package org.apache.brooklyn.ui.proxy;

import com.google.common.base.Optional;
import java.io.IOException;
import java.net.URL;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.eclipse.jetty.http.HttpHeader;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.http.HttpContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

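/**
 * OSGi {@link HttpContext} that protects the UI proxy with HTTP Basic authentication.
 *
 * <p>Each request's {@code Authorization} header is decoded into a username and password,
 * which are checked through a JAAS {@link LoginContext} for the configured realm. On success
 * the authenticated {@link Subject} is stored in the HTTP session; otherwise the client gets a
 * {@code 401} with a {@code WWW-Authenticate: Basic} challenge.
 *
 * <p>The realm field starts as {@code "webconsole"} and is replaced by the
 * {@code ui.proxy.security.realm} configuration property whenever that property is non-empty.
 */
@Component(name = "UiProxyHttpContext", configurationPid = {"org.apache.brooklyn.ui.proxy.security"}, configurationPolicy = ConfigurationPolicy.OPTIONAL, immediate = true, service = {HttpContext.class}, property = {"httpContext.id:String=proxy-context", "ui.proxy.security.realm:String=karaf"})
/* loaded from: input_file:org/apache/brooklyn/ui/proxy/UiProxyHttpContext.class */
public class UiProxyHttpContext implements HttpContext {
    private static final Logger LOG = LoggerFactory.getLogger(UiProxyHttpContext.class);

    /** Authentication scheme token expected at the start of the Authorization header. */
    private static final String BASIC_SCHEME = "Basic";

    // Written by modified() and read by handleSecurity(); volatile so that a realm change
    // made on one thread is visible to request threads.
    private volatile String realm = "webconsole";

    /**
     * JAAS callback handler that answers name and password callbacks with fixed credentials.
     *
     * <p>Static because it never touches the enclosing instance.
     */
    /* loaded from: input_file:org/apache/brooklyn/ui/proxy/UiProxyHttpContext$UsernamePasswordCallbackHandler.class */
    private static final class UsernamePasswordCallbackHandler implements CallbackHandler {
        private final String username;
        private final String password;

        UsernamePasswordCallbackHandler(String str, String str2) {
            this.username = str;
            this.password = str2;
        }

        /**
         * Supplies the stored username to every {@link NameCallback} and the stored password to
         * every {@link PasswordCallback}; any other callback type is left untouched.
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(this.username);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(this.password.toCharArray());
                }
            }
        }
    }

    /**
     * Authenticates the request with HTTP Basic credentials against the configured JAAS realm.
     *
     * @param httpServletRequest the incoming request; its {@code Authorization} header is read
     * @param httpServletResponse the response that receives the 401 challenge on failure
     * @return {@code true} when the login succeeded and the request may proceed, {@code false}
     *     after a 401 challenge has been sent
     * @throws IOException if sending the error response fails
     */
    @Override
    public boolean handleSecurity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        // Read the realm once so the login and the challenge below agree even if the
        // configuration changes while this request is being handled.
        final String activeRealm = this.realm;

        // NOTE(review): a session is created for every request, authenticated or not, and the
        // same session id is kept after a successful login. Consider rotating the id on success
        // (HttpServletRequest.changeSessionId() where the deployed servlet API is 3.1+) so a
        // pre-login id cannot be reused afterwards - confirm against the container in use.
        // NOTE(review): session ids are written to the log at INFO/WARN; anyone with log access
        // can read them. Consider logging a truncated or hashed form.
        HttpSession session = httpServletRequest.getSession(true);
        LOG.info("Handling security for session [{}] in realm [{}]", session.getId(), activeRealm);

        Optional<String[]> credentials = readCredentials(httpServletRequest.getHeader(HttpHeader.AUTHORIZATION.name()));
        if (credentials.isPresent()) {
            // readCredentials guarantees exactly two elements: username and password.
            String username = credentials.get()[0];
            String password = credentials.get()[1];
            try {
                LoginContext loginContext = new LoginContext(activeRealm, new UsernamePasswordCallbackHandler(username, password));
                loginContext.login();
                httpServletRequest.setAttribute("org.osgi.service.http.authentication.type", "Basic");
                httpServletRequest.setAttribute("org.osgi.service.http.authentication.remote.user", username);
                Subject subject = loginContext.getSubject();
                // Freeze the principal and credential sets before exposing them via the session.
                subject.setReadOnly();
                session.setAttribute("javax.security.auth.subject", subject);
                return true;
            } catch (LoginException e) {
                // NOTE(review): the username comes straight from the request; make sure the log
                // layout escapes control characters so it cannot forge log lines.
                LOG.warn("Login attempt failed for user [{}] on session [{}]", username, session.getId());
                // Keep the cause available for diagnosing realm misconfiguration.
                LOG.debug("Login failure cause", e);
            }
        }
        httpServletResponse.setHeader("WWW-Authenticate", "Basic realm=\"" + activeRealm + "\"");
        httpServletResponse.setStatus(401);
        httpServletResponse.sendError(401, "Must be authenticated to access this resource");
        return false;
    }

    /**
     * Extracts the username and password from a Basic {@code Authorization} header value.
     *
     * @param str the raw header value, may be {@code null}
     * @return a two-element array {@code [username, password]}, or absent when the header is
     *     missing, uses another scheme, or does not decode to {@code user:password}
     */
    private Optional<String[]> readCredentials(String str) {
        // Auth scheme names are case-insensitive, so "basic" and "BASIC" are accepted too.
        if (!StringUtils.startsWithIgnoreCase(str, BASIC_SCHEME)) {
            return Optional.absent();
        }
        String encoded = str.substring(BASIC_SCHEME.length()).trim();
        // NOTE(review): the decoded bytes are interpreted with the platform default charset, so
        // non-ASCII credentials decode differently across hosts; consider fixing the charset.
        String[] parts = new String(Base64.decodeBase64(encoded)).split(":", 2);
        // A payload without ':' yields a single element; treating it as "no credentials" sends
        // the normal 401 challenge instead of failing with ArrayIndexOutOfBoundsException.
        if (parts.length != 2) {
            return Optional.absent();
        }
        return Optional.of(parts);
    }

    /** Always returns {@code null}; this context does not map names to resources itself. */
    @Override
    public URL getResource(String str) {
        return null;
    }

    /** Always returns {@code null}; this context does not determine a MIME type itself. */
    @Override
    public String getMimeType(String str) {
        return null;
    }

    /**
     * Component activation hook; applies the supplied configuration via {@link #modified(Map)}.
     *
     * @param map the component configuration properties
     */
    @Activate
    public void activate(Map<String, String> map) {
        modified(map);
    }

    /**
     * Applies configuration: a non-empty {@code ui.proxy.security.realm} value replaces the
     * current JAAS realm name; an empty or missing value leaves it unchanged.
     *
     * @param map the component configuration properties
     */
    public void modified(Map<String, String> map) {
        String str = map.get("ui.proxy.security.realm");
        if (StringUtils.isNotEmpty(str)) {
            this.realm = str;
        }
    }
}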
