package com.mapr.admin.security;

import com.ibm.icu.text.PluralRules;
import com.mapr.admin.Constants;
import com.mapr.security.ClusterServerTicketGeneration;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;

/* loaded from: input_file:com/mapr/admin/security/MultiAuthProcessingFilter.class */
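/**
 * Servlet filter that authenticates a request from its {@code Authorization} header.
 *
 * <p>Three credential schemes are recognised, each wrapped in its own token type and handed to the
 * configured {@link AuthenticationManager}:
 * <ul>
 *   <li>{@code Negotiate} / {@code Kerberos} - Base64-decoded into a {@link KerberosServiceRequestToken};</li>
 *   <li>{@code Bearer} - wrapped in a {@code JwtAuthToken}, unless the request URL contains
 *       {@code Constants.MOSS_SERVICE_NAME};</li>
 *   <li>{@code MAPR-Negotiate} - wrapped in a {@code MapRTicketToken}.</li>
 * </ul>
 * Requests with no {@code Authorization} header, or with an unrecognised scheme, are passed down the
 * chain without being authenticated by this filter.
 *
 * <p>The raw {@code Authorization} header is a credential and is never written to the log by this class.
 */
public class MultiAuthProcessingFilter extends GenericFilterBean {
    private static final Logger log = LogManager.getLogger(MultiAuthProcessingFilter.class);
    private static final String IMPERSONATED_USER_HEADER = "X-MAPR-IMPERSONATED-USER";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String MAPR_NEGOTIATE_SCHEME = "MAPR-Negotiate";
    private AuthenticationManager authenticationManager;
    private AuthenticationFailureHandler failureHandler;
    private AuthenticationSuccessHandler successHandler;
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    // This class exposes no setter for the session strategy, so the no-op strategy is always used:
    // the filter itself performs no session handling after a successful authentication.
    private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();
    private boolean skipIfAlreadyAuthenticated = true;

    /**
     * Authenticates the request according to the scheme of its {@code Authorization} header and
     * then continues the filter chain.
     *
     * <p>Every branch returns once it has either handed the request to the chain or written a
     * failure response, so the chain is invoked at most once per request and a request without an
     * {@code Authorization} header never reaches the MAPR-Negotiate handling.
     *
     * @param servletRequest  the incoming request; cast to {@link HttpServletRequest}
     * @param servletResponse the outgoing response; cast to {@link HttpServletResponse}
     * @param filterChain     the remaining filter chain
     * @throws IOException      if a handler, the response or the chain fails with an I/O error
     * @throws ServletException if a handler or the chain fails
     */
    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        log.debug("requestURL:{}", request.getRequestURL());

        if (this.skipIfAlreadyAuthenticated) {
            Authentication existing = SecurityContextHolder.getContext().getAuthentication();
            if (existing != null && !(existing instanceof AnonymousAuthenticationToken) && existing.isAuthenticated()) {
                filterChain.doFilter(request, response);
                return;
            }
        }

        String header = request.getHeader(AUTHORIZATION_HEADER);
        if (header == null) {
            // No credentials presented: leave the decision to the rest of the chain.
            filterChain.doFilter(request, response);
            return;
        }
        if (header.startsWith("Negotiate ") || header.startsWith("Kerberos ")) {
            authenticateKerberos(header, request, response, filterChain);
            return;
        }
        if (header.startsWith(MAPR_NEGOTIATE_SCHEME)) {
            authenticateMaprTicket(header, request, response, filterChain);
            return;
        }
        // NOTE(review): this is a substring match on the whole request URL (scheme, host and path).
        // Any URL containing the MOSS service name skips bearer validation here and is passed down
        // the chain unauthenticated by this filter - confirm that a downstream component enforces
        // authentication for those requests, and consider matching a specific path prefix instead.
        if (header.startsWith("Bearer ") && !request.getRequestURL().toString().contains(Constants.MOSS_SERVICE_NAME)) {
            authenticateBearer(header, request, response, filterChain);
            return;
        }
        filterChain.doFilter(request, response);
    }

    /** Handles a {@code Negotiate}/{@code Kerberos} header: authenticates it and continues the chain on success. */
    private void authenticateKerberos(String header, HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {
        // The header value is a credential; only the request URL is logged.
        log.debug("Received Negotiate Header for request {}", request.getRequestURL());
        // NOTE(review): decoding happens outside the try block, so an unchecked exception from a
        // malformed Base64 value would propagate out of the filter - confirm how that is mapped.
        byte[] kerberosTicket = Base64.decode(header.substring(header.indexOf(' ') + 1).getBytes(StandardCharsets.UTF_8));
        KerberosServiceRequestToken token = new KerberosServiceRequestToken(kerberosTicket);
        token.setDetails(this.authenticationDetailsSource.buildDetails(request));
        try {
            completeAuthentication(this.authenticationManager.authenticate(token), request, response);
            // The chain runs inside the try, so an AuthenticationException raised further down the
            // chain is also reported through the failure path below.
            filterChain.doFilter(request, response);
        } catch (AuthenticationException e) {
            log.warn("Negotiate Header was invalid (credential not logged)", e);
            SecurityContextHolder.clearContext();
            if (this.failureHandler != null) {
                this.failureHandler.onAuthenticationFailure(request, response, e);
            } else {
                // NOTE(review): an authentication failure is answered with 500 when no failure
                // handler is configured; kept as-is because clients may depend on it.
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                response.flushBuffer();
            }
        }
    }

    /** Handles a {@code Bearer} header: authenticates the token and continues the chain on success. */
    private void authenticateBearer(String header, HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {
        // The bearer token is a credential; only the request URL is logged.
        log.debug("Received Bearer Header for request {}", request.getRequestURL());
        try {
            JwtAuthToken token = new JwtAuthToken(header.substring(header.indexOf(' ') + 1));
            token.setDetails(this.authenticationDetailsSource.buildDetails(request));
            completeAuthentication(this.authenticationManager.authenticate(token), request, response);
        } catch (AuthenticationException e) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            log.error("Bearer Header is invalid: ", e);
            SecurityContextHolder.clearContext();
            if (this.failureHandler != null) {
                this.failureHandler.onAuthenticationFailure(request, response, e);
            } else {
                // The exception message is returned to the client; providers should keep it free
                // of internal detail.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, e.getMessage());
                response.flushBuffer();
            }
            return;
        }
        filterChain.doFilter(request, response);
    }

    /** Handles a {@code MAPR-Negotiate} header: authenticates the ticket and continues the chain on success. */
    private void authenticateMaprTicket(String header, HttpServletRequest request, HttpServletResponse response,
            FilterChain filterChain) throws IOException, ServletException {
        // The ticket is a credential; only the request URL is logged.
        log.debug("Received MAPR-Negotiate Header for request {}", request.getRequestURL());
        ClusterServerTicketGeneration.getInstance().generateTicketAndSetServerKey();
        // Only the presence of the impersonation header is passed on. The header is supplied by the
        // client, so whether the authenticated principal may impersonate another user has to be
        // enforced by the authentication provider or downstream - that check is not visible here.
        boolean impersonationRequested = StringUtils.isNotBlank(request.getHeader(IMPERSONATED_USER_HEADER));
        // Explicit charset so the ticket bytes do not depend on the platform default encoding.
        byte[] ticket = header.substring(MAPR_NEGOTIATE_SCHEME.length()).trim().getBytes(StandardCharsets.UTF_8);
        MapRTicketToken token = new MapRTicketToken(ticket, impersonationRequested);
        token.setDetails(this.authenticationDetailsSource.buildDetails(request));
        try {
            Authentication authenticated = this.authenticationManager.authenticate(token);
            // Assumes the manager returns a MapRTicketToken for this token type; any other type
            // fails the cast with a ClassCastException.
            response.setHeader(AUTHORIZATION_HEADER, "MAPR-Negotiate " + ((MapRTicketToken) authenticated).getRespEncrypted());
            completeAuthentication(authenticated, request, response);
            filterChain.doFilter(request, response);
        } catch (AuthenticationException e) {
            // The exception message is reflected to the client in a response header; providers
            // should keep it free of internal detail.
            response.setHeader("WWW-MAPR-Err-Authenticate", e.getMessage());
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            log.warn("MAPR-Negotiate Header was invalid (credential not logged)", e);
            SecurityContextHolder.clearContext();
            if (this.failureHandler != null) {
                this.failureHandler.onAuthenticationFailure(request, response, e);
            } else {
                // NOTE(review): this overwrites the 401 set above with 500 when no failure handler
                // is configured; kept as-is because clients may depend on it.
                response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
                response.flushBuffer();
            }
        }
    }

    /** Runs the session strategy, stores the authentication in the security context and notifies the success handler. */
    private void completeAuthentication(Authentication authenticated, HttpServletRequest request,
            HttpServletResponse response) throws IOException, ServletException {
        this.sessionStrategy.onAuthentication(authenticated, request, response);
        SecurityContextHolder.getContext().setAuthentication(authenticated);
        if (this.successHandler != null) {
            this.successHandler.onAuthenticationSuccess(request, response, authenticated);
        }
    }

    /**
     * Verifies after bean initialisation that an {@link AuthenticationManager} has been set.
     *
     * @throws ServletException if the superclass initialisation fails
     */
    @Override // org.springframework.web.filter.GenericFilterBean, org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws ServletException {
        super.afterPropertiesSet();
        Assert.notNull(this.authenticationManager, "authenticationManager required");
    }

    /**
     * Sets the source used to build the details object attached to each authentication token.
     *
     * @param authenticationDetailsSource the details source; must not be {@code null}
     */
    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource required");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    /** @return the manager that validates the tokens built by this filter */
    public AuthenticationManager getAuthenticationManager() {
        return this.authenticationManager;
    }

    /**
     * Sets the manager that validates the tokens built by this filter. Not null-checked here;
     * {@link #afterPropertiesSet()} rejects a missing manager.
     *
     * @param authenticationManager the authentication manager
     */
    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    /** @return the handler invoked on authentication failure, or {@code null} if none is set */
    public AuthenticationFailureHandler getFailureHandler() {
        return this.failureHandler;
    }

    /**
     * Sets the handler invoked on authentication failure. When it is {@code null} the filter
     * writes the failure status itself.
     *
     * @param authenticationFailureHandler the failure handler, may be {@code null}
     */
    public void setFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        this.failureHandler = authenticationFailureHandler;
    }

    /** @return the handler invoked on authentication success, or {@code null} if none is set */
    public AuthenticationSuccessHandler getSuccessHandler() {
        return this.successHandler;
    }

    /**
     * Sets the handler invoked after a successful authentication, before the chain continues.
     *
     * @param authenticationSuccessHandler the success handler, may be {@code null}
     */
    public void setSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
        this.successHandler = authenticationSuccessHandler;
    }

    /** @return whether requests that already carry a non-anonymous, authenticated context bypass this filter */
    public boolean isSkipIfAlreadyAuthenticated() {
        return this.skipIfAlreadyAuthenticated;
    }

    /**
     * Controls whether requests that already carry a non-anonymous, authenticated security
     * context are passed straight down the chain.
     *
     * @param z {@code true} to skip authentication for such requests
     */
    public void setSkipIfAlreadyAuthenticated(boolean z) {
        this.skipIfAlreadyAuthenticated = z;
    }
}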
