package org.eclipse.jetty.ee8.security.authentication;

import java.io.IOException;
import java.io.Serializable;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.ee8.nested.Authentication;
import org.eclipse.jetty.ee8.nested.Request;
import org.eclipse.jetty.ee8.nested.SessionHandler;
import org.eclipse.jetty.ee8.security.ServerAuthException;
import org.eclipse.jetty.ee8.security.UserAuthentication;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.HttpMethod;
import org.eclipse.jetty.security.RoleDelegateUserIdentity;
import org.eclipse.jetty.security.SPNEGOUserPrincipal;
import org.eclipse.jetty.security.UserIdentity;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/jetty/ee8/security/authentication/ConfigurableSpnegoAuthenticator.class */
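/**
 * Authenticator for the SPNEGO ("Negotiate") HTTP authentication scheme.
 *
 * <p>A token taken from the {@code Authorization} request header is passed to the configured
 * login service. Depending on the outcome the client receives a challenge, an intermediate
 * token, or is treated as authenticated.
 *
 * <p>Security-relevant behaviour of the authentication duration:
 * <ul>
 *   <li>Negative (the default, {@code -1ns}): the established identity is never cached in the
 *       HTTP session, so every request must carry a token.</li>
 *   <li>Zero: the identity is cached and this class never considers it expired; its lifetime is
 *       then bounded only by the session itself.</li>
 *   <li>Positive: the cached identity expires after the given duration, but only {@code GET}
 *       requests are re-challenged. A request using any other method is still accepted with the
 *       expired identity, so the duration is not a hard limit; session timeout and
 *       invalidation remain the effective bound.</li>
 * </ul>
 */
public class ConfigurableSpnegoAuthenticator extends LoginAuthenticator {
    private static final Logger LOG = LoggerFactory.getLogger(ConfigurableSpnegoAuthenticator.class);
    private final String _authMethod;
    private Duration _authenticationDuration;

    /**
     * Session attribute value that remembers an established identity and when it was stored.
     *
     * <p>Both fields are {@code transient}: a holder restored from a serialized session has a
     * {@code null} identity, which {@link #validateRequest} treats as "no cached identity".
     */
    private static class UserIdentityHolder implements Serializable {
        private static final String ATTRIBUTE = UserIdentityHolder.class.getName();
        // Start of the validity window; compared against the authentication duration.
        private final transient Instant _validFrom = Instant.now();
        private final transient UserIdentity _userIdentity;

        private UserIdentityHolder(UserIdentity userIdentity) {
            this._userIdentity = userIdentity;
        }
    }

    /** Creates an authenticator that reports {@code "SPNEGO"} as its authentication method. */
    public ConfigurableSpnegoAuthenticator() {
        this("SPNEGO");
    }

    /**
     * Creates an authenticator with a custom authentication method name.
     *
     * @param str the name returned by {@link #getAuthMethod()}
     */
    public ConfigurableSpnegoAuthenticator(String str) {
        // Negative duration: identities are not cached in the session by default.
        this._authenticationDuration = Duration.ofNanos(-1L);
        this._authMethod = str;
    }

    /** @return the authentication method name given at construction */
    @Override // org.eclipse.jetty.ee8.security.Authenticator
    public String getAuthMethod() {
        return this._authMethod;
    }

    /** @return how long a session-cached identity is considered valid; see the class comment */
    public Duration getAuthenticationDuration() {
        return this._authenticationDuration;
    }

    /**
     * Sets how long a session-cached identity is considered valid.
     *
     * @param duration negative to disable caching, zero for no expiry, positive for a limit;
     *     must not be {@code null} because {@link #validateRequest} dereferences it
     */
    public void setAuthenticationDuration(Duration duration) {
        this._authenticationDuration = duration;
    }

    /**
     * Runs the login service with the SPNEGO token and renews the session on success.
     *
     * @param str the user name (passed as {@code null} by {@link #validateRequest})
     * @param obj the credentials, here the SPNEGO token
     * @param servletRequest the current request
     * @return the identity from the login service, or {@code null} when there is no base
     *     request or the login service returned none; the identity may not be established yet
     */
    @Override // org.eclipse.jetty.ee8.security.authentication.LoginAuthenticator
    public UserIdentity login(String str, Object obj, ServletRequest servletRequest) {
        Request baseRequest = Request.getBaseRequest(servletRequest);
        if (baseRequest == null) {
            return null;
        }
        RoleDelegateUserIdentity identity = (RoleDelegateUserIdentity) this._loginService.login(
            str, obj, baseRequest.getCoreRequest(), SessionHandler.ServletSessionApi.getOrCreateSession(servletRequest));
        // The session is renewed only once the negotiation has completed, not on intermediate
        // rounds. NOTE(review): renewSession is inherited; presumably it guards against
        // session fixation - confirm in LoginAuthenticator.
        if (identity != null && identity.isEstablished()) {
            renewSession(baseRequest, baseRequest.getResponse());
        }
        return identity;
    }

    /**
     * Authenticates a request from its SPNEGO token or from an identity cached in the session.
     *
     * @param servletRequest the request, expected to be an {@link HttpServletRequest}
     * @param servletResponse the response, expected to be an {@link HttpServletResponse}
     * @param z whether authentication is mandatory; when {@code false} a
     *     {@link DeferredAuthentication} is returned without inspecting the request
     * @return the authentication state for this request
     * @throws ServerAuthException if the challenge cannot be written to the response
     */
    @Override // org.eclipse.jetty.ee8.security.Authenticator
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
        if (!z) {
            return new DeferredAuthentication(this);
        }
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        String header = httpRequest.getHeader(HttpHeader.AUTHORIZATION.asString());
        String spnegoToken = getSpnegoToken(header);
        HttpSession session = httpRequest.getSession(false);

        if (header == null || spnegoToken == null) {
            // No token on this request: fall back to an identity cached in the session.
            if (session != null) {
                UserIdentityHolder holder = (UserIdentityHolder) session.getAttribute(UserIdentityHolder.ATTRIBUTE);
                UserIdentity cachedIdentity = holder == null ? null : holder._userIdentity;
                if (cachedIdentity != null) {
                    Duration authenticationDuration = getAuthenticationDuration();
                    if (!authenticationDuration.isNegative()) {
                        boolean expired = !authenticationDuration.isZero()
                            && Instant.now().isAfter(holder._validFrom.plus(authenticationDuration));
                        // Only GET requests are re-challenged after expiry; every other
                        // method is still accepted with the expired identity.
                        if (!expired || !HttpMethod.GET.is(httpRequest.getMethod())) {
                            return new UserAuthentication(getAuthMethod(), cachedIdentity);
                        }
                    }
                }
            }
            if (DeferredAuthentication.isDeferred(httpResponse)) {
                return Authentication.UNAUTHENTICATED;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Sending initial challenge");
            }
            sendChallenge(httpResponse, null);
            return Authentication.SEND_CONTINUE;
        }

        RoleDelegateUserIdentity identity = (RoleDelegateUserIdentity) login(null, spnegoToken, httpRequest);
        if (identity == null) {
            // login() returns null when there is no base request or the login service yields
            // no identity. Fail closed with a fresh challenge instead of dereferencing null.
            if (DeferredAuthentication.isDeferred(httpResponse)) {
                return Authentication.UNAUTHENTICATED;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Login returned no identity, sending initial challenge");
            }
            sendChallenge(httpResponse, null);
            return Authentication.SEND_CONTINUE;
        }
        if (!identity.isEstablished()) {
            // Negotiation needs another round trip: return the server's token to the client.
            if (DeferredAuthentication.isDeferred(httpResponse)) {
                return Authentication.UNAUTHENTICATED;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("Sending intermediate challenge");
            }
            sendChallenge(httpResponse, ((SPNEGOUserPrincipal) identity.getUserPrincipal()).getEncodedToken());
            return Authentication.SEND_CONTINUE;
        }
        if (!DeferredAuthentication.isDeferred(httpResponse)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Sending final token");
            }
            setSpnegoToken(httpResponse, ((SPNEGOUserPrincipal) identity.getUserPrincipal()).getEncodedToken());
        }
        if (!getAuthenticationDuration().isNegative()) {
            // Caching is enabled: remember the identity so later requests may omit the token.
            if (session == null) {
                session = httpRequest.getSession(true);
            }
            session.setAttribute(UserIdentityHolder.ATTRIBUTE, new UserIdentityHolder(identity));
        }
        return new UserAuthentication(getAuthMethod(), identity);
    }

    /**
     * Writes a {@code WWW-Authenticate} challenge and a 401 status to the response.
     *
     * @param httpServletResponse the response to write to
     * @param str the server token to include, or {@code null} for a bare challenge
     * @throws ServerAuthException if sending the error status fails
     */
    private void sendChallenge(HttpServletResponse httpServletResponse, String str) throws ServerAuthException {
        try {
            setSpnegoToken(httpServletResponse, str);
            httpServletResponse.sendError(401);
        } catch (IOException e) {
            throw new ServerAuthException(e);
        }
    }

    /**
     * Sets the {@code WWW-Authenticate} header to the Negotiate scheme, followed by the token
     * when one is given.
     */
    private void setSpnegoToken(HttpServletResponse httpServletResponse, String str) {
        String value = HttpHeader.NEGOTIATE.asString();
        if (str != null) {
            value = value + " " + str;
        }
        httpServletResponse.setHeader(HttpHeader.WWW_AUTHENTICATE.asString(), value);
    }

    /**
     * Extracts the token from an {@code Authorization} header value.
     *
     * @param str the header value, possibly {@code null}
     * @return the trimmed text after the scheme name, or {@code null} when the header is
     *     absent or does not start with the Negotiate scheme (compared case-insensitively)
     */
    private String getSpnegoToken(String str) {
        if (str == null) {
            return null;
        }
        String scheme = HttpHeader.NEGOTIATE.asString() + " ";
        if (!str.regionMatches(true, 0, scheme, 0, scheme.length())) {
            return null;
        }
        return str.substring(scheme.length()).trim();
    }

    /** Always returns {@code true}; this authenticator does no work on the response here. */
    @Override // org.eclipse.jetty.ee8.security.Authenticator
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication.User user) {
        return true;
    }
}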
