package org.apache.knox.gateway.topology.discovery.cm.auth;

import com.squareup.okhttp.Authenticator;
import com.squareup.okhttp.Interceptor;
import com.squareup.okhttp.Request;
import com.squareup.okhttp.Response;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Proxy;
import java.net.UnknownHostException;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Base64;
import java.util.Locale;
import java.util.Objects;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/apache/knox/gateway/topology/discovery/cm/auth/SpnegoAuthInterceptor.class */
public class SpnegoAuthInterceptor implements Interceptor, Authenticator {
    private static final String NEGOTIATE = "Negotiate";
    private static final GSSManager GSS_MANAGER = GSSManager.getInstance();
    private static final Oid SPNEGO_OID = createOid("1.3.6.1.5.5.2");
    private static final Oid KERBEROS_OID = createOid("1.2.840.113554.1.2.2");
    private static final String DEFAULT_REMOTE_SERVICE_NAME = "HTTP";
    private static final int CREDENTIAL_EXPIRATION_THRESHOLD = 60;
    private final String remoteServiceName;
    private final boolean useCanonicalHostname;
    private Subject subject;
    private GSSCredentialSession credentialSession;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/knox/gateway/topology/discovery/cm/auth/SpnegoAuthInterceptor$GSSCredentialSession.class */
    public static class GSSCredentialSession {
        private final GSSCredential clientCredential;

        GSSCredentialSession(GSSCredential gSSCredential) {
            Objects.requireNonNull(gSSCredential, "gssCredential is null");
            this.clientCredential = gSSCredential;
        }

        GSSCredential getClientCredential() {
            return this.clientCredential;
        }

        public boolean needsRefresh() throws GSSException {
            return this.clientCredential.getRemainingLifetime() < SpnegoAuthInterceptor.CREDENTIAL_EXPIRATION_THRESHOLD;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/knox/gateway/topology/discovery/cm/auth/SpnegoAuthInterceptor$GssSupplier.class */
    public interface GssSupplier<T> {
        T get() throws GSSException;
    }

    public SpnegoAuthInterceptor(Subject subject) {
        this(subject, DEFAULT_REMOTE_SERVICE_NAME);
    }

    public SpnegoAuthInterceptor(Subject subject, String str) {
        this(subject, str, true);
    }

    public SpnegoAuthInterceptor(Subject subject, String str, boolean z) {
        this.subject = subject;
        this.remoteServiceName = str;
        this.useCanonicalHostname = z;
    }

    public Response intercept(Interceptor.Chain chain) throws IOException {
        try {
            return chain.proceed(authenticate(chain.request()));
        } catch (Exception e) {
            return chain.proceed(chain.request());
        }
    }

    private static boolean isNegotiate(String str) {
        String[] split = str.split("\\s+");
        return split.length == 2 && split[1].equalsIgnoreCase(NEGOTIATE);
    }

    public Request authenticate(Proxy proxy, Response response) throws IOException {
        if (response.request().headers("Authorization").stream().anyMatch(SpnegoAuthInterceptor::isNegotiate) || response.headers("WWW-Authenticate").stream().noneMatch(SpnegoAuthInterceptor::isNegotiate)) {
            return null;
        }
        return authenticate(response.request());
    }

    public Request authenticateProxy(Proxy proxy, Response response) throws IOException {
        return null;
    }

    private Request authenticate(Request request) {
        return request.newBuilder().header("Authorization", String.format(Locale.getDefault(), "%s %s", NEGOTIATE, Base64.getEncoder().encodeToString(generateToken(defineServicePrincipal(this.remoteServiceName, request.url().getHost(), this.useCanonicalHostname))))).build();
    }

    private byte[] generateToken(String str) {
        GSSContext gSSContext = null;
        try {
            try {
                GSSCredentialSession credentialSession = getCredentialSession();
                gSSContext = (GSSContext) doAs(this.subject, () -> {
                    GSSContext createContext = GSS_MANAGER.createContext(GSS_MANAGER.createName(str, GSSName.NT_HOSTBASED_SERVICE), SPNEGO_OID, credentialSession.getClientCredential(), Integer.MAX_VALUE);
                    createContext.requestMutualAuth(true);
                    createContext.requestConf(true);
                    createContext.requestInteg(true);
                    createContext.requestCredDeleg(false);
                    return createContext;
                });
                byte[] initSecContext = gSSContext.initSecContext(new byte[0], 0, 0);
                if (initSecContext == null) {
                    throw new LoginException("No token generated from GSS context");
                }
                if (gSSContext != null) {
                    try {
                        gSSContext.dispose();
                    } catch (GSSException e) {
                    }
                }
                return initSecContext;
            } catch (GSSException | LoginException e2) {
                throw new RuntimeException(String.format(Locale.getDefault(), "Kerberos error for [%s]: %s", str, e2.getMessage()), e2);
            }
        } catch (Throwable th) {
            if (gSSContext != null) {
                try {
                    gSSContext.dispose();
                } catch (GSSException e3) {
                    throw th;
                }
            }
            throw th;
        }
    }

    private synchronized GSSCredentialSession getCredentialSession() throws GSSException {
        if (this.credentialSession == null || this.credentialSession.needsRefresh()) {
            this.credentialSession = createCredentialSession();
        }
        return this.credentialSession;
    }

    private GSSCredentialSession createCredentialSession() throws GSSException {
        Principal next = this.subject.getPrincipals().iterator().next();
        return new GSSCredentialSession((GSSCredential) doAs(this.subject, () -> {
            return GSS_MANAGER.createCredential(GSS_MANAGER.createName(next.getName(), GSSName.NT_USER_NAME), 0, KERBEROS_OID, 1);
        }));
    }

    private static String defineServicePrincipal(String str, String str2, boolean z) {
        return String.format(Locale.getDefault(), "%s@%s", str, (z ? getCanonicalHostName(str2) : str2).toLowerCase(Locale.US));
    }

    private static String getCanonicalHostName(String str) {
        try {
            InetAddress byName = InetAddress.getByName(str);
            return "localhost".equalsIgnoreCase(byName.getHostName()) ? InetAddress.getLocalHost().getCanonicalHostName() : byName.getCanonicalHostName();
        } catch (UnknownHostException e) {
            throw new RuntimeException("Failed to resolve host: " + str, e);
        }
    }

    private static <T> T doAs(Subject subject, GssSupplier<T> gssSupplier) throws GSSException {
        try {
            gssSupplier.getClass();
            return (T) Subject.doAs(subject, gssSupplier::get);
        } catch (PrivilegedActionException e) {
            GSSException cause = e.getCause();
            if (cause instanceof GSSException) {
                throw cause;
            }
            if (cause instanceof Error) {
                throw ((Error) cause);
            }
            if (cause instanceof RuntimeException) {
                throw ((RuntimeException) cause);
            }
            throw new RuntimeException((Throwable) cause);
        }
    }

    private static Oid createOid(String str) {
        try {
            return new Oid(str);
        } catch (GSSException e) {
            throw new AssertionError(e);
        }
    }
}
