package org.dcache.webdav;

import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.base.Throwables;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Lists;
import com.google.common.net.InetAddresses;
import diskCacheV111.util.CacheException;
import diskCacheV111.util.PermissionDeniedCacheException;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;
import java.util.Optional;
import java.util.stream.Stream;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.dcache.auth.BearerTokenCredential;
import org.dcache.auth.LoginNamePrincipal;
import org.dcache.auth.LoginReply;
import org.dcache.auth.LoginStrategy;
import org.dcache.auth.Origin;
import org.dcache.auth.PasswordCredential;
import org.dcache.auth.Subjects;
import org.dcache.auth.attributes.Restriction;
import org.dcache.auth.attributes.Restrictions;
import org.dcache.util.CertificateFactories;
import org.dcache.util.NetLoggerBuilder;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.HandlerWrapper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/dcache/webdav/AuthenticationHandler.class */
public class AuthenticationHandler extends HandlerWrapper {
    public static final String X509_CERTIFICATE_ATTRIBUTE = "javax.servlet.request.X509Certificate";
    public static final String DCACHE_SUBJECT_ATTRIBUTE = "org.dcache.subject";
    public static final String DCACHE_RESTRICTION_ATTRIBUTE = "org.dcache.restriction";
    public static final String DCACHE_LOGIN_ATTRIBUTES = "org.dcache.login";
    private String _realm;
    private Restriction _doorRestriction;
    private boolean _isBasicAuthenticationEnabled;
    private boolean _isSpnegoAuthenticationEnabled;
    private LoginStrategy _loginStrategy;
    private CertificateFactory _cf = CertificateFactories.newX509CertificateFactory();
    private static final Logger LOG = LoggerFactory.getLogger(AuthenticationHandler.class);
    private static final InetAddress UNKNOWN_ADDRESS = InetAddresses.forString("0.0.0.0");

    /* loaded from: input_file:org/dcache/webdav/AuthenticationHandler$AuthHandlerResponse.class */
    private class AuthHandlerResponse extends HttpServletResponseWrapper {
        public AuthHandlerResponse(HttpServletResponse httpServletResponse) {
            super(httpServletResponse);
        }

        public void setStatus(int i) {
            addAuthenticationChallenges(i);
            super.setStatus(i);
        }

        public void setStatus(int i, String str) {
            addAuthenticationChallenges(i);
            super.setStatus(i, str);
        }

        public void sendError(int i) throws IOException {
            addAuthenticationChallenges(i);
            super.sendError(i);
        }

        public void sendError(int i, String str) throws IOException {
            addAuthenticationChallenges(i);
            super.sendError(i, str);
        }

        private void addAuthenticationChallenges(int i) {
            if (i == 401) {
                if (!AuthenticationHandler.this._isSpnegoAuthenticationEnabled) {
                    setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Basic realm=\"" + AuthenticationHandler.this.getRealm() + "\"");
                } else {
                    setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), HttpHeader.NEGOTIATE.asString());
                    addHeader(HttpHeader.WWW_AUTHENTICATE.asString(), "Basic realm=\"" + AuthenticationHandler.this.getRealm() + "\"");
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/dcache/webdav/AuthenticationHandler$AuthInfo.class */
    public class AuthInfo {
        private final String _scheme;
        private final String _data;

        AuthInfo(String str, String str2) {
            this._scheme = str;
            this._data = str2;
        }

        public String getScheme() {
            return this._scheme;
        }

        public String getData() {
            return this._data;
        }
    }

    public void handle(String str, Request request, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException, ServletException {
        if (!isStarted() || request.isHandled()) {
            return;
        }
        Subject subject = new Subject();
        AuthHandlerResponse authHandlerResponse = new AuthHandlerResponse(httpServletResponse);
        try {
            addX509ChainToSubject(httpServletRequest, subject);
            addOriginToSubject(httpServletRequest, subject);
            addAuthCredentialsToSubject(httpServletRequest, subject);
            addSpnegoCredentialsToSubject(request, httpServletRequest, subject);
            LoginReply login = this._loginStrategy.login(subject);
            subject = login.getSubject();
            Restriction concat = Restrictions.concat(new Restriction[]{this._doorRestriction, login.getRestriction()});
            httpServletRequest.setAttribute(DCACHE_SUBJECT_ATTRIBUTE, subject);
            httpServletRequest.setAttribute(DCACHE_RESTRICTION_ATTRIBUTE, concat);
            httpServletRequest.setAttribute(DCACHE_LOGIN_ATTRIBUTES, login.getLoginAttributes());
            Exception exc = (Exception) Subject.doAs(subject, () -> {
                try {
                    super.handle(str, request, httpServletRequest, authHandlerResponse);
                    return null;
                } catch (IOException | ServletException e) {
                    return e;
                }
            });
            if (exc != null) {
                Throwables.propagateIfInstanceOf(exc, IOException.class);
                Throwables.propagateIfInstanceOf(exc, ServletException.class);
                throw Throwables.propagate(exc);
            }
        } catch (PermissionDeniedCacheException e) {
            LOG.warn("{} for path {} and user {}", new Object[]{e.getMessage(), httpServletRequest.getPathInfo(), NetLoggerBuilder.describeSubject(subject)});
            authHandlerResponse.sendError(Subjects.isNobody(subject) ? 401 : 403);
            request.setHandled(true);
        } catch (CacheException e2) {
            LOG.error("Internal server error: {}", e2);
            authHandlerResponse.sendError(500);
            request.setHandled(true);
        }
    }

    private void addSpnegoCredentialsToSubject(Request request, HttpServletRequest httpServletRequest, Subject subject) {
        if (this._isSpnegoAuthenticationEnabled) {
            Authentication.Deferred authentication = request.getAuthentication();
            if (authentication instanceof Authentication.Deferred) {
                UserAuthentication authenticate = authentication.authenticate(httpServletRequest);
                if (authenticate instanceof UserAuthentication) {
                    subject.getPrincipals().add(new KerberosPrincipal(authenticate.getUserIdentity().getUserPrincipal().getName()));
                }
            }
        }
    }

    private void addX509ChainToSubject(HttpServletRequest httpServletRequest, Subject subject) throws CacheException {
        Object attribute = httpServletRequest.getAttribute(X509_CERTIFICATE_ATTRIBUTE);
        if (attribute instanceof X509Certificate[]) {
            try {
                subject.getPublicCredentials().add(this._cf.generateCertPath(Arrays.asList((X509Certificate[]) attribute)));
            } catch (CertificateException e) {
                throw new CacheException("Failed to generate X.509 certificate path: " + e.getMessage(), e);
            }
        }
    }

    private void addXForwardForAddresses(ImmutableList.Builder<InetAddress> builder, HttpServletRequest httpServletRequest) {
        String nullToEmpty = Strings.nullToEmpty(httpServletRequest.getHeader("X-Forwarded-For"));
        Stream map = Lists.reverse(Lists.newArrayList(Splitter.on(',').trimResults().omitEmptyStrings().split(nullToEmpty))).stream().map(str -> {
            try {
                return InetAddresses.forString(str);
            } catch (IllegalArgumentException e) {
                LOG.warn("Fail to parse \"{}\" in X-Forwarded-For header \"{}\": {}", new Object[]{str, nullToEmpty, e.getMessage()});
                return UNKNOWN_ADDRESS;
            }
        });
        builder.getClass();
        map.forEach((v1) -> {
            r1.add(v1);
        });
    }

    private void addOriginToSubject(HttpServletRequest httpServletRequest, Subject subject) {
        ImmutableList.Builder<InetAddress> builder = ImmutableList.builder();
        String remoteAddr = httpServletRequest.getRemoteAddr();
        try {
            builder.add(InetAddress.getByName(remoteAddr));
            addXForwardForAddresses(builder, httpServletRequest);
            subject.getPrincipals().add(new Origin(builder.build()));
        } catch (UnknownHostException e) {
            LOG.warn("Failed to resolve " + remoteAddr + ": " + e.getMessage());
        }
    }

    private void addAuthCredentialsToSubject(HttpServletRequest httpServletRequest, Subject subject) {
        if (this._isBasicAuthenticationEnabled) {
            Optional<AuthInfo> parseAuthenticationHeader = parseAuthenticationHeader(httpServletRequest);
            if (parseAuthenticationHeader.isPresent()) {
                AuthInfo authInfo = parseAuthenticationHeader.get();
                String scheme = authInfo.getScheme();
                boolean z = -1;
                switch (scheme.hashCode()) {
                    case 62970894:
                        if (scheme.equals("BASIC")) {
                            z = false;
                            break;
                        }
                        break;
                    case 1955264353:
                        if (scheme.equals("BEARER")) {
                            z = true;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case false:
                        try {
                            String str = new String(Base64.getDecoder().decode(authInfo.getData().getBytes(StandardCharsets.US_ASCII)), StandardCharsets.UTF_8);
                            int indexOf = str.indexOf(":");
                            if (indexOf >= 0) {
                                subject.getPrivateCredentials().add(new PasswordCredential(str.substring(0, indexOf), str.substring(indexOf + 1)));
                            } else {
                                subject.getPrincipals().add(new LoginNamePrincipal(str));
                            }
                            return;
                        } catch (IllegalArgumentException e) {
                            LOG.warn("Authentication Data in the header received is not Base64 encoded {}", httpServletRequest.getHeader("Authorization"));
                            return;
                        }
                    case true:
                        try {
                            subject.getPrivateCredentials().add(new BearerTokenCredential(authInfo.getData()));
                            return;
                        } catch (IllegalArgumentException e2) {
                            LOG.info("Bearer Token in invalid {}", httpServletRequest.getHeader("Authorization"));
                            return;
                        }
                    default:
                        LOG.debug("Unknown authentication scheme {}", authInfo.getScheme());
                        return;
                }
            }
        }
    }

    public String getRealm() {
        return this._realm;
    }

    public void setRealm(String str) {
        this._realm = str;
    }

    public void setReadOnly(boolean z) {
        this._doorRestriction = z ? Restrictions.readOnly() : Restrictions.none();
    }

    public void setEnableBasicAuthentication(boolean z) {
        this._isBasicAuthenticationEnabled = z;
    }

    public void setEnableSpnegoAuthentication(boolean z) {
        this._isSpnegoAuthenticationEnabled = z;
    }

    public void setLoginStrategy(LoginStrategy loginStrategy) {
        this._loginStrategy = loginStrategy;
    }

    private Optional<AuthInfo> parseAuthenticationHeader(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            LOG.debug("No credentials found in Authorization header");
            return Optional.empty();
        }
        if (header.length() == 0) {
            LOG.debug("Credentials in Authorization header are not-null, but are empty");
            return Optional.empty();
        }
        int indexOf = header.indexOf(" ");
        return Optional.of(new AuthInfo(indexOf >= 0 ? header.substring(0, indexOf).toUpperCase() : "BASIC", indexOf >= 0 ? header.substring(indexOf + 1) : header));
    }
}
