package com.ibm.ws.security.spnego;

import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.security.auth.kerberos.Krb5Utils;
import com.ibm.ws.security.config.AuthMechanismConfig;
import com.ibm.ws.security.config.SecurityConfig;
import com.ibm.ws.security.config.SecurityObjectLocator;
import com.ibm.ws.security.util.Base64Coder;
import com.ibm.ws.webservices.engine.transport.http.HTTPConstants;
import com.ibm.wsspi.security.tai.TAIResult;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.StringTokenizer;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;

/* loaded from: input_file:wasJars/securityimpl.jar:com/ibm/ws/security/spnego/SpnegoHandler.class */
public final class SpnegoHandler {
    private static final String USER_PRINCIPAL = "com.ibm.ws.security.spnego.UserPrincipal";
    private static final String ME = SpnegoHandler.class.getName();
    private static final Logger logger = Logger.getLogger(ME, Constants.MSGS_BUNDLE);
    protected static final byte[] _SPNEGO_IOD = {6, 6, 43, 6, 1, 5, 5, 2};

    public static void initializeServerCreds(AllServerConfigs allServerConfigs) throws TAIConfigurationException {
        logger.entering(ME, "initializeServerCreds");
        ServerCredentialsFactory.initializeServerCreds(allServerConfigs);
        logger.exiting(ME, "initializeServerCreds");
    }

    public static TAIResult handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AllServerConfigs allServerConfigs) throws WebTrustAssociationFailedException {
        String str;
        if (logger.isLoggable(Level.FINER)) {
            logger.entering(ME, "handleRequest");
        }
        SecurityConfig securityConfig = SecurityObjectLocator.getSecurityConfig();
        Boolean valueOf = Boolean.valueOf(securityConfig.getTrustAssociation().getBoolean("enabled"));
        boolean z = securityConfig.getAuthMechanism(AuthMechanismConfig.TYPE_SPNEGO).getBoolean(AuthMechanismConfig.SPNEGO_ENABLED);
        boolean z2 = securityConfig.getAuthMechanism(AuthMechanismConfig.TYPE_SPNEGO).getBoolean(AuthMechanismConfig.SPNEGO_ALLOW_APP_AUTH_METHOD_FALLBACK);
        try {
            String header = httpServletRequest.getHeader("Authorization");
            String serverName = httpServletRequest.getServerName();
            if (Boolean.valueOf(securityConfig.getPropertyBool(SecurityConfig.CANONICAL_HOST)).booleanValue()) {
                try {
                    str = InetAddress.getByName(serverName).getCanonicalHostName().toLowerCase();
                } catch (UnknownHostException e) {
                    str = serverName;
                }
            } else {
                str = serverName;
            }
            if (allServerConfigs.isIncludePortInSPN()) {
                Integer num = new Integer(httpServletRequest.getServerPort());
                if (num.intValue() != 80) {
                    str = str + ":" + num.toString();
                }
            }
            if (header == null) {
                if (logger.isLoggable(Level.FINER)) {
                    logger.logp(Level.FINER, ME, "handleRequest", "No Authorization header found, sending 401 challenge to the client");
                }
                httpServletResponse.setStatus(401);
                httpServletResponse.setHeader("WWW-Authenticate", HTTPConstants.SPNEGO_NEGOTIATE);
                httpServletResponse.setContentType(allServerConfigs.getServerConfig(str).getSpnegoNotSupportedPageContentType());
                try {
                    httpServletResponse.getWriter().println(allServerConfigs.getServerConfig(str).getSpnegoNotSupportedPage());
                    httpServletResponse.getWriter().close();
                } catch (IOException e2) {
                    logger.logp(Level.FINER, ME, "handleRequest", "Error getting the HttpServletResponse's getWriter for SpnegoNotSupportedPage");
                }
                if (logger.isLoggable(Level.FINER)) {
                    logger.exiting(ME, "handleRequest: Handshake not finished");
                }
                return TAIResult.create(401);
            }
            if (isAuthHeaderNotSPNEGO(header)) {
                httpServletResponse.setStatus(401);
                try {
                    if (valueOf.booleanValue() || (!z2 && z)) {
                        httpServletResponse.setContentType(allServerConfigs.getServerConfig(str).getNtlmTokenReceivedPageContentType());
                        httpServletResponse.getWriter().println(allServerConfigs.getServerConfig(str).getNTLMTokenReceivedPage());
                        httpServletResponse.getWriter().close();
                    }
                } catch (IOException e3) {
                    if (logger.isLoggable(Level.FINER)) {
                        logger.logp(Level.FINER, ME, "handleRequest", "Error getting the HttpServletResponse's getWriter for NTLMTokenReceivedPage");
                    }
                }
                if (logger.isLoggable(Level.FINER)) {
                    logger.exiting(ME, "handleRequest: Received a non-SPNEGO Authorization Header");
                }
                return TAIResult.create(401);
            }
            if (logger.isLoggable(Level.FINER)) {
                logger.logp(Level.FINER, ME, "handleRequest", "Found Authorization header, processing SPNEGO request token..");
            }
            StringTokenizer stringTokenizer = new StringTokenizer(header);
            stringTokenizer.nextToken();
            String nextToken = stringTokenizer.nextToken();
            if (logger.isLoggable(Level.FINER)) {
                logger.logp(Level.FINER, ME, "handleRequest", "Client request token before decoding:" + Util.showHex(nextToken.getBytes()));
            }
            final byte[] base64Decode = Base64Coder.base64Decode(nextToken.getBytes());
            if (logger.isLoggable(Level.FINER)) {
                logger.logp(Level.FINER, ME, "handleRequest", "Client request token as follows...\r\n" + Util.showHex(base64Decode));
            }
            Context createContext = ServerCredentialsFactory.hasServerCredentialsFor(str) ? ServerCredentialsFactory.createContext(str) : ServerCredentialsFactory.createContext(serverName);
            if (logger.isLoggable(Level.FINER)) {
                logger.logp(Level.FINER, ME, "handleRequest", "Context.begin started.");
            }
            Subject subject = new Subject();
            final Context context = createContext;
            try {
                try {
                    byte[] bArr = (byte[]) Subject.doAsPrivileged(subject, new PrivilegedExceptionAction() { // from class: com.ibm.ws.security.spnego.SpnegoHandler.1
                        @Override // java.security.PrivilegedExceptionAction
                        public Object run() throws Exception {
                            return Context.this.begin(base64Decode);
                        }
                    }, AccessController.getContext());
                    if (logger.isLoggable(Level.FINER)) {
                        logger.logp(Level.FINER, ME, "handleRequest", "Context.begin completed.");
                    }
                    if (!createContext.isEstablished()) {
                        httpServletResponse.setStatus(401);
                        createContext.dispose();
                        if (logger.isLoggable(Level.FINER)) {
                            logger.logp(Level.FINER, ME, "handleRequest", "Error processing SPNEGO token, server response token as follows...\r\n" + Util.showHex(bArr));
                        }
                        return TAIResult.create(403);
                    }
                    if (logger.isLoggable(Level.FINER)) {
                        logger.logp(Level.FINER, ME, "handleRequest", "SPNEGO request token successfully processed.");
                    }
                    String principalName = createContext.getPrincipalName();
                    logger.logp(Level.INFO, ME, "handleRequest", "security.spnego.login", new Object[]{principalName, new Integer(header.length())});
                    if (logger.isLoggable(Level.FINER)) {
                        logger.logp(Level.FINER, ME, "handleRequest", "Kerberos client principal: " + principalName);
                    }
                    httpServletRequest.setAttribute(USER_PRINCIPAL, principalName);
                    if (bArr != null) {
                        if (logger.isLoggable(Level.FINER)) {
                            logger.logp(Level.FINER, ME, "handleRequest", "handleRequest: Sending back SPNEGO response token\nServer response token as follows...\r\n" + Util.showHex(bArr));
                        }
                        String str2 = new String(Base64Coder.base64Encode(bArr));
                        httpServletResponse.setHeader("WWW-Authenticate", "Negotiate " + str2);
                        if (logger.isLoggable(Level.FINER)) {
                            logger.logp(Level.FINER, ME, "handleRequest", "Encoded response: " + str2);
                        }
                    }
                    GSSCredential gSSCredential = null;
                    subject.getPrincipals().add(new KerberosPrincipal(principalName));
                    String trimUsername = trimUsername(httpServletRequest, principalName, allServerConfigs);
                    if (allServerConfigs.getServerConfig(str).isEnableCredDelegate()) {
                        try {
                            gSSCredential = createContext.getDelegateCred();
                            if (gSSCredential != null) {
                                subject.getPrivateCredentials().add(gSSCredential);
                                if (logger.isLoggable(Level.FINER)) {
                                    logger.logp(Level.FINER, ME, "handleRequest", "clientCredential for Principal = " + trimUsername + " has been stored in Subject = " + subject);
                                }
                            } else {
                                logger.logp(Level.WARNING, ME, "handleRequest", "security.spnego.no.delegated.credentials.found", new Object[]{principalName.toString()});
                            }
                        } catch (GSSException e4) {
                            if (logger.isLoggable(Level.FINER)) {
                                logger.logp(Level.FINER, ME, "handleRequest", "Delegated GSSCredential has not been saved in the HttpSession, GSSException: " + e4.getMessage());
                            }
                        }
                        KerberosTicket krbTicket = createContext.getKrbTicket();
                        if ((gSSCredential != null) || (krbTicket != null)) {
                            Krb5Utils.createKRBAuthnToken(krbTicket, gSSCredential, subject);
                        } else if (logger.isLoggable(Level.FINER)) {
                            logger.logp(Level.FINER, ME, "handleRequest", "No gssCred and Kerberos ticket. Can not create KRBAuthnToken");
                        }
                    }
                    TAIResult create = TAIResult.create(200, trimUsername, subject);
                    createContext.dispose();
                    logger.exiting(ME, "handleRequest", "Successful completion, HttpServletResponse.SC_OK");
                    return create;
                } catch (PrivilegedActionException e5) {
                    FFDCFilter.processException(e5, "com.ibm.ws.security.spnego.SpnegoHandler.handleRequest", "284");
                    throw new WebTrustAssociationFailedException(e5.getMessage());
                }
            } catch (Exception e6) {
                FFDCFilter.processException(e6, "com.ibm.ws.security.spnego.SpnegoHandler.handleRequest", "288");
                throw new WebTrustAssociationFailedException(e6.getMessage());
            }
        } catch (GSSException e7) {
            FFDCFilter.processException(e7, "com.ibm.ws.security.spnego.SpnegoHandler.handleRequest", "400");
            logger.logp(Level.SEVERE, ME, "handleRequest", "security.spnego.bad.token", new Object[]{"GSSException: " + e7});
            return TAIResult.create(403);
        }
        FFDCFilter.processException(e7, "com.ibm.ws.security.spnego.SpnegoHandler.handleRequest", "400");
        logger.logp(Level.SEVERE, ME, "handleRequest", "security.spnego.bad.token", new Object[]{"GSSException: " + e7});
        return TAIResult.create(403);
    }

    private static String trimUsername(HttpServletRequest httpServletRequest, String str, AllServerConfigs allServerConfigs) {
        if (logger.isLoggable(Level.FINER)) {
            logger.entering(ME, "trimUsername", "Kerberos principal name = " + str);
        }
        String serverName = httpServletRequest.getServerName();
        if (allServerConfigs.isIncludePortInSPN()) {
            Integer num = new Integer(httpServletRequest.getServerPort());
            if (num.intValue() != 80) {
                serverName = serverName + ":" + num.toString();
            }
        }
        if (logger.isLoggable(Level.FINER)) {
            logger.logp(Level.FINER, ME, "trimUsername", "serverName = " + serverName);
        }
        String str2 = str;
        boolean isTrimUserName = allServerConfigs.getServerConfig(serverName).isTrimUserName();
        if (logger.isLoggable(Level.FINER)) {
            logger.logp(Level.FINER, ME, "trimUsername", "isTrimUserName() = " + isTrimUserName);
        }
        if (isTrimUserName) {
            int indexOf = str2.indexOf("@");
            if (indexOf >= 0) {
                str2 = str2.substring(0, indexOf);
                if (logger.isLoggable(Level.FINER)) {
                    logger.logp(Level.FINER, ME, "trimUsername", "Principal name was trimmed to: " + str2);
                }
            } else if (logger.isLoggable(Level.FINER)) {
                logger.logp(Level.FINER, ME, "trimUsername", "There is nothing to trim in the principal name.");
            }
        }
        if (logger.isLoggable(Level.FINER)) {
            logger.exiting(ME, "trimUsername: " + str2);
        }
        return str2;
    }

    private static boolean isAuthHeaderNotSPNEGO(String str) {
        boolean z = false;
        if (logger.isLoggable(Level.FINER)) {
            logger.entering(ME, "isAuthHeaderNotSPNEGO", str);
        }
        if (str != null) {
            StringTokenizer stringTokenizer = new StringTokenizer(str);
            stringTokenizer.nextToken();
            String nextToken = stringTokenizer.nextToken();
            byte[] base64Decode = Base64Coder.base64Decode(nextToken.getBytes());
            byte[] bArr = {0, 0, 0, 0, 0, 0, 0, 0};
            if (nextToken.length() >= 12) {
                bArr = new byte[]{base64Decode[4], base64Decode[5], base64Decode[6], base64Decode[7], base64Decode[8], base64Decode[9], base64Decode[10], base64Decode[11]};
            }
            if (!new String(bArr).equals(new String(_SPNEGO_IOD))) {
                if (logger.isLoggable(Level.FINER)) {
                    logger.logp(Level.FINER, ME, "isAuthHeaderNotSPNEGO", "Client sent back a non-SPNEGO authentication header: " + Util.showHex(bArr) + "-" + Util.showHex(_SPNEGO_IOD) + "\nRequest: " + Util.showHex(base64Decode));
                }
                z = true;
            }
        }
        if (logger.isLoggable(Level.FINER)) {
            logger.exiting(ME, "isAuthHeaderNotSPNEGO", Boolean.toString(z));
        }
        return z;
    }
}
