package net.shibboleth.idp.authn.impl;

import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import net.shibboleth.idp.authn.AbstractValidationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.idp.authn.principal.UsernamePrincipal;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import net.shibboleth.utilities.java.support.logic.ConstraintViolationException;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/ValidateUsernamePasswordAgainstJAAS.class */
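/**
 * Validation action that checks the username/password held in a {@link UsernamePasswordContext}
 * against one or more JAAS login configurations.
 *
 * <p>{@link #doPreExecute} locates the {@link UsernamePasswordContext} and requires both a username
 * and a password. {@link #doExecute} then tries each configured JAAS configuration name in order and
 * stops at the first successful {@link LoginContext#login()}. Every failed attempt is reported via
 * {@code handleError}, so if all configurations fail the event produced by the last attempt stands.</p>
 *
 * <p>All setters reject changes once the component has been initialized.</p>
 */
public class ValidateUsernamePasswordAgainstJAAS extends AbstractValidationAction {

    /** Context holding the credentials to validate; set by {@link #doPreExecute}, read afterwards. */
    @Nullable
    private UsernamePasswordContext upContext;

    /** JAAS {@link Configuration} provider type; {@code null} means the system configuration is used. */
    @Nullable
    private String loginConfigType;

    /** Parameters handed to {@link Configuration#getInstance} when {@link #loginConfigType} is set. */
    @Nullable
    private Configuration.Parameters loginConfigParameters;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateUsernamePasswordAgainstJAAS.class);

    /** JAAS configuration names tried in order; defaults to the single entry "ShibUserPassAuth". */
    @NonnullElements
    @Nonnull
    private List<String> loginConfigNames = Collections.singletonList("ShibUserPassAuth");

    /**
     * A {@link CallbackHandler} that answers {@link NameCallback} and {@link PasswordCallback}
     * from the enclosing action's {@link UsernamePasswordContext}.
     *
     * <p>Other callback types are left untouched rather than rejected, so login modules that issue
     * additional callbacks are not broken by this handler.</p>
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:net/shibboleth/idp/authn/impl/ValidateUsernamePasswordAgainstJAAS$SimpleCallbackHandler.class */
    public class SimpleCallbackHandler implements CallbackHandler {
        protected SimpleCallbackHandler() {
        }

        /**
         * Supply the username and password to the callbacks that request them.
         *
         * @param callbacks callbacks issued by the login module; {@code null} or empty is a no-op
         * @throws UnsupportedCallbackException never thrown here; declared for the interface contract
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(final Callback[] callbacks) throws UnsupportedCallbackException {
            if (callbacks == null || callbacks.length == 0) {
                return;
            }
            for (final Callback callback : callbacks) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(upContext.getUsername());
                } else if (callback instanceof PasswordCallback) {
                    // PasswordCallback.setPassword() keeps its own clone, so this intermediate copy
                    // can be wiped immediately. (The String inside the context is not cleared here.)
                    final char[] password = upContext.getPassword().toCharArray();
                    try {
                        ((PasswordCallback) callback).setPassword(password);
                    } finally {
                        Arrays.fill(password, '\0');
                    }
                }
            }
        }
    }

    /**
     * Get the JAAS configuration provider type.
     *
     * @return the provider type, or {@code null} if the system configuration is used
     */
    @Nullable
    public String getLoginConfigType() {
        return loginConfigType;
    }

    /**
     * Set the JAAS configuration provider type. The value is trimmed; a blank value becomes
     * {@code null}, which selects the system configuration.
     *
     * @param type the provider type
     */
    public void setLoginConfigType(@Nullable final String type) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        loginConfigType = StringSupport.trimOrNull(type);
    }

    /**
     * Get the parameters passed to the custom JAAS configuration provider.
     *
     * @return the parameters, or {@code null} if none were set
     */
    @Nullable
    public Configuration.Parameters getLoginConfigParameters() {
        return loginConfigParameters;
    }

    /**
     * Set the parameters passed to the custom JAAS configuration provider. Only used when a
     * configuration type has been set.
     *
     * @param parameters the parameters, may be {@code null}
     */
    public void setLoginConfigParameters(@Nullable final Configuration.Parameters parameters) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        loginConfigParameters = parameters;
    }

    /**
     * Set the JAAS configuration names to try, in order.
     *
     * @param names the configuration names; normalized via {@link StringSupport#normalizeStringCollection}
     * @throws ConstraintViolationException if the list is {@code null} or empty after normalization
     */
    public void setLoginConfigNames(@NonnullElements @NotEmpty @Nonnull final List<String> names) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        Constraint.isNotNull(names, "Configuration name list cannot be null");
        // Copy into a mutable list so the default singletonList is never shared or modified.
        loginConfigNames = new ArrayList<>(StringSupport.normalizeStringCollection(names));
        if (loginConfigNames.isEmpty()) {
            throw new ConstraintViolationException("Configuration name list cannot be empty");
        }
    }

    /**
     * Check the prerequisites for validation: an attempted flow and a {@link UsernamePasswordContext}
     * that carries both a username and a password.
     *
     * <p>A missing flow produces an "InvalidProfileContext" event; a missing context or username is
     * reported as "NoCredentials"; a missing password as "InvalidCredentials".</p>
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     * @return {@code true} iff {@link #doExecute} should run
     */
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }

        if (authenticationContext.getAttemptedFlow() == null) {
            log.info("{} No attempted flow within authentication context", getLogPrefix());
            ActionSupport.buildEvent(profileRequestContext, "InvalidProfileContext");
            return false;
        }

        upContext = authenticationContext.getSubcontext(UsernamePasswordContext.class);
        if (upContext == null) {
            log.info("{} No UsernamePasswordContext available within authentication context", getLogPrefix());
            handleError(profileRequestContext, authenticationContext, "NoCredentials", "NoCredentials");
            return false;
        }

        if (upContext.getUsername() == null) {
            log.info("{} No username available within UsernamePasswordContext", getLogPrefix());
            handleError(profileRequestContext, authenticationContext, "NoCredentials", "NoCredentials");
            return false;
        }

        if (upContext.getPassword() == null) {
            log.info("{} No password available within UsernamePasswordContext", getLogPrefix());
            handleError(profileRequestContext, authenticationContext, "InvalidCredentials", "InvalidCredentials");
            return false;
        }

        return true;
    }

    /**
     * Try each JAAS configuration name in order; the first successful login builds the
     * authentication result and a proceed event, otherwise the last failure's error event stands.
     *
     * @param profileRequestContext the current profile request context
     * @param authenticationContext the current authentication context
     */
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final String username = upContext.getUsername();

        for (final String loginConfigName : loginConfigNames) {
            try {
                log.debug("{} Attempting to authenticate user '{}'", getLogPrefix(), username);
                authenticate(loginConfigName);
                log.info("{} Login by '{}' succeeded", getLogPrefix(), getLogPrefix() == null ? username : username);
                buildAuthenticationResult(profileRequestContext, authenticationContext);
                ActionSupport.buildProceedEvent(profileRequestContext);
                return;
            } catch (final LoginException e) {
                // The login module rejected the credentials: record it and try the next configuration.
                log.info("{} Login by {} failed", getLogPrefix(), username, e);
                handleError(profileRequestContext, authenticationContext, e, "InvalidCredentials");
            } catch (final Exception e) {
                // Anything else (e.g. NoSuchAlgorithmException from Configuration.getInstance) is a
                // system problem, not a bad password, and is reported as such.
                log.warn("{} Login by {} produced exception", getLogPrefix(), username, e);
                handleError(profileRequestContext, authenticationContext, e, "AuthenticationException");
            }
        }
    }

    /**
     * Add a {@link UsernamePrincipal} for the validated username to the subject.
     *
     * @param subject the subject to populate
     * @return the same subject
     */
    @Nonnull
    protected Subject populateSubject(@Nonnull final Subject subject) {
        subject.getPrincipals().add(new UsernamePrincipal(upContext.getUsername()));
        return subject;
    }

    /**
     * Run a JAAS login under the given configuration name, using either the system configuration
     * or a custom provider selected by {@link #getLoginConfigType()}.
     *
     * @param loginConfigName the JAAS configuration entry name
     * @throws LoginException if the login module rejects the credentials
     * @throws NoSuchAlgorithmException if the custom configuration type cannot be obtained
     */
    private void authenticate(@NotEmpty @Nonnull final String loginConfigName)
            throws LoginException, NoSuchAlgorithmException {
        final LoginContext loginContext;
        final String configType = getLoginConfigType();

        if (configType != null) {
            final Configuration.Parameters params = getLoginConfigParameters();
            // Parameters are nullable; the log statement must not dereference them.
            log.debug("{} Using custom JAAS configuration type {} with parameters of type {}", getLogPrefix(),
                    configType, params == null ? null : params.getClass().getName());
            loginContext = new LoginContext(loginConfigName, getSubject(), new SimpleCallbackHandler(),
                    Configuration.getInstance(configType, params));
        } else {
            log.debug("{} Using system JAAS configuration", getLogPrefix());
            loginContext = new LoginContext(loginConfigName, getSubject(), new SimpleCallbackHandler());
        }

        loginContext.login();
    }
}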
