package org.jboss.as.security;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.sasl.RealmCallback;
import org.jboss.as.core.security.RealmRole;
import org.jboss.as.core.security.RealmUser;
import org.jboss.as.core.security.SubjectUserInfo;
import org.jboss.as.domain.management.AuthMechanism;
import org.jboss.as.domain.management.AuthorizingCallbackHandler;
import org.jboss.as.domain.management.SecurityRealm;
import org.jboss.as.security.logging.SecurityLogger;
import org.jboss.as.server.CurrentServiceContainer;
import org.jboss.msc.service.ServiceContainer;
import org.jboss.msc.service.ServiceController;
import org.jboss.security.SimpleGroup;
import org.jboss.security.auth.callback.ObjectCallback;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;
import org.wildfly.common.iteration.ByteIterator;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.password.interfaces.DigestPassword;
import org.wildfly.security.sasl.util.UsernamePasswordHashUtil;

/* loaded from: input_file:org/jboss/as/security/RealmDirectLoginModule.class */
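/**
 * JAAS login module that validates a user name and password against a {@link SecurityRealm}
 * obtained from the current service container.
 *
 * <p>The realm is selected with the {@code realm} module option and defaults to
 * {@code ApplicationRealm}. During {@link #initialize} the module picks one of the realm's
 * supported authentication mechanisms and derives a {@link ValidationMode} that decides how
 * {@link #getUsersPassword()} and {@link #validatePassword(String, String)} cooperate.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Secret comparisons go through {@link #constantTimeEquals(String, String)} rather than
 *       {@link String#equals(Object)}, so the time taken does not depend on how many leading
 *       characters of a guess are correct.</li>
 *   <li>Every path that cannot obtain the data it needs (no stored credential, no supplied
 *       password) fails closed by returning {@code false} / {@code null} instead of throwing a
 *       {@link NullPointerException}.</li>
 * </ul>
 */
public class RealmDirectLoginModule extends UsernamePasswordLoginModule {
    private static final String DEFAULT_REALM = "ApplicationRealm";
    private static final String REALM_OPTION = "realm";
    private static final String[] ALL_VALID_OPTIONS = {REALM_OPTION};

    // Mechanism-configuration keys read from SecurityRealm.getMechanismConfig(...).
    private static final String VERIFY_PASSWORD_CALLBACK_SUPPORTED =
            "org.jboss.as.domain.management.verify_password_callback_supported";
    private static final String DIGEST_PLAIN_TEXT = "org.jboss.as.domain.management.digest.plain_text";

    // Algorithm name requested from the realm when the stored digest is fetched.
    private static final String DIGEST_MD5_ALGORITHM = "digest-md5";

    private SecurityRealm securityRealm;
    private AuthMechanism chosenMech;
    private ValidationMode validationMode;
    // Only created when validationMode ends up as DIGEST in initialize().
    private UsernamePasswordHashUtil hashUtil;
    // Realm-side handler; note that this field hides the superclass field of the same name,
    // which holds the caller-supplied JAAS handler (see getDigestCredential()).
    private AuthorizingCallbackHandler callbackHandler;
    // Credential supplied by the caller for the current login attempt, or null.
    private DigestCredential digestCredential;

    /** How the supplied password is checked against the realm. */
    private enum ValidationMode {
        /** The realm returns a pre-hashed digest; the supplied password is hashed and compared. */
        DIGEST,
        /** The realm returns the clear-text password; it is compared directly. */
        PASSWORD,
        /** The realm verifies the supplied password itself through an evidence callback. */
        VALIDATION,
        /** The chosen mechanism is neither DIGEST nor PLAIN; validation always fails. */
        NONE
    }

    /**
     * Resolves the security realm and decides which mechanism and validation mode to use.
     *
     * @param subject the subject being authenticated (passed to the superclass)
     * @param callbackHandler the caller-supplied JAAS callback handler (passed to the superclass)
     * @param map the JAAS shared-state map (passed to the superclass unchanged)
     * @param map2 the module options; only the {@code realm} entry is read here
     * @throws RuntimeException the unchecked exception produced by
     *         {@code SecurityLogger.ROOT_LOGGER.realmNotFound} when the realm service is missing
     * @throws IllegalStateException if the digest hash utility cannot be created
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        addValidOptions(ALL_VALID_OPTIONS);
        super.initialize(subject, callbackHandler, map, map2);

        String realmName = map2.containsKey(REALM_OPTION) ? (String) map2.get(REALM_OPTION) : DEFAULT_REALM;
        ServiceController<?> realmService =
                currentServiceContainer().getService(SecurityRealm.ServiceUtil.createServiceName(realmName));
        if (realmService != null) {
            this.securityRealm = (SecurityRealm) realmService.getValue();
        }
        if (this.securityRealm == null) {
            throw SecurityLogger.ROOT_LOGGER.realmNotFound(realmName);
        }

        // Preference order: DIGEST, then PLAIN, then whatever the realm lists first.
        Set<AuthMechanism> supported = this.securityRealm.getSupportedAuthenticationMechanisms();
        if (supported.contains(AuthMechanism.DIGEST)) {
            this.chosenMech = AuthMechanism.DIGEST;
        } else if (supported.contains(AuthMechanism.PLAIN)) {
            this.chosenMech = AuthMechanism.PLAIN;
        } else {
            this.chosenMech = supported.iterator().next();
        }

        if (this.chosenMech != AuthMechanism.DIGEST && this.chosenMech != AuthMechanism.PLAIN) {
            // No password-based check is possible; validatePassword() rejects every attempt.
            this.validationMode = ValidationMode.NONE;
            return;
        }

        Map<String, String> mechanismConfig = this.securityRealm.getMechanismConfig(this.chosenMech);
        // Boolean.parseBoolean(null) is false, so an absent key behaves like "false".
        if (Boolean.parseBoolean(mechanismConfig.get(VERIFY_PASSWORD_CALLBACK_SUPPORTED))) {
            this.validationMode = ValidationMode.VALIDATION;
        } else if (this.chosenMech != AuthMechanism.DIGEST
                || Boolean.parseBoolean(mechanismConfig.get(DIGEST_PLAIN_TEXT))) {
            this.validationMode = ValidationMode.PASSWORD;
        } else {
            this.validationMode = ValidationMode.DIGEST;
            try {
                this.hashUtil = new UsernamePasswordHashUtil();
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    /**
     * Captures a caller-supplied {@link DigestCredential}, if any, then delegates to the superclass.
     *
     * <p>When a digest credential is present and the realm would otherwise verify the password
     * itself ({@code VALIDATION}), the mode is switched to {@code DIGEST} so that
     * {@link #getUsersPassword()} fetches the stored digest for
     * {@link #validatePassword(String, String)} to hand to the credential.
     */
    @Override
    public boolean login() throws LoginException {
        this.digestCredential = getDigestCredential();
        if (this.digestCredential != null && this.validationMode == ValidationMode.VALIDATION) {
            this.validationMode = ValidationMode.DIGEST;
        }
        return super.login();
    }

    /**
     * Always throws; this module does not offer the superclass password-hashing hook.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    protected String createPasswordHash(String str, String str2, String str3) throws LoginException {
        throw new UnsupportedOperationException();
    }

    /**
     * Fetches the value the supplied password will be compared with.
     *
     * @return the hex-encoded stored digest ({@code DIGEST}), the clear-text password
     *         ({@code PASSWORD}), or {@code null} when the realm verifies the password itself
     *         ({@code VALIDATION}), when no validation is possible ({@code NONE}), or when the
     *         realm returned no usable credential
     * @throws LoginException if the realm's callback handler fails
     */
    @Override
    protected String getUsersPassword() throws LoginException {
        if (this.validationMode == ValidationMode.VALIDATION) {
            return null;
        }
        RealmCallback realmCallback = new RealmCallback("Realm", this.securityRealm.getName());
        NameCallback nameCallback = new NameCallback("User Name", getUsername());
        switch (this.validationMode) {
            case DIGEST: {
                // Declared with the concrete type so getCredential() resolves.
                CredentialCallback credentialCallback =
                        new CredentialCallback(PasswordCredential.class, DIGEST_MD5_ALGORITHM);
                handle(new Callback[]{realmCallback, nameCallback, credentialCallback});
                PasswordCredential stored = (PasswordCredential) credentialCallback.getCredential();
                DigestPassword digest = stored == null ? null : stored.getPassword(DigestPassword.class);
                if (digest == null) {
                    // No digest for this user: return null so validatePassword() rejects the
                    // attempt instead of this method failing with a NullPointerException.
                    return null;
                }
                return ByteIterator.ofBytes(digest.getDigest()).hexEncode().drainToString();
            }
            case PASSWORD: {
                PasswordCallback passwordCallback = new PasswordCallback("Password", false);
                handle(new Callback[]{realmCallback, nameCallback, passwordCallback});
                char[] clearText = passwordCallback.getPassword();
                // getPassword() hands back a copy; wipe the callback's own buffer right away.
                passwordCallback.clearPassword();
                // String.valueOf((char[]) null) would throw, so map "no password" to null.
                return clearText == null ? null : String.valueOf(clearText);
            }
            default:
                return null;
        }
    }

    /**
     * Invokes the realm's callback handler and converts its checked failures.
     *
     * @throws LoginException wrapping the message of any I/O or unsupported-callback failure
     */
    private void handle(Callback[] callbackArr) throws LoginException {
        try {
            getCallbackHandler().handle(callbackArr);
        } catch (IOException | UnsupportedCallbackException e) {
            throw SecurityLogger.ROOT_LOGGER.failureCallingSecurityRealm(e.getMessage());
        }
    }

    /** Lazily obtains the realm's authorizing callback handler for the chosen mechanism. */
    private AuthorizingCallbackHandler getCallbackHandler() {
        if (this.callbackHandler == null) {
            this.callbackHandler = this.securityRealm.getAuthorizingCallbackHandler(this.chosenMech);
        }
        return this.callbackHandler;
    }

    /**
     * Checks the supplied password against the value from {@link #getUsersPassword()}.
     *
     * @param str the password supplied by the caller
     * @param str2 the expected value returned by {@link #getUsersPassword()}; {@code null} in
     *        {@code VALIDATION} mode, where the realm performs the check
     * @return {@code true} only when the check for the active mode succeeds; every missing
     *         input or realm failure yields {@code false}
     */
    @Override
    protected boolean validatePassword(String str, String str2) {
        if (this.digestCredential != null) {
            // NOTE(review): the expected value is passed to verifyHA1 as-is. In PASSWORD mode
            // that is the clear-text password rather than a hex digest - confirm that
            // DigestCredential rejects it, or that this combination cannot occur.
            return str2 != null && this.digestCredential.verifyHA1(str2.getBytes(StandardCharsets.UTF_8));
        }
        if (str == null) {
            // Nothing was supplied: reject rather than dereference null below.
            return false;
        }
        switch (this.validationMode) {
            case DIGEST:
                return constantTimeEquals(str2,
                        this.hashUtil.generateHashedHexURP(getUsername(), this.securityRealm.getName(), str.toCharArray()));
            case PASSWORD:
                return constantTimeEquals(str2, str);
            case VALIDATION:
                RealmCallback realmCallback = new RealmCallback("Realm", this.securityRealm.getName());
                NameCallback nameCallback = new NameCallback("User Name", getUsername());
                EvidenceVerifyCallback evidenceVerifyCallback =
                        new EvidenceVerifyCallback(new PasswordGuessEvidence(str.toCharArray()));
                try {
                    handle(new Callback[]{realmCallback, nameCallback, evidenceVerifyCallback});
                    return evidenceVerifyCallback.isVerified();
                } catch (LoginException e) {
                    // Deliberate: a realm failure is treated as a failed verification.
                    return false;
                }
            default:
                return false;
        }
    }

    /**
     * Compares two secrets without stopping at the first differing character.
     *
     * @return {@code true} only if both values are non-null and equal
     */
    private static boolean constantTimeEquals(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        boolean sameBytes = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), supplied.getBytes(StandardCharsets.UTF_8));
        // UTF-8 encoding is lossy for unpaired surrogates, so confirm with equals() to keep
        // exact String semantics. This runs only after the byte comparison has already matched,
        // so it cannot reveal a partial match.
        return sameBytes && expected.equals(supplied);
    }

    /**
     * Asks the caller-supplied JAAS handler for an object credential.
     *
     * @return the credential if the handler supplied a {@link DigestCredential}; {@code null}
     *         if it supplied anything else or could not process the callback
     */
    private DigestCredential getDigestCredential() {
        ObjectCallback objectCallback = new ObjectCallback("Credential:");
        try {
            // super.callbackHandler is the caller's handler; the field of the same name in this
            // class is the realm's handler and must not be used here.
            super.callbackHandler.handle(new Callback[]{objectCallback});
        } catch (IOException | UnsupportedCallbackException e) {
            // Best effort: a handler that cannot answer simply means "no digest credential".
            return null;
        }
        Object credential = objectCallback.getCredential();
        return credential instanceof DigestCredential ? (DigestCredential) credential : null;
    }

    /**
     * Builds the {@code Roles} group from the {@link RealmRole} principals the realm assigns
     * to the authenticated user.
     *
     * @return a single-element array holding the {@code Roles} group
     * @throws LoginException wrapping the message of any failure while querying the realm
     */
    @Override
    protected Group[] getRoleSets() throws LoginException {
        Set<Principal> principals = new HashSet<>();
        principals.add(new RealmUser(getUsername()));
        try {
            SubjectUserInfo userInfo = getCallbackHandler().createSubjectUserInfo(principals);
            Group roles = new SimpleGroup("Roles");
            for (RealmRole role : userInfo.getSubject().getPrincipals(RealmRole.class)) {
                roles.addMember(createIdentity(role.getName()));
            }
            return new Group[]{roles};
        } catch (Exception e) {
            throw SecurityLogger.ROOT_LOGGER.failureCallingSecurityRealm(e.getMessage());
        }
    }

    /**
     * Returns the current service container, using a privileged action when a security
     * manager is installed.
     */
    private static ServiceContainer currentServiceContainer() {
        if (System.getSecurityManager() == null) {
            return CurrentServiceContainer.getServiceContainer();
        }
        return (ServiceContainer) AccessController.doPrivileged(CurrentServiceContainer.GET_ACTION);
    }
}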
