package com.floragunn.dlic.auth.kerberos;

import com.floragunn.searchguard.TypedComponent;
import com.floragunn.searchguard.authc.legacy.LegacyHTTPAuthenticator;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchsupport.cstate.ComponentState;
import com.google.common.base.Strings;
import java.io.Serializable;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ExceptionsHelper;
import org.elasticsearch.SpecialPermission;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.env.Environment;
import org.elasticsearch.rest.BytesRestResponse;
import org.elasticsearch.rest.RestChannel;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xcontent.XContentBuilder;
import org.elasticsearch.xcontent.XContentFactory;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:com/floragunn/dlic/auth/kerberos/HTTPSpnegoAuthenticator.class */
public class HTTPSpnegoAuthenticator implements LegacyHTTPAuthenticator {
    private static final String EMPTY_STRING = "";
    private boolean stripRealmFromPrincipalName;
    private Set<String> acceptorPrincipal;
    private Path acceptorKeyTabPath;
    private static final Oid[] KRB_OIDS = {KrbConstants.SPNEGO, KrbConstants.KRB5MECH};
    public static TypedComponent.Info<LegacyHTTPAuthenticator> INFO = new TypedComponent.Info<LegacyHTTPAuthenticator>() { // from class: com.floragunn.dlic.auth.kerberos.HTTPSpnegoAuthenticator.4
        public Class<LegacyHTTPAuthenticator> getType() {
            return LegacyHTTPAuthenticator.class;
        }

        public String getName() {
            return "kerberos";
        }

        public TypedComponent.Factory<LegacyHTTPAuthenticator> getFactory() {
            return (docNode, context) -> {
                Settings.Builder loadFromMap = Settings.builder().loadFromMap(docNode.toMap());
                if (context.getStaticSettings() != null) {
                    loadFromMap.put(context.getStaticSettings().getPlatformSettings());
                }
                return new HTTPSpnegoAuthenticator(loadFromMap.build(), context.getStaticSettings() != null ? context.getStaticSettings().getConfigPath() : null);
            };
        }
    };
    protected final Logger log = LogManager.getLogger(getClass());
    private final ComponentState componentState = new ComponentState(0, "authentication_frontend", "kerberos", HTTPSpnegoAuthenticator.class).initialized().requiresEnterpriseLicense();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/dlic/auth/kerberos/HTTPSpnegoAuthenticator$AcceptAction.class */
    public static class AcceptAction implements PrivilegedExceptionAction<byte[]> {
        GSSContext gssContext;
        byte[] decoded;

        AcceptAction(GSSContext gSSContext, byte[] bArr) {
            this.gssContext = gSSContext;
            this.decoded = bArr;
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.security.PrivilegedExceptionAction
        public byte[] run() throws GSSException {
            return this.gssContext.acceptSecContext(this.decoded, 0, this.decoded.length);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/dlic/auth/kerberos/HTTPSpnegoAuthenticator$AuthenticateAction.class */
    public static class AuthenticateAction implements PrivilegedAction<Principal> {
        private final Logger logger;
        private final GSSContext gssContext;
        private final boolean strip;

        private AuthenticateAction(Logger logger, GSSContext gSSContext, boolean z) {
            this.logger = logger;
            this.gssContext = gSSContext;
            this.strip = z;
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.security.PrivilegedAction
        public Principal run() {
            return new SimpleUserPrincipal(HTTPSpnegoAuthenticator.getUsernameFromGSSContext(this.gssContext, this.strip, this.logger));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/dlic/auth/kerberos/HTTPSpnegoAuthenticator$SimpleUserPrincipal.class */
    public static class SimpleUserPrincipal implements Principal, Serializable {
        private static final long serialVersionUID = -1;
        private final String username;

        SimpleUserPrincipal(String str) {
            this.username = str;
        }

        @Override // java.security.Principal
        public int hashCode() {
            return (31 * 1) + (this.username == null ? 0 : this.username.hashCode());
        }

        @Override // java.security.Principal
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (obj == null || getClass() != obj.getClass()) {
                return false;
            }
            SimpleUserPrincipal simpleUserPrincipal = (SimpleUserPrincipal) obj;
            return this.username == null ? simpleUserPrincipal.username == null : this.username.equals(simpleUserPrincipal.username);
        }

        @Override // java.security.Principal
        public String getName() {
            return this.username;
        }

        @Override // java.security.Principal
        public String toString() {
            return "[principal: " + this.username + "]";
        }
    }

    public HTTPSpnegoAuthenticator(final Settings settings, Path path) {
        try {
            final Path configFile = new Environment(settings, path).configFile();
            final String str = settings.get("searchguard.kerberos.krb5_filepath");
            SecurityManager securityManager = System.getSecurityManager();
            if (securityManager != null) {
                securityManager.checkPermission(new SpecialPermission());
            }
            AccessController.doPrivileged(new PrivilegedAction<Void>() { // from class: com.floragunn.dlic.auth.kerberos.HTTPSpnegoAuthenticator.1
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedAction
                public Void run() {
                    try {
                        if (settings.getAsBoolean("krb_debug", false).booleanValue()) {
                            JaasKrbUtil.setDebug(true);
                            System.setProperty("sun.security.krb5.debug", "true");
                            System.setProperty("java.security.debug", "gssloginconfig,logincontext,configparser,configfile");
                            System.setProperty("sun.security.spnego.debug", "true");
                            System.out.println("Kerberos debug is enabled");
                            System.err.println("Kerberos debug is enabled");
                            HTTPSpnegoAuthenticator.this.log.info("Kerberos debug is enabled on stdout");
                        } else {
                            HTTPSpnegoAuthenticator.this.log.debug("Kerberos debug is NOT enabled");
                        }
                    } catch (Throwable th) {
                        HTTPSpnegoAuthenticator.this.log.error("Unable to enable krb_debug due to ", th);
                        System.err.println("Unable to enable krb_debug due to " + ExceptionsHelper.stackTrace(th));
                        System.out.println("Unable to enable krb_debug due to " + ExceptionsHelper.stackTrace(th));
                    }
                    System.setProperty(KrbConstants.USE_SUBJECT_CREDS_ONLY_PROP, "false");
                    String str2 = str;
                    if (!Strings.isNullOrEmpty(str2)) {
                        if (Paths.get(str2, new String[0]).isAbsolute()) {
                            HTTPSpnegoAuthenticator.this.log.debug("krb5_filepath: {}", str2);
                            System.setProperty(KrbConstants.KRB5_CONF_PROP, str2);
                        } else {
                            str2 = configFile.resolve(str2).toAbsolutePath().toString();
                            HTTPSpnegoAuthenticator.this.log.debug("krb5_filepath (resolved from {}): {}", configFile, str2);
                        }
                        System.setProperty(KrbConstants.KRB5_CONF_PROP, str2);
                    } else if (Strings.isNullOrEmpty(System.getProperty(KrbConstants.KRB5_CONF_PROP))) {
                        System.setProperty(KrbConstants.KRB5_CONF_PROP, "/etc/krb5.conf");
                        HTTPSpnegoAuthenticator.this.log.debug("krb5_filepath (was not set or configured, set to default): /etc/krb5.conf");
                    }
                    HTTPSpnegoAuthenticator.this.stripRealmFromPrincipalName = settings.getAsBoolean("strip_realm_from_principal", true).booleanValue();
                    HTTPSpnegoAuthenticator.this.acceptorPrincipal = new HashSet(settings.getAsList("searchguard.kerberos.acceptor_principal", Collections.emptyList()));
                    String str3 = settings.get("searchguard.kerberos.acceptor_keytab_filepath");
                    if (HTTPSpnegoAuthenticator.this.acceptorPrincipal == null || HTTPSpnegoAuthenticator.this.acceptorPrincipal.size() == 0) {
                        HTTPSpnegoAuthenticator.this.log.error("acceptor_principal must not be null or empty. Kerberos authentication will not work");
                        HTTPSpnegoAuthenticator.this.acceptorPrincipal = null;
                    }
                    if (str3 == null || str3.length() == 0) {
                        HTTPSpnegoAuthenticator.this.log.error("searchguard.kerberos.acceptor_keytab_filepath must not be null or empty. Kerberos authentication will not work");
                        HTTPSpnegoAuthenticator.this.acceptorKeyTabPath = null;
                        return null;
                    }
                    HTTPSpnegoAuthenticator.this.acceptorKeyTabPath = configFile.resolve(settings.get("searchguard.kerberos.acceptor_keytab_filepath"));
                    if (Files.exists(HTTPSpnegoAuthenticator.this.acceptorKeyTabPath, new LinkOption[0])) {
                        return null;
                    }
                    HTTPSpnegoAuthenticator.this.log.error("Unable to read keytab from {} - Maybe the file does not exist or is not readable. Kerberos authentication will not work", HTTPSpnegoAuthenticator.this.acceptorKeyTabPath);
                    HTTPSpnegoAuthenticator.this.acceptorKeyTabPath = null;
                    return null;
                }
            });
            this.log.debug("strip_realm_from_principal {}", Boolean.valueOf(this.stripRealmFromPrincipalName));
            this.log.debug("acceptor_principal {}", this.acceptorPrincipal);
            this.log.debug("acceptor_keytab_filepath {}", this.acceptorKeyTabPath);
        } catch (Throwable th) {
            this.log.error("Cannot construct HTTPSpnegoAuthenticator due to {}", th.getMessage(), th);
            this.log.error("Please make sure you configured 'searchguard.kerberos.acceptor_keytab_filepath' realtive to the ES config/ dir!");
            throw th;
        }
    }

    public AuthCredentials extractCredentials(final RestRequest restRequest, ThreadContext threadContext) {
        SecurityManager securityManager = System.getSecurityManager();
        if (securityManager != null) {
            securityManager.checkPermission(new SpecialPermission());
        }
        return (AuthCredentials) AccessController.doPrivileged(new PrivilegedAction<AuthCredentials>() { // from class: com.floragunn.dlic.auth.kerberos.HTTPSpnegoAuthenticator.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public AuthCredentials run() {
                return HTTPSpnegoAuthenticator.this.extractCredentials0(restRequest);
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public AuthCredentials extractCredentials0(RestRequest restRequest) {
        if (this.acceptorPrincipal == null || this.acceptorKeyTabPath == null) {
            this.log.error("Missing acceptor principal or keytab configuration. Kerberos authentication will not work");
            return null;
        }
        String header = restRequest.header("Authorization");
        if (header == null) {
            this.log.trace("No 'Authorization' header, send 401 and 'WWW-Authenticate Negotiate'");
            return null;
        }
        if (!header.trim().toLowerCase().startsWith("negotiate ")) {
            this.log.warn("No 'Negotiate Authorization' header, send 401 and 'WWW-Authenticate Negotiate'");
            return null;
        }
        byte[] decode = Base64.getDecoder().decode(header.substring(10));
        GSSContext gSSContext = null;
        try {
            try {
                try {
                    Subject loginUsingKeytab = JaasKrbUtil.loginUsingKeytab(this.acceptorPrincipal, this.acceptorKeyTabPath, false);
                    final GSSManager gSSManager = GSSManager.getInstance();
                    GSSContext createContext = gSSManager.createContext((GSSCredential) Subject.doAs(loginUsingKeytab, new PrivilegedExceptionAction<GSSCredential>() { // from class: com.floragunn.dlic.auth.kerberos.HTTPSpnegoAuthenticator.3
                        /* JADX WARN: Can't rename method to resolve collision */
                        @Override // java.security.PrivilegedExceptionAction
                        public GSSCredential run() throws GSSException {
                            return gSSManager.createCredential((GSSName) null, Integer.MAX_VALUE, HTTPSpnegoAuthenticator.KRB_OIDS, 2);
                        }
                    }));
                    byte[] bArr = (byte[]) Subject.doAs(loginUsingKeytab, new AcceptAction(createContext, decode));
                    if (bArr == null) {
                        this.log.warn("Ticket validation not successful, outToken is null");
                        if (createContext != null) {
                            try {
                                createContext.dispose();
                            } catch (GSSException e) {
                            }
                        }
                        return null;
                    }
                    Principal principal = (Principal) Subject.doAs(loginUsingKeytab, new AuthenticateAction(this.log, createContext, this.stripRealmFromPrincipalName));
                    if (createContext != null) {
                        try {
                            createContext.dispose();
                        } catch (GSSException e2) {
                        }
                    }
                    if (principal == null) {
                        return AuthCredentials.forUser("_incomplete_").authenticatorType(getType()).nativeCredentials(bArr).build();
                    }
                    String name = ((SimpleUserPrincipal) principal).getName();
                    if (name == null || name.length() == 0) {
                        return null;
                    }
                    return AuthCredentials.forUser(name).authenticatorType(getType()).nativeCredentials(bArr).complete().build();
                } catch (Throwable th) {
                    if (0 != 0) {
                        try {
                            gSSContext.dispose();
                        } catch (GSSException e3) {
                        }
                    }
                    throw th;
                }
            } catch (PrivilegedActionException e4) {
                if (e4.getCause() instanceof GSSException) {
                    this.log.info("Service login not successful due to", e4);
                } else {
                    this.log.error("Service login not successful due to", e4);
                }
                if (0 != 0) {
                    try {
                        gSSContext.dispose();
                    } catch (GSSException e5) {
                    }
                }
                return null;
            }
        } catch (LoginException e6) {
            this.log.error("Login exception due to", e6);
            if (0 != 0) {
                try {
                    gSSContext.dispose();
                } catch (GSSException e7) {
                }
            }
            return null;
        } catch (GSSException e8) {
            this.log.error("Ticket validation not successful due to", e8);
            if (0 != 0) {
                try {
                    gSSContext.dispose();
                } catch (GSSException e9) {
                }
            }
            return null;
        }
    }

    public boolean reRequestAuthentication(RestChannel restChannel, AuthCredentials authCredentials) {
        XContentBuilder negotiateResponseBody = getNegotiateResponseBody();
        BytesRestResponse bytesRestResponse = negotiateResponseBody != null ? new BytesRestResponse(RestStatus.UNAUTHORIZED, negotiateResponseBody) : new BytesRestResponse(RestStatus.UNAUTHORIZED, EMPTY_STRING);
        if (authCredentials == null || authCredentials.getNativeCredentials() == null) {
            bytesRestResponse.addHeader(KrbConstants.WWW_AUTHENTICATE, KrbConstants.NEGOTIATE);
        } else {
            bytesRestResponse.addHeader(KrbConstants.WWW_AUTHENTICATE, "Negotiate " + Base64.getEncoder().encodeToString((byte[]) authCredentials.getNativeCredentials()));
        }
        restChannel.sendResponse(bytesRestResponse);
        return true;
    }

    public String getType() {
        return "spnego";
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String getUsernameFromGSSContext(GSSContext gSSContext, boolean z, Logger logger) {
        if (!gSSContext.isEstablished()) {
            logger.error("GSS context not established");
            return null;
        }
        GSSName gSSName = null;
        try {
            gSSName = gSSContext.getSrcName();
        } catch (GSSException e) {
            logger.error("Unable to get src name from gss context", e);
        }
        if (gSSName != null) {
            return stripRealmName(gSSName.toString(), z);
        }
        logger.error("GSS name is null");
        return null;
    }

    private XContentBuilder getNegotiateResponseBody() {
        try {
            XContentBuilder jsonBuilder = XContentFactory.jsonBuilder();
            jsonBuilder.startObject();
            jsonBuilder.field("error");
            jsonBuilder.startObject();
            jsonBuilder.field("header");
            jsonBuilder.startObject();
            jsonBuilder.field(KrbConstants.WWW_AUTHENTICATE, KrbConstants.NEGOTIATE);
            jsonBuilder.endObject();
            jsonBuilder.endObject();
            jsonBuilder.endObject();
            return jsonBuilder;
        } catch (Exception e) {
            this.log.error("Can't construct response body", e);
            return null;
        }
    }

    private static String stripRealmName(String str, boolean z) {
        int indexOf;
        if (z && str != null && (indexOf = str.indexOf(64)) > 0) {
            str = str.substring(0, indexOf);
        }
        return str;
    }

    public String getChallenge(AuthCredentials authCredentials) {
        return (authCredentials == null || authCredentials.getNativeCredentials() == null) ? KrbConstants.NEGOTIATE : "Negotiate " + Base64.getEncoder().encodeToString((byte[]) authCredentials.getNativeCredentials());
    }

    public ComponentState getComponentState() {
        return this.componentState;
    }
}
