package org.jboss.as.domain.management.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedList;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Supplier;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import org.jboss.as.domain.management.AuthMechanism;
import org.jboss.as.domain.management.RealmConfigurationConstants;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.logging.DomainManagementLogger;
import org.jboss.as.domain.management.plugin.AuthenticationPlugIn;
import org.jboss.as.domain.management.plugin.Credential;
import org.jboss.as.domain.management.plugin.DigestCredential;
import org.jboss.as.domain.management.plugin.Identity;
import org.jboss.as.domain.management.plugin.PlugInConfigurationSupport;
import org.jboss.as.domain.management.plugin.ValidatePasswordCredential;
import org.jboss.as.domain.management.security.SecurityRealmService;
import org.jboss.msc.Service;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.StartContext;
import org.jboss.msc.service.StopContext;
import org.wildfly.common.Assert;
import org.wildfly.common.iteration.ByteIterator;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.interfaces.DigestPassword;
import org.wildfly.security.password.spec.ClearPasswordSpec;
import org.wildfly.security.password.spec.DigestPasswordAlgorithmSpec;
import org.wildfly.security.password.spec.DigestPasswordSpec;
import org.wildfly.security.sasl.util.UsernamePasswordHashUtil;

/* loaded from: input_file:WEB-INF/lib/wildfly-domain-management-15.0.1.Final.jar:org/jboss/as/domain/management/security/PlugInAuthenticationCallbackHandler.class */
/**
 * {@link CallbackHandlerService} whose identities and credentials come from a user-supplied
 * {@link AuthenticationPlugIn} resolved through the {@code PlugInLoaderService}.
 *
 * <p>A plug-in may hand back one of three credential shapes, and both authentication paths on this
 * page branch on them in the same order:
 * <ul>
 *   <li>{@code org.jboss.as.domain.management.plugin.PasswordCredential} - a clear-text password,
 *       usable for clear and (by hashing on demand) DIGEST-MD5 exchanges;</li>
 *   <li>{@link DigestCredential} - a pre-computed, hex-encoded DIGEST-MD5 hash, usable only for the
 *       realm and user it was computed for;</li>
 *   <li>{@link ValidatePasswordCredential} - the plug-in performs the comparison itself, so only
 *       password-guess verification is possible (no credential can be handed out).</li>
 * </ul>
 *
 * <p>The credential handling is implemented twice: once in the legacy {@link CallbackHandler}
 * returned by {@link #getCallbackHandler(Map)} and once in the Elytron realm returned by
 * {@link #getElytronSecurityRealm()}. The two copies are meant to behave identically and should be
 * changed together.
 *
 * <p>This listing is decompiler (JADX) output: the {@code access$100} method is the compiler's
 * synthetic accessor for {@link #getHashUtil()}, the "loaded from" comments name the originating
 * class files, and some generic declarations are decompiler reconstructions rather than the
 * original source.
 */
public class PlugInAuthenticationCallbackHandler extends AbstractPlugInService implements Service, CallbackHandlerService {
    // Appended to the realm's service name to form this handler's service name (see ServiceUtil).
    private static final String SERVICE_SUFFIX = "plug-in-authentication";
    // Created lazily by getHashUtil(). Every user synchronizes on the returned instance while calling
    // it, which suggests UsernamePasswordHashUtil is not thread-safe.
    // NOTE(review): the lazy initialisation itself is unguarded and the field is not volatile, so two
    // threads racing through getHashUtil() may briefly hold different instances and therefore lock on
    // different objects - confirm whether that matters for UsernamePasswordHashUtil.
    private static UsernamePasswordHashUtil hashUtil = null;
    // Receives this service on start() and null on stop().
    private final Consumer<CallbackHandlerService> callbackHandlerServiceConsumer;
    // Mechanism reported by getPreferredMechanism(); also selects the getConfigurationOptions() map.
    private final AuthMechanism mechanism;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/wildfly-domain-management-15.0.1.Final.jar:org/jboss/as/domain/management/security/PlugInAuthenticationCallbackHandler$SecurityRealmImpl.class */
    /**
     * Elytron {@code SecurityRealm} view of the plug-in. Stateless itself; all work happens in the
     * {@link RealmIdentityImpl} created per {@link #getRealmIdentity(Principal)} call.
     */
    public class SecurityRealmImpl implements SecurityRealm {

        /* loaded from: input_file:WEB-INF/lib/wildfly-domain-management-15.0.1.Final.jar:org/jboss/as/domain/management/security/PlugInAuthenticationCallbackHandler$SecurityRealmImpl$RealmIdentityImpl.class */
        /**
         * One identity as seen by Elytron. The plug-in is loaded, initialised and queried once in the
         * constructor; the resulting credential (possibly {@code null}) is then immutable for the
         * lifetime of this object.
         */
        private class RealmIdentityImpl implements RealmIdentity {
            // Plug-in name, kept only for error reporting.
            private final String name;
            // The loaded plug-in instance.
            private final AuthenticationPlugIn<Credential> ap;
            // Principal this identity was requested for; its getName() is the plug-in user name.
            private final Principal principal;
            // Credential returned by the plug-in, or null when the plug-in knows no such user.
            private final Credential credential;

            /**
             * Loads and initialises the plug-in, then looks the principal up in it.
             *
             * @param principal the identity to resolve; only {@code getName()} is used
             * @throws RealmUnavailableException if the plug-in fails while loading the identity
             */
            private RealmIdentityImpl(Principal principal) throws RealmUnavailableException {
                this.name = PlugInAuthenticationCallbackHandler.this.getPlugInName();
                // The plug-in is loaded afresh for every identity rather than cached on the realm.
                this.ap = PlugInAuthenticationCallbackHandler.this.getPlugInLoader().loadAuthenticationPlugIn(this.name);
                if (this.ap instanceof PlugInConfigurationSupport) {
                    try {
                        // Unlike the legacy path in getCallbackHandler(Map), the shared state comes from
                        // the SecurityRealmService rather than from a caller-supplied map.
                        ((PlugInConfigurationSupport) this.ap).init(PlugInAuthenticationCallbackHandler.this.getConfiguration(), SecurityRealmService.SharedStateSecurityRealm.getSharedState());
                    } catch (IOException e) {
                        // NOTE(review): only the message is propagated; the IOException cause is dropped.
                        throw DomainManagementLogger.ROOT_LOGGER.unableToInitialisePlugIn(this.name, e.getMessage());
                    }
                }
                this.principal = principal;
                try {
                    Identity<Credential> loadIdentity = this.ap.loadIdentity(principal.getName(), PlugInAuthenticationCallbackHandler.this.getRealmName());
                    // An unknown user yields a null credential; exists() reports that to Elytron.
                    this.credential = loadIdentity != null ? loadIdentity.getCredential() : null;
                } catch (IOException e2) {
                    throw new RealmUnavailableException(e2);
                }
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public Principal getRealmIdentityPrincipal() {
                return this.principal;
            }

            /**
             * Answers by actually attempting to build the credential, so the result is exact
             * (SUPPORTED/UNSUPPORTED) rather than POSSIBLY_SUPPORTED.
             */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public SupportLevel getCredentialAcquireSupport(Class<? extends org.wildfly.security.credential.Credential> cls, String str) throws RealmUnavailableException {
                return getCredential(cls, str) != null ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public SupportLevel getCredentialAcquireSupport(Class<? extends org.wildfly.security.credential.Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
                return getCredential(cls, str, algorithmParameterSpec) != null ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public <C extends org.wildfly.security.credential.Credential> C getCredential(Class<C> cls) throws RealmUnavailableException {
                return (C) getCredential(cls, null);
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public <C extends org.wildfly.security.credential.Credential> C getCredential(Class<C> cls, String str) throws RealmUnavailableException {
                return (C) getCredential(cls, str, null);
            }

            /**
             * Converts the plug-in credential into an Elytron {@code PasswordCredential}.
             *
             * <p>Only {@code PasswordCredential} (or a supertype) can be requested. A
             * {@link DigestCredential} can satisfy a DIGEST-MD5 request for exactly this realm and
             * user; a clear-text plug-in password can satisfy a "clear" request directly or a
             * DIGEST-MD5 request by hashing on demand. Any other combination yields {@code null}.
             *
             * @param cls                    requested credential type
             * @param str                    requested algorithm name, or {@code null} for "any"
             * @param algorithmParameterSpec optional parameters; for DIGEST-MD5 these must name this
             *                               realm and user
             * @return the credential, or {@code null} if it cannot be provided
             * @throws RealmUnavailableException if the password factory rejects the spec
             */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public <C extends org.wildfly.security.credential.Credential> C getCredential(Class<C> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
                PasswordFactory passwordFactory;
                KeySpec clearPasswordSpec;
                if (this.credential == null || !org.wildfly.security.credential.PasswordCredential.class.isAssignableFrom(cls)) {
                    return null;
                }
                String realmName = PlugInAuthenticationCallbackHandler.this.getRealmName();
                String name = this.principal.getName();
                if ((this.credential instanceof DigestCredential) && (str == null || DigestPassword.ALGORITHM_DIGEST_MD5.equals(str))) {
                    if (algorithmParameterSpec != null) {
                        if (!(algorithmParameterSpec instanceof DigestPasswordAlgorithmSpec)) {
                            return null;
                        }
                        DigestPasswordAlgorithmSpec digestPasswordAlgorithmSpec = (DigestPasswordAlgorithmSpec) algorithmParameterSpec;
                        // A pre-computed digest is bound to its realm and user name; it cannot be
                        // re-targeted, so any other realm/user combination is refused.
                        if (!Objects.equals(digestPasswordAlgorithmSpec.getRealm(), realmName) || !Objects.equals(digestPasswordAlgorithmSpec.getUsername(), name)) {
                            return null;
                        }
                    }
                    passwordFactory = PlugInAuthenticationCallbackHandler.getPasswordFactory(DigestPassword.ALGORITHM_DIGEST_MD5);
                    // The stored hash is hex text; it is decoded to raw digest bytes here.
                    clearPasswordSpec = new DigestPasswordSpec(name, realmName, ByteIterator.ofBytes(((DigestCredential) this.credential).getHash().getBytes(StandardCharsets.UTF_8)).asUtf8String().hexDecode().drain());
                } else {
                    if (!(this.credential instanceof org.jboss.as.domain.management.plugin.PasswordCredential)) {
                        return null;
                    }
                    if (str == null || "clear".equals(str)) {
                        passwordFactory = PlugInAuthenticationCallbackHandler.getPasswordFactory("clear");
                        // The plug-in's char[] is handed over as-is (no defensive copy).
                        clearPasswordSpec = new ClearPasswordSpec(((org.jboss.as.domain.management.plugin.PasswordCredential) this.credential).getPassword());
                    } else {
                        if (!DigestPassword.ALGORITHM_DIGEST_MD5.equals(str)) {
                            return null;
                        }
                        passwordFactory = PlugInAuthenticationCallbackHandler.getPasswordFactory(DigestPassword.ALGORITHM_DIGEST_MD5);
                        UsernamePasswordHashUtil access$100 = PlugInAuthenticationCallbackHandler.access$100();
                        synchronized (access$100) {
                            // NOTE(review): the DigestCredential branch above hex-decodes the hash before
                            // building the spec, whereas this branch passes the UTF-8 bytes of the hex
                            // string itself. Unless DigestPasswordSpec accepts both forms, one of the two
                            // is wrong - confirm the expected encoding. The same asymmetry exists in the
                            // legacy handler's CredentialCallback branch.
                            clearPasswordSpec = new DigestPasswordSpec(name, realmName, access$100.generateHashedHexURP(name, realmName, ((org.jboss.as.domain.management.plugin.PasswordCredential) this.credential).getPassword()).getBytes(StandardCharsets.UTF_8));
                        }
                    }
                }
                try {
                    return cls.cast(new org.wildfly.security.credential.PasswordCredential(passwordFactory.generatePassword(clearPasswordSpec)));
                } catch (InvalidKeySpecException e) {
                    throw new RealmUnavailableException(e);
                }
            }

            // Delegates to the realm: support depends only on the evidence type, not on the credential.
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getEvidenceVerifySupport(cls, str);
            }

            /**
             * Verifies a {@link PasswordGuessEvidence} against the plug-in credential.
             *
             * <p>Clear-text credentials are compared directly, digest credentials by recomputing the
             * DIGEST-MD5 hash of the guess, and {@link ValidatePasswordCredential}s by delegating to
             * the plug-in. Failures are logged at trace level with the user name only.
             *
             * @return {@code true} only if the guess matches; {@code false} for unknown users, other
             *         evidence types and unrecognised credential shapes
             */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
                String generateHashedHexURP;
                // Unlike the legacy handler, the evidence type is checked before casting.
                if (this.credential == null || !(evidence instanceof PasswordGuessEvidence)) {
                    return false;
                }
                char[] guess = ((PasswordGuessEvidence) evidence).getGuess();
                if (this.credential instanceof org.jboss.as.domain.management.plugin.PasswordCredential) {
                    // NOTE(review): Arrays.equals exits on the first difference, so this comparison is not
                    // constant-time.
                    boolean equals = Arrays.equals(((org.jboss.as.domain.management.plugin.PasswordCredential) this.credential).getPassword(), guess);
                    if (!equals) {
                        DomainManagementLogger.SECURITY_LOGGER.tracef("Password verification failed for user '%s'", this.principal.getName());
                    }
                    return equals;
                }
                if (!(this.credential instanceof DigestCredential)) {
                    if (!(this.credential instanceof ValidatePasswordCredential)) {
                        return false;
                    }
                    boolean validatePassword = ((ValidatePasswordCredential) this.credential).validatePassword(guess);
                    if (!validatePassword) {
                        DomainManagementLogger.SECURITY_LOGGER.tracef("Delegated verification failed for user '%s'", this.principal.getName());
                    }
                    return validatePassword;
                }
                UsernamePasswordHashUtil access$100 = PlugInAuthenticationCallbackHandler.access$100();
                synchronized (access$100) {
                    generateHashedHexURP = access$100.generateHashedHexURP(this.principal.getName(), PlugInAuthenticationCallbackHandler.this.getRealmName(), guess);
                }
                // Both sides are hex strings here. NOTE(review): String.equals is not constant-time.
                boolean equals2 = ((DigestCredential) this.credential).getHash().equals(generateHashedHexURP);
                if (!equals2) {
                    DomainManagementLogger.SECURITY_LOGGER.tracef("Digest verification failed for user '%s'", this.principal.getName());
                }
                return equals2;
            }

            // The identity object always exists; "exists" means the plug-in returned a credential.
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public boolean exists() throws RealmUnavailableException {
                return this.credential != null;
            }
        }

        private SecurityRealmImpl() {
        }

        /**
         * Resolves the principal through the plug-in. Never returns {@code null}; an unknown user is
         * reported via {@link RealmIdentity#exists()}.
         */
        @Override // org.wildfly.security.auth.server.SecurityRealm
        public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
            return new RealmIdentityImpl(principal);
        }

        // Realm-level answer is deliberately non-committal: whether a credential can be produced
        // depends on the shape the plug-in returns for the particular user.
        @Override // org.wildfly.security.auth.server.SecurityRealm
        public SupportLevel getCredentialAcquireSupport(Class<? extends org.wildfly.security.credential.Credential> cls, String str) throws RealmUnavailableException {
            Assert.checkNotNullParam("credentialType", cls);
            return SupportLevel.POSSIBLY_SUPPORTED;
        }

        @Override // org.wildfly.security.auth.server.SecurityRealm
        public SupportLevel getCredentialAcquireSupport(Class<? extends org.wildfly.security.credential.Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) throws RealmUnavailableException {
            Assert.checkNotNullParam("credentialType", cls);
            return SupportLevel.POSSIBLY_SUPPORTED;
        }

        // Password guesses can be verified for every credential shape, so this is exact.
        @Override // org.wildfly.security.auth.server.SecurityRealm
        public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
            return PasswordGuessEvidence.class.isAssignableFrom(cls) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/wildfly-domain-management-15.0.1.Final.jar:org/jboss/as/domain/management/security/PlugInAuthenticationCallbackHandler$ServiceUtil.class */
    /** Naming helper for the MSC service that exposes this handler. */
    public static final class ServiceUtil {
        private ServiceUtil() {
        }

        /**
         * @param str the realm name
         * @return the realm's service name with {@code SERVICE_SUFFIX} appended
         */
        public static ServiceName createServiceName(String str) {
            return SecurityRealm.ServiceUtil.createServiceName(str).append(PlugInAuthenticationCallbackHandler.SERVICE_SUFFIX);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @param consumer      receives this service on start and {@code null} on stop
     * @param supplier      source of the plug-in loader (passed to the superclass)
     * @param str           realm name (passed to the superclass)
     * @param str2          plug-in name (passed to the superclass)
     * @param map           plug-in configuration (passed to the superclass)
     * @param authMechanism the mechanism this handler prefers
     */
    public PlugInAuthenticationCallbackHandler(Consumer<CallbackHandlerService> consumer, Supplier<PlugInLoaderService> supplier, String str, String str2, Map<String, String> map, AuthMechanism authMechanism) {
        super(supplier, str, str2, map);
        this.callbackHandlerServiceConsumer = consumer;
        this.mechanism = authMechanism;
    }

    @Override // org.jboss.msc.Service
    public void start(StartContext startContext) {
        this.callbackHandlerServiceConsumer.accept(this);
    }

    @Override // org.jboss.msc.Service
    public void stop(StopContext stopContext) {
        this.callbackHandlerServiceConsumer.accept(null);
    }

    /**
     * Returns the shared {@link UsernamePasswordHashUtil}, creating it on first use.
     *
     * <p>Not synchronized; see the note on the {@code hashUtil} field. Callers must synchronize on
     * the returned object while using it, as every caller on this page does.
     *
     * @throws IllegalStateException if the underlying digest algorithm is unavailable
     */
    private static UsernamePasswordHashUtil getHashUtil() {
        if (hashUtil == null) {
            try {
                hashUtil = new UsernamePasswordHashUtil();
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e);
            }
        }
        return hashUtil;
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public AuthMechanism getPreferredMechanism() {
        return this.mechanism;
    }

    // No fallback mechanisms are offered beyond the preferred one.
    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public Set<AuthMechanism> getSupplementaryMechanisms() {
        return Collections.emptySet();
    }

    /**
     * For DIGEST advertises {@code DIGEST_PLAIN_TEXT=false}; for every other mechanism advertises
     * {@code VERIFY_PASSWORD_CALLBACK_SUPPORTED=true}. Both values are emitted as strings.
     */
    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public Map<String, String> getConfigurationOptions() {
        return this.mechanism == AuthMechanism.DIGEST ? Collections.singletonMap(RealmConfigurationConstants.DIGEST_PLAIN_TEXT, Boolean.FALSE.toString()) : Collections.singletonMap(RealmConfigurationConstants.VERIFY_PASSWORD_CALLBACK_SUPPORTED, Boolean.TRUE.toString());
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public boolean isReadyForHttpChallenge() {
        return true;
    }

    /**
     * Builds the legacy JAAS/SASL {@link CallbackHandler}.
     *
     * <p>The plug-in is loaded and, if it supports configuration, initialised once here with the
     * caller-supplied shared-state map; the returned handler then reuses that instance for every
     * {@code handle} call.
     *
     * @param map shared state passed to {@link PlugInConfigurationSupport#init}
     * @return a handler supporting Name, Realm, Password, Authorize, Credential and EvidenceVerify
     *         callbacks
     */
    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public CallbackHandler getCallbackHandler(Map<String, Object> map) {
        String plugInName = getPlugInName();
        final AuthenticationPlugIn<Credential> loadAuthenticationPlugIn = getPlugInLoader().loadAuthenticationPlugIn(plugInName);
        if (loadAuthenticationPlugIn instanceof PlugInConfigurationSupport) {
            try {
                ((PlugInConfigurationSupport) loadAuthenticationPlugIn).init(getConfiguration(), map);
            } catch (IOException e) {
                // NOTE(review): only the message is propagated; the IOException cause is dropped.
                throw DomainManagementLogger.ROOT_LOGGER.unableToInitialisePlugIn(plugInName, e.getMessage());
            }
        }
        return new CallbackHandler() { // from class: org.jboss.as.domain.management.security.PlugInAuthenticationCallbackHandler.1
            /**
             * Two-pass handling: the first pass resolves the user name and realm and queues the
             * remaining callbacks; the second pass answers the queued callbacks against the loaded
             * credential. Queuing guarantees the NameCallback has been seen before any callback that
             * needs the credential, regardless of the order in the array.
             *
             * @throws UnsupportedCallbackException for callback types or credential/algorithm
             *                                      combinations this handler cannot serve
             * @throws IOException                  from the plug-in, or {@code UserNotFoundException}
             *                                      when the user is unknown
             */
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                PasswordFactory passwordFactory;
                KeySpec clearPasswordSpec;
                String generateHashedHexURP;
                String realmName = PlugInAuthenticationCallbackHandler.this.getRealmName();
                // Decompiler reconstruction: the element type is really Callback; the list holds
                // Authorize, Password, Credential and EvidenceVerify callbacks.
                LinkedList<AuthorizeCallback> linkedList = new LinkedList();
                String str = null;
                Object obj = null;
                for (Callback callback : callbackArr) {
                    if (callback instanceof AuthorizeCallback) {
                        linkedList.add(callback);
                    } else if (callback instanceof NameCallback) {
                        // The user name is taken from getDefaultName(), not getName().
                        str = ((NameCallback) callback).getDefaultName();
                        Identity loadIdentity = loadAuthenticationPlugIn.loadIdentity(str, realmName);
                        if (loadIdentity != null) {
                            obj = loadIdentity.getCredential();
                        }
                    } else if (callback instanceof PasswordCallback) {
                        linkedList.add(callback);
                    } else if (callback instanceof CredentialCallback) {
                        linkedList.add(callback);
                    } else if (callback instanceof EvidenceVerifyCallback) {
                        linkedList.add(callback);
                    } else {
                        if (!(callback instanceof RealmCallback)) {
                            throw new UnsupportedCallbackException(callback);
                        }
                        // A RealmCallback naming any realm other than this one is rejected outright.
                        String defaultText = ((RealmCallback) callback).getDefaultText();
                        if (!realmName.equals(defaultText)) {
                            throw DomainManagementLogger.ROOT_LOGGER.invalidRealm(defaultText, realmName);
                        }
                    }
                }
                for (AuthorizeCallback authorizeCallback : linkedList) {
                    if (authorizeCallback instanceof AuthorizeCallback) {
                        AuthorizeCallback authorizeCallback2 = authorizeCallback;
                        // Authorization is granted only when the authenticated and requested identities
                        // are the same; no impersonation is permitted.
                        boolean equals = authorizeCallback2.getAuthenticationID().equals(authorizeCallback2.getAuthorizationID());
                        if (!equals) {
                            DomainManagementLogger.SECURITY_LOGGER.tracef("Checking 'AuthorizeCallback', authorized=false, authenticationID=%s, authorizationID=%s.", authorizeCallback2.getAuthenticationID(), authorizeCallback2.getAuthorizationID());
                        }
                        authorizeCallback2.setAuthorized(equals);
                    } else if (authorizeCallback instanceof PasswordCallback) {
                        if (obj == null) {
                            DomainManagementLogger.SECURITY_LOGGER.tracef("User '%s' not found.", str);
                            throw new UserNotFoundException(str);
                        }
                        // Only a clear-text plug-in password can be handed out through a PasswordCallback.
                        if (!(obj instanceof org.jboss.as.domain.management.plugin.PasswordCredential)) {
                            throw new UnsupportedCallbackException(authorizeCallback);
                        }
                        ((PasswordCallback) authorizeCallback).setPassword(((org.jboss.as.domain.management.plugin.PasswordCredential) obj).getPassword());
                    } else if (authorizeCallback instanceof CredentialCallback) {
                        if (obj == null) {
                            DomainManagementLogger.SECURITY_LOGGER.tracef("User '%s' not found.", str);
                            throw new UserNotFoundException(str);
                        }
                        CredentialCallback credentialCallback = (CredentialCallback) authorizeCallback;
                        if (!org.wildfly.security.credential.PasswordCredential.class.isAssignableFrom(credentialCallback.getCredentialType())) {
                            throw new UnsupportedCallbackException(authorizeCallback);
                        }
                        // Same decision table as RealmIdentityImpl.getCredential, except that unservable
                        // combinations throw UnsupportedCallbackException instead of returning null.
                        String algorithm = credentialCallback.getAlgorithm();
                        if ((obj instanceof DigestCredential) && (algorithm == null || DigestPassword.ALGORITHM_DIGEST_MD5.equals(algorithm))) {
                            passwordFactory = PlugInAuthenticationCallbackHandler.getPasswordFactory(DigestPassword.ALGORITHM_DIGEST_MD5);
                            // Stored hash is hex text; decoded to raw digest bytes here.
                            clearPasswordSpec = new DigestPasswordSpec(str, realmName, ByteIterator.ofBytes(((DigestCredential) obj).getHash().getBytes(StandardCharsets.UTF_8)).asUtf8String().hexDecode().drain());
                        } else {
                            if (!(obj instanceof org.jboss.as.domain.management.plugin.PasswordCredential)) {
                                throw new UnsupportedCallbackException(authorizeCallback);
                            }
                            if (algorithm == null || "clear".equals(algorithm)) {
                                passwordFactory = PlugInAuthenticationCallbackHandler.getPasswordFactory("clear");
                                clearPasswordSpec = new ClearPasswordSpec(((org.jboss.as.domain.management.plugin.PasswordCredential) obj).getPassword());
                            } else {
                                if (!DigestPassword.ALGORITHM_DIGEST_MD5.equals(algorithm)) {
                                    throw new UnsupportedCallbackException(authorizeCallback);
                                }
                                passwordFactory = PlugInAuthenticationCallbackHandler.getPasswordFactory(DigestPassword.ALGORITHM_DIGEST_MD5);
                                UsernamePasswordHashUtil access$100 = PlugInAuthenticationCallbackHandler.access$100();
                                synchronized (access$100) {
                                    // NOTE(review): passes the UTF-8 bytes of the hex string, while the
                                    // DigestCredential branch above hex-decodes first - confirm which
                                    // encoding DigestPasswordSpec expects (mirrors the Elytron path).
                                    clearPasswordSpec = new DigestPasswordSpec(str, realmName, access$100.generateHashedHexURP(str, realmName, ((org.jboss.as.domain.management.plugin.PasswordCredential) obj).getPassword()).getBytes(StandardCharsets.UTF_8));
                                }
                            }
                        }
                        try {
                            credentialCallback.setCredential(credentialCallback.getCredentialType().cast(new org.wildfly.security.credential.PasswordCredential(passwordFactory.generatePassword(clearPasswordSpec))));
                        } catch (InvalidKeySpecException e2) {
                            throw new IllegalStateException(e2);
                        }
                    } else if (!(authorizeCallback instanceof EvidenceVerifyCallback)) {
                        // Only the four queued types reach this loop, so this branch is effectively
                        // unreachable; kept as a safety net.
                        continue;
                    } else {
                        if (obj == null) {
                            DomainManagementLogger.SECURITY_LOGGER.tracef("User '%s' not found.", str);
                            throw new UserNotFoundException(str);
                        }
                        EvidenceVerifyCallback evidenceVerifyCallback = (EvidenceVerifyCallback) authorizeCallback;
                        // NOTE(review): unchecked cast - evidence of any other type raises
                        // ClassCastException here, whereas RealmIdentityImpl.verifyEvidence tests
                        // instanceof first and returns false.
                        char[] guess = ((PasswordGuessEvidence) evidenceVerifyCallback.getEvidence()).getGuess();
                        if (obj instanceof org.jboss.as.domain.management.plugin.PasswordCredential) {
                            // NOTE(review): not a constant-time comparison.
                            boolean equals2 = Arrays.equals(((org.jboss.as.domain.management.plugin.PasswordCredential) obj).getPassword(), guess);
                            if (!equals2) {
                                DomainManagementLogger.SECURITY_LOGGER.tracef("Password verification failed for user '%s'", str);
                            }
                            evidenceVerifyCallback.setVerified(equals2);
                        } else if (obj instanceof DigestCredential) {
                            UsernamePasswordHashUtil access$1002 = PlugInAuthenticationCallbackHandler.access$100();
                            synchronized (access$1002) {
                                generateHashedHexURP = access$1002.generateHashedHexURP(str, realmName, guess);
                            }
                            // Hex-string comparison. NOTE(review): String.equals is not constant-time.
                            boolean equals3 = ((DigestCredential) obj).getHash().equals(generateHashedHexURP);
                            if (!equals3) {
                                DomainManagementLogger.SECURITY_LOGGER.tracef("Digest verification failed for user '%s'", str);
                            }
                            evidenceVerifyCallback.setVerified(equals3);
                        } else if (obj instanceof ValidatePasswordCredential) {
                            boolean validatePassword = ((ValidatePasswordCredential) obj).validatePassword(guess);
                            if (!validatePassword) {
                                DomainManagementLogger.SECURITY_LOGGER.tracef("Delegated verification failed for user '%s'", str);
                            }
                            evidenceVerifyCallback.setVerified(validatePassword);
                        }
                        // Any other credential shape leaves the callback unverified (not set).
                    }
                }
            }
        };
    }

    /** @return a fresh Elytron realm view; each call creates a new, stateless instance. */
    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public org.wildfly.security.auth.server.SecurityRealm getElytronSecurityRealm() {
        return new SecurityRealmImpl();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Looks up an Elytron {@link PasswordFactory} by algorithm name.
     *
     * @param str algorithm name ({@code "clear"} or {@link DigestPassword#ALGORITHM_DIGEST_MD5} on
     *            this page)
     * @throws IllegalStateException if no provider supplies the algorithm
     */
    public static PasswordFactory getPasswordFactory(String str) {
        try {
            return PasswordFactory.getInstance(str);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Compiler-generated accessor letting the inner classes reach the private getHashUtil().
    static /* synthetic */ UsernamePasswordHashUtil access$100() {
        return getHashUtil();
    }
}
