package com.feth.play.module.pa.providers.wwwauth.negotiate;

import com.feth.play.module.pa.exceptions.AuthException;
import com.feth.play.module.pa.providers.wwwauth.WWWAuthenticateProvider;
import com.feth.play.module.pa.user.AuthUser;
import com.ning.http.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import play.Application;
import play.Logger;
import play.core.enhancers.PropertiesEnhancer;
import play.mvc.Http;

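/**
 * Authentication provider that accepts SPNEGO tokens presented with the {@code Negotiate}
 * authentication scheme.
 *
 * <p>The Base64 token taken from the request is passed to JGSS with an acceptor credential.
 * Only a single-round exchange is handled: if the context is not established after the first
 * token the attempt is rejected, and any reply token JGSS produces for the peer is discarded.
 */
@PropertiesEnhancer.GeneratedAccessor
@PropertiesEnhancer.RewrittenAccessor
public class SpnegoAuthProvider extends WWWAuthenticateProvider {
    static final String PROVIDER_KEY = "spnego";

    /** Base64 encoding of the leading bytes of the {@code NTLMSSP} signature. */
    private static final String NTLMSSP_BASE64_PREFIX = "TlRMTVNTU";

    /**
     * OID of the SPNEGO pseudo-mechanism. It is {@code null} only when the JGSS implementation
     * refused to build it; {@link #authenticateResponse(String)} rejects every attempt then.
     */
    private static final Oid SPNEGO_MECH_OID = createSpnegoOid();

    /** Configuration keys read by this provider. */
    @PropertiesEnhancer.GeneratedAccessor
    @PropertiesEnhancer.RewrittenAccessor
    public static abstract class SettingKeys {
        public static final String REALM = "realm";
        public static final String KDC = "kdc";
    }

    /**
     * Creates the provider and, when both {@code realm} and {@code kdc} are configured,
     * publishes them as Kerberos system properties.
     *
     * @param application the Play application handed to the parent provider
     */
    public SpnegoAuthProvider(Application application) {
        super(application);
        final String realm = getConfiguration().getString(SettingKeys.REALM);
        final String kdc = getConfiguration().getString(SettingKeys.KDC);
        if (realm != null && kdc != null) {
            // System properties are JVM-wide: these values apply to every Kerberos
            // consumer in the process, not just to this provider.
            System.setProperty("java.security.krb5.realm", realm);
            System.setProperty("java.security.krb5.kdc", kdc);
        } else if (realm != null || kdc != null) {
            // Exactly one of the two was configured; neither is applied.
            Logger.error("Both realm and kdc must be given, falling back to krb5.conf");
        }
    }

    /** Returns the authentication scheme name handled by this provider. */
    @Override
    protected String authScheme() {
        return "Negotiate";
    }

    /**
     * Returns the challenge data for the given request context.
     *
     * @param context the current HTTP context (unused)
     * @return always {@code null}; presumably the parent then sends the bare scheme name
     *     (verify against {@code WWWAuthenticateProvider})
     */
    @Override
    protected String challenge(Http.Context context) {
        return null;
    }

    /**
     * Builds the user object for an established security context.
     *
     * @param gSSContext the established acceptor context
     * @return the user, or {@code null} when {@code SpnegoAuthUser} construction fails with a
     *     {@link GSSException}
     */
    protected AuthUser makeAuthUser(GSSContext gSSContext) {
        try {
            return new SpnegoAuthUser(gSSContext);
        } catch (GSSException e) {
            Logger.warn("Error creating SpnegoAuthUser", e);
            return null;
        }
    }

    /**
     * Validates the Base64 token supplied by the client and returns the authenticated user.
     *
     * @param str the Base64 token taken from the request; treated as untrusted input
     * @return the authenticated user, or {@code null} when the token is an NTLMSSP message or
     *     the user object could not be built
     * @throws AuthException if the token is missing or empty, the SPNEGO mechanism is
     *     unavailable, the context is not established after one round, or JGSS reports an error
     */
    @Override
    protected AuthUser authenticateResponse(String str) throws AuthException {
        if (str == null || str.isEmpty()) {
            // Fail closed with the declared exception instead of a NullPointerException.
            throw new AuthException("Missing SPNEGO token");
        }
        if (str.startsWith(NTLMSSP_BASE64_PREFIX)) {
            Logger.warn("Discarding deprecated NTLMSSP authentication attempt");
            return null;
        }
        if (SPNEGO_MECH_OID == null) {
            // A null mechanism would make JGSS pick its default mechanism silently;
            // refuse rather than authenticate with something other than SPNEGO.
            throw new AuthException("SPNEGO mechanism is not available");
        }
        // NOTE(review): confirm how Base64.decode reports malformed input; only a null or
        // empty result is handled here.
        final byte[] token = Base64.decode(str);
        if (token == null || token.length == 0) {
            throw new AuthException("Malformed SPNEGO token");
        }

        GSSContext context = null;
        boolean handedOff = false;
        try {
            final GSSManager manager = GSSManager.getInstance();
            context = manager.createContext(
                    manager.createCredential(
                            (GSSName) null,
                            GSSCredential.DEFAULT_LIFETIME,
                            SPNEGO_MECH_OID,
                            GSSCredential.ACCEPT_ONLY));
            final byte[] replyToken = context.acceptSecContext(token, 0, token.length);
            if (!context.isEstablished()) {
                throw new AuthException("Couldn't establish GSS context");
            }
            if (replyToken != null) {
                // The reply token is never returned to the client, so a client that asked
                // for mutual authentication cannot verify this server.
                Logger.warn("Ignoring token for peer");
            }
            Logger.debug("Authenticated " + context.getSrcName() + " with " + context.getTargName());
            // From here on the context belongs to makeAuthUser and whatever it creates.
            // NOTE(review): nothing visible here disposes the context or the acceptor
            // credential after a successful login - confirm who owns them.
            handedOff = true;
            return makeAuthUser(context);
        } catch (GSSException e) {
            // NOTE(review): the GSSException text is part of the message; confirm that
            // AuthException messages are not rendered to the unauthenticated client.
            throw new AuthException("SPNEGO authentication failed: " + e);
        } finally {
            if (!handedOff) {
                // Rejected attempts must not leave contexts behind.
                disposeQuietly(context);
            }
        }
    }

    /** Returns the key under which this provider is registered. */
    @Override
    public String getKey() {
        return PROVIDER_KEY;
    }

    /** Releases a context that was never handed to a user object; failures are only logged. */
    private static void disposeQuietly(GSSContext context) {
        if (context == null) {
            return;
        }
        try {
            context.dispose();
        } catch (GSSException e) {
            Logger.warn("Error disposing GSS context", e);
        }
    }

    /** Builds the SPNEGO mechanism OID, logging and returning {@code null} on failure. */
    private static Oid createSpnegoOid() {
        try {
            return new Oid("1.3.6.1.5.5.2");
        } catch (GSSException e) {
            Logger.error("SPNEGO Oid is undefined");
            return null;
        }
    }
}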
