package org.jboss.wsf.stack.cxf.security.authentication;

import java.io.ByteArrayOutputStream;
import java.io.UnsupportedEncodingException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedAction;
import java.util.Base64;
import java.util.Calendar;
import java.util.TimeZone;
import java.util.function.BooleanSupplier;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.cxf.common.security.SimplePrincipal;
import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.security.plugins.JBossAuthenticationManager;
import org.jboss.ws.common.utils.DelegateClassLoader;
import org.jboss.wsf.spi.classloading.ClassLoaderProvider;
import org.jboss.wsf.spi.security.SecurityDomainContext;
import org.jboss.wsf.stack.cxf.i18n.Loggers;
import org.jboss.wsf.stack.cxf.i18n.Messages;
import org.jboss.wsf.stack.cxf.security.authentication.callback.UsernameTokenCallbackHandler;
import org.jboss.wsf.stack.cxf.security.nonce.NonceStore;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.password.interfaces.ClearPassword;

/* loaded from: input_file:org/jboss/wsf/stack/cxf/security/authentication/SubjectCreator.class */
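/**
 * Builds an authenticated {@link Subject} from WS-Security UsernameToken credentials.
 * <p>
 * Two back ends are supported: a legacy {@link JBossAuthenticationManager}, and a
 * {@link SecurityDomainContext} that may expose an Elytron {@link SecurityDomain}.
 * When an Elytron identity with a retrievable clear-text password is available, a
 * PasswordDigest token is verified locally by recomputing the digest
 * ({@link #getUsernameTokenPasswordDigest}); otherwise validation is delegated to the
 * back end's {@code isValid}, with nonce and creation time made available through
 * {@link CallbackHandlerPolicyContextHandler} while it runs.
 * <p>
 * For digest tokens {@link #verifyUsernameToken} rejects creation timestamps older than
 * {@code timestampThreshold} seconds and, when a {@link NonceStore} is configured,
 * nonces that were already seen. The setters write plain fields and are not synchronized.
 */
public class SubjectCreator {
    /** Default maximum age, in seconds, of a token's {@code Created} timestamp. */
    private static final int TIMESTAMP_FRESHNESS_THRESHOLD = 300;
    /** Identity class name that marks an Elytron identity backed by the legacy PicketBox realm. */
    private static final String PICKETBOX_IDENTITY_CLASS =
            "org.jboss.as.security.elytron.SecurityDomainContextRealm$PicketBoxBasedIdentity";
    // When true, the SecurityDomainContext variant pushes the authenticated subject into the security context
    private boolean propagateContext;
    // Replay protection for digest tokens; null disables the nonce check
    private NonceStore nonceStore;
    // Maximum accepted age of the Created timestamp, in seconds
    private int timestampThreshold = TIMESTAMP_FRESHNESS_THRESHOLD;
    // Handed to UsernameTokenCallbackHandler unchanged; its meaning is defined there
    private boolean decodeNonce = true;

    /**
     * Authenticates against a legacy authentication manager; the raw nonce bytes are
     * converted to text first (see {@link #convertNonce(byte[])}).
     *
     * @param authenticationManager legacy security domain
     * @param username              token username
     * @param password              password or PasswordDigest value as presented in the token
     * @param isDigest              {@code true} when the token carries a PasswordDigest
     * @param nonce                 raw nonce bytes, may be {@code null}
     * @param created               token creation time (xsd:dateTime text), may be {@code null}
     * @return the authenticated subject
     */
    public Subject createSubject(JBossAuthenticationManager authenticationManager, String username, String password,
            boolean isDigest, byte[] nonce, String created) {
        return createSubject(authenticationManager, username, password, isDigest, convertNonce(nonce), created);
    }

    /**
     * Authenticates against a legacy authentication manager.
     * <p>
     * For digest tokens the nonce and creation time are verified first and then made available
     * through {@link CallbackHandlerPolicyContextHandler} for the duration of {@code isValid}.
     * {@code isValid} runs with the server-integration delegate class loader installed as the
     * thread context class loader. Unlike the {@link SecurityDomainContext} variant, this method
     * never propagates the security context.
     *
     * @param authenticationManager legacy security domain
     * @param username              token username
     * @param password              password or PasswordDigest value as presented in the token
     * @param isDigest              {@code true} when the token carries a PasswordDigest
     * @param nonce                 nonce text, may be {@code null}
     * @param created               token creation time (xsd:dateTime text), may be {@code null}
     * @return the authenticated subject
     * @throws RuntimeException the {@link Messages#MESSAGES} failures for a stale timestamp,
     *                          a replayed nonce or rejected credentials
     */
    public Subject createSubject(JBossAuthenticationManager authenticationManager, String username, String password,
            boolean isDigest, String nonce, String created) {
        if (isDigest) {
            verifyUsernameToken(nonce, created);
            CallbackHandlerPolicyContextHandler.setCallbackHandler(
                    new UsernameTokenCallbackHandler(nonce, created, this.decodeNonce));
        }
        // Everything after the handler is installed runs inside try/finally so the thread-bound
        // handler is cleared even when principal construction or trace logging fails
        try {
            SimplePrincipal principal = new SimplePrincipal(username);
            Subject subject = new Subject();
            boolean trace = Loggers.SECURITY_LOGGER.isTraceEnabled();
            if (trace) {
                Loggers.SECURITY_LOGGER.aboutToAuthenticate(authenticationManager.getSecurityDomain());
            }
            if (!validateWithIntegrationClassLoader(() -> authenticationManager.isValid(principal, password, subject))) {
                throw Messages.MESSAGES.authenticationFailed(principal.getName());
            }
            if (trace) {
                Loggers.SECURITY_LOGGER.authenticated(username);
            }
            return subject;
        } finally {
            if (isDigest) {
                CallbackHandlerPolicyContextHandler.setCallbackHandler((CallbackHandler) null);
            }
        }
    }

    /**
     * Authenticates against a security domain context; the raw nonce bytes are converted
     * to text first (see {@link #convertNonce(byte[])}).
     *
     * @param securityDomainContext security domain, possibly exposing an Elytron domain
     * @param username              token username
     * @param password              password or PasswordDigest value as presented in the token
     * @param isDigest              {@code true} when the token carries a PasswordDigest
     * @param nonce                 raw nonce bytes, may be {@code null}
     * @param created               token creation time (xsd:dateTime text), may be {@code null}
     * @return the authenticated subject
     */
    public Subject createSubject(SecurityDomainContext securityDomainContext, String username, String password,
            boolean isDigest, byte[] nonce, String created) {
        return createSubject(securityDomainContext, username, password, isDigest, convertNonce(nonce), created);
    }

    /**
     * Authenticates against a security domain context.
     * <p>
     * If the context exposes an Elytron domain and that domain yields an identity that is not
     * backed by PicketBox, the token is checked against the identity's clear-text password
     * ({@link #authenticateWithElytronIdentity}); otherwise the context's {@code isValid} is
     * used ({@link #authenticateWithLegacyDomain}). On success the subject is optionally
     * pushed into the security context (see {@link #setPropagateContext(boolean)}).
     *
     * @param securityDomainContext security domain, possibly exposing an Elytron domain
     * @param username              token username
     * @param password              password or PasswordDigest value as presented in the token
     * @param isDigest              {@code true} when the token carries a PasswordDigest
     * @param nonce                 nonce text, may be {@code null}
     * @param created               token creation time (xsd:dateTime text), may be {@code null}
     * @return the authenticated subject
     * @throws RuntimeException the {@link Messages#MESSAGES} failures for a stale timestamp,
     *                          a replayed nonce, an unavailable realm or rejected credentials
     */
    public Subject createSubject(SecurityDomainContext securityDomainContext, String username, String password,
            boolean isDigest, String nonce, String created) {
        if (isDigest) {
            verifyUsernameToken(nonce, created);
        }
        SimplePrincipal principal = new SimplePrincipal(username);
        Subject subject = new Subject();
        SecurityDomain elytronDomain = securityDomainContext.getElytronSecurityDomain();
        boolean trace = Loggers.SECURITY_LOGGER.isTraceEnabled();
        if (trace) {
            Loggers.SECURITY_LOGGER.aboutToAuthenticate(securityDomainContext.getSecurityDomain());
        }
        RealmIdentity identity = lookupIdentity(elytronDomain, principal);
        if (identity == null || isPicketBoxBackedIdentity(identity)) {
            authenticateWithLegacyDomain(securityDomainContext, principal, password, subject, isDigest, nonce, created);
        } else {
            authenticateWithElytronIdentity(securityDomainContext, identity, principal, password, subject,
                    isDigest, nonce, created);
        }
        if (trace) {
            Loggers.SECURITY_LOGGER.authenticated(username);
        }
        if (this.propagateContext) {
            // The credential pushed is the value presented in the token (digest or clear password)
            securityDomainContext.pushSubjectContext(subject, principal, password);
            if (trace) {
                Loggers.SECURITY_LOGGER.securityContextPropagated(username);
            }
        }
        return subject;
    }

    /**
     * Looks the principal up in the Elytron domain.
     *
     * @return the realm identity, or {@code null} when no Elytron domain is configured
     * @throws RuntimeException {@code authenticationFailed} when the realm is unavailable; the
     *                          underlying cause is deliberately not exposed to the caller
     */
    private static RealmIdentity lookupIdentity(SecurityDomain elytronDomain, SimplePrincipal principal) {
        if (elytronDomain == null) {
            return null;
        }
        try {
            return elytronDomain.getIdentity(principal.getName());
        } catch (RealmUnavailableException e) {
            throw Messages.MESSAGES.authenticationFailed(principal.getName());
        }
    }

    /** An identity bridged from the legacy PicketBox realm cannot be verified locally; it goes through isValid. */
    private static boolean isPicketBoxBackedIdentity(RealmIdentity identity) {
        return PICKETBOX_IDENTITY_CLASS.equals(identity.getClass().getName());
    }

    /**
     * Validates through {@code securityDomainContext.isValid}, with the nonce and creation time
     * made available through {@link CallbackHandlerPolicyContextHandler} for digest tokens and
     * the server-integration class loader installed as context class loader.
     */
    private void authenticateWithLegacyDomain(SecurityDomainContext securityDomainContext, SimplePrincipal principal,
            String password, Subject subject, boolean isDigest, String nonce, String created) {
        if (isDigest) {
            CallbackHandlerPolicyContextHandler.setCallbackHandler(
                    new UsernameTokenCallbackHandler(nonce, created, this.decodeNonce));
        }
        try {
            if (!validateWithIntegrationClassLoader(() -> securityDomainContext.isValid(principal, password, subject))) {
                throw Messages.MESSAGES.authenticationFailed(principal.getName());
            }
        } finally {
            if (isDigest) {
                // Thread-bound state: always clear it so a later request on this thread cannot observe it
                CallbackHandlerPolicyContextHandler.setCallbackHandler((CallbackHandler) null);
            }
        }
    }

    /**
     * Validates against an Elytron identity that is expected to expose a clear-text password.
     * <p>
     * For a digest token with both nonce and creation time present, the PasswordDigest is
     * recomputed from the realm password and compared in constant time, after which the realm
     * password is passed to {@code isValid}. In every other case the presented value is passed
     * to {@code isValid} unchanged.
     *
     * @throws RuntimeException {@code authenticationFailed} for a non-existent identity, a missing
     *                          or non-clear password credential, an unavailable realm, a digest
     *                          mismatch or a rejected {@code isValid}
     */
    private static void authenticateWithElytronIdentity(SecurityDomainContext securityDomainContext,
            RealmIdentity identity, SimplePrincipal principal, String password, Subject subject,
            boolean isDigest, String nonce, String created) {
        try {
            if (identity.equals(RealmIdentity.NON_EXISTENT)) {
                throw Messages.MESSAGES.authenticationFailed(principal.getName());
            }
            PasswordCredential credential = identity.getCredential(PasswordCredential.class);
            // getCredential may return null when the identity holds no password credential; without
            // this check the failure surfaced as a NullPointerException instead of authenticationFailed
            ClearPassword clearPassword = credential == null ? null : credential.getPassword(ClearPassword.class);
            if (clearPassword == null) {
                throw Messages.MESSAGES.authenticationFailed(principal.getName());
            }
            // Held as a String (cannot be zeroed afterwards) because the validation APIs below take String credentials
            String realmPassword = new String(clearPassword.getPassword());
            if (isDigest && nonce != null && created != null) {
                if (!digestMatches(getUsernameTokenPasswordDigest(nonce, created, realmPassword), password)) {
                    throw Messages.MESSAGES.authenticationFailed(principal.getName());
                }
                if (!securityDomainContext.isValid(principal, realmPassword, subject)) {
                    throw Messages.MESSAGES.authenticationFailed(principal.getName());
                }
            } else if (!securityDomainContext.isValid(principal, password, subject)) {
                throw Messages.MESSAGES.authenticationFailed(principal.getName());
            }
        } catch (RealmUnavailableException e) {
            throw Messages.MESSAGES.authenticationFailed(principal.getName());
        }
    }

    /**
     * Runs a validation with the server-integration delegate class loader installed as the
     * thread context class loader, restoring the previous loader afterwards.
     *
     * @return the validation result
     */
    private static boolean validateWithIntegrationClassLoader(BooleanSupplier validation) {
        ClassLoader original = SecurityActions.getContextClassLoader();
        SecurityActions.setContextClassLoader(createDelegateClassLoader(
                ClassLoaderProvider.getDefaultProvider().getServerIntegrationClassLoader(), original));
        try {
            return validation.getAsBoolean();
        } finally {
            SecurityActions.setContextClassLoader(original);
        }
    }

    /**
     * Compares a computed digest with the presented one without short-circuiting on the first
     * differing character ({@link MessageDigest#isEqual} is constant-time for equal-length inputs).
     *
     * @return {@code true} only if {@code presented} is non-null and equal to {@code expected}
     */
    private static boolean digestMatches(String expected, String presented) {
        if (presented == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Converts raw nonce bytes to text. The nonce string is later Base64-decoded
     * (see {@link #getUsernameTokenPasswordDigest}), so it is ASCII and UTF-8 decoding is lossless.
     *
     * @return the nonce text, or {@code null} when {@code nonceBytes} is {@code null}
     */
    private static String convertNonce(byte[] nonceBytes) {
        return nonceBytes == null ? null : new String(nonceBytes, StandardCharsets.UTF_8);
    }

    /**
     * Rejects stale or replayed digest tokens.
     * <p>
     * When {@code created} is present it must not be older than {@code timestampThreshold}
     * seconds; only staleness is checked, a creation time in the future is accepted. When a
     * nonce and a {@link NonceStore} are both present, a nonce already in the store is rejected
     * and a new one is recorded.
     *
     * @param nonce   nonce text, may be {@code null}
     * @param created token creation time (xsd:dateTime text), may be {@code null}
     * @throws RuntimeException {@code requestRejectedTimeStamp}, {@code requestRejectedSameNonce} or
     *                          the date-parsing failures of {@link #unmarshalDateTime}
     */
    protected void verifyUsernameToken(String nonce, String created) {
        if (created != null) {
            Calendar createdAt = unmarshalDateTime(created);
            Calendar oldestAccepted = Calendar.getInstance();
            oldestAccepted.add(Calendar.SECOND, -this.timestampThreshold);
            if (oldestAccepted.after(createdAt)) {
                throw Messages.MESSAGES.requestRejectedTimeStamp(created);
            }
        }
        if (nonce == null || this.nonceStore == null) {
            return;
        }
        // NOTE(review): hasNonce/putNonce is a check-then-act pair; unless NonceStore serialises it
        // internally, two concurrent requests presenting the same nonce can both pass — confirm against
        // the store implementation
        if (this.nonceStore.hasNonce(nonce)) {
            throw Messages.MESSAGES.requestRejectedSameNonce(nonce);
        }
        this.nonceStore.putNonce(nonce);
    }

    /** Controls whether the {@link SecurityDomainContext} variant pushes the subject into the security context. */
    public void setPropagateContext(boolean propagateContext) {
        this.propagateContext = propagateContext;
    }

    /** Sets the maximum accepted age of a token's {@code Created} timestamp, in seconds. */
    public void setTimestampThreshold(int timestampThreshold) {
        this.timestampThreshold = timestampThreshold;
    }

    /** Sets the nonce store used for replay detection; {@code null} disables the nonce check. */
    public void setNonceStore(NonceStore nonceStore) {
        this.nonceStore = nonceStore;
    }

    /** Sets the flag handed to {@link UsernameTokenCallbackHandler} for digest tokens. */
    public void setDecodeNonce(boolean decodeNonce) {
        this.decodeNonce = decodeNonce;
    }

    /**
     * Creates the delegate class loader used while validating, inside a privileged action when a
     * security manager is installed (class loader creation is a privileged operation then).
     *
     * @param integrationLoader server-integration class loader (the delegate)
     * @param contextLoader     the current thread context class loader
     */
    private static DelegateClassLoader createDelegateClassLoader(final ClassLoader integrationLoader,
            final ClassLoader contextLoader) {
        if (System.getSecurityManager() == null) {
            return new DelegateClassLoader(integrationLoader, contextLoader);
        }
        return AccessController.doPrivileged(
                (PrivilegedAction<DelegateClassLoader>) () -> new DelegateClassLoader(integrationLoader, contextLoader));
    }

    /**
     * Parses an xsd:dateTime value of the form {@code [-]yyyy-mm-ddThh:mm:ss[.fff][Z|+hh:mm|-hh:mm]}.
     * Without a zone designator the value is interpreted in the default time zone.
     *
     * @throws RuntimeException the {@code invalid...Format} failures of {@link Messages#MESSAGES};
     *                          non-numeric digits still surface as {@link NumberFormatException}
     */
    private static Calendar unmarshalDateTime(String value) {
        Calendar calendar = Calendar.getInstance();
        calendar.clear();
        int pos = parseDate(value, 0, calendar);
        if (pos >= value.length()) {
            // A bare date with no time part is reported as malformed rather than as an index exception
            throw Messages.MESSAGES.invalidDateValueFormat(value);
        }
        if (value.charAt(pos) != 'T') {
            throw Messages.MESSAGES.invalidDateTimeFormat(value.charAt(pos));
        }
        pos = parseTime(value, pos + 1, calendar);
        if (value.length() > pos) {
            // Applied after the fields on purpose: Calendar interprets fields set before setTimeZone()
            // in the new zone when it next computes the time
            calendar.setTimeZone(parseTimeZone(value, pos));
        }
        return calendar;
    }

    /**
     * Parses {@code [-]yyyy-mm-dd} starting at {@code start} into the calendar's year, month and day.
     * A leading sign is skipped and dropped (the year is parsed unsigned); the year needs at least
     * four digits, the month at least two, the day exactly two.
     *
     * @return the index just past the day
     */
    private static int parseDate(String value, int start, Calendar calendar) {
        int pos = start;
        if (pos < value.length() && value.charAt(pos) == '-') {
            pos++;
        }
        if (pos >= value.length() || !Character.isDigit(value.charAt(pos))) {
            throw Messages.MESSAGES.invalidDateValueFormat(value);
        }
        int yearEnd = value.indexOf('-', pos);
        if (yearEnd == -1 || yearEnd - pos < 4) {
            throw Messages.MESSAGES.invalidDateValueFormat(value);
        }
        int year = Integer.parseInt(value.substring(pos, yearEnd));
        int monthStart = yearEnd + 1;
        int monthEnd = value.indexOf('-', monthStart);
        if (monthEnd == -1 || monthEnd - monthStart < 2) {
            throw Messages.MESSAGES.invalidDateValueFormat(value);
        }
        int month = Integer.parseInt(value.substring(monthStart, monthEnd));
        int dayStart = monthEnd + 1;
        int dayEnd = dayStart + 2;
        if (dayEnd > value.length()) {
            // Truncated day: report the domain error instead of StringIndexOutOfBoundsException
            throw Messages.MESSAGES.invalidDateValueFormat(value);
        }
        int day = Integer.parseInt(value.substring(dayStart, dayEnd));
        calendar.set(Calendar.YEAR, year);
        calendar.set(Calendar.MONTH, month - 1); // Calendar months are zero-based
        calendar.set(Calendar.DAY_OF_MONTH, day);
        return dayEnd;
    }

    /**
     * Parses {@code hh:mm:ss[.fff...]} starting at {@code start} into the calendar's time fields.
     * Fraction digits beyond the third are consumed but ignored (truncation, not rounding).
     *
     * @return the index just past the seconds or the fraction
     */
    private static int parseTime(String value, int start, Calendar calendar) {
        // hh:mm:ss needs eight characters; checking the length up front turns a truncated value into
        // the domain error instead of StringIndexOutOfBoundsException
        if (value.length() < start + 8 || value.charAt(start + 2) != ':' || value.charAt(start + 5) != ':') {
            throw Messages.MESSAGES.invalidTimeValueFormat(value);
        }
        int hour = Integer.parseInt(value.substring(start, start + 2));
        int minute = Integer.parseInt(value.substring(start + 3, start + 5));
        int second = Integer.parseInt(value.substring(start + 6, start + 8));
        int pos = start + 8;
        int millis = 0;
        if (pos < value.length() && value.charAt(pos) == '.') {
            int weight = 100;
            pos++;
            while (pos < value.length() && Character.isDigit(value.charAt(pos))) {
                if (weight != 0) {
                    millis += Character.digit(value.charAt(pos), 10) * weight;
                    weight = weight == 1 ? 0 : weight / 10;
                }
                pos++;
            }
        }
        calendar.set(Calendar.HOUR_OF_DAY, hour);
        calendar.set(Calendar.MINUTE, minute);
        calendar.set(Calendar.SECOND, second);
        calendar.set(Calendar.MILLISECOND, millis);
        return pos;
    }

    /**
     * Parses the zone designator at {@code start}: {@code Z}, or exactly {@code +hh:mm} / {@code -hh:mm}
     * running to the end of the value.
     *
     * @throws RuntimeException {@code invalidTimeZoneValueFormat} for any other form
     */
    private static TimeZone parseTimeZone(String value, int start) {
        char designator = value.charAt(start);
        if (designator == 'Z') {
            return TimeZone.getTimeZone("GMT");
        }
        if (designator != '+' && designator != '-') {
            throw Messages.MESSAGES.invalidTimeZoneValueFormat(value.substring(start));
        }
        boolean wellFormed = value.length() - start == 6
                && Character.isDigit(value.charAt(start + 1))
                && Character.isDigit(value.charAt(start + 2))
                && value.charAt(start + 3) == ':'
                && Character.isDigit(value.charAt(start + 4))
                && Character.isDigit(value.charAt(start + 5));
        if (!wellFormed) {
            throw Messages.MESSAGES.invalidTimeZoneValueFormat(value.substring(start));
        }
        // Shape is validated above, not the range: TimeZone.getTimeZone falls back to GMT for an
        // offset it cannot understand rather than rejecting it
        return TimeZone.getTimeZone("GMT" + value.substring(start));
    }

    /**
     * Computes the WS-Security UsernameToken PasswordDigest,
     * {@code Base64(SHA-1(nonce + created + password))}, with the nonce Base64-decoded and the
     * other two parts UTF-8 encoded. SHA-1 is fixed by the UsernameToken Profile digest formula,
     * not a local choice.
     *
     * @param nonce    Base64 nonce text
     * @param created  creation time text exactly as it appeared in the token
     * @param password clear-text password from the realm
     * @return the Base64 digest
     * @throws IllegalArgumentException if {@code nonce} is not valid Base64
     */
    private static String getUsernameTokenPasswordDigest(String nonce, String created, String password) {
        byte[] nonceBytes = Base64.getDecoder().decode(nonce);
        byte[] createdBytes = created.getBytes(StandardCharsets.UTF_8);
        byte[] passwordBytes = password.getBytes(StandardCharsets.UTF_8);
        // Sized to the input instead of a fixed 1000-byte buffer, so oversized tokens cannot trigger BufferOverflowException
        ByteArrayOutputStream digestInput =
                new ByteArrayOutputStream(nonceBytes.length + createdBytes.length + passwordBytes.length);
        digestInput.write(nonceBytes, 0, nonceBytes.length);
        digestInput.write(createdBytes, 0, createdBytes.length);
        digestInput.write(passwordBytes, 0, passwordBytes.length);
        return Base64.getEncoder().encodeToString(DigestUtils.sha(digestInput.toByteArray()));
    }
}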
