package com.universe.mdm.sso.kerberos.service.security.interceptor;

import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.transport.Conduit;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.stereotype.Component;

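/**
 * CXF inbound interceptor, registered for the {@code "receive"} phase, that handles
 * Negotiate/Kerberos authentication for requests whose URI contains {@code /login}.
 *
 * <p>Two things can happen for such a request:
 * <ul>
 *   <li>The client sent {@code Single-Sign-On: true} and no {@code Authorization} header: the
 *       interceptor answers {@code 401} with {@code WWW-Authenticate: Negotiate} and aborts the
 *       interceptor chain.</li>
 *   <li>An {@code Authorization} value starts with {@code Negotiate} or {@code Kerberos } and is
 *       not an NTLM message: the ticket is decoded, passed to the injected
 *       {@link AuthenticationProvider}, and the result is stored in the
 *       {@link SecurityContextHolder}.</li>
 * </ul>
 *
 * <p>Every other request passes through untouched, so this class does not by itself reject
 * unauthenticated callers.
 *
 * <p>NOTE(review): the URI test is a substring match, so any request URI that contains
 * {@code /login} anywhere is processed here; confirm that is the intended scope.
 *
 * <p>NOTE(review): nothing in this class clears the {@link SecurityContextHolder}; confirm that a
 * later interceptor or filter resets it, so a reused worker thread does not keep the
 * authentication of an earlier request.
 */
@Component
public class KerberosAuthenticationRequestInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final String REQUEST_URI = "org.apache.cxf.request.uri";
    private static final String URI_LOGIN = "/login";
    private static final String PROTOCOL_HEADERS = "org.apache.cxf.message.Message.PROTOCOL_HEADERS";
    private static final String AUTHORIZATION = "Authorization";
    private static final String SSO_HEADER = "Single-Sign-On";
    private static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String NEGOTIATE_SCHEME = "Negotiate";
    private static final String KERBEROS = "Kerberos ";
    // "TlRMTVNTUA" is the Base64 form of the "NTLMSSP" signature that starts every NTLM message.
    private static final String NTLMSSP_PREFIX = "Negotiate TlRMTVNTUA";
    private final AuthenticationProvider authenticationProvider;

    /**
     * Creates the interceptor for the {@code "receive"} phase.
     *
     * @param authenticationProvider the bean named {@code kerberosServiceAuthenticationProvider},
     *     used to validate the decoded ticket
     */
    public KerberosAuthenticationRequestInterceptor(@Autowired @Qualifier("kerberosServiceAuthenticationProvider") AuthenticationProvider authenticationProvider) {
        super("receive");
        this.authenticationProvider = authenticationProvider;
    }

    /**
     * Starts negotiation or validates a presented ticket for login requests.
     *
     * <p>Requests without a String request URI, or whose URI does not contain {@code /login},
     * are ignored. Exceptions thrown while decoding or authenticating the ticket propagate to
     * the caller.
     *
     * @param message the inbound CXF message
     */
    @Override
    public void handleMessage(Message message) {
        Object requestUri = message.get(REQUEST_URI);
        // A message without a request URI cannot be a login request; skip it instead of failing
        // with a NullPointerException.
        if (!(requestUri instanceof String) || !((String) requestUri).contains(URI_LOGIN)) {
            return;
        }
        if (negotiateIfSso(message)) {
            return;
        }
        List<String> authorization = protocolHeaders(message).get(AUTHORIZATION);
        if (authorization == null) {
            return;
        }
        authorization.stream()
                .filter(value -> value != null)
                // NTLM messages travel under the Negotiate scheme too; they are not Kerberos
                // tickets and are left for the rest of the chain.
                .filter(value -> !value.startsWith(NTLMSSP_PREFIX))
                .filter(value -> value.startsWith(NEGOTIATE_SCHEME) || value.startsWith(KERBEROS))
                .findAny()
                .ifPresent(this::validateTicketOrElseThrow);
    }

    /**
     * Answers {@code 401 WWW-Authenticate: Negotiate} when the client asked for single sign-on
     * ({@code Single-Sign-On} header containing {@code "true"}) but sent no {@code Authorization}
     * header.
     *
     * @param message the inbound CXF message
     * @return {@code true} if the challenge was written and the chain aborted
     */
    private boolean negotiateIfSso(Message message) {
        Map<String, List<String>> requestHeaders = protocolHeaders(message);
        List<String> ssoValues = requestHeaders.get(SSO_HEADER);
        boolean ssoRequested = ssoValues != null && ssoValues.contains(Boolean.TRUE.toString());
        if (!ssoRequested || requestHeaders.get(AUTHORIZATION) != null) {
            return false;
        }
        Message outMessage = getOutMessage(message);
        outMessage.put(Message.RESPONSE_CODE, 401);
        Map<String, List<String>> responseHeaders = CastUtils.cast((Map<?, ?>) outMessage.get(Message.PROTOCOL_HEADERS));
        responseHeaders.put(WWW_AUTHENTICATE, Collections.singletonList(NEGOTIATE_SCHEME));
        stopChain(message, outMessage);
        return true;
    }

    /**
     * Decodes the ticket from an {@code Authorization} value, authenticates it and stores the
     * result in the security context.
     *
     * <p>NOTE(review): the value returned by the provider is stored as is; confirm that the
     * configured provider never returns {@code null} for this token type.
     *
     * @param headerValue an {@code Authorization} value that starts with {@code Negotiate} or
     *     {@code Kerberos }
     */
    private void validateTicketOrElseThrow(String headerValue) {
        byte[] ticket = Base64.decode(stripScheme(headerValue).getBytes(StandardCharsets.UTF_8));
        SecurityContextHolder.getContext()
                .setAuthentication(this.authenticationProvider.authenticate(new KerberosServiceRequestToken(ticket)));
    }

    /**
     * Removes the leading scheme word and surrounding whitespace from an {@code Authorization}
     * value.
     *
     * <p>Only the prefix is removed. The previous {@code replace("Negotiate", "")} also removed
     * that text wherever it appeared inside the Base64 payload, and it left the
     * {@code Kerberos } scheme in place, so the scheme word reached the decoder as if it were
     * ticket data.
     */
    private static String stripScheme(String headerValue) {
        if (headerValue.startsWith(NEGOTIATE_SCHEME)) {
            return headerValue.substring(NEGOTIATE_SCHEME.length()).trim();
        }
        if (headerValue.startsWith(KERBEROS)) {
            return headerValue.substring(KERBEROS.length()).trim();
        }
        return headerValue.trim();
    }

    /**
     * Returns the protocol headers of {@code message}, or an empty map when none are attached.
     *
     * <p>Typed against {@link Map} and {@link List} so the code does not depend on the concrete
     * collection classes the transport happens to use.
     */
    private static Map<String, List<String>> protocolHeaders(Message message) {
        Object headers = message.get(PROTOCOL_HEADERS);
        if (!(headers instanceof Map)) {
            return Collections.emptyMap();
        }
        return CastUtils.cast((Map<?, ?>) headers);
    }

    /**
     * Returns the exchange's outbound message, creating it from the endpoint binding if needed.
     *
     * <p>NOTE(review): {@code putAll} copies every entry of the inbound message, including its
     * protocol-header map, into the outbound message. The challenge header is then added to that
     * shared map, so the response presumably carries the request's headers as well; verify
     * whether that reflection is acceptable for this endpoint.
     */
    private Message getOutMessage(Message message) {
        Exchange exchange = message.getExchange();
        Message outMessage = exchange.getOutMessage();
        if (outMessage == null) {
            outMessage = exchange.get(Endpoint.class).getBinding().createMessage();
            exchange.setOutMessage(outMessage);
        }
        outMessage.putAll(message);
        return outMessage;
    }

    /**
     * Aborts the inbound chain and sends {@code outMessage} over the back channel.
     *
     * @throws Fault wrapping any {@link IOException} raised while writing the response
     */
    private void stopChain(Message message, Message outMessage) {
        message.getInterceptorChain().abort();
        try {
            getConduit(message).prepare(outMessage);
            close(outMessage);
        } catch (IOException e) {
            throw new Fault(e);
        }
    }

    /** Obtains the back-channel conduit for {@code message} and registers it on the exchange. */
    private Conduit getConduit(Message message) throws IOException {
        Exchange exchange = message.getExchange();
        Conduit backChannel = exchange.getDestination().getBackChannel(message);
        exchange.setConduit(backChannel);
        return backChannel;
    }

    /**
     * Flushes and closes the response stream attached to {@code message}, if there is one.
     *
     * <p>The stream is closed even when the flush fails.
     */
    private void close(Message message) throws IOException {
        OutputStream outputStream = message.getContent(OutputStream.class);
        if (outputStream == null) {
            return;
        }
        try (OutputStream out = outputStream) {
            out.flush();
        }
    }
}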
