package org.jboss.security.auth.spi.otp;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.StringTokenizer;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.servlet.http.HttpServletRequest;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.otp.TimeBasedOTP;
import org.jboss.security.otp.TimeBasedOTPUtil;

/* loaded from: input_file:WEB-INF/lib/picketbox-5.0.3.Final-redhat-00007.jar:org/jboss/security/auth/spi/otp/JBossTimeBasedOTPLoginModule.class */
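/**
 * JAAS login module that verifies a time-based one-time password (RFC 6238 style, via
 * {@link TimeBasedOTPUtil}) as an additional authentication factor.
 * <p>
 * The user name comes either from the shared state of a preceding module (password stacking,
 * {@code password-stacking=useFirstPass}) or from a {@link NameCallback}. The one-time code is
 * <em>not</em> collected through the callback handler: it is read from the {@value #TOTP}
 * parameter of the current web request, obtained through the JACC {@link PolicyContext}. Per-user
 * seeds are looked up in the classpath resource {@value #USERS_RESOURCE}.
 * <p>
 * Supported options: {@code password-stacking}, {@code useFirstPass}, {@code numOfDigits},
 * {@code algorithm} (HmacSHA1 default, HmacSHA256, HmacSHA512) and {@code additionalRoles}
 * (comma separated role names added to the subject's "Roles" group on success).
 * <p>
 * NOTE(review): the seed file holds the shared secrets in clear text and must be protected like
 * a password file; and roles are granted from {@link #login()} rather than {@link #commit()}, with
 * {@link #abort()} doing nothing, so a later module failing in the same stack does not undo them
 * when the caller keeps the Subject.
 */
public class JBossTimeBasedOTPLoginModule implements LoginModule {
    /** Module option selecting the HMAC variant used to compute the code. */
    private static final String ALGORITHM = "algorithm";
    /** Name of the HTTP request parameter that carries the one-time code. */
    public static final String TOTP = "totp";
    private static final String PASSWORD_STACKING = "password-stacking";
    private static final String USE_FIRST_PASSWORD = "useFirstPass";
    private static final String NUM_OF_DIGITS_OPT = "numOfDigits";
    private static final String ADDITIONAL_ROLES = "additionalRoles";
    private static final String[] ALL_VALID_OPTIONS = {PASSWORD_STACKING, USE_FIRST_PASSWORD, NUM_OF_DIGITS_OPT, ALGORITHM, ADDITIONAL_ROLES};
    /** Classpath resource holding {@code userName=seed} entries. */
    private static final String USERS_RESOURCE = "otp-users.properties";
    /** Shared-state key under which a preceding module publishes the user name (password stacking). */
    private static final String SHARED_NAME_KEY = "javax.security.auth.login.name";
    /** Name of the Group principal that carries role memberships. */
    private static final String ROLES_GROUP = "Roles";
    /** Default-name hint handed to the NameCallback; the handler decides whether to use it. */
    private static final String DEFAULT_NAME = "guest";

    private CallbackHandler callbackHandler;
    private boolean useFirstPass;
    private Subject subject;
    private Map<String, Object> lmSharedState = new HashMap<String, Object>();
    private Map<String, Object> lmOptions = new HashMap<String, Object>();
    private int NUMBER_OF_DIGITS = 6;
    private String additionalRoles = null;
    private String algorithm = TimeBasedOTP.HMAC_SHA1;

    /**
     * Reads the module options and keeps references to the subject, callback handler and shared state.
     * <p>
     * Unknown option names are only logged. {@code numOfDigits} must parse as a positive integer;
     * a bad value fails here, at deployment, instead of on the first login attempt.
     *
     * @param subject         subject being authenticated
     * @param callbackHandler handler used to obtain the user name when not password stacking
     * @param sharedState     state shared with the other modules of the stack
     * @param options         module options from the login configuration
     * @throws IllegalArgumentException if {@code numOfDigits} is not a positive integer
     */
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        Set<String> knownOptions = new HashSet<String>(Arrays.asList(ALL_VALID_OPTIONS));
        for (String option : options.keySet()) {
            if (!knownOptions.contains(option)) {
                PicketBoxLogger.LOGGER.warnInvalidModuleOption(option);
            }
        }
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.lmSharedState.putAll(sharedState);
        this.lmOptions.putAll(options);

        String stacking = (String) options.get(PASSWORD_STACKING);
        this.useFirstPass = stacking != null && stacking.equalsIgnoreCase(USE_FIRST_PASSWORD);

        String digits = (String) options.get(NUM_OF_DIGITS_OPT);
        if (digits != null && digits.length() > 0) {
            int parsed = Integer.parseInt(digits);
            if (parsed <= 0) {
                throw new IllegalArgumentException(NUM_OF_DIGITS_OPT + " must be a positive integer");
            }
            this.NUMBER_OF_DIGITS = parsed;
        }

        String algorithmOption = (String) options.get(ALGORITHM);
        if (algorithmOption != null && !algorithmOption.isEmpty()) {
            if (TimeBasedOTP.HMAC_SHA256.equalsIgnoreCase(algorithmOption)) {
                this.algorithm = TimeBasedOTP.HMAC_SHA256;
            } else if (TimeBasedOTP.HMAC_SHA512.equalsIgnoreCase(algorithmOption)) {
                this.algorithm = TimeBasedOTP.HMAC_SHA512;
            }
            // NOTE(review): any other value (including typos) silently keeps the HmacSHA1 default;
            // consider failing closed on an unrecognised algorithm name.
        }
        this.additionalRoles = (String) options.get(ADDITIONAL_ROLES);
    }

    /**
     * Validates the one-time code present in the current web request against the user's seed.
     * <p>
     * Every failure path -- no user name, seed store missing or unreadable, unknown user, missing or
     * wrong code, HMAC error -- ends in a {@link LoginException}; no NullPointerException escapes
     * from a misconfigured deployment. On success the roles listed in {@code additionalRoles} are
     * appended to the subject's "Roles" group, if that group already exists.
     *
     * @return {@code true} when the code verifies
     * @throws LoginException on any validation or configuration failure
     */
    public boolean login() throws LoginException {
        String name = resolveUserName();
        if (name == null || name.isEmpty()) {
            throw new LoginException("no user name available for TOTP validation");
        }
        String seed = lookupSeed(name);
        String code = getTimeBasedOTPFromRequest();
        if (code == null || code.length() == 0) {
            throw new LoginException("TOTP validation failed");
        }
        if (seed == null) {
            // Unknown user: same outcome and message as a wrong code so the response does not tell
            // the two apart (the timing still differs, since no HMAC is computed on this path).
            throw new LoginException("TOTP validation failed");
        }

        boolean valid;
        try {
            // Seed bytes use the platform default charset, as before; seeds are expected to be ASCII.
            valid = validateCode(code, seed.getBytes());
        } catch (GeneralSecurityException e) {
            throw asLoginException("TOTP validation error", e);
        }
        if (!valid) {
            throw new LoginException("TOTP validation failed");
        }

        if (this.subject != null) {
            Set<Group> groups = this.subject.getPrincipals(Group.class);
            if (groups != null && !groups.isEmpty()) {
                appendRoles(groups.iterator().next());
            }
        }
        return true;
    }

    /** No-op: principals are already attached to the subject in {@link #login()}. */
    public boolean commit() throws LoginException {
        return true;
    }

    /** No-op: nothing added in {@link #login()} is removed here. */
    public boolean abort() throws LoginException {
        return true;
    }

    /** No-op: this module removes nothing from the subject. */
    public boolean logout() throws LoginException {
        return true;
    }

    /**
     * Determines the user name: from the shared state when password stacking is on, otherwise via
     * a {@link NameCallback}.
     *
     * @return the user name, or {@code null} when neither source provides one
     * @throws LoginException if the callback handler fails
     */
    private String resolveUserName() throws LoginException {
        if (this.useFirstPass) {
            Object shared = this.lmSharedState.get(SHARED_NAME_KEY);
            // Other modules may publish either a String or a Principal under this key;
            // accept both instead of relying on a String cast.
            if (shared instanceof Principal) {
                return ((Principal) shared).getName();
            }
            return shared == null ? null : shared.toString();
        }
        NameCallback nameCallback = new NameCallback(PicketBoxMessages.MESSAGES.enterUsernameMessage(), DEFAULT_NAME);
        try {
            this.callbackHandler.handle(new Callback[]{nameCallback});
        } catch (Exception e) {
            throw asLoginException("could not obtain the user name from the callback handler", e);
        }
        return nameCallback.getName();
    }

    /**
     * Loads {@value #USERS_RESOURCE} from the context class loader and returns the seed for {@code user}.
     *
     * @return the seed, or {@code null} when the user has no entry
     * @throws LoginException if the resource is absent or cannot be read
     */
    private String lookupSeed(String user) throws LoginException {
        ClassLoader loader = SecurityActions.getContextClassLoader();
        InputStream in = loader == null ? null : loader.getResourceAsStream(USERS_RESOURCE);
        if (in == null) {
            throw new LoginException("TOTP user store " + USERS_RESOURCE + " not found on the classpath");
        }
        Properties users = new Properties();
        try {
            users.load(in);
        } catch (IOException e) {
            throw asLoginException("could not read " + USERS_RESOURCE, e);
        } finally {
            safeClose(in);
        }
        return users.getProperty(user);
    }

    /**
     * Dispatches to the {@link TimeBasedOTPUtil} variant matching the configured algorithm.
     * NOTE(review): confirm that the utility compares codes in constant time.
     *
     * @return {@code true} if the code verifies; {@code false} for an unknown algorithm (fail closed)
     */
    private boolean validateCode(String code, byte[] seed) throws GeneralSecurityException {
        if (TimeBasedOTP.HMAC_SHA1.equals(this.algorithm)) {
            return TimeBasedOTPUtil.validate(code, seed, this.NUMBER_OF_DIGITS);
        }
        if (TimeBasedOTP.HMAC_SHA256.equals(this.algorithm)) {
            return TimeBasedOTPUtil.validate256(code, seed, this.NUMBER_OF_DIGITS);
        }
        if (TimeBasedOTP.HMAC_SHA512.equals(this.algorithm)) {
            return TimeBasedOTPUtil.validate512(code, seed, this.NUMBER_OF_DIGITS);
        }
        return false;
    }

    /** Wraps {@code cause} in a {@link LoginException} without losing the original stack trace. */
    private static LoginException asLoginException(String message, Throwable cause) {
        LoginException loginException = new LoginException(message);
        loginException.initCause(cause);
        return loginException;
    }

    /**
     * Reads the {@value #TOTP} parameter from the web request registered with the JACC PolicyContext.
     *
     * @return the raw parameter value, or {@code null} if the request is unavailable or has no such parameter
     */
    private String getTimeBasedOTPFromRequest() {
        String code = null;
        try {
            HttpServletRequest request = (HttpServletRequest) PolicyContext.getContext(SecurityConstants.WEB_REQUEST_KEY);
            code = request.getParameter(TOTP);
        } catch (PolicyContextException e) {
            PicketBoxLogger.LOGGER.debugErrorGettingRequestFromPolicyContext(e);
        }
        return code;
    }

    /**
     * Adds each comma-separated entry of {@code additionalRoles} to {@code group}, but only when the
     * group is the "Roles" group. Blank entries (e.g. from a trailing comma) are skipped.
     */
    private void appendRoles(Group group) {
        if (!ROLES_GROUP.equals(group.getName()) || this.additionalRoles == null || this.additionalRoles.isEmpty()) {
            return;
        }
        StringTokenizer roles = new StringTokenizer(this.additionalRoles, ",");
        while (roles.hasMoreTokens()) {
            String role = roles.nextToken().trim();
            if (!role.isEmpty()) {
                group.addMember(new SimplePrincipal(role));
            }
        }
    }

    /** Closes the stream, ignoring close failures (the content has already been consumed). */
    private void safeClose(InputStream inputStream) {
        if (inputStream != null) {
            try {
                inputStream.close();
            } catch (Exception ignored) {
                // nothing useful to do with a close failure on a classpath resource
            }
        }
    }
}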
