package io.hawt.system;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.security.Principal;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AccountException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;
import org.codehaus.plexus.util.SelectorUtils;
import org.osgi.jmx.service.useradmin.UserAdminMBean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/hawtio-system-1.4.redhat-621211-03.jar:io/hawt/system/Authenticator.class */
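/**
 * Authenticates HTTP requests carrying an {@code Authorization: Basic ...} header against a JAAS
 * realm and optionally checks that the resulting {@link Subject} holds a required role.
 *
 * <p>The role check has three paths: a WebSphere path (groups read reflectively from a
 * {@code WSCredential}), a JBoss EAP path (members read reflectively from a {@code SimpleGroup}),
 * and a generic path matching principals by class name and name.
 *
 * <p>NOTE(review): this listing is decompiler output. Two constructs that do not compile as
 * decompiled were repaired here: the {@code AuthInfo.this} qualifier inside the anonymous
 * callback, and the order of the {@code catch} clauses in {@link #doAuthenticate}.
 *
 * <p>NOTE(review): the container-detection flags and the cached reflective {@link Method}s are
 * plain static fields written without synchronization, and they are decided by the first
 * {@link Subject} / credential object seen. Confirm that this is acceptable for deployments that
 * mix login modules.
 */
public class Authenticator {
    private static final Logger LOG = LoggerFactory.getLogger(Authenticator.class);
    public static final String HEADER_AUTHORIZATION = "Authorization";
    public static final String AUTHENTICATION_SCHEME_BASIC = "Basic";

    // Lazily computed on the first successful login; null means "not detected yet".
    private static Boolean websphereDetected;
    private static Method websphereGetGroupsMethod;
    private static Boolean jbosseapDetected;
    private static Method jbosseapGetGroupsMethod;

    /**
     * JAAS callback handler that supplies a fixed username and password to the login module.
     *
     * <p>The decompiler reports that this class was {@code private} in the original source; it is
     * left {@code public} here to match the listing.
     */
    public static final class AuthenticationCallbackHandler implements CallbackHandler {
        private final String username;
        private final String password;

        private AuthenticationCallbackHandler(String str, String str2) {
            this.username = str;
            this.password = str2;
        }

        /**
         * Answers {@link NameCallback} and {@link PasswordCallback}; any other callback type is
         * logged at debug level and left untouched.
         *
         * @param callbackArr callbacks issued by the login module
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
            for (Callback callback : callbackArr) {
                if (Authenticator.LOG.isTraceEnabled()) {
                    Authenticator.LOG.trace("Callback type {} -> {}", callback.getClass(), callback);
                }
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(this.username);
                } else if (callback instanceof PasswordCallback) {
                    // A null password is handed on as null instead of failing with a NullPointerException.
                    ((PasswordCallback) callback).setPassword(this.password == null ? null : this.password.toCharArray());
                } else {
                    // The suffix constant comes from the decompiled listing; presumably it stood for a
                    // literal closing bracket in the original source - TODO confirm.
                    Authenticator.LOG.debug("Unknown callback class [" + callback.getClass().getName() + SelectorUtils.PATTERN_HANDLER_SUFFIX);
                }
            }
        }
    }

    /**
     * Parses an {@code Authorization} header value and, when it is a well-formed Basic credential,
     * passes the username and password to the callback.
     *
     * <p>The callback is not invoked when the header does not consist of exactly two
     * space-separated tokens, when the scheme is not {@code Basic} (case-insensitive), or when the
     * decoded payload contains no {@code ':'}.
     *
     * @param str the raw header value; must not be {@code null}
     * @param extractAuthInfoCallback receiver of the extracted username and password
     */
    public static void extractAuthInfo(String str, ExtractAuthInfoCallback extractAuthInfoCallback) {
        String[] tokens = str.trim().split(" ");
        if (tokens.length != 2) {
            return;
        }
        String scheme = tokens[0];
        String encodedCredentials = tokens[1];
        if (!scheme.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
            return;
        }
        // NOTE(review): the decoded bytes are interpreted with the JVM default charset, so non-ASCII
        // usernames and passwords decode differently from one platform to another. Pin an explicit
        // charset once the encoding expected from clients is confirmed.
        String decoded = new String(Base64.decodeBase64(encodedCredentials));
        // The first ':' separates the username from the password; the password may itself contain ':'.
        int separator = decoded.indexOf(':');
        if (separator < 0) {
            return;
        }
        extractAuthInfoCallback.getAuthInfo(decoded.substring(0, separator), decoded.substring(separator + 1));
    }

    /**
     * Authenticates the Basic credentials carried by the request and, on success, runs the
     * optional privileged callback with the authenticated subject.
     *
     * @param str JAAS realm name (logged as {@code realm} by {@code doAuthenticate})
     * @param str2 required role, or {@code null}, empty or {@code "*"} to skip the role check
     * @param str3 comma-separated principal class names that count as role principals
     * @param configuration JAAS configuration to use, or {@code null} for the default one
     * @param httpServletRequest request whose {@code Authorization} header is read
     * @param privilegedCallback action to run with the authenticated subject; may be {@code null}
     * @return {@code NO_CREDENTIALS} when no usable credentials were supplied (including the
     *     username {@code "public"}), {@code NOT_AUTHORIZED} when login or the role check fails,
     *     {@code AUTHORIZED} otherwise
     */
    public static AuthenticateResult authenticate(String str, String str2, String str3, Configuration configuration, HttpServletRequest httpServletRequest, PrivilegedCallback privilegedCallback) {
        String header = httpServletRequest.getHeader(HEADER_AUTHORIZATION);
        if (header == null || header.isEmpty()) {
            return AuthenticateResult.NO_CREDENTIALS;
        }
        final AuthInfo authInfo = new AuthInfo();
        extractAuthInfo(header, new ExtractAuthInfoCallback() { // from class: io.hawt.system.Authenticator.1
            @Override // io.hawt.system.ExtractAuthInfoCallback
            public void getAuthInfo(String user, String pass) {
                // Writes go to the captured local; the decompiled "AuthInfo.this" qualifier is not
                // valid here because this anonymous class is not nested inside AuthInfo.
                authInfo.username = user;
                authInfo.password = pass;
            }
        });
        if (authInfo.username == null || authInfo.username.equals("public")) {
            return AuthenticateResult.NO_CREDENTIALS;
        }
        if (!authInfo.set()) {
            return AuthenticateResult.NO_CREDENTIALS;
        }
        Subject subject = doAuthenticate(str, str2, str3, configuration, authInfo.username, authInfo.password);
        if (subject == null) {
            return AuthenticateResult.NOT_AUTHORIZED;
        }
        if (privilegedCallback != null) {
            try {
                privilegedCallback.execute(subject);
            } catch (Exception e) {
                // A failing privileged action is only logged; the request is still reported as
                // AUTHORIZED, matching the existing behaviour.
                LOG.warn("Failed to execute privileged action: ", e);
            }
        }
        return AuthenticateResult.AUTHORIZED;
    }

    /**
     * Performs the JAAS login and the role check.
     *
     * <p>NOTE(review): three branches return the subject without any role check: no role
     * configured, role {@code "*"}, and - on the generic path - a role configured but no
     * {@code rolePrincipalClasses}. The last one fails open: every user who can log in to the
     * realm is authorized even though a role was requested. Confirm that this is intended.
     *
     * @return the authenticated subject, or {@code null} when login fails or the required role is
     *     missing
     */
    private static Subject doAuthenticate(String realm, String role, String rolePrincipalClasses, Configuration configuration, String username, String password) {
        try {
            if (LOG.isDebugEnabled()) {
                // The password is deliberately replaced by a mask in the log line.
                LOG.debug("doAuthenticate[realm={}, role={}, rolePrincipalClasses={}, configuration={}, username={}, password={}]", new Object[]{realm, role, rolePrincipalClasses, configuration, username, "******"});
            }
            Subject subject = new Subject();
            AuthenticationCallbackHandler handler = new AuthenticationCallbackHandler(username, password);
            LoginContext loginContext = configuration != null
                    ? new LoginContext(realm, subject, handler, configuration)
                    : new LoginContext(realm, subject, handler);
            loginContext.login();

            if (role == null || role.isEmpty()) {
                LOG.debug("Skipping role check, no role configured");
                return subject;
            }
            if (role.equals("*")) {
                LOG.debug("Skipping role check, all roles allowed");
                return subject;
            }

            boolean hasRole;
            if (isRunningOnWebsphere(subject)) {
                hasRole = checkIfSubjectHasRequiredRoleOnWebsphere(subject, role);
            } else if (isRunningOnJbossEAP(subject)) {
                hasRole = checkIfSubjectHasRequiredRoleOnJbossEAP(subject, role);
            } else {
                if (rolePrincipalClasses == null || rolePrincipalClasses.isEmpty()) {
                    LOG.debug("Skipping role check, no rolePrincipalClasses configured");
                    return subject;
                }
                hasRole = checkIfSubjectHasRequiredRole(subject, role, rolePrincipalClasses);
            }
            if (hasRole) {
                return subject;
            }
            // The username is client-supplied; it is passed as a log argument, not concatenated.
            LOG.debug("User {} does not have the required role {}", username, role);
            return null;
        } catch (AccountException e) {
            // AccountException is a subclass of LoginException, so it has to be caught first;
            // in the decompiled order this clause was unreachable and rejected by javac.
            LOG.warn("Account failure", e);
            return null;
        } catch (LoginException e) {
            LOG.warn("Login failed due {}", e.getMessage());
            return null;
        }
    }

    /**
     * Generic role check: true when some principal of the subject has a class name listed in
     * {@code rolePrincipalClasses} and a name equal to one of the comma-separated roles. Both
     * lists are trimmed entry by entry before comparison.
     */
    private static boolean checkIfSubjectHasRequiredRole(Subject subject, String role, String rolePrincipalClasses) {
        String[] roles = role.split(",");
        for (String rolePrincipalClass : rolePrincipalClasses.split(",")) {
            LOG.debug("Looking for rolePrincipalClass: {}", rolePrincipalClass);
            String wantedClass = rolePrincipalClass.trim();
            for (Principal principal : subject.getPrincipals()) {
                String principalClass = principal.getClass().getName();
                LOG.debug("Checking principal, classname: {} toString: {}", principalClass, principal);
                if (!principalClass.equals(wantedClass)) {
                    LOG.debug("principal class {} doesn't match {}, continuing", principalClass, wantedClass);
                    continue;
                }
                for (String candidate : roles) {
                    if (principal.getName().equals(candidate.trim())) {
                        LOG.debug("Matched role and role principal class");
                        return true;
                    }
                    LOG.debug("role {} doesn't match {}, continuing", principal.getName(), candidate);
                }
            }
        }
        return false;
    }

    /**
     * Detects a WebSphere login module by looking for a principal that implements
     * {@code com.ibm.websphere.security.auth.WSPrincipal}. The answer is cached after the first
     * call.
     */
    private static boolean isRunningOnWebsphere(Subject subject) {
        if (websphereDetected == null) {
            boolean onWebsphere = false;
            for (Principal principal : subject.getPrincipals()) {
                LOG.trace("Checking principal for IBM specific interfaces: {}", principal);
                if (implementsInterface(principal, "com.ibm.websphere.security.auth.WSPrincipal")) {
                    // Stop at the first match. Without this, a later non-matching principal reset
                    // the flag, so the result depended on the iteration order of the principal set.
                    onWebsphere = true;
                    break;
                }
            }
            LOG.trace("Checking if we are running using a IBM Websphere specific LoginModule: {}", Boolean.valueOf(onWebsphere));
            websphereDetected = Boolean.valueOf(onWebsphere);
        }
        return websphereDetected.booleanValue();
    }

    /**
     * Detects a JBoss EAP login module by looking for a principal whose class is exactly
     * {@code org.jboss.security.SimplePrincipal}. The answer is cached after the first call.
     */
    private static boolean isRunningOnJbossEAP(Subject subject) {
        if (jbosseapDetected == null) {
            boolean onJbossEap = false;
            for (Principal principal : subject.getPrincipals()) {
                LOG.trace("Checking principal for JBoss EAP specific interfaces: {} {}", principal, principal.getClass().getName());
                if ("org.jboss.security.SimplePrincipal".equals(principal.getClass().getName())) {
                    onJbossEap = true;
                    break;
                }
            }
            LOG.trace("Checking if we are running using a Jboss EAP specific LoginModule: {}", Boolean.valueOf(onJbossEap));
            jbosseapDetected = Boolean.valueOf(onJbossEap);
        }
        return jbosseapDetected.booleanValue();
    }

    /**
     * WebSphere role check: true when a public credential implementing {@code WSCredential}
     * reports a group whose string form equals {@code role}.
     *
     * <p>NOTE(review): unlike the other two paths, {@code role} is compared as a whole and is not
     * split on commas, so a multi-role configuration can only match a group with that exact
     * combined name. Confirm whether that difference is intended.
     */
    private static boolean checkIfSubjectHasRequiredRoleOnWebsphere(Subject subject, String role) {
        LOG.debug("Running on websphere: checking if the Role {} is in the set of groups in WSCredential", role);
        for (Object credential : subject.getPublicCredentials()) {
            LOG.debug("Checking credential {} if it is a WebSphere specific WSCredential containing group info", credential);
            if (!implementsInterface(credential, "com.ibm.websphere.security.cred.WSCredential")) {
                continue;
            }
            try {
                List<?> groups = (List<?>) getWebSphereGetGroupsMethod(credential).invoke(credential);
                if (groups == null) {
                    LOG.debug("The IBM Websphere groups list is null");
                    continue;
                }
                LOG.debug("Found a total of {} groups in the IBM WebSphere Credentials", Integer.valueOf(groups.size()));
                for (Object group : groups) {
                    LOG.debug("Matching IBM Websphere group name {} to required role {}", group, role);
                    // A null list element counts as "no match" instead of raising a NullPointerException.
                    if (group != null && role.equals(group.toString())) {
                        LOG.debug("Required role {} found in IBM specific credentials", role);
                        return true;
                    }
                }
            } catch (IllegalAccessException | IllegalArgumentException | NoSuchMethodException | SecurityException | InvocationTargetException e) {
                // Reflection failures deny the role for this credential; the next one is still tried.
                LOG.debug("Caught exception trying to read groups from WebSphere specific WSCredentials class", e);
            }
        }
        return false;
    }

    /**
     * JBoss EAP role check: true when a {@code org.jboss.security.SimpleGroup} principal named
     * {@code UserAdminMBean.ROLES} has a member whose string form equals one of the
     * comma-separated roles.
     *
     * <p>NOTE(review): role entries are not trimmed here, whereas the generic path trims them.
     */
    private static boolean checkIfSubjectHasRequiredRoleOnJbossEAP(Subject subject, String role) {
        LOG.debug("Running on Jboss EAP: checking if the Role {} is in the set of groups in SimpleGroup", role);
        String[] roles = role.split(",");
        for (Principal principal : subject.getPrincipals()) {
            LOG.debug("Checking principal {} if it is a Jboss specific SimpleGroup containing group info", principal);
            if (!"org.jboss.security.SimpleGroup".equals(principal.getClass().getName()) || !UserAdminMBean.ROLES.equals(principal.getName())) {
                continue;
            }
            try {
                Enumeration<?> members = (Enumeration<?>) getJbossEAPGetGroupsMethod(principal).invoke(principal);
                if (members == null) {
                    LOG.debug("The Jboss EAP groups list is null");
                    continue;
                }
                while (members.hasMoreElements()) {
                    Principal member = (Principal) members.nextElement();
                    LOG.debug("Matching Jboss EAP group name {} to required role(s) {}", member, role);
                    for (String candidate : roles) {
                        if (candidate.equals(member.toString())) {
                            LOG.debug("Required role {} found in Jboss EAP specific credentials", candidate);
                            return true;
                        }
                        LOG.debug("role {} doesn't match {}, continuing", candidate, member.toString());
                    }
                }
            } catch (IllegalAccessException | IllegalArgumentException | NoSuchMethodException | SecurityException | InvocationTargetException e) {
                // Reflection failures deny the role for this principal; the next one is still tried.
                LOG.debug("Caught exception trying to read groups from JBoss EAP specific SimpleGroup class", e);
            }
        }
        return false;
    }

    /**
     * Returns the cached {@code getGroupIds()} method, resolving it on first use from the runtime
     * class of {@code credential}. Later calls reuse that Method whatever object is passed.
     */
    private static Method getWebSphereGetGroupsMethod(Object credential) throws NoSuchMethodException {
        if (websphereGetGroupsMethod == null) {
            websphereGetGroupsMethod = credential.getClass().getMethod("getGroupIds");
        }
        return websphereGetGroupsMethod;
    }

    /**
     * Returns the cached {@code members()} method, resolving it on first use from the runtime
     * class of {@code group}. Later calls reuse that Method whatever object is passed.
     */
    private static Method getJbossEAPGetGroupsMethod(Object group) throws NoSuchMethodException {
        if (jbosseapGetGroupsMethod == null) {
            jbosseapGetGroupsMethod = group.getClass().getMethod("members");
        }
        return jbosseapGetGroupsMethod;
    }

    /**
     * Reports whether the runtime class of {@code obj} directly declares an interface with the
     * given fully qualified name. Only {@code getClass().getInterfaces()} is consulted, so
     * interfaces inherited from a superclass or a super-interface are not seen.
     */
    private static boolean implementsInterface(Object obj, String interfaceName) {
        for (Class<?> candidate : obj.getClass().getInterfaces()) {
            LOG.trace("Checking interface {} if it matches {}", candidate, interfaceName);
            if (candidate.getName().equals(interfaceName)) {
                return true;
            }
        }
        return false;
    }
}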
