package com.hortonworks.registries.auth.server;

import com.hortonworks.registries.auth.client.AuthenticationException;
import com.hortonworks.registries.auth.util.KerberosName;
import com.hortonworks.registries.auth.util.Utils;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Properties;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.kerberos.authentication.KerberosAuthenticationProvider;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosClient;

/* loaded from: input_file:com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler.class */
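/**
 * Authentication handler that accepts a Kerberos user name and password sent as HTTP Basic
 * credentials and, when enabled, falls back to the SPNEGO sequence of the parent handler.
 *
 * <p>Credentials are only considered on a {@code POST} request that the servlet container reports
 * as secure. The password is validated through a {@link KerberosAuthenticationProvider}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Neither the raw {@code Authorization} header nor the decoded password may ever be logged.</li>
 *   <li>The password is held in an immutable {@code String}, so it cannot be wiped after use.</li>
 *   <li>{@code isSecure()} reflects what the container sees; NOTE(review): behind a TLS-terminating
 *       proxy, confirm the container is configured to report the original scheme.</li>
 * </ul>
 */
public class KerberosBasicAuthenticationHandler extends KerberosAuthenticationHandler {
    public static final String LOGIN_ENABLED_CONFIG = "login.enabled";
    public static final String SPNEGO_ENABLED_CONFIG = "spnego.enabled";
    public static final String TYPE = "kerberos-login";
    public static final String AUTHORIZATION_HEADER = "Authorization";
    public static final String BASIC_AUTHENTICATION = "Basic";
    private static final Logger LOG = LoggerFactory.getLogger(KerberosBasicAuthenticationHandler.class);
    private static final String HTTP_LOGIN_METHOD = "POST";
    private KerberosAuthenticationProvider provider;
    private boolean spnegoEnabled;

    /* loaded from: input_file:com/hortonworks/registries/auth/server/KerberosBasicAuthenticationHandler$KerberosUserDetailsService.class */
    /**
     * Supplies a fixed {@link UserDetails} for whatever user name it is given.
     *
     * <p>No user store is consulted: every name maps to an enabled, non-expired, non-locked user
     * with the single authority {@code ROLE_USER} and a placeholder password. Account disabling or
     * locking is therefore not enforced at this layer.
     */
    class KerberosUserDetailsService implements UserDetailsService {
        KerberosUserDetailsService() {
        }

        /**
         * Builds the user details for {@code str}.
         *
         * @param str the user name handed over by the authentication provider
         * @return a user carrying {@code ROLE_USER}; the password field is the literal
         *     {@code "notUsed"} and is not a credential
         */
        @Override // org.springframework.security.core.userdetails.UserDetailsService
        public UserDetails loadUserByUsername(String str) throws UsernameNotFoundException {
            return new User(str, "notUsed", true, true, true, true, AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
    }

    KerberosBasicAuthenticationHandler() {
    }

    /**
     * Returns the handler type identifier.
     *
     * @return {@link #TYPE}
     */
    @Override // com.hortonworks.registries.auth.server.KerberosAuthenticationHandler, com.hortonworks.registries.auth.server.AuthenticationHandler
    public String getType() {
        return TYPE;
    }

    /**
     * Reads the {@value #SPNEGO_ENABLED_CONFIG} property (default {@code true}), initializes the
     * parent handler only when SPNEGO is enabled, and creates the Kerberos login provider.
     *
     * @param properties handler configuration
     * @throws ServletException if the provider cannot be created; the cause is preserved
     */
    @Override // com.hortonworks.registries.auth.server.KerberosAuthenticationHandler, com.hortonworks.registries.auth.server.AuthenticationHandler
    public void init(Properties properties) throws ServletException {
        this.spnegoEnabled = Boolean.parseBoolean(properties.getProperty(SPNEGO_ENABLED_CONFIG, Boolean.TRUE.toString()));
        if (this.spnegoEnabled) {
            super.init(properties);
        }
        try {
            SunJaasKerberosClient kerberosClient = new SunJaasKerberosClient();
            if (LOG.isDebugEnabled()) {
                // NOTE(review): this switches on the Kerberos client's own debug output; confirm
                // where that output goes and that it is acceptable for production log sinks.
                kerberosClient.setDebug(true);
            }
            KerberosAuthenticationProvider kerberosProvider = new KerberosAuthenticationProvider();
            kerberosProvider.setKerberosClient(kerberosClient);
            kerberosProvider.setUserDetailsService(new KerberosUserDetailsService());
            // Publish the provider only once it is fully configured.
            this.provider = kerberosProvider;
        } catch (Exception e) {
            LOG.error("Failed to initialize the Kerberos Login Authentication Handler.", e);
            throw new ServletException(e);
        }
    }

    /** Nothing is released here; the parent's {@code destroy()} is intentionally not invoked. */
    @Override // com.hortonworks.registries.auth.server.KerberosAuthenticationHandler, com.hortonworks.registries.auth.server.AuthenticationHandler
    public void destroy() {
    }

    /**
     * Tries the user name/password login first and, if that yields no token and SPNEGO is enabled,
     * delegates to the parent handler.
     *
     * <p>Any exception raised by the login attempt is logged and treated as a failed login so that
     * the SPNEGO fallback still runs. The response status is set to 401 in that case, matching
     * every other failure path of the login attempt.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response whose status is updated
     * @return the token of the authenticated user, or {@code null} if authentication did not succeed
     * @throws IOException propagated from the parent handler
     * @throws AuthenticationException propagated from the parent handler
     */
    @Override // com.hortonworks.registries.auth.server.KerberosAuthenticationHandler, com.hortonworks.registries.auth.server.AuthenticationHandler
    public AuthenticationToken authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        AuthenticationToken authenticationToken = null;
        try {
            authenticationToken = kerberosLogin(httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            LOG.error("Exception while attempting Basic Authentication.", e);
            // Do not leave the status untouched when the login attempt blew up half-way.
            httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        }
        if (authenticationToken == null && this.spnegoEnabled) {
            LOG.debug("Attempting SPNEGO authentication sequence as kerberos login failed.");
            authenticationToken = super.authenticate(httpServletRequest, httpServletResponse);
        }
        return authenticationToken;
    }

    /**
     * Validates HTTP Basic credentials against Kerberos.
     *
     * <p>The attempt is refused with status 401 unless the request is a secure {@code POST} whose
     * {@code Authorization} header starts with {@value #BASIC_AUTHENTICATION}. Malformed Base64 and
     * credentials without a user-id or password are refused the same way instead of surfacing as
     * runtime exceptions.
     *
     * @return the authenticated token, or {@code null} after setting status 401
     * @throws IOException declared for the calls that derive the short name of the principal
     */
    private AuthenticationToken kerberosLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (this.provider == null) {
            LOG.error("The Kerberos authentication provider is not initialized.");
            return unauthorized(httpServletResponse);
        }
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        if (!HTTP_LOGIN_METHOD.equals(httpServletRequest.getMethod()) || !httpServletRequest.isSecure() || header == null || !header.startsWith(BASIC_AUTHENTICATION)) {
            // Only the shape of the request is logged, never the header value itself.
            LOG.debug("Kerberos Login is not attempted because method: {}, secure: {}, authorization is empty: {}", httpServletRequest.getMethod(), httpServletRequest.isSecure(), header == null || header.isEmpty());
            return unauthorized(httpServletResponse);
        }

        // Strip the scheme by position. Splitting on the word "Basic" would also cut inside the
        // Base64 payload (its alphabet contains those letters) and fails on a bare "Basic" header.
        String encodedCredentials = header.substring(BASIC_AUTHENTICATION.length()).trim();
        String credentials;
        try {
            credentials = new String(Base64.getDecoder().decode(encodedCredentials), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            // Client-controlled garbage: report it quietly and without echoing any of the input.
            LOG.debug("The Authorization header does not carry valid Base64 credentials.");
            return unauthorized(httpServletResponse);
        }

        // The user-id ends at the FIRST colon; everything after it is the password, which may
        // itself contain colons.
        int separator = credentials.indexOf(':');
        if (separator <= 0 || separator == credentials.length() - 1) {
            LOG.error("Malformed login credentials in the Authorization header: a user-id and a password separated by ':' are required.");
            return unauthorized(httpServletResponse);
        }
        String userName = credentials.substring(0, separator);
        String password = credentials.substring(separator + 1);

        KerberosName kerberosName = new KerberosName(userName);
        UsernamePasswordAuthenticationToken loginRequest = new UsernamePasswordAuthenticationToken(getUserIdentity(kerberosName, userName), password);
        LOG.debug("Created authentication token for principal {} with name {} and is authenticated {}", loginRequest.getPrincipal(), loginRequest.getName(), loginRequest.isAuthenticated());

        Authentication authentication = null;
        try {
            authentication = this.provider.authenticate(loginRequest);
        } catch (BadCredentialsException e) {
            LOG.debug("Bad credentials provided", e);
        } catch (org.springframework.security.core.AuthenticationException e2) {
            LOG.error("Kerberos login failed.", e2);
        }
        if (authentication == null) {
            return unauthorized(httpServletResponse);
        }
        LOG.debug("Ran provider.authenticate() and returned authentication for principal {} with name {} and is authenticated {}", authentication.getPrincipal(), authentication.getName(), authentication.isAuthenticated());
        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        return new AuthenticationToken(kerberosName.getShortName(), authentication.getName(), getType());
    }

    /** Marks the response as 401 and yields the "no token" result used by every failure path. */
    private static AuthenticationToken unauthorized(HttpServletResponse httpServletResponse) {
        httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return null;
    }

    /**
     * Chooses the identity string that is handed to the Kerberos provider.
     *
     * @param kerberosName the parsed form of {@code str}
     * @param str the user name exactly as supplied by the client
     * @return {@code str} unchanged when it already names a realm or no default realm is known,
     *     otherwise {@code str + "@" + defaultRealm}
     */
    private String getUserIdentity(KerberosName kerberosName, String str) {
        String defaultRealm = kerberosName.getDefaultRealm();
        if (!Utils.isBlank(kerberosName.getRealm())) {
            LOG.debug("Realm was specified in principal {}, default realm was not added to the identity being authenticated", str);
            return str;
        }
        if (Utils.isBlank(defaultRealm)) {
            LOG.debug("Realm was not specified in principal {}, default realm is blank and was not added to the identity being authenticated", str);
            return str;
        }
        LOG.debug("Realm was not specified in principal {}, default realm {} was added to the identity being authenticated", str, defaultRealm);
        return str + "@" + defaultRealm;
    }
}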
