package net.shibboleth.idp.authn.impl;

import com.google.common.base.Function;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import net.shibboleth.idp.authn.AbstractUsernamePasswordValidationAction;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicate;
import net.shibboleth.idp.authn.principal.PrincipalEvalPredicateFactory;
import net.shibboleth.idp.authn.principal.PrincipalSupportingComponent;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.profile.action.ActionSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/shibboleth/idp/authn/impl/ValidateUsernamePasswordAgainstJAAS.class */
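/**
 * Validates a username/password pair by running a JAAS {@link LoginContext} against one or more
 * JAAS application configurations.
 *
 * <p>Configurations are tried in order. A configuration may carry a {@link Subject} whose principals
 * describe what that configuration is able to satisfy; when the request carries principal requirements
 * (a {@link RequestedPrincipalContext} with an operator), only compatible configurations are attempted.
 * The first configuration whose login succeeds produces the authentication result and its principals
 * are merged into the resulting subject. When every attempted configuration fails, the last error is
 * left in place; when no configuration is attempted at all, a "RequestUnsupported" error is signalled.</p>
 *
 * <p>NOTE(review): per-request state ({@code requestedPrincipalCtx}, {@code derivedSubject},
 * {@code currentLoginConfigName}) is held in instance fields, so one instance must not serve
 * concurrent requests — confirm the action is deployed with a per-request (prototype) scope.</p>
 */
public class ValidateUsernamePasswordAgainstJAAS extends AbstractUsernamePasswordValidationAction {

    /** Default metric name prefix. Retained for compatibility; not referenced within this class. */
    @NotEmpty
    @Nonnull
    private static final String DEFAULT_METRIC_NAME = "net.shibboleth.idp.authn";

    /** JAAS application name used when no configurations have been set explicitly. */
    @NotEmpty
    @Nonnull
    private static final String DEFAULT_LOGIN_CONFIG_NAME = "ShibUserPassAuth";

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(ValidateUsernamePasswordAgainstJAAS.class);

    /** Optional JAAS {@link Configuration} provider type; {@code null} selects the system configuration. */
    @Nullable
    private String loginConfigType;

    /** Parameters handed to {@link Configuration#getInstance(String, Configuration.Parameters)}; may be null. */
    @Nullable
    private Configuration.Parameters loginConfigParameters;

    /** Optional per-request source of login configurations; when set it overrides {@link #loginConfigurations}. */
    @Nullable
    private Function<ProfileRequestContext, Collection<Pair<String, Subject>>> loginConfigStrategy;

    /** Static list of (application name, optional Subject of supported principals) pairs to try. */
    @Nonnull
    private Collection<Pair<String, Subject>> loginConfigurations =
            Collections.singletonList(new Pair<String, Subject>(DEFAULT_LOGIN_CONFIG_NAME, null));

    /** Principal requirements of the current request, captured in {@link #doPreExecute}; may be null. */
    @Nullable
    private RequestedPrincipalContext requestedPrincipalCtx;

    /** Subject attached to the configuration that succeeded; its principals are added to the result. */
    @Nullable
    private Subject derivedSubject;

    /** Name of the JAAS application configuration currently (or last) attempted; used in the metric name. */
    @Nullable
    private String currentLoginConfigName;

    /**
     * Callback handler that answers {@link NameCallback} and {@link PasswordCallback} from the
     * username/password context of the enclosing action. Any other callback type is ignored.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public class SimpleCallbackHandler implements CallbackHandler {

        /** Constructor. */
        protected SimpleCallbackHandler() {
        }

        /**
         * {@inheritDoc}
         *
         * <p>Unsupported callback types are silently skipped rather than rejected, so a login module
         * that asks for more than name/password proceeds with those callbacks unanswered.</p>
         */
        @Override // javax.security.auth.callback.CallbackHandler
        public void handle(final Callback[] callbackArr) throws UnsupportedCallbackException {
            if (callbackArr == null || callbackArr.length == 0) {
                return;
            }
            for (final Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(
                            ValidateUsernamePasswordAgainstJAAS.this.getUsernamePasswordContext().getUsername());
                } else if (callback instanceof PasswordCallback) {
                    // PasswordCallback.setPassword() stores its own clone, so the temporary array
                    // can be wiped immediately instead of lingering on the heap until GC.
                    final char[] password =
                            ValidateUsernamePasswordAgainstJAAS.this.getUsernamePasswordContext().getPassword().toCharArray();
                    ((PasswordCallback) callback).setPassword(password);
                    Arrays.fill(password, '\0');
                }
            }
        }
    }

    /**
     * Get the JAAS {@link Configuration} provider type, or null to use the system configuration.
     *
     * @return configuration type, or null
     */
    @Nullable
    public String getLoginConfigType() {
        return loginConfigType;
    }

    /**
     * Set the JAAS {@link Configuration} provider type. Trimmed; an empty value is treated as null.
     *
     * @param str configuration type, or null for the system configuration
     */
    public void setLoginConfigType(@Nullable final String str) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        loginConfigType = StringSupport.trimOrNull(str);
    }

    /**
     * Get the parameters passed when instantiating a custom JAAS {@link Configuration}.
     *
     * @return configuration parameters, or null
     */
    @Nullable
    public Configuration.Parameters getLoginConfigParameters() {
        return loginConfigParameters;
    }

    /**
     * Set the parameters passed when instantiating a custom JAAS {@link Configuration}.
     *
     * @param parameters configuration parameters, or null
     */
    public void setLoginConfigParameters(@Nullable final Configuration.Parameters parameters) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        loginConfigParameters = parameters;
    }

    /**
     * Set the JAAS application configurations to try, each paired with the principals it supports.
     *
     * <p>Names are trimmed and entries with an empty name are dropped. An entry with no principals
     * is stored with a null Subject, which makes it acceptable for any request. A null argument
     * leaves the current configurations unchanged.</p>
     *
     * @param collection (application name, supported principals) pairs, or null
     */
    public void setLoginConfigurations(@Nullable final Collection<Pair<String, Collection<Principal>>> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (collection == null) {
            return;
        }
        // Build the new list fully before publishing it so a failure mid-way leaves the old state intact.
        final List<Pair<String, Subject>> configs = new ArrayList<>(collection.size());
        for (final Pair<String, Collection<Principal>> pair : collection) {
            final String name = StringSupport.trimOrNull(pair.getFirst());
            if (name == null) {
                continue;
            }
            final Collection<Principal> principals = pair.getSecond();
            if (principals == null || principals.isEmpty()) {
                configs.add(new Pair<String, Subject>(name, null));
            } else {
                final Subject supported = new Subject();
                supported.getPrincipals().addAll(principals);
                configs.add(new Pair<String, Subject>(name, supported));
            }
        }
        loginConfigurations = configs;
    }

    /**
     * Set the JAAS application configurations to try by name alone (no principal information).
     *
     * <p>Names are trimmed and empty names are dropped. A null argument leaves the current
     * configurations unchanged.</p>
     *
     * @param collection application names, or null
     */
    public void setLoginConfigNames(@NonnullElements @Nullable final Collection<String> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (collection == null) {
            return;
        }
        final List<Pair<String, Subject>> configs = new ArrayList<>(collection.size());
        for (final String rawName : collection) {
            final String name = StringSupport.trimOrNull(rawName);
            if (name != null) {
                configs.add(new Pair<String, Subject>(name, null));
            }
        }
        loginConfigurations = configs;
    }

    /**
     * Set a strategy that supplies the login configurations per request, overriding the static list.
     *
     * @param function lookup strategy, or null to use the static configurations
     */
    public void setLoginConfigStrategy(
            @Nullable final Function<ProfileRequestContext, Collection<Pair<String, Subject>>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        loginConfigStrategy = function;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Additionally captures the request's {@link RequestedPrincipalContext}, if any, for use
     * by {@link #isAcceptable}.</p>
     */
    @Override
    protected boolean doPreExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        if (!super.doPreExecute(profileRequestContext, authenticationContext)) {
            return false;
        }
        requestedPrincipalCtx = authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        return true;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Tries each acceptable configuration in order and stops at the first successful login.
     * A {@link LoginException} is recorded as an "InvalidCredentials" failure; any other exception
     * as "AuthenticationException". Later configurations are still attempted after a failure, so a
     * subsequent success replaces the earlier error with a proceed event.</p>
     */
    @Override
    protected void doExecute(@Nonnull final ProfileRequestContext profileRequestContext,
            @Nonnull final AuthenticationContext authenticationContext) {
        final String username = getUsernamePasswordContext().getUsername();
        boolean anyAttempted = false;

        for (final Pair<String, Subject> pair : resolveLoginConfigurations(profileRequestContext)) {
            final String configName = pair.getFirst();
            final Subject configSubject = pair.getSecond();
            if (!isAcceptable(authenticationContext, configName, configSubject)) {
                continue;
            }
            anyAttempted = true;
            currentLoginConfigName = configName;
            try {
                log.debug("{} Attempting to authenticate user '{}' via '{}'", getLogPrefix(), username,
                        currentLoginConfigName);
                authenticate(currentLoginConfigName);
                log.info("{} Login by '{}' via '{}' succeeded", getLogPrefix(), username, currentLoginConfigName);
                recordSuccess(profileRequestContext);
                // Remember which configuration matched so populateSubject() can merge its principals.
                derivedSubject = configSubject;
                buildAuthenticationResult(profileRequestContext, authenticationContext);
                ActionSupport.buildProceedEvent(profileRequestContext);
                return;
            } catch (final LoginException e) {
                log.info("{} Login by '{}' via '{}' failed", getLogPrefix(), username, currentLoginConfigName, e);
                handleError(profileRequestContext, authenticationContext, e, "InvalidCredentials");
                recordFailure(profileRequestContext, true);
            } catch (final Exception e) {
                log.warn("{} Login by '{}' via '{}' produced exception", getLogPrefix(), username,
                        currentLoginConfigName, e);
                handleError(profileRequestContext, authenticationContext, e, "AuthenticationException");
                recordFailure(profileRequestContext, false);
            }
        }

        if (!anyAttempted) {
            log.warn("{} No JAAS application configurations are available or acceptable for use", getLogPrefix());
            handleError(profileRequestContext, authenticationContext, "RequestUnsupported", "RequestUnsupported");
        }
    }

    /**
     * Determine the configurations to try for this request: the strategy's result when one is set,
     * otherwise the static list.
     *
     * @param profileRequestContext current profile request context
     * @return configurations to try, never null (a null strategy result is treated as empty)
     */
    @Nonnull
    private Collection<Pair<String, Subject>> resolveLoginConfigurations(
            @Nonnull final ProfileRequestContext profileRequestContext) {
        if (loginConfigStrategy == null) {
            return loginConfigurations;
        }
        final Collection<Pair<String, Subject>> fromStrategy = loginConfigStrategy.apply(profileRequestContext);
        // A strategy yielding null would otherwise NPE in the caller's loop; treat it as "nothing available"
        // so the request ends with the RequestUnsupported error instead of an unhandled exception.
        return fromStrategy != null ? fromStrategy : Collections.<Pair<String, Subject>>emptyList();
    }

    /**
     * Decide whether a JAAS configuration may be used for the current request.
     *
     * <p>A configuration with no Subject, or a request with no principal requirements (no
     * {@link RequestedPrincipalContext} or no operator), is always acceptable. Otherwise each requested
     * principal is compared against the configuration's supported principals using the registered
     * {@link PrincipalEvalPredicateFactory} for its type and the request operator; the first match
     * records the matching principal on the context and accepts the configuration.</p>
     *
     * @param authenticationContext current authentication context
     * @param str name of the JAAS configuration (for logging)
     * @param subject principals the configuration supports, or null
     * @return true iff the configuration may be used
     */
    private boolean isAcceptable(@Nonnull final AuthenticationContext authenticationContext,
            @NotEmpty @Nonnull final String str, @Nullable final Subject subject) {
        if (subject == null || requestedPrincipalCtx == null || requestedPrincipalCtx.getOperator() == null) {
            return true;
        }

        final String operator = requestedPrincipalCtx.getOperator();
        log.debug("{} Request contains principal requirements, evaluating JAAS config '{}' for compatibility",
                getLogPrefix(), str);

        // Exposes the configuration's Subject to the predicates through the component interface.
        final PrincipalSupportingComponent supported = new PrincipalSupportingComponent() {
            public <T extends Principal> Set<T> getSupportedPrincipals(final Class<T> cls) {
                return subject.getPrincipals(cls);
            }
        };

        for (final Principal principal : requestedPrincipalCtx.getRequestedPrincipals()) {
            final PrincipalEvalPredicateFactory factory =
                    requestedPrincipalCtx.getPrincipalEvalPredicateFactoryRegistry().lookup(principal.getClass(), operator);
            if (factory == null) {
                log.debug("{} No comparison logic registered for principal type '{}' and operator '{}'",
                        getLogPrefix(), principal.getClass(), operator);
                continue;
            }
            final PrincipalEvalPredicate predicate = factory.getPredicate(principal);
            if (predicate.apply(supported)) {
                log.debug("{} JAAS config '{}' compatible with principal type '{}' and operator '{}'",
                        getLogPrefix(), str, principal.getClass(), operator);
                requestedPrincipalCtx.setMatchingPrincipal(predicate.getMatchingPrincipal());
                return true;
            }
            log.debug("{} JAAS config '{}' not compatible with principal type '{}' and operator '{}'",
                    getLogPrefix(), str, principal.getClass(), operator);
        }

        log.debug("{} Skipping JAAS config '{}', not compatible with request's principal requirements",
                getLogPrefix(), str);
        return false;
    }

    /**
     * Run a JAAS login against the named application configuration.
     *
     * @param str JAAS application configuration name
     * @throws LoginException if the login fails
     * @throws NoSuchAlgorithmException if the custom {@link Configuration} type cannot be instantiated
     */
    private void authenticate(@NotEmpty @Nonnull final String str) throws LoginException, NoSuchAlgorithmException {
        final LoginContext loginContext;
        final String configType = getLoginConfigType();
        if (configType != null) {
            final Configuration.Parameters params = getLoginConfigParameters();
            // Configuration.getInstance() accepts null parameters, so the log line must not dereference them.
            log.debug("{} Using custom JAAS configuration type {} with parameters of type {}", getLogPrefix(),
                    configType, params != null ? params.getClass().getName() : null);
            loginContext = new LoginContext(str, getSubject(), new SimpleCallbackHandler(),
                    Configuration.getInstance(configType, params));
        } else {
            log.debug("{} Using system JAAS configuration", getLogPrefix());
            loginContext = new LoginContext(str, getSubject(), new SimpleCallbackHandler());
        }
        loginContext.login();
    }

    /**
     * {@inheritDoc}
     *
     * <p>Adds the principals of the configuration that authenticated the user, if it carried any.</p>
     */
    @Override
    @Nonnull
    protected Subject populateSubject(@Nonnull final Subject subject) {
        final Subject populated = super.populateSubject(subject);
        if (derivedSubject != null) {
            populated.getPrincipals().addAll(derivedSubject.getPrincipals());
        }
        return populated;
    }

    /**
     * {@inheritDoc}
     *
     * <p>Qualifies the base metric name with the JAAS configuration last attempted.</p>
     */
    @Override
    @NotEmpty
    @Nonnull
    public String getMetricName() {
        return super.getMetricName() + '.' + currentLoginConfigName;
    }
}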
