package ru.org.openam.auth.modules;

import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.HttpCallback;
import com.sun.identity.shared.datastruct.CollectionHelper;
import java.io.IOException;
import java.lang.reflect.Field;
import java.security.Principal;
import java.security.SecureRandom;
import java.text.MessageFormat;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import jcifs.ntlmssp.Type1Message;
import jcifs.ntlmssp.Type2Message;
import jcifs.ntlmssp.Type3Message;
import jcifs.util.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.hc.client5.http.auth.StandardAuthScheme;
import org.ntlmv2.liferay.NtlmManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/ntlm-14.8.1.0-classes.jar:ru/org/openam/auth/modules/Ntlm.class */
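/**
 * OpenAM login module that authenticates a browser with the NTLM challenge/response
 * handshake (sent either as {@code Authorization: NTLM ...} or as a raw NTLMSSP token
 * inside {@code Authorization: Negotiate ...}).
 *
 * <p>The handshake spans two requests: a type-1 token is answered with a server
 * challenge carried in a type-2 token (the challenge is parked in the HTTP session),
 * and the following type-3 token is verified against that challenge by the shared
 * {@link NtlmManager}. The challenge is single-use and removed from the session as
 * soon as the type-3 token has been checked, whatever the outcome.
 */
public class Ntlm extends AMLoginModule {
    public static Logger logger = LoggerFactory.getLogger((Class<?>) Ntlm.class);
    // Looked up reflectively in the static initializer; not referenced by this class's own methods.
    static Field AMIdentity_isSharedStateField;
    // Shared authenticator, (re)built by init() when the module settings change.
    // volatile so process() on another thread sees the instance init() published.
    public static volatile NtlmManager ntlmManager = null;
    Principal userPrincipal = null;
    public String schema = StandardAuthScheme.NTLM;
    public static SecureRandom rnd = new SecureRandom();

    private static final String CFG_PREFIX = "ru.org.openam.auth.modules.ntlm.";
    private static final String CFG_AUTH_LEVEL = CFG_PREFIX + "authlevel";
    private static final String CFG_DOMAIN = CFG_PREFIX + "domain";
    private static final String CFG_DOMAIN_CONTROLLER = CFG_PREFIX + "domainController";
    private static final String CFG_DOMAIN_CONTROLLER_HOST = CFG_PREFIX + "domainControllerHostName";
    private static final String CFG_SERVICE_ACCOUNT = CFG_PREFIX + "serviceAccount";
    private static final String CFG_SERVICE_PASSWORD = CFG_PREFIX + "servicePassword";

    private static final String CHALLENGE_ATTR = "challenge";
    private static final String NTLM_PREFIX = "NTLM ";
    private static final String NEGOTIATE_PREFIX = "Negotiate ";
    // Offset of the NTLMSSP MessageType field (the byte after the 8-byte "NTLMSSP\0" signature).
    private static final int NTLMSSP_TYPE_OFFSET = 8;
    private static final int NTLMSSP_TYPE1 = 1;
    private static final int NTLMSSP_TYPE3 = 3;
    private static final int CHALLENGE_LENGTH = 8;

    /**
     * Configures the module from its OpenAM options and (re)builds the shared
     * {@link NtlmManager} when the domain/controller/service-account settings differ
     * from the ones the current manager was built with.
     *
     * @param subject the JAAS subject (unused here)
     * @param map     the shared state map (unused here)
     * @param map2    the module options; read for the {@code ru.org.openam.auth.modules.ntlm.*} keys
     * @throws NumberFormatException if the configured auth level is not an integer
     */
    public void init(Subject subject, Map map, Map map2) {
        setForceCallbacksRead(true);
        setSharedStateEnabled(true);
        setAuthLevel(Integer.parseInt(CollectionHelper.getMapAttr(map2, CFG_AUTH_LEVEL, "0")));
        if (logger.isDebugEnabled()) {
            System.setProperty("jcifs.util.loglevel", "4");
        }
        System.setProperty("jcifs.smb.client.connTimeout", "3000");
        System.setProperty("jcifs.smb.client.soTimeout", "1800000");
        System.setProperty("jcifs.netbios.cachePolicy", "1200");

        String domain = CollectionHelper.getMapAttr(map2, CFG_DOMAIN);
        String domainController = CollectionHelper.getMapAttr(map2, CFG_DOMAIN_CONTROLLER);
        String domainControllerHost = CollectionHelper.getMapAttr(map2, CFG_DOMAIN_CONTROLLER_HOST);
        String serviceAccount = CollectionHelper.getMapAttr(map2, CFG_SERVICE_ACCOUNT);
        String servicePassword = CollectionHelper.getMapAttr(map2, CFG_SERVICE_PASSWORD);

        // Compare and replace under the same lock: with the comparison outside it, two
        // concurrent init() calls could both see a stale manager and build one each.
        synchronized (Ntlm.class) {
            if (!matchesSettings(ntlmManager, domain, domainController, domainControllerHost,
                    serviceAccount, servicePassword)) {
                ntlmManager = new NtlmManager(domain, domainController, domainControllerHost,
                        serviceAccount, servicePassword);
            }
        }
    }

    /** True when {@code manager} exists and was built from exactly these settings. */
    private static boolean matchesSettings(NtlmManager manager, String domain, String domainController,
            String domainControllerHost, String serviceAccount, String servicePassword) {
        return manager != null
                && StringUtils.equals(manager.getDomain(), domain)
                && StringUtils.equals(manager.getDomainController(), domainController)
                && StringUtils.equals(manager.getDomainControllerName(), domainControllerHost)
                && StringUtils.equals(manager.getServiceAccount(), serviceAccount)
                && StringUtils.equals(manager.getServicePassword(), servicePassword);
    }

    /** @return the principal established by a successful type-3 exchange, or {@code null} before that */
    public Principal getPrincipal() {
        return this.userPrincipal;
    }

    /**
     * Replaces the module callback with an HTTP 401 challenge ({@code WWW-Authenticate: <schema> [token]})
     * and returns state 1 so OpenAM sends it to the browser.
     *
     * @param str the Base64 type-2 token to append after the scheme, or {@code null} for a bare challenge
     * @return the next module state (always 1)
     * @throws AuthLoginException if the callback cannot be replaced
     */
    public int returnCallback(String str) throws IOException, UnsupportedCallbackException, AuthLoginException {
        // Propagate AuthLoginException as declared instead of hiding it inside a RuntimeException.
        String headerValue = this.schema.concat(str == null ? "" : " ".concat(str));
        replaceCallback(1, 0, new HttpCallback("X-Authorization", "WWW-Authenticate", headerValue, 401));
        return 1;
    }

    /**
     * Runs one step of the NTLM handshake based on the request's {@code Authorization} header.
     *
     * @param callbackArr the callbacks for the current state
     * @param i           the current state (unused)
     * @return 0 to let the chain continue without NTLM (no request, negotiation already
     *         answered, or {@code skipKerberos=true} with no header), 1 after a challenge has
     *         been queued for the browser, or -1 once the user principal has been established
     * @throws AuthLoginException for an unsupported scheme or token, or when any other failure
     *         occurs (wrapped)
     */
    public int process(Callback[] callbackArr, int i) throws AuthLoginException {
        HttpServletRequest request = getHttpServletRequest();
        if (negotiationAlreadyAnswered(callbackArr) || request == null) {
            return 0;
        }
        String header = request.getHeader("Authorization");
        if ("true".equals(request.getParameter("skipKerberos")) && header == null) {
            return 0;
        }
        try {
            if (StringUtils.isBlank(header)) {
                // First leg: ask the browser to start NTLM.
                return returnCallback(null);
            }
            byte[] token = decodeToken(header);
            // Guard the type read below: a truncated Base64 payload would otherwise surface as
            // an ArrayIndexOutOfBoundsException wrapped in a generic AuthLoginException.
            if (token.length <= NTLMSSP_TYPE_OFFSET) {
                throw new AuthLoginException("Unsupported: malformed NTLMSSP token");
            }
            byte type = token[NTLMSSP_TYPE_OFFSET];
            if (type == NTLMSSP_TYPE1) {
                return handleType1(request, token);
            }
            if (type == NTLMSSP_TYPE3) {
                return handleType3(request.getSession(false), token);
            }
            throw new AuthLoginException(MessageFormat.format("Unsupported: type={0}", Byte.valueOf(type)));
        } catch (AuthLoginException e) {
            if (logger.isDebugEnabled()) {
                logger.debug("error", e);
            }
            throw e;
        } catch (Exception e) {
            if (logger.isDebugEnabled()) {
                logger.debug("error", e);
            }
            throw new AuthLoginException("Ntlm", e);
        }
    }

    /** True when the single callback is an HttpCallback whose negotiation has already been answered. */
    private static boolean negotiationAlreadyAnswered(Callback[] callbackArr) {
        return callbackArr.length == 1
                && callbackArr[0] instanceof HttpCallback
                && ((HttpCallback) callbackArr[0]).getNegotiationCode() > 0;
    }

    /**
     * Decodes the NTLMSSP token from an {@code NTLM} or {@code Negotiate} header and records
     * which scheme the browser used in {@link #schema}.
     *
     * @throws AuthLoginException for any other scheme
     */
    private byte[] decodeToken(String header) throws AuthLoginException {
        if (StringUtils.startsWith(header, NTLM_PREFIX)) {
            byte[] token = Base64.decode(header.substring(NTLM_PREFIX.length()));
            this.schema = StandardAuthScheme.NTLM;
            return token;
        }
        if (StringUtils.startsWith(header, NEGOTIATE_PREFIX)) {
            byte[] token = Base64.decode(header.substring(NEGOTIATE_PREFIX.length()));
            this.schema = StandardAuthScheme.SPNEGO;
            return token;
        }
        // Report only the scheme word: the rest of the header can carry credentials
        // (e.g. a Basic token) that must not end up in an exception message or log.
        throw new AuthLoginException(MessageFormat.format("Unsupported: schema={0}",
                StringUtils.substringBefore(header, " ")));
    }

    /** Answers a type-1 token with a fresh random challenge, parked in the session for the type-3 leg. */
    private int handleType1(HttpServletRequest request, byte[] token)
            throws IOException, UnsupportedCallbackException, AuthLoginException {
        Type1Message type1Message = new Type1Message(token);
        byte[] challenge = new byte[CHALLENGE_LENGTH];
        rnd.nextBytes(challenge);
        Type2Message type2Message = ntlmManager.negotiateType2Message(token, challenge);
        logger.info("type1=[{}] -> type2=[{}]", type1Message, type2Message);
        // The challenge must survive until the next request, so create the session if the
        // browser has none yet (getSession(false) would return null and NPE here).
        request.getSession(true).setAttribute(CHALLENGE_ATTR, challenge);
        return returnCallback(Base64.encode(type2Message.toByteArray()));
    }

    /**
     * Verifies a type-3 token against the challenge parked in the session. Without a
     * session or challenge (expired, or a type-3 sent out of sequence) the browser is
     * simply re-challenged. The challenge is removed whatever the outcome.
     */
    private int handleType3(HttpSession session, byte[] token)
            throws IOException, UnsupportedCallbackException, AuthLoginException {
        byte[] challenge = session == null ? null : (byte[]) session.getAttribute(CHALLENGE_ATTR);
        Type3Message type3Message = new Type3Message(token);
        if (challenge == null) {
            // NOTE(review): relies on Type3Message.toString() not including the response
            // bytes — confirm for the jcifs version in use before logging it.
            logger.warn("type3={}: empty secret", type3Message);
            return returnCallback(null);
        }
        try {
            this.userPrincipal = new NtlmPrincipal(ntlmManager.authenticate(token, challenge).getUserName());
            String domain = StringUtils.isBlank(type3Message.getDomain())
                    ? ntlmManager.getDomain()
                    : type3Message.getDomain();
            // Locale.ROOT: the default locale must not alter the domain name (e.g. Turkish dotted I).
            setUserSessionProperty("UserTokenDomain", domain.toUpperCase(Locale.ROOT));
            return -1;
        } catch (Exception e) {
            logger.warn("type3={}: {}", type3Message, e.getMessage());
            return returnCallback(null);
        } finally {
            // Single-use: never let a challenge be answered twice.
            session.removeAttribute(CHALLENGE_ATTR);
        }
    }

    static {
        try {
            AMIdentity_isSharedStateField = AMLoginModule.class.getDeclaredField("isSharedState");
            AMIdentity_isSharedStateField.setAccessible(true);
        } catch (Exception e) {
            logger.error("AMIdentity_isSharedStateField", (Throwable) e);
        }
    }
}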
