package com.zimbra.cs.service.authenticator;

import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.ZimbraLog;
import com.zimbra.cs.account.Account;
import com.zimbra.cs.account.AccountServiceException;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.service.authenticator.SSOAuthenticator;
import com.zimbra.cs.servlet.util.AuthUtil;
import java.io.IOException;
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.mortbay.jetty.Request;
import org.mortbay.jetty.security.SpnegoUserRealm;
import org.mortbay.jetty.security.UserRealm;

/* loaded from: input_file:com/zimbra/cs/service/authenticator/SpnegoAuthenticator.class */
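/**
 * SSO authenticator that performs HTTP Negotiate (SPNEGO) authentication against a Jetty
 * {@link SpnegoUserRealm} and maps the resulting Kerberos principal to a Zimbra account.
 *
 * <p>The {@code Authorization} header is attacker-controlled input. It is validated for shape
 * here before the token is handed to the realm; the realm is what actually verifies the token.
 */
public class SpnegoAuthenticator extends SSOAuthenticator {
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String NEGOTIATE = "Negotiate";
    /** Scheme name plus the single separating space that precedes the token. */
    private static final String NEGOTIATE_PREFIX = NEGOTIATE + " ";

    private final SpnegoUserRealm spnegoUserRealm;

    /**
     * Fixed-value principal stub. Nothing in this class calls {@link #getMockPrincipal()}.
     *
     * NOTE(review): it carries a hard-coded name and token and looks like leftover test
     * scaffolding; confirm it can never be substituted for a realm-verified principal.
     */
    private static class MockSpnegoUser implements Principal {
        private final String name;
        private final String token;

        private static MockSpnegoUser getMockPrincipal() throws IOException {
            return new MockSpnegoUser("spnego@SPNEGO.LOCAL", "blah");
        }

        MockSpnegoUser(String str, String str2) {
            this.name = str;
            this.token = str2;
        }

        @Override // java.security.Principal
        public String getName() {
            return this.name;
        }

        public String getToken() {
            return this.token;
        }
    }

    /**
     * @param httpServletRequest  request being authenticated
     * @param httpServletResponse response used for the challenge and the reply token
     * @param spnegoUserRealm     realm that validates the Negotiate token
     */
    public SpnegoAuthenticator(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, SpnegoUserRealm spnegoUserRealm) {
        super(httpServletRequest, httpServletResponse);
        this.spnegoUserRealm = spnegoUserRealm;
    }

    @Override // com.zimbra.cs.service.authenticator.SSOAuthenticator
    public String getAuthType() {
        return "Spnego";
    }

    /**
     * Authenticates the current request and installs the resulting principal on it.
     *
     * @return the principal wrapping the Kerberos name and the account looked up for it
     * @throws ServiceException if the request is not a Jetty {@link Request}, if a challenge was
     *         sent instead of authenticating, or if authentication failed
     */
    @Override // com.zimbra.cs.service.authenticator.SSOAuthenticator
    public SSOAuthenticator.ZimbraPrincipal authenticate() throws ServiceException {
        if (!(this.req instanceof Request)) {
            throw ServiceException.FAILURE("not supported", (Throwable) null);
        }
        Request request = (Request) this.req;
        Principal principal = getPrincipal(request);
        // NOTE(review): the account lookup result is passed on without a null check; confirm that
        // ZimbraPrincipal or its consumers reject a Kerberos principal with no matching account.
        SSOAuthenticator.ZimbraPrincipal zimbraPrincipal = new SSOAuthenticator.ZimbraPrincipal(principal.getName(), getAccountByPrincipal(principal));
        request.setUserPrincipal(zimbraPrincipal);
        return zimbraPrincipal;
    }

    /**
     * Runs the Negotiate exchange and converts a null result or an I/O failure into AUTH_FAILED.
     */
    private Principal getPrincipal(Request request) throws ServiceException {
        try {
            Principal authenticated = authenticate(this.spnegoUserRealm, request, this.resp);
            if (authenticated == null) {
                throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("spnego authenticate failed", (Throwable) null);
            }
            return authenticated;
        } catch (IOException e) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("spnego authenticate failed", e);
        }
    }

    /** Looks up the account whose krb5Principal matches the principal's name. */
    private Account getAccountByPrincipal(Principal principal) throws ServiceException {
        return Provisioning.getInstance().get(Provisioning.AccountBy.krb5Principal, principal.getName());
    }

    /**
     * Extracts the token from an {@code Authorization: Negotiate <token>} header value.
     *
     * @return the trimmed token, or {@code null} when the value is not the Negotiate scheme
     *         followed by a space and a non-empty token
     */
    private static String extractNegotiateToken(String header) {
        // A bare "Negotiate" or a "NegotiateXYZ" value must not reach substring(): the former
        // would raise StringIndexOutOfBoundsException, the latter would yield a bogus token.
        if (!header.startsWith(NEGOTIATE_PREFIX)) {
            return null;
        }
        String token = header.substring(NEGOTIATE_PREFIX.length()).trim();
        return token.isEmpty() ? null : token;
    }

    /**
     * Performs one step of the Negotiate exchange.
     *
     * <p>With no {@code Authorization} header a 401 challenge is sent and SENT_CHALLENGE is
     * thrown. A malformed header is rejected with AUTH_FAILED before the realm is consulted.
     *
     * @return the principal returned by the realm
     * @throws ServiceException on challenge, malformed header, or failed authentication
     * @throws IOException if sending the challenge fails
     */
    private Principal authenticate(UserRealm userRealm, Request request, HttpServletResponse httpServletResponse) throws ServiceException, IOException {
        String header = request.getHeader(AUTHORIZATION_HEADER);
        if (header == null) {
            sendChallenge(userRealm, request, httpServletResponse);
            throw SSOAuthenticator.SSOAuthenticatorServiceException.SENT_CHALLENGE();
        }
        String token = extractNegotiateToken(header);
        if (token == null) {
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: authentication failed, unknown header (browser is likely misconfigured for SPNEGO)", (Throwable) null);
        }
        SpnegoUserRealm.SpnegoUser user = userRealm.authenticate(token, (Object) null, request);
        if (user == null) {
            ZimbraLog.account.debug("SpengoAuthenticator: no user found, authentication failed");
            throw AccountServiceException.AuthFailedServiceException.AUTH_FAILED("SpengoAuthenticator: no user found, authentication failed", (Throwable) null);
        }
        ZimbraLog.account.debug("SpengoAuthenticator: obtained principal: " + user.getName());
        request.setAuthType(getAuthType());
        // Return the realm's reply token to the client in the response header.
        httpServletResponse.addHeader(AuthUtil.WWW_AUTHENTICATE_HEADER, NEGOTIATE + " " + user.getToken());
        return user;
    }

    /**
     * Sends a 401 response carrying a {@code Negotiate} challenge header.
     *
     * @param userRealm           unused
     * @param request             unused
     * @param httpServletResponse response that receives the challenge
     * @throws IOException if the error response cannot be sent
     */
    public void sendChallenge(UserRealm userRealm, Request request, HttpServletResponse httpServletResponse) throws IOException {
        ZimbraLog.account.debug("SpengoAuthenticator: sending challenge");
        httpServletResponse.setHeader(AuthUtil.WWW_AUTHENTICATE_HEADER, NEGOTIATE);
        httpServletResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}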
