package org.wildfly.security.http.impl;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.function.Supplier;
import javax.security.auth.DestroyFailedException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.AvailableRealmsCallback;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.HttpServerResponse;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism.digest.DigestQuote;
import org.wildfly.security.mechanism.digest.DigestUtil;
import org.wildfly.security.password.TwoWayPassword;
import org.wildfly.security.password.interfaces.DigestPassword;
import org.wildfly.security.password.spec.DigestPasswordAlgorithmSpec;
import org.wildfly.security.util.ByteIterator;

/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.1.0.Final.jar:org/wildfly/security/http/impl/DigestAuthenticationMechanism.class */
class DigestAuthenticationMechanism implements HttpServerAuthenticationMechanism {
    private static final String CHALLENGE_PREFIX = "Digest ";
    private static final int PREFIX_LENGTH = CHALLENGE_PREFIX.length();
    private static final String OPAQUE_VALUE = "00000000000000000000000000000000";
    private static final byte COLON = 58;
    private final Supplier<Provider[]> providers;
    private final CallbackHandler callbackHandler;
    private final NonceManager nonceManager;
    private final String configuredRealm;
    private final String domain;

    /* JADX INFO: Access modifiers changed from: package-private */
    public DigestAuthenticationMechanism(CallbackHandler callbackHandler, NonceManager nonceManager, String str, String str2, Supplier<Provider[]> supplier) {
        this.callbackHandler = callbackHandler;
        this.nonceManager = nonceManager;
        this.configuredRealm = str;
        this.domain = str2;
        this.providers = supplier;
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public String getMechanismName() {
        return HttpConstants.DIGEST_NAME;
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public void evaluateRequest(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        List<String> requestHeaderValues = httpServerRequest.getRequestHeaderValues("Authorization");
        if (requestHeaderValues != null) {
            for (String str : requestHeaderValues) {
                if (str.startsWith(CHALLENGE_PREFIX)) {
                    try {
                        validateResponse(DigestUtil.parseResponse(str.substring(CHALLENGE_PREFIX.length()).getBytes(StandardCharsets.UTF_8), StandardCharsets.UTF_8, false, getMechanismName()), httpServerRequest);
                        return;
                    } catch (AuthenticationMechanismException e) {
                        ElytronMessages.log.trace("Failed to parse or validate the response", e);
                        httpServerRequest.badRequest(e.toHttpAuthenticationException(), httpServerResponse -> {
                            prepareResponse(selectRealm(), httpServerResponse, false);
                        });
                        return;
                    }
                }
            }
        }
        httpServerRequest.noAuthenticationInProgress(httpServerResponse2 -> {
            prepareResponse(selectRealm(), httpServerResponse2, false);
        });
    }

    private void validateResponse(HashMap<String, byte[]> hashMap, HttpServerRequest httpServerRequest) throws AuthenticationMechanismException, HttpAuthenticationException {
        String convertToken = convertToken(HttpConstants.NONCE, hashMap.get(HttpConstants.NONCE));
        String convertToken2 = convertToken("realm", hashMap.get("realm"));
        boolean useNonce = this.nonceManager.useNonce(convertToken, convertToken2.getBytes(StandardCharsets.UTF_8));
        String convertToken3 = convertToken("username", hashMap.get("username"));
        if (!hashMap.containsKey("uri")) {
            throw ElytronMessages.log.mechMissingDirective(getMechanismName(), "uri");
        }
        byte[] bArr = hashMap.get("uri");
        if (!hashMap.containsKey(HttpConstants.RESPONSE)) {
            throw ElytronMessages.log.mechMissingDirective(getMechanismName(), HttpConstants.RESPONSE);
        }
        byte[] drain = ByteIterator.ofBytes(hashMap.get(HttpConstants.RESPONSE)).hexDecode().drain();
        String convertToken4 = convertToken("algorithm", hashMap.get("algorithm"));
        if (!"MD5".equals(convertToken4)) {
            throw ElytronMessages.log.mechUnsupportedAlgorithm(getMechanismName(), convertToken4);
        }
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("MD5");
            if (!checkRealm(convertToken2)) {
                throw ElytronMessages.log.mechDisallowedClientRealm(getMechanismName(), convertToken2);
            }
            String selectRealm = selectRealm();
            if (convertToken3.length() == 0) {
                fail();
                httpServerRequest.authenticationFailed(ElytronMessages.log.authenticationFailed(getMechanismName()), httpServerResponse -> {
                    prepareResponse(selectRealm, httpServerResponse, false);
                });
                return;
            }
            byte[] h_a1 = getH_A1(messageDigest, convertToken3, convertToken2);
            if (h_a1 == null) {
                fail();
                httpServerRequest.authenticationFailed(ElytronMessages.log.authenticationFailed(getMechanismName()), httpServerResponse2 -> {
                    prepareResponse(selectRealm, httpServerResponse2, false);
                });
                return;
            }
            if (!Arrays.equals(drain, calculateResponseDigest(messageDigest, h_a1, convertToken, httpServerRequest.getRequestMethod(), bArr))) {
                fail();
                httpServerRequest.authenticationFailed(ElytronMessages.log.mechResponseTokenMismatch(getMechanismName()), httpServerResponse3 -> {
                    prepareResponse(selectRealm, httpServerResponse3, false);
                });
            } else if (!useNonce) {
                httpServerRequest.authenticationInProgress(httpServerResponse4 -> {
                    prepareResponse(selectRealm, httpServerResponse4, true);
                });
            } else if (authorize(convertToken3)) {
                succeed();
                httpServerRequest.authenticationComplete();
            } else {
                fail();
                httpServerRequest.authenticationFailed(ElytronMessages.log.authorizationFailed(convertToken3, getMechanismName()), httpServerResponse5 -> {
                    httpServerResponse5.setStatusCode(403);
                });
            }
        } catch (NoSuchAlgorithmException e) {
            throw ElytronMessages.log.mechMacAlgorithmNotSupported(getMechanismName(), e);
        }
    }

    private boolean checkRealm(String str) throws AuthenticationMechanismException {
        String[] availableRealms = getAvailableRealms();
        if (availableRealms == null) {
            return false;
        }
        for (String str2 : availableRealms) {
            if (str.equals(str2)) {
                return true;
            }
        }
        return false;
    }

    private byte[] calculateResponseDigest(MessageDigest messageDigest, byte[] bArr, String str, String str2, byte[] bArr2) {
        messageDigest.update(str2.getBytes(StandardCharsets.UTF_8));
        messageDigest.update((byte) 58);
        byte[] digest = messageDigest.digest(bArr2);
        messageDigest.update(ByteIterator.ofBytes(bArr).hexEncode().drainToString().getBytes(StandardCharsets.UTF_8));
        messageDigest.update((byte) 58);
        messageDigest.update(str.getBytes(StandardCharsets.UTF_8));
        messageDigest.update((byte) 58);
        return messageDigest.digest(ByteIterator.ofBytes(digest).hexEncode().drainToString().getBytes(StandardCharsets.UTF_8));
    }

    private byte[] getH_A1(MessageDigest messageDigest, String str, String str2) throws AuthenticationMechanismException {
        NameCallback nameCallback = new NameCallback("User name", str);
        RealmCallback realmCallback = new RealmCallback("User realm", str2);
        byte[] predigestedSaltedPassword = getPredigestedSaltedPassword(realmCallback, nameCallback, DigestPassword.ALGORITHM_DIGEST_MD5, getMechanismName());
        if (predigestedSaltedPassword != null) {
            return predigestedSaltedPassword;
        }
        byte[] saltedPasswordFromTwoWay = getSaltedPasswordFromTwoWay(messageDigest, realmCallback, nameCallback);
        return saltedPasswordFromTwoWay != null ? saltedPasswordFromTwoWay : getSaltedPasswordFromPasswordCallback(messageDigest, realmCallback, nameCallback);
    }

    private String convertToken(String str, byte[] bArr) throws AuthenticationMechanismException {
        if (bArr == null) {
            throw ElytronMessages.log.mechMissingDirective(getMechanismName(), str);
        }
        return new String(bArr, StandardCharsets.UTF_8);
    }

    private String selectRealm() throws HttpAuthenticationException {
        try {
            if (this.configuredRealm != null) {
                if (checkRealm(this.configuredRealm)) {
                    return this.configuredRealm;
                }
                throw ElytronMessages.log.digestMechanismInvalidRealm(this.configuredRealm);
            }
            String[] availableRealms = getAvailableRealms();
            if (availableRealms == null || availableRealms.length <= 0) {
                throw ElytronMessages.log.digestMechanismRequireRealm();
            }
            return availableRealms[0];
        } catch (AuthenticationMechanismException e) {
            throw e.toHttpAuthenticationException();
        }
    }

    private String[] getAvailableRealms() throws AuthenticationMechanismException {
        AvailableRealmsCallback availableRealmsCallback = new AvailableRealmsCallback();
        try {
            this.callbackHandler.handle(new Callback[]{availableRealmsCallback});
            return availableRealmsCallback.getRealmNames();
        } catch (AuthenticationMechanismException e) {
            throw e;
        } catch (IOException e2) {
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(HttpConstants.DIGEST_NAME, e2);
        } catch (UnsupportedCallbackException e3) {
            return new String[0];
        }
    }

    private void prepareResponse(String str, HttpServerResponse httpServerResponse, boolean z) throws HttpAuthenticationException {
        StringBuilder sb = new StringBuilder(CHALLENGE_PREFIX);
        sb.append("realm").append("=\"").append(DigestQuote.quote(str)).append("\"");
        if (this.domain != null) {
            sb.append(", ").append("domain").append("=\"").append(this.domain).append("\"");
        }
        sb.append(", ").append(HttpConstants.NONCE).append("=\"").append(this.nonceManager.generateNonce(str.getBytes(StandardCharsets.UTF_8))).append("\"");
        sb.append(", ").append(HttpConstants.OPAQUE).append("=\"").append("00000000000000000000000000000000").append("\"");
        if (z) {
            sb.append(", ").append(HttpConstants.STALE).append("=true");
        }
        sb.append(", ").append("algorithm").append("=").append("MD5");
        httpServerResponse.addResponseHeader("WWW-Authenticate", sb.toString());
        httpServerResponse.setStatusCode(401);
    }

    /* JADX WARN: Multi-variable type inference failed */
    public byte[] getPredigestedSaltedPassword(RealmCallback realmCallback, NameCallback nameCallback, String str, String str2) throws AuthenticationMechanismException {
        String defaultText = realmCallback.getDefaultText();
        String defaultName = nameCallback.getDefaultName();
        CredentialCallback credentialCallback = new CredentialCallback(PasswordCredential.class, str, (defaultText == null || defaultName == null) ? null : new DigestPasswordAlgorithmSpec(defaultName, defaultText));
        try {
            this.callbackHandler.handle(new Callback[]{realmCallback, nameCallback, credentialCallback});
            return (byte[]) credentialCallback.applyToCredential(PasswordCredential.class, passwordCredential -> {
                return (byte[]) passwordCredential.getPassword().castAndApply(DigestPassword.class, (v0) -> {
                    return v0.getDigest();
                });
            });
        } catch (UnsupportedCallbackException e) {
            if (e.getCallback() == credentialCallback) {
                return null;
            }
            if (e.getCallback() == nameCallback) {
                throw ElytronMessages.log.mechCallbackHandlerDoesNotSupportUserName(str2, e);
            }
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(str2, e);
        } catch (Throwable th) {
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(str2, th);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    protected byte[] getSaltedPasswordFromTwoWay(MessageDigest messageDigest, RealmCallback realmCallback, NameCallback nameCallback) throws AuthenticationMechanismException {
        CredentialCallback credentialCallback = new CredentialCallback(PasswordCredential.class, "clear");
        try {
            this.callbackHandler.handle(new Callback[]{realmCallback, nameCallback, credentialCallback});
            TwoWayPassword twoWayPassword = (TwoWayPassword) credentialCallback.applyToCredential(PasswordCredential.class, passwordCredential -> {
                return (TwoWayPassword) passwordCredential.getPassword().castAs(TwoWayPassword.class);
            });
            char[] twoWayPasswordChars = DigestUtil.getTwoWayPasswordChars(getMechanismName(), twoWayPassword, this.providers);
            try {
                twoWayPassword.destroy();
            } catch (DestroyFailedException e) {
                ElytronMessages.log.credentialDestroyingFailed(e);
            }
            byte[] userRealmPasswordDigest = DigestUtil.userRealmPasswordDigest(messageDigest, nameCallback.getDefaultName(), realmCallback.getDefaultText(), twoWayPasswordChars);
            Arrays.fill(twoWayPasswordChars, (char) 0);
            return userRealmPasswordDigest;
        } catch (UnsupportedCallbackException e2) {
            if (e2.getCallback() == credentialCallback) {
                return null;
            }
            if (e2.getCallback() == nameCallback) {
                throw ElytronMessages.log.mechCallbackHandlerDoesNotSupportUserName(getMechanismName(), e2);
            }
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), e2);
        } catch (Throwable th) {
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), th);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    protected byte[] getSaltedPasswordFromPasswordCallback(MessageDigest messageDigest, RealmCallback realmCallback, NameCallback nameCallback) throws AuthenticationMechanismException {
        PasswordCallback passwordCallback = new PasswordCallback("User password", false);
        try {
            this.callbackHandler.handle(new Callback[]{realmCallback, nameCallback, passwordCallback});
            char[] password = passwordCallback.getPassword();
            passwordCallback.clearPassword();
            if (password == null) {
                throw ElytronMessages.log.mechNoPasswordGiven(getMechanismName());
            }
            byte[] userRealmPasswordDigest = DigestUtil.userRealmPasswordDigest(messageDigest, nameCallback.getDefaultName(), realmCallback.getDefaultText(), password);
            Arrays.fill(password, (char) 0);
            return userRealmPasswordDigest;
        } catch (UnsupportedCallbackException e) {
            if (e.getCallback() == passwordCallback) {
                return null;
            }
            if (e.getCallback() == nameCallback) {
                throw ElytronMessages.log.mechCallbackHandlerDoesNotSupportUserName(getMechanismName(), e);
            }
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), e);
        } catch (Throwable th) {
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), th);
        }
    }

    protected boolean authorize(String str) throws AuthenticationMechanismException {
        Callback authorizeCallback = new AuthorizeCallback(str, str);
        try {
            this.callbackHandler.handle(new Callback[]{authorizeCallback});
            return authorizeCallback.isAuthorized();
        } catch (UnsupportedCallbackException e) {
            return false;
        } catch (Throwable th) {
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), th);
        }
    }

    protected void succeed() throws AuthenticationMechanismException {
        try {
            this.callbackHandler.handle(new Callback[]{AuthenticationCompleteCallback.SUCCEEDED});
        } catch (Throwable th) {
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), th);
        }
    }

    protected void fail() throws AuthenticationMechanismException {
        try {
            this.callbackHandler.handle(new Callback[]{AuthenticationCompleteCallback.FAILED});
        } catch (Throwable th) {
            throw ElytronMessages.log.mechCallbackHandlerFailedForUnknownReason(getMechanismName(), th);
        }
    }
}
