package com.zimbra.cs.service.authenticator;

import com.zimbra.common.account.Key;
import com.zimbra.common.account.ZAttrProvisioning;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.StringUtil;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.Domain;
import com.zimbra.cs.account.GuestAccount;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.krb5.Krb5Principal;
import com.zimbra.cs.service.authenticator.SSOAuthenticator;
import com.zimbra.cs.servlet.util.AuthUtil;
import java.io.IOException;
import java.net.MalformedURLException;
import java.security.Principal;
import java.util.Arrays;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.security.SpnegoLoginService;
import org.eclipse.jetty.security.SpnegoUserIdentity;
import org.eclipse.jetty.security.SpnegoUserPrincipal;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.UserIdentity;

/* loaded from: input_file:com/zimbra/cs/service/authenticator/SpnegoAuthenticator.class */
public class SpnegoAuthenticator extends SSOAuthenticator {
    private SpnegoLoginService spnegoUserRealm;
    private String error401Page;

    /* loaded from: input_file:com/zimbra/cs/service/authenticator/SpnegoAuthenticator$MockSpnegoUser.class */
    private static class MockSpnegoUser implements Principal {
        String name;
        String token;

        private static SSOAuthenticator.ZimbraPrincipal getMockPrincipal() throws IOException {
            SSOAuthenticator.ZimbraPrincipal zimbraPrincipal = null;
            try {
                zimbraPrincipal = new SSOAuthenticator.ZimbraPrincipal(new MockSpnegoUser("spnego@SPNEGO.LOCAL", "blah").getName(), GuestAccount.ANONYMOUS_ACCT);
            } catch (ServiceException e) {
            }
            return zimbraPrincipal;
        }

        MockSpnegoUser(String str, String str2) {
            this.name = str;
            this.token = str2;
        }

        @Override // java.security.Principal
        public String getName() {
            return this.name;
        }

        public String getToken() {
            return this.token;
        }
    }

    public SpnegoAuthenticator(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SpnegoLoginService spnegoLoginService) {
        super(httpServletRequest, httpServletResponse);
        this.spnegoUserRealm = spnegoLoginService;
    }

    public SpnegoAuthenticator(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SpnegoLoginService spnegoLoginService, String str) {
        this(httpServletRequest, httpServletResponse, spnegoLoginService);
        this.error401Page = str;
    }

    @Override // com.zimbra.cs.service.authenticator.SSOAuthenticator
    public String getAuthType() {
        return "Spnego";
    }

    @Override // com.zimbra.cs.service.authenticator.SSOAuthenticator
    public SSOAuthenticator.ZimbraPrincipal authenticate() throws ServiceException {
        Request request = this.req instanceof Request ? (Request) this.req : null;
        if (request == null) {
            throw ServiceException.FAILURE("not supported", (Throwable) null);
        }
        return getPrincipal(request);
    }

    private SSOAuthenticator.ZimbraPrincipal getPrincipal(Request request) throws ServiceException {
        try {
            SSOAuthenticator.ZimbraPrincipal authenticate = authenticate(this.spnegoUserRealm, request, this.resp);
            if (authenticate == null) {
                throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("spnego authenticate failed", (Throwable) null);
            }
            return authenticate;
        } catch (IOException e) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("spnego authenticate failed", e);
        }
    }

    private Account getAccountByPrincipal(Principal principal) throws ServiceException {
        Domain domainByKrb5Principal;
        String name = principal.getName();
        Provisioning provisioning = Provisioning.getInstance();
        Account account = provisioning.get(Key.AccountBy.krb5Principal, name);
        if (account == null && (domainByKrb5Principal = Krb5Principal.getDomainByKrb5Principal(name)) != null) {
            account = provisioning.autoProvAccountLazy(domainByKrb5Principal, name, null, ZAttrProvisioning.AutoProvAuthMech.SPNEGO);
        }
        return account;
    }

    private SSOAuthenticator.ZimbraPrincipal authenticate(LoginService loginService, Request request, HttpServletResponse httpServletResponse) throws ServiceException, IOException {
        String header = request.getHeader(HttpHeader.AUTHORIZATION.toString());
        if (header == null) {
            sendChallenge(loginService, request, httpServletResponse);
            throw SSOAuthenticator.SSOAuthenticatorServiceException.SENT_CHALLENGE();
        }
        if (header == null || !header.startsWith(HttpHeader.NEGOTIATE.toString())) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: authentication failed, unknown header (browser is likely misconfigured for SPNEGO)", (Throwable) null);
        }
        UserIdentity login = loginService.login((String) null, header.substring(10), request);
        if (login == null) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: unable to login", (Throwable) null);
        }
        SpnegoUserPrincipal userPrincipal = login.getUserPrincipal();
        if (userPrincipal == null) {
            ZimbraLog.account.debug("SpengoAuthenticator: no user found, authentication failed");
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: no user found, authentication failed", (Throwable) null);
        }
        ZimbraLog.account.debug("SpengoAuthenticator: obtained principal: " + userPrincipal.getName());
        SSOAuthenticator.ZimbraPrincipal zimbraPrincipal = new SSOAuthenticator.ZimbraPrincipal(userPrincipal.getName(), getAccountByPrincipal(userPrincipal));
        String name = userPrincipal.getName();
        request.setAuthentication(new UserAuthentication(getAuthType(), new SpnegoUserIdentity(login.getSubject(), zimbraPrincipal, Arrays.asList(name.substring(name.indexOf(64) + 1)))));
        httpServletResponse.addHeader(HttpHeader.WWW_AUTHENTICATE.toString(), HttpHeader.NEGOTIATE.toString() + " " + userPrincipal.getToken());
        return zimbraPrincipal;
    }

    public void sendChallenge(LoginService loginService, Request request, HttpServletResponse httpServletResponse) throws IOException {
        ZimbraLog.account.debug("SpengoAuthenticator: sending challenge");
        httpServletResponse.setHeader(HttpHeader.WWW_AUTHENTICATE.toString(), HttpHeader.NEGOTIATE.toString());
        try {
            String spnegoAuthErrorURL = Provisioning.getInstance().getConfig().getSpnegoAuthErrorURL();
            httpServletResponse.setStatus(401);
            if (!StringUtil.isNullOrEmpty(spnegoAuthErrorURL)) {
                request.setAttribute("spnego.auto.redirect", true);
            }
            if (StringUtil.isNullOrEmpty(this.error401Page)) {
                httpServletResponse.sendError(401);
            } else {
                request.setAttribute("spnego.redirect.url", getErrorRedirectUrl(request));
                request.getRequestDispatcher(this.error401Page).forward(request, httpServletResponse);
            }
        } catch (Exception e) {
            httpServletResponse.sendError(401);
        }
    }

    private String getErrorRedirectUrl(HttpServletRequest httpServletRequest) throws ServiceException, MalformedURLException {
        String spnegoAuthErrorURL = Provisioning.getInstance().getConfig().getSpnegoAuthErrorURL();
        if (spnegoAuthErrorURL == null) {
            String redirectURL = AuthUtil.getRedirectURL(httpServletRequest, Provisioning.getInstance().getLocalServer(), AuthUtil.isAdminRequest(httpServletRequest), true);
            spnegoAuthErrorURL = (redirectURL.endsWith("/") ? redirectURL : redirectURL + "/") + AuthUtil.IGNORE_LOGIN_URL;
        }
        return spnegoAuthErrorURL;
    }
}
