package org.jboss.as.domain.management.security;

import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.naming.CommunicationException;
import javax.naming.NamingException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import org.jboss.as.core.security.RealmUser;
import org.jboss.as.domain.management.AuthMechanism;
import org.jboss.as.domain.management.RealmConfigurationConstants;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.domain.management.connections.ldap.LdapConnectionManager;
import org.jboss.as.domain.management.logging.DomainManagementLogger;
import org.jboss.as.domain.management.security.LdapSearcherCache;
import org.jboss.as.domain.management.security.SecurityRealmService;
import org.jboss.msc.Service;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.StartContext;
import org.jboss.msc.service.StopContext;
import org.wildfly.common.Assert;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.manager.WildFlySecurityManager;

/* loaded from: input_file:WEB-INF/lib/wildfly-domain-management-15.0.1.Final.jar:org/jboss/as/domain/management/security/UserLdapCallbackHandler.class */
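/**
 * {@link CallbackHandlerService} that authenticates management users against an LDAP directory.
 *
 * <p>A login is verified by looking the user up through the configured {@link LdapSearcherCache}
 * and then binding to the directory as the entry's distinguished name with the supplied password
 * (see {@link #verifyPassword}). Once a bind has succeeded the clear-text password is attached to the
 * cached search result, so a repeat login for the same entry is answered by comparing against that
 * cached value instead of binding again.
 *
 * <p>Two entry points are offered: the legacy {@link CallbackHandler} produced by
 * {@link #getCallbackHandler(Map)} and the Elytron
 * {@link org.wildfly.security.auth.server.SecurityRealm} produced by
 * {@link #getElytronSecurityRealm()}; both funnel into {@link #verifyPassword}.
 *
 * <p>Security notes for operators and maintainers:
 * <ul>
 *   <li>The preferred mechanism is {@link AuthMechanism#PLAIN}: the LDAP bind needs the clear-text
 *       password, so the transport (TLS) has to protect it — this class cannot.</li>
 *   <li>{@code allowEmptyPassword=true} lets an empty password reach the LDAP bind. Directories that
 *       treat an empty-password simple bind as an unauthenticated bind (RFC 4513 §5.1.2) will let
 *       such a bind succeed, so keep it off unless the directory is known to reject them.</li>
 *   <li>A verified password is kept in memory as a {@link String} (not zeroable) for as long as the
 *       search result stays in the {@link LdapSearcherCache}; the cache's lifetime, which is not
 *       visible from this class, bounds that exposure.</li>
 * </ul>
 */
public class UserLdapCallbackHandler implements Service, CallbackHandlerService {
    /** Attachment key under which the last successfully bound password is cached on a user's search result. */
    private static final LdapSearcherCache.AttachmentKey<PasswordCredential> PASSWORD_KEY = LdapSearcherCache.AttachmentKey.create(PasswordCredential.class);
    private static final String SERVICE_SUFFIX = "ldap";
    public static final String DEFAULT_USER_DN = "dn";
    /** Receives {@code this} on start and {@code null} on stop so dependants see the service come and go. */
    private final Consumer<CallbackHandlerService> callbackHandlerServiceConsumer;
    private final Supplier<LdapConnectionManager> connectionManagerSupplier;
    private final Supplier<LdapSearcherCache<LdapEntry, String>> userSearcherSupplier;
    /** When false, a zero-length password is rejected before any LDAP bind is attempted. */
    private final boolean allowEmptyPassword;
    /** When true, the connection used for a successful bind is handed to the caller via the shared state instead of being closed. */
    private final boolean shareConnection;
    protected final int searchTimeLimit = 10000;

    /**
     * Legacy JAAS-style callback handler: resolves the user name and password guess from the
     * callbacks, then verifies them against LDAP.
     */
    private class LdapCallbackHandler implements CallbackHandler {
        private final Map<String, Object> sharedState;

        private LdapCallbackHandler(Map<String, Object> sharedState) {
            this.sharedState = sharedState;
        }

        /**
         * Handles either a lone {@link AuthorizeCallback} or a {@link NameCallback} /
         * {@link EvidenceVerifyCallback} pair (a {@link RealmCallback} is tolerated and ignored).
         *
         * @throws UnsupportedCallbackException for any other callback type
         * @throws IOException when no user name or password is supplied, or when the LDAP lookup or
         *                     bind cannot be carried out (the underlying cause is trace-logged)
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            if (callbacks.length == 1 && callbacks[0] instanceof AuthorizeCallback) {
                authorize((AuthorizeCallback) callbacks[0]);
                return;
            }
            EvidenceVerifyCallback evidenceVerifyCallback = null;
            String username = null;
            for (Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    // The name arrives in the default name; presumably the caller pre-populates it.
                    username = ((NameCallback) callback).getDefaultName();
                } else if (callback instanceof EvidenceVerifyCallback) {
                    evidenceVerifyCallback = (EvidenceVerifyCallback) callback;
                } else if (!(callback instanceof RealmCallback)) {
                    throw new UnsupportedCallbackException(callback);
                }
            }
            if (username == null || username.isEmpty()) {
                DomainManagementLogger.SECURITY_LOGGER.trace("No username or 0 length username supplied.");
                throw DomainManagementLogger.ROOT_LOGGER.noUsername();
            }
            if (evidenceVerifyCallback == null || evidenceVerifyCallback.getEvidence() == null) {
                DomainManagementLogger.SECURITY_LOGGER.trace("No password to verify.");
                throw DomainManagementLogger.ROOT_LOGGER.noPassword();
            }
            // Only a clear-text guess can be bound against LDAP; any other evidence type is treated as "no password".
            String password = null;
            Evidence evidence = evidenceVerifyCallback.getEvidence();
            if (evidence instanceof PasswordGuessEvidence) {
                char[] guess = ((PasswordGuessEvidence) evidence).getGuess();
                if (guess != null) {
                    password = new String(guess);
                }
            }
            if (password == null || (!UserLdapCallbackHandler.this.allowEmptyPassword && password.isEmpty())) {
                DomainManagementLogger.SECURITY_LOGGER.trace("No password or 0 length password supplied.");
                throw DomainManagementLogger.ROOT_LOGGER.noPassword();
            }
            LdapConnectionHandler connectionHandler = UserLdapCallbackHandler.this.createLdapConnectionHandler();
            try {
                LdapSearcherCache.SearchResult<LdapEntry> searchResult =
                        UserLdapCallbackHandler.this.userSearcherSupplier.get().search(connectionHandler, username);
                evidenceVerifyCallback.setVerified(
                        UserLdapCallbackHandler.verifyPassword(connectionHandler, searchResult, username, password, this.sharedState));
            } catch (Exception e) {
                DomainManagementLogger.SECURITY_LOGGER.trace("Unable to verify identity.", e);
                throw DomainManagementLogger.ROOT_LOGGER.cannotPerformVerification(e);
            } finally {
                // Hand the bound connection to the caller only after a successful verification; otherwise
                // release it. safeClose() is null-safe and never masks an exception already in flight.
                if (UserLdapCallbackHandler.this.shareConnection && connectionHandler != null && evidenceVerifyCallback.isVerified()) {
                    this.sharedState.put(LdapConnectionHandler.class.getName(), connectionHandler);
                } else {
                    UserLdapCallbackHandler.this.safeClose(connectionHandler);
                }
            }
        }

        /** Permits a caller to act only as itself: the authorization id must equal the authentication id. */
        private void authorize(AuthorizeCallback authorizeCallback) {
            String authenticationID = authorizeCallback.getAuthenticationID();
            String authorizationID = authorizeCallback.getAuthorizationID();
            boolean authorized = authenticationID.equals(authorizationID);
            if (!authorized) {
                DomainManagementLogger.SECURITY_LOGGER.tracef("Checking 'AuthorizeCallback', authorized=false, authenticationID=%s, authorizationID=%s.", authenticationID, authorizationID);
            }
            authorizeCallback.setAuthorized(authorized);
        }
    }

    /**
     * Principal whose name has been replaced by the simple name the directory returned for the
     * user, while remembering the name the user originally supplied.
     *
     * <p>Equality and hashing consider the mapped name only — neither the realm nor the original
     * name takes part.
     */
    static class MappedPrincipal extends RealmUser {
        private final String originalName;

        MappedPrincipal(String name, String originalName) {
            super((String) Assert.checkNotNullParam("name", name));
            this.originalName = (String) Assert.checkNotNullParam("originalName", originalName);
        }

        MappedPrincipal(String realm, String name, String originalName) {
            super(realm, (String) Assert.checkNotNullParam("name", name));
            this.originalName = (String) Assert.checkNotNullParam("originalName", originalName);
        }

        /** @return the name as supplied by the user, before it was mapped to the directory's simple name */
        public String getOriginalName() {
            return this.originalName;
        }

        @Override // org.jboss.as.core.security.RealmUser, org.jboss.as.core.security.AbstractRealmPrincipal, org.jboss.as.core.security.SecurityRealmPrincipal, java.security.Principal
        public boolean equals(Object obj) {
            return (obj instanceof MappedPrincipal) && equals((MappedPrincipal) obj);
        }

        public boolean equals(MappedPrincipal other) {
            return other != null && getName().equals(other.getName());
        }

        @Override // org.jboss.as.core.security.RealmUser, org.jboss.as.core.security.AbstractRealmPrincipal, org.jboss.as.core.security.SecurityRealmPrincipal, java.security.Principal
        public int hashCode() {
            return getName().hashCode();
        }
    }

    /**
     * Clear-text password that last bound successfully for an entry, attached to the cached search
     * result so a repeat login can be answered without another LDAP round trip.
     *
     * <p>The value lives as an immutable {@link String} for the lifetime of the cached search
     * result and cannot be wiped.
     */
    public static final class PasswordCredential {
        private final String password;

        private PasswordCredential(String password) {
            this.password = password;
        }

        /**
         * Compares a new guess against the cached password in constant time (for equal lengths), so
         * the cached-password path does not leak how much of the guess was correct through timing.
         *
         * @param candidate the guess; {@code null} never matches
         */
        public boolean verify(String candidate) {
            if (candidate == null) {
                return false;
            }
            return MessageDigest.isEqual(
                    this.password.getBytes(StandardCharsets.UTF_8),
                    candidate.getBytes(StandardCharsets.UTF_8));
        }
    }

    /**
     * Elytron view of this handler: identities are resolved by an LDAP search and verified by a
     * bind; no credentials can be acquired from the realm.
     */
    public class SecurityRealmImpl implements SecurityRealm {

        /** An identity whose LDAP entry has already been found; holds the connection used for the search until disposed. */
        private class RealmIdentityImpl implements RealmIdentity {
            private final Principal principal;
            private final LdapConnectionHandler ldapConnectionHandler;
            private final LdapSearcherCache.SearchResult<LdapEntry> searchResult;
            private final Map<String, Object> sharedState;

            private RealmIdentityImpl(Principal principal, LdapConnectionHandler ldapConnectionHandler, LdapSearcherCache.SearchResult<LdapEntry> searchResult, Map<String, Object> sharedState) {
                this.principal = principal;
                this.ldapConnectionHandler = ldapConnectionHandler;
                this.searchResult = searchResult;
                this.sharedState = sharedState != null ? sharedState : new HashMap<>();
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public Principal getRealmIdentityPrincipal() {
                return this.principal;
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getCredentialAcquireSupport(credentialType, algorithmName);
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec);
            }

            /** Credentials are never exposed by this realm. */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public <C extends Credential> C getCredential(Class<C> credentialType) throws RealmUnavailableException {
                return null;
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) throws RealmUnavailableException {
                return SecurityRealmImpl.this.getEvidenceVerifySupport(evidenceType, algorithmName);
            }

            /**
             * Verifies a {@link PasswordGuessEvidence} by binding to LDAP (or against the cached
             * password). Any other evidence type, a missing guess, or a disallowed empty guess is
             * reported as not verified.
             *
             * <p>Because {@link #verifyPassword} turns every bind failure into {@code false}, an LDAP
             * outage during the bind surfaces here as invalid credentials rather than as a
             * {@link RealmUnavailableException}.
             */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
                if (!(evidence instanceof PasswordGuessEvidence)) {
                    return false;
                }
                char[] guess = ((PasswordGuessEvidence) evidence).getGuess();
                if (guess == null || (!UserLdapCallbackHandler.this.allowEmptyPassword && guess.length == 0)) {
                    DomainManagementLogger.SECURITY_LOGGER.trace("No password or 0 length password supplied.");
                    return false;
                }
                boolean verified = UserLdapCallbackHandler.verifyPassword(this.ldapConnectionHandler, this.searchResult, this.principal.getName(), new String(guess), this.sharedState);
                if (UserLdapCallbackHandler.this.shareConnection && verified) {
                    // NOTE(review): the same handler is also closed by dispose(); confirm that whoever
                    // reads it from the shared state is done with it before this identity is disposed.
                    this.sharedState.put(LdapConnectionHandler.class.getName(), this.ldapConnectionHandler);
                }
                return verified;
            }

            /** Always true: an instance is only created once the LDAP search has returned an entry. */
            @Override // org.wildfly.security.auth.server.RealmIdentity
            public boolean exists() throws RealmUnavailableException {
                return true;
            }

            @Override // org.wildfly.security.auth.server.RealmIdentity
            public void dispose() {
                UserLdapCallbackHandler.this.safeClose(this.ldapConnectionHandler);
            }
        }

        private SecurityRealmImpl() {
        }

        /**
         * Looks the principal up in LDAP. A {@link MappedPrincipal} is searched by its original
         * (user-supplied) name. An empty name, a failed lookup ({@link NamingException} /
         * {@link IllegalStateException}) or no entry yields {@link RealmIdentity#NON_EXISTENT};
         * I/O and communication failures are reported as the realm being unavailable.
         */
        @Override // org.wildfly.security.auth.server.SecurityRealm
        public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
            String originalName = principal instanceof MappedPrincipal ? ((MappedPrincipal) principal).getOriginalName() : principal.getName();
            if (originalName.isEmpty()) {
                return RealmIdentity.NON_EXISTENT;
            }
            LdapConnectionHandler connectionHandler = UserLdapCallbackHandler.this.createLdapConnectionHandler();
            try {
                LdapSearcherCache.SearchResult<LdapEntry> searchResult =
                        UserLdapCallbackHandler.this.userSearcherSupplier.get().search(connectionHandler, originalName);
                return new RealmIdentityImpl(new NamePrincipal(originalName), connectionHandler, searchResult, SecurityRealmService.SharedStateSecurityRealm.getSharedState());
            } catch (IOException | CommunicationException e) {
                UserLdapCallbackHandler.this.safeClose(connectionHandler);
                throw new RealmUnavailableException(e);
            } catch (IllegalStateException | NamingException e) {
                UserLdapCallbackHandler.this.safeClose(connectionHandler);
                DomainManagementLogger.SECURITY_LOGGER.tracef(e, "Unable to lookup the principal '%s' in the LDAP.", originalName);
                return RealmIdentity.NON_EXISTENT;
            }
        }

        @Override // org.wildfly.security.auth.server.SecurityRealm
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName) throws RealmUnavailableException {
            return SupportLevel.UNSUPPORTED;
        }

        @Override // org.wildfly.security.auth.server.SecurityRealm
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
            return SupportLevel.UNSUPPORTED;
        }

        /** Only clear-text password guesses can be verified (they are needed for the LDAP bind). */
        @Override // org.wildfly.security.auth.server.SecurityRealm
        public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType, String algorithmName) throws RealmUnavailableException {
            Assert.checkNotNullParam("evidenceType", evidenceType);
            return PasswordGuessEvidence.class.isAssignableFrom(evidenceType) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
        }
    }

    /** Builds the MSC service name for the LDAP callback handler of a given security realm. */
    public static final class ServiceUtil {
        private ServiceUtil() {
        }

        public static ServiceName createServiceName(String realmName) {
            return SecurityRealm.ServiceUtil.createServiceName(realmName).append(SERVICE_SUFFIX);
        }
    }

    /**
     * @param callbackHandlerServiceConsumer receives this service on start and {@code null} on stop
     * @param connectionManagerSupplier      source of the LDAP connection manager used for every lookup and bind
     * @param userSearcherSupplier           cache-backed searcher that maps a user name to its LDAP entry
     * @param allowEmptyPassword             whether a zero-length password may be passed to the LDAP bind
     *                                       (see the class comment for why this is risky)
     * @param shareConnection                whether a successfully bound connection is handed to the caller
     *                                       through the shared state instead of being closed
     */
    public UserLdapCallbackHandler(Consumer<CallbackHandlerService> callbackHandlerServiceConsumer, Supplier<LdapConnectionManager> connectionManagerSupplier, Supplier<LdapSearcherCache<LdapEntry, String>> userSearcherSupplier, boolean allowEmptyPassword, boolean shareConnection) {
        this.callbackHandlerServiceConsumer = callbackHandlerServiceConsumer;
        this.connectionManagerSupplier = connectionManagerSupplier;
        this.userSearcherSupplier = userSearcherSupplier;
        this.allowEmptyPassword = allowEmptyPassword;
        this.shareConnection = shareConnection;
    }

    @Override // org.jboss.msc.Service
    public void start(StartContext startContext) {
        this.callbackHandlerServiceConsumer.accept(this);
    }

    @Override // org.jboss.msc.Service
    public void stop(StopContext stopContext) {
        this.callbackHandlerServiceConsumer.accept(null);
    }

    /** PLAIN is preferred because the clear-text password is required for the LDAP bind. */
    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public AuthMechanism getPreferredMechanism() {
        return AuthMechanism.PLAIN;
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public Set<AuthMechanism> getSupplementaryMechanisms() {
        return Collections.emptySet();
    }

    /** Advertises that this handler verifies passwords itself (it cannot hand them out). */
    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public Map<String, String> getConfigurationOptions() {
        return Collections.singletonMap(RealmConfigurationConstants.VERIFY_PASSWORD_CALLBACK_SUPPORTED, Boolean.TRUE.toString());
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public boolean isReadyForHttpChallenge() {
        return true;
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public CallbackHandler getCallbackHandler(Map<String, Object> sharedState) {
        return new LdapCallbackHandler(sharedState);
    }

    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public org.wildfly.security.auth.server.SecurityRealm getElytronSecurityRealm() {
        return new SecurityRealmImpl();
    }

    /**
     * Returns a mapper that replaces a principal's name with the simple name the directory holds
     * for it (keeping the realm of a {@link RealmUser}). If the lookup fails the principal is
     * returned unchanged and the failure is trace-logged only.
     */
    @Override // org.jboss.as.domain.management.security.CallbackHandlerService
    public Function<Principal, Principal> getPrincipalMapper() {
        return principal -> {
            ClassLoader previousLoader = WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(UserLdapCallbackHandler.class);
            LdapConnectionHandler connectionHandler = createLdapConnectionHandler();
            try {
                LdapSearcherCache.SearchResult<LdapEntry> searchResult =
                        this.userSearcherSupplier.get().search(connectionHandler, principal.getName());
                String simpleName = searchResult.getResult().getSimpleName();
                if (principal instanceof RealmUser) {
                    return new MappedPrincipal(((RealmUser) principal).getRealm(), simpleName, principal.getName());
                }
                return new MappedPrincipal(simpleName, principal.getName());
            } catch (IOException | IllegalStateException | NamingException e) {
                DomainManagementLogger.SECURITY_LOGGER.trace("Unable to map principal.", e);
                return principal;
            } finally {
                safeClose(connectionHandler);
                WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(previousLoader);
            }
        };
    }

    public LdapConnectionHandler createLdapConnectionHandler() {
        return LdapConnectionHandler.newInstance(this.connectionManagerSupplier.get());
    }

    /**
     * Verifies {@code password} for the entry in {@code searchResult}.
     *
     * <p>If a password was already cached on the search result (attachment {@link #PASSWORD_KEY})
     * the guess is compared against it in constant time and LDAP is not contacted. Otherwise a
     * bind is attempted as the entry's distinguished name — over the referral connection if the
     * entry carries a referral URI — and, on success, the password is cached for next time.
     *
     * <p>On success the entry is stored in {@code sharedState} under {@code LdapEntry.class.getName()},
     * and the directory's simple name under {@link SecurityRealmService#LOADED_USERNAME_KEY} when it
     * differs from {@code username}.
     *
     * <p>Every failure during the bind — wrong password, missing referral connection, or a
     * communication error — is reported as {@code false}; the cause is only trace-logged, so
     * callers cannot tell an outage from bad credentials.
     *
     * @param ldapConnectionHandler connection used for the bind (and to resolve referrals)
     * @param searchResult          the user's cached search result
     * @param username              the name the user supplied, used for logging and the shared state
     * @param password              clear-text password guess
     * @param sharedState           receives the loaded entry and (if different) the loaded user name
     * @return whether the password was verified
     */
    public static boolean verifyPassword(LdapConnectionHandler ldapConnectionHandler, LdapSearcherCache.SearchResult<LdapEntry> searchResult, String username, String password, Map<String, Object> sharedState) {
        LdapEntry entry = searchResult.getResult();
        PasswordCredential cached = (PasswordCredential) searchResult.getAttachment(PASSWORD_KEY);
        if (cached != null) {
            if (!cached.verify(password)) {
                DomainManagementLogger.SECURITY_LOGGER.tracef("Password verification failed for user (using cached password) '%s'", username);
                return false;
            }
            DomainManagementLogger.SECURITY_LOGGER.tracef("Password verified for user '%s' (using cached password)", username);
            recordLoadedUser(sharedState, username, entry);
            return true;
        }
        ClassLoader previousLoader = WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(UserLdapCallbackHandler.class);
        try {
            LdapConnectionHandler bindHandler = ldapConnectionHandler;
            URI referralUri = entry.getReferralUri();
            if (referralUri != null) {
                bindHandler = ldapConnectionHandler.findForReferral(referralUri);
            }
            if (bindHandler == null) {
                // %s copes with a null referral, so this cannot NPE when the incoming handler itself was null.
                DomainManagementLogger.SECURITY_LOGGER.tracef("Password verification failed for user '%s', no connection for referral '%s'", username, referralUri);
                return false;
            }
            // The actual authentication: a simple bind as the entry's DN. See the class comment on empty passwords.
            bindHandler.verifyIdentity(entry.getDistinguishedName(), password);
            DomainManagementLogger.SECURITY_LOGGER.tracef("Password verified for user '%s' (using connection attempt)", username);
            searchResult.attach(PASSWORD_KEY, new PasswordCredential(password));
            recordLoadedUser(sharedState, username, entry);
            return true;
        } catch (Exception e) {
            // Keep the cause in the trace so an outage can be told apart from a bad password when debugging.
            DomainManagementLogger.SECURITY_LOGGER.tracef(e, "Password verification failed for user (using connection attempt) '%s'", username);
            return false;
        } finally {
            WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(previousLoader);
        }
    }

    /** Publishes the matched entry, and its simple name when it differs from the supplied one, to the shared state. */
    private static void recordLoadedUser(Map<String, Object> sharedState, String suppliedName, LdapEntry entry) {
        sharedState.put(LdapEntry.class.getName(), entry);
        if (!suppliedName.equals(entry.getSimpleName())) {
            sharedState.put(SecurityRealmService.LOADED_USERNAME_KEY, entry.getSimpleName());
        }
    }

    /** Closes the handler if non-null; a failure to close is trace-logged and otherwise ignored. */
    public void safeClose(LdapConnectionHandler ldapConnectionHandler) {
        if (ldapConnectionHandler != null) {
            try {
                ldapConnectionHandler.close();
            } catch (IOException e) {
                DomainManagementLogger.SECURITY_LOGGER.trace("Unable to close ldapConnectionHandler", e);
            }
        }
    }
}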
