package org.elasticsearch.xpack.security.authc.kerberos;

import java.util.Arrays;
import java.util.Base64;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.Strings;
import org.elasticsearch.rest.RestStatus;
import org.elasticsearch.xpack.core.security.authc.AuthenticationToken;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/kerberos/KerberosAuthenticationToken.class */
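/**
 * Authentication token holding the decoded bytes of an
 * {@code Authorization: Negotiate <base64>} request header.
 *
 * <p>This class only extracts and base64-decodes the header value. It does not parse or
 * validate the token, which is why {@link #principal()} returns a fixed placeholder.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The token bytes are credential material. The constructor keeps the caller's array
 *       (no defensive copy) and {@link #credentials()} returns that same array, so
 *       {@link #clearCredentials()} zeroes it for every holder of the reference.</li>
 *   <li>{@link #equals(Object)} and {@link #hashCode()} are content based and not
 *       constant-time. Use them for identity and caching only, never as the check that
 *       decides whether a token is accepted.</li>
 * </ul>
 */
public final class KerberosAuthenticationToken implements AuthenticationToken {
    public static final String WWW_AUTHENTICATE = "WWW-Authenticate";
    public static final String AUTH_HEADER = "Authorization";
    public static final String NEGOTIATE_SCHEME_NAME = "Negotiate";
    public static final String NEGOTIATE_AUTH_HEADER_PREFIX = "Negotiate ";

    // The scheme prefix is matched without regard to case ("negotiate " is accepted too).
    private static final boolean IGNORE_CASE_AUTH_HEADER_MATCH = true;

    // Decoded token bytes; zeroed in place by clearCredentials().
    private final byte[] decodedToken;

    /**
     * Wraps already-decoded token bytes.
     *
     * @param bArr decoded token bytes; the array is stored by reference, not copied
     */
    public KerberosAuthenticationToken(byte[] bArr) {
        this.decodedToken = bArr;
    }

    /**
     * Builds a token from the value of the {@code Authorization} header.
     *
     * @param str the raw header value, may be {@code null}
     * @return the token, or {@code null} when the value is null, empty, or does not start
     *     with {@code "Negotiate "} (case-insensitive, trailing space included)
     * @throws ElasticsearchSecurityException with status 401 and a
     *     {@code WWW-Authenticate: Negotiate} header when the scheme matches but the
     *     remainder is empty or is not valid base64
     */
    public static KerberosAuthenticationToken extractToken(String str) {
        if (Strings.isNullOrEmpty(str)) {
            return null;
        }
        final int prefixLength = NEGOTIATE_AUTH_HEADER_PREFIX.length();
        if (!str.regionMatches(IGNORE_CASE_AUTH_HEADER_MATCH, 0, NEGOTIATE_AUTH_HEADER_PREFIX, 0, prefixLength)) {
            // Some other scheme: not ours to handle, so this is not an error.
            return null;
        }

        final String encodedToken = str.substring(prefixLength).trim();
        if (Strings.isEmpty(encodedToken)) {
            throw unauthorized(
                "invalid negotiate authentication header value, expected base64 encoded token but value is empty",
                null
            );
        }

        try {
            return new KerberosAuthenticationToken(Base64.getDecoder().decode(encodedToken));
        } catch (IllegalArgumentException e) {
            // NOTE(review): the undecodable header value is passed as a message argument, so
            // client-supplied and possibly near-valid credential text of unbounded length
            // ends up in the exception message. Where that message is logged or returned is
            // not visible here; confirm it is acceptable, or replace the argument with a
            // length or truncated form. Left unchanged because callers may match on the text.
            throw unauthorized("invalid negotiate authentication header value, could not decode base64 token {}", e, encodedToken);
        }
    }

    /**
     * Returns a fixed placeholder; the token is not parsed here, so no principal name is
     * available from this object.
     */
    public String principal() {
        return "<Kerberos Token>";
    }

    /**
     * Returns the decoded token bytes as the internal array, not a copy. The contents
     * become all zeroes after {@link #clearCredentials()}.
     */
    public Object credentials() {
        return this.decodedToken;
    }

    /** Overwrites the decoded token bytes with zeroes in place. */
    public void clearCredentials() {
        Arrays.fill(this.decodedToken, (byte) 0);
    }

    /** Content-based hash of the token bytes, consistent with {@link #equals(Object)}. */
    @Override
    public int hashCode() {
        return Arrays.hashCode(this.decodedToken);
    }

    /** Two tokens are equal when they have the same class and the same token bytes. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        final KerberosAuthenticationToken other = (KerberosAuthenticationToken) obj;
        return Arrays.equals(other.decodedToken, this.decodedToken);
    }

    /**
     * Creates a 401 exception carrying a {@code WWW-Authenticate: Negotiate} header.
     *
     * <p>The decompiler reports the original access as package-private; it stays public
     * here so existing callers keep compiling.
     *
     * @param str message, may contain {@code {}} placeholders
     * @param th cause, may be {@code null}
     * @param objArr arguments for the message placeholders
     * @return the exception, for the caller to throw
     */
    public static ElasticsearchSecurityException unauthorized(String str, Throwable th, Object... objArr) {
        final ElasticsearchSecurityException failure = new ElasticsearchSecurityException(str, RestStatus.UNAUTHORIZED, th, objArr);
        failure.addHeader(WWW_AUTHENTICATE, NEGOTIATE_SCHEME_NAME);
        return failure;
    }

    /**
     * Attaches an output token to an existing 401 exception as
     * {@code WWW-Authenticate: Negotiate <token>}.
     *
     * <p>The decompiler reports the original access as package-private; it stays public
     * here so existing callers keep compiling.
     *
     * @param elasticsearchSecurityException exception expected to have status 401 (checked
     *     only when assertions are enabled)
     * @param str output token text; when it is null or has no text the exception is
     *     returned unchanged
     * @return the same exception instance
     */
    public static ElasticsearchSecurityException unauthorizedWithOutputToken(ElasticsearchSecurityException elasticsearchSecurityException, String str) {
        // Plain assert in place of the decompiled $assertionsDisabled field and static
        // initializer; javac generates that same synthetic plumbing.
        assert elasticsearchSecurityException.status() == RestStatus.UNAUTHORIZED;
        if (Strings.hasText(str)) {
            elasticsearchSecurityException.addHeader(WWW_AUTHENTICATE, NEGOTIATE_AUTH_HEADER_PREFIX + str);
        }
        return elasticsearchSecurityException;
    }
}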
