package org.apache.nifi.web.security.kerberos;

import jakarta.servlet.http.HttpServletRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.core.Authentication;
import org.springframework.security.kerberos.authentication.KerberosServiceAuthenticationProvider;
import org.springframework.security.kerberos.authentication.KerberosServiceRequestToken;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;

/* loaded from: input_file:org/apache/nifi/web/security/kerberos/KerberosService.class */
public class KerberosService {
    public static final String AUTHORIZATION_HEADER_NAME = "Authorization";
    public static final String AUTHENTICATION_CHALLENGE_HEADER_NAME = "WWW-Authenticate";
    public static final String AUTHORIZATION_NEGOTIATE = "Negotiate";
    private KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider;
    private final AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
    private static final Logger logger = LoggerFactory.getLogger(KerberosService.class);
    private static final Base64.Decoder decoder = Base64.getDecoder();

    public void setKerberosServiceAuthenticationProvider(KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider) {
        this.kerberosServiceAuthenticationProvider = kerberosServiceAuthenticationProvider;
    }

    public Authentication validateKerberosTicket(HttpServletRequest httpServletRequest) {
        if (!httpServletRequest.isSecure()) {
            return null;
        }
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER_NAME);
        if (!isValidKerberosHeader(header)) {
            return null;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("Received Negotiate Header for request " + String.valueOf(httpServletRequest.getRequestURL()) + ": " + header);
        }
        KerberosServiceRequestToken kerberosServiceRequestToken = new KerberosServiceRequestToken(decoder.decode(header.substring(header.indexOf(" ") + 1).getBytes(StandardCharsets.UTF_8)));
        kerberosServiceRequestToken.setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
        return this.kerberosServiceAuthenticationProvider.authenticate(kerberosServiceRequestToken);
    }

    public boolean isValidKerberosHeader(String str) {
        return str != null && (str.startsWith("Negotiate ") || str.startsWith("Kerberos "));
    }
}
