package eu.openanalytics.containerproxy.auth.impl;

import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
import eu.openanalytics.containerproxy.auth.impl.kerberos.KRBClientCacheRegistry;
import eu.openanalytics.containerproxy.auth.impl.kerberos.KRBTicketRenewalManager;
import eu.openanalytics.containerproxy.model.spec.ContainerSpec;
import eu.openanalytics.containerproxy.service.EventService;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.inject.Inject;
import javax.servlet.Filter;
import org.springframework.core.env.Environment;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator;
import org.springframework.security.kerberos.web.authentication.SpnegoAuthenticationProcessingFilter;
import org.springframework.security.kerberos.web.authentication.SpnegoEntryPoint;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

/* loaded from: input_file:BOOT-INF/lib/containerproxy-0.8.1.jar:eu/openanalytics/containerproxy/auth/impl/KerberosAuthenticationBackend.class */
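/**
 * Authentication backend that signs users in with Kerberos (SPNEGO) and hands
 * each user's credential cache to the containers launched on their behalf.
 *
 * <p>Configuration is read from the {@code proxy.kerberos.*} properties of the
 * injected {@link Environment}. The class registers a SPNEGO filter in the HTTP
 * security chain, validates incoming service tickets against a keytab, starts
 * ticket renewal for each principal that authenticates, and stops it when a
 * logout event is received.
 */
public class KerberosAuthenticationBackend implements IAuthenticationBackend {
    public static final String NAME = "kerberos";

    // Created in configureAuthenticationManagerBuilder(); customizeContainer()
    // dereferences it, so that method must have run first.
    private KRBClientCacheRegistry ccacheReg;

    @Inject
    Environment environment;

    @Inject
    AuthenticationManager authenticationManager;

    @Inject
    EventService eventService;

    /**
     * Builds a {@link UserDetails} for whatever username it is given: empty
     * password, no authorities, and it never reports an unknown user.
     *
     * <p>The only gate on who may sign in is therefore the ticket validator
     * configured alongside it.
     * NOTE(review): no authorities are assigned here, so any group-based check
     * made elsewhere would see an empty set for Kerberos users. Confirm that is
     * intended.
     */
    private static class SimpleUserDetailsService implements UserDetailsService {
        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            return new User(username, "", Collections.emptyList());
        }
    }

    /** Returns the identifier of this backend, {@value #NAME}. */
    @Override
    public String getName() {
        return NAME;
    }

    /** Always returns {@code true}. */
    @Override
    public boolean hasAuthorization() {
        return true;
    }

    /**
     * Installs SPNEGO negotiation in the HTTP security chain.
     *
     * <p>A {@link SpnegoAuthenticationProcessingFilter} backed by the injected
     * authentication manager is placed before {@link BasicAuthenticationFilter},
     * and a {@link SpnegoEntryPoint} constructed with {@code "/login"} is set as
     * the authentication entry point.
     *
     * @param httpSecurity the security configuration to extend
     * @throws Exception if the security configuration cannot be built
     */
    @Override
    public void configureHttpSecurity(HttpSecurity httpSecurity) throws Exception {
        SpnegoAuthenticationProcessingFilter spnegoFilter = new SpnegoAuthenticationProcessingFilter();
        spnegoFilter.setAuthenticationManager(this.authenticationManager);
        httpSecurity
                .exceptionHandling()
                .authenticationEntryPoint(new SpnegoEntryPoint("/login"))
                .and()
                .addFilterBefore(spnegoFilter, BasicAuthenticationFilter.class);
    }

    /**
     * Registers the Kerberos authentication provider and starts the per-user
     * ticket handling.
     *
     * <p>Properties read:
     * <ul>
     *   <li>{@code proxy.kerberos.client-ccache-path}: passed to the credential cache registry</li>
     *   <li>{@code proxy.kerberos.auth-service-principal} / {@code auth-service-keytab}: used to
     *       validate incoming tickets; fall back to {@code service-principal} / {@code service-keytab}</li>
     *   <li>{@code proxy.kerberos.deleg-service-principal} / {@code deleg-service-keytab}: passed to
     *       the renewal manager; fall back to the auth values above</li>
     *   <li>{@code proxy.kerberos.backend-principal} and {@code backend-principals}: merged into
     *       one list, single value first</li>
     *   <li>{@code proxy.kerberos.ticket-renew-interval}: defaults to 28800000</li>
     * </ul>
     *
     * @param authenticationManagerBuilder the builder that receives the provider
     * @throws Exception if the validator or provider rejects its configuration
     */
    @Override
    public void configureAuthenticationManagerBuilder(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        this.ccacheReg = new KRBClientCacheRegistry(this.environment.getProperty("proxy.kerberos.client-ccache-path"));

        String authPrincipal = this.environment.getProperty(
                "proxy.kerberos.auth-service-principal",
                this.environment.getProperty("proxy.kerberos.service-principal"));
        String authKeytab = this.environment.getProperty(
                "proxy.kerberos.auth-service-keytab",
                this.environment.getProperty("proxy.kerberos.service-keytab"));
        String delegPrincipal = this.environment.getProperty("proxy.kerberos.deleg-service-principal", authPrincipal);
        String delegKeytab = this.environment.getProperty("proxy.kerberos.deleg-service-keytab", authKeytab);

        List<String> backendPrincipalList = new ArrayList<>();
        String singleBackendPrincipal = this.environment.getProperty("proxy.kerberos.backend-principal");
        if (singleBackendPrincipal != null) {
            backendPrincipalList.add(singleBackendPrincipal);
        }
        Collections.addAll(
                backendPrincipalList,
                this.environment.getProperty("proxy.kerberos.backend-principals", String[].class, new String[0]));
        String[] backendPrincipals = backendPrincipalList.toArray(new String[0]);

        // NOTE(review): 28800000 is 8 hours if the unit is milliseconds; the unit
        // is defined by KRBTicketRenewalManager, which is not visible here.
        long renewInterval = this.environment.getProperty(
                "proxy.kerberos.ticket-renew-interval", Long.class, Long.valueOf(28800000L));

        SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
        ticketValidator.setServicePrincipal(authPrincipal);
        ticketValidator.setKeyTabLocation(new FileSystemResource(authKeytab));
        // NOTE(review): debug is switched on unconditionally. JAAS Kerberos debug
        // output is verbose and typically names the service principal and keytab
        // location; consider driving this from configuration and leaving it off
        // in production.
        ticketValidator.setDebug(true);
        ticketValidator.afterPropertiesSet();

        final KRBTicketRenewalManager renewalManager =
                new KRBTicketRenewalManager(delegPrincipal, delegKeytab, backendPrincipals, this.ccacheReg, renewInterval);

        // Stop renewing a user's tickets as soon as that user logs out.
        this.eventService.addListener(event -> {
            if (EventService.EventType.Logout.toString().equals(event.type)) {
                renewalManager.stop(event.user);
            }
        });

        KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider() {
            /**
             * Delegates to the stock provider and, once it returns, starts
             * ticket renewal for the authenticated principal.
             */
            @Override
            public Authentication authenticate(Authentication authentication) throws AuthenticationException {
                KerberosServiceRequestToken token = (KerberosServiceRequestToken) super.authenticate(authentication);
                renewalManager.start(token.getName());
                return token;
            }
        };
        provider.setTicketValidator(ticketValidator);
        provider.setUserDetailsService(new SimpleUserDetailsService());
        provider.afterPropertiesSet();
        authenticationManagerBuilder.authenticationProvider(provider);
    }

    /**
     * Appends a volume that exposes the current user's credential cache
     * directory inside the container at {@code /tmp/kerberos}.
     *
     * <p>The volume is the parent directory of the path the registry returns for
     * the current principal. Existing volumes on the spec are preserved.
     * NOTE(review): the volume string carries no access mode, and the whole
     * parent directory is exposed, so whatever runs in the container can use the
     * user's tickets for as long as they are valid. Confirm the directory is
     * per-user and whether a read-only mount is sufficient.
     *
     * @param containerSpec the spec of the container about to be launched
     * @throws IllegalStateException if the current request is not Kerberos-authenticated,
     *         or no usable credential cache path is registered for the principal
     */
    @Override
    public void customizeContainer(ContainerSpec containerSpec) {
        String principal = requireCurrentPrincipal();
        String ccachePath = this.ccacheReg.get(principal);
        if (ccachePath == null) {
            throw new IllegalStateException("No Kerberos credential cache registered for principal " + principal);
        }
        java.nio.file.Path ccacheDir = Paths.get(ccachePath).getParent();
        if (ccacheDir == null) {
            throw new IllegalStateException("Kerberos credential cache path has no parent directory: " + ccachePath);
        }

        List<String> volumes = new ArrayList<>();
        String[] existingVolumes = containerSpec.getVolumes();
        if (existingVolumes != null) {
            Collections.addAll(volumes, existingVolumes);
        }
        volumes.add(ccacheDir.toString() + ":/tmp/kerberos");
        containerSpec.setVolumes(volumes.toArray(new String[0]));
    }

    /**
     * Adds {@code REMOTE_USER} (the Kerberos principal) and {@code KRB5CCNAME}
     * to the container environment.
     *
     * <p>Fails instead of emitting {@code REMOTE_USER=null}: an application that
     * trusts this variable would otherwise see a user literally named "null".
     *
     * @param list the mutable list of {@code KEY=value} entries to extend
     * @throws IllegalStateException if the current request is not Kerberos-authenticated
     */
    @Override
    public void customizeContainerEnv(List<String> list) {
        String principal = requireCurrentPrincipal();
        list.add("REMOTE_USER=" + principal);
        list.add("KRB5CCNAME=FILE:/tmp/kerberos/ccache");
    }

    /**
     * Returns the name of the authentication in the current security context,
     * or {@code null} when it is not a {@link KerberosServiceRequestToken}.
     */
    private String getCurrentPrincipal() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof KerberosServiceRequestToken) {
            return authentication.getName();
        }
        return null;
    }

    /**
     * Like {@link #getCurrentPrincipal()}, but refuses to continue without a
     * Kerberos principal so that no container is customized for an unknown user.
     */
    private String requireCurrentPrincipal() {
        String principal = getCurrentPrincipal();
        if (principal == null) {
            throw new IllegalStateException("Current request is not authenticated with a Kerberos service ticket");
        }
        return principal;
    }
}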
