchttpclient.ntlm.NtlmEngine;
import org.asynchttpclient.spnego.SpnegoEngine;
import org.asynchttpclient.spnego.SpnegoEngineException;
import org.asynchttpclient.util.AuthenticatorUtils;
import org.asynchttpclient.util.MiscUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/asynchttpclient/netty/handler/intercept/Unauthorized401Interceptor.class */
public class Unauthorized401Interceptor {
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) Unauthorized401Interceptor.class);
    private final ChannelManager channelManager;
    private final NettyRequestSender requestSender;

    /* JADX INFO: Access modifiers changed from: package-private */
    public Unauthorized401Interceptor(ChannelManager channelManager, NettyRequestSender nettyRequestSender) {
        this.channelManager = channelManager;
        this.requestSender = nettyRequestSender;
    }

    public boolean exitAfterHandling401(Channel channel, NettyResponseFuture<?> nettyResponseFuture, HttpResponse httpResponse, Request request, Realm realm, HttpRequest httpRequest) {
        if (realm == null) {
            LOGGER.debug("Can't handle 401 as there's no realm");
            return false;
        }
        if (nettyResponseFuture.isAndSetInAuth(true)) {
            LOGGER.info("Can't handle 401 as auth was already performed");
            return false;
        }
        List all = httpResponse.headers().getAll(HttpHeaderNames.WWW_AUTHENTICATE);
        if (all.isEmpty()) {
            LOGGER.info("Can't handle 401 as response doesn't contain WWW-Authenticate headers");
            return false;
        }
        nettyResponseFuture.setChannelState(ChannelState.NEW);
        HttpHeaders add = new DefaultHttpHeaders().add(request.getHeaders());
        switch (realm.getScheme()) {
            case BASIC:
                if (AuthenticatorUtils.getHeaderWithPrefix(all, "Basic") != null) {
                    if (!realm.isUsePreemptiveAuth()) {
                        nettyResponseFuture.setRealm(Dsl.realm(realm).setUsePreemptiveAuth(true).build());
                        break;
                    } else {
                        LOGGER.info("Can't handle 401 with Basic realm as auth was preemptive and already performed");
                        return false;
                    }
                } else {
                    LOGGER.info("Can't handle 401 with Basic realm as WWW-Authenticate headers don't match");
                    return false;
                }
            case DIGEST:
                String headerWithPrefix = AuthenticatorUtils.getHeaderWithPrefix(all, "Digest");
                if (headerWithPrefix != null) {
                    nettyResponseFuture.setRealm(Dsl.realm(realm).setUri(request.getUri()).setMethodName(request.getMethod()).setUsePreemptiveAuth(true).parseWWWAuthenticateHeader(headerWithPrefix).build());
                    break;
                } else {
                    LOGGER.info("Can't handle 401 with Digest realm as WWW-Authenticate headers don't match");
                    return false;
                }
            case NTLM:
                String headerWithPrefix2 = AuthenticatorUtils.getHeaderWithPrefix(all, "NTLM");
                if (headerWithPrefix2 != null) {
                    ntlmChallenge(headerWithPrefix2, add, realm, nettyResponseFuture);
                    nettyResponseFuture.setRealm(Dsl.realm(realm).setUsePreemptiveAuth(true).build());
                    break;
                } else {
                    LOGGER.info("Can't handle 401 with NTLM realm as WWW-Authenticate headers don't match");
                    return false;
                }
            case KERBEROS:
            case SPNEGO:
                if (AuthenticatorUtils.getHeaderWithPrefix(all, "Negotiate") == null) {
                    LOGGER.info("Can't handle 401 with Kerberos or Spnego realm as WWW-Authenticate headers don't match");
                    return false;
                }
                try {
                    kerberosChallenge(realm, request, add);
                    break;
                } catch (SpnegoEngineException e) {
                    String headerWithPrefix3 = AuthenticatorUtils.getHeaderWithPrefix(all, "NTLM");
                    if (headerWithPrefix3 == null) {
                        this.requestSender.abort(channel, nettyResponseFuture, e);
                        return false;
                    }
                    LOGGER.warn("Kerberos/Spnego auth failed, proceeding with NTLM");
                    ntlmChallenge(headerWithPrefix3, add, realm, nettyResponseFuture);
                    nettyResponseFuture.setRealm(Dsl.realm(realm).setScheme(Realm.AuthScheme.NTLM).setUsePreemptiveAuth(true).build());
                    break;
                }
            default:
                throw new IllegalStateException("Invalid Authentication scheme " + realm.getScheme());
        }
        Request build = nettyResponseFuture.getCurrentRequest().toBuilder().setHeaders(add).build();
        LOGGER.debug("Sending authentication to {}", request.getUri());
        if (!nettyResponseFuture.isKeepAlive() || HttpUtil.isTransferEncodingChunked(httpRequest) || HttpUtil.isTransferEncodingChunked(httpResponse)) {
            this.channelManager.closeChannel(channel);
            this.requestSender.sendNextRequest(build, nettyResponseFuture);
            return true;
        }
        nettyResponseFuture.setReuseChannel(true);
        this.requestSender.drainChannelAndExecuteNextRequest(channel, nettyResponseFuture, build);
        return true;
    }

    private void ntlmChallenge(String str, HttpHeaders httpHeaders, Realm realm, NettyResponseFuture<?> nettyResponseFuture) {
        if (str.equals("NTLM")) {
            httpHeaders.set(HttpHeaderNames.AUTHORIZATION, "NTLM " + NtlmEngine.INSTANCE.generateType1Msg());
            nettyResponseFuture.setInAuth(false);
        } else {
            httpHeaders.set(HttpHeaderNames.AUTHORIZATION, "NTLM " + NtlmEngine.INSTANCE.generateType3Msg(realm.getPrincipal(), realm.getPassword(), realm.getNtlmDomain(), realm.getNtlmHost(), str.substring("NTLM ".length()).trim()));
        }
    }

    private void kerberosChallenge(Realm realm, Request request, HttpHeaders httpHeaders) throws SpnegoEngineException {
        httpHeaders.set(HttpHeaderNames.AUTHORIZATION, "Negotiate " + SpnegoEngine.instance(realm.getPrincipal(), realm.getPassword(), realm.getServicePrincipalName(), realm.getRealmName(), realm.isUseCanonicalHostname(), realm.getCustomLoginConfig(), realm.getLoginContextName()).generateToken((String) MiscUtils.withDefault(request.getVirtualHost(), request.getUri().getHost())));
    }
}
