package com.bea.common.security.internal.service;

import com.bea.common.engine.ServiceConfigurationException;
import com.bea.common.engine.ServiceInitializationException;
import com.bea.common.engine.ServiceLifecycleSpi;
import com.bea.common.engine.Services;
import com.bea.common.logger.service.LoggerService;
import com.bea.common.logger.spi.LoggerSpi;
import com.bea.common.security.internal.utils.Delegator;
import com.bea.common.security.internal.utils.negotiate.NegotiateToken;
import com.bea.common.security.internal.utils.negotiate.SPNEGONegotiateToken;
import com.bea.common.security.service.ChallengeIdentityAssertionService;
import com.bea.common.security.service.Identity;
import com.bea.common.security.service.NegotiateIdentityAsserterService;
import com.bea.common.security.service.SessionService;
import com.bea.common.security.servicecfg.NegotiateIdentityAsserterServiceConfig;
import com.bea.security.utils.negotiate.CredentialObject;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.StringTokenizer;
import javax.security.auth.login.LoginException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import weblogic.security.spi.IdentityAssertionException;

/* loaded from: input_file:com/bea/common/security/internal/service/NegotiateIdentityAsserterServiceImpl.class */
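/**
 * Identity-assertion service implementing the HTTP {@code Negotiate} (SPNEGO) challenge/response
 * for one servlet request/response pair at a time.
 *
 * <p>Per request (see {@link NegotiateHandler#process()}):
 * <ol>
 *   <li>If the callback reports the caller as already authenticated, nothing is done.</li>
 *   <li>If the web application declares FORM auth and {@link #setFormBasedAuthEnabled} is
 *       {@code false}, the request is skipped.</li>
 *   <li>Without an {@code Authorization: Negotiate ...} header a 401 is sent carrying
 *       {@code WWW-Authenticate: Negotiate} (plus {@code Basic} when the web application lists
 *       BASIC auth, so clients without Negotiate support can fall back).</li>
 *   <li>With a SPNEGO token the token is passed to the {@link ChallengeIdentityAssertionService};
 *       an incomplete exchange gets another 401 with the server's challenge token, a completed one
 *       publishes the identity through the callback.</li>
 * </ol>
 *
 * <p>Negotiation state lives in the {@link HttpSession} under {@link #ATTRIBUTE_NEGOTIATING} and
 * {@link #ATTRIBUTE_CONTEXT}. Any assertion failure is logged at debug level only and the request
 * then continues down the filter chain without an asserted identity; downstream filters must not
 * assume this service has rejected bad tokens.
 *
 * <p>Debug logging never emits the value of credential-bearing headers ({@code Authorization},
 * {@code Proxy-Authorization}, {@code Cookie}); only the authentication scheme is logged.
 *
 * <p>Thread-safety: a fresh {@link NegotiateHandler} is created per {@link #process} call; the
 * service object itself only holds collaborators set in {@link #init} and the flag set by
 * {@link #setFormBasedAuthEnabled}.
 */
public class NegotiateIdentityAsserterServiceImpl implements ServiceLifecycleSpi, NegotiateIdentityAsserterService {
    private LoggerSpi logger;
    private ChallengeIdentityAssertionService ciaService;
    private SessionService sessionService;
    // When false, requests to web applications that declare FORM auth are skipped entirely.
    private boolean formBasedAuthEnabled;
    // Auth-method names as they appear in the callback's comma-separated web-app auth type.
    private static final String WEBAPP_AUTHBASIC_NAME = "BASIC";
    private static final String WEBAPP_AUTHFORM_NAME = "FORM";
    private static final String WEBAPP_AUTHCERT_NAME = "CLIENT_CERT";
    private static final String WEBAPP_AUTHDIGEST_NAME = "DIGEST";
    // Codes recorded in NegotiateHandler.webAppAuthTypes for the names above.
    private static final int WEBAPP_UNKNOWNAUTH = -1;
    private static final int WEBAPP_NOAUTH = 0;
    private static final int WEBAPP_AUTHBASIC = 1;
    private static final int WEBAPP_AUTHFORM = 2;
    private static final int WEBAPP_AUTHCERT = 3;
    private static final int WEBAPP_AUTHDIGEST = 4;
    // Session attribute set to Boolean.TRUE once an initial Negotiate challenge has been sent.
    private static final String ATTRIBUTE_NEGOTIATING = NegotiateIdentityAsserterServiceImpl.class.getName() + ".negotiateRequested";
    // Session attribute holding the in-progress ChallengeContext between round trips.
    private static final String ATTRIBUTE_CONTEXT = NegotiateIdentityAsserterServiceImpl.class.getName() + ".negotiateContext";
    private static final String HEADER_AUTHORIZATION = "Authorization";
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String BASIC = "Basic";
    private static final String NEGOTIATE = "Negotiate";
    // Placeholder written to the debug log instead of a credential-bearing header value.
    private static final String REDACTED = "<redacted>";

    /**
     * Callback used when the caller supplies none: the session is the sole source of truth for
     * "already authenticated" and the sink for the asserted identity.
     */
    /* loaded from: input_file:com/bea/common/security/internal/service/NegotiateIdentityAsserterServiceImpl$DefaultNegotiateIdentityAsserterCallback.class */
    private class DefaultNegotiateIdentityAsserterCallback implements NegotiateIdentityAsserterService.NegotiateIdentityAsserterCallback {
        private final HttpSession session;

        public DefaultNegotiateIdentityAsserterCallback(HttpSession httpSession) {
            this.session = httpSession;
        }

        /** Always {@code null}: the default callback declares no web-app auth type. */
        @Override // com.bea.common.security.service.NegotiateIdentityAsserterService.NegotiateIdentityAsserterCallback
        public String getWebAppAuthType(HttpServletRequest httpServletRequest) {
            return null;
        }

        /** True when the session service already holds an identity for this session. */
        @Override // com.bea.common.security.service.NegotiateIdentityAsserterService.NegotiateIdentityAsserterCallback
        public boolean isAlreadyAuthenticated() {
            return NegotiateIdentityAsserterServiceImpl.this.sessionService.getIdentity(this.session) != null;
        }

        /** Stores the asserted identity in the session via the session service. */
        @Override // com.bea.common.security.service.NegotiateIdentityAsserterService.NegotiateIdentityAsserterCallback
        public void userAuthenticated(Identity identity, HttpServletRequest httpServletRequest) {
            NegotiateIdentityAsserterServiceImpl.this.sessionService.setIdentity(this.session, identity);
        }
    }

    /**
     * Per-request state machine for one Negotiate round trip. Not thread-safe; one instance is
     * created and discarded per {@link NegotiateIdentityAsserterServiceImpl#process} call.
     */
    /* loaded from: input_file:com/bea/common/security/internal/service/NegotiateIdentityAsserterServiceImpl$NegotiateHandler.class */
    private class NegotiateHandler {
        private final HttpServletRequest hreq;
        private final HttpServletResponse hres;
        private final HttpSession session;
        private final NegotiateIdentityAsserterService.NegotiateIdentityAsserterCallback callback;
        // True once an "Authorization: Negotiate ..." header has been seen on the request.
        private boolean hasAuthorizationHeader = false;
        // Parsed token from that header; null when absent or of an unsupported type.
        private NegotiateToken negotiateToken = null;
        // WEBAPP_* codes for the auth methods the web application declares.
        private final List<Integer> webAppAuthTypes = new ArrayList<Integer>();

        /**
         * @param httpServletRequest  the request; {@code getSession()} (no argument) is used, which
         *                            creates a session when the request has none
         * @param httpServletResponse the response the challenge is written to
         * @param negotiateIdentityAsserterCallback caller-supplied callback, or {@code null} to use
         *                            {@link DefaultNegotiateIdentityAsserterCallback}
         */
        public NegotiateHandler(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, NegotiateIdentityAsserterService.NegotiateIdentityAsserterCallback negotiateIdentityAsserterCallback) {
            this.hreq = httpServletRequest;
            this.hres = httpServletResponse;
            this.session = httpServletRequest.getSession();
            if (negotiateIdentityAsserterCallback == null) {
                this.callback = new DefaultNegotiateIdentityAsserterCallback(this.session);
            } else {
                this.callback = negotiateIdentityAsserterCallback;
            }
        }

        /**
         * Runs the Negotiate step for this request.
         *
         * @return {@code true} when a 401 challenge has been written and the filter chain must not
         *         be invoked; {@code false} when the request should continue down the chain
         *         (already authenticated, skipped, assertion completed, or assertion failed)
         */
        public boolean process() throws IOException, ServletException {
            if (this.callback.isAlreadyAuthenticated()) {
                return false;
            }
            updateWebAppAuthTypes();
            if (!NegotiateIdentityAsserterServiceImpl.this.formBasedAuthEnabled
                    && this.webAppAuthTypes.contains(WEBAPP_AUTHFORM)) {
                debug("WebApp uses FORM auth and Negotiate filter is configured to skip FORM auth requests");
                return false;
            }
            processHeaders();
            // A challenge was already sent on this session but the client did not answer it with
            // a usable Negotiate token: do not challenge again, let the chain handle the request.
            if (isNegotiating() && (!this.hasAuthorizationHeader || this.negotiateToken == null)) {
                debug("Request doesn't have Negotiate response, Negotiate filter ignoring");
                return false;
            }
            if (!this.hasAuthorizationHeader) {
                return sendInitialChallenge();
            }
            if (this.negotiateToken != null) {
                return assertChallengeContext();
            }
            return false;
        }

        private boolean isDebug() {
            return NegotiateIdentityAsserterServiceImpl.this.logger.isDebugEnabled();
        }

        private void debug(String message) {
            if (isDebug()) {
                NegotiateIdentityAsserterServiceImpl.this.logger.debug(message);
            }
        }

        private void debug(String message, Throwable cause) {
            if (isDebug()) {
                NegotiateIdentityAsserterServiceImpl.this.logger.debug(message, cause);
            }
        }

        /**
         * Dumps all request headers at debug level. Values of credential-bearing headers are
         * replaced by {@link #REDACTED} so tokens and session identifiers never reach the log.
         */
        private void logRequestHeaders() {
            if (!isDebug()) {
                return;
            }
            NegotiateIdentityAsserterServiceImpl.this.logger.debug("All request headers:");
            Enumeration<String> headerNames = this.hreq.getHeaderNames();
            if (headerNames == null) {
                NegotiateIdentityAsserterServiceImpl.this.logger.debug("No request header names were found");
                return;
            }
            while (headerNames.hasMoreElements()) {
                String headerName = headerNames.nextElement();
                if (headerName == null) {
                    NegotiateIdentityAsserterServiceImpl.this.logger.debug("  null headerName found");
                    continue;
                }
                String shownValue;
                if (isSensitiveHeader(headerName)) {
                    shownValue = REDACTED;
                } else {
                    String header = this.hreq.getHeader(headerName);
                    shownValue = header == null ? "" : header;
                }
                NegotiateIdentityAsserterServiceImpl.this.logger.debug("  Header: " + headerName + " : " + shownValue);
            }
        }

        /**
         * Scans every {@code Authorization} header for the {@code Negotiate} scheme and parses its
         * token. Sets {@link #hasAuthorizationHeader} when the scheme is present and
         * {@link #negotiateToken} when the token is of the supported (SPNEGO) type; the first
         * SPNEGO token wins and ends the scan. Only the scheme, never the token, is logged.
         */
        private void processHeaders() {
            logRequestHeaders();
            Enumeration<String> headers = this.hreq.getHeaders(HEADER_AUTHORIZATION);
            if (headers == null) {
                debug("Authorization Header not found.");
                return;
            }
            while (headers.hasMoreElements()) {
                String headerValue = headers.nextElement();
                if (headerValue == null) {
                    continue;
                }
                StringTokenizer tokens = new StringTokenizer(headerValue);
                // An empty or blank header has no scheme token; an unguarded nextToken() would
                // throw NoSuchElementException out of process() for any client sending one.
                if (!tokens.hasMoreTokens()) {
                    debug("    empty Authorization header, ignoring");
                    continue;
                }
                String scheme = tokens.nextToken();
                debug("    processing Authorization header with scheme: " + scheme);
                if (!NEGOTIATE.equalsIgnoreCase(scheme)) {
                    debug("Authorization header for " + scheme + " not supported by Negotiate filter, ignoring");
                    continue;
                }
                this.hasAuthorizationHeader = true;
                if (tokens.hasMoreTokens()) {
                    this.negotiateToken = NegotiateToken.getInstance(tokens.nextToken(), NegotiateIdentityAsserterServiceImpl.this.logger);
                }
                if (this.negotiateToken == null) {
                    continue;
                }
                // Token type 1 is the SPNEGO token (per the message below); the named constant
                // lives in NegotiateToken and is not visible here.
                if (this.negotiateToken.getTokenType() == 1) {
                    debug("Found Negotiate with SPNEGO token");
                    return;
                }
                if (isDebug()) {
                    NegotiateIdentityAsserterServiceImpl.this.logger.debug("Token not supported by Negotiate Filter, ignoring: " + this.negotiateToken.getTokenTypeName());
                }
                this.negotiateToken = null;
            }
        }

        /**
         * Adds {@code WWW-Authenticate: Basic} when the web application lists BASIC auth, so a
         * client that cannot do Negotiate has a fallback.
         */
        private void addBasicFallbackHeader() {
            if (this.webAppAuthTypes.contains(WEBAPP_AUTHBASIC)) {
                debug("Including header for basic auth for enabling fallback if negotiate not supported");
                this.hres.addHeader(HEADER_WWW_AUTHENTICATE, BASIC);
            }
        }

        /**
         * Sends the first 401 challenge and marks the session as negotiating.
         *
         * @return {@code true} when the challenge was written; {@code false} when the response was
         *         already committed or the challenge could not be prepared (logged at debug only)
         */
        private boolean sendInitialChallenge() throws IOException {
            if (this.hres.isCommitted()) {
                debug("Response was already committed, not responding with WWW-Authenticate: Negotiate");
                return false;
            }
            try {
                // Return value is unused; presumably a probe that the service can issue a Negotiate
                // challenge at all - an IdentityAssertionException here aborts the challenge.
                NegotiateIdentityAsserterServiceImpl.this.ciaService.getChallengeToken("WWW-Authenticate.Negotiate");
                debug("Unauthorized, sending WWW-Authenticate: Negotiate");
                this.session.setAttribute(ATTRIBUTE_NEGOTIATING, Boolean.TRUE);
                this.hres.addHeader(HEADER_WWW_AUTHENTICATE, NEGOTIATE);
                addBasicFallbackHeader();
                this.hres.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return true;
            } catch (IllegalStateException e) {
                // Invalidated session or a response that became committed meanwhile.
                debug("Failure setting session attribute or response", e);
                return false;
            } catch (IdentityAssertionException e2) {
                debug("Failure getting the initial Challenge Token", e2);
                return false;
            }
        }

        /**
         * Feeds the received SPNEGO token into a new or resumed {@code ChallengeContext}.
         *
         * @return {@code true} when a continuation challenge was written; {@code false} when the
         *         exchange completed, produced no context, or failed (failures are logged at debug
         *         level and the request continues without an asserted identity)
         */
        private boolean assertChallengeContext() throws IOException {
            ChallengeIdentityAssertionService.ChallengeContext challengeContext =
                    (ChallengeIdentityAssertionService.ChallengeContext) this.session.getAttribute(ATTRIBUTE_CONTEXT);
            try {
                if (challengeContext == null) {
                    challengeContext = NegotiateIdentityAsserterServiceImpl.this.ciaService.assertChallengeIdentity("Authorization.Negotiate", this.negotiateToken, null);
                } else {
                    challengeContext.continueChallengeIdentity("Authorization.Negotiate", this.negotiateToken, null);
                }
                if (challengeContext == null) {
                    debug("No ChallengeContext");
                    return false;
                }
                if (!challengeContext.hasChallengeIdentityCompleted()) {
                    return sendContinuationChallenge(challengeContext);
                }
                debug("Challenge Identity has completed");
                return publishIdentity(challengeContext);
            } catch (LoginException e2) {
                debug("Exception when asserting ChallengeIdentity", e2);
                return false;
            }
        }

        /**
         * Stores the in-progress context in the session and sends a 401 carrying the server's
         * challenge token.
         *
         * @return {@code true} when the challenge was written, {@code false} when the response was
         *         already committed
         */
        private boolean sendContinuationChallenge(ChallengeIdentityAssertionService.ChallengeContext challengeContext)
                throws IOException, LoginException {
            if (this.hres.isCommitted()) {
                debug("Unable to continue challenge, response already was committed");
                return false;
            }
            debug("continuing challenge, sending WWW-Authenticate: Negotiate");
            Object challengeToken = challengeContext.getChallengeToken();
            this.session.setAttribute(ATTRIBUTE_CONTEXT, challengeContext);
            this.hres.addHeader(HEADER_WWW_AUTHENTICATE, NEGOTIATE + " " + challengeToken);
            addBasicFallbackHeader();
            this.hres.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return true;
        }

        /**
         * Hands the completed identity to the callback, attaching a delegated credential when the
         * token carried one, and emits the trailing mutual-auth token when the context asked for it.
         *
         * @return always {@code false}: the request continues down the chain as the asserted user
         */
        private boolean publishIdentity(ChallengeIdentityAssertionService.ChallengeContext challengeContext)
                throws LoginException {
            try {
                Identity identity = challengeContext.getIdentity();
                // Only type-1 tokens survive processHeaders(), so this cast is expected to hold.
                SPNEGONegotiateToken spnegoToken = (SPNEGONegotiateToken) this.negotiateToken;
                CredentialObject delegatedCredential = spnegoToken.getDelegatedCredential();
                if (delegatedCredential != null) {
                    identity.getSubject().getPrivateCredentials().add(delegatedCredential);
                } else {
                    debug("No delegated subject was stored to the user identity.");
                }
                this.callback.userAuthenticated(challengeContext.getIdentity(), this.hreq);
                if (spnegoToken.getContextFlagMutual()) {
                    debug("Context was marked for mutual auth, looking for output token to send");
                    String outputToken = spnegoToken.getOutputToken();
                    if (outputToken != null) {
                        debug("Context was marked for mutual auth, sending trailing SPNEGO NegTokenTarg token in WWW-Authenticate: Negotiate");
                        // NOTE(review): the completed context stays in the session after this;
                        // confirm whether ATTRIBUTE_CONTEXT should be cleared once the identity
                        // has been published.
                        this.session.setAttribute(ATTRIBUTE_CONTEXT, challengeContext);
                        this.hres.addHeader(HEADER_WWW_AUTHENTICATE, NEGOTIATE + " " + outputToken);
                    } else {
                        debug("Mutual auth was indicated, but no trailing token was found to send. Initiator may reject results");
                    }
                } else {
                    debug("Mutual auth is not set, no trailing token needs to be sent");
                }
                return false;
            } catch (IllegalStateException e) {
                debug("Failed to get the authenticated subject", e);
                return false;
            }
        }

        /**
         * Records the web application's declared auth methods (a comma-separated list from the
         * callback) as WEBAPP_* codes; an empty or missing declaration records WEBAPP_NOAUTH.
         */
        private void updateWebAppAuthTypes() {
            String webAppAuthType = this.callback.getWebAppAuthType(this.hreq);
            if (webAppAuthType == null || webAppAuthType.isEmpty()) {
                debug("No auth type found for webapp");
                this.webAppAuthTypes.add(WEBAPP_NOAUTH);
                return;
            }
            for (String name : webAppAuthType.split(",")) {
                this.webAppAuthTypes.add(codeForAuthTypeName(name));
            }
        }

        /** Maps one declared auth-method name (exact, case-sensitive match) to its WEBAPP_* code. */
        private int codeForAuthTypeName(String name) {
            if (WEBAPP_AUTHFORM_NAME.equals(name)) {
                debug("FORM auth type found for webapp");
                return WEBAPP_AUTHFORM;
            }
            if (WEBAPP_AUTHBASIC_NAME.equals(name)) {
                debug("BASIC auth type found for webapp");
                return WEBAPP_AUTHBASIC;
            }
            if (WEBAPP_AUTHCERT_NAME.equals(name)) {
                debug("CERT auth type found for webapp");
                return WEBAPP_AUTHCERT;
            }
            if (WEBAPP_AUTHDIGEST_NAME.equals(name)) {
                debug("DIGEST auth type found for webapp");
                return WEBAPP_AUTHDIGEST;
            }
            debug("Auth type found for webapp didn't match known types: " + name);
            return WEBAPP_UNKNOWNAUTH;
        }

        /** True when an initial challenge has already been sent on this session. */
        private boolean isNegotiating() {
            Boolean negotiating = (Boolean) this.session.getAttribute(ATTRIBUTE_NEGOTIATING);
            debug("Negotiate filter:" + (negotiating == null ? " new session, no negotiation has started" : " existing session, negotiation was started"));
            return negotiating != null;
        }
    }

    /**
     * Headers whose values are credentials or session identifiers and must not be logged.
     *
     * @param headerName header name as received (compared case-insensitively)
     */
    private static boolean isSensitiveHeader(String headerName) {
        return HEADER_AUTHORIZATION.equalsIgnoreCase(headerName)
                || "Proxy-Authorization".equalsIgnoreCase(headerName)
                || "Cookie".equalsIgnoreCase(headerName);
    }

    /**
     * Wires the logger, challenge-identity-assertion service and session service from the
     * configuration.
     *
     * @param obj      expected to be a {@link NegotiateIdentityAsserterServiceConfig}
     * @param services registry the collaborators are looked up in
     * @return the service handed to the engine: a {@link Delegator} proxy around this instance
     * @throws ServiceConfigurationException when the config is missing/of the wrong type or a
     *         named collaborator cannot be found
     */
    @Override // com.bea.common.engine.ServiceLifecycleSpi
    public Object init(Object obj, Services services) throws ServiceInitializationException {
        this.logger = ((LoggerService) services.getService(LoggerService.SERVICE_NAME)).getLogger("com.bea.common.security.service.NegotiateIdentityAsserterService");
        String methodName = getClass().getName() + ".init()";
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(methodName);
        }
        // instanceof is false for null, so no separate null check is needed.
        if (!(obj instanceof NegotiateIdentityAsserterServiceConfig)) {
            throw new ServiceConfigurationException(ServiceLogger.getExpectedConfigurationNotSupplied(methodName, "NegotiateIdentityAsserterServiceConfig"));
        }
        NegotiateIdentityAsserterServiceConfig config = (NegotiateIdentityAsserterServiceConfig) obj;
        this.ciaService = (ChallengeIdentityAssertionService) safeGetService(services, config.getChallengeIdentityAssertionServiceName(), methodName);
        this.sessionService = (SessionService) safeGetService(services, config.getSessionServiceName(), methodName);
        return Delegator.getProxy(NegotiateIdentityAsserterService.class, this);
    }

    /**
     * Looks up a service by name, failing loudly instead of returning {@code null}.
     *
     * @param services    registry to query
     * @param serviceName name of the service to fetch
     * @param caller      description of the calling method, used in the error message
     * @throws ServiceConfigurationException when no service is registered under the name
     */
    private Object safeGetService(Services services, String serviceName, String caller) throws ServiceInitializationException {
        Object service = services.getService(serviceName);
        if (service == null) {
            throw new ServiceConfigurationException(ServiceLogger.getServiceNotFound(serviceName, caller));
        }
        return service;
    }

    /** Nothing to release; only logs the shutdown at debug level. */
    @Override // com.bea.common.engine.ServiceLifecycleSpi
    public void shutdown() {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(getClass().getName() + ".shutdown()");
        }
    }

    /**
     * Filter-style entry point. Non-HTTP request/response pairs are passed straight to the chain.
     * For HTTP pairs a {@link NegotiateHandler} runs; when it has written a challenge the chain is
     * not invoked, otherwise the request continues down the chain.
     *
     * @param negotiateIdentityAsserterCallback may be {@code null}; the session-backed default is
     *        then used
     */
    @Override // com.bea.common.security.service.NegotiateIdentityAsserterService
    public void process(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain, NegotiateIdentityAsserterService.NegotiateIdentityAsserterCallback negotiateIdentityAsserterCallback) throws IOException, ServletException {
        if (this.logger.isDebugEnabled()) {
            this.logger.debug("NegotiateIdentityAsserterServiceImpl.process() called");
        }
        if ((servletRequest instanceof HttpServletRequest) && (servletResponse instanceof HttpServletResponse)) {
            boolean challengeSent = new NegotiateHandler((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, negotiateIdentityAsserterCallback).process();
            if (challengeSent) {
                return;
            }
            callChain(servletRequest, servletResponse, filterChain);
        } else {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Not HTTP request/response Negotiate filter skipping");
            }
            callChain(servletRequest, servletResponse, filterChain);
        }
    }

    /**
     * Controls whether requests to web applications that declare FORM auth are processed
     * ({@code true}) or skipped ({@code false}).
     */
    @Override // com.bea.common.security.service.NegotiateIdentityAsserterService
    public void setFormBasedAuthEnabled(boolean z) {
        this.formBasedAuthEnabled = z;
    }

    /** Invokes the next filter when a chain was supplied; a {@code null} chain is only logged. */
    private void callChain(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (filterChain != null) {
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Passing to next filter in the chain");
            }
            filterChain.doFilter(servletRequest, servletResponse);
        } else if (this.logger.isDebugEnabled()) {
            this.logger.debug("No filter chain to pass to");
        }
    }
}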
