package org.apache.hadoop.security.authentication.server;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.configuration2.tree.DefaultExpressionEngineSymbols;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.kerby.kerberos.kerb.client.jaas.TokenAuthLoginModule;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hadoop-auth-3.3.5.201-eep-921.jar:org/apache/hadoop/security/authentication/server/KerberosAuthHandler.class */
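/**
 * SPNEGO (Kerberos over HTTP {@code Negotiate}) mechanism for
 * {@code MultiMechsAuthenticationHandler}.
 *
 * <p>{@link #init(Properties)} logs the server in through the JAAS entry
 * {@value #JAAS_ENTRY}, records the {@code principal}/{@code keyTab} options
 * of that entry and caches a {@link GSSManager} obtained as the logged-in
 * subject. {@link #postauthenticate} then runs one step of the server-side
 * GSS-API handshake on the client's {@code Authorization: Negotiate} token.
 *
 * <p>The {@code Negotiate} scheme is matched case-sensitively (unchanged from
 * the original). Fields are plain, unsynchronized instance state: {@code init}
 * and {@code destroy} are expected to run before/after request processing, not
 * concurrently with it.
 */
public class KerberosAuthHandler extends MultiMechsAuthenticationHandler {
    private static final Logger LOG = LoggerFactory.getLogger(KerberosAuthHandler.class);

    /** JAAS login-configuration entry that holds the server's Kerberos identity. */
    private static final String JAAS_ENTRY = "MAPR_WEBSERVER_KERBEROS";
    /** HTTP auth-scheme accepted by this handler. */
    private static final String NEGOTIATE = "Negotiate";
    private static final String AUTHORIZATION = "Authorization";
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";

    protected GSSManager gssManager;
    protected LoginContext loginContext;
    protected String principal;
    protected String keytab;

    /**
     * Logs in via the {@value #JAAS_ENTRY} JAAS entry and creates the GSS manager.
     *
     * <p>Idempotent: a second call on an initialized handler is a no-op. On any
     * failure {@code loginContext} is reset to {@code null} so a later call may retry.
     *
     * @param properties handler configuration (currently unused by this mechanism)
     * @throws ServletException if the JAAS login or {@link GSSManager} creation fails
     */
    @Override
    public void init(Properties properties) throws ServletException {
        if (this.loginContext != null) {
            return;
        }
        try {
            this.loginContext = new LoginContext(JAAS_ENTRY);
            this.loginContext.login();
            readIdentityFromJaas();
            try {
                // GSSManager.getInstance() must run as the logged-in subject so that the
                // contexts it creates can use the subject's Kerberos credentials.
                this.gssManager = Subject.doAs(this.loginContext.getSubject(),
                        new PrivilegedExceptionAction<GSSManager>() {
                            @Override
                            public GSSManager run() throws Exception {
                                return GSSManager.getInstance();
                            }
                        });
            } catch (PrivilegedActionException e) {
                // Unwrap so the outer handler sees the real cause.
                throw e.getException();
            }
            LOG.info("Initialized, principal [{}] from keytab [{}]", this.principal, this.keytab);
        } catch (Exception e) {
            // Weak JCE policy is a common root cause of Kerberos login failures; let
            // the utility report it before we wrap the original exception.
            KerberosUtil.checkJCEKeyStrength();
            LOG.warn("Failed to obtain kerberos identity... If no Kerberos configuration was intended no further action is needed otherwise turn on DEBUG to see full exception trace");
            LOG.debug("Full stacktrace", e);
            this.loginContext = null;
            throw new ServletException(e);
        }
    }

    /**
     * Copies the {@code principal} and {@code keyTab} options of the JAAS entry into
     * the corresponding fields. As in the original, when the entry lists several login
     * modules the options of the last one win.
     *
     * @throws IllegalStateException if the entry is absent from the JAAS configuration
     */
    private void readIdentityFromJaas() {
        AppConfigurationEntry[] entries =
                Configuration.getConfiguration().getAppConfigurationEntry(JAAS_ENTRY);
        if (entries == null) {
            // Explicit instead of the NullPointerException the for-loop would raise.
            throw new IllegalStateException("No JAAS configuration entry named " + JAAS_ENTRY);
        }
        for (AppConfigurationEntry entry : entries) {
            Map<String, ?> options = entry.getOptions();
            this.principal = (String) options.get("principal");
            this.keytab = (String) options.get("keyTab");
        }
    }

    /**
     * Verifies the client's {@code Negotiate} token and, once the GSS context is
     * established, builds the authentication token for the caller.
     *
     * <p>The {@code Authorization} header is client-controlled; only the
     * base64-decoded bytes are handed to GSS-API, and the token itself is never
     * logged. A continuation token is sent back in {@code WWW-Authenticate} while
     * the handshake is still in progress (status 401); on completion the status is
     * 200. NTLM tokens are rejected with status 412, as before.
     *
     * @param httpServletRequest  request carrying the {@code Authorization} header
     * @param httpServletResponse response that receives status and handshake headers
     * @return the established token, or {@code null} while the handshake continues
     *         or when an NTLM token was rejected
     * @throws IOException             if the handshake callback raises one
     * @throws AuthenticationException if the handler is not initialized, the header
     *                                 is missing or empty, or GSS-API rejects the token
     */
    @Override
    public AuthenticationToken postauthenticate(HttpServletRequest httpServletRequest,
            final HttpServletResponse httpServletResponse) throws IOException, AuthenticationException {
        if (this.loginContext == null || this.gssManager == null) {
            // Previously surfaced as a NullPointerException wrapped in AuthenticationException.
            throw new AuthenticationException("Kerberos handler is not initialized");
        }
        String header = httpServletRequest.getHeader(AUTHORIZATION);
        if (header == null) {
            // Previously an unchecked NullPointerException escaped from new String(null).
            throw new AuthenticationException("Missing " + AUTHORIZATION + " header");
        }
        if (header.startsWith(NEGOTIATE)) {
            header = header.substring(NEGOTIATE.length()).trim();
        }
        final Base64 base64 = new Base64(0);
        final byte[] token = base64.decode(header);
        if (token == null || token.length == 0) {
            throw new AuthenticationException("Empty " + NEGOTIATE + " token");
        }
        if (hasAsciiPrefix(token, "NTLM")) {
            httpServletResponse.sendError(HttpServletResponse.SC_PRECONDITION_FAILED,
                    "NTLM Authentication not supported, please try a different browser");
            LOG.info("No support for NTLM tokens is provided");
            return null;
        }
        try {
            return Subject.doAs(this.loginContext.getSubject(),
                    new PrivilegedExceptionAction<AuthenticationToken>() {
                        @Override
                        public AuthenticationToken run() throws Exception {
                            return acceptToken(token, base64, httpServletResponse);
                        }
                    });
        } catch (PrivilegedActionException e) {
            Exception cause = e.getException();
            if (cause instanceof IOException) {
                throw (IOException) cause;
            }
            throw new AuthenticationException(cause);
        } catch (Exception e) {
            throw new AuthenticationException("Authorization is failed, please check your config files settings", e);
        }
    }

    /**
     * Runs one step of the server-side GSS-API handshake. Must be called as the
     * login subject (see {@link #postauthenticate}).
     *
     * @param token    the decoded client token
     * @param base64   encoder for the continuation token
     * @param response response receiving status and {@code WWW-Authenticate}
     * @return the token for the authenticated principal, or {@code null} if the
     *         context is not yet established
     * @throws GSSException if GSS-API rejects the token
     * @throws IOException  if the short-name mapping of the principal fails
     */
    private AuthenticationToken acceptToken(byte[] token, Base64 base64, HttpServletResponse response)
            throws GSSException, IOException {
        GSSContext context = this.gssManager.createContext((GSSCredential) null);
        try {
            byte[] reply = context.acceptSecContext(token, 0, token.length);
            if (reply != null && reply.length > 0) {
                response.setHeader(WWW_AUTHENTICATE, NEGOTIATE + " " + base64.encodeToString(reply));
            }
            if (!context.isEstablished()) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                LOG.trace("SPNEGO in progress");
                return null;
            }
            String clientName = context.getSrcName().toString();
            // getType() is inherited from MultiMechsAuthenticationHandler (not visible here).
            AuthenticationToken result = new AuthenticationToken(
                    new KerberosName(clientName).getShortName(), clientName, getType());
            response.setStatus(HttpServletResponse.SC_OK);
            LOG.trace("SPNEGO completed for principal [{}]", clientName);
            return result;
        } finally {
            // The decompiled original skipped dispose() on the exception path
            // (`if (0 != 0)`); the native context must be released on every path.
            context.dispose();
        }
    }

    /**
     * Returns whether {@code token} starts with the ASCII bytes of {@code prefix}.
     * Avoids decoding an arbitrary binary token into a String with the platform charset.
     */
    private static boolean hasAsciiPrefix(byte[] token, String prefix) {
        byte[] expected = prefix.getBytes(StandardCharsets.US_ASCII);
        if (token.length < expected.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (token[i] != expected[i]) {
                return false;
            }
        }
        return true;
    }

    /**
     * Logs the server subject out. {@code loginContext} is cleared even when logout
     * fails, so a stale context cannot block a later {@link #init(Properties)}.
     */
    @Override
    public void destroy() {
        if (this.loginContext == null) {
            return;
        }
        try {
            this.loginContext.logout();
        } catch (LoginException e) {
            LOG.warn(e.getMessage(), e);
        } finally {
            this.loginContext = null;
        }
    }

    /** Adds the {@code WWW-Authenticate: Negotiate} challenge to the response. */
    @Override
    public void addHeader(HttpServletResponse httpServletResponse) {
        httpServletResponse.addHeader(WWW_AUTHENTICATE, NEGOTIATE);
    }

    /**
     * Selects this handler when the {@code Authorization} header value starts
     * with {@code Negotiate} (case-sensitive).
     *
     * @param str the raw {@code Authorization} header value, possibly {@code null}
     * @return this handler, or {@code null} if the scheme is not {@code Negotiate}
     */
    @Override
    public MultiMechsAuthenticationHandler getAuthBasedEntity(String str) {
        if (str == null || !str.startsWith(NEGOTIATE)) {
            return null;
        }
        return this;
    }

    /** @return the {@code principal} option read from the JAAS entry, or {@code null} */
    protected String getPrincipal() {
        return this.principal;
    }

    /** @return the {@code keyTab} option read from the JAAS entry, or {@code null} */
    protected String getKeytab() {
        return this.keytab;
    }
}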
