package org.wildfly.security.http.digest;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.function.Supplier;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.wildfly.common.iteration.ByteIterator;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.AvailableRealmsCallback;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerMechanismsResponder;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.HttpServerResponse;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism._private.ElytronMessages;
import org.wildfly.security.mechanism.digest.DigestQuote;
import org.wildfly.security.mechanism.digest.DigestUtil;
import org.wildfly.security.mechanism.digest.PasswordDigestObtainer;
import org.wildfly.security.password.interfaces.DigestPassword;

/* loaded from: input_file:org/wildfly/security/http/digest/DigestAuthenticationMechanism.class */
final class DigestAuthenticationMechanism implements HttpServerAuthenticationMechanism {
    private static final String CHALLENGE_PREFIX = "Digest ";
    private static final String OPAQUE_VALUE = "00000000000000000000000000000000";
    private static final byte COLON = 58;
    private final Supplier<Provider[]> providers;
    private final CallbackHandler callbackHandler;
    private final NonceManager nonceManager;
    private final String configuredRealm;
    private final String domain;
    private final String mechanismName;
    private final String algorithm;
    private final boolean validateUri;

    /* JADX INFO: Access modifiers changed from: package-private */
    public DigestAuthenticationMechanism(CallbackHandler callbackHandler, NonceManager nonceManager, String str, String str2, String str3, String str4, Supplier<Provider[]> supplier, String str5) {
        this.callbackHandler = callbackHandler;
        this.nonceManager = nonceManager;
        this.configuredRealm = str;
        this.domain = str2;
        this.mechanismName = str3;
        this.algorithm = str4;
        this.providers = supplier;
        this.validateUri = str5 == null ? true : Boolean.parseBoolean(str5);
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public String getMechanismName() {
        return this.mechanismName;
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public void evaluateRequest(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        List<String> requestHeaderValues = httpServerRequest.getRequestHeaderValues(HttpConstants.AUTHORIZATION);
        if (requestHeaderValues != null) {
            for (String str : requestHeaderValues) {
                if (str.startsWith(CHALLENGE_PREFIX)) {
                    try {
                        validateResponse(DigestUtil.parseResponse(str.substring(CHALLENGE_PREFIX.length()).getBytes(StandardCharsets.UTF_8), StandardCharsets.UTF_8, false, ElytronMessages.httpDigest), httpServerRequest);
                        return;
                    } catch (AuthenticationMechanismException e) {
                        ElytronMessages.httpDigest.trace("Failed to parse or validate the response", e);
                        httpServerRequest.badRequest(e.toHttpAuthenticationException(), httpServerResponse -> {
                            prepareResponse(selectRealm(), httpServerResponse, false);
                        });
                        return;
                    }
                }
            }
        }
        httpServerRequest.noAuthenticationInProgress(httpServerResponse2 -> {
            prepareResponse(selectRealm(), httpServerResponse2, false);
        });
    }

    private void validateResponse(HashMap<String, byte[]> hashMap, HttpServerRequest httpServerRequest) throws AuthenticationMechanismException, HttpAuthenticationException {
        int parseInt;
        String decodeRfc2231;
        String convertToken = convertToken("nonce", hashMap.get("nonce"));
        String convertToken2 = convertToken(HttpConstants.REALM, hashMap.get(HttpConstants.REALM));
        if (hashMap.containsKey(HttpConstants.NC)) {
            parseInt = Integer.parseInt(convertToken(HttpConstants.REALM, hashMap.get(HttpConstants.NC)), 16);
            if (parseInt < 0) {
                throw ElytronMessages.httpDigest.invalidNonceCount(parseInt);
            }
        } else {
            parseInt = -1;
        }
        final byte[] bytes = convertToken2.getBytes(StandardCharsets.UTF_8);
        boolean useNonce = this.nonceManager.useNonce(convertToken, bytes, parseInt);
        if (hashMap.containsKey(HttpConstants.USERNAME) && !hashMap.containsKey(HttpConstants.USERNAME_STAR)) {
            decodeRfc2231 = convertToken(HttpConstants.USERNAME, hashMap.get(HttpConstants.USERNAME));
        } else {
            if (!hashMap.containsKey(HttpConstants.USERNAME_STAR) || hashMap.containsKey(HttpConstants.USERNAME)) {
                throw ElytronMessages.httpDigest.mechOneOfDirectivesHasToBeDefined(HttpConstants.USERNAME, HttpConstants.USERNAME_STAR);
            }
            try {
                decodeRfc2231 = decodeRfc2231(convertToken(HttpConstants.USERNAME_STAR, hashMap.get(HttpConstants.USERNAME_STAR)));
            } catch (UnsupportedEncodingException e) {
                throw ElytronMessages.httpDigest.mechInvalidClientMessageWithCause(e);
            }
        }
        if (!hashMap.containsKey(HttpConstants.URI)) {
            throw ElytronMessages.httpDigest.mechMissingDirective(HttpConstants.URI);
        }
        byte[] bArr = hashMap.get(HttpConstants.URI);
        if (!digestUriMatchesRequestUri(httpServerRequest, bArr)) {
            fail();
            httpServerRequest.authenticationFailed(ElytronMessages.httpDigest.mechResponseTokenMismatch(getMechanismName()), httpServerResponse -> {
                httpServerResponse.setStatusCode(HttpConstants.BAD_REQUEST);
            });
            return;
        }
        if (!hashMap.containsKey(HttpConstants.RESPONSE)) {
            throw ElytronMessages.httpDigest.mechMissingDirective(HttpConstants.RESPONSE);
        }
        byte[] drain = ByteIterator.ofBytes(hashMap.get(HttpConstants.RESPONSE)).asUtf8String().hexDecode().drain();
        String convertToken3 = hashMap.containsKey(HttpConstants.ALGORITHM) ? convertToken(HttpConstants.ALGORITHM, hashMap.get(HttpConstants.ALGORITHM)) : "MD5";
        if (!this.algorithm.equals(convertToken3)) {
            throw ElytronMessages.httpDigest.mechUnsupportedAlgorithm(convertToken3);
        }
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(convertToken3);
            if (!checkRealm(convertToken2)) {
                throw ElytronMessages.httpDigest.mechDisallowedClientRealm(convertToken2);
            }
            String selectRealm = selectRealm();
            if (decodeRfc2231.length() == 0) {
                ElytronMessages.httpDigest.trace("Failed: no username");
                fail();
                httpServerRequest.authenticationFailed(ElytronMessages.httpDigest.authenticationFailed(), httpServerResponse2 -> {
                    prepareResponse(selectRealm, httpServerResponse2, false);
                });
                return;
            }
            byte[] h_a1 = getH_A1(messageDigest, decodeRfc2231, convertToken2);
            if (h_a1 == null) {
                ElytronMessages.httpDigest.trace("Failed: unable to get expected proof");
                fail();
                httpServerRequest.authenticationFailed(ElytronMessages.httpDigest.authenticationFailed(), httpServerResponse3 -> {
                    prepareResponse(selectRealm, httpServerResponse3, false);
                });
                return;
            }
            if (!Arrays.equals(drain, calculateResponseDigest(messageDigest, h_a1, convertToken, httpServerRequest.getRequestMethod(), bArr, hashMap.get(HttpConstants.QOP), hashMap.get(HttpConstants.CNONCE), hashMap.get(HttpConstants.NC)))) {
                ElytronMessages.httpDigest.trace("Failed: invalid proof");
                fail();
                httpServerRequest.authenticationFailed(ElytronMessages.httpDigest.mechResponseTokenMismatch(getMechanismName()), httpServerResponse4 -> {
                    prepareResponse(selectRealm, httpServerResponse4, false);
                });
                return;
            }
            if (!useNonce) {
                ElytronMessages.httpDigest.trace("Failed: invalid nonce");
                httpServerRequest.authenticationInProgress(httpServerResponse5 -> {
                    prepareResponse(selectRealm, httpServerResponse5, true);
                });
                return;
            }
            if (!authorize(decodeRfc2231)) {
                ElytronMessages.httpDigest.trace("Failed: not authorized");
                fail();
                httpServerRequest.authenticationFailed(ElytronMessages.httpDigest.authorizationFailed(decodeRfc2231), httpServerResponse6 -> {
                    httpServerResponse6.setStatusCode(HttpConstants.FORBIDDEN);
                });
            } else {
                ElytronMessages.httpDigest.trace("Succeed");
                succeed();
                if (parseInt < 0) {
                    httpServerRequest.authenticationComplete(new HttpServerMechanismsResponder() { // from class: org.wildfly.security.http.digest.DigestAuthenticationMechanism.1
                        @Override // org.wildfly.security.http.HttpServerMechanismsResponder
                        public void sendResponse(HttpServerResponse httpServerResponse7) throws HttpAuthenticationException {
                            DigestAuthenticationMechanism.this.sendAuthenticationInfoHeader(httpServerResponse7, bytes);
                        }
                    });
                } else {
                    httpServerRequest.authenticationComplete();
                }
            }
        } catch (NoSuchAlgorithmException e2) {
            throw ElytronMessages.httpDigest.mechMacAlgorithmNotSupported(e2);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void sendAuthenticationInfoHeader(HttpServerResponse httpServerResponse, byte[] bArr) {
        httpServerResponse.addResponseHeader(HttpConstants.AUTHENTICATION_INFO, "nextnonce=\"" + this.nonceManager.generateNonce(bArr) + "\"");
    }

    private boolean digestUriMatchesRequestUri(HttpServerRequest httpServerRequest, byte[] bArr) {
        if (!this.validateUri) {
            return true;
        }
        URI requestURI = httpServerRequest.getRequestURI();
        String str = new String(bArr, StandardCharsets.UTF_8);
        if (requestURI.toString().equals(str)) {
            return true;
        }
        String query = requestURI.getQuery();
        return ((query == null || query.isEmpty()) ? requestURI.getPath() : requestURI.getPath() + "?" + requestURI.getQuery()).equals(str);
    }

    private boolean checkRealm(String str) throws AuthenticationMechanismException {
        String[] availableRealms = getAvailableRealms();
        if (availableRealms == null) {
            return false;
        }
        for (String str2 : availableRealms) {
            if (str.equals(str2)) {
                return true;
            }
        }
        return false;
    }

    private byte[] calculateResponseDigest(MessageDigest messageDigest, byte[] bArr, String str, String str2, byte[] bArr2, byte[] bArr3, byte[] bArr4, byte[] bArr5) {
        messageDigest.update(str2.getBytes(StandardCharsets.UTF_8));
        messageDigest.update((byte) 58);
        byte[] digest = messageDigest.digest(bArr2);
        messageDigest.update(ByteIterator.ofBytes(bArr).hexEncode().drainToString().getBytes(StandardCharsets.UTF_8));
        messageDigest.update((byte) 58);
        messageDigest.update(str.getBytes(StandardCharsets.UTF_8));
        if (bArr3 != null) {
            messageDigest.update((byte) 58);
            messageDigest.update(bArr5);
            messageDigest.update((byte) 58);
            messageDigest.update(bArr4);
            messageDigest.update((byte) 58);
            messageDigest.update(bArr3);
        }
        messageDigest.update((byte) 58);
        return messageDigest.digest(ByteIterator.ofBytes(digest).hexEncode().drainToString().getBytes(StandardCharsets.UTF_8));
    }

    private byte[] getH_A1(MessageDigest messageDigest, String str, String str2) throws AuthenticationMechanismException {
        return new PasswordDigestObtainer(this.callbackHandler, str, str2, ElytronMessages.httpDigest, DigestPassword.ALGORITHM_DIGEST_MD5, messageDigest, this.providers, null, true, false).handleUserRealmPasswordCallbacks();
    }

    private String convertToken(String str, byte[] bArr) throws AuthenticationMechanismException {
        if (bArr == null) {
            throw ElytronMessages.httpDigest.mechMissingDirective(str);
        }
        return new String(bArr, StandardCharsets.UTF_8);
    }

    private String selectRealm() throws HttpAuthenticationException {
        try {
            if (this.configuredRealm != null) {
                if (checkRealm(this.configuredRealm)) {
                    return this.configuredRealm;
                }
                throw ElytronMessages.httpDigest.digestMechanismInvalidRealm(this.configuredRealm);
            }
            String[] availableRealms = getAvailableRealms();
            if (availableRealms == null || availableRealms.length <= 0) {
                throw ElytronMessages.httpDigest.digestMechanismRequireRealm();
            }
            return availableRealms[0];
        } catch (AuthenticationMechanismException e) {
            throw e.toHttpAuthenticationException();
        }
    }

    private String[] getAvailableRealms() throws AuthenticationMechanismException {
        AvailableRealmsCallback availableRealmsCallback = new AvailableRealmsCallback();
        try {
            this.callbackHandler.handle(new Callback[]{availableRealmsCallback});
            return availableRealmsCallback.getRealmNames();
        } catch (AuthenticationMechanismException e) {
            throw e;
        } catch (IOException e2) {
            throw ElytronMessages.httpDigest.mechCallbackHandlerFailedForUnknownReason(e2);
        } catch (UnsupportedCallbackException e3) {
            return new String[0];
        }
    }

    private void prepareResponse(String str, HttpServerResponse httpServerResponse, boolean z) throws HttpAuthenticationException {
        StringBuilder sb = new StringBuilder(CHALLENGE_PREFIX);
        sb.append(HttpConstants.REALM).append("=\"").append(DigestQuote.quote(str)).append("\"");
        if (this.domain != null) {
            sb.append(", ").append(HttpConstants.DOMAIN).append("=\"").append(this.domain).append("\"");
        }
        sb.append(", ").append("nonce").append("=\"").append(this.nonceManager.generateNonce(str.getBytes(StandardCharsets.UTF_8))).append("\"");
        sb.append(", ").append(HttpConstants.OPAQUE).append("=\"").append("00000000000000000000000000000000").append("\"");
        if (z) {
            sb.append(", ").append(HttpConstants.STALE).append("=true");
        }
        sb.append(", ").append(HttpConstants.ALGORITHM).append("=").append(this.algorithm);
        sb.append(", ").append(HttpConstants.QOP).append("=").append("auth");
        httpServerResponse.addResponseHeader(HttpConstants.WWW_AUTHENTICATE, sb.toString());
        httpServerResponse.setStatusCode(HttpConstants.UNAUTHORIZED);
    }

    private boolean authorize(String str) throws AuthenticationMechanismException {
        Callback authorizeCallback = new AuthorizeCallback(str, str);
        try {
            this.callbackHandler.handle(new Callback[]{authorizeCallback});
            return authorizeCallback.isAuthorized();
        } catch (UnsupportedCallbackException e) {
            return false;
        } catch (Throwable th) {
            throw ElytronMessages.httpDigest.mechCallbackHandlerFailedForUnknownReason(th);
        }
    }

    private void succeed() throws AuthenticationMechanismException {
        try {
            this.callbackHandler.handle(new Callback[]{AuthenticationCompleteCallback.SUCCEEDED});
        } catch (Throwable th) {
            throw ElytronMessages.httpDigest.mechCallbackHandlerFailedForUnknownReason(th);
        }
    }

    private void fail() throws AuthenticationMechanismException {
        try {
            this.callbackHandler.handle(new Callback[]{AuthenticationCompleteCallback.FAILED});
        } catch (Throwable th) {
            throw ElytronMessages.httpDigest.mechCallbackHandlerFailedForUnknownReason(th);
        }
    }

    private static String decodeRfc2231(String str) throws UnsupportedEncodingException {
        int indexOf = str.indexOf(39);
        int indexOf2 = str.indexOf(39, indexOf + 1);
        return URLDecoder.decode(str.substring(indexOf2 + 1), str.substring(0, indexOf));
    }
}
