package io.hawt.system;

import io.hawt.util.Strings;
import io.hawt.web.auth.AuthenticationConfiguration;
import io.hawt.web.auth.AuthenticationThrottler;
import jakarta.servlet.http.HttpServletRequest;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.List;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AccountException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.actuate.endpoint.SanitizableData;

/* loaded from: input_file:BOOT-INF/lib/hawtio-system-4.0.0.jar:io/hawt/system/Authenticator.class */
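/**
 * Authenticates a request against the JAAS realm described by an {@link AuthenticationConfiguration}.
 * <p>
 * Credentials come from one of two places: the {@code Authorization} request header
 * ({@code Basic} username/password or a {@code Bearer} token) or the client certificate chain the
 * servlet container stored under {@link #ATTRIBUTE_X509_CERTIFICATE}. After a successful JAAS login
 * the subject's principals are checked against the configured roles; on WebSphere and JBoss EAP the
 * container-specific group holders are consulted via reflection instead.
 * <p>
 * Instances are not thread-safe. The container-detection results ({@code websphereDetected},
 * {@code jbosseapDetected}) and the reflected group accessors are cached JVM-wide from the first
 * subject/credential seen, so a mixed deployment cannot switch detection later.
 */
public class Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger(Authenticator.class);
    public static final String HEADER_AUTHORIZATION = "Authorization";
    public static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    public static final String AUTHENTICATION_SCHEME_BEARER = "Bearer";
    public static final String ATTRIBUTE_X509_CERTIFICATE = "jakarta.servlet.request.X509Certificate";
    // JVM-wide caches, null until the first role check decides them (see isRunningOnWebsphere/JbossEAP).
    private static Boolean websphereDetected;
    private static Method websphereGetGroupsMethod;
    private static Boolean jbosseapDetected;
    private static Method jbosseapGetGroupsMethod;
    private final AuthenticationConfiguration authConfiguration;
    // For a Bearer header the username is the literal "token" and the password holds the token.
    private String username;
    private String password;
    // Client certificate chain taken from the servlet request attribute, or null.
    private X509Certificate[] certificates;

    /**
     * JAAS callback handler that hands the client certificate chain to an Artemis
     * {@code CertificateCallback}. The Artemis class is addressed by name and through reflection so
     * this module has no compile-time dependency on it.
     */
    public static final class CertificateCallbackHandler implements CallbackHandler {
        private static final String ARTEMIS_CALLBACK = "org.apache.activemq.artemis.spi.core.security.jaas.CertificateCallback";
        private static final String ARTEMIS_CALLBACK_METHOD = "setCertificates";
        private final X509Certificate[] certificates;

        private CertificateCallbackHandler(X509Certificate[] certificates) {
            this.certificates = certificates;
        }

        /**
         * Fills every Artemis certificate callback with the held chain. Any other callback type is
         * logged at WARN and left unfilled.
         *
         * @param callbacks the callbacks requested by the login module
         */
        @Override
        public void handle(Callback[] callbacks) {
            for (Callback callback : callbacks) {
                if (LOG.isTraceEnabled()) {
                    LOG.trace("Callback type {} -> {}", callback.getClass(), callback);
                }
                if (ARTEMIS_CALLBACK.equals(callback.getClass().getName())) {
                    setCertificates(callback);
                } else {
                    LOG.warn("Callback class not supported: {}", callback.getClass().getName());
                }
            }
        }

        /** Invokes {@code setCertificates(X509Certificate[])} on the callback reflectively; failures are logged, not thrown. */
        private void setCertificates(Callback callback) {
            try {
                Method setter = callback.getClass().getDeclaredMethod(ARTEMIS_CALLBACK_METHOD, X509Certificate[].class);
                // The cast keeps the chain a single argument; without it the array would be spread as varargs.
                setter.invoke(callback, (Object) certificates);
            } catch (IllegalAccessException | NoSuchMethodException | InvocationTargetException e) {
                LOG.error("Setting certificates to callback failed", e);
            }
        }
    }

    /**
     * JAAS callback handler answering {@link NameCallback} and {@link PasswordCallback} from the
     * held username and password. Other callback types are logged at DEBUG and left unfilled.
     */
    public static final class UsernamePasswordCallbackHandler implements CallbackHandler {
        private final String username;
        private final String password;

        private UsernamePasswordCallbackHandler(String username, String password) {
            this.username = username;
            this.password = password;
        }

        /**
         * @param callbacks the callbacks requested by the login module
         */
        @Override
        public void handle(Callback[] callbacks) {
            for (Callback callback : callbacks) {
                if (LOG.isTraceEnabled()) {
                    LOG.trace("Callback type {} -> {}", callback.getClass(), callback);
                }
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(username);
                } else if (callback instanceof PasswordCallback) {
                    ((PasswordCallback) callback).setPassword(password.toCharArray());
                } else {
                    LOG.debug("Unknown callback class [{}]", callback.getClass().getName());
                }
            }
        }
    }

    /**
     * Creates an authenticator for explicit credentials (no request, no client certificate).
     *
     * @param authConfiguration realm, roles and throttling configuration
     * @param username          the user name
     * @param password          the password
     */
    public Authenticator(AuthenticationConfiguration authConfiguration, String username, String password) {
        this.authConfiguration = authConfiguration;
        this.username = username;
        this.password = password;
    }

    /**
     * Creates an authenticator from a request: credentials are read from the {@code Authorization}
     * header via {@link #extractAuthHeader} and the client certificate chain from the request
     * attribute {@link #ATTRIBUTE_X509_CERTIFICATE}, when present.
     *
     * @param request           the incoming request
     * @param authConfiguration realm, roles and throttling configuration
     */
    public Authenticator(HttpServletRequest request, AuthenticationConfiguration authConfiguration) {
        this.authConfiguration = authConfiguration;
        extractAuthHeader(request, (user, secret) -> {
            this.username = user;
            this.password = secret;
        });
        Object chain = request.getAttribute(ATTRIBUTE_X509_CERTIFICATE);
        if (chain != null) {
            this.certificates = (X509Certificate[]) chain;
        }
    }

    /**
     * Extracts credentials from the request's {@code Authorization} header.
     * <p>
     * A {@code Basic} value is Base64-decoded and split at the first {@code ':'}; the consumer
     * receives (username, password). A {@code Bearer} value is passed as ({@code "token"}, rawToken).
     * Anything else - a blank header, a value that is not exactly two space-separated parts, an
     * unknown scheme, or a Basic payload without a colon - is ignored and the consumer is not called.
     *
     * @param request  the request to read
     * @param consumer receives the extracted (username, password) pair
     */
    public static void extractAuthHeader(HttpServletRequest request, BiConsumer<String, String> consumer) {
        String header = request.getHeader(HEADER_AUTHORIZATION);
        if (Strings.isBlank(header)) {
            return;
        }
        String[] parts = header.trim().split(" ");
        if (parts.length != 2) {
            return;
        }
        String scheme = parts[0];
        String value = parts[1];
        if (scheme.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
            // Decode as UTF-8 explicitly; before Java 18 the no-charset String constructor uses the platform default.
            String decoded = new String(Base64.decodeBase64(value), StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            if (colon >= 0) {
                consumer.accept(decoded.substring(0, colon), decoded.substring(colon + 1));
            }
        } else if (scheme.equalsIgnoreCase(AUTHENTICATION_SCHEME_BEARER)) {
            consumer.accept("token", value);
        }
    }

    /** @return true when both the username and the password fields are non-blank */
    public boolean isUsernamePasswordSet() {
        return Strings.isNotBlank(username) && Strings.isNotBlank(password);
    }

    /**
     * @return true when there is nothing to authenticate with: no certificate chain and either no
     *         username/password or the username {@code "public"}
     */
    public boolean hasNoCredentials() {
        return (!isUsernamePasswordSet() || "public".equals(username)) && certificates == null;
    }

    /**
     * Logs the subject out of the configured realm. Failures are logged at WARN and swallowed so a
     * logout problem never surfaces to the caller.
     *
     * @param authConfiguration supplies the realm name
     * @param subject           the subject to log out
     */
    public static void logout(AuthenticationConfiguration authConfiguration, Subject subject) {
        try {
            new LoginContext(authConfiguration.getRealm(), subject).logout();
        } catch (Exception e) {
            LOG.warn("Error occurred while logging out", e);
        }
    }

    /**
     * Runs the full authentication flow: credential presence, throttling, JAAS login plus role
     * check, then the optional privileged action.
     * <p>
     * When a throttler is configured, a blocked attempt for this username short-circuits with a
     * throttled result; a failed login increases the username's counter and a successful one
     * resets it. Exceptions thrown by {@code consumer} are logged at WARN and do not change the
     * (authorized) result.
     *
     * @param consumer action to run with the authenticated subject, may be null
     * @return the outcome of the attempt
     */
    public AuthenticateResult authenticate(Consumer<Subject> consumer) {
        if (hasNoCredentials()) {
            return AuthenticateResult.noCredentials();
        }
        Optional<AuthenticationThrottler> throttler = authConfiguration.getThrottler();
        AuthenticationThrottler.Attempt blocked = throttler
            .map(t -> t.attempt(username))
            .filter(AuthenticationThrottler.Attempt::isBlocked)
            .orElse(null);
        if (blocked != null) {
            LOG.debug("Authentication throttled: {}", blocked);
            return AuthenticateResult.throttled(blocked.retryAfter());
        }
        Subject subject = doAuthenticate();
        if (subject == null) {
            throttler.ifPresent(t -> t.increase(username));
            return AuthenticateResult.notAuthorized();
        }
        throttler.ifPresent(t -> t.reset(username));
        if (consumer != null) {
            try {
                consumer.accept(subject);
            } catch (Exception e) {
                LOG.warn("Failed to execute privileged action:", e);
            }
        }
        return AuthenticateResult.authorized();
    }

    /**
     * Performs the JAAS login and the role check.
     *
     * @return the authenticated subject, or null when the login fails or the subject lacks a
     *         required role
     */
    protected Subject doAuthenticate() {
        String realm = authConfiguration.getRealm();
        String roles = authConfiguration.getRoles();
        String rolePrincipalClasses = authConfiguration.getRolePrincipalClasses();
        Configuration configuration = authConfiguration.getConfiguration();
        try {
            // The password is never logged; a sanitized marker stands in for it.
            LOG.debug("doAuthenticate[realm={}, role={}, rolePrincipalClasses={}, configuration={}, username={}, password={}]",
                realm, roles, rolePrincipalClasses, configuration, username, SanitizableData.SANITIZED_VALUE);
            Subject subject = new Subject();
            login(subject, realm, configuration);
            return checkRoles(subject, roles, rolePrincipalClasses) ? subject : null;
        } catch (AccountException e) {
            // AccountException is a LoginException; it must be caught first to keep this branch reachable.
            LOG.warn("Account failure", e);
            return null;
        } catch (LoginException e) {
            LOG.warn("Login failed due to: {}", e.getMessage());
            LOG.debug("Failed stacktrace:", e);
            return null;
        }
    }

    /**
     * Logs into the realm, populating {@code subject}. An explicit JAAS {@link Configuration} is
     * used when one is configured; otherwise the JVM-wide configuration applies.
     *
     * @throws LoginException when the login module rejects the credentials
     */
    protected void login(Subject subject, String realm, Configuration configuration) throws LoginException {
        CallbackHandler handler = createCallbackHandler();
        LoginContext context = configuration != null
            ? new LoginContext(realm, subject, handler, configuration)
            : new LoginContext(realm, subject, handler);
        context.login();
    }

    /** Username/password handler when both are set, otherwise the certificate handler. */
    private CallbackHandler createCallbackHandler() {
        if (isUsernamePasswordSet()) {
            return new UsernamePasswordCallbackHandler(username, password);
        }
        return new CertificateCallbackHandler(certificates);
    }

    /**
     * Checks whether the subject holds one of the required roles.
     * <p>
     * The check is skipped (returns true) when no roles are configured, when the role list is
     * {@code "*"}, or - outside WebSphere/JBoss EAP - when no role principal classes are configured.
     *
     * @param subject              the logged-in subject
     * @param roles                comma-separated required roles
     * @param rolePrincipalClasses comma-separated principal class names that carry roles
     * @return true when the subject may proceed
     */
    protected boolean checkRoles(Subject subject, String roles, String rolePrincipalClasses) {
        if (Strings.isBlank(roles)) {
            LOG.debug("Skipping role check, no role configured");
            return true;
        }
        if (roles.equals("*")) {
            LOG.debug("Skipping role check, all roles allowed");
            return true;
        }
        boolean hasRole;
        if (isRunningOnWebsphere(subject)) {
            hasRole = checkIfSubjectHasRequiredRoleOnWebsphere(subject, roles);
        } else if (isRunningOnJbossEAP(subject)) {
            hasRole = checkIfSubjectHasRequiredRoleOnJbossEAP(subject, roles);
        } else {
            if (Strings.isBlank(rolePrincipalClasses)) {
                LOG.debug("Skipping role check, no rolePrincipalClasses configured");
                return true;
            }
            hasRole = checkIfSubjectHasRequiredRole(subject, roles, rolePrincipalClasses);
        }
        if (!hasRole) {
            LOG.debug("User {} does not have the required role {}", username, roles);
        }
        return hasRole;
    }

    /**
     * Generic role check: a principal whose class name equals one of the configured role principal
     * classes and whose name equals one of the required roles (both trimmed) grants access.
     */
    private boolean checkIfSubjectHasRequiredRole(Subject subject, String roles, String rolePrincipalClasses) {
        String[] requiredRoles = roles.split(",");
        for (String configuredClass : rolePrincipalClasses.split(",")) {
            String wantedClass = configuredClass.trim();
            LOG.debug("Looking for rolePrincipalClass: {}", configuredClass);
            for (Principal principal : subject.getPrincipals()) {
                String principalClass = principal.getClass().getName();
                LOG.debug("Checking principal, classname: {} toString: {}", principalClass, principal);
                if (!principalClass.equals(wantedClass)) {
                    LOG.debug("principal class {} doesn't match {}, continuing", principalClass, wantedClass);
                    continue;
                }
                for (String role : requiredRoles) {
                    if (principal.getName().equals(role.trim())) {
                        LOG.debug("Matched role and role principal class");
                        return true;
                    }
                    LOG.debug("role {} doesn't match {}, continuing", principal.getName(), role);
                }
            }
        }
        return false;
    }

    /**
     * Detects WebSphere by looking for a principal implementing {@code WSPrincipal}. The result is
     * cached JVM-wide from the first subject examined. Detection succeeds if any principal matches
     * (previously only the last principal's result survived the loop).
     */
    private static boolean isRunningOnWebsphere(Subject subject) {
        if (websphereDetected == null) {
            boolean detected = false;
            for (Principal principal : subject.getPrincipals()) {
                LOG.trace("Checking principal for IBM specific interfaces: {}", principal);
                if (implementsInterface(principal, "com.ibm.websphere.security.auth.WSPrincipal")) {
                    detected = true;
                    break;
                }
            }
            LOG.trace("Checking if we are running using a IBM Websphere specific LoginModule: {}", detected);
            websphereDetected = detected;
        }
        return websphereDetected;
    }

    /**
     * Detects JBoss EAP by looking for a principal of class {@code org.jboss.security.SimplePrincipal}.
     * The result is cached JVM-wide from the first subject examined.
     */
    private static boolean isRunningOnJbossEAP(Subject subject) {
        if (jbosseapDetected == null) {
            boolean detected = false;
            for (Principal principal : subject.getPrincipals()) {
                LOG.trace("Checking principal for JBoss EAP specific interfaces: {} {}", principal, principal.getClass().getName());
                if ("org.jboss.security.SimplePrincipal".equals(principal.getClass().getName())) {
                    detected = true;
                    break;
                }
            }
            LOG.trace("Checking if we are running using a Jboss EAP specific LoginModule: {}", detected);
            jbosseapDetected = detected;
        }
        return jbosseapDetected;
    }

    /**
     * WebSphere role check: reads the group ids from every {@code WSCredential} public credential
     * (via reflection) and matches them, untrimmed, against the comma-separated required roles.
     * Reflection failures are logged at DEBUG and treated as "no match" for that credential.
     */
    private static boolean checkIfSubjectHasRequiredRoleOnWebsphere(Subject subject, String roles) {
        LOG.debug("Running on websphere: checking if the Role {} is in the set of groups in WSCredential", roles);
        String[] requiredRoles = roles.split(",");
        for (Object credential : subject.getPublicCredentials()) {
            LOG.debug("Checking credential {} if it is a WebSphere specific WSCredential containing group info", credential);
            if (!implementsInterface(credential, "com.ibm.websphere.security.cred.WSCredential")) {
                continue;
            }
            try {
                List<?> groups = (List<?>) getWebSphereGetGroupsMethod(credential).invoke(credential);
                if (groups == null) {
                    LOG.debug("The IBM Websphere groups list is null");
                    continue;
                }
                LOG.debug("Found a total of {} groups in the IBM WebSphere Credentials", groups.size());
                for (Object group : groups) {
                    LOG.debug("Matching IBM Websphere group name {} to required role {}", group, roles);
                    for (String role : requiredRoles) {
                        if (role.equals(group.toString())) {
                            LOG.debug("Required role {} found in IBM WebSphere specific credentials", role);
                            return true;
                        }
                        LOG.debug("role {} doesn't match {}, continuing", role, group);
                    }
                }
            } catch (IllegalAccessException | IllegalArgumentException | NoSuchMethodException | SecurityException | InvocationTargetException e) {
                LOG.debug("Caught exception trying to read groups from WebSphere specific WSCredentials class", e);
            }
        }
        return false;
    }

    /**
     * JBoss EAP role check: enumerates the members of the {@code SimpleGroup} principal named
     * {@code "Roles"} (via reflection) and matches them, untrimmed, against the comma-separated
     * required roles. Reflection failures are logged at DEBUG and treated as "no match".
     */
    private static boolean checkIfSubjectHasRequiredRoleOnJbossEAP(Subject subject, String roles) {
        LOG.debug("Running on Jboss EAP: checking if the Role {} is in the set of groups in SimpleGroup", roles);
        String[] requiredRoles = roles.split(",");
        for (Principal principal : subject.getPrincipals()) {
            LOG.debug("Checking principal {} if it is a Jboss specific SimpleGroup containing group info", principal);
            boolean isRolesGroup = "org.jboss.security.SimpleGroup".equals(principal.getClass().getName())
                && "Roles".equals(principal.getName());
            if (!isRolesGroup) {
                continue;
            }
            try {
                Enumeration<?> members = (Enumeration<?>) getJbossEAPGetGroupsMethod(principal).invoke(principal);
                if (members == null) {
                    LOG.debug("The Jboss EAP groups list is null");
                    continue;
                }
                while (members.hasMoreElements()) {
                    Principal member = (Principal) members.nextElement();
                    LOG.debug("Matching Jboss EAP group name {} to required role(s) {}", member, roles);
                    for (String role : requiredRoles) {
                        if (role.equals(member.toString())) {
                            LOG.debug("Required role {} found in Jboss EAP specific credentials", role);
                            return true;
                        }
                        LOG.debug("role {} doesn't match {}, continuing", role, member);
                    }
                }
            } catch (IllegalAccessException | IllegalArgumentException | NoSuchMethodException | SecurityException | InvocationTargetException e) {
                LOG.debug("Caught exception trying to read groups from JBoss EAP specific SimpleGroup class", e);
            }
        }
        return false;
    }

    /** Reflected {@code getGroupIds()} of the WebSphere credential, resolved once from the first credential seen. */
    private static Method getWebSphereGetGroupsMethod(Object credential) throws NoSuchMethodException {
        if (websphereGetGroupsMethod == null) {
            websphereGetGroupsMethod = credential.getClass().getMethod("getGroupIds");
        }
        return websphereGetGroupsMethod;
    }

    /** Reflected {@code members()} of the JBoss group principal, resolved once from the first principal seen. */
    private static Method getJbossEAPGetGroupsMethod(Object principal) throws NoSuchMethodException {
        if (jbosseapGetGroupsMethod == null) {
            jbosseapGetGroupsMethod = principal.getClass().getMethod("members");
        }
        return jbosseapGetGroupsMethod;
    }

    /**
     * True when the object's concrete class directly declares an interface with the given name.
     * Note that {@link Class#getInterfaces()} does not include interfaces inherited from
     * superclasses or extended by the declared interfaces.
     */
    private static boolean implementsInterface(Object obj, String interfaceName) {
        for (Class<?> iface : obj.getClass().getInterfaces()) {
            LOG.trace("Checking interface {} if it matches {}", iface, interfaceName);
            if (iface.getName().equals(interfaceName)) {
                return true;
            }
        }
        return false;
    }
}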
