package org.wildfly.security.auth.login;

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;
import org.wildfly.security.auth.callback.AnonymousAuthorizationCallback;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.CallbackUtil;
import org.wildfly.security.auth.callback.CredentialCallback;
import org.wildfly.security.auth.callback.CredentialParameterCallback;
import org.wildfly.security.auth.callback.FastUnsupportedCallbackException;
import org.wildfly.security.auth.callback.PeerPrincipalCallback;
import org.wildfly.security.auth.callback.RealmIdentityCallback;
import org.wildfly.security.auth.callback.SocketAddressCallback;
import org.wildfly.security.auth.spi.RealmIdentity;
import org.wildfly.security.auth.spi.RealmUnavailableException;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.TwoWayPassword;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.password.spec.ClearPasswordSpec;
import org.wildfly.security.sasl.WildFlySasl;
import org.wildfly.security.sasl.util.AuthenticationCompleteCallbackSaslServerFactory;

/* loaded from: input_file:org/wildfly/security/auth/login/ServerAuthenticationContext.class */
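/**
 * Server-side state for one authentication attempt against a {@link SecurityDomain}.
 *
 * <p>The context hands out SASL servers whose callbacks are answered by an internal
 * {@link CallbackHandler}: login names are mapped to a {@link RealmIdentity} through the domain,
 * and passwords/credentials are verified against, or supplied from, that identity.
 *
 * <p>Thread-safety: {@code done} is a plain field that is read and written without
 * synchronization, and the callback handler keeps its current identity in an unsynchronized
 * field. Nothing in this class makes concurrent use safe.
 */
public final class ServerAuthenticationContext {
    // Properties passed to every SaslServerFactory call. The key is WildFlySasl.MECHANISM_QUERY_ALL;
    // NOTE(review): presumably this asks the factory not to filter mechanisms by policy - confirm
    // against WildFlySasl, the meaning is not visible in this file.
    private static final Map<String, String> QUERY_ALL = Collections.singletonMap(WildFlySasl.MECHANISM_QUERY_ALL, "true");
    private final SecurityDomain domain;
    // Set once an AuthenticationCompleteCallback has been handled; blocks further createSaslServer calls.
    private boolean done = false;

    /**
     * Creates a context bound to the given security domain.
     *
     * <p>NOTE(review): the decompiler reports that this constructor was package-private in the
     * original class and was widened to public in this listing.
     *
     * @param securityDomain the domain used to map names to identities and to decide whether
     *                       anonymous authorization is allowed
     */
    public ServerAuthenticationContext(SecurityDomain securityDomain) {
        this.domain = securityDomain;
    }

    /**
     * Creates a SASL server whose callbacks are answered from this context's security domain.
     *
     * <p>The arguments are forwarded to
     * {@link SaslServerFactory#createSaslServer(String, String, String, Map, CallbackHandler)}
     * in the order mechanism, protocol, server name.
     *
     * @param saslServerFactory the factory to delegate to; it is wrapped in an
     *                          {@link AuthenticationCompleteCallbackSaslServerFactory} first
     * @param str  the server name
     * @param str2 the SASL mechanism name
     * @param str3 the protocol name
     * @return the SASL server produced by the wrapped factory (whatever the factory returns)
     * @throws SaslException if an authentication has already completed on this context, or if
     *                       the factory fails
     */
    public SaslServer createSaslServer(SaslServerFactory saslServerFactory, String str, String str2, String str3) throws SaslException {
        // One-shot guard: a completed context must not be reused for a second exchange.
        // The check and the later write to `done` are not atomic (see class comment).
        if (this.done) {
            throw new SaslException("Authentication already performed");
        }
        SaslServerFactory completionAwareFactory = new AuthenticationCompleteCallbackSaslServerFactory(saslServerFactory);
        return completionAwareFactory.createSaslServer(str2, str3, str, QUERY_ALL, createCallbackHandler());
    }

    /**
     * Not implemented.
     *
     * @return never returns normally
     * @throws UnsupportedOperationException always
     */
    public SSLEngine createServerSslEngine() {
        throw new UnsupportedOperationException();
    }

    /**
     * Not implemented.
     *
     * @return never returns normally
     * @throws UnsupportedOperationException always
     */
    public SSLSocket createServerSslSocket() {
        throw new UnsupportedOperationException();
    }

    /**
     * Builds the callback handler that backs a single authentication exchange.
     *
     * <p>The handler is stateful: it remembers the {@link RealmIdentity} selected by a
     * {@link NameCallback} or {@link PeerPrincipalCallback} and uses it for the credential
     * callbacks that follow. Each call returns a new handler with no identity loaded.
     *
     * @return a new callback handler bound to this context
     */
    CallbackHandler createCallbackHandler() {
        return new CallbackHandler() {
            // Identity selected by the most recent name/principal callback; null until one is loaded.
            RealmIdentity identity;

            /**
             * Handles the callbacks in array order.
             *
             * @throws IOException if the realm is unavailable (wrapping the
             *                     RealmUnavailableException) or authentication fails (SaslException)
             * @throws UnsupportedCallbackException if a callback cannot be answered
             */
            @Override
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                try {
                    handleOne(callbackArr, 0);
                } catch (RealmUnavailableException e) {
                    throw new IOException(e);
                }
            }

            /**
             * Processes the callbacks from index {@code i} to the end of the array, in order.
             * The order of the type checks is significant only if callback types overlap; it is
             * kept as found.
             */
            private void handleOne(Callback[] callbackArr, int i) throws IOException, UnsupportedCallbackException, RealmUnavailableException {
                for (int index = i; index < callbackArr.length; index++) {
                    Callback callback = callbackArr[index];
                    if (callback instanceof NameCallback) {
                        // A new login name replaces the current identity. Drop the reference
                        // before disposing so a failed lookup (or a failing dispose) can never
                        // leave a disposed identity available to later credential callbacks.
                        RealmIdentity previous = this.identity;
                        if (previous != null) {
                            this.identity = null;
                            previous.dispose();
                        }
                        loadIdentity(((NameCallback) callback).getName());
                    } else if (callback instanceof PeerPrincipalCallback) {
                        // A peer principal may establish the identity only once per exchange.
                        if (this.identity != null) {
                            throw new SaslException("Mechanism supplied multiple login names");
                        }
                        loadIdentity(((PeerPrincipalCallback) callback).getPrincipal().getName());
                    } else if (callback instanceof PasswordCallback) {
                        handlePassword((PasswordCallback) callback);
                    } else if (callback instanceof CredentialCallback) {
                        handleCredential((CredentialCallback) callback);
                    } else if (callback instanceof CredentialParameterCallback) {
                        // Accepted so the mechanism does not fail, but nothing is done with it.
                        continue;
                    } else if (callback instanceof AnonymousAuthorizationCallback) {
                        // The anonymous-login decision belongs to the domain, not to the mechanism.
                        ((AnonymousAuthorizationCallback) callback).setAuthorized(ServerAuthenticationContext.this.domain.isAnonymousAllowed());
                    } else if (callback instanceof AuthenticationCompleteCallback) {
                        // The context is marked finished without inspecting the callback, so both
                        // outcomes of the exchange close it for further createSaslServer calls.
                        // NOTE(review): the identity reference is dropped without dispose(),
                        // unlike the NameCallback path - confirm who releases it.
                        this.identity = null;
                        ServerAuthenticationContext.this.done = true;
                    } else if (callback instanceof SocketAddressCallback) {
                        // Socket addresses (including the peer address) are accepted and ignored.
                        continue;
                    } else if (callback instanceof RealmIdentityCallback) {
                        // Hands the current identity to the mechanism; this is null when no
                        // name or principal callback has loaded one yet.
                        ((RealmIdentityCallback) callback).setRealmIdentity(this.identity);
                    } else {
                        CallbackUtil.unsupported(callback);
                        // Nothing after an unsupported callback is processed.
                        return;
                    }
                }
            }

            /**
             * Maps {@code name} through the security domain and makes the result the current identity.
             *
             * <p>NOTE(review): "Unknown user name" here and "Invalid password" during
             * verification are distinguishable. If the exception text is relayed to the remote
             * peer it reveals which names exist; whether it is relayed is decided by the caller
             * and is not visible in this file.
             */
            private void loadIdentity(String name) throws IOException, UnsupportedCallbackException, RealmUnavailableException {
                RealmIdentity mapped = ServerAuthenticationContext.this.domain.mapName(name);
                if (mapped == null) {
                    throw new SaslException("Unknown user name");
                }
                this.identity = mapped;
            }

            /**
             * Answers a password callback: verifies a password the mechanism supplied, or, when
             * the callback carries none, fills in the stored clear password for the mechanism.
             */
            private void handlePassword(PasswordCallback passwordCallback) throws IOException, UnsupportedCallbackException, RealmUnavailableException {
                RealmIdentity realmIdentity = this.identity;
                if (realmIdentity == null) {
                    throw new SaslException("No user identity loaded for credential verification");
                }
                // PasswordCallback.getPassword() returns a copy; that copy is not wiped here.
                char[] password = passwordCallback.getPassword();
                if (password == null) {
                    supplyStoredPassword(realmIdentity, passwordCallback);
                } else {
                    verifyProvidedPassword(realmIdentity, password);
                }
            }

            /**
             * Recovers the identity's two-way password as clear text and places it in the callback.
             *
             * <p>This path hands a recoverable clear-text password to the SASL mechanism. The
             * callback stores its own copy, so the mechanism that owns the callback is the one
             * that has to call {@link PasswordCallback#clearPassword()} when it is finished.
             */
            private void supplyStoredPassword(RealmIdentity realmIdentity, PasswordCallback passwordCallback) throws IOException, UnsupportedCallbackException, RealmUnavailableException {
                TwoWayPassword twoWayPassword = (TwoWayPassword) realmIdentity.getCredential(TwoWayPassword.class);
                if (twoWayPassword == null) {
                    throw new FastUnsupportedCallbackException(passwordCallback);
                }
                try {
                    PasswordFactory factory = PasswordFactory.getInstance(twoWayPassword.getAlgorithm());
                    ClearPasswordSpec clearSpec = (ClearPasswordSpec) factory.getKeySpec(twoWayPassword, ClearPasswordSpec.class);
                    passwordCallback.setPassword(clearSpec.getEncodedPassword());
                } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                    // The stored password cannot be converted to clear text; report the callback
                    // as unsupported (the cause is not carried by this exception type as used here).
                    throw new FastUnsupportedCallbackException(passwordCallback);
                }
            }

            /**
             * Verifies a mechanism-supplied password against the identity.
             *
             * <p>Every verification path the realm reports as definitely verifiable must accept
             * the password, and at least one such path must exist. A password accepted through
             * direct {@code char[]} verification is therefore not rejected with "Password
             * verification not supported" merely because the realm cannot also verify a
             * {@link TwoWayPassword}.
             *
             * @throws SaslException if a path rejects the password, or no path can verify it
             */
            private void verifyProvidedPassword(RealmIdentity realmIdentity, char[] password) throws IOException, UnsupportedCallbackException, RealmUnavailableException {
                boolean verified = false;
                if (realmIdentity.getCredentialSupport(char[].class).isDefinitelyVerifiable()) {
                    if (!realmIdentity.verifyCredential(password)) {
                        throw new SaslException("Invalid password");
                    }
                    verified = true;
                }
                if (realmIdentity.getCredentialSupport(TwoWayPassword.class).isDefinitelyVerifiable()) {
                    try {
                        PasswordFactory clearFactory = PasswordFactory.getInstance(ClearPassword.ALGORITHM_CLEAR);
                        if (!realmIdentity.verifyCredential(clearFactory.generatePassword(new ClearPasswordSpec(password)))) {
                            throw new SaslException("Invalid password");
                        }
                    } catch (NoSuchAlgorithmException | InvalidKeySpecException e2) {
                        throw new SaslException("Password verification not supported", e2);
                    }
                    verified = true;
                }
                if (!verified) {
                    // Fail closed: no definitive verification path means no authentication.
                    throw new SaslException("Password verification not supported");
                }
            }

            /**
             * Supplies the first credential of an allowed type that the identity can provide.
             * If none can be obtained the callback is left without a credential and processing
             * continues, so the mechanism has to treat an unset credential as a failure.
             */
            private void handleCredential(CredentialCallback credentialCallback) throws IOException, UnsupportedCallbackException, RealmUnavailableException {
                if (this.identity == null) {
                    throw new SaslException("No user identity loaded for credential verification");
                }
                Iterator<Class<?>> allowedTypes = credentialCallback.getAllowedTypes().iterator();
                while (allowedTypes.hasNext()) {
                    Class<?> allowedType = allowedTypes.next();
                    if (!this.identity.getCredentialSupport(allowedType).mayBeObtainable()) {
                        continue;
                    }
                    Object credential = this.identity.getCredential(allowedType);
                    if (credential != null) {
                        credentialCallback.setCredential(credential);
                        break;
                    }
                }
            }
        };
    }
}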
