package org.apache.seatunnel.shade.org.eclipse.jetty.security;

import java.io.Serializable;
import java.net.InetAddress;
import java.nio.file.Path;
import java.security.PrivilegedAction;
import java.util.Base64;
import java.util.HashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.seatunnel.shade.org.eclipse.jetty.security.authentication.AuthorizationService;
import org.apache.seatunnel.shade.org.eclipse.jetty.server.UserIdentity;
import org.apache.seatunnel.shade.org.eclipse.jetty.util.component.ContainerLifeCycle;
import org.apache.seatunnel.shade.org.eclipse.jetty.util.log.Log;
import org.apache.seatunnel.shade.org.eclipse.jetty.util.log.Logger;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/* loaded from: input_file:org/apache/seatunnel/shade/org/eclipse/jetty/security/ConfigurableSpnegoLoginService.class */
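/**
 * {@link LoginService} that authenticates HTTP clients with SPNEGO/Kerberos through the JGSS API.
 *
 * <p>On start the service logs in as the principal {@code serviceName/hostName} using
 * {@code Krb5LoginModule} with a keytab and creates an accept-only GSS credential.
 * {@link #login(String, Object, ServletRequest)} then feeds the Base64 token supplied with the
 * request into a {@link GSSContext}. A context that is not yet established is kept in the HTTP
 * session between requests.
 *
 * <p>This source is decompiler output (JADX) of a shaded class; some access modifiers were widened
 * by the decompiler, as noted on the affected members.
 */
public class ConfigurableSpnegoLoginService extends ContainerLifeCycle implements LoginService {
    private static final Logger LOG = Log.getLogger((Class<?>) ConfigurableSpnegoLoginService.class);
    private final String _realm;
    private final AuthorizationService _authorizationService;
    private String _serviceName;
    private Path _keyTabPath;
    private String _hostName;
    private SpnegoContext _context;
    private final GSSManager _gssManager = GSSManager.getInstance();
    private IdentityService _identityService = new DefaultIdentityService();

    /**
     * Session attribute wrapper for a GSS context whose negotiation is still in progress.
     *
     * <p>The context field is {@code transient}: if the session is serialized, the context is not
     * written, and {@code login} creates a fresh context when it finds none.
     */
    private static class GSSContextHolder implements Serializable {
        public static final String ATTRIBUTE = GSSContextHolder.class.getName();
        private final transient GSSContext gssContext;

        private GSSContextHolder(GSSContext gSSContext) {
            this.gssContext = gSSContext;
        }
    }

    /** JAAS configuration built in code that logs the service principal in from a keytab. */
    private class SpnegoConfiguration extends Configuration {
        private SpnegoConfiguration() {
        }

        /**
         * Returns the single {@code Krb5LoginModule} entry used for the service login.
         *
         * @param str the configuration entry name; ignored, the same entry is returned for any name
         * @return a one-element array holding the REQUIRED Krb5LoginModule entry
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            String principal = ConfigurableSpnegoLoginService.this.getServiceName() + "/" + ConfigurableSpnegoLoginService.this.getHostName();
            HashMap<String, String> options = new HashMap<>();
            if (ConfigurableSpnegoLoginService.LOG.isDebugEnabled()) {
                // NOTE(review): this switches on the login module's own debug output, which is
                // not routed through LOG; keep this logger above debug level in production.
                options.put("debug", "true");
            }
            // The service must never prompt for credentials; the key comes from the keytab.
            options.put("doNotPrompt", "true");
            options.put("refreshKrb5Config", "true");
            options.put("principal", principal);
            options.put("useKeyTab", "true");
            Path keyTabPath = ConfigurableSpnegoLoginService.this.getKeyTabPath();
            if (keyTabPath != null) {
                options.put("keyTab", keyTabPath.toAbsolutePath().toString());
            }
            // NOTE(review): with no keytab path configured the option is omitted and the login
            // module chooses its default keytab; whichever file is used holds the service's
            // long-term key and should be readable by the service account only.
            options.put("storeKey", "true");
            // The service only accepts security contexts, it never initiates them.
            options.put("isInitiator", "false");
            return new AppConfigurationEntry[]{new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)};
        }
    }

    /**
     * Holder for the logged-in service {@link Subject} and its accept-only credential.
     *
     * <p>Declared {@code public} here only because the decompiler widened the access modifier
     * from {@code private}.
     */
    public static class SpnegoContext {
        private Subject _subject;
        private GSSCredential _serviceCredential;

        private SpnegoContext() {
        }
    }

    /**
     * Creates the login service.
     *
     * @param str the realm name, returned by {@link #getName()}
     * @param authorizationService used to look up the {@link UserIdentity} of an authenticated user
     */
    public ConfigurableSpnegoLoginService(String str, AuthorizationService authorizationService) {
        this._realm = str;
        this._authorizationService = authorizationService;
    }

    /** @return the realm name given to the constructor */
    @Override // org.apache.seatunnel.shade.org.eclipse.jetty.security.LoginService
    public String getName() {
        return this._realm;
    }

    /** @return the keytab path, or {@code null} if none was set */
    public Path getKeyTabPath() {
        return this._keyTabPath;
    }

    /** @param path the keytab file holding the service principal's key */
    public void setKeyTabPath(Path path) {
        this._keyTabPath = path;
    }

    /** @return the service part of the service principal name */
    public String getServiceName() {
        return this._serviceName;
    }

    /** @param str the service part of the service principal name */
    public void setServiceName(String str) {
        this._serviceName = str;
    }

    /** @return the host part of the service principal name */
    public String getHostName() {
        return this._hostName;
    }

    /** @param str the host part of the service principal name */
    public void setHostName(String str) {
        this._hostName = str;
    }

    /**
     * Logs the service principal in and prepares the accept-only GSS credential.
     *
     * <p>When no host name was set, the canonical name of the local host is used. Declared
     * {@code public} here because the decompiler widened the access modifier from
     * {@code protected}.
     *
     * @throws Exception if the local host lookup, the JAAS login or the credential creation fails
     */
    @Override // org.apache.seatunnel.shade.org.eclipse.jetty.util.component.ContainerLifeCycle, org.apache.seatunnel.shade.org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStart() throws Exception {
        if (this._hostName == null) {
            this._hostName = InetAddress.getLocalHost().getCanonicalHostName();
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Retrieving credentials for service {}/{}", getServiceName(), getHostName());
        }
        // No Subject and no CallbackHandler: the login module takes everything from
        // SpnegoConfiguration and the keytab.
        LoginContext loginContext = new LoginContext("", (Subject) null, (CallbackHandler) null, new SpnegoConfiguration());
        loginContext.login();
        Subject serviceSubject = loginContext.getSubject();
        this._context = Subject.doAs(serviceSubject, newSpnegoContext(serviceSubject));
        super.doStart();
    }

    /**
     * Builds the action that creates the service credential for {@code serviceName@hostName}.
     *
     * @param subject the logged-in service subject to store in the resulting context
     * @return an action producing the populated {@link SpnegoContext}; a {@link GSSException} is
     *     rethrown wrapped in a {@link RuntimeException}
     */
    private PrivilegedAction<SpnegoContext> newSpnegoContext(Subject subject) {
        return () -> {
            try {
                GSSName serviceName = this._gssManager.createName(getServiceName() + "@" + getHostName(), GSSName.NT_HOSTBASED_SERVICE);
                // Mechanism OIDs: Kerberos V5 and SPNEGO.
                Oid[] mechanisms = new Oid[]{new Oid("1.2.840.113554.1.2.2"), new Oid("1.3.6.1.5.5.2")};
                GSSCredential serviceCredential = this._gssManager.createCredential(serviceName, GSSCredential.DEFAULT_LIFETIME, mechanisms, GSSCredential.ACCEPT_ONLY);
                SpnegoContext spnegoContext = new SpnegoContext();
                spnegoContext._subject = subject;
                spnegoContext._serviceCredential = serviceCredential;
                return spnegoContext;
            } catch (GSSException e) {
                throw new RuntimeException(e);
            }
        };
    }

    /**
     * Runs one step of the SPNEGO negotiation with the token sent by the client.
     *
     * <p>The token is client-controlled input. A credential that is not a {@code String} raises
     * {@link ClassCastException}, malformed Base64 raises {@link IllegalArgumentException}, and a
     * token rejected by GSS raises a {@link RuntimeException} wrapping the {@link GSSException}.
     * None of these paths returns an identity.
     *
     * @param str unused by this implementation
     * @param obj the Base64-encoded token, expected to be a {@code String}
     * @param servletRequest the current request; must be an {@link HttpServletRequest}
     * @return an identity carrying the authorization result once the context is established,
     *     otherwise an identity with a {@code null} authorization result while negotiation
     *     continues
     */
    @Override // org.apache.seatunnel.shade.org.eclipse.jetty.security.LoginService
    public UserIdentity login(String str, Object obj, ServletRequest servletRequest) {
        Subject subject = this._context._subject;
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpSession session = httpServletRequest.getSession(false);
        GSSContext gssContext = null;
        if (session != null) {
            // Resume a negotiation started by an earlier request on the same session.
            GSSContextHolder holder = (GSSContextHolder) session.getAttribute(GSSContextHolder.ATTRIBUTE);
            gssContext = holder == null ? null : holder.gssContext;
        }
        if (gssContext == null) {
            gssContext = Subject.doAs(subject, newGSSContext());
        }
        byte[] input = Base64.getDecoder().decode((String) obj);
        byte[] output = Subject.doAs(this._context._subject, acceptGSSContext(gssContext, input));
        // acceptSecContext returns null when there is no reply token for the peer; encoding
        // null would throw NullPointerException, so the token is passed on as null instead.
        // NOTE(review): SpnegoUserPrincipal is not visible here; confirm it accepts a null token.
        String encodedToken = output == null ? null : Base64.getEncoder().encodeToString(output);
        // NOTE(review): the source name is read before the isEstablished() check below; whether
        // it is available on an unfinished context depends on the GSS mechanism.
        String userName = toUserName(gssContext);
        SpnegoUserPrincipal principal = new SpnegoUserPrincipal(userName, encodedToken);
        if (gssContext.isEstablished()) {
            if (session != null) {
                session.removeAttribute(GSSContextHolder.ATTRIBUTE);
            }
            return new SpnegoUserIdentity(subject, principal, this._authorizationService.getUserIdentity(httpServletRequest, userName));
        }
        // Negotiation needs another round trip: park the context in the session. This creates a
        // session for a client that is not authenticated yet, so session limits and timeouts
        // bound the cost of negotiations that are never completed.
        if (session == null) {
            session = httpServletRequest.getSession(true);
        }
        session.setAttribute(GSSContextHolder.ATTRIBUTE, new GSSContextHolder(gssContext));
        return new SpnegoUserIdentity(subject, principal, null);
    }

    /**
     * Builds the action that creates an acceptor-side GSS context from the service credential.
     *
     * @return an action producing a new {@link GSSContext}; a {@link GSSException} is rethrown
     *     wrapped in a {@link RuntimeException}
     */
    private PrivilegedAction<GSSContext> newGSSContext() {
        return () -> {
            try {
                return this._gssManager.createContext(this._context._serviceCredential);
            } catch (GSSException e) {
                throw new RuntimeException(e);
            }
        };
    }

    /**
     * Builds the action that passes a client token to the GSS context.
     *
     * @param gSSContext the context to advance
     * @param bArr the decoded client token
     * @return an action producing the reply token, which may be {@code null}; a
     *     {@link GSSException} is rethrown wrapped in a {@link RuntimeException}
     */
    private PrivilegedAction<byte[]> acceptGSSContext(GSSContext gSSContext, byte[] bArr) {
        return () -> {
            try {
                return gSSContext.acceptSecContext(bArr, 0, bArr.length);
            } catch (GSSException e) {
                throw new RuntimeException(e);
            }
        };
    }

    /**
     * Derives the user name from the context's source name by cutting it at the first {@code '@'}.
     *
     * <p>The realm part is discarded, so the same name in two different realms yields the same
     * user name. NOTE(review): where more than one realm is trusted, authorization keyed on this
     * name cannot tell those principals apart.
     *
     * @param gSSContext the context whose source name is read
     * @return the source name up to the first {@code '@'}, or the whole name if there is none
     */
    private String toUserName(GSSContext gSSContext) {
        try {
            String sourceName = gSSContext.getSrcName().toString();
            int realmSeparator = sourceName.indexOf('@');
            return realmSeparator < 0 ? sourceName : sourceName.substring(0, realmSeparator);
        } catch (GSSException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Always reports the identity as not valid; this service never re-validates an identity.
     *
     * @param userIdentity ignored
     * @return {@code false}
     */
    @Override // org.apache.seatunnel.shade.org.eclipse.jetty.security.LoginService
    public boolean validate(UserIdentity userIdentity) {
        return false;
    }

    /** @return the identity service currently in use */
    @Override // org.apache.seatunnel.shade.org.eclipse.jetty.security.LoginService
    public IdentityService getIdentityService() {
        return this._identityService;
    }

    /** @param identityService the identity service to use from now on */
    @Override // org.apache.seatunnel.shade.org.eclipse.jetty.security.LoginService
    public void setIdentityService(IdentityService identityService) {
        this._identityService = identityService;
    }

    /**
     * Does nothing; no per-user state is released on logout.
     *
     * @param userIdentity ignored
     */
    @Override // org.apache.seatunnel.shade.org.eclipse.jetty.security.LoginService
    public void logout(UserIdentity userIdentity) {
    }
}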
