package org.wildfly.security.auth.realm.ldap;

import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.util.Collection;
import java.util.function.Supplier;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.NoSuchAttributeException;
import org.wildfly.common.Assert;
import org.wildfly.common.codec.Base64Alphabet;
import org.wildfly.common.iteration.ByteIterator;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.password.Password;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.interfaces.OneTimePassword;
import org.wildfly.security.password.spec.OneTimePasswordSpec;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:wildfly.zip:modules/system/layers/base/org/wildfly/security/elytron-private/main/wildfly-elytron-realm-ldap-1.14.1.Final.jar:org/wildfly/security/auth/realm/ldap/OtpCredentialLoader.class */
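/**
 * Loads and persists one-time-password (OTP) credentials stored as four LDAP attributes on an
 * identity entry: the OTP algorithm name, the base64-encoded hash, the seed and the sequence
 * number.
 *
 * <p>The decompiled original contained a hash-code based string switch that no longer compiled
 * ({@code boolean z = -1}, duplicate {@code case true}) and a {@code NamingException} handler
 * placed before its {@code NoSuchAttributeException} sub-type; both are restored to their source
 * form here. Attribute names are fixed at construction and never null.
 */
public class OtpCredentialLoader implements CredentialPersister {
    private final String algorithmAttributeName;
    private final String hashAttributeName;
    private final String seedAttributeName;
    private final String sequenceAttributeName;

    /**
     * Credential loader/persister bound to a single directory entry.
     *
     * <p>Reads come from the {@link Attributes} snapshot handed in at construction; writes go
     * through the {@link DirContext} against the entry's distinguished name.
     */
    public class ForIdentityLoader implements IdentityCredentialPersister {
        private final DirContext context;
        private final String distinguishedName;
        private final Attributes attributes;

        /**
         * @param dirContext the directory context used for modifications
         * @param str the distinguished name of the identity entry
         * @param attributes the already-fetched attributes of that entry
         */
        public ForIdentityLoader(DirContext dirContext, String str, Attributes attributes) {
            this.context = dirContext;
            this.distinguishedName = str;
            this.attributes = attributes;
        }

        /**
         * Reports {@link SupportLevel#SUPPORTED} only for {@link PasswordCredential} when all four
         * OTP attributes are present on the entry and, if an algorithm name is given, the
         * algorithm attribute lists it.
         *
         * @param cls the requested credential type; only {@code PasswordCredential.class} is supported
         * @param str the algorithm name to match, or {@code null} for any
         * @param algorithmParameterSpec unused
         * @param supplier unused
         * @return {@code SUPPORTED} or {@code UNSUPPORTED}; never {@code POSSIBLY_SUPPORTED}
         */
        @Override // org.wildfly.security.auth.realm.ldap.IdentityCredentialLoader
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec, Supplier<Provider[]> supplier) {
            if (cls != PasswordCredential.class) {
                return SupportLevel.UNSUPPORTED;
            }
            Attribute algorithmAttribute = attributes.get(algorithmAttributeName);
            boolean allPresent = algorithmAttribute != null
                    && attributes.get(hashAttributeName) != null
                    && attributes.get(seedAttributeName) != null
                    && attributes.get(sequenceAttributeName) != null;
            if (!allPresent) {
                return SupportLevel.UNSUPPORTED;
            }
            // A requested algorithm narrows support to entries whose algorithm attribute lists it.
            return (str == null || algorithmAttribute.contains(str)) ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
        }

        /**
         * Builds a {@link PasswordCredential} wrapping an {@link OneTimePassword} from the entry's
         * attributes.
         *
         * <p>Returns {@code null} whenever the credential cannot be produced: wrong credential type,
         * a missing attribute, an algorithm mismatch, a non-string attribute value, no password
         * factory for the algorithm, or malformed attribute content (bad base64 hash or a
         * non-numeric sequence number). Failures are only visible at TRACE level; the log line
         * carries the credential type and DN, never attribute values.
         *
         * @param cls the requested credential type; only {@code PasswordCredential.class} yields a result
         * @param str the algorithm name to match, or {@code null} for any
         * @param algorithmParameterSpec unused
         * @param supplier providers consulted by {@link PasswordFactory#getInstance(String, Supplier)}
         * @return the credential, or {@code null} if it is unavailable
         */
        @Override // org.wildfly.security.auth.realm.ldap.IdentityCredentialLoader
        public <C extends Credential> C getCredential(Class<C> cls, String str, AlgorithmParameterSpec algorithmParameterSpec, Supplier<Provider[]> supplier) {
            if (cls != PasswordCredential.class) {
                return null;
            }
            try {
                Attribute algorithmAttribute = attributes.get(algorithmAttributeName);
                Attribute hashAttribute = attributes.get(hashAttributeName);
                Attribute seedAttribute = attributes.get(seedAttributeName);
                Attribute sequenceAttribute = attributes.get(sequenceAttributeName);
                if (algorithmAttribute == null || hashAttribute == null || seedAttribute == null || sequenceAttribute == null) {
                    return null;
                }
                if (str != null && !algorithmAttribute.contains(str)) {
                    return null;
                }
                String algorithm = singleStringValue(algorithmAttribute);
                String encodedHash = singleStringValue(hashAttribute);
                String seed = singleStringValue(seedAttribute);
                String sequence = singleStringValue(sequenceAttribute);
                if (algorithm == null || encodedHash == null || seed == null || sequence == null) {
                    return null;
                }
                // Hash is stored base64 (standard alphabet, no padding requirement); seed and sequence are plain strings.
                byte[] hash = CodePointIterator.ofString(encodedHash).base64Decode(Base64Alphabet.STANDARD, false).drain();
                OneTimePasswordSpec spec = new OneTimePasswordSpec(hash, seed, Integer.parseInt(sequence));
                Password password = PasswordFactory.getInstance(algorithm, supplier).generatePassword(spec);
                // cls is exactly PasswordCredential.class at this point, so the cast cannot fail.
                return cls.cast(new PasswordCredential(password));
            } catch (NamingException | NoSuchAlgorithmException | InvalidKeySpecException | IllegalArgumentException e) {
                // IllegalArgumentException covers NumberFormatException from the sequence parse (and any
                // decode failure of the hash that surfaces as an IAE), so a corrupt entry degrades to
                // "no credential" instead of escaping as an unchecked exception.
                if (ElytronMessages.log.isTraceEnabled()) {
                    ElytronMessages.log.trace("Getting OTP credential of type " + cls.getName() + " failed. dn=" + distinguishedName, e);
                }
                return null;
            }
        }

        /**
         * Persist support mirrors the enclosing loader's acquire support for the given type and
         * algorithm.
         *
         * @return {@code true} when the enclosing loader reports the combination as at least possibly supported
         */
        @Override // org.wildfly.security.auth.realm.ldap.IdentityCredentialPersister
        public boolean getCredentialPersistSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) {
            return OtpCredentialLoader.this.getCredentialAcquireSupport(cls, str, algorithmParameterSpec).mayBeSupported();
        }

        /**
         * Replaces the four OTP attributes on the entry with the values of the given credential.
         *
         * <p>The credential must be a {@link PasswordCredential} holding an {@link OneTimePassword};
         * callers are expected to check {@link #getCredentialPersistSupport} first, as any other
         * credential yields a {@code null} password here and fails with a
         * {@code NullPointerException}.
         *
         * @param credential the OTP credential to store
         * @throws RealmUnavailableException if the directory modification fails
         */
        @Override // org.wildfly.security.auth.realm.ldap.IdentityCredentialPersister
        public void persistCredential(Credential credential) throws RealmUnavailableException {
            OneTimePassword oneTimePassword = credential.castAndApply(PasswordCredential.class,
                    passwordCredential -> passwordCredential.getPassword(OneTimePassword.class));
            try {
                BasicAttributes newAttributes = new BasicAttributes();
                newAttributes.put(algorithmAttributeName, oneTimePassword.getAlgorithm());
                newAttributes.put(hashAttributeName, ByteIterator.ofBytes(oneTimePassword.getHash()).base64Encode().drainToString());
                newAttributes.put(seedAttributeName, oneTimePassword.getSeed());
                newAttributes.put(sequenceAttributeName, Integer.toString(oneTimePassword.getSequenceNumber()));
                // REPLACE_ATTRIBUTE (2 in the decompiled call) overwrites any previous OTP state atomically per attribute.
                context.modifyAttributes(distinguishedName, DirContext.REPLACE_ATTRIBUTE, newAttributes);
            } catch (NamingException e) {
                throw ElytronMessages.log.ldapRealmCredentialPersistingFailed(credential.toString(), distinguishedName, e);
            }
        }

        /**
         * Removes the four OTP attributes from the entry.
         *
         * <p>An entry that has no such attributes is not an error: the directory's
         * {@link NoSuchAttributeException} is deliberately ignored.
         *
         * @throws RealmUnavailableException if any other directory error occurs
         */
        @Override // org.wildfly.security.auth.realm.ldap.IdentityCredentialPersister
        public void clearCredentials() throws RealmUnavailableException {
            BasicAttributes toRemove = new BasicAttributes();
            toRemove.put(new BasicAttribute(algorithmAttributeName));
            toRemove.put(new BasicAttribute(hashAttributeName));
            toRemove.put(new BasicAttribute(seedAttributeName));
            toRemove.put(new BasicAttribute(sequenceAttributeName));
            try {
                // REMOVE_ATTRIBUTE (3 in the decompiled call); value-less BasicAttribute removes the whole attribute.
                context.modifyAttributes(distinguishedName, DirContext.REMOVE_ATTRIBUTE, toRemove);
            } catch (NoSuchAttributeException ignored) {
                // Nothing to clear: the identity holds no OTP attributes.
            } catch (NamingException e) {
                throw ElytronMessages.log.ldapRealmCredentialClearingFailed(distinguishedName, e);
            }
        }
    }

    /**
     * @param str the name of the attribute holding the OTP algorithm
     * @param str2 the name of the attribute holding the base64-encoded hash
     * @param str3 the name of the attribute holding the seed
     * @param str4 the name of the attribute holding the sequence number
     * @throws IllegalArgumentException if any name is {@code null}
     */
    public OtpCredentialLoader(String str, String str2, String str3, String str4) {
        Assert.checkNotNullParam("algorithmAttributeName", str);
        Assert.checkNotNullParam("hashAttributeName", str2);
        Assert.checkNotNullParam("seedAttributeName", str3);
        Assert.checkNotNullParam("sequenceAttributeName", str4);
        this.algorithmAttributeName = str;
        this.hashAttributeName = str2;
        this.seedAttributeName = str3;
        this.sequenceAttributeName = str4;
    }

    /**
     * Returns the single value of an attribute if it is a {@link String}, otherwise {@code null}.
     *
     * @throws NamingException if the attribute value cannot be read
     */
    private static String singleStringValue(Attribute attribute) throws NamingException {
        Object value = attribute.get();
        return value instanceof String ? (String) value : null;
    }

    /**
     * Identity-independent support check.
     *
     * <p>{@link PasswordCredential} with no algorithm is {@code SUPPORTED}; one of the five OTP
     * algorithm names (including the MD5- and SHA-1-based variants) is only
     * {@code POSSIBLY_SUPPORTED}, since whether a matching entry and password factory exist is
     * decided per identity in {@link ForIdentityLoader}.
     *
     * @param cls the requested credential type
     * @param str the algorithm name, or {@code null}
     * @param algorithmParameterSpec unused
     */
    @Override // org.wildfly.security.auth.realm.ldap.CredentialLoader
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str, AlgorithmParameterSpec algorithmParameterSpec) {
        if (cls != PasswordCredential.class) {
            return SupportLevel.UNSUPPORTED;
        }
        if (str == null) {
            return SupportLevel.SUPPORTED;
        }
        switch (str) {
            case OneTimePassword.ALGORITHM_OTP_MD5:
            case OneTimePassword.ALGORITHM_OTP_SHA1:
            case OneTimePassword.ALGORITHM_OTP_SHA_256:
            case OneTimePassword.ALGORITHM_OTP_SHA_384:
            case OneTimePassword.ALGORITHM_OTP_SHA_512:
                return SupportLevel.POSSIBLY_SUPPORTED;
            default:
                return SupportLevel.UNSUPPORTED;
        }
    }

    /**
     * Binds this loader to one directory entry.
     *
     * @param dirContext the directory context used for modifications
     * @param str the entry's distinguished name
     * @param attributes the entry's already-fetched attributes
     */
    @Override // org.wildfly.security.auth.realm.ldap.CredentialPersister, org.wildfly.security.auth.realm.ldap.CredentialLoader
    public ForIdentityLoader forIdentity(DirContext dirContext, String str, Attributes attributes) {
        return new ForIdentityLoader(dirContext, str, attributes);
    }

    /**
     * Adds the four OTP attribute names so the realm fetches them with the identity entry.
     *
     * @param collection the attribute-name collection to extend
     */
    @Override // org.wildfly.security.auth.realm.ldap.CredentialLoader
    public void addRequiredIdentityAttributes(Collection<String> collection) {
        collection.add(algorithmAttributeName);
        collection.add(hashAttributeName);
        collection.add(seedAttributeName);
        collection.add(sequenceAttributeName);
    }
}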
