package org.wildfly.security.sasl.localuser;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.PrivilegedAction;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Random;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import org.wildfly.common.Assert;
import org.wildfly.common.array.Arrays2;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.manager.action.ReadPropertyAction;
import org.wildfly.security.mechanism._private.ElytronMessages;
import org.wildfly.security.sasl.util.AbstractSaslServer;

/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.15.3.Final.jar:org/wildfly/security/sasl/localuser/LocalUserServer.class */
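/**
 * Server side of the {@code JBOSS-LOCAL-USER} SASL mechanism.
 *
 * <p>Flow as implemented here:
 * <ol>
 *   <li>The client's initial response carries the requested authorization id
 *       (a single NUL byte means "none"; an empty message makes the server reply
 *       with an empty challenge and stay in the initial state).</li>
 *   <li>The server writes {@value #CHALLENGE_LENGTH} random bytes into a freshly
 *       created file under the configured challenge directory and sends the
 *       file's absolute path (UTF-8) back as the challenge.</li>
 *   <li>The client answers with those bytes, optionally followed by
 *       {@code NUL authentication-name [NUL realm [NUL ...]]}. The server deletes
 *       the file, compares the bytes, and runs the callback handler for name,
 *       optional realm and authorization.</li>
 * </ol>
 *
 * <p>Security boundary: whoever can read the challenge file can complete the
 * exchange. The file is created with {@link File#createTempFile}, which does not
 * itself apply restrictive permissions, so the permissions of the challenge
 * directory decide who can authenticate; the fallback directory is
 * {@code java.io.tmpdir}, which is commonly shared between OS users. Deployments
 * should set {@link #LOCAL_USER_CHALLENGE_PATH} to a directory that only the
 * intended local users can read (NOTE(review): confirm against deployment docs).
 * Disabling {@link #LOCAL_USER_USE_SECURE_RANDOM} makes the challenge come from
 * {@link java.util.Random}, which is predictable; keep the default ({@code true}).
 */
final class LocalUserServer extends AbstractSaslServer implements SaslServer {
    public static final String LOCAL_USER_USE_SECURE_RANDOM = "wildfly.sasl.local-user.use-secure-random";
    public static final String LEGACY_LOCAL_USER_USE_SECURE_RANDOM = "jboss.sasl.local-user.use-secure-random";
    public static final String LOCAL_USER_CHALLENGE_PATH = "wildfly.sasl.local-user.challenge-path";
    public static final String LEGACY_LOCAL_USER_CHALLENGE_PATH = "jboss.sasl.local-user.challenge-path";
    public static final String DEFAULT_USER = "wildfly.sasl.local-user.default-user";
    public static final String LEGACY_DEFAULT_USER = "jboss.sasl.local-user.default-user";
    private static final byte UTF8NUL = 0;
    private static final int INITIAL_CHALLENGE_STATE = 1;
    private static final int PROCESS_RESPONSE_STATE = 2;
    /** Number of random bytes written to the challenge file and expected back. */
    private static final int CHALLENGE_LENGTH = 8;

    /** Authorization id requested by the client; null when none was given. */
    private volatile String authorizationId;
    /** Challenge file for the in-flight exchange; null once deleted. */
    private volatile File challengeFile;
    /** Random bytes written to {@link #challengeFile}; set before the challenge is sent. */
    private volatile byte[] challengeBytes;
    /** Directory in which challenge files are created. */
    private final File basePath;
    /** Name used when the client sends no (or an empty) authentication name; may be null. */
    private final String defaultUser;
    /** Whether challenges come from {@link SecureRandom} rather than {@link Random}. */
    private final boolean useSecureRandom;

    /**
     * Creates the server mechanism.
     *
     * <p>Configuration is read from {@code props} first (new key, then legacy key),
     * then from system properties with the same keys, except the default user which
     * is only read from {@code props}. When no challenge path is configured at all,
     * {@code java.io.tmpdir} is used.
     *
     * <p>Decompiler note: this constructor was package-private in the original source;
     * it is kept {@code public} here to match the listing.
     *
     * @param str first positional argument forwarded to the superclass (presumably the protocol)
     * @param str2 second positional argument forwarded to the superclass (presumably the server name)
     * @param map mechanism properties; may be null
     * @param callbackHandler handler used for name, realm and authorization callbacks
     */
    public LocalUserServer(String str, String str2, Map<String, ?> map, CallbackHandler callbackHandler) {
        super("JBOSS-LOCAL-USER", str, str2, callbackHandler, ElytronMessages.saslLocal);
        final Map<String, ?> props = map == null ? Collections.<String, Object>emptyMap() : map;

        final Object pathSetting = lookup(props, LOCAL_USER_CHALLENGE_PATH, LEGACY_LOCAL_USER_CHALLENGE_PATH);
        if (pathSetting != null) {
            this.basePath = new File(pathSetting.toString()).getAbsoluteFile();
        } else {
            // Shared temp directory: see the class comment about who can read challenge files.
            this.basePath = new File(getProperty("java.io.tmpdir"));
        }

        final Object secureRandomSetting = lookup(props, LOCAL_USER_USE_SECURE_RANDOM, LEGACY_LOCAL_USER_USE_SECURE_RANDOM);
        if (secureRandomSetting instanceof Boolean) {
            this.useSecureRandom = ((Boolean) secureRandomSetting).booleanValue();
        } else if (secureRandomSetting instanceof String) {
            this.useSecureRandom = Boolean.parseBoolean((String) secureRandomSetting);
        } else {
            // Absent or of an unexpected type: default to the secure generator.
            this.useSecureRandom = true;
        }

        // The default user is deliberately not read from system properties.
        if (props.containsKey(DEFAULT_USER)) {
            this.defaultUser = (String) props.get(DEFAULT_USER);
        } else if (props.containsKey(LEGACY_DEFAULT_USER)) {
            this.defaultUser = (String) props.get(LEGACY_DEFAULT_USER);
        } else {
            this.defaultUser = null;
        }
    }

    /**
     * Resolves a setting: the properties map under {@code key}, then under
     * {@code legacyKey}, then the system property {@code key}, then {@code legacyKey}.
     *
     * @return the first value found (may be null when the map maps the key to null
     *         or nothing is configured)
     */
    private static Object lookup(Map<String, ?> props, String key, String legacyKey) {
        if (props.containsKey(key)) {
            return props.get(key);
        }
        if (props.containsKey(legacyKey)) {
            return props.get(legacyKey);
        }
        final String value = getProperty(key);
        return value != null ? value : getProperty(legacyKey);
    }

    /** Reads a system property, under a privileged action when a security manager is installed. */
    private static String getProperty(String str) {
        return (String) doPrivileged(new ReadPropertyAction(str, null));
    }

    private static <T> T doPrivileged(PrivilegedAction<T> privilegedAction) {
        return System.getSecurityManager() != null ? (T) AccessController.doPrivileged(privilegedAction) : privilegedAction.run();
    }

    /** A fresh generator per challenge; {@link Random} only when explicitly configured. */
    private Random getRandom() {
        return this.useSecureRandom ? new SecureRandom() : new Random();
    }

    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void init() {
        setNegotiationState(INITIAL_CHALLENGE_STATE);
    }

    @Override
    public String getAuthorizationID() {
        assertComplete();
        return this.authorizationId;
    }

    /** Best-effort removal of the challenge file; the delete result is not checked. */
    private void deleteChallenge() {
        final File file = this.challengeFile;
        if (file != null) {
            file.delete();
            this.challengeFile = null;
        }
    }

    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    public void dispose() throws SaslException {
        super.dispose();
        deleteChallenge();
    }

    /**
     * Handles one step of the exchange.
     *
     * @param i the negotiation state ({@link #INITIAL_CHALLENGE_STATE} or {@link #PROCESS_RESPONSE_STATE})
     * @param bArr the client's message
     * @return the challenge (file path as UTF-8), {@code NO_BYTES} for an empty initial
     *         message, or null once negotiation is complete
     * @throws SaslException when the challenge file cannot be written, the response is
     *         too short, the proof does not match, no authentication name is available,
     *         or authorization is refused
     */
    @Override // org.wildfly.security.sasl.util.AbstractSaslParticipant
    protected byte[] evaluateMessage(int i, byte[] bArr) throws SaslException {
        switch (i) {
            case INITIAL_CHALLENGE_STATE:
                if (bArr.length == 0) {
                    // Stay in this state; the client is expected to resend with an authorization id.
                    return NO_BYTES;
                }
                if (bArr.length == 1 && bArr[0] == UTF8NUL) {
                    this.authorizationId = null;
                } else {
                    this.authorizationId = new String(bArr, StandardCharsets.UTF_8);
                }
                return issueChallenge();
            case PROCESS_RESPONSE_STATE:
                return processResponse(bArr);
            default:
                throw Assert.impossibleSwitchCase(i);
        }
    }

    /**
     * Creates the challenge file, fills it with random bytes and returns its absolute
     * path as the challenge. On any failure after the file exists it is deleted again.
     */
    private byte[] issueChallenge() throws SaslException {
        final byte[] challenge = new byte[CHALLENGE_LENGTH];
        getRandom().nextBytes(challenge);
        try {
            // NOTE(review): File.createTempFile does not restrict the file mode itself;
            // the directory's permissions are the access control for this mechanism.
            this.challengeFile = File.createTempFile("local", ".challenge", this.basePath);
        } catch (IOException e) {
            throw ElytronMessages.saslLocal.mechFailedToCreateChallengeFile(e).toSaslException();
        }
        boolean written = false;
        try {
            try (FileOutputStream out = new FileOutputStream(this.challengeFile)) {
                out.write(challenge);
            }
            // Only reached when both write and close succeeded.
            written = true;
        } catch (IOException e) {
            throw ElytronMessages.saslLocal.mechFailedToCreateChallengeFile(e).toSaslException();
        } finally {
            if (!written) {
                deleteChallenge();
            }
        }
        this.challengeBytes = challenge;
        final byte[] path = CodePointIterator.ofString(this.challengeFile.getAbsolutePath()).asUtf8(true).drain();
        setNegotiationState(PROCESS_RESPONSE_STATE);
        return path;
    }

    /**
     * Verifies the client's proof and runs the callbacks. The challenge file is deleted
     * before anything else so a rejected response never leaves it behind.
     */
    private byte[] processResponse(byte[] bArr) throws SaslException {
        deleteChallenge();
        if (bArr.length < CHALLENGE_LENGTH) {
            throw ElytronMessages.saslLocal.mechInvalidClientMessage().toSaslException();
        }
        // Constant-time comparison so the proof check does not leak a byte prefix via timing.
        if (!MessageDigest.isEqual(this.challengeBytes, Arrays.copyOf(bArr, CHALLENGE_LENGTH))) {
            throw ElytronMessages.saslLocal.mechAuthenticationRejectedInvalidProof().toSaslException();
        }

        // Trailer layout: NUL name [NUL realm [...]]; anything after the realm's NUL is ignored.
        String authenticationName = null;
        String realm = null;
        final int nameEnd = Arrays2.indexOf(bArr, 0, CHALLENGE_LENGTH);
        if (nameEnd > -1) {
            authenticationName = new String(bArr, CHALLENGE_LENGTH, nameEnd - CHALLENGE_LENGTH, StandardCharsets.UTF_8);
            final int realmEnd = Arrays2.indexOf(bArr, 0, nameEnd + 1);
            if (realmEnd > -1) {
                realm = new String(bArr, nameEnd + 1, realmEnd - nameEnd - 1, StandardCharsets.UTF_8);
            }
        }
        if (authenticationName == null || authenticationName.isEmpty()) {
            authenticationName = this.defaultUser;
        }
        if (authenticationName == null || authenticationName.isEmpty()) {
            throw ElytronMessages.saslLocal.mechAuthenticationNameIsEmpty().toSaslException();
        }

        String authzId = this.authorizationId;
        if (authzId == null || authzId.isEmpty()) {
            // No explicit authorization id: authorize as the authenticated name.
            authzId = authenticationName;
            this.authorizationId = authzId;
        }

        final NameCallback nameCallback = new NameCallback("User name", authenticationName);
        final AuthorizeCallback authorizeCallback = new AuthorizeCallback(authenticationName, authzId);
        if (realm == null) {
            handleCallbacks(nameCallback, authorizeCallback);
        } else {
            handleCallbacks(new RealmCallback("User realm", realm), nameCallback, authorizeCallback);
        }
        if (!authorizeCallback.isAuthorized()) {
            throw ElytronMessages.saslLocal.mechAuthorizationFailed(authenticationName, authzId).toSaslException();
        }
        negotiationComplete();
        return null;
    }
}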
