package oracle.security.jazn.oc4j;

import com.evermind.server.http.HttpAuthenticator;
import java.io.IOException;
import java.net.PasswordAuthentication;
import java.util.ResourceBundle;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import oracle.ldap.util.Util;
import oracle.security.jazn.ApplicationServerProxy;
import oracle.security.jazn.JAZNConfig;
import oracle.security.jazn.JAZNException;
import oracle.security.jazn.spi.ldap.LDAPRealmManager;
import oracle.security.jazn.spi.ldap.SubRealm;
import oracle.security.jazn.util.DbgWriter;
import oracle.security.jazn.util.Env;
import oracle.security.jazn.util.Misc;
import oracle.security.spnego.HttpSPNEGO;
import oracle.security.spnego.SPNEGOException;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:oracle/security/jazn/oc4j/KerberosAuthenticator.class */
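/**
 * HTTP authenticator that accepts SPNEGO/Kerberos ("Negotiate") tokens and maps the
 * authenticated Kerberos principal to a directory nickname.
 *
 * <p>When SSO fallback is enabled the authenticator also accepts HTTP Basic credentials and
 * hands back the placeholder user {@link #KERBE_DUMMY_USER} for clients that cannot negotiate.
 *
 * <p>Review notes:
 * <ul>
 *   <li>The GSS manager, acceptor credential, realm manager and configuration flags are
 *       {@code static}. Only the first constructor call that succeeds initialises them; later
 *       instances return early and reuse that state. None of it is synchronised.</li>
 *   <li>A successful Kerberos login is returned as a {@link PasswordAuthentication} with an
 *       empty password. Presumably the consumer relies on the {@code Env.AUTH_STATUS} thread
 *       attribute to tell this apart from a password login; confirm against the caller.</li>
 *   <li>Failure markers ({@code AuthFailed}, {@code NoFallbackReqd}, {@code NTLMWorkaround})
 *       are stored in the HTTP session and are never cleared by this class, so they stay in
 *       effect for the rest of that session.</li>
 * </ul>
 */
public class KerberosAuthenticator implements HttpAuthenticator {
    static final String spnegoOID = "1.3.6.1.5.5.2";
    public static final String KERBE_DUMMY_USER = "{{UNAUTH_USER}}";
    public static final String SSO_KERBE_AUTH_METHOD = "KERBEROS";
    public static final String NTLM_AUTH_METHOD = "NTLM";
    public static final String SSO_REALM = "SSO";
    private static final String GSS_CONTEXT = "GSSContext";
    private static final String SP_INCOMPLETE_TOKEN = "SPNEGOIncompleteToken";
    private static final String AUTH_FAILED = "AuthFailed";
    private static final String AUTH_FAILED_TRUE = "true";
    private static final String NO_FALLBACK_REQD = "NoFallbackReqd";
    private static final String NO_FALLBACK_REQD_TRUE = "true";
    private static final String NTLM_UNAUTH_REQ = "NTLMWorkaround";
    private static final String NTLM_UNAUTH_REQ_TRUE = "true";
    private static final String REPLACE_DOMAIN_SEPARATOR_CHAR = "$";
    private static final String DOMAIN_SEPARATOR_CHAR = "\\";
    GSSName gssname;
    private static GSSCredential gsscred;
    private String httpServiceName;
    JAZNConfig jaznConfig;
    private static boolean initiated = false;
    private static GSSManager gssmgr = null;
    public static final int WINDOWS_KERBE_USER = Util.IDTYPE_KERB_PRINCIPAL;
    private static String domainSeparatorChar = null;
    private static boolean ssoFallback = true;
    private static LDAPRealmManager realmMgr = null;
    private static String USER_NICKNAME_ATTR = null;
    private static ResourceBundle _errMsg = Misc.getResourceBundle();

    /**
     * Acquires the acceptor credential for the HTTP service and records the configuration.
     *
     * <p>Failures are logged to standard output and leave the class uninitialised; they are
     * not rethrown, so callers cannot detect a failed setup from the constructor alone.
     *
     * @param str SSO fallback switch; fallback is disabled only by the exact string
     *     {@code "false"}. NOTE(review): any other value, including {@code "False"} or a
     *     typo, leaves Basic/placeholder fallback enabled.
     * @param str2 host-based service name used to build the acceptor name
     * @param str3 replacement for the backslash domain separator in Basic user names;
     *     {@code "$"} is used when null or empty
     * @param jAZNConfig configuration that supplies the realm manager
     */
    public KerberosAuthenticator(String str, String str2, String str3, JAZNConfig jAZNConfig) {
        this.httpServiceName = null;
        this.jaznConfig = null;
        if (initiated) {
            // Shared static state is already set up; this instance keeps null instance fields.
            return;
        }
        try {
            // 1.2.840.113554.1.2.2 is the Kerberos V5 GSS-API mechanism OID.
            Oid krb5Mech = new Oid("1.2.840.113554.1.2.2");
            gssmgr = GSSManager.getInstance();
            this.httpServiceName = str2;
            domainSeparatorChar = (str3 == null || str3.equals("")) ? REPLACE_DOMAIN_SEPARATOR_CHAR : str3;
            ssoFallback = !"false".equals(str);
            GSSName hostBasedName = gssmgr.createName(str2, GSSName.NT_HOSTBASED_SERVICE, krb5Mech);
            this.gssname = gssmgr.createName(hostBasedName.export(), GSSName.NT_EXPORT_NAME);
            System.out.println("Getting creds for " + this.gssname.toString() + "...");
            // Same values as the original literals 0 and 2: default lifetime, accept-only usage.
            gsscred = gssmgr.createCredential(this.gssname, GSSCredential.DEFAULT_LIFETIME, krb5Mech, GSSCredential.ACCEPT_ONLY);
            System.out.println("Getting creds for " + this.gssname.toString() + " done");
            this.jaznConfig = jAZNConfig;
            realmMgr = this.jaznConfig.getRealmManager();
            initiated = true;
        } catch (GSSException e2) {
            // The specific handler must precede catch (Exception); in the reverse order it is
            // unreachable and the KDC/service-name hint below would never be printed.
            System.out.println("KerberosAuthenticator: GSSException raised in constructor - " + e2.getMessage());
            e2.printStackTrace();
            System.out.println("KerberosAuthenticator: Please check the error messages and fix it. Restart OC4J (OC4J_SECURITY instance) server");
            System.out.println("KerberosAuthenticator: Possible errors may be: HTTP service name in jazn-data.xml is wrong or KDC is down");
        } catch (Exception e) {
            System.out.println("KerberosAuthenticator: Exception raised in constructor: " + e.getMessage());
            e.printStackTrace();
            System.out.println("KerberosAuthenticator: Please check the error messages and fix it. Restart OC4J server");
        }
    }

    /** Returns the fixed authentication type label for this authenticator. */
    public String getAuthType() {
        return "WINDOWS-KERBEROS-AUTH";
    }

    /**
     * Authenticates the request from its {@code Authorization} header.
     *
     * @param httpServletRequest incoming request; a session is created if none exists
     * @return the mapped nickname with an empty password after a successful Kerberos
     *     exchange; the Basic credentials when fallback is enabled and the client sent them;
     *     {@link #KERBE_DUMMY_USER} with an empty password when falling back; or {@code null}
     *     when the request carries no usable credentials or authentication failed
     */
    public PasswordAuthentication getAuthentication(HttpServletRequest httpServletRequest) {
        // NOTE(review): getSession(true) allocates a session for every unauthenticated request.
        HttpSession session = httpServletRequest.getSession(true);
        // NOTE(review): once the NTLM marker is set, the placeholder user is returned for the
        // rest of the session without consulting ssoFallback. Confirm this is intended when
        // fallback is disabled.
        if (NTLM_UNAUTH_REQ_TRUE.equals((String) session.getAttribute(NTLM_UNAUTH_REQ))) {
            return new PasswordAuthentication(KERBE_DUMMY_USER, new char[0]);
        }
        if (!kerberosEnabledBrowser(httpServletRequest)) {
            return fallbackOrRefuse(session);
        }
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            return null;
        }
        // A header without a space has no scheme/credentials split. The index is checked so a
        // malformed client header is rejected by the token decoder below instead of raising
        // StringIndexOutOfBoundsException here.
        int schemeEnd = header.indexOf(' ');
        if (ssoFallback && schemeEnd > 0 && header.substring(0, schemeEnd).equalsIgnoreCase("Basic")) {
            return getBasicAuthentication(httpServletRequest);
        }
        if (!initiated) {
            // Fail closed: without the acceptor credential from the constructor no token may be
            // accepted. reject() answers 500 in this state.
            return null;
        }
        try {
            String principal = gssAuthenticate(session, header);
            if (principal == null) {
                return null;
            }
            if (principal.equals(KERBE_DUMMY_USER)) {
                return fallbackOrRefuse(session);
            }
            try {
                SubRealm userManager = realmMgr.getDefaultSubscriberRealm().getUserManager();
                if (USER_NICKNAME_ATTR == null) {
                    USER_NICKNAME_ATTR = userManager.getUserNamingAttribute("orclcommonnicknameattribute");
                }
                if (USER_NICKNAME_ATTR == null) {
                    DbgWriter.getDbgWriter();
                    DbgWriter.writeln("User nickname attribute value returned null");
                }
                String[] nicknames = (String[]) userManager.getUser(principal, WINDOWS_KERBE_USER, new String[]{USER_NICKNAME_ATTR}).getProperties(USER_NICKNAME_ATTR);
                // Only a non-empty mapped nickname counts as an authenticated identity.
                if (nicknames != null && nicknames.length > 0 && nicknames[0] != null && !nicknames[0].equals("")) {
                    JAZNUserManager.putThrAttr(Env.AUTH_STATUS, Env.AUTH_STATUS_AUTHENTICATED);
                    return new PasswordAuthentication(nicknames[0], new char[0]);
                }
                System.out.println("Value for user mapping attribute , " + USER_NICKNAME_ATTR + " not found in OID for kerberos user: " + principal);
                return markAuthFailed(session);
            } catch (JAZNException e2) {
                // Specific handler first; after catch (Exception) it would be unreachable.
                System.out.println("Error while getting user attributes from OID for the kerberos user: " + principal);
                e2.printStackTrace();
                return markAuthFailed(session);
            } catch (Exception e) {
                System.out.println("Error while getting user attributes from OID for the kerberos user: " + principal);
                e.printStackTrace();
                return markAuthFailed(session);
            }
        } catch (IOException e3) {
            System.out.println("IOException raised: " + e3.getMessage());
            e3.printStackTrace();
            return markAuthFailed(session);
        } catch (GSSException e4) {
            System.out.println("GSSException raised: " + e4.getMessage());
            e4.printStackTrace();
            return markAuthFailed(session);
        } catch (SPNEGOException e5) {
            System.out.println("SPNEGOException raised: " + e5.getMessage());
            e5.printStackTrace();
            return markAuthFailed(session);
        }
    }

    /**
     * Returns the placeholder user when SSO fallback is enabled; otherwise flags the session
     * so that {@code reject} answers 403 and returns {@code null}.
     */
    private static PasswordAuthentication fallbackOrRefuse(HttpSession session) {
        if (ssoFallback) {
            return new PasswordAuthentication(KERBE_DUMMY_USER, new char[0]);
        }
        session.setAttribute(NO_FALLBACK_REQD, NO_FALLBACK_REQD_TRUE);
        return null;
    }

    /** Flags the session as failed and returns {@code null} for the caller to hand back. */
    private static PasswordAuthentication markAuthFailed(HttpSession session) {
        session.setAttribute(AUTH_FAILED, AUTH_FAILED_TRUE);
        return null;
    }

    /**
     * Writes the failure response: 500 when the authenticator never initialised, 403 when the
     * session carries a failure marker, otherwise a 401 challenge.
     *
     * @param httpServletRequest request being rejected; no session is created here
     * @param httpServletResponse response that receives the status and challenge headers
     * @param i not used by this implementation
     * @throws IOException if sending the error response fails
     */
    public void reject(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, int i) throws IOException {
        if (!initiated) {
            System.out.println("KerberosAuthenticator: KerberosAuthenticator object not initialized properly");
            System.out.println("KerberosAuthenticator: Check the opmn log file and restart OC4J server");
            httpServletResponse.sendError(500, _errMsg.getString("Internal Server Error. Please contact your administrator."));
            return;
        }
        HttpSession session = httpServletRequest.getSession(false);
        String pendingToken = null;
        if (session != null) {
            if (NO_FALLBACK_REQD_TRUE.equals((String) session.getAttribute(NO_FALLBACK_REQD))) {
                httpServletResponse.sendError(403, _errMsg.getString("Your browser does not support the windows kerberos authentication or not configured properly. Please contact your administrator."));
                return;
            }
            if (AUTH_FAILED_TRUE.equals((String) session.getAttribute(AUTH_FAILED))) {
                httpServletResponse.sendError(403, _errMsg.getString("Windows Native Authentication Failed. Please contact your administrator."));
                return;
            }
            // NOTE(review): the stored continuation token is never removed from the session,
            // so the same value is sent again on every later challenge in this session.
            pendingToken = (String) session.getAttribute(SP_INCOMPLETE_TOKEN);
        }
        httpServletResponse.addHeader("WWW-Authenticate", pendingToken != null ? pendingToken : "Negotiate");
        if (ssoFallback) {
            // Offering Basic next to Negotiate lets the client send a reusable password instead.
            httpServletResponse.addHeader("WWW-Authenticate", "Basic realm=\"SSO\"");
        }
        httpServletResponse.setStatus(401);
    }

    /**
     * Runs one leg of the SPNEGO exchange against the shared acceptor credential.
     *
     * @param httpSession session that receives the NTLM marker or the continuation token
     * @param str raw {@code Authorization} header value
     * @return the source principal name when the context is established;
     *     {@link #KERBE_DUMMY_USER} when the decoder reports result code 2 (presumably an NTLM
     *     token, given the marker that is set; confirm against HttpSPNEGO); {@code null} when
     *     the exchange is incomplete or was refused
     * @throws IOException propagated from token decoding/encoding
     * @throws GSSException if the GSS layer rejects the token or disposal fails
     * @throws SPNEGOException if the SPNEGO wrapper cannot be processed
     */
    private String gssAuthenticate(HttpSession httpSession, String str) throws IOException, GSSException, SPNEGOException {
        HttpSPNEGO spnego = new HttpSPNEGO();
        spnego.initiate();
        if (spnego.decodeRequest(str) == 2) {
            httpSession.setAttribute(NTLM_UNAUTH_REQ, NTLM_UNAUTH_REQ_TRUE);
            return KERBE_DUMMY_USER;
        }
        GSSContext context = gssmgr.createContext(gsscred);
        try {
            byte[] inToken = spnego.getReqMechToken();
            if (inToken == null) {
                // No mechanism token to accept; the caller re-issues the challenge.
                return null;
            }
            byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);
            if (context.isEstablished()) {
                return context.getSrcName().toString();
            }
            if (outToken != null) {
                // NOTE(review): only the reply token is kept. The context is not stored, so a
                // follow-up leg from the client starts against a fresh context.
                httpSession.setAttribute(SP_INCOMPLETE_TOKEN, spnego.encodeResponse(1, outToken, (byte[]) null));
                return null;
            }
            spnego.encodeResponse(2, (byte[]) null, (byte[]) null);
            return null;
        } finally {
            // The context is never retained, so release it on every path, including when
            // acceptSecContext throws.
            context.dispose();
        }
    }

    /**
     * Guesses from the {@code User-Agent} header whether the client can do Kerberos: it must
     * mention "windows nt 5" and "msie" with a major version of at least 5.
     *
     * <p>The header is client-controlled, so the result is only a capability hint and must not
     * be treated as evidence about the client. A missing or malformed header yields
     * {@code false}.
     *
     * @param httpServletRequest request whose {@code User-Agent} header is inspected
     * @return {@code true} if the header matches the supported browser pattern
     */
    public boolean kerberosEnabledBrowser(HttpServletRequest httpServletRequest) {
        String userAgent = httpServletRequest.getHeader("User-Agent");
        if (userAgent == null) {
            return false;
        }
        // Fixed locale: default-locale lower-casing can change the letters being searched for.
        String lower = userAgent.toLowerCase(java.util.Locale.ENGLISH);
        int msieAt = lower.indexOf("msie");
        if (lower.indexOf("windows nt 5") < 0 || msieAt < 0) {
            return false;
        }
        // Skip "msie" plus the separator character that follows it.
        int versionStart = msieAt + 5;
        if (versionStart > lower.length()) {
            return false;
        }
        String rest = lower.substring(versionStart);
        int semicolon = rest.indexOf(';');
        if (semicolon < 0) {
            return false;
        }
        String version = rest.substring(0, semicolon);
        int dot = version.indexOf('.');
        if (dot < 0) {
            return false;
        }
        try {
            // Numeric comparison: comparing as strings ranks "10" below "5" and lets
            // non-numeric text pass.
            return Integer.parseInt(version.substring(0, dot)) >= 5;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Extracts user name and password from an HTTP Basic {@code Authorization} header.
     *
     * <p>In the user name, backslash is replaced by the configured domain separator.
     *
     * @param httpServletRequest request carrying the header
     * @return the decoded credentials, or {@code null} when the header is absent, is not
     *     Basic, cannot be decoded, has no colon, or the authenticator was never configured
     */
    public PasswordAuthentication getBasicAuthentication(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("AUTHORIZATION");
        if (header == null) {
            return null;
        }
        int schemeEnd = header.indexOf(' ');
        if (schemeEnd <= 0 || !header.substring(0, schemeEnd).equalsIgnoreCase("Basic")) {
            return null;
        }
        if (domainSeparatorChar == null) {
            // Set only by a constructor that got past GSS manager setup; without it the
            // replace() below would dereference null on a client-triggered path.
            return null;
        }
        try {
            byte[] decoded = ApplicationServerProxy.base64Decode(header.substring(schemeEnd + 1, header.length()).toCharArray());
            for (int colon = 0; colon < decoded.length; colon++) {
                if (decoded[colon] != ':') {
                    continue;
                }
                // NOTE(review): the user name is decoded with the platform default charset.
                String user = new String(decoded, 0, colon);
                int passwordStart = colon + 1;
                char[] password = new char[decoded.length - passwordStart];
                for (int k = 0; k < password.length; k++) {
                    // NOTE(review): bytes above 0x7F sign-extend here (0xE9 becomes U+FFE9);
                    // confirm how the consumer compares non-ASCII passwords before changing.
                    password[k] = (char) decoded[passwordStart + k];
                }
                return new PasswordAuthentication(user.replace(DOMAIN_SEPARATOR_CHAR.charAt(0), domainSeparatorChar.charAt(0)), password);
            }
            return null;
        } catch (IllegalArgumentException e) {
            // Treated as "no credentials" (presumably thrown for invalid base64 input).
            return null;
        }
    }
}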
