package com.ibm.ws.security.spnego;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.common.internal.encoder.Base64Coder;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.authentication.AuthenticationException;
import com.ibm.ws.security.krb5.SpnegoUtil;
import com.ibm.ws.security.spnego.internal.Krb5Util;
import com.ibm.ws.security.spnego.internal.SpnegoConfigImpl;
import com.ibm.ws.webcontainer.security.AuthResult;
import com.ibm.ws.webcontainer.security.AuthenticationResult;
import com.ibm.wsspi.webcontainer.WebContainerRequestState;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.HashMap;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

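@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/spnego/SpnegoAuthenticator.class */
/**
 * Validates a SPNEGO / Kerberos token carried on an HTTP request and builds
 * the {@code WWW-Authenticate: Negotiate} challenge or error pages when the
 * request cannot be authenticated.
 *
 * <p>Thread-safety: {@code hostMap} is a plain {@link HashMap} that is read
 * and written from {@link #getCanonicalHostname} — presumably on request
 * threads. NOTE(review): this assumes either single-threaded use or a
 * synchronized map supplied via {@link #setHostMap}; confirm with the caller.
 */
public class SpnegoAuthenticator {
    public static final TraceComponent tc = Tr.register(SpnegoAuthenticator.class, "spnego", "com.ibm.ws.security.spnego.internal.resources.SpnegoMessages");
    // Cache of server name -> canonical host name, filled by cacheHostName().
    // The key is the request's server name (client-influenced input) and
    // entries are never evicted, so the map can grow without bound — a cap or
    // eviction policy would be a reasonable hardening.
    private HashMap<String, String> hostMap = new HashMap<>();
    private final Krb5Util krb5Util = new Krb5Util();
    private final AuthenticationResult CONTINUE = new AuthenticationResult(AuthResult.CONTINUE, "SPNEGO authenticator said continue...");
    private final SpnegoUtil spnegoUtil = new SpnegoUtil();
    static final long serialVersionUID = -8907961848765809679L;

    /**
     * Decodes the token from {@code str} and hands it to the Kerberos layer.
     *
     * @param httpServletRequest  the request being authenticated; its server
     *                            name is used to pick the service host name
     * @param httpServletResponse the response, used for error pages on failure
     * @param str                 the raw authorization value the token is
     *                            extracted from (presumably the Authorization
     *                            header — confirm against the caller)
     * @param spnegoConfig        active SPNEGO configuration
     * @return {@code FAILURE} when the token cannot be extracted/decoded, the
     *         result of {@link #notSpnegoAndKerberosTokenError} when the bytes
     *         are neither a SPNEGO nor a Kerberos token, otherwise whatever
     *         {@link Krb5Util#processSpnegoToken} returns
     */
    public AuthenticationResult authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, SpnegoConfig spnegoConfig) {
        byte[] tokenBytes;
        try {
            tokenBytes = Base64Coder.base64Decode(Base64Coder.getBytes(this.spnegoUtil.extractAuthzTokenString(str)));
        } catch (AuthenticationException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.SpnegoAuthenticator", "54", this, new Object[]{httpServletRequest, httpServletResponse, str, spnegoConfig});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Unexpected exception:", new Object[]{e});
            }
            // Return here: without this the token check below would run on an
            // unassigned buffer (the decompiled form fell through).
            return new AuthenticationResult(AuthResult.FAILURE, "SPNEGO authentication failure");
        }
        if (!this.spnegoUtil.isSpnegoOrKrb5Token(tokenBytes)) {
            return notSpnegoAndKerberosTokenError(httpServletResponse, spnegoConfig);
        }
        String serviceHost = getReqHostName(httpServletRequest, spnegoConfig);
        return this.krb5Util.processSpnegoToken(httpServletResponse, tokenBytes, serviceHost, spnegoConfig);
    }

    /**
     * Handles a token that is neither SPNEGO nor Kerberos (e.g. the
     * "NTLM token received" case named by the configured error page).
     *
     * <p>When fail-over to the application's own auth type is allowed the
     * caller is told to {@code CONTINUE}; otherwise a 401 with the configured
     * NTLM-received page is written and {@code SEND_401} is returned.
     *
     * @param httpServletResponse response to write the error page to
     * @param spnegoConfig        configuration providing the error page
     * @return {@code CONTINUE} or {@code SEND_401} as described above
     */
    protected AuthenticationResult notSpnegoAndKerberosTokenError(HttpServletResponse httpServletResponse, SpnegoConfig spnegoConfig) {
        if (!spnegoConfig.getDisableFailOverToAppAuthType()) {
            return this.CONTINUE;
        }
        SpnegoConfig.ErrorPageConfig errorPage = spnegoConfig.getErrorPageConfig();
        httpServletResponse.setStatus(401);
        httpServletResponse.setContentType(errorPage.getNtlmTokenReceivedPageContentType());
        String charset = errorPage.getNtlmTokenReceivedPageCharset();
        // Same null guard as createNegotiateHeader(): a null charset is left to
        // the container default rather than passed through.
        if (charset != null) {
            httpServletResponse.setCharacterEncoding(charset);
        }
        try {
            httpServletResponse.getWriter().println(errorPage.getNTLMTokenReceivedPage());
            WebContainerRequestState.getInstance(true).setAttribute("spnego.error.page", "true");
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.SpnegoAuthenticator", "83", this, new Object[]{httpServletResponse, spnegoConfig});
            Tr.error(tc, "SPNEGO_FAIL_TO_GET_WRITER", new Object[]{"NTLMTokenReceivedPage", e.getMessage()});
        }
        return new AuthenticationResult(AuthResult.SEND_401, "The token included in the HttpServletRequest is not a valid SPNEGO token");
    }

    /**
     * Writes a 401 {@code WWW-Authenticate: Negotiate} challenge together with
     * the configured "SPNEGO not supported" page.
     *
     * @param httpServletResponse response to write the challenge to
     * @param spnegoConfig        configuration providing the error page
     * @return a {@code TAI_CHALLENGE} result; a failure to obtain the writer is
     *         logged but does not change the result
     */
    public AuthenticationResult createNegotiateHeader(HttpServletResponse httpServletResponse, SpnegoConfig spnegoConfig) {
        SpnegoConfig.ErrorPageConfig errorPage = spnegoConfig.getErrorPageConfig();
        httpServletResponse.setStatus(401);
        httpServletResponse.setHeader("WWW-Authenticate", "Negotiate");
        httpServletResponse.setContentType(errorPage.getSpnegoNotSupportedPageContentType());
        String charset = errorPage.getSpnegoNotSupportedPageCharset();
        if (charset != null) {
            httpServletResponse.setCharacterEncoding(charset);
        }
        try {
            httpServletResponse.getWriter().println(errorPage.getSpnegoNotSupportedPage());
            WebContainerRequestState.getInstance(true).setAttribute("spnego.error.page", "true");
        } catch (IOException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.SpnegoAuthenticator", "109", this, new Object[]{httpServletResponse, spnegoConfig});
            Tr.error(tc, "SPNEGO_FAIL_TO_GET_WRITER", new Object[]{"SpnegoNotSupportedPage", e.getMessage()});
        }
        return new AuthenticationResult(AuthResult.TAI_CHALLENGE, "Create negotiation Http header");
    }

    /**
     * Picks the host name used for the service principal.
     *
     * <p>Returns the request's server name as-is unless canonical host names
     * are enabled, in which case it is canonicalized — except when
     * {@code allowLocalHost} is set and the name is {@code LOCAL_HOST}.
     *
     * @param httpServletRequest request whose server name is used
     * @param spnegoConfig       configuration (canonicalization / localhost flags)
     * @return the (possibly canonicalized) server name
     */
    protected String getReqHostName(HttpServletRequest httpServletRequest, SpnegoConfig spnegoConfig) {
        // Server name comes from the request itself, so it is client-influenced.
        String serverName = httpServletRequest.getServerName();
        boolean localHostExempt = spnegoConfig.getAllowLocalHost()
                && SpnegoConfigImpl.LOCAL_HOST.equalsIgnoreCase(serverName);
        if (spnegoConfig.isCanonicalHostName() && !localHostExempt) {
            return getCanonicalHostname(spnegoConfig, serverName);
        }
        return serverName;
    }

    /**
     * Resolves {@code str} to its canonical host name, consulting and filling
     * {@code hostMap}.
     *
     * <p>A miss triggers {@link InetAddress#getByName(String)} followed by
     * {@link InetAddress#getCanonicalHostName()}, i.e. a name-service lookup on
     * a request-supplied name; the result is cached via
     * {@link #cacheHostName}. On {@link UnknownHostException} the original
     * name is returned and nothing is cached.
     *
     * @param spnegoConfig configuration (only used for FFDC context here)
     * @param str          host name to canonicalize
     * @return the canonical name, or {@code str} when lookup fails
     */
    protected String getCanonicalHostname(SpnegoConfig spnegoConfig, String str) {
        String cached = this.hostMap.get(str);
        if (cached != null) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                // Was "str2 to str2" — trace now shows the original and mapped names.
                Tr.debug(tc, "CanonicalSupport has converted " + str + " to " + cached, new Object[0]);
            }
            return cached;
        }
        try {
            String canonical = InetAddress.getByName(str).getCanonicalHostName();
            return cacheHostName(str, canonical);
        } catch (UnknownHostException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.spnego.SpnegoAuthenticator", "155", this, new Object[]{spnegoConfig, str});
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(tc, "Canonical support specified but error when looking up - " + str + "failed. Aliases will not work.", new Object[0]);
                Tr.debug(tc, "getCanonicalHostname got unexpected exception: " + e, new Object[0]);
            }
            return str;
        }
    }

    /**
     * Records the mapping {@code str -> str2} in {@code hostMap}.
     *
     * @param str  original host name
     * @param str2 canonical host name
     * @return {@code str2}, for call-site chaining
     */
    protected String cacheHostName(String str, String str2) {
        this.hostMap.put(str, str2);
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(tc, "Canonicalization support will map " + str + " to " + str2, new Object[0]);
        }
        return str2;
    }

    /**
     * Replaces the host-name cache (the map is used directly, not copied).
     *
     * @param hashMap the new cache instance
     */
    protected void setHostMap(HashMap<String, String> hashMap) {
        this.hostMap = hashMap;
    }
}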
