package net.shibboleth.idp.authn.impl;

import com.google.common.base.Strings;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import java.util.Scanner;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import net.shibboleth.idp.authn.AbstractUsernamePasswordCredentialValidator;
import net.shibboleth.idp.authn.CredentialValidator;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullAfterInit;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.utilities.java.support.codec.StringDigester;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.logic.Constraint;
import org.apache.commons.codec.digest.Crypt;
import org.apache.commons.codec.digest.Md5Crypt;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;

@ThreadSafeAfterInit
/* loaded from: input_file:net/shibboleth/idp/authn/impl/HTPasswdCredentialValidator.class */
public class HTPasswdCredentialValidator extends AbstractUsernamePasswordCredentialValidator {

    @NonnullAfterInit
    private StringDigester digester;

    @Nullable
    private Resource htPasswdResource;

    @Nonnull
    private final Logger log = LoggerFactory.getLogger(HTPasswdCredentialValidator.class);

    @Nullable
    private long lastModified = 0;

    @NonnullElements
    @Nonnull
    private final Map<String, String> credentialMap = new ConcurrentHashMap();

    public void setResource(@Nonnull Resource resource) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.htPasswdResource = (Resource) Constraint.isNotNull(resource, "Resource cannot be null");
    }

    protected void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        try {
            if (this.htPasswdResource == null) {
                throw new ComponentInitializationException("Resource cannot be null");
            }
            this.digester = new StringDigester("SHA1", StringDigester.OutputFormat.BASE64);
            InputStream inputStream = this.htPasswdResource.getInputStream();
            try {
                this.credentialMap.putAll(readCredentials(inputStream));
                if (inputStream != null) {
                    inputStream.close();
                }
                if (this.htPasswdResource.isFile()) {
                    this.lastModified = this.htPasswdResource.lastModified();
                } else {
                    this.htPasswdResource = null;
                }
            } finally {
            }
        } catch (IOException e) {
            throw new ComponentInitializationException("Error reading htpasswd resource", e);
        } catch (NoSuchAlgorithmException e2) {
            throw new ComponentInitializationException("Error creating digester", e2);
        }
    }

    @Nullable
    protected Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull UsernamePasswordContext usernamePasswordContext, @Nullable CredentialValidator.WarningHandler warningHandler, @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception {
        String transformedUsername = usernamePasswordContext.getTransformedUsername();
        String str = this.credentialMap.get(transformedUsername);
        if (str == null) {
            this.log.debug("{} Username '{}' not found in password resource", getLogPrefix(), transformedUsername);
            LoginException loginException = new LoginException("UnknownUsername");
            if (errorHandler != null) {
                errorHandler.handleError(profileRequestContext, authenticationContext, loginException, "UnknownUsername");
            }
            throw loginException;
        }
        this.log.debug("{} Attempting to authenticate user '{}' ", getLogPrefix(), transformedUsername);
        if (authenticate(usernamePasswordContext, str)) {
            this.log.info("{} Login by '{}' succeeded", getLogPrefix(), transformedUsername);
            return populateSubject(new Subject(), usernamePasswordContext);
        }
        this.log.info("{} Login by '{}' failed", getLogPrefix(), transformedUsername);
        LoginException loginException2 = new LoginException("InvalidCredentials");
        if (errorHandler != null) {
            errorHandler.handleError(profileRequestContext, authenticationContext, loginException2, "InvalidCredentials");
        }
        throw loginException2;
    }

    @Nonnull
    private boolean authenticate(@Nonnull UsernamePasswordContext usernamePasswordContext, @Nonnull String str) {
        refreshCredentials();
        return str.startsWith("$apr1$") ? str.equals(Md5Crypt.apr1Crypt(usernamePasswordContext.getPassword(), str)) : str.startsWith("{SHA}") ? str.substring("{SHA}".length()).equals(this.digester.apply(usernamePasswordContext.getPassword())) : str.equals(Crypt.crypt(usernamePasswordContext.getPassword(), str));
    }

    private void refreshCredentials() {
        if (this.htPasswdResource == null) {
            return;
        }
        try {
            if (this.htPasswdResource.isFile() && this.htPasswdResource.exists() && this.htPasswdResource.lastModified() > this.lastModified) {
                InputStream inputStream = this.htPasswdResource.getInputStream();
                try {
                    this.credentialMap.clear();
                    this.credentialMap.putAll(readCredentials(inputStream));
                    if (inputStream != null) {
                        inputStream.close();
                    }
                } finally {
                }
            }
        } catch (IOException e) {
            this.log.error("{} Error reloading credentials", getLogPrefix(), e);
        }
    }

    @NonnullElements
    @Nonnull
    private Map<String, String> readCredentials(@Nonnull InputStream inputStream) {
        HashMap hashMap = new HashMap();
        Pattern compile = Pattern.compile("^([^:]+):(.+)");
        Scanner scanner = new Scanner(inputStream, StandardCharsets.UTF_8.name());
        while (scanner.hasNextLine()) {
            try {
                String trim = scanner.nextLine().trim();
                if (!trim.isEmpty() && !trim.startsWith("#")) {
                    Matcher matcher = compile.matcher(trim);
                    if (matcher.matches()) {
                        String group = matcher.group(1);
                        String group2 = matcher.group(2);
                        if (Strings.isNullOrEmpty(group)) {
                            this.log.warn("{} Skipping line with empty username", getLogPrefix());
                        } else if (Strings.isNullOrEmpty(group2)) {
                            this.log.warn("{} Skipping '{}' user with blank password", getLogPrefix(), group);
                        } else {
                            hashMap.put(group.trim(), group2.trim());
                        }
                    }
                }
            } catch (Throwable th) {
                try {
                    scanner.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
                throw th;
            }
        }
        scanner.close();
        this.log.debug("{} Loaded {} password entries", getLogPrefix(), Integer.valueOf(hashMap.size()));
        return hashMap;
    }
}
