package org.infinispan.client.rest.impl.okhttp.auth;

import java.io.IOException;
import java.security.PrivilegedActionException;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.Subject;
import okhttp3.Authenticator;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.Route;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.infinispan.client.rest.configuration.AuthenticationConfiguration;
import org.infinispan.client.rest.impl.okhttp.auth.AbstractAuthenticator;

/* loaded from: input_file:org/infinispan/client/rest/impl/okhttp/auth/NegotiateAuthenticator.class */
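/**
 * OkHttp authenticator that answers an authentication challenge with an HTTP {@code Negotiate}
 * (SPNEGO) token obtained through JGSS.
 *
 * <p>The token is generated while running as the client {@link Subject} from the
 * {@link AuthenticationConfiguration}, for the service name {@code HTTP@<host>}, where the host is
 * taken from the route of the request being authenticated. The most recent token is kept in
 * {@link #token} so that {@link #authenticateWithState(Route, Request)} can attach it again.
 *
 * <p>NOTE(review): only one token is cached per instance and it is not keyed by host.
 * {@link #authenticateWithState(Route, Request)} ignores its route, so it attaches whichever token
 * was generated last. Confirm that callers scope an instance (or its cached state) to one target host.
 *
 * <p>NOTE(review): mutual authentication is requested on the context, but nothing in this class
 * feeds a server response token back into a context, so the server's reply is not verified here.
 */
public class NegotiateAuthenticator extends AbstractAuthenticator implements CachingAuthenticator {
    /** Object identifier of the SPNEGO pseudo-mechanism. */
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";
    private final AuthenticationConfiguration configuration;
    private final Oid oid;
    /** Last token produced by {@link #authenticateInternal(Route, Request)}; {@code null} until then. */
    private final AtomicReference<String> token = new AtomicReference<>();
    private final GSSManager gssManager = GSSManager.getInstance();

    /**
     * Creates an authenticator that acts on behalf of the configured client subject.
     *
     * @param authenticationConfiguration source of the client {@link Subject}
     * @throws RuntimeException if the SPNEGO OID cannot be parsed
     */
    public NegotiateAuthenticator(AuthenticationConfiguration authenticationConfiguration) {
        this.configuration = authenticationConfiguration;
        try {
            this.oid = new Oid(SPNEGO_OID);
        } catch (GSSException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds an authenticated copy of the request that triggered {@code response}.
     *
     * @param route route whose address supplies the target host
     * @param response the challenge response; only its originating request is used
     * @return the request with a freshly generated {@code Negotiate} header
     */
    public Request authenticate(Route route, Response response) {
        return authenticateInternal(route, response.request());
    }

    /**
     * Attaches the cached token to {@code request} without generating a new one.
     *
     * <p>NOTE(review): when no token has been generated yet the header value is the literal
     * {@code "Negotiate null"}; confirm that callers only reach this method after
     * {@link #authenticate(Route, Response)} has run.
     *
     * @param route unused
     * @param request the request to decorate
     * @return a copy of {@code request} carrying the cached token
     */
    @Override // org.infinispan.client.rest.impl.okhttp.auth.CachingAuthenticator
    public Request authenticateWithState(Route route, Request request) throws IOException {
        return request.newBuilder().header(AbstractAuthenticator.WWW_AUTH_RESP, "Negotiate " + this.token.get()).build();
    }

    /**
     * Generates a token for the route's host, caches it and attaches it to the request.
     *
     * @throws AbstractAuthenticator.AuthenticationException if JGSS fails while preparing the context
     */
    private Request authenticateInternal(Route route, Request request) {
        try {
            // Keep the fresh token in a local: re-reading the shared reference could pick up a
            // token that a concurrent call generated for a different host.
            String freshToken = generateToken(null, route.address().url().host());
            this.token.set(freshToken);
            return request.newBuilder()
                    .header(AbstractAuthenticator.WWW_AUTH_RESP, "Negotiate " + freshToken)
                    .tag(Authenticator.class, this)
                    .build();
        } catch (GSSException e) {
            throw new AbstractAuthenticator.AuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Produces a Base64-encoded SPNEGO token for the service {@code HTTP@<str>}.
     *
     * <p>A new security context is created on every call and released before returning, so a
     * token passed in {@code bArr} is processed by a fresh context rather than by the one that
     * produced an earlier token.
     *
     * @param bArr input token for the context, or {@code null} to start with an empty one
     * @param str host name of the target service
     * @return the Base64 text of the token returned by {@code initSecContext}
     * @throws GSSException if the service name or the context cannot be created
     * @throws SecurityException if the privileged action fails; a {@link GSSException} raised by
     *     {@code initSecContext} arrives here wrapped in a {@link PrivilegedActionException}
     */
    protected String generateToken(byte[] bArr, String str) throws GSSException {
        GSSName serviceName = this.gssManager.createName("HTTP@" + str, GSSName.NT_HOSTBASED_SERVICE);
        // A null credential makes JGSS use the default initiator credential.
        GSSContext createContext = this.gssManager.createContext(serviceName.canonicalize(this.oid), this.oid, null, GSSContext.DEFAULT_LIFETIME);
        createContext.requestMutualAuth(true);
        try {
            // The explicit target type selects the PrivilegedExceptionAction overload of doAs;
            // a bare lambda is ambiguous between it and PrivilegedAction.
            byte[] rawToken = Subject.doAs(this.configuration.clientSubject(), (java.security.PrivilegedExceptionAction<byte[]>) () -> {
                return bArr != null ? createContext.initSecContext(bArr, 0, bArr.length) : createContext.initSecContext(new byte[0], 0, 0);
            });
            return Base64.getEncoder().encodeToString(rawToken);
        } catch (PrivilegedActionException e) {
            throw new SecurityException(e);
        } finally {
            // The context is never used after the token is produced, so release its
            // resources here instead of leaving them to the garbage collector.
            try {
                createContext.dispose();
            } catch (GSSException ignored) {
                // Best-effort cleanup: a failed dispose must not mask the token or the original error.
            }
        }
    }
}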
