package net.shibboleth.idp.authn.impl;

import java.io.IOException;
import java.net.URI;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.URIParameter;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import net.shibboleth.idp.authn.AbstractUsernamePasswordCredentialValidator;
import net.shibboleth.idp.authn.AuthnEventIds;
import net.shibboleth.idp.authn.CredentialValidator;
import net.shibboleth.idp.authn.context.AuthenticationContext;
import net.shibboleth.idp.authn.context.RequestedPrincipalContext;
import net.shibboleth.idp.authn.context.UsernamePasswordContext;
import net.shibboleth.utilities.java.support.annotation.constraint.NonnullElements;
import net.shibboleth.utilities.java.support.annotation.constraint.NotEmpty;
import net.shibboleth.utilities.java.support.annotation.constraint.ThreadSafeAfterInit;
import net.shibboleth.utilities.java.support.collection.Pair;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.component.ComponentSupport;
import net.shibboleth.utilities.java.support.primitive.StringSupport;
import org.opensaml.profile.context.ProfileRequestContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;

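/**
 * Validates a username/password pair by running it through one or more JAAS login configurations.
 *
 * <p>The configurations to try come either from a per-request strategy function or from a static
 * list fixed at initialization. Each configuration is a pair of a JAAS application name and an
 * optional {@link Subject} whose principals are merged into the authenticated subject on success.
 * Configurations are tried in order; the first successful login wins. If every attempt fails, only
 * the <em>last</em> exception raised is rethrown (earlier failures are reported through the
 * {@link CredentialValidator.ErrorHandler} and the log).</p>
 */
@ThreadSafeAfterInit
public class JAASCredentialValidator extends AbstractUsernamePasswordCredentialValidator {

    /**
     * JAAS {@link Configuration} type handed to {@link Configuration#getInstance}; when null the
     * JVM's system JAAS configuration is used and the resource/parameters below are ignored.
     */
    @Nullable
    private String loginConfigType;

    /** Resource whose URI is wrapped in a {@link URIParameter} at init when no explicit parameters were set. */
    @Nullable
    private Resource loginConfigResource;

    /** Parameters passed to {@link Configuration#getInstance} together with {@link #loginConfigType}. */
    @Nullable
    private Configuration.Parameters loginConfigParameters;

    /** Optional per-request supplier of configurations; when set it takes precedence over {@link #loginConfigurations}. */
    @Nullable
    private Function<ProfileRequestContext, Collection<Pair<String, Subject>>> loginConfigStrategy;

    /** Class logger. */
    @Nonnull
    private final Logger log = LoggerFactory.getLogger(JAASCredentialValidator.class);

    /**
     * Application names used to build {@link #loginConfigurations} at init when neither a strategy
     * nor explicit configurations were supplied. Defaults to the single name "ShibUserPassAuth".
     */
    // NOTE(review): declared @Nullable but dereferenced in doInitialize(); presumably
    // StringSupport.normalizeStringCollection never returns null — confirm.
    @NonnullElements
    @Nullable
    private Collection<String> loginConfigNames = Collections.singletonList("ShibUserPassAuth");

    /** Static list of (application name, optional Subject to merge) pairs tried by {@link #doValidate}. */
    @NonnullElements
    @Nonnull
    private Collection<Pair<String, Subject>> loginConfigurations = Collections.emptyList();

    /**
     * {@link CallbackHandler} that answers JAAS callbacks from a {@link UsernamePasswordContext}.
     *
     * <p>{@link NameCallback}s receive the transformed username and {@link PasswordCallback}s the
     * password as a fresh char array. Callbacks of any other type are left untouched; no
     * {@link UnsupportedCallbackException} is raised for them.</p>
     */
    public class SimpleCallbackHandler implements CallbackHandler {

        /** Source of the username and password supplied to the callbacks. */
        @Nonnull
        private final UsernamePasswordContext context;

        /**
         * Constructor.
         *
         * @param usernamePasswordContext context holding the credentials to hand to JAAS
         */
        public SimpleCallbackHandler(@Nonnull UsernamePasswordContext usernamePasswordContext) {
            this.context = usernamePasswordContext;
        }

        /**
         * Fills in name and password callbacks; ignores everything else.
         *
         * @param callbackArr callbacks issued by the login module, may be null or empty
         * @throws UnsupportedCallbackException declared by the interface, never thrown here
         */
        @Override
        public void handle(Callback[] callbackArr) throws UnsupportedCallbackException {
            if (callbackArr == null || callbackArr.length == 0) {
                return;
            }
            for (Callback callback : callbackArr) {
                if (callback instanceof NameCallback) {
                    ((NameCallback) callback).setName(this.context.getTransformedUsername());
                } else if (callback instanceof PasswordCallback) {
                    // Each callback gets its own copy; the login module is responsible for clearing it.
                    // NOTE(review): assumes getPassword() is non-null here — confirm against the caller.
                    ((PasswordCallback) callback).setPassword(this.context.getPassword().toCharArray());
                }
            }
        }
    }

    /**
     * Gets the custom JAAS configuration type, if any.
     *
     * @return configuration type, or null to use the system configuration
     */
    @Nullable
    public String getLoginConfigType() {
        return this.loginConfigType;
    }

    /**
     * Sets the custom JAAS configuration type. Not allowed after initialization.
     *
     * @param str configuration type; trimmed, with blank values stored as null
     */
    public void setLoginConfigType(@Nullable String str) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.loginConfigType = StringSupport.trimOrNull(str);
    }

    /**
     * Gets the parameters for the custom JAAS configuration, if any.
     *
     * @return configuration parameters, or null
     */
    @Nullable
    public Configuration.Parameters getLoginConfigParameters() {
        return this.loginConfigParameters;
    }

    /**
     * Sets the configuration parameters from a URI. Not allowed after initialization.
     *
     * @param uri URI wrapped in a {@link URIParameter}, or null to clear the parameters
     */
    public void setLoginConfigParameters(@Nullable URI uri) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (uri != null) {
            this.loginConfigParameters = new URIParameter(uri);
        } else {
            this.loginConfigParameters = null;
        }
    }

    /**
     * Sets the resource used to derive the configuration parameters at init when none were set
     * explicitly. Not allowed after initialization.
     *
     * @param resource configuration resource, or null
     */
    public void setLoginConfigResource(@Nullable Resource resource) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.loginConfigResource = resource;
    }

    /**
     * Sets the static list of login configurations. Not allowed after initialization.
     *
     * <p>Each entry's name is trimmed and entries with a blank name are dropped. An empty or null
     * principal collection yields a null Subject; otherwise a new Subject holding those principals
     * is stored. Passing null leaves the current value untouched.</p>
     *
     * @param collection pairs of application name and principals to attach on success, or null
     */
    public void setLoginConfigurations(@Nullable Collection<Pair<String, Collection<Principal>>> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        if (collection != null) {
            this.loginConfigurations = new ArrayList<>(collection.size());
            for (Pair<String, Collection<Principal>> pair : collection) {
                String trimOrNull = StringSupport.trimOrNull(pair.getFirst());
                if (trimOrNull != null) {
                    if (pair.getSecond() == null || pair.getSecond().isEmpty()) {
                        this.loginConfigurations.add(new Pair<>(trimOrNull, null));
                    } else {
                        Subject subject = new Subject();
                        subject.getPrincipals().addAll(pair.getSecond());
                        this.loginConfigurations.add(new Pair<>(trimOrNull, subject));
                    }
                }
            }
        }
    }

    /**
     * Sets the application names used to build the default configurations at init.
     * Not allowed after initialization.
     *
     * @param collection application names, normalized via {@link StringSupport#normalizeStringCollection}
     */
    public void setLoginConfigNames(@NonnullElements @Nullable Collection<String> collection) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.loginConfigNames = StringSupport.normalizeStringCollection(collection);
    }

    /**
     * Sets a per-request strategy that supplies the configurations to try, overriding the static
     * list. Not allowed after initialization.
     *
     * @param function strategy function, or null to use the static list
     */
    public void setLoginConfigStrategy(@Nullable Function<ProfileRequestContext, Collection<Pair<String, Subject>>> function) {
        ComponentSupport.ifInitializedThrowUnmodifiabledComponentException(this);
        this.loginConfigStrategy = function;
    }

    /**
     * Completes configuration.
     *
     * <p>If neither a strategy nor explicit configurations were supplied, one configuration with a
     * null Subject is created per entry in {@link #loginConfigNames}. If a custom configuration type
     * is set without explicit parameters, they are derived from the resource's URI.</p>
     *
     * @throws ComponentInitializationException if a custom type is set but neither parameters nor a
     *         resource were supplied, or the resource's URI cannot be obtained
     */
    @Override
    public void doInitialize() throws ComponentInitializationException {
        super.doInitialize();
        if (this.loginConfigStrategy == null && this.loginConfigurations.isEmpty()) {
            this.loginConfigurations = new ArrayList<>(this.loginConfigNames.size());
            for (String name : this.loginConfigNames) {
                this.loginConfigurations.add(new Pair<>(name, null));
            }
        }
        // Without a custom type the system JAAS configuration is used, so resource/parameters are irrelevant.
        if (this.loginConfigType == null || this.loginConfigParameters != null) {
            return;
        }
        if (this.loginConfigResource == null) {
            throw new ComponentInitializationException("No login configuration resource or parameters supplied");
        }
        try {
            this.loginConfigParameters = new URIParameter(this.loginConfigResource.getURI());
        } catch (IOException e) {
            throw new ComponentInitializationException("Invalid login configuration resource", e);
        }
    }

    /**
     * Tries each acceptable login configuration in turn and returns the first authenticated subject.
     *
     * <p>Configurations are filtered through the superclass {@code isAcceptable} check against the
     * {@link RequestedPrincipalContext}. A {@link LoginException} is reported to the error handler
     * as {@link AuthnEventIds#INVALID_CREDENTIALS}; any other exception as
     * {@link AuthnEventIds#AUTHN_EXCEPTION}. Failures do not stop the loop; the last exception seen
     * is rethrown once every configuration has been tried.</p>
     *
     * @param profileRequestContext current profile request context
     * @param authenticationContext current authentication context
     * @param usernamePasswordContext credentials to validate
     * @param warningHandler unused by this validator
     * @param errorHandler receives each failure, may be null
     * @return the populated subject on success, or null if no configuration was acceptable
     * @throws Exception the last exception raised by a failed login attempt
     */
    @Override
    @Nullable
    protected Subject doValidate(@Nonnull ProfileRequestContext profileRequestContext, @Nonnull AuthenticationContext authenticationContext, @Nonnull UsernamePasswordContext usernamePasswordContext, @Nullable CredentialValidator.WarningHandler warningHandler, @Nullable CredentialValidator.ErrorHandler errorHandler) throws Exception {
        RequestedPrincipalContext requestedPrincipalContext = (RequestedPrincipalContext) authenticationContext.getSubcontext(RequestedPrincipalContext.class);
        Exception exc = null;
        for (Pair<String, Subject> pair : this.loginConfigStrategy != null ? this.loginConfigStrategy.apply(profileRequestContext) : this.loginConfigurations) {
            if (isAcceptable(requestedPrincipalContext, pair.getSecond(), pair.getFirst())) {
                String first = pair.getFirst();
                try {
                    this.log.debug("{} Attempting to authenticate user '{}' via '{}'", getLogPrefix(), usernamePasswordContext.getTransformedUsername(), first);
                    Subject authenticate = authenticate(first, usernamePasswordContext);
                    this.log.info("{} Login by '{}' via '{}' succeeded", getLogPrefix(), usernamePasswordContext.getTransformedUsername(), first);
                    return populateSubject(authenticate, pair.getSecond(), usernamePasswordContext);
                } catch (LoginException e) {
                    // Bad credentials: recorded, then the next configuration is tried.
                    this.log.info("{} Login by '{}' via '{}' failed", getLogPrefix(), usernamePasswordContext.getTransformedUsername(), first, e);
                    if (errorHandler != null) {
                        errorHandler.handleError(profileRequestContext, authenticationContext, e, AuthnEventIds.INVALID_CREDENTIALS);
                    }
                    exc = e;
                } catch (Exception e2) {
                    // Anything else is an operational fault rather than a credential failure.
                    this.log.warn("{} Login by '{}' via '{}' produced exception", getLogPrefix(), usernamePasswordContext.getTransformedUsername(), first, e2);
                    if (errorHandler != null) {
                        errorHandler.handleError(profileRequestContext, authenticationContext, e2, AuthnEventIds.AUTHN_EXCEPTION);
                    }
                    exc = e2;
                }
            }
        }
        if (exc != null) {
            throw exc;
        }
        this.log.info("{} No JAAS application configurations are available or acceptable for use", getLogPrefix());
        return null;
    }

    /**
     * Runs a JAAS login against the named application configuration.
     *
     * <p>Uses a custom {@link Configuration} built from the configured type and parameters when a
     * type is set, otherwise the system JAAS configuration. The {@link LoginContext} is created with
     * no initial Subject and a {@link SimpleCallbackHandler} over the supplied credentials.</p>
     *
     * @param str JAAS application name
     * @param usernamePasswordContext credentials to supply via callbacks
     * @return the subject produced by the login modules
     * @throws LoginException if the login fails
     * @throws NoSuchAlgorithmException if the custom configuration type cannot be instantiated
     */
    @Nonnull
    private Subject authenticate(@NotEmpty @Nonnull String str, @Nonnull UsernamePasswordContext usernamePasswordContext) throws LoginException, NoSuchAlgorithmException {
        LoginContext loginContext;
        if (getLoginConfigType() != null) {
            // Parameters are guaranteed non-null here by doInitialize() whenever a type is set.
            this.log.debug("{} Using custom JAAS configuration type {} with parameters of type {}", getLogPrefix(), getLoginConfigType(), getLoginConfigParameters().getClass().getName());
            loginContext = new LoginContext(str, (Subject) null, new SimpleCallbackHandler(usernamePasswordContext), Configuration.getInstance(getLoginConfigType(), getLoginConfigParameters()));
        } else {
            this.log.debug("{} Using system JAAS configuration", getLogPrefix());
            loginContext = new LoginContext(str, (Subject) null, new SimpleCallbackHandler(usernamePasswordContext));
        }
        loginContext.login();
        return loginContext.getSubject();
    }

    /**
     * Merges the principals of the configuration's Subject into the authenticated Subject, then
     * delegates to the superclass for the remaining population.
     *
     * @param subject subject returned by the JAAS login
     * @param subject2 optional Subject attached to the matching configuration
     * @param usernamePasswordContext credentials that were validated
     * @return the populated subject
     */
    @Nonnull
    protected Subject populateSubject(@Nonnull Subject subject, @Nullable Subject subject2, @Nonnull UsernamePasswordContext usernamePasswordContext) {
        if (subject2 != null) {
            subject.getPrincipals().addAll(subject2.getPrincipals());
        }
        return super.populateSubject(subject, usernamePasswordContext);
    }
}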
